
Case Study of an Active Directory Deployment

Eric Chamberlain, CISSP
Presentation on the history and future of the Berkeley campus Active Directory deployment.
8/4/2003 Copyright © 2003 The Regents of the University of California 1

CalNetAD Services
http://calnetad.berkeley.edu
- Centrally funded
- Support for the domain controllers that run the forest
- Computer resource management
- Support for development and distribution of utility and administrative scripts

CalNetAD Services
- Forum for discussion of Active Directory and security issues
- Presentations about the CalNetAD service and related topics
- Notice of important changes and scheduled maintenance
- A service calendar which lists important events and milestones

Forest Information
Our size:
- 65,000 user accounts
- 23 units in OUs
- 3,235 computers in the forest
- On average, one unauthorized connection attempt per machine per hour

In the Beginning

Existing Infrastructure
Berkeley network infrastructure that CalNetAD had to fit into:
- CalNet Kerberos authentication: MIT Kerberos v5 realm
- CalNet Directory Service: Sun/iPlanet LDAPv3
- DNS: BIND (Berkeley Internet Name Domain)
Campus computers and laptops are clients of all three services.

Initial Concerns
- Multiple forests
- Burden on the DNS system
- Multiple user IDs

Goals
- CalNet ID will be used for Windows desktop login
- CalNet Directory public information will be synchronized to AD
- DNS namespace for AD will support DDNS
- Minimal forests
- Collaborative resource

Initial Team (1.8 FTE)
- Central Computing Services (lead)
- System and Network Security
- Workstation Support Services
- Communications and Network Services
- Services represented on the team: LDAP, Kerberos, DNS
- 13-member advisory group

CalNetAD

Getting Started
1. Schedule a meeting with the CalNetAD project team.
2. Agree to the CalNetAD policies and complete a Service Level Agreement (SLA).
3. Provide the CalNetAD project team with the name of a mailing list of local administrators.
4. Provide the CalNetAD project team with the CalNet ID of the first administrator for the new OU.
5. Provide the CalNetAD project team with the DNS name of the first computer that will join the new OU.
6. Participate in the CalNetAD Planning Committee.

Joining as a Domain
- Everyone wants to join as a domain at first. This is strongly discouraged: in Active Directory the forest, not the domain, is the security boundary, so each additional domain adds administrators whom the whole forest must trust without isolating anything.
- Joining as a domain requires agreement to additional responsibilities and limitations:
  - Creating subdomains is not allowed.
  - At least two (2) Domain Controllers (DCs) are required for a domain.
  - The domain controllers should be installed on appropriately configured, fault-tolerant, server-class machines.
  - OS patches, fixes, upgrades, etc. are expected to be applied in a timely fashion to maintain forest security and OS consistency among domain controllers.
  - The DCs are expected to be in operation at all times except for scheduled maintenance.
  - Keep servers in a locked, access-controlled room.

Joining as an Organizational Unit (OU)
Departments and units are encouraged to join the CalNetAD as an Organizational Unit (OU). Control of an OU in the CalNetAD forest will be delegated to an OU administrator group who shall have the ability to manage users, computers, local security groups, and Group Policy Objects (GPOs)

OU Administrators
- Must read and agree to the policies prior to being given an administrative account.
- Any local administrator who creates an administrative account for another local administrator must make sure the new administrator has read and agreed to these policies.
- All CalNetAD local administrators (or their proxy) are expected to participate in the CalNetAD Planning Committee and attend its meetings.

Standards

Naming Standards
- Many departments and units, large and small
- Most administrative responsibilities delegated to system administrators
- Goal: maintain an orderly forest, ease recognition of forest resources, and avoid naming collisions

Computer Names
Pattern: xxx-rest_of_name (or) xxxrest_of_name
- xxx: registered organization prefix, 2 or more characters in length.
- rest_of_name: suffix chosen by the organization creating the computer.
Example: COIS-EXAMPLE123456789
Note that Windows limits the NetBIOS computer name to 15 characters, and the prefix and separator count against that limit; the 21-character example above illustrates the pattern only, since Windows would truncate its NetBIOS name to 15 characters.

User Account Names
- The account name must be unique within the domain.
- Shadow account: the CalNet ID. Example: eric@BERKELEY.EDU
- Private account: prefixed by a bang (!) followed by the OU prefix and the user ID. Example: !OU-localname. Bangs are not allowed in CalNet IDs, so these names will not conflict with shadow accounts that may be created in the future.
- For compatibility with pre-Windows 2000 operating systems the account name is limited to 15 characters.

Security and Distribution Groups
Pattern: ddd-group_name-tt
- ddd: CalNetAD OU name
- group_name: descriptive name which explains the purpose of the group
- tt: type of group
  - ls: domain local security
  - gs: global security
  - us: universal security
  - ld: domain local distribution
  - gd: global distribution
  - ud: universal distribution
Example: COIS-OU Admins-gs

Group Policy Objects (GPOs)
Use a CalNetAD OU Name as a prefix for all Group Policy names. Example: "COIS staff policy" or "HAAS lab 300 policy"
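The naming rules on the preceding slides (computer names, shadow and private account names, group names, GPO names) can be checked mechanically before an object is created, which is how a delegated OU admin avoids the collisions the standard exists to prevent. The PowerShell below is an added example, not code from the CalNetAD deck or service. The list of registered OU prefixes and every sample name are constructed for illustration. It applies the deck's 15-character account limit as written; note that Windows itself allows 20 characters for a user's pre-Windows 2000 logon name and 15 for a NetBIOS computer name, which is why the deck's 21-character computer example is rejected here.

```powershell
# Added example: CalNetAD naming-standard checks (not from the deck).
# Assumption: the registered organization prefixes; the real list lives with CalNetAD.
$RegisteredPrefixes = @('COIS', 'HAAS', 'LAW', 'IEOR')

# tt suffix -> scope/type, exactly as the group-naming slide lists them
$GroupTypes = @{
    ls = 'domain local security';     gs = 'global security';     us = 'universal security'
    ld = 'domain local distribution'; gd = 'global distribution'; ud = 'universal distribution'
}

function Test-CalNetADComputerName {
    param([Parameter(Mandatory)][string]$Name)
    # xxx-rest_of_name or xxxrest_of_name. NetBIOS names are at most 15 characters,
    # so the deck's own example COIS-EXAMPLE123456789 (21 chars) fails this check.
    if ($Name.Length -gt 15 -or $Name -notmatch '^[A-Za-z0-9-]+$') { return $false }
    foreach ($p in $RegisteredPrefixes) {
        if ($p.Length -ge 2 -and $Name.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase)) {
            $rest = $Name.Substring($p.Length).TrimStart('-')
            if ($rest.Length -gt 0) { return $true }   # something must follow the prefix
        }
    }
    return $false
}

function Get-CalNetADAccountKind {
    param([Parameter(Mandatory)][string]$Name)
    # Shadow accounts carry the CalNet ID, which can never contain a bang;
    # private accounts are !OUPREFIX-localname. The deck caps both at 15 characters.
    if ($Name.Length -gt 15) { return 'Invalid' }
    if ($Name -match '^!([A-Za-z0-9]{2,})-(.+)$') {
        if ($RegisteredPrefixes -contains $Matches[1]) { return 'Private' } else { return 'Invalid' }
    }
    if ($Name -match '^[A-Za-z0-9._-]+$') { return 'Shadow' }
    return 'Invalid'
}

function Test-CalNetADGroupName {
    param([Parameter(Mandatory)][string]$Name)
    # ddd-group_name-tt; the trailing tt selects scope and type
    if ($Name -match '^([A-Za-z0-9]{2,})-(.+)-([A-Za-z]{2})$' -and
        $RegisteredPrefixes -contains $Matches[1] -and $GroupTypes.ContainsKey($Matches[3])) {
        return [pscustomobject]@{ OU = $Matches[1]; Purpose = $Matches[2]; Kind = $GroupTypes[$Matches[3]] }
    }
    return $null
}

function Test-CalNetADGpoName {
    param([Parameter(Mandatory)][string]$Name)
    # GPO display names begin with the OU prefix, e.g. "COIS staff policy"
    foreach ($p in $RegisteredPrefixes) { if ($Name -like "$p *") { return $true } }
    return $false
}

# Constructed sample names, not real CalNetAD objects
foreach ($n in 'COIS-LAB12', 'COISLAB12', 'COIS-EXAMPLE123456789', 'XY-LAB12') {
    '{0,-22} computer ok: {1}' -f $n, (Test-CalNetADComputerName $n)
}
foreach ($n in 'eric', '!COIS-svcbackup', '!ZZZ-svc', 'eric!x') {
    '{0,-22} account: {1}' -f $n, (Get-CalNetADAccountKind $n)
}
Test-CalNetADGroupName 'COIS-OU Admins-gs'
Test-CalNetADGpoName 'HAAS lab 300 policy'
```

The unhyphenated computer form (xxxrest_of_name) is only parseable against a registry of prefixes, which is why the checks take that list as input rather than inferring the prefix from the name; a prefix registry is also what stops two units from picking the same three letters.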

Authentication
- Clear text is not allowed.
- All accounts must have a robust password that meets certain basic requirements for strength, complexity and form.

Account synchronization
- Initially students are loaded into one OU (FERPA, Registrar requirements, multiple units).
- Faculty, staff, and affiliate user accounts are loaded into departmental OUs.
- The home department code from the Payroll Action Form (PAF) would be useful as the department designator to map to CalNetAD OUs. A change to the PAF home department code would not by itself cause an automatic move into or out of an OU without prior agreement from the involved parties.
- Issues that need more discussion: dual appointments and account deletions.

About the Forest

Enterprise Administration Responsibilities
- Install and maintain the Active Directory domain controllers.
- On duty Monday-Friday, 8 a.m. to 5 p.m.
- Manage the flow of information from the CalNet Directory to CalNetAD.
- Communicate all enterprise-wide changes to domain and OU administrators via the CalNetAD Change Management System.
- Have administrator privileges on all domain controllers and OUs, but take a "hands-off" approach to local domain and OU administration.
- The EA group is not responsible for the administration of local user accounts (other than providing shadow CalNet ID accounts).
- Only when faced with an enterprise-wide emergency will an Enterprise Administrator take action at the domain or OU level.

Domain Modifications
Domains: CAMPUS and UC
- The default number of workstations a domain user could add to the domain was changed from 10 to 0; only administrators can add workstations to the domain.
- The domain ACLs have been modified to prevent users from viewing the internal structure.
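The "10 to 0" change above is the domain's ms-DS-MachineAccountQuota attribute, and it is still one of the first things worth auditing in any forest: every computer account an ordinary user created under the quota stays under that user's control, and several current attack chains against Active Directory begin by creating such an account. The PowerShell below is an added example, not from the deck or the CalNetAD service; it uses the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later), which postdates the deployment described here. It must be run as a Domain Admin against the domain the host is joined to.

```powershell
# Added example (not from the deck): audit and enforce ms-DS-MachineAccountQuota = 0,
# then list the computer objects that were joined under the old quota.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# The quota lives on the domain naming-context head. It is the number of computer
# accounts any holder of the "Add workstations to domain" right may create (default 10).
$head  = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
$quota = $head.'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota"

if ($quota -ne 0) {
    Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    'Quota set to 0: only principals with Create Child (computer) rights on an OU can join machines.'
}

# A computer joined under the quota records the joining user's SID in mS-DS-CreatorSID;
# an admin with real Create Child rights leaves it empty. So this is exactly the set of
# objects unprivileged users created and (by default) can still modify.
function Get-QuotaJoinedComputers {
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated |
        ForEach-Object {
            $raw = $_.'mS-DS-CreatorSID'   # returned as raw SID bytes by ADWS
            $sid = if ($raw -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) } else { [System.Security.Principal.SecurityIdentifier]$raw }
            try { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $who = $sid.Value }   # creator deleted: keep the SID
            [pscustomobject]@{ Computer = $_.Name; Created = $_.whenCreated; JoinedBy = $who }
        }
}

Get-QuotaJoinedComputers | Sort-Object Created | Format-Table -AutoSize
```

The quota is only half of the control. The user right that makes it reachable, "Add workstations to domain" (SeMachineAccountPrivilege), is granted to Authenticated Users in the Default Domain Controllers Policy; a quota of 0 makes that right unusable, and removing Authenticated Users from the right is the belt-and-braces companion change. Objects returned by the audit should be moved to an OU the responsible admins own and their creator's implicit rights reviewed, not simply left in place.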

Software License Compliance
Participation in the CalNetAD forest does not entitle departments to licenses for operating systems or other software for departmental systems. The CalNetAD service includes only licenses for software required to operate the CalNetAD forest and Domain Controllers. Departments should ensure that systems participating in the CalNetAD forest are properly licensed for software running on their systems, including operating system or server software.

Network Services
- Windows DNS Server services
  - Turn off DDNS registration.
  - Computers must be registered in DNS to communicate properly.
- DHCP services must be coordinated.
- Internet Information Server (IIS)
- Distributed File System (DFS)
- Encrypting File System (EFS)

Schema Changes
- The schema defines objects and their associated attributes. Changes to the schema affect Active Directory across the entire CalNetAD forest.
- Schema changes will have to meet several requirements, including privacy, appropriateness, and potential for conflict.
- Schema changes will first be implemented and tested in the test environment. After successful testing, normal change management procedures will be followed to move the schema change into production.
- Changes to the production schema will only be implemented by IST during maintenance blocks, following prearranged notification to domain administrators.

Macintosh integration
Workstation & Microcomputer Facilities (W&MF) is currently testing the process of integrating OS X.
- Due to the requirement of having a home directory for users, W&MF needed the flexibility of specifying this path on each computer.
- Active Directory would have required the attribute to be the same for every single user on campus, which was not feasible.
- Our solution has been to use iPlanet, where we could specify a specific attribute just for this purpose.
- Even though we still have more testing to do, the results have been very positive thus far.

Timeline
Initial Production 3/2002 Final Production 8/2002

Production -7 Months
- CalNet ID (MIT Kerberos) for login
- CalNet (LDAP) public information synchronized
- DNS (BIND) namespace for DDNS
- 2 domains (empty root)
- Consultant helped with hardware sizing
- Presented to the eArchitecture Working Group
- http://calnetad.berkeley.edu web site set up with CalNetAD information
- 4 initial DCs ordered

Production -5 Months
Design goals:
- Support for single sign-on
- Interoperability (DNS, LDAP, Kerberos)
- Improve desktop security
- Opt-in model
Milestones:
- Presented to the Administrative Systems Operations Committee
- HAAS (Business School) joined as first major unit
- Investigating how to synchronize LDAP and AD
- Eric Chamberlain was hired as the Campus Active Directory Architect (2.3 FTE)

Production -3 Months (Pilot Status)
- Planning Committee meeting
  - 8-5 M-F support
  - Security Subcommittee formed
- Presented to the CalNet Steering Committee
- Article published in the Berkeley Computing and Communications newsletter
- Chancellor's Office and Departmental On-site Computing Support join

Production -2 Months 1/02
- Test environment set up
- Establishing GPOs
- Security Subcommittee meeting
  - Require NTLMv2 or Kerberos
  - Disable IIS
  - Need for certificates
  - High availability
  - Certificates
  - Training for new administrators
- Presented to the CalNet Working Committee
- Presented to the Information Technology Architecture Committee
- Future

Production -1 Month (Pilot Status)
- Preparing an out-of-data-center DC
- Developed SLA
- Presented at the Internet2 Middleware Conference
- Presented to Micronet
- Presented to the eBerkeley Implementation Task Force
- Membership expands to 10 units

Production -1 Month (Pilot Status)
Security
- Site-wide GPOs
- Disable IIS services by default
- DC physical security
- Empty forest root domain
- Restricted number of Enterprise Administrator accounts
- SmartCard logon (future)
Group Policies kept to a minimum, based on NSA recommendations and modified for UCB.
GPO settings:
- Disable IIS
- Require NTLMv2/Kerberos authentication
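"Require NTLMv2/Kerberos" is the LAN Manager authentication level security option (LmCompatibilityLevel), and the practical difficulty is not setting it but finding the hosts that still negotiate LM or NTLMv1 before the DCs start refusing them. The PowerShell below is an added example, not from the deck or the CalNetAD service: it first pulls the NTLM package version out of Security event 4624 on a DC, then writes the two settings from the GPO slide with the GroupPolicy module (RSAT, Server 2008 R2 or later, which postdates the deployment). The GPO name and link target are assumptions. The two values are written as registry policy; the Security Options editor writes the same LSA key, so the effect is identical, but the setting will show under Administrative Templates rather than Security Settings when you look for it later.

```powershell
# Added example (not from the deck): audit legacy NTLM logons, then enforce NTLMv2 and disable IIS via GPO.
$GpoName = 'CAMPUS site security policy'                    # assumption
$LinkDN  = 'OU=Domain Controllers,DC=campus,DC=example'      # assumption

# 1. Audit. Event 4624 carries AuthenticationPackageName (NTLM/Kerberos) and, for NTLM,
#    LmPackageName, which is "LM", "NTLM V1" or "NTLM V2". Run this on each DC.
function Get-LegacyNtlmLogons {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.AuthenticationPackageName -eq 'NTLM' -and $d.LmPackageName -in 'NTLM V1', 'LM') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    Workstation = $d.WorkstationName
                    Source      = $d.IpAddress
                    Package     = $d.LmPackageName
                }
            }
        }
}

# One line per (workstation, package) pair: the list of hosts to fix before enforcing.
Get-LegacyNtlmLogons -Hours 168 | Group-Object Workstation, Package |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# 2. Enforce. LmCompatibilityLevel 5 = send NTLMv2 only; DCs at level 5 refuse LM and NTLMv1.
#    W3SVC Start = 4 is "Disabled" for the IIS web service, matching "Disable IIS" above.
Import-Module GroupPolicy
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'LmCompatibilityLevel' -Type DWord -Value 5 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\W3SVC' `
    -ValueName 'Start' -Type DWord -Value 4 | Out-Null
New-GPLink -Name $GpoName -Target $LinkDN -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Read back what the GPO will push.
Get-GPRegistryValue -Name $GpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
```

Level 5 on a member only restricts what that member sends; it is level 5 on the domain controllers that actually rejects LM and NTLMv1 responses, which is why the deck applied the policy site-wide rather than per OU. Kerberos is unaffected by this setting: a logon that shows AuthenticationPackageName Kerberos never reaches the LM level at all.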

Initial Production
- Service stable
- Continue policy development
- Planning Committee meeting
- Develop OU Admin training materials
- LDAP synchronization work
- All of the GPO templates have been loaded into the test environment and tested.
- Backup, restore and other disaster recovery procedures have been tested.
- New CalNetAD members:
  - IST Operations (IST-OPS)
  - Ocean Engineering Graduate Group (OE)
  - Workstation Microcomputer Facilities (IST-WSS)
  - Central Computing Services – Systems and Data Administration

Initial Production
Planned infrastructure improvements:
- A new Dell 2550 server has been purchased to serve as a third domain controller for the CAMPUS domain.
- Test machine: the test machine (Dell 2550) and environment (VMware Server) are complete. VMs have been established for test versions of the KDC, DNS, and Active Directory domains and their controllers.
- Trouble ticket reporting system and Change Management web site

Production +1 Month
Security Subcommittee meeting
- IPsec
  - IPsec to secure communications between DCs
  - IPsec network cards in the DCs to off-load the IPsec overhead from the CPUs
- IDS testing
- Certificate Services
  - Units were interested in VPN support.
  - The CalNetAD team requested money for servers to support a central Microsoft Certificate Service.
  - The CalNetAD team will be using the service for the Enterprise Admin smart cards as well as the IPsec traffic between DCs.
- Design CalNet synchronization
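The DC-to-DC IPsec design above has two parts that are easy to get wrong: the policy must require IPsec only between the domain controllers (clients, and the MIT KDC, still have to reach the DCs unprotected), and machine authentication needs a credential every DC already holds, with the campus CA certificate as the stronger option once Certificate Services exists. The PowerShell below is an added example, not from the deck or the CalNetAD service; the deck's era used the Windows 2000 IPsec policy snap-in and offload NICs, whereas this uses the NetSecurity cmdlets of Windows Firewall with Advanced Security (Server 2012 or later). The DC addresses and the CA subject are assumptions.

```powershell
# Added example (not from the deck): require IPsec for all traffic between the DCs.
$DcAddresses = '10.0.0.10', '10.0.0.11', '10.0.0.12'   # assumption: the CAMPUS DCs
$IssuingCA   = 'CN=CalNetAD Issuing CA'               # assumption: subject of the campus CA

# Phase 1 (main mode): prefer a machine certificate chained to the campus CA,
# fall back to Kerberos machine authentication, which DCs can always do with each other.
$certProp = New-NetIPsecAuthProposal -Machine -Cert -Authority $IssuingCA -AuthorityType Root
$krbProp  = New-NetIPsecAuthProposal -Machine -Kerberos
$p1 = New-NetIPsecPhase1AuthSet -DisplayName 'DC-DC machine auth' -Proposal $certProp, $krbProp

# Quick mode: ESP with AES-256 and SHA-256, so replication, RPC and LDAP between DCs
# are encrypted on the wire rather than merely integrity-protected (AH).
$qmProp = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qm = New-NetIPsecQuickModeCryptoSet -DisplayName 'DC-DC ESP' -Proposal $qmProp

# Require IPsec in both directions, but only when BOTH endpoints are DCs. Traffic to or
# from any other address does not match this rule and keeps working without IPsec.
New-NetIPsecRule -DisplayName 'Require IPsec between domain controllers' `
    -LocalAddress $DcAddresses -RemoteAddress $DcAddresses `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $p1.Name -QuickModeCryptoSet $qm.Name `
    -Profile Domain

# Verify after the next replication cycle: one main-mode SA per DC pair, showing which
# authentication method actually won and which cipher is in use.
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod, CipherAlgorithm, HashAlgorithm
```

Run it on every DC, or write the rule into a GPO linked to the Domain Controllers OU with the cmdlets' -PolicyStore parameter, so a newly promoted DC receives it automatically. The address list is the weak point of this approach: a DC that is missing from it replicates in the clear, so adding an address must be part of the promotion checklist, the same way the deck treated the out-of-data-center DC as a planned change rather than an afterthought.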

Production +3 Months (6/02)
- Planning Committee meeting
  - e-Berkeley agreed to fund smart card research and a CalNetAD certificate server.
- A third DC for the CAMPUS domain installed at Boalt
- IPsec network cards installed in all of the domain controllers
- Hired Arden Pineda (3.3 FTE)
- HAAS domain joined
- CCHEM OU created
- IIR OU created

Production +3 Months
Code CalNet synchronization
- Using a tool named MetaMerge to integrate the two directories.
- Tested adding the inetOrgPerson schema changes.
- The CalNet ID is used for most of the limited number of attributes that will initially be integrated between the two directories.
- Default OUs will be used for user accounts that have not already been created in CalNetAD.

Production +4 Months
- Install application server
- Install production MetaMerge environment
- Test CalNet synchronization
- Develop migration strategies and procedures
- COEDEAN OU created
- IEOR OU created
- IAS OU created

(Final) Production +5 Months
- COE migration
- Implement CalNet synchronization
- Build test environment VM library
- Present to the Letters and Science Security Seminar
- Business Services presentation
- Revise web site

Production +6 Months
- COE migration
- Planning Committee meeting
- Test certificate server (VMware)
- Application server

Production +7 Months
- COE migration
- IEOR migration
- Install SP3
- Document directory integr

Production +8 Months
- CalNetAD Intro Seminar: teach new administrators basic OU management skills
- Revise design documentation

Production +9 Months
- Planning Committee meeting
- Security Subcommittee
- Windows Security Berkeley presentation to Micronet

Production +10 Months
- LAW OU created
- Microsoft discontinues free non-security hotfixes for Windows NT 4.0 Server

Production +1 Year
100% Uptime: no scheduled or unscheduled outages

Production + 12 Months (3/03)
- Planning Committee meeting
- Present to the Institute of Industrial Relations
- actdir06 added to the UC domain, located out of the data center
- Seminar on enabling loopback processing

Production +14 Months
Security Subcommittee
- IDS software
- IPsec filters
- SUS (Software Update Services)

Production +15 Months

- LAW migration
- Planning Committee meeting
- CalNetPKI
- Test Server 2003
- Microsoft and CalNetAD discontinue support fo f

Production +17 Months (Present)
Microsoft sponsored Migrating to Server 2003 seminar

Production +18 Months
Planning Committee meeting

Production +22 Months (January)
Migrate DCs to Windows Server 2003

Future
- Smart card deployment
- Certificate services
- Web services
- File storage
- Check out Windows SharePoint Services (free with Server 2003)

Questions

Eric Chamberlain eric@uclink.berkeley.edu http://calnetad.berkeley.edu