
Case Study of an Active Directory Deployment
Eric Chamberlain, CISSP

Presentation on the history and future of the Berkeley campus Active Directory deployment.

8/4/2003 Copyright © 2003 The Regents of the University of California 1


CalNetAD Services
http://calnetad.berkeley.edu
Centrally funded
Support for the domain controllers that run the forest
Computer resource management
Support for development and distribution of utility and administrative scripts



CalNetAD Services
Forum for discussion of Active Directory and Security issues
Presentations about the CalNetAD service and related topics
Notice of important changes and scheduled maintenance
A service calendar which lists important events and milestones



Forest Information
Our size: 65,000 user accounts
23 Units in OUs
3235 Computers in Forest
Average one unauthorized connection attempt per machine per hour



Forest Information



Forest Information



In the Beginning



Existing Infrastructure

Berkeley Network Infrastructure (diagram): a Computer and a Laptop client using CalNet Kerberos Authentication (MIT), DNS (BIND)*, and CalNet Directory Services (LDAP)

* BIND = Berkeley Internet Name Domain

Kerberos Realm (MIT Kerberos v5)
CalNet Directory Service (Sun/iPlanet LDAPv3)
DNS (BIND)

Initial Concerns
Multiple forests
Burden on the DNS system
Multiple user IDs



Goals
CalNet ID will be used for Windows desktop login
CalNet Directory public information will be synchronized to AD
DNS namespace for AD will support DDNS
Minimal forests
Collaborative resource

Initial Team (1.8 FTE)
Central Computing Services (Lead)
 LDAP
System and Network Security
 Kerberos
Workstation Support Services
Communications and Network Services
 DNS
13-member advisory group

CalNetAD



Getting Started
Schedule a meeting with the CalNetAD project team.
Agree to the CalNetAD policies and complete a Service Level Agreement (SLA).
Provide the CalNetAD project team with the name of a mailing list of local administrators.
Provide the CalNetAD project team with the CalNet ID of the first administrator for the new OU.
Provide the CalNetAD project team with the DNS name of the first computer that will join the new OU.
Participate in the CalNetAD Planning Committee.



Joining as a Domain
Everyone wants to join as a domain at first
Strongly discouraged
Requires agreement to additional responsibilities and limitations
 Creating subdomains is not allowed.
 At least two (2) Domain Controllers (DCs) are required for a domain.
 The domain controllers should be installed on appropriately configured, fault-tolerant server-class machines.
 OS patches, fixes, upgrades, etc., are expected to be applied in a timely fashion to maintain forest security and OS consistency among domain controllers.
 The DCs are expected to be in operation at all times except for scheduled maintenance.
 Keep servers in a locked, access-controlled room.



Joining as an Organizational Unit (OU)
Departments and units are encouraged to join the CalNetAD as an Organizational Unit (OU).
Control of an OU in the CalNetAD forest will be delegated to an OU administrator group who shall have the ability to manage users, computers, local security groups, and Group Policy Objects (GPOs).



OU Administrators
Must read and agree to the policies, prior to being given an administrative account.
Any local administrator who creates an administrative account for another local administrator must make sure the new administrator has read and agreed to these policies.
All CalNetAD local administrators (or their proxy) are expected to participate in the CalNetAD Planning Committee and attend its meetings.



Standards



Naming Standards
Many departments and units, large and small
Most administrative responsibilities delegated to system administrators
Maintain an orderly forest, to ease recognition of forest resources, and to help avoid naming collisions.



Computer Names
xxx-rest_of_name (or) xxxrest_of_name
xxx
 Registered organization prefix, 2 or more characters in length.
rest_of_name
 Suffix chosen by the organization creating the computer.
Example: COIS-EXAMPLE123456789



User Account Names
The account name must be unique within the domain
Shadow Account
 CalNetID
 Example: eric@BERKELEY.EDU
Private Account
 Prefixed by bang (!) followed by the OU prefix and the user id
 Bangs are not allowed in CalNetIDs, so these names will not conflict with Shadow Accounts that may be created in the future.
 Example: !OU-localname
 For compatibility with pre-Windows 2000 operating systems the account name is limited to 15 characters.



Security and Distribution Groups
ddd-group_name-tt
 ddd: CalNetAD OU name
 group_name: descriptive name which explains the purpose of the group
 tt: type of group
  ls domain local security
  gs global security
  us universal security
  ld domain local distribution
  gd global distribution
  ud universal distribution
 Example: COIS-OU Admins-gs
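The three naming standards above (computer names, shadow and private user account names, and group names) folded into one checker, as an added example rather than code from the CalNetAD project; the registered prefixes other than COIS and HAAS, and the host-name character set allowed in the computer-name suffix, are assumptions.

```python
import re

# Assumption: registered organization (OU) prefixes. The slides name COIS and
# HAAS; the other two are constructed for this example.
REGISTERED_PREFIXES = {"COIS", "HAAS", "IEOR", "LAW"}
# Group-type suffixes from the slide: scope (l/g/u) followed by kind (s/d)
GROUP_TYPES = {"ls": "domain local security", "gs": "global security",
               "us": "universal security", "ld": "domain local distribution",
               "gd": "global distribution", "ud": "universal distribution"}
LEGACY_NAME_LIMIT = 15  # pre-Windows 2000 account-name limit from the slide

def _split_prefix(name):
    """(PREFIX, rest) if name starts with a registered prefix, else None.
    Accepts both 'xxx-rest' and 'xxxrest' (longest prefix wins)."""
    upper = name.upper()
    for prefix in sorted(REGISTERED_PREFIXES, key=len, reverse=True):
        if upper.startswith(prefix):
            rest = name[len(prefix):]
            return prefix, rest[1:] if rest.startswith("-") else rest
    return None

def check_computer_name(name):
    """Computer names: xxx-rest_of_name or xxxrest_of_name."""
    split = _split_prefix(name)
    if split is None:
        return False, "no registered organization prefix"
    # Assumption: the suffix is limited to DNS host-name characters
    if not re.fullmatch(r"[A-Za-z0-9-]+", split[1]):
        return False, "missing or invalid rest_of_name suffix"
    return True, "computer"

def check_user_name(name):
    """Shadow: calnetid@BERKELEY.EDU (no bang). Private: !OU-localname, <= 15 chars."""
    if name.startswith("!"):
        if len(name) > LEGACY_NAME_LIMIT:
            return False, "private account name exceeds 15 characters"
        body = name[1:]
        split = _split_prefix(body)
        # the hyphen between OU prefix and local name is required here
        if not split or not split[1] or not body[len(split[0]):].startswith("-"):
            return False, "private account must be !OU-localname"
        return True, "private"
    if "!" in name:
        return False, "bang is reserved for the start of private account names"
    if not re.fullmatch(r"[A-Za-z0-9._]+@BERKELEY\.EDU", name):
        return False, "shadow account must be calnetid@BERKELEY.EDU"
    return True, "shadow"

def check_group_name(name):
    """Groups: ddd-group_name-tt, with tt one of the GROUP_TYPES codes."""
    parts = name.split("-")
    if len(parts) < 3:
        return False, "group name must be ddd-group_name-tt"
    prefix, middle, kind = parts[0], "-".join(parts[1:-1]), parts[-1]
    if prefix.upper() not in REGISTERED_PREFIXES:
        return False, "unknown OU prefix"
    if not middle.strip():
        return False, "missing descriptive group_name"
    if kind not in GROUP_TYPES:
        return False, "unknown group type suffix"
    return True, GROUP_TYPES[kind]
```

Each checker returns (ok, detail), so the same functions can be run over an export of existing names to find objects that predate the standard.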



Group Policy Objects (GPOs)
Use a CalNetAD OU Name as a prefix for all Group Policy names.
Example: "COIS staff policy" or "HAAS lab 300 policy"



Authentication
Clear text is not allowed
All accounts must have a robust password that meets certain basic requirements for strength, complexity and form.



Account synchronization
Initially students are loaded into one OU.
 FERPA
 Registrar Requirements
 Multiple units
Faculty, staff, and affiliate user accounts loaded into departmental OUs.
 Home department code from the Payroll Action Form (PAF) would be useful as the department designator to map to CalNetAD OUs.
 Changes to the PAF Home Department Code would not be sufficient to cause an automatic move into or out of an OU without prior agreements from the involved parties.
 Issues that need more discussion are dual appointments and account deletions.



About the Forest



Enterprise Administration Responsibilities
Install and maintain the Active Directory domain controllers
On duty Monday-Friday, from 8 a.m. to 5 p.m.
Manage the flow of information from the CalNet Directory to CalNetAD.
Communicate all enterprise-wide changes to domain and OU administrators via the CalNetAD Change Management System.
Have administrator privileges on all domain controllers and OUs
Assume a "hands-off" approach to local domain and OU administration.
The EA group is not responsible for the administration of local user accounts (other than providing shadow CalNet ID accounts).
Only when faced with an enterprise-wide emergency will an Enterprise Administrator take action at the domain or OU level.



Domain Modifications
Campus
 Default number of workstations a domain user could add to the domain was changed from 10 to 0.
 Only administrators can add workstations to the domain.
UC
 The domain ACLs have been modified to prevent users from viewing internal structure.



Software License Compliance
Participation in the CalNetAD forest does not entitle departments to licenses for operating systems or other software for departmental systems.
The CalNetAD service includes only licenses for software required to operate the CalNetAD forest and Domain Controllers.
Departments should ensure that systems participating in the CalNetAD forest are properly licensed for software running on their systems, including operating system or server software.



Network Services
Windows DNS Server Services
Turn off DDNS registration.
Computers must be registered in DNS to
communicate properly.
DHCP services must be coordinated
Internet Information Server (IIS)
Distributed File System (DFS)
Encrypted File Services (EFS)



Schema Changes
The schema defines objects and their associated attributes.
Changes to the schema affect Active Directory across the entire CalNetAD forest.
Schema changes will have to meet several requirements including privacy, appropriateness, and potential for conflict.
Schema changes will first be implemented and tested in the test environment.
After successful testing, normal change management procedures will be followed to move the schema change into production.
Changes to the production schema will only be implemented by IST during maintenance blocks following a prearranged notification with domain administrators.



Macintosh integration
The Workstation & Microcomputer Facilities is currently testing the process of integrating OS X.
Due to the requirement of having a home directory for users, W&MF needed the flexibility of specifying this path on each computer.
 Active Directory would have required the attribute to be the same for every single user on campus, which was not feasible.
 Our solution has been to use iPlanet where we could specify a specific attribute for just this purpose.
Even though we still have more testing to do, the results have been very positive thus far.



Timeline
Initial Production 3/2002
Final Production 8/2002



Production -7 Months
CalNetID (MIT Kerberos) for login
CalNet (LDAP) public information synchronized
DNS (BIND) namespace for DDNS
2 Domains (empty root)
Consultant helped with hardware sizing
 4 initial DCs ordered
Presented to e-Architecture Working Group
http://calnetad.berkeley.edu web site is set up with CalNetAD information



Production -5 Months
Design Goals
 Support for single sign-on
 Interoperability (DNS, LDAP, Kerberos)
 Improve Desktop Security
 Opt-in model
Investigating how to synchronize LDAP and AD
Eric Chamberlain was hired as the Campus Active Directory Architect
2.3 FTE
Presented to Administrative Systems Operations Committee
HAAS (Business School) joined as first major unit



Production -5 Months



Production -3 Months (Pilot Status)
Planning Committee Meeting
 8-5 M-F support
 Security Subcommittee formed
Presented to the CalNet Steering Committee
Article published in the Berkeley Computing and Communications newsletter
Chancellor's Office and Departmental On-site Computing Support join



Production -3 Months (Pilot Status)



Production -2 Months 1/02
Test Environment setup
Establishing GPOs
Security Subcommittee Meeting
 Require NTLMv2 or Kerberos
 Disable IIS
 Need for Certificates
Future
 High availability
 Certificates
 Training for new administrators
Presented to the CalNet Working Committee
Presented to the Information Technology Architecture Committee



Production -1 Month (Pilot Status)
Preparing an out-of-data-center DC
Developed SLA
Present at the Internet2 Middleware Conference
Present to Micronet
Present to eBerkeley Implementation Task Force
Membership expands to 10 units



Production -1 Month (Pilot Status)
Security
 Site wide GPOs
 Disable IIS services by default
 DC physical security
 Empty forest root domain
 Restricted number of Enterprise Administrator accounts
 SmartCard logon (future)
GPO
 Group Policies kept to a minimum
 Based on NSA recommendations and modified for UCB
 Disable IIS
 Require NTLMv2/Kerberos authentication



Initial Production
Service stable
Continue policy development
Planning committee meeting
Develop OU Admin training materials
LDAP synchronization work
All of the GPO templates have been loaded into the test environment and tested.
Back-up restore and other disaster recovery procedures have been tested.
New CalNetAD members
 IST Operations (IST-OPS)
 Ocean Engineering Graduate Group (OE)
 Workstation Microcomputer Facilities (IST-WSS)
 Central Computing Services – Systems and Data Administration



Initial Production
Planned Infrastructure improvements
 A new Dell 2550 server has been purchased to serve as a third domain controller for the CAMPUS domain.
Test Machine
 The test machine (Dell 2550) and environment (VMware Server) are complete. VMs have been established for test versions of the KDC, DNS, and Active Directory domains and their controllers.
Trouble ticket reporting system and Change Management web site



Production +1 Month
Security Subcommittee meeting
 IPSEC
  IPSEC to secure communications between DCs
  IPSEC network cards in the DCs to off-load the IPSEC overhead from the CPUs
 IDS Testing
 Certificate Services
  Units were interested in VPN support
  The CalNetAD team requested money for servers to support a central Microsoft Certificate Service.
  The CalNetAD team will be using the service for the Enterprise Admin smart cards as well as the IPSEC traffic between DCs.
Design CalNet synchronization

Production +3 Months (6/02)
Planning Committee meeting
e-Berkeley agreed to fund smart card research and a CalNetAD certificate server.
A third DC for the CAMPUS domain installed at Boalt
IPSec network cards installed in all of the Domain Controllers.
Hired Arden Pineda (3.3 FTE)
HAAS domain joined
CCHEM OU created
IIR OU created



Production +3 Months
Code CalNet synchronization
 Using a tool named MetaMerge to integrate the two directories.
Tested adding the inetorgperson schema changes.
The CalNet ID is used for most of the limited number of attributes that will initially be integrated between the two directories.
Default OUs will be used for user accounts that have not already been created in CalNetAD.



Production +4 Months
Install Application Server
Install Production MetaMerge environment
Test CalNet synchronization
Develop migration strategies and procedures
COEDEAN OU created
IEOR OU created
IAS OU created



(Final) Production +5 Months
COE migration
Implement CalNet synchronization
Build Test Environment VM
Revise Web Site
Present to Letters and Science Security Seminar
Business Services
Library Presentation



Production +6 Months
COE migration
Planning Committee Meeting
Test certificate server (VMware)
Application Server



Production +7 Months
COE migration
IEOR migration
Install SP3
Document directory integr



Production +8 Months
CalNetAD Intro Seminar
 Teach new administrators basic OU
management skills
Revise Design Documentation



Production +9 Months
Planning Committee meeting
Security Subcommittee
Windows Security Berkeley presentation to Micronet



Production +10 Months
LAW OU created
Microsoft discontinues free non-security hotfixes for Windows NT 4.0 Server



Production +1 Year
100% Uptime: no scheduled or unscheduled outages



Production + 12 Months (3/03)
Planning Committee meeting
actdir06 added to the UC domain out of the data center
Present to Institute of Industrial Relations
Seminar on Enabling Loopback Processing



Production +14 Months
Security Subcommittee
 IDS software
 IPSEC Filters
 SUS



Production +15 Months
LAW migration
Planning Committee meeting
CalNetPKI
Test Server 2003
Microsoft and CalNetAD discontinue support fo



Production +17 Months (Present)
Microsoft sponsored Migrating to Server 2003 seminar



Production +18 Months
Planning Committee meeting



Production +22 Months (January)
Migrate DCs to Windows Server 2003



Future
Smart Card deployment
Certificate services
Web services
File storage
Check out Windows Sharepoint Services
 Free with Server 2003



Questions

Eric Chamberlain
eric@uclink.berkeley.edu

http://calnetad.berkeley.edu
