
CalNet AD: UC Berkeley's Active Directory Implementation
1
CalNet Active Directory 10/18/08
Introduction to Active Directory

[Diagram: Berkeley Network Infrastructure - CalNet Kerberos Authentication (MIT), DNS (BIND*) and CalNet Directory Services (LDAP), serving desktop computers and laptops]

* BIND = Berkeley Internet Name Domain

• Part of the suite of Windows 2000 products
• Microsoft's implementation of the CalNet model
• Enterprise class software which makes extensive use of enterprise-wide computing infrastructures
• Integration with CalNet necessitates central support
Some Active Directory Terminology

[Diagram: the CalNetAD forest - Tree1 uc.berkeley.edu and Tree2 campus.berkeley.edu, joined by transitive two-way trusts, with haas.uc.berkeley.edu (HAAS) as a child domain; Organizational Units holding Groups, Users, Computers and Print Queues]

• Forest – A collection of one or more trees of domains, organized as peers and connected by two-way transitive trusts.
• Domain – A directory-based container object containing a hierarchical structure of other containers and objects (OUs); domains can be joined into trees of domains.
• Organizational Unit (OU) – A logical container used within domains for which administrative authority can be delegated to designated groups.
Major Features of Active Directory

• Directory Service based on Lightweight Directory Access Protocol (LDAP) v3
• Name resolution is based on the Domain Name System (DNS), replacing the Windows Internet Name Service (WINS)
• Support for Kerberos 5 authentication
• Support for delegation of authority to Organizational Units
• PKI support, including SmartCards and certificates
CalNet AD Design Goals

• Support for a single sign-on environment
• Interoperability with campus infrastructure for DNS, directory services, and CalNet authentication
• Improved security at the desktop level
• Improved management and administration of workstations
• 'Opt-in' model
– Join the CAMPUS domain as an OU
– Create a child domain under CAMPUS
CalNet AD Design Participants

• IST Implementation Team
– CCS (Mike Blasingame, Eric Chamberlain, Arden Pineda)
– WSS (Karl Grose)
– CNS (Mike Sinatra)
– SNS (Mike Friedman)
– Consultant
• Campus Planning Committee (and Security Subcommittee)
– http://calnetad.berkeley.edu/planning/planning_members.html
– Calnetad-planning@uclink.berkeley.edu
– Calnetad-security@uclink.berkeley.edu
Why join CalNet AD?

• Access to CalNet services
• Easier, searchable access to network services (printers, file servers, etc.) published in the forest
• Centralized support for hardware, security, redundancy, and backup requirements provided to the central domain controllers
• Easier desktop management
– remote software installation
– policy implementation via Group Policy Objects (GPOs)
– centralized file storage and user data
– minimum security requirements can be established
• Decentralized/dynamic management
• Centrally funded infrastructure
CalNet AD Design

[Diagram: forest root uc.berkeley.edu (UC) on domain controllers actdir01 and actdir02 (Netfinity 3000), holding the SM, DNM, PDC, IM, GC and RID roles and serving as NTP source; MIT Kerberos realm BERKELEY.EDU, labelled "All shadow accounts reside here (from MIT realm)"; campus.berkeley.edu (CAMPUS) on actdir03, actdir04 and actdir05 (Netfinity 3000), holding the IM, GC, PDC and RID roles and NTP, with actdir05 located at Boalt Hall; OUs are delegated in CAMPUS (College X, College Y, Dept. Z); subdomains join as xx.campus.berkeley.edu (XX) and haas.uc.berkeley.edu (HAAS)]

Legend:
– SM = Schema Master
– DNM = Domain Naming Master
– RID = Relative ID Master
– PDC = PDC Emulator
– IM = Infrastructure Master
– GC = Global Catalog
– NTP = Network Time Protocol
Server Hardware

• Dell PowerEdge 2550
– Dual 933MHz PIII
– 1GB RAM
– 2 redundant power supplies
– 5 drives in RAID 1 and RAID 5 configuration
• Hardware/OS monitoring by CCS-SDA on a 24/7 basis
Domain Controllers

• Backup performed nightly and data stored on and off site
• Physically secured
– Double locked doors requiring proximity card access
– Lockable rack cabinets
– SmartCard logon (future)
• 4 domain controllers in Evans Hall
– 2 domain controllers for each domain
– Each DC is connected to two UPSs
– Each UPS is fed from a separate PDU
• One CAMPUS domain controller located outside Evans Hall at Boalt
– Located on the campus backbone
– Power to the building supplied by a separate power substation
Test Hardware

• Dell PowerEdge 2550
– Dual 1133MHz PIII
– 2GB RAM
– 2 redundant power supplies
– 4 drives in RAID 5 configuration
Test Environment

• VMware GSX Server software
• Hosts
– 2 UC-TEST domain controllers
– 2 CAMPUS-TEST domain controllers
– FreeBSD test KDC and BIND DNS
• Available for integration testing
• Backup/recovery testing
CalNet AD Implementation Status

• Design available at http://calnetad.berkeley.edu/
• Domain controllers installed and configured for the uc.berkeley.edu and campus.berkeley.edu domains
• Full production status in August 2002 (CalNet account synchronization)
• Test environment is implemented
• Out-of-Evans domain controller for the CAMPUS domain located at Boalt
Security

• GPO to disable IIS services by default
• GPO to set a minimum level of security on member machines
• DC physical security
• Empty forest root domain
• Restricted number of Enterprise Administrator accounts
• Administrator SmartCard logon (e-Berkeley funded project)
GPO

• Group Policies kept to a minimum
• Based on NSA recommendations and modified for UCB
• Domain group policies
– Password and Kerberos settings
– Disable IIS
– Disable DDNS updates
• Domain controller group policies
– Restrict administrative group membership
– Require NTLMv2/Kerberos authentication
– Restrict domain controller access
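An added audit script, not part of the deck or the CalNetAD project, that checks a member machine or domain controller for the settings the domain and DC policies above are meant to enforce; the registry paths, service name and AD cmdlets are documented Windows names, while the thresholds (minimum password length, admin group size) are assumptions.

```powershell
# Added example: audit the settings the CalNet AD GPOs are meant to enforce.
# Registry paths, service and group names are documented Windows names;
# the numeric thresholds are assumptions, not CalNet AD policy values.
function Test-CalNetAdPolicy {
    $findings = @()

    # Require NTLMv2/Kerberos: LmCompatibilityLevel 3 = send NTLMv2 only,
    # 5 = additionally refuse LM and NTLM (the value expected on DCs).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lm  = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { 0 }
    if ($lm -lt 3) { $findings += "LmCompatibilityLevel=$lm; expected 3 or higher (NTLMv2 only)" }

    # Disable IIS: the World Wide Web Publishing service must be absent or disabled.
    $w3 = Get-CimInstance -ClassName Win32_Service -Filter "Name='W3SVC'"
    if ($w3 -and $w3.StartMode -ne 'Disabled') {
        $findings += "IIS service W3SVC start mode is $($w3.StartMode); expected Disabled"
    }

    # Disable DDNS updates: either the TCP/IP parameter or the DNS Client
    # policy value turns off dynamic DNS registration for the host.
    $tcpip  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue
    $ddnsOff = ($tcpip.DisableDynamicUpdate -eq 1) -or ($policy -and $policy.RegistrationEnabled -eq 0)
    if (-not $ddnsOff) { $findings += 'Dynamic DNS registration is still enabled' }

    # Password settings and restricted administrative group membership need
    # the ActiveDirectory module; skipped on a machine without it.
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        $pw = Get-ADDefaultDomainPasswordPolicy
        if ($pw.MinPasswordLength -lt 8) {            # 8 is an assumed threshold
            $findings += "MinPasswordLength=$($pw.MinPasswordLength); expected 8 or more"
        }
        if (-not $pw.ComplexityEnabled) { $findings += 'Password complexity is not enforced' }
        foreach ($grp in 'Enterprise Admins', 'Schema Admins') {
            $members = @(Get-ADGroupMember -Identity $grp -Recursive)
            if ($members.Count -gt 5) {                # 5 is an assumed ceiling
                $findings += "$grp has $($members.Count) members; review against the approved list"
            }
        }
    }
    return $findings
}

$result = Test-CalNetAdPolicy
if ($result.Count -eq 0) { 'No deviations from the expected GPO settings found' } else { $result }
```

Run it as a scheduled task from an administrative workstation and compare successive outputs to detect policy drift on member machines.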
Certificates

• Participating in the UCOP user certificate initiative
• Offline campus root CA
• AD-integrated subordinate CAs
• Uses
– SSL
– IPSEC
– Code signing
– SmartCards
EFS

• Enabled when certificates are implemented
• Key recovery will be delegated to OU administrators
• Recovery policies will follow current campus computer policy
User Authentication

• NTLMv2 support (pre-Windows 2000, SAMBA, Mac)
• Kerberos support
– BERKELEY.EDU – MIT Kerberos realm
– User authenticates with CalNetID@BERKELEY.EDU
• User account information will come from the CalNet LDAP database
• Administrators will not need to manage user information/passwords
User Authentication

[Diagram slide; no text extracted]
Current/Future Users

• COIS joined as an OU
• HAAS joined the haas.uc.berkeley.edu domain to the forest
• IST-DOCS is investigating OU migration issues
• COE (Dean's Office) joined as an OU
• IEOR joined as an OU
• IIR joined as an OU
• IAS joined as an OU
• OE joined as an OU
• CCHEM joined as an OU
• CCS-SDA (HRMS) joined as an OU
• WSS-W&MF (Fall '02)
CalNet AD Future Directions

• Improve infrastructure for high availability: add DCs and an out-of-Evans KDC
• Add certificate authority services for secure traffic and EFS
• Integrate with the UCOP certificate initiative
• Add SmartCard support for secure machine access
• Add an administrative server for performance and security monitoring and tuning (IDS, firewalls)
• Add a file sharing server for roaming user profiles and data storage
• Test IDS solutions for domain controllers
• Coordinate Microsoft training sessions for new administrators
• Establish minimum security standards for domain workstations

• Send comments to: calnetad-planning@uclink.berkeley.edu
How to join CalNetAD

• Check the website for more information: http://calnetad.berkeley.edu
• Schedule a meeting with the CalNetAD group
• Sign a CalNetAD SLA
• Join the CalNetAD Planning Committee
• Provide the DNS name of the first machine to join the new OU
• Provide the CalNet ID of the first OU admin
• Provide the name of an OU administrative mail list