CalNet Active Directory 10/18/08
Introduction to Active Directory
[Diagram: Introduction to Active Directory. Elements shown: CalNet Kerberos Authentication (MIT); DNS (BIND); CalNet Directory Services (LDAP); Organizational Units containing Users, Groups and Computers (including a laptop and a print queue); transitive, two-way trusts between domains; the haas.uc.berkeley.edu (HAAS) domain.]
CalNet AD Design Goals
CalNet AD Design Participants
Why join CalNet AD?
CalNet AD Design
[Diagram: CalNet AD Design. Forest root domain (UC) with a trust to the MIT Kerberos realm BERKELEY.EDU; child domain campus.berkeley.edu (CAMPUS) with domain controllers actdir03, actdir04 and actdir05, one of them located at Boalt Hall; domain controllers also provide GC (global catalog) and NTP; the CAMPUS domain controllers hold the IM, PDC and RID roles. Subdomains join here as xx.campus.berkeley.edu (XX); haas.uc.berkeley.edu (HAAS) is also shown in the forest.]
FSMO role legend:
SM=Schema Master
DNM=Domain Naming Master
RID=Relative ID Master
PDC=PDC Emulator
IM=Infrastructure Master
Server Hardware
Dell PowerEdge 2550
– Dual 933MHz PIII
– 1GB RAM
– 2 redundant power supplies
– 5 drives with RAID 1, and RAID 5 configuration
Hardware/OS monitoring by CCS-SDA on a 24/7 basis
Domain Controllers
Backup performed nightly and data stored on and off site
Physically secured
– Double locked doors requiring proximity card access
– Lockable rack cabinets
– SmartCard logon (future)
4 domain controllers in Evans Hall
– 2 domain controllers for each domain
– Each DC is connected to two UPS
– Each UPS is fed from a separate PDU
One CAMPUS domain controller located outside Evans Hall at Boalt
– Located on campus backbone
– Power to building supplied by a separate power substation
Test Hardware
Dell PowerEdge 2550
– Dual 1133MHz PIII
– 2GB RAM
– 2 redundant power supplies
– 4 drives with RAID 5 configuration
Test Environment
VMware GSX Server software
Hosts
– 2 UC-TEST domain controllers
– 2 CAMPUS-TEST domain controllers
– FreeBSD test KDC and BIND DNS
Available for integration testing
Backup/Recovery testing
CalNet AD Implementation Status
Design available at http://calnetad.berkeley.edu/
Domain controllers installed and configured for the uc.berkeley.edu and campus.berkeley.edu domains
Full Production status in August 2002 (CalNet account synchronization)
Test environment is implemented
Out-of-Evans domain controller for the CAMPUS domain located at Boalt
Security
GPO to disable IIS services by default
GPO to set minimum level of security on member machines
DC physical security
Empty forest root domain
Restricted number of Enterprise Administrator accounts
Administrator SmartCard logon (e-Berkeley funded project)
GPO
Group Policies kept to a minimum
Based on NSA recommendations and modified for UCB
Domain group policies
– Password and Kerberos settings
– Disable IIS
– Disable DDNS updates
Domain controller group policies
– Restrict administrative group membership
– Require NTLMv2/Kerberos authentication
– Restrict domain controller access
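An added audit script (not from the CalNet AD deck or the CalNetAD group) that checks, on one member machine, whether the settings the domain policies above name are in effect. The registry paths are the standard Windows locations for these settings; the target values (LmCompatibilityLevel 5 for "require NTLMv2/Kerberos", DisableDynamicUpdate 1 for "disable DDNS updates", W3SVC disabled for "disable IIS") are assumptions about how the deck's bullets map to settings. Password and Kerberos ticket policy are domain-level and are not covered here.

```powershell
# Added example, not part of the original deck. Reads the local effective
# settings that the CalNet AD domain policies are assumed to enforce.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value or key absent: report as not configured
}

function Test-CalNetBaseline {
    $results = @()

    # LmCompatibilityLevel 5 = send NTLMv2 response only; refuse LM and NTLM.
    # Assumption: the deck's "Require NTLMv2/Kerberos" corresponds to level 5.
    $lm = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
    $results += [pscustomobject]@{
        Check = 'NTLMv2/Kerberos only (LmCompatibilityLevel)'
        Value = $lm
        Pass  = ($null -ne $lm -and $lm -ge 5)
    }

    # DisableDynamicUpdate 1 = this host does not register its own DNS records.
    $ddns = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' 'DisableDynamicUpdate'
    $results += [pscustomobject]@{
        Check = 'Dynamic DNS updates disabled'
        Value = $ddns
        Pass  = ($ddns -eq 1)
    }

    # IIS: the World Wide Web Publishing service (W3SVC) should be absent or disabled.
    $iis = Get-CimInstance Win32_Service -Filter "Name='W3SVC'" -ErrorAction SilentlyContinue
    $iisMode = if ($iis) { $iis.StartMode } else { 'not installed' }
    $results += [pscustomobject]@{
        Check = 'IIS (W3SVC) disabled'
        Value = $iisMode
        Pass  = (-not $iis -or $iis.StartMode -eq 'Disabled')
    }

    return $results
}

Test-CalNetBaseline | Format-Table -AutoSize
```

Run it on a domain member after a `gpupdate` to confirm the GPO actually reached the machine; a failing row points at a policy that is not applying rather than at a misconfigured GPO object.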
Certificates
Participating in UCOP user certificate initiative
Offline campus root CA
AD integrated subordinate CAs
Uses
– SSL
– IPSEC
– Code signing
– SmartCards
EFS
Enabled when certificates are implemented
Key recovery will be delegated to OU administrators
Recovery policies will follow current campus computer policy
User Authentication
NTLMv2 support (pre-Windows 2000, SAMBA, Mac)
Kerberos support
– BERKELEY.EDU – MIT Kerberos Realm
– User authenticates with CalNetID@BERKELEY.EDU
User account information will come from CalNet LDAP database
Administrators will not need to manage user information/passwords
Current/Future Users
COIS joined as an OU
HAAS joined haas.uc.berkeley.edu domain to forest
IST-DOCS is investigating OU migration issues
COE (Dean’s Office) joined as an OU
IEOR joined as an OU
IIR joined as an OU
IAS joined as an OU
OE joined as an OU
CCHEM joined as an OU
CCS-SDA (HRMS) joined as an OU
WSS-W&MF (Fall ’02)
CalNet AD Future Directions
Improve infrastructure for high availability: add DCs and an out-of-Evans KDC
Add certificate authority services for secure traffic and EFS
Integrate with UCOP certificate initiative
Add SmartCard support for secure machine access
Add administrative server for performance and security monitoring and tuning (IDS, firewalls).
Add file sharing server for roaming user profiles and data storage.
Testing IDS solutions for domain controllers
Coordinate Microsoft training sessions for new administrators.
Establish minimum security standards for domain workstations
How to join CalNetAD
Check website for more information http://calnetad.berkeley.edu
Schedule meeting with the CalNetAD group
Sign a CalNetAD SLA
Join CalNetAD Planning Committee
Provide the DNS name of the first machine to join new OU
Provide the CalNet ID of the first OU admin
Provide the name of an OU administrative mail list