Case Study of an Active Directory Deployment


Page 1: Case study of an active directory deployment

8/4/2003 Copyright © 2003 The Regents of the University of California

Case Study of an Active Directory Deployment

Eric Chamberlain, CISSP

Presentation on the history and future of the Berkeley campus Active Directory deployment.

Page 2: Case study of an active directory deployment

CalNetAD Services

http://calnetad.berkeley.edu

Centrally funded

Support for the domain controllers that run the forest

Computer resource management

Support for development and distribution of utility and administrative scripts

Page 3: Case study of an active directory deployment

CalNetAD Services

Forum for discussion of Active Directory and Security issues

Presentations about the CalNetAD service and related topics

Notice of important changes and scheduled maintenance

A service calendar which lists important events and milestones

Page 4: Case study of an active directory deployment

Forest Information

Our size: 65,000 user accounts

23 Units in OUs

3235 Computers in Forest

Average one unauthorized connection attempt per machine per hour

Page 5: Case study of an active directory deployment

Forest Information

Page 6: Case study of an active directory deployment

Forest Information

Page 7: Case study of an active directory deployment

In the Beginning

Page 8: Case study of an active directory deployment

Existing Infrastructure

Kerberos Realm (MIT Kerberos v5)

CalNet Directory Service (Sun/iPlanet LDAPv3)

DNS (BIND)

[Diagram: CalNet Directory Services (LDAP), DNS (BIND)*, CalNet Kerberos Authentication (MIT), Berkeley Network Infrastructure, Computer, Laptop]

* BIND = Berkeley Internet Name Domain

Page 9: Case study of an active directory deployment

Initial Concerns

Multiple forests

Burden on the DNS system

Multiple user IDs

Page 10: Case study of an active directory deployment

Goals

CalNet ID will be used for Windows desktop login

CalNet Directory public information will be synchronized to AD

DNS namespace for AD will support DDNS

Minimal forests

Collaborative resource

Page 11: Case study of an active directory deployment

Initial Team (1.8 FTE)

Central Computing Services (Lead) - LDAP

System and Network Security - Kerberos

Workstation Support Services

Communications and Network Services - DNS

13 member advisory group

Page 12: Case study of an active directory deployment

CalNetAD

Page 13: Case study of an active directory deployment

Getting Started

Schedule a meeting with the CalNetAD project team.

Agree to the CalNetAD policies and complete a Service Level Agreement (SLA).

Provide the CalNetAD project team with the name of a mailing list of local administrators.

Provide the CalNetAD project team with the CalNet ID of the first administrator for the new OU.

Provide the CalNetAD project team with the DNS name of the first computer that will join the new OU.

Participate in the CalNetAD Planning Committee.

Page 14: Case study of an active directory deployment

Joining as a Domain

Everyone wants to join as a domain at first. Strongly discouraged. Requires agreement to additional responsibilities and limitations:

Creating subdomains is not allowed.

At least two (2) Domain Controllers (DCs) are required for a domain.

The domain controllers should be installed on appropriately configured, fault-tolerant server-class machines.

OS support for patches, fixes, upgrades, etc., is expected to be applied in a timely fashion to maintain forest security and OS consistency among domain controllers.

The DCs are expected to be in operation at all times except for scheduled maintenance.

Keep servers in a locked, access controlled room.

Page 15: Case study of an active directory deployment

Joining as an Organizational Unit (OU)

Departments and units are encouraged to join the CalNetAD as an Organizational Unit (OU). Control of an OU in the CalNetAD forest will be delegated to an OU administrator group who shall have the ability to manage users, computers, local security groups, and Group Policy Objects (GPOs).

Page 16: Case study of an active directory deployment

OU Administrators

Must read and agree to the policies, prior to being given an administrative account.

Any local administrator who creates an administrative account for another local administrator must make sure the new administrator has read and agreed to these policies.

All CalNetAD local administrators (or their proxy) are expected to participate in the CalNetAD Planning Committee and attend its meetings.

Page 17: Case study of an active directory deployment

Standards

Page 18: Case study of an active directory deployment

Naming Standards

Many departments and units, large and small

Most administrative responsibilities delegated to system administrators

Maintain an orderly forest, to ease recognition of forest resources, and to help avoid naming collisions.

Page 19: Case study of an active directory deployment

Computer Names

xxx-rest_of_name (or) xxxrest_of_name

xxx: Registered organization prefix, 2 or more characters in length.

rest_of_name: Suffix chosen by the organization creating the computer.

Example: COIS-EXAMPLE123456789

Page 20: Case study of an active directory deployment

User Account Names

The account name must be unique within the domain.

Shadow Account: CalNetID. Example: [email protected]

Private Account: Prefixed by bang (!) followed by the OU prefix and the user id. Bangs are not allowed in CalNetIDs, so these names will not conflict with Shadow Accounts that may be created in the future. Example: !OU-localname

For compatibility with pre-Windows 2000 operating systems the account name is limited to 15 characters.

Page 21: Case study of an active directory deployment

Security and Distribution Groups

ddd-group_name-tt

ddd: CalNetAD OU name

group_name: descriptive name which explains the purpose of the group

tt: type of group
  ls  domain local security
  gs  global security
  us  universal security
  ld  domain local distribution
  gd  global distribution
  ud  universal distribution

Example: COIS-OU Admins-gs
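The three naming standards above (Computer Names, User Account Names, and Security and Distribution Groups) are easy to check mechanically before an object is created. The PowerShell below is an added example, not code from the presentation or from the CalNetAD service; the function names, the list of registered prefixes, the allowed-character rule for the suffix (letters, digits and underscore) and the sample names are this example's own assumptions. The group validator also maps the two-letter type code to the AD group scope and category it stands for.

```powershell
# Added example (not from the presentation): validators for the CalNetAD naming
# standards. Function names, registered prefixes and sample names are constructed.

# Type suffixes from the slide, mapped to the AD scope/category they imply.
$GroupTypeCodes = @{
    'ls' = @{ Scope = 'DomainLocal'; Category = 'Security' }
    'gs' = @{ Scope = 'Global';      Category = 'Security' }
    'us' = @{ Scope = 'Universal';   Category = 'Security' }
    'ld' = @{ Scope = 'DomainLocal'; Category = 'Distribution' }
    'gd' = @{ Scope = 'Global';      Category = 'Distribution' }
    'ud' = @{ Scope = 'Universal';   Category = 'Distribution' }
}

function Test-CalNetADComputerName {
    # xxx-rest_of_name or xxxrest_of_name: a registered prefix of at least two
    # characters, optional hyphen, then a suffix chosen by the organization.
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string[]]$RegisteredPrefixes)
    foreach ($prefix in $RegisteredPrefixes) {
        if ($prefix.Length -lt 2) { continue }
        if ($Name -match ('^' + [regex]::Escape($prefix) + '-?\w+$')) { return $true }
    }
    return $false
}

function Test-CalNetADUserName {
    # Shadow accounts carry the CalNet ID as-is (a CalNet ID never contains a
    # bang); private accounts are '!' + OU prefix + '-' + local name. Both are
    # limited to 15 characters for pre-Windows 2000 compatibility.
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string[]]$RegisteredPrefixes)
    if ($Name.Length -gt 15) { return 'Invalid' }
    if ($Name -notlike '!*') { return 'Shadow' }
    foreach ($prefix in $RegisteredPrefixes) {
        if ($Name -match ('^!' + [regex]::Escape($prefix) + '-\w+$')) { return 'Private' }
    }
    return 'Invalid'
}

function Test-CalNetADGroupName {
    # ddd-group_name-tt: OU prefix, descriptive name, two-letter type code.
    # Returns the implied scope and category, or $null when the name is invalid.
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string[]]$RegisteredPrefixes)
    if ($Name -notmatch '^(?<ou>[^-]+)-(?<desc>.+)-(?<type>[a-z]{2})$') { return $null }
    if ($RegisteredPrefixes -notcontains $Matches.ou) { return $null }
    if (-not $GroupTypeCodes.ContainsKey($Matches.type)) { return $null }
    [pscustomobject]@{
        OU          = $Matches.ou
        Description = $Matches.desc
        Scope       = $GroupTypeCodes[$Matches.type].Scope
        Category    = $GroupTypeCodes[$Matches.type].Category
    }
}

# Constructed samples: the slide examples plus deliberately non-conforming names.
$prefixes = @('COIS', 'HAAS')
$samples = @(
    @{ Kind = 'Computer'; Name = 'COIS-EXAMPLE123456789' }
    @{ Kind = 'Computer'; Name = 'LAB-PC01' }                      # unregistered prefix
    @{ Kind = 'User';     Name = '!COIS-localname' }
    @{ Kind = 'User';     Name = '!COIS-a-very-long-local-name' }  # over 15 characters
    @{ Kind = 'Group';    Name = 'COIS-OU Admins-gs' }
    @{ Kind = 'Group';    Name = 'COIS-OU Admins-xx' }             # unknown type code
)
foreach ($s in $samples) {
    $result = switch ($s.Kind) {
        'Computer' { Test-CalNetADComputerName -Name $s.Name -RegisteredPrefixes $prefixes }
        'User'     { Test-CalNetADUserName     -Name $s.Name -RegisteredPrefixes $prefixes }
        'Group'    {
            $g = Test-CalNetADGroupName -Name $s.Name -RegisteredPrefixes $prefixes
            if ($g) { "$($g.Scope)/$($g.Category)" } else { 'Invalid' }
        }
    }
    '{0,-8} {1,-30} {2}' -f $s.Kind, $s.Name, $result
}
```

A check like this belongs in whatever provisioning step an OU administrator runs before New-ADComputer, New-ADUser or New-ADGroup; the group validator's scope and category output can be passed straight to New-ADGroup so the name and the actual group type cannot drift apart.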

Page 22: Case study of an active directory deployment

Group Policy Objects (GPOs)

Use a CalNetAD OU Name as a prefix for all Group Policy names. Example: "COIS staff policy" or "HAAS lab 300 policy"

Page 23: Case study of an active directory deployment

Authentication

Clear text is not allowed

All accounts must have a robust password that meets certain basic requirements for strength, complexity and form.

Page 24: Case study of an active directory deployment

Account synchronization

Initially students are loaded into one OU (FERPA, Registrar Requirements, Multiple units).

Faculty, staff, and affiliate user accounts loaded into departmental OUs.

Home department code from the Payroll Action Form (PAF) would be useful as the department designator to map to CalNetAD OUs.

Changes to the PAF Home Department Code would not be sufficient to cause an automatic move into or out of an OU without prior agreements from the involved parties.

Issues that need more discussion are dual appointments and account deletions.

Page 25: Case study of an active directory deployment

About the Forest

Page 26: Case study of an active directory deployment

Enterprise Administration Responsibilities

Install and maintain the Active Directory domain controllers. On duty Monday-Friday, from 8 a.m. to 5 p.m.

Manage the flow of information from the CalNet Directory to CalNetAD.

Communicate all enterprise-wide changes to domain and OU administrators via the CalNetAD Change Management System.

Have administrator privileges on all domain controllers and OUs. Assume a "hands-off" approach to local domain and OU administration.

The EA group is not responsible for the administration of local user accounts (other than providing shadow CalNet ID accounts).

Only when faced with an enterprise-wide emergency will an Enterprise Administrator take action at the domain or OU level.

Page 27: Case study of an active directory deployment

Domain Modifications

Campus: Default number of workstations a domain user could add to the domain was changed from 10 to 0. Only administrators can add workstations to the domain.

UC: The domain ACLs have been modified to prevent users from viewing internal structure.
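The "10 workstations per user" default described above is the ms-DS-MachineAccountQuota attribute on the domain naming context. The PowerShell below is an added example, not code from the presentation or the CalNetAD service: it reads the attribute, reports whether it matches the expected value (0, as on the slide) and, only when run with -Enforce, sets it. It assumes the ActiveDirectory module (RSAT) is installed and that the session already has rights on the domain object; the function name is this example's own.

```powershell
# Added example (not from the presentation): audit/enforce ms-DS-MachineAccountQuota.
# Requires the ActiveDirectory module; function name is constructed for this example.

function Test-MachineAccountQuota {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$Expected = 0,   # 0 = no self-service workstation joins
        [switch]$Enforce      # without it the function only reports
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $domain = Get-ADDomain
    $nc = Get-ADObject -Identity $domain.DistinguishedName `
                       -Properties 'ms-DS-MachineAccountQuota'

    # An absent attribute is reported as -1 so it never reads as compliant.
    $raw = $nc.'ms-DS-MachineAccountQuota'
    $current = if ($null -eq $raw) { -1 } else { [int]$raw }

    $result = [pscustomobject]@{
        Domain    = $domain.DNSRoot
        Current   = $current
        Expected  = $Expected
        Compliant = ($current -eq $Expected)
    }

    if (-not $result.Compliant -and $Enforce) {
        if ($PSCmdlet.ShouldProcess($domain.DNSRoot, "Set ms-DS-MachineAccountQuota to $Expected")) {
            Set-ADObject -Identity $domain.DistinguishedName `
                         -Replace @{ 'ms-DS-MachineAccountQuota' = $Expected }
            $result.Current   = $Expected
            $result.Compliant = $true
        }
    }
    return $result
}

# Report only. Add -Enforce to change the value, and -WhatIf to preview the change.
Test-MachineAccountQuota | Format-List
```

Setting the quota to 0 removes the implicit right every authenticated user has to create computer objects; it does not affect accounts that have been explicitly delegated "Create Computer objects" on an OU, which is exactly the "only administrators can add workstations" state the slide describes.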

Page 28: Case study of an active directory deployment

Software License Compliance

Participation in the CalNetAD forest does not entitle departments to licenses for operating systems or other software for departmental systems. The CalNetAD service includes only licenses for software required to operate the CalNetAD forest and Domain Controllers. Departments should ensure that systems participating in the CalNetAD forest are properly licensed for software running on their systems, including operating system or server software.

Page 29: Case study of an active directory deployment

Network Services

Windows DNS Server Services: Turn off DDNS registration. Computers must be registered in DNS to communicate properly.

DHCP services must be coordinated

Internet Information Server (IIS)

Distributed File System (DFS)

Encrypted File Services (EFS)

Page 30: Case study of an active directory deployment

Schema Changes

The schema defines objects and their associated attributes. Changes to the schema affect Active Directory across the entire CalNetAD forest.

Schema changes will have to meet several requirements including privacy, appropriateness, and potential for conflict.

Schema changes will first be implemented and tested in the test environment. After successful testing, normal change management procedures will be followed to move the schema change into production.

Changes to the production schema will only be implemented by IST during maintenance blocks following a prearranged notification with domain administrators.

Page 31: Case study of an active directory deployment

Macintosh integration

The Workstation & Microcomputer Facilities is currently testing the process of integrating OS X.

Due to the requirement of having a home directory for users, W&MF needed the flexibility of specifying this path on each computer.

Active Directory would have required the attribute to be the same for every single user on campus, which was not feasible.

Our solution has been to use iPlanet where we could specify a specific attribute for just this purpose.

Even though we still have more testing to do, the results have been very positive thus far.

Page 32: Case study of an active directory deployment

Timeline

Initial Production 3/2002

Final Production 8/2002

Page 33: Case study of an active directory deployment

Production -7 Months

CalNetID (MIT Kerberos) for login

CalNet (LDAP) public information synchronized

DNS (BIND) namespace for DDNS

2 Domains (empty root)

Consultant helped with hardware sizing

4 initial DCs ordered

Presented to e-Architecture Working Group

http://calnetad.berkeley.edu web site is set up with CalNetAD information

Page 34: Case study of an active directory deployment

Production -5 Months

Design Goals
  Support for single sign-on
  Interoperability (DNS, LDAP, Kerberos)
  Improve Desktop Security
  Opt-in model

Investigating how to synchronize LDAP and AD

Eric Chamberlain was hired as the Campus Active Directory Architect (2.3 FTE)

Presented to Administrative Systems Operations Committee

HAAS (Business School) joined as first major unit

Page 35: Case study of an active directory deployment

Production -5 Months

Page 36: Case study of an active directory deployment

Production -3 Months (Pilot Status)

Planning Committee Meeting

8-5 M-F support

Security Subcommittee formed

Presented to the CalNet Steering Committee

Article published in the Berkeley Computing and Communications newsletter

Chancellors Office and Departmental On-site Computing Support join

Page 37: Case study of an active directory deployment

Production -3 Months (Pilot Status)

Page 38: Case study of an active directory deployment

Production -2 Months 1/02

Test Environment setup

Establishing GPOs

Security Subcommittee Meeting
  Require NTLMv2 or Kerberos
  Disable IIS
  Need for Certificates

Future
  High availability
  Certificates
  Training for new administrators

Presented to the CalNet Working Committee

Presented to the Information Technology Architecture Committee

Page 39: Case study of an active directory deployment

Production -1 Month (Pilot Status)

Preparing an out of data center DC

Developed SLA

Present at the Internet2 Middleware Conference

Present to Micronet

Present to eBerkeley Implementation Task Force

Membership expands to 10 units

Page 40: Case study of an active directory deployment

Production -1 Month (Pilot Status)

Security
  Site wide GPOs
  Disable IIS services by default
  DC physical security
  Empty forest root domain
  Restricted number of Enterprise Administrator accounts
  SmartCard logon (future)

GPO
  Group Policies kept to a minimum
  Based on NSA recommendations and modified for UCB
  Disable IIS
  Require NTLMv2/Kerberos authentication
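Two of the GPO settings listed above can be verified on any joined host independently of Group Policy reporting. "Require NTLMv2/Kerberos" is the LSA LmCompatibilityLevel value (5 = send NTLMv2 only, refuse LM and NTLM); "Disable IIS" shows up as the World Wide Web Publishing Service (W3SVC) being absent, or stopped and disabled. The PowerShell below is an added example, not code from the presentation or the CalNetAD service; the function name, the compliance threshold and the "absent service counts as disabled" rule are this example's own assumptions. Run it locally or through Invoke-Command against a list of computers.

```powershell
# Added example (not from the presentation): audit a joined Windows host against
# the NTLMv2/Kerberos and disable-IIS settings of the site-wide GPO baseline.
# Function name and threshold are constructed for this example.

function Get-CalNetADBaselineReport {
    param([int]$MinimumLmCompatibilityLevel = 5)

    # Network security: LAN Manager authentication level. 5 = send NTLMv2 only,
    # refuse LM and NTLM. An absent value means the OS default applies, which on
    # older systems still accepts LM/NTLM, so it is treated as non-compliant.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $level  = (Get-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel `
                -ErrorAction SilentlyContinue).LmCompatibilityLevel
    $lmOk = ($null -ne $level) -and ([int]$level -ge $MinimumLmCompatibilityLevel)

    # IIS: the W3SVC service is either not installed, or stopped and disabled.
    $w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
    if ($null -eq $w3svc) {
        $iisState = 'not installed'
        $iisOk    = $true
    } else {
        $iisState = "$($w3svc.Status)/$($w3svc.StartType)"
        $iisOk    = ($w3svc.Status -eq 'Stopped') -and ($w3svc.StartType -eq 'Disabled')
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        LmCompatibilityLevel = $level
        NtlmV2OrKerberosOnly = $lmOk
        W3SVCState           = $iisState
        IisDisabled          = $iisOk
        Compliant            = ($lmOk -and $iisOk)
    }
}

# Local run; for a fleet: Invoke-Command -ComputerName $dcs -ScriptBlock ${function:Get-CalNetADBaselineReport}
Get-CalNetADBaselineReport | Format-List
```

On domain controllers the level matters twice: it governs what the DC itself sends, and at 4 or 5 what it will accept from clients, which is the property the slide's "Require NTLMv2/Kerberos" policy is after. Checking the live registry value rather than the GPO report catches hosts where policy has not yet applied.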

Page 41: Case study of an active directory deployment

Initial Production

Service stable

Continue policy development

Planning committee meeting

Develop OU Admin training materials

LDAP synchronization work

All of the GPO templates have been loaded into the test environment and tested.

Back-up restore and other disaster recovery procedures have been tested.

New CalNetAD members
  IST Operations (IST-OPS)
  Ocean Engineering Graduate Group (OE)
  Workstation Microcomputer Facilities (IST-WSS)
  Central Computing Services – Systems and Data Administration

Page 42: Case study of an active directory deployment

Initial Production

Planned Infrastructure improvements
  A new Dell 2550 server has been purchased to serve as a third domain controller for the CAMPUS domain.

Test Machine
  The test machine (Dell 2550) and environment (VMware Server) is complete. VMs have been established for test versions of the KDC, DNS, and Active Directory domains and their controllers.

Trouble ticket reporting system and Change Management web site

Page 43: Case study of an active directory deployment

43438/4/20038/4/2003 Copyright © 2003 The Regents of the UCopyright © 2003 The Regents of the University of Californianiversity of California

Production +1 MonthProduction +1 Month

Security Subcommittee meetingSecurity Subcommittee meeting IPSECIPSEC

IPSEC to secure communications between DCsIPSEC to secure communications between DCsIPSEC network cards in the DCs to off-load the IPSEC IPSEC network cards in the DCs to off-load the IPSEC overhead from the CPUsoverhead from the CPUs

IDS Testing

Certificate Services

Units were interested in VPN support

The CalNetAD team requested money for servers to support a central Microsoft Certificate Service.

The CalNetAD team will be using the service for the Enterprise Admin smart cards as well as the IPSEC traffic between DCs.

Design CalNet synchronization

Page 44: Case study of an active directory deployment

Production +3 Months (6/02)

Planning Committee meeting

e-Berkeley agreed to fund smart card research and a CalNetAD certificate server.

A third DC for the CAMPUS domain installed at Boalt

IPSec network cards installed in all of the Domain Controllers.

Hired Arden Pineda (3.3 FTE)

HAAS domain joined

CCHEM OU created

IIR OU created

Page 45: Case study of an active directory deployment

Production +3 Months

Code CalNet synchronization

Using a tool named MetaMerge to integrate the two directories.

Tested adding the inetorgperson schema changes.

The CalNet ID is used for most of the limited number of attributes that will initially be integrated between the two directories.

Default OUs will be used for user accounts that have not already been created in CalNetAD.
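An added example (not code from the presentation, MetaMerge, or the CalNetAD project) of the synchronization rule the slide describes: join the two directories on the CalNet ID, carry over a limited attribute set, and put accounts that were not already created in CalNetAD into a default OU. The OU names, attribute names (`uid`, `calnetId`) and sample records are all assumptions constructed for the example.

```python
# Added example, not code from the presentation or from MetaMerge: a small
# planner for the CalNet -> CalNetAD synchronization step on the slide. It
# joins on the CalNet ID, syncs a limited attribute set, and creates accounts
# not already present in CalNetAD in a default OU. Names/records are assumed.
from dataclasses import dataclass, field

DEFAULT_OU = "OU=CalNetUsers,DC=campus,DC=berkeley,DC=edu"  # assumed
SYNCED_ATTRS = ("givenName", "sn", "mail")  # assumed limited attribute set
ID_ATTR = "uid"          # assumed: where the CalNet ID lives on the LDAP side
AD_ID_ATTR = "calnetId"  # assumed: AD attribute added with the inetOrgPerson work

@dataclass
class SyncOp:
    action: str          # "create" or "update"
    dn: str
    attrs: dict = field(default_factory=dict)

def plan_sync(calnet_entries, ad_accounts):
    """Return the operations that bring CalNetAD in line with CalNet.
    calnet_entries: attribute dicts from the CalNet LDAP directory.
    ad_accounts: CalNet ID -> {"dn": ..., <attrs>} for accounts that already
    exist in CalNetAD, whatever OU an OU admin created them in."""
    ops = []
    for entry in calnet_entries:
        calnet_id = entry.get(ID_ATTR)
        if not calnet_id:
            continue  # no join key: never guess a match, leave it alone
        wanted = {a: entry[a] for a in SYNCED_ATTRS if a in entry}
        existing = ad_accounts.get(calnet_id)
        if existing is None:
            # Not pre-created by an OU admin: create it in the default OU.
            dn = f"CN={calnet_id},{DEFAULT_OU}"
            ops.append(SyncOp("create", dn, {AD_ID_ATTR: calnet_id, **wanted}))
        else:
            # Pre-created elsewhere: keep its DN/OU, push only changed attributes.
            delta = {a: v for a, v in wanted.items() if existing.get(a) != v}
            if delta:
                ops.append(SyncOp("update", existing["dn"], delta))
    return ops

# Constructed sample input (not real campus data).
SAMPLE_CALNET = [
    {"uid": "1001", "givenName": "Ada", "sn": "Example", "mail": "ada@example.edu"},
    {"uid": "1002", "givenName": "Bo", "sn": "Sample", "mail": "bo@example.edu"},
    {"givenName": "NoId", "sn": "Skipped"},  # no CalNet ID: ignored
]
SAMPLE_AD = {  # 1002 was pre-created by an OU admin, with a typo in sn
    "1002": {"dn": "CN=1002,OU=COE,DC=campus,DC=berkeley,DC=edu",
             "givenName": "Bo", "sn": "Sampel", "mail": "bo@example.edu"},
}
```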

Page 46: Case study of an active directory deployment

Production +4 Months

Install Application Server

Install Production MetaMerge environment

Test CalNet synchronization

Develop migration strategies and procedures

COEDEAN OU created

IEOR OU created

IAS OU created

Page 47: Case study of an active directory deployment

(Final) Production +5 Months

COE migration

Implement CalNet synchronization

Build Test Environment VM Library

Present to Letters and Science

Security Seminar

Business Services Presentation

Revise Web Site

Page 48: Case study of an active directory deployment

Production +6 Months

COE migration

Planning Committee Meeting

Test certificate server (VMware)

Application Server

Page 49: Case study of an active directory deployment

Production +7 Months

COE migration

IEOR migration

Install SP3

Document directory integration process

Page 50: Case study of an active directory deployment

Production +8 Months

CalNetAD Intro Seminar

Teach new administrators basic OU management skills

Revise Design Documentation

Page 51: Case study of an active directory deployment

Production +9 Months

Planning Committee meeting

Security Subcommittee

Windows Security Berkeley presentation to Micronet

Page 52: Case study of an active directory deployment

Production +10 Months

LAW OU created

Microsoft discontinues free non-security hotfixes for Windows NT 4.0 Server

Page 53: Case study of an active directory deployment

Production +1 Year

100% Uptime: no scheduled or unscheduled outages

Page 54: Case study of an active directory deployment

Production +12 Months (3/03)

Planning Committee meeting

actdir06 added to the UC domain out of the data center

Present to Institute of Industrial Relations

Seminar on Enabling Loopback Processing

Page 55: Case study of an active directory deployment

Production +14 Months

Security Subcommittee

IDS software

IPSEC Filters

SUS

Page 56: Case study of an active directory deployment

Production +15 Months

LAW migration

Planning Committee meeting

CalNetPKI

Test Server 2003

Microsoft and CalNetAD discontinue support for Windows 98/98SE

Microsoft and CalNetAD discontinue support for Windows NT 4.0 Workstation

Page 57: Case study of an active directory deployment

Production +17 Months (Present)

Microsoft sponsored Migrating to Server 2003 seminar

Page 58: Case study of an active directory deployment

Production +18 Months

Planning Committee meeting

Page 59: Case study of an active directory deployment

Production +22 Months (January)

Migrate DCs to Windows Server 2003

Page 60: Case study of an active directory deployment

Future

Smart Card deployment

Certificate services

Web services

File storage

Check out Windows Sharepoint Services

Free with Server 2003

Page 61: Case study of an active directory deployment

Questions

Eric Chamberlain, [email protected]

http://calnetad.berkeley.edu