Page 1: Www.netdesk.com Let’s Get It Together The Statewide Active Directory Forest

www.netdesk.com

Let’s Get It Together

The Statewide Active Directory Forest

Page 2

Agenda

• Introduction

• Session Goal

• Statewide Forest Governance

• Designing Active Directory?

• Active Directory Technology

• Benefits of the Statewide Forest

• Joining The Forest

Page 3

Todd Shelton

• Project Quality Assurance

• President, Netdesk Corporation

• Single Sign-On proof of concept

Page 4

About Netdesk

• Netdesk is the largest Microsoft technical trainer in the Northwest

• Netdesk specializes exclusively in Microsoft technology—systems and developer

• Netdesk carefully manages customer satisfaction to the highest levels

Page 5

Session Goal

• To help you understand
– What the statewide forest is
– How decisions are made
– How to use Active Directory
– What you can get out of it
– How to learn more or join

Page 6

Project History

• Win2K converges network and database
• LAN Managers group attempted to install in 1999; not successful.
• Appeal to CAB Infrastructure Subcommittee, 1999
• CAB Pilot, Winter 2000, recommended a single forest for the state.
• Project Steering Committee formed; kickoff Fall 2000
• Project completion June 2001

Page 7

CAB Forest Objectives

• Create a State Forest Win2k Server environment and install the statewide root for agencies who want to join.
• Implement the first version of the Active Directory.
• Provide a foundation to allow shared applications / data.
• Establish governing policies for the state forest.
• Implement Exchange 2000 (new objective)

Page 8

Accomplishments

• Test Forest is up.
• Three agencies attached / two ready to join.
• Pre-production Forest is up (L&I, DSHS are attached).
• Standards documentation developed.
• Ongoing governance model has been established.
• Website: http://sww.wa.gov/win2k/

Page 9

Project To Date

• Broad participation.

• CAB authorized (not a DIS show).

• Not mandatory.

• Governance model in practice.

• Many applications coming.

• Preparation for Exchange 2000.

Page 10

How does our project compare?

• Washington state is a national leader

• Governance model is unique and robust—didn’t come down “from the top”

• The project focuses on business results

• The quality is very high

• The project sees the future clearly

Page 11

Forest Governance Model

[Diagram; boxes labelled: CAB; Agencies; Windows 2000 Steering Committee; DIS (Statewide Root Management); Forest Resource Group; Forest Application Developers.]

Page 12

Win2k Steering Committee

• Participants: DSHS, ESD, DFI, GA, L&I, OFM, DOP, DIS, DOT, DOL
• Observers: LEG, ECY, DOR, DRS (new), EMD
• Chair: Phil Grigg

Page 13

Forest Resource Group

• Responsible for network infrastructure, operations, and change management

• Interagency technical working group

• Developed the project documents

• Makes recommendations to the Steering Committee

• Chair: John Ditto

Page 14

Forest Application Developers

• Two sets of responsibilities: Startup and Ongoing
• Define Active Directory strategic direction and recommend direction to the Windows 2000 Steering Committee in three areas:
– Active Directory Schema
– Application use of the Active Directory
– Approval of applications that use Active Directory
• Chair: Gregg Arndt

Page 15

DIS

• Executes decisions made by the Steering Committee
• Steering Committee records are incorporated into the DIS service level agreement
• Operates the root domain structure
• DIS does NOT make forest decisions (but DIS sits on the Steering Committee)

Page 16

Forest Root Service Level Agreement (SLA)

• Forest Root Responsibilities
– Implement Steering Committee Policy
– Hardware and Software for the Root Domain
– 99.9% availability in Production Environment
– Pre-production and Rip & Tear Environment
– Follow Change Control Processes
– Root administration
– Provides Problem Management
– Contracts Vendor Technical Support 7/24/365

Page 17

What is Active Directory?

• A scalable (millions + objects) shared, replicated database of user and other information
• Every domain controller holds a full replica of its own domain (plus the forest-wide schema and configuration); global catalog servers additionally hold a partial, read-only copy of every other domain in the forest
• Active Directory manages authentication and access control
• It's built into the operating system! (no extra charge)

Page 18

Active Directory Design

• What are your business goals?
– Reduce the number of domain admins
– Move password resets from the help desk
– Reduce physical visits to workstations
– Build a more responsive infrastructure

• What are you trying to accomplish administratively?

Page 19

Active Directory Design

• What are you trying to accomplish administratively?

• What administrative distinctions are you making?

• What “things” are administratively distinct?

Page 20

Active Directory Design

• Group like "things" together; separate distinct ones using Active Directory containers
• Container objects are administrative boundaries
– Forest
– Site
– Domain
– Organizational Unit
– Group (strictly a security principal rather than a container, but the unit at which permissions are granted)
• Only the forest is a security boundary: a domain administrator in any domain of a shared forest can in practice gain control of the whole forest, so agencies joining the statewide forest are trusting each other's domain administrators as well as the root's

Page 21

Active Directory Design

• Manipulate these containers of "things" using
– Inheritance
– Group Policy
– Active Directory Permissions

Page 22

Active Directory Design

• Use containers and the three ways you can manipulate them to
– Delegate administration
– Safely share users and resources (applications)
– Get IT out of administration and into managing a secure, available, responsive infrastructure

Page 23

Is AD important to business?

• Policy-based network configuration (more responsive network)

• Shared identity information—built in user directory

• Delegated administration—change how you think about IT administration

• Platform for applications

Page 24

Why the State Forest?

• Become part of the community of practice

• Take advantage of the money and blood others have spent

• Take advantage of other agencies’ user accounts

• Take better advantage of other agencies’ resources (the single sign-on)

Page 25

Statewide Forest Benefits

• It’s far cheaper than doing it by yourself

• Policy-driven configuration management

• New administration possibilities– Delegated administration

• New application possibilities– Like Single Sign-On

Page 26

Single Sign-On: The Problem

• Users remember too many passwords

• Developers manage authentication and access control

• Help desks interact with too many systems

• Managers can’t set enterprise-wide access control policies

Page 27

Understanding Single Sign On

• User Management– Authentication– Identity

• Applications are Resources– But most also need their own user management

• Shared or Distributed Administration– It’s critical: Single Sign On won’t work without it

Page 28

What Are The Benefits?

• For Users
– One password to remember
• For Developers
– No more (or at least reduced) user management
• For Infrastructure Administrators (Help Desk)
– Much less work dealing with passwords
• For Policy Makers
– A practical policy-managed compute environment

Page 29

The Problem

• We have a user-based security model

• We need a resource-based security model

• (Thanks to John Ditto for saying this so well!)

Page 35

The Single Sign-On Challenge

• “Administrative Trust” must exist between data owners and users.

• Then we can use Active Directory to make administration easier.

• This model is already in place with OFM’s agency delegate for financial systems

Page 36

Windows 2000 Forest and Trusted Domains

[Diagram: users authenticate to Windows 2000; the resources are applications (Regular App, Secure App, Highly Secure App) and mainframe and legacy applications reached through a Logon Assist Module. Each agency domain (SAO, DOT, L&I) holds its own Regular and Secure groups, nested into the resource groups Regular\Users (L&I\Regular, DOT\Regular, SAO\Regular) and Secure\Users (L&I\Secure, DOT\Secure, SAO\Secure). The Highly Secure App, possibly with separate authentication, has a directly populated Highly Secure\Users group (Dennis Jones, Mike McVicker, Shelagh Taylor). The arrows between agencies and resource groups are labelled "Shared, Trusted Group Administration Processes".]

The Agency that owns the Secure Application delegates a trusted "Security Administrator" at the user Agency who controls the membership in the Secure group.
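The delegation model on pages 18 through 22 (take password resets away from Domain Admins by granting a narrow right on an OU, using inheritance and Active Directory permissions) and the trusted-group model on this slide (the owning agency keeps the resource group; a named Security Administrator in each user agency controls the membership of that agency's group) both come down to a few object-specific ACEs. The PowerShell below is an added example, not code from the deck or from the state project; the cmdlets postdate Windows 2000, but the ACEs they write are the ones a Windows 2000 forest would carry. It assumes the ActiveDirectory module on a machine joined to a lab forest, and every name in it is hypothetical: forest root wa.lab, agency domains dot.wa.lab and lni.wa.lab, resource domain sao.wa.lab, the OUs, the group names and the sec.admin delegate accounts. The GUIDs are the well-known schema identifiers for the user class, the pwdLastSet and member attributes, and the Reset Password control access right.

```powershell
# Added example; not from the Netdesk deck or the state project. All names are
# hypothetical: forest root wa.lab, agency domains dot.wa.lab and lni.wa.lab,
# resource domain sao.wa.lab (owner of the "SecureApp" application).
# Requires the ActiveDirectory module and an account with admin rights in each domain.
Import-Module ActiveDirectory

# Well-known schema / rights GUIDs (identical in every AD forest)
$UserClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # class: user
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # control access right: Reset Password
$PwdLastSetGuid    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # attribute: pwdLastSet
$MemberGuid        = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # attribute: member

# Write one Allow ACE onto an OU or group. The object GUID and the inherited
# object class keep the grant narrow: one right, on one kind of object.
function Grant-AdRight {
    param(
        [string]$Server,                                   # a DC (or domain name) for the domain holding $TargetDn
        [string]$TargetDn,
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectGuid = [Guid]::Empty,                 # attribute or extended right; Empty = any
        [Guid]$InheritedObjectGuid = [Guid]::Empty,        # class that inherits the ACE; Empty = any
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'Descendents'
    )
    $entry = [ADSI]"LDAP://$Server/$TargetDn"
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectGuid, $Inheritance, $InheritedObjectGuid)
    $entry.psbase.ObjectSecurity.AddAccessRule($ace)
    $entry.psbase.CommitChanges()
}

# --- 1. Delegation inside an agency (pages 18-22). The help-desk group gets only
#        Reset Password and write of pwdLastSet, only on user objects, inherited
#        down the agency's Staff OU. No Domain Admins membership is needed.
$dotDc    = 'dot.wa.lab'
$staffOu  = New-ADOrganizationalUnit -Server $dotDc -Name 'Staff' -Path 'DC=dot,DC=wa,DC=lab' -PassThru
$helpDesk = New-ADGroup -Server $dotDc -Name 'DOT Help Desk' -GroupScope Global -Path $staffOu.DistinguishedName -PassThru
$hdSid    = [System.Security.Principal.SecurityIdentifier]$helpDesk.SID
Grant-AdRight -Server $dotDc -TargetDn $staffOu.DistinguishedName -Sid $hdSid `
    -Rights 'ExtendedRight' -ObjectGuid $ResetPasswordGuid -InheritedObjectGuid $UserClassGuid
Grant-AdRight -Server $dotDc -TargetDn $staffOu.DistinguishedName -Sid $hdSid `
    -Rights 'ReadProperty, WriteProperty' -ObjectGuid $PwdLastSetGuid -InheritedObjectGuid $UserClassGuid

# --- 2. Resource-based model across agencies (pages 29 and 36). SAO, which owns
#        the application, keeps a domain-local group on the resource. Each user
#        agency contributes a global group, and the 'member' attribute of that
#        group is delegated to the agency's named Security Administrator, so
#        membership decisions stay with the agency that knows the users.
$saoDc       = 'sao.wa.lab'
$secureUsers = New-ADGroup -Server $saoDc -Name 'SecureApp Users' -GroupScope DomainLocal `
    -Path 'OU=Apps,DC=sao,DC=wa,DC=lab' -PassThru

$agencies = @(
    @{ Dc = 'dot.wa.lab'; Ou = 'OU=Groups,DC=dot,DC=wa,DC=lab'; Delegate = 'DOT\sec.admin' },
    @{ Dc = 'lni.wa.lab'; Ou = 'OU=Groups,DC=lni,DC=wa,DC=lab'; Delegate = 'LNI\sec.admin' }
)
foreach ($agency in $agencies) {
    $grp = New-ADGroup -Server $agency.Dc -Name 'SecureApp Secure' -GroupScope Global -Path $agency.Ou -PassThru
    Add-ADGroupMember -Server $saoDc -Identity $secureUsers -Members $grp      # nest the agency group into SAO's
    $delegateSid = ([System.Security.Principal.NTAccount]$agency.Delegate).Translate(
        [System.Security.Principal.SecurityIdentifier])
    # Only the member attribute, only on this one group object (no inheritance).
    Grant-AdRight -Server $agency.Dc -TargetDn $grp.DistinguishedName -Sid $delegateSid `
        -Rights 'ReadProperty, WriteProperty' -ObjectGuid $MemberGuid -Inheritance 'None'
}

# --- Check: who can actually change a group's membership? Any Allow ACE carrying
#     WriteProperty (GenericWrite and GenericAll include that bit) that is either
#     scoped to 'member' or unscoped. IsInherited exposes grants flowing down from
#     the OU. A full audit would also flag WriteDacl and WriteOwner.
function Get-GroupMembershipWriters {
    param([string]$Server, [string]$GroupDn)
    $writeProp = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $sec = ([ADSI]"LDAP://$Server/$GroupDn").psbase.ObjectSecurity
    $sec.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ((([int]$_.ActiveDirectoryRights) -band $writeProp) -ne 0) -and
        ($_.ObjectType -eq $MemberGuid -or $_.ObjectType -eq [Guid]::Empty)
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}
foreach ($agency in $agencies) {
    Get-GroupMembershipWriters -Server $agency.Dc -GroupDn "CN=SecureApp Secure,$($agency.Ou)" | Format-Table -AutoSize
}
```

Run it once per lab forest with an account that is an administrator in each of the three domains. The ACEs in part 1 are the same pair the Delegation of Control wizard writes for its "Reset user passwords" task; the point of writing them by hand is to see that the grant is scoped to the user class and to two specific GUIDs rather than to "Full Control" on the OU. The check at the end is what the owning agency should run after delegating: the only non-inherited writers of a SecureApp Secure group ought to be the agency's Security Administrator and the built-in administrative groups, and anything else that shows up is a grant the Steering Committee never approved.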

Page 37

Single Sign-On Prototype

• Validate the concept of using the Windows 2000 security for single sign-on to a non-compliant application.
• Assess feasibility of using a logon assist module.
• Validate web application compatibility with Windows 2000 security.
• Project Manager: Allen Schmidt, OFM

Page 38

Benefits of the Statewide Forest

• Active Directory shares identity information statewide for free.

• Benefits include cheaper IT administration, delegation, and application development

• Joining the forest is cheaper and easier than going it alone

• Build the enterprise community

Page 39

Joining the Forest

• Review the web site!
• Especially study these documents:
– Agency Join Requirements
– Naming Conventions and Standards
– Root Domain Requirements
• Get trained
• Get involved: Steering Committee and working groups

Page 40

How To Join

• Preparation
• Check sheet
• Co-operation / Letter of Intent
• Rules of the environment
• Change Management
• Issue Escalation
• Service Level Agreement
• Agency Welcome Kit (in progress)

Page 41

Summary

• CAB-approved, interagency project
• All decisions are made through the interagency Steering Committee
• Active Directory shares user and other information automatically
• Much of the work is already done (you don't have to pay for it!)
• To join, visit the web site

Page 42

Thank you!

• Contacts
– Phil Grigg, Chair, Windows 2000 Steering Committee: (360) 902-7452, Email: [email protected]
– Gregg Arndt, Chair, Forest Application Developers: (360) 664-6418, Email: [email protected]
– Allen Schmidt, Project Manager, Single Sign-On Prototype: (360) 725-5272, Email: [email protected]
– John Ditto, Chair, Forest Resource Group: (360) 902-0349, Email: [email protected] (in the GAL)
– Bob Deshaye, Service Level Agreements: (360) 902-3336, Email: [email protected] (in the GAL)
– Todd Shelton, Netdesk Corporation: (206) 224-7690, Email: [email protected]