Let’s Get It Together: The Statewide Active Directory Forest


Post on 27-Dec-2015


  • Let’s Get It Together: The Statewide Active Directory Forest

  • Agenda

    Introduction

    Session Goal

    Statewide Forest Governance

    Designing Active Directory

    Active Directory Technology

    Benefits of the Statewide Forest

    Joining the Forest

  • Todd Shelton

    Project Quality Assurance

    President, Netdesk Corporation

    Single Sign-On proof of concept

  • About Netdesk

    Netdesk is the largest Microsoft technical trainer in the Northwest

    Netdesk specializes exclusively in Microsoft technology: systems and developer

    Netdesk carefully manages customer satisfaction to the highest levels

  • Session Goal

    To help you understand:

    What the statewide forest is

    How decisions are made

    How to use Active Directory

    What you can get out of it

    How to learn more or join

  • Project History

    Win2K converges network and database

    LAN Managers group attempted to install in 1999 and was not successful.

    Appeal to CAB Infrastructure Subcommittee 1999

    CAB Pilot Winter 2000 recommended single forest for the state.

    Project Steering Committee formed - kickoff Fall 2000

    Project completion June 2001

  • CAB Forest Objectives

    Create a State Forest Win2k Server environment and install the statewide root for agencies who want to join.

    Implement the first version of the Active Directory.

    Provide a foundation to allow shared applications / data.

    Establish governing policies for the state forest.

    Implement Exchange 2000 (new objective)

  • Accomplishments

    Test Forest is up.

    Three agencies attached / two ready to join.

    Pre-production Forest is up (L&I, DSHS are attached).

    Standards documentation developed.

    Ongoing governance model has been established.

    Website: http://sww.wa.gov/win2k/

  • Project To Date

    Broad participation.

    CAB authorized (not a DIS show).

    Not mandatory.

    Governance model in practice.

    Many applications coming.

    Preparation for Exchange 2000.

  • How does our project compare?

    Washington state is a national leader

    Governance model is unique and robust (didn’t come down from the top)

    The project focuses on business results

    The quality is very high

    The project sees the future clearly

  • Forest Governance Model (diagram; boxes: CAB, Agencies, Windows 2000 Steering Committee, DIS Statewide Root Management, Forest Resource Group, Forest Application Developers)

  • Win2k Steering Committee

    Participants: DSHS, ESD, DFI, GA, L&I, OFM, DOP, DIS, DOT, DOL

    Observers: LEG, ECY, DOR, DRS (new), EMD

    Chair: Phil Grigg

  • Forest Resource Group

    Responsible for network infrastructure, operations, and change management

    Interagency technical working group

    Developed the project documents

    Makes recommendations to the Steering Committee

    Chair: John Ditto

  • Forest Application Developers

    Two sets of responsibilities: Startup and Ongoing

    Define Active Directory strategic direction and recommend direction to the Windows 2000 Steering Committee in three areas:

    Active Directory Schema

    Application use of the Active Directory

    Approval of applications that use Active Directory

    Chair: Gregg Arndt

  • DIS

    Executes decisions made by the Steering Committee

    Steering Committee records are incorporated into the DIS service level agreement

    Operates the root domain structure

    DIS does NOT make forest decisions (but DIS sits on the Steering Committee)

  • Forest Root Service Level Agreement (SLA)

    Forest Root Responsibilities:

    Implement Steering Committee Policy

    Hardware and Software for the Root Domain

    99.9% availability in Production Environment

    Pre-production and Rip & Tear Environment

    Follow Change Control Processes

    Root administration

    Provides Problem Management

    Contracts Vendor Technical Support 7/24/365

  • What is Active Directory?

    A scalable (millions+ objects) shared, replicated database of user and other information

    A partial copy lives on every domain controller

    Active Directory manages authentication and access control

    It’s built into the operating system! (no extra charge)

  • Active Directory Design

    What are your business goals?

    Reduce the number of domain admins

    Move password resets from the help desk

    Reduce physical visits to workstations

    Build a more responsive infrastructure

    What are you trying to accomplish administratively?

  • Active Directory Design

    What are you trying to accomplish administratively?

    What administrative distinctions are you making?

    What things are administratively distinct?

  • Active Directory Design

    Group like things together, separate distinct ones using Active Directory containers

    Container objects are administrative boundaries:

    Forest

    Site

    Domain

    Organizational Unit

    Group

  • Active Directory Design

    Manipulate these containers of things using:

    Inheritance

    Group Policy

    Active Directory Permissions

  • Active Directory Design

    Use containers and the three ways you can manipulate them to:

    Delegate administration

    Safely share users and resources (applications)

    Get IT out of administration and into managing a secure, available, responsive infrastructure

  • Is AD important to business?

    Policy-based network configuration (more responsive network)

    Shared identity information (built-in user directory)

    Delegated administration (change how you think about IT administration)

    Platform for applications

  • Why the State Forest?

    Become part of the community of practice

    Take advantage of the money and blood others have spent

    Take advantage of other agencies’ user accounts

    Take better advantage of other agencies’ resources (the single sign-on)

  • Statewide Forest Benefits

    It’s far cheaper than doing it by yourself

    Policy-driven configuration management

    New administration possibilities: delegated administration

    New application possibilities, like Single Sign-On

  • Single Sign-On: The Problem

    Users remember too many passwords

    Developers manage authentication and access control

    Help desks interact with too many systems

    Managers can’t set enterprise-wide access control policies

  • Understanding Single Sign-On

    User Management: Authentication, Identity

    Applications are Resources, but most also need their own user management

    Shared or Distributed Administration: it’s critical; Single Sign-On won’t work without it

  • What Are The Benefits?

    For Users: one password to remember

    For Developers: no more (or at least reduced) user management

    For Infrastructure Administrators (Help Desk): much less work dealing with passwords

    For Policy Makers: a practical policy-managed compute environment

  • The Problem

    We have a user-based security model

    We need a resource-based security model

    (Thanks to John Ditto for saying this so well!)

  • The Single Sign-On Challenge

    Administrative trust must exist between data owners and users.

    Then we can use Active Directory to make administration easier. This model is already in place with OFM’s agency delegate for financial systems.

  • Shared, Trusted Group Administration Processes

    The Agency that owns the Secure Application delegates a trusted Security Administrator at the user Agency who controls the membership in the Secure group.
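
The two delegation ideas on the slides above (using Active Directory permissions on containers to delegate administration, and the owning agency handing control of a secure group's membership to a trusted security administrator at the user agency) each reduce to one narrow ACL grant on one object. The PowerShell below is an added example, not code from the presentation or the state forest project. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later), which postdates the Windows 2000 environment the deck describes; the OU, group and domain names are placeholders.

```powershell
# Added example (not from the presentation or the state project).
# Delegates two narrow rights in Active Directory without adding anyone to Domain Admins.
# All OU, group and domain names below are placeholders for illustration.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# Look up schema and extended-right GUIDs from this forest rather than hardcoding them.
function Get-SchemaGuid {
    # Works for both attributes (e.g. 'member') and classes (e.g. 'user').
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).SchemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}

function Get-ExtendedRightGuid {
    param([Parameter(Mandatory)][string]$DisplayName)
    $configNc = (Get-ADRootDSE).ConfigurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}

# Core helper: add a single Allow ACE to the DACL of one directory object.
function Grant-AdDelegation {
    param(
        [Parameter(Mandatory)][string]$TargetDn,       # object whose ACL changes (OU or group)
        [Parameter(Mandatory)][string]$DelegateGroup,  # group that receives the right
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty,             # attribute, extended right or class GUID
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None,
        [guid]$InheritedObjectType = [guid]::Empty     # restrict inheritance to one object class
    )
    $sid  = (Get-ADGroup -Identity $DelegateGroup).SID
    $path = "AD:\$TargetDn"
    $acl  = Get-Acl -Path $path
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Check: list the explicit (non-inherited) ACEs held by a delegate on an object,
# so the delegation can be reviewed, and revoked with RemoveAccessRule if no longer needed.
function Get-AdDelegation {
    param([Parameter(Mandatory)][string]$TargetDn, [Parameter(Mandatory)][string]$DelegateGroup)
    (Get-Acl -Path "AD:\$TargetDn").Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like "*\$DelegateGroup" } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
}

# 1. "Move password resets from the help desk": the agency help desk may reset passwords
#    for user objects under one agency OU only, and nothing above it (placeholder DN).
$agencyOu = 'OU=Users,OU=ExampleAgency,DC=example,DC=wa,DC=gov'
Grant-AdDelegation -TargetDn $agencyOu -DelegateGroup 'ExampleAgency-HelpDesk' `
    -Rights ExtendedRight -ObjectType (Get-ExtendedRightGuid 'Reset Password') `
    -Inheritance Descendents -InheritedObjectType (Get-SchemaGuid 'user')

# 2. "Shared, trusted group administration": the owning agency lets a security-administrator
#    group at the user agency write the 'member' attribute of the secure group, and nothing else.
$secureGroupDn = (Get-ADGroup -Identity 'SecureApp-Users').DistinguishedName
Grant-AdDelegation -TargetDn $secureGroupDn -DelegateGroup 'UserAgency-SecurityAdmins' `
    -Rights WriteProperty -ObjectType (Get-SchemaGuid 'member')

# Review what was granted.
Get-AdDelegation -TargetDn $agencyOu      -DelegateGroup 'ExampleAgency-HelpDesk'
Get-AdDelegation -TargetDn $secureGroupDn -DelegateGroup 'UserAgency-SecurityAdmins'
```

Both grants are scoped to a single object type and a single container or group, which is what keeps the number of domain admins down: the help desk cannot reset passwords outside its OU, and the user agency's security administrator can change the secure group's membership but not its other attributes or any other group.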

  • Single Sign-On Prototype

    Validate the concept of using Windows 2000 security for single sign-on to a non-compliant application.

    Assess feasibility of using a logon assist module.

    Validate web application compatibility with Windows 2000 security.

    Project Manager: Allen Schmidt, OFM

  • Benefits of the Statewide Forest

    Active Directory shares identity information statewide for free. Benefits include cheaper IT administration, delegation, and application development.

    Joining the forest is cheaper and easier than going it alone.

    Build the enterprise community.

  • Joining the Forest

    Review the web site! Especially study these documents:

    Agency Join Requirements

    Naming Conventions and Standards

    Root Domain Requirements

    Get trained

    Get involved: Steering Committee and working groups

  • How To Join

    Preparation

    Check sheet

    Co-operation / Letter of Intent

    Rules of the environment

    Change Management

    Issue Escalation

    Service Level Agreement

    Agency Welcome Kit - in progress

  • Summary

    CAB-approved, interagency project

    All decisions are made through the interagency Steering Committee

    Active Directory shares user and other information automatically

    Much of the work is already done (you don’t have to pay for it!)

    To join, visit the web site

  • Thank you! Contacts

    Phil Grigg - Chair, Windows 2000 Steering Committee, (360) 902-7452, Email: PGrigg@ga.wa.gov

    Gregg Arndt - Chair, Forest Application Developers, (360) 664-6418, Email: GreggA@dop.wa.gov

    Allen Schmidt - Project Manager, Single Sign-On Prototype, (360) 725-5272, Email: Allen.Schmidt@ofm.wa.gov

    John Ditto - Chair, Forest Resource Group, (360) 902-0349, Email: ditto@dis.wa.gov (in the GAL)

    Bob Deshaye - Service Level Agreements, (360) 902-3336, Email: BobD@dis.wa.gov (in the GAL)

    Todd Shelton - Netdesk Corporation, (206) 224-7690, Email: Todd.Shelton@netdesk.com
