CalNet AD: UC Berkeley’s Active Directory Implementation
CalNet Active Directory
1 10/18/08
Introduction to Active Directory

(Diagram: the Berkeley network infrastructure, consisting of CalNet Kerberos Authentication (MIT), DNS (BIND)*, and CalNet Directory Services (LDAP), serving campus computers and laptops.)

* BIND = Berkeley Internet Name Domain
Part of the suite of Windows 2000 products
Microsoft’s implementation of the CalNet model
Enterprise-class software which makes extensive use of enterprise-wide computing infrastructures
Integration with CalNet necessitates central support
Some Active Directory Terminology

(Diagram: the CalNetAD forest contains two trees, Tree1 - uc.berkeley.edu and Tree2 - campus.berkeley.edu, joined by a transitive, two-way trust; haas.uc.berkeley.edu (HAAS) is a child domain of uc.berkeley.edu, also linked by a transitive, two-way trust. Each domain holds Organizational Units, which in turn contain Groups, Users, Computers and objects such as a Print Queue.)

Forest – A collection of one or more trees of domains, organized as peers and connected by two-way transitive trusts.
Domain – A directory-based container object containing a hierarchical structure of other containers and objects (OUs); domains can be joined into trees of domains.
Organizational Unit (OU) – A logical container used within domains for which administrative authority can be delegated to designated groups.
Major Features of Active Directory
Directory service based on Lightweight Directory Access Protocol (LDAP) version 3
Name resolution is based on Domain Name Service (DNS), replacing Windows Internet Name Service (WINS)
Support for Kerberos 5 authentication
Support for delegation of authority to Organizational Units
PKI support, including SmartCards and certificates
CalNet AD Design Goals
Support for single sign-on environment
Interoperability with campus infrastructure for DNS, directory services, and CalNet authentication
Improved security at the desktop level
Improved management and administration of workstations
‘Opt-in’ model
– Join the CAMPUS domain as an OU
– Create a child domain under CAMPUS
CalNet AD Design Participants
IST Implementation Team
– CCS (Mike Blasingame, Eric Chamberlain, Arden Pineda)
– WSS (Karl Grose)
– CNS (Mike Sinatra)
– SNS (Mike Friedman)
– Consultant
Campus Planning Committee (and Security Subcommittee)
– http://calnetad.berkeley.edu/planning/planning_members.html
– [email protected]
– [email protected]
Why join CalNet AD?
Access to CalNet services
Easier, searchable access to network services (printers, file servers, etc.) published in the forest
Centralized support for hardware, security, redundancy, and backup requirements provided to the central domain controllers
Easier desktop management
– remote software installation
– policy implementation via Group Policy Objects (GPOs)
– centralized file storage and user data
– minimum security requirements can be established
Decentralized/dynamic management
Centrally funded infrastructure
CalNet AD Design

(Diagram: the forest root domain and the CAMPUS domain with their domain controllers, all synchronized from the Campus NTP Source.)

Forest root: uc.berkeley.edu (UC)
– actdir01 (UC): SM, DNM, GC, & NTP
– actdir02 (UC): PDC, IM, RID, GC, & NTP
– MIT Kerberos BERKELEY.EDU: all shadow accounts reside here (from MIT realm)
– Child domain: haas.uc.berkeley.edu (HAAS)
campus.berkeley.edu (CAMPUS)
– actdir03 (CAMPUS): IM, GC, & NTP
– actdir04 (CAMPUS): PDC, RID, GC, & NTP
– actdir05 (CAMPUS): GC & NTP
– Boalt Hall: location of the CAMPUS domain controller outside Evans Hall
– OUs delegated here: College X, College Y, Dept. Z
– Subdomains join here: xx.campus.berkeley.edu (XX)

Legend: SM=Schema Master, DNM=Domain Naming Master, RID=Relative ID Master, PDC=PDC Emulator, IM=Infrastructure Master, GC=Global Catalog, NTP=Network Time Protocol
Server Hardware
Dell PowerEdge 2550
– Dual 933MHz PIII
– 1GB RAM
– 2 redundant power supplies
– 5 drives with RAID 1 and RAID 5 configuration
Hardware/OS monitoring by CCS-SDA on 24/7 basis
Domain Controllers
Backup performed nightly and data stored on and off site
Physically secured
– Double locked doors requiring proximity card access
– Lockable rack cabinets
– SmartCard logon (future)
4 domain controllers in Evans Hall
– 2 domain controllers for each domain
– Each DC is connected to two UPS
– Each UPS is fed from a separate PDU
One CAMPUS domain controller located outside Evans Hall at Boalt
– Located on campus backbone
– Power to building supplied by a separate power substation
Test Hardware
Dell PowerEdge 2550
– Dual 1133MHz PIII
– 2GB RAM
– 2 redundant power supplies
– 4 drives with RAID 5 configuration
Test Environment
VMware GSX Server software
Hosts
– 2 UC-TEST domain controllers
– 2 CAMPUS-TEST domain controllers
– FreeBSD test KDC and BIND DNS
Available for integration testing
Backup/recovery testing
CalNet AD Implementation Status
Design available at http://calnetad.berkeley.edu/
Domain controllers installed and configured for uc.berkeley.edu and campus.berkeley.edu domains
Full production status in August 2002 (CalNet account synchronization)
Test environment is implemented
Out-of-Evans domain controller for CAMPUS domain located at Boalt
Security
GPO to disable IIS services by default
GPO to set minimum level of security on member machines
DC physical security
Empty forest root domain
Restricted number of Enterprise Administrator accounts
Administrator SmartCard logon (e-Berkeley funded project)
GPO
Group Policies kept to a minimum
Based on NSA recommendations and modified for UCB
Domain group policies
– Password and Kerberos settings
– Disable IIS
– Disable DDNS updates
Domain controller group policies
– Restrict administrative group membership
– Require NTLMv2/Kerberos authentication
– Restrict domain controller access
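An added example, not part of the CalNet AD deck: a PowerShell audit script that checks a Windows host against the settings named on the Security and GPO slides (NTLMv2-only authentication, IIS disabled, DDNS updates disabled, a small Enterprise Admins group). The registry paths and service name are the standard Windows locations; the expected values and the membership threshold are assumptions drawn from the slide wording, not CalNet's actual GPO values.

```powershell
# Added example (not from the CalNet AD deck). Compares local settings with the
# baseline described on the Security and GPO slides and reports each deviation.
# Expected values below are assumptions based on the slide wording.
$findings = @()

function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# "Require NTLMv2/Kerberos": LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM.
$lm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
if ($null -eq $lm -or $lm -lt 5) {
    $findings += "LmCompatibilityLevel is '$lm' (expected 5: NTLMv2 only)"
}

# "Disable IIS": the World Wide Web Publishing Service should be absent or disabled.
$w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
if ($w3svc -and $w3svc.StartType -ne 'Disabled') {
    $findings += "W3SVC is present with StartType $($w3svc.StartType) (expected Disabled or absent)"
}

# "Disable DDNS updates": DisableDynamicUpdate = 1 stops this host registering itself in DNS.
$ddns = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' 'DisableDynamicUpdate'
if ($ddns -ne 1) {
    $findings += "DisableDynamicUpdate is '$ddns' (expected 1)"
}

# "Restricted number of Enterprise Administrator accounts": list members for review.
# Needs the RSAT ActiveDirectory module; the threshold of 3 is an assumed review trigger.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $ea = @(Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive)
    if ($ea.Count -gt 3) {
        $findings += "Enterprise Admins has $($ea.Count) members: $($ea.SamAccountName -join ', ')"
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
} else {
    Write-Output 'PASS: host matches the baseline settings checked'
}
```

Run it in an elevated session on a member machine or domain controller; the Enterprise Admins check is only meaningful when run against the forest root domain.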
Certificates
Participating in UCOP user certificate initiative
Offline campus root CA
AD-integrated subordinate CAs
Uses
– SSL
– IPSEC
– Code signing
– SmartCards
EFS
Enabled when certificates are implemented
Key recovery will be delegated to OU administrators
Recovery policies will follow current campus computer policy
User Authentication
NTLMv2 support (pre-Windows 2000, SAMBA, Mac)
Kerberos support
– BERKELEY.EDU – MIT Kerberos Realm
– User authenticates with [email protected]
User account information will come from the CalNet LDAP database
Administrators will not need to manage user information/passwords
User Authentication (diagram slide; no text recovered)
Current/Future Users
COIS joined as an OU
HAAS joined haas.uc.berkeley.edu domain to forest
IST-DOCS is investigating OU migration issues
COE (Dean’s Office) joined as an OU
IEOR joined as an OU
IIR joined as an OU
IAS joined as an OU
OE joined as an OU
CCHEM joined as an OU
CCS-SDA (HRMS) joined as an OU
WSS-W&MF (Fall ’02)
CalNet AD Future Directions
Improve infrastructure for high availability: add DCs and an out-of-Evans KDC
Add certificate authority services for secure traffic and EFS
Integrate with UCOP certificate initiative
Add SmartCard support for secure machine access
Add administrative server for performance and security monitoring and tuning (IDS, firewalls)
Add file sharing server for roaming user profiles and data storage
Test IDS solutions for domain controllers
Coordinate Microsoft training sessions for new administrators
Establish minimum security standards for domain workstations

Send comments to: [email protected]
How to join CalNetAD
Check website for more information: http://calnetad.berkeley.edu
Schedule meeting with the CalNetAD group
Sign a CalNetAD SLA
Join CalNetAD Planning Committee
Provide the DNS name of the first machine to join new OU
Provide the CalNet ID of the first OU admin
Provide the name of an OU administrative mail list