CalNet AD: UC Berkeley’s Active Directory Implementation

CalNet Active Directory

1 10/18/08

Introduction to Active Directory

[Diagram: Berkeley Network Infrastructure: CalNet Kerberos Authentication (MIT), DNS (BIND)* and CalNet Directory Services (LDAP), serving campus computers and laptops]

* BIND = Berkeley Internet Name Domain

  • Part of the suite of Windows 2000 products
  • Microsoft's implementation of the CalNet model (Kerberos authentication, DNS and an LDAP directory)
  • Enterprise class software which makes extensive use of enterprise-wide computing infrastructures
  • Integration with CalNet necessitates central support


Some Active Directory Terminology

[Diagram: the CalNetAD forest. Tree1 is uc.berkeley.edu, with the child domain haas.uc.berkeley.edu (HAAS); Tree2 is campus.berkeley.edu. The trees are linked by transitive, two-way trusts. Each domain holds Organizational Units containing Users, Groups, Computers and Print Queues.]

  • Forest – A collection of one or more trees of domains, organized as peers and connected by two-way transitive trusts.
  • Domain – A directory-based container object containing a hierarchical structure of other containers and objects (OUs); domains can be joined into trees of domains.
  • Organizational Unit (OU) – A logical container used within domains for which administrative authority can be delegated to designated groups.


Major Features of Active Directory

  • Directory Service based on Lightweight Directory Access Protocol (LDAP) v3
  • Name resolution is based on the Domain Name System (DNS), replacing Windows Internet Name Service (WINS)
  • Support for Kerberos 5 authentication
  • Support for delegation of authority to Organizational Units
  • PKI support, including SmartCards and certificates


CalNet AD Design Goals

  • Support for single sign-on environment
  • Interoperability with campus infrastructure for DNS, directory services, and CalNet authentication
  • Improved security at the desktop level
  • Improved management and administration of workstations
  • 'Opt-in' model
    – Join the CAMPUS domain as an OU
    – Create a child domain under CAMPUS


CalNet AD Design Participants

  • IST Implementation Team
    – CCS (Mike Blasingame, Eric Chamberlain, Arden Pineda)
    – WSS (Karl Grose)
    – CNS (Mike Sinatra)
    – SNS (Mike Friedman)
    – Consultant
  • Campus Planning Committee (and Security Subcommittee)
    – http://calnetad.berkeley.edu/planning/planning_members.html
    – [email protected]
    – [email protected]


Why join CalNet AD?

  • Access to CalNet services
  • Easier, searchable access to network services (printers, file servers, etc.) published in the forest
  • Centralized support for hardware, security, redundancy, and backup requirements provided to the central domain controllers
  • Easier desktop management
    – remote software installation
    – policy implementation via Group Policy Objects (GPOs)
    – centralized file storage and user data
    – minimum security requirements can be established
  • Decentralized/Dynamic management
  • Centrally funded infrastructure


CalNet AD Design

[Diagram: forest layout. The forest root uc.berkeley.edu (UC) has two domain controllers: actdir01 (UC) holding SM, DNM, GC and NTP, and actdir02 (UC) holding PDC, IM, RID, GC and NTP. All shadow accounts from the MIT Kerberos realm BERKELEY.EDU reside in UC. The child domain haas.uc.berkeley.edu (HAAS) sits under UC. The second tree campus.berkeley.edu (CAMPUS) has three domain controllers: actdir03 (CAMPUS) with IM, GC and NTP; actdir04 (CAMPUS) with PDC, RID, GC and NTP; and actdir05 (CAMPUS) with GC and NTP, located at Boalt Hall. OUs are delegated within CAMPUS (College X, College Y, Dept. Z), and subdomains join beneath it as xx.campus.berkeley.edu (XX). All domain controllers take time from the campus NTP source. The server icons in the diagram are labelled "Netfinity 3000"; the hardware actually used is listed on the Server Hardware slide.]

SM = Schema Master, DNM = Domain Naming Master, RID = Relative ID Master, PDC = PDC Emulator, IM = Infrastructure Master, GC = Global Catalog, NTP = Network Time Protocol

Server Hardware

  • Dell PowerEdge 2550
    – Dual 933MHz PIII
    – 1GB RAM
    – 2 redundant power supplies
    – 5 drives with RAID 1 and RAID 5 configuration
  • Hardware/OS monitoring by CCS-SDA on 24/7 basis


Domain Controllers

  • Backup performed nightly and data stored on and off site
  • Physically secured
    – Double locked doors requiring proximity card access
    – Lockable rack cabinets
    – SmartCard logon (future)
  • 4 domain controllers in Evans Hall
    – 2 domain controllers for each domain
    – Each DC is connected to two UPS
    – Each UPS is fed from a separate PDU
  • One CAMPUS domain controller located outside Evans Hall at Boalt
    – Located on campus backbone
    – Power to building supplied by a separate power substation


Test Hardware

  • Dell PowerEdge 2550
    – Dual 1133MHz PIII
    – 2GB RAM
    – 2 redundant power supplies
    – 4 drives with RAID 5 configuration


Test Environment

  • VMware GSX Server software
  • Hosts
    – 2 UC-TEST domain controllers
    – 2 CAMPUS-TEST domain controllers
    – FreeBSD test KDC and BIND DNS
  • Available for integration testing
  • Backup/Recovery testing


CalNet AD Implementation Status

  • Design available at http://calnetad.berkeley.edu/
  • Domain controllers installed and configured for uc.berkeley.edu and campus.berkeley.edu domains
  • Full Production status in August 2002 (CalNet account synchronization)
  • Test environment is implemented
  • Out-of-Evans domain controller for CAMPUS domain located at Boalt


Security

  • GPO to disable IIS services by default
  • GPO to set minimum level of security on member machines
  • DC physical security
  • Empty forest root domain
  • Restricted number of Enterprise Administrator accounts
  • Administrator SmartCard logon (e-Berkeley funded project)


GPO

  • Group Policies kept to a minimum
  • Based on NSA recommendations and modified for UCB
  • Domain group policies
    – Password and Kerberos settings
    – Disable IIS
    – Disable DDNS updates
  • Domain controller group policies
    – Restrict administrative group membership
    – Require NTLMv2/Kerberos authentication
    – Restrict domain controller access
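As an added example (not code from the slides or from the CalNet AD project), the Python checker below reads a security template exported with `secedit /export /cfg baseline.inf` and reports deviations from the categories listed on the Security and GPO slides: password and Kerberos policy, IIS services disabled, NTLMv2-only authentication (stricter on domain controllers, where LM and NTLM are refused outright), and Restricted Groups control of the Administrators group on DCs. The template in the block is constructed and the numeric thresholds are assumptions; the slides say only that the settings derive from NSA recommendations modified for UCB. Disabling DDNS updates is an administrative-template (registry) setting rather than a security-template entry, and user rights ([Privilege Rights]) are also left out here.

```python
"""Check a security template exported with `secedit /export /cfg baseline.inf` against the policy
categories on the GPO and Security slides: password and Kerberos settings, IIS disabled, NTLMv2-only
authentication, and restricted administrative group membership on domain controllers."""
import configparser

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"

# Constructed sample template.  Sections and key names follow the real template format; the values are
# made up and carry two deliberate deviations: W3SVC left automatic and LmCompatibilityLevel set to 3.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
MaximumPasswordAge = 90
LockoutBadCount = 5
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512
[Service General Setting]
IISADMIN,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)"
W3SVC,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)"
[Version]
signature="$CHICAGO$"
Revision=1
"""

def load_template(text):
    """Templates are INI-style, but service lines carry no '=' (hence allow_no_value) and registry
    paths are case-significant (hence optionxform left as identity)."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def service_start_modes(cp):
    """[Service General Setting] lines read 'Name,StartMode,SDDL'; 2 = automatic, 3 = manual, 4 = disabled."""
    modes = {}
    if cp.has_section("Service General Setting"):
        for line in cp["Service General Setting"]:
            name, mode, _sddl = line.split(",", 2)
            modes[name.upper()] = int(mode)
    return modes

def registry_dword(cp, path):
    """[Registry Values] entries read 'path=type,value'; type 4 is REG_DWORD.  None if absent or not a DWORD."""
    kind, _, value = cp.get("Registry Values", path, fallback="").partition(",")
    return int(value) if kind == "4" else None

def audit(text, domain_controller=False):
    """Return the baseline violations in the template.  Thresholds are assumptions that illustrate the
    slides' categories; the slides do not give the NSA-derived UCB values themselves."""
    cp = load_template(text)
    sa, kp, svc = cp["System Access"], cp["Kerberos Policy"], service_start_modes(cp)
    lm = registry_dword(cp, LSA + r"\LmCompatibilityLevel")
    need_lm = 5 if domain_controller else 3   # 3 = send NTLMv2 only; 5 = additionally refuse LM and NTLM
    rules = [
        (int(sa["MinimumPasswordLength"]) >= 8, "MinimumPasswordLength below 8"),
        (sa["PasswordComplexity"] == "1", "PasswordComplexity not enabled"),
        (int(sa["PasswordHistorySize"]) >= 24, "PasswordHistorySize below 24"),
        (int(sa["LockoutBadCount"]) > 0, "account lockout not enabled"),
        (int(kp["MaxTicketAge"]) <= 10, "Kerberos TGT lifetime above 10 hours"),
        (int(kp["MaxClockSkew"]) <= 5, "Kerberos clock skew tolerance above 5 minutes"),
        (kp["TicketValidateClient"] == "1", "Kerberos 'enforce user logon restrictions' is off"),
        (lm is not None and lm >= need_lm, f"LmCompatibilityLevel is {lm}, need >= {need_lm}"),
    ]
    for name in ("IISADMIN", "W3SVC"):        # a service absent from the template is treated as not installed
        rules.append((svc.get(name, 4) == 4, f"IIS service {name} not disabled (start mode 4)"))
    if domain_controller:                     # Restricted Groups entry for BUILTIN\Administrators (S-1-5-32-544)
        rules.append((cp.has_option("Group Membership", "*S-1-5-32-544__Members"),
                      "Administrators membership not enforced via Restricted Groups"))
    return [msg for ok, msg in rules if not ok]
```

Calling `audit(open("baseline.inf").read(), domain_controller=True)` on a template exported from a DC applies the same rules; the DC variant demands LmCompatibilityLevel 5 and a Restricted Groups entry for Administrators, which is how the "require NTLMv2/Kerberos" and "restrict administrative group membership" items on the slide are enforced through policy.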


Certificates

  • Participating in UCOP user certificate initiative
  • Offline campus root CA
  • AD integrated subordinate CAs
  • Uses
    – SSL
    – IPSEC
    – Code signing
    – SmartCards


EFS

  • Enabled when certificates are implemented
  • Key recovery will be delegated to OU administrators
  • Recovery policies will follow current campus computer policy


User Authentication

  • NTLMv2 support (pre-Windows 2000, SAMBA, Mac)
  • Kerberos support
    – BERKELEY.EDU – MIT Kerberos Realm
    – User authenticates with [email protected]
  • User account information will come from CalNet LDAP database
  • Administrators will not need to manage user information/passwords
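The following is an added example, not code from the slides or from the CalNet AD team: a Python audit of an `ldifde -f forest.ldf` export that checks the role placement shown on the CalNet AD Design slide (FSMO roles, which DCs are Global Catalogs, and the rule that an Infrastructure Master may only sit on a GC when every DC in its domain is one) together with the cross-realm setup on this slide (the MIT realm trust to BERKELEY.EDU and the mapping of each shadow account in UC to its MIT principal). Host names, domains and the realm are the slides' own; the site name Default-First-Site-Name, the OU=Shadow container, the user names and the use of altSecurityIdentities as the mapping attribute are assumptions, as is the sample export, which the block constructs itself.

```python
"""Audit an ldifde export (ldifde -f forest.ldf) against the CalNet AD design: FSMO role placement,
Global Catalog coverage, the MIT realm trust and the Kerberos principal mapping on shadow accounts."""
import re

FOREST, CAMPUS = "DC=uc,DC=berkeley,DC=edu", "DC=campus,DC=berkeley,DC=edu"   # UC root and CAMPUS tree
REALM = "BERKELEY.EDU"                   # MIT Kerberos realm, per the slides
SITE = f"CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,{FOREST}"  # assumed site name
NTDS = "CN=NTDS Settings,CN={}," + SITE  # DN of a DC's nTDSDSA object; fSMORoleOwner values point here

# Constructed sample export following the role placement on the design slide.  The OU, the user names
# and the altSecurityIdentities mapping are assumptions, not something the slides state.
ROLE_OBJECTS = [  # (object carrying fSMORoleOwner, holder host)
    (f"CN=Schema,CN=Configuration,{FOREST}", "ACTDIR01"), (f"CN=Partitions,CN=Configuration,{FOREST}", "ACTDIR01"),
    (FOREST, "ACTDIR02"), (f"CN=RID Manager$,CN=System,{FOREST}", "ACTDIR02"), (f"CN=Infrastructure,{FOREST}", "ACTDIR02"),
    (CAMPUS, "ACTDIR04"), (f"CN=RID Manager$,CN=System,{CAMPUS}", "ACTDIR04"), (f"CN=Infrastructure,{CAMPUS}", "ACTDIR03"),
]
DCS = {"ACTDIR01": (FOREST, 1), "ACTDIR02": (FOREST, 1), "ACTDIR03": (CAMPUS, 1),
       "ACTDIR04": (CAMPUS, 1), "ACTDIR05": (CAMPUS, 1)}     # nTDSDSA options bit 0x1 = Global Catalog

def build_sample_ldif(dcs=DCS):
    recs = [f"dn: {dn}\nfSMORoleOwner: {NTDS.format(h)}" for dn, h in ROLE_OBJECTS]
    recs += [f"dn: {NTDS.format(h)}\nobjectClass: nTDSDSA\noptions: {opt}\nhasMasterNCs: CN=Schema,CN=Configuration,"
             f"{FOREST}\nhasMasterNCs: CN=Configuration,{FOREST}\nhasMasterNCs: {nc}" for h, (nc, opt) in dcs.items()]
    recs.append(f"dn: CN={REALM},CN=System,{FOREST}\nobjectClass: trustedDomain\ntrustPartner: {REALM}\n"
                "trustType: 3\ntrustDirection: 3\ntrustAttributes: 0")   # type 3 = MIT realm; direction 3 = both ways
    recs.append(f"dn: CN=jdoe,OU=Shadow,{FOREST}\nobjectClass: user\nsAMAccountName: jdoe\n"
                f"altSecurityIdentities: Kerberos:jdoe@{REALM}")
    recs.append(f"dn: CN=nomap,OU=Shadow,{FOREST}\nobjectClass: user\nsAMAccountName: nomap")
    return "\n\n".join(recs) + "\n"

def parse_ldif(text):
    """LDIF -> list of {attribute (lowercased): [values]}; folded lines are joined, '::' values stay base64."""
    records, cur, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last:                 # folded continuation line
            cur[last][-1] += raw[1:]
        elif not raw.strip():                            # blank line ends a record
            if cur:
                records.append(cur)
            cur, last = {}, None
        elif not raw.startswith("#"):
            attr, _, value = raw.partition(":")
            last = attr.strip().lower()
            cur.setdefault(last, []).append(value.strip())
    return records

def _classes(rec):
    return {c.lower() for c in rec.get("objectclass", [])}
def _host(ntds_dn):
    return re.match(r"CN=NTDS Settings,CN=([^,]+)", ntds_dn, re.I).group(1)

# role-object RDN prefix -> (role, number of leading RDNs to strip to reach the scope NC)
ROLE_PREFIX = {"CN=Schema,": ("SchemaMaster", 2), "CN=Partitions,": ("DomainNamingMaster", 2),
               "CN=RID Manager$,": ("RIDMaster", 2), "CN=Infrastructure,": ("InfrastructureMaster", 1)}
def fsmo_roles(records):
    """(role, scope NC) -> holder host, read from fSMORoleOwner on the five role-holder objects."""
    roles = {}
    for r in records:
        if "fsmoroleowner" in r:
            dn = r["dn"][0]        # a domain NC object carries its own PDC Emulator role
            role, depth = next(((n, d) for p, (n, d) in ROLE_PREFIX.items() if dn.startswith(p)), ("PDCEmulator", 0))
            roles[(role, dn.split(",", depth)[depth])] = _host(r["fsmoroleowner"][0])
    return roles

def domain_controllers(records):
    """host -> (domain NC, is_gc) from the nTDSDSA objects in the Configuration partition."""
    dcs = {}
    for r in records:
        if "ntdsdsa" in _classes(r):
            nc = next(v for v in r["hasmasterncs"] if v.startswith("DC="))
            dcs[_host(r["dn"][0])] = (nc, (int(r["options"][0]) & 0x1) == 0x1)
    return dcs

def placement_findings(records):
    """Infrastructure Master on a GC is only safe when every DC of its domain is a GC (as in the design)."""
    dcs, findings = domain_controllers(records), []
    for (role, scope), host in fsmo_roles(records).items():
        if role == "InfrastructureMaster" and dcs.get(host, (None, False))[1] \
                and not all(gc for nc, gc in dcs.values() if nc == scope):
            findings.append(f"{host}: Infrastructure Master on a GC while {scope} has non-GC DCs")
    return findings

def realm_trust(records, realm=REALM):
    """(direction, transitive) for the MIT realm trust (trustType 3 = TRUST_TYPE_MIT), or None."""
    for r in records:
        if "trusteddomain" in _classes(r) and r["trusttype"][0] == "3" and r["trustpartner"][0].upper() == realm:
            direction = {"1": "inbound", "2": "outbound", "3": "bidirectional"}[r["trustdirection"][0]]
            return direction, (int(r["trustattributes"][0]) & 0x1) == 0   # 0x1 = TRUST_ATTRIBUTE_NON_TRANSITIVE

def unmapped_shadow_accounts(records, realm=REALM):
    """Shadow accounts need 'Kerberos:user@REALM' in altSecurityIdentities to match cross-realm tickets."""
    missing = []
    for r in records:          # computer objects are also objectClass user, so exclude them
        if "user" in _classes(r) and "computer" not in _classes(r) and "samaccountname" in r:
            name = r["samaccountname"][0]
            if f"Kerberos:{name}@{realm}" not in r.get("altsecurityidentities", []):
                missing.append(name)
    return missing
```

On a real export, `parse_ldif(open("forest.ldf", encoding="utf-16").read())` feeds the same functions (ldifde writes UTF-16 by default unless `-u` is omitted on older versions; check the file). The Infrastructure Master check is the one that matters for this design: with every DC a GC, actdir02 and actdir03 holding IM on a GC is harmless, but adding a non-GC DC to CAMPUS later would silently make the role ineffective.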


[User Authentication: diagram slide, no text recovered]

Current/Future Users

  • COIS joined as an OU
  • HAAS joined haas.uc.berkeley.edu domain to forest
  • IST-DOCS is investigating OU migration issues
  • COE (Dean's Office) joined as an OU
  • IEOR joined as an OU
  • IIR joined as an OU
  • IAS joined as an OU
  • OE joined as an OU
  • CCHEM joined as an OU
  • CCS-SDA (HRMS) joined as an OU
  • WSS-W&MF (Fall '02)


CalNet AD Future Directions

  • Improve infrastructure for high availability, add DCs and an out-of-Evans KDC
  • Add certificate authority services for secure traffic and EFS
  • Integrate with UCOP certificate initiative
  • Add SmartCard support for secure machine access
  • Add administrative server for performance and security monitoring and tuning (IDS, firewalls)
  • Add file sharing server for roaming user profiles and data storage
  • Testing IDS solutions for domain controllers
  • Coordinate Microsoft training sessions for new administrators
  • Establish minimum security standards for domain workstations

Send comments to: [email protected]


How to join CalNetAD

  • Check website for more information: http://calnetad.berkeley.edu
  • Schedule meeting with the CalNetAD group
  • Sign a CalNetAD SLA
  • Join CalNetAD Planning Committee
  • Provide the DNS name of the first machine to join new OU
  • Provide the CalNet ID of the first OU admin
  • Provide the name of an OU administrative mail list
