CalNet AD: UC Berkeley's Active Directory Implementation
CalNet Active Directory, 10/18/08

Slide 2: Introduction to Active Directory
[Diagram: Berkeley Network Infrastructure. CalNet Kerberos Authentication (MIT); DNS (BIND)*; CalNet Directory Services (LDAP); Computer; Laptop. * BIND = Berkeley Internet Name Domain]
- Part of the suite of Windows 2000 products
- Microsoft's implementation of the CalNet model
- Enterprise class software which makes extensive use of enterprise-wide computing infrastructures
- Integration with CalNet necessitates central support

Slide 3: Some Active Directory Terminology
[Diagram: CalNetAD Forest. Tree 1 - uc.berkeley.edu; Tree 2 - campus.berkeley.edu; transitive, two-way trust between the trees. haas.uc.berkeley.edu (HAAS) as a child domain, transitive two-way trust. Organizational Units containing Groups, Users, Computers, Print Queue.]
- Forest – A collection of one or more trees of domains, organized as peers and connected by two-way transitive trusts.
- Domain – A directory-based container object containing a hierarchical structure of other containers and objects (OUs); domains can be joined into trees of domains.
- Organizational Unit (OU) – A logical container used within domains for which administrative authority can be delegated to designated groups.

Slide 4: Major Features of Active Directory
- Directory service based on Lightweight Directory Access Protocol (LDAP) v3
- Name resolution is based on Domain Name Service (DNS), replacing Windows Internet Name Service (WINS)
- Support for Kerberos 5 authentication
- Support for delegation of authority to Organizational Units
- PKI support, including SmartCards and certificates

Slide 5: CalNet AD Design Goals
- Support for a single sign-on environment
- Interoperability with campus infrastructure for DNS, directory services, and CalNet authentication
- Improved security at the desktop level
- Improved management and administration of workstations
- 'Opt-in' model
  – Join the CAMPUS domain as an OU
  – Create a child domain under CAMPUS

Slide 6: CalNet AD Design Participants
- IST Implementation Team
  – CCS (Mike Blasingame, Eric Chamberlain, Arden Pineda)
  – WSS (Karl Grose)
  – CNS (Mike Sinatra)
  – SNS (Mike Friedman)
  – Consultant
- Campus Planning Committee (and Security Subcommittee)
  – http://calnetad.berkeley.edu/planning/planning_members.html
  – [email protected]
  – [email protected]

Slide 7: Why join CalNet AD?
- Access to CalNet services
- Easier, searchable access to network services (printers, file servers, etc.) published in the forest
- Centralized support for hardware, security, redundancy, and backup requirements provided to the central domain controllers
- Easier desktop management
  – remote software installation
  – policy implementation via Group Policy Objects (GPOs)
  – centralized file storage and user data
  – minimum security requirements can be established
- Decentralized/dynamic management
- Centrally funded infrastructure

Slide 8: CalNet AD Design
[Diagram]
- Forest Root: uc.berkeley.edu (UC)
  – actdir01 (UC): SM, DNM, GC, & NTP
  – actdir02 (UC): PDC, IM, RID, GC, & NTP
  – MIT Kerberos realm BERKELEY.EDU; all shadow accounts reside here (from MIT realm)
  – Subdomains join here: haas.uc.berkeley.edu (HAAS)
- campus.berkeley.edu (CAMPUS)
  – actdir03 (CAMPUS): IM, GC, & NTP
  – actdir04 (CAMPUS): PDC, RID, GC, & NTP
  – actdir05 (CAMPUS): GC & NTP (Boalt Hall)
  – OUs delegated here: College X, College Y, Dept. Z
  – Subdomains join here: xx.campus.berkeley.edu (XX)
- Campus NTP source feeds the domain controllers
- Legend: SM = Schema Master; DNM = Domain Naming Master; RID = Relative ID Master; PDC = PDC Emulator; IM = Infrastructure Master; GC = Global Catalog; NTP = Network Time Protocol

Slide 9: Server Hardware
- Dell PowerEdge 2550
  – Dual 933MHz PIII
  – 1GB RAM
  – 2 redundant power supplies
  – 5 drives in RAID 1 and RAID 5 configuration
- Hardware/OS monitoring by CCS-SDA on a 24/7 basis

Slide 10: Domain Controllers
- Backup performed nightly and data stored on and off site
- Physically secured
  – Double locked doors requiring proximity card access
  – Lockable rack cabinets
  – SmartCard logon (future)
- 4 domain controllers in Evans Hall
  – 2 domain controllers for each domain
  – Each DC is connected to two UPS
  – Each UPS is fed from a separate PDU
- One CAMPUS domain controller located outside Evans Hall at Boalt
  – Located on campus backbone
  – Power to building supplied by a separate power substation

Slide 11: Test Hardware
- Dell PowerEdge 2550
  – Dual 1133MHz PIII
  – 2GB RAM
  – 2 redundant power supplies
  – 4 drives in RAID 5 configuration

Slide 12: Test Environment
- VMware GSX Server software
- Hosts
  – 2 UC-TEST domain controllers
  – 2 CAMPUS-TEST domain controllers
  – FreeBSD test KDC and BIND DNS
- Available for integration testing
- Backup/recovery testing

Slide 13: CalNet AD Implementation Status
- Design available at http://calnetad.berkeley.edu/
- Domain controllers installed and configured for uc.berkeley.edu and campus.berkeley.edu domains
- Full production status in August 2002 (CalNet account synchronization)
- Test environment is implemented
- Out-of-Evans domain controller for CAMPUS domain located at Boalt

Slide 14: Security
- GPO to disable IIS services by default
- GPO to set minimum level of security on member machines
- DC physical security
- Empty forest root domain
- Restricted number of Enterprise Administrator accounts
- Administrator SmartCard logon (e-Berkeley funded project)

Slide 15: GPO
- Group Policies kept to a minimum
- Based on NSA recommendations and modified for UCB
- Domain group policies
  – Password and Kerberos settings
  – Disable IIS
  – Disable DDNS updates
- Domain controller group policies
  – Restrict administrative group membership
  – Require NTLMv2/Kerberos authentication
  – Restrict domain controller access

Slide 16: Certificates
- Participating in UCOP user certificate initiative
- Offline campus root CA
- AD integrated subordinate CAs
- Uses
  – SSL
  – IPSEC
  – Code signing
  – SmartCards

Slide 17: EFS
- Enabled when certificates are implemented
- Key recovery will be delegated to OU administrators
- Recovery policies will follow current campus computer policy

Slide 18: User Authentication
- NTLMv2 support (pre-Windows 2000, SAMBA, Mac)
- Kerberos support
  – BERKELEY.EDU – MIT Kerberos Realm
  – User authenticates with [email protected]
- User account information will come from the CalNet LDAP database
- Administrators will not need to manage user information/passwords

Slide 19: User Authentication
[Diagram slide; no text recoverable]

Slide 20: Current/Future Users
- COIS joined as an OU
- HAAS joined haas.uc.berkeley.edu domain to forest
- IST-DOCS is investigating OU migration issues
- COE (Dean's Office) joined as an OU
- IEOR joined as an OU
- IIR joined as an OU
- IAS joined as an OU
- OE joined as an OU
- CCHEM joined as an OU
- CCS-SDA (HRMS) joined as an OU
- WSS-W&MF (Fall '02)

Slide 21: CalNet AD Future Directions
- Improve infrastructure for high availability; add DCs and an out-of-Evans KDC
- Add certificate authority services for secure traffic and EFS
- Integrate with UCOP certificate initiative
- Add SmartCard support for secure machine access
- Add administrative server for performance and security monitoring and tuning (IDS, firewalls)
- Add file sharing server for roaming user profiles and data storage
- Testing IDS solutions for domain controllers
- Coordinate Microsoft training sessions for new administrators
- Establish minimum security standards for domain workstations
- Send comments to: [email protected]

Slide 22: How to join CalNetAD
- Check website for more information: http://calnetad.berkeley.edu
- Schedule meeting with the CalNetAD group
- Sign a CalNetAD SLA
- Join CalNetAD Planning Committee
- Provide the DNS name of the first machine to join the new OU
- Provide the CalNet ID of the first OU admin
- Provide the name of an OU administrative mail list
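The following PowerShell audit is an added example, not part of the CalNet AD deck or any Berkeley tooling: it checks a domain-joined Windows host against the controls named on the Security and GPO slides (FSMO placement from the design diagram, restricted Enterprise Admins membership, NTLMv2/Kerberos only, IIS disabled, domain password policy). It assumes the RSAT ActiveDirectory module and a reader-level domain account; the role-holder host names and the admin-count ceiling are parameters taken from the deck's diagram and are assumptions for any other forest.

```powershell
# Added example (not from the CalNet AD deck). Audits a member host against the
# deck's Security and GPO slides. Assumes RSAT ActiveDirectory module is present.
Import-Module ActiveDirectory

function Test-CalNetAdPosture {
    param(
        # Role placement taken from the design slide; assumed for any other forest.
        [hashtable]$ExpectedRoles = @{ SchemaMaster='actdir01'; DomainNamingMaster='actdir01';
                                       PDCEmulator='actdir02'; InfrastructureMaster='actdir02'; RIDMaster='actdir02' },
        [int]$MaxEnterpriseAdmins = 3          # assumed ceiling; deck only says "restricted number"
    )
    $findings = @()
    $forest = Get-ADForest
    $root   = Get-ADDomain -Identity $forest.RootDomain

    # FSMO roles: forest-wide roles come from Get-ADForest, domain roles from the root domain.
    $actual = @{ SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster;
                 PDCEmulator = $root.PDCEmulator; InfrastructureMaster = $root.InfrastructureMaster;
                 RIDMaster = $root.RIDMaster }
    foreach ($role in $ExpectedRoles.Keys) {
        # Role holders are returned as FQDNs; compare only the host label.
        if ($actual[$role] -notlike "$($ExpectedRoles[$role]).*") {
            $findings += "$role held by $($actual[$role]), design expects $($ExpectedRoles[$role])"
        }
    }

    # Restricted Enterprise Admins membership, nested groups expanded.
    $ea = @(Get-ADGroupMember -Identity 'Enterprise Admins' -Server $root.PDCEmulator -Recursive)
    if ($ea.Count -gt $MaxEnterpriseAdmins) { $findings += "Enterprise Admins has $($ea.Count) members" }

    # Require NTLMv2/Kerberos: LmCompatibilityLevel 3 sends NTLMv2 only; 5 also refuses LM/NTLM inbound.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if (-not $lsa.LmCompatibilityLevel -or $lsa.LmCompatibilityLevel -lt 3) {
        $findings += "LmCompatibilityLevel is '$($lsa.LmCompatibilityLevel)', expected 3 or higher"
    }

    # Disable IIS: the World Wide Web Publishing Service should be absent or disabled.
    $w3 = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
    if ($w3 -and $w3.StartType -ne 'Disabled') { $findings += "W3SVC present with StartType $($w3.StartType)" }

    # Password settings carried by the domain GPO (thresholds are assumed minimums).
    $pw = Get-ADDefaultDomainPasswordPolicy -Server $root.PDCEmulator
    if ($pw.MinPasswordLength -lt 8) { $findings += "MinPasswordLength is $($pw.MinPasswordLength)" }
    if (-not $pw.ComplexityEnabled)  { $findings += 'Password complexity is not enforced' }

    return $findings
}

$result = Test-CalNetAdPosture
if ($result.Count -eq 0) { 'All checked controls are in place' } else { $result }
```

Run it from an elevated session on a member server; each returned string is one deviation from the deck's stated controls, and an empty result means every check passed.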