Campus Active Directory Update

Jim Green, Academic Technology Services
Victor Lounds, Administrative Information Services
Dave Carter, College of Agriculture
Matt Stehouwer, College of Natural Science

ATS Active Directory Update

Jim Green, Manager, Identity Management Team

Academic Technology Services


Background

• Summer 2009 – U. of Iowa visit by AIS and ATS upper management
• Proposal for ATS Identity Management-operated AD domain
  – w/ Kerberos, LDAP/Directory services, Netid, Shibboleth
• Fall 2009 – research, setup for Computer Labs standalone domain
  – Penn State, U. of Iowa conference calls
• Spring 2010 – ATS reorganization
  – ATS's "services" domain, Mel Micke joins Identity Management


Short term goals

• Research to discover best practices for designing/operating AD infrastructure
• Support Windows login in the Computer Labs
• Evolve into a generalized institution-wide service offering
  – AD infrastructure for a centrally-supported MS Exchange service offering
  – Other authentication/authorization applications, e.g. 802.1x
• Coordinate with AIS and other units
• Work toward a coherent plan


Computer Labs AD domain

• Standalone domain
  – To be replaced by proposed central AD domain
• Will be rolled out to all labs by Fall 2010
• Four domain controllers
• Populated with all MSU netids, not just current
• Licensed via machine CALs
• Authenticates via pass-through to MIT Kerberos
  – Kerberos registry patch applied to workstations
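The "pass-through to MIT Kerberos" on the lab domain slide, as an added PowerShell example that is not part of the presentation. One common way to get an AD domain to accept MIT Kerberos credentials is a one-way realm trust (the AD domain trusts the MIT realm) plus a per-account name mapping in altSecurityIdentities; whether the lab domain used exactly this mechanism is not stated on the slide, and the domain name LABS.MSU.EDU, the realm MSU.EDU, the KDC host names and the netid jdoe are assumptions. The ksetup lines at the end are the kind of setting a "Kerberos registry patch" for the workstations would carry.

```powershell
# Added example, not from the presentation: one way to realize "pass-through
# to MIT Kerberos" for a standalone AD domain, using a Kerberos realm trust
# plus per-account name mapping. Domain/realm/KDC names and the sample
# netid are assumptions.

$LabDomain = 'LABS.MSU.EDU'                    # assumed AD domain name
$Realm     = 'MSU.EDU'                         # assumed MIT Kerberos realm
$Kdcs      = 'kdc1.msu.edu', 'kdc2.msu.edu'    # assumed KDC hosts

# ---- On a domain controller of the lab domain (as Domain Admin) ----
# One-way trust: the AD domain trusts the MIT realm, never the reverse, so
# nothing in the realm becomes reachable from the lab domain.
# The MIT side needs the matching cross-realm principal with the same password:
#   kadmin: addprinc krbtgt/LABS.MSU.EDU@MSU.EDU
netdom trust $LabDomain /Domain:$Realm /Add /Realm /PasswordT:*

# Map each AD account to its MIT principal. AD then supplies authorization
# (groups, OU placement, GPO) while the realm does the authentication; the
# AD password is not used for these logons.
Import-Module ActiveDirectory
$NetId = 'jdoe'                                # assumed sample netid
Set-ADUser -Identity $NetId -Add @{ altSecurityIdentities = "Kerberos:${NetId}@${Realm}" }

# Bulk form for the rest of the populated accounts (skips ones already mapped).
Get-ADUser -Filter 'Enabled -eq $true' -Properties altSecurityIdentities |
  Where-Object { -not $_.altSecurityIdentities } |
  ForEach-Object {
    Set-ADUser $_ -Add @{ altSecurityIdentities = "Kerberos:$($_.SamAccountName)@${Realm}" }
  }

# ---- On each lab workstation (this is what a "registry patch" carries:
#      ksetup writes HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains) ----
foreach ($kdc in $Kdcs) { ksetup /addkdc $Realm $kdc }
ksetup /addhosttorealmmap .msu.edu $Realm

# Users log on as netid@MSU.EDU; after logon, confirm the TGT was issued by the realm:
klist tgt
```

Because the slide says the domain is populated with all netids rather than only current ones, the mapping loop above deliberately takes only enabled accounts; anything that should no longer log on has to be disabled in AD, since the trust alone does not know who is current.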


Tentative design proposals

• Top level domain
• Authentication with MSU netid and password
  – Pass-through or sync
• Populate with current faculty, staff, students, affiliates
• Populate with attributes needed for authorization
  – E.g. departments for 802.1x, etc.
• MS Exchange, other service offerings to be operated by ATS Systems & Infrastructure team
• Delegated management through Organizational Units
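Delegated management through Organizational Units, as an added PowerShell example that is not part of the presentation. It gives a unit-run group the day-to-day rights over its own OU and then checks that the group has not ended up in any protected group. The domain campus.msu.edu, its NetBIOS name CAMPUS, the unit code CANR and the group name CANR-OU-Admins are assumptions.

```powershell
# Added example, not from the presentation: delegating management of one
# unit's OU to a unit-run group, without making that group a domain-wide
# administrator. Domain, OU and group names are assumptions.
Import-Module ActiveDirectory

$DomainDN = 'DC=campus,DC=msu,DC=edu'          # assumed domain
$NetBios  = 'CAMPUS'                           # assumed NetBIOS domain name
$Unit     = 'CANR'                             # assumed unit code
$UnitsDN  = "OU=Units,$DomainDN"
$OuDN     = "OU=$Unit,$UnitsDN"
$AdminGrp = "$Unit-OU-Admins"                  # assumed delegation group name

# 1. The OU and its delegation group. The group is an ordinary global
#    security group; it is never nested into Domain Admins, Administrators
#    or Account Operators, whose rights reach the whole domain.
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$UnitsDN'")) {
    New-ADOrganizationalUnit -Name 'Units' -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}
New-ADOrganizationalUnit -Name $Unit -Path $UnitsDN -ProtectedFromAccidentalDeletion $true
New-ADGroup -Name $AdminGrp -GroupScope Global -GroupCategory Security -Path $OuDN

# 2. Grant rights on this OU subtree only.
#    /I:T = this object and sub-objects (needed for create/delete child),
#    /I:S = sub-objects of the stated class only.
$Who = "$NetBios\$AdminGrp"
dsacls $OuDN /I:T /G "${Who}:CCDC;user"                       # create/delete users
dsacls $OuDN /I:T /G "${Who}:CCDC;group"                      # create/delete groups
dsacls $OuDN /I:T /G "${Who}:CCDC;computer"                   # join/remove computers
dsacls $OuDN /I:S /G "${Who}:CA;Reset Password;user"          # reset passwords (cannot read them)
dsacls $OuDN /I:S /G "${Who}:RPWP;pwdLastSet;user"            # force change at next logon
dsacls $OuDN /I:S /G "${Who}:RPWP;userAccountControl;user"    # enable/disable accounts
dsacls $OuDN /I:S /G "${Who}:RPWP;member;group"               # edit group membership

# 3. Verify. (a) The ACEs sit on the OU and nowhere higher:
(Get-Acl "AD:\$OuDN").Access |
  Where-Object { $_.IdentityReference -like "*\$AdminGrp" } |
  Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize

# (b) The group is not, directly or through nesting, a member of any protected
#     (adminCount=1) group. LDAP_MATCHING_RULE_IN_CHAIN walks the nesting.
$GrpDN = (Get-ADGroup $AdminGrp).DistinguishedName
Get-ADGroup -LDAPFilter "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$GrpDN))"
# expected: no output
```

The rights list is intentionally short: nothing here lets the unit group modify the OU's own ACL, link GPOs, or touch objects outside OU=CANR, so a compromise of a unit administrator stays inside that unit's subtree.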


Coordination Activities

• Meetings with College of Agriculture and College of Natural Science
• AIS shared consultant's report and information about their AD initiative
• Working group formed with representatives from Ag, Nat Sci, AIS, and ATS
• Joint testbed put up


Issues

• Competing priorities, notably including EBSP
• Licensing
• Is Identity Management the best location for this service?
• Organizational and policy logistics
• Security
• Design choices to best meet MSU institutional needs


AIS Active Directory Update

Victor Lounds, Administrative Information Services


What has AIS learned from our Development Environment?

After discussions with Microsoft AD support groups and contractors we were able to identify several issues:

• A multi-domain forest does not scale
• A domain is not a security boundary (the forest is)
• Although an empty forest root domain can separate higher-level roles, it does not gain any additional functionality or reliability

Conclusion: Single Forest / Single Domain


How can a centralized AD be managed?

Establishing methods for
• Adding
• Removing
• Tracking changes
• Reporting
• Naming conventions

Establishing a process for administrative changes: a request is submitted, then granted or denied.
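The tracking-changes, reporting and naming-convention items above, as an added PowerShell example that is not part of the presentation: it turns on the audit subcategories that record account and group changes on the domain controllers, builds a report from their security logs, and flags touches to protected groups. The DC names, the domain DN, the 24-hour window, the event IDs chosen and the "unit code prefix" naming rule are assumptions about what this site would want.

```powershell
# Added example, not from the presentation: tracking and reporting account and
# group changes from the DC security logs. DC names, domain DN, the window, the
# event IDs and the naming rule are assumptions.
Import-Module ActiveDirectory

$DCs      = 'dc1.campus.msu.edu', 'dc2.campus.msu.edu'   # assumed DC names
$DomainDN = 'DC=campus,DC=msu,DC=edu'                    # assumed domain
$Since    = (Get-Date).AddDays(-1)                       # assumed reporting window

# 1. Record the changes (once per DC, or via the Default Domain Controllers Policy).
auditpol /set /subcategory:"User Account Management"     /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management"   /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes"   /success:enable   # 5136/5137/5141 also need a SACL on the objects

# 2. Event IDs that correspond to the Adding / Removing items.
$Watch = @{
  4720 = 'user created';                 4726 = 'user deleted'
  4722 = 'user enabled';                 4725 = 'user disabled'
  4724 = 'password reset';               4738 = 'user changed'
  4728 = 'member added (global group)';  4729 = 'member removed (global group)'
  4732 = 'member added (local group)';   4733 = 'member removed (local group)'
  4756 = 'member added (universal)';     4757 = 'member removed (universal)'
}

# Pull one named field out of an event's EventData block.
function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$Report = foreach ($dc in $DCs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$Watch.Keys; StartTime = $Since } |
      ForEach-Object {
        New-Object PSObject -Property @{
          Time   = $_.TimeCreated
          DC     = $dc
          Action = $Watch[$_.Id]
          Target = Get-EventField $_ 'TargetUserName'    # account or group that was changed
          Member = Get-EventField $_ 'MemberName'        # DN of added/removed member (group events)
          Actor  = Get-EventField $_ 'SubjectUserName'   # who made the change
        }
      }
}

# 3. Report: who changed what, then anything that touched a protected (adminCount=1) group.
$Protected = Get-ADGroup -LDAPFilter '(adminCount=1)' | ForEach-Object { $_.SamAccountName }
$Report | Sort-Object Time | Format-Table Time, DC, Actor, Action, Target, Member -AutoSize
$Report | Where-Object { $Protected -contains $_.Target } |
  Format-Table Time, Actor, Action, Target, Member -AutoSize

# 4. Naming-convention check for the Adding item (assumed rule: a group under a
#    unit OU is prefixed with that unit's code, e.g. CANR-...).
Get-ADGroup -SearchBase "OU=Units,$DomainDN" -Filter * |
  ForEach-Object {
    $unit = (($_.DistinguishedName -split ',')[1]) -replace '^OU='
    if ($_.Name -notlike "$unit-*") { "$($_.DistinguishedName) violates the $unit- prefix rule" }
  }
```

The adminCount filter is the useful part for review: every request that ends up in the "granted" branch of the process should be matchable to a line in the first table, and anything in the second table that has no matching request is exactly what the tracking step exists to catch.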


What about Kerberos & Active Directory?

MSUNet Kerberos authentication is a concern because of…
o Password Management
o AD / MSU Kerberos
o Test
o Q/A
o Production


CANR and CNS Active Directory Update

Dave Carter, College of Agriculture
Matt Stehouwer, College of Natural Science


CANR and CNS Partnership

Sharing of Resources
• Exchange
• SharePoint
• Knowledge
• Datacenter
• Cost


CANR and CNS resource forest (diagram)

• Resource Forest: Exchange, SharePoint, FIM, TMG
• CANR Forest – one-way trust with the Resource Forest
• CNS Forest – one-way trust with the Resource Forest

FIM – Forefront Identity Manager
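The one-way trusts in the resource-forest diagram above (the same pattern as the campus resource forest test architecture later in the deck), as an added PowerShell example that is not part of the presentation. It checks, from the resource forest, that each college trust is one-way outbound, a forest trust, uses selective authentication and keeps SID filtering, and then sets the two settings that matter most. The forest names resource.msu.edu, canr.msu.edu and cns.msu.edu, the server CAS01 and the group CANR\Exchange-Users are assumptions, and the trusts themselves are assumed to already exist (created with the New Trust Wizard in Active Directory Domains and Trusts).

```powershell
# Added example, not from the presentation: checking and hardening the one-way
# trusts of a resource forest. Forest, server and group names are assumptions.
Import-Module ActiveDirectory

$Resource = 'resource.msu.edu'                  # assumed resource forest root (run these there)
$Colleges = 'canr.msu.edu', 'cns.msu.edu'       # assumed college (account) forests

# trustAttributes bits on the trustedDomain objects
$FOREST_TRANSITIVE  = 0x08   # forest trust
$CROSS_ORGANIZATION = 0x10   # selective authentication is on
$TREAT_AS_EXTERNAL  = 0x40   # SID history honoured across the trust (SID filtering relaxed)

function Test-ResourceForestTrust {
    param([string]$CollegeForest)
    $t = Get-ADObject -LDAPFilter "(&(objectClass=trustedDomain)(name=$CollegeForest))" `
                      -Properties trustDirection, trustAttributes
    if (-not $t) { return "$CollegeForest : no trust object found" }
    $a = [int]$t.trustAttributes
    $findings = @()
    # trustDirection 2 = outbound: this (resource) forest trusts the college forest,
    # and the college forest trusts nothing here.
    if ($t.trustDirection -ne 2)             { $findings += 'trust is not one-way outbound' }
    if (-not ($a -band $FOREST_TRANSITIVE))  { $findings += 'not a forest trust' }
    if (-not ($a -band $CROSS_ORGANIZATION)) { $findings += 'selective authentication is OFF' }
    if ($a -band $TREAT_AS_EXTERNAL)         { $findings += 'SID history allowed across the trust' }
    if ($findings.Count -eq 0) { "$CollegeForest : OK" } else { "$CollegeForest : " + ($findings -join '; ') }
}

$Colleges | ForEach-Object { Test-ResourceForestTrust $_ }

# Set the two settings that matter most (run as an Enterprise Admin of the resource forest).
foreach ($c in $Colleges) {
    netdom trust $Resource /Domain:$c /SelectiveAuth:yes      # no implicit "Authenticated Users" access
    netdom trust $Resource /Domain:$c /EnableSIDHistory:no    # keep SID filtering on the forest trust
    netdom trust $Resource /Domain:$c /Verify                 # secure-channel check
}

# With selective authentication on, college users can only use servers that grant them
# "Allowed to Authenticate" explicitly, e.g. the Exchange client-access servers:
dsacls "CN=CAS01,OU=Exchange,DC=resource,DC=msu,DC=edu" /G "CANR\Exchange-Users:CA;Allowed to Authenticate"
```

The direction check is the one to keep an eye on: the design only works as a boundary if the college forests never trust the resource forest back, since an inbound trust would let anything that compromises the shared Exchange/SharePoint forest authenticate into CANR and CNS.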


Shared Data Center at Computer Center (rack diagram: Racks 1–4 of Dell PowerEdge servers, a PowerVault 122T LTO autoloader, an NSMXpress appliance and an EX 4200 Series 8PoE switch)


ANR & CNS Environment (email systems flow diagram)

• Directory: CollegeMail AD server, ANR AD server, CNS AD server
• Mail: two HUB/CAS servers, ProofPoint mail gateways, Mailbox Store 1 and 2, CNS Mail Store 1 and 2, VM – Blackberry Enterprise MAPI
• Email delivery – SMTP client authentication
• Client connections – https, imaps


Campus Active Directory Under Testing


Campus AD test architecture (diagram): Campus AD, Campus Resource Forest, College Forest, Exchange, AD servers, MIT Kerberos, FIM


Campus Active Directory Update

Jim Green, ATS – [email protected]
Victor Lounds, AIS – [email protected]
Dave Carter, CANR – [email protected]
Matt Stehouwer, CBS – [email protected]
[email protected]