The document discusses UC Berkeley's implementation of Active Directory (AD), called CalNet AD. It provides an overview of key AD concepts like forests, domains, and organizational units. CalNet AD was designed for single sign-on, interoperability with campus infrastructure, improved security and management of desktops. It follows an "opt-in" model where departments join the main CAMPUS domain or create a child domain. Central support is provided for the core AD infrastructure.
CalNet AD: UC Berkeley's Active Directory Implementation
CalNet Active Directory 10/18/08
Introduction to Active Directory

[Diagram: Berkeley Network Infrastructure. Three central services, CalNet Kerberos Authentication (MIT), DNS (BIND*) and CalNet Directory Services (LDAP), serve campus computers and laptops.]

* BIND = Berkeley Internet Name Domain

• Part of the suite of Windows 2000 products
• Microsoft's implementation of the CalNet model: Kerberos authentication, DNS name resolution and an LDAP directory
• Enterprise-class software which makes extensive use of enterprise-wide computing infrastructure
• Integration with CalNet necessitates central support
Some Active Directory Terminology
[Diagram: the CalNetAD forest contains two trees, Tree1 uc.berkeley.edu and Tree2 campus.berkeley.edu, joined by a transitive two-way trust; haas.uc.berkeley.edu (HAAS) is a child of uc.berkeley.edu, again with a transitive two-way trust. Each domain holds Organizational Units, and the OUs hold Groups, Users, Computers and Print Queues.]

• Forest – A collection of one or more trees of domains, organized as peers and connected by two-way transitive trusts. Because every domain in the forest trusts every other, the forest rather than the domain is the security boundary: whoever controls the forest root's Enterprise Admins or Schema Admins groups controls every domain in it.
• Domain – A directory-based container object holding a hierarchical structure of other containers and objects (OUs); domains can be joined into trees of domains.
• Organizational Unit (OU) – A logical container used within domains, for which administrative authority can be delegated to designated groups. Delegation works through the ACL on the OU; settings that Windows 2000 applies per domain, such as password policy, cannot be varied per OU.
Major Features of Active Directory

• Directory service based on the Lightweight Directory Access Protocol (LDAP) v3
• Name resolution is based on the Domain Name System (DNS), replacing the Windows Internet Name Service (WINS)
• Support for Kerberos 5 authentication
• Support for delegation of authority to Organizational Units
• PKI support, including SmartCards and certificates
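Windows 2000 clients find domain controllers through DNS SRV records that the Netlogon service normally registers by dynamic update. This deck's domain GPO turns dynamic updates off (see the GPO slide), which leaves those records to be maintained in BIND by hand. The following script, an added example and not part of the CalNet AD deck or its tooling, lists the records the CAMPUS controllers would need and checks a zone fragment for missing and stale entries. Host names and roles are taken from the design slide; the zone text is constructed for the example, site-specific `_sites` records are left out, and the function and constant names are the author's own.

```python
"""Check that the SRV records Windows 2000 domain controllers depend on are
present in a static BIND zone.

Added example, not part of the CalNet AD deck or its tooling. Host names
and roles come from the deck's design diagram; the zone fragment below is
constructed for this example, not Berkeley's real zone. With dynamic DNS
updates disabled by Group Policy, Netlogon cannot register these records
itself, so they have to be added to BIND by hand and checked like this.
"""
import re

# Records every domain controller registers for its own domain
# (owner-name template, port). Site-specific _sites records are omitted.
DC_SERVICES = [
    ("_ldap._tcp.{domain}", 389),
    ("_ldap._tcp.dc._msdcs.{domain}", 389),
    ("_kerberos._tcp.{domain}", 88),
    ("_kerberos._udp.{domain}", 88),
    ("_kerberos._tcp.dc._msdcs.{domain}", 88),
    ("_kpasswd._tcp.{domain}", 464),
    ("_kpasswd._udp.{domain}", 464),
]
PDC_SERVICES = [("_ldap._tcp.pdc._msdcs.{domain}", 389)]
# Global catalog records hang off the forest root name, not the domain.
GC_SERVICES = [
    ("_gc._tcp.{forest}", 3268),
    ("_ldap._tcp.gc._msdcs.{forest}", 3268),
]

# CAMPUS domain controllers and their FSMO/GC roles as drawn on the design slide.
CONTROLLERS = [
    ("actdir03", {"IM", "GC"}),
    ("actdir04", {"PDC", "RID", "GC"}),
    ("actdir05", {"GC"}),
]

# Constructed fragment of a static campus.berkeley.edu zone. Several records
# are missing, and the PDC record still points at actdir03 although the PDC
# emulator role sits on actdir04: the stale-record case a manual zone invites.
SAMPLE_ZONE = """
; constructed for the example
_ldap._tcp.campus.berkeley.edu.            600 IN SRV 0 100 389  actdir03.campus.berkeley.edu.
_ldap._tcp.campus.berkeley.edu.            600 IN SRV 0 100 389  actdir04.campus.berkeley.edu.
_ldap._tcp.campus.berkeley.edu.            600 IN SRV 0 100 389  actdir05.campus.berkeley.edu.
_ldap._tcp.dc._msdcs.campus.berkeley.edu.  600 IN SRV 0 100 389  actdir03.campus.berkeley.edu.
_ldap._tcp.dc._msdcs.campus.berkeley.edu.  600 IN SRV 0 100 389  actdir04.campus.berkeley.edu.
_kerberos._tcp.campus.berkeley.edu.        600 IN SRV 0 100 88   actdir03.campus.berkeley.edu.
_kerberos._tcp.campus.berkeley.edu.        600 IN SRV 0 100 88   actdir04.campus.berkeley.edu.
_kerberos._udp.campus.berkeley.edu.        600 IN SRV 0 100 88   actdir03.campus.berkeley.edu.
_kpasswd._tcp.campus.berkeley.edu.         600 IN SRV 0 100 464  actdir03.campus.berkeley.edu.
_ldap._tcp.pdc._msdcs.campus.berkeley.edu. 600 IN SRV 0 100 389  actdir03.campus.berkeley.edu.
_gc._tcp.uc.berkeley.edu.                  600 IN SRV 0 100 3268 actdir03.campus.berkeley.edu.
"""

# owner [ttl] IN SRV priority weight port target
SRV_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)$", re.IGNORECASE)


def expected_records(domain, forest, controllers):
    """Set of (owner, port, target) the listed DCs would register via dynamic update."""
    wanted = set()
    for host, roles in controllers:
        target = f"{host}.{domain}."
        services = (DC_SERVICES
                    + (PDC_SERVICES if "PDC" in roles else [])
                    + (GC_SERVICES if "GC" in roles else []))
        for owner, port in services:
            wanted.add((owner.format(domain=domain, forest=forest) + ".", port, target))
    return wanted


def parse_zone(zone_text):
    """SRV records found in zone-file text, normalised to lower case."""
    found = set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and padding
        m = SRV_RE.match(line)
        if m:
            owner, port, target = m.groups()
            found.add((owner.lower(), int(port), target.lower()))
    return found


def missing_records(domain, forest, controllers, zone_text):
    """Locator records the controllers need that the zone does not carry."""
    return sorted(expected_records(domain, forest, controllers) - parse_zone(zone_text))


def stale_records(domain, forest, controllers, zone_text):
    """Records under a locator owner name that point at a host or role we did not expect."""
    expected = expected_records(domain, forest, controllers)
    owners = {owner for owner, _, _ in expected}
    return sorted(r for r in parse_zone(zone_text) - expected if r[0] in owners)


if __name__ == "__main__":
    for label, check in (("missing", missing_records), ("stale", stale_records)):
        for owner, port, target in check("campus.berkeley.edu", "uc.berkeley.edu",
                                         CONTROLLERS, SAMPLE_ZONE):
            print(f"{label}: {owner} port {port} -> {target}")
```

The stale check matters as much as the missing one: after a FSMO role transfer, a hand-maintained `_ldap._tcp.pdc._msdcs` record keeps sending password changes and lockout processing to the old host until someone edits the zone.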
CalNet AD Design Goals

• Support for a single sign-on environment
• Interoperability with campus infrastructure for DNS, directory services, and CalNet authentication
• Improved security at the desktop level
• Improved management and administration of workstations
• 'Opt-in' model
– Join the CAMPUS domain as an OU
– Create a child domain under CAMPUS
CalNet AD Design Participants

• IST Implementation Team
– CCS (Mike Blasingame, Eric Chamberlain, Arden Pineda)
– WSS (Karl Grose)
– CNS (Mike Sinatra)
– SNS (Mike Friedman)
– Consultant
• Campus Planning Committee (and Security Subcommittee)
– http://calnetad.berkeley.edu/planning/planning_members.html
– [email protected]
– [email protected]
Why join CalNet AD?

• Access to CalNet services
• Easier, searchable access to network services (printers, file servers, etc.) published in the forest
• Centralized support for the hardware, security, redundancy, and backup requirements of the central domain controllers
• Easier desktop management
– remote software installation
– policy implementation via Group Policy Objects (GPOs)
– centralized file storage and user data
– minimum security requirements can be established
• Decentralized/dynamic management
• Centrally funded infrastructure
CalNet AD Design

[Diagram, rendered as text. The machines are drawn as IBM Netfinity 3000s; the Server Hardware slide lists the production Dell PowerEdge 2550s. Role assignments are read from the diagram's columns.]

Forest root: uc.berkeley.edu (UC)
– actdir01 (UC): SM, DNM, RID, GC, NTP
– actdir02 (UC): PDC, IM, GC, NTP
– Time from the campus NTP source
– MIT Kerberos realm BERKELEY.EDU, with the note "All shadow accounts reside here (from MIT realm)"
– Subdomain joined here: haas.uc.berkeley.edu (HAAS)

campus.berkeley.edu (CAMPUS)
– actdir03 (CAMPUS): IM, GC, NTP
– actdir04 (CAMPUS): PDC, RID, GC, NTP
– actdir05 (CAMPUS), at Boalt Hall: GC, NTP
– OUs delegated here: College X, College Y, Dept. Z
– Subdomains join here: xx.campus.berkeley.edu (XX)

Legend: SM = Schema Master; DNM = Domain Naming Master; RID = Relative ID Master; PDC = PDC Emulator; IM = Infrastructure Master; GC = Global Catalog; NTP = Network Time Protocol
Server Hardware
• Dell PowerEdge 2550
– Dual 933 MHz Pentium III
– 1 GB RAM
– 2 redundant power supplies
– 5 drives, in RAID 1 and RAID 5 configurations
• Hardware/OS monitored by CCS-SDA on a 24/7 basis
Domain Controllers
• Backup performed nightly; data stored on and off site
• Physically secured
– Double locked doors requiring proximity-card access
– Lockable rack cabinets
– SmartCard logon (future)
• 4 domain controllers in Evans Hall
– 2 domain controllers for each domain
– Each DC is connected to two UPSs
– Each UPS is fed from a separate PDU
• One CAMPUS domain controller located outside Evans Hall, at Boalt
– Located on the campus backbone
– Power to the building supplied by a separate power substation
Test Hardware
• Dell PowerEdge 2550
– Dual 1133 MHz Pentium III
– 2 GB RAM
– 2 redundant power supplies
– 4 drives in a RAID 5 configuration
Test Environment
• VMware GSX Server software
• Hosts
– 2 UC-TEST domain controllers
– 2 CAMPUS-TEST domain controllers
– FreeBSD test KDC and BIND DNS
• Available for integration testing
• Backup/recovery testing
CalNet AD Implementation Status
• Design available at http://calnetad.berkeley.edu/
• Domain controllers installed and configured for the uc.berkeley.edu and campus.berkeley.edu domains
• Full production status in August 2002 (CalNet account synchronization)
• Test environment is implemented
• Out-of-Evans domain controller for the CAMPUS domain located at Boalt
Security
• GPO to disable IIS services by default (Windows 2000 Server installs IIS by default)
• GPO to set a minimum level of security on member machines
• DC physical security
• Empty forest root domain
• Restricted number of Enterprise Administrator accounts
• Administrator SmartCard logon (e-Berkeley funded project)
GPO
• Group Policies kept to a minimum
• Based on NSA recommendations and modified for UCB
• Domain group policies
– Password and Kerberos settings (domain-wide in Windows 2000, so they apply to every OU in the domain)
– Disable IIS
– Disable DDNS updates (with dynamic updates off, the SRV records the domain controllers rely on must be maintained in BIND by hand)
• Domain controller group policies
– Restrict administrative group membership
– Require NTLMv2/Kerberos authentication
– Restrict domain controller access
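Group Policy security settings are stored on the SYSVOL as a secedit template (GptTmpl.inf), so the policy points listed above can be checked mechanically before a GPO is linked. The script below is an added example, not the CalNet AD team's code or its actual policy files: it parses a constructed template and reports where it falls short of the deck's domain and domain controller policies. The section names, registry paths and `type,value` encoding are the real secedit .inf format; the numeric thresholds (8-character passwords, 10-hour tickets, 5-minute skew) and the use of the Tcpip `DisableDynamicUpdate` key to implement "Disable DDNS updates" are assumptions for illustration, since the deck only says its settings follow NSA recommendations modified for UCB. Function and constant names are the author's own.

```python
"""Audit a secedit security template (the GptTmpl.inf stored under a GPO)
against the settings this deck's domain and domain controller policies call for.

Added example, not the CalNet AD team's code or its actual policy files.
The template text is constructed; the section names, registry paths and
'type,value' encoding are the real secedit .inf format. The numeric
thresholds and the DisableDynamicUpdate key are assumptions for
illustration.
"""
import configparser

LSA_LM = r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel"
TCPIP_DDNS = r"MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableDynamicUpdate"
IIS_SERVICES = ("W3SVC", "IISADMIN")   # web publishing and IIS admin services
START_DISABLED = 4                      # service startup types: 2 auto, 3 manual, 4 disabled

# Constructed member-server template with three weaknesses: short passwords,
# dynamic DNS still on, and W3SVC set to start automatically.
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
LockoutBadCount = 5
[Kerberos Policy]
MaxTicketAge = 10
MaxClockSkew = 5
TicketValidateClient = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableDynamicUpdate=4,0
[Service General Setting]
W3SVC,2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
IISADMIN,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"""

# The same template with the findings fixed and NTLMv2 made mandatory (DC policy).
HARDENED_TEMPLATE = (SAMPLE_TEMPLATE
                     .replace("MinimumPasswordLength = 6", "MinimumPasswordLength = 8")
                     .replace("LmCompatibilityLevel=4,3", "LmCompatibilityLevel=4,5")
                     .replace("DisableDynamicUpdate=4,0", "DisableDynamicUpdate=4,1")
                     .replace("W3SVC,2,", "W3SVC,4,"))


def load_template(text):
    # The .inf is INI-like. Keys are case-sensitive registry paths (keep case),
    # '=' is the only delimiter (SDDL strings contain ':'), and service lines
    # carry no '=' at all, so they come back as keys with no value.
    cp = configparser.ConfigParser(delimiters=("=",), allow_no_value=True,
                                   interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def section(cp, name):
    """A section's mapping, or an empty one if the template lacks it."""
    return cp[name] if cp.has_section(name) else {}


def reg_dword(cp, path):
    """[Registry Values] entries are 'path=type,data'; type 4 is REG_DWORD."""
    raw = section(cp, "Registry Values").get(path)
    if raw is None:
        return None
    kind, data = raw.split(",", 1)
    return int(data) if kind == "4" else None


def service_start(cp, name):
    """Startup type from a '[Service General Setting]' line: name,start,SDDL."""
    for line in section(cp, "Service General Setting"):
        parts = line.split(",", 2)
        if parts[0].upper() == name.upper():
            return int(parts[1])
    return None


def audit(text, dc=False, min_password=8, max_ticket_hours=10, max_skew_minutes=5):
    """Findings against the deck's policy points; an empty list means compliant.
    dc=True applies the DC policy, which must refuse LM and NTLM outright."""
    cp = load_template(text)
    findings = []
    sysacc = section(cp, "System Access")
    if int(sysacc.get("MinimumPasswordLength", "0")) < min_password:
        findings.append(f"MinimumPasswordLength below {min_password}")
    if sysacc.get("PasswordComplexity") != "1":
        findings.append("PasswordComplexity not enabled")
    kerb = section(cp, "Kerberos Policy")
    if int(kerb.get("MaxTicketAge", "0")) > max_ticket_hours:
        findings.append(f"MaxTicketAge above {max_ticket_hours} hours")
    if int(kerb.get("MaxClockSkew", "0")) > max_skew_minutes:
        findings.append(f"MaxClockSkew above {max_skew_minutes} minutes")
    # LmCompatibilityLevel: 3 = send NTLMv2 only, 4 = also refuse LM,
    # 5 = refuse LM and NTLM, so only NTLMv2 or Kerberos is accepted.
    need = 5 if dc else 3
    level = reg_dword(cp, LSA_LM)
    if level is None or level < need:
        findings.append(f"LmCompatibilityLevel is {level}, need at least {need}")
    if reg_dword(cp, TCPIP_DDNS) != 1:
        findings.append("dynamic DNS updates not disabled")
    for svc in IIS_SERVICES:
        if service_start(cp, svc) != START_DISABLED:
            findings.append(f"{svc} service not disabled")
    return findings


if __name__ == "__main__":
    print("member template:", audit(SAMPLE_TEMPLATE) or "compliant")
    print("hardened DC template:", audit(HARDENED_TEMPLATE, dc=True) or "compliant")
```

A template exported from a live machine with `secedit /export /cfg file.inf` can be fed to the same audit, which is a quick way to confirm that a member machine in a delegated OU actually received the domain policy.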
Certificates
• Participating in the UCOP user certificate initiative
• Offline campus root CA
• AD-integrated subordinate CAs
• Uses
– SSL
– IPsec
– Code signing
– SmartCards
EFS
• Enabled when certificates are implemented
• Key recovery will be delegated to OU administrators
• Recovery policies will follow current campus computer policy
User Authentication
• NTLMv2 support (pre-Windows 2000, Samba, Mac)
• Kerberos support
– BERKELEY.EDU – MIT Kerberos realm
– User authenticates with [email protected]
• User account information will come from the CalNet LDAP database
• Administrators will not need to manage user information/passwords

User Authentication
[Diagram slide; no text was extracted.]
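The slide says shadow accounts are populated from CalNet LDAP and that users authenticate against the MIT realm BERKELEY.EDU rather than with an AD password. The script below is an added example, not the CalNet AD synchronization code, of one way to produce those accounts: it turns CalNet-style LDAP entries into LDIF that ties each account to its MIT principal through the Windows 2000 Kerberos name-mapping attribute `altSecurityIdentities`. Everything beyond the realm name is assumed for illustration: the `Shadow Accounts` OU in uc.berkeley.edu, the mapping mechanism itself (the deck does not say how its shadow accounts are linked to the realm), the sample entries, and the function names.

```python
"""Build LDIF for Active Directory shadow accounts from CalNet LDAP entries.

Added example, not the CalNet AD synchronization code. Assumptions: the
shadow accounts sit in an OU called 'Shadow Accounts' in uc.berkeley.edu,
each is tied to its MIT principal through the Windows 2000 Kerberos name
mapping attribute altSecurityIdentities, and the CalNet entries below are
constructed sample data, not real people.
"""
import base64
import re

BASE_DN = "OU=Shadow Accounts,DC=uc,DC=berkeley,DC=edu"   # assumed container
REALM = "BERKELEY.EDU"                                     # MIT realm named in the deck
NORMAL_ACCOUNT = 512                                       # userAccountControl: normal user
ACCOUNT_DISABLE = 2                                        # userAccountControl: disabled
# sAMAccountName is limited to 20 characters; keep principal names simple.
UID_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,19}$")

# Constructed CalNet-style entries (inetOrgPerson attribute names).
SAMPLE_ENTRIES = [
    {"uid": "jsmith", "displayName": "Jane Smith"},
    {"uid": "jnunez", "displayName": "José Núñez"},                  # non-ASCII value
    {"uid": "averyveryverylonguserid", "displayName": "Too Long"},   # > 20 chars
    {"uid": "bad uid", "displayName": "Space In Name"},             # not a valid principal
]


def ldif_attr(name, value):
    """RFC 2849: values that are not SAFE-STRING (non-ASCII, control chars,
    or a leading space, colon or '<') must be base64-encoded with '::'."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def shadow_account(entry):
    """LDIF add record for one shadow account; ValueError if the uid is unusable."""
    uid = entry["uid"]
    if not UID_RE.match(uid):
        raise ValueError(f"{uid!r} is not usable as sAMAccountName or principal")
    lines = [
        f"dn: CN={uid},{BASE_DN}",
        "changetype: add",
        "objectClass: user",
        ldif_attr("cn", uid),
        ldif_attr("sAMAccountName", uid),
        ldif_attr("displayName", entry["displayName"]),
        # Name mapping: a ticket for uid@BERKELEY.EDU issued by the MIT KDC
        # logs on to this account, so nobody manages an AD password for it.
        ldif_attr("altSecurityIdentities", f"Kerberos:{uid}@{REALM}"),
        # Created disabled: AD refuses to enable an account whose (empty)
        # password violates policy, and unicodePwd cannot be set over clear
        # LDAP. A later step sets a random password and clears the flag.
        f"userAccountControl: {NORMAL_ACCOUNT | ACCOUNT_DISABLE}",
    ]
    return "\n".join(lines) + "\n"


def build_ldif(entries):
    """Returns (ldif_text, skipped_uids); bad entries are reported, not silently dropped."""
    records, skipped = [], []
    for entry in entries:
        try:
            records.append(shadow_account(entry))
        except ValueError:
            skipped.append(entry["uid"])
    return "\n".join(records), skipped


if __name__ == "__main__":
    text, skipped = build_ldif(SAMPLE_ENTRIES)
    print(text)
    print("skipped:", skipped)
```

The output imports with `ldifde -i -f shadow.ldf`. Reporting skipped uids rather than dropping them matters for a directory feed: an entry that silently never becomes a shadow account shows up later as a user who cannot log on, with nothing in the sync log to explain why.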
Current/Future Users
• COIS joined as an OU
• HAAS joined the forest as the haas.uc.berkeley.edu domain
• IST-DOCS is investigating OU migration issues
• COE (Dean's Office) joined as an OU
• IEOR joined as an OU
• IIR joined as an OU
• IAS joined as an OU
• OE joined as an OU
• CCHEM joined as an OU
• CCS-SDA (HRMS) joined as an OU
• WSS-W&MF (Fall '02)
CalNet AD Future Directions
• Improve infrastructure for high availability: add DCs and an out-of-Evans KDC
• Add certificate authority services for secure traffic and EFS
• Integrate with the UCOP certificate initiative
• Add SmartCard support for secure machine access
• Add an administrative server for performance and security monitoring and tuning (IDS, firewalls)
• Add a file sharing server for roaming user profiles and data storage
• Testing IDS solutions for domain controllers
• Coordinate Microsoft training sessions for new administrators
• Establish minimum security standards for domain workstations

• Send comments to: [email protected]
How to join CalNetAD
• Check the website for more information: http://calnetad.berkeley.edu
• Schedule a meeting with the CalNetAD group
• Sign a CalNetAD SLA
• Join the CalNetAD Planning Committee
• Provide the DNS name of the first machine to join the new OU
• Provide the CalNet ID of the first OU admin
• Provide the name of an OU administrative mail list