Case Study of an Active Directory Deployment
8/4/2003 Copyright © 2003 The Regents of the University of California

Eric Chamberlain, CISSP
Presentation on the history and future of the Berkeley campus Active Directory deployment.

CalNetAD Services
http://calnetad.berkeley.edu
Centrally funded
Support for the domain controllers that run the forest
Computer resource management
Support for development and distribution of utility and administrative scripts

CalNetAD Services (continued)
Forum for discussion of Active Directory and security issues
Presentations about the CalNetAD service and related topics
Notice of important changes and scheduled maintenance
A service calendar which lists important events and milestones

Forest Information
Our size: 65,000 user accounts
23 units in OUs
3235 computers in the forest
Average of one unauthorized connection attempt per machine per hour

In the Beginning

Existing Infrastructure
Kerberos Realm (MIT Kerberos v5)
CalNet Directory Service (Sun/iPlanet LDAPv3)
DNS (BIND)
[Diagram: CalNet Directory Services (LDAP), DNS (BIND)* and CalNet Kerberos Authentication (MIT) sit on the Berkeley Network Infrastructure, serving campus computers and laptops.]
* BIND = Berkeley Internet Name Domain

Initial Concerns
Multiple forests
Burden on the DNS system
Multiple user IDs

Goals
CalNet ID will be used for Windows desktop login
CalNet Directory public information will be synchronized to AD
DNS namespace for AD will support DDNS
Minimal forests
Collaborative resource

Initial Team (1.8 FTE)
Central Computing Services (Lead): LDAP
System and Network Security: Kerberos
Workstation Support Services
Communications and Network Services: DNS
13-member advisory group

CalNetAD

Getting Started
Schedule a meeting with the CalNetAD project team.
Agree to the CalNetAD policies and complete a Service Level Agreement (SLA).
Provide the CalNetAD project team with the name of a mailing list of local administrators.
Provide the CalNetAD project team with the CalNet ID of the first administrator for the new OU.
Provide the CalNetAD project team with the DNS name of the first computer that will join the new OU.
Participate in the CalNetAD Planning Committee.

Joining as a Domain
Everyone wants to join as a domain at first
Strongly discouraged
Requires agreement to additional responsibilities and limitations:
  Creating subdomains is not allowed.
  At least two (2) Domain Controllers (DCs) are required for a domain.
  The domain controllers should be installed on appropriately configured, fault-tolerant server-class machines.
  OS patches, fixes, upgrades, etc. are expected to be applied in a timely fashion to maintain forest security and OS consistency among domain controllers.
  The DCs are expected to be in operation at all times except for scheduled maintenance.
  Keep servers in a locked, access-controlled room.

Joining as an Organizational Unit (OU)
Departments and units are encouraged to join the CalNetAD as an Organizational Unit (OU).
Control of an OU in the CalNetAD forest will be delegated to an OU administrator group who shall have the ability to manage users, computers, local security groups, and Group Policy Objects (GPOs).

OU Administrators
Must read and agree to the policies prior to being given an administrative account.
Any local administrator who creates an administrative account for another local administrator must make sure the new administrator has read and agreed to these policies.
All CalNetAD local administrators (or their proxy) are expected to participate in the CalNetAD Planning Committee and attend its meetings.

Standards

Naming Standards
Many departments and units, large and small
Most administrative responsibilities delegated to system administrators
Maintain an orderly forest, to ease recognition of forest resources, and to help avoid naming collisions.

Computer Names
xxx-rest_of_name (or) xxxrest_of_name
xxx: registered organization prefix, 2 or more characters in length.
rest_of_name: suffix chosen by the organization creating the computer.
Example: COIS-EXAMPLE123456789

User Account Names
The account name must be unique within the domain.
Shadow Account
  CalNetID. Example: [email protected]
Private Account
  Prefixed by bang (!) followed by the OU prefix and the user id.
  Bangs are not allowed in CalNetIDs, so these names will not conflict with Shadow Accounts that may be created in the future.
  Example: !OU-localname
  For compatibility with pre-Windows 2000 operating systems the account name is limited to 15 characters.

Security and Distribution Groups
ddd-group_name-tt
ddd: CalNetAD OU name
group_name: descriptive name which explains the purpose of the group
tt: type of group
  ls: domain local security
  gs: global security
  us: universal security
  ld: domain local distribution
  gd: global distribution
  ud: universal distribution
Example: COIS-OU Admins-gs

Group Policy Objects (GPOs)
Use a CalNetAD OU name as a prefix for all Group Policy names.
Example: "COIS staff policy" or "HAAS lab 300 policy"
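The four naming standards above (computer names, user account names, security and distribution groups, and GPO names) are the kind of rule an OU administrator would want checked before objects are created, since a name that violates them is hard to attribute and easy to collide with. The Python script below is an added example, not code from the presentation or the CalNetAD project: it encodes those rules as validators and runs them over a constructed batch of proposed names. The registered prefix set, the hostname character rule, and the hyphen between the bang-prefixed OU name and the local id are assumptions; the 15-character limit is the one the slide states.

```python
import re

# Registered organization (OU) prefixes. Constructed sample set: the real registry is
# kept by the CalNetAD project team and is not on the slides.
REGISTERED_PREFIXES = {"COIS", "HAAS", "IST"}
GROUP_TYPES = {"ls", "gs", "us", "ld", "gd", "ud"}   # tt suffixes from the slide
ACCOUNT_NAME_MAX = 15   # pre-Windows 2000 limit as stated on the slide

def _prefix_of(name, prefixes):
    """Longest registered prefix the name starts with (case-insensitive), or None."""
    hits = [p for p in prefixes if len(p) >= 2 and name.upper().startswith(p.upper())]
    return max(hits, key=len) if hits else None

def check_computer_name(name, prefixes=REGISTERED_PREFIXES):
    """Standard: <prefix>-<rest_of_name> or <prefix><rest_of_name>. Returns violations."""
    problems = []
    prefix = _prefix_of(name, prefixes)
    if prefix is None:
        problems.append("no registered organization prefix")
    elif not name[len(prefix):].lstrip("-"):
        problems.append("missing rest_of_name suffix")
    # Assumption: DNS host-name characters only (letters, digits, hyphen).
    if not re.fullmatch(r"[A-Za-z0-9-]+", name):
        problems.append("contains characters other than letters, digits and hyphen")
    return problems

def account_kind(name):
    """Shadow accounts carry the CalNetID; a leading bang marks a private (OU-local) account."""
    return "private" if name.startswith("!") else "shadow"

def check_user_account_name(name, prefixes=REGISTERED_PREFIXES):
    """Private accounts must be !<OU prefix>-<local id>; shadow accounts never contain a bang."""
    problems = []
    if len(name) > ACCOUNT_NAME_MAX:
        problems.append(f"longer than {ACCOUNT_NAME_MAX} characters")
    if account_kind(name) == "private":
        prefix, sep, local = name[1:].partition("-")   # assumption: hyphen separates OU and id
        if sep == "" or not local or prefix.upper() not in {p.upper() for p in prefixes}:
            problems.append("private account must be !<OU prefix>-<local id>")
    elif "!" in name:
        problems.append("bang (!) is reserved for private accounts; CalNetIDs never contain one")
    return problems

GROUP_RE = re.compile(r"^(?P<ou>[A-Za-z0-9]+)-(?P<name>.+)-(?P<type>[a-z]{2})$")

def check_group_name(name, prefixes=REGISTERED_PREFIXES):
    """Standard: <OU>-<group_name>-<tt> with tt one of ls/gs/us/ld/gd/ud."""
    m = GROUP_RE.match(name)
    if not m:
        return ["does not match <OU>-<group_name>-<tt>"]
    problems = []
    if m["ou"].upper() not in {p.upper() for p in prefixes}:
        problems.append(f"unknown OU prefix {m['ou']!r}")
    if m["type"] not in GROUP_TYPES:
        problems.append(f"unknown group type suffix {m['type']!r}")
    return problems

def check_gpo_name(name, prefixes=REGISTERED_PREFIXES):
    """Standard: Group Policy names begin with the CalNetAD OU name, e.g. 'COIS staff policy'."""
    first = name.split(" ", 1)[0]
    if first.upper() not in {p.upper() for p in prefixes}:
        return [f"GPO name must begin with a CalNetAD OU name, got {first!r}"]
    return []

def audit(objects, prefixes=REGISTERED_PREFIXES):
    """objects: iterable of (kind, name). Returns {name: [problems]} for names that fail."""
    checks = {"computer": check_computer_name, "user": check_user_account_name,
              "group": check_group_name, "gpo": check_gpo_name}
    report = {}
    for kind, name in objects:
        problems = checks[kind](name, prefixes)
        if problems:
            report[name] = problems
    return report

# Constructed batch of proposed names, as an OU admin might submit before creation.
PROPOSED = [("computer", "COIS-EXAMPLE123456789"), ("computer", "printer01"),
            ("user", "!COIS-jdoe"), ("user", "jd!oe"),
            ("group", "COIS-OU Admins-gs"), ("group", "COIS-OU Admins-xx"),
            ("gpo", "HAAS lab 300 policy"), ("gpo", "lab 300 policy")]

if __name__ == "__main__":
    for name, problems in audit(PROPOSED).items():
        print(f"{name!r}: {'; '.join(problems)}")
```

Run as a pre-creation gate, the script rejects four of the eight constructed names (the unprefixed printer, the shadow account containing a bang, the group with an unknown type suffix, and the GPO without an OU prefix) and accepts the slide's own examples unchanged.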

Authentication
Clear text is not allowed.
All accounts must have a robust password that meets certain basic requirements for strength, complexity and form.

Account Synchronization
Initially students are loaded into one OU.
  FERPA
  Registrar requirements
  Multiple units
Faculty, staff, and affiliate user accounts are loaded into departmental OUs.
Home department code from the Payroll Action Form (PAF) would be useful as the department designator to map to CalNetAD OUs.
Changes to the PAF Home Department Code would not be sufficient to cause an automatic move into or out of an OU without prior agreements from the involved parties.
Issues that need more discussion are dual appointments and account deletions.

About the Forest

Enterprise Administration Responsibilities
Install and maintain the Active Directory domain controllers.
On duty Monday-Friday, from 8 a.m. to 5 p.m.
Manage the flow of information from the CalNet Directory to CalNetAD.
Communicate all enterprise-wide changes to domain and OU administrators via the CalNetAD Change Management System.
Have administrator privileges on all domain controllers and OUs.
Assume a "hands-off" approach to local domain and OU administration.
The EA group is not responsible for the administration of local user accounts (other than providing shadow CalNet ID accounts).
Only when faced with an enterprise-wide emergency will an Enterprise Administrator take action at the domain or OU level.

Domain Modifications
Campus: The default number of workstations a domain user could add to the domain was changed from 10 to 0. Only administrators can add workstations to the domain.
UC: The domain ACLs have been modified to prevent users from viewing internal structure.
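The first change on this slide corresponds to the ms-DS-MachineAccountQuota attribute on the domain naming-context head, which Windows sets to 10 by default; a quota above 0 lets any authenticated user join machines they control to the domain, which is why a defender wants it verified on every domain in the forest, not just the one that was hardened. As an added example (not from the presentation), the Python script below audits an LDIF export of domain heads, such as one produced with ldifde, and reports any domain whose quota is not 0. The LDIF and its DNs are constructed placeholders. The ACL change on the same slide is a security-descriptor edit and is not covered here.

```python
import base64

def parse_ldif(text):
    """Minimal LDIF reader sufficient for ldifde output: one {attribute: [values]} dict per
    entry, unfolding continuation lines (leading space) and decoding '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    return entries

def machine_account_quota_findings(ldif_text, expected=0):
    """Return [(dn, quota)] for every domain head whose ms-DS-MachineAccountQuota differs
    from the expected value (0 means only administrators may join workstations)."""
    findings = []
    for entry in parse_ldif(ldif_text):
        values = entry.get("ms-DS-MachineAccountQuota")
        if values is None:
            continue                       # not a domain naming-context head
        quota = int(values[0])
        if quota != expected:
            findings.append((entry["dn"][0], quota))
    return findings

# Constructed LDIF with placeholder DNs, in the shape of
#   ldifde -f heads.ldf -d "DC=campus,DC=example" -p Base -l "ms-DS-MachineAccountQuota,description"
# run once per domain; the campus entry still shows the Windows default of 10.
SAMPLE_LDIF = """\
dn: DC=campus,DC=example
objectClass: domainDNS
displayName:: Q2FtcHVz
description: Campus domain head, expor
 ted for audit
ms-DS-MachineAccountQuota: 10

dn: DC=uc,DC=example
objectClass: domainDNS
ms-DS-MachineAccountQuota: 0
"""

if __name__ == "__main__":
    for dn, quota in machine_account_quota_findings(SAMPLE_LDIF):
        print(f"{dn}: ms-DS-MachineAccountQuota is {quota}, expected 0")
```

The check is deliberately narrow: it reads an export rather than binding to the directory, so it can run from a change-management workstation and be diffed over time, and a domain head that lacks the attribute entirely is skipped rather than reported.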

Software License Compliance
Participation in the CalNetAD forest does not entitle departments to licenses for operating systems or other software for departmental systems.
The CalNetAD service includes only licenses for software required to operate the CalNetAD forest and Domain Controllers.
Departments should ensure that systems participating in the CalNetAD forest are properly licensed for software running on their systems, including operating system or server software.

Network Services
Windows DNS Server Services
  Turn off DDNS registration.
  Computers must be registered in DNS to communicate properly.
DHCP services must be coordinated.
Internet Information Server (IIS)
Distributed File System (DFS)
Encrypted File Services (EFS)

Schema Changes
The schema defines objects and their associated attributes.
Changes to the schema affect Active Directory across the entire CalNetAD forest.
Schema changes will have to meet several requirements including privacy, appropriateness, and potential for conflict.
Schema changes will first be implemented and tested in the test environment.
After successful testing, normal change management procedures will be followed to move the schema change into production.
Changes to the production schema will only be implemented by IST during maintenance blocks following a prearranged notification with domain administrators.

Macintosh Integration
The Workstation & Microcomputer Facilities is currently testing the process of integrating OS X.
Due to the requirement of having a home directory for users, W&MF needed the flexibility of specifying this path on each computer.
Active Directory would have required the attribute to be the same for every single user on campus, which was not feasible.
Our solution has been to use iPlanet, where we could specify a specific attribute for just this purpose.
Even though we still have more testing to do, the results have been very positive thus far.

Timeline
Initial Production 3/2002
Final Production 8/2002

Production -7 Months
CalNetID (MIT Kerberos) for login
CalNet (LDAP) public information synchronized
DNS (BIND) namespace for DDNS
2 domains (empty root)
Consultant helped with hardware sizing
4 initial DCs ordered
Presented to e-Architecture Working Group
http://calnetad.berkeley.edu web site is set up with CalNetAD information

Production -5 Months
Design goals
  Support for single sign-on
  Interoperability (DNS, LDAP, Kerberos)
  Improve desktop security
  Opt-in model
Investigating how to synchronize LDAP and AD
Eric Chamberlain was hired as the Campus Active Directory Architect (2.3 FTE)
Presented to Administrative Systems Operations Committee
HAAS (Business School) joined as first major unit

Production -3 Months (Pilot Status)
Planning Committee meeting
8-5 M-F support
Security Subcommittee formed
Presented to the CalNet Steering Committee
Article published in the Berkeley Computing and Communications newsletter
Chancellor's Office and Departmental On-site Computing Support join

Production -2 Months (1/02)
Test environment set up
Establishing GPOs
Security Subcommittee meeting
  Require NTLMv2 or Kerberos
  Disable IIS
  Need for certificates
Future
  High availability
  Certificates
  Training for new administrators
Presented to the CalNet Working Committee
Presented to the Information Technology Architecture Committee

Production -1 Month (Pilot Status)
Preparing an out-of-data-center DC
Developed SLA
Present at the Internet2 Middleware Conference
Present to Micronet
Present to eBerkeley Implementation Task Force
Membership expands to 10 units

Production -1 Month (Pilot Status)
Security
  Site-wide GPOs
  Disable IIS services by default
  DC physical security
  Empty forest root domain
  Restricted number of Enterprise Administrator accounts
  SmartCard logon (future)
GPO
  Group Policies kept to a minimum
  Based on NSA recommendations and modified for UCB
  Disable IIS
  Require NTLMv2/Kerberos authentication

Initial Production
Service stable
Continue policy development
Planning Committee meeting
Develop OU Admin training materials
LDAP synchronization work
All of the GPO templates have been loaded into the test environment and tested.
Back-up, restore, and other disaster recovery procedures have been tested.
New CalNetAD members
  IST Operations (IST-OPS)
  Ocean Engineering Graduate Group (OE)
  Workstation Microcomputer Facilities (IST-WSS)
  Central Computing Services – Systems and Data Administration

Initial Production
Planned infrastructure improvements
  A new Dell 2550 server has been purchased to serve as a third domain controller for the CAMPUS domain.
Test machine
  The test machine (Dell 2550) and environment (VMware Server) is complete. VMs have been established for test versions of the KDC, DNS, and Active Directory domains and their controllers.
Trouble ticket reporting system and Change Management web site

Production +1 Month
Security Subcommittee meeting
  IPSEC
    IPSEC to secure communications between DCs
    IPSEC network cards in the DCs to off-load the IPSEC overhead from the CPUs
  IDS testing
  Certificate Services
    Units were interested in VPN support
    The CalNetAD team requested money for servers to support a central Microsoft Certificate Service.
    The CalNetAD team will be using the service for the Enterprise Admin smart cards as well as the IPSEC traffic between DCs.
Design CalNet synchronization

Production +3 Months (6/02)
Planning Committee meeting
e-Berkeley agreed to fund smart card research and a CalNetAD certificate server.
A third DC for the CAMPUS domain installed at Boalt
IPSec network cards installed in all of the Domain Controllers.
Hired Arden Pineda (3.3 FTE)
HAAS domain joined
CCHEM OU created
IIR OU created

Production +3 Months
Code CalNet synchronization
  Using a tool named MetaMerge to integrate the two directories.
  Tested adding the inetorgperson schema changes.
  The CalNet ID is used for most of the limited number of attributes that will initially be integrated between the two directories.
  Default OUs will be used for user accounts that have not already been created in CalNetAD.
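The placement rules spread across the Account Synchronization slide and this one (students in one OU; faculty, staff and affiliates mapped by PAF home department code; no automatic move without prior agreement; default OUs for accounts not already created; account deletion still undecided) can be expressed as a dry-run planner that says what a synchronization pass would do before it touches the directory. The Python below is an added example, not the MetaMerge configuration the team used: the OU distinguished names, the department-to-OU map and the sample records are constructed, and the reading that an existing account stays where an OU admin put it unless an explicit move agreement exists is the editor's interpretation of the slides.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed OU layout with placeholder DNs; the slides give the rules, not the real names.
STUDENT_OU = "OU=Students,DC=campus,DC=example"   # all students in one OU (FERPA, Registrar)
DEFAULT_OU = "OU=Default,DC=campus,DC=example"    # accounts with no agreed departmental mapping
DEPT_TO_OU = {                                    # PAF home department code -> OU (constructed)
    "CCHEM": "OU=CCHEM,DC=campus,DC=example",
    "IEOR": "OU=IEOR,DC=campus,DC=example",
}

@dataclass(frozen=True)
class CalNetEntry:
    """One record from the CalNet (LDAP) directory, reduced to what placement needs."""
    calnet_id: str
    affiliation: str                 # "student", "faculty", "staff" or "affiliate"
    home_dept: Optional[str] = None  # PAF Home Department Code, absent for students

@dataclass
class SyncPlan:
    create: dict = field(default_factory=dict)    # calnet_id -> OU to create the shadow account in
    move: dict = field(default_factory=dict)      # calnet_id -> (from OU, to OU), agreed moves only
    review: dict = field(default_factory=dict)    # calnet_id -> reason; needs a human decision
    unchanged: list = field(default_factory=list)

def target_ou(entry):
    """OU the CalNet record maps to under the slides' rules."""
    if entry.affiliation == "student":
        return STUDENT_OU
    return DEPT_TO_OU.get(entry.home_dept or "", DEFAULT_OU)

def plan_sync(calnet_entries, existing_accounts, move_agreements=frozenset()):
    """existing_accounts: calnet_id -> OU the account is currently in.
    move_agreements: set of (calnet_id, to_ou) pairs the involved parties have agreed to.
    Never deletes: accounts that vanished from CalNet are queued for review instead."""
    plan = SyncPlan()
    seen = set()
    for entry in calnet_entries:
        seen.add(entry.calnet_id)
        want = target_ou(entry)
        current = existing_accounts.get(entry.calnet_id)
        if current is None:
            plan.create[entry.calnet_id] = want
        elif current == want:
            plan.unchanged.append(entry.calnet_id)
        elif (entry.calnet_id, want) in move_agreements:
            plan.move[entry.calnet_id] = (current, want)
        else:
            # A changed PAF code alone is not sufficient to move the account.
            plan.review[entry.calnet_id] = f"PAF maps to {want} but account is in {current}; no move agreement"
    for calnet_id in existing_accounts:
        if calnet_id not in seen:
            plan.review[calnet_id] = "no longer in the CalNet directory; deletion policy undecided"
    return plan

# Constructed sample: a student, a chemist already placed, a staff member whose PAF code now
# points elsewhere, an affiliate with an unmapped department, and a stale AD account.
SAMPLE_ENTRIES = [
    CalNetEntry("s1", "student"),
    CalNetEntry("f1", "faculty", "CCHEM"),
    CalNetEntry("f2", "staff", "IEOR"),
    CalNetEntry("a1", "affiliate", "XYZ"),
]
SAMPLE_EXISTING = {
    "f1": "OU=CCHEM,DC=campus,DC=example",
    "f2": "OU=COE,DC=campus,DC=example",
    "old": "OU=Default,DC=campus,DC=example",
}

if __name__ == "__main__":
    plan = plan_sync(SAMPLE_ENTRIES, SAMPLE_EXISTING)
    print("create:", plan.create)
    print("move:", plan.move)
    print("review:", plan.review)
    print("unchanged:", plan.unchanged)
```

Because the planner is pure (no directory calls), the same function can be run against a full export before each production synchronization and its review list handed to the Planning Committee, which is where the slides say the dual-appointment and deletion questions still sit.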

Production +4 Months
Install Application Server
Install production MetaMerge environment
Test CalNet synchronization
Develop migration strategies and procedures
COEDEAN OU created
IEOR OU created
IAS OU created
47478/4/20038/4/2003 Copyright © 2003 The Regents of the UCopyright © 2003 The Regents of the University of Californianiversity of California
(Final) Production +5 Months
COE migration
Implement CalNet synchronization
Build Test Environment VM Library
Present to Letters and Science
Security Seminar
Business Services Presentation
Revise Web Site

Production +6 Months
COE migration
Planning Committee Meeting
Test certificate server (VMware)
Application Server

Production +7 Months
COE migration
IEOR migration
Install SP3
Document directory integration process

Production +8 Months
CalNetAD Intro Seminar
Teach new administrators basic OU management skills
Revise Design Documentation

Production +9 Months
Planning Committee meeting
Security Subcommittee
Windows Security Berkeley presentation to Micronet

Production +10 Months
LAW OU created
Microsoft discontinues free non-security hotfixes for Windows NT 4.0 Server

Production +1 Year
100% Uptime: no scheduled or unscheduled outages

Production +12 Months (3/03)
Planning Committee meeting
actdir06 added to the UC domain out of the data center
Present to Institute of Industrial Relations
Seminar on Enabling Loopback Processing

Production +14 Months
Security Subcommittee
IDS software
IPSec filters
SUS

Production +15 Months
LAW migration
Planning Committee meeting
CalNetPKI
Test Server 2003
Microsoft and CalNetAD discontinue support for Windows 98/98SE
Microsoft and CalNetAD discontinue support for Windows NT 4.0 Workstation

Production +17 Months (Present)
Microsoft sponsored Migrating to Server 2003 seminar

Production +18 Months
Planning Committee meeting

Production +22 Months (January)
Migrate DCs to Windows Server 2003

Future
Smart Card deployment
Certificate services
Web services
File storage
Check out Windows Sharepoint Services
Free with Server 2003

Questions
Eric Chamberlain, [email protected]
http://calnetad.berkeley.edu