Post on 10-Feb-2016
www.netdesk.com
Let’s Get It Together
The Statewide Active Directory Forest
Agenda
• Introduction
• Session Goal
• Statewide Forest Governance
• Designing Active Directory?
• Active Directory Technology
• Benefits of the Statewide Forest
• Joining The Forest
Todd Shelton
President, Netdesk Corporation
• Project Quality Assurance
• Single Sign-On proof of concept
About Netdesk
• Netdesk is the largest Microsoft technical trainer in the Northwest
• Netdesk specializes exclusively in Microsoft technology—systems and developer
• Netdesk carefully manages customer satisfaction to the highest levels
Session Goal
• To help you understand
  – What the statewide forest is
  – How decisions are made
  – How to use Active Directory
  – What you can get out of it
  – How to learn more or join
Project History
• Win2K converges network and data base
• LAN Managers group attempted to install in 1999 and was not successful.
• Appeal to CAB Infrastructure Subcommittee 1999
• CAB Pilot Winter 2000 recommended single forest for the state.
• Project Steering Committee formed - kickoff Fall 2000
• Project completion June 2001
CAB Forest Objectives
• Create a State Forest Win2k Server environment and install the statewide root for agencies who want to join.
• Implement the first version of the Active Directory.
• Provide a foundation to allow shared applications / data.
• Establish governing policies for the state forest.
• Implement Exchange 2000 (new objective)
Accomplishments
• Test Forest is up.
• Three agencies attached/Two ready to join.
• Pre-production Forest is up (L&I, DSHS are attached).
• Standards documentation developed.
• Ongoing governance model has been established.
• Website: http://sww.wa.gov/win2k/
Project To Date
• Broad participation.
• CAB authorized (not a DIS show).
• Not mandatory.
• Governance model in practice.
• Many applications coming.
• Preparation for Exchange 2000.
How does our project compare?
• Washington state is a national leader
• Governance model is unique and robust—didn’t come down “from the top”
• The project focuses on business results
• The quality is very high
• The project sees the future clearly
Forest Governance Model (organization chart): CAB; Agencies; Windows 2000 Steering Committee; DIS (Statewide Root Management); Forest Resource Group; Forest Application Developers
Win2k Steering Committee
• Participants: DSHS, ESD, DFI, GA, L&I, OFM, DOP, DIS, DOT, DOL
• Observers: LEG, ECY, DOR, DRS (new), EMD
• Chair: Phil Grigg
Forest Resource Group
• Responsible for network infrastructure, operations, and change management
• Interagency technical working group
• Developed the project documents
• Makes recommendations to the Steering Committee
• Chair: John Ditto
Forest Application Developers
• Two sets of responsibilities – Startup and Ongoing
• Define Active Directory strategic direction and recommend direction to the Windows 2000 Steering Committee in three areas:
  – Active Directory Schema
  – Application use of the Active Directory
  – Approval of applications that use Active Directory
• Chair: Gregg Arndt
DIS
• Executes decisions made by the Steering Committee
• Steering Committee records are incorporated into the DIS service level agreement
• Operates the root domain structure
• DIS does NOT make forest decisions (but DIS sits on the Steering Committee)
Forest Root Service Level Agreement (SLA)
• Forest Root Responsibilities
  – Implement Steering Committee Policy
  – Hardware and Software for the Root Domain
  – 99.9% availability in Production Environment
  – Pre-production and Rip & Tear Environment
  – Follow Change Control Processes
  – Root administration
  – Provides Problem Management
  – Contracts Vendor Technical Support 7/24/365
What is Active Directory?
• A scalable (millions + objects) shared, replicated database of user and other information
• A partial copy lives on every domain controller
• Active Directory manages authentication and access control
• It’s built into the operating system! (no extra charge)
Active Directory Design
• What are your business goals?
  – Reduce the number of domain admins
  – Move password resets from the help desk
  – Reduce physical visits to workstations
  – Build a more responsive infrastructure
• What are you trying to accomplish administratively?
• What administrative distinctions are you making?
• What “things” are administratively distinct?
Active Directory Design
• Group like “things” together, separate distinct ones using Active Directory containers
• Container objects are administrative boundaries
  – Forest
  – Site
  – Domain
  – Organizational Unit
  – Group
Active Directory Design
• Manipulate these containers of “things” using
  – Inheritance
  – Group Policy
  – Active Directory Permissions
Active Directory Design
• Use containers and the three ways you can manipulate them to
  – Delegate administration
  – Safely share users and resources (applications)
  – Get IT out of administration and into managing a secure, available, responsive infrastructure
Is AD important to business?
• Policy-based network configuration (more responsive network)
• Shared identity information—built in user directory
• Delegated administration—change how you think about IT administration
• Platform for applications
Why the State Forest?
• Become part of the community of practice
• Take advantage of the money and blood others have spent
• Take advantage of other agencies’ user accounts
• Take better advantage of other agencies’ resources (the single sign-on)
Statewide Forest Benefits
• It’s far cheaper than doing it by yourself
• Policy-driven configuration management
• New administration possibilities
  – Delegated administration
• New application possibilities
  – Like Single Sign-On
Single Sign-On: The Problem
• Users remember too many passwords
• Developers manage authentication and access control
• Help desks interact with too many systems
• Managers can’t set enterprise-wide access control policies
Understanding Single Sign On
• User Management
  – Authentication
  – Identity
• Applications are Resources
  – But most also need their own user management
• Shared or Distributed Administration
  – It’s critical: Single Sign On won’t work without it
What Are The Benefits?
• For Users:
  – One password to remember
• For Developers
  – No more (or at least reduced) user management
• For Infrastructure Administrators (Help Desk)
  – Much less work dealing with passwords
• For Policy Makers
  – A Practical Policy-Managed Compute Environment
The Problem
• We have a user-based security model
• We need a resource-based security model
• (Thanks to John Ditto for saying this so well!)
The Single Sign-On Challenge
• “Administrative Trust” must exist between data owners and users.
• Then we can use Active Directory to make administration easier.
• This model is already in place with OFM’s agency delegate for financial systems
Windows 2000 Forest and Trusted Domains (diagram)
• Users authenticate to Windows 2000.
• Applications: Regular App; Secure App; Highly Secure App (possibly with separate authentication); Mainframe and Legacy Applications reached through a Logon Assist Module.
• Trusted agency domains, each with a Regular and a Secure group: SAO\Regular, SAO\Secure; DOT\Regular, DOT\Secure; L&I\Regular, L&I\Secure.
• Shared groups built from the agency groups:
  – Regular\Users = L&I\Regular, DOT\Regular, SAO\Regular
  – Secure\Users = L&I\Secure, DOT\Secure, SAO\Secure
  – Highly Secure\Users = Dennis Jones, Mike McVicker, Shelagh Taylor (individual accounts)
• Shared, Trusted Group Administration Processes: the Agency that owns the Secure Application delegates a trusted “Security Administrator” at the user Agency who controls the membership in the Secure group.
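The shared, trusted group model in the diagram above, together with the delegated administration the design slides call for, as an added example in modern PowerShell using the ActiveDirectory module; this is not code from the presentation or the project, and the domain names, OU path and account names are placeholders.

```powershell
# Added example (modern PowerShell, ActiveDirectory module), not code from the
# presentation or the project. Domain names, OU and account names are placeholders.
Import-Module ActiveDirectory

# 1. Resource groups in the owning agency's domain. The Secure App's ACLs are
#    granted to these groups, never to individual users or to agency groups.
$OwnerOU = 'OU=SecureApp,DC=owner,DC=example,DC=gov'      # placeholder
foreach ($tier in 'Regular', 'Secure') {
    New-ADGroup -Name "${tier}-Users" -Path $OwnerOU -GroupScope DomainLocal `
        -GroupCategory Security -Description "Resource group: $tier access to the Secure App"
}

# 2. Account groups (L&I\Regular, DOT\Secure, ...) are created and owned by each
#    user agency in its own domain; the owner only nests them into its resource groups.
$AgencyDomains = @{ 'L&I' = 'lni.example.gov'; 'DOT' = 'dot.example.gov'; 'SAO' = 'sao.example.gov' }
foreach ($domain in $AgencyDomains.Values) {
    foreach ($tier in 'Regular', 'Secure') {
        $agencyGroup = Get-ADGroup -Identity $tier -Server $domain
        Add-ADGroupMember -Identity "${tier}-Users" -Members $agencyGroup
    }
}

# 3. Delegation: the agency's designated Security Administrator may change only the
#    'member' attribute of that agency's Secure group and nothing else on the object.
function Grant-MembershipDelegation {
    param(
        [string]$GroupDN,                               # e.g. CN=Secure,OU=Groups,DC=dot,...
        [System.Security.Principal.NTAccount]$Trustee   # e.g. 'DOT\SecurityAdmin'
    )
    # Look up the schemaIDGUID of 'member' from the schema instead of hard-coding it.
    $schemaNC   = (Get-ADRootDSE).schemaNamingContext
    $memberGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=member)' `
                     -Properties schemaIDGUID).schemaIDGUID
    $sid = $Trustee.Translate([System.Security.Principal.SecurityIdentifier])
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $memberGuid)
    $acl = Get-Acl -Path "AD:\$GroupDN"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$GroupDN" -AclObject $acl
}

# Run in the user agency's domain (the AD: drive binds to the current domain):
Grant-MembershipDelegation -GroupDN 'CN=Secure,OU=Groups,DC=dot,DC=example,DC=gov' `
                           -Trustee 'DOT\SecurityAdmin'
```

Because the application trusts only the resource groups, the Security Administrator can add or remove agency users without holding any rights on the application, the resource groups or other agencies' groups.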
Single Sign-On Prototype
• Validate the concept of using the Windows 2000 security for single sign-on to a non-compliant application.
• Assess feasibility of using a logon assist module.
• Validate web application compatibility with Windows 2000 security.
• Project Manager: Allen Schmidt, OFM
Benefits of the Statewide Forest
• Active Directory shares identity information statewide for free.
• Benefits include cheaper IT administration, delegation, and application development
• Joining the forest is cheaper and easier than going it alone
• Build the enterprise community
Joining the Forest
• Review the web site!
• Especially study these documents:
  – Agency Join Requirements
  – Naming Conventions and Standards
  – Root Domain Requirements
• Get trained
• Get involved: Steering Committee and working groups
How To Join
• Preparation
• Check sheet
• Co-operation/ Letter of Intent
• Rules of the environment
• Change Management
• Issue Escalation
• Service Level Agreement
• Agency Welcome Kit - in progress
Summary
• CAB-approved, interagency project
• All decisions are made through the interagency Steering Committee
• Active Directory shares user and other information automatically
• Much of the work is already done (you don’t have to pay for it!)
• To join, visit the web site
Thank you!
• Contacts
  – Phil Grigg - Chair, Windows 2000 Steering Committee: (360) 902-7452, Email: PGrigg@ga.wa.gov
  – Gregg Arndt - Chair, Forest Application Developers: (360) 664-6418, Email: GreggA@dop.wa.gov
  – Allen Schmidt - Project Manager, Single Sign-On Prototype: (360) 725-5272, Email: Allen.Schmidt@ofm.wa.gov
  – John Ditto - Chair, Forest Resource Group: (360) 902-0349, Email: ditto@dis.wa.gov (in the GAL)
  – Bob Deshaye - Service Level Agreements: (360) 902-3336, Email: BobD@dis.wa.gov (in the GAL)
  – Todd Shelton - Netdesk Corporation: (206) 224-7690, Email: Todd.Shelton@netdesk.com