BUILDING A NEW ACTIVE DIRECTORY Smita Carneiro, GCWN Active Directory Systems engineer Purdue University
BACKGROUND STORY Current one built in 2004 Custom engineered IDM (ACMaint) system provisions AD Some colleges have their own AD to fit their own needs Support for AD: Exchange Windows Server IAMO 2008 R2 Server OS, Domain and Forest functional level domains with some resources in both.lcl name
CURRENT LOGICAL STRUCTURE –Departments »Department 1000 Users Computers Groups Printers Servers Non-University Employees »Department 1001 Users Computers Groups Printers Servers Non-University Employees
ABSOLUTE NECESSITIES Dedicated project manager Sponsorship and buy in from management Budget dollars
START WITH A HEALTHY DOSE OF DISCOVERY Met with different stakeholders across campus and heard their concerns. 3 main groups: Infrastructure groups Current customers Prospective customers
STAKEHOLDERS CONCERNS Users spread out in different OUs makes it difficult for distributed IT Staff Faculty with dual appointments cannot get support easily from both departments Some departments have split support No separate admin groups for student workers Infrastructure has servers within regular structure, so block inheritance used for GPOs DDNS and workstation certificates restricted to some computers only
IAMO CONCERNS Password policy not enforced for all users No control over membership of Advanced OU Admins group for each department Advanced OU Admins have total control over user objects Too many non-person accounts, no accountability No differentiation between non-ACMainted person and service account
IAMO CONCERNS - CONTINUED Users and computers spread out, cannot apply security GPO in times of emergency w/o applying to entire domain No central group to decide/advise on changes made to whole directory Test Domain not really used
STARTED THE PLANNING PROCESS Talked to vendors, starting with Microsoft Bought Active Roles Server (ARS) Bought Dell Migration Manager (DMM) Hired a consultant to do a discovery process Came up with a single domain design
BUILDING PROCESS Built a test domain, used ARS Simple structure Default location for computers and user changed Used ARS to arrange objects
MANAGED UNITS
VALIDATION OF PROTOTYPE Formed a working group with just a few stakeholders Tested and gave feedback Made changes based on testing results Then built production
ADMINISTRATIVE ACCOUNTS No old administrative accounts, users have to request one Initially created paper forms, now electronic Admin group created for each support group, membership controlled by IAMO
STAKEHOLDERS CONCERNS Users being spread out – addressed by using MUs Easier to apply GPOs with new OU for computers Granular support for users using virtual attribute DDNS and workstation certificates available for all computers
IAMO CONCERNS User sprawl controlled– IAMO alone can create user, service accounts IAMO controls membership of Admin groups Virtual attribute created to denote service accounts Password policy now enforced, with the help of Fine Grained Password Policies Separate OU for Infrastructure Default OU for computers and users now, not a container
IAMO CONCERNS Started up a central AD Influence group
CAN I HAVE FRIES WITH THAT ? Additional attributes now populated: Unix UID, GID populated by central provisioning system Phone number format change PUID provisioned and put into confidential attribute
ADDITIONAL FEATURES ADDED Kerberos armoring enabled Use of gMSAs encouraged Enterprise Admin accounts marked ‘Sensitive account, cannot delegate’
CHALLENGES WE FACED Resources stretched thin both at central group and distributed IT Other urgent projects like LCR, PKI replacement Had to use Blue Cat DNS ARS learning curve, had to create documentation and training IDM’s AD provisioning component had to be rewritten
END OF STORY?
NEXT CHAPTER IN THE STORY Migrations are to start soon Preparation work, migrating users, groups, dual-acling Isilon, migrating workstations, training distributed IT personnel Unsupported departments Maintaining 2 production environments until old is gone
WAS IT WORTH IT?