WIN.MIT.EDU Update

Agenda
- Where are we today
- Related services
- Changes since last year
- Upcoming enhancements
- New initiatives
Where are we today
- Domain has been running since 2001, single forest model
  - Initially, with the release of Windows 2000 Active Directory, Microsoft recommended the use of a dedicated forest root domain; MIT did not follow this model and deployed a single forest model.
  - A number of years later Microsoft retracted the dedicated forest root model in favor of the single forest model.
  - MIT was able to address the security concerns the dedicated root model was intended to provide while avoiding security issues found in some multi-domain models.
- Integration with MIT Kerberos, single sign-on
  - User accounts are mapped to MIT Kerberos principals
  - Cross-realm tickets are copied from the MS LSA cache at logon to the MIT Kerberos cache in Kerberos for Windows
  - Requirement to have a host SPN record in the mit.edu namespace
Where are we today: Container Management ("Islands of Control")
- Departments can administer their workstations and servers independently, almost as if they were running a separate domain
- Seamless ability to share resources with other departments
- Departments control machines and access to their resources instead of the users directly
- Domain Administrators can be removed from the Administrators group on all workstations and servers
- Container Administrators have the ability to override default domain group policy settings
- Containers have ACLs in Moira defining who may administer them, with auto-creation of groups used to set ACLs on machine accounts within their containers
Where are we today: Integration with Moira
- Users: centralized identity management; OU admins manage groups
- Groups: manage access to resources via group memberships
- Computers: the host record in Moira is for OU mapping, not DNS dependent
- Container Hierarchy: computer to OU mapping
  - Preserves OU assignment across OS reinstalls or hardware replacement
  - No need to pre-stage computer objects in Active Directory
- Password synchronization from MIT Kerberos
  - Implemented in 2010 for Secure MIT WiFi authentication
- MITnet DNS
  - No need to run Microsoft-specific DNS services
  - Active Directory does not record the address of client computers
  - Domain controller DNS records are stored in a separate DNS subdomain, win.mit.edu
Where are we today: Moira "Incremental"
- The Moira incremental update is used to keep the WIN.MIT.EDU domain synchronized to the Moira database.
- The Moira incremental will create and maintain the following in Active Directory:
  - User accounts (MIT Kerberos IDs, i.e. principals) and profile options
  - Account status changes such as activation/deactivation
  - Lists and groups with their memberships
  - Container hierarchy
- When relevant changes to users, groups and containers are made in Moira, the incremental is triggered and the change is propagated to Active Directory.
- The Moira incremental distinguishes between lists and groups when propagating them to Active Directory:
  - Lists = Distribution groups
  - Groups = Security groups
- Do not write directly to AD to create domain groups or security descriptors
  - The data may be overwritten
  - Make these changes in Moira
  - Local groups can be managed directly via Windows
WIN.MIT.EDU Architecture (diagram): components shown are the Moira Populator, MIT Kerberos KDCs, WIN.MIT.EDU DCs, MITnet DNS, Data Warehouse and DFS Storage; the flows between them are labelled "Query" and "Data Feed".
Where are we today
- Original design similar to the Athena model, except that containers are more of a bare-bones "build your own"
  - The Athena model was a standard configuration and software set, while the WIN domain provides a baseline framework and then allows OU admins to modify computer policies and software distribution
  - The WIN domain also provides support for hosting departmental servers in dedicated server OUs, with the ability to configure server-specific policies
- User home directories
  - Home directories in DFS with Previous Versions support
  - Users' files are available via multiple computers
  - Users' files and some applications are available via Citrix, including support for tablets such as iPad
Where are we today: DFS Previous Versions
- Uses VSS (Windows Server shadow copy services) for user home directories
- Point-in-time copies of files: view, copy or restore files and folders as they existed at points of time in the past
- Recover files that were accidentally deleted or overwritten
- Compare versions of a file while working
- Self-service file restore capability for the end user
- Snapshots are made every day at 4 AM
- Versions of up to 64 days are available
- Shadow copies are read-only; you cannot edit the contents of a shadow copy
Related services
- WAUS (Windows Automated Updated Services)
  - In service since 2004
  - MIT repository for patching of Microsoft products
  - Allows testing of new updates before release to the community
- Citrix
  - Virtual application delivery to cross-platform clients, in service since 2003
  - XenApp Server 6, with support for mobile devices such as iPads
- KMS
  - In service since 2007
  - Campus-wide activation of Windows OS and Office products
- PCI: McAfee ePO (Enterprise Policy Orchestrator)
  - Compliant environment for merchant systems
  - In service since 2009
- Terminal Server Licensing
  - RDP CAL licensing for Terminal Server and Citrix
- Casper: Mac management
Changes implemented since last year
- Sophos Antivirus replaced McAfee Antivirus
  - Deployed by default in WIN.MIT.EDU last summer
  - Opt-out is available per container as a group policy setting
  - McAfee VirusScan no longer deployed (except for PCI)
  - Sophos installer does not uninstall Microsoft Security Essentials
- Retired package deployments
  - Kerberos for Windows 3.2.2 (opt-in only)
  - Kerberos for Windows 4.x available via new deployment services
- New handling of SPN management
  - New populator code will no longer remove win.mit.edu SPNs and then add mit.edu SPNs; it will keep the win.mit.edu records and add mit.edu records
  - Occasionally, some Windows 7 and 2008 computers required SPNs in both namespaces
  - The mit.edu SPNs are required for cross-realm authentication
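The SPN behaviour described above, as an added PowerShell example that is not IS&T's populator code: for one computer object it derives the mit.edu twin of every win.mit.edu SPN and adds only the missing ones, never removing the win.mit.edu records. It assumes the RSAT ActiveDirectory module and write access to the object; the computer name used is a constructed placeholder.

```powershell
# Added example, not IS&T's populator code: audit one computer object's SPNs and
# add the mit.edu counterpart of every win.mit.edu SPN without removing anything.
# Assumes the RSAT ActiveDirectory module and write access to the object;
# the computer name passed in is a constructed placeholder.
Import-Module ActiveDirectory

function Add-MitEduSpn {
    param(
        [Parameter(Mandatory)][string]$ComputerName,  # sAMAccountName without the trailing $
        [switch]$WhatIf                               # report only, change nothing
    )
    $c = Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName
    $existing = @($c.servicePrincipalName)

    # Mirror the new populator behaviour: keep win.mit.edu SPNs, add mit.edu twins.
    $missing = foreach ($spn in $existing) {
        if ($spn -match '\.win\.mit\.edu$') {
            $twin = $spn -replace '\.win\.mit\.edu$', '.mit.edu'
            if ($existing -notcontains $twin) { $twin }
        }
    }
    if (-not $missing) {
        Write-Output "${ComputerName}: SPNs already present in both namespaces"
        return
    }
    foreach ($spn in $missing) {
        # A duplicate SPN anywhere in the forest breaks Kerberos for both hosts,
        # so refuse to add one that is already registered on another object.
        $dup = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
        if ($dup) {
            Write-Warning "$spn is already registered on $($dup.DistinguishedName); skipping"
            continue
        }
        Set-ADComputer -Identity $c -Add @{ servicePrincipalName = $spn } -WhatIf:$WhatIf
        Write-Output "${ComputerName}: added $spn"
    }
}

# Constructed example host; run with -WhatIf first to preview the change.
Add-MitEduSpn -ComputerName 'EXAMPLE-PC01' -WhatIf
```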
Changes implemented since last year
- WSUS (MIT WAUS) backend is now Server 2012 R2
- LDAPS support for Active Directory
  - Support for clients using an encrypted LDAP query over port 636
- Internet Explorer 10 for Windows 7
- LiteTouch support for Windows 8.1
- Deployment (opt-in) for Office 2013
- Retirement of Office 2007
- Windows XP retired. This time for real!
  - Windows XP was de-supported by IS&T last summer
  - This summer, bootstrapping support of new machines and legacy group policy settings for Windows XP are being retired
  - No new security patches issued for Windows XP by Microsoft
  - Retired student Windows XP download
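A client-side check for the LDAPS support listed above, added here as an example and not an IS&T tool: it binds to a domain controller over port 636 with TLS from the first byte, leaves certificate validation on so an untrusted DC certificate fails rather than being silently accepted, and reads the root DSE to prove the session works. The server name is a constructed placeholder for a real win.mit.edu DC.

```powershell
# Added example, not an IS&T tool: confirm a domain controller accepts an
# encrypted LDAP bind on port 636 with a certificate the client trusts.
# The server name used below is a constructed placeholder for a win.mit.edu DC.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true   # TLS from the first byte (LDAPS), not StartTLS
    $conn.SessionOptions.ProtocolVersion  = 3
    # Certificate validation stays at its default (on): an untrusted or
    # name-mismatched DC certificate fails the bind instead of being accepted.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try {
        $conn.Bind()   # uses the caller's Kerberos credentials
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $null, '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base,
            [string[]]'defaultNamingContext')
        $res = $conn.SendRequest($req)
        $nc  = $res.Entries[0].Attributes['defaultNamingContext'].GetValues([string])[0]
        [pscustomobject]@{ Server = $Server; Port = $Port; Encrypted = $true; NamingContext = $nc }
    } catch {
        Write-Warning "LDAPS bind to ${Server}:$Port failed: $($_.Exception.Message)"
        [pscustomobject]@{ Server = $Server; Port = $Port; Encrypted = $false; NamingContext = $null }
    } finally {
        $conn.Dispose()
    }
}

Test-LdapsBind -Server 'dc-example.win.mit.edu'
```

A result with Encrypted = $false and a warning about the certificate chain means the client does not trust the DC certificate, which is the case to fix before pointing any application at port 636.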
Changes implemented since last year: Hybrid Container Mapping model
- New version of the IS&T populator application supports a hybrid container model
- Container administrators can choose between traditional Moira-based computer management or using Microsoft tools
- Computer objects not defined in Moira can be pre-staged in the target OU and then joined to AD; this allows placement of the object in the target OU
- Computers not mapped in Moira or pre-staged will show up in the Computers OU when first joined to AD
- Existing computers are no longer moved to the Orphans OU if their Moira mapping is deleted
- Moira mappings aren't going away now; they will still work for those using them
- The wince.mit.edu opt-in interface can only be used for computers with Moira mappings
- Orphans container retired. The new populator code will have support to either turn it back on at a later date or define a new default container.
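The two Microsoft-tools paths above (pre-staging an object in the target OU, and machines that were neither mapped nor pre-staged landing in the Computers container), as an added PowerShell example that is not the IS&T populator. The OU path and hostname are constructed placeholders; the RSAT ActiveDirectory module and rights on the target OU are assumed.

```powershell
# Added example, not the IS&T populator: pre-stage a computer object in its
# target OU so the machine lands there at join time, and list machines that
# were joined without a Moira mapping or pre-staged object and so fell into the
# default Computers container. OU path and hostname are constructed placeholders.
Import-Module ActiveDirectory

function New-PrestagedComputer {
    param(
        [Parameter(Mandatory)][string]$Name,      # NetBIOS name, 15 characters max
        [Parameter(Mandatory)][string]$TargetOU   # DN of the container the admin controls
    )
    if (Get-ADComputer -Filter "Name -eq '$Name'") {
        throw "$Name already exists in AD; reuse or remove that object rather than creating a second one"
    }
    # Enabled so the join can take ownership of the account; DNSHostName is not
    # set here because the domain join populates it from the machine itself.
    New-ADComputer -Name $Name -SamAccountName "$Name`$" -Path $TargetOU -Enabled $true -PassThru
}

function Get-UnplacedComputer {
    param([int]$OlderThanDays = 7)
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    # ComputersContainer is the default landing zone for unmapped, un-staged joins;
    # anything still there after a week needs a mapping or a manual move.
    Get-ADComputer -SearchBase (Get-ADDomain).ComputersContainer -SearchScope OneLevel `
                   -Filter * -Properties whenCreated |
        Where-Object { $_.whenCreated -lt $cutoff } |
        Select-Object Name, whenCreated, DistinguishedName
}

# Constructed placeholders for the department OU and the new machine.
New-PrestagedComputer -Name 'EXAMPLE-PC02' -TargetOU 'OU=Workstations,OU=ExampleDept,DC=win,DC=mit,DC=edu'
Get-UnplacedComputer -OlderThanDays 7
```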
Upcoming enhancements
- UAC
  - The UAC had previously been set to off in order to address KfW compatibility issues. Windows 8 requires the UAC to be on to run most Metro apps. We will be turning on the UAC for Metro app support.
- BitLocker/MDOP
  - Evaluate as an alternative to PGP
  - Integration with SCCM or Sophos SafeGuard for key escrow and reporting
- Mirror-distrib (local script and utility cache)
  - Removed Perl dependency in the bootstrapping process
  - With the retirement of XP, Perl scripts are being migrated to PowerShell
- Internet Explorer 11
  - IE 11 is currently in the testing phase
- PCI 3.0
  - This summer PCI systems will support the PCI 3.0 spec
- Support for Windows 8.1
Upcoming enhancements
- Windows 8.1 and laptop support
  - Opt-in to laptop policy on wince.mit.edu
  - Still some issues with tablets that cannot be joined via a wired connection
  - Evaluating the compatibility of GP-based wireless policies with our RADIUS Wi-Fi authentication, to support computer-object-based authentication for domain computers
  - Disable IPv6 on the Cisco VPN interface
- Phase out of Server 2003
  - No domain infrastructure still runs on 2003, but we encourage all departments to move off this platform within the year
- Retirement of the following packages from wince opt-ins
  - Identity Finder
  - TSM backup client
  - Kerberos for Windows 3.2.2 opt-in
Upcoming enhancements: SCCM (System Center Configuration Manager)
- Centrally available instance of SCCM 2012 R2
- SCCM schema additions to AD
- Agent opt-in per container via win.mit.edu group policy settings
- Management console available via Citrix
- OU delegation available on request
- Reporting Services available via console or web interface
- Software deployment, including self-service via the local agent interface
SCCM Self-Service
- Software can be installed by the user via the self-service interface within the client and does not require local administrator privileges
SCCM Support
- Deployment support available via the DITR team
- OU delegation available on request
- Collections restricted to your own OU
- Learning from Emory's experience