1 BUILDING A NEW ACTIVE DIRECTORY
Smita Carneiro, GCWN, Active Directory Systems Engineer, Purdue University

2 BACKGROUND STORY
- Current one built in 2004
- Custom-engineered IDM (ACMaint) system provisions AD
- Some colleges have their own AD to fit their own needs
- Support for AD: Exchange, Windows Server, IAMO
- 2008 R2 server OS; domain and forest functional level 2003
- 2 domains with some resources in both
- .lcl name

3 CURRENT LOGICAL STRUCTURE
- Departments
  - Department 1000: Users, Computers, Groups, Printers, Servers, Non-University Employees
  - Department 1001: Users, Computers, Groups, Printers, Servers, Non-University Employees

4 ABSOLUTE NECESSITIES
- Dedicated project manager
- Sponsorship and buy-in from management
- Budget dollars

5 START WITH A HEALTHY DOSE OF DISCOVERY
Met with different stakeholders across campus and heard their concerns. 3 main groups:
- Infrastructure groups
- Current customers
- Prospective customers

6 STAKEHOLDERS' CONCERNS
- Users spread out in different OUs makes it difficult for distributed IT staff
- Faculty with dual appointments cannot get support easily from both departments
- Some departments have split support
- No separate admin groups for student workers
- Infrastructure has servers within the regular structure, so block inheritance is used for GPOs
- DDNS and workstation certificates restricted to some computers only

7 IAMO CONCERNS
- Password policy not enforced for all users
- No control over membership of the Advanced OU Admins group for each department
- Advanced OU Admins have total control over user objects
- Too many non-person accounts, no accountability
- No differentiation between a non-ACMainted person account and a service account

8 IAMO CONCERNS - CONTINUED
- Users and computers spread out; cannot apply a security GPO in times of emergency without applying it to the entire domain
- No central group to decide/advise on changes made to the whole directory
- Test domain not really used

9

10 STARTED THE PLANNING PROCESS
- Talked to vendors, starting with Microsoft
- Bought Active Roles Server (ARS)
- Bought Dell Migration Manager (DMM)
- Hired a consultant to do a discovery process
- Came up with a single-domain design

11 BUILDING PROCESS
- Built a test domain, used ARS
- Simple structure
- Default location for computers and users changed
- Used ARS to arrange objects

12 MANAGED UNITS

13 VALIDATION OF PROTOTYPE
- Formed a working group with just a few stakeholders
- Tested and gave feedback
- Made changes based on testing results
- Then built production

14 ADMINISTRATIVE ACCOUNTS
- No old administrative accounts; users have to request one
- Initially created paper forms, now electronic
- Admin group created for each support group, membership controlled by IAMO

15 STAKEHOLDERS' CONCERNS
- Users being spread out: addressed by using MUs
- Easier to apply GPOs with a new OU for computers
- Granular support for users using a virtual attribute
- DDNS and workstation certificates available for all computers

16 IAMO CONCERNS
- User sprawl controlled: IAMO alone can create user and service accounts
- IAMO controls membership of Admin groups
- Virtual attribute created to denote service accounts
- Password policy now enforced, with the help of Fine Grained Password Policies
- Separate OU for Infrastructure
- Default OU for computers and users now, not a container

17 IAMO CONCERNS
- Started up a central AD Influence group

18 CAN I HAVE FRIES WITH THAT?
Additional attributes now populated:
- Unix UID and GID populated by the central provisioning system
- Phone number format change
- PUID provisioned and put into a confidential attribute

19 ADDITIONAL FEATURES ADDED
- Kerberos armoring enabled
- Use of gMSAs encouraged
- Enterprise Admin accounts marked 'Sensitive account, cannot delegate'
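Slides 16 and 19 list controls without showing how they are applied. The script below is an added example, not from the presentation or Purdue's environment: it uses the ActiveDirectory module to redirect the default user and computer containers to real OUs, attach a Fine Grained Password Policy to the service-account group, and set the "cannot delegate" flag on Enterprise Admins, then reports any admin still missing it. The OU paths, group names and policy values are constructed placeholders.

```powershell
# Added example: OU paths, group name and policy values are assumed placeholders.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$usersOu  = "OU=Users,OU=Managed,$domainDn"      # assumed default OU for new users
$compOu   = "OU=Computers,OU=Managed,$domainDn"  # assumed default OU for new computers
$svcGroup = 'Service Accounts'                   # assumed group holding service accounts

# Slide 16: new user and computer objects land in a real OU, not the default
# CN=Users / CN=Computers containers, so baseline GPOs apply from day one.
redirusr.exe $usersOu
redircmp.exe $compOu

# Slide 16: a Fine Grained Password Policy that overrides the domain default
# for members of the service-account group only (lower precedence wins).
$fgppName = 'PSO-ServiceAccounts'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$fgppName'")) {
    New-ADFineGrainedPasswordPolicy -Name $fgppName -Precedence 10 `
        -MinPasswordLength 25 -ComplexityEnabled $true `
        -PasswordHistoryCount 24 -MaxPasswordAge (New-TimeSpan -Days 365) `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity $fgppName -Subjects $svcGroup

# Slide 19: every user in Enterprise Admins gets "Account is sensitive and cannot
# be delegated", so a compromised service cannot reuse their Kerberos identity.
Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Set-ADUser -Identity $_.DistinguishedName -AccountNotDelegated $true }

# Verification: any Enterprise Admin still delegatable is a finding to review.
function Get-DelegatableEnterpriseAdmin {
    Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties AccountNotDelegated } |
        Where-Object { -not $_.AccountNotDelegated } |
        Select-Object SamAccountName, DistinguishedName
}
Get-DelegatableEnterpriseAdmin
```

Run it on a domain controller or a host with RSAT as an account allowed to modify the policy container and the admin accounts; Kerberos armoring and gMSA creation from the same slide are Group Policy and KDS root key changes that this script does not cover.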

20 CHALLENGES WE FACED
- Resources stretched thin both at the central group and in distributed IT
- Other urgent projects like LCR and PKI replacement
- Had to use BlueCat DNS
- ARS learning curve; had to create documentation and training
- IDM's AD provisioning component had to be rewritten

21 END OF STORY?

22 NEXT CHAPTER IN THE STORY
- Migrations are to start soon
- Preparation work: migrating users and groups, dual-ACLing Isilon, migrating workstations, training distributed IT personnel
- Unsupported departments
- Maintaining 2 production environments until the old one is gone

23 WAS IT WORTH IT?
