Published by Claire Osborne. Modified over 6 years ago.
WIN.MIT.EDU Update
- Where are we today
- Related services
- Changes since last year
- Upcoming enhancements
- New initiatives
- Discussion
Where are we today
- Domain has been running since 2001, single forest model
  - Initially, with the release of Windows 2000 Active Directory, Microsoft recommended the use of a dedicated forest root domain; MIT did not follow this model and deployed a single forest model.
  - A number of years later Microsoft retracted the dedicated forest root model in favor of the single forest model.
  - MIT was able to meet the security goals the dedicated root model was intended to provide while avoiding security issues found in some multi-domain models.
- Integration with MIT Kerberos, single sign-on
  - User accounts are mapped to MIT Kerberos principals
  - Cross-realm tickets are copied from the MS LSA cache at logon to the MIT Kerberos cache in Kerberos for Windows
  - Requirement to have a host SPN record in the mit.edu namespace
Where are we today: Integration with Moira
- Users: centralized identity management; OU admins manage groups
- Groups: manage access to resources via group memberships
- Computers: host record in Moira is for OU mapping, not DNS dependent
- Container hierarchy: computer to OU mapping
  - Preserves OU assignment across OS reinstalls or hardware replacement
  - No need to pre-stage computer objects in Active Directory
- Password synchronization from MIT Kerberos
  - Implemented in 2010 for Secure MIT WiFi authentication
- MITnet DNS
  - No need to run Microsoft-specific DNS services
  - Active Directory does not record the address of client computers
  - Domain controller DNS records are stored in a separate DNS subdomain, win.mit.edu
Where are we today
- Original design similar to the Athena model, except that containers are more of a bare-bones, build-your-own model
  - The Athena model was a standard configuration and software set, while the WIN domain provides a baseline framework and then allows OU admins to modify computer policies and software distribution
  - The WIN domain also provides support for hosting departmental servers in dedicated server OUs, with the ability to configure server-specific policies
- User home directories
  - Home directories in DFS with Previous Versions support
  - Users' files are available via multiple computers
  - Users' files and some applications are available via Citrix, including support for tablets such as iPad
Related services
- WAUS – Windows Automated Update Services, since 2004
  - MIT repository for patching of Microsoft products
  - Allows testing of new updates before release to the community
- Citrix: virtual application delivery to cross-platform clients, since 2003
  - XenApp Server 6 on Server 2008 R2
  - Support for mobile devices such as iPads
- KMS: in service since 2007
  - Campus-wide activation of Windows OS and Office products
- PCI: McAfee ePO (Enterprise Policy Orchestrator)
  - Compliant environment for merchant systems
  - In service since 2009
- Terminal Server Licensing: RDP CAL licensing for Terminal Server and Citrix
- Casper – Mac management
Changes implemented since last year
- Active Directory: upgraded to 2008 R2
  - Windows 8 and Server 2012 support
- Retirement of the following package deployments (software is still on DFS but not deployed):
  - Moira snap-in: the Moira MMC snap-in is no longer deployed
  - Lpng (Kerberos printing client)
  - LogonBefore: network provider library no longer deployed
  - Hesiod MSI: now part of mirror-distrib
  - Selfmaint: native Microsoft GP-based task scheduler recommended
  - AFS opt-in: IS&T is no longer supporting OpenAFS for Windows
  - Locker service: Office 2003, Office 2007
Changes implemented since last year (cont.)
- Package upgrades
  - Perl: 5.10 domain wide, no longer an opt-in
  - Kerberos for Windows: domain wide, no longer an opt-in; 4.0 is completing testing and planning of deployment
  - Mirror-distrib (local script and utility cache): now used to deploy Moira command line clients, including Hesiod
- Retirement of tempjoin and Selfmaint services
- Retirement of Windows XP!
- Retirement of old Citrix farm (new farm is XenApp 6)
- New Moira command line clients with Kerberos 5 support
- PXE: LiteTouch deployment
  - Ability to pick software bundles and automatic joining to AD
Upcoming enhancements
- New hybrid container mapping model
  - New version of the IS&T populator application will support a hybrid container model
  - Container administrators will be able to choose between traditional Moira-based computer management or using Microsoft tools
  - Computers not mapped in Moira will show up in the Computers OU when first joined to AD and will have to be moved by the container administrator to their container
  - Existing computers in another container will not be moved to the Orphans or Computers OU if their Moira mapping is deleted
  - Moira mappings aren't going away now; they will still work for those using them
  - The wince.mit.edu opt-in interface can only be used for computers with Moira mappings
  - Orphans container retired. The new populator code will have support to either turn it back on at a later date or define a new default container.
Upcoming enhancements
- New handling of SPN management
  - New populator code will no longer remove win.mit.edu SPNs and then add mit.edu SPNs. It will keep the win.mit.edu records and add mit.edu records.
  - Occasionally, some Windows 7 and 2008 computers required SPNs in both namespaces.
  - The mit.edu SPNs are required for cross-realm authentication
- Windows 8
  - The UAC is off in order to address some KfW compatibility issues. Windows 8 requires the UAC to be on to run most Metro apps.
  - New default domain user profile based on Windows 8
- Perl retirement: with the retirement of XP, Perl scripts will be migrated to PowerShell or WSH
- Sophos Antivirus and HIPS
  - An opt-in available via GPO settings end of June
  - Full deployment in July; retirement of McAfee except for PCI
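As an added example (not the populator's own code) of the add-without-remove SPN rule above, together with the mit.edu host SPN requirement from the Kerberos integration slide: a PowerShell check that computes which mit.edu HOST/ records a computer lacks and adds only those, leaving win.mit.edu records in place. It assumes the ActiveDirectory module; the exact SPN set, the host name ws-example and the duplicate-SPN check are assumptions, not taken from the deck.

```powershell
# Added example, not IS&T populator code. Assumes the ActiveDirectory module and that a
# domain-joined host should carry HOST/ SPNs for its short name and for BOTH namespaces.
function Get-MissingMitEduSpns {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # short host name, e.g. ws-example
        [string[]]$ExistingSpns = @()                  # current servicePrincipalName values
    )
    $short  = $ComputerName.ToLower()
    $wanted = @("HOST/$short", "HOST/$short.win.mit.edu", "HOST/$short.mit.edu")
    # SPN comparison is case-insensitive, so normalise before diffing
    $have = @($ExistingSpns | ForEach-Object { $_.ToLower() })
    return @($wanted | Where-Object { $have -notcontains $_.ToLower() })
}

function Add-MitEduSpns {
    param([Parameter(Mandatory)][string]$ComputerName, [switch]$WhatIf)
    $comp    = Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName
    $missing = Get-MissingMitEduSpns -ComputerName $ComputerName -ExistingSpns $comp.servicePrincipalName
    if ($missing.Count -eq 0) { return }
    foreach ($spn in $missing) {
        # An SPN registered on a second account leaves the KDC unable to pick the right key;
        # refuse to create a duplicate rather than break authentication for both hosts.
        $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
        if ($owner -and $owner.DistinguishedName -ne $comp.DistinguishedName) {
            throw "$spn is already registered on $($owner.DistinguishedName)"
        }
    }
    # Add only: Replace would drop the win.mit.edu records the deck says must be kept
    Set-ADComputer -Identity $comp -ServicePrincipalNames @{ Add = $missing } -WhatIf:$WhatIf
}

# Offline check with a constructed SPN list (no directory needed): only the mit.edu record is missing
$constructed = @('HOST/WS-EXAMPLE', 'HOST/ws-example.win.mit.edu')
Get-MissingMitEduSpns -ComputerName 'ws-example' -ExistingSpns $constructed
```

Run Add-MitEduSpns with -WhatIf first against a few hosts to see which records would be added before letting it write to the directory.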
New initiatives
- Microsoft ADFS (AD Federation Services)
  - Enhance integration with other MIT systems or providers such as Touchstone or Office 365
- Enhanced identity management
  - More flexible model allowing a range of identity types
- BitLocker/MDOP
  - Evaluate as alternative to PGP
- Microsoft AD LDS integration
  - Run your own Windows-based LDAP instance
  - Import Active Directory data
- Office 365
  - Evaluate viability of Office 365 services for the MIT environment
  - Hybrid AD model with possible Touchstone integration
  - Initial focus on basic SharePoint services
Discussion
- What are your comments and questions regarding current features and how they can be improved?
- What would be the impact of the suggested future enhancements and changes on how you use the WIN domain?
- What would be on your wish list for features and/or changes?