Active Directory

Date post: 22-Feb-2016
Page 1: Active Directory

ACTIVE DIRECTORY Redesign

Metropolitan State College of Denver, Division of Information Technology

Page 2: Active Directory

HOW DID WE GET HERE?

Page 3: Active Directory

OPERATING SYSTEMS SUPPORTED OVER THE LAST 13 YEARS

Novell Netware
Banyan Vines
Windows Server 3.11
Windows Server 4.0
Windows Server 2000 (Active Directory)
Windows Server 2003 (Active Directory)

Page 4: Active Directory

WHY WAS THE PROJECT INITIATED?

To enhance and secure all objects within Active Directory, for ease of management and support.

Page 5: Active Directory

MAJOR ISSUES ADDRESSED

Separate the Admin1 and Academic domains: students should not be accessing services from Admin1.

Create internal DNS services: our current DNS services should remain external; the new DNS services will be for internal use only.

Organize the OU structure: role-based security.

Page 6: Active Directory

WHAT DOES OUR CURRENT ENVIRONMENT LOOK LIKE?

Page 7: Active Directory

CURRENT WINDOWS INFRASTRUCTURE

We have a single forest with two domains.

[Diagram] Three sites, Auraria Campus, South Campus and North Campus, each hosting ADMIN1 and ACADEMIC, with intersite replication between the campuses.

Domains: Academic.winad.mscd.edu (forest root) and Admin1.winad.mscd.edu, linked by an intraforest implicit 2-way domain-wide trust.

Page 8: Active Directory

WHAT ARE THE ISSUES WITH THE CURRENT DESIGN?

Implicit and mandatory 2-way domain trust: Admin1 and Academic are members of the same forest.

All users are considered trusted by the forest model.

Students and faculty could access resources (printers, file shares, etc.) if left with the default security.

Users from either domain can become members of security groups.
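An added audit script, not from the presentation, that checks the last two issues above: it lists the security groups in each of the two domains from slide 7 whose members come from the other domain. The domain names are taken from the slides; it assumes the ActiveDirectory PowerShell module and an account that can read both domains.

```powershell
# Added example (not part of the original presentation).
Import-Module ActiveDirectory

# Both domains of the existing single forest, as named on slide 7.
$Domains = @('admin1.winad.mscd.edu', 'academic.winad.mscd.edu')

function Get-CrossDomainGroupMembers {
    param(
        [Parameter(Mandatory)] [string] $GroupDomain,   # domain whose groups are audited
        [Parameter(Mandatory)] [string] $OtherDomain    # domain whose principals should not appear
    )
    $otherDn = (Get-ADDomain -Server $OtherDomain).DistinguishedName

    # Security groups only; distribution groups grant no access.
    Get-ADGroup -Server $GroupDomain -Filter 'GroupCategory -eq "Security"' -Properties member |
        ForEach-Object {
            $group = $_
            # 'member' holds distinguished names, so a member from the other
            # domain is recognisable by its DN suffix without resolving each
            # object across the domain boundary.
            $foreign = @($group.member | Where-Object { $_ -like "*$otherDn" })
            if ($foreign.Count -gt 0) {
                [pscustomobject]@{
                    Domain         = $GroupDomain
                    Group          = $group.SamAccountName
                    ForeignMembers = $foreign
                }
            }
        }
}

# Run the audit in both directions and print a table a reviewer can act on.
$findings = foreach ($d in $Domains) {
    $other = $Domains | Where-Object { $_ -ne $d }
    Get-CrossDomainGroupMembers -GroupDomain $d -OtherDomain $other
}
$findings |
    Select-Object Domain, Group, @{ n = 'ForeignMembers'; e = { $_.ForeignMembers -join '; ' } } |
    Format-Table -AutoSize
```

Only domain local and universal groups can hold members from the other domain, so an empty result for global groups is expected rather than a sign the audit missed something.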

Page 9: Active Directory

EXISTING RESOURCE MODEL

[Diagram] Admin1.winad.mscd.edu: Admin1 File Server, Admin1 User, Admin1 Group, Admin1 Print Queue, Admin1 VPN Server, Admin1 Citrix Server.

Academic.winad.mscd.edu: Academic File Server, Academic User, Academic Group, Academic Print Queue, SCOBS Citrix Server.

Workstations: Admin1 Workstation (shown twice in the diagram).

The two domains are linked by an intraforest implicit 2-way domain-wide trust.

Page 10: Active Directory

EXISTING SECURITY MODEL

[Diagram] Admin1.winad.mscd.edu: Admin1 File Server, Admin1 User, Admin1 Group.

Academic.winad.mscd.edu: Academic File Server, Academic User, Academic Group.

Page 11: Active Directory

WHERE ARE WE GOING FROM HERE?

Page 12: Active Directory

PROPOSED DESIGN

Building three new forests of single domains:

Administrators and staff will be members of the administrative domain.

Faculty and students will be members of the student domain.

Server-based services will be contained in the services domain.

Page 13: Active Directory

PROPOSED DESIGN STRUCTURE

[Diagram] Forests: Admin.mscd.edu, Services.mscd.edu and Students.mscd.edu.

Three sites, Auraria Campus, South Campus and North Campus, each hosting ADMIN, STUDENTS and SERVICES, with intersite replication between the campuses.

Trusts: a cross-forest 2-way selective trust between Admin.mscd.edu and Services.mscd.edu, a cross-forest 2-way selective trust between Students.mscd.edu and Services.mscd.edu, and a cross-forest 1-way selective trust (for administration).

Page 14: Active Directory

PROPOSED RESOURCE MODEL

[Diagram] Admin.mscd.edu: Admin User, Admin Group, FacStaff Workstation.

Students.winad.mscd.edu: Students User, Students Group, Students Workstation.

Services.winad.mscd.edu: Services File Server, Services VPN Server, Services Citrix Server, Services Print Queue, Services Group.

Trusts: two cross-forest 2-way selective trusts (each user forest with Services) and a cross-forest 1-way selective trust (for administration).

Page 15: Active Directory

ORGANIZATION UNIT MODEL

[Diagram] Shared Services in Services.mscd.edu, divided into three OUs:

Admin Access Only: Group Policy Object granting the "Allowed to Authenticate" right to the Admin "Domain Users" group (Admin Server).

Admin and Student Access: Group Policy Object granting the "Allowed to Authenticate" right to the Admin and Students "Domain Users" groups (Shared Server).

Student Access Only: Group Policy Object granting the "Allowed to Authenticate" right to the Students "Domain Users" group (Students Server).

Access to each server is then controlled through Resource Security Groups (a Resource Group per resource).
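As an added example (not part of the presentation), the following PowerShell shows the two controls the proposed design relies on: confirming that the trust with a user forest is selective, and granting the "Allowed to Authenticate" right on a server's computer object to that forest's "Domain Users" group. It sets the right directly on the object's ACL rather than through a GPO, assumes the ActiveDirectory module, and the server and group names are placeholders.

```powershell
# Added example, not from the presentation. Placeholder names are marked.
Import-Module ActiveDirectory

$TrustedForest = 'students.mscd.edu'       # user forest named on slide 13
$ServerName    = 'SHAREDSRV01'             # placeholder: a server in the Shared Services OUs
$GroupName     = 'STUDENTS\Domain Users'   # placeholder NetBIOS form of the trusted forest's group

# 1. The design only works if the trust is selective. With forest-wide
#    authentication every user in the trusted forest is treated as an
#    authenticated user on every server here, which is the single-forest
#    problem the redesign is meant to remove.
$trust = Get-ADTrust -Filter "Name -eq '$TrustedForest'"
if (-not $trust -or -not $trust.SelectiveAuthentication) {
    throw "Trust with $TrustedForest is missing or not selective; fix that before granting access."
}

# 2. Resolve the server's computer object and the trusted group's SID.
$computer = Get-ADComputer -Identity $ServerName
$account  = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $GroupName
$sid      = $account.Translate([System.Security.Principal.SecurityIdentifier])

# 3. Build an ACE for the Allowed-to-Authenticate extended right
#    (schema rightsGuid 68b1d179-0d15-4d4f-ab71-46152e79a7bc).
$allowedToAuth = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$ruleArgs = @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuth
)
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs

# 4. Apply the ACE through the AD: drive that the module provides.
$path = "AD:\$($computer.DistinguishedName)"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# 5. Read back who is now allowed to authenticate to this server.
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $allowedToAuth -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

Step 5 is the check worth repeating after migration: any principal listed there that is not one of the three "Domain Users" groups from the OU model is a deviation from the design.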

Page 16: Active Directory

WHAT’S LEFT TO DO?

Test environment = Completed
Build Production environment = Working on
Test
Create Migration Plan: User/Group migration, Printing, File Sharing, Workstation SIDs, Citrix
Test
Create schedule for departmental move
Implementation

Page 17: Active Directory

Thank You
