ACTIVE DIRECTORY Redesign
Metropolitan State College of Denver, Division of Information Technology
HOW DID WE GET HERE?
OPERATING SYSTEMS SUPPORTED OVER THE LAST 13 YEARS
Novell Netware
Banyan Vines
Windows Server 3.11
Windows Server 4.0
Windows Server 2000 (Active Directory)
Windows Server 2003 (Active Directory)
REASONS WHY THE PROJECT WAS INITIATED
To enhance and secure all objects within Active Directory for ease of management and support.
MAJOR ISSUES ADDRESSED
Separate Admin1 and Academic domains: students should not be accessing services from Admin1.
Create internal DNS services: our current DNS services should remain external; the new DNS services will be for internal use only.
Organize the OU structure: role based security.
WHAT DOES OUR CURRENT ENVIRONMENT LOOK LIKE?
CURRENT WINDOWS INFRASTRUCTURE
We have a single forest with two domains:
Academic.winad.mscd.edu (Forest Root)
Admin1.winad.mscd.edu
Intraforest Implicit 2-way Domain Wide Trust between the two domains.
Sites: Auraria Campus, South Campus and North Campus. Both ADMIN1 and ACADEMIC are present at each site and the sites are connected by intersite replication.
WHAT ARE THE ISSUES WITH THE CURRENT DESIGN?
Implicit and mandatory 2-way domain trust: Admin1 and Academic are members of the same forest.
All users are considered trusted by the forest model, so students and faculty could access resources (printers, file shares, etc.) if left with the default security.
Users from either domain can become members of security groups.
EXISTING RESOURCE MODEL
Admin1.winad.mscd.edu: Admin1 File Server, Admin1 User, Admin1 Group, Admin1 Print Queue, Admin1 VPN Server, Admin1 Citrix Server, Admin1 Workstation
Academic.winad.mscd.edu: Academic File Server, Academic User, Academic Group, Academic Print Queue, SCOBS Citrix Server
Intraforest Implicit 2-way Domain Wide Trust between the two domains.
EXISTING SECURITY MODEL
Admin1.winad.mscd.edu: Admin1 File Server, Admin1 User, Admin1 Group
Academic.winad.mscd.edu: Academic File Server, Academic User, Academic Group
WHERE ARE WE GOING FROM HERE?
PROPOSED DESIGN
Building three new forests of single domains:
Administrators and staff will be members of the administrative domain.
Faculty and students will be members of the student domain.
Server based services will be contained in the services domain.
PROPOSED DESIGN STRUCTURE
Three forests: Admin.mscd.edu (ADMIN), Services.mscd.edu (SERVICES) and Students.mscd.edu (STUDENTS).
Cross-Forest 2-way Selective Trust: Admin with Services.
Cross-Forest 2-way Selective Trust: Students with Services.
Cross-Forest 1-way Selective Trust (For Administration).
Sites: Auraria Campus, South Campus and North Campus. ADMIN, SERVICES and STUDENTS are present at each site and the sites are connected by intersite replication.
PROPOSED RESOURCE MODEL
Admin.mscd.edu: Admin User, Admin Group, FacStaff Workstation
Students.winad.mscd.edu: Students User, Students Group, Students Workstation
Services.winad.mscd.edu: Services File Server, Services VPN Server, Services Citrix Server, Services Print Queue, Services Group
Cross-Forest 2-way Selective Trusts: Admin with Services, Students with Services.
Cross-Forest 1-way Selective Trust (for Administration).
ORGANIZATION UNIT MODEL
Shared Services: Services.mscd.edu
OU "Admin Access Only": Group Policy Object granting the “Allowed to Authenticate” right to the Admin “Domain Users” group. Contains: Admin Server.
OU "Admin and Student Access": Group Policy Object granting the “Allowed to Authenticate” right to the Admin and Students “Domain Users” groups. Contains: Shared Server.
OU "Student Access Only": Group Policy Object granting the “Allowed to Authenticate” right to the Students “Domain Users” group. Contains: Students Server.
OU "Resource Security Groups": Contains: Resource Group.
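With selective authentication enabled on the cross-forest trusts, only identities that hold the “Allowed to Authenticate” right on a computer object can log on to that server, so the OU model above is only as tight as those grants. The following audit script is an added example, not part of the MSCD presentation; it assumes the RSAT ActiveDirectory module (which provides the AD: drive), a domain-joined host in the Services forest, and placeholder OU and group names that must be adjusted to the real environment.

```powershell
# Added example (not from the presentation): list which identities hold the
# "Allowed to Authenticate" extended right on computer objects under one OU,
# and flag any identity outside the groups the OU model intends.
# Selective authentication itself is switched on per trust, on the trusting side, e.g.
#   netdom trust services.mscd.edu /Domain:admin.mscd.edu /SelectiveAuth:Yes
Import-Module ActiveDirectory

# Rights-GUID of the Allowed-To-Authenticate extended right (fixed schema value)
$AllowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Get-AllowedToAuthenticateGrants {
    param(
        # Placeholder DN; replace with the real "Admin Access Only" OU in Services
        [string]$SearchBase = 'OU=Admin Access Only,DC=services,DC=mscd,DC=edu'
    )
    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        $computer = $_
        $acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)
        foreach ($ace in $acl.Access) {
            # Only explicit Allow ACEs for this specific extended right are reported;
            # a broad GenericAll grant would also confer it and deserves its own review.
            $isExtended = $ace.ActiveDirectoryRights.HasFlag(
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
            if ($ace.AccessControlType -eq 'Allow' -and $isExtended -and
                $ace.ObjectType -eq $AllowedToAuthenticate) {
                [pscustomobject]@{
                    Computer  = $computer.Name
                    Identity  = $ace.IdentityReference.Value
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Constructed expectation for the "Admin Access Only" OU: only the Admin forest's
# Domain Users group should appear. For the shared OU add 'STUDENTS\Domain Users'.
$expected = @('ADMIN\Domain Users')

Get-AllowedToAuthenticateGrants |
    Where-Object { $_.Identity -notin $expected } |
    Format-Table -AutoSize
```

Run it against each of the three access OUs after the GPO-based grants are applied; an empty result means no unexpected identity can authenticate to the servers in that OU.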
WHAT’S LEFT TO DO?
Test environment = Completed
Build Production environment = Working on
Test
Create Migration Plan: User/Group migration, Printing, File Sharing, Workstation SIDs, Citrix
Test
Create schedule for departmental move
Implementation
Thank You