Colorado State University’s Active Directory Environment
Presented by the ACNS Windows Group

Windows Administrators Advisory Group Meeting
Feb 22 2011

“The State of the Forest”

Get-PresentationAgenda

•Background on current state of AD Forest
•Active Directory Basics
•AD Site status
•Diagram of Active Directory
•Process and data replication
•eID -> AD provisioning process
•GAL Population

•Please ask questions at any time

History of AD at CSU (ColoState.EDU)

• Windows 2000 Implementation committee chose public DNS namespace for forest root.

• ColoState.EDU consisted of one site (Default-First-Site-Name) for some time.

• “Business” site added a few years later to help with problems implementing MOM.

• “Denver Center” site came (and went).

• “eFort” site created to support systems at state DR facility in Denver.

• “CSURoot” site recently added to fix Exchange GC and DC selection issues.

Active Directory Incidents

•Over the years, many one-off errors replicating with various DCs across campus.

•Summer 2010 – Exchange outage for a few hours due to unexplained behavior related to Business site.

•Summer 2010 – Various replication issues manifested as inability to view info in AD Sites and Services from Server 2008 systems.

Active Directory Basics

•A Forest is a complete instance of the Active Directory database

•A Domain is a “partition” of the AD database which contains objects (users, computers, GPOs, groups, OUs, etc.) local to an administrative unit

•The Forest contains a number of partitions, including individual domains, System, Configuration, Schema, DNS data, application data, etc.

Active Directory Basics

•Domain Controller

▫A Windows server that hosts a single domain’s directory partition, plus schema and configuration partitions for the entire forest

▫A DC performs authentications only for the domain to which it belongs

•Global Catalog

▫A Domain Controller that hosts all data a DC stores, in addition to a partial, read-only replica of every other domain partition in the forest

•Every GC is a DC, but not all DCs are GCs

What are Active Directory Sites?

•AD Sites represent the physical structure (topology) of the underlying network

•Sites…

▫Facilitate efficient directory replication
▫Aid in the Windows authentication process
▫Allow clients to locate nearest server providers

•Sites are defined by IP subnets

•Sites are logical boundaries used extensively by Microsoft Exchange services

Status of Active Directory Sites

•Four AD Sites are defined today

▫Default-First-Site-Name – ~90% of forest domain controllers live here

▫CSURoot – ACNS managed central site for Exchange

▫Business – Maintained by College of Business for Exchange

▫eFort – State of Colorado disaster recovery datacenter in Denver; ACNS DC and DNS servers are located here

AD Sites in the COLOSTATE Forest

•The following diagram illustrates the AD Sites currently defined in COLOSTATE.

•Note that we have also noted the datacenter location where key servers are hosted, in addition to showing the AD Domain to which these key servers are joined.

Diagrams of Active Directory

•The following picture was generated by the Microsoft AD Topology Diagrammer

•This represents the COLOSTATE root domain, the 34 child domains, and 92 domain controllers

Diagrams of Active Directory

•The following picture was also generated by the Microsoft AD Topology Diagrammer

•This is a different view of our AD Site environment, showing all servers in each site (regardless of domain)

•This picture also shows the inter-site replication links between all domain controllers in the forest (not all DCs replicate across site boundaries)

Additional AD Details

•Currently there are 34 child domains consisting of 92 domain controllers

▫Two domains have only one domain controller – a non-optimal configuration

•Currently there are 30 Global Catalog servers

•DC version breakdown:

▫21 DCs running Windows Server 2003
▫12 DCs running Windows Server 2008
▫59 DCs running Windows Server 2008 R2

eID to Active Directory

•Process managed by ACNS Windows Group

•Entire Process written in PowerShell

▫Windows PowerShell ISE
▫Microsoft.Exchange.Management.PowerShell.E2010 (Microsoft)
▫ActiveDirectory Module (Microsoft)
▫Custom Modules created by CSU

eID to Active Directory Updates

•Single updates initiated by actions at eID

▫Password changes
▫Update to E-mail settings

•Recently Updated eIDs Synced Nightly

▫Monday through Friday
▫Sync all records changed in the last 3 days

•Full eID -> AD Sync on Weekends

▫Jobs run on Saturday and Sunday mornings

GAL Population

•eID -> AD Process Populates the GAL

•eID Users in the GAL

▫eIDs with Central Exchange Mailboxes
▫Primary eIDs that do not have a Central Exchange Mailbox set to MailUser RecipientType

•Other Objects in the GAL

▫Central Exchange Resources (DLs, Rooms, etc.)
▫Business Exchange Users and Resources

GAL User Examples

•Central Exchange User:

▫Baatz, Lance

•Primary eID set as MailUser:

▫Tomlin, Mike (EID)

•Associate eIDs (by default appear as eID):

▫bcowher

•Person with Central Exchange and Business Account (dual entries appear in the GAL):

▫Noll, Chuck
▫Noll, Chuck

Deprovisioning

•Faculty, Staff, and Associate eIDs (eID -> AD)

▫Disabled 30 days after status is updated in HR

•Student eIDs (eID -> AD)

▫Disabled 1 year after status is updated in Banner

•Exchange Mailboxes (Separate process)

▫Mailboxes removed 45 days after eligibility is lost
▫Notifications are sent starting at day 15 (approx)
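The deprovisioning windows above, encoded as a PowerShell policy check. This is an added example, not CSU's eID -> AD code or its custom modules; the record layout (eID, Type, StatusChanged, HasMailbox) and the sample data are constructed assumptions, and in production the Disable decision would feed Disable-ADAccount from the ActiveDirectory module.

```powershell
# Added example (not CSU's code). Grace periods from the slides:
# faculty/staff/associate eIDs are disabled 30 days after the HR status change,
# student eIDs 1 year after the Banner status change; mailboxes (separate process)
# get notices from day 15 and are removed at day 45 after eligibility is lost.
function Get-DeprovisioningActions {
    param(
        [Parameter(Mandatory)] [object[]] $Records,   # assumed record layout, see below
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($r in $Records) {
        $graceDays = switch ($r.Type) {
            'Faculty'   { 30 }
            'Staff'     { 30 }
            'Associate' { 30 }
            'Student'   { 365 }
            default     { throw "Unknown eID type '$($r.Type)' for $($r.eID)" }
        }
        $daysSince = [math]::Floor(($AsOf - $r.StatusChanged).TotalDays)
        $account   = if ($daysSince -ge $graceDays) { 'Disable' } else { 'Wait' }

        # Mailbox lifecycle runs on its own clock, independent of the account grace period
        $mailbox = if (-not $r.HasMailbox)  { 'None' }
                   elseif ($daysSince -ge 45) { 'Remove' }
                   elseif ($daysSince -ge 15) { 'Notify' }
                   else                       { 'Keep' }

        [pscustomobject]@{
            eID           = $r.eID
            Type          = $r.Type
            DaysSince     = $daysSince
            AccountAction = $account
            MailboxAction = $mailbox
        }
    }
}

# Constructed sample records, pinned to a fixed date so the result is reproducible
$today  = Get-Date '2011-02-22'
$sample = @(
    [pscustomobject]@{ eID='staff01'; Type='Staff';     StatusChanged=$today.AddDays(-31);  HasMailbox=$true  }
    [pscustomobject]@{ eID='stud01';  Type='Student';   StatusChanged=$today.AddDays(-200); HasMailbox=$true  }
    [pscustomobject]@{ eID='assoc01'; Type='Associate'; StatusChanged=$today.AddDays(-16);  HasMailbox=$false }
)
Get-DeprovisioningActions -Records $sample -AsOf $today | Format-Table -AutoSize
```

Run it as a report first; only once the output matches the expected HR/Banner state should the Disable rows be piped into Disable-ADAccount.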

Questions?
