Track 4, Session 7: Moving from one theater to the next using EDS. PURPOSE: This session will provide vision, strategy and direction on EDS across the enterprise and its integral relationship with Net-Centric Enterprise Services (NCES). The intent of this session is provide and update to EDS-Lite, EDS-Provisioning Service and overview of EDS relationship to Joint directory services (JEDS).OBJECTIVES: By the end of this session you will be able to:
1. Rule:
Follow the exact same format in this slide template.
Indicate your rank/title, first, last name, office symbol, AKO email address, office phone number.
3. EDS Vision
5. EDS-Lite - Background Requirement: The EDS-Lite requirement originated from the multi-forest implementation of Active Directory (AD) and Exchange 2003, which left each forest with a Global Address List (GAL) containing only its own users.
Function: EDS-Lite consolidates and correlates identity data from the AD forests, Army Knowledge Online (AKO), and the Global Directory Service (GDS) to create a Unified Army Global Address List (UAG), with the consolidated data written back into each forest’s directory.
This allows Exchange 2003 users of Microsoft Outlook to locate and address email to any other AKO-verified Army user.
The UAG includes the user certificate information required for PKI-encrypted messages and the Electronic Data Interchange Personal Identifier (EDI-PI) information required for CAC logon.
Future: EDS-Lite will be the single source for the UAG and will serve as the baseline for future initiatives to extend the Army Enterprise Directory Services capability and interface with JEDS.
6. EDS Lite GAL Synchronization
7. Unified GAL
EDS-Lite/GAL addresses the need for a unified Global Address List (GAL) across the multi-forest implementation of Microsoft Exchange Server 2003.
Integrates AKO
The solution, supporting Exchange 2003 users, provides a directory containing Army Knowledge Online (AKO) email addresses validated against AKO user account information, AD forest GAL contacts, and GDS certificates
9. Enterprise User Attributes
10. Enterprise User Attributes
11. Hub (AKO-DR)
Fully operational with connectivity to the AKO and GDS data consumers.
Accreditation
Authority to Operate (ATO) was awarded 14 Nov 06.
Certificate to Operate (CTO) was signed 9 Jan 06 but runs concurrently with ATO.
Initial Operational Capability (IOC)
IOC occurred 14 Aug 06 for 16K CONUS Forest Active Directory (AD) Exchange 2003 users, with the system meeting all functional requirements.
Currently approximately 186K entries are in the UAG and 240K user objects are being updated in CONUS.
INSCOM is expected to be the next Forest to be joined.
DoD Enterprise Directory Services (JEDS)
12. Forest Joined to EDS-Lite
CONUS
Forests Actively in Process of Joining EDS-Lite
USAREUR
USARPAC
SWA
INSCOM
Forests for Which Implementation Coordination has not yet Occurred
Accessions Command
West Point
Korea
MEDCOM
Corps of Engineers
Army Reserve
National Guard
13. Enterprise Directory Service Provisioning (EDS-P) The EDS-P service was developed by the Software Engineering Center-Ft Belvoir (SEC-B) in support of the Army Enterprise Directory Services.
EDS-P will provision users, machines and accounts from the Generating Force (GF) Active Directory and MS Exchange mail servers to the Deployed Force (DF) Active Directory and MS Exchange servers.
The EDS-P service is designed so that the Warfighter trains as they fight.
The EDS-P service capability allows a seamless transition from a Generating Force location to a Deployed Force location.
The function of EDS-P is to provision user and system objects from a GF Active Directory (AD) to a DF AD with little to no disruption in overall service to the Warfighter.
14. EDS-P Definition Provisioning is defined as the movement of user identities, data and services from a Generating Force (GF) AD forest to and from a Deployed Force (DF) AD forest
15. DF & EDS-P Guidance The 15 July 05 memorandum directed that Deployed AD forests operate “autonomously”.
The “autonomous” concept is interim until a robust provisioning tool can accommodate the AD migration from the generating to the deployable AD forest and back, consistent with the various phases of deployment operations.
The intent of the 15 July 05 memorandum is that while in garrison, C4IM services are provided by the installation DOIM and the deployable unit provisions back into the generating force’s AD forest construct.
The DF AD forests will always remain active and persistent to accommodate deployments, exercises and emergency/contingency operations (Full vs. nearly Empty)
16. EDS-P Objective Restructure the Generating Force objects into the Deployable Force (DF) Active Directory environment, and the reverse
Depict the process of provisioning objects between the Generating Force and Deployable Force forests, and the reverse
Restructure the Deployed Force objects into the Deployable Force (DF) Active Directory environment, and the reverse, in support of the Modular Force
17. EDS-P Tool Capability Be able to operate at the OU Level
Developed Tool that does not require a trust between GF and DF Domains
Developed Code to move OU AD information between GF and DF
Developed Code to move mail accounts between GF and DF
“Dial-tone” email service (if no existing mail account)
Graphical User Interface between EDS-P tool set and GF/DF forests
Provisioning support for:
Single or multiple geographic sites
AD Site/domains
Selected unit(s)
Single objects
Working code to move domain access for PCs from GF to DF
Provision GF Systems Administration functions to identified System Administrator for the DF (Security)
Notifies Administrator of failed provisioning
Reporting
Graphical Interface that:
Moves User/Group objects to the deploying servers
Provides “Dial-tone” email service
Sets Security server settings for deployed environment
Sets Asset Management server settings for deployed environment
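The capability list above describes moving an OU subtree between two forests that do not trust each other, giving users without a mailbox a dial-tone address, and notifying the administrator of anything that did not provision. The following is an added illustration of that workflow, not the EDS-P tool's code: the naming contexts, the landing OU, the mail domain and every directory entry are constructed assumptions. It shows the three steps a practitioner actually has to get right: DNs are re-based onto the DF naming context, forest-local attributes (SIDs, GUIDs, sIDHistory, back-links) are dropped so the DF domain controller generates its own, and a user whose sAMAccountName already exists in the DF forest is refused rather than silently merged with a different principal.

```python
"""Move one unit's OU subtree from the Generating Force (GF) forest to the
Deployed Force (DF) forest without a trust between them: re-base every DN
onto the DF naming context, drop the forest-local attributes the DF domain
controller must generate itself, rewrite group membership, refuse accounts
whose sAMAccountName already exists in the DF forest, and give users with
no mailbox a "dial-tone" address.

Added illustrative example, not the EDS-P tool's code. The naming
contexts, landing OU, mail domain and every entry below are constructed
assumptions.
"""

# Owned by the source forest. Copying them would be rejected by the target
# DC or, for sIDHistory, would carry a foreign SID into the DF forest.
FOREST_LOCAL = {"objectSid", "objectGUID", "sIDHistory", "memberOf",
                "uSNCreated", "uSNChanged", "whenCreated", "whenChanged"}

GF_SUFFIX = "DC=gf,DC=army,DC=mil"        # assumed GF naming context
DF_SUFFIX = "DC=df,DC=army,DC=mil"        # assumed DF naming context
DF_LANDING_OU = "OU=Deployed Units"       # assumed DF OU that receives moved units
DF_MAIL_DOMAIN = "df.army.mil"            # assumed DF mail domain
DF_EXISTING_SAM = {"administrator", "sam.smith"}   # constructed: already in DF

# Constructed GF export of one unit OU (attribute subset only).
GF_EXPORT = [
    {"dn": "OU=1-1 CAV,OU=Units," + GF_SUFFIX, "objectClass": "organizationalUnit"},
    {"dn": "CN=John Doe,OU=1-1 CAV,OU=Units," + GF_SUFFIX, "objectClass": "user",
     "sAMAccountName": "john.doe", "mail": "john.doe@us.army.mil",
     "objectSid": "S-1-5-21-1-2-3-1105",
     "memberOf": ["CN=S6,OU=1-1 CAV,OU=Units," + GF_SUFFIX]},
    {"dn": "CN=Jane Roe,OU=1-1 CAV,OU=Units," + GF_SUFFIX, "objectClass": "user",
     "sAMAccountName": "jane.roe", "objectSid": "S-1-5-21-1-2-3-1106"},   # no mailbox
    {"dn": "CN=Sam Smith,OU=1-1 CAV,OU=Units," + GF_SUFFIX, "objectClass": "user",
     "sAMAccountName": "sam.smith", "objectSid": "S-1-5-21-1-2-3-1107"},  # collides in DF
    {"dn": "CN=S6,OU=1-1 CAV,OU=Units," + GF_SUFFIX, "objectClass": "group",
     "sAMAccountName": "S6",
     "member": ["CN=John Doe,OU=1-1 CAV,OU=Units," + GF_SUFFIX,
                "CN=Sam Smith,OU=1-1 CAV,OU=Units," + GF_SUFFIX,
                "CN=Post Admin,OU=DOIM," + GF_SUFFIX]},   # lives outside the moved OU
]


def rebase_dn(dn, src_suffix=GF_SUFFIX, dst_suffix=DF_SUFFIX, landing_ou=DF_LANDING_OU):
    """Replace the GF naming context with '<landing OU>,<DF naming context>',
    keeping the relative OU path so the unit's structure survives the move."""
    if not dn.lower().endswith(src_suffix.lower()):
        raise ValueError(f"DN is not in the GF forest: {dn}")
    relative = dn[: len(dn) - len(src_suffix)].rstrip(",")
    target = f"{landing_ou},{dst_suffix}"
    return f"{relative},{target}" if relative else target


def provision(entries, df_existing_sam=DF_EXISTING_SAM, mail_domain=DF_MAIL_DOMAIN):
    """Return (df_entries, report).

    df_entries: the objects to import into the DF forest, in source order.
    report: [(source dn, message)] for everything the administrator must
    know about, including the entries that were refused.
    """
    existing = {s.lower() for s in df_existing_sam}
    report = []

    # Pass 1: decide which entries may move at all. A user whose
    # sAMAccountName already exists in DF would be mistaken for, or merged
    # with, a different principal, so it is refused here.
    refused = set()
    for e in entries:
        if e.get("objectClass") == "user" and e["sAMAccountName"].lower() in existing:
            refused.add(e["dn"].lower())
            report.append((e["dn"], "sAMAccountName already exists in DF forest; refused"))
    moved = {e["dn"].lower() for e in entries} - refused

    # Pass 2: rewrite the survivors.
    df_entries = []
    for e in entries:
        if e["dn"].lower() not in moved:
            continue
        out = {k: v for k, v in e.items() if k not in FOREST_LOCAL}
        out["dn"] = rebase_dn(e["dn"])
        if e.get("objectClass") == "user" and not e.get("mail"):
            out["mail"] = f"{e['sAMAccountName']}@{mail_domain}"
            report.append((e["dn"], f"no GF mailbox; dial-tone address {out['mail']}"))
        if "member" in e:
            # Only members that move with the OU can be resolved in DF; a DN
            # pointing back into GF would dangle, since there is no trust.
            out["member"] = []
            for m in e["member"]:
                if m.lower() in moved:
                    out["member"].append(rebase_dn(m))
                else:
                    report.append((e["dn"], f"member not moved, dropped: {m}"))
        df_entries.append(out)
    return df_entries, report


if __name__ == "__main__":
    objects, notes = provision(GF_EXPORT)
    for o in objects:
        print(o["dn"])
    for dn, msg in notes:
        print(f"NOTE {dn}: {msg}")
```

The report is the piece that maps to "Notifies Administrator of failed provisioning": every refusal, every dial-tone mailbox and every dropped group member is listed against the source DN, so the DF administrator can see what the deployed forest will be missing before the unit depends on it.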
18. EDS-P Environment Process participants
DF Forest Administrator
DF OU Administrator
DF Commander
GF TLOU Administrator
Provisioning Administrator
Development of User manual
Process will be validated during testing
19. Unit Deploying Process
20. Provisioning Process for Units Returning from Deployment
22. Joint Enterprise Directory Services (JEDS)
23. A Global Information Grid (GIG) Identity Locator Service
Provisioned from Component and DOD Authoritative Identity Sources
Staged to GIG users and applications through secure interfaces
Purpose
To provide GIG NetCentric SOA and users a single source for GIG digital identity attribute information
To provide NCES People Discovery and Attribute Retrieval Services
JEDS Vision At its core JEDS is an enterprise-level authoritative attribute harvesting and publishing service.
Data Quality – JEDS will only be as good as the quality of the attributes provided by its authoritative sources.
An authoritative source is an attribute repository or directory source with an established provisioning process that creates, maintains, and deletes/retires user and other attribute information IAW applicable personnel data management & privacy regulations and policy guidelines
ASD(NII) May 2005 Stated JEDS Objectives - Design and implement a secure, interoperable, manageable, incrementally scalable, information sharing capability to:
* Develop a comprehensive DoD White Pages service
* Provide users the ability to find people, organizations, services, devices, etc., across DoD
* Standardize and provide access to attributes owned and maintained by DoD Components
* Enable users, humans and machines, to access the attributes
* Exchange data with Net-Centric Enterprise Services, Intel Community, Allies, Coalition partners, DHS, and other defined and ad hoc Communities of Interest
NCES Objectives – JEDS to provide NCES’s People Discovery & Attribute Retrieval Services
COCOM AD Interoperability Problem – JEDS can address the tactical mobile user problem by serving as a central provisioning source from which tactical and JTF enclave Sys Admins pull account information
Potential Issues from aggregating all the GIG Users in one Enterprise Directory Database
* NetOps – JEDS will highlight the quality and inconsistency of the GIG’s diverse account provisioning and management processes. DoD will need policies and processes to standardize account provisioning
* OPSEC – Key in Intelligence Community classification is “sources & methods,” and the ultimate “source” is an organization’s “people”; so a Directory of all the GIG users must not only be shared but also protected from unauthorized access. The access control requirements are still to be determined. This was a major issue when the IC built its JWICS Full Service Directory (IC FSD). Several attributes (e.g. SSNs) have privacy restrictions
* Authorization Attributes – If JEDS is to serve as an enterprise-level attribute source for ABAC, then we need to determine which authorization attributes JEDS will harvest and from where. Some of these sources (e.g. DMDC, DEERS, JPAS, DIMIHR, etc.) are not under ASD(NII)
DISA (PEO IAN) is engaged with the NII (Mr. Mike Krieger) PDM III effort to address these and other policy issues that will arise in building and deploying a GIG enterprise Directory Service
24. JEDS Data Structure and Sources Data Structure - Schema and Directory Information Tree (DIT)
Harvesting side – Depends on authoritative provisioning source
Core Directory – Relatively flat based on DMS/PKI upper DIT
Publishing Side – Multiple DIT views, depending on customer requirements
DISA Global Directory Services (GDS)
Source for PKI Email encryption certificate attributes
13 DoD Common Active Directory (AD) User Attributes
Initial NIPRnet Sources – Army EDS-Lite, NMCI White Pages, AF Dir Service, USMC GAL, Pentagon (PAED) GAL, STRATCOM GAL, and DISA GAL
Initial SIPRnet Sources – Projected to be NIPRnet JEDS, COCOM GALs, REL DMZ AD Forest, others…
Future Sources
DMDC DEERS – A broad list of common attributes to include EDI_PI
DMS AD Forest for Organizational attributes (Blue Pages)
JPAS and ScatteredCastles for Clearance attributes
Other attributes will be added as sources are identified and synchronization agreements can be worked out
De-confliction keyed to Unique Identifiers (UIDs): EDI_PI, Email, and SS#
Schema is the core structure that defines how data is organized in the Directory database.
DIT – Directory Information Tree, the hierarchical tree-like structure in which Directories display entries.
GDS – Global Directory Service, a GIG Directory of all DoD individual email addresses and encryption certificates (see https://powhatan.iiie.disa.mil/gds/ or query the GDS via https://dod411.gds.disa.mil/)
AD – Microsoft’s Active Directory product, used by most DoD Components to manage user network authentication and authorization.
GAL – Global Address List, the Microsoft Exchange email listing of users & contacts in AD
DEERS – Defense Enrollment Eligibility Reporting System, the authoritative source for all DoD personnel and benefits information, maintained by the Defense Manpower Data Center (DMDC) (https://www.dmdc.osd.mil/deers/)
JPAS – Joint Personnel Adjudication System, run by the Defense Security Service. (https://jpas.dsis.dod.mil/index.html)
PAED – The Pentagon Area Enterprise Directory, a Global Address List (GAL) of all Pentagon, NCR, and participating HHQ Exchange GALs, compiled and maintained by the Pentagon Messaging Center for Pentagon Exchange mail users.
The 13 Active Directory User Object Attributes are defined in the Apr 05 ASD(NII) Microsoft Active Directory (AD) Services Memo and associated naming specification (see table in note page view). The ASD(NII) PDM III working group, Mr. Mike Krieger, is working to add two additional attributes, Clearance and Distinguished Name, based on availability of an authoritative source.
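The EDS-Lite slides (5 and 7) describe correlating forest GAL entries against AKO-verified accounts and GDS certificates, and slide 24 says JEDS de-conflicts on the unique identifiers (EDI-PI, email, SSN). The following is an added illustration of that correlation step, not EDS-Lite's or JEDS's own code: the three feeds, their field names (edipi, mail, verified, cn) and the attribute chosen to carry the EDI-PI on the written-back contact are constructed assumptions. The point it makes that the slides only imply is that a record which fails to reconcile (no EDI-PI, unverified account, mismatched address, or an address already published for a different EDI-PI) must be reported and withheld, because publishing it would route mail, and the encryption certificate, to the wrong person.

```python
"""Build the unified address list the way the EDS-Lite slides describe it:
a forest GAL entry is published only when it correlates, on the unique
identifier, to an AKO-verified account with the same address; GDS supplies
the encryption certificate; and anything that does not reconcile is
reported instead of being written back to the forests.

Added illustrative example, not EDS-Lite's code. The three feeds, their
field names (edipi, mail, verified, cn) and the write-back attribute
chosen for the EDI-PI are constructed assumptions.
"""
import base64
from collections import OrderedDict

# Constructed feeds. Each would really be an LDAP or CSV export.
FOREST_GALS = {
    "CONUS": [
        {"edipi": "1000000001", "mail": "John.Doe@us.army.mil", "cn": "Doe, John"},
        {"edipi": "1000000002", "mail": "jane.roe@us.army.mil", "cn": "Roe, Jane"},
        {"edipi": "",           "mail": "legacy.box@us.army.mil", "cn": "Legacy, Box"},
    ],
    "USAREUR": [
        {"edipi": "1000000003", "mail": "sam.smith@us.army.mil", "cn": "Smith, Sam"},
        {"edipi": "1000000004", "mail": "john.doe@us.army.mil", "cn": "Doe, Jonathan"},
    ],
}
AKO_ACCOUNTS = {                       # keyed by EDI-PI
    "1000000001": {"mail": "john.doe@us.army.mil", "verified": True},
    "1000000002": {"mail": "jane.roe2@us.army.mil", "verified": True},   # differs from forest
    "1000000003": {"mail": "sam.smith@us.army.mil", "verified": False},
    "1000000004": {"mail": "john.doe@us.army.mil", "verified": True},    # reuses John Doe's address
}
GDS_CERTS = {                          # keyed by EDI-PI; stand-in DER bytes
    "1000000001": b"\x30\x82\x03\x00CERT-JOHN",
    "1000000002": b"\x30\x82\x03\x00CERT-JANE",
}


def correlate(forest_gals, ako_accounts, gds_certs):
    """Return (uag, rejects).

    uag: {edipi: record}; forests are processed in sorted order so the
    result is deterministic. rejects: [(forest, identifier, reason)] for
    entries a human must resolve before they may be published.
    """
    uag, rejects, mail_owner = OrderedDict(), [], {}
    for forest in sorted(forest_gals):
        for rec in forest_gals[forest]:
            edipi, mail = rec["edipi"], rec["mail"].lower()
            ako = ako_accounts.get(edipi) if edipi else None
            if not edipi:
                rejects.append((forest, mail, "no EDI-PI; cannot correlate"))
            elif ako is None:
                rejects.append((forest, edipi, "no AKO account"))
            elif not ako["verified"]:
                rejects.append((forest, edipi, "AKO account not verified"))
            elif ako["mail"].lower() != mail:
                rejects.append((forest, edipi, f"mail differs: forest={mail} ako={ako['mail'].lower()}"))
            elif mail_owner.get(mail, edipi) != edipi:
                # Two people with one address would deliver mail to the wrong
                # recipient and encrypt it to the wrong certificate.
                rejects.append((forest, edipi, f"{mail} already published for EDI-PI {mail_owner[mail]}"))
            else:
                mail_owner[mail] = edipi
                uag[edipi] = {"edipi": edipi, "mail": mail, "cn": rec["cn"],
                              "forest": forest, "userCertificate": gds_certs.get(edipi)}
    return uag, rejects


def escape_rdn(value):
    """Escape the RFC 4514 special characters in an RDN value ("Doe, John")."""
    return "".join("\\" + c if c in ',+"\\<>;' else c for c in value)


def contact_ldif(record, target_ou):
    """Render one UAG record as the mail-enabled contact written back into a
    forest, with the certificate base64-encoded as LDIF requires."""
    lines = [f"dn: CN={escape_rdn(record['cn'])},{target_ou}",
             "objectClass: contact",
             f"cn: {record['cn']}",
             f"mail: {record['mail']}",
             f"employeeID: {record['edipi']}"]   # assumed attribute for the EDI-PI
    if record["userCertificate"]:
        lines.append("userCertificate;binary:: "
                     + base64.b64encode(record["userCertificate"]).decode())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    uag, rejects = correlate(FOREST_GALS, AKO_ACCOUNTS, GDS_CERTS)
    for entry in uag.values():
        print(contact_ldif(entry, "OU=UAG,DC=conus,DC=army,DC=mil"))
    for forest, ident, reason in rejects:
        print(f"REJECT {forest} {ident}: {reason}")
```

Only one of the five constructed entries survives; the other four each trip a different check. Running the rejects list past the forest owners before each synchronization cycle is the practical form of the "data quality" caveat on the JEDS Vision slide.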
27. Conclusion
28. Questions?