Join Todd Shelton from Netdesk to learn about Statewide Forest Governance, AD technology, benefits, and more. Understand what the forest is, decision-making process, and how to leverage AD effectively.
Let’s Get It Together The Statewide Active Directory Forest www.netdesk.com
Agenda • Introduction • Session Goal • Statewide Forest Governance • Designing Active Directory? • Active Directory Technology • Benefits of the Statewide Forest • Joining The Forest
Todd Shelton • Project Quality Assurance • President, Netdesk Corporation • Single Sign-On proof of concept
About Netdesk • Netdesk is the largest Microsoft technical trainer in the Northwest • Netdesk specializes exclusively in Microsoft technology—systems and developer • Netdesk carefully manages customer satisfaction to the highest levels
Session Goal • To help you understand • What the statewide forest is • How decisions are made • How to use Active Directory • What you can get out of it • How to learn more or join
Project History • Win2K converges network and database • LAN Managers group attempted to install in 1999 and was not successful. • Appeal to CAB Infrastructure Subcommittee 1999 • CAB Pilot Winter 2000 recommended single forest for the state. • Project Steering Committee formed - kickoff Fall 2000 • Project completion June 2001
CAB Forest Objectives • Create a State Forest Win2k Server environment and install the statewide root for agencies who want to join. • Implement the first version of the Active Directory. • Provide a foundation to allow shared applications / data. • Establish governing policies for the state forest. • Implement Exchange 2000 (new objective)
Accomplishments • Test Forest is up. • Three agencies attached/Two ready to join. • Pre-production Forest is up (L&I, DSHS are attached). • Standards documentation developed. • Ongoing governance model has been established. • Website: http://sww.wa.gov/win2k/
Project To Date • Broad participation. • CAB authorized (not a DIS show). • Not mandatory. • Governance model in practice. • Many applications coming. • Preparation for Exchange 2000.
How does our project compare? • Washington state is a national leader • Governance model is unique and robust—didn’t come down “from the top” • The project focuses on business results • The quality is very high • The project sees the future clearly
Forest Governance Model (org chart) • CAB • Windows 2000 Steering Committee • Agencies • DIS • Forest Application Developers • Forest Resource Group • DIS Statewide Root Management
Win2k Steering Committee • Participants: DSHS, ESD, DFI, GA, L&I, OFM, DOP, DIS, DOT, DOL • Observers: LEG, ECY, DOR, DRS (new), EMD • Chair: Phil Grigg
Forest Resource Group • Responsible for network infrastructure, operations, and change management • Interagency technical working group • Developed the project documents • Makes recommendations to the Steering Committee • Chair: John Ditto
Forest Application Developers • Two sets of responsibilities • Startup and Ongoing • Define Active Directory strategic direction and recommend direction to the Windows 2000 Steering Committee in three areas: • Active Directory Schema • Application use of the Active Directory • Approval of applications that use Active Directory • Chair: Gregg Arndt
DIS • Executes decisions made by the Steering Committee • Steering Committee records are incorporated into the DIS service level agreement • Operates the root domain structure • DIS does NOT make forest decisions (but DIS sits on the Steering Committee)
Forest Root Service Level Agreement (SLA) • Forest Root Responsibilities • Implement Steering Committee Policy • Hardware and Software for the Root Domain • 99.9% availability in Production Environment • Pre-production and Rip & Tear Environment • Follow Change Control Processes • Root administration • Provides Problem Management • Contracts Vendor Technical Support 7/24/365
What is Active Directory? • A scalable (millions + objects) shared, replicated database of user and other information • A partial copy lives on every domain controller • Active Directory manages authentication and access control • It’s built into the operating system! (no extra charge)
Active Directory Design • What are your business goals? • Reduce the number of domain admins • Move password resets from the help desk • Reduce physical visits to workstations • Build a more responsive infrastructure • What are you trying to accomplish administratively?
Active Directory Design • What are you trying to accomplish administratively? • What administrative distinctions are you making? • What “things” are administratively distinct?
Active Directory Design • Group like “things” together, separate distinct ones using Active Directory containers • Container objects are administrative boundaries • Forest • Site • Domain • Organization Unit • Group
Active Directory Design • Manipulate these containers of “things” using • Inheritance • Group Policy • Active Directory Permissions
Active Directory Design • Use containers and the three ways you can manipulate them to • Delegate administration • Safely share users and resources (applications) • Get IT out of administration and into managing a secure, available, responsive infrastructure
Is AD important to business? • Policy-based network configuration (more responsive network) • Shared identity information—built in user directory • Delegated administration—change how you think about IT administration • Platform for applications
Why the State Forest? • Become part of the community of practice • Take advantage of the money and blood others have spent • Take advantage of other agencies’ user accounts • Take better advantage of other agencies’ resources (the single sign-on)
Statewide Forest Benefits • It’s far cheaper than doing it by yourself • Policy-driven configuration management • New administration possibilities • Delegated administration • New application possibilities • Like Single Sign-On
Single Sign-On: The Problem • Users remember too many passwords • Developers manage authentication and access control • Help desks interact with too many systems • Managers can’t set enterprise-wide access control policies
Understanding Single Sign On • User Management • Authentication • Identity • Applications are Resources • But most also need their own user management • Shared or Distributed Administration • It’s critical: Single Sign On won’t work without it
What Are The Benefits? • For Users: • One password to remember • For Developers • No more (or at least reduced) user management • For Infrastructure Administrators (Help Desk) • Much less work dealing with passwords • For Policy Makers • A Practical Policy-Managed Compute Environment
The Problem • We have a user-based security model • We need a resource-based security model • (Thanks to John Ditto for saying this so well!)
The Single Sign-On Challenge • “Administrative Trust” must exist between data owners and users. • Then we can use Active Directory to make administration easier. • This model is already in place with OFM’s agency delegate for financial systems
Windows 2000 Forest and Trusted Domains (diagram) • Users authenticate to Windows 2000 • Application tiers: Regular App, Secure App, Highly Secure App (possibly with separate authentication), Mainframe and Legacy Applications (via Logon Assist Module) • Regular\Users contains L&I\Regular, DOT\Regular, SAO\Regular • Secure\Users contains L&I\Secure, DOT\Secure, SAO\Secure • Highly Secure\Users contains named individuals (Dennis Jones, Mike McVicker, Shelagh Taylor) • The Agency that owns the Secure Application delegates a trusted “Security Administrator” at the user Agency who controls the membership in the Secure group. • Shared, Trusted Group Administration Processes
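The delegation model on this slide (the application-owning agency's Secure group nests a per-agency Secure group, and a trusted Security Administrator at the user agency is allowed to change only that group's membership) as an added example; this is modern ActiveDirectory-module PowerShell written for this page, not a script from the project, and every OU, group and domain name in it is an assumed placeholder.

```powershell
# Added example, not from the deck: implement "delegated administration" with containers
# and Active Directory permissions for the Secure App group model. All names are assumed.
Import-Module ActiveDirectory

$AppAgencyOU   = 'OU=SecureApps,OU=LNI,DC=forest,DC=example'   # assumed: owned by the app agency
$UserAgencyOU  = 'OU=Secure,OU=DOT,DC=forest,DC=example'       # assumed: owned by the user agency
$AppGroup      = 'SecureApp-Users'    # assumed: the app's ACLs grant access to this group
$AgencyGroup   = 'DOT-SecureApp'      # assumed: DOT's slice of that access
$DelegateGroup = 'DOT-SecurityAdmins' # assumed: DOT's trusted Security Administrators

# 1. The app agency owns a domain local group that the application itself references.
New-ADGroup -Name $AppGroup -Path $AppAgencyOU -GroupScope DomainLocal `
    -GroupCategory Security -Description 'Secure application access (owned by app agency)'

# 2. The user agency gets its own global group, nested into the app group once.
New-ADGroup -Name $AgencyGroup -Path $UserAgencyOU -GroupScope Global `
    -GroupCategory Security -Description 'DOT users approved for Secure App'
Add-ADGroupMember -Identity $AppGroup -Members $AgencyGroup

# 3. Delegate only "write members" on the agency group to the agency's Security Admins.
#    bf9679c0-0de6-11d0-a285-00aa003049e2 is the schema GUID of the 'member' attribute,
#    so the ACE covers that one attribute and nothing else on the object.
$memberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$delegateSid    = (Get-ADGroup $DelegateGroup).SID
$agencyGroupDN  = (Get-ADGroup $AgencyGroup).DistinguishedName

$acl  = Get-Acl -Path "AD:\$agencyGroupDN"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $delegateSid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttrGuid)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$agencyGroupDN" -AclObject $acl

# 4. Verify the boundary: the delegate appears with WriteProperty on 'member' only,
#    and has no ACE on the app agency's group, which stays under the app owner's control.
(Get-Acl -Path "AD:\$agencyGroupDN").Access |
    Where-Object { $_.IdentityReference -like "*$DelegateGroup*" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType
```

Membership changes on the delegated group can then be tracked through directory-service change auditing on the user agency's OU, which gives the shared, trusted administration process a record without giving the delegate rights over the application's own group.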
Single Sign-On Prototype • Validate the concept of using the Windows 2000 security for single sign-on to a non-compliant application. • Assess feasibility of using a logon assist module. • Validate web application compatibility with Windows 2000 security. • Project Manager: Allen Schmidt, OFM
Benefits of the Statewide Forest • Active Directory shares identity information statewide for free. • Benefits include cheaper IT administration, delegation, and application development • Joining the forest is cheaper and easier than going it alone • Build the enterprise community
Joining the Forest • Review the web site! • Especially study these documents: • Agency Join Requirements • Naming Conventions and Standards • Root Domain Requirements • Get trained • Get involved: Steering Committee and working groups
How To Join • Preparation • Check sheet • Co-operation/ Letter of Intent • Rules of the environment • Change Management • Issue Escalation • Service Level Agreement • Agency Welcome Kit - in progress
Summary • CAB-approved, interagency project • All decisions are made through the interagency Steering Committee • Active Directory shares user and other information automatically • Much of the work is already done (you don’t have to pay for it!) • To join, visit the web site
Thank you! • Contacts • Phil Grigg - Chair, Windows 2000 Steering Committee • (360) 902-7452 Email: PGrigg@ga.wa.gov • Gregg Arndt - Chair, Forest Application Developers • (360) 664-6418 Email: GreggA@dop.wa.gov • Allen Schmidt – Project Manager, Single Sign-On Prototype • (360) 725-5272 Email: Allen.Schmidt@ofm.wa.gov • John Ditto – Chair, Forest Resource Group • (360) 902-0349 Email: ditto@dis.wa.gov (in the GAL) • Bob Deshaye – Service Level Agreements • (360) 902-3336 Email: BobD@dis.wa.gov (in the GAL) • Todd Shelton – Netdesk Corporation • (206) 224-7690 Email: Todd.Shelton@netdesk.com