Let’s Get It Together
The Statewide Active Directory Forest
www.netdesk.com

Agenda
• Introduction
• Session Goal
• Statewide Forest Governance
• Designing Active Directory?
• Active Directory Technology
• Benefits of the Statewide Forest
• Joining The Forest

Todd Shelton
• Project Quality Assurance
• President, Netdesk Corporation
• Single Sign-On proof of concept

About Netdesk
• Netdesk is the largest Microsoft technical trainer in the Northwest
• Netdesk specializes exclusively in Microsoft technology—systems and developer
• Netdesk carefully manages customer satisfaction to the highest levels

Session Goal
• To help you understand
  • What the statewide forest is
  • How decisions are made
  • How to use Active Directory
  • What you can get out of it
  • How to learn more or join
Project History
• Win2K converges network and database
• The LAN Managers group attempted an installation in 1999, which was not successful
• Appeal to CAB Infrastructure Subcommittee 1999
• CAB Pilot, Winter 2000, recommended a single forest for the state
• Project Steering Committee formed; kickoff Fall 2000
• Project completion June 2001
CAB Forest Objectives
• Create a State Forest Win2k Server environment and install the statewide root for agencies who want to join.
• Implement the first version of the Active Directory.
• Provide a foundation to allow shared applications / data.
• Establish governing policies for the state forest.
• Implement Exchange 2000 (new objective)

Accomplishments
• Test Forest is up.
• Three agencies attached / two ready to join.
• Pre-production Forest is up (L&I, DSHS are attached).
• Standards documentation developed.
• Ongoing governance model has been established.
• Website: http://sww.wa.gov/win2k/

Project To Date
• Broad participation.
• CAB authorized (not a DIS show).
• Not mandatory.
• Governance model in practice.
• Many applications coming.
• Preparation for Exchange 2000.

How does our project compare?
• Washington state is a national leader
• Governance model is unique and robust—didn’t come down “from the top”
• The project focuses on business results
• The quality is very high
• The project sees the future clearly
Forest Governance Model (diagram)
• CAB
• Windows 2000 Steering Committee (Agencies, DIS)
• Forest Application Developers
• Forest Resource Group
• DIS Statewide Root Management

Windows 2000 Steering Committee
• Chair: Phil Grigg
• Participants: DSHS, ESD, DFI, GA, L&I, OFM, DOP, DIS, DOT, DOL
• Observers: LEG, ECY, DOR, DRS (new), EMD

Forest Resource Group
• Responsible for network infrastructure, operations, and change management
• Interagency technical working group
• Developed the project documents
• Makes recommendations to the Steering Committee
• Chair: John Ditto

Forest Application Developers
• Two sets of responsibilities: Startup and Ongoing
• Define Active Directory strategic direction and recommend direction to the Windows 2000 Steering Committee in three areas:
  • Active Directory Schema
  • Application use of the Active Directory
  • Approval of applications that use Active Directory
• Chair: Gregg Arndt

DIS
• Executes decisions made by the Steering Committee
• Steering Committee records are incorporated into the DIS service level agreement
• Operates the root domain structure
• DIS does NOT make forest decisions (but DIS sits on the Steering Committee)

Forest Root Service Level Agreement (SLA)
• Forest Root Responsibilities
  • Implement Steering Committee Policy
  • Hardware and Software for the Root Domain
  • 99.9% availability in Production Environment
  • Pre-production and Rip & Tear Environment
  • Follow Change Control Processes
  • Root administration
  • Provides Problem Management
  • Contracts Vendor Technical Support 7/24/365
What is Active Directory?
• A scalable (millions+ objects), shared, replicated database of user and other information
• A partial copy lives on every domain controller
• Active Directory manages authentication and access control
• It’s built into the operating system! (no extra charge)
Active Directory Design
• What are your business goals?
  • Reduce the number of domain admins
  • Move password resets from the help desk
  • Reduce physical visits to workstations
  • Build a more responsive infrastructure
• What are you trying to accomplish administratively?

Active Directory Design
• What are you trying to accomplish administratively?
• What administrative distinctions are you making?
• What “things” are administratively distinct?

Active Directory Design
• Group like “things” together, separate distinct ones using Active Directory containers
• Container objects are administrative boundaries
  • Forest
  • Site
  • Domain
  • Organization Unit
  • Group

Active Directory Design
• Manipulate these containers of “things” using
  • Inheritance
  • Group Policy
  • Active Directory Permissions

Active Directory Design
• Use containers and the three ways you can manipulate them to
  • Delegate administration
  • Safely share users and resources (applications)
  • Get IT out of administration and into managing a secure, available, responsive infrastructure
Is AD important to business?
• Policy-based network configuration (more responsive network)
• Shared identity information—built-in user directory
• Delegated administration—change how you think about IT administration
• Platform for applications

Why the State Forest?
• Become part of the community of practice
• Take advantage of the money and blood others have spent
• Take advantage of other agencies’ user accounts
• Take better advantage of other agencies’ resources (the single sign-on)

Statewide Forest Benefits
• It’s far cheaper than doing it by yourself
• Policy-driven configuration management
• New administration possibilities
  • Delegated administration
• New application possibilities
  • Like Single Sign-On

Single Sign-On: The Problem
• Users remember too many passwords
• Developers manage authentication and access control
• Help desks interact with too many systems
• Managers can’t set enterprise-wide access control policies

Understanding Single Sign On
• User Management
  • Authentication
  • Identity
• Applications are Resources
  • But most also need their own user management
• Shared or Distributed Administration
  • It’s critical: Single Sign On won’t work without it

What Are The Benefits?
• For Users: One password to remember
• For Developers: No more (or at least reduced) user management
• For Infrastructure Administrators (Help Desk): Much less work dealing with passwords
• For Policy Makers: A Practical Policy-Managed Compute Environment

The Problem
• We have a user-based security model
• We need a resource-based security model
• (Thanks to John Ditto for saying this so well!)

The Single Sign-On Challenge
• “Administrative Trust” must exist between data owners and users.
• Then we can use Active Directory to make administration easier.
• This model is already in place with OFM’s agency delegate for financial systems
Windows 2000 Forest and Trusted Domains (diagram)
• Users authenticate to Windows 2000; agency domains shown: L&I, DOT, SAO
• Regular App, used by Regular\Users, which contains L&I\Regular, DOT\Regular, SAO\Regular
• Secure App, used by Secure\Users, which contains L&I\Secure, DOT\Secure, SAO\Secure
• Highly Secure App (possibly with separate authentication), used by Highly Secure\Users, listed as individual accounts (Dennis Jones, Mike McVicker, Shelagh Taylor)
• Mainframe and Legacy Applications; Logon Assist Module
• The Agency that owns the Secure Application delegates a trusted “Security Administrator” at the user Agency who controls the membership in the Secure group.
• Shared, Trusted Group Administration Processes
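The delegation model on this slide (resource-owning agency holds the application group; each user agency’s Security Administrator controls only the membership of its own nested group) is also the “Active Directory Permissions” lever from the design slides. The following is an added example written for this page with the modern ActiveDirectory PowerShell module; it is not from the presentation or the project. All OU, group, domain and account names are constructed placeholders, it assumes a single domain for brevity (in the forest, each agency global group would be created in that agency’s own domain, e.g. with -Server), and the GUID is the schemaIDGUID of the member attribute, used to scope the ACE to membership edits only.

```powershell
# Added example, not from the presentation: shared, trusted group administration
# for a "Secure App". Placeholder names throughout.
Import-Module ActiveDirectory

$ResourceOU = 'OU=SecureApp,OU=Applications,DC=root,DC=example'  # app owner's OU (placeholder)
$AppGroup   = 'SecureApp-Users'   # domain-local group the application's ACLs reference

# 1. The owning agency creates the group the application actually checks.
New-ADGroup -Name $AppGroup -GroupScope DomainLocal -GroupCategory Security -Path $ResourceOU

# 2. Each user agency gets its own global group nested into the resource group,
#    plus one delegated "Security Administrator" who alone may edit that membership.
$Agencies = @(
    @{ Name = 'LNI-Secure'; Admin = 'ROOT\secadmin.lni' }   # placeholder accounts
    @{ Name = 'DOT-Secure'; Admin = 'ROOT\secadmin.dot' }
    @{ Name = 'SAO-Secure'; Admin = 'ROOT\secadmin.sao' }
)
$MemberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of 'member'

foreach ($a in $Agencies) {
    $g = New-ADGroup -Name $a.Name -GroupScope Global -GroupCategory Security `
                     -Path $ResourceOU -PassThru
    Add-ADGroupMember -Identity $AppGroup -Members $g

    # Delegate: read/write the 'member' attribute of this one group, nothing else.
    $path = 'AD:\' + $g.DistinguishedName
    $acl  = Get-Acl -Path $path
    $sid  = (New-Object System.Security.Principal.NTAccount($a.Admin)).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
                [System.Security.AccessControl.AccessControlType]::Allow,
                $MemberGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# 3. Verify (what an auditor checks): who may write 'member' on each agency group.
foreach ($a in $Agencies) {
    $dn = (Get-ADGroup -Identity $a.Name).DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.ObjectType -eq $MemberGuid -and
                       $_.ActiveDirectoryRights -match 'WriteProperty' } |
        Select-Object @{ n = 'Group'; e = { $a.Name } }, IdentityReference, AccessControlType
}
```

The verification loop is the part worth keeping as a recurring check: any identity other than the named agency Security Administrator (and the owning agency’s own admins) holding WriteProperty on member is a drift from the model on the slide.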
Single Sign-On Prototype
• Validate the concept of using the Windows 2000 security for single sign-on to a non-compliant application.
• Assess feasibility of using a logon assist module.
• Validate web application compatibility with Windows 2000 security.
• Project Manager: Allen Schmidt, OFM

Benefits of the Statewide Forest
• Active Directory shares identity information statewide for free.
• Benefits include cheaper IT administration, delegation, and application development
• Joining the forest is cheaper and easier than going it alone
• Build the enterprise community

Joining the Forest
• Review the web site!
• Especially study these documents:
  • Agency Join Requirements
  • Naming Conventions and Standards
  • Root Domain Requirements
• Get trained
• Get involved: Steering Committee and working groups

How To Join
• Preparation
  • Check sheet
  • Co-operation / Letter of Intent
• Rules of the environment
  • Change Management
  • Issue Escalation
  • Service Level Agreement
• Agency Welcome Kit (in progress)
Summary
• CAB-approved, interagency project
• All decisions are made through the interagency Steering Committee
• Active Directory shares user and other information automatically
• Much of the work is already done (you don’t have to pay for it!)
• To join, visit the web site

Thank you!
Contacts
• Phil Grigg – Chair, Windows 2000 Steering Committee: (360) 902-7452, Email: PGrigg@ga.wa.gov
• Gregg Arndt – Chair, Forest Application Developers: (360) 664-6418, Email: GreggA@dop.wa.gov
• Allen Schmidt – Project Manager, Single Sign-On Prototype: (360) 725-5272, Email: Allen.Schmidt@ofm.wa.gov
• John Ditto – Chair, Forest Resource Group: (360) 902-0349, Email: ditto@dis.wa.gov (in the GAL)
• Bob Deshaye – Service Level Agreements: (360) 902-3336, Email: BobD@dis.wa.gov (in the GAL)
• Todd Shelton – Netdesk Corporation: (206) 224-7690, Email: Todd.Shelton@netdesk.com