Active Directory Consolidation: Phase 3 Update Colin Bell (cpbell) February 7, 2013


Page 1: Active Directory Consolidation: Phase 3 Update · Active Directory Consolidation: Phase 3 Update Colin Bell ... Nov 2nd, 2012 • MS1: ... • MS3: June 14, 2013

Active Directory Consolidation: Phase 3 Update

Colin Bell (cpbell)

February 7, 2013

Page 2

Working High-Level WBS

Clarity, Governance, Change Management, and Documentation

1. Clarify transfer process and goals.
2. Transfer knowledge from Engineering w.r.t. current monitoring and management techniques.
3. Establish Change Management controls inside IST w.r.t. NEXUS.
4. Establish Service Management controls inside IST w.r.t. NEXUS.
5. Establish IST based monitoring and audit capabilities to augment current capabilities.
6. Document future (ADS retirement plans).
7. Transfer "ownership" and ultimate operational responsibility to IST.

Page 3

Goals: Governance

• Document Terms of Reference for a Governance body with campus-wide representation. (underway – Feb 22, 2013)
• Establish controls so all parties have a voice. (change management procedure)
• Establish grievance process so that parties can lodge complaints. (underway – need test case)

Page 4

Current Involvement (1)

• Executive Steering Group
  – Dave Wallace (IST), Olga Vechtomova (ENG)
  – Colin Bell (IST), Bruce Campbell (IST), Marko Dumancic (ENV), Erick Engelke (ENG), Martin Timmerman (IST)

Page 5

Current Involvement (2)

• Monitoring, Audit, and Software Management (MAS Subgroup)
  – ENG => Daniel Delattre, Erick Engelke, Hon Tam
  – IST => Colin Bell, Mike Cocker, John Mayall
  – ARTS => Nevil Bromley

Page 6

Current Involvement (3)

• Governance (GOV Subgroup)
  – Colin Bell (IST), Erick Engelke (ENG), Martin Timmerman (IST)

Page 7

Goal: Establish Service Management (NEXUS/APEX)

• Incident Management (in progress)
• Change Management (draft in use)
• Release Management (imminent – decommissioning of DC + rebuild to be test case)

Page 8

Goal: Document the Future (in progress / targeted – March 2013)

• Develop roadmap for migration of services from ADS to NEXUS.
  – Actual ‘moves’ are out-of-scope.
• Document shared monitoring, auditing, and software management requirements.
• Document current and future roles and responsibilities for all stakeholders + established campus bodies.

Page 9

Goal: Ultimate Operational Responsibility on IST

• Move to minimize the number of Domain Administrators in NEXUS.
• Consolidate top-level responsibilities in IST (as an infrastructure service).
  – “Handover the Keys” (ADAud2012 – MP5.0)
• Goal => MS2 – April 30, 2013

Page 10

Goal: Meet Audit Requirements (1)

• Overall Strategy and Plan
  – Develop project plan and RAID log. Socialized with project stakeholders. [ADAud2012-1.0-HP] (today is first step of socialization, project plans and RAID log to be released to successive groups in coming weeks)
  – Establish a management committee and leverage it as a forum to discuss and resolve critical project related decisions. [ADAud2012-2.0-HP] (completed initial group, expansion coming)

Page 11

Goal: Meet Audit Requirements (2)

• Test Plans and Test Cases
  – Ensure test plan, scenarios, cases and results are documented. [ADAud2012-3.0-MP] (started and underway – Change Management Procedure will help control work)

Page 12

Goal: Meet Audit Requirements (3)

• Documentation of Rollback Plans
  – Ensure that each migration procedure defines and tests a rollback plan. In cases where a roll-back is not required due to risk level, the decision is documented. [ADAud2012-4.0-MP] (many migrations completed in Phase 2 – any future work will rely on Change Management Procedure + RAID Log)

Page 13

Goal: Meet Audit Requirements (4)

• Active Directory Governance and Operations
  – Determine roles and responsibilities and communicate accordingly across IST, Engineering, and Security teams. [ADAud2012-5.0-MP] (Change Management Procedure normalizes work, RASCI Chart can now be built to formalize roles / responsibilities)

RASCI = {Responsible, Accountable, Support, Consulted, Informed}

Page 14

Goal: Meet Audit Requirements (5)

• Migration Strategy Planning
  – Perform an analysis of application and servers that leverage ADS. Develop a server / application migration plan. [ADAud2012-6.0-MP] (Already planned as part of the ‘Document the Future’ effort. See previous slide – March 2013.)

Page 15

Goal: Meet Audit Requirements (6)

• Object Migration Approach [ADAud2012-7.0-MP]
  – Perform analysis on accounts that have not been migrated.
  – Review and clean up orphan accounts.
  – Review privileged accounts and analyze if access is still valid after migration.
  – Perform analysis on accounts.
  – Inventory service accounts and use.

… to be planned w/ MAS Subgroup + EAWG.

Page 16

Goal: Meet Audit Requirements (7)

• Interoperability Requirements [ADAud2012-8.0-LP]
  – Identify, document, and socialize WatIAM integration requirements with key stakeholders to ensure that all issues are identified and addressed.

… much work done in Phase II. Work in Phase III to be planned with input from EAWG – IdM Analysis.

Page 17

Change Management Procedure (1)

[Flowchart: University of Waterloo NEXUS / Active Directory Change Procedure, Version 0.4 - DRAFT. Box, decision and branch labels, in extraction order:]

• Change?
• What is cause?
• Verify Ticket exists and update RAID Issue Log
• Create 'Risk' RAID entries for any risks identified in Change Request Form
• Feature / Change Request
• Problem / Incident
• Is there a complete service interruption?
• Follow Emergency Response (Repair) or DRP
• Calculate Risk (likelihood vs. impact)
• Is the change global or universal in scope? (Require Domain-level or Enterprise privs?)
• Follow Client Support Procedure for affected Client
• Verify update of Ticket and RAID Log
• Apply AD Operations judgement framework
• Complete Root Cause Analysis (RCA) Procedure
• Change is eligible for batching?
• This should be a Problem / Incident
• Submit 'Change Requests' for remediation actions.
• Verify update of Ticket and 'Issue' RAID Log
• Apply AD Management judgement framework
• Submit to Governance Committee
• requires Governance oversight
• Change Granted?
• Update all associated RAID "Risks" and/or Tickets
• Communicate and make changes
• Communicate and make changes
• does not require Governance oversight
• Research and Document Threat / Cause
• High Risk / Imminent Danger?
• Resolved?
• Perform pre-authorized risk mitigation actions. (from RCA and/or OJF)

Page 18

Change Management Procedure (2)

Working to Model the data required for Change Management

Page 19

Dates

• Start: Nov 2nd, 2012
• MS1: Dec 19, 2012 (completed)
  – “Transfer Keys” > IST in APEX + NEXUS at highest level.
• MS2: April 30, 2013
  – “Work Complete” > By this point IST is only party working at top-level of APEX + NEXUS. Everything is documented.

Page 20

Dates

• MS3: June 14, 2013
  – “Project Complete”
• MS4: June 28, 2013
  – “Project Closing Complete”