Active Directory Service Strategy


28 September 2005
Author: Mark Cribben
Contributors/Reviews: Ian Race, Eric Shaw, Andrew Muir, Peter Nilsson

Active Directory Services

• Requirements
• Service definition
• Service architecture
• Service delivery
• Service implementation
• Management tools
• Support model
• Issues
• Roadmap

Active Directory Service Requirements (1)

Functional Requirements

• Core identity store for global infrastructure
• Directory service that can support at least 100,000+ users plus workstations, printers, supporting servers and resources
• Support mergers, acquisitions and divestitures
• Support additional security requirements through legal or jurisdictional direction
• Support AD aware applications
• Flexible deployment to reduce future OS and Directory upgrades without impacting applications
• Integrated component of a wider IdM infrastructure
• Centralisation of domain controllers to data centre(s) and large office communities
• Enforcement of core server and desktop standards
• Integrated name and location service
• Centralised ownership of directory. Delegated administration
• Facilitate a federated infrastructure between different business areas and external partners

Active Directory Service Requirements (2)

Non-functional Requirements

• Meet authentication OLAs
• Meet availability SLA
• Ensure accurate and consistent information
• Meet recovery SLAs
• AD recovery mitigation strategy
• Documented and tested forest recovery procedures
• Compliant with appropriate published MS recommended practices and guidance

Security Requirements

• DCs hardened and kept patched
• Data access between forests restricted
• Compliance with Group IT Security policies and procedures
• Use of security templates where possible to ensure consistency
• Additional machine authentication to the network
• Secured access to corporate resources

AD Service Definition (1): Map Functional Requirements

Requirement: Core identity store for global infrastructure
Service implementation: Active Directory.

Requirement: Directory service that can support at least 100,000+ users along with their workstations and supporting servers
Service implementation: Domain controllers spec'd accordingly to ensure required performance and local disk capacity to support growth.

Requirement: Support mergers, acquisitions and divestitures
Service implementation: Forest trusts for newly merged or acquired businesses if already on Windows Server 2003. Domain trusts for mergers and acquisitions where Windows Server 2003 FFL is not available.

Requirement: Support additional security requirements through legal or jurisdictional direction
Service implementation: Additional forests for services or data that require guaranteed isolation and control of access. Wider access can be achieved through forest or domain trusts.

Requirement: Support AD aware applications
Service implementation: Appropriate schema extensions to the core AD where appropriate. Special case applications to use either ADAM or a separate forest.

AD Service Definition (2): Map Functional Requirements

Requirement: Flexible deployment to reduce future OS and Directory upgrades without impacting applications
Service implementation: Will be achieved through multiple domains / forests dependent upon the level of independence required. Some cases will be better served through ADAM.

Requirement: Integrated component of a wider IdM infrastructure
Service implementation: AD, ADAM, MIIS, ADAMSync

Requirement: Enforcement of core server and desktop standards
Service implementation: Group Policy to be the prime method for deploying core standards throughout the forest(s).

Requirement: Centralisation of domain controllers to data centre(s) and large office communities
Service implementation: AD site topology and definition. FSMOs to be located centrally in the data centre. Large office communities to be serviced by local domain controllers.

Requirement: Integrated name and location service
Service implementation: DNS to provide global name resolution services as well as AD name and location services.

AD Service Definition (3): Map Functional Requirements

Requirement: Centralised ownership of directory
Service implementation: Barclays to own and manage forest administration accounts.

Requirement: Delegation of administration
Service implementation: Administrative tasks to be delegated to lesser privileged service accounts. Reduce accident and attack surface.

Requirement: Facilitate a federated infrastructure between different business areas and external partners
Service implementation: Forest trusts, ADFS

AD Service Definition (1): Map Non-functional Requirements

Requirement: Meet availability SLA
Service implementation: Appropriate number of DCs to support both regular authentication load and failover in the event of a disaster.

Requirement: Meet authentication OLAs
Service implementation: Standardised server specification, split domain controllers between data centres and large office communities, monitoring.

Requirement: Ensure accurate and consistent information
Service implementation: Monitoring of replication, part of a wider IdM infrastructure.

Requirement: Meet recovery SLAs
Service implementation: Appropriate backup, restore, failover design (needs analysis & design). Requires both object recovery as well as forest recovery.

Requirement: AD recovery mitigation strategy
Service implementation: Control on changes made to AD, fast recovery of lost or deleted objects, delayed replication site(s).

Requirement: Documented and tested forest recovery procedures
Service implementation: Clearly documented processes and procedures for recovering production forests that have been tested and verified regularly.

Requirement: Consistent naming standards
Service implementation: Agreed naming standards across all areas: users, workstations, servers, GPOs.

Requirement: Compliant with appropriate published MS recommended practices and guidance
Service implementation: MS publishes a lot of guidance and recommendations for enterprise directory services. All designs must be compliant with appropriate guidance to ensure maximum performance and supportability.

AD Service Definition (2): Map Security Requirements

Requirement: DCs hardened and kept patched
Service implementation: DCs to be part of the corporate patch management process.

Requirement: Data access between forests restricted
Service implementation: SID filtering and trust authentication firewall.

Requirement: Compliance with Group IT Security policies and procedures
Service implementation: All Group IT security policies to be complied with and applied to the deployed ADs. Procedures where defined to be followed and adhered to. Where no defined guidance exists, the principles espoused by Group IT Security to be implemented in the most appropriate manner.

Requirement: Use of templates where possible to ensure consistency
Service implementation: A common set of security templates to be defined and applied across multiple forests.

Requirement: Additional machine authentication to the network
Service implementation: Deployment of 802.1x infrastructure to add another layer of security for both wired and wireless devices.

Requirement: Secured access to corporate resources
Service implementation: IPSec to be considered as an additional security layer in protecting corporate resources. File server resources to be protected by domain based ACLs.
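The two inter-forest controls named above, SID filtering and selective authentication (the "trust authentication firewall"), can be verified on each trust object. The following audit script is an added example, not part of the original deck; it assumes the ActiveDirectory RSAT module, an account able to read trustedDomain objects, and uses the trustAttributes bit values documented in MS-ADTS.

```powershell
# Added example (not from the original deck): report which trusts of a domain
# lack SID filtering or selective authentication. Flag values follow the
# trustAttributes definitions in MS-ADTS.
Import-Module ActiveDirectory

$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04  # SID filtering on an external trust (netdom /quarantine:yes)
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08  # forest trust
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10  # selective authentication
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40  # forest trust relaxed to external-trust filtering (netdom /enablesidhistory:yes)

function Get-TrustControlReport {
    [CmdletBinding()]
    param(
        # Domain whose trust objects are examined; defaults to the caller's domain
        [string] $Domain = (Get-ADDomain).DNSRoot
    )
    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        # Parent/child and tree-root trusts inside one forest are not a security boundary; skip them
        if ($_.IntraForest) { return }

        $attr     = [int] $_.TrustAttributes
        $isForest = ($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0

        # External trusts filter SIDs only when QUARANTINED_DOMAIN is set.
        # Forest trusts filter by default and are weakened when TREAT_AS_EXTERNAL is set.
        if ($isForest) {
            $sidFiltered = ($attr -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) -eq 0
        } else {
            $sidFiltered = ($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0
        }
        $selective = ($attr -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION) -ne 0

        $issues = @()
        if (-not $sidFiltered) { $issues += 'SID filtering disabled' }
        # Selective authentication only matters where the other side's principals can
        # reach resources in this domain, i.e. trusts with an outbound component.
        if (-not $selective -and "$($_.Direction)" -ne 'Inbound') {
            $issues += 'Selective authentication not enabled'
        }

        [pscustomobject]@{
            Trust                   = $_.Name
            Type                    = if ($isForest) { 'Forest' } else { 'External/other' }
            Direction               = $_.Direction
            SidFiltering            = $sidFiltered
            SelectiveAuthentication = $selective
            Finding                 = if ($issues.Count) { $issues -join '; ' } else { 'OK' }
        }
    }
}

# Usage: show only the trusts that need attention
Get-TrustControlReport | Where-Object { $_.Finding -ne 'OK' } | Format-Table -AutoSize
```

A trust that the report flags is corrected with the Windows Server 2003 era tooling the deck assumes (netdom trust with /quarantine or /selectiveauth), after confirming that no application on the other side relies on SID history or on unrestricted authentication.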

AD Service Architecture

(Diagram: Active Directory at the centre, connected to the following consumers and the services each draws from the directory.)

• Active Directory: Core directory service; Foundation for IdM; Improved productivity; Interoperability
• Windows Users: Account information; Privileges; Profiles; Policies; Single sign-on
• Windows Servers: Network resources; File shares; Printers; Policies
• Windows Clients: Configuration; Security; Quarantine; Policies
• Other Systems: HR; Databases; Mainframes; UNIX
• Other Directory Services: Other AD forests; ADAM based applications; Barclays white pages; Barclays Enterprise Directory
• Network Devices: Configuration; Quality of service; Security policies; Single sign-on
• Firewall Services: Configuration; Security policy; VPN & remote access; Quarantine; Single sign-on
• 3rd Party Applications: Single sign-on; Automated deployment; Configuration; App-specific directory data

AD Service Delivery (1)

Core Forest Structure

• Single core forest for all users, their desktops, printers, defined servers and resources.
• Single domain in the core forest. No placeholder domain.
• Additional forests for core shared services where it makes sense to break them out.
• Ownership and governance retained by Barclays.
• Defined administration and management processes adhered to.
• Reduced and controlled admin accounts.

Additional Forests

• Decision criteria met: service isolation, data isolation, application / resource isolation.
  • Service isolation: requirement for separate or independent administration, separate governance.
  • Data isolation: security boundary / isolation; separate jurisdictions, legal requirements.
  • Resource isolation: application specific requirements that cannot be satisfied through ADAM; unique or exclusive schema requirements.
• Single domain only.
• Ownership and governance retained by Barclays.
• Defined administration and management processes adhered to.
• Reduced and controlled admin accounts.

AD Service Delivery (2)

Domain controllers

• Standard configuration to support at least 100,000+ users, their workstations, printers, defined servers and resources.
• Base OS version to be Windows Server 2003 R2.
• DCs centralised in data centre(s) with distributed DCs for large office communities.
• Local disk storage.
• Anti-virus.
• Remote desktop enabled for administration.
• Single site to cover centralised domain controllers, allowing for seamless failover.
• Backup to meet object recovery SLA requirement (direct to tape, snapshot – needs analysis & design).

DNS

• AD integrated DNS to support the core forest.
• Use of stub zones or conditional forwarding to integrate with any additional forests.
• Scaled to support wider Barclays name resolution requirements.

Group Policy

• Core technology for deploying consistent desktop and server configuration within a forest.
• Limited use of Block Policy Inheritance and No Override.
• Flexible configuration of GPOs. Avoid large monolithic GPOs.
• Optimise performance through filtering and disabling of unused policy portions.
• Consistent templates used for GPOs across all forests.
• Clean and lightweight SYSVOL ~ removal of .adm template files.
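The Group Policy hygiene points above (limited use of Block Policy Inheritance and No Override, disabling unused policy portions) can be checked across a domain. The script below is an added example, not part of the original deck; it assumes the GroupPolicy and ActiveDirectory RSAT modules, and its "never populated" test is a heuristic: a GPO side whose directory version number is still 0 has never had settings written to it.

```powershell
# Added example (not from the original deck): find GPOs whose user or computer
# side is processed but has never been populated, containers that block
# inheritance, and links set to Enforced (the GPMC name for No Override).
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoHygieneReport {
    [CmdletBinding()]
    param(
        # Domain to audit; defaults to the caller's domain
        [string] $Domain = (Get-ADDomain).DNSRoot
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Sides that are enabled yet have never been edited (heuristic: DSVersion still 0).
    #    Disabling such a side saves the client a needless CSE pass at logon/boot.
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        if ($gpo.User.Enabled -and $gpo.User.DSVersion -eq 0) {
            $findings.Add([pscustomobject]@{
                Object  = $gpo.DisplayName
                Finding = 'User settings enabled but never populated; consider disabling the user side'
            })
        }
        if ($gpo.Computer.Enabled -and $gpo.Computer.DSVersion -eq 0) {
            $findings.Add([pscustomobject]@{
                Object  = $gpo.DisplayName
                Finding = 'Computer settings enabled but never populated; consider disabling the computer side'
            })
        }
    }

    # 2. Block Inheritance on the domain root or any OU, and Enforced links anywhere.
    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    $targets  = @($domainDn) + @(Get-ADOrganizationalUnit -Filter * -Server $Domain | ForEach-Object DistinguishedName)
    foreach ($dn in $targets) {
        $inh = Get-GPInheritance -Target $dn -Domain $Domain
        if ($inh.GpoInheritanceBlocked) {
            $findings.Add([pscustomobject]@{
                Object  = $dn
                Finding = 'Block Policy Inheritance set; review whether it is still justified'
            })
        }
        foreach ($link in ($inh.GpoLinks | Where-Object { $_.Enforced })) {
            $findings.Add([pscustomobject]@{
                Object  = "$dn -> $($link.DisplayName)"
                Finding = 'Enforced (No Override) link; review whether it is still justified'
            })
        }
    }
    return $findings
}

# Usage: print the findings for the current domain
Get-GpoHygieneReport | Format-Table -AutoSize -Wrap
```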

AD Service Delivery (3)

Forest recovery

• Documented forest recovery procedures for all forests.
• Regular testing and verification of forest recovery procedures.
• Defined triggers for invoking the forest recovery process.

AD Recovery mitigation

• Verified and reliable backup and restore process.
• Strong control of permissions and admin activities in the forest. Use of delegated functions with limited privilege.
• Monitoring of AD activity. Particular attention to key containers such as Schema and Configuration.
• Delayed replication site(s) with strong control and governance.
• Use of tools that facilitate object reanimation.

AD Service delivery - tools

Decision on tools and toolsets to support the AD service: native only, or a mix of native and 3rd party?

Management

• MOM for monitoring, alerting, performance and trending.
• SMS for deployment of patches and applications.
• GPMC for management of Group Policy.

Configuration management

• A number of 3rd party tools to support configuration management of Group Policy, such as Quest, NetPro, Desktop Standard, NetIQ.
• Preventative actions to preserve AD integrity, such as NetPro's Directory Lockdown.

Operations

• AD restore tools such as Sysinternals and Quest that make use of object reanimation.

Administration

• Tools that support delegation of administration, such as Quest ActiveRoles.
• Tools that support troubleshooting and analysis of the directory service, such as Quest, NetPro.

AD Service Implementation

(Diagram of the target landscape.)

• Core AD Forest
• Resource AD Forest (eg. Exchange)
• Application Directory (eg. ADAM)
• Autonomous Forest
• MIIS 2003
• SAP

Legend: Synchronisation; Trust; Authenticated access; Proxy authentication

Support Model

Service ownership and delivery

• Service owned by Head of IT Infrastructure Delivery.
• Day to day responsibility delegated to the Desktop Service Performance Leader and his Service Performance Managers.
• Technical governance controlled through:
  • AD CAB and AD COE
  • Operational change control
  • Release management

Impact on support groups

Minimised through:

• Clear roles and responsibilities.
• Documentation of the technical and business operational models.
• Use of standard and repeatable change and release processes.

AD Service Issues

Yet another migration

• Likely that AD needs to be redesigned and current users migrated into the new AD.
• Tools available to perform the migration. Depending on the complexities, ADMT can do the job, or else there are third party tools such as Quest to assist and add further value.

IdM wider issues

• AD is just one component in the IdM infrastructure of the bank. How many identities does any one user have? Need to be looking to drive simpler and more consistent identity across the bank.
• Password synchronisation between connected systems.
• Constraints on how many ADs are created, with clear decisions about where it is appropriate to create new forests. The danger is ending up with the NT 4 infrastructure implemented in AD.
• Dependencies between AD versions, OS versions and applications.
• Is centralised AD a workable solution for all requirements?

AD Service Roadmap

Technology roadmap

• Windows Server 2003 R2: ADFS; Enterprise print management solution; ADAM
• Next major version of Windows Server (Longhorn Server 2007/8): Branch office server; AD as a service; Server core; New FRS model; Improvements to GPO architecture; Network Access Protection

Service roadmap

• Internal federation
• Secure external federation (?)
• Better integrated IdM framework

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.