Presentation on theme: "83 NOS Perspective: AFNETOPS and the AFNET Migration"— Presentation transcript:

1. 83 NOS Perspective: AFNETOPS and the AFNET Migration
Lt Col Eric P. DeLange, Commander

2. Chain of Command & AFNETOPS Organization
- AFSPC
- AF Network Integration Center (Scott AFB)
- 24 AF
- 624 OC
- 688 Info Ops Wing: Info Ops & Net Engineering (Lackland AFB)
- 67 Net Warfare Wing: Net Ops & Monitoring, CND/A (Lackland AFB)
- 689 Combat Comm Wing: Combat Comm & Comm Maint/System Tech Eval (Robins AFB)
- 26 NOG (Lackland AFB)
- 26 NOS (Gunter Annex)
- 33 NWS (Lackland AFB)
- 26 OSS (Lackland AFB)
- 352 NWS (Hickam AFB)
- 426 NWS (Vogelweh GE)
- 68 NWS (Brooks CB, TX)
- 690 NSG (Lackland AFB)
- 83 NOS (Langley AFB)
- 561 NOS (Peterson AFB)
- 690 NSS (Lackland AFB)
- 690 ISS (Lackland AFB)
- 67 NWG (Lackland AFB)
- 91 NWS (Lackland AFB)
- 315 NWS (Fort Meade)
- 299 NOSS (KS ANG)
- 310 CF (CO AFR)
- 622 CF (VA AFR)
- Base Network Control Ctr’s (NCCs)
Legend: ---- AFNETOPS C2 Process

3. 67th Network Warfare Wing
67 NWW
- 26 NOG: Net Defense
- 690 NSG: Net Ops
- 67 NWG: Full Spectrum
Defend / Operate / Attack
Operations Of and On the Network
USAF’s Cyberspace Force – Combat Wing, Global Presence
Mission:
- Operate, Manage, & Defend Global AF Networks
- Train and Ready Airmen to Execute Computer Network Exploitation and Attack
- Perform Electronic Systems Security Assessments
- Conducts the Full Range of Network Warfare
Network Operations (Establish) / Net Defense (Control) / Full Spectrum (Use)
Depicted are the 3 Groups that comprise our Wing, each responsible for one or more of the previous slide’s major mission areas.

4. Mission
Command, Control, Operate, Sustain, and Defend assigned Air Force networks to assure global cyber supremacy and enforce Air Force network standards and to develop Airmen as cyber warriors.

5. The AFNET Platform Delivering…
- Career Address
- Standardization and Consolidation
- Single Sign-On
- Reduced Cost and System Complexity
- AF-Wide Collaboration
Air Force Wide Enterprise
Career address
- Users who PCS to an AFNet migrated base will have immediate network access – no more waiting for a new account
- Increases end user productivity
- 24/7 access to /applications
- One address for entire association with AF (military/civil service)
Standardization/Consolidation
- Consistent look/feel; simplified operations, maintenance, and common training procedures
- Allows 24 AF commander to operate, maintain, and defend a standardized network...increased predictability
- Provides full visibility across the entire AF infrastructure
- Enforces standardized security policies, vulnerability scanning, and patch management
- Users will notice an immediate impact with regard to problem reporting & resolution
  - Tier 0 web-based interface making a debut
  - VIP helpdesk calls tagged and resolved expeditiously
Single Sign-On
- Users can log into any AFNet migrated computer worldwide and access their account and office tools anywhere within .af.mil
Reduced Cost/Complexity
- By collapsing MAJCOM centric networks, redundant architecture and equipment is eliminated and/or consolidated
AF-wide Collaboration
- Enterprise-wide collaboration and improved security; Operational oversight by a single commander
Standardized and Secure!

6. Services in the AFNET
AFNET MANAGED
UNCLASSIFIED
Management Tools
- Network Account Management
- Security Policy Enforcement/Management
- Application Monitoring
- Network Monitoring
Security/Authentication
- Directory (AD)
- Anti-Virus
- Security Patching (SCCM)
- CAC Certification
Capabilities
- Mobile Devices
- ESD
AFNET MANAGED
AF Enterprise Forest
C2 and Functional Systems
Functional Services
- SharePoint
- MS Office Communication Server
- List Servers
- Fax Servers
- Project Management Servers
- FTP Servers
- Enterprise–wide VPN
- Storage
<…our ultimate goal is to shut down legacy domains across the AF.>
To do this, the capabilities and services listed here must migrate to the AFNET.
We migrated many of the services listed on the right prior to the first base migration. In some cases, we established a new instance in the AFNET.
Includes key capabilities that allow AFNetOps to Patch, Scan, and Monitor the systems in their Areas of Responsibility and allow the AETC MCCC key SA on their AOR.
Management of Core Services is also moving under the operational control of AFNetOps as part of the AFNet migration.
We are diligently working with the managers for C2 and Functional systems that will be impacted by the AFNet migration to ensure that all critical services remain fully functional before, during and after the migration. We will do everything in our power to maintain this functionality, while at the same time upholding the security posture of the network.

7. What the AFNET Migration is NOT!
- AFNet is not a “full” tech refresh of base equipment
- AFNet does not “reprogram” PMO systems
- AFNet does not provide C&A of base enclaves
- AFNet Enterprise Service Desk (ESD) was not established to handle all communication issues (LMR, IPTV, etc)
- AFNet does not provide Continuity of Operations (COOP)
- AFNet does not “restructure” AF boundaries; Completely separate but related effort
- AFNet does not remove Single Points of Failure (SPOF)
- AFNet does not “fix” existing network issues
- AFNet does not physically “move” base level functional systems to the APC

8. Components of Migration
- Initial Coordination
  - Programmatic Coordination
  - Begins 210 days prior to migration / Duration ~15 days
- Infrastructure Preparation
  - Circuit Upgrades, Facility Improvements, AQ processes
  - Begins ~180 days prior to migration / Duration up to 150 days (or more)
- Source Environment Preparation
  - Prepare the legacy environments for migration (Administrative & Technical)
  - Begins ~90 days prior to migration / Duration ~60 days
- Target Environment Preparation
  - Prepare AFNET to support migration of site
  - Begins ~60 days prior to migration / Duration ~60 days
- Migration
  - Move Legacy Active Directory resources to AFNet
  - Duration varies from 15 days - up to 150 days (or more)
- Post Migration
  - Environment Clean up, Legacy Func App Transition & Shutdown
  - Begins ~180 prior to migration / Duration up to 150 days (or more)
- Legacy shutdown actions occur concurrently during migration/post migration actions
-- The actual Migration is only one aspect of the total program. Multiple vendors have experience doing Active Directory and Exchange migrations.
-- MAJCOM and base-level preparation takes significant effort. The current process starts 210 days prior to a migration to allow for site surveys, base communication/boundary upgrades, server/storage equipment upgrades/purchases, facility improvements (allied support), and client/user preparation.
Timeline graphic labels: Initial Coord, Infrastructure Prep, Source Env Prep, Target, Migration, Post Migration, Legacy Shutdown

9. Migration Organizational Roles/Responsibilities
‘Key’ stakeholders and what each contributes to the migration of an organization
MAJCOM
- Coordinate Base Support
- Coordinate Migration Schedule
- Facilitate Strategic Communication
AFSPC
- Funding for Hardware and Allied Support
- Contracting Support
This is a TEAM Sport!
Core Migration Team
O&M for the AFNet
Operational Issue Resolution
24 AF/67 NWW (Includes 690 NSG, 83 NOS, 561 NOS)
Project Management
Operations
Legacy Shutdown
AFNIC
Approximate amount of time spent planning/executing
Base
- Executes Checklist
- Coord Local Support/Info Dissemination
- Provides Dedicated CST Support
10% / 40% / 35%
Note most prep accomplished by the legacy owners

10. Entrance Criteria
AFNIC/ECSO / 690 NSG
UNCLASSIFIED
Entrance Criteria
- Complete all pre-migration checklists
- Key servers in-place, configured, and operational
- Proper, documented certification and accreditation
- Support orgs prepared to accept responsibility
- <1% user accts over mailbox size limit
- XP machine POA&M
Cyber Readiness Review (CRR)
- AFNIC/ECSO: Programmatic
- 690 NSG: Operations
- CRR represents formal hand-off from programmatic actions to operations
Diagram labels: FACILITATION, LESSONS LEARNED, CRR, Technical Checklists, Execution, Feedback, Pre-Migration, Administrative Checklists
Prior to beginning the migration, certain criteria must be met. These entrance criteria are tracked through checklists and fall into two main categories: Environmental/Technical and Administrative.
Environmental/Technical Criteria
- Checklists: All pre-migration checklists will be completed and validated by the AFNet migration team. Checklists will be complete for ALL migrating environments.
- Services: The following Services will be in-place (installed, powered and connected to the operational network), configured (includes core operating systems, assigned ADX applications and services with vulnerability scans complete) and operational (communicating and passing traffic with appropriate core systems in the AFNet):
  - Directory Resource Administrator (DRA)
  - Group Policy Administrator (GPA)
  - Application Manager (AppMgr)
  - Anti-virus (SAV/McAfee)
  - Patch Management (SCCM/SMS/SUS)
Administrative Criteria
The following support organizations must be informed and prepared to accept technical and administrative responsibility for the migrating site:
- INOSC-E/INOSC-W
- Enterprise Service Unit (as assigned by the INOSC)
- Enterprise Service Desk (ESD) or other Help Desk Entity if the ESD is not ready to assume responsibility for the site
Accredited Enclaves
- Connection to the AFNet constitutes an assumption of risk on the part of all participating enclaves. As such, the enclave joining the AFNet must have a proper and documented certification and accreditation.
- In lieu of a proper and documented certification and accreditation, the risk of connecting to an un-accredited enclave must be documented and approved by the system Designated Approval Authority (DAA).

11. Exit criteria will be reviewed during outbrief
- Migrate user/machine accts, , public folders & other services
- All mission systems operational pre-migration are still operational post-migration
  - Accessible via trust or in the AFNet
- <1% minor (user-level) tickets and no major (exec/base-level or higher mission impact) tickets related to MIGRATION
- Outstanding Help Desk tickets related to Other Services will transfer to the ESU/ESD
Prior to the migration, the onsite CSA team will assist with migration readiness of the base pre-migration, direct the local CSAs in resolving issues during the migration, and assist as needed during the 2-week post-migration clean up period. Before they leave, they will ensure the following:
- All user accounts, machine accounts, and accounts migrated into the AFNET
- All mission systems operational pre-migration are still operational and can be accessed via the trust or in the AFNET if it was migrated
- Reduce trouble tickets to a reasonable number. This number will be determined based upon the criticality and complexity of the remaining outages
Un-migrated Object Resolution
- Un-migrated AD objects that remain in the legacy environment after official migration actions are complete will be migrated by the appropriate ESD/ESU.
- Un-migrated AD objects that remain in the legacy environment after migration systems and agents have been removed from the site will be migrated manually by the appropriate ESD/ESU.
- Un-migrated SIPR environments will be revisited at a later point in the migration process. In most cases this will require an additional visit to the site by a migration team and will be executed similarly to the NIPR migration.
Site Decommissioning: The 690 NSG is responsible for decommissioning existing servers in the legacy domain at <Base> AFB that will not be migrated to the AFNet (DC, DHCP, and Exchange). The servers will not be decommissioned until the migration team and CS agree the servers are no longer needed to support the legacy domain. The decommissioned servers will be made available to the ADX PMO for possible reuse of the hardware and server licenses where feasible.

12. Post Migration Support Environment
Tier 0 / Tier 1 / Tier 2 / Tier 3
User / ESD / I-NOSC/ESU/APC / MCCC/NCC/CFP
“Self-service”
- TT Submission/Status
- Load own printer
- Load appr S/W apps
- Etc.
Tier 1
- Create/assign/track TTs
- Initial troubleshooting
- AD User Acct Mgmt
Tier 2
- Admin/Assist
- EITSM Acct Mgmt
- Etc.
More complex HW/SW problems
- Requires specific construct attention
- Netwk Transport, Server, Boundary issues
- Local Touch MX req’d
Highly specialized expertise required
- Engineers
- System integrators
- 3rd-party providers
- Vendors
- FSEs/SMEs
PMO-managed systems
- AFPKI
- AFDS
- ADLS
- AFNet Response Ctr
When AFNetOps migration efforts are complete, core services ( , file shares, web services, etc.) will be managed within the I-NOSC’s ESUs and end-user issues and problems will be addressed through a central Enterprise IT Service Desk (ESD).
The ESD will publish a standard level of service describing how it will resolve issues using a four-tier system for trouble ticket resolution.
The items listed in Blue have been implemented in the AFNet.
Tier 0: Users will consult a knowledge base repository to solve their own problems (i.e., loading printers, updating Global Access List entries, resetting passwords). Any problem not resolved through user self-help will reach Tier 1.
Tier 1: The ESD will generate a trouble ticket and will be responsible for it until the problem is resolved. This trouble ticket will consist of a standard list of required information concerning the problem and customer. It will be routed by the ESD staff to one of two levels depending on the severity.
- Tier 1 Level 1 is contained within the ESD and is used for basic troubleshooting with a turnaround goal of 20 minutes, or less, for priority problems.
- Tier 1 Level 2 is also within the ESD, but is for advanced situations that cannot meet the 20 minute turnaround.
Tier 2: If a problem cannot be solved by the ESD through remote desktop administration or other network tools, it will be escalated to Tier 2, where another entity will be assigned the problem. These entities might utilize other resources (such as the CSA or MCCC) that have physical access to the equipment.
Tier 3: Any problem not resolved by the lower tiers will be passed to Tier 3, where specialized expertise (such as engineers or vendors) will be responsible for resolving the issue.
Enterprise Service Desk
- DSN 510-HELPDESK ( )
- “owns” lifecycle management

13. Lessons Learned
- Adherence to Checklist Completion
- Dedicated Migration CSTs
- Security Permissions for Mapped Drives
- Strategic Communications
- Identifying Network Bandwidth Issues
- Selecting Pilot Users
- Identifying Alt Token, Blackberry/Good Mobile, VIP Users
- AD Groups and Exchange
- Ensuring ATO and CR Process
Adherence to checklist completion
- Dedicate the resources to ensure timely completion of preparation checklist activities
- Lack of attention to detail on checklist items will have a negative impact on migration activities
Strategic Communication
- Get word out about the migration to the populace
- Use various media (base paper, flyers, , etc.) to get the word out
Identify Network Bandwidth Issues
- Identify any network bandwidth issues early to allow lead time for mitigation
AD Groups and Exchange
- Ensure computers and users are correctly placed in the legacy OU structure
- Clear out stale objects
- Ensure users are categorized correctly and within mailbox limits
- Personal distro lists may be lost during migration, user awareness
Identify all Alt Token users, Blackberry/Good Mobile users, VIPs
- Need justification for Alt Token users to retain in the AFNet
- Need to validate licenses for Blackberry/Good Mobile users
- Request trusted agents for alt tokens in the AFNet
Dedicate CSTs to Migration
- Ensure enough CSTs to cover migration activities
- AFNIC CSTs will conduct training sessions the week prior to migration
- Ensure AFNIC CSTs have rights in legacy and Remedy
Security permissions for mapped drives
- Assign permissions via groups vs. users
- Use FQDN
Select Pilot Users
- Select from various agencies and unique missions
- No VIPs or critical users
Ensure ATO and CR process
- Maintain a current ATO
- Complete request for change request agents within the AFNet
- Ensure a viable change request submission capability/process

14. Success: Continued Mission Accomplishment
UNCLASSIFIED
Keys to Success
- Leadership Support
- Active Base Participation
- Operational Focus
- Strategic Communications
Based on our experience with previous bases, we’ve learned there are some keys to a successful migration:
- Dedicated CST support - Your CSTs are critical to success pre, during, and post migration. We ask that you establish a dedicated Client Support Technician team to support the migration. We will provide the training, but if they are not available at all times during migrations, implementation will suffer.
- Continued support keeping base users informed throughout the migration using targeted messages, base newspaper articles, and other Strategic Communications tools available here at XXX
- Help us stay on schedule - By doing this we complete the migration in the shortest amount of time and minimize impact to your operations
- If you have mission concerns that will delay any migrations, address them with the migration team so they can be channeled to the approval authority
By continuing to work together, we will migrate XXX into the AFNet as quickly as possible with the least impact to the Wing mission.