W2K Migration Status Report W2k Migration Working Group February 21, 2001
W2K Migration Working Group Objective- “Provide Windows users with a secure environment to easily share resources across the site and with other labs.”
W2K Migration Working Group Meetings- Every Wednesday from 1-3:30pm since October of Training- Implementing Active Directory and Securing Windows 2000 Server. Web Page-
Members (Major NT Domains) BD – Brian Drendel BSS – Roger Fahnestock, Tom Ackenhusen OSS – Ken Fidler, Al Lilianstrom, Andy Romero, Jack Schmidt D0 – Greg Cisko Networking – Vyto Grigaliunas, David Tang TD – John Konc Successful Migration to W2K requires communication and planning!
Present Structure BSS TDFNALD0 D0Level3DMACS BDControls BEAMS Controls Systems CDF,ESH,F ESS,LS, PPD, VMS File Servers, and Web trust ESE
Child Proposed Structure (Not Complete) Root win.fnal.gov Child OU fermi.win.fnal.gov Child OU bss.win.fnal.govbdcontrols.win.fnal.gov OU computer print queue groups user Admin
Basic Concepts Active Directory- Directory service for W2K. Hierarchical directory that stores information about objects ( Users, Groups, Files, Printers, Computers) on the network. Objects- All objects have attributes that provide descriptive information about the object. A user’s Name is an attribute. Domain- Boundary for an Active Directory. A group of computers that share a common directory database. Domains designate specific security policies and administration. DC- Domain Controller. There are no PDC/BDCs. Domain controllers operate as equals and replicate information to each other. OU- Organizational Units. Container objects designed for managing users,groups, computers and other resources in a domain. Primary purpose is to allow delegation of administrative tasks. Microsoft recommends using OUs to mirror a company’s organizational structure.
Child Proposed Structure (Not Complete) Root win.fnal.gov Child OU fermi.win.fnal.gov Child OU bss.win.fnal.govbdcontrols.win.fnal.gov OU computer print queue groups user Admin
Domain Proposal Domain designs were discussed: –Concensus toward root domain with sub domains and OUs: win.fnal.gov root domain (reviewed by committee) fermi.win.fnal.gov – general domain for desktops bss.win.fnal.gov – separate because of audit requirements bdcontrols.win.fnal.gov – BEAMS control systems. Tighter security than general domain.
Proposal Benefits Root domain provides central place to manage accounts (need to verify) Root domain provides site security policy OUs provide stricter security policies Child domains broken into OUs: –Top level divisions/sections/major experiments –Organizational OUs can be defined by OU administrator –OUs can be configured to be seen only by members. Design provides easier access to site resources Design provides tighter control of DDNS for Networking (machines must register in W2K domain)
Domain Proposal Exceptions D0-Online.fnal.gov –Controls system boxes. Need to be tightly controlled. –No real need for Active Directory or access from outside domains.
Present Status Test domain structure in place. Defining tests –Strong Authentication Issues –Identify Applications –Defining Policies –Examine OU resource access Design Note development
Migration Issues User Account Cleanup- –Possibility of duplicate accounts –Identify dis-usered accounts –Interface to CNAS for new accounts? Hardware –Verify systems meet OS requirements –Remove inactive computer accounts Software –Licensing (buying new os?) –W2K Certification
Timeline Feb 2001 –Examine 3 rd party Tools –SA testing –Domain testing Mar 2001 –Domain testing –SA testing –design note draft Apr 2001 –Release design note to Divisions
Timeline June – Aug 2001 –Create pilot domain –Limited production tests Sept 2001 – Begin Domain Migration Nov 2001 –Review progress
Concerns How to handle standalone systems? –Visitors – provide access to printers –Lab – must have a user account in W2K domain to access resources. Should standalone domains be allowed? Strong Authentication