
WIN.MIT.EDU  Where are we today  Related services  Current enhancements  Some future enhancements  SharePoint  Panel Discussion.



Presentation transcript:

1 WIN.MIT.EDU
- Where are we today
- Related services
- Current enhancements
- Some future enhancements
- SharePoint
- Panel Discussion

2 Where are we today
- Domain has been running since 2001, single forest model
  - Initially, with the release of Windows 2000 Active Directory, Microsoft recommended the use of a dedicated forest root domain; MIT did not follow this model and deployed a single forest model.
  - A number of years later Microsoft retracted the dedicated forest root model in favor of the single forest model.
  - MIT was able to address the security concerns the dedicated root model was intended to provide while avoiding security issues found in some multi-domain models.
- Integration with MIT Kerberos, single sign-on
  - User accounts are mapped to MIT Kerberos principals.
  - Cross-realm tickets are copied from the MS LSA cache at logon to the MIT Kerberos cache in Kerberos for Windows.
  - Requirement to have a host SPN record in the mit.edu namespace.
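The two prerequisites this slide names for single sign-on, a host SPN in the mit.edu namespace on the computer object and a cross-realm TGT in the MS LSA cache for Kerberos for Windows to copy, are the things an OU admin ends up verifying when a member fails to get MIT tickets at logon. The script below is an added example, not code from the presentation or from MIT. It assumes the machine is joined to the WIN.MIT.EDU domain as the slides state, takes the MIT Kerberos realm name as a parameter whose default is a placeholder rather than a real realm, and assumes the Windows `klist.exe` output format of `Server: krbtgt/<realm> @ <realm>`.

```powershell
# Added example, not from the presentation or from MIT: check the two single sign-on
# prerequisites the slide names on the local WIN domain member.
#   1. The computer's AD object carries a host/ SPN in the mit.edu namespace.
#   2. The MS LSA ticket cache holds a cross-realm TGT (krbtgt/<MIT realm>) that
#      Kerberos for Windows would copy into the MIT ticket cache at logon.
# Assumptions: the AD domain is WIN.MIT.EDU; $MitRealm is a placeholder you must set
# to your site's MIT Kerberos realm; klist.exe prints "Server: krbtgt/<realm> @ <realm>".
param(
    [string]$MitRealm  = 'MIT-KERBEROS-REALM.PLACEHOLDER',  # placeholder, not a real realm
    [string]$Namespace = 'mit.edu'
)

function Get-ComputerSpns {
    # Query this computer's own AD object through the built-in ADSI searcher, so the
    # check works without the RSAT ActiveDirectory module.
    $sam    = "$env:COMPUTERNAME`$"
    $filter = "(&(objectClass=computer)(sAMAccountName=$sam))"
    $result = ([adsisearcher]$filter).FindOne()
    if ($null -eq $result) { return @() }
    return @($result.Properties['serviceprincipalname'])
}

function Select-HostSpnInNamespace {
    param([string[]]$Spns, [string]$Namespace)
    # A qualifying SPN looks like host/<name>.mit.edu (-match is case-insensitive).
    $pattern = '^host/[^/]+\.' + [regex]::Escape($Namespace) + '$'
    return @($Spns | Where-Object { $_ -match $pattern })
}

function Get-CrossRealmTgts {
    param([string]$Realm)
    # Call the Windows klist by full path so a KfW klist that may be on PATH is not used.
    $lines = & "$env:SystemRoot\System32\klist.exe" tickets 2>&1
    $found = @()
    foreach ($line in $lines) {
        if ($line -match 'Server:\s+krbtgt/(?<dest>[^\s@]+)\s*@\s*(?<issuer>\S+)') {
            if ($Matches['dest'] -ieq $Realm) {
                $found += [pscustomobject]@{ Destination = $Matches['dest']; Issuer = $Matches['issuer'] }
            }
        }
    }
    return $found
}

# --- report ---
$spns    = Get-ComputerSpns
$hostSpn = Select-HostSpnInNamespace -Spns $spns -Namespace $Namespace
if ($hostSpn.Count -gt 0) {
    Write-Output "OK   host SPN in $Namespace namespace: $($hostSpn -join ', ')"
} else {
    Write-Output "FAIL no host/<name>.$Namespace SPN on $env:COMPUTERNAME (found: $($spns -join ', '))"
}

$tgts = Get-CrossRealmTgts -Realm $MitRealm
if ($tgts.Count -gt 0) {
    Write-Output "OK   cross-realm TGT for $MitRealm present in LSA cache (issued by $($tgts[0].Issuer))"
} else {
    Write-Output "FAIL no krbtgt/$MitRealm ticket in LSA cache; KfW has nothing to copy at logon"
}
```

Run it in the logged-on user's session (the LSA cache is per logon session, so an elevated or service context shows different tickets). A FAIL on the first check points at the computer object in AD, a FAIL on the second at the trust or referral path between the two realms rather than at Kerberos for Windows itself.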

3 Where are we today
- Integration with Moira
  - Users – centralized identity management; OU admins manage groups
  - Groups – manage access to resources via group memberships
  - Computers – the host record in Moira is used for OU mapping; not DNS dependent
  - Container hierarchy – computer-to-OU mapping
    - Preserves OU assignment across OS reinstalls or hardware replacement
    - No need to pre-stage computer objects in Active Directory
- MITnet DNS
  - No need to run Microsoft-specific DNS services
  - Active Directory does not record the address of client computers
  - Domain controller DNS records are stored in a separate DNS subdomain, win.mit.edu

4 Where are we today
- Original design similar to the Athena model, except that containers are more of a bare-bones, build-your-own model
  - The Athena model was a standard configuration and software set, while the WIN domain provides a baseline framework and then allows OU admins to modify computer policies and software distribution
  - The WIN domain also provides support for hosting departmental servers in dedicated server OUs with the ability to configure server-specific policies
- User home directories
  - Home directories in DFS with Previous Versions support
  - Users' files are available via multiple computers
  - Users' files and some applications are available via Citrix, including support for tablets such as the iPad

5 Related services
- WAUS – Windows Automated Update Services
  - MIT repository for patching of Microsoft products
  - In service since 2004
  - Allows testing of new updates before release to the community
- Citrix
  - Virtual application delivery to cross-platform clients
  - In service since 2003
  - Now running on XenApp 6; Presentation Server 4.5 being phased out
- Altiris
  - Hardware and software inventory collection
  - In service since 2007
  - Upgraded to version 7, adding software deployment and patching of third-party products

6 Related services
- McAfee ePO: Enterprise Policy Orchestrator
  - Centralized management of McAfee products; in service since 2009
- PXE boot installation services
  - Originally RIS, in service 2002
  - WDS, supporting Vista, Windows 7 and Server 2008, since 2008
  - LiteTouch – new
- KMS: in service 2007
  - Campus-wide activation of Windows OS and Office products
- PCI-compliant environment for merchant systems managed by ePO (2009)
- Terminal Server Licensing
  - RDP CAL licensing for Terminal Server and Citrix
- Casper – Mac management

7 Current enhancements
- Password synchronization from MIT Kerberos
  - Implemented in 2010 for secure MIT WiFi authentication
- Citrix
  - Upgrade to XenApp Server 6 on Server 2008 R2
  - Additional support for mobile devices such as iPads
- Altiris
  - Adding software deployment and phasing out GPO deployment
  - Adding patching of 3rd-party software such as Adobe and Firefox
- PXE: LiteTouch deployment
  - Adding LiteTouch deployment to WDS as a replacement for Ghost
  - Ability to pick software bundles and automatic joining to AD
- AD upgrades: upgrading to 2008 R2
- KfW and Perl upgrades domain wide (now opt-in)

8 Some future enhancements
- Microsoft ADFS (AD Federation Services)
  - Enhance integration with other MIT systems or providers
- Microsoft AD LDS integration
  - Run your own Windows-based LDAP instance
  - Import Active Directory data
  - Supplement with your own principals for non-MIT users
  - SharePoint integration
- Native Windows authentication model
  - Can we retire the cross-realm model with MIT Kerberos and authenticate just against Active Directory or related services?
  - What are the dependencies?
    - Applications: SAP, etc.
    - Manually getting MIT Kerberos tickets
- PowerShell scripts
  - Moving away from Perl and VB to PowerShell post retirement of XP

9 Some future enhancements
- New container mapping models
  - Can we manage OUs and container mapping natively in AD?
  - What would we lose without the Moira integration?
  - Would it be easier, more difficult, or the same amount of effort to use?
    - Which tools or processes are more straightforward for an OU admin new to MIT?
  - What are the dependencies attached to making such a change?
    - Software distribution / wince
    - SPNs and cross-realm authentication
- BitLocker encryption
  - Should we move to BitLocker for encryption instead of PGP?
    - Built into the Windows OS
    - Does it meet the business requirements?
    - How does it compare in ease of use and administration?
  - MDOP (Desktop Optimization Pack)
    - Advanced BitLocker tools
    - Covered under campus agreement

10 Some future enhancements
- VDI
  - IS&T is currently building a production-like development environment
  - Ability to use virtual terminals instead of desktop computers
  - Supports access via traditional clients
- XenApp 6
  - Support for streaming cached applications to clients
- Windows 8 and UAC
  - UAC is off in order to address some KfW compatibility issues.
  - Windows 8 requires UAC to be on to run most Metro apps.
  - Change in the user experience when clients receive UAC prompts
- Cloud integration
  - ADFS may facilitate integration with certain services
- SharePoint
  - Central SharePoint services

11 SharePoint
- Work on SharePoint is currently focused in two areas
  - Well-documented guidelines for integrating departmental SharePoint servers in WIN
  - Design for a central service
- Authentication methods and practices, pros and cons
  - Windows authentication
  - Forms-based authentication
  - Federated services
- Directory service options
  - Active Directory
  - AD LDS (your own LDAP instance)
    - Import Active Directory data
    - Supplement with your own principals for non-MIT users
  - Database authentication
- Central service
  - More than one service level for departments, teams, etc.
  - Mounting document repositories in Outlook
  - Office Web Apps

12 Panel Discussion
- What are your comments and questions regarding current features and how they can be improved?
- What would be the impact of the suggested future enhancements and changes on how you use the WIN domain?
- What would be on your wish list for features and/or changes?

