1 FROM MIT KERBEROS TO MICROSOFT ACTIVE DIRECTORY
The Pennsylvania State University’s move from a lower-case MIT Kerberos realm to a standard Microsoft Active Directory deployment

2 OVERVIEW
 Current state
   MIT Kerberos (lower-case realm name) for passwords
   OpenLDAP
   Central domains:
     ACCESS domain (Windows 2008 R2), external one-way trust
     WIN domain (Windows 2008 R2), external one-way trust, labs only
   60+ other Windows domains
 Current design does not support:
   Exchange
   The majority of third-party application and hardware authentication and authorization
   Local control of the account life cycle

3 CAMPUS LOCATION MAP

4 BUSINESS REQUIREMENTS
 Replace MIT Kerberos as the authentication store
 Central account and group provisioning
 Foundation for other services (e.g. Exchange, Skype, Office 365)
 Improved PSU security posture
   Restricted administrative accounts
 Support for non-MS clients and vended products
   POSIX attributes
   Custom attributes
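As an added example (not part of the PSU deck or the ONEForest project), here is what "support for non-MS clients" looks like in practice once POSIX attributes are available: a service account for a Linux host is created with RFC 2307 attributes, pinned to AES, given its SPN, and re-keyed into a keytab with ktpass. The domain name, OU path, host name and uid/gid values are placeholders, not PSU's.

```powershell
# Added example, not from the PSU deck. Domain, OU, host and uid/gid
# values are placeholders; adjust to your environment.
Import-Module ActiveDirectory

$Domain  = 'ad.example.edu'                             # assumed AD DNS name
$Realm   = $Domain.ToUpper()                            # Kerberos realm is the upper-case DNS name
$OuPath  = 'OU=ServiceAccounts,DC=ad,DC=example,DC=edu' # assumed OU
$Service = 'HTTP/webapp01.example.edu'                  # assumed service on a Linux host (lower-case FQDN)
$Sam     = 'svc-webapp01'
$Keytab  = "C:\keytabs\$Sam.keytab"

# Random initial password; ktpass replaces it anyway (+rndpass), so nobody
# ever needs to know it. Only the keytab holds the long-term key.
$rnd = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rnd)
$initial = ConvertTo-SecureString ([Convert]::ToBase64String($rnd)) -AsPlainText -Force

# 1. Create the account with the POSIX (RFC 2307) attributes the Linux side
#    reads over LDAP, plus an AES-only enctype list so this principal can
#    never negotiate RC4.
New-ADUser -Name $Sam -SamAccountName $Sam -Path $OuPath `
    -UserPrincipalName "$Service@$Realm" `
    -AccountPassword $initial -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -KerberosEncryptionType 'AES128,AES256' `
    -ServicePrincipalNames @($Service) `
    -OtherAttributes @{
        uidNumber         = 60001               # assumed allocation scheme
        gidNumber         = 60000
        unixHomeDirectory = "/var/lib/$Sam"
        loginShell        = '/sbin/nologin'     # no interactive shell for a service principal
        gecos             = 'Web application service principal'
    }

# 2. Export the keytab. /mapop set replaces the SPN list rather than
#    appending; +rndpass re-keys the account; /crypto limits the keytab to
#    AES256. Every ktpass run bumps the kvno, invalidating earlier keytabs.
New-Item -ItemType Directory -Force -Path (Split-Path $Keytab) | Out-Null
& ktpass.exe /princ "$Service@$Realm" /mapuser "$Sam@$Domain" /mapop set `
    +rndpass /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out $Keytab
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# 3. Check what AD now holds for the principal before handing the keytab over.
Get-ADUser $Sam -Properties uidNumber, gidNumber, servicePrincipalName,
    userPrincipalName, msDS-SupportedEncryptionTypes, msDS-KeyVersionNumber |
    Format-List SamAccountName, userPrincipalName, servicePrincipalName,
        uidNumber, gidNumber, msDS-SupportedEncryptionTypes, msDS-KeyVersionNumber
```

Two interop points worth checking on the receiving side: Kerberos principal names are case-sensitive, so the realm must be upper case and the host part must match what the client's DNS lookup returns (normally the lower-case FQDN), and the keytab must travel over an authenticated channel and be deleted from the Windows host afterwards. On the Linux host, `klist -kte /etc/krb5.keytab` should show the AES256 entry with the kvno reported by AD, and `kinit -kt /etc/krb5.keytab HTTP/webapp01.example.edu` should succeed without a password.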

5 FUNDING FOR CHANGE
 The current state could not support newer services
 Security concerns across all of the Active Directories: a security need
   No central ability to monitor all account provisioning stores
   The central security office had no ability to monitor all account stores
   Bleed-over from silos did not buy us security
 Need the ability to be more agile
 Premier Microsoft contract

6 CHALLENGES
 Effort and resources
   Up-front costs
   Team: 9 months to fully staff
   Initial design started in March
 Obstacles
   No migration funding currently for units
   No funding for auditing and logging
   Other enhancements
 Medical School: potential future challenge
   Currently separate
   Could potentially integrate at an undetermined future date

7 TECHNICAL DESIGN
 Support 180,000 accounts and 2 million groups (CPR, OpenLDAP, Grouper)
 Single forest, single domain design
   Windows Server 2012 R2, Server Core
   2012 R2 forest functional level
   External DNS
 6 production domain controllers: 64 GB of RAM, 4 CPUs each
   4 hosted in the central VMware service
   2 on dedicated hardware
 DNS
   BlueCat Address Manager, formerly known as Proteus
   BlueCat DNS/DHCP Server, formerly known as Adonis

8 NAMESPACE AND OU DESIGN
 Lessons learned from other domains
 Structure informed by location and org chart
   Minimal depth
   Facilitates delegated administration
   Reduced logon time
 Standard naming conventions
   Newcomer friendly
   Command-line friendly

9 OU DESIGN

10 SECURITY DESIGN
 Administrative accounts
   Enterprise Admin, Domain Admin, Workstation Admin, Server Admin, OU Admin
   Can only create OU containers and computer objects
 Self-service portal
   Create GPOs
   Create service accounts
   Create keytabs
 Central authoritative source for accounts and groups
   Central identity service for account information
   LDAP for additional attributes
   Grouper and LDAP for group-based administration
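The "can only create OU containers and computer objects" restriction is an ACL on the delegated OU, not a group membership. As an added example (not the PSU deck's or project's code, and assuming the restriction applies to the OU Admin role), the following delegates one OU so that the OU Admin group can create and delete only organizationalUnit and computer objects beneath it and fully manage the computers it creates; the OU and group names are placeholders.

```powershell
# Added example, not from the PSU deck. Delegates one OU so that the
# delegated admin group can create and delete only organizationalUnit and
# computer objects beneath it, and fully manage the computers it creates.
# OU and group names are placeholders.
Import-Module ActiveDirectory

$Ou    = 'OU=Engineering,DC=ad,DC=example,DC=edu'   # assumed delegated OU
$Group = 'OUAdmin-Engineering'                       # assumed OU Admin group
$Sid   = (Get-ADGroup -Identity $Group).SID

# Resolve the schema GUIDs of the two classes from the schema partition
# instead of hard-coding them.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classGuid = @{}
foreach ($cls in 'organizationalUnit', 'computer') {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$cls)" -Properties schemaIDGUID
    $classGuid[$cls] = [guid]::new([byte[]]$obj.schemaIDGUID)
}

$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

$acl = Get-Acl -Path "AD:\$Ou"

foreach ($cls in $classGuid.Keys) {
    # CreateChild/DeleteChild scoped to one object class via the objectType
    # GUID. Without that GUID the ACE would allow creating any class,
    # including users and groups, which is exactly what the design forbids.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, ($Rights::CreateChild -bor $Rights::DeleteChild), $Allow,
        $classGuid[$cls], $Inherit::All)))
}

# Full control over computer objects (and only those) under the OU, so the
# admin can join, reset and move machines. Here the GUID is the
# inheritedObjectType, i.e. the class of object the ACE applies to.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid, $Rights::GenericAll, $Allow, $Inherit::Descendents, $classGuid['computer'])))

Set-Acl -Path "AD:\$Ou" -AclObject $acl

# Verify: the group should hold exactly these three ACEs and nothing else.
(Get-Acl -Path "AD:\$Ou").Access |
    Where-Object { $_.IdentityReference -eq "$((Get-ADDomain).NetBIOSName)\$Group" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType,
        InheritedObjectType, InheritanceType -AutoSize
```

The verification step matters because delegation drift is the usual failure: someone later adds a broad "Full Control" ACE through the GUI and the OU Admin silently becomes able to create users and groups. Objects the OU Admin creates are owned by that account (Creator Owner), which is expected and is what lets them manage the sub-OUs they make; everything else (GPOs, service accounts, keytabs) goes through the self-service portal in the design rather than through direct rights.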

11 SECURITY PRACTICES
 Protected privileged accounts
   LAPS (Local Administrator Password Solution)
   Secure Remote Desktop Services
   GPO user-rights assignments to control "Log on as a service", "Access this computer from the network", "Allow log on locally" and "Allow log on through Remote Desktop Services"
   Protected Users group for admin accounts
 Red Forest (ESAE)?
   Currently under investigation
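Each practice on this slide has a failure mode that locks administrators out if it is applied blindly. As an added example (not the PSU deck's or project's code), the following applies the three scriptable items, Protected Users, LAPS and the logon-right denies, with the checks a practitioner runs first; the OU, group and computer names are placeholders.

```powershell
# Added example, not from the PSU deck. Applies the hardening on this slide
# to a set of admin accounts, with the checks that avoid locking them out.
# OU, group and computer names are placeholders.
Import-Module ActiveDirectory

$AdminOu = 'OU=Admin Accounts,DC=ad,DC=example,DC=edu'    # assumed admin-account OU
$Admins  = Get-ADUser -SearchBase $AdminOu -Filter * `
               -Properties servicePrincipalName, msDS-SupportedEncryptionTypes, PasswordLastSet

# 1. Protected Users. Membership disables NTLM, RC4/DES, all delegation and
#    caps TGT life at 4 hours, so anything with an SPN (a service) or without
#    AES keys must stay out or it stops authenticating entirely.
$aesMask  = 0x18                                           # AES128 (0x8) | AES256 (0x10)
$eligible = foreach ($u in $Admins) {
    $enc = $u.'msDS-SupportedEncryptionTypes'
    if ($u.servicePrincipalName) {
        Write-Warning "$($u.SamAccountName): has an SPN, not adding to Protected Users"
    } elseif ($enc -and -not ($enc -band $aesMask)) {
        Write-Warning "$($u.SamAccountName): no AES enctype (0x$('{0:x}' -f $enc)), reset the password first"
    } else {
        $u
    }
}
if ($eligible) { Add-ADGroupMember -Identity 'Protected Users' -Members $eligible }

# 2. LAPS. Before trusting it, confirm who can actually read ms-Mcs-AdmPwd
#    under the workstation OU: that extended right is what an attacker with
#    a compromised helpdesk account goes looking for.
Import-Module AdmPwd.PS
$WsOu = 'OU=Workstations,DC=ad,DC=example,DC=edu'          # assumed workstation OU
Find-AdmPwdExtendedRights -Identity $WsOu | Format-Table ObjectDN, ExtendedRightHolders -AutoSize
(Get-AdmPwdPassword -ComputerName 'WS-LAB-001').ExpirationTimestamp   # rotation actually happening?

# 3. Logon-right denies (the GPO part of the slide). Tier-0 accounts must
#    not be able to log on to workstations by any path, or a keylogger on a
#    helpdesk box harvests a Domain Admin credential. Emitted as a security
#    template for the *workstation* GPO; never link it to domain controllers.
$tier0 = 'Domain Admins', 'Enterprise Admins', 'Tier0-Admins' |     # last group name assumed
    ForEach-Object { '*' + (Get-ADGroup -Identity $_).SID.Value }
$sids  = $tier0 -join ','
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = $sids
SeDenyBatchLogonRight = $sids
SeDenyServiceLogonRight = $sids
SeDenyInteractiveLogonRight = $sids
SeDenyRemoteInteractiveLogonRight = $sids
"@ | Set-Content -Path 'C:\gpo\tier0-deny-workstation.inf' -Encoding Unicode

# Try the template on one reference workstation before importing it into the GPO:
#   secedit /configure /db C:\Windows\security\tier0.sdb /cfg C:\gpo\tier0-deny-workstation.inf /areas USER_RIGHTS
# and read the effective rights back with:
#   secedit /export /cfg C:\gpo\effective.inf /areas USER_RIGHTS
```

Two caveats. Protected Users only works for accounts whose password was set after the domain had AES-capable domain controllers; in a freshly built 2012 R2 domain that is everyone, but accounts migrated with their old hashes need a password reset first, which is what the enctype warning above flags. And the deny template is deliberately limited to the five SeDeny* rights: the "Allow" counterparts on the slide ("Log on as a service", "Access this computer from the network", "Allow log on locally", RDP) are set on the server and RDS-gateway GPOs, where removing Domain Admins from the allow list without a tested break-glass path is how administrators get locked out of their own domain controllers.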

12 RDS DESIGN PICTURE

13 WHAT DO YOU WANT TO KNOW?
 Questions?

14 LINKS
 http://identity.psu.edu
 http://identity.psu.edu/oneforest-project-plan/
 Ignite video on PtH: https://channel9.msdn.com/Events/Ignite/2015/BRK2334
 https://www.nsa.gov/ia/_files/app/Reducing_the_Effectiveness_of_Pass-the-Hash.pdf

15 BACKUPS
 https://wikispaces.psu.edu/display/ONEForest/AD
 https://wikispaces.psu.edu/pages/viewpage.action?pageId=249266211
 https://wikispaces.psu.edu/display/ONEForest/DNS+Options
 https://wikispaces.psu.edu/display/ONEForest/ONEForest+Project+Phases
 https://wikispaces.psu.edu/display/ONEForest/ONEForest+Project+Phases+-+Deliverables

16 CURRENT AUTHENTICATION DESIGN
