Elliot Solutions Inc Deployment Plan
ESI, the company described in the Week 1 Critical Thinking assignment, has acquired four small competitors in the last month. You are to create a deployment plan that incorporates the newly acquired organizations into ESI’s existing Active Directory. Also consider replication possibilities while minimizing WAN traffic.
I. Deploying Active Directory
Upgrading, Migration and Restructuring
As your enterprise environment grows, you will need to add additional components such as additional domain controllers (DC). Upgrading the domain controllers in an enterprise usually means you will be adding a new DC with an upgraded operating system or actually upgrading the version of Windows running on the current domain controllers.
Another kind of upgrade is called a restructure. A restructure involves adding more domain controllers to the enterprise core or decommissioning some older ones. Either way, the current Active Directory structure is being reshaped.
Lastly, there is the migration. A migration means you will be moving objects between two or more domains. One of the most typical scenarios for this is when one company takes over or buys another company. Usually they will want to merge the business data and Active Directory databases, so you perform a migration from one domain into the other.
Windows Server 2008 provides tools to help with these tasks. The table below from LabSim lists some of the tools you can use.
Active Directory Migration Tool (ADMT): Use ADMT to move user, group, and computer accounts within a domain or forest, to move objects between forests, or to migrate objects from an NT domain to Active Directory.
• The target domain must have a trust relationship with the source domain (this relationship automatically exists when domains are in the same forest).
• ADMT v2.0 also migrates user passwords.
MoveTree: Use MoveTree to move user objects within a domain or forest. MoveTree does not work between forests.
Dsmove: Use Dsmove to move or rename objects within a domain.
User State Migration Tool (USMT): Use USMT to move user profiles, containing user preferences and user documents, from one computer to another. You would typically use USMT when you are replacing a user’s workstation with a new workstation. USMT works on the files stored on the computer, regardless of whether the computer is a domain member or a member of a workgroup.
When you migrate objects into your enterprise, they are assigned a new SID in the target domain. A SID (security identifier) is issued by Windows Server and identifies a security principal throughout the domain; permissions on resources reference SIDs, not account names. If you want permissions granted against the old SID to keep working after the move, you will need to preserve the SID history during migration. Keep in mind that you will not have to retain SID history if the old domain is to be decommissioned.
LabSim lists several other things to consider during an Enterprise migration.
• When user accounts are moved to a new domain or forest, the User Principal Name (UPN) suffix might change. To allow users to continue using the previous UPN suffix, add an alternate UPN suffix to the domain using Active Directory Domains and Trusts. Then edit the user account properties to select the UPN suffix for the user account.
• When migrating objects between forests, establish a trust relationship between the two forests. You can use an external trust or a forest root trust for this purpose.
• The InetOrg object (the inetOrgPerson class) in Active Directory can be used to represent user accounts, although Active Directory includes a user class for this purpose. The inetOrgPerson class is typically used when migrating users to or from another LDAP directory.
Adprep.exe is a command line utility that ships with Windows Server 2008. It is not installed by default, but can be found on the installation media. It comes in both 32- and 64-bit versions. The purpose of this utility is to prepare a forest or a domain to acknowledge and admit a new domain controller running Windows Server 2008 into the enterprise. It must also be run if you are upgrading an existing domain controller to Windows Server 2008.
LabSim advises you to be aware of the following:
• An existing domain controller must be running Windows 2000 SP4 or Windows Server 2003 SP1 to upgrade to Windows Server 2008
• You cannot change editions when upgrading. For example, you cannot upgrade a server running Windows Server 2003 Standard edition to Windows Server 2008 Enterprise edition
• Before adding the first domain controller running Windows Server 2008 to an existing Windows 2000 or Windows Server 2003 Active Directory environment, the forest and domain levels must be set appropriately
• Windows NT 4.0 domain controllers require the Windows 2000 Mixed functional level; you cannot have NT 4.0 and 2008 domain controllers within the same forest or domain
II. Active Directory in the Enterprise
Many enterprise administrators will find themselves having to deal with remote offices. Windows Server 2008 refers to these as branch offices. A branch office has some degree of access to the network but must balance access to the main network’s resources against keeping security intact. Each branch office should have a global catalog server in-house in case access to the WAN goes down. If access were to be interrupted, users would still be able to authenticate using the local catalog server. You should also have users in the branch use local resources before network resources. This improves performance and also limits replication traffic across the WAN.
Many branch offices use a read-only domain controller because they do not need to make changes to any of the Active Directory objects. If you find yourself in a situation where you do need to write, then you would need to use a regular domain controller.
Read-Only Domain Controllers
As we discussed above, many enterprise environments use read-only domain controllers (RODC) in their remote branch locations. An RODC is especially useful if physical security cannot be assured. An RODC reduces the time it takes your remote users to log on to the network. It also improves security and access to network resources. If you decide to use an RODC, the domain and forest functional levels must be at Windows Server 2003 or higher. If the enterprise does not yet have any domain controllers running Windows Server 2008, you will need to run the ADPREP tool first. A read-only domain controller supports inbound replication only.
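The branch-office layout described above is expressed in Active Directory as sites, subnets and site links: a subnet bound to a branch site makes clients log on to the local (RODC) domain controller, and a scheduled site link keeps replication off the WAN except at chosen intervals. The following PowerShell is an added example, not code from the page or from LabSim; it uses ADSI (available on Windows Server 2008 without the later ActiveDirectory module) and assumes a forest root of esi.com, an existing hub site named "HQ", a new branch site "Atlanta" with the constructed subnet 10.20.0.0/16, and that it is run as an Enterprise Admin against a writable domain controller.

```powershell
# Added example (not from the page): create an AD site, its subnet and a
# scheduled site link over ADSI so that branch replication crosses the WAN
# only at the configured interval.
# Assumptions: configuration naming context of esi.com, hub site "HQ",
# new branch site "Atlanta", constructed subnet 10.20.0.0/16.

$configNC   = "CN=Configuration,DC=esi,DC=com"
$siteName   = "Atlanta"
$subnetCidr = "10.20.0.0/16"
$hubSite    = "HQ"

# 1. The site object plus the two child containers every site must have.
$sites = [ADSI]"LDAP://CN=Sites,$configNC"
$site  = $sites.Create("site", "CN=$siteName")
$site.SetInfo()
$settings = $site.Create("nTDSSiteSettings", "CN=NTDS Site Settings")
$settings.SetInfo()
$servers  = $site.Create("serversContainer", "CN=Servers")
$servers.SetInfo()

# 2. Subnet mapped to the site so branch clients locate the local DC/RODC.
$subnets = [ADSI]"LDAP://CN=Subnets,CN=Sites,$configNC"
$subnet  = $subnets.Create("subnet", "CN=$subnetCidr")
$subnet.Put("siteObject", "CN=$siteName,CN=Sites,$configNC")
$subnet.SetInfo()

# 3. Site link HQ <-> Atlanta over the IP transport: cost 100 and a
#    180-minute replication interval, so changes are batched across the WAN
#    instead of being pushed as they happen.
$ipTransport = [ADSI]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
$link = $ipTransport.Create("siteLink", "CN=$hubSite-$siteName")
$link.Put("cost", 100)
$link.Put("replInterval", 180)
# PutEx control code 2 = ADS_PROPERTY_UPDATE for the multi-valued siteList.
$link.PutEx(2, "siteList", @("CN=$hubSite,CN=Sites,$configNC",
                             "CN=$siteName,CN=Sites,$configNC"))
$link.SetInfo()

# 4. Verify: read the link back and confirm replication partners/status.
([ADSI]"LDAP://CN=$hubSite-$siteName,CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC").siteList
repadmin /showrepl
```

Once the branch RODC is promoted into the new site, the KCC builds the inter-site connection over this link; check that the RODC's subnet is not left in DEFAULTIPSITELINK or its traffic will still follow the default schedule.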
Managing Resources in Your Enterprise
There are a few solutions provided with Windows Server 2008 to help you manage resources and authentication between locations in your enterprise.
• Trusts are a recognized association set up between domains throughout the enterprise that allow communication, access to common resources and authentication.
• Active Directory Federation Services is a secure utility that permits access to applications between organizations whose users are accessing them via a Web browser.
• Identity Lifecycle Manager is a tool that automates managing user credentials, such as passwords, distribution lists, and certificates.
I. Active Directory Redundancy
Network Load Balancing
When it comes to accessing your data, there are several ways to improve performance and efficiency throughout your enterprise. Network load balancing (NLB) and Failover Clustering are two of the services that can be used. We will discuss network load balancing first. In Windows Server 2008, network load balancing acts like a traffic cop to direct IP traffic workloads across the enterprise using multiple servers. One of the main goals of NLB is to make sure no one server is overloaded.
The list below from LabSim provides more information about NLB.
• An NLB cluster can have between 2 and 32 nodes.
• Each node maintains its own data, typically on directly-attached storage. NLB is best suited for services with static data; if the data changes, you must implement a solution to synchronize data between the nodes.
• NLB can be configured on all Windows Server 2008 editions.
• NLB uses convergence to dynamically synchronize the configuration (but not the data) when nodes are added or removed.
• Implement multiple NICs to provide network redundancy for NLB nodes.
• Common services used with NLB have static data and include IIS, Terminal Services, Routing and Remote Access, and VPN access.
• Cluster nodes are typically located in the same location.
The following diagram from Microsoft’s TechNet Website shows how a four-host cluster works as a single virtual server to handle network traffic. Each host runs its own copy of the server with Network Load Balancing distributing the work among the four hosts.
Failover Clustering provides redundant services out of the box with Windows Server 2008 R2 Enterprise Edition. It eliminates that single point of failure that can take your enterprise’s productivity to a complete stop and protects your mission-critical applications. Should a server crash or go offline for any number of reasons, another server is waiting to take over and respond to requests. It is a very affordable option as well, since it comes packaged with the Datacenter and Enterprise versions of Server 2008. It is also one of the easier solutions to deploy in an enterprise environment.
You can create multiple clusters, and each cluster may have up to eight nodes. All nodes must attach to a common shared storage pool. Nodes are then granted access depending on the type of service you set up. Anywhere from one to all eight nodes may access the data pool independently or at the same time. Secondary nodes in a cluster are set up in a listening mode. When the active node goes down, the secondary node takes over immediately. Once the failed node comes back online, the secondary node goes back into listening mode and allows the main node to become the active node again.
The following are a few more facts about Failover Clustering.
• Redundancy for multiple hardware and network components is typical to prevent a single failure from making a node unavailable.
• Common services used with Failover Clustering must make frequent changes to data and include SQL, DHCP, Exchange, and Certificate Services.
• Cluster nodes can be more geographically dispersed.
II. Active Directory Recovery and Maintenance
Recovering Active Directory
What happens when an Active Directory domain controller fails? If you do not have a second domain controller holding a concurrent, up-to-date copy of the Active Directory database, then your users will be offline for quite some time while you scramble to recover the server and hope to restore a good recent backup of your Active Directory. If you do not have a good backup of the system state of that domain controller, then you don’t even want to think about the headache that awaits you while you re-create every one of your users and assign permissions again. However, if your enterprise is configured correctly, then the scenario above will not happen to you and it will never be a cause for concern.
Recovering Active Directory from a secondary domain controller on your enterprise is actually not very hard. If a domain controller goes down, a second domain controller will provide the Active Directory functions required to keep business up and running. In fact, no one will ever know the first domain controller ever had a problem. Once you bring the failed domain controller back online, either after a repair or with a new server, the active domain controller will begin the replication process and the recovery will be complete.
Remember that a good backup routine can save you many hours or even days of downed production time. One of the most important things to back up when dealing with Active Directory is the system state. You can back up the entire contents of the server, but if you fail to get a good system state backup, your Active Directory database will not run. Therefore, it is imperative to back up the system state.
Keeping the Enterprise Current
The final thing we will discuss regarding data availability is keeping your systems throughout the enterprise up to date. The last thing you need is for a system to fail because it did not receive the latest update from Microsoft.
The following are some of the solutions available to you.
• Windows Updates provide updates to the operating system. There are two types of updates available: critical and non-critical. Critical updates should be downloaded as soon as they are available, since there is the potential that your system will be compromised if these are not installed immediately. Windows updates can be configured several ways. You can automate the download and install of updates on each device or you can download the updates and install them at a time of your own choosing.
• Microsoft Updates work the same as above, but with Microsoft applications like Office rather than operating systems.
• Windows Server Update Services (WSUS) is an application that needs to run on a server. It does the job of both services above and can be automated and customized to your specific requirements. No enterprise should be without a WSUS server. It will become your first line of defense against the type of problems that can occur when systems and applications are not patched and up to date.
ESI Active Directory Configuration
Elliott’s Solutions Inc. has finally decided on its IP scheme, domain name, DNS configuration, and public website, so that its many employees in branches nationwide, and in forthcoming new locations, can access resources for greater productivity, and so that customers can more easily gather information about ESI. It is time to design its new Active Directory and to define the corresponding policies.
Top View or Forest
ESI will have a single-domain AD forest with centralized authentication and authorization. Security boundaries and specifications will be defined starting with the urgent requirements, so that cybercrime cannot force the entire network to start from scratch. Developing with precaution will allow all officers and employees to become familiar with the actual implementation without experiencing too many security threats from external sources. First of all, AD DS will be installed on Microsoft Windows Server 2008. Due to the rapid expansion of business operations, the aim will be to have three (3) Domain Controllers. This minimizes the probability of having to recover from backup files in case of technical trouble somewhere in the system. All branches will be connected under a single DNS name. Thus, from the Central Office of ESI.com, each branch will have a subdomain that employees can access after passing security authentication.
The diagram below illustrates the servers/controllers that the branches will access daily, connected in a Single Forest, Single Domain startup design (Rommel, Florian 2009a).
All branches will access the server via Internet, more specifically by logging into the domain ESI.com. However, these servers can only share software but not printers and other devices that are within the branch vicinity.
These are the three (3) controllers or servers for the entire network. One will serve as an automatic backup. The third should back up only after internal audit has double-checked the active, real-time backup data.
For security purposes, the three servers will be located in well-guarded, fireproof, temperature-controlled offices near the top 10 most trustworthy Executives, where calamity cannot destroy them. Furthermore, one of them will be under daily audit by the IT Security Department. The servers will then link all the branches nationwide so that their workstations can share the resources found on the centralized server. Note that only one server is mentioned because the other two are backup servers, of which one backup is the most protected. It is foreseen that eventually each branch will have to maintain a server of its own to handle activities that do not need to be strictly secured.
“The AD DS role is what enables the server to act as Domain Controller,” says the System Administrator. But the AD DS role must first be installed. In Windows Server 2008, open Server Manager from the Quick Launch Toolbar icon or from Administrative Tools, then proceed as follows:
1. Click “Roles” > “Add Roles” > Next.
2. Under “Select Server Roles”, click Active Directory Domain Services > Next.
3. Confirm Selected Roles Installation and wait for Installation Success.
4. Double-check that AD DS was installed by going back to Server Manager (see Figures 2 and 3 under Appendix).
Once AD DS has been installed in Windows Server 2008, run DCPROMO as follows:
1. Run > dcpromo > OK.
2. Welcome to Active Directory Domain Services Installation Wizard > Next.
3. Operating System Compatibility > Next.
4. Choose a Deployment Configuration > select Create a New Domain.
5. Be sure to type the exact Fully Qualified Domain Name (FQDN), e.g. ESI.com.
6. Set the Forest Functional Level.
7. Select additional Domain Controller Options by placing a check mark on DNS Server.
8. Select DHCP.
9. Continue until the AD DS installation is complete.
When asked for a Directory Services Restore Mode Administrator Password, be sure to control it and keep the password in writing for the time when the system might need to be restored. For the AD DS installation to complete, the computer will ask to be restarted.
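The same promotion can be scripted so that each of the three planned controllers is built identically. The following PowerShell is an added example, not the page's or the System Administrator's procedure; it drives dcpromo with an unattended answer file and assumes a new forest root of esi.com with NetBIOS name ESI, DNS on the domain controller, Windows Server 2008 forest and domain functional levels (value 3), and an elevated prompt on the server being promoted.

```powershell
# Added example (not from the page): scripted equivalent of the wizard steps.
# Assumptions: new forest esi.com / NetBIOS ESI, DNS installed on the DC,
# functional levels Windows Server 2008 (3), run from an elevated prompt.

# "Add Roles" step: install the AD DS binaries with Server Manager's CLI.
ServerManagerCmd.exe -install ADDS-Domain-Controller

# Prompt for the DSRM password at run time rather than storing it in a script,
# which matches the plan's requirement to control that password.
$dsrm = Read-Host "Directory Services Restore Mode password"

# dcpromo answer file; RebootOnCompletion=No so we can clean up first.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=esi.com
DomainNetbiosName=ESI
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@

$file = Join-Path $env:TEMP "dcpromo-esi.txt"
Set-Content -Path $file -Value $answer -Encoding ASCII
try {
    dcpromo.exe /unattend:$file
} finally {
    # The answer file held the DSRM password; never leave it on disk.
    Remove-Item -Path $file -Force -ErrorAction SilentlyContinue
}

# Promotion only takes effect after a restart (the wizard's final prompt).
Restart-Computer -Force
```

For the second and third controllers the same file is reused with ReplicaOrNewDomain=Replica and ReplicaDomainDNSName=esi.com in place of the NewDomain lines, so that all three hold the same directory.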
In creating a new Active Directory, there is a checklist of things to consider, namely:
• Exact name of the DNS domain owned by ESI
• Number of users in all branches combined
• What is the bandwidth available for authentication versus the prescribed bandwidth?
• Who are the administrators of the system?
• Which server will be the Global Catalog server?
• Who will handle the Flexible Single Master Operation (FSMO) roles?
The FSMO roles consist of (a) the Relative ID (RID) Master, (b) the Infrastructure Master, (c) the Primary Domain Controller (PDC) Emulator, which synchronizes time, handles password changes, authentication failures and account lockouts, and handles editing of Group Policies, (d) the Schema Master, which updates and modifies the schema of the forest, and (e) the Domain Naming Master, which adds domains and links in the Active Directory (Rommel, Florian 2009b).
Microsoft (2008) has certain requirements for Windows Server 2008 to be able to use Group Policy preferences. Due to the length of those steps, Figure 4 (Appendix Section) was created. The Remote Server Administration Tools (RSAT) will definitely be installed on all computers to facilitate technical support via remote access. The Group Policy Objects that will be selected must first be approved by top management. Only employees of ESI may access files from the domain. There will be restrictions based on what does not concern the user and what the user needs. Authority limits will define who should have access to which files. All of this can be done gradually. It is admitted that at the start the rules will be strict, to avoid having to start all over again as a result of a “crash” or corrupted hard drives, which would cost the company substantial amounts if most computer hard drives had to be replaced or a professional IT specialist had to be brought in to remove or repair the corrupted files. However, as time passes and some level of familiarization is gained through actual implementation, centralization will be relaxed.
Only work-related resources will be accessible to employees on computers connected to the servers. All websites containing ActiveX controls or potentially dangerous downloads should be blocked.
The IT Department will define all the highly trusted resource websites that can do no harm to the files within ESI.com, and will be held responsible for security breaches as well as for preventive measures to protect all sensitive files. Other departments have to be consulted (Microsoft 2010).
“Windows Server 2008 uses Kerberos as the default authentication method…” according to Bender, Michael (2009, p. 393). In situations where Kerberos authentication is not possible, IT may decide to use the NT LAN Manager (NTLM) protocol.
Disaster / Emergency Systems of Control
As a matter of policy, ESI.com will not use any cloud backup service; only the Central Office backup facilities will be used. This will prevent any third-party entity from breaking into confidential files, and any scammer, spammer or anonymous cybercriminal from infiltrating the system and causing unnecessary trouble or threats to business security. There will definitely be an IT Security Team responsible for various scenarios such as sudden loss of power or cyber attacks.
To ensure long-term progress without interruption by system failures, downtime, and too much focus on maintenance and repairs, the decision is to have a high-end set of servers configured to maintain Active Directory. Those servers will be promoted to Domain Controllers, and DNS will be integrated with Active Directory. The Domain Name System translates computer names into IP addresses and is what lets computers find one another. It makes it easier for the server to locate any of the client computers linked to it.
Policies of Active Directory will tend to be restrictive in the immediate term. Definitely, only employees may access business private files. The public will be allowed only those meant to inform them about ESI.com. This restrictive policy will eventually be relaxed after some time of implementations and the IT Department has already strengthened the entire system against various threats.
What will be crucial for the short to medium term will be the ability of ESI Central Management to control operations positively by sharing some intangible yet valuable resources for its employees. For example, employees should not be disrupted by computer problems. Instead, their work should be facilitated by Head Office by the provision of adequate services for the maintenance of computers, for faster communications with branches, and to allow them to focus on their primary purpose for being employed. Also equally important will be the accessibility of great information to encourage potential clients to stay with ESI.com anywhere they may be around the country or outside the country.
Figure 1. Windows Server 2008 Service Manager
Figure 2. WS2008 Active Domain Server Roles
Figure 3. WS2008 AD DS Installed in Server Manager
Figure 4. Conditions to Allow Use of Group Policy Preferences
(Source: Microsoft 2008 http://technet.microsoft.com/en-us/library/cc731892(v=ws.10).aspx )
Elliott’s Solutions Inc., or ESI, is a company that has many offices throughout the country. The company is rapidly growing and is considering expanding to other locations. ESI also has no web presence, and needs to establish one because of how fast the company is growing. By establishing a web presence the company can allow internal employees to access company resources with ease. It will also allow ESI’s customers to access important resources, and allow potential customers to gather more information about ESI. In the following proposal, I will discuss the creation of a DNS namespace for ESI, the requirements for setting up a domain name, and the development of an IP scheme that includes both DHCP and static addressing.
Creating a DNS Namespace
A DNS namespace is a hierarchical arrangement that resembles the root structure of a tree. Each domain extends from the node above it, beginning with the top-level domain, then a second-level domain, and then subdomains. A top-level domain is something we always see when using the Internet; .com, .org and .edu are all commonly used top-level domain names. Second-level domains are also called parent domains and have to be registered through an ICANN (Internet Corporation for Assigned Names and Numbers) approved registrar (Website Gear, 2004). Subdomains are usually formed to identify a specific location or organizational unit, such as la for Los Angeles or support for the support department. I propose using the .com top-level domain, as it is one of the more commonly used top-level domains for companies. We should also register a second-level or parent domain of ESI for Elliot’s Solutions Inc. Subdomains should first be broken down by office location, since our company has multiple offices located throughout the country, then by department, and then by specific groups within the company. An example from our DNS namespace would be atlanta.support.esi.com, which would equate to the Atlanta office’s support department. Creating this DNS namespace will allow us to organize our domain and adopt a standard naming practice.
Requirements for a Domain Name
The Internet is full of domains, and one cannot simply just create one. First, the domain name has to be available under the top-level domain that you want. For example, there might be an ESI.org but not an ESI.com. Domain names are governed by ICANN, the Internet Corporation for Assigned Names and Numbers, and have to be registered through an ICANN-approved registrar. During the registration process, certain information must be provided.
1. Domain Name owner credentials (name, company name, address, phone, email address etc.)
2. Administrative contact credentials
3. Technical contact credentials
4. Domain Name System (DNS) server details
The next step is deciding whether ESI will host the website itself or have another company host it. Since ESI is a large, growing company, we will host our own website. We will then need to configure the DNS server that will listen for DNS requests from the Internet. We will also want to make sure that our public website is not directly connected to the internal network, to prevent unwanted access or malicious attacks.
DHCP, or Dynamic Host Configuration Protocol, is a method of automatically assigning IP addresses to hosts. DHCP can also be set to reserve a fixed address for a host, which can be useful when assigning IP addresses to servers, since you wouldn’t want those addresses to expire. DHCP also sets lease expirations on the addresses it assigns, which require hosts to obtain a new IP address when their lease expires. This is a great method for saving time and energy when dealing with a large network. Static IP addresses are hard-coded into the network card settings and remain the same until they are manually changed. This can be quite cumbersome when dealing with a large network, and can also be hard to troubleshoot. For ESI, I recommend using DHCP, as the company is already a good size and growing rapidly. The only time I would recommend static IP assignment is when assigning IP addresses to servers, as we would want those IP addresses to stay the same.
Developing a web presence is no easy task. It requires a significant amount of time and planning. By creating a solid DNS Namespace, ESI can greatly improve the access that employees, clients, and potential clients have to needed resources. Creating a domain name is also something that requires preplanning and money to accomplish. Also, by creating a DHCP IP scheme to automatically assign IP addresses to hosts we will save a large amount of time and energy managing our network. By combining all of these elements ESI now has a web presence and can now accommodate its growing business.
WebsiteGear. (2004). Website domain name configuration. Retrieved from http://content.websitegear.com/article/domain_setup.htm