Proposal for Implementation of Active Directory at SFU

This report outlines an approach to implement Microsoft's Windows 2000 Active Directory Services on campus.

The proposal outlined here is the result of several months of consultation, including meetings with Microserve Solutions consultants, a feedback session with SFU Lan Administrators, and consultation with Microsoft senior consultants.

Active Directory is the distributed database where all information pertaining to users, groups, servers, printers and "shared information" is stored. A well-designed Active Directory structure is critical to the successful deployment of an Enterprise-wide Windows-2000 implementation.

There are three models to choose from when laying out an Active Directory structure:

Single forest, single domain
Single forest, multiple domain
Multiple forest, multiple domain

Single Forest, Single Domain

This model produces the simplest Active Directory structure. In previous versions of Windows NT, a single domain model could only be used in small companies. Microsoft has redesigned the Domain Controller in Windows2000 and this limitation no longer exists – a single domain can scale to handle millions of objects.

Advantages

Simplicity: With only one domain, there are no potential problems with cross-domain trusts or inter-domain communication. There are also fewer servers to setup, secure and administer. With a minimum number of domain controllers, the network is easy to understand and troubleshoot in the event of problems.

Minimal exposure to security risks: Every domain controller in a Windows2000 network is extremely sensitive from a security perspective. User passwords are stored in clear-text inside the Kerberos server running on each domain controller. A breach on one of these servers would expose every user’s password. In a single-domain model, only two domain controllers are needed, both of which can be located in a secure computer facility and managed by a security expert in ACS/OTS

Minimum interaction with DNS servers: Every domain controller tries to dynamically update the DNS with information about itself, or needs that information manually entered into the DNS database. A single domain model requires only two domain controllers updating the DNS

Consistency: With all users and resources located in one domain, a user will find the same "view" of the Windows2000 network regardless of what workstation she uses. She can use the same UserID and password to login and the same naming convention will be used for all resources in the directory.

Less hardware. Each domain requires a minimum of two good quality PC servers to implement. A single domain model requires the least amount of hardware, as only two servers are required

Disadvantages

The "browse" list of users and groups will be long. Certain dialogues in Windows2000 will attempt to display a complete list of objects in the domain. In a very large domain, not all objects will be displayed and a user will need to narrow their search by typing in the first few letters of the object they’re looking for. The display box is multi-threaded, so a search for a particular user will not be significantly slowed down as the browse window "fills-in" with all known users. This primarily affects assigning rights to files & printers and modifying group membership, which is typically only done by administrators.

Certain Group Policy security settings can only be set on a domain-wide basis, affecting all users equally. While this is a limitation, it’s arguably an advantage as it allows a security expert to tune these settings and then apply them equally to all users, guaranteeing a certain level of security with respect to those settings. The settings govern such things as password strength, minimum password length, and kerberos ticket lifetime
Complete departmental autonomy is not possible: Domain administrators – systems administrators in ACS/OTS – can take ownership of any object in the directory, regardless of what permissions filters have been set up by individual departments. While some may view this as a disadvantage, it can also be a benefit as it allows experienced administrators the ability to fix problems anywhere in the Directory regardless of what may have been done to it. While this prevents complete privacy in the Active Directory, a domain administrator would only exercise this option in the event of an emergency. Departmental administrators are also free to audit ownership events so that they can see if this ever happens

Single Forest, Multiple Domain

This model uses multiple domains to separate users and administrative control. The domains can be organized in a hierarchical fashion, where trust relationships between domains are transitive, in a ‘flat’ model, where every domain is at the top level of the forest, or in some combination of the two.

Advantages:

Complete departmental autonomy. Each department would be in charge of its own Domain Controllers – for better or worse – and would be able to block access to them from Windows2000 administrators in ACS/OTS. Departments would also be able to customize settings that can only be set on a domain-wide basis, such as certain security policy settings.

Fewer objects in departmental domains: departmental administrators using the "Add User" dialogue would not need to browse through an extremely long list of users to add their own users to groups and file access-control lists. Note that a top-level domain would still be created that would contain all users and common groups on campus – if a department wished to take advantage of those pre-created user accounts, it would still be necessary to browse a long list of users.

Disadvantages:

Complexity: This model produces a more complex Domain controller structure than a single domain model, as every domain must have at least two domain controllers, yet domain controllers must still all communicate with each other. Troubleshooting problems with this model would be considerably more complicated and time consuming than with the single-domain model

Increased exposure to security risks: Every domain controller is extremely sensitive from a security standpoint, as they provide the mechanism for entry into the Windows2000 Active Directory. More domain controllers means more machines to secure and more targets for hackers to go after.

Larger hardware budget: Each domain requires two domain controllers to run. It’s a widely held opinion among Windows Network industry experts that domain controllers should not run other services (such as file and print sharing), which means that two servers in each department must be dedicated to the task of running the domain.

Increased administrative effort: Each department would need Windows2000 administrators to run their own domain controllers. In addition, the increased complexity of the network would likely mean that more resources would need to be devoted to keeping it running. Adding to administrative complexity is the interaction with the DNS. As noted above, every domain controller must either interact with the DNS or have a number of entries added to the DNS on its behalf

Choosing the Right Model

Simplicity, high security, high reliability and low cost of operation were the primary objectives considered when choosing the right Active Directory structure.

We believe that the structure that meets these objectives is a "single domain" model. In this model, all information is organized within a single Windows Domain. Within that Domain, logical containers - called "Organizational Units" - will be created for each Department on campus. Each department will have complete control over its own Organizational Unit - Administrators within each department will have the ability to manage their own users, groups, servers and services as necessary.

Using a single domain, Windows-2000 authentication will be able to be tied into the Campus Computing Account system, which means that all SFU members will automatically have access to the system. Administrators in each department will be able to choose which of those users can access their department's computing resources. By pre-populating the directory with all of SFU's staff and students, departmental administrators will be freed from the mundane task of creating and deleting user accounts - those tasks will no longer be necessary

This model satisfies the project's objectives as follows:

Simplicity

A single domain model eliminates NT Domain trust relationships, cross-domain communication, and multiple failure points. In addition, under Windows-2000, every domain controller must be granted permission to update the campus DNS server - a single domain simplifies the interaction with DNS. Since the DNS service is perhaps the most critical service to the operation of the campus network, minimizing possible problem points with it is in the best interest of the campus community.

High Security

Using a single domain, all user authentication will be handled by Domain Controller servers located in our machine room. The critical part - the database with users' passwords - will be run on a separate secured Unix server tied into our Campus Computing Account system. This will keep user passwords safe, which will help prevent access to Windows-2000 servers by unauthorized users

High Reliability

Domain Controllers located in our machine room will be backed-up daily, run on an industrial UPS, and be plugged directly into our core network, ensuring good connectivity to all machines on campus. In addition, a single domain minimizes the number of servers necessary to implement the directory, minimizing the failure points.

Low Cost

A simple domain structure will minimize the computing hardware required to implement it, and the staff time necessary to run it, both of which will keep costs down.

In our discussions with Microsoft's consultants, it was determined that a 'placeholder' domain should be created which would 'anchor' the top of the Active Directory structure. This domain wouldn't contain any users or services, it would just hold the domain "sfu.ca". This is desirable because the top-level domain in an Active Directory structure can never be renamed or altered after the directory is in place.

This would give us a total of two domains, although the 'placeholder' domain would never handle any authentication.