7/26/2019 Ms - Msl - Coloc - Esf Active Directory Roe
1/27
Enterprise Server Farm (ESF)
Active Directory [for WindowsServer 2003]
Rules of Engagement
Application Management Team
Version 1.6
March 4, 2011
SECURITY WARNING
The information contained herein is proprietary to the Commonwealth of Pennsylvania and must not be
disclosed to unauthorized personnel. The recipient of this document, by its retention and use, agrees to
protect the information contained herein. Readers are advised that this document may be subject to the
terms of a non-disclosure agreement.
DO NOT DISCLOSE ANY OF THIS INFORMATION WITHOUT OBTAINING PERMISSION FROM
THE MANAGEMENT RESPONSIBLE FOR THIS DOCUMENT.
COMMONWEALTH OF PENNSYLVANIA ENTERPRISE SERVER FARM
Version History

  Date       Version  Modified By / Approved By  Section(s)  Comment
  4/30/2007  1.0      K. Will / S. Sharma        All         Initial draft
  5/24/2007                                                  Incorporated S. Sharma comments: Replace Windows 2000 references with Windows 2003; move Total Cost of Ownership reference, add Maintenance and Backup sections
  10/31
Table of Contents

1 ESF OVERVIEW & ESF INFRASTRUCTURE ........ 5
  1.1 ESF OVERVIEW ........ 5
    1.1.1 ESF Engagement Process ........ 5
    1.1.2 ESF Deployment Process ........ 5
    1.1.3 Commonwealth Application Certification and Accreditation (CA2) ........ 5
  1.2 ESF INFRASTRUCTURE ........ 6
    1.2.1 External DMZ Security Zone ........ 6
    1.2.2 Internal Services Security Zone ........ 6
    1.2.3 Internal DMZ Security Zone ........ 6
2 ACTIVE DIRECTORY IMPLEMENTATION ........ 7
  2.1 PURPOSE/ OVERVIEW ........ 7
    2.1.1 Benefits ........ 7
  2.2 ASSUMPTIONS ........ 7
  2.3 SCHEMATIC DIAGRAM/ DIAGRAM DESCRIPTION DETAILS ........ 8
    2.3.1 ESF LAN (Extranet) ........ 8
    2.3.2 Internet Access ........ 9
    2.3.3 Business Logic Layer (BLL) ........ 9
  2.4 PREREQUISITES ........ 10
  2.5 IMPLEMENTATION DETAILS ........ 11
    2.5.1 ESF Active Directory Implementation Details & Schematic Diagrams ........ 11
    2.5.2 Location and Role of Domain Controllers ........ 11
    2.5.3 APPS Domain ........ 12
    2.5.4 USER Domain and MUSER Domain ........ 12
3 ACTIVE DIRECTORY RULES OF ENGAGEMENT ........ 14
  3.1 RULES OF ENGAGEMENT OVERVIEW ........ 14
  3.2 NAMING CONVENTIONS ........ 14
    3.2.1 Server Names ........ 14
    3.2.2 Service Accounts ........ 14
    3.2.3 User Accounts ........ 15
  3.3 SERVICES ........ 15
    3.3.1 Applications Residing in Managed Services ........ 15
    3.3.2 Applications Residing in ESF Co-Location ........ 15
    3.3.3 Applications Residing in Agency Location ........ 16
  3.4 ESF GROUP POLICY OBJECTS (GPOS) ........ 18
  3.5 ROLES AND RESPONSIBILITIES ........ 21
  3.6 MONITORING ........ 22
  3.7 SECURITY ........ 22
    3.7.1 Windows 2003 Authentication Architecture ........ 22
    3.7.2 Windows Methods of Authentication ........ 23
    3.7.3 Certificate Authentication ........ 23
    3.7.4 Forms Authentication ........ 23
    3.7.5 Recommended Authentication Methods ........ 23
    3.7.6 Application Security ........ 24
  3.8 BACKUP AND RECOVERY ........ 24
  3.9 CHANGE MANAGEMENT ........ 24
  3.10 MAINTENANCE ........ 24
4 ACTIVE DIRECTORY AND APPLICATION DEVELOPMENT RESOURCES ........ 25
  4.1 ACTIVE DIRECTORY RESOURCES ........ 25
  4.2 APPLICATION DEVELOPMENT RESOURCES ........ 26
5 APPENDIX A SCHEMA MANAGEMENT PROCESS ........ 27
ESF ACTIVE DIRECTORY RULES OF ENGAGEMENT PAGE 3 OF 27
1 ESF Overview & ESF Infrastructure
This section contains standard information that is included in all ROE documents.
1.1 ESF OVERVIEW
The Commonwealth of Pennsylvania's Enterprise Server Farm (ESF) provides Hosting Services for Agency Web-Based and Agency Specific applications. Its mission is to maintain a high level of security, availability, reliability, and management of the Commonwealth of Pennsylvania mission critical web applications.
Refer to Enterprise Server Farm, for a full description of the ESF and all hosting and service offerings.
1.1.1 ESF Engagement Process
If your agency is considering deploying applications in the ESF, examine the ESF web site to understand the ESF Service Portfolio, and then contact your Service Coordinator (SC). SCs are liaisons between agencies and the ESF. They answer preliminary questions and coordinate meetings with ESF personnel to ensure consistent communication on simple or complex projects.
Refer to ESF Getting Started, for an overview of the benefits, services, and options for hosting your application at the CTC ESF.
Refer to ESF Services Coordinator, to identify your agency Service Coordinator.
1.1.2 ESF Deployment Process
The ESF follows a well-defined deployment process for all application deployments. Application development is performed at the agency or contractor location while the ESF houses both a staging and a production environment, which are mirror images of each other. This structured deployment and testing process ensures a stable application in production. Prior to entering the ESF, every new application is required to undergo a security assessment.
Refer to Deploying in Managed Services to review MS deployment process documents.
Refer to Deploying in Managed Services Lite to review MSL deployment process documents.
1.1.3 Commonwealth Application Certification and Accreditation (CA2)
Refer to Commonwealth Policy ITB-SEC005 regarding "Commonwealth Application Certification and Accreditation".
Click http://www.sqca.state.pa.us to initiate the Commonwealth Application Certification and Accreditation (CA2) Process.
1.2 ESF INFRASTRUCTURE
The ESF Web Farm architecture is segmented into security zones that are isolated from each other via firewalls. The ESF Network contains the External DMZ security zone, the Internal Services security zone, and the Internal DMZ security zone. These three primary networks are either, physically or logically, connected to one another.
1.2.1 External DMZ Security Zone
The External DMZ security zone contains Internet-facing servers that are connected to the Enterprise DMZ. ESF-managed web servers (such as Managed Services) and Agency-managed servers (such as Co-Location servers) both exist in the External DMZ Security zone. Managed Services and Co-Location servers are on separate subnets secured by either firewalls or Access Control Lists (ACL).
1.2.2 Internal Services Security Zone
The Internal Services security zone contains Managed Services database servers and other application servers from which dynamic content is obtained by web servers.
1.2.3 Internal DMZ Security Zone
The Internal DMZ security zone contains the Managed Web and application servers that need to be accessible only from the Commonwealth Metropolitan Area Network (MAN). This Security Zone also contains internal Co-Location database and web and application servers that are isolated from the Managed Services servers.
When ESF Domain Controllers intercommunicate in a security zone, all communication uses standard RPC and does not require IPSEC encryption or authentication. Domain Controller-to-Domain Controller communication between security zones uses IPSEC with Authentication Header (AH).
Other host-to-AD Component communication in the Managed Services portion of the Enterprise Server Farm does not require IPSEC. However, IPSEC is required for all communications between entities outside the Managed Services and ESF AD components.
2 Active Directory Implementation
2.1 PURPOSE/ OVERVIEW
The Commonwealth of Pennsylvania's Enterprise Server Farm (ESF) uses the Windows Server 2003 Active Directory (AD) and server infrastructure to separate the Commonwealth's enterprise AD forest applications from those applications that can be accessed internally and externally. The Application Management Team (AMT) manages the ESF Active Directory environment.
2.1.1 Benefits
Based on a study conducted by Gartner, the Total Cost of Ownership for the ESF AD is a fraction of an in-agency Active Directory solution that includes hardware, software, operations, and facilities.
Your agency gains these benefits when you use ESF AD:
- OA provides a secure location to host the Active Directory and dependent functions (such as DNS).
- The application can use existing authentication and authorization data from either the APPS domain (ESF) or the internal PA.LCL domain (CWOPA), which provides the agency's internal users with single sign-on to its applications.
- Windows 2003 Active Directory schema changes to accommodate applications can be made in the ESF AD forest, the PA.LCL forest, or both at the discretion of the Architectural Standards Committee and Schema Management Board. See Appendix A – Schema Management Process for details.
- Internal IT staff is freed up to work on agency strategic initiatives.
- AMT will provide 24x7 monitoring, management, and support to provide increased reliability, availability, scalability, and security as well as improved application authentication through ESF Active Directory.
- ESF Active Directory is highly available with built-in redundancy, disaster recovery, and multiple locations for access.
- ESF has the knowledge and expertise to maintain and manage Active Directory and is fully engaged with Unisys and Microsoft to diagnose, troubleshoot, and resolve any issues or problems.
2.2 ASSUMPTIONS
This document assumes that the reader has a basic understanding of AD concepts including:
- Forests
- Domains
- Organization Units (OU)
- Objects
- Schema
- DNS
- AD Management Principles
Note: Appendix B – Active Directory and Application Development Resources contains references that discuss each of these assumptions in depth.
2.3 SCHEMATIC DIAGRAM/ DIAGRAM DESCRIPTION DETAILS
The network architecture is the key component of the functionality and security of the ESF LAN (Extranet).
This diagram shows how ESF network deployment relates to Active Directory. Three primary networks within the deployment are either logically or physically connected to one another to make up the ESF network:
- ESF LAN (Extranet)
- Internet Access
- Business Logic Layer (BLL)
2.3.1 ESF LAN (Extranet)
The Extranet resides in the CTC Internet Zone (Demilitarized Zone or DMZ) and contains Internet Information Services (IIS), domain controllers, and other AD infrastructure such as DNS and WINS. Through router security permissions or the Access Control List (ACL) on the router/firewall between CWOPA and the Extranet, all traffic that originates from CWOPA is allowed into the Extranet. If a resource on CWOPA is pushing data to a server on the Extranet, all communication is allowed.
In reverse, all traffic originating from the Extranet is blocked going back to CWOPA. If a batch job attempts to run a process from an Extranet machine that initiates communication back into CWOPA, the traffic is blocked by the ACL on the router between CWOPA and the Extranet. Data on CWOPA servers is either pushed to the Extranet from the CWOPA resource or the CWOPA resource must reside in the Extranet. Within the Extranet, all servers are homed to the same network and are allowed to communicate with one another assuming appropriate rights between resources.
The servers located in the Extranet communicate back to CWOPA through Internet Protocol Security (IPSec). This table shows the approved ports and associated functions for Active Directory communication that is allowed to traverse from the Extranet to internal Active Directory servers:

Ports and Protocols Accessible from DMZ to CWOPA Internal Network

  Protocol   Description
  50         Encapsulating Security Protocol (ESP) for IPSEC
  51         Authentication Header (AH) for IPSEC

  Port       Type         Description
  20 and 21  TCP and UDP  FTP
  25         TCP and UDP  SMTP (outbound only)
  80         TCP and UDP  http
  443        UDP          SSL
2.3.2 Internet Access
The external firewall (Internet-facing) manages traffic between the Internet and the Extranet. Clients accessing web sites in the Extranet are allowed to connect via the Internet once the proper credentials are supplied to the Active Directory.

Ports Accessible from Internet to Extranet DMZ Network

  Port   Type         Description
  53     TCP and UDP  DNS name resolution and zone transfers
  88     TCP and UDP  Kerberos
  389    TCP and UDP  LDAP
  500    UDP          ISAKMP for IPSEC
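An added example (not from the ROE document) that encodes the two port tables above as an allowlist and checks flow records against them, so an audit of firewall or flow logs can show which flows fall outside the ROE. The zone address ranges, the record format and the sample records are assumptions constructed for this example.

```python
"""Check flow records against the ESF ROE port tables (added example)."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Constructed zone addressing for this example; the document gives no address
# ranges.  Anything outside these ranges is treated as the Internet.
ZONES = {
    "cwopa": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}

# Allow tables transcribed from the two ROE tables.  IP protocols 50 (ESP) and
# 51 (AH) carry no port, so they are keyed by name with a port of None.
ROE_ALLOW = {
    ("dmz", "cwopa"): {
        "esp": {None: "ESP for IPSEC"},
        "ah": {None: "AH for IPSEC"},
        "tcp": {20: "FTP", 21: "FTP", 25: "SMTP (outbound only)", 80: "http"},
        "udp": {20: "FTP", 21: "FTP", 25: "SMTP (outbound only)", 80: "http",
                443: "SSL"},
    },
    ("internet", "dmz"): {
        "tcp": {53: "DNS", 88: "Kerberos", 389: "LDAP"},
        "udp": {53: "DNS", 88: "Kerberos", 389: "LDAP", 500: "ISAKMP for IPSEC"},
    },
}


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    proto: str            # tcp, udp, esp or ah
    dport: Optional[int]  # None for esp/ah


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<ts> <src> <dst> <proto> <dport|->'."""
    ts, src, dst, proto, port = line.split()
    return Flow(ts, src, dst, proto.lower(), None if port == "-" else int(port))


def evaluate(flow: Flow) -> Tuple[bool, str]:
    """Return (permitted, reason) for a flow under the ROE rules in 2.3.1/2.3.2."""
    direction = (zone_of(flow.src), zone_of(flow.dst))
    if direction == ("cwopa", "dmz"):
        return True, "CWOPA-originated traffic is allowed into the Extranet"
    if direction == ("dmz", "dmz"):
        return True, "servers within the Extranet may communicate with one another"
    table = ROE_ALLOW.get(direction)
    if table is None:
        return False, f"no ROE rule for {direction[0]}->{direction[1]}"
    desc = table.get(flow.proto, {}).get(flow.dport)
    if desc is None:
        return False, (f"{flow.proto}/{flow.dport} is not in the ROE table "
                       f"for {direction[0]}->{direction[1]}")
    return True, desc


def violations(log: str) -> List[Tuple[Flow, str]]:
    """Flows in the log that the ROE tables do not permit, with the reason."""
    out = []
    for line in log.strip().splitlines():
        flow = parse_flow(line)
        ok, reason = evaluate(flow)
        if not ok:
            out.append((flow, reason))
    return out


# Constructed sample records (documentation address ranges, not real hosts).
SAMPLE_LOG = """
2011-03-04T09:00:01Z 192.0.2.10 10.20.30.40 esp -
2011-03-04T09:00:02Z 192.0.2.10 10.20.30.40 tcp 1433
2011-03-04T09:00:03Z 10.20.30.40 192.0.2.10 tcp 1433
2011-03-04T09:00:04Z 203.0.113.5 192.0.2.10 tcp 389
2011-03-04T09:00:05Z 203.0.113.5 192.0.2.10 tcp 445
2011-03-04T09:00:06Z 192.0.2.10 192.0.2.11 tcp 135
"""

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_LOG):
        print(f"{flow.ts} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```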
2.3.3 Business Logic Layer (BLL)
The current design of the ESF DMZ allows only Internet services such as http, https, and other basic services like FTP and SMTP through the Internet-facing side of the DMZ. All management and database access to co-located servers is via an intranet-only routable back-end address through the Business Logic Layer (BLL).
BLL ensures that agency traffic including management traffic such as FTP, web administration, backup, terminal services, or other remote management software and back-end data traffic such as database traffic between the co-located servers and the agency have a secure, higher-speed path that is not available from the Internet.
To facilitate this design, a network card is added to every co-located server and configured with an intranet routable address. The default gateway is left blank for this interface, and persistent routes are added for each agency server or management station that needs BLL access.
BLL security advantages are:
- Only http, https, FTP, and SMTP access are allowed from the Internet
- Separate paths exist for public and agency data
- BLL cannot be reached directly from the Internet
BLL performance advantages are:
- Separate NICs and ingress/egress paths for front and back end access provide more aggregate bandwidth via less congested facilities
- Fewer hops and higher speed links between web farm Co-Location areas and the agencies
Because persistent routes need to be added to allow proper routing to agency systems across the BLL, front-end access from these same systems can be problematic. Traffic that is sent to the front-end from such a host may be routed back across the BLL, and the return traffic is sourced from the BLL address rather than the co-located server's front-end address. When this traffic reaches the agency host originating the traffic, it is dropped as invalid.
To improve security, ESF operating policy states that front-end access to a co-located server is not supported for any system that accesses that same server via the BLL. However, we understand that in some cases agencies may not be able to discontinue such front-end access from management stations or servers.
2.4 PREREQUISITES
Applications must meet these requirements to use ESF AD in the ESF:
- The application must be integrated to run on the Windows 2003 Server family of operating systems and must be able to use integrated security (Active Directory Authentication). AMT has full administrative access over the Active Directory Forest.
- The ESF forest trusts the CWOPA (PA.LCL) domain. This trust facilitates the Single Sign-On security model whereby user accounts in CWOPA can be used to grant access to the applications in the ESF.
- If you have a non-Windows based application or other situations not identified in this document that require Active Directory or any directory services, engage the Architectural Standards Committee at ascmembers@state.pa.us to discuss business requirements, architecture, and possible solutions. See Appendix A – Schema Management Process for details.
2.5 IMPLEMENTATION DETAILS
2.5.1 ESF Active Directory Implementation Details & Schematic Diagrams
ESF implemented a single forest/multiple domain model for Active Directory. An empty root called ROOT.STATE.PA.US resides within the forest. This domain houses the Enterprise Admin roles, Schema Admin roles, and forest-wide FSMO roles. Applications reside in APPS.STATE.PA.US and user accounts are divided among two domains: USER.APPS.STATE.PA (USER) and MUSER.APPS.STATE.PA.US (MUSER).
USER houses non-managed users or self-registered users similar to a typical portal user with customized content like PA PowerPort. USER domain security is commensurate with requirements for Internet applications. MUSER houses managed users, constituents, and vendors that must access line-of-business applications or other applications where authorization and security are critical. The sponsoring agency performs user, group, and authorization management similar to the way CWOPA is managed.
This diagram shows a high-level view of the CWOPA and ESF Active Directory namespace as defined in the functional specification.
2.5.2 Location and Role of Domain Controllers
Click this link to get the most up-to-date information about the domain controllers within this environment: http://www.oaesf.state.pa.us/sites/esf/Services
ESF Active Directory Organization Units (OU)
This diagram shows the Organization Units (OU) for the ESF Active Directory namespace as defined in the functional specification. Applications reside in APPS.STATE.PA.US (APPS) and user accounts reside in USER.APPS.STATE.PA (USER) and MUSER.APPS.STATE.PA.US (MUSER).
2.5.3 APPS Domain
AMT controls and manages the APPS domain and defines and maintains all levels of OU structure. AMT recommendations for OUs in the APPS domain are:
- OU depth should not exceed four levels
- The top level OU is the Agency OU and consists of the agency's 2-digit code
- The second level consists of the servers OU and service accounts OU
- Lower level OU recommendations are:
  - 6 character maximum length; optional if it applies to the agency's IT administration model
  - Groups may be placed in all OUs starting from the Agency OU
OUs are locked down by default with changes initiated through the initial deployment process or a service request (Remedy ticket). Currently, delegated permissions over OUs within the APPS domain are not supported. Machine accounts are ONLY created by AMT through the initial deployment process or a service request.
Delegated permission to the APPS domain is restricted to maintain stability and security for all agencies and applications. ESF personnel handle all change requests including, but not limited to, server creation/deletion, service account setup, and group policy placement. (GPO creation and management are discussed in depth in a later section.)
2.5.4 USER Domain and MUSER Domain
All self-registered users are housed in the PALogin OU for the USER domain. AMT defines and maintains the top three levels of the MUSER OU structure.
AMT recommendations for OUs in the MUSER domain are:
- OU depth should not exceed four levels
- The top level OU is the Agency OU and consists of the agency's 2-digit code
- The second level consists of the application name and users container
- AMT creates OUs below the application name but the agency administers them
- Lower level OU recommendations are:
  - 6 character maximum length if it applies to the agency's IT administration model
  - Groups may be placed in all OUs starting from the Agency OU
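An added example (not from the ROE document) that checks an object's distinguished name against the APPS and MUSER OU recommendations in 2.5.3 and 2.5.4: at most four OU levels, a 2-digit agency code at the top, and a 6 character maximum for lower-level OU names. The literal second-level OU names assumed for the APPS domain (Servers, ServiceAccounts), the agency code 17 and the sample DNs are constructed; the document names only the role of each level.

```python
"""Validate OU placement against the ESF APPS/MUSER recommendations (added example)."""
import re
from typing import List, Tuple

DOMAIN_SUFFIX = {
    "APPS": ["DC=APPS", "DC=STATE", "DC=PA", "DC=US"],
    "MUSER": ["DC=MUSER", "DC=APPS", "DC=STATE", "DC=PA", "DC=US"],
}
MAX_OU_DEPTH = 4            # "OU depth should not exceed four levels"
MAX_LOWER_OU_NAME_LEN = 6   # "6 character maximum length" for lower-level OUs
# Assumed literal names for the APPS second level; the document only says
# "the servers OU and service accounts OU".
APPS_SECOND_LEVEL = {"SERVERS", "SERVICEACCOUNTS"}


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, leaf first; honours '\\,' escapes."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns


def check_ou_path(dn: str, domain: str) -> List[str]:
    """Return the recommendation violations for dn (empty when compliant)."""
    problems = []
    rdns = split_dn(dn)
    dcs = [f"{a}={v.upper()}" for a, v in rdns if a == "DC"]
    if dcs != DOMAIN_SUFFIX[domain]:
        problems.append(f"DN is not under the {domain} domain")
    ous = [v for a, v in reversed(rdns) if a == "OU"]   # root first
    if not ous:
        problems.append("object is not placed inside an OU")
        return problems
    if len(ous) > MAX_OU_DEPTH:
        problems.append(f"OU depth {len(ous)} exceeds {MAX_OU_DEPTH} levels")
    if not re.fullmatch(r"\d{2}", ous[0]):
        problems.append(f"top-level OU {ous[0]!r} is not a 2-digit agency code")
    if domain == "APPS" and len(ous) > 1 and ous[1].upper() not in APPS_SECOND_LEVEL:
        problems.append(f"second-level OU {ous[1]!r} is not the servers or service accounts OU")
    # Levels below the second are the "lower level" OUs the length limit applies to.
    for name in ous[2:]:
        if len(name) > MAX_LOWER_OU_NAME_LEN:
            problems.append(f"lower-level OU {name!r} exceeds {MAX_LOWER_OU_NAME_LEN} characters")
    return problems


# Constructed DNs for illustration; agency code 17 and the object names are made up.
EXAMPLES = [
    ("CN=ENCTCSQP001,OU=SQL,OU=Servers,OU=17,DC=APPS,DC=STATE,DC=PA,DC=US", "APPS"),
    ("CN=svc,OU=Reporting,OU=Apps,OU=17,DC=APPS,DC=STATE,DC=PA,DC=US", "APPS"),
    ("CN=jdoe,OU=Users,OU=PayrollApp,OU=17,DC=MUSER,DC=APPS,DC=STATE,DC=PA,DC=US", "MUSER"),
    ("CN=jdoe,OU=East,OU=Ops,OU=Users,OU=PayrollApp,OU=17,DC=MUSER,DC=APPS,DC=STATE,DC=PA,DC=US",
     "MUSER"),
]

if __name__ == "__main__":
    for dn, domain in EXAMPLES:
        print(dn, "->", check_ou_path(dn, domain) or "OK")
```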
AMT gives agencies delegated permissions over their OUs. An agency can administer only that portion of the directory that pertains to them (their own OUs). Since the MUSER.APPS.STATE.PA.US domain enforces tighter security policies, ESF Tools is the only supported means of maintaining user accounts in the MUSER domain. Submit a request for ESF personnel to configure ESF Tools access for the agency application.
Within the MUSER.APPS.STATE.PA.US domain:
- Agency Administrators can create, delete, or modify user and group objects and apply OU group policies to users. The agency provides the policy and ESF provides installation assistance.
- Authorized MUSER OUAdmins can use the ESF Tools website: https://www.esftools.state.pa.us/ to create, modify, and delete users within the agency's OU; create Commonwealth employee accounts and vendor accounts; reset passwords; and unlock accounts. However, the ESF Tools cannot change incorrectly-entered employee IDs.
- OUAdmins can also use the Active Directory Users and Computers Management Console Snap-in to perform various tasks.
OUAdmins can perform these roles with the ESF Tools and Active Directory Users and Computers Management Console Snap-in:

  Role                                                        ESF Tools   AD Users and Computers
  Delegate OU-App-OUADMIN membership                          X
  Enable/disable an account                                   X           X
  Create/delete/modify groups                                 X
  Create/delete/modify users                                  X
  Modify all properties of a user (reset password, group      X           X
  membership, and all other properties except Employee ID,
  SamAccountName, and FullName (CN))
3 Active Directory Rules of Engagement
3.1 RULES OF ENGAGEMENT OVERVIEW
This section discusses ESF Standards and aspects of service provided for the Active Directory.
3.2 NAMING CONVENTIONS
Naming conventions provide a standard approach to naming different objects within Active Directory and help to troubleshoot and locate objects. All objects also need a detailed description of use. A description field is available for all User, InetOrgPerson, Computer, Group, OU and Container objects within Active Directory. Naming conventions are as follows:
3.2.1 Server Names
When a server name is based on location, browsing or searching by the first part of the server name returns all servers from all agencies (for example, searching on BG returns all BG servers from all agencies). Since multiple agencies exist in the same location, use the two-digit agency code at the front of the server name to locate an agency's servers, rather than the location name.
As all new servers are built, the recommended naming standard is AALLLFEXXX, where:
- AA Agency code
- LLL Location code; for example: CTC Commonwealth Technology Center, WLO Willow Oak, CAM Cameron Street
- F Function code; for example: BT BizTalk, EX Exchange Server, IS Web Server, SQ SQL Server, AP Application
- E Environment; for example: T Test lab, S Staging, D Development, P Production, R Disaster Recovery
- XXX Unique number that increments based on use
The recommended cluster naming standard is Server nameSC(E)(XXX), where:
- SC Server Cluster
- E Environment; for example: T Test lab, S Staging, D Development, P Production, R Disaster Recovery
- XXX Unique number; for example: 001 (should be the same as the server's name)
If the application is hosted and managed by ESF, the predefined two-digit code is EN for Enterprise.
3.2.2 Service Accounts
As an agency has more applications hosted in the Application AD, more service accounts must be used for applications. The recommended naming standard is AASRFEXXX, where:
- AA Agency code
- SR Service account; for example: CTC Commonwealth Technology Center, WLO Willow Oak, CAM Cameron Street
- F Function code; for example: BT BizTalk, EX Exchange Server, IS Web Server, SQ SQL Server, AP Application
- E Environment; for example: T Test lab, S Staging, D Development, P Production
- XXX Unique number that increments based on use
If the application is hosted and managed by ESF, the predefined two-digit code is EN for Enterprise.
3.2.3 User Accounts
The Enterprise Server team performs an initial bulk creation of user accounts based on an Excel spreadsheet that the agency provides. Follow this naming standard for these accounts:
A user name has three parts: a first name, a last name, and a middle initial. Use these parts to construct a user account name where the variables are FirstName, LastName and MiddleName and <n> represents an integer number of characters of the variable from the left. For example, <5>Godzilla is equal to Godzi. If a particular user account name already exists, follow this list until a unique user name is found: 1 - <1FirstName>
infrastructure. Directory-enabled applications should reside in Co-Location or Managed Services for optimal directory accessibility and performance.
Certain server or service configurations such as IPSEC are required for all communication with the domain. Contact your AAM for details.
[Figure: Applications Residing in ESF Co-Location]
3.3.3 Applications Residing in Agency Location
Some agencies choose to house all of their servers in a location outside the physical and logical locale of the ESF. Agencies that need to leverage the enterprise architecture and have identified requirements to use the ESF Active Directory can leverage the ESF AD services across the network. This configuration requires careful planning and analysis to avoid unexpected problems. Agencies in this situation should contact their AAM immediately for further assistance.
Another Active Directory option for remote use of directory services is to distribute a domain controller to a remote site (decentralized domain controllers). The ESF AD is deployed and optimized for a high volume hosting environment and therefore requires architectural changes to accommodate a distributed architecture. Accommodating this requirement involves multiple design and facility considerations that an agency may or may not be able to fulfill. Some factors that affect the decision for decentralized domain controllers are:
- ESF AD design considerations for remote placement of domain controllers such as site topology/GC placement, replication latency, and secure network transmission
- ESF or agency access to physical remote domain controllers adds cost and risk to managing and securing the forest
- Post-deployment management and monitoring of ESF changes to domain controllers involves added complexity and cost
- ESF must actively manage the real available bandwidth or bandwidth guarantees from agency to ESF for Active Directory operations
This list demonstrates why decentralized domain controllers are the least preferred method and not a currently supported solution. However, the ESF is committed to addressing the emerging business needs of the Commonwealth.
If your agency requires a distributed domain controller or remote use of the ESF Active Directory, contact your AAM to request a consultation. Please include the nature of your request and all relevant information.
[Figure: Applications Residing in Agency Location]
3.4 ESF GROUP POLICY OBJECTS (GPOs)
ESF implements domain policies that include password, machine account, and user account policies. The agency maintains and applies group policy at the OU level in Co-Location. The current ESF domain policy for MUSER.APPS.STATE.PA.US is:

Policy | Default Setting | Setting | Configuration
Password Policy
Enforce password history | 1 | 6 | 24 is the maximum value
Maximum password age | 42 | 60
Minimum password age | 0 | 2
Minimum password length | 0 | 7
Password must meet complexity requirements | Disabled | Enabled
Store password using reversible encryption | Disabled | Disabled
Account Lockout Policy
Account lockout duration | Disabled | Account is locked out until Administrator unlocks it | Not applied to APPS domain
Account lockout threshold | Disabled | 5 | Account locked out after 5 failed attempts
Reset account lockout counter after | Disabled | 720 | Failed attempts reset after 12 hours
Audit Policy
Audit account logon events | No auditing | Success, Failure
Audit account management | No auditing | Success, Failure
Audit directory service access | No auditing | No auditing
Audit logon events | No auditing | Success, Failure
Audit object access | No auditing | Failure
Audit policy change | No auditing | Success, Failure
Audit privilege use | No auditing | Failure
Audit process tracking | No auditing | No auditing
Audit system events | No auditing | Failure
Security Options
Allow system to be shut down without having to log on | | Disabled
Restrict CD-ROM access to locally logged-on user only | | Enable | File servers may need to share CD-ROM
Restrict floppy access to locally logged-on user only | | Enable
Smart card removal behavior | No action | Force logoff
Event Log Policy
Maximum application log size | 512 kilobytes | 5056 kilobytes
Maximum security log size | 512 kilobytes | 10240 kilobytes
Maximum system log size | 512 kilobytes | 5056 kilobytes
Prevent Local Guests group from accessing application log | Disabled | Enabled
Prevent Local Guests group from accessing security log | Disabled | Enabled
Prevent Local Guests group from accessing system log | Disabled | Enabled
Retain application log | Not defined
Retain security log | Not defined
Retain system log | Not defined
Retention method for application log | As needed
Retention method for security log | As needed
Retention method for system log | As needed
Event Log ACL | Not configured | Enabled | Configure the Registry so that only domain administrators can clear event logs
System Services
Alerter | Automatic
Computer Browser | Automatic
DHCP Client | Automatic
Distributed File System | Automatic
Distributed Link Tracking Client | Automatic
Distributed Transaction Coordinator | Automatic
DNS Client | Automatic
Event Log | Automatic
IPSEC Services | Automatic
License Logging | Automatic
Local Disk Manager | Automatic
Messenger | Automatic
Net Logon | Automatic
Plug and Play | Automatic
Print Spooler | Automatic
Protected Storage | Automatic
Remote Procedure Call (RPC) | Automatic
Remote Registry | Automatic
Removable Storage | Automatic
Secondary Logon | Automatic
Security Accounts Manager | Automatic
Server | Automatic
Smtpsvc | Automatic
System Event Notification | Automatic
Task Scheduler | Automatic
TCP/IP NetBIOS Helper | Automatic
Windows Time | Automatic
Workstation | Automatic
Application Management | Manual
ClipBook | Manual
Network DDE | Manual
Network DDE DSDM | Manual
Remote Access Connection Manager | Manual
Rsvp | Manual
File System Policy
\Winnt and all subfolders | Administrators: Full Control; SYSTEM: Full Control; CREATOR/OWNER: Full Control; Domain Users: Read
\Winnt\Repair | Administrators: Full Control
\Winnt\System32\config | Administrators: Full Control; SYSTEM: Full Control; CREATOR/OWNER: Full Control; Domain Users: List
\Winnt\System32\spool | Administrators: Full Control; SYSTEM: Full Control; CREATOR/OWNER: Full Control; Power Users (w/s only): Full Control; Domain Users: Read
[log partition] | Administrators: Full Control; SYSTEM: Full Control; CREATOR/OWNER: Full Control; Everyone: None
Control Panel
Hide Screen Saver tab | Not configured | Not configured | Users should not be able to change the screen saver
Screen saver executable name | Not configured | Not configured | 32-bit logon screen saver
Password protect the screen saver | Not configured | Not configured | Password protection needed
Screen saver timeout | Not configured | Not configured
Terminal Services
Set time limit for disconnected sessions | Not configured | Enabled | End a disconnected session: 1 day
Set time limit for active but idle Terminal Services sessions | Not configured | Enabled | Idle session limit: 1 day
Terminate session when time limits are reached | Not configured | Enabled
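To confirm that a domain controller or member server actually carries the password, lockout, audit and event log values in the table above, an administrator can export its effective settings with `secedit /export /cfg <file>` and compare the exported security template keys against the ESF values. The following Python script is an added example, not part of the ESF document or of any Microsoft tool: it parses such an export and reports every key that differs from the policy. The sample export text is constructed, with four deliberate deviations; the key names are the standard security template names (audit values 0/1/2/3 meaning none/success/failure/both); only rows that map directly onto template keys are included, and the lockout duration (not applied to the APPS domain) is left out.

```python
import re

# ESF domain policy from the table in section 3.4, expressed with the key names
# that "secedit /export /cfg <file>" writes into a security template (.inf).
# The lockout duration row ("not applied to APPS domain") is deliberately omitted.
BASELINE = {
    "System Access": {
        "PasswordHistorySize": 6,
        "MaximumPasswordAge": 60,
        "MinimumPasswordAge": 2,
        "MinimumPasswordLength": 7,
        "PasswordComplexity": 1,    # complexity requirements Enabled
        "ClearTextPassword": 0,     # reversible encryption Disabled
        "LockoutBadCount": 5,
        "ResetLockoutCount": 720,   # minutes, i.e. 12 hours
    },
    # Audit values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
    "Event Audit": {
        "AuditAccountLogon": 3,
        "AuditAccountManage": 3,
        "AuditDSAccess": 0,
        "AuditLogonEvents": 3,
        "AuditObjectAccess": 2,
        "AuditPolicyChange": 3,
        "AuditPrivilegeUse": 2,
        "AuditProcessTracking": 0,
        "AuditSystemEvents": 2,
    },
    "Application Log": {"MaximumLogSize": 5056, "RestrictGuestAccess": 1},
    "Security Log": {"MaximumLogSize": 10240, "RestrictGuestAccess": 1},
    "System Log": {"MaximumLogSize": 5056, "RestrictGuestAccess": 1},
}

_SECTION_RE = re.compile(r"^\[(.+?)\]\s*$")


def parse_template(text):
    """Parse the [Section] / key = value layout of a template export into dicts."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        current[key] = value.strip('"')
    return sections


def _normalize(value):
    """Template values are strings; compare numerically when they are numbers."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return value


def audit_template(text, baseline=BASELINE):
    """Return (section, key, expected, actual) for every deviation from the policy.
    actual is None when the export does not define the key at all."""
    found = parse_template(text)
    findings = []
    for section, keys in baseline.items():
        present = found.get(section, {})
        for key, expected in keys.items():
            actual = _normalize(present.get(key))
            if actual != expected:
                findings.append((section, key, expected, actual))
    return findings


# Constructed sample export with four deliberate deviations: minimum password
# length 0, missing ResetLockoutCount, logon events success-only, and a 512 KB
# security log.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 60
MinimumPasswordLength = 0
PasswordComplexity = 1
PasswordHistorySize = 6
LockoutBadCount = 5
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 2
AuditLogonEvents = 1
AuditObjectAccess = 2
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
[Application Log]
MaximumLogSize = 5056
RestrictGuestAccess = 1
[Security Log]
MaximumLogSize = 512
RestrictGuestAccess = 1
[System Log]
MaximumLogSize = 5056
RestrictGuestAccess = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for section, key, expected, actual in audit_template(SAMPLE_EXPORT):
        print("[%s] %s: expected %r, found %r" % (section, key, expected, actual))
```

A real secedit export is written as UTF-16 text; read the file with that encoding before passing its contents to `audit_template`. A key that the export does not define at all is reported with `None`, which matters because an undefined value is inherited from whatever policy applies next, not from this table.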
3.5 ROLES AND RESPONSIBILITIES
This table outlines the administrative and management task responsibilities for ESF, Customer, and combined AMT and Customer. AMT has completed most of its responsibilities in setting up Active Directory.

Role/Responsibility | ESF Responsibility | Customer Responsibility
Domain Management
FSMO | X
Replication | X
Domain Policy | X
Password Policy | X
Schema Management | X
Group Policy (Common) | X
Domain Controllers
Maintain operating system | X
Apply service packs/security rollup packages/patches | X
Apply security templates | X
Disaster recovery | X
Deploy/Install DCs | X
OU Management
Create top level (Agency) OU | X
Permissions on top level | X
Create Secondary/Tertiary | X
Permissions on second and third level OUs | X
Create group policies | X | X (OU only for agencies in Co-Location)
User Management
Create users | X
Create groups | X
Modify users | X
Modify groups | X
Delete users | X
Delete groups | X
Create machine accounts | X
Delete machine accounts | X
3.6 MONITORING
Since Active Directory is such a critical component of the ESF infrastructure and the applications running in this environment, monitoring and managing Active Directory is essential to ensure the availability and performance of agency business applications.
ESF operations delivers an enterprise-class solution for operations management and monitoring of Windows servers, Windows infrastructure including Active Directory, and .NET Enterprise Servers such as SQL Server.
ESF manages critical functions to ensure that Active Directory services are operational and performing at a high degree of reliability. The Active Directory Health Indicators that ESF considers critical are:
- Ability for users to log on quickly to access network resources
- Quick response to LDAP queries
- Consistent data on all domain controllers
- Replication occurs within expected timeframes
- Quick response to correcting outages
- All role masters up and running
- Stable CPU usage on domain controllers
- Reduced WAN traffic
To monitor these AD critical functions, MOM uses these indicators to ensure ESF AD health:
- No errors or warnings in relevant logs such as AD, FRS, LSASS, and many more
- Replication latency
- CPU utilization
- Free space
- Disk queue length
- LDAP ping/query time
- Cache hit rate
- Role holder priorities
3.7 SECURITY
3.7.1 Windows 2
3.7.2 Windows Methods of Authentication
Windows methods of authentication through IIS are:

Method | Description
Anonymous | All users authenticate as the IUSR_machinename account. Use only for unrestricted parts of the site.
Basic | Basic authentication requests a user name and password for verification, but the user details are transmitted to the server in clear text. Security is not very good because the packets can be intercepted and credentials stolen. Security can be increased by using the Secure Sockets Layer (SSL), which provides a secure communication channel for the transfer of sensitive information.
Digest | Digest authentication requests a user name and password before allowing access to the restricted areas of a site. Digest authentication does not send the credentials using clear text as basic authentication does; instead it uses a hashing mechanism to encrypt the data before transmission.
Integrated | In integrated Windows authentication the user's NT domain or Active Directory service account is used for authentication. Since integrated Windows encrypts transmitted data, it is ideal for intranet solutions.
3.7.3 Certificate Authentication
Certificate authentication uses a certificate, or key, stored on the client computer to verify the user's identification. The certificate is automatically presented for authentication when a restricted resource is requested. If a certificate is not present, access is granted using the guest account. Certificates can be mapped to a single NT domain or Active Directory account (many-to-one mapping) or each certificate can be mapped to a separate account (one-to-one mapping).
3.7.4 Forms Authentication
Forms authentication uses a custom web page to request a user's logon credentials for restricted areas of a web site. The logon form does not perform user verification; it is solely for collecting authentication details. Custom code validates the user credentials against a data store for authentication. After the user has been authenticated, a token is returned. The token verifies the user for each subsequent access to a restricted part of a web site.
Use cookies or a custom mechanism such as a unique identifier in the URL query string or hidden fields to identify users after they have logged on.
3.7.5 Recommended Authentication Methods
We recommend these authentication methods:

Method | Description
Intranet sites | We recommend Integrated Windows authentication if the web site meets this criteria: All users have an NT domain or Active Directory account. Access is exclusively through Internet Explorer. No unrestricted areas exist.
Extranet sites | Any one of three forms of authentication are suitable if the web site meets this criteria: Users are from both internal and external sources. Some unrestricted areas exist. Suitable authentications are: Basic authentication, Certificate authentication, Forms authentication. Certificate authentication provides seamless authentication by allowing associated certificates to NT domain or Active Directory accounts. Certificate authentication is a very secure solution for sensitive data stored on the web site. Use forms authentication if you do not want to create NT domain or Active Directory accounts for your external users. We also prefer forms authentication if the cost of managing certificates outweighs the added security value. Basic authentication requests a user name and password for verification. SSL provides a secure communication channel for the transfer of sensitive information.
After a user is authenticated, verify access rights for the requested resource. If the resource is a file system resource such as a template file, check the ACL. If the user is:
- Listed in the ACL and has sufficient privileges to perform the requested function, grant access.
- Not listed in the ACL or does not have sufficient access privileges, deny access to the resource.
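The forms authentication flow in 3.7.4 (custom code validates credentials against a data store, a token comes back, and the token identifies the user on later requests) and the ACL check above can be seen end to end in the following Python code, an added example that is neither the ESF's nor any product's code. The signing key, the credential store, the ACL entries and the resource paths are constructed for the example. The point it makes is that the returned token must be unforgeable and must expire, because everything the ACL check decides rests on the user name the token carries, and that the ACL check is default deny: no entry, or an entry without the requested operation, means no access.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed signing key for this example. In a deployment it belongs in
# protected configuration; rotating it invalidates every outstanding token.
SERVER_SECRET = os.urandom(32)
TOKEN_TTL = 3600  # seconds a logon token stays valid

# Constructed credential store standing in for the agency's data store:
# user name -> salted PBKDF2 hash of the password (never the password itself).
_SALT = b"constructed-salt-value"


def _hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100000)


CREDENTIALS = {"jdoe": _hash_password("correct horse battery")}

# Constructed ACL for file system resources: resource -> user -> allowed operations.
ACL = {
    "/templates/report.tpl": {"jdoe": {"read"}},
    "/templates/admin.tpl": {"siteadmin": {"read", "write"}},
}


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, now=None):
    """Build the token returned after a successful logon: payload.signature."""
    now = time.time() if now is None else now
    payload = json.dumps({"u": username, "exp": int(now + TOKEN_TTL)},
                         separators=(",", ":")).encode("utf-8")
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return "%s.%s" % (_b64e(payload), _b64e(sig))


def verify_token(token, now=None):
    """Return the user name carried by a valid, unexpired token, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _b64d(payload_b64), _b64d(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # forged or tampered token
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:               # expired token
        return None
    return claims.get("u")


def login(username, password):
    """The custom code behind the logon form: validate, then hand back a token."""
    stored = CREDENTIALS.get(username)
    candidate = _hash_password(password)  # always hash, so unknown names cost the same
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    return issue_token(username)


def authorize(token, resource, operation, now=None):
    """Default deny: grant only when the token is valid and the ACL lists the
    user with the requested operation on that resource."""
    user = verify_token(token, now)
    if user is None:
        return False
    entries = ACL.get(resource)
    if not entries or user not in entries:
        return False                          # not listed in the ACL
    return operation in entries[user]         # listed but maybe insufficient privilege


if __name__ == "__main__":
    tok = login("jdoe", "correct horse battery")
    print(authorize(tok, "/templates/report.tpl", "read"))   # True
    print(authorize(tok, "/templates/report.tpl", "write"))  # False
    print(authorize(tok, "/templates/admin.tpl", "read"))    # False
```

Whether the token travels in a cookie, a query string identifier or a hidden field, the server side is the same: verify the signature and expiry first, then consult the ACL. A query string or hidden field exposes the token in logs and referrers more readily than a cookie does, which is one reason to keep its lifetime short.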
3.7.6 Application Security
PALogin Application
External constituents must have a PALogin account to have access and single sign-on to all ESF web sites. Accounts that use PALogin to login to the state websites are housed within the USER.APPS.STATE.PA.US domain. This domain does not have any account restrictions such as lockouts, minimum password length, or password strength. The constituents manage these accounts (for example, changing a password). These Internet user accounts do not have any access to the internal PA.LCL environment.
4 Active Directory and Application Development Resources
This appendix summarizes important references to Active Directory concepts and components.
4.1 ACTIVE DIRECTORY RESOURCES
Designing and Deploying Directory and Security Services: http://technet2.microsoft.com/windowsserver/en/library/d2ff115-1712-48e4-acdc-8cae1b5
4.2 APPLICATION DEVELOPMENT RESOURCES
The Active Directory provides rich support for locating and working with AD objects. Review these links to documents, sites, and sample code that help with the deployment, administration, and development of applications built upon Active Directory, Active Directory Service Interfaces (ADSI), and Directory Services.
Active Directory Schema: http://msdn2.microsoft.com/en-us/library/ms674
5 Appendix A: Schema Management Process
The ESF works closely with and participates in the Architectural Standards Committee (ASC). The ASC works with agencies to understand evolving business requirements and helps to leverage, protect, and extend the existing Commonwealth infrastructure. This document describes Active Directory as it exists today in ESF. The AD product and AD in the Commonwealth (CWOPA) is vastly more complex and encompassing.
When you think about the schema, remember:
- Schema changes are global. An entire forest has a single schema that is globally replicated. A copy of the schema exists on every domain controller in the forest. When you extend the schema, you do so for the entire forest.
- Schema additions are not reversible. When a new class or attribute is added to the schema, it cannot be removed. An existing attribute or class can be disabled but not removed. See Disabling Existing Classes and Attributes at http://msdn2.microsoft.com/en-us/library/ms675
Recommended