Upload
adam-getchell
View
3.613
Download
4
Embed Size (px)
Citation preview
UC Davis Active Directory/Unified Communications Design Whitepaper
Adam Getchell, College of Agricultural & Environmental Sciences
Executive Summary The budget crisis our University is in challenges us to simultaneously increase our efficiency while
lowering our costs. The campus IT infrastructure can play a pivotal role in achieving these objectives.
As such, a confluence of events (budget, aging infrastructure, rollout of a central Active
Directory/Exchange system (uConnect) presents a once in a decade opportunity to replace aging
systems with an infrastructure that serves the campus in the future, in a way that consolidates disparate
silos and provides uniform, high-quality service to the students, faculty, and staff of UC Davis. We can no
longer afford to run needlessly parallel systems (DNS, Kerberos, LDAP, email, calendaring, VoIP, etc.)
based on different operating systems and platforms when uConnect, if implemented properly, has the
potential to provide these services and more while eliminating the costs of running an entire duplicate
infrastructure.
Problem: UC Davis continues to operate in a distributed computing environment where each unit invests
heavily on duplicate services that fail to integrate with each other. Furthermore, these aging systems
were designed to solve the computing problems of the 20th century and fail to take advantage of current
computing trends, such as cloud computing, public key infrastructure, Voice-over-IP, and so forth, that
can provide cost savings and enhanced services to our community.
Furthermore, the staff of the current infrastructure are in the same silos as the systems they support.
The costs of staffing and running these services and infrastructure as-is may exceed the costs of
provisioning an updated and integrated infrastructure designed with current and future capabilities in
mind.
Solution: An IT Infrastructure for the entire campus that supports the goals of the Organizational
Excellence initiative1 should be constructed using the following principles:
Full-featured services (easy to use for clients)
Flexibility (allow room for clients to implement services not original to the design)
Interoperability (support Windows, Mac, Linux)
Stability/Security (follow best practices)
At a minimum, the infrastructure should support the following services for the campus:
A secure computing infrastructure
o Reliable, integrated network services (Domain Name System, DHCP, etc.)
o Secure account and password management (e.g. Kerberos)
o Public Key Infrastructure (e.g. SSL certificates for websites, digital certificates for email,
users, computers, etc.)
o An electronic directory of services that can be used to automatically discover new
systems and services (DDNS, web services, etc.)
o An electronic directory of people that can be used to automatically lookup attributes
and roles (e.g. email address, calendar availability, application role)
o Single-sign on to University resources such as email, Banner, DaFIS, Kuali, WhitePages,
web applications such as Timesheets and Recruitments, and partner applications such as
UCOP’s At Your Service using identity federation (e.g. Shibboleth)
o Accessibility to services from a wide variety of devices, including workstations, laptops,
mobile devices, and media consumption devices such as the iPad and tablet computers
Unified Communications
o Email
o Calendar
o Voice-over-IP telephony (with interoperability with other systems, e.g. Skype)
o Voicemail (available on email)
o Electronic FAX
o Instant Messaging (with interoperability with other systems, e.g. GoogleTalk, AIM)
o Audio/Video/Web-conferencing
o Electronic document management and collaboration (e.g. SharePoint) to make progress
towards the paperless office
Adherence of subscribers to the basic Cyber-Safety requirements
o Software patching and updates
o Anti-virus software
o Reduction of non-secure network services
o Robust authentication
o Protection of Personal Information
o Network firewalls
o Physical security for critical infrastructure
o Elimination of open mail relays
o Provision of secure off-campus access to electronic resources (e.g. Virtual Private
Networking)
o Auditing of critical infrastructure
o Disaster recovery for critical infrastructure
o Web Application Security
No solution can be complete without considering staffing. A federated approach, which combines the
efforts of folks in Information and Educational Technology with those IT staff in the colleges, schools,
departments, and organizations, would be the best option for UC Davis. The current collaboration of
ARM, CA&ES, and IET technical staff on the current uConnect project provides an example; such
collaborations should become the rule, rather than the exception. Strong collaborations and formal
working relationships between centralized units and local units allow the innovation, specialized
knowledge, and business needs of unit staff to be integrated into the operations of the critical
infrastructure balanced with best practices.
These services touch every aspect of business done at the university, and provide a platform for future
IT initiatives. The current state of the university requires that changes be made immediately to increases
efficiency. This proposed design is a significant step towards providing a common set of uniform tools
to enable productivity across all of the University’s functional domains for faculty, students, and staff.
Implementing this solution will result reduce duplicate services and save money.
Introduction
Audience
This paper is addressed to the executive decision makers, MSOs, managers, and technical staff in the UC
Davis community.
What this whitepaper is
As a whitepaper, it proposes a unified, best practices design for a campus-wide Active Directory and
Unified Communications system based on a set of principles. These principles provide guidance towards
providing a full-featured set of campus services that also provide a measure of cost-savings compared to
the existing campus technology infrastructure.
What this whitepaper is not
This whitepaper does not attempt to address comprehensively:
Total cost for client systems
Cost analysis for the large, central components of this architecture has been done elsewhere2; the
reader is encouraged to consult these and other references. Due to the nature of campus software
purchasing, and in particular the Microsoft Consolidated Campus Agreement, client software (e.g.
Client Access Licenses) have traditionally been purchased at the unit/department level3. Units have
always traditionally been able to opt into or out of such purchasing agreements, and alternative
models are not considered here. However, the campus as a whole will save the costs of purchasing
many server software components with the advent of the centralized system described in this
whitepaper.
This whitepaper is organized as follows:
Design describes the design of each of the major parts in the UC Davis Active Directory / Unified
Communications system. Many of these parts are interdependent, and require other services to
function properly.
Implementation identifies the critical path with the order of overall steps for dependent services.
Discussion recaptures the purpose of the changes in terms of services added, cost savings, and other
factors. It attempts to answer some of the questions that this project raises.
Glossary gives a brief description of the technical concepts discussed in this design. It may be skipped by
knowledgeable readers.
The Vision Consider the following use-cases that such a system might provide:
A student wishes to double major in another college. She goes online and fills out the change of major
petition and submits it to a web-based document management system using her UC Davis credentials.
The system notes that the student is an undergraduate; so it does not route them to the online
application for admission to a new graduate program, but goes instead to the Dean’s Office of the
originating college for approval. The counselor gets an email notification and logs into the document
management system to review the student’s records and other files. Noting that the student is in good
standing (on the Dean’s honor list) and on-track to graduate, he approves the request; it is then routed
to the new college (where it is checked automatically for fulfilled prerequisites), and finally to the
Registrars. Upon approval by the Registrar’s Office, the student receives an email that their change of
major has been granted, along with the contact information of the student’s new major advisor. The
student has also been automatically added to mailing lists for the department housing her new major.
A graduate student wishes to access the new compute cluster that his advisor has just recently
subscribed to. He goes to the cluster web page and fills out the access form online, which is routed to his
advisor for approval. In the background, the PI has a digital certificate associated with her email account,
so when she sends his approval the routing application can verify that she’s the originator of the
message as it goes to the help desk ticketing system for the cluster. The ticket system notes the approval
and emails the graduate student the directions for creating an SSH public/private keypair and uploading
the public key to the campus LDAP directory. After the graduate student does this, he replies to the help
desk email. The cluster admin reviews the ticket system, adds permission for the graduate student’s UC
Davis credentials to login to the cluster, and closes the ticket. Upon closure, the help desk ticket system
sends an email notifying the graduate student that he now has access to the cluster. He opens his SSH
client and logs in automatically using his Kerberos ID and SSH key.
A professor on sabbatical has a year-long adjunct appointment at a prestigious university overseas. She’s
working on a paper with collaborators back home, so she logs into the web front end of the document
management system using her UC Davis credentials, and notes that her collaborator has checked-in
changes to their paper. She compares the new changes with the previous version, and after annotating a
few comments decides a more in-depth discussion is required. She opens her email client and begins
composing a long message, but midway through her email client signals that her collaborator is online
and available to chat. They open an IM session, which becomes so productive that they decide to talk in
real-time using video and voice calling. Her collaborator wants to bring in one of his graduate students
working on a paper that illustrates one of his changes, so they invite him to the conference call and open
up an online whiteboard, where they discuss his paper with respect to hers.
These are just a sample of the possibilities that an integrated, robust IT architecture can provide to the
campus. So how do we get there while saving costs?
Design The principles behind a UC Davis Active Directory / Unified Communications system are:
Full-featured services
The services must be easy to use by the clients, requiring minimal technical configuration and time to
use.
Flexibility
While the infrastructure provides the basic services that most clients will need, it must also be flexible
enough so new features can be developed and added as needed. This approach allows room for clients
to implement services not original to the design.
Interoperability
The services should be usable across the broad range of computing platforms on campus, including
Windows, MacOS, Linux, and mobile devices. Equivalent support should be provided to a client,
regardless of choice of platform.
Stability/Security
Central systems should be reliable and dependable, with uptimes of greater than 99.9%. The systems
should be administered using industry-standard best practices, and systems security should be a top
priority. Excessive outages and security incidents hurt both the productivity and reputation of the
University.
Cost-effectiveness
The systems should be evaluated for fiscal efficiency and designed using commodity components
wherever possible. New trends in cloud computing, consumerization of IT, and mobile devices should be
evaluated with an eye towards delivering service efficiently at minimum possible cost, balanced against
the other stated principles.
The proposed design of a UC Davis Active Directory / Unified Communications system has many dynamic
components. These will be described below:
Active Directory
[Late-Breaking Note: The IT-Infrastructure Futures committee which convened May-October of 2011 to
discuss some of the suggestions in this paper, recommend that the campus pursue the Single-Forest
Single-Domain model. However, the following prescription is kept intact for discussion purposes, and
details of the Single-Forest Single-Domain model are examined below.]
The proposed model for the UC Davis Active Directory design is a single forest, multi-domain model with
the following features:
An empty root domain: to isolate critical Enterprise and Schema Administrators from all other
accounts
An account domain: to isolate user accounts from the domains that provide services, and allow
for easier scripting against a single account domain
A resource domain: to isolate services such as Exchange and Lync from member domain/OU
computers
A departmental domain?
These principles are based on the concept that a domain is a security boundary within Active Directory
intermediate between a forest and an organizational unit (OU). OUs may be a good fit for many units,
but provide less separation than domains.
Other models considered:
Multiple forests: A forest is a stronger security boundary than a domain. The tradeoff is that
services are more difficult to provision. Setting up Microsoft Lync across multiple forests
requires redundant Lync implementations for each forest4 and results in duplicated work for
Network Operations Center personnel.5 Network Authentication Control may not be workable if
hardware switches are unable to talk to multiple Network Policy Servers in different forests.
Single forest single domain: This is workable for large centralized organizations, but probably
does not mesh with the university culture. The advantage of this model is its simplicity. The
disadvantage is that there are no security boundaries protecting a unit from another rogue unit
in the domain, and it would be difficult to provision disparate security policies at the OU level. In
particular, each School/College/Organization may have different enforcement of Cyber-Safety
policies, as those decisions are delegated to the Deans and Vice-Chancellors. Finally, OUs have
disadvantages compared with domains, and some UC Davis units have already requested
separate domains. Removing this option might make the service less able to address client
needs.
The AD design as described offers some important features that specifically address the principles of
full-featured, interoperable, stable, secure, cost-effective service. As well, it enables custom
applications to be developed to address unit specific needs.
Examples of custom applications that have previously been developed but cannot be leveraged by
other units due to a lack of a flexible infrastructure are as follows:
CA&ES has developed an application which checks Banner for student enrollment, assigns
students enrolled in a particular class into an AD group, and then assigns that AD group to
the logon properties of particular computer labs. The result is that students enrolled in a
course can be automatically provisioned to have login privileges (which can be controlled by
day/time) to certain computers for a certain length of time (e.g. a quarter).
L&S has developed an application that imports/writes important administrative and
academic dates to user’s calendars to publish items such as Instruction beginning, Payroll
compute, University observed holidays, and so forth.
Integration between DavisMail (the student email system powered by Gmail) and uConnect can be
accomplished using SAML and the Google Apps APIs.6
Microsoft’s Live@Edu / Office 365 for Education service sets up federation between a user domain
(typically campus.ucdavis.edu) and the hosted services: Microsoft Office, SharePoint Online,
Exchange Online, and Lync Online.7 It allows for the possibility of going to a cloud-based service
offering on uConnect if that is deemed desirable.8
Many more applications and services of this nature are possible, and a structure which provides the
flexibility to write them should be provided.
To efficiently write such applications, user objects need to be in a central, well-known container (i.e.
the account domain) so that slow directory traversal calls are avoided.
Domain Name Service
Domain Name Service is a foundational piece of the internet. Many security issues are present which
require careful attention.9 Active Directory is based upon Dynamic DNS. Best practices with respect to
Active Directory and DNS are:
The DNS name of the forest is the DNS name of the organization (ucdavis.edu)10
DNSSEC should be implemented
DKIM should be implemented
The advantages for making the DNS name of the forest ucdavis.edu are:
A broad range of services register SRV records, including some that enable easier client
configuration, such as Autodiscover11 (which automatically connect Outlook clients to Exchange
mailboxes) and SIP (for Lync clients). Clients can automatically find these services via DNS query
Kerberos realm coincides with user logon name and the user principle name (UPN)
The Certificate Server (cf. Public Key Infrastructure) can be made authoritative for the
forest and all users therein
DNS names are so central to services populating Active Directory that one cannot do a DNS rename
operation once Exchange 2007, Exchange 2010, Microsoft Office Communications Server 2007R2, or
Microsoft Lync 2010 has been installed.12
The current uConnect root forest name is ad3.ucdavis.edu. As uConnect has Exchange 2010 and
OCS 2007R2 running, it cannot be renamed to ucdavis.edu. Therefore, a migration or some other
replication (e.g. forest-forest trust) must be done to get uConnect users into the new system.
Current migrations to uConnect, using automated tools have some tricky spots. This possibility was
noted when discussions first began on Xeda/uConnect implementation for the campus. However, given
the potential client base (~5,000 currently in uConnect versus several times that number for the campus
at large) and commitments that early adopters would be willing to tolerate disruptions for the benefit of
the campusi, the logical choice remains to continue forward with a design that benefits the entire
campus versus minimizing turmoil for early adopters. (Note that keeping the existing uConnect forest
sets up a multi-forest model, which is suboptimal (cf. Active Directory).)
To implement this change, the new Active Directory DNS servers will need to be brought up alongside
the existing Unix DNS servers. DNS zone transfers would be conducted to synchronize records between
Unix and Windows DNS, and the Infoblox tool (which is already compatible with AD13) would be
configured to write changes to Active Directory in addition to the existing Unix servers. Finally, after
sufficient use and confidence has been developed (incorporating input from Linux and MacOS users) the
Unix DNS servers would be turned off and the AD DNS servers would perform all DNS based functions.
Once this step was completed, the next exercise would be to configure AD DNS for DNSSEC, which is
straightforward.14 Units that wish to maintain their own DNS servers should be provided a mechanism to
register in DNSSEC.
Finally, DomainKeys Identified Mail should be implemented for Exchange. DKIM provides for a means of
cryptographically validating the domain name associated with an email; it allows organizations to
efficiently filter some types of spam email. It will be discussed in further detail below.
Dynamic Host Control Protocol
Campus DHCP services are currently provided by Infoblox. Some units still manually address and/or run
their own DHCP services.
Once the campus goes to IPv6, DHCP is not needed to assign addresses, as clients can automatically
configure their own IPv6 address without risk of collision (64-bits of the IPv6 address are assigned by the
clients themselves, which is twice the total count of IPv4 addresses possible in the Internet). However, it
is still useful to assign other information in DHCPv6, in particular, the IP addresses of the local DNS
servers.
Because services register with Active Directory’s Dynamic DNS servers, a DNS server becomes a catalog
of services that client computers can use to find applications, in the same way that the LDAP directory is
a catalog of people.
i Initial meetings with Xeda Steering Committee on 1/12/2010; many subsequent further discussions
Windows Vista clients and later include DHCPv6 clients, and Windows Server 2008 includes a DHCPv6
server and relay agent (used to relay DHCP messages from DHCP servers).15 A robust system of DHCP
servers scaled for campus will work together with Dynamic DNS servers to make campus applications
easy to find and use automatically by clients.
Kerberos
All faculty, students, and staff are eligible to obtain Kerberos accounts which authenticate to the central
campus Kerberos servers. A first step for using many applications developed on campus is obtaining a
Kerberos account.i
In turn, the campus has a user/password management system, more than two decades old, which
handles the provisioning and maintenance of client login accounts and passphrases to/from the
Kerberos servers to other systems needing this information. Finally, there are a variety of shadow
systems which takes direct dumps of user logins and password plain-text equivalents in order to
integrate their services with the existing Kerberos system.
The shortcomings of the existing system can be immediately addressed by taking advantage of the
Kerberos Key Distribution Center (KDC) built-into Windows AD Domain Controllers (DCs). The distributed
nature of Windows AD DCs provides reliability equal or superior to the existing system (e.g. there will be
more Windows DCs in the new system than there are Kerberos KDCs in the current system), and
Kerberos integration is automatically built-in to Active Directory clients, eliminating the necessity for
shadow systems.
Standard practice is to make the Kerberos realm the domain name.16 As this will be the case for the AD
forest ucdavis.edu, the mapping of hostnames onto Kerberos realms17 will be automatically handled
via DDNS, and AD clients will be able to automatically locate Kerberized services.18 Because Kerberized
services running elsewhere are not automatically viewable, services that are intended to be available
domain or forest-wide should use the Windows KDCs (which can be further assisted by using the
Subsystem for UNIX-based Applications in Windows Server 200819).
To implement this change, the Windows KDC would be populated with the accounts in the existing Unix
KDCs. This requires a passphrase reset, and has already been done on the uConnect DCs. It would be
done for the new Windows KDCs, avoiding the pitfalls that cropped up in the uConnect migrationii. After
sufficient use and confidence has been developed (incorporating input from Linux and MacOS users) the
Unix Kerberos servers would be turned off and the AD KDCs would perform all Kerberos login
authentications.
Active Directory Certificate Services, SSL, and Public Key Encryption
i Thanks to Megan Richmond for pointing this out. ii For example, small subsets of users were unable to login due to conflicts with previous uConnect account
information.
A Microsoft Certificate Server is a server acting as a Certificate Authority (CA) for the forest. Many
applications require a properly set-up CA.
A certificate is only as good as its chain of trust.20 The trust anchor for the digital certificate is the Root
CA.
The best practice setup for the campus CA isi:
1. Obtain an Intermediate CA certificate for the campus CA from a certificate authority such as
Verisign21 or InCommon (if they are capable of handling it)ii
2. The certificate server with the Intermediate CA certificate becomes the campus CA with a
complete Trust Chain
3. Templates are created on the campus CA to provision several Issuing CAs to perform certificate
server functions
4. The campus CA is taken offline, and optionally, locked in a safe. Because the campus CA has the
only Intermediate CA certificate, it is the only server which, if compromised, allows
impersonation of all certificates issued by the Issuing CAs for the ucdavis.edu domain.
5. The Issuing CAs perform all certificate requests
6. A separate web server/file server system is kept to store the revoke certificate list. Because
access to this system is required by the Issuing CAs before they will startup, this system should
be redundant
7. The campus CA is only ever brought online to define new templates for Issuing CAs or re-
authorize Issuing CAs when their certificates have expired (i.e. yearly)
A working example follows.
The campus CA, certroot.ucdavis.edu, has the Intermediate CA certificate for ucdavis.edu
(signed by a Root CA such as Verisign or InCommon) installed. It is now authoritative for
ucdavis.edu, and can issue digital certificates with the trust chain intact all the way to the Root CAs
(Verisign or InCommon).
Two issuing certificate servers, cert1.ucdavis.edu and cert2.ucdavis.edu, are brought
online and authorized by certroot.ucdavis.edu. Before they will successfully start, two
webservers, revokedcert1.ucdavis.edu and revokedcert2.ucdavis.edu, are also
brought online and setup with the revoked digital certificates list (initially empty).
Then certroot.ucdavis.edu is physically shut down (and locked away), and only revived to re-
authorize cert1.ucdavis.edu and cert2.ucdavis.edu when their authorizations expire
yearly.
i Special thanks go to Uwe Rossbach for sharing his research and experience on this topic. ii Experience with InCommon so far has shown some difficulties in getting SSL certificates properly issued;
InCommon seems to have marketing but limited technical support and no CA.
As revokedcert1.ucdavis.edu and revokedcert2.ucdavis.edu are up and running,
cert1.ucdavis.edu and cert2.ucdavis.edu readily startup and begin issuing digital
certificates for Exchange, Lync, VPN, and many other services.
The benefits of this system are:
The campus CA is protected from compromise
Microsoft Lync can be setup and installed
VPN and NAC/NAP can use user- or computer certificates to verify identities
Encrypting File System (EFS) can be turned on for all file servers in the campus Active Directory
Campus websites can easily request SSL certificates.
o Client web browsers with root CA certificates pre-loaded automatically fully trust
ucdavis.edu Secure Sockets Layer (SSL) websites with no additional work22
Clients can request certificates to use for email encryption.
Clients can request certificates to use for email digital signatures
o Applications can be written using workflow incorporated with digital signatures.23 A
purchasing application can be confident that an email from a buyer approving a
transaction is really from that buyer
Applications can make use of Code Signing.24 Code Signing uses digital signatures to prove the
authenticity of an application. Clients using that application can be confident of its origins
Lightweight Directory Access Protocol services
Currently, campus is provided with LDAP services integrated with a custom application which allows for
directory entries to be marked public or private, as desired. These entries are then published, subject to
these rules, on websites and used by other applications which need directory information.
LDAP is also provided by Active Directory, and is integrated into AD services in a way that a standalone
LDAP system is not, while still providing interoperabilityi with LDAP clients from multiple vendors.25 26 27
As an example, setting the “Manager” attribute in AD does several things:
In Outlook 2010, when viewing Calendars the “Team:” view automatically lists all subordinates
In Outlook 2010, the “To Manager” Quickstep automatically addresses the Manager
In SharePoint, workflow routing to supervisor makes use of the Manager attribute
The last point is significant because SharePoint contains the Windows Workflow engine, which allows
clients to create simple, graphical rules to route Microsoft Office documents amongst each other using
the built-in organizational chart that is present in AD using this attribute. Moreover, any .NET application
using Windows Workflow can also take advantage of this, as can any LDAP-aware application. An
effective, locally controlled enterprise-wide organizational chart is available just by using this property.
i A key issue is multi-value support, such as multiple addresses per user. Both Microsoft documentation and “in the field” reports indicate this is supported, see Endnotes.
Because many kinds of information can be added as additional attributes28 to LDAP, there are a variety
of additional applications29 which are opened up by the presence of an easily accessible directory of
people, the most important of which is authentication.
LDAP supports an extended operation called Password Modify.30 This, along with proper security
procedures (such as disallowing anonymous access to this and other key operations), allows LDAP to be
used as a replacement for the Central Authentication System (CAS). Note that LDAP is already being
used to handle wireless network authentication, i.e. MoobileNet/MoobileNetX.31
CAS is currently used on campus to authenticate web applications. It has a history of some instabilityi,
and moreover requires additional dedicated hardware to run in a robust, load-balanced manner. Using
the AD LDAP servers in the ucdavis.edu forest immediately provides stability and load-balancing, and
allows for CAS to be retired.
LDAP authentication is supported on a number of popular programming languages/web platforms:
.NET32 33
Java via the Java Authentication and Authorization Service34 and JaasLounge35
Cold Fusion 36
PHP 37
Perl 38
Python 39
Smartsite 40
Plone 41
Drupal 42
Hannon Hill Cascade Server 43
Atlassian Confluence 44
Oracle45 46
LDAP supports other authentication methods. Public keys can be distributed and authenticated using
LDAP.47 If a user has in their possession a USB key or hardware token with their private key, they will be
able to authenticate using SSH if the public key is published in LDAP. One use case would be for cluster
computing users; in clusters managed by Computational Science and Engineering, researchers gain
access to cluster resources (logins, batch queues, etc.) via SSH and public/private keypairs. Public-key
cryptography is robust authentication mechanism that is superior to passwords48; those services
wanting extra security would be able to use this if LDAP is correctly provisioned. As hardware tokens
become more prevalent (e.g. in smartcards) efforts would be made to support this more robust, two-
factor authentication scheme. Certain systems currently in use using hardware tokens could be migrated
to public-key cryptography.
To implement this change, a timetable should be published to the campus technical community
outlining the changeover schedule and resources available to convert existing web applications over to
i Last outage was August 18
th, 2010. Last unsuccessful upgrade was October 8
th, 2010.
LDAP or Shibboleth authentication (cf Single Sign On). Efforts should also be made to accurately
update the directory with business and other information, such as public keys and user password hashes
(LDAP stores a one-way hash of passwords to prevent compromise of the LDAP database from affecting
users49), that would be used for business process flow and authentication respectively. Value-added
projects, such as WhitePages, or applications that enable easy entry of business data, could be rewritten
to facilitate easy and accurate entry of useful directory information.
After an appropriate sunset period (no more than 2 years are recommended), CAS would be turned off
and the systems retired. Concurrently, as new services were developed based on LDAP (e.g. organization
charts, workflow, and public-key authentication) these would be released to the community along with
information on how to take advantage of these new services.
It’s worth noting that CAS can use AD/LDAP as an authentication backend.50 i Retiring CAS is not a
necessity, but it does save the infrastructure/staffing costs to run a system that is less redundant than
the backend services (LDAP) it is using.
Single Sign On
Integrating Kerberos, LDAP/Shibboleth authentication, and a public-key distribution system along with
Active Directory effectively gives users Single Sign On for services within UC Davis. Taking this a step
further to integrate with enterprise services outside of UC Davis, such as At Your Service51, involves
incorporating Shibboleth, an open-source implementation for federated identity-based authentication.52
Shibboleth 2 now incorporates interoperability with Microsoft Active Directory.53 Organizations such as
CampusEAI provide the myCampus Single Sign-On widget54 to allow users to sign into applications such
as Microsoft Exchange, Google Apps, Microsoft Live@EDU, Zimbra, Sakai and many others across
organizational boundaries one time. Regardless of which solution is chosen or developed, the existence
of these services should spur adoption of a solution as soon as feasible.
Exchange
Email and calendaring are fundamental to business operations, and should be properly resourced. What
are “proper resources”?
Exchange 2010 has raised the limit of items enumerable in a single folder to 100,00055, and reduced I/O
operations by nearly 70% with respect to Exchange 2007.56 Best practices for individual mail storage
are57:
Primary mailbox of not more than 10GB
Archive mailboxes of up to 10GB58 (as many as desired)
No use of offline personal archives (.PST)59
Based on these practices, a suggested pricing model for Exchange is:
i Thanks to Jeremy Philips for pointing this out.
Baseline usage mailbox for free (e.g. 2GB), to cover existing Cyrus users and units that find
Cyrus’ no cost and low capacity attractive
Additional mail costs not in excess of current hosted Exchange providers ($5/month/user60) 61 62
Archive mailboxes assessed at less cost than primary mailboxes
The traditional concern that large user mailboxes will make backup/recovery operations difficult is
resolved by Exchange 2010 SP1, which allows repair/recovery of individual mailboxes without taking
down the entire mailbox database.63
By making the Exchange mail service free for a certain level of service (and opening up Outlook Web
Access for web browser-based clients or IMAP/S for alternate clients such as Thunderbird; Apple’s
Mail/iCal/Address Book already ties directly to Exchange64), the current Cyrus mail users can be
migrated off of those aging systems and savings can be recouped from the staff and infrastructure
resources used to run Cyrus.
Once Cyrus users have been migrated, the rest of the campus can be moved onto the new mail system.
A proposed order of migration is listed in Implementation.
When everyone on campus has either a mailbox or a contact, the full capabilities of Exchange can be
used. Mailing list management can be moved to mail groups in Exchange. Web applications can be
developed (CA&ES, L&S, and the Law School have already written several) which leverage Exchange web
services to provide for automatic calendaring/appointments, automatic class list creation, room
scheduling, and so forth. These applications provide rich additional functionality.
Consideration should be made on whether it is worthwhile to retain mailing-list only systems such as
Sympa, which has a rich list of features65, but may or may not provide significant value-add compared to
developing applications from Exchange Web Services.66
DomainKeys Identified Mail
DKIM is actually independent of DNSSEC, but is included in this discussion because most
implementations of DKIM use DNSSEC. Several vendor solutions for DKIM on Exchange are present, such
as Axway67, which also provides a Spam filtering solution. Implementing a vendor DKIM solution such as
Axway would provide for greater email security as well as cost-savings associated with retiring the
current campus SpamAssassin system, which has some undesirable traitsi.
Microsoft Enterprise Voice ii
i Bulk-mail sent from reputable sources is almost always flagged as spam due to overly sensitive rules as currently configured on SpamAssassin. ii Special thanks go to Shuka Smith for sharing his research and experience on this topic.
The campus voice network is currently served by the Sonus network68, which provides service for
campus landlines, emergency services such as 911, and voicemail. There are also hooks for the Pinnacle
billing system, which is used by Communications Resources to bill phone use.
As of the release by Microsoft of Lync 2010 (formerly Office Communications Server), Lync provides the
capability to directly connect to a PSTN69, reducing the need for the Sonus network. In particular, the
current EVM system for electronic voice mail can be replaced by the transcription and storage
capabilities of Lync delivered to the Exchange mailbox, and it may prove simpler to use the built-in IP-
PBX capabilities of Lync.
uConnect is currently running Office Communications Server 2007 R2. There are three drawbacks of this
system, as implemented:70
1. The certificates used are self-signed (thus a broken trust chain )
2. OCS 2007 R2 does not have PSTN connectivity, and must rely on the Sonus cloud
3. The DNS SRV record for OCS on uConnect is _sip._tls.ad3.ucdavis.edu, which is not
discoverable by clients on the ucdavis.edu namespace.
The design proposed by this paper fixes the aforementioned three issues in the following ways:
1. Certificates are obtained from cert1.ucdavis.edu with a complete trust chain
2. Lync 2010, due 11/17/2010,71 is used, providing PSTN connectivity
3. The forest DNS name is ucdavis.edu, thus the SRV record is _sip._tls.ucdavis.edu,
discoverable by all clients on ucdavis.edu.
In addition, further cost-savings would be realized when Sonus is retired, as its duties are handled by
Lync.
Retiring Sonus would be a complex project, further complicated by the requirements of the Pinnacle
billing system. Analog phone service must continue to be provided until the last subscriber opts out.
Nonetheless, the way forward is to use existing and future telephony systems (including billing and
rates) based on software, SIP, and IP-based phones, and phase out older systems as soon as possible.
Document Management with SharePoint
Several document management systems already exist on campus, and document management itself can
be defined in many ways. Microsoft SharePoint 2010 provides the following capabilities72:
Accessibility, upon proper authentication, from anywhere with an Internet connection
Complete integration with Active Directory, Exchange, and Lync.
Complete integration with Microsoft Office (e.g. Word, Excel, PowerPoint, Outlook, OneNote,
Access) and Adobe PDF
Versioning, checkout, rating, and tagging for multi-user collaboration
Rule Based Submission (e.g. automatic movement of submitted documents to particular
libraries)
In Place Records Management for retention and eDiscovery
Metadata validation, indexing and management
Integration with cloud-based office suitesi
Ability to integrate with document-scanning solutions and manage electronic images of paper-
based information73 74
Ability to extend basic SharePoint functionality by programming custom web parts using
SharePoint Designer75 or .NET.76
By implementing SharePoint within the new uConnect architecture, campus units by default get a web-
based system with which to share and collaborate on documents which ties in with the rest of the
systems. For example, if Active Directory/LDAP is fully populated, SharePoint knows the supervisor and
other team members of a particular user, and a SharePoint workflow which automatically routes the
form to the supervisor can be easily built. The Presence and Availability of other people are visible in
SharePoint, so that people working on the same document can open an IM window or web/video
conference call to discuss their changes. Finally, SharePoint 2010 offers simultaneous editing of the
same file (coauthoring) and the ability to stream PowerPoint presentations over the web77, greatly
facilitating many common needs for faculty, students, and staff.
Implementation of SharePoint depends upon several items:
The Internet Connector license must be bought to allow access to SharePoint from the Internet
(estimated price, $4k)
Sufficient server and storage space must be allotted78 (typically 6-10 servers for a robust
SharePoint infrastructure plus storage for all the documents)
o If the SharePoint environment is virtualized, a number of considerations should be
addressed79
Campus subscribers to uConnect must have Enterprise CALs via MCCA
Units with a large investment in their current document management system might retain it based on
cost-benefit analysis. However, many other units will find the addition of an enterprise-wide document
sharing and collaboration system irresistible, and future web applications based on SharePoint could be
developed to provide targeted solutions to the business requirements of departments, colleges, schools
and units.ii
Cyber-Safety
i GoogleDocs, for example, as of now cannot handle complex formatting in Word documents with precise requirements, such as legal documents. However, Office Web Apps handles Office documents natively. ii In the absence of a central SharePoint solution, many units already in uConnect are working on their own
implementation, which gives an indication for potential popularity. In addition, UC Berkeley has CalShare, a SharePoint implementation. See: http://ist.berkeley.edu/services/is/calshare
Computer security, or Cyber-Safety, incorporates a number of concepts, the most basic of which are:80
Confidentiality
Integrity
Availability
The specific UC Davis Security Standards are given in Exhibit A of Chapter 310, Section 22, in the UC
Davis Policy and Procedure Manual.81 This proposed design directly addresses these practices as follows:
1. Software Patch Updates
A centralized Windows Server Update Services system is setup in resource.ucdavis.edu
for use by all campus Windows clients. A BigFix82 or similar system is setup in the resource
domain to provide patch updates for UNIX, Linux, MacOS, and virtual clients (as well as
Windows).
2. Anti-virus Software
A centralized Anti-virus Software service, based on the campus site-licensed anti-virus software,
will be provisioned in resource.ucdavis.edu. It will be configured such that the staff of
individual units will be able to administer the anti-virus software on their local IT resources.
3. Non-secure Network Services
The new design employs Microsoft’s Network Access Protection (NAP) in conjunction with
802.1x to restrict access to the network to devices which can pass a health check by a Network
Policy Server. Devices on a Windows domain failing the health check can be redirected to a
Remediation server which will apply patches and other features to allow the computer to come
into compliance. Once the health check has been passed, the system may access the network.
There are two ways to enable this:
DHCP (weak) – Can be bypassed by clients assigning their own IP addresses
802.1x (strong) – Cannot be bypassed by clients
In the recommended way to enable this, campus network switches are configured to support
802.1x and authentication to the network (usually via LDAP). This in turn requires that the
switches fully trust the Network Policy Servers; thus NAP is best done as a centralized service.
4. Authentication
Robust authentication is provided for users via:
a. A strong single sign-on password
b. Public/private key pair
c. Hardware device with digital certificate or public key
Authentication is thought of as applying to users, but with the advent of a campus CA, can also
be applied to computers. For example, domain controllers, file servers, and other sensitive
resources can be configured to reject connections from computers that do not have a valid
digital certificate.83 These (IPSec) policies must be carefully tested.
5. Personal Information
With the advent of a campus certificate server, all file servers in the ucdavis.edu domain can
turn on Encrypting File Services. To properly provision EFS and ensure that files can be
recovered in the event that the holding account is deleted:
a. A specific account holding the EFS Recovery Agent role must be established.
b. Enterprise Administrators in the root domain ucdavis.edu only grant temporary use
of the account to Domain and OU Administrators on an as-needed basis.
This provides default encryption on all files stored on all fileservers with EFS enabled. Under the
requirements of SB 1386, this would exempt the University from having to notify users if
personal information is disclosed from a file protected by EFS.84
The campus certificate server also allows for the encrypting of email and databases via standard
interfaces.
6. Firewall Services
Firewalls are widely deployed across campus. The upcoming migration of units to the campus
AD/UC infrastructure provides an opportunity to check: organizations are not allowed to join
until they show a properly-configured VLAN firewall. Because the services are standardized and
well-known, firewall rulesets should be easier to write, and best-practice rulesets can be
developed.
7. Physical Security
The campus AD/UC infrastructure ensures that much of the “crown jewels” of the campus IT
infrastructure remains in secured campus datacenters with reliable power, networking, and
HVAC. The design calls for two datacenter sites, which takes advantage of the load-balancing
inherent in AD and allows for disruptive services upgrades on one datacenter without affecting
the campus at large.
8. No Open Email Relays
The combination of Exchange 2010, DNSSEC, and DKIM means that:
a. Unauthenticated users are not allowed to send email
b. The campus email servers are well-known and cryptographically validated by the
outside world, eliminating the threat that a spammer masquerading as a
ucdavis.edu user will land the campus on an email blacklisti 85
For those departments still wishing to run their own email servers, provisioning DNSSEC and
requiring DKIM on all mailservers will maintain the benefits described above.
9. Proxy Services
Implementing NAP has the side-benefit of giving the campus a robust VPN solution.
Departments save the time/expense of running their own VPN, and users can be directed
towards the campus VPN. This will eliminate improperly configured proxy servers.
For those departments still wishing to run their own proxy server, the provisioning in LDAP of
password hashes gives them access to robust authentication.
10. Audit Logs
The campus.ucdavis.edu user account domain coupled with proper setup allows for a
robust auditing mechanism86 when coupled with good third-party tool which collects systems
logs from all AD/UC servers for separate log analysis. Note that units with their own domains are
also able to audit their own resources; for reliability these logs should be collected on the
central campus log analysis server. For best results, the third-party tool should be able to read
log formats from Windows, Unix, Linux, and MacOS servers. In addition:
a. An AD security group dedicated to Cyber Safety auditing should be established
b. The UC Davis campus Cyber Safety auditors should be granted membership to this group
c. Other unit Cyber Safety auditors should be granted membership upon request
d. Member domains should not implement policies or mechanisms which block the group
from resource access
e. Members of the Cyber Safety group should audit user data only with explicit written
permission from the chair, MSO, Dean or Vice Chancellor of the unit.
f. Any domain, sub-domain, or domain organizational unit targeted for a Cyber Safety
audit should receive prior notification
i. The Dean or Vice-Chancellor of the unit may override the notification
requirement at their discretion
11. Backup and Recovery
The system calls for the use of Microsoft Data Protection Manager to handle the backup of
Active Directory and the Unified Communications components (Exchange, Lync, etc.) This is a
disk-to-disk system which is compatible with the campus current use of NetBackup. Properly
configured, this provides two levels of backup (disk-to-disk for DPM and disk-to-tape for
i This has happened several times in the past years
NetBackup of DPM) to complement the tombstone/previous versions first level restoral
capabilities in Exchange and Windows file services.
DPM has significant data storage requirements; for cost-effectiveness, several DPM servers
coupled with Direct Attached Storage provide the best cost/storage ratio.
12. Web Application Security
LDAP authentication provides an industry-standard, known-good authentication mechanism. In
addition, CA&ES has developed a robust roles database (available as a web-service) for
authorization. A roles database used in this context means a system which controls access (and
provides auditing) to campus applications on a per-user, per-role, per-application, per-unit basis.
The campus has other Identity Management/Roles Database system initiatives for other
purposes, but they do not currently address the authorization problem in web applications.
Deployment of this system (or another with this functionality) enables developers to consider
the authentication and authorization problem solved, and move on to the other OWASP issues.
The benefits of these and the measures listed above:
Provides immediate feedback and quarantine of insecure systems from the campus network
Provides widespread encryption which can protect personal information in documents, emails,
and databases
Provides fault-tolerant secure physical hosting
Eliminates open relays and campus-on-email-blacklist problem
Provides VPN solution to campus
Provides easy auditing
Provides two levels of backup on critical data
Provides secure authentication and authorization processes for web applications and databases
Saves units the time/cost of doing these services themselves
Provides known, consistent quality
Provides functionality not available to individual units
Provides costs savings in purchasing software for whole campus
Implementation The previous section discussed a number of topics. In this section, the specifics are condensed down
into an implementation order and summary of necessary steps. Items in green are not on the critical
path, and may be done concurrently, as time permits, or once confidence has been established that a
migration is complete.
1. Setup the root AD domain ucdavis.edu
a. Perform initial zone transfer between dns1.ucdavis.edu to root AD domain controller
DNS servers
b. Configure Infoblox to update AD DNS servers
c. Setup DNSSEC
d. Publish tools/interfaces for ucdavis.edu sub-domains to add DNSSEC
e. Setup DHCP and DHCPv6
f. Retire Unix DNS servers
g. Retire older DHCP servers
2. Setup campus.ucdavis.edu account domain for user accounts
a. Set passwords on campus.ucdavis.edu to be the same as Kerberos passwords.
Requires a password reset.
b. Update computingaccounts.ucdavis.edu to change passwords on AD KDCs
c. Update the Whitepages application to make changes against AD LDAP
d. Setup user password hash storage in LDAP
e. Publish tools/interfaces for web application authentication in LDAP
f. Publish tools/interfaces for public key storage in LDAP
g. Setup roles database and publish web services interface for web application
authorization
h. Setup Shibboleth
i. Configure for federated authentication with At Your Service, Google Apps, Office 365 for
Education, etc.
j. Retire Unix LDAP servers
k. Evaluate retiring CAS
3. Setup resource.ucdavis.edu resource domain for forest-wide resources
a. Setup Active Directory Certificate Services
i. Setup certroot.ucdavis.edu
ii. Setup cert1.ucdavis.edu, cert2.ucdavis.edu,
revokedcert1.ucdavis.edu, and revokedcert2.ucdavis.edu
iii. Turn off and securely store certroot.ucdavis.edu
iv. Publish tools/interface for IT staff to obtain SSL certificates
b. Setup Exchange 2010
i. Setup DKIM and spam filtering
ii. Setup eFax, Fax-over-IP
iii. Migrate Cyrus users to Exchange mailboxes with no-cost storage limits
iv. Migrate CA&ES and current uConnect users
v. Migrate remaining units
vi. Retire Cyrus and SpamAssassin servers
vii. Publish tools/interfaces to email and calendar functions
viii. Evaluate sympa vs. Exchange/SharePoint web applications
c. Setup Lync 2010
i. Setup Mediation server
ii. Setup IM
1. Setup public IM connectors
iii. Setup audio/video/web conferencing
iv. Setup Enterprise Voice
1. Setup voicemail and voice transcription
2. Integrate Pinnacle and billing systems
3. Migrate voice users to Lync VoIP
v. Retire Sonus
d. Setup Systems Center: Configuration Manager
i. Setup Network Access Protection87
1. Apply AD forest schema extensions for NAP
2. Setup Network Policy Servers
3. Setup System Health Validators
4. Setup Reporting Point
ii. Publicize to clients how to use VPN access through the Network Policy Servers
iii. Retire SSL VPN
e. Setup Systems Center: Data Protection Manager
f. Setup Antivirus servers
g. Setup WSUS
h. Setup BigFix
i. Setup Auditing Server
j. Setup Subsystem for UNIX-based Applications
k. Setup Apple Remote Desktop
l. Setup Systems Center: Operations Manager
m. Setup Systems Center: Virtual Machine Manager
n. Setup Systems Center: Service Manager
Staffing
This design dramatically increases the complexity and scope of services offered compared to the current
uConnect services. Additional staffing and infrastructure resources must be allotted for success.
The envisioned system cuts across a number of organizational boundaries and some re-organization as a
result of new duties and retirement of older systems may result. Even so, enough resources may not be
allotted, simply because of the enormous breadth of technical knowledge required to successfully
implement the design.
The ARM/CA&ES/IET collaboration provides a roadmap for the way forward. Every stakeholder has a
vested interest in the success of this enterprise. Units that are willing and able to provide technical
talent should have their staff put to good use. In order to effectively synchronize everyone towards
tangible progress, they can be grouped as follows:
Core team and collaborators
This group consists of the core staff as provided to the project by ARM, CA&ES, IET and others,
responsible for setting up, administering, running, and maintaining the forest-wide resources. As can be
seen above, there are a large number of additional projects that should be done by units willing/able to
contribute technical staff. Examples of these types of projects are developing the various
tools/interfaces and applications that will provide services to clients.
Focus groups
These groups consist of technical IT staff evaluating the progress the system is making on the design
principles. Anyone interested in a focus group should be allowed to join, but the focus group chairs must
ensure that the feedback collected is presented in a useful form to the core team and collaborators:
1. Full-featured services – This group tests the usability of the various aspects of the system for
technical and non-technical users.
2. Flexibility – This group consists of interested outside parties that are planning to build exciting
new applications and are willing to test using the campus AD/UC infrastructure as their
foundation.
3. Interoperability – This group consists of MacOS and Linux sysadmins that provide feedback and
test cases to ensure their platforms are fully supported on the AD/UC infrastructure.
4. Stability/Security – This group ensures that the security best practices envisioned in the design
are maintained.
5. Cost-effectiveness – Added for completeness, this “focus group” is the core team and
collaborators who ensure the implementation of AD/UC services is as efficient as possible. This
implicitly includes the buyers who ensure prices for hardware and software take full advantage
of UC discounts.
Unit IT contacts consuming AD/UC services
This group consists of the technical staff that provides local IT support. A large percentage of IT work will
continue to reside in the units.
Governance
To be successful, the project must not only have a talented and well-coordinated group to execute the
setup, administration, and migration to the new system, but there must also be an open process
towards setting the future direction of the project. The author and collaborators have ideas on a new
governance structure (to be presented later) establishing project staffing as a center of excellence, and
are open to further concepts.
Completeness
This design offers a wide variety of features, but it is not necessary that all clients take advantage of all
of them. Clients may mix/match services as desired:
Email: Clients can connect to their Exchange mailboxes via Outlook Anywhere (Windows88,
MacOS 89), IMAP/S, mobile devices, tablets, and web browsers without joining their devices to a
Windows domain. Clients wishing to run their own mailservers may still do so, as long as they
implement DKIM.
Lync: Web-based clients are available for Lync services without installing software or joining a
domain90 91. VoIP phones are independent network devices separate from client computers;
using VoIP-enabled phones with Exchange integration requires that a user account be
provisioned for these services; software client choice is flexible. Analog phones are still
supported.
DNS: The Microsoft DNS servers can be configured to support wildcards for empty resource
record sets92 to provide support for BIND’s DNS wildcards. Clients requesting sub-domains may
also run their own DNS servers. DNSSEC is still provisioned throughout.
DHCP: Units may run their own DHCP servers on their networks, or hand-configure computers if
desired.
Kerberos/LDAP: These are standard network services with standard interfaces. Microsoft is a
member of the Kerberos foundation93 and has made Active Directory compliant94 with the latest
IETF specification of LDAP.95
Web authentication/authorization: As specified, web developers can choose LDAP or
Shibboleth for authentication. They can consume an authorization service or write their own.
Windows Domains: Windows domains provide administrative efficiencies, particularly for
Windows clients, but MacOS or Linux clients do not need to join a Windows domain to benefit
from services listed above.
Network Access Protection: NAP is intended to provide an extra level of security to clients
joining domains in the forest, so that they do not jeopardize the common resources in Active
Directory. Clients not on a domain need not have NAP configured.
Support For best results, tools to simplify the burdens of local IT support must be added to the system. The
inclusion of the Systems Center tools provides the potential for:
Automated Server monitoring (Systems Center: Operations Manager)
Client hardware/software management (Systems Center: Configuration Manager)
Hyper-V virtual machine provisioning (Systems Center: Virtual Machine Manager)
Help Desk ticketing (Systems Center: Service Manager)
Help Desk ticketing would greatly benefit subscribers to the system if they were able to pass tickets
between clients, local IT staff, and potentially, AD/UC systems staff and/or Networking Operations
Center staff.
Previous tools have been difficult to use; a project for a unified help desk should be started and chaired
by the majority users of the system, i.e. local IT support.
Discussion The project provides the following advantages to the campus:
Robust, full-featured Unified Communications
o A full-featured email and calendaring solution for Cyrus users
o Accessibility via web browser, client software, VPN, remote desktop, or mobile devices
o Opportunity to reduce telecommunications costs by leveraging VoIP
o A manageable, scalable solution
Provides common, central services with secure access mechanisms
o DaFISConnect (DaFIS on Windows Remote Desktop)i
o WSUS and BigFix for software patching
o Server log auditing
o Server status updates via Operations Manager
A common directory which can be directly leveraged into workflow and other applications
A safe and secure computing platform incorporating Cyber-Safety best practices
Enterprise wide single sign-on, with provision for federated authentication
o Benefits campus applications such as Kuali, Timesheets, Recruitments, and others
o Built-in workflow for SharePoint and other workflow applications
o Locally editable, up-to-date Organizational chart
Widespread use of digital certificates using either Web-of-Trust (public keys in LDAP) or Public
Key Infrastructure (PKI) using Active Directory Certificate Services
A fault-tolerant design resilient to failures and cracking attempts
A platform on which to build future web and cloud applications
The project also saves the costs of running these older systems:
Staff/infrastructure for running Cyrus
Staff/infrastructure for running SpamAssassin
Staff/infrastructure for running DNS
Staff/infrastructure for running DHCP
Staff/infrastructure for running LDAP
Staff/infrastructure for running Kerberos
Staff/infrastructure for running CAS
Staff/infrastructure for running SSL VPN
At some future time, the project may save the costs of these systems:
Sonus
Sympa
A complex project raises many questions; some will be addressed below.96
We’ve been successful, so why change?
i Currently provisioned on uConnect
True. But surely we have all seen that failure to adapt eventually leads to extinction. With respect to
Active Directory, the previous incarnation was created before many of the features in the new design
were developed. To quote from Active Directory Design Principles:97
“The one thing to keep in mind is that when designing your Active Directory, never go at it from
a, present needs, point of view. Technology and systems are changing so fast nowadays that you
have to design with the most open and future-proof concept that you can think of.”
No one else does this.
There really is a first time for everything, and we do have a unique opportunity. Everyone is ready for
change; we can take what we’ve learned and move forward. The current system is a hodge-podge of
sometimes incompatible systems that don’t offer the full range of functionality. This new design is a full-
featured integrated whole with flexibility to add additional services and applications via industry
standard protocols.
To generate this many questions and concerns, the idea has to be flawed.
Actually, many questions are good, as it shows engagement, and an engaged group makes better
decisions and implementations. The current partnership between ARM, CA&ES, and IET shows a strong
commitment of talent and resources to solving these issues, and we suggest the collaboration be
opened further. Everyone has a stake in the outcome.
Good idea, but this is not the time.
This is the perfect time, because there are many people excited and working to make this happen right
now. The state our university is in requires that we make changes and increases our efficiency
immediately, and this is a significant step towards getting everyone a set of consistent tools to do their
work.
Everyone has a stake in this enterprise. While it is difficult to “design by committee” – it is crucial that
Active Directory / Unified Communications move in the technical directions that serve the needs of the
campus stakeholders. The knowledge of the needed technical directions resides in and therefore should
be directly represented by the stakeholders themselves. Agile processes have already been proven to
work in a number of arenas98 99; it is worth repeating the “Agile Manifesto”100 here:
Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
Acknowledgements I wish to thank Tom Pomroy, Uwe Rossbach, and Shuka Smith for many hours of conversation in
developing the topics in this whitepaper. The ideas presented here are a direct result of these
discussions. I also wish to acknowledge the following reviewers, who contributed their input and
perspectives to this paper:
Bob Brewer, Information Systems Manager, Environmental Science & Policy
Jamie Butler, Directory of Information Technology, School of Law
Jennifer Hughes, Information Systems Manager, Crocker Nuclear Laboratory
Rob Kerner, Plant Sciences IT Manager
Jeremy Philips, Director of Information Technology, Division of Social Sciences
Eric Prosser, Project Manager, Office of Research
Ben Ransom, System Administrator, College of Engineering
Megan Richmond, Lead Application Developer, Letters and Science Deans’ Office
Paul Waterstraat, Information Systems Manager, Geology
Revision History Initial version: 10/13/2010
Submitted Version: 1/25/2011
Final Version: 12/29/2011
Glossary The following is a selection of terms and definitions used in this discussion. Many unavoidably reference
other terms, which may or may not have abbreviations. For brevity, acronyms are defined with their
term.
Active Directory (AD): A Microsoft implementation of a variety of network services including101,
LDAP
Kerberos-based authentication
DNS
Central location for network administration and delegation of authority
Information security and single sign-on for user access to network based resources
The ability to scale up or down easily
Central storage location for application data
Synchronization of directory updates amongst several servers
Audio/Video/Web Conferencing: One-to-one, one-to-many, and many-to-many communication using
audio (voice) and visual communications integrated with webcams and browsers.
Certificate Authority (CA): A service issuing digital certificates.102
Digital Certificate: In cryptography, a digital certificate (also known as an identity certificate or public
key certificate) is an electronic document that uses a digital signature (a mathematical scheme which
demonstrates the authenticity of a document103) that binds together a Public Key with an identity
(information such as the name of a person/organization, address, etc.).104
Domain: In AD, a domain is a common flat database directory. Domains in AD are identified by their DNS
name structure, or namespace. Domains can contain other domains and Organizational Units.
DomainKeys Identified Mail (DKIM): DKIM is a method of associating a DNS domain name to an email,
allowing a recipient to validate that a message was sent by the organization with that particular DNS
domain name. Validation uses public-key cryptography; the signer adds a domain name to the message
and then affixes a digital signature. The verifier recovers the signer’s public key using DNS, and verifies
the signature.105
Domain Name System (DNS): The essential phone book for the Internet,106 translating human-friendly
hostnames to the actual IP addresses used by networking devices (routers, gateways, computers, etc.).
Domain Name System Security Extensions (DNSSEC): The original design of DNS did not include security,
as it was designed to be a scalable, distributed system. DNSSEC is designed to protect clients from
forged DNS data (e.g. which can be used to redirect to forged sites) while maintaining backwards
compatibility.107 DNSSEC is also queried by DKIM to provide verifiers with the public key of the signer.108
DNS Zone Transfer: A mechanism for replicating the databases containing DNS records across a set of
DNS servers.109 Nearly universal at one time, it is becoming less popular in favor of other database
replication mechanisms that modern DNS server packages provide, such as Active Directory-Integrated
DNS.110
Dynamic DNS (DDNS): A method/protocol/network service that provides the capability for a networked
device, such as a router or computer to notify a DNS server in real-time to make active DNS
configuration changes, such as the hostname, the IP address, or new SRV records.111
Dynamic Host Configuration Protocol (DHCP): DHCP is used on IP networks to configure computers with
IP addresses and other information, such as the IP address of the local DNS server. It also provides a
central database for keeping track of computers connected to the network, and prevents two computers
from being configured with the same IP address.112
Enterprise Voice: In Exchange, Voice-over-IP telephony (including voicemail) integrated with Exchange
email and calendars.
Extensible Messaging and Presence Protocol (XMPP): A network protocol used to handle IM and
Presence.113
Flat: In databases, flat is the opposite of relational. Every entry in the database contains all of its
information, and does not reference other entries.114
Forest: In AD, a tree of trees sharing a common catalog, directory, and DNS structure. If ucdavis.edu
is the forest, caes.ucdavis.edu and engineering.ucdavis.edu are trees in that forest.
Group Policy Objects (GPO): In AD, a set of rules which control the working environment of users and
computers. GPOs are used to provide a consistent set of services and environment and can be assigned
to domains, OUs, and sites. As an example, GPOs can be used to install software and ensure that it is the
version defined in the GPO.
Hostname: The human-readable Internet address of a computer. An example is: www.ucdavis.edu.
Internet Protocol (IP): The primary communications protocol used for the Internet.115
IP Address: The numeric network address for a device on the internet. There are two versions, IPv4 and
IPv6. IPv6 was instituted to address the limited number of remaining IPv4 addresses116, and is the future
of the Internet.117
IPv4 addresses look like: 169.237.1.1
IPv6 addresses look like: 2001:db8:1f70::999:de8:7648:6e8
Instant Messaging (IM): Real-time direct text-based communications between two or more people, also
known as online chat between known users (i.e. online chat can also be between anonymous users).118
Email, in contrast, is asynchronous text-based communication between two or more people.
Lightweight Directory Access Protocol (LDAP): The industry standard directory protocol, widely
accessible to management and query applications.119
Lync: Formerly known as Office Communications Server, Lync provides a unified instance for IM,
Presence, Audio/Video/Web Conferencing, and Enterprise Voice.
Kerberos: A computer network authentication protocol allowing nodes communicating over a non-
secure network to prove their identity in a secure manner.120
Mediation Server: In Lync, the Mediation server connects traffic from a basic media gateway (such as
PSTN) using SIP to Lync clients. 121 122 123 124
Network Access Protection (NAP): A Microsoft platform that controls access to network resources based
on a client computer’s identity (verified with a digital certificate) and compliance with policy.125 Software
to support policy enforcement must be installed on the client computer; it is currently integrated in
Windows XP SP3126 and lateri; separate clients are available for MacOS and Linux.127
Organizational Unit (OU): In AD, an organizational unit is a container used to simplify management.
Often, administrative access is delegated at the OU level. All OUs in a domain share the same (flat)
database. As a result, it is not possible to create two identically-named accounts in different OUs in a
domain because the database requires that attribute be unique.
Presence: In Lync, a combination of availability and willingness. Availability consults the user’s calendar
to see if they are able to be contacted. Willingness is the user’s self-defined criteria on how receptive
they are to being contacted.
Protocol: In networking, a formal description of digital message formats and the rules for exchanging
those messages.128
Public Key Cryptography: A cryptographic approach using asymmetric key algorithms. A famous example
is the use of prime numbers.129 It is very easy to verify that a particular number is the product of primes.
It is computationally expensive to factor a large number into its component primes. Public Key
cryptography uses mathematically related key pairs: a public key, which can be published, and a private
key, which is kept secret. A message encrypted by the private key can be easily decrypted by the public
key. On the other hand, it is very difficult to determine the private key using the public key.130
Public Switched Telephone Network (PSTN): Also known as plain old telephone service (POTS), it is the
public telephone network used by landlines and mobile phones.131
Secure Sockets Layer (SSL): A cryptographic protocol that provides for secure communications over open
networks, such as the internet. Commonly used by web browsers to connect to trusted webservers,
which provide an SSL certificate signed by a trusted CA. The follow-on to SSL is Transport Layer Security
(TLS).132
Service (SRV) Record: Data stored in DNS defining the hostname and port number of services for specific
services.133 Some examples of services which use SRV records:
Client SMTP authorization
Kerberos
LDAP
SIP
XMPP
Session Initiation Protocol (SIP): A network protocol used to handle multimedia communications such as
voice and/or video calls over IP.134
i Thanks to Curt Finley for pointing this out.
Site: In AD, a container of network addresses most often used to manage network traffic and replication
by assigning a cost value and replication schedule to address speed, reliability, availability, and other
physical properties.
Tree: In AD, single or multiple domains in a contiguous (DNS) namespace. For example,
caesdo.caes.ucdavis.edu and caes.ucdavis.edu are in the same tree;
caes.ucdavis.edu and engineering.ucdavis.edu are not.
Unified Communications (UC): The integration of real-time communications such as Instant Messaging,
Presence, Enterprise Voice, Audio/Video/Web Conferencing with non-real-time communications such as
email, voicemail, SMS (texting), and fax.135
uConnect: The current Active Directory / Exchange service available for recharge to campus
departments.136
References 1 http://oe.ucdavis.edu/
2 http://gunrockstatus.ucdavis.edu/docs/Project%20Gunrock%20Cost%20Comparison.pdf/view
3 http://iet.ucdavis.edu/microsoft/campus_agreement.cfm
4 Private conversation with Shuka Smith, a programmer in CA&ES Dean’s Office working with uConnect on the
Office Communications Server 2007 R2 implementation 5 Private communication with Mark Redican, Director of Communications Resources
6 http://code.google.com/googleapps/faq.html
7 http://office365.microsoft.com/en-US/education.aspx
8 http://www.microsoft.com/Presspass/press/2010/dec10/12-08USDACloudPR.mspx
9 http://www.your.org/dnscache/djbdns.pdf
10 http://technet.microsoft.com/en-us/library/bb727085.aspx
11 http://technet.microsoft.com/en-us/library/bb124251.aspx
12 http://social.technet.microsoft.com/wiki/contents/articles/renaming-a-windows-2008-active-directory-
domain.aspx 13
http://www.infoblox.com/en/resources/white-papers/dns-dhcp-microsoft-active-directory.html 14
http://technet.microsoft.com/en-us/library/ee649173(WS.10).aspx 15
http://technet.microsoft.com/en-us/magazine/2007.03.cableguy.aspx 16
http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-install/Kerberos-Realms.html 17
http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-install/Mapping-Hostnames-onto-Kerberos-Realms.html 18
Jason Garman, Kerberos: The Definitive Guide, (Sebastopol: O’Reilly Media Inc., 2003), 175-195 19
http://en.wikipedia.org/wiki/Windows_Services_for_UNIX 20
http://en.wikipedia.org/wiki/Chain_of_trust 21
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR657 22
http://technet.microsoft.com/en-us/library/dd361898.aspx 23
http://www.codeguru.com/csharp/csharp/cs_misc/security/article.php/c16491 24
http://en.wikipedia.org/wiki/Code_signing 25
http://technet.microsoft.com/en-us/library/cc750824.aspx 26
http://technet.microsoft.com/en-us/library/cc785254(WS.10).aspx 27
http://stackoverflow.com/questions/2099181/is-active-directory-really-ldap-compliant 28
http://www.zytrax.com/books/ldap/ch3/ 29
http://netmesh.info/jernst/digital_identity/microsoft-turning-the-ldap-directory-into-a-graph-database
30
http://www.faqs.org/rfcs/rfc3062.html 31
http://status.ucdavis.edu/index.php?f_path=top&o_path=past 32
http://support.microsoft.com/kb/326340 33
http://support.microsoft.com/kb/316748 34
http://www.javaactivedirectory.com/?page_id=72 35
http://jaaslounge.sourceforge.net/ 36
http://coldfusion.sys-con.com/node/154225 37
http://adldap.sourceforge.net/ 38
http://www.oneunified.net/blog/OpenSource/perl_activedirectory.article 39
http://stackoverflow.com/questions/140439/authenticating-against-active-directory-using-python-ldap 40
http://smartsite.org/smartsite.html?ch=DEF&id=4003 41
http://plone.org/documentation/kb/single-sign-on-with-active-directory 42
http://drupal.org/project/webserver_auth 43
http://www.hannonhill.com/kb/Authentication/ 44
http://confluence.atlassian.com/display/DEV/Mapping+Active+Directory+to+Confluence 45
http://download.oracle.com/docs/cd/E12096_01/books/admintool/admintool_Security7.html 46
http://download.oracle.com/javase/tutorial/jndi/ldap/authentication.html 47
http://www.ece.rutgers.edu/~parashar/Classes/03-04/ece572/project-reps/p-bisbal.pdf 48
http://en.wikipedia.org/wiki/Public-key_cryptography 49
http://www.faqs.org/rfcs/rfc3112.html 50
http://www.jasig.org/cas_server_3_4_3 51
http://atyourservice.ucop.edu/ 52
http://en.wikipedia.org/wiki/Shibboleth_(Internet2) 53
http://shibboleth.internet2.edu/shib-v2.0.html 54
http://www.campuseai.org/integrations1;jsessionid=5938AEABCF3C258827FFD979F233C4A2 55
http://sysadmin-talk.org/2010/05/large-is-not-always-best-when-it-comes-to-performance-but-it-helps-mailbox-performance-in-exchange-and-outlook-2010/ 56
http://msexchangeteam.com/archive/2010/02/22/454051.aspx 57
http://wikibon.org/wiki/v/MS_Exchange_2010:_Mega_Mailboxes,_Personal_Archives,_Goodbye_PSTs 58
http://support.microsoft.com/kb/832925 59
http://www.howexchangeworks.com/2009/08/archive-mailbox-in-exchange-2010.html 60
Communication from Dave Wallen, Manager of Microsoft Online Services Group from Computer Generated Solutions 61
http://news.cnet.com/8301-13860_3-20020029-56.html 62
http://www.microsoft.com/liveatedu/learn-about-office-365.aspx 63
http://msexchangeteam.com/archive/2010/08/23/455899.aspx 64
http://www.apple.com/macosx/what-is-macosx/mail-ical-address-book.html 65
http://www.sympa.org/overview/features 66
http://msdn.microsoft.com/en-us/library/bb204119(EXCHG.140).aspx 67
http://www.itwire.com/sponsored-announcements/25395--axway-extends-mailgate-with-virtualised-offering 68
http://www.sonusnet.com/ 69
http://www.infoworld.com/d/windows/microsoft-lync-2010-finally-communications-server-worth-the-effort-515 70
Microsoft Office Communications Server 2007 Edge Server Deployment Guide, http://www.microsoft.com/downloads/en/details.aspx?FamilyId=ED45B74E-00C4-40D2-ABEE-216CE50F5AD2&displaylang=en 71
http://www.microsoft.com/en-us/lync/default.aspx 72
http://blogs.msdn.com/b/mcsnoiwb/archive/2009/11/05/document-management-in-sharepoint-2010.aspx 73
http://www.knowledgelake.com/solutions/technology-solutions/Pages/document-imaging-management-sharepoint.aspx as one example solution, others exist from Xerox 74
http://www.avop.com/blog/joanne_gaudet/xerox_mfps_now_support_microsoft_sharepoint_server_2010
75
http://msdn.microsoft.com/en-us/library/ff630941.aspx 76
http://channel9.msdn.com/Blogs/funkyonex/Best-Practices-on-Building-SharePoint-2010-Web-Parts-with-Visual-Studio-2010 77
http://www.directionsonmicrosoft.com/samples/49-samples/940-document-sharing-with-office-2010-and-sharepoint-2010.html 78
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=FD1EAC86-AD47-4865-9378-80040D08AC55&displayLang=en#filelist 79
http://www.ditii.com/2010/06/03/sharepoint-2010-virtualisation-planning-and-technet-webcast-deep-dive-microsoft-virtualization-best-practices-for-sharepoint-2010-level-300/ 80
Matt Bishop, Computer Security: Art and Science (Boston: Addison-Wesley, 2003), 3-25. 81
http://manuals.ucdavis.edu/ppm/310/310-22a.pdf 82
http://www.bigfix.com/content/breakthrough-technology-revolutionary-economics 83
http://technet.microsoft.com/en-us/library/bb742429.aspx 84
http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html 85
http://www.mxtoolbox.com/blacklists.aspx 86
http://www.windowsecurity.com/articles/Auditing-Users-Groups-Windows-Security-Log.html 87
http://technet.microsoft.com/en-us/library/bb681008.aspx 88
http://technet.microsoft.com/en-us/library/bb123741.aspx 89
http://www.officeformachelp.com/outlook/exchange/faqs/#outlookAnywhere 90
http://communicatorteam.com/archive/2010/10/19/1763.aspx 91
http://blogs.catapultsystems.com/tharrington/archive/2010/11/08/lync-conferencing-client-comparisons.aspx 92
http://en.wikipedia.org/wiki/Wildcard_DNS_record 93
http://www.kerberos.org/sponsors/index.html 94
, Microsoft Corporation, Active Directory LDAP Compliance (October 2003), 3-13 95
http://tools.ietf.org/html/rfc4510 96
http://www.ciozone.com/index.php?option=com_myblog&show=How-To-Protect-Good-Ideas-From-Getting-Shot-Down.html&Itemid=713 97
http://www.packtpub.com/article/active-directory-design-principles-part-1 98
http://en.wikipedia.org/wiki/Agile_software_development 99
http://agile-architecting.com/Archive/Agile%20Systems%20Engineering.pdf 100
http://agilemanifesto.org/ 101
http://en.wikipedia.org/wiki/Active_Directory 102
http://en.wikipedia.org/wiki/Certificate_authority 103
http://en.wikipedia.org/wiki/Digital_signature 104
http://en.wikipedia.org/wiki/Digital_certificate 105
http://en.wikipedia.org/wiki/Dkim 106
http://en.wikipedia.org/wiki/Domain_Name_System 107
http://en.wikipedia.org/wiki/DNSSEC 108
http://tools.ietf.org/html/rfc5585#section-4.4 109
http://en.wikipedia.org/wiki/DNS_zone_transfer 110
http://technet.microsoft.com/en-us/library/cc978010.aspx 111
http://en.wikipedia.org/wiki/Ddns 112
http://en.wikipedia.org/wiki/Dhcp 113
http://en.wikipedia.org/wiki/Extensible_Messaging_and_Presence_Protocol 114
http://en.wikipedia.org/wiki/Flat_file_database 115
http://en.wikipedia.org/wiki/Internet_Protocol 116
http://en.wikipedia.org/wiki/IPv4_address_exhaustion 117
http://en.wikipedia.org/wiki/IPv6 118
http://en.wikipedia.org/wiki/Instant_messaging 119
http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol 120
http://en.wikipedia.org/wiki/Kerberos_(protocol)
121
http://blogs.technet.com/b/drrez/archive/2009/12/01/direct-sip-configuring-mediation-server.aspx 122
http://technet.microsoft.com/en-us/library/ff793475.aspx 123
http://www.ocspedia.com/fe/Microsoft_Lync_Topology_Changes.aspx?ArticleID=105 124
http://gunrockstatus.ucdavis.edu/blog/gunrock-ocs-hardware-infrastructure-planning 125
http://technet.microsoft.com/en-us/network/bb545879.aspx 126
http://technet.microsoft.com/en-us/library/bb632788.aspx 127
http://en.wikipedia.org/wiki/Network_Access_Protection 128
http://en.wikipedia.org/wiki/Communications_protocol 129
http://en.wikipedia.org/wiki/Integer_factorization 130
http://en.wikipedia.org/wiki/Public-key_cryptography 131
http://en.wikipedia.org/wiki/Public_switched_telephone_network 132
http://en.wikipedia.org/wiki/Secure_Sockets_Layer 133
http://en.wikipedia.org/wiki/SRV_record 134
http://en.wikipedia.org/wiki/Session_Initiation_Protocol 135
http://en.wikipedia.org/wiki/Unified_communications 136
http://xeda.ucdavis.edu/