UC Davis Active Directory/Unified Communications Design Whitepaper

Adam Getchell, College of Agricultural & Environmental Sciences

Executive Summary The budget crisis our University is in challenges us to simultaneously increase our efficiency while

lowering our costs. The campus IT infrastructure can play a pivotal role in achieving these objectives.

As such, a confluence of events (budget, aging infrastructure, rollout of a central Active

Directory/Exchange system (uConnect) presents a once in a decade opportunity to replace aging

systems with an infrastructure that serves the campus in the future, in a way that consolidates disparate

silos and provides uniform, high-quality service to the students, faculty, and staff of UC Davis. We can no

longer afford to run needlessly parallel systems (DNS, Kerberos, LDAP, email, calendaring, VoIP, etc.)

based on different operating systems and platforms when uConnect, if implemented properly, has the

potential to provide these services and more while eliminating the costs of running an entire duplicate

infrastructure.

Problem: UC Davis continues to operate in a distributed computing environment where each unit invests

heavily on duplicate services that fail to integrate with each other. Furthermore, these aging systems

were designed to solve the computing problems of the 20th century and fail to take advantage of current

computing trends, such as cloud computing, public key infrastructure, Voice-over-IP, and so forth, that

can provide cost savings and enhanced services to our community.

Furthermore, the staff of the current infrastructure are in the same silos as the systems they support.

The costs of staffing and running these services and infrastructure as-is may exceed the costs of

provisioning an updated and integrated infrastructure designed with current and future capabilities in

mind.

Solution: An IT Infrastructure for the entire campus that supports the goals of the Organizational

Excellence initiative1 should be constructed using the following principles:

Full-featured services (easy to use for clients)

Flexibility (allow room for clients to implement services not original to the design)

Interoperability (support Windows, Mac, Linux)

Stability/Security (follow best practices)

At a minimum, the infrastructure should support the following services for the campus:

A secure computing infrastructure

o Reliable, integrated network services (Domain Name System, DHCP, etc.)

o Secure account and password management (e.g. Kerberos)

o Public Key Infrastructure (e.g. SSL certificates for websites, digital certificates for email,

users, computers, etc.)

o An electronic directory of services that can be used to automatically discover new

systems and services (DDNS, web services, etc.)

o An electronic directory of people that can be used to automatically lookup attributes

and roles (e.g. email address, calendar availability, application role)

o Single-sign on to University resources such as email, Banner, DaFIS, Kuali, WhitePages,

web applications such as Timesheets and Recruitments, and partner applications such as

UCOP’s At Your Service using identity federation (e.g. Shibboleth)

o Accessibility to services from a wide variety of devices, including workstations, laptops,

mobile devices, and media consumption devices such as the iPad and tablet computers

Unified Communications

o Email

o Calendar

o Voice-over-IP telephony (with interoperability with other systems, e.g. Skype)

o Voicemail (available on email)

o Electronic FAX

o Instant Messaging (with interoperability with other systems, e.g. GoogleTalk, AIM)

o Audio/Video/Web-conferencing

o Electronic document management and collaboration (e.g. SharePoint) to make progress

towards the paperless office

Adherence of subscribers to the basic Cyber-Safety requirements

o Software patching and updates

o Anti-virus software

o Reduction of non-secure network services

o Robust authentication

o Protection of Personal Information

o Network firewalls

o Physical security for critical infrastructure

o Elimination of open mail relays

o Provision of secure off-campus access to electronic resources (e.g. Virtual Private

Networking)

o Auditing of critical infrastructure

o Disaster recovery for critical infrastructure

o Web Application Security

No solution can be complete without considering staffing. A federated approach, which combines the

efforts of folks in Information and Educational Technology with those IT staff in the colleges, schools,

departments, and organizations, would be the best option for UC Davis. The current collaboration of

ARM, CA&ES, and IET technical staff on the current uConnect project provides an example; such

collaborations should become the rule, rather than the exception. Strong collaborations and formal

working relationships between centralized units and local units allow the innovation, specialized

knowledge, and business needs of unit staff to be integrated into the operations of the critical

infrastructure balanced with best practices.

These services touch every aspect of business done at the university, and provide a platform for future

IT initiatives. The current state of the university requires that changes be made immediately to increases

efficiency. This proposed design is a significant step towards providing a common set of uniform tools

to enable productivity across all of the University’s functional domains for faculty, students, and staff.

Implementing this solution will result reduce duplicate services and save money.

Introduction

Audience

This paper is addressed to the executive decision makers, MSOs, managers, and technical staff in the UC

Davis community.

What this whitepaper is

As a whitepaper, it proposes a unified, best practices design for a campus-wide Active Directory and

Unified Communications system based on a set of principles. These principles provide guidance towards

providing a full-featured set of campus services that also provide a measure of cost-savings compared to

the existing campus technology infrastructure.

What this whitepaper is not

This whitepaper does not attempt to address comprehensively:

Total cost for client systems

Cost analysis for the large, central components of this architecture has been done elsewhere2; the

reader is encouraged to consult these and other references. Due to the nature of campus software

purchasing, and in particular the Microsoft Consolidated Campus Agreement, client software (e.g.

Client Access Licenses) have traditionally been purchased at the unit/department level3. Units have

always traditionally been able to opt into or out of such purchasing agreements, and alternative

models are not considered here. However, the campus as a whole will save the costs of purchasing

many server software components with the advent of the centralized system described in this

whitepaper.

This whitepaper is organized as follows:

Design describes the design of each of the major parts in the UC Davis Active Directory / Unified

Communications system. Many of these parts are interdependent, and require other services to

function properly.

Implementation identifies the critical path with the order of overall steps for dependent services.

Discussion recaptures the purpose of the changes in terms of services added, cost savings, and other

factors. It attempts to answer some of the questions that this project raises.

Glossary gives a brief description of the technical concepts discussed in this design. It may be skipped by

knowledgeable readers.

The Vision Consider the following use-cases that such a system might provide:

A student wishes to double major in another college. She goes online and fills out the change of major

petition and submits it to a web-based document management system using her UC Davis credentials.

The system notes that the student is an undergraduate; so it does not route them to the online

application for admission to a new graduate program, but goes instead to the Dean’s Office of the

originating college for approval. The counselor gets an email notification and logs into the document

management system to review the student’s records and other files. Noting that the student is in good

standing (on the Dean’s honor list) and on-track to graduate, he approves the request; it is then routed

to the new college (where it is checked automatically for fulfilled prerequisites), and finally to the

Registrars. Upon approval by the Registrar’s Office, the student receives an email that their change of

major has been granted, along with the contact information of the student’s new major advisor. The

student has also been automatically added to mailing lists for the department housing her new major.

A graduate student wishes to access the new compute cluster that his advisor has just recently

subscribed to. He goes to the cluster web page and fills out the access form online, which is routed to his

advisor for approval. In the background, the PI has a digital certificate associated with her email account,

so when she sends his approval the routing application can verify that she’s the originator of the

message as it goes to the help desk ticketing system for the cluster. The ticket system notes the approval

and emails the graduate student the directions for creating an SSH public/private keypair and uploading

the public key to the campus LDAP directory. After the graduate student does this, he replies to the help

desk email. The cluster admin reviews the ticket system, adds permission for the graduate student’s UC

Davis credentials to login to the cluster, and closes the ticket. Upon closure, the help desk ticket system

sends an email notifying the graduate student that he now has access to the cluster. He opens his SSH

client and logs in automatically using his Kerberos ID and SSH key.

A professor on sabbatical has a year-long adjunct appointment at a prestigious university overseas. She’s

working on a paper with collaborators back home, so she logs into the web front end of the document

management system using her UC Davis credentials, and notes that her collaborator has checked-in

changes to their paper. She compares the new changes with the previous version, and after annotating a

few comments decides a more in-depth discussion is required. She opens her email client and begins

composing a long message, but midway through her email client signals that her collaborator is online

and available to chat. They open an IM session, which becomes so productive that they decide to talk in

real-time using video and voice calling. Her collaborator wants to bring in one of his graduate students

working on a paper that illustrates one of his changes, so they invite him to the conference call and open

up an online whiteboard, where they discuss his paper with respect to hers.

These are just a sample of the possibilities that an integrated, robust IT architecture can provide to the

campus. So how do we get there while saving costs?

Design The principles behind a UC Davis Active Directory / Unified Communications system are:

Full-featured services

The services must be easy to use by the clients, requiring minimal technical configuration and time to

use.

Flexibility

While the infrastructure provides the basic services that most clients will need, it must also be flexible

enough so new features can be developed and added as needed. This approach allows room for clients

to implement services not original to the design.

Interoperability

The services should be usable across the broad range of computing platforms on campus, including

Windows, MacOS, Linux, and mobile devices. Equivalent support should be provided to a client,

regardless of choice of platform.

Stability/Security

Central systems should be reliable and dependable, with uptimes of greater than 99.9%. The systems

should be administered using industry-standard best practices, and systems security should be a top

priority. Excessive outages and security incidents hurt both the productivity and reputation of the

University.

Cost-effectiveness

The systems should be evaluated for fiscal efficiency and designed using commodity components

wherever possible. New trends in cloud computing, consumerization of IT, and mobile devices should be

evaluated with an eye towards delivering service efficiently at minimum possible cost, balanced against

the other stated principles.

The proposed design of a UC Davis Active Directory / Unified Communications system has many dynamic

components. These will be described below:

Active Directory

[Late-Breaking Note: The IT-Infrastructure Futures committee which convened May-October of 2011 to

discuss some of the suggestions in this paper, recommend that the campus pursue the Single-Forest

Single-Domain model. However, the following prescription is kept intact for discussion purposes, and

details of the Single-Forest Single-Domain model are examined below.]

The proposed model for the UC Davis Active Directory design is a single forest, multi-domain model with

the following features:

An empty root domain: to isolate critical Enterprise and Schema Administrators from all other

accounts

An account domain: to isolate user accounts from the domains that provide services, and allow

for easier scripting against a single account domain

A resource domain: to isolate services such as Exchange and Lync from member domain/OU

computers

A departmental domain?

These principles are based on the concept that a domain is a security boundary within Active Directory

intermediate between a forest and an organizational unit (OU). OUs may be a good fit for many units,

but provide less separation than domains.

Other models considered:

Multiple forests: A forest is a stronger security boundary than a domain. The tradeoff is that

services are more difficult to provision. Setting up Microsoft Lync across multiple forests

requires redundant Lync implementations for each forest4 and results in duplicated work for

Network Operations Center personnel.5 Network Authentication Control may not be workable if

hardware switches are unable to talk to multiple Network Policy Servers in different forests.

Single forest single domain: This is workable for large centralized organizations, but probably

does not mesh with the university culture. The advantage of this model is its simplicity. The

disadvantage is that there are no security boundaries protecting a unit from another rogue unit

in the domain, and it would be difficult to provision disparate security policies at the OU level. In

particular, each School/College/Organization may have different enforcement of Cyber-Safety

policies, as those decisions are delegated to the Deans and Vice-Chancellors. Finally, OUs have

disadvantages compared with domains, and some UC Davis units have already requested

separate domains. Removing this option might make the service less able to address client

needs.

The AD design as described offers some important features that specifically address the principles of

full-featured, interoperable, stable, secure, cost-effective service. As well, it enables custom

applications to be developed to address unit specific needs.

Examples of custom applications that have previously been developed but cannot be leveraged by

other units due to a lack of a flexible infrastructure are as follows:

CA&ES has developed an application which checks Banner for student enrollment, assigns

students enrolled in a particular class into an AD group, and then assigns that AD group to

the logon properties of particular computer labs. The result is that students enrolled in a

course can be automatically provisioned to have login privileges (which can be controlled by

day/time) to certain computers for a certain length of time (e.g. a quarter).

L&S has developed an application that imports/writes important administrative and

academic dates to user’s calendars to publish items such as Instruction beginning, Payroll

compute, University observed holidays, and so forth.

Integration between DavisMail (the student email system powered by Gmail) and uConnect can be

accomplished using SAML and the Google Apps APIs.6

Microsoft’s Live@Edu / Office 365 for Education service sets up federation between a user domain

(typically campus.ucdavis.edu) and the hosted services: Microsoft Office, SharePoint Online,

Exchange Online, and Lync Online.7 It allows for the possibility of going to a cloud-based service

offering on uConnect if that is deemed desirable.8

Many more applications and services of this nature are possible, and a structure which provides the

flexibility to write them should be provided.

To efficiently write such applications, user objects need to be in a central, well-known container (i.e.

the account domain) so that slow directory traversal calls are avoided.

Domain Name Service

Domain Name Service is a foundational piece of the internet. Many security issues are present which

require careful attention.9 Active Directory is based upon Dynamic DNS. Best practices with respect to

Active Directory and DNS are:

The DNS name of the forest is the DNS name of the organization (ucdavis.edu)10

DNSSEC should be implemented

DKIM should be implemented

The advantages for making the DNS name of the forest ucdavis.edu are:

A broad range of services register SRV records, including some that enable easier client

configuration, such as Autodiscover11 (which automatically connect Outlook clients to Exchange

mailboxes) and SIP (for Lync clients). Clients can automatically find these services via DNS query

Kerberos realm coincides with user logon name and the user principle name (UPN)

The Certificate Server (cf. Public Key Infrastructure) can be made authoritative for the

forest and all users therein

DNS names are so central to services populating Active Directory that one cannot do a DNS rename

operation once Exchange 2007, Exchange 2010, Microsoft Office Communications Server 2007R2, or

Microsoft Lync 2010 has been installed.12

The current uConnect root forest name is ad3.ucdavis.edu. As uConnect has Exchange 2010 and

OCS 2007R2 running, it cannot be renamed to ucdavis.edu. Therefore, a migration or some other

replication (e.g. forest-forest trust) must be done to get uConnect users into the new system.

Current migrations to uConnect, using automated tools have some tricky spots. This possibility was

noted when discussions first began on Xeda/uConnect implementation for the campus. However, given

the potential client base (~5,000 currently in uConnect versus several times that number for the campus

at large) and commitments that early adopters would be willing to tolerate disruptions for the benefit of

the campusi, the logical choice remains to continue forward with a design that benefits the entire

campus versus minimizing turmoil for early adopters. (Note that keeping the existing uConnect forest

sets up a multi-forest model, which is suboptimal (cf. Active Directory).)

To implement this change, the new Active Directory DNS servers will need to be brought up alongside

the existing Unix DNS servers. DNS zone transfers would be conducted to synchronize records between

Unix and Windows DNS, and the Infoblox tool (which is already compatible with AD13) would be

configured to write changes to Active Directory in addition to the existing Unix servers. Finally, after

sufficient use and confidence has been developed (incorporating input from Linux and MacOS users) the

Unix DNS servers would be turned off and the AD DNS servers would perform all DNS based functions.

Once this step was completed, the next exercise would be to configure AD DNS for DNSSEC, which is

straightforward.14 Units that wish to maintain their own DNS servers should be provided a mechanism to

register in DNSSEC.

Finally, DomainKeys Identified Mail should be implemented for Exchange. DKIM provides for a means of

cryptographically validating the domain name associated with an email; it allows organizations to

efficiently filter some types of spam email. It will be discussed in further detail below.

Dynamic Host Control Protocol

Campus DHCP services are currently provided by Infoblox. Some units still manually address and/or run

their own DHCP services.

Once the campus goes to IPv6, DHCP is not needed to assign addresses, as clients can automatically

configure their own IPv6 address without risk of collision (64-bits of the IPv6 address are assigned by the

clients themselves, which is twice the total count of IPv4 addresses possible in the Internet). However, it

is still useful to assign other information in DHCPv6, in particular, the IP addresses of the local DNS

servers.

Because services register with Active Directory’s Dynamic DNS servers, a DNS server becomes a catalog

of services that client computers can use to find applications, in the same way that the LDAP directory is

a catalog of people.

i Initial meetings with Xeda Steering Committee on 1/12/2010; many subsequent further discussions

Windows Vista clients and later include DHCPv6 clients, and Windows Server 2008 includes a DHCPv6

server and relay agent (used to relay DHCP messages from DHCP servers).15 A robust system of DHCP

servers scaled for campus will work together with Dynamic DNS servers to make campus applications

easy to find and use automatically by clients.

Kerberos

All faculty, students, and staff are eligible to obtain Kerberos accounts which authenticate to the central

campus Kerberos servers. A first step for using many applications developed on campus is obtaining a

Kerberos account.i

In turn, the campus has a user/password management system, more than two decades old, which

handles the provisioning and maintenance of client login accounts and passphrases to/from the

Kerberos servers to other systems needing this information. Finally, there are a variety of shadow

systems which takes direct dumps of user logins and password plain-text equivalents in order to

integrate their services with the existing Kerberos system.

The shortcomings of the existing system can be immediately addressed by taking advantage of the

Kerberos Key Distribution Center (KDC) built-into Windows AD Domain Controllers (DCs). The distributed

nature of Windows AD DCs provides reliability equal or superior to the existing system (e.g. there will be

more Windows DCs in the new system than there are Kerberos KDCs in the current system), and

Kerberos integration is automatically built-in to Active Directory clients, eliminating the necessity for

shadow systems.

Standard practice is to make the Kerberos realm the domain name.16 As this will be the case for the AD

forest ucdavis.edu, the mapping of hostnames onto Kerberos realms17 will be automatically handled

via DDNS, and AD clients will be able to automatically locate Kerberized services.18 Because Kerberized

services running elsewhere are not automatically viewable, services that are intended to be available

domain or forest-wide should use the Windows KDCs (which can be further assisted by using the

Subsystem for UNIX-based Applications in Windows Server 200819).

To implement this change, the Windows KDC would be populated with the accounts in the existing Unix

KDCs. This requires a passphrase reset, and has already been done on the uConnect DCs. It would be

done for the new Windows KDCs, avoiding the pitfalls that cropped up in the uConnect migrationii. After

sufficient use and confidence has been developed (incorporating input from Linux and MacOS users) the

Unix Kerberos servers would be turned off and the AD KDCs would perform all Kerberos login

authentications.

Active Directory Certificate Services, SSL, and Public Key Encryption

i Thanks to Megan Richmond for pointing this out. ii For example, small subsets of users were unable to login due to conflicts with previous uConnect account

information.

A Microsoft Certificate Server is a server acting as a Certificate Authority (CA) for the forest. Many

applications require a properly set-up CA.

A certificate is only as good as its chain of trust.20 The trust anchor for the digital certificate is the Root

CA.

The best practice setup for the campus CA isi:

1. Obtain an Intermediate CA certificate for the campus CA from a certificate authority such as

Verisign21 or InCommon (if they are capable of handling it)ii

2. The certificate server with the Intermediate CA certificate becomes the campus CA with a

complete Trust Chain

3. Templates are created on the campus CA to provision several Issuing CAs to perform certificate

server functions

4. The campus CA is taken offline, and optionally, locked in a safe. Because the campus CA has the

only Intermediate CA certificate, it is the only server which, if compromised, allows

impersonation of all certificates issued by the Issuing CAs for the ucdavis.edu domain.

5. The Issuing CAs perform all certificate requests

6. A separate web server/file server system is kept to store the revoke certificate list. Because

access to this system is required by the Issuing CAs before they will startup, this system should

be redundant

7. The campus CA is only ever brought online to define new templates for Issuing CAs or re-

authorize Issuing CAs when their certificates have expired (i.e. yearly)

A working example follows.

The campus CA, certroot.ucdavis.edu, has the Intermediate CA certificate for ucdavis.edu

(signed by a Root CA such as Verisign or InCommon) installed. It is now authoritative for

ucdavis.edu, and can issue digital certificates with the trust chain intact all the way to the Root CAs

(Verisign or InCommon).

Two issuing certificate servers, cert1.ucdavis.edu and cert2.ucdavis.edu, are brought

online and authorized by certroot.ucdavis.edu. Before they will successfully start, two

webservers, revokedcert1.ucdavis.edu and revokedcert2.ucdavis.edu, are also

brought online and setup with the revoked digital certificates list (initially empty).

Then certroot.ucdavis.edu is physically shut down (and locked away), and only revived to re-

authorize cert1.ucdavis.edu and cert2.ucdavis.edu when their authorizations expire

yearly.

i Special thanks go to Uwe Rossbach for sharing his research and experience on this topic. ii Experience with InCommon so far has shown some difficulties in getting SSL certificates properly issued;

InCommon seems to have marketing but limited technical support and no CA.

As revokedcert1.ucdavis.edu and revokedcert2.ucdavis.edu are up and running,

cert1.ucdavis.edu and cert2.ucdavis.edu readily startup and begin issuing digital

certificates for Exchange, Lync, VPN, and many other services.

The benefits of this system are:

The campus CA is protected from compromise

Microsoft Lync can be setup and installed

VPN and NAC/NAP can use user- or computer certificates to verify identities

Encrypting File System (EFS) can be turned on for all file servers in the campus Active Directory

Campus websites can easily request SSL certificates.

o Client web browsers with root CA certificates pre-loaded automatically fully trust

ucdavis.edu Secure Sockets Layer (SSL) websites with no additional work22

Clients can request certificates to use for email encryption.

Clients can request certificates to use for email digital signatures

o Applications can be written using workflow incorporated with digital signatures.23 A

purchasing application can be confident that an email from a buyer approving a

transaction is really from that buyer

Applications can make use of Code Signing.24 Code Signing uses digital signatures to prove the

authenticity of an application. Clients using that application can be confident of its origins

Lightweight Directory Access Protocol services

Currently, campus is provided with LDAP services integrated with a custom application which allows for

directory entries to be marked public or private, as desired. These entries are then published, subject to

these rules, on websites and used by other applications which need directory information.

LDAP is also provided by Active Directory, and is integrated into AD services in a way that a standalone

LDAP system is not, while still providing interoperabilityi with LDAP clients from multiple vendors.25 26 27

As an example, setting the “Manager” attribute in AD does several things:

In Outlook 2010, when viewing Calendars the “Team:” view automatically lists all subordinates

In Outlook 2010, the “To Manager” Quickstep automatically addresses the Manager

In SharePoint, workflow routing to supervisor makes use of the Manager attribute

The last point is significant because SharePoint contains the Windows Workflow engine, which allows

clients to create simple, graphical rules to route Microsoft Office documents amongst each other using

the built-in organizational chart that is present in AD using this attribute. Moreover, any .NET application

using Windows Workflow can also take advantage of this, as can any LDAP-aware application. An

effective, locally controlled enterprise-wide organizational chart is available just by using this property.

i A key issue is multi-value support, such as multiple addresses per user. Both Microsoft documentation and “in the field” reports indicate this is supported, see Endnotes.

Because many kinds of information can be added as additional attributes28 to LDAP, there are a variety

of additional applications29 which are opened up by the presence of an easily accessible directory of

people, the most important of which is authentication.

LDAP supports an extended operation called Password Modify.30 This, along with proper security

procedures (such as disallowing anonymous access to this and other key operations), allows LDAP to be

used as a replacement for the Central Authentication System (CAS). Note that LDAP is already being

used to handle wireless network authentication, i.e. MoobileNet/MoobileNetX.31

CAS is currently used on campus to authenticate web applications. It has a history of some instabilityi,

and moreover requires additional dedicated hardware to run in a robust, load-balanced manner. Using

the AD LDAP servers in the ucdavis.edu forest immediately provides stability and load-balancing, and

allows for CAS to be retired.

LDAP authentication is supported on a number of popular programming languages/web platforms:

.NET32 33

Java via the Java Authentication and Authorization Service34 and JaasLounge35

Cold Fusion 36

PHP 37

Perl 38

Python 39

Smartsite 40

Plone 41

Drupal 42

Hannon Hill Cascade Server 43

Atlassian Confluence 44

Oracle45 46

LDAP supports other authentication methods. Public keys can be distributed and authenticated using

LDAP.47 If a user has in their possession a USB key or hardware token with their private key, they will be

able to authenticate using SSH if the public key is published in LDAP. One use case would be for cluster

computing users; in clusters managed by Computational Science and Engineering, researchers gain

access to cluster resources (logins, batch queues, etc.) via SSH and public/private keypairs. Public-key

cryptography is robust authentication mechanism that is superior to passwords48; those services

wanting extra security would be able to use this if LDAP is correctly provisioned. As hardware tokens

become more prevalent (e.g. in smartcards) efforts would be made to support this more robust, two-

factor authentication scheme. Certain systems currently in use using hardware tokens could be migrated

to public-key cryptography.

To implement this change, a timetable should be published to the campus technical community

outlining the changeover schedule and resources available to convert existing web applications over to

i Last outage was August 18

th, 2010. Last unsuccessful upgrade was October 8

th, 2010.

LDAP or Shibboleth authentication (cf Single Sign On). Efforts should also be made to accurately

update the directory with business and other information, such as public keys and user password hashes

(LDAP stores a one-way hash of passwords to prevent compromise of the LDAP database from affecting

users49), that would be used for business process flow and authentication respectively. Value-added

projects, such as WhitePages, or applications that enable easy entry of business data, could be rewritten

to facilitate easy and accurate entry of useful directory information.

After an appropriate sunset period (no more than 2 years are recommended), CAS would be turned off

and the systems retired. Concurrently, as new services were developed based on LDAP (e.g. organization

charts, workflow, and public-key authentication) these would be released to the community along with

information on how to take advantage of these new services.

It’s worth noting that CAS can use AD/LDAP as an authentication backend.50 i Retiring CAS is not a

necessity, but it does save the infrastructure/staffing costs to run a system that is less redundant than

the backend services (LDAP) it is using.

Single Sign On

Integrating Kerberos, LDAP/Shibboleth authentication, and a public-key distribution system along with

Active Directory effectively gives users Single Sign On for services within UC Davis. Taking this a step

further to integrate with enterprise services outside of UC Davis, such as At Your Service51, involves

incorporating Shibboleth, an open-source implementation for federated identity-based authentication.52

Shibboleth 2 now incorporates interoperability with Microsoft Active Directory.53 Organizations such as

CampusEAI provide the myCampus Single Sign-On widget54 to allow users to sign into applications such

as Microsoft Exchange, Google Apps, Microsoft Live@EDU, Zimbra, Sakai and many others across

organizational boundaries one time. Regardless of which solution is chosen or developed, the existence

of these services should spur adoption of a solution as soon as feasible.

Exchange

Email and calendaring are fundamental to business operations, and should be properly resourced. What

are “proper resources”?

Exchange 2010 has raised the limit of items enumerable in a single folder to 100,00055, and reduced I/O

operations by nearly 70% with respect to Exchange 2007.56 Best practices for individual mail storage

are57:

Primary mailbox of not more than 10GB

Archive mailboxes of up to 10GB58 (as many as desired)

No use of offline personal archives (.PST)59

Based on these practices, a suggested pricing model for Exchange is:

i Thanks to Jeremy Philips for pointing this out.

Baseline usage mailbox for free (e.g. 2GB), to cover existing Cyrus users and units that find

Cyrus’ no cost and low capacity attractive

Additional mail costs not in excess of current hosted Exchange providers ($5/month/user60) 61 62

Archive mailboxes assessed at less cost than primary mailboxes

The traditional concern that large user mailboxes will make backup/recovery operations difficult is

resolved by Exchange 2010 SP1, which allows repair/recovery of individual mailboxes without taking

down the entire mailbox database.63

By making the Exchange mail service free for a certain level of service (and opening up Outlook Web

Access for web browser-based clients or IMAP/S for alternate clients such as Thunderbird; Apple’s

Mail/iCal/Address Book already ties directly to Exchange64), the current Cyrus mail users can be

migrated off of those aging systems and savings can be recouped from the staff and infrastructure

resources used to run Cyrus.

Once Cyrus users have been migrated, the rest of the campus can be moved onto the new mail system.

A proposed order of migration is listed in Implementation.

When everyone on campus has either a mailbox or a contact, the full capabilities of Exchange can be

used. Mailing list management can be moved to mail groups in Exchange. Web applications can be

developed (CA&ES, L&S, and the Law School have already written several) which leverage Exchange web

services to provide for automatic calendaring/appointments, automatic class list creation, room

scheduling, and so forth. These applications provide rich additional functionality.

Consideration should be made on whether it is worthwhile to retain mailing-list only systems such as

Sympa, which has a rich list of features65, but may or may not provide significant value-add compared to

developing applications from Exchange Web Services.66

DomainKeys Identified Mail

DKIM is actually independent of DNSSEC, but is included in this discussion because most

implementations of DKIM use DNSSEC. Several vendor solutions for DKIM on Exchange are present, such

as Axway67, which also provides a Spam filtering solution. Implementing a vendor DKIM solution such as

Axway would provide for greater email security as well as cost-savings associated with retiring the

current campus SpamAssassin system, which has some undesirable traitsi.

Microsoft Enterprise Voice ii

i Bulk-mail sent from reputable sources is almost always flagged as spam due to overly sensitive rules as currently configured on SpamAssassin. ii Special thanks go to Shuka Smith for sharing his research and experience on this topic.

The campus voice network is currently served by the Sonus network68, which provides service for

campus landlines, emergency services such as 911, and voicemail. There are also hooks for the Pinnacle

billing system, which is used by Communications Resources to bill phone use.

As of the release by Microsoft of Lync 2010 (formerly Office Communications Server), Lync provides the

capability to directly connect to a PSTN69, reducing the need for the Sonus network. In particular, the

current EVM system for electronic voice mail can be replaced by the transcription and storage

capabilities of Lync delivered to the Exchange mailbox, and it may prove simpler to use the built-in IP-

PBX capabilities of Lync.

uConnect is currently running Office Communications Server 2007 R2. There are three drawbacks of this

system, as implemented:70

1. The certificates used are self-signed (thus a broken trust chain )

2. OCS 2007 R2 does not have PSTN connectivity, and must rely on the Sonus cloud

3. The DNS SRV record for OCS on uConnect is _sip._tls.ad3.ucdavis.edu, which is not

discoverable by clients on the ucdavis.edu namespace.

The design proposed by this paper fixes the aforementioned three issues in the following ways:

1. Certificates are obtained from cert1.ucdavis.edu with a complete trust chain

2. Lync 2010, due 11/17/2010,71 is used, providing PSTN connectivity

3. The forest DNS name is ucdavis.edu, thus the SRV record is _sip._tls.ucdavis.edu,

discoverable by all clients on ucdavis.edu.

In addition, further cost-savings would be realized when Sonus is retired, as its duties are handled by

Lync.

Retiring Sonus would be a complex project, further complicated by the requirements of the Pinnacle

billing system. Analog phone service must continue to be provided until the last subscriber opts out.

Nonetheless, the way forward is to use existing and future telephony systems (including billing and

rates) based on software, SIP, and IP-based phones, and phase out older systems as soon as possible.

Document Management with SharePoint

Several document management systems already exist on campus, and document management itself can

be defined in many ways. Microsoft SharePoint 2010 provides the following capabilities72:

Accessibility, upon proper authentication, from anywhere with an Internet connection

Complete integration with Active Directory, Exchange, and Lync.

Complete integration with Microsoft Office (e.g. Word, Excel, PowerPoint, Outlook, OneNote,

Access) and Adobe PDF

Versioning, checkout, rating, and tagging for multi-user collaboration

Rule Based Submission (e.g. automatic movement of submitted documents to particular

libraries)

In Place Records Management for retention and eDiscovery

Metadata validation, indexing and management

Integration with cloud-based office suitesi

Ability to integrate with document-scanning solutions and manage electronic images of paper-

based information73 74

Ability to extend basic SharePoint functionality by programming custom web parts using

SharePoint Designer75 or .NET.76

By implementing SharePoint within the new uConnect architecture, campus units by default get a web-

based system with which to share and collaborate on documents which ties in with the rest of the

systems. For example, if Active Directory/LDAP is fully populated, SharePoint knows the supervisor and

other team members of a particular user, and a SharePoint workflow which automatically routes the

form to the supervisor can be easily built. The Presence and Availability of other people are visible in

SharePoint, so that people working on the same document can open an IM window or web/video

conference call to discuss their changes. Finally, SharePoint 2010 offers simultaneous editing of the

same file (coauthoring) and the ability to stream PowerPoint presentations over the web77, greatly

facilitating many common needs for faculty, students, and staff.

Implementation of SharePoint depends upon several items:

The Internet Connector license must be bought to allow access to SharePoint from the Internet

(estimated price, $4k)

Sufficient server and storage space must be allotted78 (typically 6-10 servers for a robust

SharePoint infrastructure plus storage for all the documents)

o If the SharePoint environment is virtualized, a number of considerations should be

addressed79

Campus subscribers to uConnect must have Enterprise CALs via MCCA

Units with a large investment in their current document management system might retain it based on

cost-benefit analysis. However, many other units will find the addition of an enterprise-wide document

sharing and collaboration system irresistible, and future web applications based on SharePoint could be

developed to provide targeted solutions to the business requirements of departments, colleges, schools

and units.ii

Cyber-Safety

i GoogleDocs, for example, as of now cannot handle complex formatting in Word documents with precise requirements, such as legal documents. However, Office Web Apps handles Office documents natively. ii In the absence of a central SharePoint solution, many units already in uConnect are working on their own

implementation, which gives an indication for potential popularity. In addition, UC Berkeley has CalShare, a SharePoint implementation. See: http://ist.berkeley.edu/services/is/calshare

Computer security, or Cyber-Safety, incorporates a number of concepts, the most basic of which are:80

Confidentiality

Integrity

Availability

The specific UC Davis Security Standards are given in Exhibit A of Chapter 310, Section 22, in the UC

Davis Policy and Procedure Manual.81 This proposed design directly addresses these practices as follows:

1. Software Patch Updates

A centralized Windows Server Update Services system is setup in resource.ucdavis.edu

for use by all campus Windows clients. A BigFix82 or similar system is setup in the resource

domain to provide patch updates for UNIX, Linux, MacOS, and virtual clients (as well as

Windows).

2. Anti-virus Software

A centralized Anti-virus Software service, based on the campus site-licensed anti-virus software,

will be provisioned in resource.ucdavis.edu. It will be configured such that the staff of

individual units will be able to administer the anti-virus software on their local IT resources.

3. Non-secure Network Services

The new design employs Microsoft’s Network Access Protection (NAP) in conjunction with

802.1x to restrict access to the network to devices which can pass a health check by a Network

Policy Server. Devices on a Windows domain failing the health check can be redirected to a

Remediation server which will apply patches and other features to allow the computer to come

into compliance. Once the health check has been passed, the system may access the network.

There are two ways to enable this:

DHCP (weak) – Can be bypassed by clients assigning their own IP addresses

802.1x (strong) – Cannot be bypassed by clients

In the recommended way to enable this, campus network switches are configured to support

802.1x and authentication to the network (usually via LDAP). This in turn requires that the

switches fully trust the Network Policy Servers; thus NAP is best done as a centralized service.

4. Authentication

Robust authentication is provided for users via:

a. A strong single sign-on password

b. Public/private key pair

c. Hardware device with digital certificate or public key

Authentication is thought of as applying to users, but with the advent of a campus CA, can also

be applied to computers. For example, domain controllers, file servers, and other sensitive

resources can be configured to reject connections from computers that do not have a valid

digital certificate.83 These (IPSec) policies must be carefully tested.

5. Personal Information

With the advent of a campus certificate server, all file servers in the ucdavis.edu domain can

turn on Encrypting File Services. To properly provision EFS and ensure that files can be

recovered in the event that the holding account is deleted:

a. A specific account holding the EFS Recovery Agent role must be established.

b. Enterprise Administrators in the root domain ucdavis.edu only grant temporary use

of the account to Domain and OU Administrators on an as-needed basis.

This provides default encryption on all files stored on all fileservers with EFS enabled. Under the

requirements of SB 1386, this would exempt the University from having to notify users if

personal information is disclosed from a file protected by EFS.84

The campus certificate server also allows for the encrypting of email and databases via standard

interfaces.

6. Firewall Services

Firewalls are widely deployed across campus. The upcoming migration of units to the campus

AD/UC infrastructure provides an opportunity to check: organizations are not allowed to join

until they show a properly-configured VLAN firewall. Because the services are standardized and

well-known, firewall rulesets should be easier to write, and best-practice rulesets can be

developed.

7. Physical Security

The campus AD/UC infrastructure ensures that much of the “crown jewels” of the campus IT

infrastructure remains in secured campus datacenters with reliable power, networking, and

HVAC. The design calls for two datacenter sites, which takes advantage of the load-balancing

inherent in AD and allows for disruptive services upgrades on one datacenter without affecting

the campus at large.

8. No Open Email Relays

The combination of Exchange 2010, DNSSEC, and DKIM means that:

a. Unauthenticated users are not allowed to send email

b. The campus email servers are well-known and cryptographically validated by the

outside world, eliminating the threat that a spammer masquerading as a

ucdavis.edu user will land the campus on an email blacklisti 85

For those departments still wishing to run their own email servers, provisioning DNSSEC and

requiring DKIM on all mailservers will maintain the benefits described above.

9. Proxy Services

Implementing NAP has the side-benefit of giving the campus a robust VPN solution.

Departments save the time/expense of running their own VPN, and users can be directed

towards the campus VPN. This will eliminate improperly configured proxy servers.

For those departments still wishing to run their own proxy server, the provisioning in LDAP of

password hashes gives them access to robust authentication.

10. Audit Logs

The campus.ucdavis.edu user account domain coupled with proper setup allows for a

robust auditing mechanism86 when coupled with good third-party tool which collects systems

logs from all AD/UC servers for separate log analysis. Note that units with their own domains are

also able to audit their own resources; for reliability these logs should be collected on the

central campus log analysis server. For best results, the third-party tool should be able to read

log formats from Windows, Unix, Linux, and MacOS servers. In addition:

a. An AD security group dedicated to Cyber Safety auditing should be established

b. The UC Davis campus Cyber Safety auditors should be granted membership to this group

c. Other unit Cyber Safety auditors should be granted membership upon request

d. Member domains should not implement policies or mechanisms which block the group

from resource access

e. Members of the Cyber Safety group should audit user data only with explicit written

permission from the chair, MSO, Dean or Vice Chancellor of the unit.

f. Any domain, sub-domain, or domain organizational unit targeted for a Cyber Safety

audit should receive prior notification

i. The Dean or Vice-Chancellor of the unit may override the notification

requirement at their discretion

11. Backup and Recovery

The system calls for the use of Microsoft Data Protection Manager to handle the backup of

Active Directory and the Unified Communications components (Exchange, Lync, etc.) This is a

disk-to-disk system which is compatible with the campus current use of NetBackup. Properly

configured, this provides two levels of backup (disk-to-disk for DPM and disk-to-tape for

i This has happened several times in the past years

NetBackup of DPM) to complement the tombstone/previous versions first level restoral

capabilities in Exchange and Windows file services.

DPM has significant data storage requirements; for cost-effectiveness, several DPM servers

coupled with Direct Attached Storage provide the best cost/storage ratio.

12. Web Application Security

LDAP authentication provides an industry-standard, known-good authentication mechanism. In

addition, CA&ES has developed a robust roles database (available as a web-service) for

authorization. A roles database used in this context means a system which controls access (and

provides auditing) to campus applications on a per-user, per-role, per-application, per-unit basis.

The campus has other Identity Management/Roles Database system initiatives for other

purposes, but they do not currently address the authorization problem in web applications.

Deployment of this system (or another with this functionality) enables developers to consider

the authentication and authorization problem solved, and move on to the other OWASP issues.

The benefits of these and the measures listed above:

Provides immediate feedback and quarantine of insecure systems from the campus network

Provides widespread encryption which can protect personal information in documents, emails,

and databases

Provides fault-tolerant secure physical hosting

Eliminates open relays and campus-on-email-blacklist problem

Provides VPN solution to campus

Provides easy auditing

Provides two levels of backup on critical data

Provides secure authentication and authorization processes for web applications and databases

Saves units the time/cost of doing these services themselves

Provides known, consistent quality

Provides functionality not available to individual units

Provides costs savings in purchasing software for whole campus

Implementation The previous section discussed a number of topics. In this section, the specifics are condensed down

into an implementation order and summary of necessary steps. Items in green are not on the critical

path, and may be done concurrently, as time permits, or once confidence has been established that a

migration is complete.

1. Setup the root AD domain ucdavis.edu

a. Perform initial zone transfer between dns1.ucdavis.edu to root AD domain controller

DNS servers

b. Configure Infoblox to update AD DNS servers

c. Setup DNSSEC

d. Publish tools/interfaces for ucdavis.edu sub-domains to add DNSSEC

e. Setup DHCP and DHCPv6

f. Retire Unix DNS servers

g. Retire older DHCP servers

2. Setup campus.ucdavis.edu account domain for user accounts

a. Set passwords on campus.ucdavis.edu to be the same as Kerberos passwords.

Requires a password reset.

b. Update computingaccounts.ucdavis.edu to change passwords on AD KDCs

c. Update the Whitepages application to make changes against AD LDAP

d. Setup user password hash storage in LDAP

e. Publish tools/interfaces for web application authentication in LDAP

f. Publish tools/interfaces for public key storage in LDAP

g. Setup roles database and publish web services interface for web application

authorization

h. Setup Shibboleth

i. Configure for federated authentication with At Your Service, Google Apps, Office 365 for

Education, etc.

j. Retire Unix LDAP servers

k. Evaluate retiring CAS

3. Setup resource.ucdavis.edu resource domain for forest-wide resources

a. Setup Active Directory Certificate Services

i. Setup certroot.ucdavis.edu

ii. Setup cert1.ucdavis.edu, cert2.ucdavis.edu,

revokedcert1.ucdavis.edu, and revokedcert2.ucdavis.edu

iii. Turn off and securely store certroot.ucdavis.edu

iv. Publish tools/interface for IT staff to obtain SSL certificates

b. Setup Exchange 2010

i. Setup DKIM and spam filtering

ii. Setup eFax, Fax-over-IP

iii. Migrate Cyrus users to Exchange mailboxes with no-cost storage limits

iv. Migrate CA&ES and current uConnect users

v. Migrate remaining units

vi. Retire Cyrus and SpamAssassin servers

vii. Publish tools/interfaces to email and calendar functions

viii. Evaluate sympa vs. Exchange/SharePoint web applications

c. Setup Lync 2010

i. Setup Mediation server

ii. Setup IM

1. Setup public IM connectors

iii. Setup audio/video/web conferencing

iv. Setup Enterprise Voice

1. Setup voicemail and voice transcription

2. Integrate Pinnacle and billing systems

3. Migrate voice users to Lync VoIP

v. Retire Sonus

d. Setup Systems Center: Configuration Manager

i. Setup Network Access Protection87

1. Apply AD forest schema extensions for NAP

2. Setup Network Policy Servers

3. Setup System Health Validators

4. Setup Reporting Point

ii. Publicize to clients how to use VPN access through the Network Policy Servers

iii. Retire SSL VPN

e. Setup Systems Center: Data Protection Manager

f. Setup Antivirus servers

g. Setup WSUS

h. Setup BigFix

i. Setup Auditing Server

j. Setup Subsystem for UNIX-based Applications

k. Setup Apple Remote Desktop

l. Setup Systems Center: Operations Manager

m. Setup Systems Center: Virtual Machine Manager

n. Setup Systems Center: Service Manager

Staffing

This design dramatically increases the complexity and scope of services offered compared to the current

uConnect services. Additional staffing and infrastructure resources must be allotted for success.

The envisioned system cuts across a number of organizational boundaries and some re-organization as a

result of new duties and retirement of older systems may result. Even so, enough resources may not be

allotted, simply because of the enormous breadth of technical knowledge required to successfully

implement the design.

The ARM/CA&ES/IET collaboration provides a roadmap for the way forward. Every stakeholder has a

vested interest in the success of this enterprise. Units that are willing and able to provide technical

talent should have their staff put to good use. In order to effectively synchronize everyone towards

tangible progress, they can be grouped as follows:

Core team and collaborators

This group consists of the core staff as provided to the project by ARM, CA&ES, IET and others,

responsible for setting up, administering, running, and maintaining the forest-wide resources. As can be

seen above, there are a large number of additional projects that should be done by units willing/able to

contribute technical staff. Examples of these types of projects are developing the various

tools/interfaces and applications that will provide services to clients.

Focus groups

These groups consist of technical IT staff evaluating the progress the system is making on the design

principles. Anyone interested in a focus group should be allowed to join, but the focus group chairs must

ensure that the feedback collected is presented in a useful form to the core team and collaborators:

1. Full-featured services – This group tests the usability of the various aspects of the system for

technical and non-technical users.

2. Flexibility – This group consists of interested outside parties that are planning to build exciting

new applications and are willing to test using the campus AD/UC infrastructure as their

foundation.

3. Interoperability – This group consists of MacOS and Linux sysadmins that provide feedback and

test cases to ensure their platforms are fully supported on the AD/UC infrastructure.

4. Stability/Security – This group ensures that the security best practices envisioned in the design

are maintained.

5. Cost-effectiveness – Added for completeness, this “focus group” is the core team and

collaborators who ensure the implementation of AD/UC services is as efficient as possible. This

implicitly includes the buyers who ensure prices for hardware and software take full advantage

of UC discounts.

Unit IT contacts consuming AD/UC services

This group consists of the technical staff that provides local IT support. A large percentage of IT work will

continue to reside in the units.

Governance

To be successful, the project must not only have a talented and well-coordinated group to execute the

setup, administration, and migration to the new system, but there must also be an open process

towards setting the future direction of the project. The author and collaborators have ideas on a new

governance structure (to be presented later) establishing project staffing as a center of excellence, and

are open to further concepts.

Completeness

This design offers a wide variety of features, but it is not necessary that all clients take advantage of all

of them. Clients may mix/match services as desired:

Email: Clients can connect to their Exchange mailboxes via Outlook Anywhere (Windows88,

MacOS 89), IMAP/S, mobile devices, tablets, and web browsers without joining their devices to a

Windows domain. Clients wishing to run their own mailservers may still do so, as long as they

implement DKIM.

Lync: Web-based clients are available for Lync services without installing software or joining a

domain90 91. VoIP phones are independent network devices separate from client computers;

using VoIP-enabled phones with Exchange integration requires that a user account be

provisioned for these services; software client choice is flexible. Analog phones are still

supported.

DNS: The Microsoft DNS servers can be configured to support wildcards for empty resource

record sets92 to provide support for BIND’s DNS wildcards. Clients requesting sub-domains may

also run their own DNS servers. DNSSEC is still provisioned throughout.

DHCP: Units may run their own DHCP servers on their networks, or hand-configure computers if

desired.

Kerberos/LDAP: These are standard network services with standard interfaces. Microsoft is a

member of the Kerberos foundation93 and has made Active Directory compliant94 with the latest

IETF specification of LDAP.95

Web authentication/authorization: As specified, web developers can choose LDAP or

Shibboleth for authentication. They can consume an authorization service or write their own.

Windows Domains: Windows domains provide administrative efficiencies, particularly for

Windows clients, but MacOS or Linux clients do not need to join a Windows domain to benefit

from services listed above.

Network Access Protection: NAP is intended to provide an extra level of security to clients

joining domains in the forest, so that they do not jeopardize the common resources in Active

Directory. Clients not on a domain need not have NAP configured.

Support For best results, tools to simplify the burdens of local IT support must be added to the system. The

inclusion of the Systems Center tools provides the potential for:

Automated Server monitoring (Systems Center: Operations Manager)

Client hardware/software management (Systems Center: Configuration Manager)

Hyper-V virtual machine provisioning (Systems Center: Virtual Machine Manager)

Help Desk ticketing (Systems Center: Service Manager)

Help Desk ticketing would greatly benefit subscribers to the system if they were able to pass tickets

between clients, local IT staff, and potentially, AD/UC systems staff and/or Networking Operations

Center staff.

Previous tools have been difficult to use; a project for a unified help desk should be started and chaired

by the majority users of the system, i.e. local IT support.

Discussion The project provides the following advantages to the campus:

Robust, full-featured Unified Communications

o A full-featured email and calendaring solution for Cyrus users

o Accessibility via web browser, client software, VPN, remote desktop, or mobile devices

o Opportunity to reduce telecommunications costs by leveraging VoIP

o A manageable, scalable solution

Provides common, central services with secure access mechanisms

o DaFISConnect (DaFIS on Windows Remote Desktop)i

o WSUS and BigFix for software patching

o Server log auditing

o Server status updates via Operations Manager

A common directory which can be directly leveraged into workflow and other applications

A safe and secure computing platform incorporating Cyber-Safety best practices

Enterprise wide single sign-on, with provision for federated authentication

o Benefits campus applications such as Kuali, Timesheets, Recruitments, and others

o Built-in workflow for SharePoint and other workflow applications

o Locally editable, up-to-date Organizational chart

Widespread use of digital certificates using either Web-of-Trust (public keys in LDAP) or Public

Key Infrastructure (PKI) using Active Directory Certificate Services

A fault-tolerant design resilient to failures and cracking attempts

A platform on which to build future web and cloud applications

The project also saves the costs of running these older systems:

Staff/infrastructure for running Cyrus

Staff/infrastructure for running SpamAssassin

Staff/infrastructure for running DNS

Staff/infrastructure for running DHCP

Staff/infrastructure for running LDAP

Staff/infrastructure for running Kerberos

Staff/infrastructure for running CAS

Staff/infrastructure for running SSL VPN

At some future time, the project may save the costs of these systems:

Sonus

Sympa

A complex project raises many questions; some will be addressed below.96

We’ve been successful, so why change?

i Currently provisioned on uConnect

True. But surely we have all seen that failure to adapt eventually leads to extinction. With respect to

Active Directory, the previous incarnation was created before many of the features in the new design

were developed. To quote from Active Directory Design Principles:97

“The one thing to keep in mind is that when designing your Active Directory, never go at it from

a, present needs, point of view. Technology and systems are changing so fast nowadays that you

have to design with the most open and future-proof concept that you can think of.”

No one else does this.

There really is a first time for everything, and we do have a unique opportunity. Everyone is ready for

change; we can take what we’ve learned and move forward. The current system is a hodge-podge of

sometimes incompatible systems that don’t offer the full range of functionality. This new design is a full-

featured integrated whole with flexibility to add additional services and applications via industry

standard protocols.

To generate this many questions and concerns, the idea has to be flawed.

Actually, many questions are good, as it shows engagement, and an engaged group makes better

decisions and implementations. The current partnership between ARM, CA&ES, and IET shows a strong

commitment of talent and resources to solving these issues, and we suggest the collaboration be

opened further. Everyone has a stake in the outcome.

Good idea, but this is not the time.

This is the perfect time, because there are many people excited and working to make this happen right

now. The state our university is in requires that we make changes and increases our efficiency

immediately, and this is a significant step towards getting everyone a set of consistent tools to do their

work.

Everyone has a stake in this enterprise. While it is difficult to “design by committee” – it is crucial that

Active Directory / Unified Communications move in the technical directions that serve the needs of the

campus stakeholders. The knowledge of the needed technical directions resides in and therefore should

be directly represented by the stakeholders themselves. Agile processes have already been proven to

work in a number of arenas98 99; it is worth repeating the “Agile Manifesto”100 here:

Individuals and interactions over processes and tools

Working software over comprehensive documentation

Customer collaboration over contract negotiation

Responding to change over following a plan

Acknowledgements I wish to thank Tom Pomroy, Uwe Rossbach, and Shuka Smith for many hours of conversation in

developing the topics in this whitepaper. The ideas presented here are a direct result of these

discussions. I also wish to acknowledge the following reviewers, who contributed their input and

perspectives to this paper:

Bob Brewer, Information Systems Manager, Environmental Science & Policy

Jamie Butler, Directory of Information Technology, School of Law

Jennifer Hughes, Information Systems Manager, Crocker Nuclear Laboratory

Rob Kerner, Plant Sciences IT Manager

Jeremy Philips, Director of Information Technology, Division of Social Sciences

Eric Prosser, Project Manager, Office of Research

Ben Ransom, System Administrator, College of Engineering

Megan Richmond, Lead Application Developer, Letters and Science Deans’ Office

Paul Waterstraat, Information Systems Manager, Geology

Revision History Initial version: 10/13/2010

Submitted Version: 1/25/2011

Final Version: 12/29/2011

Glossary The following is a selection of terms and definitions used in this discussion. Many unavoidably reference

other terms, which may or may not have abbreviations. For brevity, acronyms are defined with their

term.

Active Directory (AD): A Microsoft implementation of a variety of network services including101,

LDAP

Kerberos-based authentication

DNS

Central location for network administration and delegation of authority

Information security and single sign-on for user access to network based resources

The ability to scale up or down easily

Central storage location for application data

Synchronization of directory updates amongst several servers

Audio/Video/Web Conferencing: One-to-one, one-to-many, and many-to-many communication using

audio (voice) and visual communications integrated with webcams and browsers.

Certificate Authority (CA): A service issuing digital certificates.102

Digital Certificate: In cryptography, a digital certificate (also known as an identity certificate or public

key certificate) is an electronic document that uses a digital signature (a mathematical scheme which

demonstrates the authenticity of a document103) that binds together a Public Key with an identity

(information such as the name of a person/organization, address, etc.).104

Domain: In AD, a domain is a common flat database directory. Domains in AD are identified by their DNS

name structure, or namespace. Domains can contain other domains and Organizational Units.

DomainKeys Identified Mail (DKIM): DKIM is a method of associating a DNS domain name to an email,

allowing a recipient to validate that a message was sent by the organization with that particular DNS

domain name. Validation uses public-key cryptography; the signer adds a domain name to the message

and then affixes a digital signature. The verifier recovers the signer’s public key using DNS, and verifies

the signature.105

Domain Name System (DNS): The essential phone book for the Internet,106 translating human-friendly

hostnames to the actual IP addresses used by networking devices (routers, gateways, computers, etc.).

Domain Name System Security Extensions (DNSSEC): The original design of DNS did not include security,

as it was designed to be a scalable, distributed system. DNSSEC is designed to protect clients from

forged DNS data (e.g. which can be used to redirect to forged sites) while maintaining backwards

compatibility.107 DNSSEC is also queried by DKIM to provide verifiers with the public key of the signer.108

DNS Zone Transfer: A mechanism for replicating the databases containing DNS records across a set of

DNS servers.109 Nearly universal at one time, it is becoming less popular in favor of other database

replication mechanisms that modern DNS server packages provide, such as Active Directory-Integrated

DNS.110

Dynamic DNS (DDNS): A method/protocol/network service that provides the capability for a networked

device, such as a router or computer to notify a DNS server in real-time to make active DNS

configuration changes, such as the hostname, the IP address, or new SRV records.111

Dynamic Host Configuration Protocol (DHCP): DHCP is used on IP networks to configure computers with

IP addresses and other information, such as the IP address of the local DNS server. It also provides a

central database for keeping track of computers connected to the network, and prevents two computers

from being configured with the same IP address.112

Enterprise Voice: In Exchange, Voice-over-IP telephony (including voicemail) integrated with Exchange

email and calendars.

Extensible Messaging and Presence Protocol (XMPP): A network protocol used to handle IM and

Presence.113

Flat: In databases, flat is the opposite of relational. Every entry in the database contains all of its

information, and does not reference other entries.114

Forest: In AD, a tree of trees sharing a common catalog, directory, and DNS structure. If ucdavis.edu

is the forest, caes.ucdavis.edu and engineering.ucdavis.edu are trees in that forest.

Group Policy Objects (GPO): In AD, a set of rules which control the working environment of users and

computers. GPOs are used to provide a consistent set of services and environment and can be assigned

to domains, OUs, and sites. As an example, GPOs can be used to install software and ensure that it is the

version defined in the GPO.

Hostname: The human-readable Internet address of a computer. An example is: www.ucdavis.edu.

Internet Protocol (IP): The primary communications protocol used for the Internet.115

IP Address: The numeric network address for a device on the internet. There are two versions, IPv4 and

IPv6. IPv6 was instituted to address the limited number of remaining IPv4 addresses116, and is the future

of the Internet.117

IPv4 addresses look like: 169.237.1.1

IPv6 addresses look like: 2001:db8:1f70::999:de8:7648:6e8

Instant Messaging (IM): Real-time direct text-based communications between two or more people, also

known as online chat between known users (i.e. online chat can also be between anonymous users).118

Email, in contrast, is asynchronous text-based communication between two or more people.

Lightweight Directory Access Protocol (LDAP): The industry standard directory protocol, widely

accessible to management and query applications.119

Lync: Formerly known as Office Communications Server, Lync provides a unified instance for IM,

Presence, Audio/Video/Web Conferencing, and Enterprise Voice.

Kerberos: A computer network authentication protocol allowing nodes communicating over a non-

secure network to prove their identity in a secure manner.120

Mediation Server: In Lync, the Mediation server connects traffic from a basic media gateway (such as

PSTN) using SIP to Lync clients. 121 122 123 124

Network Access Protection (NAP): A Microsoft platform that controls access to network resources based

on a client computer’s identity (verified with a digital certificate) and compliance with policy.125 Software

to support policy enforcement must be installed on the client computer; it is currently integrated in

Windows XP SP3126 and lateri; separate clients are available for MacOS and Linux.127

Organizational Unit (OU): In AD, an organizational unit is a container used to simplify management.

Often, administrative access is delegated at the OU level. All OUs in a domain share the same (flat)

database. As a result, it is not possible to create two identically-named accounts in different OUs in a

domain because the database requires that attribute be unique.

Presence: In Lync, a combination of availability and willingness. Availability consults the user’s calendar

to see if they are able to be contacted. Willingness is the user’s self-defined criteria on how receptive

they are to being contacted.

Protocol: In networking, a formal description of digital message formats and the rules for exchanging

those messages.128

Public Key Cryptography: A cryptographic approach using asymmetric key algorithms. A famous example

is the use of prime numbers.129 It is very easy to verify that a particular number is the product of primes.

It is computationally expensive to factor a large number into its component primes. Public Key

cryptography uses mathematically related key pairs: a public key, which can be published, and a private

key, which is kept secret. A message encrypted by the private key can be easily decrypted by the public

key. On the other hand, it is very difficult to determine the private key using the public key.130

Public Switched Telephone Network (PSTN): Also known as plain old telephone service (POTS), it is the

public telephone network used by landlines and mobile phones.131

Secure Sockets Layer (SSL): A cryptographic protocol that provides for secure communications over open

networks, such as the internet. Commonly used by web browsers to connect to trusted webservers,

which provide an SSL certificate signed by a trusted CA. The follow-on to SSL is Transport Layer Security

(TLS).132

Service (SRV) Record: Data stored in DNS defining the hostname and port number of services for specific

services.133 Some examples of services which use SRV records:

Client SMTP authorization

Kerberos

LDAP

SIP

XMPP

Session Initiation Protocol (SIP): A network protocol used to handle multimedia communications such as

voice and/or video calls over IP.134

i Thanks to Curt Finley for pointing this out.

Site: In AD, a container of network addresses most often used to manage network traffic and replication

by assigning a cost value and replication schedule to address speed, reliability, availability, and other

physical properties.

Tree: In AD, single or multiple domains in a contiguous (DNS) namespace. For example,

caesdo.caes.ucdavis.edu and caes.ucdavis.edu are in the same tree;

caes.ucdavis.edu and engineering.ucdavis.edu are not.

Unified Communications (UC): The integration of real-time communications such as Instant Messaging,

Presence, Enterprise Voice, Audio/Video/Web Conferencing with non-real-time communications such as

email, voicemail, SMS (texting), and fax.135

uConnect: The current Active Directory / Exchange service available for recharge to campus

departments.136

References 1 http://oe.ucdavis.edu/

2 http://gunrockstatus.ucdavis.edu/docs/Project%20Gunrock%20Cost%20Comparison.pdf/view

3 http://iet.ucdavis.edu/microsoft/campus_agreement.cfm

4 Private conversation with Shuka Smith, a programmer in CA&ES Dean’s Office working with uConnect on the

Office Communications Server 2007 R2 implementation 5 Private communication with Mark Redican, Director of Communications Resources

6 http://code.google.com/googleapps/faq.html

7 http://office365.microsoft.com/en-US/education.aspx

8 http://www.microsoft.com/Presspass/press/2010/dec10/12-08USDACloudPR.mspx

9 http://www.your.org/dnscache/djbdns.pdf

10 http://technet.microsoft.com/en-us/library/bb727085.aspx

11 http://technet.microsoft.com/en-us/library/bb124251.aspx

12 http://social.technet.microsoft.com/wiki/contents/articles/renaming-a-windows-2008-active-directory-

domain.aspx 13

http://www.infoblox.com/en/resources/white-papers/dns-dhcp-microsoft-active-directory.html 14

http://technet.microsoft.com/en-us/library/ee649173(WS.10).aspx 15

http://technet.microsoft.com/en-us/magazine/2007.03.cableguy.aspx 16

http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-install/Kerberos-Realms.html 17

http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-install/Mapping-Hostnames-onto-Kerberos-Realms.html 18

Jason Garman, Kerberos: The Definitive Guide, (Sebastopol: O’Reilly Media Inc., 2003), 175-195 19

http://en.wikipedia.org/wiki/Windows_Services_for_UNIX 20

http://en.wikipedia.org/wiki/Chain_of_trust 21

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR657 22

http://technet.microsoft.com/en-us/library/dd361898.aspx 23

http://www.codeguru.com/csharp/csharp/cs_misc/security/article.php/c16491 24

http://en.wikipedia.org/wiki/Code_signing 25

http://technet.microsoft.com/en-us/library/cc750824.aspx 26

http://technet.microsoft.com/en-us/library/cc785254(WS.10).aspx 27

http://stackoverflow.com/questions/2099181/is-active-directory-really-ldap-compliant 28

http://www.zytrax.com/books/ldap/ch3/ 29

http://netmesh.info/jernst/digital_identity/microsoft-turning-the-ldap-directory-into-a-graph-database

30

http://www.faqs.org/rfcs/rfc3062.html 31

http://status.ucdavis.edu/index.php?f_path=top&o_path=past 32

http://support.microsoft.com/kb/326340 33

http://support.microsoft.com/kb/316748 34

http://www.javaactivedirectory.com/?page_id=72 35

http://jaaslounge.sourceforge.net/ 36

http://coldfusion.sys-con.com/node/154225 37

http://adldap.sourceforge.net/ 38

http://www.oneunified.net/blog/OpenSource/perl_activedirectory.article 39

http://stackoverflow.com/questions/140439/authenticating-against-active-directory-using-python-ldap 40

http://smartsite.org/smartsite.html?ch=DEF&id=4003 41

http://plone.org/documentation/kb/single-sign-on-with-active-directory 42

http://drupal.org/project/webserver_auth 43

http://www.hannonhill.com/kb/Authentication/ 44

http://confluence.atlassian.com/display/DEV/Mapping+Active+Directory+to+Confluence 45

http://download.oracle.com/docs/cd/E12096_01/books/admintool/admintool_Security7.html 46

http://download.oracle.com/javase/tutorial/jndi/ldap/authentication.html 47

http://www.ece.rutgers.edu/~parashar/Classes/03-04/ece572/project-reps/p-bisbal.pdf 48

http://en.wikipedia.org/wiki/Public-key_cryptography 49

http://www.faqs.org/rfcs/rfc3112.html 50

http://www.jasig.org/cas_server_3_4_3 51

http://atyourservice.ucop.edu/ 52

http://en.wikipedia.org/wiki/Shibboleth_(Internet2) 53

http://shibboleth.internet2.edu/shib-v2.0.html 54

http://www.campuseai.org/integrations1;jsessionid=5938AEABCF3C258827FFD979F233C4A2 55

http://sysadmin-talk.org/2010/05/large-is-not-always-best-when-it-comes-to-performance-but-it-helps-mailbox-performance-in-exchange-and-outlook-2010/ 56

http://msexchangeteam.com/archive/2010/02/22/454051.aspx 57

http://wikibon.org/wiki/v/MS_Exchange_2010:_Mega_Mailboxes,_Personal_Archives,_Goodbye_PSTs 58

http://support.microsoft.com/kb/832925 59

http://www.howexchangeworks.com/2009/08/archive-mailbox-in-exchange-2010.html 60

Communication from Dave Wallen, Manager of Microsoft Online Services Group from Computer Generated Solutions 61

http://news.cnet.com/8301-13860_3-20020029-56.html 62

http://www.microsoft.com/liveatedu/learn-about-office-365.aspx 63

http://msexchangeteam.com/archive/2010/08/23/455899.aspx 64

http://www.apple.com/macosx/what-is-macosx/mail-ical-address-book.html 65

http://www.sympa.org/overview/features 66

http://msdn.microsoft.com/en-us/library/bb204119(EXCHG.140).aspx 67

http://www.itwire.com/sponsored-announcements/25395--axway-extends-mailgate-with-virtualised-offering 68

http://www.sonusnet.com/ 69

http://www.infoworld.com/d/windows/microsoft-lync-2010-finally-communications-server-worth-the-effort-515 70

Microsoft Office Communications Server 2007 Edge Server Deployment Guide, http://www.microsoft.com/downloads/en/details.aspx?FamilyId=ED45B74E-00C4-40D2-ABEE-216CE50F5AD2&displaylang=en 71

http://www.microsoft.com/en-us/lync/default.aspx 72

http://blogs.msdn.com/b/mcsnoiwb/archive/2009/11/05/document-management-in-sharepoint-2010.aspx 73

http://www.knowledgelake.com/solutions/technology-solutions/Pages/document-imaging-management-sharepoint.aspx as one example solution, others exist from Xerox 74

http://www.avop.com/blog/joanne_gaudet/xerox_mfps_now_support_microsoft_sharepoint_server_2010

75

http://msdn.microsoft.com/en-us/library/ff630941.aspx 76

http://channel9.msdn.com/Blogs/funkyonex/Best-Practices-on-Building-SharePoint-2010-Web-Parts-with-Visual-Studio-2010 77

http://www.directionsonmicrosoft.com/samples/49-samples/940-document-sharing-with-office-2010-and-sharepoint-2010.html 78

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=FD1EAC86-AD47-4865-9378-80040D08AC55&displayLang=en#filelist 79

http://www.ditii.com/2010/06/03/sharepoint-2010-virtualisation-planning-and-technet-webcast-deep-dive-microsoft-virtualization-best-practices-for-sharepoint-2010-level-300/ 80

Matt Bishop, Computer Security: Art and Science (Boston: Addison-Wesley, 2003), 3-25. 81

http://manuals.ucdavis.edu/ppm/310/310-22a.pdf 82

http://www.bigfix.com/content/breakthrough-technology-revolutionary-economics 83

http://technet.microsoft.com/en-us/library/bb742429.aspx 84

http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html 85

http://www.mxtoolbox.com/blacklists.aspx 86

http://www.windowsecurity.com/articles/Auditing-Users-Groups-Windows-Security-Log.html 87

http://technet.microsoft.com/en-us/library/bb681008.aspx 88

http://technet.microsoft.com/en-us/library/bb123741.aspx 89

http://www.officeformachelp.com/outlook/exchange/faqs/#outlookAnywhere 90

http://communicatorteam.com/archive/2010/10/19/1763.aspx 91

http://blogs.catapultsystems.com/tharrington/archive/2010/11/08/lync-conferencing-client-comparisons.aspx 92

http://en.wikipedia.org/wiki/Wildcard_DNS_record 93

http://www.kerberos.org/sponsors/index.html 94

, Microsoft Corporation, Active Directory LDAP Compliance (October 2003), 3-13 95

http://tools.ietf.org/html/rfc4510 96

http://www.ciozone.com/index.php?option=com_myblog&show=How-To-Protect-Good-Ideas-From-Getting-Shot-Down.html&Itemid=713 97

http://www.packtpub.com/article/active-directory-design-principles-part-1 98

http://en.wikipedia.org/wiki/Agile_software_development 99

http://agile-architecting.com/Archive/Agile%20Systems%20Engineering.pdf 100

http://agilemanifesto.org/ 101

http://en.wikipedia.org/wiki/Active_Directory 102

http://en.wikipedia.org/wiki/Certificate_authority 103

http://en.wikipedia.org/wiki/Digital_signature 104

http://en.wikipedia.org/wiki/Digital_certificate 105

http://en.wikipedia.org/wiki/Dkim 106

http://en.wikipedia.org/wiki/Domain_Name_System 107

http://en.wikipedia.org/wiki/DNSSEC 108

http://tools.ietf.org/html/rfc5585#section-4.4 109

http://en.wikipedia.org/wiki/DNS_zone_transfer 110

http://technet.microsoft.com/en-us/library/cc978010.aspx 111

http://en.wikipedia.org/wiki/Ddns 112

http://en.wikipedia.org/wiki/Dhcp 113

http://en.wikipedia.org/wiki/Extensible_Messaging_and_Presence_Protocol 114

http://en.wikipedia.org/wiki/Flat_file_database 115

http://en.wikipedia.org/wiki/Internet_Protocol 116

http://en.wikipedia.org/wiki/IPv4_address_exhaustion 117

http://en.wikipedia.org/wiki/IPv6 118

http://en.wikipedia.org/wiki/Instant_messaging 119

http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol 120

http://en.wikipedia.org/wiki/Kerberos_(protocol)

121

http://blogs.technet.com/b/drrez/archive/2009/12/01/direct-sip-configuring-mediation-server.aspx 122

http://technet.microsoft.com/en-us/library/ff793475.aspx 123

http://www.ocspedia.com/fe/Microsoft_Lync_Topology_Changes.aspx?ArticleID=105 124

http://gunrockstatus.ucdavis.edu/blog/gunrock-ocs-hardware-infrastructure-planning 125

http://technet.microsoft.com/en-us/network/bb545879.aspx 126

http://technet.microsoft.com/en-us/library/bb632788.aspx 127

http://en.wikipedia.org/wiki/Network_Access_Protection 128

http://en.wikipedia.org/wiki/Communications_protocol 129

http://en.wikipedia.org/wiki/Integer_factorization 130

http://en.wikipedia.org/wiki/Public-key_cryptography 131

http://en.wikipedia.org/wiki/Public_switched_telephone_network 132

http://en.wikipedia.org/wiki/Secure_Sockets_Layer 133

http://en.wikipedia.org/wiki/SRV_record 134

http://en.wikipedia.org/wiki/Session_Initiation_Protocol 135

http://en.wikipedia.org/wiki/Unified_communications 136

http://xeda.ucdavis.edu/