Ms - Msl - Coloc - Esf Active Directory Roe


Enterprise Server Farm (ESF)

Active Directory [for Windows Server 2003]

Rules of Engagement

Application Management Team
Version 1.6
March 4, 2011

SECURITY WARNING

The information contained herein is proprietary to the Commonwealth of Pennsylvania and must not be disclosed to unauthorized personnel. The recipient of this document, by its retention and use, agrees to protect the information contained herein. Readers are advised that this document may be subject to the terms of a non-disclosure agreement.

DO NOT DISCLOSE ANY OF THIS INFORMATION WITHOUT OBTAINING PERMISSION FROM THE MANAGEMENT RESPONSIBLE FOR THIS DOCUMENT.

COMMONWEALTH OF PENNSYLVANIA ENTERPRISE SERVER FARM

Version History

Date        Version   Modified By / Approved By   Section(s)   Comment
4/30/2005   1.0       K. Will / S. Sharma         All          Initial draft
5/24/2005                                                      Incorporated S. Sharma comments; replaced Windows 2000 references with Windows 2003; moved Total Cost of Ownership reference; added Maintenance and Backup sections

Table of Contents

1 ESF OVERVIEW & ESF INFRASTRUCTURE .......... 5
  1.1 ESF OVERVIEW .......... 5
    1.1.1 ESF Engagement Process .......... 5
    1.1.2 ESF Deployment Process .......... 5
    1.1.3 Commonwealth Application Certification and Accreditation (CA2) .......... 5
  1.2 ESF INFRASTRUCTURE .......... 6
    1.2.1 External DMZ Security Zone .......... 6
    1.2.2 Internal Services Security Zone .......... 6
    1.2.3 Internal DMZ Security Zone .......... 6
2 ACTIVE DIRECTORY IMPLEMENTATION .......... 7
  2.1 PURPOSE / OVERVIEW .......... 7
    2.1.1 Benefits .......... 7
  2.2 ASSUMPTIONS .......... 7
  2.3 SCHEMATIC DIAGRAM / DIAGRAM DESCRIPTION DETAILS .......... 8
    2.3.1 ESF LAN (Extranet) .......... 8
    2.3.2 Internet Access .......... 9
    2.3.3 Business Logic Layer (BLL) .......... 9
  2.4 PREREQUISITES .......... 10
  2.5 IMPLEMENTATION DETAILS .......... 11
    2.5.1 ESF Active Directory Implementation Details & Schematic Diagrams .......... 11
    2.5.2 Location and Role of Domain Controllers .......... 11
    2.5.3 APPS Domain .......... 12
    2.5.4 USER Domain and MUSER Domain .......... 12
3 ACTIVE DIRECTORY RULES OF ENGAGEMENT .......... 14
  3.1 RULES OF ENGAGEMENT OVERVIEW .......... 14
  3.2 NAMING CONVENTIONS .......... 14
    3.2.1 Server Names .......... 14
    3.2.2 Service Accounts .......... 14
    3.2.3 User Accounts .......... 15
  3.3 SERVICES .......... 15
    3.3.1 Applications Residing in Managed Services .......... 15
    3.3.2 Applications Residing in ESF Co-Location .......... 15
    3.3.3 Applications Residing in Agency Location .......... 16
  3.4 ESF GROUP POLICY OBJECTS (GPOS) .......... 18
  3.5 ROLES AND RESPONSIBILITIES .......... 21
  3.6 MONITORING .......... 22
  3.7 SECURITY .......... 22
    3.7.1 Windows 2003 Authentication Architecture .......... 22
    3.7.2 Windows Methods of Authentication .......... 23
    3.7.3 Certificate Authentication .......... 23
    3.7.4 Forms Authentication .......... 23
    3.7.5 Recommended Authentication Methods .......... 23
    3.7.6 Application Security .......... 24
  3.8 BACKUP AND RECOVERY .......... 24
  3.9 CHANGE MANAGEMENT .......... 24
  3.10 MAINTENANCE .......... 24
4 ACTIVE DIRECTORY AND APPLICATION DEVELOPMENT RESOURCES .......... 25
  4.1 ACTIVE DIRECTORY RESOURCES .......... 25
  4.2 APPLICATION DEVELOPMENT RESOURCES .......... 26
5 APPENDIX A SCHEMA MANAGEMENT PROCESS .......... 27

ESF ACTIVE DIRECTORY RULES OF ENGAGEMENT   PAGE 3 OF 27


1 ESF Overview & ESF Infrastructure

This section contains standard information that is included in all ROE documents.

1.1 ESF OVERVIEW

The Commonwealth of Pennsylvania's Enterprise Server Farm (ESF) provides hosting services for Agency Web-based and Agency-specific applications. Its mission is to maintain a high level of security, availability, reliability, and management of the Commonwealth of Pennsylvania's mission-critical web applications.

Refer to Enterprise Server Farm for a full description of the ESF and all hosting and service offerings.

1.1.1 ESF Engagement Process

If your agency is considering deploying applications in the ESF, examine the ESF web site to understand the ESF Service Portfolio, and then contact your Service Coordinator (SC). SCs are liaisons between agencies and the ESF. They answer preliminary questions and coordinate meetings with ESF personnel to ensure consistent communication on simple or complex projects.

Refer to ESF Getting Started for an overview of the benefits, services, and options for hosting your application at the CTC ESF.

Refer to ESF Services Coordinator to identify your agency's Service Coordinator.

1.1.2 ESF Deployment Process

The ESF follows a well-defined deployment process for all application deployments. Application development is performed at the agency or contractor location, while the ESF houses both a staging and a production environment, which are mirror images of each other. This structured deployment and testing process ensures a stable application in production. Prior to entering the ESF, every new application is required to undergo a security assessment.

Refer to Deploying in Managed Services to review MS deployment process documents.

Refer to Deploying in Managed Services Lite to review MSL deployment process documents.

1.1.3 Commonwealth Application Certification and Accreditation (CA2)

Refer to Commonwealth Policy ITB-SEC005 regarding "Commonwealth Application Certification and Accreditation".

Click https://www.sqca.state.pa.us/ to initiate the Commonwealth Application Certification and Accreditation (CA2) Process.

Links referenced in this section, in order of appearance:
http://www.portal.state.pa.us/portal/server.pt?open=512&objID=460&&level=1&menuLevel=Level_1&parentCommID=0&mode=2&in_hi_userid=267279&cached=true
http://www.portal.state.pa.us/portal/server.pt?open=512&objID=460&&PageID=223464&level=2&parentCommID=460&menuLevel=Level_2&mode=2
http://www.portal.state.pa.us/portal/server.pt?open=512&objID=511&&PageID=221013&level=2&parentCommID=511&menuLevel=Level_2&mode=2
http://www.portal.state.pa.us/portal/server.pt?open=512&objID=741&&PageID=209395&level=3&css=L3&mode=2&in_hi_userid=267279&cached=true
http://www.portal.state.pa.us/portal/server.pt/community/managed_services_lite/742/deploying_in_managed_services_lite/219359
http://www.portal.state.pa.us/portal/server.pt?open=512&objID=416&PageID=200500&mode=2&contentid=http://pubcontent.state.pa.us/publishedcontent/publish/cop_general_government_operations/oa/oa_portal/omd/p_and_p/itbs/domains/security/itbs/itb_sec005.html
https://www.sqca.state.pa.us/login.php?returnto=/index.php
1.2 ESF INFRASTRUCTURE

The ESF Web Farm architecture is segmented into security zones that are isolated from each other via firewalls. The ESF Network contains the External DMZ security zone, the Internal Services security zone, and the Internal DMZ security zone. These three primary networks are either physically or logically connected to one another.

1.2.1 External DMZ Security Zone

The External DMZ security zone contains Internet-facing servers that are connected to the Enterprise DMZ. ESF-managed web servers (such as Managed Services) and Agency-managed servers (such as Co-Location servers) both exist in the External DMZ Security zone. Managed Services and Co-Location servers are on separate subnets secured by either firewalls or Access Control Lists (ACLs).

1.2.2 Internal Services Security Zone

The Internal Services security zone contains Managed Services database servers and other application servers from which dynamic content is obtained by web servers.

1.2.3 Internal DMZ Security Zone

The Internal DMZ security zone contains the Managed Web and application servers that need to be accessible only from the Commonwealth Metropolitan Area Network (MAN). This Security zone also contains internal Co-Location database, web, and application servers that are isolated from the Managed Services servers.

When ESF Domain Controllers intercommunicate within a security zone, all communication uses standard RPC and does not require IPSEC encryption or authentication. Domain Controller-to-Domain Controller communication between security zones uses IPSEC with Authentication Header (AH). (AH authenticates and integrity-protects each packet but does not encrypt it; cross-zone replication is therefore origin-authenticated, not confidential.)

Other host-to-AD Component communication in the Managed Services portion of the Enterprise Server Farm does not require IPSEC. However, IPSEC is required for all communication between entities outside the Managed Services and ESF AD components.

2 Active Directory Implementation

2.1 PURPOSE / OVERVIEW

The Commonwealth of Pennsylvania's Enterprise Server Farm (ESF) uses the Windows Server 2003 Active Directory (AD) and server infrastructure to separate the Commonwealth's enterprise AD forest applications from those applications that can be accessed internally and externally. The Application Management Team (AMT) manages the ESF Active Directory environment.

2.1.1 Benefits

Based on a study conducted by Gartner, the Total Cost of Ownership for the ESF AD is a fraction of an in-agency Active Directory solution that includes hardware, software, operations, and facilities.

Your agency gains these benefits when you use ESF AD:

- OA provides a secure location to host the Active Directory and dependent functions (such as DNS).
- The application can use existing authentication and authorization data from either the APPS domain (ESF) or the internal PA.LCL domain (CWOPA), which provides the agency's internal users with single sign-on to its applications.
- Windows 2003 Active Directory schema changes to accommodate applications can be made in the ESF AD forest, the PA.LCL forest, or both at the discretion of the Architectural Standards Committee and Schema Management Board. See Appendix A – Schema Management Process for details.
- Internal IT staff is freed up to work on agency strategic initiatives.
- AMT will provide 24x7 monitoring, management, and support to provide increased reliability, availability, scalability, and security as well as improved application authentication through ESF Active Directory.
- ESF Active Directory is highly available with built-in redundancy, disaster recovery, and multiple locations for access.
- ESF has the knowledge and expertise to maintain and manage Active Directory and is fully engaged with Unisys and Microsoft to diagnose, troubleshoot, and resolve any issues or problems.

2.2 ASSUMPTIONS

This document assumes that the reader has a basic understanding of AD concepts including:

- Forests
- Domains
- Organizational Units (OUs)
- Objects
- Schema
- DNS
- AD Management Principles

NOTE: Appendix B – Active Directory and Application Development Resources contains references that discuss each of these assumptions in depth.

2.3 SCHEMATIC DIAGRAM / DIAGRAM DESCRIPTION DETAILS

The network architecture is the key component of the functionality and security of the ESF LAN (Extranet).

This diagram shows how ESF network deployment relates to Active Directory. Three primary networks within the deployment are either logically or physically connected to one another to make up the ESF network:

- ESF LAN (Extranet)
- Internet Access
- Business Logic Layer (BLL)

2.3.1 ESF LAN (Extranet)

The Extranet resides in the CTC Internet Zone (Demilitarized Zone or DMZ) and contains Internet Information Services (IIS), domain controllers, and other AD infrastructure such as DNS and WINS. Through router security permissions or the Access Control List (ACL) on the router/firewall between CWOPA and the Extranet, all traffic that originates from CWOPA is allowed into the Extranet. If a resource on CWOPA is pushing data to a server on the Extranet, all communication is allowed.

In reverse, all traffic originating from the Extranet is blocked going back to CWOPA. If a batch job attempts to run a process from an Extranet machine that initiates communication back into CWOPA, the traffic is blocked by the ACL on the router between CWOPA and the Extranet. Data on CWOPA servers is either pushed to the Extranet from the CWOPA resource, or the CWOPA resource must reside in the Extranet. Within the Extranet, all servers are homed to the same network and are allowed to communicate with one another, assuming appropriate rights between resources.

The servers located in the Extranet communicate back to CWOPA through Internet Protocol Security (IPSec). This table shows the approved ports and associated functions for Active Directory communication that is allowed to traverse from the Extranet to internal Active Directory servers:

Ports and Protocols Accessible from DMZ to CWOPA Internal Network

Protocol    Description
50          Encapsulating Security Payload (ESP) for IPSEC
51          Authentication Header (AH) for IPSEC

Port        Type           Description
20 and 21   TCP and UDP    FTP
25          TCP and UDP    SMTP (outbound only)
80          TCP and UDP    http
443         UDP            SSL

2.3.2 Internet Access

The external firewall (Internet-facing) manages traffic between the Internet and the Extranet. Clients accessing web sites in the Extranet are allowed to connect via the Internet once the proper credentials are supplied to the Active Directory.

Ports Accessible from Internet to Extranet DMZ Network

Port        Type           Description
53          TCP and UDP    DNS name resolution and zone transfers
88          TCP and UDP    Kerberos
389         TCP and UDP    LDAP
500         UDP            ISAKMP for IPSEC

2.3.3 Business Logic Layer (BLL)

The current design of the ESF DMZ allows only Internet services such as http, https, and other basic services like FTP and SMTP through the Internet-facing side of the DMZ. All management and database access to co-located servers is via an intranet-only routable back-end address through the Business Logic Layer (BLL).

BLL ensures that agency traffic, including management traffic such as FTP, web administration, backup, terminal services, or other remote management software, and back-end data traffic such as database traffic between the co-located server and the agency, has a secure, higher-speed path that is not available from the Internet.

To facilitate this design, a network card is added to every co-located server and configured with an intranet routable address. The default gateway is left blank for this interface, and persistent routes are added for each agency server or management station that needs BLL access.

BLL security advantages are:

- Only http, https, FTP, and SMTP access are allowed from the Internet
- Separate paths exist for public and agency data
- BLL cannot be reached directly from the Internet

BLL performance advantages are:

- Separate NICs and ingress/egress paths for front-end and back-end access provide more aggregate bandwidth via less congested facilities
- Fewer hops and higher-speed links between web farm Co-Location areas and the agencies

Because persistent routes need to be added to allow proper routing to agency systems across the BLL, front-end access from these same systems can be problematic. Traffic that is sent to the front end from such a host may be routed back across the BLL, and the return traffic is sourced from the BLL address rather than the co-located server's front-end address. When this traffic reaches the agency host originating the traffic, it is dropped as invalid.

To improve security, ESF operating policy states that front-end access to a co-located server is not supported for any system that accesses that same server via the BLL. However, we understand that in some cases agencies may not be able to discontinue such front-end access from management stations or servers.
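The asymmetric-routing failure described above can be reproduced with a small route-table model. This is an added example, not part of the ROE and not an ESF tool; the addresses (a 203.0.113.0/24 front-end DMZ, a 10.20.30.0/24 BLL segment, an agency network 10.50.0.0/16, a management station 10.50.1.20) and the host name 22CTCISP001 are hypothetical, and the agency side is reduced to the one rule that matters here: a client, or the stateful firewall in front of it, accepts a reply only if it comes from the address the client connected to.

```python
"""Route-table model of a dual-homed co-located server on the BLL.
Added example; all addresses and the host name are hypothetical."""
import ipaddress


class DualHomedHost:
    """Minimal host: interfaces plus a route table with longest-prefix match."""

    def __init__(self, name):
        self.name = name
        self.interfaces = {}   # ifname -> IPv4Interface
        self.routes = []       # (IPv4Network, next_hop or None, ifname)

    def add_interface(self, ifname, cidr):
        iface = ipaddress.ip_interface(cidr)
        self.interfaces[ifname] = iface
        # the connected subnet is reachable on-link through this interface
        self.routes.append((iface.network, None, ifname))

    def add_route(self, network, next_hop, ifname):
        """Equivalent of one persistent 'route -p add' entry on the server."""
        self.routes.append((ipaddress.ip_network(network),
                            ipaddress.ip_address(next_hop), ifname))

    def add_default_gateway(self, next_hop, ifname):
        self.add_route("0.0.0.0/0", next_hop, ifname)

    def egress(self, dst):
        """Longest-prefix match. Returns (ifname, source_ip), or None when dst is
        unroutable, which is what an interface with a blank default gateway
        yields for off-subnet destinations that have no specific route."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, _next_hop, ifname in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifname)
        if best is None:
            return None
        ifname = best[1]
        return ifname, self.interfaces[ifname].ip


def build_colocated_server():
    """Co-located server as section 2.3.3 describes it: front-end NIC carrying the
    default gateway, BLL NIC with no gateway and one persistent route to the agency."""
    host = DualHomedHost("22CTCISP001")                  # hypothetical agency-22 web server
    host.add_interface("front", "203.0.113.10/24")       # Internet-reachable DMZ address
    host.add_default_gateway("203.0.113.1", "front")
    host.add_interface("bll", "10.20.30.10/24")          # intranet-only routable address
    host.add_route("10.50.0.0/16", "10.20.30.1", "bll")  # agency network reached via the BLL
    return host


def reply_check(host, client_ip, service_ip):
    """A client at client_ip connected to service_ip on host. Returns
    (accepted, egress_ifname, reply_source). The reply is accepted only if its
    source address is the address the client connected to."""
    route = host.egress(client_ip)
    if route is None:
        return False, None, None
    ifname, src = route
    return src == ipaddress.ip_address(service_ip), ifname, str(src)


def bll_access_matrix(host):
    """The three cases from the text: Internet client on the front end, agency
    management station on the front end, agency station on the BLL address."""
    front = str(host.interfaces["front"].ip)
    bll = str(host.interfaces["bll"].ip)
    return {
        "internet->front": reply_check(host, "198.51.100.7", front),
        "agency->front": reply_check(host, "10.50.1.20", front),
        "agency->bll": reply_check(host, "10.50.1.20", bll),
    }


if __name__ == "__main__":
    for case, (ok, ifname, src) in bll_access_matrix(build_colocated_server()).items():
        verdict = "accepted" if ok else "DROPPED as invalid"
        print(f"{case:16} reply leaves via {ifname} from {src}: {verdict}")
```

The second case is the one the policy forbids: the request arrives on the front-end address, but the persistent /16 route is more specific than the default route, so the reply leaves through the BLL NIC sourced from 10.20.30.10, and the management station discards it. Adding a host route for the station back through the front-end gateway would "fix" the reply path only by re-exposing that station to the front end, which is exactly what the BLL separation is meant to avoid.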

2.4 PREREQUISITES

Applications must meet these requirements to use ESF AD in the ESF:

- The application must be integrated to run on the Windows 2003 Server family of operating systems and must be able to use integrated security (Active Directory Authentication). AMT has full administrative access over the Active Directory Forest.
- The ESF forest trusts the CWOPA (PA.LCL) domain. This trust facilitates the Single Sign-On security model whereby user accounts in CWOPA can be used to grant access to the applications in the ESF.
- If you have a non-Windows based application or other situation not identified in this document that requires Active Directory or any directory services, engage the Architectural Standards Committee at ascmember@state.pa.us to discuss business requirements, architecture, and possible solutions. See Appendix A – Schema Management Process for details.
2.5 IMPLEMENTATION DETAILS

2.5.1 ESF Active Directory Implementation Details & Schematic Diagrams

ESF implemented a single forest/multiple domain model for Active Directory. An empty root called ROOT.STATE.PA.US resides within the forest. This domain houses the Enterprise Admins role, Schema Admins role, and forest-wide FSMO roles. Applications reside in APPS.STATE.PA.US, and user accounts are divided among two domains: USER.APPS.STATE.PA.US (USER) and MUSER.APPS.STATE.PA.US (MUSER).

USER houses non-managed users or self-registered users, similar to a typical portal user with customized content like PA PowerPort. USER domain security is commensurate with requirements for Internet applications. MUSER houses managed users, constituents, and vendors that must access line-of-business applications or other applications where authorization and security are critical. The sponsoring agency performs user, group, and authorization management similar to the way CWOPA is managed.

This diagram shows a high-level view of the CWOPA and ESF Active Directory namespace as defined in the functional specification.

2.5.2 Location and Role of Domain Controllers

Click this link to get the most up-to-date information about the domain controllers within this environment: http://www.oaesf.state.pa.us/sites/esf/Services
ESF Active Directory Organizational Units (OUs)

This diagram shows the Organizational Units (OUs) for the ESF Active Directory namespace as defined in the functional specification. Applications reside in APPS.STATE.PA.US (APPS) and user accounts reside in USER.APPS.STATE.PA.US (USER) and MUSER.APPS.STATE.PA.US (MUSER).

2.5.3 APPS Domain

AMT controls and manages the APPS domain and defines and maintains all levels of OU structure. AMT recommendations for OUs in the APPS domain are:

- OU depth should not exceed four levels
- The top-level OU is the Agency OU and consists of the agency's 2-digit code
- The second level consists of the server OU and service account OU
- Lower-level OU recommendations are:
  - 6 characters maximum length; optional if it applies to the agency's IT administration model
  - Groups may be placed in all OUs starting from the Agency OU

OUs are locked down by default, with changes initiated through the initial deployment process or a service request (Remedy ticket). Currently, delegated permissions over OUs within the APPS domain are not supported. Machine accounts are ONLY created by AMT through the initial deployment process or a service request.

Delegated permission to the APPS domain is restricted to maintain stability and security for all agencies and applications. ESF personnel handle all change requests including, but not limited to, server creation/deletion, service account setup, and group policy placement. (GPO creation and management are discussed in depth in a later section.)

2.5.4 USER Domain and MUSER Domain

All self-registered users are housed in the PALogin OU for the USER domain. AMT defines and maintains the top three levels of the MUSER OU structure.

AMT recommendations for OUs in the MUSER domain are:

- OU depth should not exceed four levels
- The top-level OU is the Agency OU and consists of the agency's 2-digit code
- The second level consists of the application name and user containers
- AMT creates OUs below the application name, but the agency administers them
- Lower-level OU recommendations are:
  - 6 characters maximum length if it applies to the agency's IT administration model
  - Groups may be placed in all OUs starting from the Agency OU

AMT gives agencies delegated permissions over their OUs. An agency can administer only that portion of the directory that pertains to them (their own OU). Since the MUSER.APPS.STATE.PA.US domain enforces tighter security policies, ESF Tools is the only supported means of maintaining user accounts in the MUSER domain. Submit a request for ESF personnel to configure ESF Tools access for the agency application.

Within the MUSER.APPS.STATE.PA.US domain:

- Agency Administrators can create, delete, or modify user and group objects and apply OU group policies to users. The agency provides the policy and ESF provides installation assistance.
- Authorized MUSER OUAdmins can use the ESF Tools website (https://www.esftools.state.pa.us/) to create, modify, and delete users within the agency's OU; create Commonwealth employee accounts and vendor accounts; reset passwords; and unlock accounts. However, the ESF Tools cannot change incorrectly-entered employee IDs.
- OUAdmins can also use the Active Directory Users and Computers Management Console Snap-in to perform various tasks.

OUAdmins can perform these roles with the ESF Tools and the Active Directory Users and Computers Management Console Snap-in:

Role                                                        ESF Tools   AD Users and Computers
Delegate OU-App-OUADMIN membership                          X
Enable/disable an account                                   X           X
Create/delete/modify groups                                             X
Create/delete/modify users                                  X
Modify all properties of a user (reset password, group      X           X
membership, and all other properties except Employee ID,
SamAccountName, and FullName (CN))
3 Active Directory Rules of Engagement

3.1 RULES OF ENGAGEMENT OVERVIEW

This section discusses ESF Standards and aspects of service provided for the Active Directory.

3.2 NAMING CONVENTIONS

Naming conventions provide a standard approach to naming different objects within Active Directory and help to troubleshoot and locate objects. All objects also need a detailed description of use. A description field is available for all User, InetOrgPerson, Computer, Group, OU and Container objects within Active Directory. Naming conventions are as follows.

3.2.1 Server Names

When a server name is based on location, browsing or searching by the first part of the server name returns all servers from all agencies (for example, searching on BG returns all BG servers from all agencies). Since multiple agencies exist in the same location, use the two-digit agency code at the front of the server name to locate an agency's servers, rather than the location name.

As all new servers are built, the recommended naming standard is AALLLFFEXXX, where:

AA    Agency code
LLL   Location code; for example: CTC Commonwealth Technology Center, WLO Willow Oak, CAM Cameron Street
FF    Function code; for example: BT BizTalk, EX Exchange Server, IS Web Server, SQ SQL Server, AP Application
E     Environment; for example: T Test lab, S Staging, D Development, P Production, R Disaster Recovery
XXX   Unique number that increments based on use

The recommended cluster naming standard is <Server name>SC<E><XXX>, where:

SC    Server Cluster
E     Environment; for example: T Test lab, S Staging, D Development, P Production, R Disaster Recovery
XXX   Unique number; for example: 001 (should be the same as the server's name)

If the application is hosted and managed by ESF, the predefined two-digit code is EN for Enterprise.

3.2.2 Service Accounts

As an agency has more applications hosted in the Application AD, more service accounts must be used for applications. The recommended naming standard is AASRFFEXXX, where:

AA    Agency code
SR    Service account (fixed literal)
FF    Function code; for example: BT BizTalk, EX Exchange Server, IS Web Server, SQ SQL Server, AP Application
E     Environment; for example: T Test lab, S Staging, D Development, P Production
XXX   Unique number that increments based on use

If the application is hosted and managed by ESF, the predefined two-digit code is EN for Enterprise.

    ES ACTIE ?IRECT.RY RU/ES . ENGAGEMENT %AGE 14 . 25


3.2.3 User Accounts

The Enterprise Server team performs an initial bulk creation of user accounts based on an Excel spreadsheet that the agency provides. Follow this naming standard for these accounts:

A user name has three parts: a first name, a last name, and a middle initial. Use these parts to construct a user account name, where the variables are FirstName, LastName and MiddleName, and a numeric prefix (n) on a variable represents the leftmost n characters of that variable. For example, (5)Godzilla is equal to Godzi. If a particular user account name already exists, follow this list until a unique user name is found:

1 - (1)FirstName
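The following PowerShell is an added example; it is not part of the ESF Rules of Engagement or of the ESF Tools. It checks candidate names against the server and service-account standards above (AALLLFFEXXX and AASRFFEXXX) using only the example codes the standard lists, and it implements the leftmost-n operator of the user-name standard. Because the ROE's fallback list for duplicate user names is cut off on this page, the candidate order in the sample call is an assumption supplied by the caller, and all sample names are made up.

```powershell
# Added example, not from the ESF Rules of Engagement: validate names against the
# AALLLFFEXXX (server) and AASRFFEXXX (service account) standards and apply the
# user-name construction rule. The code tables contain only the examples the
# standard gives; other agency, location and function codes are assumptions.

$EsfLocationCodes = @{ CTC = 'Commonwealth Technology Center'; WLO = 'Willow Oak'; CAM = 'Cameron Street' }
$EsfFunctionCodes = @{ BT = 'BizTalk'; EX = 'Exchange Server'; IS = 'Web Server'; SQ = 'SQL Server'; AP = 'Application' }
$EsfEnvironments  = @{ T = 'Test lab'; S = 'Staging'; D = 'Development'; P = 'Production'; R = 'Disaster Recovery' }

function Test-EsfName {
    # Returns the decoded parts of a name plus Valid/Reason. Unknown codes are
    # reported rather than rejected outright so a reviewer can extend the tables.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Server', 'ServiceAccount')][string]$Kind
    )
    $pattern = if ($Kind -eq 'Server') {
        '^(?<Agency>[A-Z]{2})(?<Location>[A-Z]{3})(?<Function>[A-Z]{2})(?<Env>[TSDPR])(?<Seq>\d{3})$'
    } else {
        '^(?<Agency>[A-Z]{2})SR(?<Function>[A-Z]{2})(?<Env>[TSDP])(?<Seq>\d{3})$'   # no R environment for service accounts
    }
    if (-not ($Name.ToUpper() -match $pattern)) {
        return [pscustomobject]@{ Name = $Name; Kind = $Kind; Valid = $false; Reason = "does not match the $Kind standard" }
    }
    $m = $Matches
    $problems = @()
    if ($Kind -eq 'Server' -and -not $EsfLocationCodes.ContainsKey($m.Location)) { $problems += "unknown location code $($m.Location)" }
    if (-not $EsfFunctionCodes.ContainsKey($m.Function)) { $problems += "unknown function code $($m.Function)" }
    [pscustomobject]@{
        Name        = $Name
        Kind        = $Kind
        Valid       = ($problems.Count -eq 0)
        Reason      = ($problems -join '; ')
        Agency      = $m.Agency
        EsfHosted   = ($m.Agency -eq 'EN')   # EN = hosted and managed by ESF
        Location    = $m.Location           # absent for service accounts
        Function    = $EsfFunctionCodes[$m.Function]
        Environment = $EsfEnvironments[$m.Env]
        Sequence    = [int]$m.Seq
    }
}

function Get-LeftChars {
    # The (n)Variable operator of the user-name standard: leftmost n characters,
    # or the whole value when it is shorter. (5)Godzilla -> Godzi
    param([string]$Value, [int]$Count)
    if ($Value.Length -le $Count) { return $Value }
    $Value.Substring(0, $Count)
}

function New-EsfUserName {
    # Tries an ordered list of candidate templates and returns the first name not
    # already in use. The ROE's own fallback list is cut off on this page, so the
    # order passed in -Candidates is the caller's assumption, not the standard's.
    param(
        [string]$FirstName, [string]$LastName, [string]$MiddleName,
        [string[]]$Existing,
        [scriptblock[]]$Candidates
    )
    foreach ($template in $Candidates) {
        $candidate = (& $template $FirstName $LastName $MiddleName).ToLower()
        if ($Existing -notcontains $candidate) { return $candidate }
    }
    throw "no unique user name found for $FirstName $MiddleName $LastName"
}

# Constructed sample input: made-up names, and an assumed candidate order
$sampleNames = 'ENCTCISP001', 'ENSRSQP003', 'XYHBGAPP001', 'CTCWEB01'
$sampleNames | ForEach-Object {
    $kind = if ($_ -match '^..SR') { 'ServiceAccount' } else { 'Server' }
    Test-EsfName -Name $_ -Kind $kind
} | Format-Table Name, Kind, Valid, Reason, Agency, Function, Environment -AutoSize
# ENCTCISP001 valid; ENSRSQP003 valid; XYHBGAPP001 invalid (unknown location code HBG); CTCWEB01 invalid (pattern)

$order = @(
    { param($f, $l, $m) (Get-LeftChars $f 1) + $l },                         # (1)FirstName + LastName
    { param($f, $l, $m) (Get-LeftChars $f 1) + (Get-LeftChars $m 1) + $l },  # add the middle initial
    { param($f, $l, $m) (Get-LeftChars $f 2) + $l }                          # (2)FirstName + LastName
)
New-EsfUserName -FirstName 'John' -LastName 'Smith' -MiddleName 'Adam' -Existing @('jsmith', 'jasmith') -Candidates $order
# -> josmith
```

The validator deliberately separates "does not match the pattern" from "matches but uses a code not in the table", since the second case is usually a new site or function that the tables need to learn, not a misnamed server.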


infrastructure. Directory-enabled applications should reside in Co-Location or Managed Services for optimal directory accessibility and performance.

Certain server or service configurations, such as IPSEC, are required for all communication with the domain. Contact your AAM for details.

Figure: Applications Residing in ESF Co-Location

3.3.3 Applications Residing in Agency Location

Some agencies choose to house all of their servers in a location outside the physical and logical locale of the ESF. Agencies that need to leverage the enterprise architecture and have identified requirements to use the ESF Active Directory can use the ESF AD services across the network. This configuration requires careful planning and analysis to avoid unexpected problems. Agencies in this situation should contact their AAM immediately for further assistance.

Another Active Directory option for remote use of directory services is to distribute a domain controller to a remote site (a decentralized domain controller). The ESF AD is deployed and optimized for a high-volume hosting environment and therefore requires architectural changes to accommodate a distributed architecture. Accommodating this requirement involves multiple design and facility considerations that an agency may or may not be able to fulfill. Some factors that affect the decision for decentralized domain controllers are:

- ESF AD design considerations for remote placement of domain controllers, such as site topology/GC placement, replication latency, and secure network transmission
- ESF or agency access to physical remote domain controllers adds cost and risk to managing and securing the forest (a domain controller holds a writable copy of the directory database, so whoever has physical access to it effectively has the forest)
- Post-deployment management and monitoring of ESF changes to domain controllers involves added complexity and cost
- ESF must actively manage the real available bandwidth, or bandwidth guarantees, from the agency to ESF for Active Directory operations


This list demonstrates why decentralized domain controllers are the least preferred method and not a currently supported solution. However, the ESF is committed to addressing the emerging business needs of the Commonwealth.

If your agency requires a distributed domain controller or remote use of the ESF Active Directory, contact your AAM to request a consultation. Please include the nature of your request and all relevant information.

Figure: Applications Residing in Agency Location


3.4 ESF GROUP POLICY OBJECTS (GPOS)

ESF implements domain policies that include password, machine account, and user account policies. The agency maintains and applies group policy at the OU level in Co-Location. The current ESF domain policy for MUSER.APPS.STATE.PA.US is:

Policy | Default Setting | ESF Setting | Configuration

Password Policy
Enforce password history | 1 | 6 | 24 is the maximum value
Maximum password age | 42 | 60 |
Minimum password age | 0 | 2 |
Minimum password length | 0 | 7 |
Password must meet complexity requirements | Disabled | Enabled |
Store password using reversible encryption | Disabled | Disabled |

Account Lockout Policy
Account lockout duration | Disabled | | Account is locked out until an Administrator unlocks it. Not applied to the APPS domain
Account lockout threshold | Disabled | 5 | Account locked out after 5 failed attempts
Reset account lockout counter after | Disabled | 720 | Failed attempts reset after 12 hours

Audit Policy
Audit account logon events | No auditing | Success, Failure |
Audit account management | No auditing | Success, Failure |
Audit directory service access | No auditing | No auditing |
Audit logon events | No auditing | Success, Failure |
Audit object access | No auditing | Failure |
Audit policy change | No auditing | Success, Failure |
Audit privilege use | No auditing | Failure |
Audit process tracking | No auditing | No auditing |
Audit system events | No auditing | Failure |

Security Options
Allow system to be shut down without having to log on | | Disabled |
Restrict CD-ROM access to locally logged-on user only | | Enabled | File servers may need to share a CD-ROM
Restrict floppy access to locally logged-on user only | | Enabled |
Smart card removal behavior | No action | Force logoff |

Event Log Policy
Maximum application log size | 512 kilobytes | 5056 kilobytes |
Maximum security log size | 512 kilobytes | 10240 kilobytes |
Maximum system log size | 512 kilobytes | 5056 kilobytes |


Prevent Local Guests group from accessing application log | Disabled | Enabled |
Prevent Local Guests group from accessing security log | Disabled | Enabled |
Prevent Local Guests group from accessing system log | Disabled | Enabled |
Retain application log | | Not defined |
Retain security log | | Not defined |
Retain system log | | Not defined |
Retention method for application log | | As needed |
Retention method for security log | | As needed |
Retention method for system log | | As needed |
Event Log ACL | Not configured | Enabled | Configure the registry so that only domain administrators can clear event logs

System Services (startup type)
Alerter | Automatic
Computer Browser | Automatic
DHCP Client | Automatic
Distributed File System | Automatic
Distributed Link Tracking Client | Automatic
Distributed Transaction Coordinator | Automatic
DNS Client | Automatic
Event Log | Automatic
IPSEC Services | Automatic
License Logging | Automatic
Logical Disk Manager | Automatic
Messenger | Automatic
Net Logon | Automatic
Plug and Play | Automatic
Print Spooler | Automatic
Protected Storage | Automatic
Remote Procedure Call (RPC) | Automatic
Remote Registry | Automatic
Removable Storage | Automatic
Secondary Logon | Automatic
Security Accounts Manager | Automatic
Server | Automatic
Smtpsvc | Automatic
System Event Notification | Automatic


Task Scheduler | Automatic
TCP/IP NetBIOS Helper | Automatic
Windows Time | Automatic
Workstation | Automatic
Application Management | Manual
ClipBook | Manual
Network DDE | Manual
Network DDE DSDM | Manual
Remote Access Connection Manager | Manual
Rsvp | Manual

File System Policy
Winnt and all subfolders | Administrators: Full Control; SYSTEM: Full Control; CREATOR/OWNER: Full Control; Domain Users: Read
Winnt\Repair | Administrators: Full Control
Winnt\System32\config | Administrators: Full Control; SYSTEM: Full Control; CREATOR/OWNER: Full Control; Domain Users: List
Winnt\System32\spool | Administrators: Full Control; SYSTEM: Full Control; CREATOR/OWNER: Full Control; Power Users (w/s only): Full Control; Domain Users: Read
[log partition] | Administrators: Full Control; SYSTEM: Full Control; CREATOR/OWNER: Full Control; Everyone: None

Control Panel
Hide Screen Saver tab | Not configured | Not configured | Users should not be able to change the screen saver
Screen saver executable name | Not configured | Not configured | 32-bit logon screen saver
Password protect the screen saver | Not configured | Not configured | Password protection needed
Screen saver timeout | Not configured | Not configured |

Terminal Services
Set time limit for disconnected sessions | Not configured | Enabled | End a disconnected session: 1 day
Set time limit for active but idle Terminal Services sessions | Not configured | Enabled | Idle session limit: 1 day


Terminate session when time limits are reached | Not configured | Enabled |
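An added example, not from the ROE: a PowerShell check that reads a policy export in the secedit INF format and reports every password, lockout and audit setting that differs from the ESF values in the table above. The INF text in the block is a constructed sample showing Windows defaults, so every ESF setting shows as drift. The $EsfBaseline values are taken from the table, except LockoutDuration, where 0 is how Windows encodes the table's note that the account stays locked until an administrator unlocks it.

```powershell
# Added example, not from the ESF Rules of Engagement: compare an exported
# security policy with the ESF domain-policy table. The INF below is a
# constructed sample in the format `secedit /export /cfg <file>` writes.

# ESF settings from the table, keyed by the secedit INF names.
# Audit values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
$EsfBaseline = [ordered]@{
    PasswordHistorySize   = 6
    MaximumPasswordAge    = 60
    MinimumPasswordAge    = 2
    MinimumPasswordLength = 7
    PasswordComplexity    = 1
    ClearTextPassword     = 0      # "store password using reversible encryption" disabled
    LockoutBadCount       = 5      # lockout settings are not applied to the APPS domain
    LockoutDuration       = 0      # 0 = locked until an administrator unlocks (Windows encoding of the table's note)
    ResetLockoutCount     = 720    # minutes, i.e. 12 hours
    AuditAccountLogon     = 3
    AuditAccountManage    = 3
    AuditDSAccess         = 0
    AuditLogonEvents      = 3
    AuditObjectAccess     = 2
    AuditPolicyChange     = 3
    AuditPrivilegeUse     = 2
    AuditProcessTracking  = 0
    AuditSystemEvents     = 2
}

function ConvertFrom-SeceditInf {
    # Parses the [System Access] and [Event Audit] sections of a secedit INF
    # into one hashtable of setting name -> integer.
    param([Parameter(Mandatory)][string]$InfText)
    $values = @{}
    $section = ''
    foreach ($line in $InfText -split "`r?`n") {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -notin 'System Access', 'Event Audit') { continue }
        if ($line -match '^(\w+)\s*=\s*(-?\d+)') { $values[$Matches[1]] = [int]$Matches[2] }
    }
    $values
}

function Compare-EsfDomainPolicy {
    # One object per baseline setting; Drift is $true when the exported value is
    # missing or differs from the ESF setting.
    param([Parameter(Mandatory)][string]$InfText)
    $actual = ConvertFrom-SeceditInf -InfText $InfText
    foreach ($name in $EsfBaseline.Keys) {
        $have = if ($actual.ContainsKey($name)) { $actual[$name] } else { $null }
        [pscustomobject]@{
            Setting  = $name
            Expected = $EsfBaseline[$name]
            Actual   = $have
            Drift    = ($have -ne $EsfBaseline[$name])
        }
    }
}

# Constructed sample export (Windows Server 2003 defaults). A real export omits
# LockoutDuration and ResetLockoutCount while LockoutBadCount is 0.
$sampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
Minim umPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 1
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
'@

Compare-EsfDomainPolicy -InfText $sampleInf | Where-Object Drift | Format-Table -AutoSize
# Live check on a domain controller:
#   secedit /export /cfg C:\Temp\policy.inf
#   Compare-EsfDomainPolicy -InfText (Get-Content C:\Temp\policy.inf -Raw) | Where-Object Drift
```

On the APPS domain the three lockout keys are expected to drift, since the table says lockout is intentionally not applied there; everything else reported as drift is a policy change that should be traced back to an approved request.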

3.5 ROLES AND RESPONSIBILITIES

This table outlines the administrative and management task responsibilities for ESF, the Customer, and AMT and Customer combined. AMT has completed most of its responsibilities in setting up Active Directory.

Role/Responsibility | ESF Responsibility | Customer Responsibility

Domain Management
FSMO | X |
Replication | X |
Domain Policy | X |
Password Policy | X |
Schema Management | X |
Group Policy (Common) | X |

Domain Controllers
Maintain operating system | X |
Apply service packs/security rollup packages/patches | X |
Apply security templates | X |
Disaster recovery | X |
Deploy/Install DCs | X |

OU Management
Create top level (Agency) OU | X |
Permissions on top level | X |
Create Secondary/Tertiary | | X
Permissions on second and third level OUs | | X
Create group policies | X | X (OU only, for agencies in Co-Location)

User Management
Create users | | X
Create groups | | X
Modify users | | X
Modify groups | | X
Delete users | | X
Delete groups | | X
Create machine accounts | | X
Delete machine accounts | | X


3.6 MONITORING

Since Active Directory is such a critical component of the ESF infrastructure and of the applications running in this environment, monitoring and managing Active Directory is essential to ensure the availability and performance of agency business applications.

ESF operations deliver an enterprise-class solution for operations management and monitoring of Windows servers, Windows infrastructure including Active Directory, and .NET Enterprise Servers such as SQL Server.

ESF manages critical functions to ensure that Active Directory services are operational and performing at a high degree of reliability. The Active Directory health indicators that ESF considers critical are:

- Ability for users to log on quickly to access network resources
- Quick response to LDAP queries
- Consistent data on all domain controllers
- Replication occurs within expected timeframes
- Quick response to correcting outages
- All role masters up and running
- Stable CPU usage on domain controllers
- Reduced WAN traffic

To monitor these AD critical functions, MOM (Microsoft Operations Manager) uses these indicators to ensure ESF AD health:

- No errors or warnings in relevant logs such as AD, FRS, LSASS, and many more
- Replication latency
- CPU utilization
- Free space
- Disk queue length
- LDAP ping/query time
- Cache hit rate
- Role holder priorities
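An added example, not part of the ROE or of the MOM configuration it describes: PowerShell checks for three of the indicators above (replication within the expected timeframe, LDAP query time, and the location of the role masters). The repadmin CSV in the block is constructed sample output with made-up domain controller names and partitions; the 180-minute threshold is an assumption to be tuned per site link; Measure-LdapResponse and Get-EsfRoleHolders need a live connection to the domain and are not exercised by the sample.

```powershell
# Added example, not from the ESF Rules of Engagement: replication, LDAP response
# and FSMO checks matching three of the health indicators. Sample data is constructed.

function Test-ReplicationHealth {
    # Parses `repadmin /showrepl * /csv` output and flags each partner link that
    # has recorded failures or whose last success is older than the threshold.
    param(
        [Parameter(Mandatory)][string]$CsvText,
        [int]$MaxAgeMinutes = 180,          # assumed "expected timeframe"; tune per site link
        [datetime]$Now = (Get-Date)
    )
    foreach ($row in (($CsvText -split "`r?`n") | ConvertFrom-Csv)) {
        $failures = [int]$row.'Number of Failures'
        $lastOk = $null
        if ($row.'Last Success Time' -ne '0') {
            $lastOk = [datetime]::ParseExact($row.'Last Success Time', 'yyyy-MM-dd HH:mm:ss',
                                             [Globalization.CultureInfo]::InvariantCulture)
        }
        $ageMinutes = if ($lastOk) { [int]($Now - $lastOk).TotalMinutes } else { $null }
        $state = 'OK'
        if ($failures -gt 0) { $state = 'FAILING' }
        elseif ($null -eq $ageMinutes -or $ageMinutes -gt $MaxAgeMinutes) { $state = 'STALE' }
        [pscustomobject]@{
            Destination = $row.'Destination DSA'
            Source      = $row.'Source DSA'
            Partition   = $row.'Naming Context'
            Failures    = $failures
            AgeMinutes  = $ageMinutes
            LastStatus  = $row.'Last Failure Status'   # Win32 error code, 0 = none
            State       = $state
        }
    }
}

function Measure-LdapResponse {
    # Times a bind to RootDSE (a cheap query every DC answers) over several
    # samples and returns the average and worst case in milliseconds.
    param([string]$Path = 'LDAP://RootDSE', [int]$Samples = 5)
    $times = foreach ($i in 1..$Samples) {
        $sw = [Diagnostics.Stopwatch]::StartNew()
        $entry = New-Object System.DirectoryServices.DirectoryEntry($Path)
        $null = $entry.Properties['currentTime'].Value    # forces the bind and the read
        $entry.Dispose()
        $sw.ElapsedMilliseconds
    }
    [pscustomobject]@{
        Path  = $Path
        AvgMs = ($times | Measure-Object -Average).Average
        MaxMs = ($times | Measure-Object -Maximum).Maximum
    }
}

function Get-EsfRoleHolders {
    # Reads fSMORoleOwner from the five objects that carry it; each value is the
    # NTDS Settings DN of the role master, which names the DC to check.
    $root = [ADSI]'LDAP://RootDSE'
    $dom = [string]$root.defaultNamingContext
    $cfg = [string]$root.configurationNamingContext
    $sch = [string]$root.schemaNamingContext
    [ordered]@{
        PDC            = [string]([ADSI]"LDAP://$dom").fSMORoleOwner
        RID            = [string]([ADSI]"LDAP://CN=RID Manager`$,CN=System,$dom").fSMORoleOwner
        Infrastructure = [string]([ADSI]"LDAP://CN=Infrastructure,$dom").fSMORoleOwner
        Schema         = [string]([ADSI]"LDAP://$sch").fSMORoleOwner
        DomainNaming   = [string]([ADSI]"LDAP://CN=Partitions,$cfg").fSMORoleOwner
    }
}

# Constructed `repadmin /showrepl * /csv` output: made-up DCs, sites and partition names
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA site,Destination DSA,Naming Context,Source DSA site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,CTC,ENCTCDCP001,"DC=example,DC=state,DC=pa,DC=us",CTC,ENCTCDCP002,RPC,0,0,2011-03-04 09:55:10,0
showrepl_INFO,CTC,ENCTCDCP001,"DC=example,DC=state,DC=pa,DC=us",WLO,ENWLODCP001,RPC,3,2011-03-04 09:40:02,2011-03-03 22:10:44,1722
showrepl_INFO,WLO,ENWLODCP001,"CN=Configuration,DC=example,DC=state,DC=pa,DC=us",CTC,ENCTCDCP001,RPC,0,0,2011-03-04 02:00:00,0
'@
$asOf = [datetime]'2011-03-04 10:00:00'
Test-ReplicationHealth -CsvText $sampleCsv -Now $asOf | Format-Table -AutoSize
# -> link from ENCTCDCP002: OK (5 min); link from ENWLODCP001: FAILING (3 failures,
#    status 1722 = RPC server unavailable); configuration partition on ENWLODCP001: STALE (480 min)
```

A FAILING link with status 1722 is the signature of a DC that is unreachable over RPC, which in the decentralized-DC scenario of section 3.3.3 is exactly the bandwidth and transport risk the ROE warns about; STALE with no failures usually means the link is healthy but the partition simply has had no changes, so confirm with a forced sync before escalating.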

3.7 SECURITY

3.7.1 Windows 2


3.7.2 Windows Methods of Authentication

The Windows methods of authentication available through IIS are:

Method | Description
Anonymous | All users authenticate as the IUSR_machinename account. Use only for unrestricted parts of the site.
Basic | Basic authentication requests a user name and password for verification, but the credentials are transmitted to the server Base64-encoded, which is equivalent to clear text: anyone who can intercept the packets can decode them and steal the credentials. Use Basic authentication only inside a Secure Sockets Layer (SSL) session, which provides a protected channel for the transfer of sensitive information.
Digest | Digest authentication requests a user name and password before allowing access to the restricted areas of a site. Unlike Basic authentication it does not send the password; the client sends a hash computed over the credentials and a server-supplied nonce. Hashing is not encryption, and an interceptor can still replay the response until the nonce expires, so the exchange still belongs inside SSL on sites that handle sensitive data.
Integrated | In Integrated Windows authentication the user's NT domain or Active Directory account is used for authentication, and the password never crosses the wire (NTLM challenge/response or Kerberos tickets), which makes it ideal for intranet solutions. It protects the credential, not the content: the data transmitted after authentication is not encrypted, so use SSL for that.
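As an added example, not from the ROE: a PowerShell function that reads a captured HTTP request and reports what each scheme in the table above exposes to someone who can intercept the packets. The request, host name and credentials in it are constructed for the example.

```powershell
# Added example, not from the ESF Rules of Engagement: what an interceptor learns
# from the Authorization header of each IIS authentication method.

function Get-HttpAuthExposure {
    param(
        [Parameter(Mandatory)][string[]]$RequestLines,
        [bool]$OverTls = $false   # was the capture taken inside an SSL/TLS session?
    )
    $header = $RequestLines | Where-Object { $_ -like 'Authorization:*' } | Select-Object -First 1
    if (-not $header) {
        return [pscustomobject]@{ Scheme = 'Anonymous'; Exposed = 'nothing'
                                  Note = 'no Authorization header; IIS maps the request to IUSR_machinename' }
    }
    $null = $header -match '^Authorization:\s*(?<Scheme>\S+)\s*(?<Value>.*)$'
    $scheme = $Matches.Scheme
    $value  = $Matches.Value.Trim()
    switch ($scheme) {
        'Basic' {
            # Base64 is an encoding, not encryption: the pair is recoverable by anyone on the path
            $pair = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($value))
            $exposed = if ($OverTls) { 'nothing (inside TLS)' } else { "user:password = $pair" }
            [pscustomobject]@{ Scheme = 'Basic'; Exposed = $exposed; Note = 'require SSL/TLS before enabling Basic' }
        }
        'Digest' {
            $user = if ($value -match 'username="([^"]+)"') { $Matches[1] } else { '?' }
            [pscustomobject]@{ Scheme = 'Digest'; Exposed = "user name $user and a nonce-bound hash, not the password"
                               Note = 'the hash is not encryption; it can be replayed until the nonce expires' }
        }
        { $_ -in 'NTLM', 'Negotiate' } {
            [pscustomobject]@{ Scheme = "Integrated ($scheme)"; Exposed = 'challenge/response or Kerberos ticket, never the password'
                               Note = 'does not encrypt the HTTP body; use SSL/TLS for sensitive content' }
        }
        default { [pscustomobject]@{ Scheme = $scheme; Exposed = 'unknown scheme'; Note = 'inspect manually' } }
    }
}

# Constructed capture with made-up host and credentials
$basicCapture = @(
    'GET /restricted/report.aspx HTTP/1.1',
    'Host: www.example.state.pa.us',
    'Authorization: Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes('pa\jsmith:Winter2011'))
)
Get-HttpAuthExposure -RequestLines $basicCapture                 # Exposed: user:password = pa\jsmith:Winter2011
Get-HttpAuthExposure -RequestLines $basicCapture -OverTls $true  # Exposed: nothing (inside TLS)
```

The same function run over a Digest or NTLM capture shows the user name but not the password, which is the practical difference the table is describing; none of the schemes protects the page content itself, which is why SSL is still the recommendation for sensitive sites in every case.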

3.7.3 Certificate Authentication

Certificate authentication uses a certificate (and its associated private key) stored on the client computer to verify the user's identity. The certificate is automatically presented for authentication when a restricted resource is requested. If a certificate is not present and the site does not require one, the request falls through to the site's other configured methods, which for an unrestricted site means the anonymous guest account; restricted resources should therefore be configured to require a client certificate. Certificates can be mapped to a single NT domain or Active Directory account (many-to-one mapping), or each certificate can be mapped to a separate account (one-to-one mapping).

3.7.4 Forms Authentication

Forms authentication uses a custom web page to request a user's logon credentials for restricted areas of a web site. The logon form does not perform user verification; it is solely for collecting authentication details. Custom code validates the user's credentials against a data store for authentication. After the user has been authenticated, a token is returned. The token verifies the user for each subsequent access to a restricted part of the web site.

Use cookies or a custom mechanism such as a unique identifier in the URL query string or a hidden field to identify users after they have logged on. A token carried in the query string is written to web-server and proxy logs and leaks through the Referer header, so a cookie marked Secure (and HttpOnly) is the safer carrier; in either case the token must be unguessable and must expire with the session.

3.7.5 Recommended Authentication Methods

We recommend these authentication methods:

Method | Description
Intranet sites | We recommend Integrated Windows authentication if the web site meets these criteria: all users have an NT domain or Active Directory account; access is exclusively through Internet Explorer; no unrestricted areas exist.
Extranet sites | Any one of three forms of authentication is suitable if the web site meets these criteria: users are from both internal and external sources; some unrestricted areas exist. Suitable authentication methods are Basic authentication, Certificate authentication and Forms authentication. Certificate authentication provides seamless authentication by mapping certificates to NT domain or Active Directory accounts, and is a very secure solution for sensitive data stored on the web site. Use forms authentication if you do not want to create NT domain or Active Directory accounts for your external users. We also prefer forms authentication if the cost of managing certificates outweighs the added security value. Basic authentication requests a user name and password for verification; SSL provides a secure communication channel for the transfer of sensitive information and must be used with it.


After a user is authenticated, verify access rights for the requested resource. If the resource is a file system resource such as a template file, check the ACL. If the user is:

- Listed in the ACL and has sufficient privileges to perform the requested function, grant access.
- Not listed in the ACL or does not have sufficient access privileges, deny access to the resource.

3.7.6 Application Security

PALogin Application

External constituents must have a PALogin account to have access and single sign-on to all ESF web sites. Accounts that use PALogin to log in to the state web sites are housed within the USER.APPS.STATE.PA.US domain. This domain does not have any account restrictions such as lockout, minimum password length, or password strength. The constituents manage these accounts (for example, changing a password). These Internet user accounts do not have any access to the internal PA.LCL environment.


Active Directory and Application Development Resources

This appendix summarizes important references to Active Directory concepts and components.

4.1 ACTIVE DIRECTORY RESOURCES

Designing and Deploying Directory and Security Services: http://technet2.microsoft.com/windowsserver/en/library/d2ff115-1712-48e4-acdc-8cae1b5


4.2 APPLICATION DEVELOPMENT RESOURCES

Active Directory provides rich support for locating and working with AD objects. Review these links to documents, sites, and sample code that help with the deployment, administration, and development of applications built upon Active Directory, Active Directory Service Interfaces (ADSI), and Directory Services.

Active Directory Schema: http://msdn2.microsoft.com/en-us/library/ms674


Appendix A - Schema Management Process

The ESF works closely with and participates in the Architectural Standards Committee (ASC). The ASC works with agencies to understand evolving business requirements and helps to leverage, protect, and extend the existing Commonwealth infrastructure. This document describes Active Directory as it exists today in ESF. The AD product, and AD in the Commonwealth (CWOPA), is vastly more complex and encompassing.

When you think about the schema, remember:

- Schema changes are global. An entire forest has a single schema that is globally replicated. A copy of the schema exists on every domain controller in the forest. When you extend the schema, you do so for the entire forest.
- Schema additions are not reversible. When a new class or attribute is added to the schema, it cannot be removed. An existing attribute or class can be disabled but not removed. See Disabling Existing Classes and Attributes at http://msdn2.microsoft.com/en-us/library/ms675