High Level Active Directory Design - Logical Level

[Figure: project milestone roadmap]
  Milestone 1  - Business Requirements Document
  Milestone 2A - Active Directory Design Process Document
  Milestone 2B - High Level Active Directory Design Document for Transport and Main Roads
  Milestone 3  - Proof of Concept Design
  Milestone 4A - Generic Design and Migration Process Document
  Milestone 4B - Project Closure Report
  Milestone 4C - Case Study

Design & Proof of Concept for AD & ILM

Milestone 4A – Generic Design and Migration
Process Template



 Date       Name             Position                                Action required (Review/Endorse/Approve)    Due date
 30/11/09   Simon Frappell   Infrastructure Consultant               Internal review                             01/12/09
 04/12/09   Simon Frappell   Infrastructure Consultant               Submitted for SWoG Review                   09/12/09
 15/12/09   Roland Baier     Program Director, Foundation Services   Submitted for steering committee approval   15/12/09




Prepared by                Simon Frappell
Branch/District            Foundation Services Program
Division/Region            Business Solutions Delivery
Location                   477 Boundary Street, Spring Hill
Version no.                1.0
Version date               11 December 2009
Status                     Final

Design and Proof of Concept for AD & ILM
Supported by the Queensland Government Microsoft Services Provision Fund




Document control sheet

Contact for enquiries and proposed changes
If you have any questions regarding this document or would like to suggest an improvement,
please contact:
Project Manager                          Roland Baier
Phone                                    0423 460 289

Version history

 Version no.   Date       Changed by                       Nature of amendment
 0.01          23/07/09   Simon Frappell
 0.02          04/12/09   Simon Frappell                   Updated after Internal Review
 0.03          10/12/09   Simon Frappell                   Minor updates through the document; update from Tracker v0.1
                                                           provided by SWoG members
 1.0           11/12/09   Janine Threlfo & Roland Baier    Final quality review.




Department of Transport and Main Roads       Milestone 4A – Generic Design and Migration Process Template   Page 2 of 52
Endorsement of Report
The following officers have endorsed this document.

Customer
Name               Greg Booth
Position           Director Strategy and Architecture (Enterprise Information and Systems)

Signature                                                                                    Date


Sponsor
Name               Mark Delbridge
Position           A/Executive Director Operations and Asset Solutions (Business Solutions Delivery)

Signature                                                                                    Date



The following officer has endorsed this document.

Name               Roland Baier
Position           Program Director Foundation Services (Business Solutions Delivery)

Signature                                                                                    Date





Contents

1          Purpose of This Template.......................................................................................... 7
1.1        Who Should Use This Template .................................................................................. 7
1.2        How to Use This Template .......................................................................................... 7
1.3        Assumptions of This Template .................................................................................... 7
1.4        Document Conventions ................................................................................................ 8

2          Introduction ................................................................................................................ 9
2.1        Background .................................................................................................................. 9
2.2        Summary ...................................................................................................................... 9
2.3        Purpose ......................................................................................................................... 9
2.4        In Scope...................................................................................................................... 10
2.5        Out of Scope............................................................................................................... 10
2.6        Audience .................................................................................................................... 10
2.7        Assumptions ............................................................................................................... 11
2.8        References .................................................................................................................. 11

3          Report Stakeholders ................................................................................................ 12

4          Government Enterprise Architecture .................................................................... 13
4.1        Technology Domains ................................................................................................. 13

5          Guiding Design Principles ....................................................................................... 15
5.1        Active Directory Design Principles ........................................................................... 15
5.2        Department ABC Migration Principles...................................................................... 15

6          Logical Active Directory Architecture ................................................................... 16
6.1        Directory Services Architecture ................................................................................. 16
6.1.1      Forests and Domains Functional Levels .................................................................... 16
6.1.2      Flexible Single Master Operation (FSMO) Role Holders ......................................... 18
6.1.3      Domain Controller Placement .................................................................................... 20
6.1.4      Global Catalog Placement .......................................................................................... 22
6.1.5      Organisation Unit Topology ...................................................................................... 23
6.1.6      Sites and Replication .................................................................................................. 25
6.1.7      Group Policy .............................................................................................................. 30
6.1.8      Active Directory Naming Conventions...................................................................... 33
6.1.9      Security ...................................................................................................................... 34
6.1.10     Antivirus..................................................................................................................... 37
6.1.11     Remote Access Authentication .................................................................................. 37
6.2        High Level Network Infrastructure ............................................................................ 38
6.2.1      Enterprise WAN Data Network ................................................................................. 38
6.2.2      Enterprise ADSL Network ......................................................................................... 38
6.2.3      Enterprise Metropolitan Data Network ...................................................................... 38

6.3         Network Services (DNS, DHCP, WINS)................................................................... 39
6.3.1       DNS ............................................................................................................................ 39
6.3.2       DHCP ......................................................................................................................... 43
6.3.3       WINS ......................................................................................................................... 44
6.3.4       NTP - Time Synchronisation ..................................................................................... 45
6.4         Test and Development ............................................................................................... 46

7           Migration Approach ................................................................................................ 48
7.1         Summary .................................................................................................................... 48
7.2         Objectives and Goals ................................................................................................. 48
7.2.1       Business-related Objectives ....................................................................................... 48
7.2.2       Migration-related Goals ............................................................................................. 48
7.2.3       Migration Strategy ..................................................................................................... 48
7.3         Migration Environment .............................................................................................. 49
7.4         Migration Guidelines ................................................................................................. 49
7.5         Migration Process ...................................................................................................... 49
7.5.1       Test Environment ....................................................................................................... 49
7.5.2       Preparation ................................................................................................................. 49
7.5.3       Migration Stage .......................................................................................................... 49
7.5.4       Decommissioning of Replaced Resources ................................................................. 50
7.5.5       Rollback Plan ............................................................................................................. 50

8           Appendix A. – Definitions ....................................................................................... 51



Table of Figures
Figure 6-1 - Department ABC Active Directory ...................................................................... 17
Figure 6-2 - High Level Organisation Unit Structure .............................................................. 24
Figure 6-3 - Domain Controller Placement Decisions ............................................................. 27
Figure 6-4 - Site Topology Design ........................................................................................... 28
Figure 6-5 - Logical Site Replication Topology ...................................................................... 30
Figure 6-6 - Department ABC Group Strategy ........................................................................ 37
Figure 6-7 - Department ABC Enterprise WAN DATA Network Diagram............................ 38
Figure 6-8 - Enterprise ADSL Network Diagram .................................................................... 38
Figure 6-9 - Metropolitan Area Network Diagram .................................................................. 38
Figure 6-10 - Logical DNS Topology ...................................................................................... 39
Figure 6-11 - Conditional Forwarding Examples .................................................................... 40
Figure 6-12 – DHCP & Dynamic DNS .................................................................................... 43
Figure 6-13 - Time Synchronisation ........................................................................................ 46





Table of Tables
Table 1 - References ................................................................................................................. 11
Table 2 - Report Stakeholders .................................................................................................. 12
Table 3 - FSMO Role Placement ............................................................................. 19
Table 4 – Site Tiering Rules ..................................................................................................... 25
Table 5 - Estimated Number of logical sites per tier................................................................ 25
Table 6 - Site Tier Breakdown ................................................................................................. 29
Table 7 - Group policy object naming ..................................................................................... 33





1 Purpose of This Template
This reusable template is intended to accelerate a qualified Microsoft engineer through the analysis and
design aspects of Active Directory and to highlight the factors that are particular to a Government Agency.
It will assist Queensland Government Agencies by providing a reusable High Level (Logical) Active
Directory design template that accelerates the IT specialist's development of an Active Directory design.
When this document is coupled with the Active Directory Design Process document, it offers a start to
finish process for preparing for and designing Active Directory Domain Services.


1.1 Who Should Use This Template
This document is written for use by Queensland Government Agency IT specialists, generalists,
consultants, or anyone who needs to design a Windows Server 2008 Active Directory.


1.2 How to Use This Template
The template provides a refined document structure for a logical Active Directory design, based on an
actual high level Active Directory design completed by Avanade for the Department of Transport and
Main Roads (TMR). It provides a summary of each major heading of the document, with generic examples
and descriptions where appropriate. Additionally, the document offers guidance on how to complete
sections of the document, and information that is relevant to TMR and Whole of Government (WoG) based
on findings from the Design & Proof of Concept for AD & ILM project. Finally, placeholders for design
decisions are provided and, where applicable, the document references resources, tools, best practices
and design considerations to assist Queensland Government Agencies in making the appropriate design
decisions.
A number of technical resources and references are highlighted in this document and these are to be
used in accordance with this design template. As a rule of thumb, always make design decisions based on
best practices unless a specific business requirement is identified and justified.


1.3 Assumptions of This Template
In an effort to limit the scope of material in this guide, the following assumptions have been made:
  • The decision to implement Active Directory has already been made. This template does not
    address the business or technical case to make a directory choice.
  • This design is for use in a production environment. It is expected that a test environment will
    also be created to mirror the production environment in configuration.
  • The reader has familiarity with the Microsoft infrastructure and directory services. This guide
    does not attempt to educate the reader on the features and capabilities of Microsoft products.
    The product documentation covers that information.





1.4 Document Conventions
In order to assist the reader in identifying key pieces of information in this document, these will be
highlighted as follows:

Guidance - This information provides guidance to the IT specialist on how to complete sections of the
document template.

Example - This information is a generic example of text that can be used by the IT specialist to
accelerate the documentation process. The document uses the example of Department ABC, and these
sections provide example details for designing Active Directory for Department ABC.

TMR Information - Information relevant to all Queensland Government agencies based on project
findings.

Placeholder for Design decisions and Rationales - A section to be completed with the agency's own
design decisions and the reasoning behind them.

Note - An additional piece of key technical information that may assist the reader in
understanding a fact relating to a section of the document.





2 Introduction

2.1 Background
The background is intended to inform the reader of the relevant events that have taken place prior to
this project.
Provide a background of the projects that have been undertaken leading to the design of Active
Directory.
Describe how this project will be managed, whether by streams, by phases, or by any other means.
Explain how other streams of work are related to this document and their relevance.


2.2 Summary
The summary is intended to provide an overview of the work completed in the conceptual design phase
and to explain what this document will achieve.

With Active Directory, Department ABC will be introducing a technology that enables connectivity
throughout the organisation. In essence Active Directory is an enterprise directory that provides
management of users, groups and computers. Furthermore it offers secure access to network
resources.

Use this paragraph to briefly reflect on the significant decisions made in the conceptual design phase.

Department ABC requirements have been used as the basis to design the Conceptual Active Directory
structure. During the conceptual design, it was determined that Department ABC’s Active Directory
will utilise the single forest, single domain model, as it is the easiest to administer, the least
expensive to maintain, and the best model to support structured collaboration.
This ‘High Level Active Directory Design’ document provides the next step in the design process by
evolving the Conceptual Active Directory Design through more detailed logical and functional
technical specifications to the set of core infrastructure and processes that are in scope. This
document incorporates more concrete decisions about system components, such as construct, function,
usage, placement and integration based on the conceptual design.


2.3 Purpose
This section is intended to explain the purpose of the document, including its objectives and goals and
the inputs and outputs expected from it. Also describe where this document fits into the larger
project.

The ‘High Level Active Directory Design document’ describes the overall Active Directory
architecture, domain model and network services necessary to support the conceptual design and
requirements identified by Department ABC. This document is intended to:

  • Provide sufficient technical detail required to develop a detailed design.
  • Provide a high level migration approach for the implementation of the designed Active
    Directory Domain Services.



  • Provide a reference point for on-going technical support and other internal Department ABC
    technical groups.

Where appropriate, design decisions will be made and documented. These decisions will be based on
Department ABC’s business and technical requirements, architectural best practice guides, Avanade’s
extensive industry knowledge and the guiding design principles. Where multiple design options are
available, these will be identified. Some parts of the design will be dependent upon infrastructure
resources already deployed within Company ABC’s environment; in these cases the dependencies will be
noted and validated.


2.4 In Scope
The results of this design work will inform strategic direction for how the integration of systems within
the IT environment may be achieved when using a single centralised source of information. The design
was created in anticipation of future business and infrastructure requirements, allowing for flexibility
and extensibility. The following items are considered in scope for this document:

  • Logical design of Active Directory Domain Services


2.5 Out of Scope
The following items are considered out of scope for this document:

  • Externally facing (extranet, internet) Active Directory Domain Services.
  • Specific support for mobile devices.
  • Application Compatibility/Migration process.
  • Email Services Compatibility/Migration process.
  • File Services consolidation/migration.
  • Software Deployment Services Migration.
  • Operational design or run guides.
  • Delegated Administration model.
  • Detailed design and configuration steps.
  • Migration Approach.


2.6 Audience
The intended audience for this document is the following:

  • Project team members.
  • Department technology stakeholders.
  • Department Solution Working Group.

Note: This document is directed at a technical audience.





2.7 Assumptions
Assumptions - This section highlights all of the assumed critical items and interdependencies
identified in the project.


2.8 References
At all design decision points in this template refer back to a best practice resource or example for
additional context. The following documents are good references to have in the development of a
document of this nature and should be considered a part of the Active Directory High Level Design.



Document Reference                                   Comments                                              Importance
Requirements Documentation                           Authored: Internal                                    Essential input
Conceptual Design - Active Directory Services        Authored: Internal                                    Optional input
Windows Server System Reference Architecture         Authored: Microsoft (Apr05)                           Recommended
Microsoft Infrastructure Planning and Design –       Authored: Microsoft (Feb08)                           Required Reading
  Active Directory Solution Accelerator
Methodology                                          Authored: Internal or WoG                             Recommended
Microsoft TechNet articles                           Authored: Microsoft; links provided as footnotes      Recommended
                                                     throughout the document
Environment Site Reports                             Authored: Internally                                  Recommended
Infrastructure Discovery Documentation               Authored: Internally                                  Essential input
QGCIO - Architecture and Information Standards       Authored: Queensland Government Chief Information     Required Reading
                                                     Office (Apr09)
QGCIO - Queensland Government Enterprise             Authored: Queensland Government Chief Information     Required Reading
  Architecture 2.0                                   Office (Oct09)
Departmental policies and standards                  Authored: Internal or QGCIO-based                     Optional input
                                                 Table 1 - References





3 Report Stakeholders
In preparing this document, consultation has occurred with each of the parties noted below.

 Stakeholder Area      Stakeholder Representative      Responsibility      Interest/context
 (to be completed)

                                           Table 2 - Report Stakeholders





4 Government Enterprise Architecture
The High Level Active Directory Design for Department ABC aligns to the Government Enterprise
Architecture (GEA) in the following fashion.
[Figure: Government Enterprise Architecture technology domain map. Domains and categories shown include:
  Desktop & Productivity - Personal Productivity (Standard Office Suites, Web Browser, Web Page Authoring,
    Desktop Publishing, Special Purpose Productivity Tools, File Viewers, Multimedia & Graphics Design
    Software) and Collaboration Software (eMail & Calendaring, Real Time and Team Collaboration, Content
    Management);
  Business Intelligence & Data Warehouse Platforms (Data Mining Tools, Extract Transform & Load Tools,
    Data Quality Tools, Business Intelligence Platforms);
  Management & Control (Systems Management, Security Software, IT Service Desk, Identity and Access
    Management, Remote Desktop Management, Directory Services, Systems Configuration Management, PKI,
    ICT Asset Management, Network Security);
  Application Development, Application Delivery, Software Engines, Database Management, Integration Software.
  Example products named in the map include Microsoft Office 2002, Lotus Domino, Cognos, Notes, Novell (QT)
  for Directory Services and Identity and Access Management, and Novell ZenWorks V3.2 for ICT Asset Management.]
                                         Software                              Platform Software                                                                                                      Systems                                                              Novell ZenWorks 4.x
                                      Requirements Mgmt                      Application Server Software          Business Process Management                Reporting Engines                        Relational DBMS                     Application Integration
                                                                                                                            Engines                                                              SQL Server (inc. MSDE)                         Platforms
                                                                             Tomcat                                                                                                                                                                                            Software Licence                    Intrusion Prevention &
                                                                                                                                                                                                 Oracle RDBMS 9.2.x
                                                                             OC4J                                                                                                                                                                                                Management                               Detection
                                  Analysis, Design, Modelling                                                                                                                                    Oracle RDBMS 10.1.x
      Application Environments




                                                                             JBOSS
                                             Tools                                                                                                          GIS Server Engines                   Oracle RDBMS 10.2.x
                                                                             .Net                                     Business Rules Engines
                                                                                                                                                                                                                                          Messaging Middleware
                                   Autodesk Map 2004
                                                                                Portal Server Software                                                 Geomedia WebMap Professional                                                                                                                                      Encryption
                                                                                                                                                                                                   Object Oriented DBMS                                                     Application Management
                                    Application Development                                                                                            Oracle Spatial
                                      Tools & Environment                                                                                              Mapinfo MapExtreme Java
                                                                                                                           Workflow Engines
                                    .Net (VB, C#, asp)                                                                                                 Examin GBM Mobile                                                                  Transaction Processing
                                    JEE           Borland C++                                                                                                                                           Desktop DBMS                             Monitors
                                                                                  Web Server Software                                                                                               MS Access 2000
                                    Notes         VB6                                                                                                                                                                                                                         DBMS Management                      Antivirus & Antimalware
                                                                             IIS v3                                                                                                                 MS Access XP
                                    VB Document Generator                                                                                                                                           Lotus Approach
                                                                             IIS v4
                                    Access (97/2000/2003)                                                                                                     Search Engines
                                                  OC4J                       Apache
                                    Delphi                                                                                                                                                             Non-Relational DBMS
                                                                             Notes Domino
                                                                                                                                                                                                                                                                             Batch Job Scheduling                     Content Filtering
                                                                             Novell Zenworks (QT)                                                                                                       Embedded DBMS
                                     Software Testing Tools

                                                                                                                                                                                                   Database Replication &
                                   Software Change & Config                                                                                                                                              Clustering
                                             Mgmt                                                                                                                                                                                                                          Availability & Performance              Security Administration
                                                                                                                                                                                                                                                                                  Management                              Software



                                                                                                                                                                        Operating Systems & Utilities                                   Storage Management                   Network Management                  Security Event Management
                                       Server Hardware                      Desktop Hardware                  General Purpose Mobile
                                                                                                                     Devices                                   Operating Systems               OS Clustering & Availability                  Storage Devices
                                        Entry Level Server                       Desktop PCs
                                                                                                                Laptops & Notebook PCs                  Desktop                                         Software                       SAN Storage
                                    IA-32 Servers                          Desktop PCs
                                    Sun (Sparc) Servers                                                                                                 Windows XP 2002 SP2                                                            Hitachi Thunder SAN                                                        Vulnerability Management
                                                                                                                                                        Wintel                               Virtual User Interface Software           Tape Storage
                                         Mid-range Server                                                                                               Windows NT4 Server OS                                                          Ultrium / LTO
                                                                              Desktop Terminals                                                         Windows 2000 & 2003 & 2008                                                     Super DLT
                                                                                                                   Handheld Devices                     Server OS                                                                      DDS / DAT
                                                                                                                                                        NetWare                                                                                                                                                     Security Information
Hardware, Devices &




                                                                                                               PDA's - Windows Mobile 2003                                                      Virtual Machine Software
                                        Mainframe Server                                                                                                NetWare (6) Server OS
 Systems Software




                                                                                                                                                                                                                                       Backup, Recovery & Archive                                                      Management
                                                                               Desktop Printers                PDA's - Palm OS
                                                                                                                                                        UNIX                                                                                    Software
                                                                            Laser Printers                                                              Linux Server OS                                                               Arcserve
                                                                                                                                                        Sun Solaris 8, 9 Server OS         Application and Operating System
                                                                              Desktop Scanners                            Tablet PCs                                                             Deployment Services
                                                                                                                                                             File & Print Services
                                                                                                                                                         Novell Netware                                                               Storage Management Software
                                                                                                                                                                                                   Supporting Utilities                ArcServe

                                                                      Special Purpose Devices
                                           Remote Sensors                     Mobile Telephones               Embedded Software Tools


                                       Dedicated IP Telephony                                                    Other Audio & Video
                                              Devices                                Faxes
                                                                                                                       Devices
                                                                                                              Polycom suite of products
                                         Desktop Telephones                  Multi-Function Devices




                                                                     Network Hardware                                                                                          Network Software                                      Bandwidth & Other Network
                                                                                                                                                                                                                                             Services
                                         LAN Devices              Network Performance Devices              Voice Network Devices                                            Network Name & Address
                                                                                                                                                                                    Service                                               Bandwidth Provision
Network




                                 Wireless Networking Devices     Network Cabling & Infrastructure          Radio Network Devices                                            Network Monitoring Node
                                                                                                                                                                                   Software                                                   VPN Services

                                                                                                                                                                             Caching & Proxy Service
                                   Content Switches & Load             MAN & WAN Devices                  Network Security Devices
                                          Balancers                                                                                                                                                                                     Remote Access Services
                                                                 QT – Wide Area Network Services                                                                                                                                        VPN (QT)


                                                                                                                                                                                                                                                                                                                                      MR Technology Portfolio Wallchart V1.0
                                                                                                                                                                                                                                                                                                                                                 Last Updated: 12-06-2008




4.1 Technology Domains
This section outlines the technology domains encompassed in this design with reference to the GEA
Technology Portfolio Framework.

[Figure: Technology domains in scope for this design, as a subset of the GEA Technology Portfolio Framework]
  Hardware, Devices & Systems Software > Operating Systems & Utilities > Operating Systems: Windows Server 2008 R2 OS
  Management & Control > Security Software > Identity and Access Management: Novell Identity Manager
  Management & Control > Security Software > Directory Services: Novell eDirectory Services; Microsoft Active Directory Services




Department of Transport and Main Roads                                                                                                                 Milestone 4A – Generic Design and Migration Process Template                                                                                                     Page 13 of 52
Design and Proof of Concept for AD & ILM
Supported by the Queensland Government Microsoft Services Provision Fund




T-5.2.2 Directory Services
This domain includes components that map logical names to physical addresses in a network;
directories are repositories for information about network-based entities, such as applications, files,
printers, and people. Directory services provide a consistent way to name, describe, locate, access,
manage, and secure information about these resources. An example is Microsoft’s Windows 2000
Directory Services.


T-5.2.1 Identity and Access Management
This domain includes systems that allow an enterprise to keep track of the many user accounts
throughout the enterprise, not only on in-house-designed applications but also on purchased
packages such as those from SAP and PeopleSoft. Sophisticated identity management systems contain
middleware that gives them the ability to interoperate with many types of directory systems. An example
of such a system is Novell's nSure offering.
Access management services give an enterprise the ability to distinguish authorised users of its ICT
systems from those who are not authorised and, for the former, to grant each user the predetermined
level of access and capability. The system also provides management functions such as adding new
authorised users, deleting and modifying others, and changing the levels and types of permission
associated with each user.


T-3.5.1 Operating Systems
This domain includes the main control programs that run a computer and set the standard for running
application programs. The operating system is the first program loaded when the computer is turned on,
and it resides in memory at all times. An operating system is responsible for functions such as memory
allocation, managing programs and errors, and directing input and output [Gartner]. Examples are IBM's
OS/400, an operating system for midrange computers, and Microsoft Windows for microcomputers.








5 Guiding Design Principles
This section is a placeholder to detail the guiding principles of the design. These principles are not
requirements or assumptions but are key concepts that are used to guide the design. They will assist
the IT Specialist in making certain design decisions, and they should be referred back to throughout the
design process.

As with any design it is beneficial to complete tasks with the end result in mind. Clearly defining the
guiding principles will ensure that the design will assist in achieving a broader strategy. In this design
there are two categories that these guiding design principles fall into: Active Directory Design and
Migration approach.


5.1 Active Directory Design Principles
The following guiding design principles will be used to help shape the design for Department ABC:

        • Centralisation and consolidation of Active Directory infrastructure.
        • Virtualisation is the preferred infrastructure platform.
        • Reduce total cost of ownership.


5.2 Department ABC Migration Principles
The following prioritised guiding design principles will be used to help shape the sequencing of
activities in the migration approach for Department ABC:

        • Minimise disruption to the production environment.
        • Minimise administrative overhead.








6 Logical Active Directory Architecture
The Logical Directory Architecture section allows the IT specialist to discuss the various logical
components of the Active Directory architecture, such as the Directory Services Architecture, the
physical network infrastructure, and the network services that are utilised by Active Directory.


6.1 Directory Services Architecture
A Directory Services Architecture should cover, but is not limited to, the following headings:

        • The selected domain and forest model, the number of forests and domains, and the selected
          domain namespace.
        • An overview of the forest and domain configurations, including the functional levels at which
          the forest and domain will operate.
        • FSMO roles and their configuration within the forest(s) and domain(s).
        • Domain Controller placement and the types of domain controllers which may be used in the
          domain (writeable and read-only).
        • Global Catalog placement and configuration.
        • High level Organisational Unit topology.
        • Site categorisation or tiering, if applicable, and site replication characteristics.
        • Group Policy: AD Domain and Domain Controller policy, server policies, computer
          policies, user policies.

Provide a summary of the selected forest/domain model defined in the conceptual design.

The Department ABC Active Directory architecture is based on a single-domain forest model. Further
information is provided below regarding decisions and the configuration of the logical components of
the Directory Structure Architecture.

TMR Information: Generic domain namespace for agility - For a Queensland Government
agency it’s recommended that the domain name space be kept generic to provide extensibility and
flexibility in the design to cater for regular changes to the organisational structure.


6.1.1      Forests and Domains Functional Levels
Describe how the domains within the forest will operate in a Windows Server 2008 R2 domain at the
selected functional level, and which versions of Windows can act as domain controllers at that level.
If an existing domain is to be upgraded, it is important to understand which Windows versions can
participate as domain controllers at each functional level.
Describe the use of Kerberos in the forest and domain, and explain how this will work for cross-forest
trusts, if applicable.

Domain and forest functional levels, introduced with Windows Server 2003 Active Directory, provide a
way to enable domain-wide or forest-wide Active Directory features within the ABC network environment.
Different domain and forest functional levels are available, and the levels selected restrict the
operating systems that the domain controllers in the ABC forest and domain can run.





If all domain controllers in the domain are running Windows Server 2008 R2 and the domain and forest
functional levels are set to Windows Server 2008 R2, all domain-wide and forest-wide features are
available. When Windows NT 4.0, Windows 2000, Windows Server 2003 or Windows Server 2008 (non-R2)
domain controllers are present in a domain or forest alongside Windows Server 2008 R2 domain
controllers, the functional level must remain at the level of the oldest domain controller and Active
Directory features are limited accordingly. To maximise the functionality of the AD infrastructure, the
forest and domain functional levels will be raised to Windows Server 2008 R2; Windows Server 2008,
Windows Server 2003, Windows 2000 and Windows NT 4.0 domain controllers will not be supported in the
domain.
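Raising a functional level is a one-way change (a Windows Server 2008 R2 forest can only be lowered back to Windows Server 2008 while the Recycle Bin has not been enabled), so the decision above should be enforced by a pre-check rather than trusted to an inventory spreadsheet. The following PowerShell is an added example, not part of the Department ABC design document: it enumerates every domain controller, refuses to proceed if any one of them reports a kernel version below 6.1 (Windows Server 2008 R2), and only then raises the domain level followed by the forest level. The domain name abc.internal is taken from section 6.1.1.1; the function names are illustrative.

```powershell
# Added example (not from the design document). Requires the ActiveDirectory
# module (RSAT or a Windows Server 2008 R2 domain controller). Function names
# are illustrative; abc.internal is the namespace chosen in section 6.1.1.1.
Import-Module ActiveDirectory

function Get-DcBelowTarget {
    param(
        [string]$Domain = 'abc.internal',
        # Windows Server 2008 R2 reports kernel version 6.1
        [version]$MinimumOsVersion = [version]'6.1'
    )
    Get-ADDomainController -Filter * -Server $Domain | ForEach-Object {
        # OperatingSystemVersion looks like "6.1 (7601)"; keep the numeric prefix only
        $ver = [version](($_.OperatingSystemVersion -split ' ')[0])
        if ($ver -lt $MinimumOsVersion) {
            [pscustomobject]@{
                Name            = $_.HostName
                OperatingSystem = $_.OperatingSystem
                Version         = $ver
                IsReadOnly      = $_.IsReadOnly
            }
        }
    }
}

function Set-AbcFunctionalLevels {
    param([string]$Domain = 'abc.internal')

    $forest = Get-ADForest -Server $Domain
    $dom    = Get-ADDomain -Server $Domain
    Write-Host ("Current levels: forest={0} domain={1}" -f $forest.ForestMode, $dom.DomainMode)

    # Refuse to raise while any down-level DC remains: raising is effectively
    # one-way and would leave those DCs unable to participate at the new level.
    $downLevel = @(Get-DcBelowTarget -Domain $Domain)
    if ($downLevel.Count -gt 0) {
        $downLevel | Format-Table -AutoSize | Out-String | Write-Warning
        throw "Down-level domain controllers present; upgrade or demote them first."
    }

    # Domain level first: every domain must be at 2008 R2 before the forest can be.
    if ($dom.DomainMode -ne 'Windows2008R2Domain') {
        Set-ADDomainMode -Identity $dom -DomainMode Windows2008R2Domain -Confirm:$false
    }
    if ($forest.ForestMode -ne 'Windows2008R2Forest') {
        Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest -Confirm:$false
    }
    Get-ADDomain -Server $Domain | Select-Object DNSRoot, DomainMode
    Get-ADForest -Server $Domain | Select-Object Name, ForestMode
}

Set-AbcFunctionalLevels
```

Run it with Enterprise Admins rights against a writeable domain controller; the version check is deliberately on the DC's reported kernel version rather than its display name, because a Windows Server 2008 (non-R2) DC reports 6.0 and would otherwise be easy to confuse with R2 in a hand-maintained list.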


6.1.1.1 Forests
Describe the forest configuration, including the numbers of forests and domains, the selected
namespace, and NetBIOS names. Describe function of this forest, i.e. Resource Forest, Organisation
Forest, etc.
Define the forest functional levels of each forest to be implemented. Also detail the configuration of
forests trusts if required.
A single forest is ideal. It is easier to manage as well as being cheaper to implement, maintain, and
support. Multiple forests are necessary if legal, schema, administrative, or application requirements
dictate the decision. Leverage the Microsoft resources and best practices to assist with the decision
process.

The Department ABC Active Directory infrastructure consists of a single AD forest containing a single
domain. The Domain Name System (DNS) namespace for the domain is abc.internal. The NetBIOS name is
abc. The domain will be the central repository of information about users and computers within the
Department ABC environment. The proposed Department ABC environment is represented in Figure 6-1.

                       <Insert Queensland Government agency specific diagram here>
                                         Figure 6-1 - Department ABC Active Directory


6.1.1.1.1 Forest Configurations
Placeholder for Design decisions and Rationales:

        • For each forest in the design, what is the forest functional level?

TMR Information: Identify the required feature set - The Windows Server 2008 R2 forest functional
level enables Government agencies to leverage features above the Windows Server 2003 and 2008 forest
functional levels, such as the Active Directory Recycle Bin, 'which provides the ability to restore
deleted objects in their entirety while AD DS is running'.1


          Note: All domains within the forest must also operate at the Windows Server 2008 R2 domain
          functional level and must consist exclusively of Windows Server 2008 R2 domain controllers.
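The Recycle Bin is the feature most likely to justify the 2008 R2 forest level for an agency, and it is itself irreversible: once enabled it cannot be disabled and the forest functional level can no longer be lowered. The PowerShell below is an added example, not part of the design document. It checks the forest level before enabling the feature and then shows the recovery path the TMR note refers to, restoring a deleted user with its attributes and group memberships intact. The forest name abc.internal comes from section 6.1.1.1; the user name jsmith and the function names are illustrative.

```powershell
# Added example (not from the design document). Requires the ActiveDirectory module
# and Enterprise Admins rights. abc.internal is from section 6.1.1.1; jsmith and the
# function names are illustrative.
Import-Module ActiveDirectory

function Enable-AbcRecycleBin {
    param([string]$Forest = 'abc.internal')
    $f = Get-ADForest -Identity $Forest
    if ($f.ForestMode -ne 'Windows2008R2Forest') {
        throw "Forest is at $($f.ForestMode); raise it to Windows2008R2Forest first."
    }
    $feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
    if ($feature.EnabledScopes.Count -gt 0) {
        return 'Recycle Bin already enabled'
    }
    # Irreversible: the feature cannot be disabled afterwards and the forest
    # functional level can no longer be lowered.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $f.Name -Confirm:$false
    'Recycle Bin enabled'
}

function Restore-DeletedUser {
    param([string]$SamAccountName)
    # Deleted objects live under CN=Deleted Objects and are only returned when
    # -IncludeDeletedObjects is given. sAMAccountName is preserved on the deleted
    # object, so it is a reliable key even though the DN has been mangled.
    $deleted = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))" `
        -IncludeDeletedObjects -Properties msDS-LastKnownRDN, lastKnownParent, whenChanged
    if (-not $deleted) { throw "No deleted object named $SamAccountName found." }

    # Restore-ADObject requires the last known parent container to exist. If the
    # OU was deleted as well, restore containers top-down before their children.
    $deleted | Restore-ADObject

    # With the Recycle Bin enabled the restored object keeps every attribute,
    # including group membership; without it only the tombstone subset survives.
    Get-ADUser -Identity $SamAccountName -Properties MemberOf |
        Select-Object SamAccountName, DistinguishedName, Enabled, MemberOf
}

Enable-AbcRecycleBin
Restore-DeletedUser -SamAccountName 'jsmith'
```

Deleted objects remain recoverable for the deleted object lifetime (by default 180 days on a forest created with Windows Server 2003 SP1 or later), after which they become recycled objects and can no longer be restored by this method.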


6.1.1.2 Domains
Every forest contains at least one domain (its forest root domain), so a design with multiple forests has at least one domain per forest.


1 For further information relating to domain and forest functionality, refer to Understanding Domain and Forest Functionality.





For each domain, describe its function. Examples include separating a business unit because of legal
requirements, or catering for different administrative units that need to be autonomous.
A single domain is the default configuration for each forest. Add domains only as necessary to solve
technical and business concerns that cannot be solved within a single domain. Additional domains cost
more to install and increase the hardware and software needed to run the domain controllers in each
domain. Leverage the Microsoft resources and best practices to assist with the decision process.


6.1.1.2.1 Domain Configurations
Placeholder for Design decisions and Rationales:

        • For every domain in each forest, what is the domain functional level?

TMR Information: Identify the required feature set - The Windows Server 2008 R2 domain functional
level enables functionality beyond the Windows Server 2003 level, including the features introduced at
the Windows Server 2008 domain functional level: Advanced Encryption Standard (AES 128 and AES 256)
support for the Kerberos authentication protocol; Last Interactive Logon Information, which records the
time of the last successful interactive logon for a user, the workstation it came from, and the number
of failed logon attempts since that logon; and fine-grained password policies, which make it possible
for password policies and account lockout policies to be specified for individual users and global
security groups in a domain, rather than one policy per domain.


         Note: The selected functional level does not affect which operating systems you can run on
          workstations and member servers that are joined to the domain or forest. The solution will
          allow the coexistence of existing server platforms.
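
As an added example, not part of the original design document, the following PowerShell script audits the readiness conditions described above for both the forest functional level and the domain functional levels: it reports the current levels, lists any domain controllers not yet running Windows Server 2008 R2, and reports whether the Active Directory Recycle Bin is enabled. It assumes the ActiveDirectory module shipped with Windows Server 2008 R2 / RSAT and an account that can read the forest; the raise commands at the end are shown with -WhatIf and represent an assumed change sequence, not a step from this document.

```powershell
# Added example: functional-level readiness audit for a Windows Server 2008 R2
# target. Not from the original design document. Assumes the ActiveDirectory
# module (Windows Server 2008 R2 / RSAT) and read access to the forest. Nothing
# is changed unless the -WhatIf switches at the end are removed.
Import-Module ActiveDirectory

function Get-FunctionalLevelReadiness {
    param(
        [string]$TargetDomainMode = 'Windows2008R2Domain',   # DomainMode value to reach
        [string]$TargetForestMode = 'Windows2008R2Forest',   # ForestMode value to reach
        [string]$RequiredDcOs     = '2008 R2'                # release every DC OS string must contain
    )

    $forest = Get-ADForest
    # The Recycle Bin is an optional feature; EnabledScopes stays empty until it is enabled
    $recycleBin = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $forest.DomainNamingMaster
    $domains = @()

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        # A DC whose OS string does not mention the required release blocks the domain raise
        $downlevel = @($dcs | Where-Object { $_.OperatingSystem -notmatch [regex]::Escape($RequiredDcOs) })

        $domains += New-Object PSObject -Property @{
            Domain         = $domainName
            DomainMode     = [string]$domain.DomainMode
            DcCount        = $dcs.Count
            DownlevelDCs   = ($downlevel | ForEach-Object { "$($_.HostName) ($($_.OperatingSystem))" }) -join '; '
            AtTarget       = ([string]$domain.DomainMode -eq $TargetDomainMode)
            CanRaiseDomain = ($downlevel.Count -eq 0 -and [string]$domain.DomainMode -ne $TargetDomainMode)
        }
    }

    # The forest can only be raised once every domain is already at the target domain level
    $allDomainsAtTarget = -not ($domains | Where-Object { -not $_.AtTarget })

    New-Object PSObject -Property @{
        Forest            = $forest.Name
        ForestMode        = [string]$forest.ForestMode
        RecycleBinEnabled = (@($recycleBin.EnabledScopes).Count -gt 0)
        Domains           = $domains
        CanRaiseForest    = ($allDomainsAtTarget -and [string]$forest.ForestMode -ne $TargetForestMode)
    }
}

$readiness = Get-FunctionalLevelReadiness
$readiness | Format-List Forest, ForestMode, RecycleBinEnabled, CanRaiseForest
$readiness.Domains | Format-Table Domain, DomainMode, DcCount, DownlevelDCs, CanRaiseDomain -AutoSize

# Raise order: every domain first, then the forest, then enable the Recycle Bin.
# -WhatIf reports the change without applying it; remove it only after change approval.
foreach ($d in @($readiness.Domains | Where-Object { $_.CanRaiseDomain })) {
    Set-ADDomainMode -Identity $d.Domain -DomainMode Windows2008R2Domain -WhatIf
}
if ($readiness.CanRaiseForest) {
    Set-ADForestMode -Identity $readiness.Forest -ForestMode Windows2008R2Forest -WhatIf
}
if (-not $readiness.RecycleBinEnabled) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $readiness.Forest -WhatIf
}
```

Run it from a management workstation before the change window; the DownlevelDCs column is the list of servers that must be upgraded or demoted before the corresponding Set-ADDomainMode can succeed.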


6.1.2      Flexible Single Master Operation (FSMO) Role Holders
Describe the forest and domain FSMO roles; the table below can assist with this.
Describe the considerations for placing FSMO roles and complete the table to illustrate FSMO placement. If there is more than one forest there will be a Schema Master and a Domain Naming Master per forest, and a RID Master, PDC Emulator and Infrastructure Master for every domain within each forest. Extend the table if necessary to account for more forests or domains.
Consider availability and disaster recovery requirements when placing FSMO roles.
Use Microsoft best practice for optimal placement of FSMO roles[2] and leverage the Microsoft resources and best practices to assist with making these decisions.

In addition to the network services in Section 6.3, Windows Server 2008 Active Directory is a multi-master directory in which a small number of operations cannot safely be performed by more than one domain controller at a time: schema changes, adding or removing domains and application partitions, allocating RID pools, the PDC functions, and updating cross-domain object references. Each of these operations is owned by exactly one domain controller, the Flexible Single Master Operation (FSMO) role holder, so that conflicting updates cannot occur.
The FSMO roles are assigned automatically during the DCPROMO process, the forest-wide roles to the first domain controller in the forest and the domain-wide roles to the first domain controller in each domain; they can be transferred to other domain controllers afterwards. The following table summarises the number of FSMO roles to be allocated, their default locations and the selected host in ABC.local:



[2] For further information on FSMO placement refer to: FSMO placement and optimization on Active Directory domain controllers

       FSMO Role          Scope     Number of DCs holding     Default Location                           FSMO roles in domains
                                    this role in ABC.local                                               (selected host)

       Schema             Forest    One                       The first DC in the first domain in the
                                                              forest (i.e. the Forest Root Domain)
       Domain Naming      Forest    One                       As for Schema

       RID                Domain    One                       The first DC in a domain (any domain,
                                                              including the Forest Root Domain, any
       PDC Emulator       Domain    One                       Tree Root Domain, or any Child Domain)

       Infrastructure     Domain    One                       As for RID

                                                 Table 3 - FSMO Role Placement

When placing these FSMO roles, certain best practices and considerations must be taken into account to ensure that the FSMO roles function correctly and that the FSMO role owner is available when dependent activities take place.
The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. By default they all reside on the first domain controller installed in the ABC.local forest.

          Note: Microsoft guidance is that the Domain Naming Master should be a Global Catalog server.
           This was a hard requirement for Windows 2000 forests; at the Windows Server 2003 and later
           forest functional levels it is a recommendation rather than a requirement, but it remains the
           default placement. If the Domain Naming Master and Schema Master are separated, make sure they
           are both on Global Catalog servers.

TMR Information: Consider lockdown and/or tight control of Forest FSMO roles - Forest FSMO roles are unique to the forest. The Schema Master and Domain Naming Master roles should be placed on the same domain controller, as they are rarely used and should be tightly controlled: schema changes and the creation of new domains or application partitions are forest-wide and largely irreversible, so the role holder should sit in the most secure data centre, and membership of the Schema Admins and Enterprise Admins groups should be kept empty except while such a change is actually being made.

In a multiple domain environment there are specific constraints around the placement of the Infrastructure Master: it should not be on a server that is also a Global Catalog, unless every domain controller in the domain is a Global Catalog. The Infrastructure Master is responsible for updating references to objects in other domains (for example, a user from another domain who is a member of a group in this domain). A domain controller that is not a Global Catalog holds such a reference as a "phantom" record containing the referenced object's GUID, SID and distinguished name; the Infrastructure Master periodically compares its phantoms with a Global Catalog and replicates any renames, moves or deletions to the other domain controllers in its domain. A Global Catalog holds a partial replica of the real objects from every domain and therefore has no phantoms. If the Infrastructure Master is also a Global Catalog it has nothing to compare, never detects cross-domain changes and never replicates them, so the phantoms on the non-Global Catalog domain controllers in the domain go stale (for example, a group membership continues to show a user's old name). If every domain controller in the domain is a Global Catalog there are no phantoms anywhere and the placement does not matter.

          Note: In a single domain environment it is not an issue as there are no phantoms[3], and so
           the Infrastructure Master has no work to do. Likewise, once the Active Directory Recycle Bin
           is enabled (Windows Server 2008 R2 forest functional level) every domain controller updates
           its own cross-domain references and the placement of the Infrastructure Master becomes
           irrelevant.




[3] For further information on phantoms refer to: Disaster Recovery: Active Directory Users and Groups

         Note: There is only one PDC Emulator per domain. It registers the domain's NetBIOS PDC name
          and processes password changes from pre-Windows 2000 clients, so any legacy Windows NT 4.0
          workstations or servers added to the domain need reliable connectivity to the AD site that
          hosts the PDC Emulator.

         Note: Windows NT 4.0 Server based computers located in remote sites that authenticate via
          slow WAN links may experience considerable delays during the logon process. This delay only
          occurs when a user attempts to log on to a Windows NT 4.0 system that has been migrated to
          the domain.

TMR Information: Consider how internal & external organisation change and their frequency affects the design - In a single-domain forest, as outlined above, the Infrastructure Master role can be placed on a Global Catalog. However, from a scalability perspective it may be a requirement to design the forest to allow for the addition of other domains, for example as a result of Machinery of Government changes or internal organisational restructure. If such a change is likely, and there are at least two Global Catalog servers in the domain, place the Infrastructure Master on a domain controller that is not a Global Catalog, as this will require less reconfiguration if an additional domain is added in the future.

TMR Information: Leverage best practices and use default configurations unless there is good reason not to - When considering placement of the Infrastructure Master, PDC Emulator and RID Master roles, it is Microsoft best practice to move them to the second domain controller in the domain.[4]

TMR Information: Consider legacy Windows NT 4.0 systems - If some legacy Windows NT 4.0 servers are still in use in the Queensland Government agency, the PDC Emulator FSMO role holder may receive more traffic than the other FSMO role holders, so the second domain controller in the domain should be a server that can handle the additional load. The PDC Emulator is also the busiest role in a modern domain: it is the preferred domain controller for Group Policy edits, the authoritative time source for the domain, and the domain controller consulted when a password fails to validate elsewhere, so it is the role whose availability matters most.

Each of the FSMO role holders should be a direct replication partner of the others and have high bandwidth connections to them and to a Global Catalog server.

Placeholder for Design decisions and Rationales:

         For every forest / domain in the design explain:

                Where the Schema Master is located?
                Where the Domain Naming Master is located?
                Where the PDC Emulator Master is located?
                Where the RID Master is located?
                Where the Infrastructure Master is located?

         How will this affect the design's availability and scalability?


6.1.3      Domain Controller Placement
Briefly describe the importance of domain controller placement for authentication, user logon performance, application of group policies, etc.


[4] For further information on FSMO placement refer to: FSMO placement and optimization on Active Directory domain controllers

Discuss the types of domain controllers and how this may be relevant to this design and provide an
example of where a Read-Only domain controller could be implemented if this is relevant.
Consider availability and disaster recovery requirements when placing domain controllers, such as
the existence of a business continuity/disaster recovery site.
Place domain controllers in hub and satellite locations when appropriate. Most hub locations require
one or more domain controllers. Satellite offices might require a domain controller depending on
WAN link characteristics, number of clients, and resources.
Remember to repeat this decision process for every domain in every forest.
Make reference to the policies and standards that are used internally relating to security and the
placement of infrastructure at a remote site or data centre.

Placement of Domain Controllers has an impact on the time it takes for a user to log on to the network. As a workstation starts, it downloads the Group Policy objects that apply to it in order to establish the machine's configuration. After a user logs on, it downloads a second set of Group Policy objects which are specific to the user. Domain Controller placement determines how quickly these policies can be downloaded.
In addition to providing policies, Domain Controllers provide authentication services. Large sites (more than 500 users) can benefit from additional domain controllers, as load on a Domain Controller during a peak period can result in slower authentication.
Windows Server 2008 R2 offers two styles of domain controller: the standard and familiar writeable domain controller, and the Read-Only Domain Controller (RODC), which hosts complete, read-only copies of the Active Directory database partitions (less the attributes in the RODC filtered attribute set) and a read-only copy of the SYSVOL folder contents. An RODC caches no account passwords by default; credentials are cached only for the accounts its Password Replication Policy allows, and privileged groups such as Domain Admins are denied caching by default. This allows RODCs to address some of the challenges encountered in remote locations and perimeter networks (also known as DMZs) that may lack the physical security commonly found in data centres and larger sites[5]: an attacker who obtains the RODC obtains only the cached credentials, and those accounts can be identified from the RODC's computer object and reset. Decisions on writeable or read-only domain controller selection will be made at the detailed design level.
Network topology and link utilisation are also key underlying drivers for placement of domain controllers; this is discussed further in relation to site tiering and replication.
Finally, fault tolerance is a consideration with Domain Controller placement. There need to be enough Domain Controllers to meet availability requirements should a controller become unavailable.
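
As an added example, not from the original design document, the following PowerShell script checks the selective credential caching described above for every RODC in the current domain: it confirms that the privileged groups are on the deny list of the Password Replication Policy and lists the accounts whose passwords are currently cached on the RODC (the accounts that would need resetting if the RODC were lost). It assumes the ActiveDirectory module from Windows Server 2008 R2 / RSAT; the list of groups that must be denied is an assumption based on the membership of the default Denied RODC Password Replication Group.

```powershell
# Added example: Password Replication Policy (PRP) audit for every RODC in the
# current domain. Not from the original design document. Assumes the
# ActiveDirectory module (Windows Server 2008 R2 / RSAT) and read access.
Import-Module ActiveDirectory

function Test-RodcPasswordReplicationPolicy {
    param(
        # Privileged groups whose passwords must never be cached on an RODC. The default
        # Denied RODC Password Replication Group already covers these; the check exists
        # because the PRP can be edited at any time after the RODC is promoted.
        [string[]]$MustBeDenied = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                    'Administrators', 'Account Operators', 'Server Operators',
                                    'Backup Operators', 'Cert Publishers')
    )

    foreach ($rodc in @(Get-ADDomainController -Filter { IsReadOnly -eq $true })) {
        $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed)
        $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied)
        $deniedNames = @($denied | ForEach-Object { $_.Name })

        # Deny wins over allow, so a privileged group is only safe if it is on the deny list
        $missingDenies = @($MustBeDenied | Where-Object { $deniedNames -notcontains $_ })

        # Accounts whose secrets are physically present on the RODC right now. If the RODC
        # is lost these are the accounts to reset; a privileged account here is a finding.
        $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
        $privilegedRevealed = @()
        foreach ($account in $revealed) {
            $groups = @(Get-ADPrincipalGroupMembership -Identity $account -ErrorAction SilentlyContinue |
                        ForEach-Object { $_.Name })
            foreach ($g in $groups) {
                if ($MustBeDenied -contains $g) { $privilegedRevealed += "$($account.SamAccountName) ($g)" }
            }
        }

        New-Object PSObject -Property @{
            RODC               = $rodc.HostName
            Site               = $rodc.Site
            AllowedEntries     = ($allowed | ForEach-Object { $_.Name }) -join '; '
            MissingDenies      = $missingDenies -join '; '
            CachedAccountCount = $revealed.Count
            PrivilegedCached   = $privilegedRevealed -join '; '
            Compliant          = ($missingDenies.Count -eq 0 -and $privilegedRevealed.Count -eq 0)
        }
    }
}

Test-RodcPasswordReplicationPolicy |
    Format-Table RODC, Site, CachedAccountCount, MissingDenies, PrivilegedCached, Compliant -AutoSize
```

The AllowedEntries column should contain only the site-specific group created for that RODC's users and computers; a broad entry such as Authenticated Users in the allow list defeats the purpose of the RODC, because every account that logs on at the site is then cached on a server that may not be physically secure.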

TMR Information: Define clear rules - For example, when tiering sites a general rule can be made that sites with more than 100 users require a domain controller and Global Catalog in order to provide a positive user experience and adequate logon performance.

TMR Information: Keep refining Domain Controller placement rules - As knowledge of the Queensland Government agency's physical sites improves or changes, the defined rules should be further refined to meet specific business needs. This refinement process continues through detailed design and deployment.

TMR Information: Consider network security zones - Network security zones must be observed and considered when detailing the placement of domain controllers. In TMR's case domain controllers were only placed in internal and secure network zones, as there was no requirement for domain controllers to be exposed to perimeter or external network zones. Keeping domain controllers out of perimeter zones significantly reduces the attack surface: a domain controller reachable from a less trusted zone exposes its LDAP, Kerberos, SMB and RPC endpoints and, if writeable, holds the credentials of every account in the domain. Where an application in a perimeter zone genuinely needs directory services, the usual options are an RODC in that zone with a Password Replication Policy limited to the accounts the application uses, a separate perimeter forest connected by a one-way trust, or LDAP access through the firewall to an internal domain controller; each must be assessed against the agency's security policy.


[5] For further information relating to planning and deployment of RODCs refer to: Read-Only Domain Controller Planning and Deployment

Placeholder for Design decisions and Rationales:

         Which sites will have domain controllers?
         How will you determine the number of domain controllers at a site?
         Do network security zones impact domain controller placement?


6.1.4      Global Catalog Placement
Describe the importance of Global Catalogs and their relevance to the Queensland Government agency.
If this design covers multiple forests and domains, explain how the responsibilities of the Global Catalog differ and the impact on the design.
If a forest consists of only one domain, then all domain controllers should be configured as Global Catalog servers; in a single-domain forest the Global Catalog adds no data and no replication load. However, if scalability is required, determine whether this includes adding domains, as that may affect the decision to place the Global Catalog on every DC (see the Infrastructure Master constraint in section 6.1.2).
Identify any applications which have a high utilisation of a Global Catalog, such as Microsoft Exchange. Discuss how this will impact the placement of Global Catalogs.
Consider availability and disaster recovery requirements when placing Global Catalogs.
Explain the relationship and dependencies between FSMO roles and Global Catalogs and determine whether this is relevant in this design.
In a multiple-domain forest, configure additional domain controllers as Global Catalog servers only when there is a technical reason to do so. Exceptions may be made when a population of travelling users requires high-performance Global Catalog services in sites outside the users' domains.
Keep the number of Global Catalog servers to a minimum to reduce cost, management, and complexity of configuration and maintenance.
The design of the Global Catalog servers must be repeated for every forest.

The Global Catalog is a distributed directory service containing a partial, read-only replica of every object in every domain of the Active Directory forest (the attributes in the partial attribute set). It is used for forest-wide searches (e.g. for printers or users), for locating home servers for mailboxes, and during the logon process to resolve universal group memberships; in a multiple-domain forest a domain controller cannot complete an interactive logon without contacting a Global Catalog unless universal group membership caching is enabled for its site. The catalog is stored on designated Domain Controllers in addition to the full replica of the directory for the controller's own domain.
Correct placement of Global Catalog servers can improve logon performance, and some applications make heavy use of them; one example is Microsoft Exchange Server 2007.




TMR Information: Consider Scalability - In the TMR design, scalability of the forest is important. To reduce the amount of configuration required to add another domain to the forest, it was determined that the domain controller holding the Infrastructure Master role will not be configured as a Global Catalog server (as per the Microsoft guidance in footnote [6]).

TMR Information: Consider logon performance - In order to provide sufficient performance for users, all domain controllers outside the central site will be designated as Global Catalog servers. This also provides redundancy for users' authentication requests at remote sites.

Placeholder for Design decisions and Rationales:

         What sites will have Global Catalog servers?

         Note: Domain controllers designated as standby servers for the Infrastructure Master role will
          not be Global Catalog servers, in order to streamline the process of relocating this role.
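
As an added example serving both section 6.1.2 (FSMO role placement) and this section, and not code from the original design document, the following PowerShell script lists the FSMO role holders for every domain in the forest and checks the placement rules discussed in those sections: Schema Master and Domain Naming Master together on a Global Catalog; the Infrastructure Master not on a Global Catalog in a multi-domain forest unless every DC is a Global Catalog or the Recycle Bin is enabled; every domain controller outside the central site a Global Catalog; and at least one Global Catalog among a domain's DCs in the central site. It assumes the ActiveDirectory module from Windows Server 2008 R2 / RSAT, read access to the forest, and that the central AD site is named 'SHOC' (a placeholder parameter).

```powershell
# Added example: FSMO and Global Catalog placement checks. Not from the original
# design document. Assumes the ActiveDirectory module (Windows Server 2008 R2 /
# RSAT), read access to the forest, and a central AD site name passed as a parameter.
Import-Module ActiveDirectory

function Test-FsmoAndGcPlacement {
    param([string]$CentralSite = 'SHOC')   # placeholder: name of the central AD site

    $forest   = Get-ADForest
    $findings = @()

    # Forest-wide roles: keep them together and on a Global Catalog
    $schema = Get-ADDomainController -Identity $forest.SchemaMaster -Server $forest.RootDomain
    $naming = Get-ADDomainController -Identity $forest.DomainNamingMaster -Server $forest.RootDomain
    if ($schema.HostName -ne $naming.HostName) {
        $findings += "Schema Master ($($schema.HostName)) and Domain Naming Master ($($naming.HostName)) are on different DCs"
    }
    foreach ($dc in @($schema, $naming)) {
        if (-not $dc.IsGlobalCatalog) { $findings += "Forest role holder $($dc.HostName) is not a Global Catalog" }
    }

    $multiDomain = (@($forest.Domains).Count -gt 1)
    $recycleBin  = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $forest.DomainNamingMaster
    $rbEnabled   = (@($recycleBin.EnabledScopes).Count -gt 0)

    $roleTable = @()
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        $im     = Get-ADDomainController -Identity $domain.InfrastructureMaster -Server $domainName

        # IM on a GC only matters in a multi-domain forest where some DCs are not GCs and
        # the Recycle Bin (which retires the IM's phantom maintenance) is not enabled.
        if ($multiDomain -and $im.IsGlobalCatalog -and -not $allGc -and -not $rbEnabled) {
            $findings += "Infrastructure Master $($im.HostName) in $domainName is a Global Catalog while other DCs are not"
        }

        # Site rule from the TMR design: every DC outside the central site is a GC, so remote
        # logons never depend on a WAN link for universal group resolution.
        foreach ($dc in $dcs) {
            if ($dc.Site -ne $CentralSite -and -not $dc.IsGlobalCatalog) {
                $findings += "$($dc.HostName) in site $($dc.Site) is not a Global Catalog"
            }
        }
        # Where the domain has DCs in the central site, at least one of them must be a GC
        $central = @($dcs | Where-Object { $_.Site -eq $CentralSite })
        if ($central.Count -gt 0 -and -not ($central | Where-Object { $_.IsGlobalCatalog })) {
            $findings += "No Global Catalog among the $domainName DCs in central site $CentralSite"
        }

        $roleTable += New-Object PSObject -Property @{
            Domain               = $domainName
            PDCEmulator          = $domain.PDCEmulator
            RIDMaster            = $domain.RIDMaster
            InfrastructureMaster = $domain.InfrastructureMaster
            IMIsGC               = $im.IsGlobalCatalog
        }
    }

    New-Object PSObject -Property @{
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
        DomainRoles        = $roleTable
        Findings           = $findings
    }
}

$result = Test-FsmoAndGcPlacement
$result | Format-List SchemaMaster, DomainNamingMaster
$result.DomainRoles | Format-Table Domain, PDCEmulator, RIDMaster, InfrastructureMaster, IMIsGC -AutoSize
$result.Findings | ForEach-Object { Write-Warning $_ }
```

An empty Findings list means the live forest matches the placement rules in Table 3 and the TMR Global Catalog rule; each warning names the domain controller to move a role from, or to promote to a Global Catalog.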


6.1.5      Organisation Unit Topology
As a general rule it is important to design the OU structure in a two-step process:
First, design the OU structure based on the configuration and management of objects within Active Directory. Think about how the objects are grouped and how the support teams are divided to manage the objects in the enterprise.
Second, evaluate the OU structure based on how group policies will be applied to the various objects and groups in the domain. Consider how to group the objects, and how group policies can be filtered or targeted. The more complicated the filtering or targeting methods incorporated, the more complicated group policy troubleshooting will become.
Describe the selected organisation model and the proposed OU structure. It is recommended to include a diagram to assist in discussing the OU structure.

Within an Active Directory domain, Organisational Units (OUs) are used to store objects such as users, groups, computers and servers. OUs are similar in nature to folders on a file system, in that they form a hierarchy and an object can exist in only one of them.
OUs can be used to delegate administrative rights over a group of objects (by delegating control of an OU to an administrator), and to link Group Policy Objects (containing configuration settings) to the users and computers they contain. Group Policy can also be filtered using security groups or WMI filters, adding a second mechanism to control the scope of a policy. Finally, an OU structure can be utilised by applications, such as System Center Configuration Manager 2007 (SCCM), to manage workstations and distribute patches, applications and more.
Delegation at the OU level is an administrative convenience, not a security boundary: an account delegated control of an OU acquires rights over whatever objects are later placed in it, so administrative accounts, service accounts and domain controllers should be kept in OUs outside the delegated hierarchy, and the delegated rights themselves should be limited to the specific operations (for example password reset or group membership changes) the support team actually needs.
An OU structure is generally defined based on the way in which an organisation will be supported. The flexibility of filtering Group Policy using security groups means that delegation becomes the more significant influence on design. Organisations with de-centralised support models may be structured around a geographic model, with OUs representing areas such as states. Organisations with differing application requirements for each business unit, but a single centralised support group, may structure their OUs around their organisation chart.


[6] For further information refer to Microsoft Support: "FSMO placement and optimization on Active Directory domain controllers" and "Phantoms, tombstones and the infrastructure master"

In many cases, a hybrid model is required to meet the needs of both administrative delegation and policy application.[7]
The following illustration supports the design decisions in the remainder of this section.

                       <Insert Queensland Government agency specific diagram here>
                                    Figure 6-2 - High Level Organisation Unit Structure

TMR Information: Carefully consider the OU Model - TMR's hybrid (geographic-resource) OU model will align with the envisioned Transport and Main Roads administrative delegation model. This OU model provides benefits to Transport and Main Roads because they have functional groups whose users are spread across multiple locations, and because their geographic boundaries also represent the breakdown of the User Services teams. The hybrid model also provides a facility to manage resources of a given type together, such as servers by service, groups, workstations/laptops, printers, etc.

Other Queensland Government agencies may need to consider wholly owned subsidiaries and separate company models sharing common AD infrastructure. This is known to exist in a number of departments. This information must be identified during the requirements gathering process, as it will affect the OU model and structure that suits the business.

TMR Information: Consider how objects are grouped together - It is important to consider how the users, workstations and groups are currently managed in the environment and ensure that the new model and structure aligns with this.

TMR Information: Consider the Standard Desktop Environment (SDE) - Group policies will be applied to the OU structure to control user and workstation configurations. Reassess the defined structure to ensure that the SDE can be managed appropriately.

TMR Information: Consider how security groups or WMI queries can be used to filter application of group policies in the enterprise. Both add troubleshooting cost that a direct OU link does not: a WMI filter is evaluated on the client at every policy refresh, and group filtering depends on the logon token, so a membership change takes effect only at the next logon.

Placeholder for Design decisions and Rationales:

        How are the Active Directory objects grouped together?
        What OU Model was selected?
        How will the OU be structured?
        What are the top level OUs?
        What are the second level OUs?
        How will group policies be applied to the domain and will this affect the OU Structure?
        Where will servers be placed? Can they be managed by server role?
        Where will the administrator accounts be placed, how will group policy apply?
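
As an added example, not from the original design document, the following PowerShell script builds a small hybrid (geographic-resource) OU structure of the kind described above and delegates only password reset and account unlock on one region's user OU to that region's support group, keeping servers and administrative accounts outside the delegated hierarchy. All OU, region and group names are placeholders; the script assumes the ActiveDirectory module from Windows Server 2008 R2 / RSAT and an account permitted to create OUs and modify their ACLs.

```powershell
# Added example: hybrid OU structure plus least-privilege helpdesk delegation.
# Not from the original design document; OU, region and group names are
# placeholders. Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT).
Import-Module ActiveDirectory

# Well-known schema GUIDs used in the delegation ACEs
$UserClassGuid     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # objectClass "user"
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$LockoutTimeGuid   = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime attribute (unlock)

function New-OuIfMissing {
    param([string]$Name, [string]$ParentDn)
    $dn = "OU=$Name,$ParentDn"
    try {
        Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop | Out-Null
    } catch {
        # Protect from accidental deletion so a mis-click cannot remove a whole region
        New-ADOrganizationalUnit -Name $Name -Path $ParentDn -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return $dn
}

function New-HybridOuStructure {
    param(
        [string]$DomainDn,
        [string]$RootOu      = 'Agency',                               # placeholder top-level OU
        [string[]]$Regions   = @('Brisbane', 'Cairns', 'Townsville'),  # placeholder geography
        [string[]]$Resources = @('Users', 'Workstations', 'Groups')    # per-region resource OUs
    )
    $rootDn = New-OuIfMissing -Name $RootOu -ParentDn $DomainDn
    foreach ($region in $Regions) {
        $regionDn = New-OuIfMissing -Name $region -ParentDn $rootDn
        foreach ($res in $Resources) { New-OuIfMissing -Name $res -ParentDn $regionDn | Out-Null }
    }
    # Servers are managed by role rather than by region, and admin accounts are kept out
    # of the user OUs so that user GPOs and user delegations never reach them.
    $serversDn = New-OuIfMissing -Name 'Servers' -ParentDn $rootDn
    foreach ($role in @('File', 'Application', 'Database')) {
        New-OuIfMissing -Name $role -ParentDn $serversDn | Out-Null
    }
    New-OuIfMissing -Name 'Admin Accounts' -ParentDn $rootDn | Out-Null
    return $rootDn
}

function Grant-HelpdeskDelegation {
    param([string]$OuDn, [string]$GroupSamAccountName)
    $sid     = (Get-ADGroup -Identity $GroupSamAccountName).SID
    $acl     = Get-Acl -Path "AD:\$OuDn"
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    # "Reset Password" control access right on user objects beneath this OU only
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
        $ResetPasswordGuid, $inherit, $UserClassGuid)))
    # Unlock = write permission on the lockoutTime attribute of user objects
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow,
        $LockoutTimeGuid, $inherit, $UserClassGuid)))
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

$domainDn = (Get-ADDomain).DistinguishedName
$rootDn   = New-HybridOuStructure -DomainDn $domainDn
# The Cairns desk may reset and unlock Cairns users, and nothing else.
Grant-HelpdeskDelegation -OuDn "OU=Users,OU=Cairns,$rootDn" -GroupSamAccountName 'Helpdesk-Cairns'
```

The two ACEs are scoped to descendant user objects, so the same group gains nothing over the Groups or Workstations OUs of the region, and nothing at all over the Servers and Admin Accounts OUs that sit beside the regions rather than under them.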




[7] For further information on OU models refer to Microsoft TechNet Magazine: http://technet.microsoft.com/en-us/magazine/2008.05.oudesign.aspx?pr=blog

6.1.6      Sites and Replication

6.1.6.1 Site Categorisation
To facilitate the design process, sites have been categorised into logical groups, or "tiers". These tiers have been defined based on the current understanding of infrastructure needs and requirements, including availability requirements, consolidation objectives, and operating cost/effort requirements.

Provide a summary of how physical sites will be tiered in this design. This is often based on a number of factors, including but not limited to:

         Site availability.
         Number of users vs. WAN capacity.
         Cost of deploying extra servers.
         Application requirements.
         Backup and support facilities.

Describe the difference between each site tier and how this affects authentication/logon and AD replication between different sites.
Explain the rules you have used to determine the site tiering by using tables similar to the following.

                     Tier          No. of Workstations          Network Links
                     1
                     2
                     3
                     4
                                                   Table 4 – Site Tiering Rules

                                             Tier          Number of logical Sites
                                             1
                                             2
                                             3
                                             4
                                     Table 5 - Estimated Number of logical sites per tier

Provide some real examples of sites that have been classified into each tier, and why they have been classified in that way.

Using these classifications, server placement for various services can be planned and high-level estimates of server numbers can be obtained for planning purposes. These site categories are a guide only; each site will need to be assessed for suitability, and exceptions will be made due to various factors (e.g. network utilisation, high latency, criticality of site, type of network activity, etc).



When planning the placement of infrastructure services, the following criteria must be taken into consideration:

          Availability requirements – can the site provide the necessary facilities to support a service's needs?
          Number of users vs. WAN connectivity – is there enough bandwidth to meet the needs of users?
          Cost of deploying extra servers – the intent is to minimise the number of sites with servers in them.
          Application requirements – is there an application in use (client- or server-based) at a site that requires specific infrastructure (such as heavy use of the Global Catalog)?
          Backup and recovery facilities – there are minimal IT support staff on-site at lower tier sites.

The guiding design principles will assist in making decisions regarding the site topology and placement of domain controllers. An example is "Capitalise on investments made in network infrastructure", under which the server placement decisions throughout the design attempt to centralise infrastructure wherever possible.

Below are some high level observations about the characteristics of sites within Department ABC, as well as approximations of the number of sites of each type:

Summarise this section with a list of the various site tiers and the distinctions that have been made during the categorisation process.

Given the high speed connections and resiliency of the network and the close proximity of the central sites, it is recommended that these sites be combined into a single logical site[8] (i.e. the majority of their infrastructure servers will be located at the central data centre).
1 site (Head Office) has more than 1500 users and will require many infrastructure servers.
1 site (Redundant Site) will provide site redundancy for Active Directory services and will require many infrastructure servers.
## sites have 100 – 500 users (will require some infrastructure servers).
## sites have 6 – 99 users (may not require infrastructure servers).
## sites have 5 or fewer users (no infrastructure servers).




[8] For further information refer to: Overview of Active Directory Sites and Services

TMR Information: Consider how fast WANs will affect the Site Topology - The majority of
Domain Controllers will be located at the SHOC data centre. To ensure that clients in the other high-
speed Brisbane CBD network locations use these Domain Controllers, they will be configured to be
part of the central AD site.

TMR Information: Consider how physical sites without infrastructure will be treated - Sites
without domain controllers still need to be members of a defined AD site in order to locate services
(such as authentication, DFS replicas, etc). By placing them into the SHOC AD site, they will
consistently use the servers located in the central site.

TMR Information: Consider how physical sites with infrastructure will be treated - Any site
with domain controllers will be configured as an AD site of its own. This will ensure that
workstations will be directed to a local domain controller rather than traversing and relying on the
resiliency of WAN links.


6.1.6.1.1 Domain Controller Placement Guidelines
The following information provides some insight into the future design decisions and domain controller placement activities. The overall goal of domain controller placement for ABC is to eliminate unnecessary domain controllers from remote locations, as this reduces the support costs required to maintain a remote infrastructure and reduces the number of locations in which a copy of the directory (and, for a writeable domain controller, of every account's credentials) must be physically protected.
There are many variables to consider when evaluating whether a location requires its clients to have local authentication or whether they can rely on the WAN link for authentication and queries.
The following flow diagram, created with reference to best practice and Microsoft TechNet[9], shows the decision-making process for determining whether a domain controller is necessary at a location and, if so, the type of domain controller to deploy.
        (Figure 6-3 rendered as a decision sequence)

        1. Is the risk of a WAN outage great enough to warrant a local domain controller?
           Yes: go to step 3.
           No: go to step 2.
        2. Is the performance of applications and user logon over the WAN acceptable?
           Yes: do not place a domain controller at the location.
           No: go to step 3.
        3. Is there a directory-enabled application (such as Business Directory or White Pages) that
           requires a writeable domain controller?
           No: place an RODC at the location.
           Yes: go to step 4.
        4. Can the domain controller be physically secured?
           Yes: go to step 5.
           No: resolve this situation by doing one or more of the following: relocate or remove the
           application that requires reliable access to a writeable DC; provide physical security;
           upgrade the WAN reliability and/or performance.
        5. Can the remote branch domain controller be administered remotely, or is there sufficient
           IT knowledge locally?
           Yes: place a writeable domain controller at the location.
           No: resolve this situation by doing one or more of the following: relocate or remove the
           application that requires reliable access to a writeable DC; provide sufficient IT
           experience at the location.

                                                  Figure 6-3 - Domain Controller Placement Decisions

The diagram clearly highlights noteworthy characteristics of a physical site that can affect the
decisions to place a domain controller and the type of domain controller to be placed.
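
As an added example, not from the original design document, the following PowerShell script encodes the decision flow of Figure 6-3 together with the indicative site tiering thresholds of section 6.1.6.1, so the same rules can be applied consistently and repeatably to a site inventory rather than site by site in a meeting. The site inventory in the script is constructed for illustration; real input would come from the agency's network and site records.

```powershell
# Added example: Figure 6-3 decision flow and section 6.1.6.1 tiering thresholds
# as functions over a site inventory. Not from the original design document.
# The $sites inventory below is constructed for illustration only.

function Get-SiteTier {
    param([int]$Users, [switch]$HeadOffice, [switch]$RedundantSite)
    # Tier 1: head office / redundant site (many infrastructure servers)
    # Tier 2: 100-500 users (some servers); Tier 3: 6-99 (may need none); Tier 4: 5 or fewer (none)
    if ($HeadOffice -or $RedundantSite -or $Users -gt 1500) { return 1 }
    if ($Users -ge 100) { return 2 }
    if ($Users -ge 6)   { return 3 }
    return 4
}

function Get-DcPlacementDecision {
    param(
        [bool]$WanOutageRiskHigh,      # risk of a WAN outage great enough to warrant a local DC?
        [bool]$WanPerformanceOk,       # application and logon performance over the WAN acceptable?
        [bool]$AppNeedsWritableDc,     # directory-enabled application that requires a writeable DC?
        [bool]$PhysicallySecure,       # can the DC be physically secured at the site?
        [bool]$RemotelyAdministrable   # remote administration possible, or sufficient local IT skills?
    )
    # Steps 1-2: no local DC when the WAN is both reliable enough and fast enough
    if (-not $WanOutageRiskHigh -and $WanPerformanceOk) { return 'No domain controller' }
    # Step 3: a local DC is warranted; without a writeable requirement the RODC is preferred,
    # since a stolen RODC exposes only the credentials its PRP allowed to be cached.
    if (-not $AppNeedsWritableDc) { return 'RODC' }
    # Step 4: a writeable DC holds every account's secrets, so it needs physical security
    if (-not $PhysicallySecure) {
        return 'Resolve first: relocate/remove the writeable-DC application, provide physical security, or upgrade the WAN'
    }
    # Step 5: and someone able to operate it
    if (-not $RemotelyAdministrable) {
        return 'Resolve first: relocate/remove the writeable-DC application, or provide IT experience at the location'
    }
    return 'Writeable domain controller'
}

# Constructed inventory (illustrative values, not agency data)
$sites = @(
    @{ Name='Head Office'; Users=1800; HeadOffice=$true;  OutageRisk=$true;  PerfOk=$true;  WritableApp=$true;  Secure=$true;  Admin=$true  },
    @{ Name='Regional A';  Users=240;  HeadOffice=$false; OutageRisk=$true;  PerfOk=$false; WritableApp=$false; Secure=$false; Admin=$false },
    @{ Name='Depot B';     Users=40;   HeadOffice=$false; OutageRisk=$false; PerfOk=$true;  WritableApp=$false; Secure=$false; Admin=$false },
    @{ Name='Works C';     Users=120;  HeadOffice=$false; OutageRisk=$true;  PerfOk=$false; WritableApp=$true;  Secure=$false; Admin=$true  }
)

$sites | ForEach-Object {
    New-Object PSObject -Property @{
        Site     = $_.Name
        Users    = $_.Users
        Tier     = Get-SiteTier -Users $_.Users -HeadOffice:($_.HeadOffice)
        Decision = Get-DcPlacementDecision -WanOutageRiskHigh $_.OutageRisk -WanPerformanceOk $_.PerfOk `
                       -AppNeedsWritableDc $_.WritableApp -PhysicallySecure $_.Secure `
                       -RemotelyAdministrable $_.Admin
    }
} | Format-Table Site, Users, Tier, Decision -AutoSize -Wrap
```

With the constructed inventory, Regional A is a Tier 2 site that receives an RODC, Depot B is a Tier 3 site that gets no domain controller, and Works C is a Tier 2 site whose writeable requirement is blocked until the physical security question is resolved; the tier and the placement decision are deliberately separate outputs, because the tier drives how many servers a site is budgeted for while the decision drives whether any of them may hold a writeable copy of the directory.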



[9] For further information on the placement of domain controllers refer to: Planning Regional Domain Controller Placement

One characteristic that is important to understand about the environment is the resilience and
performance of the site's WAN links, as this determines whether the links are capable of supporting
users at a physical site where there is no domain controller.
The presence of directory-enabled applications at the physical site (applications which read from or
write to a directory service at a high frequency) will in most cases require a local domain controller to
ensure acceptable application performance. The type of domain controller will depend on the type of
access the locally hosted application needs (writeable or read-only access to the directory).
Local physical site security will also need to be assessed, as it is important to ensure that domain
controllers are placed in a secure location.

Most Government agencies have strict infrastructure placement policies which must be adhered to. To
be in line with QGCIO policies the domain controller will need to be categorised so that the appropriate
policy can be applied.

If a domain controller is stolen or physically compromised, it contains information about all user
accounts in the domain. If a site is deemed insecure it may not be a suitable place to deploy a domain
controller, and other measures will need to be taken.
Finally, the capability of local support groups can impact the placement of a domain controller. If it is
determined that there is a lack of skills on site to support the local domain controller, the placement
needs to be reconsidered, or otherwise sufficient training should be given to the on-site support teams.
The final decision on whether sites will require a domain controller, and on the type of domain
controller, will rest with the detailed design project stream.
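To make the site assessment repeatable, the following is an added Python example (not part of this template and not an agency or Microsoft tool) that encodes the placement factors described above as a decision function. The mapping from factors to outcomes is an assumption drawn from the text and the outcomes shown in Figure 6-3; the field names and the sample sites are constructed.

```python
"""Domain controller placement helper (added example, not part of the template).

Turns the placement factors described above (WAN resilience, directory-enabled
applications, physical security, on-site skills) into a repeatable decision so
that every site survey is assessed the same way.  The factor-to-outcome mapping
is an assumption drawn from the text and from Figure 6-3, not a published rule set.
"""
from dataclasses import dataclass


@dataclass
class SiteSurvey:
    name: str
    wan_supports_remote_logon: bool  # link is resilient and fast enough to authenticate at another site
    directory_app_present: bool      # a directory-enabled application runs at the site
    app_needs_writeable_dc: bool     # that application must write to the directory
    physically_secure: bool          # location meets the agency's DC placement policy
    onsite_support_skills: bool      # local team can support a domain controller


def recommend_dc(site: SiteSurvey) -> tuple[str, list[str]]:
    """Return (recommendation, actions_required).

    recommendation is one of 'no-dc', 'rodc', 'writeable-dc' or 'resolve'.
    'resolve' means a writeable DC is needed but the site cannot host one
    safely; actions_required lists what must change first (per Figure 6-3).
    """
    needs_local_dc = site.directory_app_present or not site.wan_supports_remote_logon
    if not needs_local_dc:
        return "no-dc", []

    if site.app_needs_writeable_dc:
        if site.physically_secure and site.onsite_support_skills:
            return "writeable-dc", []
        # A writeable DC holds every account's secrets, so an insecure or
        # unsupported site must change before one is placed there.
        actions = ["relocate or remove the application that requires a writeable DC"]
        if not site.physically_secure:
            actions += ["provide physical security at the location",
                        "upgrade the WAN reliability and/or performance"]
        if not site.onsite_support_skills:
            actions.append("provide sufficient IT experience at the location")
        return "resolve", actions

    # Read-only access is enough: an RODC limits what a stolen server exposes
    # and needs less local expertise, so it covers the remaining cases.
    return "rodc", []


def assess(sites: list[SiteSurvey]) -> dict[str, tuple[str, list[str]]]:
    """Assess a list of surveys; the result is keyed by site name."""
    return {s.name: recommend_dc(s) for s in sites}


if __name__ == "__main__":
    # constructed sample surveys
    sample = [
        SiteSurvey("Hub", True, False, False, True, True),
        SiteSurvey("Depot", False, False, False, False, False),
        SiteSurvey("Region", True, True, True, True, True),
        SiteSurvey("Remote", True, True, True, False, True),
    ]
    for name, (decision, actions) in assess(sample).items():
        print(f"{name:8} {decision:13} {'; '.join(actions)}")
```

The function only orders the factors the section already names; the thresholds behind each boolean (what counts as a resilient link, a secure room, adequate skills) remain detailed-design decisions.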


6.1.6.2 Active Directory Site Topology
Describe the logical boundaries between sites and the functional reasoning for placing a site.

Active Directory sites provide logical boundaries for locating directory services. They provide a
workstation with a mechanism to find the closest Active Directory service, such as a Distributed File
System (DFS) replica or the nearest domain controller for authentication. As such, they play a key
role in logon performance. A site is defined as one TCP/IP subnet or a collection of TCP/IP subnets.

Placeholder for Design decisions and Rationales:
- What rules have been created to determine the site tiers?
- Will there be server-less sites, and how will users authenticate?
- What are the expected site replication partners?


                       <Insert Queensland Government agency specific diagram here>
                                             Figure 6-4 - Site Topology Design





                                    Tier-1        Tier-2        Tier-3        Tier-4++
 Example Logical Sites            |             |             |             |
 Active Workstations              |             |             |             |
 Network Link                     |             |             |             |
 Site Primary Replication Partner |             |             |             |
 Infrastructure Required          |             |             |             |

                                               Table 6 - Site Tier Breakdown


6.1.6.2.1 Cost and WAN Link Speeds
Provide a summary of the information that will need to be used to calculate cost and site links in the
detailed design.

For the logical site topology design, site links will be defined using accurate bandwidth values that
have been acquired through a detailed assessment of the network site architecture. Effective
bandwidth, which accounts for capacity and utilisation data, will be used to define the site link costs
during the Detailed Site Topology design.


6.1.6.3 Active Directory Site Links
Describe the parameters of a site link, and list any key considerations, specific to the Queensland
Government agency, that need to be factored into the design.

Site links are used to model the amount of available bandwidth between two sites. As a general rule,
any two networks connected by a link that is slower than LAN speed are considered to be connected by
a site link. A fast link that is near capacity has a low effective bandwidth, and can also be considered a
site link. Site links have four parameters:

- Cost - The cost value of a site link helps the replication system determine when to use the link
  when compared to other links. Cost values determine the paths that replication will take
  through the network.
- Replication schedule - A site link has an associated schedule that indicates at what times of
  day the link is available to carry replication traffic.
- Replication interval - The replication interval indicates how often the system polls domain
  controllers on the other side of the site link for replication changes.



- Transport - The transport that is used for replication.


This diagram shows the logical site topology for Department ABC's Active Directory replication.
Given the number of slow links to remote locations, sites will be defined within AD Sites and Services
to optimise and schedule AD replication. The site topology is based on a multi-tiered architecture
which reflects the overall WAN infrastructure shown in previous sections.

                       <Insert Queensland Government agency specific diagram here>
                                         Figure 6-5 - Logical Site Replication Topology


6.1.6.4 Active Directory Replication
Describe Active Directory replication and provide insight to the detailed design decisions.

With Windows Server 2008 Active Directory, intra-site replication can occur on a change notification
basis (by default, every 15 seconds) between domain controllers in each site.
Inter-site replication occurs on a scheduled basis (the default interval is every 180 minutes); this can
be changed depending on network bandwidth and availability. Detailed replication schedules will be
determined in detailed design.
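To show how the effective bandwidth of 6.1.6.2.1, the site link cost of 6.1.6.3 and the replication interval above fit together, here is an added Python example (not part of this template). It applies the commonly cited Microsoft guideline cost = 1024 / log10(effective bandwidth in Kbps) to capacity less utilisation, finds the lowest-cost path between two sites (the route the inter-site topology prefers), and sums the per-link replication intervals along that path as a worst-case convergence estimate; schedule windows are ignored. The site names, link speeds, utilisation figures and intervals are constructed sample data.

```python
"""Site link cost and replication path model (added example, not part of the template).

Derives site link costs from effective bandwidth with the guideline formula
cost = 1024 / log10(effective Kbps), then runs a lowest-cost path search over
the site links and sums the replication intervals on that path as a worst-case
convergence time.  Site names and link figures are constructed sample data.
"""
import heapq
import math


def effective_bandwidth_kbps(capacity_kbps: float, utilisation: float) -> float:
    """Bandwidth left for replication once existing utilisation (0.0-1.0) is removed."""
    if not 0.0 <= utilisation < 1.0:
        raise ValueError("utilisation must be in the range [0, 1)")
    return capacity_kbps * (1.0 - utilisation)


def site_link_cost(effective_kbps: float) -> int:
    """Guideline cost; only meaningful above 10 Kbps (log10 would be <= 1)."""
    if effective_kbps <= 10:
        raise ValueError("effective bandwidth must exceed 10 Kbps")
    return round(1024 / math.log10(effective_kbps))


# constructed sample: (site_a, site_b, capacity_kbps, utilisation, replication_interval_min)
SAMPLE_LINKS = [
    ("Brisbane", "Rockhampton", 2048, 0.50, 180),
    ("Brisbane", "Mackay", 512, 0.20, 180),
    ("Rockhampton", "Mackay", 256, 0.00, 180),
    ("Mackay", "Cairns", 128, 0.00, 60),
]


def build_graph(links):
    """Undirected adjacency list: site -> [(neighbour, cost, interval_min)]."""
    graph: dict[str, list[tuple[str, int, int]]] = {}
    for a, b, capacity, utilisation, interval in links:
        cost = site_link_cost(effective_bandwidth_kbps(capacity, utilisation))
        graph.setdefault(a, []).append((b, cost, interval))
        graph.setdefault(b, []).append((a, cost, interval))
    return graph


def replication_path(links, src: str, dst: str):
    """Dijkstra over link costs. Returns (path, total_cost, worst_case_latency_min);
    path is None when the sites are not connected by any chain of site links."""
    graph = build_graph(links)
    best_cost = {src: 0}
    heap = [(0, 0, src, [src])]
    while heap:
        cost, latency, node, path = heapq.heappop(heap)
        if node == dst:
            return path, cost, latency
        if cost > best_cost.get(node, math.inf):
            continue  # stale heap entry
        for nxt, link_cost, interval in graph.get(node, []):
            new_cost = cost + link_cost
            if new_cost < best_cost.get(nxt, math.inf):
                best_cost[nxt] = new_cost
                # each hop waits at most one replication interval in the worst case
                heapq.heappush(heap, (new_cost, latency + interval, nxt, path + [nxt]))
    return None, math.inf, math.inf


if __name__ == "__main__":
    for _, _, cap, util, _ in SAMPLE_LINKS:
        eff = effective_bandwidth_kbps(cap, util)
        print(f"{cap:5} Kbps at {util:.0%} utilisation -> {eff:7.1f} Kbps, cost {site_link_cost(eff)}")
    print(replication_path(SAMPLE_LINKS, "Brisbane", "Cairns"))
```

In the sample data the cheaper route from Brisbane to Cairns runs through Mackay rather than through Rockhampton, even though the Rockhampton link has the higher raw capacity, because utilisation is taken off before the cost is computed.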


6.1.7      Group Policy
The group policy section will describe the various group policies that are to be applied to the domain.
This section can include a breakdown of the following policies:

- Domain
- Domain Controller
- Server
- Computer
- User

Briefly describe the typical default settings of the policy and identify important settings which are
expected to be changed.

The objective of this section is to provide a Group Policy strategy for replicating the existing
Department ABC configuration and security policies being applied through Novell. These group
policy settings will likely be phased into the environment over time.


6.1.7.1 AD Domain Policy
These policies are used to create a standard domain level security configuration for all user accounts
within the domain. The implementation of Active Directory includes the configuration of the domain
level group policies. These policies affect all user objects stored within the domain. The following
settings are a sample list of policy settings that can be used in the default Domain Policy.

- Account Policies – Password Policy.
- Account Policies – Account Lockout Policy.
- Account Policies – Kerberos Policy.


- Local Policies – Audit Policy.
- Local Policies – Security Options.

All security settings applied within the domain will support the development and the inclusion of
existing Department ABC Security Standards. The only exception to these policies may be service
accounts placed within the designated OUs. The nature of service accounts often requires these
accounts to function outside of the restrictions imposed by the domain policy. If absolutely necessary,
the designated OUs will be configured to block the inheritance of the domain policy.
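One way to verify that the domain level settings listed above actually match the agreed standard is to export them and compare them to a baseline. The following is an added Python example (not part of this template and not a Department ABC tool) that parses the INF file written by `secedit /export /cfg <file>` (the Windows security template format in which the Account, Kerberos and Audit policies appear) and reports every value outside the baseline. The sample export is constructed, with values chosen to produce findings, and the baseline thresholds are assumptions for illustration rather than Department ABC security standards.

```python
"""Domain policy baseline check (added example, not part of the template).

Parses a `secedit /export` INF and compares selected Account, Kerberos and
Audit policy values against an assumed baseline.  The sample export and the
thresholds are constructed for illustration.
"""
import configparser

# Constructed sample of a secedit export (real files are UTF-16LE; decode
# before passing the text in).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 3
AuditAccountManage = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Assumed baseline: (section, key) -> (comparison, required value).
# Audit values: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
BASELINE = {
    ("System Access", "MinimumPasswordLength"): (">=", 14),
    ("System Access", "PasswordHistorySize"): (">=", 24),
    ("System Access", "PasswordComplexity"): ("==", 1),
    ("System Access", "ClearTextPassword"): ("==", 0),
    ("System Access", "LockoutBadCount"): ("between", (1, 10)),  # 0 disables lockout
    ("Kerberos Policy", "MaxClockSkew"): ("<=", 5),
    ("Event Audit", "AuditLogonEvents"): ("==", 3),
    ("Event Audit", "AuditAccountManage"): ("==", 3),
}

COMPARE = {
    ">=": lambda have, want: have >= want,
    "<=": lambda have, want: have <= want,
    "==": lambda have, want: have == want,
    "between": lambda have, want: want[0] <= have <= want[1],
}


def parse_secedit(text: str) -> configparser.ConfigParser:
    """Parse the INF; keys keep their exported case and '$' in values is literal."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_policy(text: str, baseline=BASELINE) -> list[str]:
    """Return one finding per baseline item the export fails (empty list = compliant)."""
    cp = parse_secedit(text)
    findings = []
    for (section, key), (op, want) in baseline.items():
        if not cp.has_option(section, key):
            findings.append(f"{section}/{key}: not present in export")
            continue
        have = int(cp.get(section, key))
        if not COMPARE[op](have, want):
            findings.append(f"{section}/{key} = {have}, baseline requires {op} {want}")
    return findings


if __name__ == "__main__":
    for finding in check_policy(SAMPLE_EXPORT):
        print(finding)
```

A missing key is reported as a finding rather than skipped, because secedit omits the lockout duration keys entirely when lockout is disabled, and silence in the export should not read as compliance.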

Placeholder for Design decisions and Rationales:

- Will the default policies be changed, or new ones created?


6.1.7.2 Domain Controller Security Policies
In most cases the default Windows Server 2008 security policies are effective in securing domains and
domain controllers against various types of threats. In addition to security policies, Active Directory
data is protected by default auditing settings on key directory objects.

Placeholder for Design decisions and Rationales:

- Will the default policies be changed, or new ones created?


6.1.7.3 Server Policy
A GPO can be applied to the Server OU within the domain. Server GPOs will be used to address the
security configuration of servers that are not domain controllers.

Placeholder for Design decisions and Rationales:

- Are User configuration settings required?

TMR Information: Optimise the performance of group policy application - There should be no
relevant User Configuration settings for a Server Policy; disabling that section of the GPO eliminates
its redundant processing.


6.1.7.4 Computers Policy
As for the Server Policy, disabling the unused User Configuration section of the GPO eliminates its
redundant processing. The following are settings typical in an enterprise AD environment:

- Event log settings to ensure the appropriate level of auditing is occurring, together with
  configuration of the specific events to audit, such as account logon events, account management
  events and system events.
- A standard Windows installation file location and service pack installation path, ensuring that a
  central location for OS updates is utilised.
- Disabling the Remote Assistance feature.
- Preventing locally installed shared printers from being published in the directory.
- Utilisation of "Restricted Groups" to ease the updating of workstation local group membership.

Explain this as a real world example:

Some Department ABC sites, such as Rockhampton, Mackay, Cairns and the Metropolitan Sites, enforce
specific power saving policies for all users in those locations. To enforce this policy, Department ABC
AD administrators can configure a computer policy and apply it to the Regional Sites child-level
Users OU. Additionally, they can enhance the Group Policy by using Group Policy Preferences, which
offer more advanced targeting techniques.

Placeholder for Design decisions and Rationales:

- Are User configuration settings required?

TMR Information: Optimise the performance of group policy application - There should be no
relevant User Configuration settings for a Computer Policy; disabling that section of the GPO
eliminates its redundant processing.


6.1.7.5 User Policy
Numerous settings are available to enforce user policies. It will be necessary for Department ABC to
conduct further analysis to determine the appropriate settings for Department ABC users. The
following are common settings for user policies often found in an enterprise AD environment:

- The Hardware tab is unavailable (users cannot use the Hardware tab to view or change the device
  list or device properties).
- Users do not have access to the Security tab in Windows Explorer.
- Users are limited to the permitted MMC snap-ins and snap-in extensions.
- All links to Windows Update are removed.
- Screen saver password protection is enabled and configured for 10 minutes.
- Users are prohibited from changing the TCP/IP configuration.
- Users are prompted for a password when resuming from hibernate/suspend.

Explain this as a real world example:
Some Department ABC sites, such as Rockhampton, Mackay, Cairns and the Metropolitan Sites, enforce
specific screensaver password policies for all users in those locations. To enforce this policy,
Department ABC AD administrators can configure a user policy and apply it to the Regional Sites
child-level Users OU. Additionally, they can enhance the Group Policy by using Group Policy
Preferences, which offer more advanced targeting techniques.

Placeholder for Design decisions and Rationales:

- Are Computer configuration settings required?

TMR Information: Optimise the performance of group policy application - There should be no
relevant Computer Configuration settings for a User Policy; disabling that section of the GPO
eliminates its redundant processing.




6.1.8      Active Directory Naming Conventions
This section details the various naming conventions that are used when building and configuring
Active Directory. It is important to adopt existing naming conventions where possible, or update an
existing naming convention rather than creating a separate convention just for Active Directory.


6.1.8.1 Servers and Workstations
Insert server & workstation naming standards.

6.1.8.2 Domain Accounts
Insert domain account naming standards.


6.1.8.3 Groups
Insert group naming convention.


6.1.8.4 Organisational Units
Describe the OU naming convention.
The Organisational Unit structure and naming convention should be descriptive enough to understand
what the OU is used for. If you intend to use scripting or automation to manage administrative
processes, do not use spaces in the OU name.

As Organisational Units are used to provide a structure for delegating administration of objects within a
domain, they will be assigned names related to the objects stored within them.
There is no complex naming convention for OUs; they simply need to be named without spaces in
order to facilitate scripting and automation, e.g. SoftwareDistribution.


6.1.8.5 Group Policy Objects
The example text below provides a good general approach to group policy naming. However, evaluate
its applicability against the environment and the requirements.

Group policy object naming will be implemented for any administrator created policy, excluding in-
built Default Domain and Default Domain Controller policies. The name will consist of three main
components, type, description and version.

Object        Possible Values    Description
Segment 1     CO, UO, CU         Denotes the policy object type:
                                 CO – Computer Policy Only
                                 UO – User Policy Only
                                 CU – Computer and User Policy
Segment 2     Free form          Description of the Group Policy object
Segment 3     001 – 999          Version number of the policy

                                           Table 7 - Group policy object naming



         Note: Each segment of the object name is to be separated by a dash ("-"),
         e.g. CO-DefaultUserSettings-001.


6.1.8.6 Sites
Most organisations have a physical site naming convention. Determine whether this existing
convention can be leveraged for the naming of AD sites.
In most cases the AD site design is the mapping of the physical network to the logical site construct
within Active Directory.

Microsoft recommends using valid DNS names when you create a new site name. Otherwise, the site
will be available only where a Microsoft DNS server is used.
DNS host names can contain only alphabetical characters (A-Z), numeric characters (0-9), the minus
sign (-), and the period (.). Period characters are allowed only when they are used to delimit the
components of domain style names. In the Windows 2000 and 2003 domain name system (DNS) and in
the Microsoft Windows Server 2008 DNS, the use of Unicode characters is supported. Other
implementations of DNS do not support Unicode characters. Avoid Unicode characters if queries will
be passed to servers that use non-Microsoft implementations of DNS.
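The naming rules in 6.1.8.4 (no spaces in OU names), 6.1.8.5 (TYPE-Description-NNN from Table 7, with the built-in default policies excluded) and 6.1.8.6 (DNS host name characters for site names) are easy to check mechanically before objects are created. The following is an added Python example (not part of this template) that does so in one place. It also applies the TMR note from 6.1.7.3 and 6.1.7.4: a CO policy should carry its User Configuration section disabled and a UO policy its Computer Configuration section. The status values used are the names the Get-GPO cmdlet reports for GpoStatus; the 63-character label and 255-character name limits are the standard DNS limits rather than rules from this document; the sample names are constructed.

```python
"""Naming convention checks for OUs, GPOs and sites (added example, not part of the template).

OU names: no spaces.  GPO names: TYPE-Description-NNN per Table 7, built-in
defaults exempt, and the unused configuration section disabled.  Site names:
DNS host name rules.  Status names are those reported by Get-GPO; the DNS
label limits are the standard ones; sample names are constructed.
"""
import re

GPO_NAME = re.compile(r"^(?P<type>CO|UO|CU)-(?P<desc>[^-]+)-(?P<ver>\d{3})$")
BUILTIN_GPOS = {"Default Domain Policy", "Default Domain Controllers Policy"}
EXPECTED_STATUS = {          # GpoStatus a correctly scoped policy should carry
    "CO": "UserSettingsDisabled",
    "UO": "ComputerSettingsDisabled",
    "CU": "AllSettingsEnabled",
}
# one DNS label: letters, digits, hyphen; no leading/trailing hyphen; 1-63 chars
DNS_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_ou_name(name: str) -> list[str]:
    """Descriptive OU names without spaces, so scripts need no quoting."""
    problems = []
    if not name.strip():
        problems.append("OU name is empty")
    if " " in name:
        problems.append(f"OU '{name}': contains spaces, which complicates scripting")
    return problems


def validate_gpo(name: str, gpo_status: str) -> list[str]:
    """Check the Table 7 format and that the unused section is disabled."""
    if name in BUILTIN_GPOS:
        return []                      # the built-in policies are outside the convention
    m = GPO_NAME.match(name)
    if not m:
        return [f"GPO '{name}': does not match TYPE-Description-NNN (TYPE in CO, UO, CU)"]
    problems = []
    if m.group("ver") == "000":
        problems.append(f"GPO '{name}': version must be 001-999")
    expected = EXPECTED_STATUS[m.group("type")]
    if gpo_status != expected:
        problems.append(f"GPO '{name}': status is {gpo_status}, expected {expected} "
                        f"so the unused section is not processed")
    return problems


def validate_site_name(name: str) -> list[str]:
    """Letters, digits and '-' only; '.' only as a label delimiter; DNS length limits."""
    if len(name) > 255:
        return ["site name longer than 255 characters"]
    problems = []
    for label in name.split("."):
        if not DNS_LABEL.match(label):
            problems.append(f"site '{name}': label '{label}' is not a valid DNS label")
    return problems


if __name__ == "__main__":
    checks = (validate_ou_name("Software Distribution")
              + validate_gpo("CO-DefaultUserSettings-001", "AllSettingsEnabled")
              + validate_site_name("Brisbane CBD"))
    for problem in checks:
        print(problem)
```

Segment 2 is kept free form as Table 7 states, with the single restriction that it cannot contain the dash that separates the segments.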




6.1.9      Security
This section is used to describe the:

- Types of groups used within the environment.
- Use of the Schema, Enterprise and Domain administrator groups.
- Administrator roles and responsibilities.
- Use of domain administrator accounts within the domain.
- Delegated administrators.
- Group strategy.

Active Directory security in the scope of this deliverable details the security group model and the top
level GPOs for the Department ABC infrastructure.


6.1.9.1 Security Group Model
Use this section to describe the security group model that is intended for the domain administration.
Identify if the current security group model can be adapted or if a new one needs to be established.

6.1.9.1.1 Group Types
Windows Server 2008 groups can be of type security or distribution. Distribution groups are created for
the purpose of mail services and carry no security rights. A group can be converted between the security
and distribution types when the domain is at the Windows 2000 native functional level or higher.




6.1.9.2 Schema, Enterprise and Domain Administrators
Describe the importance of these Active Directory security groups. Describe how these Active
Directory security groups will be restricted and controlled to prevent unauthorised changes.

The Schema, Enterprise and Domain Administrators are responsible for running the infrastructure as
a whole. They have access to everything stored within the domain, not by delegation but as a feature
of their role. As a Domain Admin is easily able to elevate their privileges to the Schema and
Enterprise administration level, the distinction is made only for consistency reasons and does not
reflect a real security boundary.
Considering this, Domain Administrator privileges should be given only to highly trusted and
competent personnel, as incompetent or malicious use of these privileges could heavily impact the
infrastructure.

TMR Information: Consider security of the special Active Directory administration groups -
Standard practice is to keep the Enterprise Administrators and Schema Administrators groups empty
and only add a user to them when they are to be used. Administrative staff wishing to make
changes to the schema, site topology, etc., must first acquire authorisation in line with the change
control and request system (Request for Change / Production Change Request Note), approved by
the Change Advisory Board. This ensures that no unauthorised or accidental changes are made.

Placeholder for Design decisions and Rationales:

- How will these groups be managed and/or audited?


6.1.9.3 Administrative Roles and Responsibilities
Defining Administrative roles and responsibilities is outside the scope of this document. An
administration model will be provided in the detailed design phase.


6.1.9.4 Department ABC Domain Administrator Accounts
Use this section to describe how the existing server support administrator accounts will be managed
in the enterprise.

Once the system is in production, the AD will be primarily supported by the Server support team. The
level of administrative authority granted should be strictly regulated.

TMR Information: RunAs increases security - A normal user account should be used in all
situations, preferably invoking the RunAs command to operate with administrative privileges. It is
only recommended to log on with an account with administrative privileges when required to
perform specific administrative tasks where RunAs will not suffice.

Placeholder for Design decisions and Rationales:

- How will these groups be managed and/or audited?

These users will log on with a normal network user account with restricted privileges. In order to
execute specific administrative tasks (or perhaps even development activities) they will use a
secondary credential through the Run As command. This will improve the security of the
environment by limiting malicious Trojans that use the rights of the currently logged-on user to access
the system. Furthermore, this practice helps to avoid mistakes in day-to-day activities. If a user /
administrator executes a task that they should not, the task will not be performed due to the restricted
access of their logged-on user account.10


6.1.9.5 Delegated Administrators
In the future, the new environment will be administered by the Server operations team. At present, the
whole group has the same administrator privileges; there is no differentiation between the roles
performed by the support team. This means all of the support team would have Domain Admin
privileges in the new environment.
The current model is not recommended going forward, due to the high level of privileges available to
all administrative users. It is recommended that Domain Administrator rights be allocated to a
restricted number of people, and that the use of these accounts be managed (i.e. not utilised on a daily
basis).
While administrative delegation is not within the scope of this document, the detailed design phase
will define and outline these delegation requirements.


6.1.9.6 Group scope
Each security and distribution group has a scope that identifies the extent to which the group is
applied in the domain tree or forest. There are three different scopes: universal, global, and domain
local.11


6.1.9.7 Microsoft Recommended Strategy
Microsoft has a few recommended group strategies depending on the environment. Where there is a
large number of domains, Microsoft usually recommends the A G U DL P strategy: Accounts are placed
in a Global group, Global groups in a Universal group, Universal groups in a Domain Local group,
Domain Local groups in a Local group (at the resource), and the respective permissions are applied to
the Local group. This is a good strategy when the company has many domains.


6.1.9.8 Department ABC Group Strategy
A single domain environment, such as the Department ABC AD, suggests the use of the Microsoft
A → G → DL → P strategy (accounts in Global groups, Global groups in Domain Local groups, permissions
applied to the Domain Local group), which makes the administrative process easier and the user logon
process faster by avoiding the use of Universal Groups in all operations.
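The following is an added Python example (not part of this template and not a Department ABC tool) that shows the A G DL P strategy as a check rather than a diagram: it resolves effective access through the nesting chain (account, Global group, Domain Local group, permission) and flags deviations, namely permissions granted directly to accounts or to Global groups, and accounts placed straight into Domain Local groups. It also applies the 6.1.9.2 note that Enterprise Admins and Schema Admins should stay empty, and the 6.1.9.5 recommendation that Domain Admins be restricted, here as an assumed cap of three members. The group names, accounts, file share and cap are constructed.

```python
"""Group model lint: A-G-DL-P compliance and privileged group hygiene
(added example, not part of the template; all data below is constructed)."""
from collections import defaultdict

# Constructed sample directory for a single domain.  Scope names follow AD.
GROUPS = {
    "GG-Finance-Staff":    {"scope": "Global",      "members": ["alice", "bob"]},
    "GG-Finance-Managers": {"scope": "Global",      "members": ["carol"]},
    "DL-FinanceShare-RW":  {"scope": "DomainLocal", "members": ["GG-Finance-Staff", "GG-Finance-Managers"]},
    "DL-FinanceShare-RO":  {"scope": "DomainLocal", "members": ["dave"]},  # account nested directly: deviation
    "Domain Admins":       {"scope": "Global",      "members": ["erin", "frank", "grace", "heidi"]},
    "Enterprise Admins":   {"scope": "Universal",   "members": ["erin"]},
    "Schema Admins":       {"scope": "Universal",   "members": []},
}
ACCOUNTS = {"alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"}

# resource -> [(principal, permission)] as it would appear on the resource ACL
ACLS = {
    r"\\fs01\finance": [
        ("DL-FinanceShare-RW", "Modify"),
        ("DL-FinanceShare-RO", "Read"),
        ("GG-Finance-Managers", "FullControl"),  # Global group on the ACL: deviation
    ],
}


def expand(principal: str, groups=GROUPS, _seen=None) -> set[str]:
    """Transitively resolve a principal to the accounts it contains (cycle-safe)."""
    if principal not in groups:
        return {principal}
    if _seen is None:
        _seen = set()
    if principal in _seen:
        return set()
    _seen.add(principal)
    accounts: set[str] = set()
    for member in groups[principal]["members"]:
        accounts |= expand(member, groups, _seen)
    return accounts


def effective_access(resource: str, acls=ACLS, groups=GROUPS) -> dict[str, set[str]]:
    """account -> permissions it ends up with on the resource via any nesting path."""
    result = defaultdict(set)
    for principal, permission in acls[resource]:
        for account in expand(principal, groups):
            result[account].add(permission)
    return dict(result)


def lint_group_model(groups=GROUPS, acls=ACLS, accounts=ACCOUNTS, max_domain_admins=3) -> list[str]:
    """Return one finding per deviation from A-G-DL-P or from privileged group hygiene."""
    findings = []
    for resource, entries in acls.items():
        for principal, permission in entries:
            if principal in accounts:
                findings.append(f"{resource}: {permission} granted directly to account {principal}")
            elif groups.get(principal, {}).get("scope") != "DomainLocal":
                findings.append(f"{resource}: {permission} granted to {principal}; "
                                f"A-G-DL-P expects a Domain Local group on the ACL")
    for name, group in groups.items():
        if group["scope"] == "DomainLocal":
            for member in group["members"]:
                if member in accounts:
                    findings.append(f"{name}: account {member} is a direct member; nest a Global group instead")
    for name in ("Enterprise Admins", "Schema Admins"):
        if groups.get(name, {}).get("members"):
            findings.append(f"{name} should be empty when not in use: {groups[name]['members']}")
    domain_admins = groups.get("Domain Admins", {}).get("members", [])
    if len(domain_admins) > max_domain_admins:
        findings.append(f"Domain Admins has {len(domain_admins)} members, cap is {max_domain_admins}")
    return findings


if __name__ == "__main__":
    for account, perms in sorted(effective_access(r"\\fs01\finance").items()):
        print(f"{account:6} {sorted(perms)}")
    for finding in lint_group_model():
        print(finding)
```

The effective-access resolver is what an auditor needs alongside the lint: the deviations are only worth fixing because they change who can reach the resource, and the resolver shows exactly whom.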




10  For further information, refer to "Local User and Group Best Practices".
11  "Group scope", http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx

                                         Figure 6-6 - Department ABC Group Strategy

Placeholder for Design decisions and Rationales:

- What security group model will be used to manage Active Directory Groups?
- How will this be implemented?


6.1.10 Antivirus
Use this section to describe how the Antivirus solution will be managed on domain controllers.

TMR Information: Test AntiVirus services – TMR have existing Windows Server 2008 and
Windows Server 2008 R2 operating systems in the environment and the current Antivirus services
are used.


6.1.11 Remote Access Authentication
Explain how Active Directory will be integrated into the existing remote access solutions, based on the
requirements specified.

Placeholder for Design decisions and Rationales:

- How will Active Directory integrate with the existing Remote Access Authentication services?

Windows Server 2008 Network Policy Server12 is a role that is capable of providing integration with
the existing remote access solution and with two-factor authentication methods.




12  For further information, refer to Microsoft TechNet - Network Policy Server Infrastructure.

6.2 High Level Network Infrastructure
Understanding the physical network structure of Department ABC is crucial to the accurate design of
an Active Directory. The network topology helps shape Active Directory design decisions such as the
site topology, site replication, domain controller placement, global catalog placement, and many other
aspects of the logical and detailed design process.


6.2.1      Enterprise WAN Data Network
                       <Insert Queensland Government agency specific diagram here>
                          Figure 6-7 - Department ABC Enterprise WAN DATA Network Diagram

Detail observations which have been made regarding the Enterprise WAN infrastructure. Make
specific note of facts which are relevant to the design, such as the type of network, the speed of the
links, the network topology (hub and spoke, ring, fully connected or mesh), the network resilience of
links, and any known issues.


6.2.2      Enterprise ADSL Network
                       <Insert Queensland Government agency specific diagram here>
                                      Figure 6-8 - Enterprise ADSL Network Diagram

Detail observations which have been made regarding the Enterprise ADSL (backup network)
infrastructure. Make specific note of facts which are relevant to the design, such as the type of
network, the speed of the links, the network topology (hub and spoke, ring, fully connected or mesh),
the network resilience of links, and any known issues.


6.2.3      Enterprise Metropolitan Data Network
                       <Insert Queensland Government agency specific diagram here>
                                     Figure 6-9 - Metropolitan Area Network Diagram

Detail observations which have been made regarding the Enterprise Metropolitan Data Network
infrastructure. Make specific note of facts which are relevant to the design, such as the type of
network, the speed of the links, the network topology (hub and spoke, ring, fully connected or mesh),
the network resilience of links, and any known issues.




6.3 Network Services (DNS, DHCP, WINS)
Describe how network services will be implemented and integrated within the design. It is important for
these services to be working correctly prior to the implementation of Active Directory. It is important to
have an understanding of the existing network services, as AD has a strong dependency on DNS
services.


6.3.1      DNS
The Domain Name System (DNS) is a hierarchical, distributed database that contains mappings of
names to various types of data (such as IP addresses).
As stated in the conceptual design the DNS service will be installed on Active Directory domain
controllers. Active Directory-Integrated DNS zone data will be automatically replicated to all domain
controllers using Active Directory replication. Clients will be configured to reference internal DNS
servers as the primary and secondary servers.


6.3.1.1 Summary
Use this section to briefly reflect on some decisions made in the conceptual design phase, and to
highlight how integration (if required) will work.

The DNS role will be installed on all Active Directory domain controllers. DNS zone data will be
automatically replicated to all domain controllers using domain-wide Active Directory replication.
Clients will be configured to reference internal DNS servers.
The DNS zones will be stored as Active Directory-Integrated DNS zones (configured to permit secure
updates only), allowing dynamic updates from clients to all servers and a high degree of fault
tolerance.
Requests for external (Internet) addresses received by the Active Directory-Integrated DNS servers will
be resolved using standard DNS forwarding to the external BIND-DNS servers, which are configured to
forward unresolved queries to the external DNS services. The external DNS servers will then perform a
recursive lookup on behalf of the clients, negating the need for clients to access the Internet directly for
lookups.
'Figure 6-10 – Logical DNS Topology' below illustrates how DNS clients in the different tiered sites
(explained in Section 6.1.6.1 – "Site Categorisation") will query their closest DNS server(s); it also
shows the expected conditional forwarding flow between the authoritative DNS servers of the different
internal (private) zones and external zones.

                        <Insert Queensland Government agency specific diagram here>
                                             Figure 6-10 - Logical DNS Topology


6.3.1.2 Integration with existing DNS
This section is focused on explaining how AD DNS is integrated with the existing DNS services.
It describes how queries are handled by the existing DNS services and how they are handled by the
Active Directory-Integrated services. A diagram of the logical view of the DNS topology can be used to
help demonstrate this.




Placeholder for Design decisions and Rationales:

- How will Active Directory Integrated-DNS work with the existing DNS systems?
- How will DNS services be replaced by Active Directory?
- What functions will each DNS service perform?
- Will there be primary or secondary zones?
- Will Stub zones be implemented?

TMR Information: Integration with existing DNS infrastructure - This supports TMR's decisions
made in the conceptual design to utilise Active Directory-Integrated DNS for the domain controller
locator records, Active Directory domain names and Active Directory DNS objects. Additionally, it means
that the Active Directory-Integrated DNS server is not required to host the non-AD related DNS zones,
instead passing the request to the existing BIND-DNS servers authoritative for that zone. Coexistence
between the authoritative DNS zones is facilitated via forwarding.13


6.3.1.2.1 Forwarding
Use this section to explain the technical reasoning for decisions on forwarding.

Windows Server 2008 DNS provides mechanisms through which queries for names outside the local DNS
domain can be resolved. Unresolved DNS queries can be handled by the following forwarder mechanisms:
Standard Forwarders (All other DNS domains) - Forward all queries that cannot be resolved locally to
another designated DNS server(s).
Conditional Forwarding – Provides more granular control over name resolution than the traditional
“standard (unconditional) forwarders” mechanism. Conditional forwarding directs queries for specific
DNS domains to designated DNS servers.
The previous design decision states that “All Active Directory-Integrated DNS servers will be
authoritative for the internal AD namespace only”. Therefore, when a local DNS server cannot resolve a
client’s name resolution query, the DNS server may forward that request to another DNS server for
resolution; this is achieved through conditional forwarding.
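Added example (not part of the template and not TMR’s own configuration): the forwarding model above expressed as a PowerShell configuration, followed by a check that the AD-integrated server holds no primary zones outside the AD namespace. It assumes the DnsServer PowerShell module shipped with Windows Server 2012 and later (the dnscmd.exe equivalents for Windows Server 2008 are given in comments), an AD namespace of ad.agency.example, a non-AD zone corp.agency.example that stays on BIND, and BIND servers at 10.10.0.53 and 10.10.1.53. All of these names and addresses are placeholders.

```powershell
# Added example, not the template's or TMR's own configuration.
# Assumes the DnsServer module (Windows Server 2012+); dnscmd equivalents for 2008 are in comments.
# Placeholder values: adjust to the agency's namespace and BIND server addresses.
$AdZone      = 'ad.agency.example'               # assumed AD DNS namespace (DCs authoritative)
$BindServers = @('10.10.0.53', '10.10.1.53')     # assumed existing BIND-DNS servers
$LegacyZone  = 'corp.agency.example'             # assumed non-AD zone that stays on BIND

# 1. Standard forwarder: every query the DC cannot answer from its own zones goes to BIND.
#    UseRootHint $false stops the server falling back to internet root servers if BIND is down.
#    dnscmd equivalent: dnscmd /ResetForwarders 10.10.0.53 10.10.1.53 /Timeout 3 /Slave
Set-DnsServerForwarder -IPAddress $BindServers -UseRootHint $false -Timeout 3

# 2. Conditional forwarder: queries for one named zone go straight to its authoritative
#    servers; stored in AD so every DC in the forest applies the same rule.
#    dnscmd equivalent: dnscmd /ZoneAdd corp.agency.example /Forwarder 10.10.0.53 10.10.1.53
if (-not (Get-DnsServerZone -Name $LegacyZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $LegacyZone -MasterServers $BindServers -ReplicationScope 'Forest'
}

# 3. Design check: the DC must be authoritative for the AD namespace only.
function Test-AdDnsScope {
    param([string]$AdZone)
    # Ignore auto-created zones (0.in-addr.arpa etc.) and the TrustAnchors store.
    $zones = Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' }
    foreach ($z in $zones) {
        $inAdNamespace = ($z.ZoneName -eq $AdZone) -or $z.ZoneName.EndsWith(".$AdZone")
        [pscustomobject]@{
            Zone      = $z.ZoneName
            Type      = $z.ZoneType            # Primary, Secondary, Stub or Forwarder
            InAd      = $z.IsDsIntegrated
            # Forwarder and stub zones only point elsewhere; primaries must be in the AD namespace.
            Compliant = ($z.ZoneType -in 'Forwarder', 'Stub') -or $inAdNamespace
        }
    }
}
Test-AdDnsScope -AdZone $AdZone | Where-Object { -not $_.Compliant }   # expect no output

# 4. End-to-end check from the DC: a name in the legacy zone must resolve via the forwarder.
Resolve-DnsName -Name "intranet.$LegacyZone" -Type A -Server 127.0.0.1 -DnsOnly
```

The scope check reports any primary zone the DC hosts outside the AD namespace, which is exactly the condition the design decision rules out; reverse lookup zones left on the DC will also be reported, so the result should be read against the agreed zone ownership.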

Placeholder for Design decisions and Rationales:

         How will forwarding be configured internal to external?
         How will forwarding be configured external to internal?
         How will the DNS services resolve internet addresses?
         What other DNS configurations are important?

                             <Insert Queensland Government agency specific diagram here>
                                         Figure 6-11 - Conditional Forwarding Examples




13 For further information about Configuring DNS for a Heterogeneous UNIX and Windows Environment





TMR Information: Coexistence with BIND-DNS - TMR’s existing DNS infrastructure is running
BIND-DNS. Integration and coexistence methods were considered a high priority of the TMR design.


6.3.1.3 Server Placement
Describe the DNS placement, and how this differs from the domain controller placement.
Depending on the DNS infrastructure, in most cases the placement of DCs will dictate the placement
of DNS servers, especially if Active Directory Integrated-DNS is being used.

The placement of DNS servers will be dictated by the domain controller placement policy, as the DNS
role is installed and configured on each AD Domain Controller (refer to Section 0 – “Domain
Controller Placement”).

Placeholder for Design decisions and Rationales:

        Where will DNS servers be located?
        Will all domain controllers offer DNS Services?

         Note: There are security considerations that need to be adhered to when installing DNS
          services on a domain controller, for both the standard and Active Directory-Integrated DNS
          server service.14


6.3.1.4 Availability
Describe how DNS will be resilient in this design.

Microsoft Windows Server 2008 DNS allows zone data to be stored in the directory and automatically
replicated to other domain controllers. This can occur on a per domain basis or across all domain
controllers in the forest. Active Directory supports multi-master replication which enables an Active
Directory-integrated DNS zone to be updated on any domain controller that hosts the zone. This ensures
there is no single point of failure.

Placeholder for Design decisions and Rationales:
        Are there single points of failure in the design?
        How else can you address DNS availability?

6.3.1.5 Dynamic DNS
Dynamic DNS reduces the need for manual administration of zone records and is a standard practice in
most DNS implementations.
Describe how DNS resource records will be updated (manually or dynamically) when a new IP address
is issued through DHCP, or a workstation changes location.
Describe the security aspects of Dynamic DNS.




14 For further reference see “Security information for DNS”, http://technet.microsoft.com/en-us/library/cc783606(WS.10).aspx





Active Directory integrated zones can be configured for manual update, dynamic update, or secure
update. Access Control Lists (ACLs) specify the list of groups or users allowed to update resource
records in such zones. This prevents unauthorised users from making changes to a zone or record in an
attempt to compromise the normal operating environment.
Dynamic updates alone can be viewed as a security risk because they allow any client to register any
record. To mitigate this risk, secure dynamic updates can be introduced on Active Directory-integrated
zones ensuring only authenticated clients can register records.
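Added example (not part of the template and not the agency’s own configuration) covering both Section 6.3.1.4 (is the zone replicated, or a single point of failure?) and the secure update requirement above: an audit of every primary zone’s storage, replication scope and dynamic update mode, and a function that enforces secure-only updates. It assumes the DnsServer PowerShell module (Windows Server 2012 and later; dnscmd.exe equivalents for 2008 are in comments) and uses ad.agency.example as a placeholder AD namespace.

```powershell
# Added example, not the template's or the agency's own configuration.
# Assumes the DnsServer module (Windows Server 2012+); dnscmd equivalents in comments.
# Serves 6.3.1.4 (where is the zone replicated?) and 6.3.1.5 (who may update it?).

function Get-ZoneSecurityPosture {
    # One row per primary zone this server hosts, with the two design-relevant settings.
    Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
        ForEach-Object {
            [pscustomobject]@{
                Zone             = $_.ZoneName
                AdIntegrated     = $_.IsDsIntegrated     # $false = file-backed, single master, no multi-master failover
                ReplicationScope = $_.ReplicationScope   # Forest / Domain / Legacy (empty if file-backed)
                DynamicUpdate    = $_.DynamicUpdate      # None / NonsecureAndSecure / Secure
                Risk             = $(if (-not $_.IsDsIntegrated) { 'single point of failure' }
                                     elseif ($_.DynamicUpdate -eq 'NonsecureAndSecure') { 'any host can overwrite records' }
                                     else { 'ok' })
            }
        }
}

function Set-SecureUpdateOnly {
    param([string[]]$ZoneName)
    foreach ($name in $ZoneName) {
        $z = Get-DnsServerZone -Name $name
        if (-not $z.IsDsIntegrated) {
            # Secure update requires the zone to be stored in AD; convert it first.
            # dnscmd equivalent: dnscmd /ZoneResetType <zone> /DsPrimary
            ConvertTo-DnsServerPrimaryZone -Name $name -ReplicationScope 'Forest' -Force
        }
        # Secure only: updates are accepted solely from authenticated clients, and the ACL on
        # each record then limits later changes to the principal that created it (or admins).
        # dnscmd equivalent: dnscmd /Config <zone> /AllowUpdate 2   (2 = secure only)
        Set-DnsServerPrimaryZone -Name $name -DynamicUpdate 'Secure'
    }
}

Get-ZoneSecurityPosture | Format-Table -AutoSize
Set-SecureUpdateOnly -ZoneName 'ad.agency.example'              # assumed AD namespace
Get-ZoneSecurityPosture | Where-Object { $_.Risk -ne 'ok' }     # expect none for the AD zones
```

Run the audit on more than one domain controller: because the zone is multi-master, a mismatch between servers in the DynamicUpdate column indicates a replication problem rather than a configuration choice.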

Placeholder for Design decisions and Rationales:

         How will resource records be updated?


6.3.1.6 DNS Hierarchy and Client Queries
Describe the expected behaviour of the designed or existing DNS hierarchy and client queries.
Describe how internal or external queries are managed in the DNS hierarchy and the use of root hints.

The typical behaviour of a DNS server when a client queries for a name that is unknown to it is to perform
a recursive query against the internet root DNS servers. Microsoft Windows Server 2008 DNS performs
such recursive queries using “root hints”, a list of the authoritative internet root DNS servers. This default
behaviour is not suitable for this design.
The DNS hierarchy, in the context of this document, refers to the process by which DNS queries for names
external to the Active Directory forest are resolved. The DNS hierarchy provides controlled external name
resolution by limiting which DNS servers contact the internet or other DNS servers external to the
forest.

Placeholder for Design decisions and Rationales:

         What is the designed DNS hierarchy?

TMR Information: Root Hints - The Active Directory-Integrated DNS Server service is on a private
network and an internal BIND-DNS server will be setup as forwarder for any unresolved query,
therefore there is no requirement for root hints.
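Added example (not part of the template and not TMR’s own configuration): a check of how a DNS server reaches names it is not authoritative for, and a function that enforces the decision above (forwarders only, no root hints). It assumes the DnsServer PowerShell module (Windows Server 2012 and later; the dnscmd.exe equivalent for 2008 is in a comment). The public name used in the final resolution check, www.example.com, is a placeholder.

```powershell
# Added example, not the template's or TMR's own configuration.
# Assumes the DnsServer module (Windows Server 2012+); dnscmd equivalent for 2008 in a comment.

function Get-ExternalResolutionPath {
    # Reports how this DNS server resolves names outside its own zones.
    $fwd = Get-DnsServerForwarder
    $rec = Get-DnsServerRecursion
    [pscustomobject]@{
        Forwarders       = $fwd.IPAddress -join ', '
        UseRootHint      = $fwd.UseRootHint            # $true: falls back to root servers if forwarders fail
        RootHintCount    = @(Get-DnsServerRootHint).Count
        RecursionEnabled = $rec.Enable                 # forwarding needs recursion; disable only on a purely authoritative server
    }
}

function Set-ForwarderOnlyResolution {
    # Enforce the design: unresolved queries go to the forwarder (the internal BIND server) and
    # nowhere else. Without root hints the server cannot iterate to the internet on its own.
    # dnscmd equivalent: dnscmd /ResetForwarders <ip> /Slave   (then remove the entries in cache.dns)
    Set-DnsServerForwarder -UseRootHint $false
    foreach ($hint in Get-DnsServerRootHint) {
        Remove-DnsServerRootHint -NameServer $hint.NameServer.RecordData.NameServer -Confirm:$false
    }
    Get-ExternalResolutionPath
}

# Before/after picture of the server's resolution path.
Get-ExternalResolutionPath
Set-ForwarderOnlyResolution          # expect UseRootHint = False and RootHintCount = 0

# Functional check: an external name must still resolve, now only via the forwarder.
# Clear the cache first so the answer is not served from an earlier lookup.
Clear-DnsServerCache -Force
Resolve-DnsName -Name 'www.example.com' -Type A -Server 127.0.0.1 -DnsOnly    # placeholder name
```

If the final lookup fails after the change, the forwarder itself is unreachable or not resolving internet names; that is the failure mode the design accepts in exchange for ensuring that only the BIND servers ever talk to external DNS.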


6.3.1.7 Client Configuration
Describe how the DNS client will be configured.

The DNS settings considered for client configuration include the DNS server lists and suffix search list.
It is expected these will be set and maintained on most clients via DHCP.
Clients configured to automatically obtain TCP/IP information will receive DNS server lists and suffix
search lists from the DHCP service (refer to section 6.3.2, “DHCP”).
Refer to “Figure 6-10 - Logical DNS Topology” to understand the way in which clients will query their
closest DNS server(s).
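Added example (not part of the template and not the agency’s own configuration): a check, run on a domain-joined Windows client, of the two settings this section names (DNS server list and suffix search list) and of the way a client actually locates a domain controller, which is by asking DNS for the LDAP SRV records. It assumes the DnsClient PowerShell module (Windows 8 / Windows Server 2012 and later) and nltest.exe; ad.agency.example is a placeholder AD namespace.

```powershell
# Added example, not the template's or the agency's own configuration.
# Run on a domain-joined client. Assumes the DnsClient module (Windows 8 / Server 2012+) and nltest.exe.
$AdZone = 'ad.agency.example'      # placeholder AD namespace

function Get-DnsClientPosture {
    param([string]$AdZone)
    # Server list and suffix search list as delivered by DHCP (options 6 and 15/119) or set by policy.
    $servers  = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                 Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
    $suffixes = (Get-DnsClientGlobalSetting).SuffixSearchList

    # DC location: the client queries the _ldap._tcp SRV records for its site, then for the domain.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdZone" -Type SRV -DnsOnly -ErrorAction SilentlyContinue

    # What the DC locator actually picked, and from which site (nltest output is parsed line by line).
    $dc = $null; $site = $null
    foreach ($line in (nltest "/dsgetdc:$AdZone" 2>$null)) {
        if ($line -match 'DC:\s*\\\\(\S+)')     { $dc   = $Matches[1] }
        if ($line -match 'Our Site Name:\s*(\S+)') { $site = $Matches[1] }
    }

    [pscustomobject]@{
        DnsServers       = $servers -join ', '
        SuffixSearchList = $suffixes -join ', '
        AdSuffixInList   = $suffixes -contains $AdZone         # single-label lookups of AD names need this
        DcSrvRecords     = @($srv | Where-Object Type -eq 'SRV').Count
        LocatedDc        = $dc
        ClientSite       = $site                               # empty: client's subnet is not mapped to a site
    }
}
Get-DnsClientPosture -AdZone $AdZone
```

A client whose DnsServers are not the AD-integrated servers (or a BIND server that forwards the AD zone to them) will show zero SRV records, and a client whose subnet is not defined in AD Sites and Services will show no site, which is the condition Section 6.3.2.2 warns about.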

Placeholder for Design decisions and Rationales:
        How will DNS clients be configured?
        What is the DNS client configuration?
        How will DNS clients find a DNS server?


6.3.2      DHCP
This section is focused on explaining how DHCP is utilised in the design.
It describes how IP addresses are allocated to DHCP clients and the relationships with DNS.

The DHCP service is the primary mechanism in the delivery of IP address allocation services to
Department ABC. As defined in the conceptual design there will be no implementation of DHCP roles
as part of the AD design. This reflects Department ABC technical and business requirements to coexist
with the existing address allocation service.

6.3.2.1 Interoperability with DNS
Describe the relationship between DHCP and dynamic updates.

Interoperability of DHCP with DNS is natively supported in Windows Server 2008. Windows Server
2008 DHCP services can perform dynamic updates (by default Host A and PTR records) in the DNS
namespace for any of its clients that support dynamic updates.

Explain the existing DHCP solution and specify the intended objective (use existing systems or migrate
to Windows DHCP Services).

Clients that support dynamic updates are:

        Windows 2000.
        Windows XP.
        Windows Vista.
        Windows 7.
        Windows Server 2003.
        Windows Server 2008.

There are two approaches to designing Windows Server 2008 DHCP dynamic updates:

        DHCP dynamically updates DNS A and PTR records only if requested by the DHCP client
         (Applies to clients who support dynamic updates).
        The DHCP server always performs the update on behalf of the client. This is the current
         behaviour.

                        <Insert Queensland Government agency specific diagram here>
                                         Figure 6-12 – DHCP & Dynamic DNS
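Added example (not part of the template and not TMR’s own configuration, since TMR retains its existing DHCP service): the two dynamic update approaches listed above as Windows DHCP server settings, plus the identity the DHCP server should use when it registers records. It assumes the DhcpServer PowerShell module (Windows Server 2012 and later); the server name dhcp01.ad.agency.example is a placeholder.

```powershell
# Added example, not the template's or TMR's own configuration. Illustrative for agencies that
# choose Windows DHCP. Assumes the DhcpServer module (Windows Server 2012+). Server name is a placeholder.
$Dhcp = 'dhcp01.ad.agency.example'

# Approach 1 (first bullet above): update only when the client asks via the FQDN option,
# remove the A and PTR records when the lease expires, and leave pre-Windows 2000 clients alone.
Set-DhcpServerv4DnsSetting -ComputerName $Dhcp -DynamicUpdates 'OnClientRequest' `
    -DeleteDnsRROnLeaseExpiry $true -UpdateDnsRRForOlderClients $false

# Approach 2 (second bullet above): DHCP always registers A and PTR on the client's behalf.
# Set-DhcpServerv4DnsSetting -ComputerName $Dhcp -DynamicUpdates 'Always' -DeleteDnsRROnLeaseExpiry $true

# Whichever approach is chosen, the DHCP server should register records with a dedicated
# low-privilege account rather than its own computer account: records are then owned by that
# account, which matters most when DHCP runs on a domain controller, because the DC's computer
# account could otherwise overwrite any record in the zone.
$cred = Get-Credential -Message 'Low-privilege DNS update account for DHCP (placeholder)'
Set-DhcpServerDnsCredential -ComputerName $Dhcp -Credential $cred

# Name protection: DHCP writes a DHCID record alongside the A record, so a different client
# cannot later claim the same name (addresses the record-hijack risk noted in 6.3.1.5).
Set-DhcpServerv4DnsSetting -ComputerName $Dhcp -NameProtection $true

function Get-DhcpDnsUpdatePosture {
    param([string]$ComputerName)
    $s = Get-DhcpServerv4DnsSetting -ComputerName $ComputerName
    [pscustomobject]@{
        Server              = $ComputerName
        DynamicUpdates      = $s.DynamicUpdates             # OnClientRequest / Always / Never
        DeleteOnLeaseExpiry = $s.DeleteDnsRROnLeaseExpiry
        OlderClients        = $s.UpdateDnsRRForOlderClients
        NameProtection      = $s.NameProtection
        UpdateAccountSet    = [bool](Get-DhcpServerDnsCredential -ComputerName $ComputerName).UserName
    }
}
Get-DhcpDnsUpdatePosture -ComputerName $Dhcp
```

The posture function is the piece worth keeping: the three boolean columns together show whether stale records will accumulate, whether the server will register on behalf of clients that cannot do so themselves, and whether registrations are done under a deliberately scoped identity.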

Placeholder for Design decisions and Rationales:

         How will Host A and PTR records be updated in DNS?





TMR Information: Integration with existing DHCP services – It was important that the design
aligned with TMR’s requirement of coexisting with the existing DHCP service. Dynamic updates will
be performed via the present mechanism, so no additional configuration is required.


6.3.2.2 Subnets
All subnets will be defined in Active Directory and associated with an Active Directory site. Detailed
subnet information will be available in Detailed Design.

          Note: Careful coordination with the Queensland Government agency network services teams
           will be necessary throughout the life of the project to ensure Active Directory subnets are
           properly represented.


6.3.2.3 DHCP Relay Agents
Based on the existing DHCP solution, the objectives and requirements listed in Section 6.3.2, explain if
there is a requirement for DHCP Relay Agents.

No DHCP Relay Agents will be deployed in Department ABC environment since existing DHCP
services will be utilised.


6.3.3       WINS
Although Windows Server 2008 uses DNS for name resolution instead of the Windows Internet Name
Service (WINS) NetBIOS name resolution method that is used in Microsoft Windows NT 4.0–based
networks, most organizations still require WINS since there are applications that require it.

Explain that the WINS service is not supported in TCP/IP v6 and as a result is being phased out of most
environments.
Describe the existing applications that are dependent on WINS.
Determine if the Queensland Government Agency is planning to retire WINS or are planning on
deploying an IPv6-only environment.
Determine if the use of the Windows Server 2008 GlobalNames Zones (GNZ) feature is suitable to the
Queensland Government agency.
GNZ is intended to aid the retirement of WINS and it's worth noting that it is not a replacement for
WINS as it has some limitations.15

Specifically, the WINS service converts NetBIOS names to IP addresses on a LAN or WAN. WINS is
not required for deployment of Active Directory, it’s mostly used to support legacy clients (Win 9x and
NT 4.0 Clients) and applications which access resources using NetBIOS names. It is an older service
that uses NetBIOS over TCP/IP (NetBT). WINS and NetBT do not support Internet Protocol version 6
(IPv6) protocols, therefore, they are being phased out in many networks.
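Added example (not part of the template and not the agency’s own configuration): building a GlobalNames Zone as a step towards retiring WINS, and a check that each legacy single-label name still in use resolves through it. It assumes the DnsServer and ActiveDirectory PowerShell modules (Windows Server 2012 and later; dnscmd.exe equivalents for 2008 are in comments). The namespace ad.agency.example and the host names FILESRV01 and PRINTSRV are constructed placeholders.

```powershell
# Added example, not the template's or the agency's own configuration.
# Assumes the DnsServer and ActiveDirectory modules (Windows Server 2012+); dnscmd equivalents in comments.
$AdZone = 'ad.agency.example'                                 # placeholder AD namespace

# 1. Create the GlobalNames zone once: AD-integrated, forest-wide, and with dynamic updates off.
#    GNZ holds only static CNAME records that an administrator creates; unlike WINS there is no
#    client self-registration, which is the limitation the text above refers to.
#    dnscmd equivalent: dnscmd /ZoneAdd GlobalNames /DsPrimary /DP /forest
if (-not (Get-DnsServerZone -Name 'GlobalNames' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name 'GlobalNames' -ReplicationScope 'Forest' -DynamicUpdate 'None'
}

# 2. Enable GNZ support on every DNS server that must answer single-label queries (here: every DC).
#    dnscmd equivalent, per server: dnscmd <server> /Config /EnableGlobalNamesSupport 1
foreach ($dns in (Get-ADDomainController -Filter *).HostName) {
    Set-DnsServerGlobalNameZone -ComputerName $dns -Enable $true
}

# 3. Publish one alias per legacy single-label name still in use (constructed inventory).
$LegacyNames = @{ 'FILESRV01' = "filesrv01.$AdZone"; 'PRINTSRV' = "printsrv.$AdZone" }
foreach ($alias in $LegacyNames.Keys) {
    $existing = Get-DnsServerResourceRecord -ZoneName 'GlobalNames' -Name $alias -RRType CName -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordCName -ZoneName 'GlobalNames' -Name $alias -HostNameAlias $LegacyNames[$alias]
    }
}

# 4. Verify from a client: each single-label name must now resolve via DNS alone, without WINS.
function Test-GlobalName {
    param([string]$Name)
    $r = Resolve-DnsName -Name $Name -Type CNAME -DnsOnly -ErrorAction SilentlyContinue
    $target = ($r | Where-Object Type -eq 'CNAME').NameHost
    [pscustomobject]@{
        Name        = $Name
        ResolvedVia = $(if ($target) { $target } else { 'no answer (still WINS-dependent)' })
    }
}
$LegacyNames.Keys | ForEach-Object { Test-GlobalName -Name $_ }
```

Because the zone is static, the inventory in step 3 is the real work: any application that relies on a NetBIOS name not listed there will keep depending on WINS, and the check in step 4 makes that visible before WINS is switched off.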

Placeholder for Design decisions and Rationales:
          Will WINS be replaced by GlobalNames Zones?
          How are the legacy WINS dependent applications going to be managed?


15 For further information refer to - Providing Single-Label DNS Name Resolution


6.3.4      NTP - Time Synchronisation
Describe how the domain controllers will retain the correct time across the enterprise.

The Time Synchronisation service aims to provide an accurate reference time with which all clients
(Server and Workstation) can synchronise.

Placeholder for Design decisions and Rationales:

        What system is being used to manage time across the enterprise?
        Will domain controllers be used as a time source?

         Note: It is important that servers hosted on VMware are configured to use NTP, and not the
          ESX host, as their time source, as using the host clock can cause problems with Domain Controllers.


6.3.4.1 Reference Clock Source
Describe the existing NTP infrastructure and the relevant time sources.
Explain the hierarchy and make reference to how the different stratum time sources are used.

Reference clock sources provide time-dissemination services based on the Coordinated Universal Time
(UTC). National governments and other institutions typically provide these services to the general
public via a number of mediums, as listed below:

        Internet (e.g. Melbourne University’s NTP time source at ntp.cs.mu.oz.au)
        Radio Time Service (e.g. Australian Broadcast Commission)
        Satellite Time Service (e.g. Spectracom NetClock 9185 GPS)
        Modem Time Service
        Local System Clock (Time Server e.g. Router, Unix Server, Windows Server, etc)

Department ABC has an existing NTP infrastructure in place for production systems; it consists of the
following:

        Two existing Stratum-1 time sources.
        The Stratum-1 time sources acquire time from a Satellite Time Service (Stratum-0).

Department ABC uses Unix-based NTP Servers (Stratum-2) to provide time to all servers, workstations
and all other network devices on the network.
The current time hierarchy implemented within the environment is capable of supporting the AD based
on the objectives and requirements provided by Department ABC.

Placeholder for Design decisions and Rationales:

         What are the existing time source stratum servers, will they be utilised?





6.3.4.2 Windows Time Service
Determine whether NTP or SNTP will be used in the design. Explain the difference between the two
protocols.

The Windows Time Service (W32Time) is used in a Windows network to synchronise time amongst
Windows clients. It is essential for security based services such as Kerberos to have clients and servers
synchronised appropriately as large discrepancies can cause authentication issues. The Windows Time
Service can use the following standard protocols:

          Network Time Protocol (NTP) (default selection)
          Simple Network Time Protocol (SNTP), a simplified version of NTP.

SNTP is a simplified version of the NTP time protocol. The primary difference between the two is that
SNTP does not have the error management and complex filtering systems that NTP provides.16

Placeholder for Design decisions and Rationales:

          How will time be synchronised in the domain?

6.3.4.3 Windows Time Hierarchy
Use this section to explain the selected time hierarchy and the various models that exist. It is a standard
practice to use the default windows behaviour unless there is a requirement stating otherwise.

There are a number of ways in which Windows Time Service can be established in a Windows Server
2008 network as detailed below:
A domain hierarchy synchronisation model (Default Windows Server 2008 behaviour)
A manually specified synchronisation model
A manually specified synchronisation model requires the configuration of an authoritative time source
for all Windows clients. The following Figure 6-13 illustrates a path of time synchronisation between
Windows clients in a domain hierarchy and the path for non-domain members:
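Added example (not part of the template and not the agency’s own configuration): the two synchronisation models above configured with w32tm.exe (present on Windows Server 2008 and later), with the PDC emulator at the top of the domain hierarchy pointed at the agency’s Stratum-2 NTP servers, and a check that flags the two conditions that break Kerberos, a local or virtual clock as the time source and a large offset. It assumes the ActiveDirectory PowerShell module for locating the PDC emulator; the NTP server names and the 60-second warning threshold are assumptions.

```powershell
# Added example, not the template's or the agency's own configuration.
# Uses w32tm.exe (Windows Server 2008+) and the ActiveDirectory module for Get-ADDomain.
$UpstreamNtp = 'ntp1.agency.example,0x8 ntp2.agency.example,0x8'   # assumed Stratum-2 servers; 0x8 = client mode

function Get-PdcEmulator {
    # The PDC emulator is the root of the domain hierarchy model and the only DC that should sync externally.
    (Get-ADDomain).PDCEmulator
}

if ($env:COMPUTERNAME -ieq (Get-PdcEmulator).Split('.')[0]) {
    # Manually specified model at the top of the hierarchy: external peers, advertised as reliable.
    w32tm /config /manualpeerlist:"$UpstreamNtp" /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC, member server and workstation: default domain hierarchy model.
    w32tm /config /syncfromflags:domhier /update
}
Restart-Service w32time
w32tm /resync /rediscover

function Get-TimeSyncPosture {
    param([double]$WarnOffsetSeconds = 60)    # assumed threshold; Kerberos default tolerance is 5 minutes
    $source = $null; $offset = $null
    foreach ($line in (w32tm /query /status)) {
        if ($line -match '^Source:\s*(.+)$')                { $source = $Matches[1].Trim() }
        if ($line -match '^Phase Offset:\s*([-0-9.]+)s')    { $offset = [double]$Matches[1] }
    }
    # Sources that mean "this machine is not synchronised to the agency hierarchy at all".
    $badSources = 'Local CMOS Clock', 'Free-running System Clock', 'VM IC Time Synchronization Provider'
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Source        = $source
        OffsetSeconds = $offset
        SourceOk      = $badSources -notcontains $source   # a VMware guest showing the CMOS clock is taking time from the host
        OffsetOk      = ($null -ne $offset) -and ([math]::Abs($offset) -lt $WarnOffsetSeconds)
    }
}
Get-TimeSyncPosture

# Where a DC is a VMware guest, also disable periodic time synchronisation in VMware Tools so the
# ESX host cannot step the guest clock; that setting lives in the guest tools, not in W32Time.
```

Running Get-TimeSyncPosture on every domain controller and member gives the evidence for the placeholder question above (which synchronisation model is in use): a healthy hierarchy shows the PDC emulator with an external source and everything else with a domain controller as its source.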

                        <Insert Queensland Government agency specific diagram here>
                                             Figure 6-13 - Time Synchronisation

Placeholder for Design decisions and Rationales:

          What is the synchronisation model being used in the design?

16 For further information refer to “Windows Time Service Architecture”


6.4 Test and Development
While it is best practice to implement a Test and Development environment to manage the lifecycle of
Active Directory, it is important to evaluate whether the agency is currently managing Test and
Development environments in their current state.
Implementing two additional Active Directory environments into an organisation that doesn’t have
processes or a framework in place to manage them appropriately would likely result in a disparate
environment which is of no use to the production environment and costly to the business and support
groups.
There are a number

The section does not include the high level design of a Test or Development environment in Department
ABC as part of the implementation of the new Enterprise AD solution.
The envisaged target state for Department ABC is a single directory service to rationalise the complex
replication of directory information that currently occurs. It was deemed to be introducing additional
complexity without any short term benefits to implement an additional Development directory service(s)
as part of this piece of work.
In the longer term it is recommended that Test and Development environments are designed and
implemented to support the target enterprise AD and provide a means for managing change and
mitigating risks.
Test and Development environments better equip Department ABC for the testing of changes to an
Active Directory implementation prior to applying to production. Test domains provide an environment
for testing potentially high impact infrastructure changes such as schema extensions, Group Policy
changes, and new security policies.
Depending on requirements, support for other types of testing may include:

        Performance.
        Stress.
        Application.
        Integration.
        User Acceptance.
        High Availability.
        Disaster Recovery.

Best practice Development and Test environments are logically and physically isolated. The Test and
Dev environments would exist as separate Windows Server 2008 Active Directory forests. Test & Dev
must be implemented based on the AD design, however the requirements for availability will differ. In
most cases Test and Dev environments are virtually hosted to reduce costs, are scaled down versions of
the production environment, but are identical in configuration.
To ensure this configuration is kept identical across the three environments processes need to be put
into place. So to get the most out of implementing additional environments, Department ABC would
need to couple the Test & Dev implementation with the development of an Active Directory environment
lifecycle. Details of this framework are not covered in this document.








7 Migration Approach
The Migration Plan document describes an infrastructure migration project from an existing
infrastructure, operating system or system application to a new technical infrastructure solution or
infrastructure. The solution can be applied to an environment, infrastructure, servers, users,
workstations, laptops or data.
The Scope and Approach document may also provide some insight into the overall migration strategy.
Migration is critical to the success of the project. Migration can range from an upgrade to an install or
restructure. Without well-tested migration paths and tools, the new solution may fail because legacy
components introduce risks that were never accounted for during design.


7.1 Summary
Provide an overall summary of the contents of this document. Some readers may need to know only the
plan’s highlights. The summary also provides an introduction to the document’s basic contents before
readers go on to the details.


7.2 Objectives and Goals
The Objectives and Goals section defines the primary reasons that were used to create the migration
approach and the key objectives and goals of that approach. Identifying the drivers and migration
objectives informs the Queensland Government Agency that the document has carefully considered the
situation and has created an appropriate migration approach.


7.2.1      Business-related Objectives
The Business-related Objectives section identifies the business objectives that are the reasons for the
migration. This may include such things as better manageability, greater scalability, improved security,
and improved availability. This information may be derived from the Vision and Approach document or
other appropriate documents.


7.2.2      Migration-related Goals
The Migration-related Goals section defines the migration goals. This could be described in such
categories as the amount of disruption that will occur or the impact on security.


7.2.3      Migration Strategy
The Migration Strategy section describes the specific elements that will be migrated. It describes the
current and future environmental aspects of the migration, the time frame within the overall solution,
and the sequence of events in which the elements will be migrated.


7.2.3.1 Tools
The Tools section identifies the tools that will be employed to support this migration strategy. They may
be migration tools, testing tools, training tools, and so on, and they may include tools from third parties.





7.2.3.2 Implications
The Implications section describes the impacts or interruptions caused by the migration and anything
that might occur in conjunction with the migration to ensure success. This may include training,
acquisition of hardware, changes in user environment, network interruption, facilities and support.


7.3 Migration Environment
The Migration Environment section provides details on the existing and/or future environment in which
the application or system will operate and the people who will use it. It describes all relevant aspects of
the current environment and the future environment (hardware, software and facilities).


7.4 Migration Guidelines
The Migration Guidelines section describes what guidelines, such as what trust exists between domains
or where user accounts reside, need to be followed within this environment.


7.5 Migration Process
The Migration Process section describes how the migration will be conducted. It includes information
on the test environment, preparatory activities, tools, description of the migration process, the
decommissioning of replaced resources, and a rollback plan.
There are subsections for two stages. This does not imply, however, that the project will have only two
stages. Create as many stages as appropriate for the project.
Outlining the migration process ensures that migration will be conducted in a logical and controlled
manner.


7.5.1      Test Environment
The Test Environment section describes the test environments that, to the extent possible, replicate the
production environment. This should include identification of all environmental attributes that must be
in place. There may be more than one environment. A series of them could be phased in to control
testing. For example, users could be included after the initial phase.


7.5.2      Preparation
The Preparation section identifies and describes all tasks, such as acquisition, test, and training,
required to prepare for migration. It also describes the task sequences, durations, responsibilities, and
expected results.


7.5.3      Migration Stage
The Migration Stage section describes the migration process. It identifies what is migrated and in what
order.





7.5.4      Decommissioning of Replaced Resources
The Decommissioning of Replaced Resources section describes how existing resources will be taken
offline. This should include criteria that will determine when and how those resources will be
decommissioned.


7.5.5      Rollback Plan
The Rollback Plan section describes how, if problems do occur, a Queensland Government agency can
roll back to the prior system or configuration.








8 Appendix A. – Definitions
           Terms, abbreviations               Meaning
           and acronyms
           ACL                                Access Control List
           AD DS                              Active Directory Domain Services
           BSD                                Business Solutions Delivery
           CSC                                Customer Service Centres
           DC                                 Domain Controller
           DNS                                Domain Naming Service
           DHCP                               Dynamic Host Configuration Protocol
           EI&S                               Enterprise Information & Systems
           ESU                                Enterprise Security Unit
           FSMO                               Flexible Single Master of Operations
           GPO                                Group Policy Object
           ILM                                Identity & Lifecycle Management
           IT                                 Information Technology
           ITO                                Information Technology Officer
           ITS                                Information Technology Services
           IP                                 Internet Protocol
           LDAP                               Lightweight Directory Access Protocol
           LDS                                Light-weight Directory Services
           LAN                                Local Area Network
           MRJ                                Main Roads Jurisdiction
           NAB                                Notes Address Book
           NAL                                Novell Application Launcher
           NOS                                Network Operating System
           NPS                                Windows Server 2008 Role - Network Policy Server
           IDM                                Novell Identity Management
           OU                                 Organisational Unit
           PDC                                Primary Domain Controller
           PoC                                Proof of Concept
           PKI                                Public Key Infrastructure




           QGCIO                              Queensland Government Chief Information Office
           QGCTO                              Queensland Government Chief Technology Office
           RID                                Relative Identification number
           SITO                               Senior Information Technology Officer
           SWoG                               Solution Working Group
           SOE                                Standard Operating Environment
           DEPARTMENT ABC                     Department ABC
           WAN                                Wide Area Network
           WINS                               Windows Internet Naming Service



