					                                              State of Alaska

        Recommendations for Enterprise Active Directory Services
             AD Working Group, Technology Management Council




*** FINAL ***
                                                   State of Alaska
        Document ID:
        Title:        Recommendations for Enterprise Directory Services
        Supersedes:   Enterprise Messaging and Directory Services Strategy Vision
        Status:       Recommended by Technology Management Council 01/22/2008;
                      Reviewed by Administrative Service Directors 01/22/2008;
                      Approved by Enterprise Investment Board __/__/200_;
        Version:      1.14
        Date:         1/22/2008
        Author:       AD Working Group, Technology Management Council, State of Alaska
        Applies to:   State Of Alaska Enterprise Directory
        Scope:        Enterprise
        Purpose:      This document outlines the vision of the end result of this program,
                      that is to say, the overall goal of the program and the benefits that the
                      State Of Alaska can expect to see when the program is completed.
        Summary:      These Recommendations revise the Enterprise Plan initially approved as
                      the Enterprise Messaging and Directory Services Vision in October
                      2006. This document outlines the State’s objectives and how the State
                      will move toward this vision and further lays out the scope of the Initial
                      Enterprise Active Directory project.




                                                                                                   Page 2 of 27
1.13.
                                               Table of Contents

        Executive Summary
          Action Plan
        Background
        Program Objectives
        Active Directory Alternatives and Options
        Option A -- Single Forest and Single Domain for All Agencies
          Overview
          Pros
          Cons
        Option B – Decentralized: Multiple Forest and Multiple Domain
          Overview
          Pros
          Cons
        Option C - Recommended Approach – Blended Forest and Multiple Domain
          Overview
          Pros
          Cons
        IT Services Impacted by AD – Support Considerations and Recommendations
          Summary of TMC Recommendations for Common IT Services
          Collaboration Tools
          Desktop Provisioning (Enterprise)
          Desktop Support (Initially Departmental, working toward Enterprise)
          Email Services (Enterprise)
          File Server Consolidation (Both)
          Help Desk Services (Both)
          Integration with Voice over Internet Protocol (VoIP) Phones (Enterprise)
          LANDesk
            Patch Services
          Printers (Both)
          Server Backup & Recovery (Both - Enterprise and Departmental)
          SharePoint (Both)
          Training (Both)
          Utility Services (Enterprise)
        Roles and Responsibilities
        Glossary of Terms




Executive Summary

         The State of Alaska, in an effort to provide quality, cost effective, enterprise
         network services, has been reviewing alternatives for implementing an Active
         Directory (AD) solution. This document outlines the Technology Management
         Council's (TMC's) vision and strategy.

         After looking at AD and the services associated with it, the TMC recognizes that
         some infrastructure services may be delivered in a less costly manner without
         lowering effectiveness and in a more standardized manner by using a centralized
         approach. The TMC has directed the AD Project Team to develop the simplest
         design possible for AD while recognizing that security and applications issues
         will dictate that other forests and domains will likely be required.

         The State of Alaska will develop an Active Directory (AD) implementation
         design that will consist of a single enterprise forest that contains state assets for
         authentication within the Executive Branch. Enterprise Technology Services
         (ETS) will administer the Enterprise AD and will meet all security needs required
         by Statute or Regulations. Service Level Agreements will be developed to define
         and measure these enterprise services.

         In an effort to provide quality and cost effective enterprise network services, the
         AD design will focus on the following efficiencies:

               - Identifying Economies of Scale
               - Reducing Spending
               - Leveraging Technical Skill Sets (a commodity in demand with less than
                 optimal supply – especially in Alaska)
               - Implementing Common and Best Practices across the enterprise with a
                 phased approach
               - Increasing Data and Systems Security
               - Coordinating Policy Decisions and Implementations
               - Centralizing and Consolidating to optimize infrastructure and staffing
                 investments
               - Finding the optimum balance between Centralized and Agency services.


         To begin to capture some of the benefits of a new approach, the TMC is making
         a number of recommendations that will allow the State to realize some cost
         savings, increase standardization of processes and products, and centralize some
         services.





          An “early adopter” proposal will allow agencies currently running Novell to
          convert to Windows and Active Directory. This will give Enterprise Technology
          Services (ETS), the central IT commodity provider, an opportunity to build and
          demonstrate their ability to provide the same high level of service that
          departments currently enjoy. It also gives ETS a chance to refine their processes
          for customer service, change control, and to develop effective Service Level
          Agreements. Multiple departments would like to participate as “early adopters”
          (Administration, Commerce, Education and Early Development in Anchorage,
          Governor's Office, Law, and Fish and Game). Including the Department of
          Administration and the Governor's Office will demonstrate and go a long way to
          convince other departments of ETS's ability to provide effective and responsive
          centralized services.

          The TMC recognizes that a balance must be struck between agency and ETS
          services. Business specific applications clearly belong under the control of the
          departments, but many of the infrastructure services lend themselves to a more
          centralized approach. The intent is to implement an annual, iterative process to
          review and revise the short, medium and long term action items and tasks.

          The following table summarizes the TMC's Action Plan.






   Action Items                                                 Resource     Cost Savings  Standardization  Centralization

   Short Term (0-12 months)
   Build out current AD for early adopters                      ETS                X              X                X
   Update IT inventory for AD early adopters                    IT Managers                       X
   Conduct a User Training Survey                               ETS                               X
   Conduct a Technical Training Survey                          ETS                               X
   Conduct End-User Desktop Satisfaction Survey                 ETS                               X
   Enterprise contracts for desktop, laptops, printers          DGS                X              X                X
   Desktop replacement process                                  All Depts          X              X
   Clearinghouse for visits to remote locations                 All Depts          X
   Centralize file servers as appropriate                       ETS                X                               X
   Service Level Agreements                                     ETS                               X
   Self Service & Password Resets                               All Depts          X              X                X
   Enterprise Antivirus Services                                ETS - SSO          X              X                X
   Real time views of the Network                               ETS                X                               X
   Infrastructure Optimization (ROI) Survey                     All Depts.         X              X                X

   Medium Term (1-2 years)
   Standardize procedures and common desktop support processes  All Depts                         X
   Common Helpdesk tool for desktop support                     All Depts          X              X                X
   VoIP migration into the Enterprise AD                        ETS                               X                X
   Coordinate procurement of technical training                 ETS                X              X                X

   Long Term (2-4 years)
   Centralized Help Desk services for Tier 1                    All Depts          X              X                X
   Enterprise patch services for workstations                   ETS                X              X                X
   Departmental implementation of LANDesk                       All Depts          X              X                X

   Legend:  DGS = Division General Services;  ETS – SSO = ETS – State IT Security Office




Background

        Lessons Learned
        At the conclusion of the Enterprise Exchange project, it was
        recognized that improvements need to be made to the communication,
        governance, and planning processes used to manage the overall Active Directory
        (AD) and Messaging and Calendaring program. For example, some technical
        decisions made by Microsoft and the Technical Advisory Group (TAG) about
        archiving, help desk support, and email retention affected policy and planning,
        and occurred outside the IT governance process. There was no defined and
        agreed upon process for individual agencies to appeal decisions made by the
        TAG, or for the TAG to determine when it was appropriate to escalate a decision.
        The Exchange project also continued a precedent set during the Cisco Security
        Agent (CSA) project: implementing an enterprise initiative without adequate
        consideration of the impact on individual agencies. This means the individual
        agencies assume additional, ongoing work for what some departments refer to
        as "unfunded mandates".


        Planning for Project 2 – Enterprise Active Directory Services
        The Department
        of Administration requested that the Technology Management Council (TMC)
        review and update the Enterprise Messaging and Directory Services Strategy Vision,
        recommend how the TAG should operate and fit into the State's IT Planning
        Governance Structure, and how to improve communication.

        The TMC was asked to identify the options for deploying AD and provide their
        recommendations on how to proceed. They were asked to put together an
        overarching vision of what enterprise services should look like in two to three
        years, including common services such as Active Directory, SharePoint, File
        Server Sharing, Desktop, Help Desk, Security and Staffing.




Program Objectives

         The Technology Management Council has reviewed and modified the State's critical
         objectives described in the October 2006 Enterprise Messaging and Directory Services
         Strategy Vision and Scope and recommends that these be incorporated into the enterprise
         AD design.

         Objectives
                - Single Authentication / Active Directory
                - Single Enterprise Exchange e-mail, calendaring and mobile devices support
                - Support for Enterprise Data Security Requirements
                - Appropriate Staffing, Training and Responsive Change Management
                - Ability to Consolidate/Migrate File and Print Services
                - Provide Similar Service Delivery Level to All Locations
                - Responsible Customer Service
                - Infrastructure Optimization Return on Investment (ROI) Survey
                - Active Directory as the State's authoritative directory service

         Single Authentication / Active Directory
         The State will deploy an Enterprise Active Directory environment that can be used for
         single sign-on authentication and authorization for applications.

         Single Enterprise Exchange email, calendaring and mobile devices support
         The State will deploy a single, centrally managed enterprise Exchange email and
         calendaring system. Support for mobile devices is essential.

         Support for Data Security Requirements
         Most state agencies are entrusted with some form of confidential, sensitive or classified
         information. In many cases there may be specific State or Federal Laws which govern the
         level of physical, administrative or system security that needs to be in place. An
         enterprise approach for information, file and database security must be implemented.

         Appropriate Staffing, Training Requirements and Associated Costs, and
         Change Management
         Appropriate staffing, training and change management requirements will be identified
         throughout the various phases of the Enterprise Active Directory Services series of
         projects. During the initial project/phase, i.e. migration of all Departments to Active
         Directory Services, there are no plans for substantive staffing changes. As subsequent
         phases are planned, staffing requirements will be analyzed and recommendations made
         to ensure that the State can implement the project in an effective and efficient manner.

         Training requirements and associated costs for each project/phase will be identified to
         ensure that State IT staff possesses the required knowledge and skills to ensure successful
         implementation and ongoing support requirements are met.

         Consistent and clear change management processes are required to ensure that change
         requests are evaluated for potential impacts and that escalation of critical change
         requests occur in an expeditious manner while allowing for thorough analysis. The State
        has established a Configuration Management Board comprised of qualified technologists
        drawn from all departments to ensure that change requests are evaluated in an
        environment in which each potentially affected department's concerns can be heard,
        analyzed, and all solutions and changes are to be agreed upon by consensus.

        Ability to Consolidate/Migrate File and Print Services
        Several departments have indicated their need for Active Directory user authentication to
        be the basis for access to data files and applications. The Active Directory design will
        need to support departmental file and print requirements. Consolidation and
        centralization of file servers will occur in locations and situations where appropriate.

        Provide Similar Service Delivery Level to All Locations
        Although a majority of State employees are located in Anchorage and Juneau, one third
        are located in other locations throughout the State. Because of logistical constraints, the
        service level in remote locations is often limited or costly. Business needs should drive
        the balancing of administration, service delivery and cost. If the testing or initial
        deployment proves to be inadequate for the business needs of an agency, an adequate
        solution will need to be found and deployed. Active Directory, with all that it
        encompasses – file and print, application services, etc. -- should be designed to ensure
        equitable provision of services across the State.

        Responsible Customer Service
        Many departments pointed out that their users were accustomed to very responsive
        departmental support. A goal will be to ensure that user support responsibilities and
        escalations are well defined and appropriately staffed so customer service remains
        responsive. Service Level Agreements (SLAs) will define acceptable customer service
        responses for commonly encountered problems.

        Infrastructure Optimization ROI Survey
        Return on Investment (ROI) tools can be used to look at the most effective way to
        improve IT productivity, provide higher service levels, and free resources for innovation.
        ROI tools can be very useful to view large projects such as the Enterprise AD. The
        Microsoft assessment should be undertaken by each department individually to
        determine:
                - Where we are now
                - Where we want to be
                - What risks we might encounter
                - What the schedule will be
                - Salary metrics/ IT labor costs – annual labor costs per PC and server
                - Service levels – number of service desk calls per PC per year
                - Business agility- amount of time to deploy new applications
                - Infrastructure
        This assessment/questionnaire is free to large Microsoft customers such as the State of
        Alaska and the process takes about 3 days per department. Results from the ROI
        assessment could be used to determine how to proceed with staffing and training as part
        of the AD project.

        Active Directory as the State’s authoritative directory service
        While existing applications may be maintained in the SUN LDAP (referred to as LDAP in
        this document), agencies should begin adapting their applications to take full advantage
        of the authentication and directory attributes stored in AD. All new applications will be
        designed to authenticate to AD.
Active Directory Alternatives and Options

        Options
             The TMC considered the following alternative approaches when developing these
             recommendations to support the orderly build up and deployment of the centralized
             Active Directory.

                  1.   Option A. Single Forest and Single Domain for All Agencies. All
                       Departments / All State Employees in a centralized non-dedicated resource
                       forest using a centrally managed Enterprise Exchange and Calendaring system.
                       Directory objects for three to five departments will be substantially migrated to
                       the Enterprise Active Directory, allowing these “early adopters” to deploy file
                       and print services.

                  2.   Option B. Multiple Forests and Multiple Domains. Decentralized
                       environment. Each Department has the option to establish their own forest or to
                       join in the forest maintained by ETS. All Directory objects are migrated to the
                       Enterprise Active Directory. File Server consolidation may occur where design is
                       feasible. All departments use the centrally managed Enterprise Exchange and
                       Calendaring system. Directory objects for three to five departments will be
                       substantially migrated to the Enterprise Active Directory, allowing “early
                       adopters” to deploy file and print services.

                  3.   Option C. (Recommended Approach). Blended environment.
                       Enterprise Technology Services will maintain a centralized forest for Exchange
                       and for departments who do not want to manage their own forest. The
                       Enterprise AD will be used for authentication for enterprise services within the
                       Executive Branch and for departments that require no unique AD
                       implementations. ETS will administer the Enterprise AD and develop and
                       maintain service level agreements (SLAs) which define and measure these
                       enterprise services. Directory objects for three to five departments will be
                       substantially migrated to the Enterprise Active Directory, allowing “early
                       adopters” to deploy file and print services.




Option A -- Single Forest and Single Domain for All Agencies

        Overview
            A centralized system for all state employees serving within the Executive Branch allows
            for a single authentication and supports enterprise Exchange email, calendaring, and
            other messaging services. Additionally, the State will design Active Directory for other
            uses such as File and Print Services. Enterprise Technology Services (ETS) will assume
            responsibility for the maintenance of the enterprise suite of infrastructure services, but
            ownership and control of the objects within the enterprise will remain under agency
            discretion. Microsoft and the initial planning team felt that this would allow the State of
            Alaska to benefit from a centralized offering and consolidation, without sacrificing the
            relationships between agency IT Staff and agency end users.




             Single Forest/Single Domain with Multiple Organizational Units (OUs).
             This design model for Active Directory has a single domain root and then organizes
             local units as a hierarchy beneath the domain. Each organizational unit shares the
             same directory schema and configuration settings. The users, workstations, and other
             agency group resources would be located in agency OUs. Users, when authorized, have
             access to resources defined anywhere in the directory.

             [Figure: the Alaska.gov domain root with a Policy object; service OUs (Exchange OU,
             SharePoint OU?, VoIP OU?, OCS OU?) holding servers; and agency OUs (DEC, DNR, F&G,
             Revenue, Commerce, Labor, Educ., Gov, Law, DOA, DPS, DMVA, Corr, HSS, DOT), each
             holding user objects, group objects and servers.]




             * Microsoft regards this as the most straightforward design: the least traffic, the least
             administration, the least complexity, and the fewest servers acting as domain controllers.
             * OU level (agency) admins still have limited control at the local level
             * Group policies can be implemented by ETS for local level resources
             * Trust relationships are domain-wide with local authorization control to local resources
             * Domain Admins can override local admins if they choose to
             * Some Group Policies can only be controlled domain-wide, and must be identical for the entire State domain
             * If any group trusts a non-SOA domain, they would expose all resources in the SOA domain
             * Strict naming standards for computers/users/groups must be established to prevent name collisions
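
Added example (not part of the TMC document): a pre-consolidation check for the name collisions the last point warns about when every agency's accounts land in one domain. The agency exports and the "<AGENCY>-" prefix rule are constructed assumptions; the check relies on account names being case-insensitive and shared by users, groups and computers within a single domain.

```python
from collections import defaultdict
from dataclasses import dataclass

SAM_MAX_USER = 20   # user sAMAccountName (pre-Windows 2000 logon name) limit
NETBIOS_MAX = 15    # computer names are cut to 15 characters for NetBIOS


@dataclass(frozen=True)
class Principal:
    agency: str  # source directory the object comes from, e.g. "DEC"
    kind: str    # "user", "group" or "computer"
    name: str    # account name as exported (computers without the "$")


def domain_key(p):
    """Name the object would occupy in the single domain's account namespace.

    Users, groups and computers share that namespace and it is
    case-insensitive; a computer account is its 15-character NetBIOS
    name plus "$".
    """
    name = p.name.casefold()
    if p.kind == "computer":
        return name[:NETBIOS_MAX] + "$"
    return name


def find_collisions(principals):
    """Return {key: [principals]} for every key claimed more than once."""
    buckets = defaultdict(list)
    for p in principals:
        buckets[domain_key(p)].append(p)
    return {k: v for k, v in buckets.items() if len(v) > 1}


def standard_violations(principals):
    """Check the hypothetical standard used in this example: groups and
    computers carry an "<AGENCY>-" prefix, users fit in 20 characters and
    computers in 15."""
    problems = []
    for p in principals:
        if p.kind in ("group", "computer"):
            if not p.name.upper().startswith(p.agency.upper() + "-"):
                problems.append((p, "missing agency prefix"))
        if p.kind == "user" and len(p.name) > SAM_MAX_USER:
            problems.append((p, "longer than 20 characters"))
        if p.kind == "computer" and len(p.name) > NETBIOS_MAX:
            problems.append((p, "longer than 15 characters"))
    return problems


# Constructed sample exports from several agency directories.
SAMPLE = [
    Principal("DEC", "user", "jsmith"),
    Principal("DNR", "user", "JSmith"),            # differs only by case
    Principal("DEC", "group", "Helpdesk"),
    Principal("DPS", "group", "Helpdesk"),
    Principal("DOA", "user", "finance"),
    Principal("HSS", "group", "Finance"),          # user vs. group, same namespace
    Principal("DEC", "computer", "FILESERVER01"),
    Principal("DNR", "computer", "fileserver01"),
    Principal("DEC", "group", "DEC-Helpdesk"),     # prefixed: no clash
    Principal("DPS", "group", "DPS-Helpdesk"),
    Principal("DOT", "computer", "DOT-WORKSTATION-001"),
    Principal("DOT", "computer", "DOT-WORKSTATION-002"),  # same first 15 chars
]


if __name__ == "__main__":
    for key, owners in sorted(find_collisions(SAMPLE).items()):
        claimed = ", ".join(f"{p.agency}/{p.kind}/{p.name}" for p in owners)
        print(f"COLLISION {key}: {claimed}")
    for p, reason in standard_violations(SAMPLE):
        print(f"STANDARD  {p.agency}/{p.kind}/{p.name}: {reason}")
```

The last two computers show why a prefix alone is not enough: both pass the prefix rule, yet they collide once the names are cut to 15 characters.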





        Pros
               1.   Timing. Microsoft had to deliver a solution. The only way to complete the Exchange
                    project within tight timelines was to use a cookie-cutter solution. If separate forests
                    and multiple domains were required, each department would have to be audited.
               2.   Design simplicity
               3.   Ultimate security
               4.   Management across the enterprise is easier
               5.   Cost – Although the initial design did not recommend it, fewer domain controllers
                    could be necessary in a single forest.
               6.   Dedicated, full time staff allows for more specialization. Individual agencies do not
                    have to train staff on IT functions and can focus on their business mandates. Trained
                    staff to implement, operate and maintain new enterprise environments.
               7.   The level of authority available in a single forest accommodates agencies without
                    complex security requirements

        Cons
               1.  Inflexible. All troubleshooting would have to be coordinated through ETS; agencies
                   will have no way of knowing what is going on within AD. Agencies will have to wait
                   for a central resource (ETS) to make services available. Since agencies don't control
                   their environment, they will have to go through a centralized change process for
                   even the simplest of changes.
               2. Data isolation. Several agencies operate under a federal mandate which requires that
                   their data be isolated, and require authoritative control over data. There is no
                   boundary in a single forest environment to allow data to be easily isolated.
               3. Loss of control. Relying on a centralized system results in a loss of control over down
                   time by individual agencies. There is no opportunity for individual agencies to
                   creatively restore services. Agencies rely on one centralized body to restore services.
               4. Disparate treatment for different agencies. Life and safety issues must be first
                   priority in one forest. In the event of trouble or disaster, public safety agencies and
                   applications take precedence over other agency missions. Other agencies have lower
                   priority for service restoration, affecting their ability to meet their business mandates.
               5. Security. Security will have to be set at the highest level to protect those agencies
                   with most restrictive security needs. Agencies with extensive public interactions may
                   not require a high level of security and it will be more difficult for them to easily
                   accommodate the public.
               6. Loss of control. Loss of control over print sharing and data will affect individual
                   agencies' ability to recover in the event of a disaster.
               7. Rigid design limits ability in the future to adapt AD environment to new business
                   environments – especially at the individual agency level.
               8. Complex design. A single forest would require the same number of objects as
                   multiple forests, but the forest design would be more complex.
               9. Increased potential for enterprise-wide loss of service in one forest. There are many
                   areas where one person could make a change negatively affecting all customers.
               10. Potential bottleneck for delivery of services because the entire Enterprise is relying
                   on a limited number of positions in a single agency.
               11. Loss of agency-specific knowledge. In a decentralized environment, Domain
                   Administrators may perform other business functions within an agency, and are more
                   knowledgeable of and aligned with their agency's business requirements and mandates.
 Option B – Decentralized: Multiple Forest and Multiple Domain

        Overview
            A decentralized system for all state employees serving within the Executive Branch could
            still allow for a single authentication and support enterprise Exchange email,
            calendaring, and other messaging services. Distributed redundant authentication can still
            support centralized authentication, although cached authentication could be allowed.
            Domains and users should be configured similarly by departments to ease moving
            employees between departments. Additionally, the State will design Active Directory for
            other uses such as File and Print Services. Enterprise Technology Services (ETS) will
            assume responsibility for the maintenance of the enterprise suite of infrastructure
            services, but ownership and control of the objects within the enterprise will remain under
            agency discretion.



             [Figure: Multiple Forests Federated. A central Alaska.gov forest (Policy) holds the enterprise
             service OUs and their servers (Exchange OU, Sharepoint OU?, VOIP OU?, OCS OU?). Federated Trusts
             connect it to separate agency forests, each shown with its own Policy, Server, and Group and User
             objects: DOT.Alaska.gov, Educ.Alaska.gov, DMVA.Alaska.gov, HSS.Alaska.gov, DEC.Alaska.gov,
             Law.Alaska.gov, Fish.Alaska.gov, Corr.Alaska.gov, Labor.Alaska.gov, Commerce.Alaska.gov,
             DPS.Alaska.gov, Revenu.Alaska.gov, DNR.Alaska.gov, DOA.Alaska.gov, Gov.Alaska.gov.]

             Multiple Forests Federated
             This design model for Active Directory has multiple forests. Each domain organizes local units as
             either unique subdomains or organizational units according to its needs. Each domain root may
             establish its own unique schema and configuration settings. The user pool is maintained in the
             agency domain. Users, when authorized, have rights to access resources in other agency domains.



             * Maximum hierarchical flexibility
             * Distributed Active Directory Administration (more effort – more flexibility)
             * Most User Objects would exist in the Alaska.gov domain
             * Trusts would need to be established between forests (more effort – more data isolation)
             * Multiple forests would allow for multiple schemas (more effort – more flexibility, more numerous but less complex schemas)
             * Requires more servers to act as Domain controllers (2 per agency at minimum)




Option B – Decentralized: Multiple Forest and Multiple Domain, cont.

        Pros
               1.   Flexible design. Gives State more flexibility (than single forest) to adapt AD
                    environment to new business needs.
               2.   Well defined security boundaries and liabilities. Security breaches are easier to
                    identify and risk to the enterprise is minimized in the event of a compromise.
               3.   Scope and scale of system failures are limited. Problems only affect that portion
                    of the system.
               4.   Responsive to individual agency needs. Allow organizations to respond more
                    quickly to changing business or technical requirements.
               5.   More productive development environment to meet individual agency needs
               6.   Individual agencies have more leverage over Domain Administrators if they
                    work for agency, as opposed to if they report to ETS.
               7.   Agency staff develop more knowledge of individual agency business
                    requirements and needs than centralized staff.

        Cons

               1.   Duplicate efforts. Every department must have their own forest.
               2.   More hardware and redundant hardware costs. Physical hardware to support
                    each forest is required.
               3.   Agency staff may lack in-depth technical knowledge, e.g. schema. Smaller,
                    individual agencies may not have the ability to maintain subject matter experts in
                    AD.
               4.   More stringent change management processes required.
               5.   Requires more staff statewide. Harder to achieve economies of scale for staffing
                    in smaller locations/rural areas.
               6.   May be more difficult for individual agencies to provide specialized services
                    such as fax services, VoIP or Office Communication Services due to lack of
                    technical knowledge.
               7.   Duplicate processes for installation and configuring software must be
                    created/maintained by each department.




Option C - Recommended Approach – Blended Forest and Multiple
Domain

        Overview
            Under this alternative, each department would have the option of electing to manage
            their own forest. An approval process would be established for a department to request
            their own forest. TMC will develop a bulleted list of why an agency might need or want
            an agency forest and include recommendations for a request/review/approval process.

            Common services can work if a user object is in a department forest, depending on the
            trust relationship that is built.

            The centralized, or enterprise, forest will be used to provide enterprise services. If a
            department wants to consume these services, e.g. Exchange, their IT staff must design
            how to consume services or move user objects to the central forest in order to consume
            services. An agency's business needs will determine what they do.

            Enterprise Technology Services will maintain a centralized forest for Exchange and for
            departments who do not want to manage their own forest. While an open environment
            such as this will require more involvement by agencies and more resources to manage, it
            lends itself to enterprise efficiencies. Keeping the model and architecture as open as
            possible will position Alaska to take advantage of future possibilities.

             [Figure: SOA Forest. The Alaska.gov domain (Policy) holds the enterprise service OUs and their
             servers (Exchange OU, Sharepoint OU?, VOIP OU?, OCS OU?); agency OUs with user objects, group
             objects and servers (DEC, DNR, F&G, Revenue, Commerce, Labor, Educ., Gov, DOA, HSS, DOT); and
             agency subdomains, each with its own policy (Law, DMVA, DPS, Corr.). Federated Trusts connect
             the SOA Forest to separate agency forests, each with its own policy, server and group objects
             (DPS.Alaska.gov, Educ.Alaska.gov, Labor.Alaska.gov, DEC.Alaska.gov, HSS.Alaska.gov).]

                           PLEASE NOTE – THIS IS AN EXAMPLE OF A LAYOUT. THIS IS NOT HOW SPECIFIC
                                                AGENCIES WOULD BE DEPLOYED.




             Blended Approach
             This approach is similar to the single/single approach but allows flexibility for security, development, and other requirements.
             Most of the user objects exist in the Alaska.gov domain – where they do not, the agency in question agrees to forgo enterprise
             services (like Email for VOIP). This approach allows aspects of both the “single/single” model and the “forests for everyone”
             approach.
             This approach would benefit substantially if we implemented Windows 2008 rather than Windows 2003.




Option C - Recommended Approach – Blended Forest and Multiple
Domain, cont.

        Pros

               1. The central forest would provide a stable environment for other agencies which
               includes consolidated email, calendaring, etc.

               2. An ENTERPRISE Directory – for Exchange email, SharePoint, OCS – will allow
               commonality of a shared platform but the State could still have separate forests or
               integrated forests to allow agencies to leverage directory of record. One approach would
               be to build user objects in an agency forest with a trust relationship to the common
               directory.

               3. Allows those departments with a significant business need for a forest of their own to
               have one. For example, a significant business need may be related to information
               security.


        Cons
                   1.   Requires more involvement by agencies.
                   2.   Requires more resources to manage, both technically and for high level oversight
                        as departments request approvals for their own forests.




IT Services Impacted by AD – Support Considerations and
Recommendations

        Common Services – such as calendaring and email – are very important. TMC is in favor
        of creating an environment that will allow for common services. This section describes
        the TMC's recommendations about how support should be provided and how common
        IT services should be defined.

        In this section, the names enclosed in parentheses identify TMC recommendations for
        whether this should be an enterprise (Enterprise), departmental (Department), or both
        enterprise and departmental (Both) responsibility.

        TMC's recommendations for common IT services are summarized in the table below:



                      Summary of Recommendations for Common IT Services
              IT Service                        Recommendation                                Responsibility
         Collaboration Tools   Address after AD Project                                Both
         Desktop Provisioning  1. State should purchase services for                   Enterprise
                               provisioning & asset recovery; including
                               requirement to send certified document of all
                               assets recovered to meet security requirement.
                               2. Contract management should occur at the
                               enterprise level, as should disposal of old PCs.
                               3. Implement Enterprise PC replacement cycle.
         Desktop Support       1. Establish a process to allow coordination            Initially Dept, working
                               among departments with onsite visits to remote          toward Enterprise
                               locations.
                               2. Establish statewide procedures and common
                               processes for all departments to use.
         File Server           1. TMC recommends that agencies be able to              Both
         Consolidation         deploy non-consolidated file & print servers. AD
                               file structure and naming conventions should be
                               designed to accommodate shared file services.
                               2. Establish a process to allow coordination
                               among departments for onsite visits and shared
                               servers for remote locations.
         Help Desk Services    Adopt the following definition for levels of help       Both
                               desk support:
                               - Self service: Enterprise solution to password
                               resets and changes which includes automated
                               self-serve process
                                - Level 1: Password resets, basic MS Office
                               questions, field initial calls, typically resolved on
                               the phone during the initial call.
                               - Level 2: On-Site resolution is needed
                               (physically or remote control).
                               - Level 3: Subject matter expert, software
                               developer is needed to resolve.
        Integration with VoIP    Integrate VoIP into the enterprise AD                  Enterprise
        LANDesk                  All departments should adopt the use of                Both
                                 LANDesk. The use of common toolsets and
                                 methodologies by all departments can position
                                 the State to leverage enterprise initiatives such as
                                 Desktop Provisioning & Helpdesk Support and
                                 enhance the State’s desktop and server security
                                 management.
        Patch Services           All departments should implement LANDesk               Both:
                                 Patch Management services and enterprise               Servers = Dept
                                 participation in the patch management process          Workstations = Enterprise
                                 should be designed and implemented.
        Printers                 Implement a bulk purchase program.                     Both
        SharePoint               A set of SharePoint guidelines should be               Both
                                 developed for Departments to follow.
        Training                 1. ETS should conduct an End User training             Both
                                 survey and a Technical training survey to
                                 determine what training is needed.
                                 2. ETS should coordinate procurement and
                                 scheduling of enterprise technical training
                                 courses. Research should be done to determine
                                 the optimal training delivery options for end
                                 users.
        Utility Services         Security and monitoring tools should be selected       Enterprise
                                 for the enterprise. These services should be
                                 deployed and managed on an enterprise basis
                                 with services available to all state agencies.



        Collaboration Tools (Both)
                         Recommendation Address after AD Project

        Desktop Provisioning (Enterprise)
               Procurement, configuration and deployment of PCs with standard software can be
               accomplished at the enterprise level by working with a vendor – e.g., Dell, IBM, etc. - to
               establish a number of images from which agencies can select when ordering a new PC. A
               vendor will provision a desktop with a standard image and ship directly to the office.
               Contract management should occur at the enterprise level, as should disposal of old PCs.
               This provides an opportunity for the state to reduce acquisition and support costs and
               provide a managed cycle replacement.
                        Recommendation 1 State should purchase services for provisioning & asset
                        recovery; including requirement to send certified document of all assets
                        recovered to meet security requirement.
                        Recommendation 2 Contract management should occur at the enterprise level, as
                        should disposal of old PCs.
                        Recommendation 3 Implement Enterprise PC replacement cycle.


        Desktop Support (Initially Departmental, working toward Enterprise)
               Most desktop support is done remotely. General office software support should be
               available at the enterprise level. However, until standardized desktops are fully
               provisioned, support should remain departmental. Statewide policies, procedures and
               common processes should be developed that all departments follow.
                       Recommendation 1. Establish a process to allow coordination among
                       departments with onsite visits to remote locations.
                       Recommendation 2. Establish statewide procedures and common processes for
                       all departments to use.

        Email Services (Enterprise)
               The enterprise will provision email servers and services.

        File Server Consolidation (Both)
              Base images, delivery and disposal can be accomplished at an enterprise level.
              Agency support for file and print server consolidation is divided. To further this
              discussion, TMC has prepared the following table:
          Non-Consolidated Server
           - Disaster Recovery is faster on smaller servers.
           - Less expensive to manage a discrete unit of people on a server
           - Microsoft servers work better with multiple small-mid size servers rather than
             one ‘super-size’ computer
           - Easier to manage privacy and business needs with agency servers
           - Departments want to be able to control the directory structures
           - Performance will be better

          Consolidated Server
           - The larger costs are managing people on the server itself & security, which are
             not affected by consolidation
           - More risk if all on one server
           - No hardware quantity cost savings
           - One large server would not be less expensive than multiple smaller servers.
           - Patching and updates are more efficient
           - Cost of Recovery is higher
           - Cost savings related to FTE’s supporting the hardware

              Recommendation 1. TMC recommends that agencies be able to deploy non-consolidated
              file & print servers. AD file structure and naming conventions should be designed to
              accommodate shared file services.
              Recommendation 2 Establish a process to allow coordination among departments for
              onsite visits and shared servers for remote locations.

        Help Desk Services (Both)
               A 24x7 centralized point of contact to triage all help center calls should be established at
               the enterprise level. During the work day, the centralized contact would direct requests
               to individual agencies. The Enterprise call center would handle all calls after hours and
               on weekends. A self-service, automated process for resetting passwords would be
               implemented. Changing the levels to define enterprise levels will be difficult until the
               State has a common help desk system, enterprise provisioning and standardized remote
               control.
                        Recommendation Adopt the following definition for levels of help desk support:
                        - Self service: Enterprise solution to password resets and changes which includes
                        automated self-serve process
                         - Level 1: Password resets, basic MS Office questions, field initial calls, typically
                        resolved on the phone during the initial call.
                        - Level 2: On-Site resolution is needed (physically or remote control).
                        - Level 3: Subject matter expert or software developer is needed to resolve.
        Integration with Voice over Internet Protocol (VoIP) Phones (Enterprise)
              The current Cisco contract allows the contractor to tie into Enterprise AD at the end of
              the Telephone Replacement Project. Doing so would eliminate the significant
              administrative overhead currently associated with maintaining directory databases in the
              call managers. However, TMC is concerned that continuing with Cisco may leave the
              state with an orphaned product.
                       Recommendation Integrate VoIP into the enterprise AD

        LANDesk
              LANDesk Management Suite software has been selected as the State of Alaska’s standard
              for Asset Management (inventory, discovery and tracking of computers), Remote
              Control, Patch Management, and Application Deployment services.

              LANDesk has been adopted for use by the following agencies:
                   Department of Public Safety
                   Department of Transportation and Public Facilities
                   Department of Labor
                   Department of Commerce
                   Department of Health & Social Services
                   Department of Administration
                   Department of Natural Resources
                   Department of Law
                   Department of Fish & Game
                   Department of Corrections

              LANDesk has not yet been adopted by the following agencies:
                   Department of Environmental Conservation
                   Governor’s Office
                   Department of Military & Veterans Affairs
                   Department of Education & Early Development
                   Department of Revenue

                      Recommendation All departments should adopt the use of LANDesk. The use of
                      common toolsets and methodologies by all departments can position the State to
                      leverage enterprise initiatives such as Desktop Provisioning & Helpdesk Support
                      and enhance the State’s desktop and server security management.

           Patch Services – (Both: Servers = Department, Workstations = Enterprise)
                      LANDesk can be used to manage and deploy Patch Services for security and
                      functional upgrades on servers and workstations.

                      Server patching is typically a complex process with many dependencies that
                      must be evaluated. Server patching should follow State of Alaska security
                      requirements, but should remain a departmental responsibility to ensure that
                      agency-specific mission critical applications are patched and secured in a manner
                      that ensures the viability of these services.

                      Workstation patching will initially be accomplished through departmental
                      application of patching through LANDesk, but is envisioned to migrate toward
                      more of an enterprise service over time as the State moves toward a commonly
                      shared desktop environment. Workstation patch distributions could be created
                      and published through an enterprise service and implemented by agency staff.
                     Use of a common toolset such as LANDesk would enable verification of patch
                     deployment results (% of success), would enable installation of patches with
                     required rebooting to be scheduled for non-business hours, and could reduce the
                     time required for the State to respond to critical patching requirements.
                     Provision needs to be made to accommodate exception requests for specific
                     groups within agencies based on business needs. A waiver process will include
                     an alternative patch management plan to ensure that the State’s security
                     requirements are being met.
                             Recommendation All departments should implement LANDesk Patch
                             Management services and enterprise participation in the patch
                             management process should be designed and implemented.

        Printers (Both)
             To best ensure responsiveness, printers are best maintained at the department level.
             However, printer purchase can and should be consolidated where it makes sense for
             economies of scale.
                             Recommendation Implement a bulk purchase program

        Server Backup & Recovery (Both – Enterprise and Departmental)
             Servers managed by ETS are ETS’s responsibility for backup and recovery. Departments
             are responsible for backup and recovery of their own equipment.

        SharePoint (Both)
             SharePoint Portals (Internet) will need to be implemented in such a way that they can be
             subordinated to a central SharePoint Portal in the future. Office SharePoint (Intranet)
             may be deployed along with other applications in each agency. Office SharePoint
             implementations will be authenticated against the Enterprise Active Directory in case
             other agencies need access to the Office SharePoint applications created. A set of
             implementation guidelines will be necessary for Agencies implementing SharePoint
             Portal. An Enterprise SharePoint implementation is a post-Enterprise Active Directory
             project.
                      Recommendation A set of SharePoint guidelines should be developed for
                      Departments to follow.

        Training (Both)
             Currently the State does not have a way to plan for and coordinate IT training. Ongoing
             IT training is required for both end users and technical staff. Holding classes in Alaska
             instead of flying individuals down south for training can save the State significant
             dollars. The Exchange and Active Directory projects along with the Enterprise
             Agreement with Microsoft have created more training needs. Employees could benefit
             from shared training opportunities.
                      Recommendation 1. ETS should conduct an End User training survey and a
                      Technical training survey to determine what training is needed.
                      Recommendation 2. ETS should coordinate procurement and scheduling of
                      enterprise technical training courses. Research should be done to determine the
                      optimal training delivery options for end users.




        Utility Services (Enterprise)
              Centralized utility services should be coordinated at an enterprise level for anti-virus
              definitions and updates, LANDesk, data backup and recovery, real-time network
              performance monitoring, and security.
                       Recommendation Security and monitoring tools should be selected for the
                       enterprise. These services should be deployed and managed on an enterprise
                       basis with services available to all state agencies.




Roles and Responsibilities for Active Directory

          AD Project Management Team: Create and manage overall project plan and
          schedule and provide direction and tasks for the TAG. Responsible for communications
          with Agencies and for integrating approved changes into the scope of work. Responsible
          for overall design and rollout of the enterprise service offerings. Confirm proposed
          changes are technically sound and correctly implemented. Responsible for Contractor
          resource coordination and quality assurance.

          Administrative Services Team (AST): Consists of Administrative Service
          Directors (ASDs) of each department. The AST reviews and approves recommendations
          from the TMC that have fiscal impacts and follows up with departmental staff to ensure
          they are keeping on schedule.

          Configuration Management Board (CMB): Consists of one representative from
          each department, plus one representative each from ETS’s Security, Mid-Tier, and
          Network sections. Representatives are appointed by the department’s Administrative
          Services Director. Responsible for reviewing any proposed changes affecting the
          enterprise network, directory and/or messaging infrastructure and ensuring that a
          structured process is used to consider proposed changes and incorporating them into the
          enterprise directory and messaging infrastructure. The CMB shall request that impact
          analysis of proposed changes be performed when necessary, review CMB requests, make
          decisions and communicate decisions made to affected groups and individuals. The
          department’s Designated IT Manager or ASD can escalate a CMB decision to the TMC
          Coordinator in ETS, who will schedule the matter for TMC review. If the Designated IT
          Manager or ASD notes such an escalation in the USD ticket documenting the CMB
          request/decision, the CMB decision will not be implemented until the TMC has reviewed
          the appeal.

          Enterprise Investment Board (EIB): A five-person board consisting of the
          Commissioner of the Department of Administration, The Governor’s Chief of Staff, The
          Director of the Governor’s OMB, the Chair of the Administrative Services Team and the
          Chair of the Technology Management Council. This board is the top IT governance body
          in the State of Alaska, answering to the Office of Management and Budget and tasked
          with allocating IT portfolio investments, authorizing IT project investments, monitoring
          IT portfolio investments and leveraging IT commonalities across the enterprise. Reviews
          and approves recommendations from the TMC for the AD project. Final arbitrator when
          decisions cannot be made at a lower level.

          Technical Advisory Group (TAG): The Technology Advisory Group is made up
          of representatives from each agency and ETS and acts as a technical review board
          for the Enterprise Active Directory & Messaging Services project. The TAG will
          ensure that department requirements are met; will work with ETS to create
          policies, procedures, and processes to manage the new directory and messaging
          services; will represent the departments in communicating departmental tasks
          and reporting on status. The TAG will communicate necessary project
          information to their departmental IT staff.


        Technology Management Council (TMC): The Technology Management
        Council consists of the Chief Technology Officer (ETS Director) and one
        representative from each of the 6 Service Areas. This group is tasked with
        providing technical review and advice to the Administrative Services Team
        (AST) and the EIB, certifying compliance with Enterprise IT Standards,
        maintaining the relevance of Enterprise IT standards, approving exceptions to
        the IT standards, and evaluating and recommending Enterprise IT Policy. Reviews
        and approves TAG work products. Reviews and arbitrates departmental appeals
        of CMB decisions.




Glossary of Terms

          Authentication - The act of establishing or confirming something (or someone) as
          authentic, that is, that claims made by or about the thing are true. Authentication of an
          object may mean confirming its provenance. Authentication of a person often consists of
          verifying their identity. In computer security, authentication is the process of
          attempting to verify the identity of the sender of a communication such as a request to
          log in. The sender being authenticated may be a person using a computer, a computer
          itself or a computer program. Single Authentication is the concept of a user verifying
          their identity once in order to gain authorization for all of the resources that they need
          to perform their job.


          Authorization - In security engineering and computer security, authorization is a
          part of the operating system that protects computer resources by only allowing those
          resources to be used by resource consumers that have been granted authority to use
          them. Resources include individual files or items of data, computer programs, computer
          devices and functionality provided by computer applications. Examples of consumers
          are computer users, computer programs and other devices on the computer.


          Domain: A logical group of computers running the Microsoft Windows operating
          system that share a central directory database. This central database, known as the Active
          Directory, contains the user accounts and security information for the resources in that
          domain. Each person who uses computers within a domain receives his or her own
          unique account, or user name. This account can then be assigned access to resources
          within the domain. The computers in a domain can share physical proximity on a small
          LAN or they can be located in different parts of the world. As long as they can
          communicate, their physical position is irrelevant.

                  Child domain. A child domain is a member domain of a Windows Active
                  Directory but is not the root domain of that Active Directory.




                  [Figure: a Root Domain with two Child Domains beneath it.]




        Domain Administrator: This is a group on Windows 2000 and Windows 2003
        Domain Controller (DC) servers. Its members are allowed administrative privileges for
        the entire domain. By default the group has the local Administrator account on the
        Domain Controller.

        Enterprise Active Directory: The Enterprise Active Directory will be the
        authoritative Active Directory (AD) authentication service for the State of Alaska.
        Centralized services will be provisioned to authenticate against this AD. New
        applications developed for the Enterprise or with potential multi-agency use will be
        developed to authenticate against this AD rather than LDAP or possible Agency ADs.

        Forest: At the top of the Active Directory structure is the Forest; a collection of one or
        more domains that share a common schema, configuration, and global catalog. It is the
        collection of every object, its attributes and rules in the AD. The forest holds one or more
        transitive, trust-linked Trees. A tree holds one or more domains and domain trees, again
        linked in a transitive trust hierarchy. Essentially, trees are aggregated together via trusts
        to create a "forest".

        Global Catalog: The global catalog is a distributed data repository that facilitates
        searching and logons in an Active Directory forest. The global catalog allows users and
        applications to locate objects in any domain in the forest by searching on an important
        attribute of the object (for example, search on the user’s last name to locate the user object
        or search on a building name to find a printer in that building). One or more domain
        controllers are designated as global catalog servers because they host the global catalog,
        which is built automatically by the Active Directory replication system.

        Group Policy object (GPO): A logical concept that is used to represent a single
        collective set of computer and/or user policies. It is given a unique name, such as a
        globally unique identifier (GUID). A GPO can be associated with one or more Active
        Directory containers, such as a site, domain, or organizational unit. Multiple containers
        can be associated with the same GPO, and a single container can have more than one
        associated GPO.

        Objects: Objects in the database can include printers, users, servers, clients, shares,
        services, etc. and are the most basic component of the directory.

        Schema: A schema defines the list of attributes that describe a given type of object. For
        example, let's say that all printer objects are defined by name, type and speed attributes.
        This list of attributes comprises the schema for the object class "printers". The schema is
        customizable, meaning that the attributes that define an object class can be modified.

        SharePoint: A new server program that is part of the 2007 Microsoft Office system.
        This product can be used to facilitate collaboration, provide content management
        features, implement business processes, and supply access to information that is essential
        to organizational goals and processes. SharePoint sites can be created quickly to support
        specific content publishing, content management, records management, or business
        intelligence needs. It can also be used to conduct effective searches for people,
        documents, and data, participate in forms-driven business processes, and access and
        analyze large amounts of business data.
        Tree: A set of Windows NT/2000/2003 domains connected together through transitive,
        bidirectional trusts, sharing a common schema, configuration, and global catalog. All
        trees in a given forest trust each other through transitive bidirectional trust relationships.




        When a root domain and at least 1 child domain have been created, a "tree" is formed.
        You can see that the structure begins to take the shape of a tree with branches and sub-
        branches.




        Trust Relationship (Transitive Trusts): An automatic trust association between
        parent and child domains and between root domains in a Windows Active Directory
        forest. For example, if domain A trusts B, and B trusts C, then A automatically trusts C.

        User Object: This is an object with specific attributes in the Active Directory, and that
        represents an individual person.



