High Level Active Directory Design Logical Level
Project milestones (document map):
  Milestone 1  - Business Requirements Document
  Milestone 2A - Active Directory Design Process Document
  Milestone 2B - High Level Active Directory Design Document for Transport and Main Roads (this document)
  Milestone 3  - Proof of Concept Design
  Milestone 4A - Generic Design and Migration Process Document
  Milestone 4B - Project Closure Report
  Milestone 4C - Case study

Design & Proof of Concept for AD & ILM

Milestone 2B – High Level Active Directory
Design



 Date       Name             Position                                Action required (Review/Endorse/Approve)     Due date
 30/11/09   Simon Frappell   Infrastructure Consultant               Submitted for Internal Review                01/12/09
 02/12/09   Simon Frappell   Infrastructure Consultant               Submitted for SWoG Review                    09/12/09
 15/12/09   Roland Baier     Program Director, Foundation Services   Submitted for steering committee approval    15/12/09




Prepared by                Simon Frappell
Branch/District            Foundation Services Program
Division/Region            Business Solutions Delivery
Location                   477 Boundary Street, Spring Hill
Version no.                1.0
Version date               10 December 2009
Status                     Final

Design and Proof of Concept for AD & ILM
Supported by the Queensland Government Microsoft Services Provision Fund




Document control sheet

Contact for enquiries and proposed changes
If there are any questions or suggestions for improvements regarding this document, please
contact:
Project Manager              Roland Baier
Phone                        0423 460 289

Version history

 Version no.   Date       Changed by                       Nature of amendment
 0.01          13/11/09   Simon Frappell                   Rough draft submitted informally to SWoG.
 0.02          30/11/09   Simon Frappell                   Minor changes throughout the document. Addition of Test/Dev section.
                                                           Addition of Migration Approach section. Addition of GEA section.
                                                           Inclusion of references and attachments.
 0.03          01/12/09   Simon Frappell                   Incorporated feedback from Avanade internal review.
                                                           Submitted for formal SWoG review.
 0.04          08/12/09   Simon Frappell                   Addition of Table of Figures and Table of Tables.
                                                           Update from Tracker v0.1 provided by SWoG members.
 1.0           11/12/09   Janine Threlfo, Roland Baier     Final quality review.




Department of Transport and Main Roads       Milestone 2B – High Level Active Directory Design         Page 2 of 89
Endorsement of Report
The following officers have endorsed this document.

Customer
Name            Greg Booth
Position        Director Strategy and Architecture (Enterprise Information and Systems)
Signature                                                                                  Date


Sponsor
Name            Mark Delbridge
Position        A/Executive Director Operations and Asset Solutions (Business Solutions Delivery)
Signature                                                                                  Date


The following officer has endorsed this document.

Name            Roland Baier
Position        Program Director Foundation Services (Business Solutions Delivery)
Signature                                                                                  Date




Contents

1          Introduction ................................................................................................................ 7
1.1        Background .................................................................................................................. 7
1.2        Summary ...................................................................................................................... 7
1.3        Purpose ......................................................................................................................... 8
1.4        In Scope........................................................................................................................ 8
1.5        Out of Scope................................................................................................................. 8
1.6        Audience ...................................................................................................................... 9
1.7        Assumptions ................................................................................................................. 9
1.7.1      Design .......................................................................................................................... 9
1.7.2      Migration ...................................................................................................................... 9
1.8        References .................................................................................................................. 10
1.9        Document Conventions .............................................................................................. 10

2          Report Stakeholders ................................................................................................ 12

3          Government Enterprise Architecture .................................................................... 14
3.1        Technology Domains ................................................................................................. 14

4          Guiding Design Principles ....................................................................................... 16
4.1        Active Directory Design Principles ........................................................................... 16
4.2        Transport and Main Roads Migration Principles ....................................................... 16

5          Logical Active Directory Architecture ................................................................... 18
5.1        Directory Services Architecture ................................................................................. 18
5.1.1      Forests and Domains Functional Levels .................................................................... 18
5.1.2      Flexible Single Master Operation (FSMO) Role Holders ......................................... 19
5.1.3      Domain Controller Placement .................................................................................... 21
5.1.4      Global Catalog Placement .......................................................................................... 22
5.1.5      Organisation Unit Topology ...................................................................................... 23
5.1.6      Sites and Replication .................................................................................................. 27
5.1.7      Group Policy .............................................................................................................. 33
5.1.8      Active Directory Naming Conventions...................................................................... 35
5.1.9      Security ...................................................................................................................... 38
5.1.10     Antivirus..................................................................................................................... 40
5.1.11     Remote Access Authentication .................................................................................. 41
5.2        High Level Network Infrastructure ............................................................................ 42
5.2.1      Enterprise WAN Data Network ................................................................................. 42
5.2.2      Enterprise ADSL Network ......................................................................................... 44
5.2.3      Enterprise Metropolitan Data Network ...................................................................... 45
5.3        Network Services (DNS, DHCP, WINS)................................................................... 46
5.3.1      DNS ............................................................................................................................ 46
5.3.2      DHCP ......................................................................................................................... 51

5.3.3      WINS ......................................................................................................................... 53
5.3.4      NTP - Time Synchronisation ..................................................................................... 53
5.4        Test and Development ............................................................................................... 55

6          Migration Approach ................................................................................................ 57
6.1        Background ................................................................................................................ 57
6.2        TMR Migration Milestones ....................................................................................... 57
6.3        Approach .................................................................................................................... 58
6.4        Migration Scope ......................................................................................................... 58
6.5        Requirements ............................................................................................................. 58
6.6        Migration Strategy Summary ..................................................................................... 59
6.6.1      Avanade Connected Methods for Technology Infrastructure .................................... 60
6.6.2      Phased Migration ....................................................................................................... 60
6.6.3      Deployment Strategy.................................................................................................. 61
6.7        Plan & Analyse stage ................................................................................................. 62
6.7.1      Discover and Gather Information on Existing Environment ..................................... 62
6.8        Reiterative Design, Build, Test stage ......................................................................... 65
6.8.1      Develop Active Directory Detailed Design ............................................................... 66
6.8.2      Develop Detailed Migration Design .......................................................................... 67
6.8.3      Develop Corporate AD Deployment Plan ................................................................. 67
6.8.4      Establish Infrastructure Lab ....................................................................................... 68
6.8.5      TMR Migration Milestone – Design Completion and Sign off ................................. 69
6.9        Deploy stage ............................................................................................................... 70
6.9.1      TMR Migration Milestone – Deploy Corporate AD to Data Centre ......................... 70
6.9.2      TMR Migration Milestone – Deploy Corporate AD to Pilot Site.............................. 74
6.9.3      TMR Migration Milestone – Deploy Corporate AD to all Production Sites ............. 79
6.10       TMR Priorities and Next Steps .................................................................................. 82
6.10.1     Develop the High Level Design and Migration Approach into Detailed Design
           documents .................................................................................................................. 82
6.10.2     Novell File Services ................................................................................................... 83
6.10.3     Novell Print Services ................................................................................................. 83
6.10.4     Novell ZENWorks ..................................................................................................... 84
6.10.5     Migration of SHOCAD infrastructure ....................................................................... 84
6.10.6     Migration of Tactical AD applications ...................................................................... 85

7          Appendix A. – Attachments .................................................................................... 86
7.1        TMR BRS - Active Directory Services ...................................................................... 86
7.2        Requirements Traceability Matrix ............................................................................. 86
7.3        Conceptual Design - Active Directory Services ........................................................ 86
7.4        Active Directory for SharePoint Server Detailed Design Document ........................ 86
7.5        MR Infrastructure Discovery ..................................................................................... 86
7.5.1      MR Site Audit Report ................................................................................................ 87
7.6        Transport Discovery for TMR AD & ILM POC ....................................................... 87

8          Appendix B. – Definitions ........................................................................................ 88
Table of Figures
Figure 5-1 - Transport and Main Roads Active Directory ....................................................... 18
Figure 5-2 - High Level Organisation Unit Structure .............................................................. 24
Figure 5-3 - Domain Controller Placement Decisions ............................................................. 29
Figure 5-4 - Site Topology Design ........................................................................................... 31
Figure 5-5 - Logical Site Replication Topology ...................................................................... 32
Figure 5-6 - TMR Group Strategy............................................................................................ 40
Figure 5-7- QT Remote Access Architecture ........................................................................... 41
Figure 5-8 - TMR Enterprise WAN DATA Network Diagram ............................................... 42
Figure 5-9 - Enterprise ADSL Network Diagram .................................................................... 44
Figure 5-10 - Metropolitan Area Network Diagram ................................................................ 45
Figure 5-11 - Logical DNS Topology ...................................................................................... 47
Figure 5-12 - Conditional Forwarding Examples .................................................................... 49
Figure 5-13 – DHCP and Dynamic DNS ................................................................................. 52
Figure 5-14 - Time Synchronisation ........................................................................................ 55
Figure 6-1- Deploy Corporate AD to Data Centre ................................................................... 70


Table of Tables
Table 1 - References ................................................................................................................. 10
Table 2 - Report Stakeholders .................................................................................................. 13
Table 3 - FSMO Role Placement ............................................................................. 20
Table 4 – Site Tiering Rules ..................................................................................................... 27
Table 5 - Estimated Number of logical sites per tier................................................................ 27
Table 6 - Site Tier Breakdown ................................................................................................. 31
Table 7 - Server naming convention ........................................................................................ 35
Table 8 - Group naming convention ........................................................................................ 36
Table 9 - Group policy object naming ..................................................................................... 37
Table 10 - Migration Requirements ......................................................................................... 59




1 Introduction

1.1 Background
Prior to the amalgamation of the Qld Transport and Main Roads, Main Roads worked with Avanade in
preparing a submission to the Queensland Government GITC Services Provision Fund (SPF). The
submission sought funding for a Proof of Concept (POC) of the Microsoft products, Server 2008
Active Directory (AD) and Identity Lifecycle Manager (ILM). As a result two streams of work were
commissioned:
     1. The creation of a High Level Design for an Active Directory.
     2. The design and conduct of a Proof of Concept Lab.
This document is a component of “The creation of a High Level Design for an Active Directory”
stream of work for the Department of Transport and Main Roads (TMR). In the past months, through
discovery work, requirements gathering and design processes, the project has produced a "Business
Requirement Specifications" document and an "Active Directory Conceptual Design" document, both
of which are important inputs for this High Level Design of Windows Server 2008 Active Directory
for TMR.


1.2 Summary
With Active Directory, TMR will be introducing a technology that enables connectivity throughout the
organisation. In essence Active Directory is an enterprise directory that provides management of users,
groups and computers, and that authenticates and authorises access to network resources.
Transport and Main Roads' requirements have been used as the basis for the Conceptual Active
Directory structure. During the conceptual design it was determined that Transport and Main Roads'
Active Directory will use the single forest, single domain model, as it is the easiest to administer, the
least expensive to maintain, and the best model to support structured collaboration. The Active
Directory is to be named "CORPORATE.LOCAL" and will represent the Active Directory internally; the
name is private and will not be visible to the internet or to external entities such as other government
agencies or partners. For consistency, TMR's Active Directory will be referred to as the Corporate AD
for the rest of this document.
The site topology is designed to make the most efficient use of TMR's current network topology, with
the goal of ensuring that logon and other Active Directory traffic stays within the local TMR network
before crossing a WAN link. The design takes site redundancy into account and will use the Polaris
site as a redundant Active Directory site.
Corporate AD will operate under its own independent Active Directory-integrated DNS zone. All
existing TMR core network services (DNS, DHCP and NTP) will be used, with a strong focus on
coexistence with the Corporate AD.
For the management of user and computer objects in Corporate AD, the Organisational Unit hybrid
model was selected. It offers more flexibility than the other models for administrative delegation of
Active Directory objects and for the application of Group Policies, which will enable TMR
administrators to work efficiently and effectively.
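As an added check, not part of the original TMR design document, the following PowerShell script verifies a built Corporate AD against the decisions stated in this summary: one forest containing only corporate.local, an Active Directory-integrated DNS zone for that domain, and the top-level OUs of the hybrid OU model. It assumes the RSAT ActiveDirectory and DnsServer modules are available on the machine it runs from. The secure-only dynamic update check goes beyond what the summary states and is included as a practitioner safeguard; the OU names it looks for are assumptions for illustration, since the actual OU topology is defined in section 5.1.5 rather than here.

```powershell
# Added example, not part of the TMR design document. Verifies a built
# Corporate AD against the design decisions in the summary above.
# Assumes the RSAT 'ActiveDirectory' and 'DnsServer' modules are installed
# and that the caller holds read access to the forest and the DNS server.
Import-Module ActiveDirectory -ErrorAction Stop
Import-Module DnsServer -ErrorAction Stop

$expectedDomain = 'corporate.local'
$findings = @()

# 1. Single forest, single domain: the forest must contain exactly one domain,
#    and that domain must be corporate.local.
$forest  = Get-ADForest
$domains = @($forest.Domains)
if ($domains.Count -ne 1 -or $domains[0] -ne $expectedDomain) {
    $findings += "Forest '$($forest.Name)' contains [$($domains -join ', ')]; expected only '$expectedDomain'."
}

# 2. AD-integrated DNS zone. The summary only requires AD integration; the secure-only
#    dynamic update check is an added safeguard, because 'NonsecureAndSecure' lets any
#    host on the network overwrite records, including the DCs' own A and SRV entries.
$pdc  = [string](Get-ADDomainController -Discover -DomainName $expectedDomain -Service PrimaryDC).HostName
$zone = Get-DnsServerZone -ComputerName $pdc -Name $expectedDomain -ErrorAction Stop
if (-not $zone.IsDsIntegrated) {
    $findings += "Zone '$expectedDomain' on $pdc is not AD-integrated (ZoneType=$($zone.ZoneType))."
}
if ($zone.DynamicUpdate -ne 'Secure') {
    $findings += "Zone '$expectedDomain' accepts '$($zone.DynamicUpdate)' dynamic updates; expected 'Secure'."
}

# 3. Hybrid OU model: delegation and Group Policy hang off top-level OUs. The names
#    below are assumptions for illustration; the real topology is in section 5.1.5.
$domainDN = (Get-ADDomain -Identity $expectedDomain).DistinguishedName
foreach ($ouName in 'Users', 'Computers', 'Groups', 'Staging') {
    $ou = Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel
    if (-not $ou) { $findings += "Top-level OU '$ouName' not found directly under $domainDN." }
}

if ($findings.Count -eq 0) {
    Write-Output "Corporate AD matches the checked high level design decisions."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it from a management workstation joined to the domain; each deviation is reported as a warning so the script can be rerun after each migration milestone without modification.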




This document provides the next step in the design process by evolving the conceptual design. It
incorporates more concrete decisions about system components, such as construct, function, usage,
placement and integration based on the conceptual design.
This document also offers a migration approach which defines the viable migration options and
processes for reaching the TMR Migration Milestones, and develops the best high level approach based
on the project scope, goals and requirements. The migration approach starts from the current state of
Novell eDirectory and a tactical Active Directory implementation, identifies the TMR Migration
Milestones that each achieve a particular objective, and describes how those objectives work towards
the common goal of decommissioning the Novell infrastructure.


1.3 Purpose
The "High Level Active Directory Design" document describes the overall Active Directory
architecture, domain model and network services necessary to support the conceptual design and
requirements identified by the Department of Transport and Main Roads (TMR). This document is
intended to:
         - Provide sufficient technical detail to develop a detailed design.
         - Provide a high level migration approach for the implementation of the designed Active
           Directory Domain Services.
         - Provide a reference point for on-going technical support and other internal TMR technical
           groups.
Where appropriate, design decisions will be made and documented. These decisions will be based on
TMR's business and technical requirements, architectural best practice guides, Avanade's industry
experience and the guiding design principles. Where multiple design options are available these will
be identified. Some parts of the design will depend on infrastructure resources already deployed within
the TMR environment; in these cases the dependencies will be noted and validated.


1.4 In Scope
The results of this design work will inform strategic direction for how the integration of systems
within the IT environment may be achieved when using a single centralised source of information. The
design was created in anticipation of future business and infrastructure requirements, allowing for
flexibility and extensibility. The following items are considered in scope for this document:
         - Logical design of Active Directory Domain Services for TMR.
         - Migration overview outlining the best high level approach based on the project scope, goals,
           and stated project requirements.


1.5 Out of Scope
The following items are considered out of scope for this document:
         - External Active Directory Domain Services.
         - Application Compatibility/Migration process.
         - Lotus Notes Application Compatibility/Migration process.
         - File Services consolidation/migration.


         - Software Deployment Services Migration.
         - Operational design or run guides.
         - Delegated Administration model.
         - Detailed design and configuration steps.


1.6 Audience
The intended audience for this document is the following:
         - Design and Proof of Concept for AD & ILM Project team members.
         - Transport and Main Roads technology stakeholders.
         - Transport and Main Roads Solution Working Group.
         - Whole of Government representatives.
         - Microsoft SPF Fund representatives.

         Note: This document is directed at a technical audience.


1.7 Assumptions
1.7.1      Design
         - A business continuity site is available for hosting the disaster recovery components of the
           design.
         - Network resiliency is capable of supporting 24x7 availability requirements for remote sites.
         - Existing anti-virus standards and processes are adequate to support the Corporate Active
           Directory infrastructure.
         - Virtualisation technologies will be used unless there is a justified reason not to.
         - VMware ESX Server is TMR's virtualisation solution of choice.
         - Information provided during the Request for Information is complete, up-to-date and
           accurate.
         - References to specific Active Directory site names or server names, for example, are subject
           to change.

1.7.2      Migration
         - The corporate.local AD implementation in the Spring Hill Office Complex, delivered as part
           of the SharePoint project, is complete.
         - The Novell IDM configuration is successfully replicating all user accounts from Novell to a
           staging area within the corporate.local domain.
         - The Novell IDM solution performs one-way synchronisation from Novell to Corporate AD,
           and all user account administration, such as name changes and password changes, occurs
           within Novell eDirectory.
         - Physical TMR sites with infrastructure function autonomously, as services are provided
           locally.




1.8 References
The following documents have been referenced in the development of this document and are
considered a part of the Active Directory High Level Design and Migration Approach:

           Document Reference                                          Comments
           TMR BRS - Active Directory Services                         Authored: Transport and Main Roads & Avanade Australia (Sep09)
           Conceptual Design - Active Directory Services               Authored: Transport and Main Roads & Avanade Australia (Oct09)
           Windows Server System Reference Architecture                Authored: Microsoft (Apr05)
           Microsoft Infrastructure Planning and Design –              Authored: Microsoft (Feb08)
           Active Directory Solution Accelerator
           Active Directory for SharePoint Server Detailed Design      Authored: Department of Main Roads & Avanade Australia (Oct09)
           Avanade Connected Methods for Technology Infrastructure     Authored: Avanade Australia (Oct06), updated (Feb08)
           Microsoft TechNet articles                                  Authored: Microsoft. Links provided as footnotes throughout
                                                                       the document
           MR Site Audit Report                                        Authored: Department of Main Roads (Sep08)
           MR Infrastructure Discovery                                 Authored: Department of Main Roads & Avanade Australia (Aug08)
           Transport Discovery for TMR AD & ILM POC                    Authored: Department of Main Roads & Avanade Australia (May09)
           QGCIO - Architecture and Information Standards              Authored: Queensland Government Chief Information Office (Apr09)
           QGCIO - Queensland Government Enterprise Architecture 2.0   Authored: Queensland Government Chief Information Office (Oct09)
           Departmental policies and standards: Information Security   Authored: Department of Transport and Main Roads (Jul08)
           Framework

                                                        Table 1 - References



1.9 Document Conventions
In order to assist the reader in identifying key pieces of information in this document, these will be
highlighted as follows:




Design Decision: This is a brief summary of a design decision. It highlights the key characteristic of
the decision, and is followed by an explanation.

Rationale – The reasoning or principle that underlies the design decision.

         Note: An additional piece of key information that may assist the reader in understanding a
         section of the document.








2 Report Stakeholders
           In preparing this document, consultation has occurred with each of the parties noted below:

 Stakeholder area | Stakeholder representative | Responsibility | Interest/context
 Queensland Government Microsoft Services Provision Fund | Scott McKinnon | Coordinate project interactions with the fund | This project has been supported by the Queensland Government Microsoft Services Provision Fund
 Transport and Main Roads | Julian Carroll | General Manager Business Solutions Delivery | Joint customer
 Transport and Main Roads | Cathi Taylor | General Manager Enterprise Information and Systems (CIO) | Joint customer
 Transport and Main Roads | Malcolm Sturges-Britton | Executive Director Operations and Asset Solutions (BSD) | Customer delegate; dependencies from TMR ICT Portfolio of work
 Transport and Main Roads | Greg Booth | Director Strategy and Architecture (EI&S) | Customer delegate; TMR technology strategy
 Transport and Main Roads | Mark Delbridge | Director Capability and Strategic Investment (BSD) | Project sponsor; TMR business solutions strategy
 Transport and Main Roads | Dom Lacanau | Director Business Infrastructure (EI&S) | Project user; TMR infrastructure operations
 Transport and Main Roads | Dennis McLaughlin | Director Business Applications (EI&S) | TMR business applications management
 Transport and Main Roads | Gavin Hitchcock | Director Business Services (EI&S) | EI&S business services coordination
 Transport and Main Roads | Leith Cunningham | Executive Director Delivery Solutions (BSD) | Dependencies from TMR ICT Portfolio of work
 Transport and Main Roads | Lloyd Carter | Director Information Governance (EI&S) | Provide direction in information policies and standards
 Qld Treasury | Paul Day | Manager Strategy and Architecture | Project user; coordinate Treasury participation
 CITEC | Adam Garner | IDES Solution Authority CITEC | Project user; provide expert advice regarding IDES program
 Avanade Australia Pty Ltd | Dean Oelkers | Avanade account manager | Account manage Avanade engagement with TMR; point of escalation for TMR sponsor

                                               Table 2 - Report Stakeholders








3 Government Enterprise Architecture
The High Level Active Directory Design for TMR aligns to the Government Enterprise Architecture
(GEA) in the following fashion.
[Figure: MR Technology Portfolio Wallchart V1.0, last updated 12-06-2008. The chart lays out the GEA
technology portfolio in five rows (Desktop & Productivity; Application Environments; Hardware, Devices &
Systems Software; Network; Management & Control) and lists the products in use under each category.
The Management & Control row contains a Security Software column with the categories Identity and Access
Management (Notes, Novell (QT), bespoke), Directory Services (Novell (QT)), PKI, Network Security,
Intrusion Prevention & Detection, Encryption, Antivirus & Antimalware, Content Filtering, Security
Administration Software, Security Event Management, Vulnerability Management and Security Information
Management. The Operating Systems column lists Windows NT4 Server OS, Windows 2000, 2003 and 2008 Server
OS, NetWare (6) Server OS, Linux Server OS and Sun Solaris 8, 9 Server OS, with Windows XP 2002 SP2 on
the desktop.]




3.1 Technology Domains
This section outlines the technology domains covered by this design, with reference to the GEA
Technology Portfolio Framework.

[Figure: Technology domains in scope, per the GEA Technology Portfolio Framework:
  Hardware, Devices & Systems Software > Operating Systems & Utilities > Operating Systems:
      Windows Server 2008 R2 OS
  Management & Control > Security Software > Identity and Access Management:
      Novell Identity Manager
  Management & Control > Security Software > Directory Services:
      Novell eDirectory Services; Microsoft Active Directory Services]








T-5.2.2 Directory Services
This domain includes components that map logical names to physical addresses in a network.
Directories are repositories for information about network-based entities such as applications, files,
printers, and people. Directory services provide a consistent way to name, describe, locate, access,
manage, and secure information about these resources.


T-5.2.1 Identity and Access Management
This domain includes systems that allow an enterprise to keep track of the many user accounts
throughout the enterprise - not only on in-house-designed applications but also on purchased packages
such as those from SAP and PeopleSoft. Sophisticated identity management systems contain
middleware that gives the ability to interoperate with many types of directory systems. An example of
such a system is Novell's nSure offering.
Access management services provide an enterprise with the ability to separate out authorised users of
their ICT systems from potential users not so authorised and, in the case of the former, allocate to the
user the pre-determined levels of access and capability. The system also provides management
functions such as adding new authorised users, deleting and modifying others, and changing the levels
and types of permission associated with each user.


T-3.5.1 Operating Systems
This domain includes the main control programs that run a computer and set the standard for running
application programs. It is the first program loaded when the computer is turned on, and it resides in
memory at all times. An operating system is responsible for functions such as memory allocation,
managing programs and errors, and directing input and output [Gartner]. Examples are IBM's
OS/400, an operating system for midrange computers, and Microsoft Windows for microcomputers.








4 Guiding Design Principles
As with any design it is beneficial to complete tasks with the end result in mind. Clearly defining the
guiding principles will ensure that the design will assist in achieving a broader strategy. In this design
there are two categories that these guiding design principles fall into: Active Directory Design and
Transport and Main Roads Migration.


4.1 Active Directory Design Principles
The following guiding design principles will be used to help shape the design for Transport and Main
Roads:
        Centralisation and consolidation of Active Directory infrastructure.
        Virtualisation is the preferred infrastructure platform.
        Reduce total cost of ownership.
        Capitalise on the investments made in the Network Services infrastructure.
        Gain efficiencies via optimisation and virtualisation technologies, asset management, and
         service management.
        Increase reliability and quality of enterprise directory services.
        Be compatible with the current and projected network operating system.
        Be compatible with the current and projected infrastructure servers.
        Align with WoG initiatives.


4.2 Transport and Main Roads Migration Principles
The following prioritised guiding design principles will be used to help shape the sequencing of
activities in the migration approach for Transport and Main Roads:
         Minimise disruption to the production environment:
             o      Maintain user access to data and resources during and after the migration.
             o      Maintain user access to applications during and after the migration.
             o      Maintain usability and performance during and after the migration.
         Reduce Risk and Maximise "quick wins":
             o      Consider a phased approach versus a big bang.
             o      Deploy key features first.
         Minimise administrative overhead:
             o      Minimise the coexistence period.
             o      Create a seamless migration of user accounts.
             o      Maintain users' passwords.
             o      Minimise the number of workstation visits by Administrators or support personnel.
             o      Maintain permissions to resources.
             o      Automate where possible.
         System security:





             o      Lessen impact on the security policy, other than improving it.








5 Logical Active Directory Architecture

5.1 Directory Services Architecture
5.1.1      Forests and Domains Functional Levels
The Transport and Main Roads Active Directory architecture is based on a single-domain forest
model. The domain name will be corporate.local.
Domain and forest functionality, introduced in Windows Server 2008 Active Directory, provides a
way to enable domain-wide or forest-wide Active Directory features within the TMR network
environment. Different levels of domain functionality and forest functionality are available, and the
selection of these forest functional and domain functional levels restricts the operating system of the
domain controllers that can exist in the TMR corporate.local domain.
If all domain controllers in corporate.local are running Windows Server 2008 R2 and the functional
level is set to Windows Server 2008 R2, all domain-wide and forest-wide features are available. When
a domain or forest contains domain controllers running a mixed group of operating systems (Windows
NT 4.0, Windows 2000, Windows 2003, Windows 2008 'vanilla' or R2) Active Directory features are
limited. Thus, to maximise the functionality of the corporate.local AD infrastructure the forest and
domain functional level will be raised to Windows Server 2008 R2. Windows 2008, Windows 2003,
Windows 2000 and Windows NT 4.0 domain controllers will not be supported in corporate.local.
Transport and Main Roads Active Directory infrastructure consists of a single AD forest and a single
domain. The Domain Name System (DNS) namespace for the domain is corporate.local. The
NetBIOS name is Corporate. The Corporate domain will be a central repository of information for
users and computers within the Transport and Main Roads environment. The proposed Transport and
Main Roads environment is represented in Figure 5-1 - Transport and Main Roads Active Directory.

5.1.1.1 Forests

                    [Diagram: a single forest containing the domain corporate.local]

                                 Figure 5-1 - Transport and Main Roads Active Directory








5.1.1.1.1 Forest Configurations
Design Decision: The Transport and Main Roads forest will function in Windows Server 2008 R2
forest functional level.

     Rationale - Windows Server 2008 R2 forest functional level enables Transport and Main Roads
to leverage features above Windows Server 2003 functional level such as 'Active Directory Recycle
Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running'. [1]

         Note: All domains within the forest must also operate in Windows Server 2008 R2 domain
          functional level and must exclusively comprise Windows Server 2008 R2 domain
          controllers.


5.1.1.2 Domains

5.1.1.2.1 Domain Configurations
Design Decision: All domain controllers in the corporate.local domain will be running Windows
Server 2008 R2 operating system and the domain functional level will be Windows Server 2008 R2.

    Rationale – The Windows Server 2008 R2 Domain Functional level will provide functionality
beyond the Windows Server 2003 features:
        Advanced Encryption Services (AES 128 and 256) support for the Kerberos authentication
         protocol,
        Last Interactive Logon Information, which displays the time of the last successful interactive
         logon for a user, from what workstation, and the number of failed logon attempts since the last
         logon,
        Fine-grained password policies, which make it possible for password policies and account
         lockout policies to be specified for users and global security groups in a domain.

         Note: The selected functional level does not limit the operating system versions of
          workstations and member servers that are joined to the domain or forest. The solution will
          allow the coexistence of existing server platforms. (TAAA-004)
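The following PowerShell script is an added example for this document and is not part of the TMR design or its deliverables. It implements the pre-condition stated above: before the functional levels are raised, it confirms that no down-level domain controller remains in corporate.local, and only then raises the domain level and, after it, the forest level (a forest level cannot be raised until every domain in the forest is already at the target level). It assumes the Active Directory module for Windows PowerShell shipped with Windows Server 2008 R2 and an account that is a member of Domain Admins and Enterprise Admins; the function names are the author's own.

```powershell
# Added example, not part of the TMR design document: confirm that every domain
# controller in corporate.local runs Windows Server 2008 R2, then raise the domain
# and forest functional levels to Windows Server 2008 R2 in the required order.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT) and an account
# that is a member of Domain Admins and Enterprise Admins.
Import-Module ActiveDirectory

$domainName = 'corporate.local'          # domain DNS name from section 5.1.1
$requiredOs = 'Windows Server 2008 R2'   # only OS permitted on DCs (section 5.1.1.2.1)

function Get-DownLevelDomainController {
    # Returns every DC whose operating system is not the required one; the
    # functional level raise must not proceed while this returns anything.
    param([string]$Domain, [string]$RequiredOs)
    Get-ADDomainController -Filter * -Server $Domain |
        Where-Object { $_.OperatingSystem -notlike "$RequiredOs*" }
}

function Get-FunctionalLevelReport {
    # Current forest and domain modes, e.g. Windows2003Forest / Windows2008R2Domain.
    param([string]$Domain)
    $forest = Get-ADForest -Server $Domain
    $dom    = Get-ADDomain  -Server $Domain
    New-Object PSObject -Property @{
        Forest     = $forest.Name
        ForestMode = $forest.ForestMode
        Domain     = $dom.DNSRoot
        DomainMode = $dom.DomainMode
    }
}

# @() forces an array so .Count works even when zero or one DC is returned.
$downLevel = @(Get-DownLevelDomainController -Domain $domainName -RequiredOs $requiredOs)
foreach ($dc in $downLevel) {
    Write-Warning ("{0} runs '{1}'; upgrade or demote it before raising the level" -f $dc.HostName, $dc.OperatingSystem)
}
if ($downLevel.Count -gt 0) {
    throw "Down-level domain controllers remain in $domainName; functional level raise aborted."
}

$before = Get-FunctionalLevelReport -Domain $domainName
$before | Format-List

# Domain level first: the forest level cannot be raised until every domain in the
# forest is already at the target level. -Confirm:$false suppresses the prompt.
if ($before.DomainMode -ne 'Windows2008R2Domain') {
    Set-ADDomainMode -Identity $domainName -DomainMode Windows2008R2Domain -Confirm:$false
}
if ($before.ForestMode -ne 'Windows2008R2Forest') {
    Set-ADForestMode -Identity $before.Forest -ForestMode Windows2008R2Forest -Confirm:$false
}

Get-FunctionalLevelReport -Domain $domainName | Format-List
```

The script deliberately refuses to continue while any down-level domain controller is present rather than relying on the cmdlets' own error, so that the list of offending hosts is reported in one pass. Once the Active Directory Recycle Bin is enabled at the Windows Server 2008 R2 forest level the level can no longer be lowered, so the report printed before the raise should be retained with the change record.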


5.1.2      Flexible Single Master Operation (FSMO) Role Holders
In addition to the network services noted in section 4.1, Windows 2008 Active Directory domain
controllers utilise a Single Operation Master method called FSMO (Flexible Single Master Operation)
to perform schema updates in a single master fashion to prevent conflicts.
The FSMO roles are assigned to one or more DCs during the DCPROMO process. The following table
summarises the number of FSMO roles to be allocated, their default locations, and the selected host in
corporate.local:




[1] For further information relating to domain and forest functionality refer to "Understanding Domain and
Forest Functionality".





FSMO Role         Number of DCs holding    Default Location                           FSMO role holder in
                  this role in                                                        corporate.local
                  corporate.local

Schema            One                      The first DC in the first domain in        SHOCDC001.corporate.local
                                           the forest (i.e. the Forest Root
                                           Domain)
Domain Naming     One                      The first DC in the first domain in        SHOCDC001.corporate.local
                                           the forest (i.e. the Forest Root
                                           Domain)
RID               One                      The first DC in a domain (any domain,      SHOCDC002.corporate.local
                                           including the Forest Root Domain, any
                                           Tree Root Domain, or any Child Domain)
PDC Emulator      One                      The first DC in a domain (as above)        SHOCDC002.corporate.local
Infrastructure    One                      The first DC in a domain (as above)        SHOCDC002.corporate.local

                                                 Table 3 - FSMO Role Placement

When placing these FSMO roles certain best practices and considerations must be taken into account
to ensure that the FSMO roles function correctly and that the FSMO role owner is available when
dependent activities take place.
The Schema Master and Domain Naming Master should reside on the same server, and that machine
should be a Global Catalog server. By default, all roles reside on the first domain controller
(SHOCDC001) installed in the corporate.local forest.

         Note: According to Microsoft, the Domain Naming master needs to be on a Global Catalog
          server. If the Domain Naming master and Schema master are separated, then make sure they
          are both on Global Catalog servers.

Design Decision: For the corporate.local single forest/domain the Schema Master and Domain
Naming Master roles will reside on the first domain controller (SHOCDC001) in the corporate.local
domain.

     Rationale – These FSMO roles are the forest FSMO roles and are both unique to the forest. The
schema master and domain naming master roles should be placed on the same domain controller as
they are rarely used and should be tightly controlled.
In a multiple domain environment there are specific constraints around the placement of the
Infrastructure Master such as, the Infrastructure Master should not be on the same server that acts as a
Global Catalog. The Global Catalog contains information about every object in the forest. When the
Infrastructure Master, which is responsible for updating Active Directory information about cross
domain object changes, needs information about objects not in its domain, it contacts the Global
Catalog server for this information. If they both reside on the same server, then the Infrastructure
Master will never think there are changes to objects that reside in other domains because the Global
Catalog will keep it constantly updated. This would result in the Infrastructure Master never
replicating changes to other domain controllers in the corporate.local domain.








         Note: In a single domain environment like Corporate AD this is not an issue as there are no
          phantoms [2], and so the infrastructure master has no work to do. [3]

Design Decision: For the corporate.local single forest/domain the Infrastructure Master, PDC
Emulator and RID Master roles will be placed on the second domain controller (SHOCDC002) in the
corporate.local domain.

     Rationale - This placement is not mandatory like the Infrastructure Master and the Global
Catalog servers above, but is recommended. There are some legacy Windows NT 4.0 Servers still in
use in Transport and Main Roads, and as a result the PDC Emulator may receive more traffic than
other FSMO role holders, thus the second DC should be a server that can handle the additional load.

         Note: Since only one PDC emulator is permitted in a forest, any legacy Windows NT 4.0
          workstations or servers added to corporate.local will need to contact the PDC emulator
          located in the Spring Hill Office Complex Data Center (SHOC) for authentication.

         Note: For corporate.local Windows NT 4.0 Server based computers located in remote sites
          authentication via slow WAN links may experience considerable delays during the logon
          process. This delay will only occur when a user attempts to login to a Windows NT 4.0 system
          that has been migrated to the corporate.local domain.

Each of the FSMO role holders will be direct replication partners and have high bandwidth
connections to one another as well as a Global Catalog server.

5.1.3      Domain Controller Placement
Placement of Domain Controllers has an impact on the time it takes for a user to log on to the network.
As a workstation starts, it downloads Group Policy objects that are applied to it in order to establish
the machine's configuration. After a user logs in, it downloads a second set of Group Policy objects
which are specific to the user. Domain Controller placement determines how quickly these policies
can be downloaded.
In addition to providing policies, Domain Controllers provide authentication services. Large sites
(more than 500 users) such as the Spring Hill Office Complex can benefit from additional domain
controllers, as loads on a Domain Controller during a peak period can result in slower authentication.
Windows Server 2008 R2 offers two styles of domain controller: the standard and familiar writeable
domain controller, and a Read-Only Domain Controller (RODC) which hosts complete, read-only
copies of the partitions of the Active Directory database and a read-only copy of the SYSVOL folder
contents. RODCs can selectively cache credentials, allowing them to address some of the challenges
that can be encountered in remote locations and perimeter networks (also known as DMZs) that may
lack the physical security commonly found in data centres and larger sites [4]. Decisions related to
writeable or read-only domain controller selection will be made at the detailed design level, but
TMR's decision flow will be discussed in Section 5.1.6.1.1 - Domain Controller Placement
Guidelines.


[2] For further information on phantoms refer to "Disaster Recovery: Active Directory Users and Groups".
[3] For further information on FSMO placements refer to "FSMO placement and optimization on Active Directory
domain controllers".
[4] For further information relating to planning and deployment of RODCs refer to "Read-Only Domain
Controller Planning and Deployment".





Domain controller placement must also adhere to both the TMR Network Management Standards and
the Information Standard 18 – Information Security (IS18) policies.
Finally, fault tolerance is a consideration with Domain Controller placement. There needs to be
enough Domain Controllers to meet availability requirements should a controller become unavailable.
Design Decision: Domain controllers will be placed at Tier 1 – 3 sites.

     Rationale - Sites with more than 100 users will require a domain controller in order to provide a
positive user experience (adequate login performance). (TAAA-055)

         Note: The rules associated with the tiering of network sites are explained in Section 5.1.6 –
          “Sites and Replication”.

Design Decision: Tier 1 sites will have a second Domain Controller; Tier 2 sites with more than [n]
users will have a second Domain Controller.

     Rationale - During the detailed design phase, a specific threshold will be identified for
determining which sites will require additional Domain Controllers.


Design Decision: Additional Domain Controllers will be placed in both the central data centre
SHOC and Polaris redundant site.

     Rationale - The specific number of servers for each location will be determined during the
detailed design phase, however in order to meet the required level of availability (Platinum) it is
expected and recommended that additional Domain Controllers be placed in both data centres.


Design Decision: All corporate.local domain controllers will be present in the green zone.

    Rationale – This is the most secure internal TMR network zone. There are no requirements for
corporate.local domain controllers to be exposed to perimeter or external network zones. By not
exposing domain controllers to perimeter zones the “attack surface” is significantly reduced.

5.1.4      Global Catalog Placement
The Global Catalog is a distributed directory service, containing a partial replica of all objects within
an Active Directory forest. This directory is then used for searches (e.g. printers), can be used for
locating home servers for mailboxes, and is part of the login process. The distributed data repository is
stored on designated Domain Controllers in addition to the full replica of the directory for the
controller‟s domain.
Correct placement of Global Catalog servers can improve login performance, and can be heavily
utilised by some applications, one example is Microsoft Exchange Server 2007.








Design Decision: All domain controllers located at Tier 1 sites will be Global Catalogs with the
exception of the Infrastructure Master (IM) role holder and the designated standby IM servers.

    Rationale - Domain Controllers that hold the Infrastructure Master Role will not be configured
as Global Catalog servers (as per Microsoft KB articles 223346 and 248047 [5]). (BAAA-011)

         Note: Domain controllers designed as standby servers for the Infrastructure Master role will
          not be Global Catalog servers, in order to streamline the process of relocating this role.

Design Decision: All domain controllers located at Tier 2 – 3 sites will also be Global Catalog
servers.

     Rationale - In order to improve performance for users, all Domain Controllers outside the
central site will be designated as Global Catalog servers. This will also provide redundancy for users
authentication requests at remote sites. (TAAA-055)
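As an added verification example for sections 5.1.2 and 5.1.4 (it is not a script from the TMR project), the following PowerShell compares the live FSMO role holders in corporate.local against Table 3 and then checks the two Global Catalog rules stated above: the Schema Master and Domain Naming Master must sit on Global Catalog servers, and the Infrastructure Master holder must not be a Global Catalog. It assumes the Active Directory module for Windows PowerShell; the host names are those given in Table 3 and the function names are the author's own.

```powershell
# Added example, not part of the TMR design document: compare live FSMO role
# holders and Global Catalog flags against the placement in Table 3 and the
# rules in sections 5.1.2 and 5.1.4. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$domainName = 'corporate.local'

# Intended placement from Table 3: forest roles on SHOCDC001, domain roles on SHOCDC002.
$expected = @{
    SchemaMaster         = 'SHOCDC001.corporate.local'
    DomainNamingMaster   = 'SHOCDC001.corporate.local'
    RIDMaster            = 'SHOCDC002.corporate.local'
    PDCEmulator          = 'SHOCDC002.corporate.local'
    InfrastructureMaster = 'SHOCDC002.corporate.local'
}

function Get-FsmoPlacement {
    # The two forest-wide roles come from the forest object, the three
    # domain-wide roles from the domain object.
    param([string]$Domain)
    $forest = Get-ADForest -Server $Domain
    $dom    = Get-ADDomain  -Server $Domain
    @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $dom.RIDMaster
        PDCEmulator          = $dom.PDCEmulator
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

function Test-FsmoPlacement {
    # Reports every role whose holder differs from the design; returns $true when all match.
    param([hashtable]$Actual, [hashtable]$Expected)
    $ok = $true
    foreach ($role in $Expected.Keys) {
        if ($Actual[$role] -ne $Expected[$role]) {
            Write-Warning ("{0} is held by {1}; the design expects {2}" -f $role, $Actual[$role], $Expected[$role])
            $ok = $false
        }
    }
    return $ok
}

function Test-GlobalCatalogRules {
    param([string]$Domain, [hashtable]$Actual)
    $ok = $true
    # Rule 1 (section 5.1.2 note): Schema Master and Domain Naming Master on Global Catalogs.
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        $dc = Get-ADDomainController -Identity $Actual[$role] -Server $Domain
        if (-not $dc.IsGlobalCatalog) {
            Write-Warning ("{0} holder {1} is not a Global Catalog" -f $role, $dc.HostName)
            $ok = $false
        }
    }
    # Rule 2 (section 5.1.4 design decision): the Infrastructure Master holder is kept off
    # the Global Catalog, even though in a single-domain forest the role has no phantoms to update.
    $im = Get-ADDomainController -Identity $Actual['InfrastructureMaster'] -Server $Domain
    if ($im.IsGlobalCatalog) {
        Write-Warning ("Infrastructure Master holder {0} is also a Global Catalog" -f $im.HostName)
        $ok = $false
    }
    return $ok
}

$actual      = Get-FsmoPlacement -Domain $domainName
$placementOk = Test-FsmoPlacement -Actual $actual -Expected $expected
$gcOk        = Test-GlobalCatalogRules -Domain $domainName -Actual $actual
"FSMO placement matches Table 3: $placementOk; Global Catalog rules satisfied: $gcOk"
```

Running this after each FSMO transfer, and as a scheduled check, catches the drift that section 5.1.2 warns about: a role seized onto a Global Catalog during an outage and never moved back, or a standby Infrastructure Master server that was later promoted to Global Catalog.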

5.1.5      Organisation Unit Topology
Within an Active Directory domain, Organisational Units (OUs) are used to store objects such as
users, groups, computers and servers. These OUs are similar in nature to folders on a file-system, in
that they have a hierarchy, and that objects can only exist in a single folder.
OUs can be used to delegate administrative rights over a group of objects (by delegating control of an
OU to an administrator), and to assign Group Policy Objects (such as configuration settings) to users
and computers. Group Policy can also be filtered using groups, adding a second mechanism to control
the scope of a policy. Finally, an OU structure can be utilised by applications, such as System Center
Configuration Manager 2007 (SCCM), to manage workstations, distribute patches, applications and
more.
An OU structure is generally defined based on the way in which an organisation will be supported.
The flexibility of filtering Group Policy using security groups means that delegation becomes a more
significant influence on design. Organisations with de-centralised support models may be structured
around a geographic model, with OUs representing areas such as states. Organisations with differing
application requirements for each business unit, but a single centralised support group may structure
their OUs around their organisation chart.
In many cases, a hybrid model is required to meet the needs of both administrative delegation and
policy application [6]. The following illustration, Figure 5-2 - High Level Organisation Unit Structure,
supports the design decisions in the remainder of this section.




[5] For further information refer to Microsoft Support - "FSMO placement and optimization on Active Directory
domain controllers" and "Phantoms, tombstones and the infrastructure master".
[6] For further information on OU Models refer to Microsoft TechNet Magazine -
http://technet.microsoft.com/en-us/magazine/2008.05.oudesign.aspx?pr=blog





       [Diagram: High Level OU Structure - corporate.local. OU labels recovered from the figure,
        arranged by their position in the drawing:]

       corporate.local
         Domain Controllers
         Directory Administrator Accounts
         Service Accounts
         Service Management
         TMR
           Groups: Functional Groups, Enterprise Information & Systems (Child-OU1, Child-OU2, Child-OU3)
           Delegated Admins: TMR Administrators, Service Centre (Accounts, Groups)
           Server Roles: Servers, SharePoint (Test, Dev)
           Regional Sites: Regional Sites, Metropolitan, Capital Hill
             (Users, Workstations, Laptops, Printers, Security Groups)

                                      Figure 5-2 - High Level Organisation Unit Structure

Design Decision: The corporate.local Organisational Unit (OU) structure is based on a hybrid
geographic-resource model.

     Rationale – This model will align with the envisioned Transport and Main Roads administrative
delegation model. This OU model will provide benefits to Transport and Main Roads as they have
functional groups which have users spread across multiple locations, and because their geographic
boundaries also represent the breakdown of the User Services teams. The hybrid model will also
provide a facility to manage resources of a given type together, such as servers by service, groups,
workstations/laptops, printers, etc.







Design Decision: Domain Controllers will remain in the default system-created OU (“Domain
Controllers”).

     Rationale - A number of default policies refer to this OU, so moving Domain Controllers elsewhere
is not recommended. While it is technically feasible to move domain controllers to another OU, it can
introduce unnecessary complexity into the environment as some applications assume that Domain
Controllers are stored in that particular OU.


Design Decision: A set of Tier-2 Organisational Units will be used for grouping user accounts and
workstations based on the location (“Regional Sites”) that the user/workstation/resource is based in.

      Rationale – This will ensure that administrators can delegate management responsibilities for
these objects based on the site location or functional grouping. Additionally this set of Organisational
Units can be extended to support project or virtual teams that are distributed across multiple physical
sites, however it is expected that this be decided on a case by case basis. It will also be the most likely
location for Standard Desktop Environment group policies to control user and workstation
configurations. (BAAA-004, BAAA-028, BAAA-029, BAAA-032, TAAA-023, TAAA-026,
TAAA-029, TAAA-030, TAAA-033, TAAA-037, TAAA-039)


Design Decision: Active Directory security groups will be used to further filter the application of
Group Policy objects to users and computers.

     Rationale - To facilitate functional position/role-based deployment of applications and
configuration settings, users will be grouped based on their position/role. This will simplify the
allocation of collections of software packages to users. To further refine and consolidate the
application of policies, Active Directory security groups will be used to limit the scope of certain
policies. This reduces the need to create extremely granular OUs, while retaining a high degree of
flexibility. (BAAA-021, BAAA-020, TAAA-005, TAAA-037)


Design Decision: A set of Tier-2 Organisational Units will be used for storing security groups
(“Groups”), distribution lists and contact objects based on the organisational structure and functional
groups.

     Rationale - These objects do not receive Group Policy settings, however administrative control of
them needs to be delegated. To assist with this, and to ensure that groups are managed centrally, they
will be stored in a designated area of the OU structure. This will also provide a method for filtering
group policies to a selected group of users, for example to assign Power User rights or to restrict local
administrator rights on workstations. (BAAA-041, TSAA-018, TSAA-019)


Design Decision: A set of Tier-2 Organisation Units will be used for grouping TMR
administrator accounts, such as Service Centre, User Services and Business Infrastructure
administrator accounts and groups ("Delegated Admins").

     Rationale – The Administration OU is created as a separate second-level OU as it is common that
different policies are applied to administrative accounts, making it impractical to create administrator
accounts as a sub-OU of another second-level OU. (BAAA-040, BAAA-041, TAAA-029, TAAA-030,
TAAA-041)







Design Decision: A set of Tier-2 Organisational Units will be used for grouping servers by the
service/role they provide ("Server Roles"), such as Print Server, File Server, Database Server,
Mail Server, etc.

     Rationale – This will ensure servers of the same service/role can be managed identically and will
allow administrators to apply consistent group policies to servers of the same service/role, such as
security, remote desktop access, and other computer configuration policies. (BAAA-013, BAAA-007,
TAAA-001, TAAA-051)
The Tier-2 Organisational Unit used for grouping of servers by services/role will be managed by a
single team within TMR. To facilitate delegation of administrative rights to these services, servers will
be placed into child-OUs based on the primary service they provide. For example, an OU would be
created to hold all SQL servers, with administrative control delegated to the SQL support team.
Servers hosting multiple services will need to be placed into a shared OU.
In addition to the top-level TMR OUs, other special top-level OUs will be created to represent special
accounts like Active Directory Administrator Accounts, Service Accounts, and Service Management
Accounts.
The 3 top-level OUs will be used to delegate the administration of Active Directory to respective
Functional Groups. In addition, second-level OUs will be created beneath TMR to permit
Administrators to further delegate rights down to their respective site specific administrators.
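The following PowerShell is an added example illustrating section 5.1.5; it is not the TMR project's own build script. It creates, idempotently, the top-level OUs and the TMR second-level OUs shown in Figure 5-2 (with SQL and SharePoint as representative service child-OUs and Metropolitan as a representative regional site), protects each OU from accidental deletion, and then applies the security-group filtering described in the Group Policy design decision to a policy linked at a regional Users OU. It assumes the Active Directory and Group Policy modules for Windows PowerShell on a Windows Server 2008 R2 management host; the GPO name, the role group name and the function name are constructed for illustration.

```powershell
# Added example, not part of the TMR design document: build the OU structure of
# Figure 5-2 idempotently and filter a GPO by security group (section 5.1.5).
# Assumes the ActiveDirectory and GroupPolicy modules (Windows Server 2008 R2 / RSAT).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=corporate,DC=local'

# Top-level OUs, then the TMR tier-2 OUs and representative child OUs from Figure 5-2.
# Parents are listed before children because they must exist first.
$ouTree = @(
    @{ Name = 'Directory Administrator Accounts'; Parent = $domainDn },
    @{ Name = 'Service Accounts';                 Parent = $domainDn },
    @{ Name = 'Service Management';               Parent = $domainDn },
    @{ Name = 'TMR';                              Parent = $domainDn },
    @{ Name = 'Groups';           Parent = "OU=TMR,$domainDn" },
    @{ Name = 'Delegated Admins'; Parent = "OU=TMR,$domainDn" },
    @{ Name = 'Server Roles';     Parent = "OU=TMR,$domainDn" },
    @{ Name = 'Regional Sites';   Parent = "OU=TMR,$domainDn" },
    @{ Name = 'SQL';              Parent = "OU=Server Roles,OU=TMR,$domainDn" },   # servers by primary service
    @{ Name = 'SharePoint';       Parent = "OU=Server Roles,OU=TMR,$domainDn" },
    @{ Name = 'Metropolitan';     Parent = "OU=Regional Sites,OU=TMR,$domainDn" }
)
# Resource containers created beneath each regional site OU (Figure 5-2).
$siteChildren = 'Users', 'Workstations', 'Laptops', 'Printers', 'Security Groups'
$metroOu      = "OU=Metropolitan,OU=Regional Sites,OU=TMR,$domainDn"

function New-OuIfMissing {
    # Creates the OU only when it does not already exist directly under $Parent,
    # so the script can be re-run safely. Deletion protection guards the structure
    # that delegation and Group Policy links depend on.
    param([string]$Name, [string]$Parent)
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $Parent -SearchScope OneLevel
    if ($existing) { return $existing }
    New-ADOrganizationalUnit -Name $Name -Path $Parent -ProtectedFromAccidentalDeletion $true -PassThru
}

foreach ($ou in $ouTree)        { New-OuIfMissing -Name $ou.Name -Parent $ou.Parent | Out-Null }
foreach ($child in $siteChildren) { New-OuIfMissing -Name $child -Parent $metroOu   | Out-Null }

# Security-group filtering (section 5.1.5): the policy is linked at the regional Users OU,
# but only members of the role group apply it. Authenticated Users are reduced to Read so
# the policy can still be evaluated without being applied to everyone in the OU.
$gpoName   = 'SDE - Finance Role Settings'   # constructed GPO name
$roleGroup = 'GPO-Apply-Finance-Role'        # constructed global security group, stored in OU=Groups
$targetOu  = "OU=Users,$metroOu"

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }
if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$roleGroup)")) {
    New-ADGroup -Name $roleGroup -GroupScope Global -GroupCategory Security -Path "OU=Groups,OU=TMR,$domainDn"
}
# New-GPLink errors if the link already exists; that is harmless on a re-run.
New-GPLink -Name $gpoName -Target $targetOu -ErrorAction SilentlyContinue | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $roleGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
```

Keeping the role group in the Groups OU rather than beside the users it affects matches the design decision that groups are managed centrally, and the Read-only permission for Authenticated Users is what lets the same policy be reused across several site OUs without creating the granular OUs the rationale sets out to avoid.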








5.1.6      Sites and Replication

5.1.6.1 Site Categorisation
To facilitate the design process, sites have been categorised into logical groups, or “tiers”. These tiers
have been defined based on the current understanding of infrastructure needs and requirements,
including availability requirements, consolidation objectives, and operating cost/effort requirements.
Certain sites can be considered to be the same logical site, due to high speed network connections. For
example, Spring Hill Office Complex (SHOC), other Metropolitan Area Network sites, and other
'high speed' sites are grouped together to form a single logical site (with their infrastructure services
hosted at a central data centre). To better demonstrate this, the sites can be classified into various
levels or tiers similar to those shown in the table below:

                     Tier    No. of Workstations    Network Links*
                     1       n/a                    1Gbit/sec – 10Mbit/sec
                     2       25-500                 <10Mbit/sec – 4Mbit/sec
                     3       6-24                   4Mbit/sec – 0.5Mbit/sec
                     4       1-5                    4Mbit/sec – 0.5Mbit/sec
                                                Table 4 – Site Tiering Rules

                                            Tier    Number of logical sites
                                            1       2
                                            2       27
                                            3       55
                                            4       56
                                    Table 5 - Estimated Number of logical sites per tier

* This is the lowest bandwidth point between the site and central SHOC site.

 Important Note: The workstation numbers and bandwidth information used to determine the
 logical site estimates in “Table 5” were collated from raw data obtained through an official
 ‘Request for Information’ (RFI). This data set still requires further work and analysis by TMR
 and is therefore subject to change.

 Note: The analysed data will need to be reassessed during the detailed design phase. Site
 assessment for infrastructure placement is normally a continuous process during detailed
 design and deployment phases.





The Spring Hill Office Complex (SHOC) site and Polaris (Redundant site) will be used to host
services with high availability requirements. These two sites are considered to be Tier-1 sites,
providing relatively specialised facilities for servers (such as replication between the two sites).
Using these classifications, server placement for various services can be planned and high-level
estimates of server numbers can be obtained for planning purposes. These site categories are a guide
only; each site will need to be assessed for suitability, and exceptions will be made due to various
factors (e.g. network utilisation, high latency, criticality of site, type of network activity, etc.).
When planning the placement of infrastructure services, the following criteria must be taken into
consideration:
 - Availability requirements – can the site provide the necessary facilities to support a service's
   needs?
 - Number of users vs. WAN connectivity – is there enough bandwidth to meet the needs of
   users?
 - Cost of deploying extra servers – the intent is to minimise the number of sites with servers in
   them.
 - Application requirements – is there an application in use (client- or server-based) at a site
   that requires specific infrastructure (such as heavy use of the Global Catalog)?
 - Backup and recovery facilities – there are minimal IT support staff on-site at lower tier sites.
The majority of decisions relating to server placement are based on the trade-off between
centralisation of infrastructure servers and network bandwidth. One of the guiding principles of the
Design & Proof of Concept for AD & ILM Project is to “capitalise on investments made in network
infrastructure”, so the server placement decisions throughout this document attempt to centralise
infrastructure wherever possible. The possibilities of increasing the network bandwidth for various
sites to reduce the number of servers they will host or increase the number of supported users will be
investigated during the detailed design phase.
Below are some high level observations about the characteristics of sites within Transport and Main
Roads as well as some approximations of the number of sites of each type, based on the raw data
obtained through the RFI:
 - Given the high speed connections and close proximity of some sites, for example Spring Hill
   Office Complex (SHOC), Metropolitan Area Network sites and other ‘high speed’ sites,
   Microsoft best practice recommends combining these sites as a single logical site [7] (i.e. the
   majority of their infrastructure servers will be located at SHOC).
 - 1 site (SHOC) has more than 1500 users and will require many infrastructure servers.
 - 1 site (Polaris) will provide site redundancy for Active Directory services and will require
   many infrastructure servers.
 - 27 sites have 25 – 500 users (will require some infrastructure servers).
 - 55 sites have 6 – 24 users (may not require infrastructure servers).
 - 56 sites have 5 or less users (no infrastructure servers).




[7] For further information refer to - Overview of Active Directory Sites and Services


5.1.6.1.1 Domain Controller Placement Guidelines
The following information will provide some insight into future design decisions and domain
controller placement activities. The overall goal of domain controller placement for TMR is to
eliminate unnecessary domain controllers from remote locations, as this reduces the support costs
required to maintain a remote infrastructure.
There are many variables to consider when evaluating whether a location requires its clients to have
local authentication or whether they can rely on the WAN link for authentication and queries.
The following flow diagram, created with reference to best practice and Microsoft TechNet [8], shows
the decision-making process for determining whether a domain controller is necessary at a location
and, if so, which type of domain controller to deploy.

Figure 5-3 - Domain Controller Placement Decisions (flow diagram, reproduced here as a decision sequence):

 1. Is the risk of a WAN outage great enough to warrant a local domain controller?
    - No: go to step 2.
    - Yes: go to step 3.
 2. Is the performance of applications and user logon over the WAN acceptable?
    - Yes: Do not place a domain controller at the location.
    - No: Place an RODC at the location.
 3. Is there a directory-enabled application that requires a writeable domain controller?
    - No: Place an RODC at the location.
    - Yes: go to step 4.
 4. Can the domain controller be physically secured?
    - No: Resolve this situation by doing one or more of the following: relocate or remove the
      application that requires reliable access to a writeable DC; provide physical security;
      upgrade the WAN reliability and/or performance.
    - Yes: go to step 5.
 5. Can the remote domain controller be administered remotely, or is there sufficient IT
    knowledge locally?
    - No: Resolve this situation by doing one or more of the following: relocate or remove the
      application that requires reliable access to a writeable DC; provide sufficient IT
      experience at the location.
    - Yes: Place a writeable domain controller at the location.

The diagram highlights noteworthy characteristics of a physical site that can affect the decisions to
place a domain controller and the type of domain controller to be placed.
One characteristic that is important to understand about the environment is the resilience and
performance of the site's WAN links. This will determine whether the network links are capable of
supporting users at a physical site where there is no domain controller. (TAAA-059, TAAA-061)
The presence of directory-enabled applications at the physical site (applications which read or write to
a directory service at a high frequency) will in most cases require a local domain controller to ensure
acceptable application performance. The type of domain controller will depend on the type of
application being hosted at the local site (i.e. whether it needs writeable or read-only access to the
directory).
Local physical site security will also need to be assessed, as it is important to ensure the domain
controllers are being placed in a secure location.

 - TMR have strict infrastructure placement policies which must be adhered to. The domain
   controller will need to be categorised so the appropriate policy can be applied.




[8] For further information on the Placement of Domain Controllers refer to - Planning Regional Domain
Controller Placement


A domain controller contains information about all user accounts in the domain, so if it is stolen or
physically compromised that information is exposed. If a site is deemed insecure it may not be a
suitable place to deploy a domain controller, and other measures will need to be taken. (TAAA-053)
Finally, the capability of local support groups can impact the placement of a domain controller. If it is
determined that there is a lack of skills on-site to support the DC, placement needs to be reconsidered,
or sufficient training should be given to the on-site support teams.
The final decision of whether sites will require a domain controller, and the type of domain controller,
will rest with the detailed design project stream.

5.1.6.2 Active Directory Site Topology
Active Directory sites provide logical boundaries for locating directory services. They provide a
workstation with a mechanism to find the closest Active Directory service, such as a Distributed File
System (DFS) replica or the nearest Domain Controller for authentication. As such, they play a key
role in logon performance. Sites are defined as one TCP/IP subnet or a collection of TCP/IP
subnets.
Design Decision: The SHOC logical site, consisting of Spring Hill Office Complex, Ann Street,
Capital Hill, Dickens Street, Wharf Street (Metro DO), Mineral House, 260 Queen Street, 239
George Street, Transport House, etc., will be considered a single Active Directory site.

 - Rationale - For the purposes of these sites, the majority of Domain Controllers will be located at
   the SHOC data centre. To ensure that clients in the other Brisbane CBD locations use these Domain
   Controllers, they will be configured to be part of this AD site.

Design Decision: Physical sites without domain controllers will be added to the SHOC site.

 - Rationale - Sites without domain controllers still need to be members of a defined AD site in
   order to locate services (such as authentication, DFS replicas, etc.). By placing them into the SHOC
   AD site, they will consistently use the servers located in the central site. (TAAA-062)

Design Decision: Physical sites with a domain controller will have their own site established.

 - Rationale - Any site with domain controllers will be configured as an AD site of its own. This will
   ensure that workstations will be directed to a local domain controller rather than traversing and
   relying on the resiliency of WAN links. (BAAA-019, TAAA-062)





Figure 5-4 - Site Topology Design (diagram showing three layers: Domain Structure (corporate.local),
Site Model, and Physical Network)




 Tier     Example Logical Sites          Active         Network Link              Site Primary          Infrastructure
                                         Workstations                             Replication Partner   Required
 Tier-1   SHOC, Polaris                  n/a            1Gbit/sec - 10Mbit/sec    Tier-1                Yes
 Tier-2   EAGA, TOOP, DARP               25-500         8Mbit/sec – 2Mbit/sec     Tier-1                Yes
 Tier-3   GREC, BUNC, BURV, DEAP         6-24           4Mbit/sec – 0.5Mbit/sec   Tier-1                Possibly
 Tier-4   BOWC, GOOC, HPTM, INNC, PROC   1-5            4Mbit/sec – 0.5Mbit/sec   n/a                   No
 Table 6 - Site Tier Breakdown


5.1.6.2.1 Cost and WAN Link Speeds
For the logical site topology design, site links will be defined using accurate bandwidth values that
have been acquired through a detailed assessment of the network site architecture. Effective
bandwidth, which accounts for capacity and utilisation data, will be used to define the Site Link costs
during the Detailed Site Topology design.


5.1.6.3 Active Directory Site Links
Site links are used to model the amount of available bandwidth between two sites. As a general rule,
any two networks connected by a link that is slower than LAN speed are considered to be connected
by a site link. A fast link that is near capacity has a low effective bandwidth, and can also be
considered a site link. Site links have four parameters:
 - Cost - The cost value of a site link helps the replication system determine when to use the link
   when compared to other links. Cost values will determine the paths that replication will take
   through the network.
 - Replication schedule - A site link has an associated schedule that indicates at what times of
   day the link is available to carry replication traffic.
 - Replication interval - The replication interval indicates how often the system polls domain
   controllers on the other side of the site link for replication changes.
 - Transport - The transport that is used for replication.


Figure 5-5 - Logical Site Replication Topology shows the logical site topology for the corporate.local
Active Directory replication. Given the number of slow links to remote locations, sites will be defined
within AD Sites and Services to optimise and schedule AD replication. The site topology is based on a
multi-tiered architecture which reflects the overall WAN infrastructure shown in Figure 5-8, Figure
5-9, and Figure 5-10.
Figure 5-5 - Logical Site Replication Topology (diagram). SHOC-Site and Polaris-Site replicate directly
with each other and are the hubs for the site links to EAGA-Site, DARP-Site, TOOP-Site, GREC-Site,
BUNC-Site, BURV-Site, DEAP-Site, REDC-Site and MKYP-Site. Annotations on the diagram:
 - Every site has at least one domain controller (DC) that is also a Global Catalog Server (GC).
 - Site link costs will be defined to ensure each Tiered site will use a Tier-1 site as a primary
   replication partner.
 - All sites have a direct connection to the Spine (Telstra IP WAN, Telstra RAS IP Network).
Legend:
 - Tier-1 Sites (e.g. SHOC-Site) are high-speed central sites and will be the primary replication
   partner for all sites. These sites will also provide authentication for Tier-4 sites that have no
   infrastructure.
 - Tier-2 Sites (e.g. NATA-Site) are remote sites with more than 25 workstations and direct
   connection to the network Spine.
 - Tier-3 Sites (e.g. EAGA-Site) are remote sites with 6 to 24 workstations and direct connection
   to the network Spine.
 - Tier-4 Sites (e.g. BOWC-Site) are remote sites with less than 5 workstations and are not
   represented in this diagram as there is no infrastructure required and therefore no logical site.




Department of Transport and Main Roads                                                                Milestone 2B – High Level Active Directory Design                                                                                                                             Page 32 of 89
Design and Proof of Concept for AD & ILM
Supported by the Queensland Government Microsoft Services Provision Fund




5.1.6.4 Active Directory Replication
With Windows 2008 Active Directory, intra-site replication can occur on a change notification basis
(by default, every 15 seconds) between domain controllers in each site.
Inter-site replication can occur on a scheduled basis expected to be every 15 – 30 min (default is every
180 min) depending on network bandwidth and availability. Detailed replication schedules will be
determined in detailed design.

5.1.7        Group Policy
The objective of this section is to provide a Group Policy strategy for replicating the existing
Transport and Main Roads configuration and security policies being applied through Novell. These
group policy settings will likely be phased into the environment over time.

5.1.7.1 Corporate AD Domain Policy
These policies are used to create a standard domain level security configuration for all user accounts
within the Corporate.local domain. The implementation of Active Directory includes the
configuration of the domain level group policies. These policies affect all user objects stored within
the domain. The following is a sample list of policy settings that can be used in the Corporate AD Default
Domain Policy:
          Account Policies – Password Policy.
          Account Policies – Account Lockout Policy.
          Account Policies – Kerberos Policy.
          Local Policies – Audit Policy.
          Local Policies – Security Options.
All security settings applied within the Corporate AD domain will support the development and the
inclusion of existing TMR Security Standards. The only exception to these policies may be service
accounts placed within the designated OUs of Corporate AD domain. The nature of service accounts
often requires these accounts to function outside of the restrictions imposed by the domain policy. If
absolutely necessary, the designated OUs will be configured to block the inheritance of the domain
policy.

5.1.7.2 Domain Controller Security Policies
In most cases the default Windows Server 2008 security policies are effective in securing domains and
domain controllers against various types of threats. In addition to security policies, Active Directory
data is protected by default auditing settings on key directory objects.
Design Decision: Domain and Domain Controller Policy settings will be further strengthened to
improve protection.

     Rationale - All changes to the default policy settings will be done in accordance with Microsoft
best practice [9]. (TAAA-069)




[9] For further information refer to the Best Practice Guide for Securing Active Directory Installations.





5.1.7.3 Server Policy
A GPO can be applied to the Server OU within the Corporate AD domain. Server GPOs will be used
to address the security configuration of servers that are not domain controllers.
Design Decision: All Computer Policies will disable the User Configuration settings; this
eliminates the processing of that section of the GPO.

     Rationale – There should be no relevant User Configuration settings in a Server Policy, and
disabling them eliminates the unneeded processing of that section of the GPO.

5.1.7.4 Computers Policy
Design Decision: All Computer Policies will disable the User Configuration settings; this
eliminates the processing of that section of the GPO.

     Rationale – There should be no relevant User Configuration settings in a Server Policy, and
disabling them eliminates the unneeded processing of that section of the GPO.
The following settings are typical in an enterprise AD environment:
        Event log settings to ensure the appropriate level of auditing is occurring, as well as
         configuring the specific events to audit, such as account logon events, account management
         events, and system events.
        A standard Windows installation file location and service pack installation path, ensuring
         that a central location for OS updates is used.
        Disables the Remote Assistance feature.
        Prevents locally installed shared printers from being published in the directory.
        Use of “Restricted Groups” allows workstation local group membership to be updated
         easily.

5.1.7.5 User Policy
Design Decision: All User Policies will disable the Computer Configuration Settings section of the
GPO.

    Rationale - For the same reason computer policies disable user configuration settings: to save
processing time.
Numerous settings are available to enforce user policies. It will be necessary for TMR to conduct
further analysis to determine the appropriate settings for TMR users. The following are common
settings for user policies often found in an enterprise AD environment:
        Hardware tab is unavailable (users cannot use the Hardware tab to view or change the device
         list or device properties).
        User does not have access to the Security tab in Windows Explorer.
        Users are limited in the MMC permitted snap-ins and snap-in extensions.
        All links to Windows Update are removed.
        Screen saver password protection is enabled and configured for 10 minutes.
        Users are prohibited from changing the TCP/IP configuration.
        Users are prompted for a password when resuming from hibernate/suspend.





In a real-world scenario, some TMR sites (Rockhampton, Mackay, Cairns and the Metropolitan sites)
enforce specific screensaver password policies for all users in those locations. To enforce this policy,
TMR AD administrators can configure a user policy and apply it to the Regional Sites child-level Users
OU. Additionally, they can enhance the Group Policy by using Group Policy Preferences, which offer
more advanced targeting techniques.

5.1.8      Active Directory Naming Conventions

5.1.8.1 Servers and Workstations
As described in the “Transport Discovery for TMR AD & ILM POC” document, the current server
naming convention at TMR uses the format:
SSSSPPXX
Where SSSS is the site code, PP indicates the server platform/role, and XX is a number for
uniqueness.
An example server name is: SHOCDC01
As a suggestion, the existing TMR server naming standard can identify the Domain Controller as the
server role, by using a “DC” in the server platform/role segment:
Table 7 - Server naming convention

Object        Possible Values     Description
Segment 1     SHOC, etc.          This segment denotes the site name of where the server is
                                  located.
Segment 2     DC, SQL, etc.       Denotes the server role:
                                  DC = Domain Controller
                                  SQL = SQL Server
                                  Note: Other server roles may be created as future needs require.
Segment 3     001, 002, 003…      When there is more than one server with the same site, role
                                  and function, a sequential number must be used to
                                  differentiate the servers.


E.g.: SHOCDC01 (Site=SHOC, Function=DC, ServerNumber=001)

         Note: Server numbering for Corporate DCs will start at 001, while server numbering for
          Extranet DCs will start at 011, in order to differentiate between the two domains. For example
          SHOCDC001 for a DC in Corporate; and SHOCDC011 for a DC in the Extranet.


5.1.8.2 Domain Accounts
All accounts created at the domain level must follow the TMR general standards. The following
information provides a suggestion only.
All domain accounts should have the following format:






         General User:
               o    First initial, middle initial, first five letters of surname.
               o    e.g. JABlogg (for user Joseph Andrew Bloggs).
         Domain Administrative User:
               o    First initial, middle initial, first five letters of surname, followed by “_da”.
               o    e.g. JABlogg_da (for administrative user Joseph Andrew Bloggs).
         Service Accounts:
               o    SVC_<description of service>.

5.1.8.3 Groups
The Group Naming Convention will be:
Object        Possible Values     Description
Segment 1     GG, DL, L           Denotes the Group Scope:
                                  GG – Global Group
                                  DL – Domain Local Group
                                  L – Local Group
Segment 2     Free form           For GG, should contain the members of this group, e.g. “EIS”.
                                  For DL and L groups, should contain details of the location
                                  and/or server name of the resource.
Segment 3     Free form           Name of the resource that this group is given permission to,
                                  e.g. “SharePointPortal”.
                                  Note: This segment is only applicable to DL and L group scopes.

                                            Table 8 - Group naming convention

E.g.: DL_EIS_SharePointPortal

5.1.8.4 Organisational Units
As Organisational Units are used to provide a structure to delegate administration of objects within a
domain, they will be assigned names related to the objects stored within.
There is no complex naming convention for OUs; they simply need names with no spaces in order to
facilitate scripting and automation, e.g. SoftwareDistribution.
The details of the Organisational Unit topology are defined in Section 5.1.5 of this document.








5.1.8.5 Group Policy Objects
Group policy object naming will be implemented for any administrator created policy, excluding in-
built Default Domain and Default Domain Controller policies. The name will consist of three main
components; type, description and version.
Object                         Possible Values                             Description
Segment 1                      CO, UO, CU                                  Denotes the policy object type:
                                                                           CO – Computer Policy Only
                                                                           UO – User Policy Only
                                                                           CU – Computer and User
                                                                           Policy
Segment 2                      Free form                                   Description of the Group Policy
                                                                           object


Segment 3                      001 – 999                                   Version number of the policy

                                           Table 9 - Group policy object naming

         Note: Each segment of the object is to be separated by a dash (“-“).
          E.g. CO-DefaultUserSettings-001.
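As an added example (not part of this design document or TMR's own tooling), the following PowerShell checks administrator-created GPOs against the Table 9 naming convention and the 5.1.7.3 to 5.1.7.5 design decisions at the same time: a CO policy must have its user settings disabled and a UO policy its computer settings disabled. It runs against constructed sample objects; the Get-GPO feed and the restriction of the free-form description to letters and digits are assumptions.

```powershell
# Added example, not from the TMR design document: checks administrator-created GPOs
# against the Table 9 naming convention and the 5.1.7.3 - 5.1.7.5 design decisions
# (CO policies disable User Configuration, UO policies disable Computer Configuration).
# The sample objects below are constructed; the commented Get-GPO line is the assumed
# live feed (GroupPolicy module), and the GpoStatus values are that module's own.

# Expected GpoStatus for each Segment 1 type code from Table 9.
$ExpectedStatus = @{
    'CO' = 'UserSettingsDisabled'      # Computer Policy Only
    'UO' = 'ComputerSettingsDisabled'  # User Policy Only
    'CU' = 'AllSettingsEnabled'        # Computer and User Policy
}

# In-built policies are excluded from the naming convention by design.
$BuiltInPolicies = @('Default Domain Policy', 'Default Domain Controllers Policy')

function Test-TmrGpo {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$GpoStatus
    )
    $result = [pscustomobject]@{
        Name     = $DisplayName
        Type     = $null
        Version  = $null
        Findings = @()
    }
    if ($BuiltInPolicies -contains $DisplayName) { return $result }

    # Segment 1 = type, Segment 2 = free-form description (letters and digits assumed),
    # Segment 3 = three-digit version, each separated by a dash.
    if ($DisplayName -cnotmatch '^(?<type>CO|UO|CU)-(?<desc>[A-Za-z0-9]+)-(?<ver>\d{3})$') {
        $result.Findings += 'Name does not follow <type>-<description>-<version>'
        return $result
    }
    $result.Type    = $Matches.type
    $result.Version = [int]$Matches.ver
    if ($result.Version -lt 1) {
        $result.Findings += 'Version number must be in the range 001 - 999'
    }

    # The disabled section is expressed by the GPO status, so the status must match the type.
    $expected = $ExpectedStatus[$result.Type]
    if ($GpoStatus -ne $expected) {
        $result.Findings += "GpoStatus is '$GpoStatus' but type $($result.Type) requires '$expected'"
    }
    return $result
}

# Constructed sample GPOs (not real TMR objects).
$SampleGpos = @(
    [pscustomobject]@{ DisplayName = 'CO-DefaultUserSettings-001'; GpoStatus = 'UserSettingsDisabled' }
    [pscustomobject]@{ DisplayName = 'UO-RegionalScreensaver-002'; GpoStatus = 'AllSettingsEnabled' }    # wrong status
    [pscustomobject]@{ DisplayName = 'Server Hardening';            GpoStatus = 'UserSettingsDisabled' }  # bad name
    [pscustomobject]@{ DisplayName = 'Default Domain Policy';       GpoStatus = 'AllSettingsEnabled' }    # excluded
)
# Live use (assumed): $SampleGpos = Get-GPO -All | Select-Object DisplayName, GpoStatus

$SampleGpos |
    ForEach-Object { Test-TmrGpo -DisplayName $_.DisplayName -GpoStatus $_.GpoStatus } |
    Where-Object { $_.Findings.Count -gt 0 } |
    Format-Table Name, Type, Version, @{ n = 'Findings'; e = { $_.Findings -join '; ' } } -AutoSize

# Remediation for the UO policy above (assumed, GroupPolicy module):
# (Get-GPO -Name 'UO-RegionalScreensaver-002').GpoStatus = 'ComputerSettingsDisabled'
```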


5.1.8.6 Sites
Microsoft recommends using valid DNS names when you create a new site name. Otherwise, the site
will be available only where a Microsoft DNS server is used.
DNS host names can contain only alphabetical characters (A-Z), numeric characters (0-9), the minus
sign (-), and the period (.). Period characters are allowed only when they are used to delimit the
components of domain style names. In the Windows 2000 and 2003 domain name system (DNS) and
in the Microsoft Windows Server 2008 DNS, the use of Unicode characters is supported. Other
implementations of DNS do not support Unicode characters. Avoid Unicode characters if queries will
be passed to the servers that use non-Microsoft implementations of DNS.
Incorporating existing TMR naming standards, the <location ID> is the standard corporate four letter
identifier for the physical site of the site subnet. In districts, this is a 3 letter location code, and the
final letter also identifies the primary customer at the site.
3 Letter locations for districts:
               ROC – Rockhampton.
               EME – Emerald.
               MKY – Mackay.
               BAR – Barcaldine.
               TOW – Townsville.
               CLO – Cloncurry.
               CAI – Cairns.
               WAR – Warwick.
               ROM – Roma.
               GYM – Gympie.
               TOO – Toowoomba.





               MET – Metropolitan.
               NER – Nerang.
               BUN – Bundaberg.
The 4th letter identifies the customer:
               D - District office.
               A - Asset Services (RoadTek).
               P - Works Depot (RoadTek).
               U – N/A.
               X – N/A.
               C - Customer Service Centre (QT).
               M - Maritime Safety Queensland (MSQ).
               Q - Queensland Government Agency Program (QGAP).


Design Decision: Sites will be named according to the physical/geographical location they represent,
using the relevant 4 character site code, e.g. “SHOC” for Spring Hill Office Complex.

     Rationale - This is the current naming convention standard for network sites in TMR, existing
standards and conventions will be incorporated wherever possible. (TAAA-031)
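The server (5.1.8.1), group (5.1.8.3) and site (5.1.8.6) conventions above can be checked mechanically; the following validators are an added example, not TMR's code. The district codes and customer letters are taken from this section; treating any other four-letter code such as SHOC as a corporate site, and accepting both the two-digit and three-digit server numbers the section shows, are my assumptions.

```powershell
# Added example, not part of the TMR design document: validators for the server,
# group and site naming conventions of 5.1.8.1, 5.1.8.3 and 5.1.8.6. The district
# codes and customer letters are copied from 5.1.8.6; treating any other four-letter
# code (e.g. SHOC) as a corporate site is my assumption, as is accepting both the
# two-digit (SHOCDC01) and three-digit (SHOCDC001) server numbers the section shows.

$DistrictCodes = @{
    ROC = 'Rockhampton'; EME = 'Emerald';   MKY = 'Mackay';    BAR = 'Barcaldine'
    TOW = 'Townsville';  CLO = 'Cloncurry'; CAI = 'Cairns';    WAR = 'Warwick'
    ROM = 'Roma';        GYM = 'Gympie';    TOO = 'Toowoomba'; MET = 'Metropolitan'
    NER = 'Nerang';      BUN = 'Bundaberg'
}
$CustomerLetters = @{
    D = 'District office'; A = 'Asset Services (RoadTek)'; P = 'Works Depot (RoadTek)'
    U = 'N/A'; X = 'N/A'; C = 'Customer Service Centre (QT)'
    M = 'Maritime Safety Queensland (MSQ)'; Q = 'Queensland Government Agency Program (QGAP)'
}

function Test-TmrSiteCode {
    param([Parameter(Mandatory)][string]$Code)
    $r = [pscustomobject]@{ Code = $Code; IsValid = $false; Location = $null; Customer = $null }
    if ($Code -cnotmatch '^[A-Z]{4}$') { return $r }          # exactly four upper-case letters
    $prefix = $Code.Substring(0, 3)
    $letter = $Code.Substring(3, 1)
    if ($DistrictCodes.ContainsKey($prefix)) {
        # District code: 3-letter location plus a 4th letter naming the primary customer.
        $r.Location = $DistrictCodes[$prefix]
        if ($CustomerLetters.ContainsKey($letter)) {
            $r.Customer = $CustomerLetters[$letter]
            $r.IsValid  = $true
        }
    } else {
        $r.Location = 'Corporate site code (assumed, e.g. SHOC)'
        $r.IsValid  = $true
    }
    return $r
}

function Test-TmrServerName {
    param([Parameter(Mandatory)][string]$Name)
    $r = [pscustomobject]@{ Name = $Name; IsValid = $false; Site = $null; Role = $null; Number = $null; Domain = $null }
    # SSSSPPXX: site code, 2-3 letter role (DC, SQL, ...), then a 2- or 3-digit sequence number.
    if ($Name -cnotmatch '^(?<site>[A-Z]{4})(?<role>[A-Z]{2,3})(?<num>\d{2,3})$') { return $r }
    $site = $Matches.site; $role = $Matches.role; $num = [int]$Matches.num   # capture before any other -match
    if (-not (Test-TmrSiteCode -Code $site).IsValid) { return $r }
    $r.Site = $site; $r.Role = $role; $r.Number = $num
    $r.IsValid = $num -ge 1                                   # numbering starts at 01/001
    # 5.1.8.1 note: Corporate DCs are numbered from 001 and Extranet DCs from 011.
    if ($role -eq 'DC') { $r.Domain = if ($num -ge 11) { 'Extranet' } else { 'Corporate' } }
    return $r
}

function Test-TmrGroupName {
    param([Parameter(Mandatory)][string]$Name)
    $r = [pscustomobject]@{ Name = $Name; IsValid = $false; Scope = $null; Segment2 = $null; Resource = $null }
    # Segment 1 = scope (GG, DL, L); segments are joined with underscores.
    if ($Name -cnotmatch '^(?<scope>GG|DL|L)_(?<seg2>[A-Za-z0-9]+)(?:_(?<seg3>[A-Za-z0-9]+))?$') { return $r }
    $r.Scope = $Matches.scope; $r.Segment2 = $Matches.seg2; $r.Resource = $Matches.seg3
    # Segment 3 (the resource) applies only to DL and L groups; a GG name carries only its member set.
    $r.IsValid = if ($r.Scope -eq 'GG') { -not $r.Resource } else { [bool]$r.Resource }
    return $r
}

# Constructed sample names (not taken from TMR's directory).
'SHOCDC001', 'SHOCDC011', 'ROCDSQL02', 'SHOC-DC01'            | ForEach-Object { Test-TmrServerName $_ } | Format-Table -AutoSize
'GG_EIS', 'DL_EIS_SharePointPortal', 'GG_EIS_SharePointPortal' | ForEach-Object { Test-TmrGroupName $_ }  | Format-Table -AutoSize
'ROCD', 'MKYZ', 'SHOC'                                         | ForEach-Object { Test-TmrSiteCode $_ }   | Format-Table -AutoSize
```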

5.1.9      Security
Active Directory security in the scope of this deliverable covers the security group model and the top level
GPOs for TMR infrastructure.

5.1.9.1 Security Group Model

5.1.9.1.1 Group Types
Windows 2008 groups can be of type security or distribution. Distribution groups are created for the
purpose of mail services and carry no security rights. Group types can be converted between security and
distribution when the domain is at the Windows 2000 native functional level or higher.

5.1.9.2 Schema, Enterprise and Domain Administrators
The Schema, Enterprise and Domain Administrators are responsible for running the infrastructure as a
whole. They have access to everything stored within the domain, not by delegation but as a feature of
their role. As a Domain Admin can easily elevate their privileges to the Schema and Enterprise
administration level, the distinction is made only for consistency and does not reflect a real
security boundary.
Considering this, Domain Administrator privileges should only be given to highly trusted and
competent personnel, as incompetent or malicious use of these privileges will heavily impact the
infrastructure.
Design Decision: The Enterprise Admins and Schema Admins groups must have no members in the
domain.

      Rationale – Standard practice is to keep the Enterprise Administrators and Schema
Administrators groups empty and only add a user into them when they are to be used. Administrative
staff wishing to make changes to the schema, site topology, etc, must first acquire authorisation in line
with the change control and request system (Request for Change / Production Change Request Note)
and approved by the Change Advisory board. This ensures no unauthorised or accidental changes are
made. (BAAA-014) (BAAA-016)

5.1.9.3 Administrative Roles and Responsibilities
Defining Administrative roles and responsibilities is outside the scope of this document. An
administration model will be provided in the detailed design phase.

5.1.9.4 TMR Domain Administrator Accounts
The Corporate AD will primarily be supported by the Server support team once the system is in
production. The level of administrative authority granted should be strictly regulated.


Design Decision: TMR will nominate users requiring Domain Administrator access in the domain.

    Rationale – TMR will determine the users that require Domain Admin access for on-going
support of the AD solution. (TAAA-029, TAAA-052)
Design Decision: Every support person who needs elevated privileges to perform specific tasks must
use a second administrative account to perform these tasks.

     Rationale – It is recommended to log on with an account with Administrative privileges only
when required to perform administrative tasks. A normal user account should be used for all other
situations. (TAAA-027, TAAA-052, BAAA-014)
These users will log on with a normal network user account with restricted privileges. In order to
execute specific administrative tasks they will use a secondary credential through the Run As
command. This improves the security of the environment by protecting against malicious Trojans that
use the rights of the currently logged-on user to access the system. Furthermore, it helps to avoid
mistakes in day-to-day activities: if a user or administrator executes a task that they should not, the task
will not be performed because of the restricted access of their logged-in user account. [10]
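The decisions in 5.1.9.2 and 5.1.9.4 are easy to check on a schedule. The following is an added example (not TMR's code) that reports members of Enterprise Admins and Schema Admins, and any Domain Admins member that is not a dedicated "_da" account in the 5.1.8.2 format. The membership snapshot is constructed; the Get-ADGroupMember feed and the exclusion of the built-in Administrator account are assumptions.

```powershell
# Added example, not from the TMR design document: audits the privileged group
# decisions in 5.1.9.2 and 5.1.9.4 - Enterprise Admins and Schema Admins stay empty
# outside an approved change, and every Domain Admins member is a dedicated "_da"
# account in the 5.1.8.2 format rather than a day-to-day user account. The membership
# snapshot is constructed; the commented Get-ADGroupMember line is the assumed live
# feed, and skipping the built-in Administrator account is my assumption.

function Test-TmrPrivilegedGroups {
    param(
        # Hashtable of group name -> array of member SamAccountNames (direct and nested).
        [Parameter(Mandatory)][hashtable]$Membership
    )
    $findings = @()

    # 5.1.9.2: these two groups must have no members between approved changes.
    foreach ($group in 'Enterprise Admins', 'Schema Admins') {
        $members = @($Membership[$group] | Where-Object { $_ })
        if ($members.Count -gt 0) {
            $findings += [pscustomobject]@{
                Group  = $group
                Member = ($members -join ', ')
                Issue  = 'Group must be empty unless a change has been approved (BAAA-014, BAAA-016)'
            }
        }
    }

    # 5.1.9.4: Domain Admin members must be secondary "_da" accounts, i.e. first initial,
    # middle initial, up to five letters of surname, then "_da" (e.g. JABlogg_da).
    foreach ($member in @($Membership['Domain Admins'] | Where-Object { $_ })) {
        if ($member -eq 'Administrator') { continue }   # built-in account (assumption: reviewed separately)
        if ($member -notmatch '^[A-Za-z]{2}[A-Za-z]{1,5}_da$') {
            $findings += [pscustomobject]@{
                Group  = 'Domain Admins'
                Member = $member
                Issue  = 'Not a dedicated _da administrative account; use a secondary account (TAAA-027)'
            }
        }
    }
    return $findings
}

# Constructed membership snapshot (names invented, not TMR accounts).
$SampleMembership = @{
    'Enterprise Admins' = @()
    'Schema Admins'     = @('JABlogg_da')                             # left populated after a change
    'Domain Admins'     = @('Administrator', 'JABlogg_da', 'jsmith')  # jsmith is a day-to-day account
}
# Live use (assumed): per group, (Get-ADGroupMember -Identity $group -Recursive).SamAccountName

Test-TmrPrivilegedGroups -Membership $SampleMembership | Format-Table -AutoSize
```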

5.1.9.5 Delegated Administrators
In the future, the new environment will be administered by the Server operations team. At present, the
whole group will have the same administrator privileges; there is no differentiation between the roles
performed by the support team. This means all of the support team would have the Domain Admin
privileges in the new environment.
The current model is not recommended going forward, due to the high level of privileges available to
all administrative users. It is recommended that the Domain Administrator rights be allocated to a
restricted number of people, and the access of the accounts be managed (i.e. not utilised on a daily
basis).
While administrative delegation is not within the scope of this document, the detailed design phase
will define and outline these delegation requirements.




[10] For further information refer to “Local User and Group Best Practices”.





5.1.9.6 Group scope
Each security and distribution group has a scope that identifies the extent to which the group is applied
in the domain tree or Forest. There are three different scopes: universal, global, and domain local [11].

5.1.9.7 Microsoft Recommended Strategy
Microsoft has several recommended group strategies depending on the environment. In the case of a
large number of domains, Microsoft usually recommends the A G U DL P strategy, which means:
Accounts inside a Global Group, Global Groups inside a Universal Group, Universal Groups inside a
Domain Local Group, Domain Local Groups inside a Local Group (at the resource), and the respective
permissions are applied to the Local Group. This is a good strategy when the company has many
domains.

5.1.9.8 TMR Group Strategy
A single domain environment, like Corporate AD, suggests the use of the Microsoft strategy A → G
→ DL → P, which makes the administrative process easier and the user logon process faster by
avoiding the use of Universal Groups in all operations.




                                              Figure 5-6 - TMR Group Strategy




Design Decision: The TMR group strategy will be A G DL P

     Rationale – This approach follows Microsoft best practices designed to help the definition and
management of access to resources within a single domain. As TMR's environment is a single
forest/domain there is no need to use groups with a universal scope. (BAAA-004, TAAA-005)
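As an added example (not TMR's code), the following check applies the A G DL P decision to a set of group objects: accounts may only sit in Global groups, Global groups only in Domain Local groups, permissions must be granted to a Domain Local group, and no Universal group may exist in the single Corporate domain. The group list is constructed and follows the 5.1.8.3 naming convention; a live feed from Get-ADGroup and Get-ADGroupMember is assumed.

```powershell
# Added example, not from the TMR design document: checks groups against the
# A G DL P decision in 5.1.9.8. Input is a constructed list of group objects; live
# data would come from Get-ADGroup / Get-ADGroupMember (assumed). Any member name not
# found among the groups is treated as an account.

function Test-TmrAgdlp {
    param(
        # Objects with Name, Scope (Global | DomainLocal | Universal) and Members
        # (member names: users are SamAccountNames, groups are group names).
        [Parameter(Mandatory)][object[]]$Groups,
        # Names of groups that appear directly in resource ACLs (the "P" step).
        [string[]]$AclGroups = @()
    )
    $byName = @{}
    foreach ($g in $Groups) { $byName[$g.Name] = $g }
    $findings = @()

    foreach ($g in $Groups) {
        if ($g.Scope -eq 'Universal') {
            $findings += [pscustomobject]@{ Group = $g.Name; Member = $null
                Issue = 'Universal scope is not used in the single Corporate domain (TAAA-005)' }
        }
        foreach ($m in @($g.Members | Where-Object { $_ })) {
            $memberScope = if ($byName.ContainsKey($m)) { $byName[$m].Scope } else { 'Account' }
            $ok = switch ($g.Scope) {
                'Global'      { $memberScope -eq 'Account' }   # A -> G
                'DomainLocal' { $memberScope -eq 'Global' }    # G -> DL
                default       { $false }
            }
            if (-not $ok) {
                $findings += [pscustomobject]@{ Group = $g.Name; Member = $m
                    Issue = "$memberScope member is not allowed in a $($g.Scope) group under A G DL P" }
            }
        }
    }

    # DL -> P: permissions are applied to the Domain Local group, never to G or to accounts.
    foreach ($acl in $AclGroups) {
        $scope = if ($byName.ContainsKey($acl)) { $byName[$acl].Scope } else { 'Unknown' }
        if ($scope -ne 'DomainLocal') {
            $findings += [pscustomobject]@{ Group = $acl; Member = $null
                Issue = "Permissions should be applied to a Domain Local group, not a $scope group" }
        }
    }
    return $findings
}

# Constructed sample following the 5.1.8.3 naming convention (not TMR data).
$SampleGroups = @(
    [pscustomobject]@{ Name = 'GG_EIS';                  Scope = 'Global';      Members = @('JABlogg', 'jsmith') }
    [pscustomobject]@{ Name = 'DL_EIS_SharePointPortal'; Scope = 'DomainLocal'; Members = @('GG_EIS', 'rjones') }  # rjones added directly
    [pscustomobject]@{ Name = 'UG_AllStaff';             Scope = 'Universal';   Members = @('GG_EIS') }             # Universal group
)
Test-TmrAgdlp -Groups $SampleGroups -AclGroups 'DL_EIS_SharePointPortal', 'GG_EIS' | Format-Table -AutoSize
```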

5.1.10 Antivirus
The Corporate AD design does not have unique anti-virus requirements. It is assumed that existing anti-
virus standards and processes are adequate to support the TMR Active Directory infrastructure. This is
currently being done successfully in production for the existing corporate.local domain.


[11] “Group scope” http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx





5.1.11 Remote Access Authentication
TMR's Remote Access Architecture provides users with the ability to remotely access resources and
data from outside the corporate network. Internet Broadband Connect (IBC), Wireless Broadband
Connect (WBC) and PSTN Dial-in services are provided and include the issuing of an RSA token to
the approved individual.
The solution provides the end user with two-factor authentication via the Cisco ACS (RADIUS server).
No enterprise Directory Service - Novell eDirectory or Active Directory - is utilised as an authority for
remote access.

[Diagram: QT Remote Access (author: Julian Richardson). Labels recovered from the figure: WBC Users and
IBC Users on QT/MR SOE Laptops; Internet; Telstra NextG Wireless Network (TELSTRA NETWORKS), APN
wb.qdot.qld.gov.au; Telstra IP WAN; VPN Concentrator SHOCVC01 (Cisco VPN 3000 Concentrator Series);
RAS Firewall (SHOCFW02); Cisco ACS; QT/MR Network RSA Authentication; Dial-in Users; Dial-in Router at
each DO and Citec; Sun083 – Primary RSA/ACE Server; Sun081 – Replica RSA/ACE Server. Legend: RSA
(user) Authentication; User data traffic.]
       QT Remote Access Architecture                                                Date: 01/11/2007                                                                                                                                                                                                                                         Architecture
                                                                                                                                                                                                                                                                                                                                                                                                                       A B
                                                                                                                                                                                                                                                                                                                                                                A - Original created. jzricha             06/07/2007




                                              Figure 5-7- QT Remote Access Architecture




As illustrated in the figure above, Directory Services is not a dependency of the existing remote access
architecture. As there are no dependencies between directory services and the remote access
architecture, the integration of Active Directory is not required. (TSAA-016)




Department of Transport and Main Roads                    Milestone 2B – High Level Active Directory Design                                                                                                                                                                                                                                                                                                        Page 41 of 89
Design and Proof of Concept for AD & ILM
Supported by the Queensland Government Microsoft Services Provision Fund




5.2 High Level Network Infrastructure
Understanding the physical network structure of Transport and Main Roads is crucial to the accurate
design of an Active Directory. The network topology shapes decisions of the Active Directory
design, such as the Site Topology, Site Replication, Domain Controller Placement, Global Catalog
Placement, and many other aspects of the logical and detailed design process.

5.2.1       Enterprise WAN Data Network
[Figure 5-8 diagram: sites grouped by district around a central Telstra IP WAN cloud, with the Spring Hill Office Complex (SHOC) and CITEC as the hubs. Site groups shown: Cloncurry / Mt Isa; Cairns; Townsville; Emerald; Barcaldine; Roma; Toowoomba; Warwick; Mackay; Rockhampton; Bundaberg; Gympie / Sunshine Coast; Metropolitan WAN Sites; Logan; Nerang / Gold Coast; Beaudesert; plus an ADSL Interconnect (for more information on the Untrusted ADSL Network see the ADSL Network Diagram) and a MAN (for more information on the MAN Network see the MAN Network Diagram). Legend: 512 Kbps Frame Proxy; 512 Kbps GBIP; 1,024 Kbps GBIP; 2,048 Kbps GBIP; 2,048 Kbps Frame Proxy; 4 Mbps GWIP; 10 Mbps GWIP; 20 Mbps GWIP; 100 Mbps Ethernet; 100 Mbps GWIP; Gigabit Fibre; ADSL Connection; Wireless Link; Managed Ethernet; Private Fibre. Note on the diagram: "This is a diagrammatic representation of the QT/MR WAN Network and was created from the Sitemaster Document. For more detailed information refer to the Sitemaster Document. Updated on the 9th of September 2009." Author: Timothy Dunning, Ver 1.8.]

                                        Figure 5-8 - TMR Enterprise WAN DATA Network Diagram







The following are observations made regarding TMR's Enterprise WAN Data Network structure,
which is represented in Figure 5-8:
     •   The cloud represents a Telstra hosted Government Wideband IP (GWIP) and Government
         Business IP (GBIP) / (BDSL or Frame proxy) network. The SDH network backbone uses the IP
         protocol augmented with MPLS routing;
              o GWIP - wideband IP services for Government; access ranges from 2Mbps to 1Gbps
                 and is usually delivered by fibre (Ethernet).
              o BDSL - Telstra term for G.SHDSL.
     •   All sites are a single hop from the Spring Hill Office Complex or the CITEC Office.
     •   In the Metropolitan Network Area all site links are 1Gbps connections.
              o Exceptions to this rule are Mary St, Leichardt St, and 295 Ann St, which have 100Mbps
                 network speed.
     •   All Brisbane and Gold Coast Sites attach to the Telstra GWIP and have 4Mbps network speed.
     •   All District Offices attach to the Telstra GWIP and have 10Mbps network speed.
     •   All Regional sites attach to the Telstra GBIP and have 2Mbps network speed.
     •   All Small (Satellite) Sites attach to the Telstra GBIP and have 256Kbps – 1536Kbps network
         speed.
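As an added worked example, not part of the design document or its authors' material, the following Python turns the bandwidth tiers listed in the observations above into Active Directory site-link costs. Section 5.2 says the network topology shapes site topology and replication design but does not state a costing method; the formula used here is the commonly cited Microsoft heuristic cost = 1024 / log10(available bandwidth in Kbps), which the document itself does not mention. The hub site name, the tier labels and the sample classification of individual sites are assumptions.

```python
"""Added worked example (not from the design document): derive Active Directory
site-link costs from the WAN bandwidth tiers observed in section 5.2.1.

Costing method (a widely cited Microsoft heuristic, not the document's own):
    cost = 1024 / log10(available bandwidth in Kbps)
It yields a ranking in which inter-site replication prefers faster links.
"""
import math

# Bandwidth per site class, in Kbps, as stated in the 5.2.1 observations.
# Where the page gives a range (256Kbps - 1536Kbps) the lower bound is used so
# the resulting cost is conservative. The class labels are ours.
WAN_TIERS_KBPS = {
    "Metropolitan (1Gbps)": 1_000_000,
    "Metropolitan exception (100Mbps)": 100_000,
    "District Office (GWIP 10Mbps)": 10_000,
    "Brisbane/Gold Coast (GWIP 4Mbps)": 4_000,
    "Regional (GBIP 2Mbps)": 2_000,
    "Small/Satellite (GBIP 256Kbps)": 256,
}

# Assumed AD site name for the hub; the diagram shows every site one hop from
# the Spring Hill Office Complex or CITEC.
HUB_SITE = "Spring-Hill-Office-Complex"


def site_link_cost(bandwidth_kbps: int) -> int:
    """Replication cost for a link of the given bandwidth (higher = less preferred).

    log10 means a tenfold bandwidth increase lowers the cost by a fixed step,
    so slow satellite links stay clearly above district and metro links
    without the numbers growing unboundedly.
    """
    if bandwidth_kbps <= 1:
        raise ValueError("bandwidth must exceed 1 Kbps")
    return round(1024 / math.log10(bandwidth_kbps))


def cost_table(tiers=WAN_TIERS_KBPS):
    """Return [(tier, kbps, cost)] ordered from cheapest (fastest) to dearest."""
    rows = [(name, kbps, site_link_cost(kbps)) for name, kbps in tiers.items()]
    return sorted(rows, key=lambda row: row[2])


def hub_spoke_site_links(sites_by_tier, hub=HUB_SITE, tiers=WAN_TIERS_KBPS):
    """Build one hub-to-spoke site-link definition per site.

    sites_by_tier maps an AD site name to one of the tier labels above. Each
    result dict carries the values a practitioner would pass to
    New-ADReplicationSiteLink (link name, the two sites, and the cost).
    """
    links = []
    for site, tier in sorted(sites_by_tier.items()):
        links.append({
            "name": f"{hub}--{site}",
            "sites": (hub, site),
            "cost": site_link_cost(tiers[tier]),
        })
    return links


def spoke_to_spoke_cost(site_a, site_b, sites_by_tier, tiers=WAN_TIERS_KBPS):
    """Path cost between two spokes, which can only be reached via the hub.

    Because every site is a single hop from the hub, replication between two
    non-hub sites always traverses two site links; the path cost is their sum.
    """
    return (site_link_cost(tiers[sites_by_tier[site_a]])
            + site_link_cost(tiers[sites_by_tier[site_b]]))


if __name__ == "__main__":
    # Constructed sample classification of three sites named in the diagram;
    # the real classification would come from the Sitemaster Document.
    sample_sites = {
        "Townsville-District-Office": "District Office (GWIP 10Mbps)",
        "Bowen-CSC": "Regional (GBIP 2Mbps)",
        "Winton-QGAP": "Small/Satellite (GBIP 256Kbps)",
    }
    for name, kbps, cost in cost_table():
        print(f"{name:38s} {kbps:>9d} Kbps  cost {cost}")
    for link in hub_spoke_site_links(sample_sites):
        print(link)
    print("Bowen-CSC <-> Winton-QGAP via hub:",
          spoke_to_spoke_cost("Bowen-CSC", "Winton-QGAP", sample_sites))
```

The ordering matters more than the absolute numbers: with a strict hub-and-spoke WAN the KCC has only one path between any pair of spokes anyway, so the costs mainly govern which spoke links replication falls back to when a bridgehead is unavailable, and they give a consistent basis for later decisions on replication intervals and on whether a site warrants its own domain controller or global catalog.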








5.2.2      Enterprise ADSL Network
[Figure 5-9 diagram: "DTMR Enterprise ADSL Data Network" (author Timothy Dunning, Ver 1.5, updated 31 August 2009). Legend: 1,500 Kbps ADSL Type 3; 24 Mbps ADSL Type 3; 10 Mbps GWIP; 100 Mbps GWIP; Gigabit Fibre. The diagram shows district and site offices attached to the Telstra RAS Private IP ADSL WAN; all ADSL connections go through one GWIP line to the Spring Hill Office Complex (SHOC Firewall 2) and then to the Enterprise Network and CITEC. The diagram is a representation of the QT/MR WAN network, not a precise diagram of it; the WAN and MAN network diagrams give more information on those networks.]

                                                                 Figure 5-9 - Enterprise ADSL Network Diagram

The following are observations of the ADSL Network which is represented in Figure 5-9:
        • The cloud represents a Telstra hosted ADSL Type 3 network. The SDH network backbone
         uses IP protocol augmented with MPLS routing;
               o ADSL Type 3 - business grade broadband service, providing high-speed data services
                  with symmetric upstream and downstream data transfer. Speeds utilised by Transport
                  and Main Roads are 1.5Mbps and 24Mbps.
               o All sites are a single hop to Spring Hill Office Complex.
               o All sites are two hops to CITEC, through the Spring Hill Office Complex Gigabit fibre
                  connection.







5.2.3          Enterprise Metropolitan Data Network
[Figure 5-10 diagram: "DTMR Enterprise MAN Data Network" (author Timothy Dunning, Ver 1.1, updated 31 August 2009). Legend: 10 Mbps GWIP; 100 Mbps GWIP; Gigabit Fibre; Backup Gigabit Fibre. The diagram shows the Telstra IP WAN and the Telstra RAS Private IP Network, CITEC, the Spring Hill Office Complex (with the SHOC ADSL Interconnect) and the metropolitan sites: Brunswick St, 183 Wharf St, Ann St, Transport House, 420 George St, Oxygen, Mineral House, 239 George St, BMTMC, Dickens St, Capital Hill, Queen St and 400 Boundary St, with Hawthorn St, 196 Wharf St, Zurich House and Nathan Depot behind 183 Wharf St. The diagram is a representation of the QT/MR WAN network, not a precise diagram of it; the WAN and ADSL network diagrams give more information on those networks.]

                                                                   Figure 5-10 - Metropolitan Area Network Diagram

The following are observations of the Metropolitan Area Network which is represented in Figure 5-10:
           • The two clouds represent the same Telstra networks defined in the previous sections.
                      o Telstra IP WAN (Enterprise WAN DATA Network) – a Telstra hosted Government
                         Wideband IP (GWIP), and Government Business IP (GBIP) / (BDSL or Frame proxy)
                         network. The SDH network backbone uses IP protocol augmented with MPLS
                         routing.
                      o Telstra RAS Private IP Network (Enterprise ADSL Network) - a Telstra hosted ADSL
                         Type 3 network. The SDH network backbone uses IP protocol augmented with MPLS
                         routing.
           • The Spring Hill Office Complex site has connections to both Telstra IP Networks.
           • All Metropolitan sites listed have Gigabit Fibre connections to SHOC.
           • All Metropolitan sites have backup links to CITEC.
           • Four sites (Hawthorn St, 196 Wharf St, Zurich House and Nathan Depot) are child sites of 183
            Wharf St.
                      o They connect to both SHOC and CITEC by routing through the 183 Wharf St site.








5.3 Network Services (DNS, DHCP, WINS)
5.3.1      DNS
The Domain Name System (DNS) is a hierarchical naming system for computers, services, or any
resource connected to the Internet or a private network. As stated in the conceptual design, the DNS
service will be installed on Active Directory domain controllers. Active Directory-Integrated DNS
zone data will be automatically replicated to all domain controllers using Active Directory replication.
Clients will be configured to reference internal DNS servers as the primary and secondary servers.

5.3.1.1 Summary
This section briefly reflects on some decisions made in the conceptual design phase.
The DNS role will be installed on all Active Directory domain controllers. DNS zone data will be
automatically replicated to all domain controllers using Domain-wide Active Directory replication.
Clients will be configured to reference internal DNS servers.
The Corporate.local DNS zone will be stored as Active Directory-Integrated DNS zones (configured
to permit secure updates only), allowing for dynamic updates to all servers (from clients) and a high
degree of fault tolerance.
Requests for External (Internet) addresses to Active Directory-Integrated DNS will be resolved using
standard DNS forwarding to the QDOT BIND-DNS servers, which are configured to forward
unresolved queries to the External DNS services. The External DNS servers will then perform a
recursive lookup on behalf of the clients, negating the need for clients to access the internet directly
for lookups.
The ‘Figure 4-4 – Logical DNS Topology’ below illustrates how DNS clients in different tiered sites
(explained in Section 5.1.6.1 – “Site Categorisation”) will query their closest DNS server(s); it also
shows the expected conditional forwarding flow between authoritative DNS servers of the different
internal (private) zones and external zones.




[Figure 5-11 diagram: Logical DNS Topology. Columns: EXTERNAL (Internet, External DNS); DMZ (DMZ BIND-DNS); Tier 1 Sites (QDOT BIND-DNS, Police.qmail.qld.gov.au, extranet.local); Tier 2 – 3 Sites and Tier 4 Sites (corporate.local Active Directory-Integrated DNS, with preferred and alternate servers). Forwarded queries flow from the Active Directory-Integrated DNS servers to QDOT BIND-DNS, then to the DMZ BIND-DNS and External DNS; a DNS configuration update flows to QDOT BIND-DNS. Legend: Conditional Forwarding; BIND-DNS Configuration update; Preferred DNS Server; Alternate or Secondary DNS Server; Active Directory-Integrated DNS; BIND-DNS Infrastructure.]

                                                                                                    Figure 5-11 - Logical DNS Topology


5.3.1.2 Integration with existing DNS
This section is focused on the integration of the internal (private) DNS namespaces. It describes how queries for corporate.local will be handled by the QDOT
DNS services, and how queries for qdot.qld.gov.au and other internal (private) namespaces which are external to the Active Directory-Integrated DNS zones will
be handled by the corporate.local DNS services. The logical view of the DNS topology shown in ‘Figure 5-11 - Logical DNS Topology’ assists in
demonstrating this.
Design Decision: All corporate.local Active Directory-Integrated DNS servers will be authoritative for the corporate.local namespace only.

      Rationale – This supports decisions made in the conceptual design to utilise Active Directory-Integrated DNS for the Domain controller locator, Active Directory
domain names, and Active Directory DNS objects. Additionally it means that the Active Directory-Integrated DNS server is not required to host the non-AD
related DNS zones, instead passing the request to the QDOT BIND-DNS servers authoritative for that zone. Coexistence between the authoritative DNS servers is
facilitated via conditional forwarding.




5.3.1.2.1 Forwarding
Windows Server 2008 has mechanisms through which external queries to the local DNS domain can
be resolved. Unresolved DNS queries can be handled by the following forwarder mechanisms:
     • Standard Forwarders (All other DNS domains) - Forward all queries that cannot be resolved
     locally to another designated DNS server(s).
     • Conditional Forwarding – Provides granular control for name resolution over the traditional
     “standard (unconditional) forwarders” mechanism. Conditional forwarding provides directed and
     controlled DNS queries to specific DNS domains.
As stated in the previous design decision, “All corporate.local Active Directory-Integrated DNS
servers will be authoritative for the corporate.local namespace only”. Therefore, in the event that a local
DNS server cannot resolve a name resolution query for a client, the DNS server may forward that
request to another DNS server for resolution; this is achieved through conditional forwarding.
Design Decision: The corporate.local forest root DNS servers will use conditional forwarding in
response to DNS queries for internal (private) namespaces hosted by QDOT BIND-DNS.

     Rationale – Using conditional forwarding is an efficient method of resolving DNS queries for
zones hosted on another server. Using conditional forwarding means that the AD DNS server is not
required to host the non-AD related DNS zones, instead passing the request to the QDOT BIND-DNS
servers authoritative for that zone. (TAAA-057, TAAA-067)
Design Decision: The QDOT BIND-DNS servers will use conditional forwarding in response to
DNS queries for the corporate.local namespace hosted by Active Directory-Integrated DNS servers.

     Rationale – Using conditional forwarding means that the QDOT BIND-DNS server is not
required to host the AD related DNS zones, instead passing the request to the Active Directory-
Integrated servers authoritative for corporate.local. (TAAA-057, TAAA-067)

        • Note: The list of authoritative servers in the forwarding rules will need to be maintained by
         Network Services if the authoritative list of DNS servers changes.

Design Decision: The corporate.local forest root DNS servers will use standard forwarding to QDOT
BIND-DNS in response to all other DNS domain queries that cannot be resolved locally, or if a
conditional forwarding rule does not exist.

     Rationale – This will ensure that queries to all other DNS domains, which are not covered by a
specific conditional forwarding rule, will be managed correctly through the existing DNS
infrastructure. (BAAA-001, TAAA-057)
As illustrated in “Figure 5-12 - Conditional Forwarding Examples”, when corporate.local is queried for
an external DNS namespace, such as the internet (www.google.com), the query will be forwarded to the
QDOT BIND-DNS located in the central site (SHOC). This integrates with the existing DNS
infrastructure, which forwards internet queries to the External DNS servers to resolve via a recursive lookup
on behalf of the clients.
As with the previous example; any DNS query directed at corporate.local for internal (private)
namespaces, such as qdot.qld.gov.au (server.qdot.qld.gov.au), will be conditionally forwarded to the
QDOT BIND-DNS located in the central site (SHOC) and will be resolved by these servers.




Department of Transport and Main Roads   Milestone 2B – High Level Active Directory Design     Page 48 of 89
DNS queries directed at corporate.local for the locally hosted Active Directory-Integrated zone will be
resolved locally and as a result will not be forwarded on.
The conditional and standard forwarding rules on the corporate.local DNS servers, as shown in
Figure 5-12, are:

    Domain Name             Forwarder IP Addresses
    qdot.qld.gov.au         165.240.0.77, 165.240.227.77, 165.240.4.22, 165.240.4.23
    transport.qld.gov.au    165.240.0.77, 165.240.227.77, 165.240.4.22, 165.240.4.23
    mainroads.qld.gov.au    165.240.0.77, 165.240.227.77, 165.240.4.22, 165.240.4.23
    streams.its             165.240.0.77, 165.240.227.77, 165.240.4.22, 165.240.4.23
    Other DNS domains       165.240.0.77, 165.240.227.77, 165.240.4.22, 165.240.4.23

[Figure 5-12 diagram: the CORPORATE DNS Servers (corporate.local) answer shocdc01.corporate.local
from the local zone, and pass www.google.com and server.qdot.qld.gov.au to the QDOT BIND-DNS
Servers (qdot.qld.gov.au, transport.qld.gov.au, mainroads.qld.gov.au, streams.its, *.*); CITEC DNS
and the INTERNET are shown beyond the QDOT servers.]

                                              Figure 5-12 - Conditional Forwarding Examples


5.3.1.3 Server Placement
The placement of DNS servers will be dictated by the domain controller placement policy, as the DNS
role is installed and configured on each Corporate AD Domain Controller (refer to Section 5.1.3 –
“Domain Controller Placement”).
Design Decision: The DNS Service will be installed on all Corporate.local domain controllers.

     Rationale – Enabling and configuring the DNS role on all Domain Controllers provides a highly
scalable and available DNS service to support the Corporate AD environment. There are additional
benefits in enabling DNS services on all domain controllers and enabling Active Directory-integrated
DNS zones. (BAAA-012, TAAA-068, BAAA-014)

    Note: There are security considerations that need to be adhered to when installing DNS
    services on a domain controller, for both the standard and Active Directory-Integrated DNS
    server service.12

12 For further reference see "Security information for DNS",
http://technet.microsoft.com/en-us/library/cc783606(WS.10).aspx


5.3.1.4 Availability
Microsoft Windows Server 2008 DNS allows zone data to be stored in the directory and automatically
replicated to other domain controllers. This can occur on a per domain basis or across all domain
controllers in the forest. Active Directory supports multi-master replication which enables an Active
Directory-integrated DNS zone to be updated on any domain controller that hosts the zone. This
ensures there is no single point of failure.
Design Decision: Active Directory-integrated DNS zones with domain-wide replication will be
implemented for both forward and reverse lookup zones.

     Rationale – The benefits of this configuration are realised in the security and efficiency of DNS
replication, by leveraging Active Directory replication mechanisms, and in the elimination of single
points of failure. It is the default setting for DNS zone replication in Windows Server 2008. (BAAA-
012, TAAA-068)

5.3.1.5 Dynamic DNS
Active Directory integrated zones can be configured for manual update, dynamic update, or secure
update. Access Control Lists (ACLs) specify the list of groups or users allowed to update resource
records in such zones. This prevents unauthorised users from making changes to a zone or record in an
attempt to compromise the normal operating environment.
Dynamic updates alone can be viewed as a security risk because they allow any client to register any
record. To mitigate this risk, secure dynamic updates can be introduced on Active Directory-integrated
zones ensuring only authenticated clients can register records.
Design Decision: The “Secure only” dynamic update option will be implemented on all DNS zones
(forward and reverse).

     Rationale - Non-secure updates pose a significant security risk as they allow updates from un-
trusted sources. Configuring a DNS zone to allow only secured updates ensures that DNS records are
only updated by the appropriate user or system. (BAAA-014, BAAA-015)
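The "Secure only" decision above, as an audit-and-enforce script. This is an added example and is not part of the TMR design document. It assumes the DnsServer PowerShell module (shipped with Windows Server 2012 and later and with RSAT); on Windows Server 2008 the same per-zone setting is made with dnscmd /Config <ZoneName> /AllowUpdate 2 or in Zone Properties > General > Dynamic updates. The function names are hypothetical.

```powershell
# Added example (not from the TMR design document): audit every primary zone on a DNS server
# for the "Secure only" dynamic update setting of design decision 5.3.1.5, and enforce it.
# Assumes the DnsServer module; run on a corporate.local domain controller hosting DNS.

function Get-ZoneUpdatePolicy {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Primary zones only: secondary, stub and forwarder zones do not accept updates, and the
    # auto-created zones (0., 127. and 255.in-addr.arpa) are not in scope of the decision.
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        Select-Object ZoneName, IsReverseLookupZone, IsDsIntegrated, ReplicationScope, DynamicUpdate,
            @{ n = 'Compliant'; e = { $_.IsDsIntegrated -and $_.DynamicUpdate -eq 'Secure' } }
}

function Set-SecureOnlyUpdates {
    param([string]$ComputerName = $env:COMPUTERNAME, [switch]$WhatIf)
    $nonCompliant = Get-ZoneUpdatePolicy -ComputerName $ComputerName | Where-Object { -not $_.Compliant }
    foreach ($zone in $nonCompliant) {
        if (-not $zone.IsDsIntegrated) {
            # "Secure only" exists only for Active Directory-integrated zones, so a file-backed
            # primary zone is first converted (domain-wide replication, as in 5.3.1.4).
            ConvertTo-DnsServerPrimaryZone -ComputerName $ComputerName -Name $zone.ZoneName `
                -ReplicationScope Domain -Force -WhatIf:$WhatIf
        }
        Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $zone.ZoneName `
            -DynamicUpdate Secure -WhatIf:$WhatIf
    }
}

# Report first, then enforce on the zones that are not yet "Secure only".
Get-ZoneUpdatePolicy | Format-Table -AutoSize
Set-SecureOnlyUpdates -WhatIf   # drop -WhatIf to apply the change
```

With secure-only updates the principal that first registers a name owns the record; a rebuilt host with the same name cannot overwrite it until the stale record is removed or scavenged, so this setting is normally paired with zone aging and scavenging.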

5.3.1.6 DNS Hierarchy and Client Queries
The typical behaviour of a DNS server, when a client queries for a name that is unknown, is to
perform a recursive query against internet root DNS servers (Microsoft Windows Server 2008 DNS
provides recursive queries against "root hints"; root hints provide a list of authoritative Internet root
DNS servers). However, this default behaviour is not suitable for this design.
Design Decision: Root hints will be removed from Active Directory-Integrated DNS servers.

     Rationale - The Active Directory-Integrated DNS Server service is on a private network and an
internal DNS server will be set up as the forwarder for any unresolved query; therefore there is no
requirement for root hints. (TAAA-057)
The DNS hierarchy in the context of this document refers to the process of how DNS queries external
to the Active Directory forest are resolved. The DNS hierarchy provides controlled external name
resolution by limiting those DNS servers which contact the internet or other DNS servers external to
the forest.
Design Decision: Existing QDOT DNS services centrally located at SHOC will process all
unresolved DNS queries from Active Directory-Integrated DNS Services.

     Rationale – This caters for the requirement to utilise existing DNS services for the management of
workstations and non-AD hosted services. The existing QDOT DNS services will be responsible for
handling all unresolved queries; no configuration changes are required to the QDOT DNS services.
This includes resolving internal namespaces as well as forwarding externally to CITEC and other
services. (TAAA-057)

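The forwarder table of Figure 5-12 and the two 5.3.1.6 decisions (root hints removed, everything unresolved sent to the QDOT servers) implemented together on a corporate.local DNS server. This is an added example, not code from the TMR design document; it assumes the DnsServer PowerShell module (Windows Server 2012 and later, or RSAT; on Windows Server 2008 the equivalents are DNS Manager or dnscmd.exe). The zone names and addresses are those listed in Figure 5-12; the function names are hypothetical.

```powershell
# Added example (not from the TMR design document): configure the corporate.local forwarding
# hierarchy of Figure 5-12 and section 5.3.1.6. Assumes the DnsServer module; run on a DC.
$QdotBindDns        = '165.240.0.77', '165.240.227.77', '165.240.4.22', '165.240.4.23'   # Figure 5-12
$ConditionalDomains = 'qdot.qld.gov.au', 'transport.qld.gov.au', 'mainroads.qld.gov.au', 'streams.its'

function Set-CorporateForwarding {
    param([string[]]$Domains = $ConditionalDomains, [string[]]$Forwarders = $QdotBindDns)

    # One conditional forwarder zone per internal (private) namespace, stored in Active Directory
    # with domain-wide replication so every corporate.local DNS server carries the same rule set
    # and the list from the 5.3.1.2 Note is maintained in one place.
    foreach ($domain in $Domains) {
        if (Get-DnsServerZone -Name $domain -ErrorAction SilentlyContinue) {
            Set-DnsServerConditionalForwarderZone -Name $domain -MasterServers $Forwarders
        } else {
            Add-DnsServerConditionalForwarderZone -Name $domain -MasterServers $Forwarders `
                -ReplicationScope Domain
        }
    }

    # Standard forwarding for the "Other DNS domains" row. UseRootHint $false means a query the
    # QDOT servers cannot answer fails instead of being retried against the internet root servers.
    Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false
}

function Remove-RootHintsWhenForwarded {
    # Root hints are removed only because a forwarder handles every unresolved query (5.3.1.6).
    # Refuse to remove them if that precondition does not hold on this server.
    $fwd = Get-DnsServerForwarder
    if (-not $fwd.IPAddress) {
        throw 'No server-level forwarder configured; removing root hints would break external resolution.'
    }
    foreach ($hint in Get-DnsServerRootHint) {
        Remove-DnsServerRootHint -NameServer $hint.NameServer.RecordData.NameServer -Force
    }
}

function Test-CorporateForwarding {
    # Review view: every forwarder zone, the server-level forwarder, and the root hint count.
    $rows = Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Forwarder' } |
        Select-Object @{ n = 'Name'; e = { $_.ZoneName } },
                      @{ n = 'Forwarders'; e = { $_.MasterServers -join ', ' } }
    $fwd = Get-DnsServerForwarder
    @($rows) + [pscustomobject]@{ Name = '(all other domains)'; Forwarders = $fwd.IPAddress -join ', ' }
    "Root hints remaining: $((Get-DnsServerRootHint | Measure-Object).Count)"
}

Set-CorporateForwarding
Remove-RootHintsWhenForwarded
Test-CorporateForwarding
```

The QDOT BIND-DNS side is the mirror image: a forward-only zone for corporate.local pointing at the Active Directory-Integrated servers, maintained by Network Services as the Note in 5.3.1.2 requires.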
Design Decision: Domain Controller service records (SRV) will be created in QDOT BIND-DNS to
ensure that the Active Directory services can be found by computers attempting to locate a domain
controller.

     Rationale – As the solution is compliant with UNIX BIND-DNS Version 9.3.2-PA or later, SRV
records are supported in QDOT BIND-DNS. In cases where a QDOT BIND-DNS server is queried for
the Corporate AD, the SRV record will be used to locate a domain controller. (TAAA-067)
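One way to obtain the domain controller SRV records that the decision above places in QDOT BIND-DNS: export them from the Active Directory-integrated zones in BIND zone-file syntax so that Network Services loads exactly what the domain controllers registered. This is an added example, not part of the TMR design document. It assumes the DnsServer PowerShell module, that the forest root uses the default separate _msdcs.corporate.local zone, and uses the DC name shocdc01.corporate.local from Figure 5-12; the function name is hypothetical.

```powershell
# Added example (not from the TMR design document): emit the SRV records of the AD-integrated
# zones as BIND resource record lines, for loading into QDOT BIND-DNS (section 5.3.1.6).
# Assumes the DnsServer module. Owner and target names are written absolute (trailing dot)
# so the lines are correct whatever $ORIGIN the receiving zone file uses.
function Export-DcSrvRecords {
    param(
        [string]$DnsServer = 'shocdc01.corporate.local',                  # DC name from Figure 5-12
        [string[]]$Zones   = @('corporate.local', '_msdcs.corporate.local')
    )
    foreach ($zone in $Zones) {
        Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType Srv |
            ForEach-Object {
                $rd     = $_.RecordData                       # Priority, Weight, Port, DomainName
                $owner  = '{0}.{1}.' -f $_.HostName, $zone    # e.g. _ldap._tcp.dc._msdcs.corporate.local.
                $target = $rd.DomainName.TrimEnd('.') + '.'
                '{0,-60} {1,6} IN SRV {2} {3} {4} {5}' -f $owner, [int]$_.TimeToLive.TotalSeconds,
                    $rd.Priority, $rd.Weight, $rd.Port, $target
            }
    }
}

# Write a de-duplicated, sorted file for hand-over to Network Services.
Export-DcSrvRecords | Sort-Object -Unique | Set-Content -Path .\corporate-srv.zone
```

Because domain controllers re-register their SRV records every 24 hours (and on Netlogon restart), the export should be regenerated and diffed whenever a domain controller or site is added or removed, otherwise the copy in BIND silently drifts from what Active Directory advertises.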

5.3.1.7 Client Configuration
The DNS settings considered for client configuration include the DNS server lists and suffix search
list. It is expected these will be set and maintained on most clients via DHCP.
Design Decision: The DNS server lists will include at least two Active Directory-Integrated DNS
server IP addresses (applies to all clients i.e. workstations and servers). This will be provided by the
QDOT DHCP services.

     Rationale – Providing two DNS servers will offer some redundancy if a DNS server is offline.
The secondary server should be located in a different site, such as Polaris, to ensure that the DNS
service can survive a site/data centre failure.


Design Decision: The DNS suffix search list is populated by the QDOT DHCP services during IP
address allocation. The two entries will be corporate.local and qdot.qld.gov.au.

      Rationale – This will ensure that workstations are capable of quickly resolving records hosted in
the Active Directory-integrated DNS. The DNS suffix search list determines the search method used by
the client when it performs DNS queries for short, unqualified domain names. The default will be
corporate.local to ensure quick resolution of short names, and then qdot.qld.gov.au will be the next in
the list.
Clients configured to automatically obtain TCP/IP information will receive DNS server lists and suffix
search lists from the DHCP service (refer to section 5.3.2, “DHCP”).
Refer to "Figure 5-11 - Logical DNS Topology" to understand the way in which clients will query their
closest DNS server(s).

5.3.2 DHCP
The DHCP service is the primary mechanism in the delivery of IP address allocation services to
Transport and Main Roads. As defined in the conceptual design there will be no implementation of
DHCP roles as part of the Corporate AD design. This reflects Transport and Main Roads technical and
business requirements to coexist with the existing address allocation service.

5.3.2.1 Interoperability with DNS
Interoperability of DHCP with DNS is natively supported in Windows Server 2008. Windows Server
2008 DHCP services can perform dynamic updates (by default Host A and PTR records) in the DNS
namespace for any of its clients that support dynamic updates.
The QDOT DHCP servers are configured to update DNS records on behalf of clients in order to
provide automatic and secure registration of client Host A and PTR records into the QDOT DNS
system.

Design Decision: Dynamic update of Host A and PTR records in QDOT DNS for workstations will
continue to be performed by QDOT DHCP services.

     Rationale – This aligns with the requirement to coexist with the existing DHCP services hosted
by TMR. Dynamic updates will be performed via the present mechanism, so no additional
configuration is required.
Clients that support dynamic updates are:
    • Windows 2000.
    • Windows XP.
    • Windows Vista.
    • Windows 7.
    • Windows Server 2003.
    • Windows Server 2008.
There are two approaches to designing Windows Server 2008 DHCP dynamic updates:
    • DHCP dynamically updates DNS A and PTR records only if requested by the DHCP client
      (applies to clients which support dynamic updates).
    • The DHCP server always performs the update on behalf of the client. This is the current
      behaviour.
Design Decision: The default dynamic update behaviour will be implemented so that DHCP clients
initiate the request to dynamically update records (PTR and A) in AD DNS.

    Rationale – This is the default behaviour of Windows XP. The current workstation SDE is
Windows XP SP3; therefore the default behaviour will be retained. (TAAA-022)
[Figure 5-13 diagram: the DHCP client ("HostName"), the DHCP server and the DNS server, with the
numbered steps 1 IP lease request (client to DHCP server), 2 IP lease acknowledgment (DHCP server
to client), 3 DNS dynamic update of host (A) name, and 4 DNS dynamic update of pointer (PTR) name.]

                                              Figure 5-13 – DHCP and Dynamic DNS


5.3.2.2 Subnets
All subnets will be defined in Active Directory and associated with an Active Directory site. Detailed
subnet information will be available in Detailed Design.

    Note: Careful coordination with the Transport and Main Roads network components will be
    necessary throughout the life of the project to ensure Active Directory subnets are properly
    represented.


5.3.2.3 DHCP Relay Agents
No DHCP Relay Agents will be deployed in Transport and Main Roads environment since existing
DHCP services will be utilised.

5.3.3 WINS
Similar to DNS, the Windows Internet Naming Service (WINS) supports name resolution, i.e. the
automated conversion of computer names to network addresses, for Windows networks.
Specifically, the WINS service converts NetBIOS names to IP addresses on a LAN or WAN. WINS
is not required for deployment of Active Directory; it's mostly used to support legacy clients (Win 9x
and NT 4.0 Clients) and applications which access resources using NetBIOS names. It is an older
service that uses NetBIOS over TCP/IP (NetBT). WINS and NetBT do not support Internet Protocol
version 6 (IPv6) protocols; therefore, they are being phased out in many networks.
Design Decision: WINS roles will not be implemented on any domain controllers for the Corporate
AD.

     Rationale - Transport and Main Roads currently do not have any legacy dependencies on WINS
services or GlobalNames zones for NetBIOS resolution; therefore the role is not required.

5.3.4 NTP - Time Synchronisation
The Time Synchronisation service aims to provide an accurate reference time with which all clients
(Server and Workstation) can synchronise.
Design Decision: The use of the Network Time Protocol (NTP) protocol has been selected as the
preferred method for time synchronisation.

     Rationale - Clients (servers and workstations) will make use of NTP and rely on a single
centralised time source based on Coordinated Universal Time (UTC) using a Local System Clock
located in the Demilitarised Zone (DMZ). This time will be provided by a hierarchical architecture of
timeservers which is the default configuration when implementing Windows Server 2008 Active
Directory.

    • It's important to note that servers hosted on VMware are configured to use NTP and not the ESX
      host as time source, as this can cause problems with Domain Controllers.


5.3.4.1 Reference Clock Source
Reference clock sources provide time-dissemination services based on the Coordinated Universal
Time (UTC). National governments and other institutions typically provide these services to the
general public via a number of time sources, as listed below:
    • Internet (e.g. Melbourne University's NTP time source at ntp.cs.mu.oz.au)
    • Radio Time Service (e.g. Australian Broadcast Commission)
    • Satellite Time Service (e.g. Spectracom NetClock 9185 GPS)
    • Modem Time Service
    • Local System Clock (Time Server e.g. Router, Unix Server, Windows Server, etc)
Transport and Main Roads have an existing NTP infrastructure in place for production systems. It
consists of the following:
    • Two existing Stratum-1 time sources.
    • The Stratum-1 time sources (Time.qdot.qld.gov.au) acquire time from a Satellite Time Service
      (Stratum-0).
    • Transport and Main Roads uses Unix-based NTP Servers (Stratum-2) to provide time to all
      servers, workstations and all other network devices on the network.
The current time hierarchy implemented within the environment is capable of supporting the
Corporate AD based on the objectives and requirements provided by Transport and Main Roads.
Design Decision: Corporate AD Domain Controllers will synchronise time with 'Time.qdot.gov.au'
which is the local Reliable Time Source (Stratum-1). The Corporate AD Domain Controllers will
function as Stratum-2 time sources for all network devices which are members of the Corporate AD
domain.

     Rationale - This design decision is following Transport and Main Roads guiding principle to
capitalise on existing investments in network services. This service is sufficient to ensure Kerberos
authentication will function correctly; all members of domains and forests in a network should use the
same time source so that the time on all network computers is synchronised. (TAAA-064)

5.3.4.2 Windows Time Service
The Windows Time Service (W32Time) is used in a Windows network to synchronise time amongst
Windows clients. It is essential for security based services such as Kerberos to have clients and servers
synchronised appropriately as large discrepancies can cause authentication issues. The Windows Time
Service can use the following standard protocols:
    • Network Time Protocol (NTP) (default selection).
    • Simple Network Time Protocol (SNTP), a simplified version of NTP.
Design Decision: The Internet standard Network Time Protocol (NTP) will be used to synchronise
time.

     Rationale - NTP is the default time synchronisation protocol used by the Windows Time Service
in Windows Server 2008¹³. It is the preferred Internet standard protocol as it includes discipline
algorithms necessary to synchronise client clocks to the millisecond. The benefits of the NTP protocol
are:
    • Accurate to the millisecond,
    • Built in error management,
    • Offers complex filtering,
    • Increased stability over SNTP,
    • Authenticated Time Packets (when used in a domain model).
SNTP is a simplified version of the NTP time protocol. The primary difference between the two is that
SNTP does not have the error management and complex filtering systems that NTP provides.

5.3.4.3 Windows Time Hierarchy
There are a number of ways in which Windows Time Service can be established in a Windows Server
2008 network as detailed below:


    • A domain hierarchy synchronisation model (Default Windows Server 2008 behaviour).
    • A manually specified synchronisation model.

13 For further information refer to "Windows Time Service Architecture"

Design Decision: The default domain hierarchy synchronisation model will be implemented for the
purpose of time propagation throughout the environment.

     Rationale - A domain hierarchy synchronisation model is the default configuration when
implementing Windows Server 2008 Active Directory. This approach requires the least amount of
effort to implement as it is the default operational behaviour of Windows Server 2008.
A manually specified synchronisation model requires the configuration of an authoritative time source
for all Windows clients. The following Figure 5-14 illustrates a path of time synchronisation between
Windows clients in a domain hierarchy and the path for non-domain members:
[Figure 5-14 diagram: EXTERNAL: INTERNET, TIME.QLD.GOV.AU (stratum-1). INTERNAL NETWORK /
PRODUCTION NETWORK: UNIX NTP Servers (stratum-2); Server (non-domain member); Production Forest
containing the PDC Emulator, the corporate.local Domain Controllers and the Corporate Workstations.]

                                              Figure 5-14 - Time Synchronisation
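The domain hierarchy model decided on in 5.3.4.3, with the 5.3.4.1 decision that the domain's reliable time source is the external Stratum-1 server, expressed with w32tm.exe (present on Windows Server 2008). This is an added example and not part of the TMR design document. It uses the Stratum-1 name from 5.3.4.1, Time.qdot.qld.gov.au (the design decision in that section spells it Time.qdot.gov.au, so confirm the production name before use); the function names are hypothetical.

```powershell
# Added example (not from the TMR design document): implement the time hierarchy of 5.3.4.
# In the default domain hierarchy only the PDC emulator needs manual configuration; every other
# domain member follows the hierarchy (NT5DS). Assumes a domain-joined Windows Server host.
$Stratum1 = 'Time.qdot.qld.gov.au'    # Stratum-1 source named in 5.3.4.1; confirm before use

function Get-PdcEmulator {
    # FQDN of the domain controller holding the PDC emulator role (top of the time hierarchy).
    ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).PdcRoleOwner.Name
}

function Set-TimeHierarchy {
    param([string]$Source = $Stratum1)
    $self  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $isPdc = $self -ieq (Get-PdcEmulator)
    if ($isPdc) {
        # PDC emulator: take time from the external Stratum-1 source and advertise itself as
        # reliable so the other DCs choose it. 0x8 = client mode (plain NTP request/response).
        w32tm /config /manualpeerlist:"$Source,0x8" /syncfromflags:manual /reliable:yes /update
    } else {
        # All other DCs, servers and workstations: the default domain hierarchy (5.3.4.3).
        w32tm /config /syncfromflags:domhier /update
    }
    w32tm /resync /nowait
}

function Test-TimeSource {
    # Returns the source and stratum the Windows Time Service currently reports, for review.
    $source  = (w32tm /query /source) -join ''
    $stratum = ((w32tm /query /status | Select-String 'Stratum') -replace '.*Stratum:\s*', '')
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Source = $source; Stratum = $stratum }
}

Set-TimeHierarchy
Test-TimeSource
# Before go-live, compare every domain controller's offset against the PDC emulator:
w32tm /monitor /domain:corporate.local
```

The check matters because Kerberos rejects tickets when client and server clocks differ by more than the domain's maximum tolerance (5 minutes by default); on VMware-hosted domain controllers this configuration is only effective if, as the note in 5.3.4 requires, the guest takes time from NTP rather than from the ESX host.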



5.4 Test and Development
This section does not include the high level design of a Test or Development environment in TMR as
part of the implementation of the new Enterprise AD solution.
The envisaged target state for TMR is a single directory service to rationalise the complex replication
of directory information that currently occurs. To implement an additional Development directory
service(s) as part of this piece of work was deemed to be introducing additional complexity without
any short term benefits.
In the longer term it is recommended that Test and Development environments are designed and
implemented to support the target enterprise AD and provide a means for managing change and
mitigating risks.
Test and Development environments better equip TMR for the testing of changes to an Active
Directory implementation prior to applying to production. Test domains provide an environment for
testing potentially high impact infrastructure changes such as schema extensions, Group Policy
changes, and new security policies.

Depending on requirements, support for other types of testing may include:
    • Performance.
    • Stress.
    • Application.
    • Integration.
    • User Acceptance.
    • High Availability.
    • Disaster Recovery.
Best practice Development and Test environments are logically and physically isolated. This has
inherent complexities relating to access management of applications and systems which are only
accessible from the production network with production credentials. Production systems such as email
and the corporate intranet are not accessible from isolated development and test environments.
The Test and Dev environments would exist as separate Windows Server 2008 Active Directory
forests. Test and Dev must be implemented based on the corporate.local design; however the
requirements for availability will differ. In most cases Test and Dev environments are virtually hosted
to reduce costs and are scaled-down versions of the production environment, but are identical in
configuration.
To keep this configuration identical across the three environments, specific processes need to be put
in place. To get the most out of implementing additional environments, TMR will need to couple the
Test and Dev implementation with the development of an Active Directory environment lifecycle.
Details of this framework are not covered in this document.



6 Migration Approach
The main objective of a Migration Approach is to identify the viable migration options to reach TMR
Migration Milestones and to develop the best high level approach based on project scope, goals and
project requirements.


6.1 Background
Parallel to this project another TMR Active Directory project was undertaken by EI&S, to facilitate the
implementation of a SharePoint Server collaboration portal and a directory service solution in the TMR
production environment. The environment was introduced to provide authentication of external
customer and partner user access in the perimeter network zone. The design was based on the TMR
Conceptual Active Directory Design, supporting information provided by Avanade and TMR (captured
as business and technical requirements), industry best practices, and Avanade's comprehensive
experience developing similar environments, which this document itself reflects. The use of this
existing collateral facilitated the accelerated design and implementation of the SharePoint AD.
This background is relevant to this migration approach as the SharePoint AD design outlines that TMR
will have two separate Active Directory forests with one domain in each:
    • corporate.local - is the internal AD used for corporate staff accounts.
    • extranet.local - is the DMZ based directory service used for storing customer and partner
      accounts.
The corporate.local domain is the expected target starting point for the restructure and deployment
activities that are defined in this migration approach and the TMR Migration Milestones.


6.2 TMR Migration Milestones
The migration-related milestones that have been identified are:
    • TMR Sign-off of Active Directory Detailed Design and Migration Design documents – The
      development, validation and more importantly the sign-off of the key design documents for the
      enterprise Corporate Active Directory.
    • Deploy Corporate AD to Data Centre - The implementation of the Corporate AD design into
      the Data Centre resulting in Enterprise Active Directory Service Readiness.
    • Deploy Corporate AD to Pilot Site – The deployment of Corporate AD to the Pilot Site will
      mark the first instance where TMR users and workstations are completely migrated to
      Corporate AD and removed from the local Novell Services.
    • Deploy Corporate AD to all Production Sites – The deployment to all production sites will
      mark the beginning of the rolling deployment of Active Directory Infrastructure and AD Sites
      to replace the site's remote Novell Services, and the migration of users and workstations to
      Corporate AD.
These TMR Migration Milestones each achieve a particular objective but are all working towards the
goal of decommissioning Novell infrastructure.




6.3 Approach
This document has been developed using the following steps:
    • Review the High Level Active Directory Design sections.
    • Review TMR business drivers.
    • Identify the Coexistence Strategy for the Phased Migration.
    • Incorporate Avanade Connected Methods for Technology Infrastructure.
    • Make a decision on migration approach for TMR Migration Milestones.
    • Identify dependencies and assumptions.
    • Highlight TMR Priorities and Next Steps.


6.4 Migration Scope
As this document is aimed at a technical audience, it will focus on technical information and migration
options. Basic product documentation falls outside the scope of the Migration Approach.
The specific configuration and migration details of each component will not be defined in the Migration
Approach, as they will be specified in the detailed migration design stages of the Executing Phase.
Some examples of the scope of this document include:
In scope:
    • Phased migration approach
    • TMR migration milestones
    • Sequencing for the migration of services and functions
    • Decommissioning planning
    • Dependencies between migration activities
    • Devices managed in Novell eDirectory.

Out of scope:
    • Detailed Application Migration steps
    • Detailed migration steps
    • Product specific migration steps
    • Naming Conventions
    • Physical migration requirements
    • Roles and responsibilities
    • TMR's Tactical AD (CITEC)
    • TMR's SHOCAD
    • Change Management
    • Training


6.5 Requirements
The requirements provided by TMR to the Design & Proof of Concept for AD & ILM project have been
developed by the business, solution architects, solution working group and the steering committee, for
TMR users and with its businesses in mind.
Requirements have been comprehensively mapped in a separate document (refer to Requirements
Traceability Matrix). Applicable requirements will be referenced throughout this document by their
requirement IDs. There are several requirements that apply specifically to the migration, they are listed
below:




  Req. ID#   Item Description                                                          Requirement Type
                                                                                      (Business/Technical/Other)
  BAAA       Business Requirement
  BAAA-042   The solution will provide the basis for the consolidated Directory        Business
             services.
  BAAA-043   The completed migration will result in eDirectory being decommissioned.   Business
  TMAA       General / Environment
  TMAA-002   The migration approach will inform strategies to cater for Application    Technical
             Deployment Services.
  TMAA-011   The migration approach will provide a strategy for applications which     Technical
             are dependent on Novell eDirectory to be migrated to Active Directory.
  TMAA-012   The migration approach will provide a strategy for the migration of       Technical
             certificate services.
  TMAA-020   The migration approach will provide a strategy for the migration of       Technical
             existing workstation configuration policies.
  TMAA-021   The migration approach will provide a strategy to migrate the             Technical
             functionality of all existing login scripts.
  TMAA-024   The migration approach will provide a strategy for the migration of SOE   Technical
             Desktop Deployment services.
  TMAA-049   A phased approach to the migration of existing directory services is      Technical
             desired.
  TMAA-050   The migration approach will provide sequencing for the migration of       Technical
             services and functions from various eDirectory instances to Active
             Directory until eDirectory can be decommissioned.
                                          Table 10 - Migration Requirements



6.6 Migration Strategy Summary
The Migration Strategy describes the specific elements that will be migrated. It describes the current and
future environmental aspects of the migration and the sequence of events in which the elements will be
migrated.
The High Level Active Directory design determines what the enterprise Corporate AD will look like; the
next step is to understand how TMR can migrate the existing environment to the enterprise Corporate AD.
There are three components to planning the migration from Novell to Windows Server 2008:
        • Building the new environment.
        • Determining the TMR deployment strategy.
        • Determining the TMR migration process for moving existing services, users and data to the new
          environment.
This is weighed against business considerations such as appetite for change, key dates and costs, and a
strategy is then formulated.
The migration approach will use Avanade Connected Methods for Technology Infrastructure (ACM for
TI) to assist in describing the migration approach, and will allow TMR to leverage Avanade’s best
practices and implementation experience. The ACM for TI refers to Plan, Analyse, Design, Build, Test
and Deploy as its stages. The final Deploy stage will be broken down into different TMR Migration
Milestones of deployment, each focussed on achieving a specific goal or objective.

6.6.1      Avanade Connected Methods for Technology Infrastructure
The ACM for TI is a methodology for planning, delivering, and maintaining Microsoft-centric solutions.
ACM for TI serves as a vehicle for continuous improvement, evolving based on best practices from
implementation experience and ongoing research and development.
There are six stages within the methodology: Plan, Analyse, Design, Build, Test, and Deploy. These
stages define the methodology processes at the highest level.

6.6.2      Phased Migration
TMR desires that a phased approach to the migration of the existing directory services is taken.
It is understood that both directories will remain in place for the duration of the entire migration effort
and that directory synchronisation must be established. It is an objective of this migration approach to
highlight where it is possible to reduce the coexistence period.
The costs associated with a slow phased migration tend to be higher for two reasons:
        • Time and Materials – the work is carried out over a longer period of time;
        • Operational Overhead – TMR must manage and support two different infrastructure systems
          simultaneously.
With Avanade’s existing knowledge of TMR’s business and technical environment this phased
migration period can be significantly reduced and the coexistence period kept short.

6.6.2.1 Phased Migration Approach
A Phased Migration is the desired approach for the migration of the existing environment to the new
Windows Server 2008 R2 Active Directory environment known as Corporate AD.

        • Note: Due to the large scale and complexity of the migration and the dependencies that exist
          between existing Business Critical systems and Novell services, TMR will be required to
          maintain an environment that contains both Active Directory and Novell eDirectory services
          until all the dependent services are migrated to the new environment.

A phased migration will allow Active Directory and Novell eDirectory to run in parallel, and will utilise
the existing Identity Management solution (Novell IDM) to manage the coexistence. This allows TMR
to perform targeted migration tasks (other than synchronising the two directory services), such as
replacing applications that are dependent on Novell eDirectory with Active Directory-compatible
applications, and implementing equivalent services within the Corporate AD. As noted in the “Align
with WoG initiatives. Transport and Main Roads Migration Principles”, the migration must aim to minimise
disruption to the production environment and reduce risk to critical systems for the duration of the migration.
A phased migration reduces the risk of data loss because you can migrate in managed slices and the
process can be reversed if necessary. However, maintaining two separate directory services can, over
time, add administrative cost to the migration. While this conflicts with the migration principle to
“reduce administrative overhead”, it has been decided that reducing risk and minimising disruption to
production systems through a controlled migration is of higher importance. The benefit is that
incremental gains will be identified and realised in the form of decommissioning Novell servers at a
particular site, or migrating key Novell services to Windows. It is important to ensure that these
incremental gains do not impact the overall enterprise migration, resulting in increased total cost of
ownership (TCO) for directory services across the board.
During the development of this phased migration the focus has been to reduce the coexistence period
wherever possible. Avanade has been able to leverage its existing knowledge of TMR to achieve this in
a number of places throughout the document.

6.6.3      Deployment Strategy
This section discusses the deployment strategy for the ‘TMR Migration Milestone - Deploy Corporate
AD to all Production Sites’ milestone. It covers the reasoning, benefits and logistics of selecting the
method of deployment and the preferred way of grouping users and computers to achieve a successful
migration.
A rolling deployment model will be used to complete deployment activities in a staggered manner, as
there are too many dependencies in the current environment to achieve an all-at-once or ‘big bang’
deployment strategy. The benefits of a rolling deployment are:
        • The project team can gauge the response from users and learn from user input.
        • A smaller project team is required to perform the migration activities.
        • The project teams will become more efficient as the migration progresses, as they are allocated a
          specific set of activities in the deployment such as ‘preparation’ and they will move from site to
          site doing only ‘preparation’ tasks. Other teams will follow the ‘preparation’ team in sequential
          order to perform only deploy, migrate, transition, or decommissioning activities (examples of
          these activities are explained later in the document).
        • Minimises the business impact on end users.
        • Reduces impact on operations and support teams.
To realise a rolling deployment, a method of appropriately grouping the users and computers must be
selected so that when one group of users and computers is moved, another group is not affected.
There are a number of ways to group users and computers; examples are by Sites and Services,
Application Dependencies, Functional Groups, Business Units, Divisions, or a hybrid model.
In this instance Avanade have been advised that physical TMR sites with Novell infrastructure function
autonomously, as services are provided locally. This provides an ideal basis for grouping the
deployment into a number of smaller deployments which can be run independently of each other. To
provide additional control and order during the deployments the hybrid method is utilised: a single
physical site is migrated by working through each Functional Group until all users and computers are
migrated and activities are completed.
6.7 Plan & Analyse stage
The Plan stage is used to set the basis for the more formal planning and analysis that will take place
during the Analyse stage. The primary activities accomplished during the Plan stage are the formation of
the core team and the designating of tasks that are considered preparation work. The important tasks are
discussed in this document, and relevant considerations and recommendations will be highlighted in
each section.
The Analyse stage is the process of creating a baseline understanding of the customer's existing
environment, including the technologies used, operational capabilities, training and communication
requirements, and other needs.
The first steps necessary are the identification, assessment, and preparation tasks to ensure that the
design and the migration process can occur swiftly with the objective to reduce the coexistence period.
These analysis activities are used as inputs for the design stage activities.

6.7.1      Discover and Gather Information on Existing Environment
This activity discovers and analyses the current state of the environment, including any changes that
have occurred through normal operational activities since the corporate.local domain was implemented
in production. It also involves gathering the relevant documentation that has been created in previous
pieces of work. The areas of interest for the detailed analysis are the Network Infrastructure, Windows
Infrastructure, Novell eDirectory, Novell IDM components, and the Operational processes and practices.
Additionally the analysis incorporates a review of the documentation that has been generated as part of
the “Design & Proof of Concept for AD & ILM”, such as the Corporate AD design documents:
        • Business Requirements Specifications.
        • Conceptual Active Directory design.
        • High Level Active Directory design.
        • Proof of Concept Design.
        • SharePoint AD design.

6.7.1.1 Network Infrastructure Analysis
The Infrastructure Analysis will involve performing a complete assessment of the Site Infrastructure,
Network Infrastructure (LAN, WAN, VPN), Network Services (DHCP, DNS), Server/desktop hardware
platform, operating systems and versions.

        • An assessment of the current state of the TMR network services (e.g. DHCP and DNS) has been
          taken; it has been noted that there is an internal project underway to replace this solution before
          Jan 2011.

        • Perform a detailed assessment of TMR Sites, such as assessing the site availability
          requirements, number of active users at the site, network utilisation, application dependencies,
          and backup and recovery facilities.


6.7.1.2 Windows Infrastructure Analysis
Analysis of the Windows Infrastructure Services will identify all Windows Active Directory domains
that are in production and the services that require migration to the Corporate AD.

        • A gap analysis of the current Corporate AD implementation against the enterprise AD design,
          including a health check and best practice analysis, will need to be completed to ensure that the
          environment is in a known and sound state.

        • An analysis of the Tactical AD will need to occur to identify the applications and dependencies
          that exist on that AD. A separate project stream will need to migrate applications implemented
          in Tactical AD as per TMR consolidation goals.

        • An analysis of Windows 2003 SHOCAD will need to occur to identify the applications and
          dependencies that exist on that AD. A separate project stream will need to migrate applications
          and servers implemented in SHOCAD as per TMR consolidation goals. It is understood that this
          AD is primarily used to manage Windows servers in the environment. As no user access or
          permissions are managed in SHOCAD, it is expected that the migration to Corporate AD
          will be less complex than for Tactical AD.


6.7.1.3 Novell Infrastructure Analysis
The Novell Infrastructure Analysis will look at clearly identifying the services and configurations of the
various Novell directories, Novell services and the infrastructure implemented to support them. It is
expected that the following services will be in scope of this analysis:
        • eDirectory Services.
        • File Services.
        • Application Dependencies.
        • Printing Services.
        • Certificate Services.
        • Asset Management Services.
        • Software Distribution Services.
Part of this analysis will also be to identify which of these services are utilised by the TMR sites and
whether service layering occurs, as this will directly impact the site migration approach and
decommissioning process discussed later in this document.

6.7.1.3.1 eDirectory Services
There are 3 distinct eDirectories within TMR’s Novell Architecture, each with a specific role to play:
the eBizTree, QdotTree, and MetaTree directories. The analysis of these Novell directories is intended
to reveal the relationships and dependencies between the eDirectories and other services. It will also
identify the various eDirectory partitions that are used for the various TMR sites for replication and
synchronising to Novell IDM.

        • An analysis of each identified eDirectory Tree will need to occur to discover and review the
          directory, including users (internal and external) and their attributes that are present in this
          directory, dependent business critical applications, the replication to sites and the synchronisation
          to Novell IDM.

        • All policies applied by Novell, and locally on workstations and servers, will need to be
          reviewed and understood. Active Directory will be replacing the management of users,
          computers and these policies in the environment by using group policies.

        • TMR will have the opportunity to enforce corporate policy to control the workstation
          configurations as part of the Standard Desktop Environment. Configurations that are currently
          applied via Novell policies will be replicated in Active Directory. If all aspects of a user profile
          need to be migrated (screensavers, desktop shortcuts, favourites, etc.) it is expected that the time
          required by the migration process will be lengthened.


6.7.1.4 Novell Identity Management (IDM) Analysis
Within TMR the IDM solution plays a very important role in managing identity, as the driver for all
identity synchronisation between the Novell eDirectory and other directory services. Many applications
are dependent on the synchronisation of objects between the different repositories of identity. This
analysis will focus on understanding these relationships and dependencies with IDM and the
configurations of the drivers responsible for the synchronisation.

        • The Novell IDM configuration will need to be reviewed to understand the user account attribute
          flow between the various directories, both Novell and Windows. Most importantly, the existing
          driver configuration that synchronises user accounts and attributes from Novell eDirectory to the
          corporate.local domain, which is to be implemented to support the TMR SharePoint initiative,
          will need to be analysed.

        • The IDM solution is a critical tool for this migration as it will be responsible for synchronising
          objects (i.e. user accounts) between the Novell eDirectory and the Corporate AD to provide a
          coexistence and simplified sign-on environment for TMR.

        • A feature comparison will be required to determine whether the Novell IDM solution will be able
          to run on a Windows operating system without a loss of the functionality required to sustain its
          current responsibilities. Avanade has completed some work on this as part of the “RACF Proof
          of Concept” project, and it was determined that for the purpose of the RACF Proof of Concept
          changing the operating system would not affect the goals of the project. As a result Avanade has
          an understanding of the current architecture and thus the process will be accelerated.


6.7.1.4.1 File & Print Services
The Novell File Services are utilised by TMR as the primary data storage service. There are
hundreds of Novell servers in the environment offering File Services to users. Each of the services has
its own unique folder structure and security model. To allow the migration of the file services from
Novell, an analysis of the Data Architecture and Security Model will need to be performed. This will
allow a detailed and structured migration design to be formulated.
The existing Novell iPrint (Novell's version of IP printing) service has localised print servers at almost
every site. Print services are typically co-hosted (service layered) on servers performing multiple roles,
including file services and directory services. The server configuration and the level of service layering
differ depending on the location.

        • It is understood that Main Roads (MR) completed an MR Site Audit Report in September 2008
          which included an audit of all active MR user sites and a list of all physical servers
          deployed at the sites and the services that reside on them. Daily reports are also available
          which detail the disk usage for the TMR server fleet; however, it has been noted that the security
          permissions (trustee) information is not presented in this report.

        • With Avanade’s current understanding of the data architecture and security model of the Novell
          File Services, it is recommended that a data and security cleanup activity be undertaken to simplify
          the execution of the migration.

        • Identify the dependencies that applications have on the Novell file system, such as MS Access
          Databases, and other applications that may store configuration or databases on a network
          drive.

        • TMR will need to perform an audit of all printers as part of this analysis process, detailing
          Name, Model, Make, Port, Drivers, etc., as this will be utilised as an input to the creation of a
          detailed migration design.


6.7.1.5 Operations Analysis
The Operations Analysis will be focussed on identifying the processes, standards, controls, and tools
required to operate and manage the Corporate AD according to defined service levels.
It will highlight procedures and tasks that need to be updated or created, based on the current and
required operations procedures and tasks for managing the SHOCAD Active Directory.
This analysis will feed into the future Operations Design activity, which will be based on the principles
of the Microsoft Operations Framework (MOF [14]). MOF "adopts and adapts" the Information Technology
Infrastructure Library (ITIL [15]), and combines these collaborative industry best practices with specific
guidelines for running Microsoft Active Directory.

        • The Operations Analysis will also be focussed on identifying Role Based Administrative
          Delegation for use within the Corporate AD.

        • TMR’s Windows 2003 Active Directory (SHOCAD) environment is currently managed by the
          Server Services team; however, all administrators have equal access as domain administrators
          despite their different roles and responsibilities. The analysis of current processes and practices
          will provide the groundwork required for designing an effective Detailed Operations Design
          for the Corporate AD.
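The role-based delegation the analysis calls for, shown as an added example that is not part of this design document or of Avanade's deliverables. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT) is available; the role group name and the target OU are placeholders, and corporate.local is the domain named in this document.

```powershell
# Added example (not part of the TMR design document): first report who holds
# blanket domain-wide privilege, then delegate one task (password reset) to a
# role group on an OU so that task no longer requires Domain Admins membership.
Import-Module ActiveDirectory

# 1. Audit: enumerate user accounts in the high-privilege groups. -Recursive
#    expands nested groups so accounts reached through nesting are not missed.
function Get-PrivilegedAccountReport {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    PrivilegedGroup   = $g
                    Account           = $_.SamAccountName
                    DistinguishedName = $_.distinguishedName
                }
            }
    }
}

# 2. Delegate: grant a role group the "Reset Password" control access right on
#    user objects beneath one OU (and nothing else) via the AD: PSDrive ACL.
function Grant-PasswordResetRole {
    param(
        [Parameter(Mandatory = $true)][string]$RoleGroup,  # placeholder, e.g. 'Role-ServiceDesk-PasswordReset'
        [Parameter(Mandatory = $true)][string]$TargetOU    # placeholder OU DN in corporate.local
    )
    # Well-known schema GUIDs: the Reset Password extended right and the user object class
    $resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
    $userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

    $group = Get-ADGroup -Identity $RoleGroup
    $sid   = New-Object System.Security.Principal.SecurityIdentifier $group.SID.Value
    $acl   = Get-Acl -Path "AD:\$TargetOU"

    # Allow the extended right on descendant user objects only; no generic rights are granted
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $resetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$TargetOU" -AclObject $acl
}

# Example run: review the privileged membership, then delegate the service desk role
Get-PrivilegedAccountReport | Sort-Object PrivilegedGroup, Account | Format-Table -AutoSize
Grant-PasswordResetRole -RoleGroup 'Role-ServiceDesk-PasswordReset' `
                        -TargetOU 'OU=Staff,DC=corporate,DC=local'
```

Re-running the report after the delegation is the check that accounts serving only the delegated role can be removed from the privileged groups.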


6.7.1.6 Analysis Summary
Due to Avanade’s previous engagements with TMR much of the required information is already known
or has been documented as part of the discovery work done prior to the conceptual and high level
design. Previous findings revealed in these documents will simply need to be validated to ensure
accuracy for the design stage ahead. All findings in this analysis stage are inputs for creating an
accurate Infrastructure Lab and Detailed Design for the deployment and migration to Corporate AD.


6.8 Reiterative Design, Build, Test stage
The Design stage begins with the establishment of the infrastructure lab. This is where all of the core
infrastructure and operational components are initially brought together.
The Design stage leverages an iterative design, build, and test process that spans the Design,
Build, and Test stages. During this portion of the Design stage, the High Level Active Directory design
will be developed to a detailed level, along with the migration design, deployment plan and the build and
test plans that are created to test the design. The infrastructure lab is then leveraged in the Build and Test
stages to build a representation of the design so it can be tested against while being further developed
and refined.

[14] For further information refer to Microsoft Operations Framework 4.0
[15] For further information on ITIL refer to the Information Technology Infrastructure Library

From a migration perspective the primary focus of the Design stage is to identify the preferred approach
to achieving the specified TMR Migration Milestones.

6.8.1      Develop Active Directory Detailed Design
Before implementing Active Directory, a detailed design task must be undertaken to design the new
enterprise Corporate Active Directory environment.
The detailed design document will build upon the High Level design to provide detailed information
relating to the forest and domain structures and configurations, technical infrastructure topology
(Network, Sites, Servers, Workstations), dependencies relating to software and infrastructure
components, detailed hardware specifications, including disk layouts, memory configurations, and
network components, implementation of infrastructure to support availability, reliability, and monitoring
requirements, security configuration and settings (templates, registry, etc.).
This section provides an overview of the related activities and high level tasks required to produce the
detailed design.

6.8.1.1 Review and Refine Requirements
The objectives of this task are to review and validate the TMR Business Requirements Specification
document that was updated during the previous Analyse stage and to further define detailed technical
and process related requirements specific to infrastructure. Also, during this task, it will be necessary to
lock these requirements. This allows the project team to have a static reference point from which the
detailed design can be developed so that Project Management can instil the necessary change control
procedures as part of delivery.

6.8.1.2 Review existing design documentation
This document, the High Level Active Directory Design Document for TMR, provides a high level
overview of the various technical infrastructure components and how they interact with one another.
This should be thoroughly reviewed, with a focus on the infrastructure and Active Directory
architecture, as the Detailed Active Directory Design Document will build upon and expand on this
document.
Additionally, EI&S have developed and implemented a detailed design for AD (SharePoint AD) to support
a point SharePoint solution, and this also needs to be included as an accelerator and an input to the
creation of the detailed design document. The “Active Directory for SharePoint Server Detailed Design
Document” was based on the TMR “Business Requirements Specifications” (BRS) document and the
TMR “Conceptual Active Directory Design” document, which supports information provided by TMR
captured as business and technical requirements, industry best practices, and Avanade’s comprehensive
experience developing similar environments.

6.8.1.3 Create Detailed Active Directory Design
Before the design activities begin, it is important that the dependent tasks of reviewing the requirements
and design documents are completed, as the Detailed Active Directory Design will expand upon the
comprehensive technical design aspects of the architecture, as well as the design decisions outlined in
the TMR High Level Active Directory Design.

        • It is important to note that the Design, Build, Test stages are part of an iterative design process.
          During design iterations, the infrastructure will extend upon what was initially built in the
          infrastructure lab during the Build and Test stages in the previous iterations.


6.8.1.4 Create Infrastructure Build Guide
The Infrastructure Build Guide documents the process for building the infrastructure. The Infrastructure
Build Guide should provide detailed guidance on how to build and configure each component that
makes up the infrastructure supporting the architecture.

6.8.2      Develop Detailed Migration Design
The development of the detailed migration design document will build upon the migration approaches
which have been highlighted in this document. It will provide more detail around the pre-migration tasks
for preparing the environment for migration, the migration procedures which discuss the execution of
steps for migrating users, groups, workstations, servers and more. It will also cover the post-migration
tasks that are required to conclude the migration with data restoration, disaster recovery, rollback
measures and decommissioning procedures.

6.8.3      Develop Corporate AD Deployment Plan
Deployment planning requires much effort, must start early on and follow the iterative process in
tandem with the design, build, and test process. The main objective of the Deployment Planning activity
is to minimise the business impact due to the change by working out optimum schedules and durations,
mitigating risks, keeping the costs low, and maximising the user experience in terms of user
transparency, user readiness, and maintaining user excitement to adopt the change. It will also provide
some insight to the logistics for the utilisation or replacement of existing server hardware in the
deployment process.
The Deployment Planning activity addresses the deployment planning tasks necessary to ensure that all
aspects of the solution are ready for the pilot and production deployments. This process is also used to
provide an assessment and readiness review to validate and confirm the designs, core requirements,
implementation processes, support and operations facilities, end user readiness, training, and
communications.

6.8.3.1 Identify Pilot Group
The objective of the Test Pilot Infrastructure activity is to validate and refine each feature of the overall
Detailed Infrastructure Design solution in the customer's production environment by deploying the
required solution to a representative group of end users. The objective of this process is to identify a
suitable group of users that represents a TMR production site.

        • Avanade recommends that the Pilot group should consist of users that exist in an autonomous
          site (Pilot Site).

        • It has been determined that a typical remote TMR site functions autonomously and does not
          require Novell services from the central data centre.

        • It is vitally important to ensure that migration and support processes are tested for a variety of
          probable scenarios. To streamline the pilot migration, the selection of an autonomous pilot site
          with minimal application dependencies would be ideal, as Novell services and the significant
          application remediation process are to be managed separately.

6.8.4      Establish Infrastructure Lab
The Infrastructure Lab plays a key part in the iterative design, build, and test process; it provides the
ability to rapidly confirm functional capability as expressed in the TMR Business Requirements
Specification document.

6.8.4.1 Determine Infrastructure Lab Requirements
By reviewing the existing high level design documentation and the migration approach documentation, a
list of requirements will need to be established to list the various systems that need to be built in the
Infrastructure Lab. The outcome from this process will be an Infrastructure Lab Requirements document
which will inform the Infrastructure Lab design.

        • TMR will need to decide on factors such as:

               - A centralised lab or several labs distributed across the organisation's various sites.

               - A dedicated project lab or one shared across multiple projects.

               - The need to purchase new equipment or reuse existing hardware.

               - Multiple server hardware or leveraging the use of virtual server software.

               - Using an ad hoc or temporary lab versus a permanent lab.

        • Avanade recommends that TMR invest in a centralised, dedicated infrastructure lab that is run
          on a virtualised environment. The site topology can be emulated through the use of network
          devices or through network throttling software. Virtualisation will save on effort and hardware
          costs to commission the Infrastructure Lab, and at the conclusion of the project the
          Infrastructure Lab can be adopted as a TMR development or pre-production environment as an
          accurate representation of end-state production. At this stage the scope of the Infrastructure
          Lab can be extended to be shared across other project ventures as a development or testing
          platform.


6.8.4.2 Design Infrastructure Lab
The design of the Infrastructure Lab will be a collaborative exercise involving a representative from
each design stream. The team will design the Infrastructure Lab to resemble the proposed production
environment as much as possible. This can include hardware, network topology, infrastructure
architecture, application servers, storage, etc.
Refer to the High Level and Detailed Active Directory Design documents when designing the lab. It is
likely that more details will be identified and changes will be made to the infrastructure lab during the
detailed design, build, and testing later in the Design stage and during the Build and Test stages.

        • The TMR Infrastructure Lab should represent the network site topology, legacy systems and
          their configurations, such as a representation of the Novell Infrastructure Services and the
          Novell IDM solution. The TMR migration will require both the legacy technology and
          configuration in addition to the proposed end state to enable proper testing of migration
          processes. The legacy systems implementation and configuration will need to be managed by
          SMEs from within TMR to ensure it is a correct representation of production.

6.8.4.3 Deploy and Configure Infrastructure Lab
Building the Infrastructure Lab is about building the physical components of the lab, ensuring network
connectivity, and preparing any systems with the base operating system. It's normal for additional
configuration of servers, workstations, and other devices to occur later in the Design stage and during
the Build and Test stages as part of the iterative design, build, and test activities, as the Detailed Designs
are developed.

6.8.4.4 Testing and Validation of Infrastructure Lab
The testing and validation of the Infrastructure Lab will enable Avanade to validate and test the Detailed
Design solution from a system perspective. It allows the tests to be executed in a controlled
environment, and monitored for any unexpected results. It will also provide an opportunity to confirm
the solution against the traceability matrix (within the BRS) and should follow the lifecycle of the
project.

6.8.5      TMR Migration Milestone – Design Completion and Sign off
The completion and sign-off of the Active Directory Detailed Design and Detailed Migration Design
documents is an important milestone in this process. It signifies the end of the iterative design, build
and test process and the start of the Deploy stage.




6.9 Deploy stage
The Deploy stage begins with the deployment of the Corporate AD to the Spring Hill Office Complex
data centre where the existing Active Directory infrastructure will be added to and restructured to align
with the design documentation. This will prepare the Corporate AD for applications owners to begin
consuming this service.

This will be followed by the deployment of the system to a physical site, known as the pilot site, which
is representative of a typical TMR site. The pilot environment may be a scaled down implementation on
the production infrastructure, a staging environment, or other environments as defined by the customer.
Whatever the case, it should be logically identical to the production environment in order to provide the
best situation for acceptance testing. The pilot deployment is rigorously tested using previously created
test plans. The pilot site deployment concludes with a formal acceptance test with significant customer
involvement and the transition to the infrastructure run team.
The final deployment incorporates the lessons learned from the Pilot Site deployment and migration
into the rolling deployment and migration of Corporate AD to all production sites. Part of this migration
is to evaluate whether the site Novell servers can be decommissioned.

6.9.1       TMR Migration Milestone – Deploy Corporate AD to Data Centre
This TMR Migration Milestone is significant as its conclusion will declare that the Corporate AD is
ready for application owners to begin consuming it as a service (Application Readiness State). It will
also demonstrate coexistence with the Novell Services: at this TMR migration milestone no services
are being migrated to Corporate AD; instead an additional service is being offered. At this stage in
the migration the workstations are not yet members of the domain and Novell is still the primary source
of identity.
[Figure 6-1: on the left, the SharePoint AD at SHOC (Applications, Novell Server, Novell IDM Server and
corporate.local Domain Controllers); an arrow labelled TRANSFORMATION leads to the Corporate AD at SHOC
on the right, with the same components now serving as the enterprise directory.]

                                                      Figure 6-1- Deploy Corporate AD to Data Centre

The environment will include Active Directory implemented into production as per the SharePoint AD
point solution that was completed mid-November 2009. This solution will use the “Active Directory for
SharePoint Server Detailed Design Document” as a starting point; it is a single site implementation of
what will be the enterprise Corporate AD solution. Additionally the Novell IDM solution is to be
integrated with the current SharePoint AD solution to allow the automated creation and management of
user accounts in the Active Directory.
The Novell Services remain unchanged in the current environment and still offer core services like
authentication, file services, asset management, software distribution, patching, etc.
The information within this section will highlight relevant best practices, considerations and
recommendations to this deployment.




6.9.1.1 Dependencies
Most of the individual migration approaches depend on the availability of new infrastructure, but there
are also some dependencies in between migration activities. These dependencies have been identified to
aid in the deployment planning and sequencing:
        TMR Migration Milestone – Design Completion and Sign off.
        Establishment of Infrastructure Lab.
        Implementation of SharePoint AD.
        Novell IDM connection and synchronisation of all user accounts and passwords to SharePoint
         AD.

6.9.1.2 High Level Steps
The following information is a summary of the high level steps detailed in the approach section:
        Preparation
             o Review the gap analysis between SharePoint AD and Corporate AD as designed.
             o Evaluate IDM configuration for SharePoint AD.
             o Run Microsoft Active Directory Best Practice Analyser against SharePoint AD.
        Deploy
             o    Transform SharePoint AD to Corporate AD:
                       Reconfiguration of the Forest/Domain/Domain Controllers as per detailed design
                        and gap analysis.
                        Commission additional DCs in the data centre.
                       Ensure that TMR user accounts are in the appropriate OU structure.
        Migrate
              o There are no migration steps for users, workstations or servers required in this stage of
                the migration.
        Transition to run
             o Transition from Project team to Infrastructure Run Team to support the production
               environment.
        Decommissioning
             o Core infrastructure services are still provided by Novell therefore TMR are not in a
               position to decommission any Novell Servers.
        Exit
             o    Milestone Achievement - Corporate AD is in an Application Readiness State.

6.9.1.3 Approach
The high level approach for the deployment of Corporate AD to the SHOC Data Centre is to evaluate
the current AD environment then to transform the SharePoint AD that was implemented for TMR
SharePoint into the enterprise Corporate AD.
The gap analysis that is to be completed in the analysis stage will determine the differences between the
current SharePoint AD and the enterprise Corporate AD. This analysis will also include the evaluation




of the Novell IDM driver configuration, to determine that it will be suitable after the OU structure is
modified according to the detailed design.

           Run the Microsoft Active Directory Best Practice Analyser on Active Directory to ensure that
            it's still configured according to best practice before and after the transformation activity [16].

The transformation of SharePoint AD to Corporate AD will involve the commissioning of additional
DCs within the central SHOC site with the objective of scaling out the infrastructure to conform to the
enterprise Corporate AD detailed design. Additionally some configuration changes will need to be
made to align to the Corporate AD Detailed Design, for example but not limited to:
          Restructuring the OUs.
          Implementing the appropriate group policies.
          The addition of Global Catalog (GC) roles.
          Removal of the Global Catalog (GC) role from the Infrastructure Master FSMO server.
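The following is an added example, not part of this document: it lists the FSMO role holders and Global Catalog status of every DC in corporate.local and flags the condition the last item above addresses, an Infrastructure Master that is a GC while other DCs are not. The check matters only in a multi-domain forest where not every DC is a GC; in a single-domain forest, or where every DC holds the GC, the Infrastructure Master has no cross-domain references to maintain and the role holder can stay a GC, so this check should confirm whether the removal step is actually needed in the final design. It requires the ActiveDirectory module; the DC name in the comment is an assumption.

```powershell
# Added example (not from the TMR design document): FSMO / GC placement check.
Import-Module ActiveDirectory

function Test-InfrastructureMasterGc {
    param([string]$Domain = 'corporate.local')

    $d   = Get-ADDomain -Identity $Domain
    $dcs = Get-ADDomainController -Filter * -Server $Domain

    $report = foreach ($dc in $dcs) {
        New-Object PSObject -Property @{
            Name        = $dc.HostName
            Site        = $dc.Site
            IsGC        = $dc.IsGlobalCatalog
            InfraMaster = ($dc.HostName -eq $d.InfrastructureMaster)
            PdcEmulator = ($dc.HostName -eq $d.PDCEmulator)
            RidMaster   = ($dc.HostName -eq $d.RIDMaster)
        }
    }
    $report | Format-Table Name, Site, IsGC, InfraMaster, PdcEmulator, RidMaster -AutoSize | Out-Host

    $im    = $report | Where-Object { $_.InfraMaster }
    $nonGc = @($report | Where-Object { -not $_.IsGC })
    if ($im -and $im.IsGC -and $nonGc.Count -gt 0) {
        Write-Warning "Infrastructure Master $($im.Name) is a GC while $($nonGc.Count) DC(s) are not; cross-domain references will not be updated. Move the role or remove the GC from it."
        return $false
    }
    return $true
}

# To remove the GC from the Infrastructure Master, clear bit 1 (NTDSDSA_OPT_IS_GC) of the
# 'options' attribute on its NTDS Settings object, then re-run the check above.
# Assumed DC name; the same change can be made in AD Sites and Services.
#   $ntds = (Get-ADDomainController -Identity 'SHOC-DC01').NTDSSettingsObjectDN
#   $opt  = (Get-ADObject -Identity $ntds -Properties options).options
#   Set-ADObject -Identity $ntds -Replace @{ options = ($opt -band (-bnot 1)) }

Test-InfrastructureMasterGc
```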
Once the SHOC site infrastructure is representative of the Corporate AD detailed design and the Novell
IDM solution is determined to be successfully synchronising user accounts from Novell to Corporate
AD the service can be advertised as being in an “Application Readiness State”.
When the Corporate AD reaches “Application Readiness State” other applications hosted in the Tactical
AD may be migrated to the Corporate AD. These applications should be carefully assessed and a
migration plan for each should be developed before the migration of these applications begins.

           Recommendation: It's recommended by Avanade that once the Corporate AD is in 'Application
            Readiness State' a change freeze should be mandated to prevent further applications from being
            implemented into Tactical AD. Additionally actions should be taken to evaluate and eventually
            migrate the applications to the Corporate AD. These actions are out of scope for this document.

TMR will benefit from the decommissioning of the SHOCAD. The consolidation of the Windows
SHOCAD domain into Corporate AD can be started any time after the transformation process has been
completed. It is understood that the purpose of the SHOCAD is to manage Windows Servers in the
environment. With the Corporate AD implemented and the OU structure and group policies created, the
SHOCAD Windows servers without dependencies on the SHOCAD can be migrated to the Corporate
AD and the SHOCAD decommissioned.

6.9.1.4 Considerations
The following have been identified as considerations based on Avanade's current knowledge of the
TMR environment and the Corporate AD design:
           As the OU structure for Corporate AD will be changed as part of the transformation and the
            Novell IDM solution is creating user accounts in a staging OU in Active Directory, it's expected
            that the TMR user accounts will need to be relocated to their respective OUs. This will
            take time as there are thousands of accounts to manipulate; it may also require some
            reconfiguration of IDM to ensure that moving an account will not affect the synchronisation
            process.
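The following is an added example, not part of this document: it moves the IDM-created accounts out of the staging OU into the designed OU structure in a repeatable, logged way, which is what makes "thousands of accounts" tractable. The staging OU name, the target OUs and the use of the department attribute as the placement key are assumptions for illustration; the real placement rule comes from the Detailed Design. Objects are addressed by objectGUID, which does not change on a move, and the old and new DNs are logged so that the IDM driver's association with each account can be verified after the move rather than assumed.

```powershell
# Added example (not from the TMR design document): relocate staged user accounts.
Import-Module ActiveDirectory

function Move-StagedUsers {
    param(
        [string]   $StagingOu = 'OU=IDM Staging,DC=corporate,DC=local',   # assumed
        [hashtable]$OuByDepartment,
        [string]   $LogPath   = 'C:\ProjectEvidence\user-moves.csv',     # assumed
        [switch]   $WhatIf
    )
    $users = Get-ADUser -Filter * -SearchBase $StagingOu -SearchScope OneLevel -Properties department
    $log = foreach ($u in $users) {
        $dept   = [string]$u.department
        $target = if ($dept) { $OuByDepartment[$dept] }
        if (-not $target) {
            Write-Warning "$($u.SamAccountName): no OU mapped for department '$dept', left in staging"
            continue
        }
        # Move by GUID so the operation is unaffected by the DN change; record both DNs
        # so the IDM association for the account can be checked afterwards.
        Move-ADObject -Identity $u.ObjectGUID -TargetPath $target -WhatIf:$WhatIf
        New-Object PSObject -Property @{
            SamAccountName = $u.SamAccountName
            ObjectGUID     = $u.ObjectGUID
            OldDN          = $u.DistinguishedName
            NewDN          = "CN=$($u.Name),$target"   # expected DN after the move
        }
    }
    if (-not $WhatIf -and $log) { $log | Export-Csv -NoTypeInformation -Path $LogPath }
    return $log
}

# Constructed mapping for illustration; the real table comes from the detailed design.
$map = @{
    'Finance'     = 'OU=Users,OU=Finance,OU=TMR,DC=corporate,DC=local'
    'Engineering' = 'OU=Users,OU=Engineering,OU=TMR,DC=corporate,DC=local'
}

# Dry run first; drop -WhatIf once the warnings (unmapped departments) are resolved.
Move-StagedUsers -OuByDepartment $map -WhatIf
```

Run the dry run against the lab copy of the staging OU first, and pause IDM synchronisation for the batch being moved so the driver does not race the move; accounts with no mapped department stay in staging and are reported, so nothing is placed by guesswork.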




[16] For further information refer to - Best Practices Analyser for Active Directory Domain Services




        Note: TMR's current version of Novell IDM is v3.5.1 and is to be upgraded to v3.7.x; this
         version will run on a Windows Server 2008 operating system and allow the synchronisation of
         users and passwords to the Corporate AD hierarchical OU structure.

        Avanade recommends the AD migration should capitalise on TMR‟s investment with IDM
         rather than investing in another identity management / synchronisation tool at this stage in the
         migration.

        Applications and servers located in Tactical AD and SHOCAD should be migrated to Corporate
         AD as a separate project stream:
              o    The migration of the Tactical Active Directory applications should be treated as part of
                   the larger application remediation work. Each application will need to be identified,
                   assessed, ranked and a migration plan will need to be established for each application. It
                   may be possible to utilise the Infrastructure Lab to establish and test the migration plans
                   for these applications.
              o    The migration of servers from the SHOCAD domain to Corporate AD will include
                   Lotus Notes (Domino) servers, application servers and then others.
        Adding servers to the data centre will incur operational implications as they will need to be
         transitioned to, and supported and managed by the existing TMR server support teams. As the
         Corporate AD is scaled out the load on the operations teams will increase. The Avanade project
         team and the TMR server support teams responsible will be involved in the infrastructure
         transition task.




6.9.2      TMR Migration Milestone – Deploy Corporate AD to Pilot Site
The next significant TMR Migration Milestone is the deployment of Corporate AD infrastructure to a
Pilot Site. This is when the first users and computers will be migrated to Corporate AD; they will be
logging into the domain as their primary directory service and receiving group policies. The selection of
this Pilot Site should have already been completed as a task within the Plan stage and it should be a
signed off and acceptable representation of a typical TMR autonomous site as per the requirements
detailed in Section 6.8.4.1.
The objective of deploying to a pilot site is to run through the design, migration and test plans
formulated in the Infrastructure Lab in a real production environment. It also provides an opportunity for
users to give feedback about how features work through User Acceptance Testing (UAT). This feedback
can be used to resolve issues or to create a contingency plan. The feedback can also help determine the
level of support needed after full deployment.
Ultimately, the pilot assists with the decision to proceed with a full deployment or to slow the
deployment in order to resolve problems that could jeopardise the migration.
The Pilot Site deployment will be considered completed when all users, workstations, and non-Novell
servers at the pilot site have been migrated to the Corporate AD and applications specific to that site
have been remediated to work with Active Directory. Once the site specific Novell Services, such as
File and Print, Asset Management, Software Distribution, Patch Distribution, etc, are migrated to an
equivalent technology, the decommissioning of the local Novell servers can begin.
Compared to the previous milestone this deployment and migration will have a greater impact on the
TMR operations teams, as this is the first instance where both users and workstations are migrated and
active in the Corporate AD.

6.9.2.1 Dependencies
Most of the individual migration approaches depend on the availability of new infrastructure, but there
are also some dependencies in between migration activities. Any dependency mentioned in a previous
deployment phase will also be a dependency of this phase. These dependencies have been identified to
aid in the deployment planning and sequencing:
        TMR Migration Milestone – Design Completion and Sign off.
        Implementation of SharePoint AD into production.
        Novell IDM connection and synchronisation of all user accounts to SharePoint AD.
        TMR Migration Milestone – Deploy Corporate AD to Data Centre.
        Migration of site specific Novell services:
             o        File services
             o        Print services
             o        Novell ZenWorks
                         Software Distribution
                         Asset Management
                         Patch Distribution
        Remediation of site specific Novell dependent applications.




        Remediation of Novell login scripts.
        Configuration of Corporate AD Group Policies to enforce corporate policy.
        Preparation of service desk facilities and infrastructure to support the pilot.
        Training of support staff and pilot user group.

6.9.2.2 High Level Steps
The following information is a summary of the high level steps which are provided in more detail in the
Approach section:
        Preparation
             o Confirm all pilot users accounts exist in Corporate AD domain.
             o Evaluation and remediation of Novell dependent applications
        Deploy
             o        Pre-stage and deploy Windows Server 2008 R2 to the pilot site.
              o        Promote member server to domain controller.
              o        Configure the Active Directory Site.
             o        Test Active Directory site and services are functional.
        Migrate
             o        Migrate user and workstations to Corporate AD:
                        Creating the Computer Account
                        Joining the Computer to corporate.local domain.
                        Removal of the Novell Login Client.
                        Testing migration of site user and workstation base.
        Transition to run
             o Conduct UAT for all migrated users and document the results.
             o Transition Active Directory from Project team to Infrastructure Run Team to support the
                production environment.
        Decommissioning
             o Evaluation and decommissioning of site specific Novell servers
        Exit
             o Prepare for migration to all production sites by incorporating lessons learned from the
                 Pilot migration.
             o        Milestone Achievement - Corporate AD has been deployed to its first physical site and
                      users and workstations are logging on as members of the corporate.local domain.




6.9.2.3 Approach
The deployment of the Windows infrastructure to the pilot site is the first step in the approach. When the
Pilot Site domain controller is commissioned the domain controller configuration and AD site
configuration will need to be validated to ensure that the system is functioning as expected.

           Recommendation: Use Install from Media (IFM) to pre-populate AD DS with system state data
            that was backed up from an existing domain controller. This data can reside on a CD, DVD, or
            local hard disk partition. Using IFM greatly reduces the time that is required to install directory
            information by reducing the amount of data that is replicated over the network [17].

           Recommendation: Microsoft provides deployment checklists that can be used to validate the
            creation of an additional domain controller in an Active Directory domain; these will be
            included in the test plan documentation [18].
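The following is an added example, not part of this document or of the Microsoft checklists it cites: it carries the "promote, configure site, test" steps for the pilot DC through as one procedure on Windows Server 2008 R2, using an IFM media set, an unattended dcpromo answer file, and a validation function that checks site placement, the core dcdiag tests and inbound replication. Server names, the site name, paths and the promotion account are assumptions; the AD site and its subnets are assumed to exist already. The IFM set is a copy of the directory database, so it must be handled and destroyed like a DC backup, and the answer file briefly holds the DSRM password, so it is removed as soon as dcpromo has consumed it.

```powershell
# Added example (not from the TMR design document): IFM promotion and validation.

# --- Step 1, on a healthy DC in SHOC: create the IFM media set (run in an elevated prompt).
#     ntdsutil "activate instance ntds" ifm "create sysvol full C:\IFM" quit quit
#     Transfer C:\IFM to the new server's D:\IFM over an authenticated channel; it contains the
#     directory database and SYSVOL and must be wiped once the promotion has completed.

# --- Step 2, on the pre-staged member server at the pilot site.
$dsrm = Read-Host -Prompt 'DSRM (Safe Mode) administrator password'   # stored only in the answer file
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=corporate.local
SiteName=PilotSite
ReplicationSourcePath=D:\IFM
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
UserDomain=corporate.local
UserName=svc-dcpromo
Password=*
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@
$answerPath = Join-Path $env:TEMP 'dcpromo-pilot.txt'
Set-Content -Path $answerPath -Value $answer -Encoding ASCII
# Password=* makes dcpromo prompt for the promotion account rather than store it on disk.
& "$env:SystemRoot\System32\dcpromo.exe" /unattend:$answerPath
Remove-Item $answerPath -Force       # dcpromo blanks the passwords itself; remove the file anyway
Restart-Computer

# --- Step 3, from an admin host once the new DC is back up: validate before any workstation
#     is joined. Returns $true only if every check passes.
function Test-NewDomainController {
    param([string]$Dc = 'PILOT-DC01', [string]$ExpectedSite = 'PilotSite')
    $ok = $true

    # Site membership as seen by the DC locator (first output line is the site name).
    $site = (nltest /server:$Dc /dsgetsite 2>&1 | Select-Object -First 1).Trim()
    if ($site -ne $ExpectedSite) {
        Write-Warning "$Dc reports site '$site', expected '$ExpectedSite'"; $ok = $false
    }

    # Advertising (DS/GC/KDC), inbound replication, services, SYSVOL and NETLOGON shares.
    $diag   = dcdiag /s:$Dc /test:Advertising /test:Replications /test:Services /test:SysVolCheck /test:NetLogons 2>&1
    $failed = $diag | Where-Object { $_ -match 'failed test' }
    if ($failed) { $failed | ForEach-Object { Write-Warning $_ }; $ok = $false }

    # Every inbound replication link must have zero failures.
    repadmin /showrepl $Dc /csv | ConvertFrom-Csv |
        Where-Object { $_.'Number of Failures' -ne '0' } |
        ForEach-Object {
            Write-Warning "Replication from $($_.'Source DSA') failing for $($_.'Naming Context')"
            $ok = $false
        }
    return $ok
}

Test-NewDomainController
```

Step 3 is the part to carry into the test plan: its output is the pass/fail record for the "Test Active Directory site and services are functional" step, and it should be re-run after the site link and subnet configuration is changed, since a DC that is in the wrong site will still pass dcdiag while sending the site's clients to SHOC.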

An evaluation of Pilot site applications will need to occur and some remediation will need to occur to
migrate these applications to Corporate AD.

          Recommendation: The application remediation work is significant and will require a lot of
           effort; this work will need to be started as early as possible as it has potential to slow the
           migration process.

The IDM synchronisation for Corporate AD should have created all TMR user accounts in the domain
and they should be placed in the appropriate OU structure. Therefore only workstations will need to be
migrated to the domain, and this can be done programmatically, as there are a myriad of tools that can
perform this task automatically.
This is the first time in the migration when workstations exist in the Corporate AD and group policies
will be applied to these workstations to enforce the corporate policies. This is when validation of the
translation of Novell policies and login scripts to Corporate AD group policy can occur.
Creating the computer account is a matter of an administrator adding the computer to the corporate.local
domain. The manual process of joining a computer to the domain will automatically create the account
in the default computer resource container in Corporate AD.

          Recommendation: To reduce effort, create the computer accounts programmatically, this will
           also allow the administrator to specify where in AD the computer account is created.
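The following is an added example, not part of this document: it pre-stages the pilot workstation accounts in the designed OU from an inventory, then performs the join on the workstation into that account. The OU paths, hostnames and join account are assumptions, and the inventory is constructed. Pre-creating the object is what puts the machine under the site OU so the workstation GPOs apply from the first logon, but it does not join the machine; the join is a separate step on the workstation, and it will only succeed into a pre-created account if the joining account created that object or has been delegated rights on it.

```powershell
# Added example (not from the TMR design document): pre-stage and join workstations.
Import-Module ActiveDirectory

# Constructed inventory for illustration; in practice export it from the asset data.
$inventory = @'
Name,OUPath
WS-PILOT-001,"OU=Workstations,OU=PilotSite,OU=TMR,DC=corporate,DC=local"
WS-PILOT-002,"OU=Workstations,OU=PilotSite,OU=TMR,DC=corporate,DC=local"
'@ | ConvertFrom-Csv

function New-PrestagedWorkstation {
    param([string]$Name, [string]$OUPath)
    if (Get-ADComputer -Filter "Name -eq '$Name'" -SearchBase $OUPath) {
        Write-Verbose "$Name already pre-staged in $OUPath"
        return
    }
    # The object lands under the design OU instead of CN=Computers, so site and
    # workstation GPOs apply at first logon. The machine itself is still not joined.
    New-ADComputer -Name $Name -SAMAccountName "$Name`$" -Path $OUPath -Enabled $true -PassThru
}

# Run on the admin host as the account that will later perform the join (or delegate
# 'Reset password', 'Write account restrictions' and the validated writes to DNS host
# name and SPN on the OU to that account); otherwise the join is refused.
$staged = foreach ($ws in $inventory) { New-PrestagedWorkstation -Name $ws.Name -OUPath $ws.OUPath }
$staged | Select-Object Name, DistinguishedName

# Run on each workstation (via the existing software distribution or by the migration
# technician). OUPath must match the pre-staged location or the join fails.
$cred   = Get-Credential -Credential 'CORPORATE\svc-domainjoin'   # assumed join account
$ouPath = 'OU=Workstations,OU=PilotSite,OU=TMR,DC=corporate,DC=local'
Add-Computer -DomainName 'corporate.local' -OUPath $ouPath -Credential $cred
Restart-Computer    # Add-Computer -Restart is not available on PowerShell 2.0
```

Use a dedicated join account with only the delegated rights above rather than a Domain Admin credential, since the credential is handled on every workstation being migrated; the Novell client removal that follows the join is a separate step that this example does not cover.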

Group policies will start applying when the users and computers are joined to the Corporate AD
domain. The first time the users login to the domain a number of group policies will be applied to the
machine. These policies will perform the same tasks as the Novell policies and will ensure that the
existing Standard Desktop Environment (SDE) is retained.
The login script remediation portion of the migration ensures that login scripts are collected and
properly re-engineered for use in the Windows Server 2008 environment. These login scripts will be
remediated and combined into group policies. This will be possible due to the inclusion of the users in
various AD groups or OUs based on their previous Novell server contexts. The group policy
preferences will map drives to a user's computer based on the group that the user resides in. This is an
opportunity to validate the design and performance of Group Policies in a real Corporate AD
production environment.

[17] For further information refer to - Installing an Additional Domain Controller by Using IFM
[18] For further information refer to - AD DS Deployment Guide & Checklists

        Recommendation: Group Policy Preferences can be used to replace Novell login scripts.
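The following is an added example, not part of this document: it generates the Drives.xml that the Group Policy Preferences Drive Maps extension reads, with security-group item-level targeting, from a table of the kind that results from inventorying the Novell login scripts. The mapping table, group names and UNC paths are constructed; the element and attribute layout and the two CLSIDs are those written by the Drive Maps extension, and should be verified against a Drives.xml exported from a GPO authored in the GPMC before this output is trusted. Targeting is resolved by group SID, so the groups must exist before the file is generated.

```powershell
# Added example (not from the TMR design document): generate GPP Drives.xml from a mapping table.
Import-Module ActiveDirectory

# Constructed mapping table; in practice this is the output of the login script inventory.
$mappings = @(
    @{ Letter = 'H'; Path = '\\fs-pilot01\Users\%LogonUser%'; Label = 'Home';    Group = 'CORPORATE\PilotSite-Users'   }
    @{ Letter = 'G'; Path = '\\fs-pilot01\Finance';           Label = 'Finance'; Group = 'CORPORATE\PilotSite-Finance' }
)

function New-GppDrivesXml {
    param([object[]]$Mappings)
    $now = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
    $sb  = New-Object System.Text.StringBuilder
    [void]$sb.AppendLine('<?xml version="1.0" encoding="utf-8"?>')
    [void]$sb.AppendLine('<Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}">')
    foreach ($m in $Mappings) {
        $sam = $m.Group.Split('\')[1]
        $sid = (Get-ADGroup -Identity $sam).SID.Value     # targeting is evaluated by SID
        $uid = [guid]::NewGuid().ToString('B').ToUpper()
        $path = [System.Security.SecurityElement]::Escape($m.Path)
        # action="U" (Update, image 2): create the mapping if absent, correct it if it differs.
        [void]$sb.AppendLine(('  <Drive clsid="{{935D1B74-9CB8-4e3c-9914-7DD559B7A417}}" name="{0}:" status="{0}:" image="2" changed="{1}" uid="{2}">' -f $m.Letter, $now, $uid))
        [void]$sb.AppendLine(('    <Properties action="U" thisDrive="NOCHANGE" allDrives="NOCHANGE" userName="" path="{0}" label="{1}" persistent="1" useLetter="1" letter="{2}"/>' -f $path, $m.Label, $m.Letter))
        [void]$sb.AppendLine('    <Filters>')
        [void]$sb.AppendLine(('      <FilterGroup bool="AND" not="0" name="{0}" sid="{1}" userContext="1" primaryGroup="0" localGroup="0"/>' -f $m.Group, $sid))
        [void]$sb.AppendLine('    </Filters>')
        [void]$sb.AppendLine('  </Drive>')
    }
    [void]$sb.AppendLine('</Drives>')
    $sb.ToString()
}

$xml = New-GppDrivesXml -Mappings $mappings
$xml
# Place the output at (GPO GUID assumed):
#   \\corporate.local\SYSVOL\corporate.local\Policies\{GPO-GUID}\User\Preferences\Drives\Drives.xml
# then confirm it appears under User Configuration > Preferences > Windows Settings > Drive Maps.
```

Two points from the Novell side do not carry over one-for-one: MAP ROOT has no GPP equivalent (the share itself must expose the intended root), and a login script that mapped drives in sequence with conditional logic becomes several Drive items whose order and item-level targeting must be checked during UAT at the pilot site.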

At this point in the migration both users and computers exist in both Corporate AD and Novell, however
there are a number of services that are offered by Novell that are not yet offered by the Corporate AD.
Based on the identification of the pilot site Avanade has estimated the pilot will run for 20 days to allow
ample time for User Acceptance Testing (UAT).
To begin the decommissioning of the local Novell server any service that is offered by that server needs
to be moved to a central site or migrated to an equivalent technology within the organisation.

6.9.2.4 Considerations
The following have been identified as considerations based on Avanade's knowledge of the TMR
environment and the Corporate AD design:
        Local configuration of workstations is required to complete the migration process such as:
             o     Joining the workstations to corporate.local domain.
             o     Network configurations.
             o     Removal or reconfiguration of the Novell Client and other applications.
        Application remediation is a significant piece of work and it may be discovered that some
         applications cannot be easily remediated to work with Corporate AD.
        Applications can have dependencies on the Novell file system, such as a department's group
         drive. As the group share also contains other data, it may require that the applications and group
         data be moved at the same time.
        During the decommissioning process it's important to note that the identification of service
         layering on the Novell server will increase the complexity of the migration and
         decommissioning process at the pilot site. Each independent service that the local Novell server
         offers will need to be targeted.
        The Novell File and Print services will need to be moved to the central Novell servers, or
         migrated to an equivalent technology. This is discussed at a high level in the TMR Priorities and
         Next Steps later in the document.
        The Novell IDM synchronisation for Corporate AD should have created all TMR user accounts
         in the domain and they should be placed in the appropriate OU structure. This process will have
         been tested and validated in the pilot deployment. Therefore only workstations will need to be
         migrated to the domain, using the same validated methods as the Pilot deployment.
        Creating the computer account is a matter of an administrator adding the computer to the
         corporate.local domain. The manual process of joining a computer to the domain will
         automatically create the account in the default computer resource container in Corporate AD.

        Recommendation: To reduce effort, create the computer accounts programmatically, this will
         also allow the administrator to specify where in AD the computer account is created, however
         this would not join the computer to the domain.




          Group policy will start applying once the users and computers are added to the Corporate AD
           domain and login. These policies will perform the same configuration tasks as the Novell
           policies and will ensure that the existing Standard Desktop Environment (SDE) is enforced.
          The group policy preferences will determine which group the user resides in and will map the
           necessary drives to their machine. This is an opportunity to again validate the design and
           performance of Group Policies in a real Corporate AD production environment.

           Recommendation: Group Policy Preferences can be used to replace Novell login scripts [19].

          Users and computers for the site will exist in both Corporate AD and Novell eDirectory.
           Services that are offered by Novell are not yet offered by the Corporate AD. Therefore, to begin
           the decommissioning of the local Novell server any service that is offered by a Novell server
           needs to be moved to a central site or migrated to an equivalent technology within the
           enterprise.




[19] For further information refer to - Information about new Group Policy preferences in Windows Server 2008




6.9.3 TMR Migration Milestone – Deploy Corporate AD to all Production Sites
The deployment of Corporate AD to all Production Sites will involve the progressive rolling
deployment and migration of all production sites. This Deployment Strategy is discussed in Section
6.6.3 - Deployment Strategy in the beginning of the Migration Approach. The decommissioning of the
Novell servers allows TMR to realise incremental benefits by reducing the overall numbers of their
Novell Servers.
The TMR Migration Milestones are sequential and it's important that the previous deployments are
completed and the lessons learned are realised and incorporated into the design or deployment plan prior
to moving to the next deployment. This is especially important for the Deployment of Corporate AD to
Pilot Site, as it will assist with the decision to proceed with a full production site deployment or to slow
the deployment in order to resolve problems that could jeopardise the migration.
In this phase the deployment and migration approach is not that much different to the approach defined
in Pilot Site deployment, except it is highly dependent on the timely migration of specific Novell
services to an equivalent technology and will be considered complete when all remote Novell site
servers are decommissioned or are no longer utilised for core services. The process for deploying to all
production sites will differ from Pilot Site deployment, as it will have a stronger dependency on the
centralisation or the completed migration of services away from Novell.
During the production rollout, testing and support activities remain important while iterative cycles of
deployment, testing, validation, and support become the primary focus.

        Recommendations and considerations provided in the previous section will also apply to this
         deployment phase.


6.9.3.1 Dependencies
Most of the individual migration approaches depend on the availability of new infrastructure, but there
are also some dependencies in between migration activities. Any dependency mentioned in a previous
deployment phase will also be listed as a dependency of this phase. These dependencies have been
identified to aid in the deployment planning and sequencing:
        TMR Migration Milestone – Design Completion and Sign off.
        Establishment of Infrastructure Lab.
        Implementation of SharePoint AD into production.
        Novell IDM connection and synchronisation of all user accounts to SharePoint AD.
        TMR Migration Milestone – Deploy Corporate AD to Data Centre.
        TMR Migration Milestone – Deploy Corporate AD to Pilot Site.
        Remediation or centralisation of Novell dependent applications.
        Migration of site specific Novell services.
             o        File services.
             o        Print services.
             o        Novell ZenWorks.
                        Software Distribution.




                        Asset Management.
                        Patch Distribution.
        Implementation of Corporate AD Group Policies.
        Remediation of Novell login scripts.
        Preparation of service desk facilities and infrastructure to support pilot.
        Training of support staff and pilot user group.

6.9.3.2 High Level Steps
The following information is a summary of the high level steps some of which are provided in more
detail in the Approach section:
        Preparation
              o Confirm all user accounts for the target site exist in the Corporate AD domain.
             o Evaluation and remediation of Novell dependent applications.
        Deploy
             o        Determine if the target production site requires a domain controller, and if so:
                        Pre-stage and deploy Windows Server 2008 R2 to the production site.
                        Promote member server to domain controller.
                        Configure the Active Directory Site.
                        Test Active Directory site and services are functional.
        Migrate
             o        Migrate user and workstations to Corporate AD:
                        Creating the Computer Accounts
                        Reconfiguration of workstations and users.
                        Testing migration of site user and workstation base.
        Transition to run
             o Stabilising the deployment.
             o Transition Active Directory from Project team to Infrastructure Run Team to support the
               production environment.
        Decommissioning
             o Evaluation and decommissioning of site-specific Novell servers.
        Exit
             o Milestone Achievement – Corporate AD has been deployed to all production sites, and
               numerous Novell servers are in a position to be decommissioned.
             o Project Closure report to list final versions of all major project deliverables, sign-off by
               the team and management, and a summary of the next steps that need to be taken.

6.9.3.3 Approach
Lessons learned from the pilot deployment are very important to this stage of the migration, as they
allow the migration design and test plans to evolve. Any issues identified during the pilot deployment
should be clearly documented; this will help the development of contingency plans and will determine
the level of support needed post-deployment.
The approach to other sites is much the same as for the pilot site; however, TMR must identify whether
the target production site requires a local domain controller. This will be defined in the Active Directory
Detailed Design. Due to the number of users, the network bandwidth and other reasons specified in the
design, some sites may not require a local domain controller and Active Directory site to be provisioned.
Instead, the subnets of these server-less sites are assigned to the central SHOC site, so that their
workstations locate SHOC domain controllers, and the deployment and commissioning of a local domain
controller can be skipped.
Sites that do require a domain controller can be sequenced from small to large, based on the number of
workstations and users located at the site. This number is generally indicative of the time and effort
required to migrate the entire site. Sequencing in this way allows TMR to achieve "quick wins" by
migrating the smaller sites first and decommissioning their dedicated Novell servers.
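The subnet-to-site assignment that folds a server-less site into the SHOC site is the same data the DC locator uses to pick a nearby domain controller: a client subnet that no site object covers leaves the workstation authenticating to whichever domain controller answers first, often across the WAN. The PowerShell check below is an added example and is not part of the original design document; its site names, subnets and client addresses are constructed, and the comment shows how to substitute the live forest's subnet objects.

```powershell
# Added example (not from the original design document): resolve client
# addresses to AD sites the way the DC locator does (longest prefix match) and
# flag subnets the site design has not covered. Site names and addresses are
# constructed sample data.

function ConvertTo-UInt32 {
    param([Parameter(Mandatory)][string]$IPv4)
    $bytes = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    [Array]::Reverse($bytes)                       # BitConverter expects little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function Resolve-AdSite {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][hashtable[]]$Subnets   # @{ Prefix = 'a.b.c.d/n'; Site = 'Name' }
    )
    $addr = ConvertTo-UInt32 $IPAddress
    $best = $null
    foreach ($s in $Subnets) {
        $network, $length = $s.Prefix -split '/'
        $length = [int]$length
        $hostBits = [uint32]([math]::Pow(2, 32 - $length) - 1)
        $mask = [uint32]::MaxValue - $hostBits
        $inSubnet = (($addr -band $mask) -eq ((ConvertTo-UInt32 $network) -band $mask))
        if ($inSubnet -and ($null -eq $best -or $length -gt $best.PrefixLength)) {
            $best = @{ Site = $s.Site; PrefixLength = $length }   # most specific subnet wins
        }
    }
    if ($best) { return $best.Site }
    return 'UNMAPPED'
}

# Live forest: replace the constructed table with
#   [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites |
#     ForEach-Object { $site = $_; $_.Subnets | ForEach-Object { @{ Prefix = $_.Name; Site = $site.Name } } }
$Subnets = @(
    @{ Prefix = '10.10.0.0/16'; Site = 'SHOC' }    # data centre
    @{ Prefix = '10.20.5.0/24'; Site = 'SiteB' }   # regional site with its own DC
    @{ Prefix = '10.30.7.0/24'; Site = 'SHOC' }    # server-less depot, folded into SHOC per the design
)
$SitesWithDC = @('SHOC', 'SiteB')

foreach ($ip in '10.20.5.44', '10.30.7.12', '10.40.1.9') {
    $site = Resolve-AdSite -IPAddress $ip -Subnets $Subnets
    $status = switch ($site) {
        'UNMAPPED'                        { 'FAIL: no subnet object; client will use any DC' }
        { $SitesWithDC -notcontains $_ }  { 'FAIL: site object without a DC; assign subnet to SHOC' }
        default                           { 'ok' }
    }
    '{0,-12} -> {1,-9} {2}' -f $ip, $site, $status
}
```

Run the check against each site's address plan before its cut-over; the third constructed address falls outside every subnet object and is reported as unmapped, which is the condition to fix before workstations at that site join the domain.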

        Important Note: The rest of the approach is much the same as specified in the TMR Migration
         Milestone – Deploy Corporate AD to Pilot Site approach section, however for readability it
         will be reiterated below.

The Novell IDM synchronisation to Corporate AD should already have created all TMR user accounts in the
domain and placed them in the appropriate OU structure; this process will have been tested and validated
in the pilot deployment. Therefore only workstations need to be migrated to the domain, using the same
validation methods as the pilot deployment.
Creating the computer account is a matter of an administrator joining the computer to the corporate.local
domain. A manual join automatically creates the account in the default Computers container
(CN=Computers) of Corporate AD. That container is not an OU, so no Group Policy Object can be linked
to it: a workstation left there receives only domain-linked policy, not the site or workstation OU policies
that enforce the SDE.

        Recommendation: To reduce effort, create the computer accounts programmatically; this also
         allows the administrator to specify where in AD the computer account is created.
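As an added example, not code from the original document, the following pre-stages the site's workstation accounts with the Windows Server 2008 R2 Active Directory module, reading a constructed CSV of workstation names and target OUs, and shows the matching join command. OU paths, host names and the join account are assumptions for illustration.

```powershell
# Added example (not from the original design document): pre-stage workstation
# accounts in the site OU so that no account is left in CN=Computers, then join
# each workstation into that OU. CSV contents, OU paths and the join account
# are constructed assumptions.
Import-Module ActiveDirectory          # RSAT / Windows Server 2008 R2

$Domain = 'corporate.local'
$Workstations = @'
ComputerName,SiteOU
WKS-SITEB-001,"OU=Workstations,OU=SiteB,OU=Sites,DC=corporate,DC=local"
WKS-SITEB-002,"OU=Workstations,OU=SiteB,OU=Sites,DC=corporate,DC=local"
'@ | ConvertFrom-Csv

function New-PrestagedWorkstation {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$OUPath
    )
    if (-not [adsi]::Exists("LDAP://$OUPath")) {
        throw "Target OU does not exist: $OUPath"
    }
    $existing = Get-ADComputer -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
    if ($existing) {
        if ($existing.DistinguishedName -ne "CN=$Name,$OUPath") {
            # Typically an account that an earlier manual join dropped into CN=Computers
            Write-Warning "$Name exists at $($existing.DistinguishedName); moving to $OUPath"
            Move-ADObject -Identity $existing.DistinguishedName -TargetPath $OUPath
        }
        return
    }
    New-ADComputer -Name $Name -SamAccountName $Name -Path $OUPath -Enabled $true `
        -Description 'Pre-staged for Novell to Corporate AD migration'
}

foreach ($w in $Workstations) {
    New-PrestagedWorkstation -Name $w.ComputerName -OUPath $w.SiteOU
}

# Join step, run on each workstation. The credential is an account with only
# delegated Create/Delete Computer Objects rights on the site OU (assumed name
# CORPORATE\svc-join), not a Domain Admin. -OUPath places a newly created account
# in the site OU; a pre-staged account is reused rather than created again.
# Add-Computer -DomainName $Domain -OUPath $Workstations[0].SiteOU `
#     -Credential (Get-Credential 'CORPORATE\svc-join') -Restart
```

Delegating the join right on each site OU to a dedicated account keeps the field technicians out of Domain Admins. As a backstop for any manual join that bypasses the script, redircmp.exe (available at Windows Server 2003 domain functional level or higher) can point the domain's default computer container at a managed OU that already has the baseline GPOs linked.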

Group Policy will start applying once the users and computers have been added to the Corporate AD
domain and log on. These policies perform the same configuration tasks as the Novell policies and ensure
that the existing Standard Desktop Environment (SDE) is enforced.
Group Policy Preferences item-level targeting evaluates the security groups the user belongs to and maps
the corresponding drives on the user's machine.

        Recommendation: Group Policy Preferences can be used to replace Novell login scripts.

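Group Policy Preferences drive maps evaluate item-level targeting against the user's own logon token, so no credential needs to be stored. The way to get this wrong is the "Connect as" option on a drive map (or the "Run as" option on other preference items), which writes a cpassword attribute into the preference XML in SYSVOL; the AES key protecting that value is published in Microsoft's MS-GPPREF specification, and although MS14-025 removed the ability to save new ones, existing XML stays in place, so any domain user who can read SYSVOL can recover the password. The audit below is an added example and not part of the original document; the Drives.xml it writes under %TEMP% is a constructed, trimmed sample with one group-targeted map and one map carrying a stored credential.

```powershell
# Added example (not from the original design document): find Group Policy
# Preferences items in SYSVOL that carry a stored credential (cpassword).
# The Drives.xml written below is a constructed sample; for the real domain,
# point -PoliciesPath at \\corporate.local\SYSVOL\corporate.local\Policies.

function Find-GppStoredCredential {
    param([Parameter(Mandatory)][string]$PoliciesPath)
    Get-ChildItem -Path $PoliciesPath -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -match '\\Preferences\\' } |
        ForEach-Object {
            $file = $_.FullName
            $xml = New-Object System.Xml.XmlDocument
            $xml.Load($file)
            # Every GPP item type (Drives, ScheduledTasks, Services, DataSources, ...)
            # keeps the credential on its <Properties> element as cpassword
            foreach ($node in $xml.SelectNodes('//Properties[@cpassword]')) {
                New-Object PSObject -Property @{
                    File   = $file
                    Item   = $node.ParentNode.GetAttribute('name')
                    RunAs  = $node.GetAttribute('userName')
                    Stored = ($node.GetAttribute('cpassword').Length -gt 0)
                }
            }
        }
}

# --- constructed sample: one group-targeted map, one map using "Connect as" ---
$demoPolicies = Join-Path $env:TEMP 'gpp-demo\Policies'
$drivesDir = Join-Path $demoPolicies '{11111111-2222-3333-4444-555555555555}\User\Preferences\Drives'
New-Item -ItemType Directory -Force -Path $drivesDir | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="G:" status="G:">
    <Properties action="U" path="\\fs01.corporate.local\Groups\SiteB" label="Group" persistent="1" useLetter="1" letter="G" userName=""/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CORPORATE\SiteB-Staff" sid="S-1-5-21-1111111111-2222222222-3333333333-1105" userContext="1" primaryGroup="0" localGroup="0"/>
    </Filters>
  </Drive>
  <Drive name="S:" status="S:">
    <Properties action="U" path="\\fs01.corporate.local\Scans" label="Scans" persistent="1" useLetter="1" letter="S" userName="CORPORATE\svc-scan" cpassword="CONSTRUCTED-CIPHERTEXT-NOT-A-REAL-VALUE"/>
  </Drive>
</Drives>
'@ | Set-Content -Path (Join-Path $drivesDir 'Drives.xml') -Encoding UTF8

Find-GppStoredCredential -PoliciesPath $demoPolicies | Format-Table Item, RunAs, Stored, File -AutoSize
```

The G: map relies on item-level targeting (the FilterGroup element) and the user's own token, so it carries no cpassword attribute and is not matched; only items that were saved with a credential appear in the output. Run the scan as part of the GPO review before each site cut-over, and treat any hit as a password to rotate, not just an item to edit.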
Users and computers for the site will exist in both Corporate AD and Novell eDirectory. Services that
are offered by Novell are not yet offered by the Corporate AD. Therefore, to begin the decommissioning
of the local Novell server any service that is offered by a Novell server needs to be moved to a central
site or migrated to an equivalent technology within the enterprise.

6.9.3.4 Considerations
The following have been identified as considerations based on Avanade's knowledge of the TMR
environment and the Corporate AD design:
        Hardware considerations; the purchase of new servers, or the reuse of existing server hardware
         with adequate specifications.
        Logistics management needs to be part of the deployment, because of the shipping, building and
         installation of a large number of servers across a large number of remote sites, and the
         reconfiguration of every workstation at those sites.
        Local configuration of a large number of workstations is required to complete the migration
         process such as:
             o     Joining the workstations to corporate.local domain.
             o     Network configurations.
             o     Removal or reconfiguration of the Novell Client and other applications.
        Migration of mobile/roaming workstations, and workstations that are turned off.
        Application remediation is a significant piece of work and it may be discovered that some
         applications cannot be easily remediated to work with Corporate AD.
        Applications can have dependencies on the Novell file system, such as a department's group
         drive. As the group share also contains other data, the applications and the group data may
         need to be moved at the same time.
        During the decommissioning process it is important to note that service layering on the local
         Novell server increases the complexity of the migration and decommissioning process at each
         site. Each independent service that the local Novell server offers will need to be targeted.
        The Novell File and Print services will need to be moved to the central SHOC Novell servers, or
         migrated to an equivalent technology. This is discussed at a high level in the TMR Priorities
         and Next Steps section.
        The Novell ZENworks suite provides critical services to the workstations at remote sites. These
         services will need to be moved to the central SHOC Novell servers, or migrated to an equivalent
         technology. This is discussed at a high level in the TMR Priorities and Next Steps section.
        The additional operational overhead will fall onto the existing TMR server services and user
         services teams as TMR are now supporting users and workstations in both Active Directory and
         Novell eDirectory.
        The decommissioning of site-specific Novell servers will increase the complexity of rollback and
         should only be done once significant testing and validation work has been completed.
        A backup, snapshot or virtualisation of the Novell server can be done prior to the
         decommissioning of a server.


6.10 TMR Priorities and Next Steps
These are the activities which have been determined to have strong dependencies in the migration
process, and it is recommended that these activities begin as soon as possible.

6.10.1 Develop the High Level Design and Migration Approach into
Detailed Design documents
As indicated in Section 6.2 of this document, the very first TMR Migration Milestone and the most
important 'next step' in this process is to develop the Active Directory High Level and Migration
Approach designs into detailed designs, using the existing collateral that has been formed in the course
of this project.
Also take into account other projects external to the Design & Proof of Concept for AD & ILM Project,
as these external projects may have beneficial requirements to incorporate. Examples of some external
projects are:
        TMR SharePoint Active Directory – EI&S.
        Replacement of ARMIS – Road Systems Information (RSI).
        Universal Passwords – EI&S.
        Service Now – EI&S.
Aligning these projects will ensure that the directory service that is delivered will cater for the needs of
the business.
Additionally the infrastructure that has been implemented as part of the TMR SharePoint
implementation can be used as a starting point for the migration designs and plans which are to be
developed. Operational processes that have been put in place to support the environment can be
leveraged and further developed as part of the design process.

6.10.2 Novell File Services
For the migration of Novell File Services, TMR will need to undertake some preparation work as
suggested in the analysis stage, similar to an assessment and consolidation activity where the Novell
data architecture and the security permissions are cleaned up and flattened out before migration begins.
Similar to the Deployment Strategy, Avanade suggests the File migration effort is broken into a series of
smaller migrations of individual servers and volumes. Discrete data access containers need to be
defined as part of this preparation exercise; these are homogeneous groups of data accessed by a single
well-defined group, functional group, division or user site; or, a set of data accessed by multiple, clearly
defined groups, departments, divisions, or user sites. The inability to define discrete data access
containers increases the complexity which must be managed during the coexistence phase of the
migration and the amount of risk involved in the migration. Being unable to identify these containers
increases the administrative overhead during the migration.
TMR will need to select a solution to replace Novell File Services. In order to make an informed
decision a thorough analysis of TMR's requirements should be undertaken, followed by an assessment
of possible products. At a minimum, it is expected that the solution should provide the same
functionality that already exists and retain the security permissions. In this scenario Windows File
Services will be used as an example.
To retain the security permissions from Novell to Windows they need to be converted from Novell
Trustees and Inherited Rights Masks (also called Inherited Rights Filters) to NTFS Access Control Lists
(ACLs). Migration tools such as Quest NDS Migrator are capable of migrating file data and security
permissions to Windows servers. In the past Queensland Rail used a similar tool when they separated from
Queensland Transport, to migrate their data from the existing Novell platform to a Windows platform.
Leveraging this experience and knowledge would benefit the project.
Other considerations to the File Services migration include fixing incompatible file permissions (i.e. in
Novell an organisation can be the trustee of a directory or file), the continued synchronisation of
security permissions, physical storage devices, the tiering of these storage devices, and the backup
solution that will be used.
It is important to note that until a replacement for Novell File services is determined, TMR cannot
completely decommission the Novell environment.
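The conversion the two paragraphs above describe (trustee rights to NTFS access rules, with the Inherited Rights Mask and the "organisation as trustee" case handled) is shown below as an added example; it is not code from the original document or from Quest NDS Migrator, and the Novell-to-NTFS rights mapping, the eDirectory-to-AD identity table and the trustee report are all constructed assumptions. It produces the ACL as SDDL for review before anything is applied.

```powershell
# Added example (not from the original design document or any migration tool):
# convert Novell trustee assignments into NTFS access rules and emit them as
# SDDL for review before Set-Acl writes them. Rights mapping, identity table
# and trustee report are constructed assumptions.

$FSR = [System.Security.AccessControl.FileSystemRights]
$RightsMap = @{
    'S' = $FSR::FullControl                                        # Supervisor
    'R' = $FSR::ReadAndExecute                                     # Read
    'W' = $FSR::Write                                              # Write (data, append, attributes)
    'C' = $FSR::CreateFiles -bor $FSR::CreateDirectories           # Create
    'E' = $FSR::Delete -bor $FSR::DeleteSubdirectoriesAndFiles     # Erase
    'M' = $FSR::WriteAttributes -bor $FSR::WriteExtendedAttributes # Modify (rename, attributes)
    'F' = $FSR::ListDirectory -bor $FSR::ReadAttributes            # File Scan
    'A' = $FSR::ChangePermissions -bor $FSR::ReadPermissions       # Access Control
}

# eDirectory group -> AD group SID. In practice the SIDs belong to the groups
# the IDM/ILM synchronisation created; these values are constructed.
$IdentityMap = @{
    '.CN=ProjectsStaff.OU=SiteB.O=TMR' = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
    '.CN=ProjectsLead.OU=SiteB.O=TMR'  = 'S-1-5-21-1111111111-2222222222-3333333333-1106'
    '.CN=Finance.OU=SiteB.O=TMR'       = 'S-1-5-21-1111111111-2222222222-3333333333-1107'
}

function ConvertTo-NtfsRights {
    param([Parameter(Mandatory)][string]$NovellRights)   # e.g. 'RWCEMF'
    $rights = [System.Security.AccessControl.FileSystemRights]0
    foreach ($c in $NovellRights.ToUpper().ToCharArray()) {
        $key = [string]$c
        if (-not $RightsMap.ContainsKey($key)) { throw "Unknown Novell right '$key' in '$NovellRights'" }
        $rights = $rights -bor $RightsMap[$key]
    }
    return [System.Security.AccessControl.FileSystemRights]$rights
}

function ConvertTo-NtfsAcl {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][object[]]$Entries)
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $irm = ($Entries | Select-Object -First 1).IRM
    if ($irm -ne 'SRWCEMFA') {
        # An Inherited Rights Mask has no NTFS equivalent: block inheritance and
        # re-state the rights that should remain as explicit ACEs.
        $acl.SetAccessRuleProtection($true, $false)
        Write-Warning "$Path : IRM '$irm' converted to blocked inheritance; re-state inherited grants explicitly"
    }
    foreach ($e in $Entries) {
        $sid = $IdentityMap[$e.Trustee]
        if (-not $sid) {
            # e.g. an Organization or container used as trustee: no AD equivalent, needs a decision
            Write-Warning "$Path : no AD principal for trustee '$($e.Trustee)'; rights $($e.Rights) not migrated"
            continue
        }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            (New-Object System.Security.Principal.SecurityIdentifier $sid),
            (ConvertTo-NtfsRights $e.Rights),
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    return $acl
}

# Constructed trustee report in the shape an NDS export would be normalised to
$Report = @'
Path,Trustee,Rights,IRM
D:\Data\Projects,.CN=ProjectsStaff.OU=SiteB.O=TMR,RWCEMF,SRWCEMFA
D:\Data\Projects,.CN=ProjectsLead.OU=SiteB.O=TMR,RWCEMFA,SRWCEMFA
D:\Data\Finance,.CN=Finance.OU=SiteB.O=TMR,RF,RF
D:\Data\Finance,.O=TMR,RF,RF
'@ | ConvertFrom-Csv

$Report | Group-Object Path | ForEach-Object {
    $acl = ConvertTo-NtfsAcl -Path $_.Name -Entries $_.Group
    '{0}  {1}' -f $_.Name, $acl.GetSecurityDescriptorSddlForm('Access')
    # Apply step, on the target Windows file server after the SDDL has been reviewed:
    # Set-Acl -Path $_.Name -AclObject $acl
}
```

Two design choices are worth noting. The mapping deliberately gives Novell "A" (Access Control) only Change Permissions rather than Full Control, since the Novell right does not include Supervisor; a tool may choose differently, and the choice should be recorded in the detailed design. The ".O=TMR" trustee row shows the incompatible-permission case from the considerations: it is reported, not silently widened to Authenticated Users.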

6.10.3 Novell Print Services
To begin the migration of print services an assessment of the print queues and print devices must be
done. The expected output of the assessment should be in the form that can be scripted to import and
create the new print queues.
The migration approach for Print Services is much simpler than for File Services, as a co-existence
approach is not necessary. Existing print services in NetWare will not be impacted by the addition of
another print service. Having multiple queues pointing to the same print device will not cause
co-existence issues, as the print device can handle jobs from multiple queues.
Print queues which currently exist on a Novell server can be recreated in a Windows Print Server via a
scripted process which uses NDS reports as an input file.
It is important to note that until a replacement for Novell Print services is determined, TMR cannot
completely decommission the Novell environment, however the migration is less complex than other
services.
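The scripted recreation of queues described above, as an added example that is not part of the original document: it reads a constructed CSV in the shape an NDS queue report would be normalised to and creates the TCP/IP ports and shared queues on a Windows Server 2008 R2 print server through the WMI classes of that era (the Add-Printer cmdlets only arrived with Windows Server 2012). Queue names, addresses and the driver name are assumptions, and the driver is assumed to be installed on the server already.

```powershell
# Added example (not from the original design document): recreate Novell print
# queues on a Windows print server from a constructed CSV export. Both functions
# skip objects that already exist so the script can be re-run per site.

$Queues = @'
QueueName,HostAddress,Driver,Location
SITEB-PRN-01,10.20.5.201,HP Universal Printing PCL 6,SiteB Front Office
SITEB-PRN-02,10.20.5.202,HP Universal Printing PCL 6,SiteB Depot
'@ | ConvertFrom-Csv

function New-RawTcpPort {
    param([Parameter(Mandatory)][string]$HostAddress, [int]$PortNumber = 9100)
    $name = "IP_$HostAddress"
    if (Get-WmiObject Win32_TCPIPPrinterPort -Filter "Name='$name'") { return $name }
    $port = ([wmiclass]'Win32_TCPIPPrinterPort').CreateInstance()
    $port.Name        = $name
    $port.HostAddress = $HostAddress
    $port.PortNumber  = $PortNumber
    $port.Protocol    = 1            # 1 = RAW, 2 = LPR
    $port.SNMPEnabled = $false
    [void]$port.Put()
    return $name
}

function New-SharedQueue {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Driver,
        [Parameter(Mandatory)][string]$PortName,
        [string]$Location
    )
    if (Get-WmiObject Win32_Printer -Filter "Name='$Name'") { Write-Verbose "$Name exists"; return }
    if (-not (Get-WmiObject Win32_PrinterDriver | Where-Object { $_.Name -like "$Driver,*" })) {
        throw "Driver '$Driver' is not installed on this server"
    }
    $printer = ([wmiclass]'Win32_Printer').CreateInstance()
    $printer.DeviceID   = $Name
    $printer.DriverName = $Driver
    $printer.PortName   = $PortName
    $printer.Location   = $Location
    $printer.Shared     = $true
    $printer.ShareName  = $Name
    $printer.Published  = $true      # list the queue in AD so users can search by location
    [void]$printer.Put()
}

foreach ($q in $Queues) {
    $port = New-RawTcpPort -HostAddress $q.HostAddress
    New-SharedQueue -Name $q.QueueName -Driver $q.Driver -PortName $port -Location $q.Location
}
```

Because the new Windows queue and the existing NetWare queue both point at the same device address, the two can coexist for the duration of the site migration exactly as the text describes; the Novell queue is removed only when its last client has been repointed.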

6.10.4 Novell ZENworks
The process of remediating and repackaging the applications which are published by Novell Application
Launcher (NAL) / ZENworks is normally a substantial piece of work that should be started sooner rather
than later. Additionally, if a new Standard Desktop Environment is expected in the future, an application
compatibility effort is required. To eliminate double handling of applications, TMR should ensure the
application remediation and repackaging, and the application compatibility work for the Standard Desktop
Environment (SDE), are completed as part of the same project.
It is assumed that TMR will implement Microsoft System Center Configuration Manager 2007 (SCCM
2007) to replace the functionality provided by NAL/ZENworks.
The challenges surrounding migration of NAL/ZENworks environments must be addressed individually.
Avanade has experience in repackaging applications and deploying them via SCCM 2007 and
recommends this approach to ensure the reliability of logo-certified msi applications and the ease with
which applications can be repackaged into an .msi format. Other options such as Application
Virtualisation can be explored to assist in decoupling the application from the operating system.
It is important to note that until a replacement for NAL/ZENWorks is determined, TMR cannot
completely decommission the Novell environment. There are several Line-of-Business applications
delivered by NAL/ZENWorks that will still be required in the new environment.

6.10.5 Migration of SHOCAD infrastructure
In line with TMR‟s goals to have the Corporate AD as the central repository for managing users and
computers in the organisation the migration of SHOCAD to Corporate AD will need to occur. Once the
TMR Migration Milestone – Deploy Corporate AD to Data Centre has been achieved TMR will be in a
position to migrate systems away from SHOCAD in a separate project stream.
Many of the systems present in SHOCAD only exist in the domain to facilitate the management of the
servers. There are no user accounts in the domain, except the administrator accounts, therefore the
migration will not need to take into account the end users or access management issues as they are
managed by the application independently.
A thorough analysis of the servers and services that exist in SHOCAD will need to be done as outlined
in the Analysis stage, a migration plan and testing should be also completed before these systems are
migrated to Corporate AD. Ensuring that all dependencies are either removed or migrated from
SHOCAD is important before it can be decommissioned.
6.10.6 Migration of Tactical AD applications
Once the TMR Migration Milestone – Deploy Corporate AD to Data Centre has been achieved TMR
will be in a position to migrate systems away from Tactical AD in a separate project stream. If the
migration of these applications is to be considered Avanade recommends that a freeze is placed on the
Tactical AD to prevent any additional applications from being implemented into that environment.
All of the systems present in Tactical AD exist in the domain to facilitate the management of the
servers, and all TMR users that use the applications require an account in the Tactical AD domain.
This account was created as a replica of the Novell eDirectory user account and is granted access to the
application through Active Directory security groups. Users authenticate against Tactical AD to access
these applications.
A thorough analysis of applications that exist in Tactical AD will need to be done as outlined in the
Analysis stage, a migration plan and testing should be also completed before these systems are migrated
to Corporate AD. This will also have some repercussions on operational processes that have been put in
place to manage the objects within the directory.
7 Appendix A. – Attachments
This section contains any relevant or referenced documentation that is not easily available online.


7.1 TMR BRS - Active Directory Services
This document presents the business and technical requirements for the 'Design and Proof of Concept
for AD & ILM' Project.


 G:\BS&I\Solutions &
Investments Division\Solution Delivery\FS Program\2.Projects\2.Strategic\0.POC\3.Deliverables\1.Concept\TMR BRS - Active Directory Services v



7.2 Requirements Traceability Matrix
This document shows the relationship between any requirement and the products or services that
implement or verify that requirement, to check the coverage of testing, to provide status of requirement
delivery, and to aid impact analysis of a change of requirements.


 G:\BS&I\Solutions &
Investments Division\Solution Delivery\FS Program\2.Projects\2.Strategic\0.POC\3.Deliverables\1.Concept\Supporting doco\AD & ILM POC - Requ



7.3 Conceptual Design - Active Directory Services
The purpose of this document is to provide a conceptual overview of the development of a strategic
implementation of an Active Directory (AD) for TMR.



Conceptual Design -
Active Directory Services v1.1.doc


7.4 Active Directory for SharePoint Server Detailed Design
Document
The purpose of this document is to provide a detailed framework for implementing the Transport and
Main Roads directory environment using Active Directory (AD) infrastructure for the purpose of
supporting SharePoint Server. The document will be made available on request.




7.5 MR Infrastructure Discovery
The Main Roads Infrastructure Discovery document provides an overview of the current infrastructure
as it is relevant to the Enterprise Directory Services project. The document will be made available on
request.

7.5.1      MR Site Audit Report
The MR Site Audit Report completed in September 2008 is an audit of all active MR user sites and
includes a list of all physical servers deployed at the sites and the services that reside on them. This
document is contained within the MR Infrastructure Discovery document and will be made available on
request.


7.6 Transport Discovery for TMR AD & ILM POC
This document is intended to be a reference point for the Main Roads “Tactical Active Directory” and
“Active Directory with ILM POC” projects. It is based on a document created for Main Roads in August
2008. The document will be made available on request.

8 Appendix B. – Definitions
           Terms, abbreviations           Meaning
           and acronyms
           ACL                            Access Control List
           AD DS                          Active Directory Domain Services
           BSD                            Business Solutions Delivery
           CSC                            Customer Service Centres
           DC                             Domain Controller
           DNS                            Domain Name System
           DHCP                           Dynamic Host Configuration Protocol
           EI&S                           Enterprise Information & Systems
           ESU                            Enterprise Security Unit
           FSMO                           Flexible Single Master Operations
           GPO                            Group Policy Object
           ILM                            Microsoft Identity Lifecycle Manager
           IT                             Information Technology
           ITO                            Information Technology Officer
           ITS                            Information Technology Services
           IP                             Internet Protocol
           LDAP                           Lightweight Directory Access Protocol
           LDS                            Lightweight Directory Services (AD LDS)
           LAN                            Local Area Network
           MRJ                            Main Roads Jurisdiction
           NAB                            Notes Address Book
           NAL                            Novell Application Launcher
           NOS                            Network Operating System
           NPS                            Windows Server 2008 role - Network Policy Server
           IDM                            Novell Identity Manager
           OU                             Organisational Unit
           PDC                            Primary Domain Controller
           PoC                            Proof of Concept
           PKI                            Public Key Infrastructure
           QGCIO                          Queensland Government Chief Information Office
           QGCTO                          Queensland Government Chief Technology Office
           RID                            Relative Identifier
           SITO                           Senior Information Technology Officer
           SWoG                           Solution Working Group
           SOE                            Standard Operating Environment
           TMR                            Transport and Main Roads
           WAN                            Wide Area Network
           WINS                           Windows Internet Name Service