Enterprise Directory Services Provision 2007 LandWarNet Conference Track 4

2007 LandWarNet Conference
Track 4: LandWarNet Network Operations (NETOPS)

Moving From One Theater to the Next Using Enterprise Directory Service (EDS)

Session 7
23 August / 0845 - 0945

Mr. Robert Bachert, ESTA/EICD
Robert.bachert@us.army.mil, DSN 821-1855
Unclassified
8/10/2011
Slide 1
Track 4, Session 7: Moving from one theater to the next using EDS

• PURPOSE: This session will provide vision, strategy and direction on EDS
  across the enterprise and its integral relationship with Net-Centric
  Enterprise Services (NCES). The intent of this session is to provide an
  update on EDS-Lite and the EDS-Provisioning Service, and an overview of the
  EDS relationship to Joint directory services (JEDS).

• OBJECTIVES: By the end of this session you will be able to:

   – Understand the vision and the phases for EDS
   – Understand the concept of implementing EDS within the Army and how it is
     integrated with Active Directory and other directories
   – See the importance of having a standard set of user attributes


EDS Vision
• Provide global identification and authentication
• Accelerate movement of computing services for deployable units
• Enable cross-theater access
• Provide relevant Global Address List (GAL) to e-mail users
• Synchronize directory data from other DoD, Federal, State and Local
  authorities
• Provide foundation for Army participation in Network-Centric Enterprise
  Services
• Support IT consolidation

EDS Road Ahead – Future
Enterprise Directory Services – "Conceptual Evolution": development and
transition to a WEB-centric vision (figure, phases shown bottom to top)

• EDS-Lite Phase 1 – Connecting AD Forests to provide services to support
  Identification, Login, Messaging, and Data Access
• EDS-Enhanced Phase 2 – Added Features and Data Access across AD Forests
• EDS-Enterprise Phase 3 – Integration with all other systems / legacy & LDIF
• EDS-Heavy Phase 4 – Full featured, Data Capable, JEDS integrated
• EDS-NETCentric Phase 5 – EDS Integrated to initial WEB based Services
• EDS-WEB Centric Phase 6 – WEB Services and new technology in place

Foundation layers in the figure: EDS - Network Communication Layer (Army AD
forests) and EDS Misc. Legacy / LDIF (NT, Win, DMS, UNIX).

EDS-Lite - Background
• Requirement: The EDS-Lite requirement originated from the multi-forest
  implementation of Active Directory (AD) and Exchange 2003, which resulted
  in each forest having a Global Address List (GAL) containing only its own
  users.
• Function: EDS-Lite consolidates and correlates identity data from the AD
  forests, Army Knowledge Online (AKO), and Global Directory Service (GDS) to
  create a Unified Army Global Address List (UAG), with the consolidated data
  written back into each forest's directory.
    – This allows Exchange 2003 users of Microsoft Outlook to locate and
      address email to any other AKO-verified Army user.
    – The UAG includes user certificate information required for PKI-encrypted
      messages and Electronic Data Interchange-Person Identifier (EDI-PI)
      information for enabling CAC logon.
• Future: EDS-Lite will be the single source for the UAG and will function as
  a baseline for future initiatives to extend the Army Enterprise Directory
  Services capability and interface with Joint Enterprise Directory Services
  (JEDS).


EDS Lite GAL Synchronization

Figure (labels recovered from the diagram): MIIS HUB running EDS-Lite Unified
GAL Synchronization; GDS PKI attributes; UAG - Unified Army GAL (Army-wide
management and service; joining of AKO attributes & GDS PKI certs); GAL
updates; AD Forests synchronization; Garrison and Deployed domain controllers
and AD forests connected over NIPRNET.


EDS & EDS-Lite promote Modularity and Mobility

EDS/EDS-Lite

Figure (labels recovered from the diagram): EDS-Lite (GAL SYNCH); EDS -
Directory, Discovery, Metadata; sources DEERS, TAPDB, GDS, AKO and AD Forests
feeding Updated Attributes; Unified GAL (Integrates AKO); EDS-Lite Data
Integration.

•   EDS-Lite/GAL is a solution to address the need for a unified Global
    Address List (GAL) based on the multiple Forest implementation of
    Microsoft Exchange Server 2003.
•   The solution, supporting Exchange 2003 users, will provide a directory
    containing Army Knowledge Online (AKO) E-mail addresses validated via AKO
    user account information and AD Forest GAL Contacts and GDS Certificates.

EDS & EDS-Lite promote Modularity and Mobility

Display Name

Attributes sourced from AKO:
• Personnel Type
• Rank
• EDIPI (EDS Lite verifies)
• @us.army.mil (EDS Lite verifies)
• Country (no source)

Attributes sourced from the AD Forest:
• Last Name
• First Name
• Initial
• Generation Qualifier
• Salutation
• DoD Component (EA 1)
• DoD Sub-Component (EA 2)

Example display name: Tracy, Joan E. Mrs CIV USA AMC [joan.tracy@us.army.mil]

* IAW AEI Directory Services Naming Conventions and Standards v5 dated June
  2006, any blank field spaces may be removed.
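As an added example (not code from the EDS-Lite product), the correlation that slides 5 and 8 describe: an AD forest GAL contact is joined with its AKO record and GDS certificate into a UAG entry, and the display name is rendered per the convention above with blank fields dropped. The attribute names, the e-mail join key, the 10-digit EDIPI check and the field order after the name are this example's assumptions; the sample records are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

ARMY_DOMAIN = "@us.army.mil"


@dataclass
class AdContact:
    """Attributes the AD forest supplies (slide 8, AD Forest column)."""
    last_name: str
    first_name: str
    mail: str
    initial: str = ""
    generation_qualifier: str = ""   # e.g. "Jr."
    salutation: str = ""             # e.g. "Mrs"
    dod_component: str = ""          # "EA 1" on the slide (assumed: extensionAttribute1)
    dod_sub_component: str = ""      # "EA 2" on the slide (assumed: extensionAttribute2)


@dataclass
class AkoRecord:
    """Attributes AKO supplies (slide 8, AKO column)."""
    edipi: str
    ako_email: str
    personnel_type: str = ""         # CIV, MIL, ...
    rank: str = ""


def ako_verified(ako: AkoRecord) -> bool:
    """The two fields slide 8 marks 'EDS Lite verifies': the EDIPI and the
    @us.army.mil address. Treating the EDIPI as exactly 10 digits is this
    example's assumption about its format."""
    return (ako.edipi.isdigit() and len(ako.edipi) == 10
            and ako.ako_email.lower().endswith(ARMY_DOMAIN))


def display_name(ad: AdContact, ako: AkoRecord) -> str:
    """Render 'Last, First I. Qualifier Salutation Type Rank Component Sub'.
    Blank fields are dropped so no double spaces remain (the AEI naming
    standard note on slide 8). The field order after the name is this
    example's reading of 'Tracy, Joan E. Mrs CIV USA AMC'."""
    given = ad.first_name + (f" {ad.initial}." if ad.initial else "")
    parts = [f"{ad.last_name}, {given}", ad.generation_qualifier, ad.salutation,
             ako.personnel_type, ako.rank, ad.dod_component, ad.dod_sub_component]
    return " ".join(p for p in parts if p)


def build_uag_entry(ad: AdContact, ako_by_email: Dict[str, AkoRecord],
                    certs_by_email: Dict[str, str]) -> Optional[dict]:
    """Correlate one GAL contact with AKO and GDS data, joined on the e-mail
    address (an assumed key). A contact without a verified AKO record returns
    None and stays out of the UAG; a missing GDS certificate only means the
    entry cannot be used for PKI-encrypted mail."""
    ako = ako_by_email.get(ad.mail.lower())
    if ako is None or not ako_verified(ako):
        return None
    return {
        "displayName": display_name(ad, ako),
        "mail": ako.ako_email.lower(),
        "edipi": ako.edipi,                                      # enables CAC logon
        "userCertificate": certs_by_email.get(ad.mail.lower()),  # PKI encryption cert
    }


def build_uag(contacts, ako_by_email, certs_by_email):
    """Run every forest contact through the correlation; skip unverified ones."""
    entries = (build_uag_entry(c, ako_by_email, certs_by_email) for c in contacts)
    return [e for e in entries if e is not None]


# Constructed sample data (not real people or records).
TRACY_AD = AdContact("Tracy", "Joan", "Joan.Tracy@us.army.mil", initial="E",
                     salutation="Mrs", dod_component="USA", dod_sub_component="AMC")
DOE_AD = AdContact("Doe", "John", "john.doe@us.army.mil", dod_component="USA")
AKO_BY_EMAIL = {
    "joan.tracy@us.army.mil": AkoRecord("1234567890", "joan.tracy@us.army.mil",
                                        personnel_type="CIV"),
    "john.doe@us.army.mil": AkoRecord("12345", "john.doe@us.army.mil",  # malformed EDIPI
                                      personnel_type="MIL", rank="SFC"),
}
CERTS_BY_EMAIL = {"joan.tracy@us.army.mil": "<constructed certificate blob>"}

if __name__ == "__main__":
    for entry in build_uag([TRACY_AD, DOE_AD], AKO_BY_EMAIL, CERTS_BY_EMAIL):
        print(f"{entry['displayName']} [{entry['mail']}]")
```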

Enterprise User Attributes





Enterprise User Attributes





                     EDS-Lite Status
• Hub (AKO-DR)
   – Fully operational with connectivity to the AKO and GDS data consumers.
• Accreditation
   – Authority to Operate (ATO) was awarded 14 Nov 06.
   – Certificate to Operate (CTO) was signed 9 Jan 06 but runs concurrently
     with ATO.
• Initial Operational Capability (IOC)
   – IOC occurred 14 Aug 06 for 16K CONUS Forest Active Directory (AD)
     Exchange 2003 users with the system meeting all functional requirements.
   – Currently approximately 186K in the UAG and 240K user objects are being
     updated in CONUS.
   – INSCOM is expected to be the next Forest to be joined.
• DoD Enterprise Directory Services (JEDS)



           EDS-Lite Status (cont.)
• Forest Joined to EDS-Lite
   – CONUS
• Forests Actively in Process of Joining EDS-Lite
   – USAREUR
   – USARPAC
   – SWA
   – INSCOM
• Forests for Which Implementation Coordination has not yet Occurred
   – Accessions Command
   – West Point
   – Korea
   – MEDCOM
   – Corps of Engineers
   – Army Reserve
   – National Guard

            Enterprise Directory Service
            Provisioning EDS-P Version
• The EDS-P Service was developed by the Software Engineering Center-Ft Belvoir
  (SEC-B) in support of the Army Enterprise Directory Services.
• EDS-P will provision users, machines and accounts from the Generating Forest
  (GF) Active Directory and MS Exchange mail servers to the Deployed Force (DF)
  Active Directory and MS Exchange servers.
• The EDS-P service is designed to support the Warfighter in training as they
  fight.
• The EDS-P service capability allows a seamless transition from a Generating
  Force location to a Deployed Force location.
• The function of EDS-P is to provision user and system objects from a GF
  Active Directory (AD) to a DF AD with little to no disruption in overall
  service to the Warfighter.



        EDS-P Definition

Provisioning is defined as the movement of
user identities, data and services from a
Generating Force (GF) AD forest to and from a
Deployed Force (DF) AD forest





               DF & EDS-P Guidance
• Per the 15 July 05 memorandum, Deployed AD forests operate "autonomously" as
  directed in the memorandum.
• The "autonomously" concept is interim until a robust provisioning tool can
  accommodate the AD migration from the generating to the deployable AD forest
  and back, consistent with the various phases of deployment operations.
• The intent of the 15 July 05 memorandum is that while in garrison, C4IM
  services would be provided by the installation DOIM and the deployable unit
  would provision back into the generating force's AD forest construct.
• The DF AD forests will always remain active and persistent to accommodate
  deployments, exercises and emergency/contingency operations (Full vs. nearly
  Empty).



                 EDS-P Objective
• Restructure the Generating Force objects into the Deployable Forces (DF)
  Active Directory environment and reverse
• Depict the process of provisioning of objects between the Generating Force
  and Deployable Forces forests and reverse
• Restructure the Deployed Force objects into the Deployable Forces (DF)
  Active Directory environment and reverse in support of Modular Force




EDS-P Tool Capability

Graphical Interface that:
   – Moves User/Group objects to the deploying servers
   – Provides "Dial-tone" email service
   – Sets Security server settings for deployed environment
   – Sets Asset Management server settings for deployed environment

•   Be able to operate at the OU Level
•   Developed Tool that does not require a trust between GF and DF Domains
•   Developed Code to move OU AD information between GF and DF
•   Developed Code to move mail accounts between GF and DF
•   "Dial-tone" email service (if no existing mail account)
•   Graphical User Interface between EDS-P tool set and GF/DF forests
•   Provisioning support for:
     –   Single or multiple geographic sites
     –   AD Site/domains
     –   Selected unit(s)
     –   Single objects
     –   Working Code to move Domain Access for PC from GF to DF
     –   Provision GF Systems Administration functions to identified System
         Administrator for the DF (Security)
     –   Notifies Administrator of failed provisioning
     –   Reporting

Glossary
AD – Active Directory
Dial-tone – immediate email access to user without provisioned email content
DF – Deployed Force (Target systems)
EDS-P – Enterprise Directory Service – Provisioning Tool
GF – Garrison Force (Source systems)
GUI – Graphical User Interface
OU – Organizational Unit – Active Directory object

EDS-P Environment

Figure (labels recovered from the diagram): Deploy and Return, managed by the
generating forest DOIM network.





Unit Deploying Process

Figure (labels recovered from the diagram): Generating Forest and Deployable
Forest; #1 Move Augmentees/Deploying Users information; #2 Move Rear
Detachment/Stay Behind information.

Information Moved
•AD Objects
   •Users
   •Computers
   •Printers
•Profiles
•Groups
•Permissions
•Additional
   •Mailbox
   •File Storage
   •Portal Sites
•Etc...

Assumptions:
•Users live in the forest as determined by the Commander within the constraints
 of the mission.
•User profiles will be associated with the account that the user is transferred
 to in the receiving forest.
•This also applies to units/users with non-organic signal support.

Provisioning Process for Units Returning from Deployment

Figure (labels recovered from the diagram): Generating Forest and Deployable
Forest; #1 Move Augmentees/Deploying Users information; #2 Move Rear
Detachment/Stay Behind information.

Information Moved
•AD Objects
   •Users
   •Computers
   •Printers
•Profiles
•Groups
•Permissions
•Additional
   •Mailbox
   •File Storage
   •Portal Sites
•Etc...

Assumptions:
•Users live in the forest as determined by the Commander within the constraints
 of the mission.
•User profiles will be associated with the account that the user is transferred
 to in the receiving forest.
•This also applies to units/users with non-organic signal support.

Only difference is the direction of the Provisioning.

Joint Enterprise Directory Services (JEDS)

Figure (labels recovered from the diagram):
• Today: Applications; JPAS; DEERS; GDS/PKI; Active Directory Forests
  (CC/S/A); LDAP Directories (Federal, Coalition Partners, CC/S/A...).
• Future: Applications; Enterprise Services / SOA Enterprise Services; Joint
  Enterprise Directory Service; JPAS; GDS/PKI; DEERS; Active Directory Forests
  (CC/S/A); LDAP Directories (Federal, Coalition Partners, CC/S/A...).
                             2007 LandWarNet Conference

JEDS Vision
A Global Information Grid (GIG) Identity Locator Service
•   Provisioned from Component and DOD Authoritative Identity Sources
•   Staged to GIG users and applications through secure interfaces

Purpose
•   To provide GIG NetCentric SOA and users a single source for GIG digital
    identity attribute information
•   To provide NCES People Discovery and Attribute Retrieval Services





              JEDS Data Structure and Sources
•   Data Structure - Schema and Directory Information Tree (DIT)
     –   Harvesting side – Depends on authoritative provisioning source
     –   Core Directory – Relatively flat based on DMS/PKI upper DIT
     –   Publishing Side – Multiple DIT views, depending on customer requirements
•   DISA Global Directory Services (GDS)
     –   Source for PKI Email encryption certificate attributes
•   13 DoD Common Active Directory (AD) User Attributes
     –   Initial NIPRnet Sources – Army EDS-lite, NMCI White Pages, AF Dir Service, USMC
         GAL, Pentagon (PAED) GAL, STRATCOM GAL, and DISA GAL
     –   Initial SIPRnet Sources – Projected to be NIPRnet JEDS, COCOM GALs, REL DMZ AD
         Forest, others…
•   Future Sources
     –   DMDC DEERS – A broad list of common attributes to include EDI_PI
     –   DMS AD Forest for Organizational attributes (Blue Pages)
     –   JPAS and ScatteredCastles for Clearance attributes
•   Other attributes will be added as sources are identified and synchronization
    agreements can be worked out
     –   De-confliction keyed to Unique Identifiers (UIDs) - EDI_PI, Email, and SS#
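An added example, not JEDS code, of the harvesting and de-confliction this slide describes: records from several of the named sources are merged into identity entries keyed in the stated precedence (EDI_PI, then Email, then SS#), with a differing value reported as a conflict rather than silently overwriting the value already held. Carrying the SSN only as a salted hash is this example's choice; the feeds and their attribute names are constructed.

```python
import hashlib
from typing import Dict, List, Tuple

# Key precedence from the slide: EDI_PI, then Email, then SS#.
KEY_PRECEDENCE = ("edipi", "email", "ssn_hash")


def ssn_hash(ssn: str, salt: bytes = b"constructed-salt") -> str:
    """Salted digest used in place of the raw SSN so the merged directory can
    still join on it without storing the number itself (this example's
    choice, not something the slide states). A real deployment would keep the
    salt in a secret store rather than in code."""
    digits = ssn.replace("-", "")
    return hashlib.sha256(salt + digits.encode()).hexdigest()


def normalize(raw: dict) -> dict:
    """Canonical forms so that keys compare equal across sources."""
    rec = dict(raw)
    if "email" in rec:
        rec["email"] = rec["email"].strip().lower()
    if "ssn" in rec:
        rec["ssn_hash"] = ssn_hash(rec.pop("ssn"))
    return rec


def harvest(sources: Dict[str, List[dict]]) -> Tuple[List[dict], List[dict]]:
    """Merge records from several providers into identity entries.

    A record joins the first existing entry that shares a key, checked in
    KEY_PRECEDENCE order; otherwise it opens a new entry. The first value seen
    for an attribute is kept; a differing later value is reported as a
    conflict, as is a key that would link two separate entries."""
    entries: List[dict] = []
    index = {k: {} for k in KEY_PRECEDENCE}      # key value -> entry position
    conflicts: List[dict] = []
    for source, records in sources.items():
        for raw in records:
            rec = normalize(raw)
            match = None
            for k in KEY_PRECEDENCE:
                v = rec.get(k)
                if v is not None and v in index[k]:
                    match = index[k][v]
                    break
            if match is None:
                entries.append({"sources": []})
                match = len(entries) - 1
            entry = entries[match]
            entry["sources"].append(source)
            for attr, val in rec.items():
                if attr in entry and entry[attr] != val:
                    conflicts.append({"entry": match, "attr": attr, "kept": entry[attr],
                                      "seen": val, "source": source})
                else:
                    entry.setdefault(attr, val)
            for k in KEY_PRECEDENCE:
                v = rec.get(k)
                if v is None:
                    continue
                other = index[k].get(v)
                if other is not None and other != match:
                    conflicts.append({"entry": match, "attr": k, "kept": other,
                                      "seen": v, "source": source})   # key collision
                else:
                    index[k][v] = match      # an alias seen later also resolves here
    return entries, conflicts


# Constructed sample feeds named after sources listed on the slide.
SAMPLE_SOURCES = {
    "Army EDS-Lite": [
        {"edipi": "1234567890", "email": "Joan.Tracy@us.army.mil",
         "displayName": "Tracy, Joan E. Mrs CIV USA AMC"},
        {"edipi": "2222222222", "email": "sam.ortiz@us.army.mil",
         "displayName": "Ortiz, Sam CIV USA"},
    ],
    "DISA GDS": [{"email": "joan.tracy@us.army.mil",
                  "userCertificate": "<constructed certificate blob>"}],
    "DMDC DEERS": [{"edipi": "1234567890", "ssn": "123-45-6789", "dodComponent": "USA"},
                   {"edipi": "2222222222", "ssn": "987-65-4321"}],
    "NMCI White Pages": [{"edipi": "2222222222", "email": "samuel.ortiz@navy.mil"}],
}

if __name__ == "__main__":
    merged, issues = harvest(SAMPLE_SOURCES)
    for e in merged:
        print(e.get("displayName"), e["sources"])
    for c in issues:
        print("conflict:", c)
```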




JEDS Attribute Sourcing & Storage

Attribute Providers (inputs to the Attribute Integration Engine):
• GDS
• DEERS
• JPAS
• DIMHRS
• Component AD Forests
• Other Repositories (VoIP, Devices, etc.)
Input channels: LDAP Sources, AD Sources, SOAP Sources, CSV/LDIF File Inputs,
Oracle & Other DB Sources.

Core Directory Services (JEDS Core Directory: multi-master replicated
directory database):
• Directory Access Control
• Identity Association discovery & linkages
• Multi Master Directory Replication
• Filtered Replication
• Identity Synchronization (Provisioning)
• LDAP/LDAPS Access
• Directory Indexing
• Custom Virtual DIT Views
• Auditing & Accounting Services
JEDS Attribute Storage & Distribution

Core Directory Services (JEDS Core Directory: multi-master replicated
directory database, fed by the Attribute Integration Engine):
• Directory Access Control
• Identity Association discovery & linkages
• Multi Master Directory Replication
• Filtered Replication
• Identity Synchronization (Provisioning)
• LDAP/LDAPS Access
• Directory Indexing
• Custom Virtual DIT Views
• Auditing & Accounting Services

Distribution interfaces to Attribute Consumers:
• Global Address List (LDAP/LDAPS)
• White Pages Web Interface
• Attribute Services for SOA (SAML/XML)
• Blue Pages Web Interface (Org Directory)
• Synch or Replication provisioning
• Filtered Replicas


                     Conclusion
• Leverage the efforts of existing programs
• Use an Incremental approach
• EDS will allow global access to resources and
  information
• EDS is a critical enabler to move the Army forward with
  Joint Net-Centric initiatives (e.g., NCES)








  Questions?



