Active Directory Forest:

Deployment of one Active Directory forest will suffice for WWTC's
requirements. There are no requirements for data isolation within WWTC's
Active Directory configuration; any data separation that is needed can be
provided through data autonomy, that is, separate domains and organizational
units with delegated administration inside the single forest. A single forest
was chosen because it is the most cost-effective option and requires the least
administrative support: with only one forest the global catalog does not have
to be synchronized across forests and a duplicate infrastructure does not have
to be managed. An organizational forest model will be used, with user accounts
and resources contained in the forest and managed independently. The forest
itself provides service and data isolation from any other forest. This was
chosen instead of the models (resource forest, restricted access forest) in
which resources and users are isolated in separate forests.

Active Directory Domain:

WWTC will use multiple domains within the organizational forest to give
regional groups the autonomy they require. The New York office will have a
separate domain from the Hong Kong office, since Hong Kong will be largely
autonomous. A further domain can be created for confidential data where
separate administration of that data is required; note that a domain is an
administrative boundary, not a security boundary. The forest is the security
boundary, so the administrators of every domain in it must be trusted at
forest level, and a separate domain restricts day-to-day access rather than
protecting the data from other domains' administrators. Since WWTC will have
few IT personnel to care for day-to-day IT support activities in New York,
the following functions will be maintained by forest-level administration:

· Creating and removing domain controllers

· Monitoring the functioning of domain controllers

· Managing services that are running on domain
controllers

· Backing up and restoring the directory

Two domains mean that Group Policy settings, and the access control and
auditing settings that must apply forest-wide, have to be implemented
separately in each domain of the forest and kept consistent between them.
This is a regional domain configuration and will reduce traffic over wide area
network (WAN) links: each region's domain partition replicates only within the
region, and only the schema, configuration and global catalog data cross the
WAN. While service administration will be carefully controlled at the Hong
Kong office, the following functions will be maintained within the New York
office:

· Creating organizational units (OUs) and delegating
administration

· Repairing problems in the OU structure that OU
owners do not have sufficient access rights to fix

Instead of creating a dedicated forest root domain, the New York domain will
function as the forest root domain and will be the parent domain of the other
offices. Service administrator accounts will reside in the New York root
domain, while user accounts for each region will reside in that region's
domain. For administration purposes the branch offices will function as child
domains under the New York root domain. This configuration was chosen because
it is much easier to manage than a configuration with a separate domain for
administrative accounts.
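The forest and child-domain layout described above, scripted with the Windows Server 2012 ADDSDeployment and ActiveDirectory modules. This is an added example, not a script from the original design document; the child domain name hk, the account names and the DSRM prompt are assumptions, and the forest and domain steps run on different servers as the comments state.

```powershell
# Added example (not part of the original design document): creates the WWTC.org
# forest root in New York and the hk.WWTC.org child domain for Hong Kong, then
# verifies the structure and lists the forest-level administrator groups.
# Domain/NetBIOS names and the credential prompts are assumptions.
Import-Module ADDSDeployment

# Directory Services Restore Mode password; prompt for it rather than embed it.
$dsrm = Read-Host -AsSecureString -Prompt "DSRM password"

# 1. New York: forest root domain WWTC.org (run on the first New York server).
Install-ADDSForest `
    -DomainName "WWTC.org" `
    -DomainNetbiosName "WWTC" `
    -ForestMode Win2012 `
    -DomainMode Win2012 `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# 2. Hong Kong: child domain hk.WWTC.org (run on the first Hong Kong server once
#    the root domain has replicated). The credential must hold Enterprise Admins
#    in the root domain; -CreateDnsDelegation writes the NS delegation for hk
#    into the parent WWTC.org zone so the child resolves forest-wide.
$ea = Get-Credential -Message "Root domain account holding Enterprise Admins"
Install-ADDSDomain `
    -NewDomainName "hk" `
    -NewDomainNetbiosName "HK" `
    -ParentDomainName "WWTC.org" `
    -DomainType ChildDomain `
    -DomainMode Win2012 `
    -InstallDns `
    -CreateDnsDelegation `
    -Credential $ea `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# 3. Verification, run from any domain-joined administrative workstation.
Import-Module ActiveDirectory
$forest = Get-ADForest
"Root domain: {0}; domains: {1}" -f $forest.RootDomain, ($forest.Domains -join ", ")

# The forest is the security boundary: every member of these two groups can take
# over every domain, so they live only in the New York root and the list must
# stay short. -Recursive expands nested groups so hidden members show up too.
foreach ($g in "Enterprise Admins", "Schema Admins") {
    $members = Get-ADGroupMember -Identity $g -Server $forest.RootDomain -Recursive
    "{0}: {1}" -f $g, (($members | ForEach-Object { $_.SamAccountName }) -join ", ")
}
```

The verification step is the part worth repeating after the build: Schema Admins should normally be empty except during schema changes, and every account reported under Enterprise Admins is a forest-wide compromise path if it is ever stolen.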

Active Directory Naming Convention:

WWTC.org is the Active Directory namespace used by WWTC; it is a registered
fully qualified domain name owned by WWTC. WWTC will use the same internal and
external namespace: WWTC.org will be used from inside and outside the
organization, without a separate namespace for internal access to resources.
The tree name (WWTC.org) is therefore the same on the private network and on
the public Internet, allowing users to log on with the same credentials
internally and externally. This split-brain DNS arrangement requires a
separate copy of the WWTC.org zone on a DNS server outside the firewall to
provide name resolution for public resources, and it raises security concerns:
the external zone must contain only public records, zone transfers from it
must be disabled, and clients accessing resources from outside the
organization must not be able to resolve or reach internal company resources.
It also creates the requirement to maintain records on both the internal and
external DNS servers simultaneously; in particular, public records such as the
web and mail hosts must be duplicated into the internal zone, because internal
clients never query the external server. The attached illustration shows this
configuration.
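An added example (not from the original page) of the split-brain maintenance and the leak check the paragraph above calls for, using the Windows Server 2012 DnsServer and DnsClient modules. The server names dc01 and ns1, the public resolver address and the sample www/mail records are assumptions.

```powershell
# Added example (not from the original page): keeps the internal copy of
# WWTC.org in step with the public one, locks down the external copy, and
# reports internal host names that leak to the Internet. Server names,
# resolver and sample records are assumptions.
$InternalDns    = "dc01.WWTC.org"   # AD-integrated internal copy of WWTC.org
$ExternalDns    = "ns1.WWTC.org"    # standalone DNS server outside the firewall
$PublicResolver = "8.8.8.8"         # any resolver that is not ours

# Public services that internal clients must also resolve. They have to be
# duplicated into the internal zone, because internal clients never query the
# external server and would otherwise get NXDOMAIN for www.WWTC.org.
$PublicRecords = @{ "www" = "203.0.113.10"; "mail" = "203.0.113.20" }   # constructed sample data
foreach ($name in $PublicRecords.Keys) {
    $existing = Get-DnsServerResourceRecord -ComputerName $InternalDns -ZoneName "WWTC.org" `
                    -Name $name -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ComputerName $InternalDns -ZoneName "WWTC.org" `
            -Name $name -IPv4Address $PublicRecords[$name]
    }
}

# The external copy must never hand out the whole zone to anyone who asks.
Set-DnsServerPrimaryZone -ComputerName $ExternalDns -Name "WWTC.org" -SecureSecondaries NoTransfer

# Leak check: an internal host name that a public resolver can answer for has
# been copied into the external zone by mistake (or the internal zone is
# reachable from outside). Records that are meant to be public are skipped.
function Find-LeakedInternalHost {
    $internal = Get-DnsServerResourceRecord -ComputerName $InternalDns -ZoneName "WWTC.org" -RRType A |
        Where-Object { $_.HostName -ne "@" -and $PublicRecords.Keys -notcontains $_.HostName }
    foreach ($r in $internal) {
        $fqdn   = "{0}.WWTC.org" -f $r.HostName
        $answer = Resolve-DnsName -Name $fqdn -Type A -Server $PublicResolver -DnsOnly `
                      -ErrorAction SilentlyContinue
        if ($answer) {
            [pscustomobject]@{ Host = $fqdn; PublicAnswer = ($answer.IPAddress -join ",") }
        }
    }
}
Find-LeakedInternalHost | Format-Table -AutoSize
```

Run the leak check from a scheduled task after each change to either zone; an empty result is the expected state, and any row is a record to remove from the external server.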

Application Services:

Windows Server 2012 is
installed on the network and the following Active Directory features will be
implemented.

· Windows Deployment Services (WDS) will be implemented to allow network-based
installation of Windows operating systems (OS), reducing the complexity and
cost of manual installation. This requires a WDS server that is a member of the
Active Directory Domain Services (AD DS) domain. It also requires a Dynamic
Host Configuration Protocol (DHCP) server with an active scope, since PXE
relies on DHCP for IP addressing.

· Smart card authentication requires that every user has a valid user
principal name (UPN), since the UPN in the certificate is used for smart card
logon. Because an enterprise certificate authority (CA) will issue the domain
controller certificates (a domain controller certificate suitable for smart
card logon), the CA's root certificate will be distributed to the Trusted Root
Certification Authorities store through Group Policy.

· IP Address Management (IPAM) will be implemented to provide customizable
administration and monitoring of the IP address infrastructure. IPAM will be
used to discover, utilize, monitor, audit, and manage the IP address space in
the network. This requires an IPAM server with connectivity to the existing
DHCP, DNS, domain controller (DC), and Network Policy Server (NPS) servers in
the Active Directory forest.

· WDS will be hosted on the same computer as DHCP. This requires WDS to be
configured so that it does not listen on UDP port 67 (the DHCP port), and DHCP
option 60 ("PXEClient") will be set so that a booting PXE client learns that a
PXE server is listening at the DHCP server's address. The WDS server will also
be configured to respond only to known client computers, which means a
computer object must be prestaged in Active Directory before an image is
deployed to it. Note that PXE does not authenticate the client: a prestaged
device identifier (GUID or MAC address) can be copied by any machine on the
same network segment, so this setting prevents accidental deployments rather
than deliberate ones, and unattend files served by WDS must not contain
privileged domain credentials.
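The WDS-on-DHCP configuration and the prestaging step described above, as an added example that is not from the original page. It assumes the Windows Server 2012 DhcpServer and ActiveDirectory PowerShell modules plus the wdsutil tool; the workstation name, its boot GUID and the OU path are assumptions.

```powershell
# Added example (not from the original page): configures a server that runs
# both DHCP and WDS, prestages a client computer in AD DS, and confirms the
# prestaged identity. Device name/GUID and OU are assumptions.

# DHCP owns UDP 67, so WDS must not listen on it. Option 60 = "PXEClient"
# tells a PXE client that the DHCP server's address also hosts a PXE server.
Add-DhcpServerv4OptionDefinition -OptionId 60 -Name "PXEClient" -Type String -ErrorAction SilentlyContinue
Set-DhcpServerv4OptionValue -OptionId 60 -Value "PXEClient"

# WDS: leave the DHCP port alone, advertise via option 60, and answer only
# prestaged ("known") clients. These are wdsutil's documented switches.
wdsutil /Set-Server /UseDhcpPorts:No
wdsutil /Set-Server /DhcpOption60:Yes
wdsutil /Set-Server /AnswerClients:Known

# Prestage: create the computer object in its OU with netbootGUID set, so the
# machine exists in the directory (and under the OU's Group Policy) before WDS
# sends it anything. WDS matches the PXE client's GUID against this attribute.
# The GUID is not authenticated by PXE, so this stops accidental deployments
# to unknown hardware, not a deliberate spoof on the same segment.
Import-Module ActiveDirectory
$deviceName = "NY-WS-0042"
$deviceGuid = [guid]"12345678-1234-1234-1234-123456789ABC"   # from the client's PXE boot screen
New-ADComputer -Name $deviceName `
    -Path "OU=Workstations,OU=NewYork,DC=WWTC,DC=org" `
    -OtherAttributes @{ netbootGUID = $deviceGuid.ToByteArray() }

# Check: the object exists and its stored GUID round-trips to what was typed.
function Get-PrestagedDevice([string]$Name) {
    $c = Get-ADComputer -Identity $Name -Properties netbootGUID
    [pscustomobject]@{
        Name         = $c.Name
        NetbootGUID  = New-Object System.Guid -ArgumentList (,[byte[]]$c.netbootGUID)
        DistinguishedName = $c.DistinguishedName
    }
}
Get-PrestagedDevice $deviceName
```

Because WDS only compares the GUID, keep the unattend files it serves free of credentials with rights beyond joining the computer to its own OU; a spoofed boot then yields an image and nothing more.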

· File Classification Infrastructure (FCI) will be implemented so that files
are classified automatically. The classification values will be defined in
advance; currently they are Public and Confidential. FCI will apply the
appropriate classification to every file in scope, and the classification will
be used to ensure that Confidential data is stored only on encrypted drives and
is transmitted only over encrypted channels. Reporting based on these
classification tags will allow administrators to detect and respond to
violations of WWTC's data classification policy.
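The FCI setup and the "Confidential data on encrypted drives" check, as an added example rather than the page's own configuration. It assumes the File Server Resource Manager feature and its PowerShell module on Windows Server 2012, a share root of D:\Shares, and a constructed marker string "WWTC CONFIDENTIAL" that the content rule looks for.

```powershell
# Added example (not from the original page): defines the Classification
# property with the two policy values, adds a content rule that tags files
# carrying a confidentiality marker, and reports tagged files that sit on
# volumes BitLocker is not protecting. Share path, marker and drive letters
# are assumptions.
Import-Module FileServerResourceManager

# Single-choice property with the values the policy currently defines.
New-FsrmClassificationPropertyDefinition -Name "Classification" -Type SingleChoice `
    -PossibleValue @(
        (New-FsrmClassificationPropertyValue -Name "Public"),
        (New-FsrmClassificationPropertyValue -Name "Confidential")
    )

# Content rule: a file under the share whose text contains the marker becomes
# Confidential. ReevaluateProperty Overwrite re-applies the rule on later runs,
# so a file that loses the marker is not left tagged Confidential forever.
New-FsrmClassificationRule -Name "Mark confidential files" `
    -Namespace @("D:\Shares") `
    -Property "Classification" -PropertyValue "Confidential" `
    -ClassificationMechanism "Content Classifier" `
    -ContentString @("WWTC CONFIDENTIAL") `
    -ReevaluateProperty Overwrite

# Classify now; FSRM also runs this on its own schedule.
Start-FsrmClassification

# Policy check: every Confidential file must live on a BitLocker-protected
# volume. Reads the stored classification through FSRM's COM interface and the
# volume state through the BitLocker module.
function Find-UnprotectedConfidentialFile {
    param([string]$Root = "D:\Shares")
    $cm = New-Object -ComObject Fsrm.FsrmClassificationManager
    $protected = Get-BitLockerVolume |
        Where-Object { $_.ProtectionStatus -eq "On" } |
        ForEach-Object { $_.MountPoint.TrimEnd("\") }
    Get-ChildItem -Path $Root -File -Recurse | ForEach-Object {
        try   { $class = $cm.GetFileProperty($_.FullName, "Classification", 0).Value }
        catch { $class = $null }           # not classified yet
        $volume = $_.PSDrive.Name + ":"
        if ($class -eq "Confidential" -and $protected -notcontains $volume) {
            [pscustomobject]@{ File = $_.FullName; Volume = $volume }
        }
    }
}
Find-UnprotectedConfidentialFile | Format-Table -AutoSize
```

The check deliberately reads the classification FSRM has already written rather than re-scanning content, so it reports what the policy engine believes, which is what a file management job or report would act on.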

· Failover clustering will be implemented so that the network has hardware,
software, and storage redundancy. An independent group of servers and storage
devices will work together to increase the availability of applications and
services; if one clustered node fails, another takes over the lost services
(failover). The cluster validation wizard (Test-Cluster) will be run to confirm
that all cluster components are compatible before implementation, and again
after implementation and whenever new nodes or storage are added, so that the
cluster remains in a supported state. By providing redundancy for all servers
and storage, WWTC ensures that users experience a minimum of disruption in
service.

· Cache encryption will be implemented so that the BranchCache content cache
is stored encrypted by default. Data in the cache is then protected without
requiring encryption of the entire drive on which the cache resides.

· BranchCache will be implemented to increase performance, manageability,
scalability, and availability. Content is identified by hashes, duplicate
blocks are stored once, and content is served from local storage at the branch
office, drastically reducing the amount of WAN traffic required.

· BitLocker drive encryption will be used to protect all user and server data.
The entire drive is encrypted and the user only needs their normal
authentication to access the data. On the wired network BitLocker will be set
up with a TPM-only protector so that the operating system volume unlocks
automatically during boot, reducing internal help desk calls caused by lost
PINs. The trade-off is that a stolen machine still boots to the logon screen,
so this configuration protects against the disk being read in another machine
and relies on the operating system's own logon protection for everything
else; recovery passwords must still be escrowed (for example in AD DS) so that
a lost key is recoverable. Group Policy settings will be enforced that require
either Used Disk Space Only or Full Encryption when BitLocker is enabled on a
drive.
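The BitLocker configuration the bullet above describes, scripted as an added example (not the page's own procedure) with the Windows Server 2012 / Windows 8 BitLocker module. Drive letters C: (operating system) and D: (data) are assumptions, as is the choice of used-space-only encryption; the compliance function at the end is what a help desk or audit script would run against the GPO requirement.

```powershell
# Added example (not from the original page): TPM-only unlock of the OS volume,
# auto-unlock of the data volume, recovery password escrow in AD DS, and a
# compliance report. Drive letters are assumptions.

# OS volume: TPM protector only, so the volume unlocks at boot without a PIN.
# Trade-off: an attacker who boots the stolen machine reaches the logon screen
# and can try DMA or cold-boot attacks; TPM+PIN closes that but brings back the
# lost-PIN calls the design wants to avoid.
Enable-BitLocker -MountPoint "C:" -TpmProtector -UsedSpaceOnly -SkipHardwareTest

# Recovery password as a second protector, escrowed to the computer object.
# The AD DS backup succeeds only if the GPO "Store BitLocker recovery
# information in Active Directory Domain Services" applies to this computer.
$vol  = Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
$rpId = ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" })[0].KeyProtectorId
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $rpId

# Data volume: encrypted with its own recovery password, then auto-unlocked by
# a key kept on the OS volume, so it is exactly as protected as C: is.
Enable-BitLocker -MountPoint "D:" -RecoveryPasswordProtector -UsedSpaceOnly
Enable-BitLockerAutoUnlock -MountPoint "D:"

# Compliance check against the GPO requirement: any volume that is decrypted,
# still encrypting, or has protection suspended is reported.
function Get-NonCompliantBitLockerVolume {
    Get-BitLockerVolume | Where-Object {
        $_.ProtectionStatus -ne "On" -or $_.VolumeStatus -ne "FullyEncrypted"
    } | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
}
Get-NonCompliantBitLockerVolume
```

Used-space-only encryption is fast on a fresh deployment but leaves previously deleted data on a reused disk readable; for machines that are being re-imaged rather than new, select full encryption in the same Enable-BitLocker call by omitting -UsedSpaceOnly.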

Groups:

Users and computer accounts will be grouped to simplify administration, so
that permissions and rights are controlled for groups rather than assigned
individually. Groups in Active Directory are objects that reside in a domain.
Each group has a scope that determines how widely it can be used within the
domain or forest. The three group scopes WWTC will use are outlined below:

· Domain local scope is used to assign permissions on resources within the
domain. For example, a group of users who need access to a printer can be
given access to a new printer in one step, instead of editing the permission
list for all five users. The five users will be members of a global group, and
that global group will be added to a domain local group to which printer
access is assigned.

· Global scope is used for directory objects that require daily maintenance,
such as user accounts, computer accounts, or groups that must be referenced
across domains (such as a department with members in multiple locations).

· Universal scope is used to consolidate global groups from several domains.
Changes to the member global groups do not affect the universal group, but
universal group membership is stored in every global catalog in the forest.
With the Windows Server 2003 or later forest functional level that a new
Windows Server 2012 forest uses, only the changed member values replicate
rather than the entire membership, but universal groups should still be kept
to groups whose membership is stable.

The scope and organizational unit setup is outlined in the diagram below.

The above structure was chosen so that Group Policy can be applied to the
organizational units containing selected users or computers, with security
filtering by group where needed, rather than setting policies for each
individual user.
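The domain local / global nesting described in the Groups section, scripted as an added example that is not from the original page. It uses the Windows Server 2012 ActiveDirectory module; the OU path, the five user names, the group names and the share path D:\Shares\Sales are assumptions. The page's printer example follows the same pattern with the printer's ACL as the target instead of a folder.

```powershell
# Added example (not from the original page): accounts go into a global group,
# the global group goes into a domain local group, and only the domain local
# group appears in the resource ACL. Names and paths are assumptions.
Import-Module ActiveDirectory
$ou = "OU=Groups,OU=NewYork,DC=WWTC,DC=org"

# Global group: the role (who). Maintained day to day; can be referenced from
# any domain in the forest.
New-ADGroup -Name "NY-Sales-Users" -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "NY-Sales-Users" -Members "jdoe", "asmith", "bwong", "clee", "dkim"

# Domain local group: the permission (what), local to the domain that owns the
# resource. It can contain global groups from any domain in the forest.
New-ADGroup -Name "ACL-SalesShare-Modify" -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "ACL-SalesShare-Modify" -Members "NY-Sales-Users"

# The ACL names only the domain local group. Adding a sixth user later changes
# NY-Sales-Users, never the ACL.
$path = "D:\Shares\Sales"
$acl  = Get-Acl -Path $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "WWTC\ACL-SalesShare-Modify", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Check 1: who effectively holds the permission, with nesting expanded.
function Get-EffectiveAclMember([string]$Group) {
    Get-ADGroupMember -Identity $Group -Recursive | Select-Object -ExpandProperty SamAccountName
}

# Check 2: which security groups are universal, since their membership is held
# in every global catalog in the forest and therefore crosses the WAN links
# between New York and Hong Kong.
function Get-UniversalSecurityGroup {
    Get-ADGroup -Filter 'GroupScope -eq "Universal" -and GroupCategory -eq "Security"' |
        Select-Object -ExpandProperty Name
}

Get-EffectiveAclMember "ACL-SalesShare-Modify"
Get-UniversalSecurityGroup
```

The first check is the one to run when access is audited: it answers "who can modify the Sales share" from the directory alone, whereas reading the ACL only shows the domain local group name.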
