Office of Information Technology

Active Directory, Lead - Cyril Azoulay

Members: Roger, John K, Susan, Josh K, Mark, Roger B, Steve, Jeremy


May 3, 2006

We met with BVA this week and every team leader presented their plan to the consultant. Tasks have been assigned and deadlines set. We have to go through all the group policies and see what we will keep and what we won't. So far we investigated the "Default Domain Policy" for the Acad domain and came up with some agreement on the password policy side for the domain (Gccaz). Further meetings will follow as it is a time-consuming task. The idea is to build the new policy as we go, in a VMware domain, then export the policy, after testing, into the new domain. Discussions about keeping some local computer policies rather than managing everything in AD took place, but no significant decisions were taken.

April 20, 2006

Virtual testing updated:

After having received the 64-bit edition of Windows 2003 R2 Enterprise Edition, I decided to upgrade the GSX server as it has two 64-bit AMD CPUs. Even though VMware 3.x is a 32-bit-only application, I read that it runs more smoothly under a 64-bit operating system, and it seems to be true as I can now run 10 servers simultaneously, which will allow us to perform tests on a larger scale of (virtual) machines.

DNS:

With the test domain as an AD-integrated zone, we were able to create a secondary DNS server and replicate the zone. We need to test with a Linux box though to make sure that it will work with BIND, as we would like to host this secondary DNS server on the DMZ. More testing will follow.

New Gather2:

Rich and I set up a new (temporary?) Gather2 server based on Windows 2003 R2 Enterprise 32-bit to test the new version of ARCserve (11.5), which allows disk staging backup (disk-to-disk-to-tape) and 64-bit platform support. More testing will follow.

Server consolidation:

We had a meeting with VMware and HP concerning ESX Server and how it virtualizes multiple servers in a very efficient manner. Also, ESX seems to allow multiple scenarios for virtual machine redundancy and disaster recovery. A nice option is called P2V (physical to virtual), where you can take any physical box (in 95% of cases) and migrate it to a virtual environment.

April 6, 2006

We have been busy between meetings and seminars for new servers and a SAN iSCSI solution. Servers for the new AD and Softricity were ordered (Dell) and should be here by the end of the month.

We also received Windows 2003 Enterprise Edition R2 yesterday, and today I spent some time tweaking the OS to allow a fully unattended install, which will save us time when the servers arrive.

Paldc1, the DC for the Paldream domain, had a hardware failure yesterday but was restored today from scratch with a new disk. SoftGrid, for some reason, failed to deliver applications while the second DC was still up and running. A reboot of the Softricity server fixed the issue. Roger is trying to see if he can find some hints.


March 30, 2006

RADIUS service for wireless:

Josh asked me if he could integrate a RADIUS server (Linux box) into AD to maintain the wireless security. After having looked into it, I noticed that Windows 2003 Server comes with this service. I sent documents about it to Josh in order to see if we could use this service in Windows rather than Linux. Testing will follow.

New servers design:

The design and partitioning for the DCs in the new AD and all the servers (Web, File, Print...) is being set in collaboration with the Innovation Center. We need to plan for now and the following years, keeping in mind what is currently working and not working in our current design.

ACAD:

Two Softricity servers will join this domain to provide applications to the Palette users for Fall. This will be the first step to integrate Softricity in a large-scale environment.

Gcweb:

This server will get a new volume soon to prevent the IIS log files (5Gb compressed on disk) from crashing the server, as they are rapidly filling up the disk. We have 14Gb free on the SAN that we can allocate to the server for a new volume.

This will allow the following:

  1. unload the system partition (which is only 4Gb large);
  2. allow the partition to be defragmented;
  3. prevent the system from crashing;
  4. accelerate the backups.

March 23, 2006

Backup / restore

The issue we have now is backing up a huge quantity of data in a minimum of time. Due to some hardware limitations, we need to redo our strategy on the new system while trying to keep up on the current system.

One of the strategies is to centralize backups. Some tests are currently being performed on the GC-EMP domain. Gazaa became the backup storage for Gcweb, Gquiz, Gamble and Gazaa itself.

On the new system, if we go with Microsoft, we can use a feature called Volume Shadow Copy, which allows users to restore their own documents if they are deleted, modified or removed from a directory, like you would be able to do on Novell with the salvage command. Even though VSS allows you to back up/restore files quickly, we should keep in mind that it is a complement to the normal backup on tape, not a replacement.

Mac integration to AD

After having installed File and Print Services for Macintosh, Mac OS X workstations were added to the Paldream.edu domain successfully. Accessing files and printers was tested and seemed to work well so far. Further testing needs to be done to make sure of the reliability, and some load tests should be performed.

Also, by default File and Print Services for Macintosh enables AppleTalk, which adds another protocol to the stack on the file servers; it would be nice to be able to run pure IP.

DHCP

It would be nice to have Microsoft DHCP used in the new domain, as it brings a lot of features and is really straightforward to use. We can think about multiple strategies for DHCP, like implementing the service on each domain controller for redundancy and efficiency, as they will also be the DNS servers. Some questions have arisen though concerning security (criteria to give an IP address to a computer, like the MAC address), the implementation on multiple subnets (do we need DHCP relays?) and how to manage the superscope and multicast scope. More tests are on their way.

Disk Quotas

Quotas have an important part in the new system. Right now, we can have and use quotas on a volume, tree and/or user basis. A strategy needs to be implemented as soon as we know for sure which file system we are going to use.

DNS

Private and public DNS have to be separated. How do we do it? It is recommended to use a standard DNS configuration on the external DNS servers and Active Directory Integrated mode for the internal DNS servers. New models have to be discussed with pros and cons.

Exchange 2003 migration

Migrating or recreating users? With Genesis it is possible to populate Active Directory and recreate in the new domain all the users which were in ACAD. Although this is something we can do, it loses the SID of the users. In each domain, a SID is attributed to an object in AD (user, workstation, printer...) and the rights on files and folders are granted based on the SID, not the name of the object. Recreating user objects in the new domain will discard their SIDs. It means that we have to recreate afterward the links between users, groups, public folders and mailboxes. Passwords can be resynchronized by Genesis.

Migrating allows keeping the former SIDs in the new domain. Each object moved into the new domain will have 2 SIDs: one from the former domain, one for the new domain. The domain has to be in Windows 2000 native or Windows 2003 mode for this to work. The passwords can't be migrated either, but can be reset by Genesis.
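To make the SID point concrete, here is an added example (not part of the original status log) that models how an access check compares the SIDs in a user's token against the SIDs stored in a folder ACL. It shows why a recreated user, whose object only carries a new-domain SID, loses access to data whose ACLs still name the old SID, while a migrated user keeps it through the old SID retained in sIDHistory. The domain SIDs, RIDs and the ACL are constructed for illustration; the token model is simplified (no group SIDs, no deny entries).

```python
# Added illustration of SID-based access checks during a domain migration.
# All SID values below are constructed; they do not refer to any real domain.

OLD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed: the ACAD-style source domain
NEW_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"  # constructed: the target domain


def account_sid(domain_sid: str, rid: int) -> str:
    """An account SID is the domain SID followed by the object's relative ID (RID)."""
    return f"{domain_sid}-{rid}"


def split_sid(sid: str) -> tuple[str, int]:
    """Split an account SID into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def access_token(primary_sid: str, sid_history=()) -> frozenset:
    """Simplified token: the account's primary SID plus every sIDHistory entry.

    Windows evaluates ACLs against all SIDs in the token, which is what makes
    sIDHistory work after a migration.
    """
    return frozenset([primary_sid, *sid_history])


def allowed(acl, token, permission: str) -> bool:
    """True if any ACE in the ACL grants `permission` to a SID present in the token."""
    return any(sid in token and perm == permission for sid, perm in acl)


def recreate_user(rid_in_new_domain: int) -> frozenset:
    """Provisioning a fresh object (the Genesis path): a brand-new SID, no history."""
    return access_token(account_sid(NEW_DOMAIN, rid_in_new_domain))


def migrate_user(old_sid: str, rid_in_new_domain: int) -> frozenset:
    """Moving the object (ADMT-style): new primary SID, old SID kept in sIDHistory."""
    return access_token(account_sid(NEW_DOMAIN, rid_in_new_domain), [old_sid])


# Constructed ACL on a home directory, written when the user lived in the old domain.
# ACEs store SIDs, never account names.
JSMITH_OLD_SID = account_sid(OLD_DOMAIN, 1105)
HOME_DIR_ACL = {(JSMITH_OLD_SID, "read"), (JSMITH_OLD_SID, "write")}


def compare_strategies(acl, old_sid: str, new_rid: int) -> dict:
    """Return whether each strategy still grants read access to the old data."""
    return {
        "recreated": allowed(acl, recreate_user(new_rid), "read"),
        "migrated": allowed(acl, migrate_user(old_sid, new_rid), "read"),
    }


if __name__ == "__main__":
    print(compare_strategies(HOME_DIR_ACL, JSMITH_OLD_SID, 2001))
```

The recreated account fails the check even though its name is identical, which is exactly the "links between users, groups, public folders, mailboxes" that would have to be rebuilt by hand; the migrated account passes because the old SID is still in its token.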

AD at GCC North

GCC North should be part of Active Directory. To do so, we will have to put a domain controller at North, which will allow to: As far as we are going with a one domain / one forest configuration, we can set up North as a site that is part of the domain. This will allow us to manage the replication frequency between the main campus and North on a schedule, to prevent a bandwidth bottleneck (if any). What needs to be replicated?

Disaster / recovery testing

Once a plan is set up in coordination with the backup team, we should perform and write procedures to allow the system team (or anyone trusted) to:

AD migration for users

At this point, the migration will be handy if we need to keep the SID from the former domain in order to copy the data for the Exchange server, as the other data (user's files) are stored on a Novell file server; it means that during a copy, those files will get the security from the parent directory, which is, basically, the user's directory.

DFS

This section is part of the Microsoft file system. As we haven't decided yet if we are going to run this file system or AFS, it is hard to go deeply into the details. Also, we are still testing those two file systems in parallel.

WSUS Server

WSUS stands for Windows Server Update Services, and it replaces the familiar Windows Update functionality to patch servers and workstations running Windows 2000, XP (32/64-bit) and Windows 2003 (32/64-bit). Integrated with group policies, a WSUS server can target computers and servers per group. We can imagine having 3 group categories: Employees, Palette and Servers. For each target, it is possible to define which patches can be deployed following an automatic process on a scheduled basis.

Security

The security of the new domain will be set at multiple levels.
  1. Software level:
    • Antivirus (servers and workstations)
    • Microsoft Anti-Spyware (workstations)
    • Patch and service pack updates (servers and workstations)
    • Registry blockers (servers and workstations)
    • Intrusion detection / prevention (Blink?)
  2. Hardware:
    • Firewall
    • NAT?

March 9, 2006

DNS:

Dale and I made some progress on it, but the group needs to gather in order to settle on a configuration. Some tests, like delegating a zone from a Linux DNS box to AD, were successful, but other aspects still have to be discussed.

Backups:

Jim and I worked on the backup part of our current system, keeping in mind the next generation of backups. Basically, gathering local backups on one server for a given domain would speed up the process, and time could be saved to finish the backups on time. Once again, we're talking about a lot of data. Also, we are working on a process to send the result of the backup for each server to an email server. Some programming may be involved.

AD:

I still have some issues creating trust relationships between the domains in order to test migration of users and computers. So far, I was unfortunate on this one.

March 2, 2006

DNS:

The attempt to replicate data from AD to a slave DNS server on a Linux box in VMware was successful. However, we still need to find a way to feed AD automatically with new records (district changes...).

DHCP:

More tests are being run by Jeremy to see if we can split the scopes of IP addresses and if we can secure IPs by MAC address records.

AD:

The test platform was raised, forest- and domain-wide, to the Windows 2003 functional level. The schema was updated to support the new R2 features. Attempts to create trust relationships in order to test migration between domains (i.e. Paldream - Emp) didn't work, following an RPC connection error. More testing will follow.

February 23, 2006

The AD schema on the test platform was extended in order to install Exchange 2003 in the domain. So far, it shouldn't affect any of the servers already in place. The installation went fine and SP2 for Exchange 2003 was installed as an update. On the virtual platform, we now have a Linux EL4 system to test DNS interoperability with AD. Further testing will follow by next week. Minor issues were solved on ghostbooster, as we couldn't connect to the shared drives to read or write images in order to try the reimaging process.

Basically, the File and Print service was enabled (for an unknown reason it went off) and the IPX (former Novell) protocol was removed from the server. Checking on the Softricity server, I noticed a security flaw. One of the properties for the server was set to "trust this server for delegation", meaning all the services may act with the domain administrator credentials. That means, if the computer is hacked, somebody could run a "home-made" program as a service and hack the domain. Only DCs have this setting enabled by default so far, as Kerberos is involved. Roger set the proper setting back.
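The "trust this server for delegation" setting found on the Softricity server is stored as a bit in the computer object's userAccountControl attribute, so it can be audited across the whole domain rather than discovered one server at a time. The following is an added example (not from the original log or from any of the products mentioned) showing how a periodic check could flag non-DC accounts that carry the flag; the userAccountControl bit values and the LDAP bitwise-AND matching rule OID are Microsoft-documented, while the sample account list is constructed for illustration (account names are hypothetical and would come from an LDAP query in practice).

```python
# Added example: audit computer accounts for Kerberos delegation rights that
# only domain controllers are expected to hold. Sample records are constructed.

# userAccountControl bit values (documented by Microsoft for the attribute)
WORKSTATION_TRUST_ACCOUNT = 0x1000           # member server or workstation
SERVER_TRUST_ACCOUNT = 0x2000                # domain controller
TRUSTED_FOR_DELEGATION = 0x80000             # "trust this computer for delegation" (unconstrained)
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition

# LDAP extensible-match rule for a bitwise AND on integer attributes
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed sample of (sAMAccountName, userAccountControl) as an LDAP search
# might return them. Hypothetical names; values chosen to exercise each case.
SAMPLE_COMPUTERS = [
    ("PALDC1$", 0x82000),        # DC with unconstrained delegation: expected
    ("PALDC2$", 0x82000),
    ("SOFTRICITY1$", 0x81000),   # member server with unconstrained delegation: the flaw
    ("GHOSTBOOSTER$", 0x1000),   # ordinary member server
    ("GCWEB$", 0x1001000),       # member server with protocol transition: worth a look
]


def parse_uac(value) -> int:
    """Accept the decimal string LDAP tools print, a hex string, or an int."""
    if isinstance(value, int):
        return value
    text = value.strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def is_domain_controller(uac: int) -> bool:
    return bool(uac & SERVER_TRUST_ACCOUNT)


def find_delegation_risks(records):
    """Return (name, finding) pairs for non-DC accounts allowed to delegate."""
    findings = []
    for name, raw in records:
        uac = parse_uac(raw)
        if is_domain_controller(uac):
            continue  # DCs hold this flag by design
        if uac & TRUSTED_FOR_DELEGATION:
            findings.append((name, "unconstrained delegation on a non-DC"))
        elif uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append((name, "constrained delegation with protocol transition"))
    return findings


def clear_unconstrained_delegation(uac: int) -> int:
    """Value to write back when removing the flag, as was done on the Softricity server."""
    return uac & ~TRUSTED_FOR_DELEGATION


def ldap_filter_non_dc_unconstrained() -> str:
    """Filter that asks the directory for the same set of risky accounts directly."""
    return (
        "(&(objectCategory=computer)"
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={TRUSTED_FOR_DELEGATION})"
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={SERVER_TRUST_ACCOUNT})))"
    )


if __name__ == "__main__":
    for name, finding in find_delegation_risks(SAMPLE_COMPUTERS):
        print(f"{name}: {finding}")
    print(ldap_filter_non_dc_unconstrained())
```

The LDAP filter form is the one to run against a live domain (with `ldapsearch` or `dsquery *`), and the Python check is what you would apply to the exported results; either way the output should normally be empty, so any hit is a configuration change to investigate.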


February 16, 2006

So far the physical test platform for AD is going well. We are currently using Windows 2003 in native mode (true 2003 AD) with Softricity and it seems to run smoothly (i.e. the demo done during the CTC meeting).

Ghostbooster was moved from the Acad domain to the test VLAN in order to test reimaging of the new Palette computers with Norton Ghost Server.

Automatic local backups were created on the 1st DC and the Softricity server to save daily data through the week. A full backup is performed on Sunday night and a differential one through the week.

A WSUS server was set up to allow weekly updates of the domain computers and servers.


February 2, 2006

Following our last meeting, I'm redoing the virtual machines on the GSX server with appropriate names and the latest upgraded version of VMware (V3.2.1 Build 19281). The goal is to have a virtual and a physical test domain in parallel, to be able to safely try the impact of administrative changes (GPOs, OUs...) and to write procedures and documentation.

Misc issues:
* I'm trying to find a way to integrate a hosts file into AD DNS (assuming that the new domain will host everything for the campus) or a way to use it for the whole domain through the DNS servers.
