Georgia Institute of Technology

Windows Active Directory


Georgia Tech Active Directory Design

April 25, 2002

 

On this page:

Existing Infrastructure at Georgia Tech

University of Texas - Single forest, single domain

University of Michigan - Single forest, multiple domains

University of Stanford - Single forest, multiple domains

Proposed Design for GA Tech: Move to an Empty Root with a Single Account Domain

Kerberos Authentication


Existing Infrastructure at Georgia Tech

Existing Infrastructure at Georgia Tech diagram

All user accounts are in a single OU.

Departmental OUs will be created to delegate administration of workstations, servers and printers.



University of Texas - Single forest, single domain

University of Texas -single forest, single domain diagram

Single forest, single domain.

All user accounts are in a single OU.

Departmental OUs will be created to delegate administration of workstations, servers and printers.



University of Michigan - Single forest, multiple domains

Design of the University of Michigan Windows 2000 Forest diagram

Single forest, multiple domains.

All SSO accounts are in a dedicated, centrally managed OU in the root domain.

The creation of subdomains is carefully monitored and managed.



University of Stanford - Single forest, multiple domains

University of Stanford -single forest, multiple domains diagram

Single forest, multiple domains.

All Single Sign On (SSO) accounts are in the win.stanford.edu domain, synchronized with the Kerberos realm.

Subdomains are populated primarily with resources (workstations, servers). User accounts in these domains do not have single sign on with the Kerberos realm.



Proposed Design for GA Tech: Move to an Empty Root with a Single Account Domain

Proposed design for GA Tech: Move to an Empty Root with a Single Account Domain diagram

Empty root follows best practice of:

  • Establishing a clear separation between the forest level administrative groups and the account domain administrators.
  • Providing flexibility in the event of future reorganizations and optional integration scenarios.

Single Account Domain simplifies:

  • Trust relationship with the Prism Kerberos realm for SSO from a trusted forest.
  • Account synchronization with Data Warehouse/LDAP.GATech.EDU.
  • DNS: AD.GATech.EDU and ACCT.GATech.EDU will be delegated from the GATech.EDU domain (GATech.EDU is the core GA Tech DNS server).

Best Practices for when to create a new domain:

  • WAN links cannot handle the inter-site replication traffic; therefore the Active Directory database needs to be partitioned into smaller pieces.
  • Password length and restrictions, such as complexity and history, are enforced on all users and are domain-wide; therefore, all participants in the domain must agree on these parameters.
  • Trust relationships to external domains need to be established through NT 4-style, one-way trusts. A group requiring such a trust may require a separate domain if the larger enterprise does not wish to take part in the trust.

Issues with Multiple Domains:

  • Requires more hardware: each domain would require a minimum of two domain controllers in addition to application servers.
  • Replication becomes complex since each domain controller maintains a copy of the Global Catalog.
  • DNS becomes more complicated.
  • Moving users between domains is more complex than moving them between OUs.

If additional domains are needed, it is recommended that procedures be established to control their creation and to specify items such as minimum hardware requirements and placement of domain controllers.



Kerberos Authentication

Challenge: Demonstrate the viability of a Single Sign On solution for GA Tech that allows users to access Unix and Windows resources after being authenticated by the PRISM Kerberos realm.

Setup: A new test AD forest was created called ADtest.GATech.EDU. The domain controller and the workstation were configured to use the foreign Kerberos realm for authentication. A one-way trust was established with ADTest.GATech.EDU trusting PRISM.GATech.EDU. Name mappings were created in AD that mapped the AD user account to the PRISM account.

Issue: After the user account was authenticated by the PRISM realm, the user was unable to log on to the local workstation.

Resolution: A network trace of the logon process was obtained and forwarded to Kerberos engineers in Redmond. They determined that the wrong encryption type was being used on the ticket that was being generated to grant access to the workstation. By changing the way the cross realm trust account was generated in PRISM, we were able to ensure that the correct encryption type was used.

Result: Users can log on to a Windows 2000 (or XP) workstation, be authenticated by the PRISM realm, and still have access to all resources in the AD domain, including group policy objects.
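The encryption-type mismatch described above is the kind of thing that can be checked on the Kerberos side before the trust is put into use. The following is an added example, not part of the Georgia Tech page: it parses the key list that the MIT Kerberos `kadmin getprinc` command prints for the cross-realm trust principal and flags keys the trusting Windows 2000 side cannot use. It assumes PRISM is an MIT-style KDC administered with kadmin, that Windows 2000 accepts only des-cbc-crc, des-cbc-md5 and rc4-hmac, and that the getprinc output is constructed for the example; the page does not say which encryption type was actually wrong.

```python
# Added example (not from the Georgia Tech page): check the key encryption types
# of the cross-realm trust principal on the MIT Kerberos side. Assumptions:
# the Windows 2000 side accepts only the enctypes listed below, and the kadmin
# output is constructed, not captured from PRISM.GATECH.EDU.
import re

# Enctypes a Windows 2000 domain controller can use (assumption for this check).
WINDOWS_2000_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"}

# Constructed sample of `kadmin -q "getprinc krbtgt/ADTEST.GATECH.EDU"` output
# in the format an MIT KDC prints; the des3 key is the kind Windows 2000 lacks.
SAMPLE_GETPRINC = """\
Principal: krbtgt/ADTEST.GATECH.EDU@PRISM.GATECH.EDU
Expiration date: [never]
Last password change: Thu Apr 25 10:00:00 EDT 2002
Maximum ticket life: 0 days 10:00:00
Number of keys: 2
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, des-cbc-crc, no salt
"""

# "Key: vno <n>, <enctype>[, <salt>]" -- salt suffix is optional, so no end anchor.
KEY_LINE = re.compile(r"^Key: vno (\d+), ([a-z0-9-]+)")


def parse_key_enctypes(getprinc_output):
    """Return the enctype of every key line in kadmin getprinc output, in order."""
    enctypes = []
    for line in getprinc_output.splitlines():
        match = KEY_LINE.match(line.strip())
        if match:
            enctypes.append(match.group(2))
    return enctypes


def check_cross_realm_keys(getprinc_output, accepted=WINDOWS_2000_ENCTYPES):
    """Classify the principal's keys as usable or unusable by the trusting AD side.
    A key the Windows side cannot use is worth a warning even when a usable one
    is also present, because the KDC may prefer the stronger enctype; no usable
    key at all means cross-realm logon cannot work."""
    enctypes = parse_key_enctypes(getprinc_output)
    usable = [e for e in enctypes if e in accepted]
    unusable = [e for e in enctypes if e not in accepted]
    return {"usable": usable, "unusable": unusable, "ok": bool(usable)}


if __name__ == "__main__":
    print(check_cross_realm_keys(SAMPLE_GETPRINC))
```

On an MIT KDC the unusable key would be removed by regenerating the principal with an explicit enctype list (the `-e` option of `kadmin`'s `change_password`/`addprinc`), which is the remedy the page describes as "changing the way the cross realm trust account was generated".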

 
