“The State of the Forest”
Colorado State University’s Active Directory Environment
Presented by the ACNS Windows Group
Windows Administrators Advisory Group Meeting, Feb 22 2011

Get-PresentationAgenda
• Background on current state of AD Forest
• Active Directory Basics
• AD Site status
• Diagram of Active Directory
• Process and data replication
• eID -> AD provisioning process
• GAL Population
• Please ask questions at any time

History of AD at CSU (ColoState.EDU)
• Windows 2000 implementation committee chose the public DNS namespace for the forest root.
• ColoState.EDU consisted of one site (Default-First-Site-Name) for some time.
• “Business” site added a few years later to help with problems implementing MOM.
• “Denver Center” site came (and went).
• “eFort” site created to support systems at the state DR facility in Denver.
• “CSURoot” site recently added to fix Exchange GC and DC selection issues.

Active Directory Incidents
• Over the years, many one-off errors replicating with various DCs across campus.
• Summer 2010 – Exchange outage for a few hours due to unexplained behavior related to the Business site.
• Summer 2010 – Various replication issues manifested as an inability to view info in AD Sites and Services from Server 2008 systems.

Active Directory Basics
• A Forest is a complete instance of the Active Directory database
• A Domain is a “partition” of the AD database which contains objects (users, computers, GPOs, groups, OUs, etc.) local to an administrative unit
• The Forest contains a number of partitions, including individual domains, System, Configuration, Schema, DNS data, application data, etc.
Active Directory Basics
• Domain Controller
  ▫ A Windows server that hosts a single domain’s directory partition, plus the schema and configuration partitions for the entire forest
  ▫ A DC performs authentications only for the domain to which it belongs
• Global Catalog
  ▫ A Domain Controller that hosts all data a DC stores, in addition to a partial, read-only replica of every other domain partition in the forest
• Every GC is a DC, but not all DCs are GCs

What are Active Directory Sites?
• AD Sites represent the physical structure (topology) of the underlying network
• Sites…
  ▫ Facilitate efficient directory replication
  ▫ Aid in the Windows authentication process
  ▫ Allow clients to locate the nearest service providers
• Sites are defined by IP subnets
• Sites are logical boundaries used extensively by Microsoft Exchange services

Status of Active Directory Sites
• Four AD Sites are defined today
  ▫ Default-First-Site-Name – ~90% of forest domain controllers live here
  ▫ CSURoot – ACNS-managed central site for Exchange
  ▫ Business – Maintained by the College of Business for Exchange
  ▫ eFort – State of Colorado disaster recovery datacenter in Denver; ACNS DC and DNS servers are located here

AD Sites in the COLOSTATE Forest
• The following diagram illustrates the AD Sites currently defined in COLOSTATE.
• The diagram also notes the datacenter location where key servers are hosted, in addition to showing the AD Domain to which these key servers are joined.
Diagrams of Active Directory
• The following picture was generated by the Microsoft AD Topology Diagrammer
• It represents the COLOSTATE root domain, the 34 child domains, and 92 domain controllers

Diagrams of Active Directory
• The following picture was also generated by the Microsoft AD Topology Diagrammer
• This is a different view of our AD Site environment, showing all servers in each site (regardless of domain)
• This picture also shows the inter-site replication links between all domain controllers in the forest (not all DCs replicate across site boundaries)

Additional AD Details
• Currently there are 34 child domains consisting of 92 domain controllers
  ▫ Two domains have only one domain controller – a non-optimal configuration
• Currently there are 30 Global Catalog servers
• DC version breakdown:
  ▫ 21 DCs running Windows Server 2003
  ▫ 12 DCs running Windows Server 2008
  ▫ 59 DCs running Windows Server 2008 R2

eID to Active Directory
• Process managed by the ACNS Windows Group
• Entire process written in PowerShell
  ▫ Windows PowerShell ISE
  ▫ Microsoft.Exchange.Management.PowerShell.E2010 (Microsoft)
  ▫ ActiveDirectory Module (Microsoft)
  ▫ Custom Modules created by CSU

eID to Active Directory Updates
• Single updates initiated by actions at eID
  ▫ Password changes
  ▫ Update to E-mail settings
• Recently updated eIDs synced nightly
  ▫ Monday through Friday
  ▫ Sync all records changed in the last 3 days
• Full eIDAD sync on weekends
  ▫ Jobs run on Saturday and Sunday mornings

GAL Population
• eIDAD process populates the GAL
• eID Users in the GAL
  ▫ eIDs with Central Exchange mailboxes
  ▫ Primary eIDs that do not have a Central Exchange mailbox, set to the MailUser RecipientType
• Other Objects in the GAL
  ▫ Central Exchange Resources (DLs, Rooms, etc.)
  ▫ Business Exchange Users and Resources

GAL User Examples
• Central Exchange User:
  ▫ Baatz, Lance
• Primary eID set as MailUser:
  ▫ Tomlin, Mike (EID)
• Associate eIDs (by default appear as eID):
  ▫ bcowher
• Person with Central Exchange and Business Account (dual entries appear in the GAL):
  ▫ Noll, Chuck
  ▫ Noll, Chuck

Deprovisioning
• Faculty, Staff, and Associate eIDs (eIDAD)
  ▫ Disabled 30 days after status is updated in HR
• Student eIDs (eIDAD)
  ▫ Disabled 1 year after status is updated in Banner
• Exchange Mailboxes (separate process)
  ▫ Mailboxes removed 45 days after eligibility is lost
  ▫ Notifications are sent starting at day 15 (approx.)

Questions?
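The counts on the “Additional AD Details” slide (DCs per site, OS versions, GC count, domains with a single DC) can be regenerated on demand with the ActiveDirectory module the eIDAD process already uses. This is an added example, not ACNS code; it assumes the RSAT ActiveDirectory module, PowerShell 3 or later, and an account permitted to query every child domain.

```powershell
# Added example (not from the presentation): re-derive the forest DC inventory
# so the slide's numbers can be re-checked after any domain or DC change.
Import-Module ActiveDirectory

function Get-ForestDcSummary {
    param([string]$Forest = (Get-ADForest).Name)

    $dcs = @(foreach ($domain in (Get-ADForest -Identity $Forest).Domains) {
        # Get-ADDomainController only lists DCs of the domain it is pointed at,
        # so -Server is set to each child domain name in turn.
        Get-ADDomainController -Filter * -Server $domain
    })

    [pscustomobject]@{
        Domains           = @($dcs | Select-Object -ExpandProperty Domain -Unique).Count
        DomainControllers = $dcs.Count
        GlobalCatalogs    = @($dcs | Where-Object { $_.IsGlobalCatalog }).Count
        BySite            = $dcs | Group-Object Site | Select-Object Name, Count
        ByOS              = $dcs | Group-Object OperatingSystem | Select-Object Name, Count
        # A domain with one DC has no replication partner: losing that server
        # loses the domain partition, which is the "non-optimal" case on the slide.
        SingleDcDomains   = @($dcs | Group-Object Domain | Where-Object { $_.Count -eq 1 } |
                                Select-Object -ExpandProperty Name)
    }
}

$summary = Get-ForestDcSummary
$summary | Format-List Domains, DomainControllers, GlobalCatalogs, SingleDcDomains
$summary.BySite | Format-Table -AutoSize   # compare with the ~90% in Default-First-Site-Name
$summary.ByOS   | Format-Table -AutoSize   # compare with the 21 / 12 / 59 breakdown
```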
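The “Deprovisioning” slide gives a schedule (30 days for Faculty/Staff/Associate, 1 year for Students, mailbox notice from day 15 and removal at day 45). The following added example, not CSU’s eIDAD code, applies that schedule to constructed eID records and reports the resulting actions; the record layout, the Type values, the single status-change date shared by the account and mailbox rules, and PowerShell 3 or later are all assumptions.

```powershell
# Added example (not from the presentation): turn the deprovisioning schedule
# into a dry-run plan over a constructed eID feed.
Import-Module ActiveDirectory

$DisableAfterDays = @{ Faculty = 30; Staff = 30; Associate = 30; Student = 365 }
$MailboxRemoveDay = 45   # mailbox removed this many days after eligibility is lost
$MailboxNotifyDay = 15   # first removal notification (approx.)

function Get-DeprovisionActions {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [datetime]$Today = (Get-Date).Date
    )
    foreach ($r in $Records) {
        if ($r.Active) { continue }        # still active in HR/Banner: nothing to do
        $age = ($Today - $r.StatusChanged).Days
        $actions = @()
        if ($age -ge $DisableAfterDays[$r.Type]) { $actions += 'DisableAccount' }
        if ($r.HasMailbox) {               # mailbox rule is separate from the AD rule
            if ($age -ge $MailboxRemoveDay)     { $actions += 'RemoveMailbox' }
            elseif ($age -ge $MailboxNotifyDay) { $actions += 'NotifyMailboxRemoval' }
        }
        if ($actions) {
            [pscustomobject]@{ eID = $r.eID; Type = $r.Type; DaysSinceChange = $age
                               Actions = $actions -join ',' }
        }
    }
}

# Constructed sample feed (fictional eIDs, not real CSU data)
$today = Get-Date '2011-02-22'
$feed = @(
    @{ eID = 'jdoe';   Type = 'Staff';     Active = $false; StatusChanged = (Get-Date '2011-01-10'); HasMailbox = $true  }  # 43 days: disable + notify
    @{ eID = 'asmith'; Type = 'Student';   Active = $false; StatusChanged = (Get-Date '2010-12-01'); HasMailbox = $true  }  # 83 days: mailbox removed, account stays enabled
    @{ eID = 'bjones'; Type = 'Faculty';   Active = $true;  StatusChanged = (Get-Date '2010-06-01'); HasMailbox = $true  }  # active: skipped
    @{ eID = 'cwhite'; Type = 'Associate'; Active = $false; StatusChanged = (Get-Date '2011-02-15'); HasMailbox = $false }  # 7 days: nothing yet
) | ForEach-Object { [pscustomobject]$_ }

$plan = Get-DeprovisionActions -Records $feed -Today $today
$plan | Format-Table -AutoSize

# Dry run of the AD side: -WhatIf reports what would be disabled without changing anything
$plan | Where-Object { $_.Actions -match 'DisableAccount' } |
    ForEach-Object { Disable-ADAccount -Identity $_.eID -WhatIf }
```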