Active Directory Presentation

“The State of the Forest”
Colorado State University’s
Active Directory Environment
Presented by the
ACNS Windows Group
Windows Administrators Advisory Group Meeting
Feb 22 2011
Background on current state of AD Forest
Active Directory Basics
AD Site status
Diagram of Active Directory
Process and data replication
eID -> AD provisioning process
GAL Population
• Please ask questions at any time
History of AD at CSU (ColoState.EDU)
• Windows 2000 Implementation committee chose
public DNS namespace for forest root.
• ColoState.EDU consisted of one site (Default-First-Site-Name) for some time.
• “Business” site added a few years later to help with
problems implementing MOM.
• “Denver Center” site came (and went).
• “eFort” site created to support systems at state DR
facility in Denver.
• “CSURoot” site recently added to fix Exchange GC
and DC selection issues.
Active Directory Incidents
• Over the years, many one-off errors replicating
with various DCs across campus.
• Summer 2010 – Exchange outage for a few
hours due to unexplained behavior related to
Business site.
• Summer 2010 – Various replication issues
manifested as inability to view info in AD Sites
and Services from Server 2008 systems.
Active Directory Basics
• A Forest is a complete instance of the Active
Directory database
• A Domain is a “partition” of the AD database
which contains objects (users, computers, GPOs,
groups, OUs, etc.) local to an administrative unit
• The Forest contains a number of partitions,
including individual domains, System,
Configuration, Schema, DNS data, application
data, etc.
Active Directory Basics
• Domain Controller
▫ A Windows server that hosts a single domain’s
directory partition, plus schema and configuration
partitions for the entire forest
▫ A DC performs authentications only for the
domain to which it belongs
• Global Catalog
▫ A Domain Controller that hosts all data a DC
stores, in addition to a partial, read-only replica of
every other domain partition in the forest
• Every GC is a DC, but not all DCs are GCs
What are Active Directory Sites?
• AD Sites represent the physical structure
(topology) of the underlying network
• Sites…
▫ Facilitate efficient directory replication
▫ Aid in the Windows authentication process
▫ Allow clients to locate nearest server providers
• Sites are defined by IP subnets
• Sites are logical boundaries used extensively by
Microsoft Exchange services
Status of Active Directory Sites
• Four AD Sites are defined today
▫ Default-First-Site-Name
- ~90% of forest domain controllers live here
▫ CSURoot
- ACNS managed central site for Exchange
▫ Business
- Maintained by College of Business for Exchange
▫ eFort
- State of Colorado disaster recovery datacenter in
Denver – ACNS DC and DNS servers are located here
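The site problems listed earlier in the deck (wrong GC and DC selection, one-off replication errors) usually trace back to gaps in the site topology: a site with no DC, a site with no subnets, a subnet mapped to no site, or a site with no site link. The following script is an added example, not part of the ACNS presentation or the eIDAD code; it walks the forest's site topology with the .NET System.DirectoryServices classes (so it does not need the ActiveDirectory module) and reports those gaps. It assumes it runs on a domain-joined Windows host with PowerShell 2.0 or later and is read-only.

```powershell
# Added example, not from the ACNS presentation: report the site-topology
# gaps that cause wrong-site DC/GC selection and broken inter-site
# replication. Assumes a domain-joined host; uses only System.DirectoryServices.
# Read-only: nothing in the configuration partition is changed.

function Get-SiteTopologyReport {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $report = @()
    foreach ($site in $forest.Sites) {
        $report += New-Object PSObject -Property @{
            Site        = $site.Name
            SubnetCount = $site.Subnets.Count
            Subnets     = @($site.Subnets   | ForEach-Object { $_.Name }) -join ', '
            DCCount     = $site.Servers.Count
            DCs         = @($site.Servers   | ForEach-Object { $_.Name }) -join ', '
            LinkCount   = $site.SiteLinks.Count
            SiteLinks   = @($site.SiteLinks | ForEach-Object { $_.Name }) -join ', '
        }
    }
    return $report
}

function Get-UnassignedSubnet {
    # A subnet object with an empty siteObject attribute belongs to no site;
    # clients on it are located without site affinity and may pick a far DC.
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry 'LDAP://RootDSE'
    $configNC = $rootDse.Properties['configurationNamingContext'][0]
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry "LDAP://CN=Subnets,CN=Sites,$configNC"
    $searcher.Filter = '(&(objectClass=subnet)(!(siteObject=*)))'
    [void] $searcher.PropertiesToLoad.Add('cn')
    foreach ($result in $searcher.FindAll()) { $result.Properties['cn'][0] }
}

$report = Get-SiteTopologyReport
$report | Format-Table Site, SubnetCount, DCCount, LinkCount, SiteLinks -AutoSize

# The four checks a site-topology review should raise:
$report | Where-Object { $_.DCCount -eq 0 }     | ForEach-Object { "Site without a domain controller: $($_.Site)" }
$report | Where-Object { $_.SubnetCount -eq 0 } | ForEach-Object { "Site with no subnets (no client can be placed in it): $($_.Site)" }
$report | Where-Object { $_.LinkCount -eq 0 }   | ForEach-Object { "Site with no site link (no inter-site replication path): $($_.Site)" }
Get-UnassignedSubnet | ForEach-Object { "Subnet mapped to no site: $_" }
```

Run it from any domain-joined workstation; the Forest class reads the configuration partition, which every authenticated user can read, so no elevated rights are needed for the report.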
AD Sites in the COLOSTATE Forest
• The following diagram illustrates the AD Sites
currently defined in COLOSTATE.
• Note that the diagram also shows the datacenter
location where key servers are hosted, in addition
to the AD domain to which those key servers are
joined.
Diagrams of Active Directory
• The following picture was generated by the
Microsoft AD Topology Diagrammer
• This represents the COLOSTATE root domain,
the 34 child domains, and 92 domain controllers
Diagrams of Active Directory
• The following picture was also generated by the
Microsoft AD Topology Diagrammer
• This is a different view of our AD Site
environment, showing all servers in each site
(regardless of domain)
• This picture also shows the inter-site replication
links between all domain controllers in the forest
(not all DCs replicate across site boundaries)
Additional AD Details
• Currently there are 34 child domains consisting
of 92 domain controllers
▫ Two domains have only one domain controller – a
non-optimal configuration
• Currently there are 30 Global Catalog servers
• DC version breakdown:
▫ 21 DCs running Windows Server 2003
▫ 12 DCs running Windows Server 2008
▫ 59 DCs running Windows Server 2008 R2
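The counts on this slide (child domains, DCs, GCs, OS versions, single-DC domains) are the sort of figures worth regenerating before every advisory-group meeting rather than by hand. The script below is an added example, not part of the ACNS presentation or the eIDAD process; it uses the Microsoft ActiveDirectory module to build that inventory for the whole forest. It assumes a domain-joined host where Import-Module ActiveDirectory succeeds and an account that can read every domain in the forest, and it is read-only.

```powershell
# Added example, not from the ACNS presentation: a forest-wide DC inventory
# in the shape the deck summarises (DCs and GCs per domain, OS version
# breakdown, domains that depend on a single DC). Assumes a domain-joined
# host with the ActiveDirectory module and read access to every domain.
Import-Module ActiveDirectory

function Get-ForestDCInventory {
    $forest = Get-ADForest
    $dcs = @()
    foreach ($domain in $forest.Domains) {
        # -Server <domain FQDN> makes the cmdlet locate a DC of that domain,
        # so each child domain's DC list is read from the domain itself
        $dcs += Get-ADDomainController -Filter * -Server $domain |
            Select-Object Name, Domain, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem
    }
    return $dcs
}

function Get-ForestDCSummary {
    param([object[]] $DCs)
    $perDomain = foreach ($g in ($DCs | Group-Object Domain)) {
        New-Object PSObject -Property @{
            Domain   = $g.Name
            DCs      = $g.Count
            GCs      = @($g.Group | Where-Object { $_.IsGlobalCatalog }).Count
            SingleDC = ($g.Count -eq 1)   # the "non-optimal configuration" the deck calls out
        }
    }
    $byOS = foreach ($g in ($DCs | Group-Object OperatingSystem)) {
        New-Object PSObject -Property @{ OperatingSystem = $g.Name; DCs = $g.Count }
    }
    New-Object PSObject -Property @{
        TotalDCs        = $DCs.Count
        TotalGCs        = @($DCs | Where-Object { $_.IsGlobalCatalog }).Count
        PerDomain       = @($perDomain)
        ByOS            = @($byOS)
        SingleDCDomains = @($perDomain | Where-Object { $_.SingleDC } | ForEach-Object { $_.Domain })
    }
}

$inventory = Get-ForestDCInventory
$summary   = Get-ForestDCSummary -DCs $inventory

"Domains: {0}  DCs: {1}  GCs: {2}" -f $summary.PerDomain.Count, $summary.TotalDCs, $summary.TotalGCs
$summary.ByOS      | Sort-Object OperatingSystem | Format-Table OperatingSystem, DCs -AutoSize
$summary.PerDomain | Sort-Object Domain          | Format-Table Domain, DCs, GCs, SingleDC -AutoSize
if ($summary.SingleDCDomains.Count -gt 0) {
    "Domains with a single DC (no replica to fail over to): " + ($summary.SingleDCDomains -join ', ')
}
```

The per-domain GC count is the useful security figure: a domain with DCs but no GC depends on another site's GC for logons that need universal group membership, which is exactly the kind of dependency that produced the Exchange DC/GC selection issues the CSURoot site was added to fix.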
eID to Active Directory
• Process managed by ACNS Windows Group
• Entire process written in PowerShell
▫ Windows PowerShell ISE
▫ Microsoft.Exchange.Management.PowerShell.E2010 (Microsoft)
▫ ActiveDirectory Module (Microsoft)
▫ Custom Modules created by CSU
eID to Active Directory Updates
• Single updates initiated by actions at eID
▫ Password changes
▫ Update to E-mail settings
• Recently Updated eIDs Synced Nightly
▫ Monday through Friday
▫ Sync all records changed in the last 3 days
• Full eIDAD Sync on Weekends
▫ Jobs run on Saturday and Sunday mornings
GAL Population
• eIDAD Process Populates the GAL
• eID Users in the GAL
▫ eIDs with Central Exchange Mailboxes
▫ Primary eIDs that do not have a Central Exchange
Mailbox set to MailUser RecipientType
• Other Objects in the GAL
▫ Central Exchange Resources (DLs, Rooms, etc.)
▫ Business Exchange Users and Resources
GAL User Examples
• Central Exchange User:
▫ Baatz, Lance
• Primary eID set as MailUser
▫ Tomlin, Mike (EID)
• Associate eIDs (by default appear as eID)
▫ bcowher
• Person with Central Exchange and Business
Account (dual entries appear in the GAL):
▫ Noll, Chuck
▫ Noll, Chuck
• Faculty, Staff, and Associate eIDs (eIDAD)
▫ Disabled 30 days after status is updated in HR
• Student eIDs (eIDAD)
▫ Disabled 1 year after status is updated in Banner
• Exchange Mailboxes (Separate process)
▫ Mailboxes removed 45 days after eligibility is lost
▫ Notifications are sent starting at day 15 (approx)
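The sync schedule on the "eID to Active Directory Updates" slide and the deprovisioning windows on this slide are policy rules that are easy to get subtly wrong (which records a weekday delta picks up, and when a disable or mailbox removal is due). The script below is an added example, not the CSU eIDAD code; it models those rules as two stand-alone functions and runs them against a constructed sample feed. The record fields (eID, Type, Status, StatusChanged, LastChanged, Enabled, HasMailbox) and all sample values are assumptions made for the example; a real job would read the eID feed and apply the resulting plan with Disable-ADAccount and the Exchange cmdlets.

```powershell
# Added example, not the CSU eIDAD code. Models two rules from the deck:
#   - scheduling: Monday-Friday jobs sync only eIDs changed in the last
#     3 days; Saturday/Sunday jobs sync every record;
#   - deprovisioning: faculty/staff/associate eIDs are disabled 30 days after
#     the HR status change, student eIDs 1 year after the Banner change;
#     mailboxes are notified from about day 15 and removed at day 45.
# Record fields and sample data are constructed for this example.

function Select-EidsToSync {
    param([object[]] $Records, [datetime] $RunDate)
    $weekend = @('Saturday', 'Sunday') -contains $RunDate.DayOfWeek.ToString()
    if ($weekend) {
        return @($Records)                                              # full sync
    }
    $cutoff = $RunDate.AddDays(-3)
    return @($Records | Where-Object { $_.LastChanged -ge $cutoff })   # delta sync
}

function Get-DeprovisionPlan {
    param([object[]] $Records, [datetime] $RunDate)
    $plan = @()
    foreach ($r in $Records) {
        if ($r.Status -ne 'Inactive') { continue }   # still eligible: nothing to do
        $days = ($RunDate - $r.StatusChanged).Days
        # account rule: students get a year, everyone else 30 days
        $limit = if ($r.Type -eq 'Student') { 365 } else { 30 }
        if ($r.Enabled -and $days -ge $limit) {
            $plan += New-Object PSObject -Property @{ eID = $r.eID; Action = 'DisableAccount'; Days = $days }
        }
        # mailbox rule (a separate process in the deck): notify from day 15, remove at day 45
        if ($r.HasMailbox) {
            if ($days -ge 45) {
                $plan += New-Object PSObject -Property @{ eID = $r.eID; Action = 'RemoveMailbox'; Days = $days }
            } elseif ($days -ge 15) {
                $plan += New-Object PSObject -Property @{ eID = $r.eID; Action = 'NotifyMailboxOwner'; Days = $days }
            }
        }
    }
    return $plan
}

# Constructed sample feed; the run date is the meeting date, Tue 22 Feb 2011 (a delta-sync day).
$runDate = New-Object DateTime 2011, 2, 22
$feed = @(
    (New-Object PSObject -Property @{ eID = 'fac0001'; Type = 'Faculty';   Status = 'Inactive'; StatusChanged = (New-Object DateTime 2011, 1, 5);   LastChanged = (New-Object DateTime 2011, 2, 21);  Enabled = $true; HasMailbox = $true  }),
    (New-Object PSObject -Property @{ eID = 'stu0001'; Type = 'Student';   Status = 'Inactive'; StatusChanged = (New-Object DateTime 2010, 12, 20); LastChanged = (New-Object DateTime 2010, 12, 20); Enabled = $true; HasMailbox = $false }),
    (New-Object PSObject -Property @{ eID = 'stf0001'; Type = 'Staff';     Status = 'Inactive'; StatusChanged = (New-Object DateTime 2011, 2, 1);   LastChanged = (New-Object DateTime 2011, 2, 20);  Enabled = $true; HasMailbox = $true  }),
    (New-Object PSObject -Property @{ eID = 'asc0001'; Type = 'Associate'; Status = 'Active';   StatusChanged = $null;                              LastChanged = (New-Object DateTime 2011, 2, 22);  Enabled = $true; HasMailbox = $false })
)

$toSync = Select-EidsToSync -Records $feed -RunDate $runDate
"{0}: {1} of {2} records selected for sync" -f $runDate.DayOfWeek, $toSync.Count, $feed.Count
# Expected with this feed: 3 of 4 (stu0001 was last changed in December, outside the 3-day window)

Get-DeprovisionPlan -Records $feed -RunDate $runDate | Format-Table eID, Action, Days -AutoSize
# Expected: fac0001 DisableAccount and RemoveMailbox (48 days), stf0001 NotifyMailboxOwner (21 days);
# stu0001 stays enabled because a student's window is 365 days.
```

Keeping the rules in functions that return a plan, rather than calling Disable-ADAccount inline, is what makes the weekend full sync safe to dry-run: the same plan can be reviewed, logged and compared against the previous run before anything is applied to the directory.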