CTSC Update: AD Consolidation - Information Systems & Technology

Active Directory Consolidation: Phase 3 Update
Colin Bell (cpbell)
April 4, 2013
Working High-Level WBS
Clarity, Governance, Change Management, and Documentation
1. Clarify transfer process and goals.
2. Transfer knowledge from Engineering w.r.t. current monitoring and management techniques.
3. Establish Change Management controls inside IST w.r.t. NEXUS.
4. Establish Service Management controls inside IST w.r.t. NEXUS.
5. Establish IST based monitoring and audit capabilities to augment current capabilities.
6. Document future (ADS retirement plans).
7. Transfer "ownership" and ultimate operational responsibility to IST.
Goal: Establish Service Management (NEXUS/APEX)
• Incident Management (in progress)
• Change Management (draft in use)
• Release Management
– NEXUSTEST/APEXTEST (in progress)
– All DCs => IST + decommission (in progress)
Goal: Document the Future (rescheduled – now end April 2013)
• Develop roadmap for migration of services from ADS to NEXUS.
– Actual ‘moves’ are out-of-scope.
• Document shared monitoring, auditing, and software management requirements.
• Document current and future roles and responsibilities for all stakeholders + established campus bodies.
Goal: Ultimate Operational Responsibility on IST
• Move to minimize the number of Domain Administrators in NEXUS.
• Consolidate top-level responsibilities in IST (as an infrastructure service).
– “Handover the Keys” (ADAud2012 – MP5.0)
• Goal => MS2 – April 30, 2013
Goal: Meet Audit Requirements (1)
• Overall Strategy and Plan
– Develop project plan and RAID log. Socialized with project stakeholders. [ADAud2012-1.0-HP] (WNAG is in loop. Exploring new platform for WNAG. Need tools. QUESTION: how would CTSC like to be included? Email, SharePoint, Other?)
– Establish a management committee and leverage it as a forum to discuss and resolve critical project related decisions. [ADAud2012-2.0-HP] (Terms of Reference + Procedures drafted, seen by Management Group and WNAG. QUESTION: how should it now go to CTSC + UCIST?)
Goal: Meet Audit Requirements (2)
• Test Plans and Test Cases
– Ensure test plan, scenarios, cases and results are documented. [ADAud2012-3.0-MP] (Latest change request is forcing analysis of this: AD-CHANGE-REQUEST-2013.7 -> Privileged accounts on DCs for NetWrix.)
Goal: Meet Audit Requirements (3)
• Documentation of Rollback Plans
– Ensure that each migration procedure defines and tests a rollback plan. In cases where a roll-back is not required due to risk level, the decision is documented. [ADAud2012-4.0-MP] (many migrations completed in Phase 2 – continuing to use Change Management Procedure + documentation standards)
Goal: Meet Audit Requirements (4)
• Active Directory Governance and Operations
– Determine roles and responsibilities and communicate accordingly across IST, Engineering, and Security teams. [ADAud2012-5.0-MP] (Change Management Procedure normalizes work, RASCI Chart can now be built to formalize roles / responsibilities)
RASCI = {Responsible, Accountable, Support, Consulted, Informed}
[Goal => April 26, 2013]
Goal: Meet Audit Requirements (5)
• Migration Strategy Planning
– Perform an analysis of applications and servers that leverage ADS. Develop a server / application migration plan. [ADAud2012-6.0-MP] (Already planned as part of the ‘Document the Future’ effort. See previous slide – rescheduled end April 2013.)
– Workstations complete. [March 2013]
– Servers + Services [rescheduled end April 2013]
Goal: Meet Audit Requirements (6)
• Object Migration Approach [ADAud2012-7.0-MP]
– Perform analysis on accounts that have not been migrated.
– Review and clean up orphan accounts.
– Review privileged accounts and analyze if access is still valid after migration.
– Perform analysis on accounts.
– Inventory service accounts and use
– … started => more questions than answers!
Goal: Meet Audit Requirements (7)
• Interoperability Requirements [ADAud2012-8.0-LP]
– Identify, document, and socialize WatIAM integration requirements with key stakeholders to ensure that all issues are identified and addressed.
– Security Architecture + Identity Management Roadmap will serve as the foundation for this. Is this an ongoing consideration?
Directory Object Audit / Review + Future Capabilities
• Analysis (w/ help from pmatlock’s NetID work)
– NEXUS counts:
  pure students (not on UW work term): 29821
  alumni: 77527
  expired: 128641
  faculty: 2871
  staff: 32547
  retirees: 1413
  applicants: 108484
– Staff #’s? Alumni #’s? Applicants? Students who are on co-op? Far more analysis is required to understand!
Goals and Insights: Object Analysis
• Verify: People who should not have access do not.
• Verify: People have the minimum privileges required to do their jobs.
• Implicit calculations of “Roles” from various Security Groups make this a nightmare. Explicit is better than Implicit!
Questions: Object Analysis
• How much analysis should we do now?
• How much would a redesigned IDM help?
• How much process re-engineering is required?
• What should a formal privileged account creation process look like? Just ask for ! and !! -- is this really good enough?
Next Steps: Object Analysis
• Complete accounting for ALL OU-level, Domain-level, Forest-level admins.
– Integrate findings with RASCI analysis
• Enterprise Architecture (up next) is crucial to understanding this. Document processes + systems, redesign for improvements. Lots more work required!
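The "accounting for ALL admins" step and the implicit-roles point on the previous slide can be started with a script like the following, added here as an example and not code from the slides or the project: it flattens nested membership of the well-known privileged groups and records the nesting path, so an account that is a domain admin only because its group is nested inside Domain Admins shows up explicitly rather than implicitly. Assumed: the RSAT ActiveDirectory module, read access to the domain, default English group names; OU-level delegation through ACLs is not covered.

```powershell
# Added example, not from the original slides: list every account holding domain-
# or forest-level admin rights, flattening nested group membership so that
# "implicit" admins (rights inherited through nesting) become explicit.
# Assumes the RSAT ActiveDirectory module, read access to the target domain and
# default English group names; OU-level delegation via ACLs is out of scope here.
Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Enterprise Admins', 'Schema Admins',          # forest-level
    'Domain Admins', 'Administrators',             # domain-level
    'Account Operators', 'Backup Operators', 'Server Operators'  # built-in operator groups
)

function Get-FlattenedMembers {
    param(
        [string]$GroupName,
        [string]$Path = $GroupName,   # nesting chain recorded for each hit
        [hashtable]$Seen = @{}        # guards against circular nesting
    )
    if ($Seen.ContainsKey($GroupName)) { return }
    $Seen[$GroupName] = $true
    foreach ($m in Get-ADGroupMember -Identity $GroupName) {
        if ($m.objectClass -eq 'group') {
            # Descend into the nested group, carrying the path along.
            Get-FlattenedMembers -GroupName $m.SamAccountName `
                -Path "$Path > $($m.SamAccountName)" -Seen $Seen
        } else {
            [pscustomobject]@{
                Account = $m.SamAccountName; Class = $m.objectClass; Via = $Path
                Implicit = ($Path -ne $GroupName)   # true only when reached via nesting
            }
        }
    }
}

$Report = foreach ($g in $PrivilegedGroups) {
    # Skip groups absent from this domain (e.g. forest-level groups in a child domain).
    if (Get-ADGroup -Filter "Name -eq '$g'") { Get-FlattenedMembers -GroupName $g -Seen @{} }
}

# Enrich user hits with the state that drives clean-up decisions: disabled accounts,
# stale logons, and service-like accounts (SPN set) that should not hold admin rights.
$Report | Where-Object { $_.Class -eq 'user' } | ForEach-Object {
    $u = Get-ADUser -Identity $_.Account -Properties Enabled, LastLogonDate, ServicePrincipalName
    [pscustomobject]@{
        Account = $_.Account; Via = $_.Via; Implicit = $_.Implicit
        Enabled = $u.Enabled; LastLogon = $u.LastLogonDate
        HasSPN  = ($u.ServicePrincipalName.Count -gt 0)
    }
} | Sort-Object Via, Account | Format-Table -AutoSize
```

Rows with Implicit = True are the ones an explicit role model would need to name; rows with HasSPN = True or Enabled = False are the usual first candidates for the orphan and service-account clean-up.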
Next Steps: Object Analysis
• Big piece of technology (NetWrix) undergoing analysis via MAS Subgroup, used in ADS, and preliminary steps initiated for deployment on NEXUS through Management Group.
• NetWrix has potential to give us on-going audit + change reporting at AD Object level. Will help -- work smarter, not harder.
AD Governance: Next Steps
• AD Steering Group meeting (2013-04-08)
– Will discuss progress / challenges there.
– Will seek Steering Approval for “Waterloo Active Directory Governance Body (WADGB)”
• Once through WNAG, Management Group, Steering … then to CTSC + UCIST.
Waterloo Active Directory Governance Body (WAD-GB)
• A campus-wide ‘upper house’ to guide the future of AD on campus.
• Goal: “to provide a second tier of control at which campus entities can validate the work of technical staff and express their desires on matters of AD Governance”
• Essentially: let’s stay together… keep everyone empowered and at the table.
Waterloo Active Directory Governance Body (WAD-GB)
• 1 x Voting Position to the Faculty of Arts
• 1 x Voting Position to the Faculty of Applied Health Sciences
• 1 x Voting Position to the Faculty of Engineering
• 1 x Voting Position to the Faculty of Environment
• 1 x Voting Position to the Faculty of Mathematics
• 1 x Voting Position to the Faculty of Science
• 1 x Voting Position to the David R. Cheriton School of Computer Science
• 3 x Voting Positions to IST with suggested representation from:
– Infrastructure
– Networks
– Security
• Others? Library? Colleges? Thoughts?
Dates
• Start: Nov 2nd, 2012
• MS1: Dec 19, 2012 (completed)
– “Transfer Keys” > IST in APEX + NEXUS at highest level.
• MS2: April 30, 2013 (at risk for slippage)
– “Work Complete” > By this point IST is the only party working at top-level of APEX + NEXUS. Everything is documented.
• MS3: June 14, 2013
– “Project Complete”
• MS4: June 28, 2013
– “Project Closing Complete”