ACTIVE DIRECTORY EXTERNAL TRUST – SCENARIO 1

Upload: lexuyen

Post on 15-Mar-2018



Sainath K.E.V, Microsoft MVP – Directory Services


TABLE OF CONTENTS

1 Executive Summary
2 Solution Overview
3 Architectural Diagram
4 Scope of Work
4.1 Work Plan
4.1.1 Initiation Phase
4.1.2 Infrastructure Readiness
4.1.3 Build Process


1 Executive Summary

XYZ Corp is based in the United States and provides food, industrial products and services worldwide. With 10,000 employees in 10 countries committed to developing world-class industrial products, XYZ Corp is committed to serving the world in a responsible way.

XYZ Corp has recently completed several acquisitions and has engaged SKV Consulting to provide a uniform solution for accessing resources. Several different solutions are currently in use for providing access to resources between XYZ Corp and the acquired organizations, but XYZ Corp wants the solution to be agile and requires seamless connectivity to those resources with minimum administrative overhead.

XYZ Corp is built on the Microsoft datacenter suite of products, which includes the Microsoft System Center suite, Dynamics CRM, Microsoft Exchange and SharePoint. SKV provides a single-vendor solution to XYZ Corp for the following Active Directory trust implementation.

a) Design: SKV will perform an assessment of XYZ Corp's existing Active Directory and networking infrastructure, which is the basis for a successful Active Directory trust implementation. The SKV Consulting team will liaise with the XYZ Corp Active Directory and networking teams to obtain the required documentation and understand the critical networking components. The SKV team will work closely with the XYZ Corp infrastructure team to understand the server infrastructure, including the virtualization infrastructure.

b) Installation: SKV will follow Microsoft enterprise standards and a proven waterfall model for installation of the required Microsoft services, software and operating system stack, with strict program management to ensure the tasks are completed within the agreed time frame.

c) Configuration: SKV will follow Microsoft enterprise configuration standards for installing and configuring the Microsoft Active Directory trusts, and will validate and monitor the trusts before hand-over to XYZ Corp.

d) Integration: SKV will perform testing of the required applications and account delegation to confirm the successful implementation of the Active Directory trusts.

e) Hand Over: SKV will perform the hand-over to the XYZ Corp Active Directory team with the required design and build documentation.

SKV's approach to implementing Active Directory trusts considers the technical, performance and business aspects of the engagement and draws on SKV's experience in AD trust implementation. SKV's success in helping XYZ Corp is predicated upon having experienced resources who understand both the business and the technology stack.


2 Solution Overview

XYZ Corp has recently made major acquisitions, and there is a strong requirement to establish secure communication between XYZ Corp and the resources of the acquired organizations. XYZ Corp does not want to add the acquired companies to its existing Active Directory forest; it wants to establish an external Active Directory trust and a separate Active Directory delegation model to manage resources. The acquired company is ABC Corp.

XYZ Corp employees will access resources in ABC Corp, but ABC Corp employees will not access resources in XYZ Corp. The solution provided by SKV will establish secure communication, manage resource access through the required security groups, and integrate ABC Corp applications seamlessly.

SKV proposes to create a one-way, non-transitive external trust between XYZ Corp and ABC Corp. In trust terminology the ABC Corp domain, where the resources live, is the trusting domain, and the XYZ Corp domain, where the accounts live, is the trusted domain; the trust is therefore outgoing from ABC Corp and incoming to XYZ Corp. With this trust type, XYZ Corp employees can access ABC Corp resources, but the reverse is not possible. External trusts are non-transitive by definition, so the trust does not extend to any other domain that either organization trusts. SID filtering (quarantine) is enabled by default on external trusts and should be left enabled, so that privileged SIDs from ABC Corp cannot be injected through the SID history of XYZ Corp accounts. The external trust will be configured with selective authentication rather than domain-wide authentication. Domain-wide authentication exposes every user in the trusted domain to any resource in the trusting domain on which they hold permissions; selective authentication on an external trust restricts access to those users in the trusted domain who have been explicitly granted the Allowed to Authenticate permission on specific computer objects in the trusting domain.

In this proposal SKV highlights the process involved in installing, configuring and integrating Microsoft Active Directory trusts. The objectives will be identified and refined at the beginning of the project. After the initial assessment of the XYZ Corp and ABC Corp infrastructure, SKV Consulting will produce the architectural design of the proposed solution.

The solution proposed by SKV for XYZ Corp consists of the following phases.

A. Phase 1 – Planning
- Gathering of information
- Business plan
- Business strategy and objectives for the Active Directory trust service
- Integration methodologies

B. Phase 2 – Infrastructure Assessment
- Server infrastructure
- Storage infrastructure
- Network infrastructure
- Security infrastructure
- Backup solutions overview

C. Phase 3 – Operations Analysis
- Change management processes
- Incident management processes
- Lifecycle management processes
- Service catalogs
- Service request processes

D. Phase 4 – Build Phase

Prepare for installation:
- Identify the server roles
- Identify Group Policy requirements
- License management
- Network access strategy
- Hardware sizing and assessment
- Storage sizing and planning
- File and print server management
- Public key infrastructure design
- Backup and recovery planning
- Patch management planning
- Virtual machine infrastructure planning and design
- Active Directory trust planning and design
- Account management planning and design
- Active Directory delegation planning and design
- Organizational unit planning and design

Configuration process, Windows Servers:
- Configuring network connectivity on all virtual machines
- Configuring Active Directory and Group Policy
- Configuring file and print services
- Patch management
- Configuring identity management
- Configuring security
- Configuring remote access and Network Access Protection
- Configuring clustering and high availability
- Configuring backup and restore

Active Directory trusts:
- Group membership validation
- Configuring Active Directory external trusts
- Configuring selective authentication
- DNS server configuration

Integration process:
- Test the selective authentication configuration
- Test resource access from XYZ Corp to ABC Corp


3 Architectural Diagram


4 Scope of Work

4.1 Work Plan

SKV will follow a phased approach to accomplish a successful Microsoft Active Directory trust implementation. The key phases of the engagement are listed below:

Initiation Phase – Kick-off meetings
Phase 1: Infrastructure Readiness
Phase 2: Build Process
Phase 3: Post-Implementation Tasks

4.1.1 Initiation Phase

SKV Project Manager will lead a kick-off meeting with XYZ Corp to review, plan and prepare for Active Directory Trust implementation activities specified in this proposal.

Activities / Tasks:

SKV’s Project Manager will review the following project management work products with XYZ Corp:

- Introduction of the teams, their roles and responsibilities
- SKV's project plan and schedule
- Review of the project change management and approval process
- Review of the project close-out process

4.1.2 Infrastructure Readiness

Infrastructure planning activities require XYZ Corp's existing infrastructure to be stable and to meet the deployment and configuration requirements. This activity is intended to gather information regarding servers, network, storage, access management and security.

Activities / Tasks:

Server Management: SKV will provide the request for Windows Server operating system versions to XYZ Corp. XYZ Corp will provision the Windows Server licenses for the implementation activities. SKV Consulting will perform the server sizing for the private cloud implementation. The virtual servers will meet the XYZ Corp operating system standards; SKV will configure the virtual servers and follow XYZ's existing storage management, disk management, identity management, patch management, and backup and restore policies.

Server backup and recovery management, along with virtual machine snapshot management, are handled by XYZ Corp resources. XYZ Corp uses Microsoft System Center Operations Manager for reporting health conditions and performance issues of the virtual servers.

Virtualization Tier Management: SKV will configure the Active Directory trusts on domain controllers hosted on the virtual infrastructure.

Virtual machines that are out of scope of the engagement will be managed by XYZ Corp. XYZ Corp will manage virtual machine migration activities and the backup and recovery of virtual machines.

Storage Management: Storage replication and monitoring are managed by XYZ Corp. Provisioning of LUNs, backup of Windows Server data and backup verification are managed by XYZ Corp. Virtual machine snapshot management and the creation of any additional virtual hard disks for virtual machines will be handled by XYZ Corp.

Network and Security Management: XYZ Corp will manage the virtualization networking components, which involves the creation of virtual switches, VLAN configuration and VLAN tagging for all the virtual machines. XYZ Corp will manage PXE boot networking capabilities and NAP capabilities for the virtual machines. XYZ Corp will manage the firewall rules and the configuration of firewall ports on all the virtual servers, including the ports that must be open between the XYZ Corp and ABC Corp domain controllers for the trust (listed in section 4.1.3).

Provisioning of IP addresses, configuration of virtual LANs (VLANs), and configuration of access control policies on the routers and switches are managed by XYZ Corp. Housekeeping of firewall rules and backup of the network configuration are managed by XYZ Corp.

Access Management: SKV requires access to the virtual infrastructure for configuring and implementing the Active Directory trusts. SKV will identify the security group, user account and service account requirements and submit the request to XYZ Corp. XYZ Corp will manage user account creation, Group Policy management, password policy management and security group creation. Because creating a trust requires membership in Domain Admins (or Enterprise Admins) of the domain concerned, the accounts issued to SKV for this work should be dedicated, named accounts that are disabled or removed at hand-over.


4.1.3 Build Process

This phase describes the key high-level stages involved in building the Active Directory trust infrastructure.

Activities / Tasks:

Active Directory Assessment: Before creating the external trust, the SKV consulting team will perform the following assessment tasks on the XYZ Corp infrastructure (and the corresponding checks on the ABC Corp side, since the trust has a half in each domain):

- Forest functional level should be Windows Server 2008 or above
- Domain functional level should be Windows Server 2008 or above
- DNS server configuration
- Firewall port configuration
- Account requirements
- Active Directory domain trust configuration
- Selective authentication configuration

a) Checking Forest Functional Level: In the initial discussion with XYZ Corp, the Active Directory infrastructure was stated to be running on Windows Server 2008 R2 with no legacy domain controllers in place. The check is performed in the forest root domain, logged on as an administrator:

1. Start > Run > domain.msc (Active Directory Domains and Trusts).
2. Right-click the domain and select Properties.
3. On the General tab, the forest functional level is listed.

b) Checking Domain Functional Level: This check is performed in the same console, logged on as an administrator:

1. Start > Run > domain.msc (Active Directory Domains and Trusts).
2. Right-click the domain and select Properties.
3. On the General tab, the domain functional level is listed.

c) Firewall Ports Configuration: Domain trusts span different networks and require firewall ports to be opened between the domain controllers of the two domains. The table below (Microsoft's port requirements for trusts across a firewall) lists the ports needed for a successful domain trust. In addition to what the table lists, allow DNS (53 UDP and TCP) between the DNS servers that will host the conditional forwarders, Kerberos on 88 TCP as well as UDP, and either the RPC dynamic port range (49152-65535 on Windows Server 2008 and later) or the fixed port that Netlogon has been pinned to; "Net Logon fixed port" in the table refers to that pinned port.

| Task | Outbound ports | Inbound ports | From – To |
|---|---|---|---|
| Set up trusts on both sides from the internal forest | LDAP (389 UDP and TCP); Microsoft SMB (445 TCP); Kerberos (88 UDP); Endpoint resolution, portmapper (135 TCP); Net Logon fixed port | N/A | Internal domain domain controllers – External domain domain controllers (all ports) |
| Trust validation from the internal forest domain controller to the external forest domain controller (outgoing trust only) | LDAP (389 UDP); Microsoft SMB (445 TCP); Endpoint resolution, portmapper (135 TCP); Net Logon fixed port | N/A | Internal domain domain controllers – External domain domain controllers (all ports) |
| | | LDAP (389 UDP and TCP); Windows NT Server 4.0 directory | External server – Internal domain PDCs (Kerberos); External domain domain controllers – Internal domain domain controllers |
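The assessment items above (functional levels, DNS resolution of the other domain, and port reachability) can be checked from one script. The following PowerShell is an added example and is not part of the SKV proposal; the domain names abc.corp and xyz.corp, the minimum functional level and the TCP port list are assumptions taken from this proposal. It is written for the ABC Corp side (the trusting domain) and can be run with the names swapped on the XYZ Corp side.

```powershell
# Added assessment script; it is not part of the SKV proposal. It checks the
# prerequisites listed above from a domain controller or admin workstation of
# the trusting domain (abc.corp). Domain names, the minimum functional level
# and the TCP port list are assumptions taken from this proposal.
# Requires the ActiveDirectory module and Resolve-DnsName (Windows Server 2012+).
Import-Module ActiveDirectory

$LocalDomain   = 'abc.corp'   # trusting (resource) domain, assumed name
$RemoteDomain  = 'xyz.corp'   # trusted (account) domain, assumed name
$MinForestMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008Forest
$MinDomainMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain

# TCP ports from the trust table above (UDP entries and the RPC dynamic range
# cannot be checked with a plain TCP connect, so they are not listed here).
$TrustPorts = [ordered]@{ 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB' }

function Test-TcpPort {
    # Connect with a timeout; works on hosts that do not have Test-NetConnection.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Functional levels: the same values domain.msc shows on the domain's General tab.
$forest   = Get-ADForest -Identity $LocalDomain
$domain   = Get-ADDomain -Identity $LocalDomain
$forestOk = [int]$forest.ForestMode -ge [int]$MinForestMode
$domainOk = [int]$domain.DomainMode -ge [int]$MinDomainMode

# 2. DNS: locate the other domain's DCs the way Netlogon and the trust wizard do.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV -ErrorAction SilentlyContinue
$remoteDcs = @($srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique)

# 3. Port reachability from this host to every DC that DNS returned.
$portResults = foreach ($dc in $remoteDcs) {
    foreach ($port in $TrustPorts.Keys) {
        [pscustomobject]@{
            RemoteDC  = $dc
            Port      = $port
            Service   = $TrustPorts[$port]
            Reachable = Test-TcpPort -ComputerName $dc -Port $port
        }
    }
}

[pscustomobject]@{
    ForestFunctionalLevel = $forest.ForestMode
    ForestLevelOk         = $forestOk
    DomainFunctionalLevel = $domain.DomainMode
    DomainLevelOk         = $domainOk
    RemoteDcsFound        = $remoteDcs.Count
} | Format-List
$portResults | Format-Table -AutoSize

$blocked = @($portResults | Where-Object { -not $_.Reachable })
if (-not ($forestOk -and $domainOk) -or $remoteDcs.Count -eq 0 -or $blocked.Count -gt 0) {
    Write-Warning 'Assessment found blocking issues; resolve them before creating the trust.'
}
```

A DC that DNS returns but whose ports are unreachable is the usual sign that the conditional forwarder (section d below) was set up but the firewall rules from the table were not, or were opened for only one DC while the SRV record lists several.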


d) DNS Server Configuration: DNS settings are critical for an Active Directory trust to function; each side must be able to resolve the other domain's name and locate its domain controllers through the _ldap._tcp.dc._msdcs SRV records. The following configuration is done on the DNS servers: create a conditional forwarder on each side pointing to the other domain. SKV will create a conditional forwarder for ABC Corp on the XYZ Corp DNS servers and a conditional forwarder for XYZ Corp on the ABC Corp DNS servers. This is needed on both sides even for a one-way trust, because trust creation and validation contact domain controllers in both domains.

Note: Another method is to create a secondary zone of each domain's primary zone. That requires permitting zone transfers to the other organization and copies the entire zone, so conditional forwarders are preferred.
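The conditional forwarder step, as an added PowerShell example that is not part of the SKV proposal. The domain names and the DNS server addresses (10.10.0.x for XYZ Corp, 10.20.0.x for ABC Corp) are assumptions; the same script is run on a DNS server of each side and decides from the host's own domain which forwarder to create.

```powershell
# Added DNS example; not part of the SKV proposal. It creates the conditional
# forwarder described above and proves it works by resolving the other domain's
# DC locator record. Domain names and DNS server addresses are assumptions.
# Requires the DnsServer module (Windows Server 2012 or later); on 2008 R2 the
# equivalent is: dnscmd /ZoneAdd <zone> /Forwarder <ip> /DpForest
Import-Module DnsServer

function Add-TrustConditionalForwarder {
    param(
        [Parameter(Mandatory)][string]$Zone,            # the other organisation's AD domain
        [Parameter(Mandatory)][string[]]$MasterServers  # that organisation's DNS servers
    )
    $existing = Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue
    if ($existing -and $existing.ZoneType -ne 'Forwarder') {
        throw "$Zone already exists here as a $($existing.ZoneType) zone; decide which method to keep before adding a forwarder."
    }
    if (-not $existing) {
        # Forest replication scope puts the forwarder on every DC/DNS server in the forest.
        Add-DnsServerConditionalForwarder -Name $Zone -MasterServers $MasterServers `
            -ReplicationScope 'Forest' -ForwarderTimeout 5
    }
    # Netlogon finds the other domain's DCs through this SRV record, so resolving it
    # through the new forwarder is the test that matters for the trust.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Zone" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object Name, NameTarget, Port
}

# Each side forwards the other domain. Even for a one-way trust both sides need
# resolution, because trust creation and verification contact DCs in both domains.
$localDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
switch ($localDomain) {
    'abc.corp' { Add-TrustConditionalForwarder -Zone 'xyz.corp' -MasterServers '10.10.0.10', '10.10.0.11' }
    'xyz.corp' { Add-TrustConditionalForwarder -Zone 'abc.corp' -MasterServers '10.20.0.10', '10.20.0.11' }
    default    { throw "Run on a DNS server of abc.corp or xyz.corp; this host is in $localDomain." }
}
```

If the SRV lookup fails after the forwarder is created, check that UDP and TCP 53 are open from the local DNS servers to the addresses given in MasterServers before looking anywhere else.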

e) Security Account Requirement: To create Active Directory domain trusts, the account used must be a member of the Domain Admins group of the domain concerned or of the Enterprise Admins group of its forest. Because the trust has two halves, a Domain Admins account in ABC Corp is needed for the outgoing half and one in XYZ Corp for the incoming half.

f) Active Directory Domain Trust Configuration: In this step the SKV consultant creates the one-way outgoing external trust. Because XYZ Corp users access ABC Corp resources, the outgoing trust is created in the ABC Corp domain (the trusting domain) and names XYZ Corp as the trusted domain; "One-way: outgoing" in the wizard means that users in the specified domain can be authenticated in this domain. With "This domain only" selected, only the ABC Corp half of the trust is created; the XYZ Corp administrators create the matching half on their side as a one-way incoming trust, using the same trust password. To create a one-way, outgoing, external trust for one side of the trust:

1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust (the ABC Corp domain), and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain (XYZ Corp), and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next.
7. On the Sides of Trust page, click This domain only, and then click Next.
8. On the Outgoing Trust Authentication Level page, click Selective authentication, and then click Next.
9. On the Trust Password page, type the trust password twice, and then click Next.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
   - If you do not want to confirm this trust, click No, do not confirm the outgoing trust. If the trust is not confirmed at this stage, the secure channel is not established until the first time the trust is used by users; it also cannot be confirmed until the XYZ Corp half of the trust exists.
   - If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.
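The same trust can be created without the wizard. The PowerShell below is an added example and is not part of the SKV proposal; it uses the .NET System.DirectoryServices.ActiveDirectory classes and the Get-ADTrust cmdlet, and the domain names abc.corp and xyz.corp are assumptions. It is run once on a domain controller of the trusting domain and once on a domain controller of the trusted domain, with the same trust password entered both times.

```powershell
# Added example; not part of the SKV proposal. It performs the wizard steps above
# from PowerShell using the .NET System.DirectoryServices.ActiveDirectory classes.
# Domain names are assumptions. Run once on a DC of the trusting domain (abc.corp)
# and once on a DC of the trusted domain (xyz.corp), each time as a member of that
# domain's Domain Admins, entering the same trust password on both sides.
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory

$Trusting = 'abc.corp'   # resource domain: holds the OUTGOING half of the trust
$Trusted  = 'xyz.corp'   # account domain:  holds the INCOMING half of the trust

function Get-DomainObject([string]$Name) {
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Name)
    [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
}

# Trust password: used once to create the inter-domain trust account, after which
# Netlogon rotates it automatically. It must be identical on both sides.
$secure = Read-Host -Prompt 'Trust password (same value on both sides)' -AsSecureString
$trustPassword = (New-Object System.Net.NetworkCredential('', $secure)).Password

$local = Get-DomainObject ((Get-ADDomain).DNSRoot)

if ($local.Name -eq $Trusting) {
    # Wizard equivalents: External trust, One-way: outgoing, This domain only.
    $local.CreateLocalSideOfTrustRelationship($Trusted,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound, $trustPassword)
    # Outgoing Trust Authentication Level page: Selective authentication.
    $local.SetSelectiveAuthenticationStatus($Trusted, $true)
    # SID filtering (quarantine) is on by default for external trusts; keep it on so
    # SIDs from abc.corp cannot be injected through the sIDHistory of xyz.corp accounts.
    if (-not $local.GetSidFilteringStatus($Trusted)) {
        $local.SetSidFilteringStatus($Trusted, $true)
    }
}
elseif ($local.Name -eq $Trusted) {
    # Mirror half on the account domain: One-way: incoming, same trust password.
    $local.CreateLocalSideOfTrustRelationship($Trusting,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound, $trustPassword)
}
else {
    throw "Run this on a domain controller of $Trusting or $Trusted, not $($local.Name)."
}
$trustPassword = $null

# Verification from the trusting side only succeeds once both halves exist, which is
# why the wizard offers "do not confirm" when the other side has not been created yet.
if ($local.Name -eq $Trusting) {
    try {
        $local.VerifyOutboundTrustRelationship($Trusted)   # throws if no secure channel can be set up
        Get-ADTrust -Filter "Target -eq '$Trusted'" |
            Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication, SIDFilteringQuarantined
        # Expected: Direction Outbound, TrustType Uplevel (a Windows domain), ForestTransitive False
        # (an external, not a forest, trust), SelectiveAuthentication True, SIDFilteringQuarantined True.
    } catch {
        Write-Warning "Trust not verifiable yet: $($_.Exception.Message). Create the incoming half on $Trusted and re-run."
    }
}
```

The Get-ADTrust output is the hand-over evidence worth keeping: SelectiveAuthentication and SIDFilteringQuarantined should both read True, and a later change to either is the first thing to look for if XYZ Corp users suddenly reach more of ABC Corp than they were granted.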

g) Selective Authentication: XYZ Corp users need access to certain ABC Corp resources only, so SKV Consulting has chosen selective authentication, which does not allow XYZ Corp users to access all ABC Corp resources. With selective authentication in place, a user from the trusted domain can authenticate to a computer in the trusting domain only if the user, or a group the user belongs to, has been granted the Allowed to Authenticate permission on that computer object; the user then still needs the normal share and NTFS permissions on the resource itself. Configure Allowed to Authenticate on the computer objects that the groups require access to. The following procedure is performed in the ABC Corp Active Directory domain, adding the appropriate XYZ Corp group:

1. Open Active Directory Users and Computers.
2. Under View, ensure that Advanced Features is selected.
3. In the console tree, click the Computers container or the container where your computer objects reside.
4. Right-click the computer object that you want users in the trusted domain to access, and then click Properties.
5. On the Security tab, do one of the following:
   - In Group or user names, click the user or group names for which you want to grant access to this computer, select the Allow check box next to the Allowed to Authenticate permission, and then click OK.
   - Click Add. In Enter the object names to select, type the name of the user object or group object for which you want to grant access to this resource computer, and then click OK. Select the Allow check box next to the Allowed to Authenticate permission, and then click OK.
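Granting Allowed to Authenticate by hand on every resource server does not scale and is easy to get wrong, so the following PowerShell, an added example that is not part of the SKV proposal, makes the same change the Security tab makes, for a list of computer objects. The group name XYZ\ABC-FileServer-Users and the server names are assumptions; the script resolves the GUID of the Allowed-To-Authenticate control access right from the configuration partition rather than hard-coding it.

```powershell
# Added example; not part of the SKV proposal. It makes the same change as the GUI
# steps above (Security tab > Allowed to Authenticate > Allow) for a list of ABC Corp
# resource servers. Run on an ABC Corp DC as a member of its Domain Admins, after the
# trust exists. The group and server names are assumptions.
Import-Module ActiveDirectory

$TrustedGroup = 'XYZ\ABC-FileServer-Users'   # global or universal group in the trusted domain (assumed name)
$Resources    = @('ABCFS01', 'ABCAPP01')      # computer objects in abc.corp (assumed names)

# Look up the GUID of the Allowed-To-Authenticate control access right in the
# configuration partition rather than hard-coding it (the well-known value is
# 68b1d179-0d15-4d4f-ab71-46152e79a7bc; the lookup guards against typos).
$rightsContainer = "CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)"
$ata = Get-ADObject -SearchBase $rightsContainer -Properties rightsGuid `
        -LDAPFilter '(&(objectClass=controlAccessRight)(cn=Allowed-To-Authenticate))'
if (-not $ata) { throw 'Allowed-To-Authenticate control access right not found.' }
$AtaGuid = [guid]$ata.rightsGuid

# Translate the trusted-domain group to its SID; this resolves across the trust.
$PrincipalSid = (New-Object System.Security.Principal.NTAccount($TrustedGroup)).Translate(
    [System.Security.Principal.SecurityIdentifier])

function Get-AceSid($Ace) {
    # Existing ACEs may carry unresolvable (orphaned) principals; treat those as no match.
    try { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) } catch { $null }
}

function Grant-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [Parameter(Mandatory)][guid]$RightGuid
    )
    $dn  = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"

    # Idempotent: skip if an Allow ACE for this right and principal is already present.
    $present = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $RightGuid -and
        (Get-AceSid $_) -eq $Sid
    }
    if ($present) { return "$($ComputerName): Allowed to Authenticate already granted" }

    # Object-specific ACE: ExtendedRight with the right's GUID as the object type,
    # which is exactly what the "Allowed to Authenticate" check box writes.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $RightGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
    return "$($ComputerName): Allowed to Authenticate granted to $TrustedGroup"
}

foreach ($server in $Resources) {
    Grant-AllowedToAuthenticate -ComputerName $server -Sid $PrincipalSid -RightGuid $AtaGuid
}
```

To test, have an XYZ Corp user who is not in the group try to open a share on one of the servers: with selective authentication working they are refused with "Logon failure: the machine you are logging onto is protected by an authentication firewall", while a member of the group gets through to the normal share and NTFS permission check. Grant the right on individual computer objects or on an OU with inheritance limited to computer objects; never on the domain head or the Domain Controllers OU, which would silently turn selective authentication back into domain-wide authentication for that group.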