
Local Administrator Meeting

Local Administrator Meeting 2-25-03 Brian Drendel What will we talk about today? Announcements Win2k Migration Progress Key Server Retired New WinXP Ghost Image Site Netbios Block Fermilab Active Directory Structure Beams Division OU Structure Administering the BD OU


Presentation Transcript


  1. Local Administrator Meeting 2-25-03 Brian Drendel

  2. What will we talk about today? • Announcements • Win2k Migration Progress • Key Server Retired • New WinXP Ghost Image • Site Netbios Block • Fermilab Active Directory Structure • Beams Division OU Structure • Administering the BD OU

  3. Win2k Migration Progress • Win2k Migration Progress • Workstations: • 458 Users/463 Computers in Fermi • 95 computers on Beams browse list • Servers • Win2k: www-bdnew, Beamssrv1, Beams-Fmpro, beams-prt-srv, beams-backup, Beams-flexlm • WinNT: Beams-cdrom, beamsappsrv1, beamsappsrv2 • Further Concerns • Macintoshes • BD-Controls Domain

  4. No more Key Server! • Announcements • Win2k Migration Progress • Key Server Retired • New WinXP Ghost Image • Site Netbios Block • Fermilab Active Directory Structure • Beams Division OU Structure • Local Admin Administrative Setup • Administrative Task Examples

  5. Key Server Retired • Key Server Retired Feb. 17th. • Email warnings • Help desk tickets • Key server error messages.

  6. Casper the friendly ghost image! • Announcements • Win2k Migration Progress • Key Server Retired • New WinXP Ghost Image • Site Netbios Block • Fermilab Active Directory Structure • Beams Division OU Structure • Local Admin Administrative Setup • Administrative Task Examples

  7. Casper the friendly ghost image! • Latest Drive Image • Office XP Pro • Exceed 8 • Kerberos FTP • Jim Smedinghoff custom ACNET configuration • Remote Registry Service • Needed for SP Management • Turn it back on

  8. Site Netbios Block • Announcements • Win2k Migration Progress • Key Server Retired • New WinXP Ghost Image • Site Netbios Block • Fermilab Active Directory Structure • Beams Division OU Structure • Local Admin Administrative Setup • Administrative Task Examples

  9. Site Netbios Block • Network • NetBIOS Block • 137, 138, 139, 445 ports blocked in three stages • Fermi DCs • Site with exemptions for servers • Entire Site • Possible solution for offsite connectivity • VPN • Site VPN in Beta • BD Controls VPN • Cross Platform

  10. Win2k Domain Structure at Fermilab • Announcements • Fermilab Active Directory Structure • Root Domain • Child Domains • Organizational Units (OU) • BD OU • Beams Division OU Structure • Local Admin Administrative Setup • Administrative Task Examples

  11. Active Directory • Active Directory allows us to organize and manage domain objects: • Users • Computers • Printers • Global Groups • Shares • What does the Fermilab Active Directory structure look like?

  12. Root Domain • The Root Win2k Domain is called WIN.FNAL.GOV. • Contains two Domain Controllers (FCC and WH). • Owned, managed and maintained by Computing Division. • BD has no administrative access to this domain. • Functions of Domain: • Used only for security. • Can push policies down to other OUs • Legal Banner • Minimum password length

  13. Child Domains • Announcements • Fermilab Active Directory Structure • Root Domain • Child Domains • Organizational Units (OU) • BD OU • Beams Division OU Structure • Local Admin Administrative Setup • Administrative Task Examples

  14. Child Domains • Active Directory Objects are connected to the Win.fnal.gov domain via separate child domains. • Child Domains: • Have a two way transitive trust with Win. • Must be approved by Computer Security. • Fermi Domain: All users and computers at Fermilab • Other Domains: Critical System??? • Computer Security does not allow: • Unattached Domains. • Child Domains of the Child Domains.

  15. Child Domains • Fermi Child Domain • Contains all users, computers, printers, global groups and shares for the entire Fermilab Windows desktop community. • Contains all Child Domain user accounts. • Domain Controllers scattered throughout the site. • The BD Domain Controller is called Bert.

  16. Organizational Units • Announcements • Fermilab Active Directory Structure • Root Domain • Child Domains • Organizational Units (OU) • BD OU • Beams Division OU Structure • Local Admin Administrative Setup • Administrative Task Examples

  17. Organizational Units • Child Domains are further broken down into Organizational Units (OUs). • Each Division has its own OU. • Management to each OU is delegated to managers in their respective Divisions. • BD OU • Has all Beams Division users, computers, printers, global groups and shares. • Managed by the BD/Networking Group.

  18. BD OU • Announcements • Fermilab Active Directory Structure • Root Domain • Child Domains • Organizational Units (OU) • BD OU • Beams Division OU Structure • Local Admin Administrative Setup • Administrative Task Examples

  19. BD OU Management • The BD OU is further broken down into Sub-OUs for: • Computers • Users • Groups • Printers • File Shares

  20. BD OU in Detail • Announcements • Fermilab Active Directory Structure • Beams Division OU Structure • Win2k Admin Guide • Users • Computers • Printers • Global Groups • Shares • Local Admin Administrative Setup • Administrative Task Examples

  21. Win2k Admin Guide • The Win2k Admin guide covers administration of the BD OU. • Covers specific details for administration by: • BD Active Directory Administrators (BD\Network Group) • Local Administrators • More detail can be found in my Win2k Admin Guide Document located at http://www-bdnew.fnal.gov/network/Win2k-Adminguide/Adminguide.htm

  22. Users • Announcements • Fermilab Active Directory Structure • Beams Division OU Structure • Win2k Admin Guide • Users • Computers • Printers • Global Groups • Shares • Local Admin Administrative Setup • Administrative Task Examples

  23. Users • We now want to take a few moments to explore each of the subOUs within the Fermi\BD OU. • Users • Computers • Printers • Shares • Global Groups

  24. User’s OU • The BD User’s OU is further divided by the org chart. • Each department/group has their own OU. • Each department/group OU is further broken down into a General and Special OU. • Management of Users is covered in the users portion of the Win2k Admin Guide: http://www-bdnew.fnal.gov/network/Win2k-Adminguide/users.htm

  25. 5 Types of Fermi Domain Accounts • There are five types of users in the Fermi Domain: • Users: • Admins: • Managers: • Captive Accounts: • Service Accounts:

  26. User Accounts • Every user that wants to access Fermi Domain resources has a user account. • All of your everyday work. • The account does not have administrative privileges across multiple computers. • Equivalent of your Kerberos Principal. • Cannot share your password • Cannot send your password over the network. • User accounts are cloned to the Fermi Domain to maintain Beams Domain access. • Username has the format of Fermi\{username}. • Users live in AD in the Fermi\BD\Users\{Department or Group}\General • Only Computing Division creates accounts. • You can apply for a user account at http://www-bdnew.fnal.gov/network/add_user.asp.

  27. Admin accounts • Every user who needs administrative access to objects in the Fermi Domain needs an Admin account. • Not for your everyday work. • The account is delegated administrative functions in the domain. • A user must be a registered sysadmin (https://miscomp.fnal.gov/sysadmindb/). • Can be used by LOCALADMINS • Manage desktop computers. • Manage Departmental SubOU. • Username has the format of Fermi\{username}-admin • CD stores these accounts in a separate location in AD. • You can apply for a user account at http://www-bdnew.fnal.gov/network/add_user.asp.

  28. Manager Accounts • Each Division assigns no more than three administrators to perform advanced Active Directory Administration for their respective Division. • The account is used to create active directory structure, move users and create group policy. • Username has the format of Fermi\{username}-mgr • CD stores these accounts in a separate location in AD • These accounts are assigned. There is no web application form.

  29. Captive Accounts • These are domain accounts that require a shared login to a dedicated console. • Computing Security does not allow users to share their account passwords, so user accounts cannot be used for this function. • These accounts need Win2k Policy Committee and CD Security approval. • Account names are of the form Fermi\bd-cap-{function}. • Accounts are stored in Active Directory in Fermi\BD\Users\{Department or Group}\Special • Accounts can be applied for at http://computing.fnal.gov/pcmanagers/captiveform.html.

  30. Service Accounts • When accounts are required to run applications, a shared service account is used. • Computing Security does not allow users to share their account passwords, so user accounts cannot be used for this function. • These accounts need Win2k Policy Committee and CD Security approval. • A Shared Service Account has the following requirements: • Run software as an unattended service, like Unix daemons • Use Domain account authentication • Usage of this account over the network • Sharing of the account password between multiple administrators • Account names are of the form Fermi\bd-srv-{function}. • Accounts are stored in Active Directory in Fermi\BD\Users\{Department or Group}\Special • Accounts can be applied for at http://www-win2k.fnal.gov/pub/Docs/Sharing_service_accounts.doc.

  31. Users OU Users are stored in Active Directory in Fermi\BD\Users\{Department or Group}\General.

  32. Computers • Announcements • Fermilab Active Directory Structure • Beams Division OU Structure • Win2k Admin Guide • Users • Computers • Printers • Global Groups • Shares • Local Admin Administrative Setup • Administrative Task Examples

  33. BD Computers OU • The BD Group OU is further divided by the org chart. • Each department/group has their own OU. • Each department/group OU is further broken down into a Desktop, Laptop and Server OU. • The GPO applied to Servers is different from the one for Desktops, which is different from the one for Laptops. • Management of Computers is covered in the computers portion of the Win2k Admin Guide: http://www-bdnew.fnal.gov/network/Win2k-Adminguide/computers.htm

  34. Computers OU Computers are stored in Fermi\BD\Computers\{Department or Group}\{Computer Type}.

  35. Printers • Announcements • Fermilab Active Directory Structure • Beams Division OU Structure • Win2k Admin Guide • Users • Computers • Printers • Global Groups • Shares • Local Admin Administrative Setup • Administrative Task Examples

  36. Printers • Printers are published in Active Directory. • The Win2k Print queues still live on beams-prt-srv • Additionally, the printers are published in Active Directory. • Makes adding printers easier for the client computers. • Management of Printers is covered in the printers portion of the Win2k Admin Guide: http://www-bdnew.fnal.gov/network/Win2k-Adminguide/printers.htm

  37. Printers Printers are stored in Fermi\BD\Printers\

  38. Global Groups • Announcements • Fermilab Active Directory Structure • Beams Division OU Structure • Win2k Admin Guide • Users • Computers • Printers • Global Groups • Shares • Local Admin Administrative Setup • Administrative Task Examples

  39. Global Groups • Win2k Domain permissions are assigned by global groups. • Beams Domain global groups are cloned to the Fermi Domain to maintain Beams Domain access. • Global groups follow the naming convention Fermi\BD {group name}. • Management of Global Groups is covered in the global groups portion of the Win2k Admin Guide: http://www-bdnew.fnal.gov/network/Win2k-Adminguide/groups.htm

  40. Global Groups Global groups are stored in Fermi\BD\Global Groups\

  41. Shares • Announcements • Fermilab Active Directory Structure • Beams Division OU Structure • Win2k Admin Guide • Users • Computers • Printers • Global Groups • Shares • Local Admin Administrative Setup • Administrative Task Examples
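The account naming formats and OU placement described in slides 26 to 31 can be checked mechanically. The following is an added example, not part of the original presentation: it classifies accounts by name and flags any stored in the wrong sub-OU. The username character set, the department name, the CD placeholder location and the sample records are assumptions constructed for illustration.

```python
import re

# Name pattern -> (account type, required sub-OU under Fermi\BD\Users\{Dept}).
# None: the slides say CD keeps these accounts in a separate location in AD.
# The username character set [a-z0-9]+ is an assumption, not from the slides.
RULES = [
    (re.compile(r"bd-cap-[a-z0-9-]+"), "captive", "Special"),
    (re.compile(r"bd-srv-[a-z0-9-]+"), "service", "Special"),
    (re.compile(r"[a-z0-9]+-admin"), "admin", None),
    (re.compile(r"[a-z0-9]+-mgr"), "manager", None),
    (re.compile(r"[a-z0-9]+"), "user", "General"),
]
BD_USERS_OU = re.compile(r"Fermi\\BD\\Users\\[^\\]+\\(General|Special)", re.I)

def classify(account):
    """Map 'Fermi\\name' to (type, required sub-OU); 'unknown' if no rule fits."""
    domain, _, name = account.partition("\\")
    if domain.lower() == "fermi":
        for pattern, kind, sub_ou in RULES:
            if pattern.fullmatch(name.lower()):
                return kind, sub_ou
    return "unknown", None

def audit(records):
    """Return (account, problem) pairs for accounts that break the conventions."""
    findings = []
    for account, ou in records:
        kind, required = classify(account)
        placed = BD_USERS_OU.fullmatch(ou)
        if kind == "unknown":
            findings.append((account, "name matches no documented convention"))
        elif required is None and placed:
            findings.append((account, f"{kind} account stored in the BD Users tree"))
        elif required and not placed:
            findings.append((account, f"{kind} account outside Fermi\\BD\\Users"))
        elif required and placed.group(1).lower() != required.lower():
            findings.append((account, f"{kind} account in {placed.group(1)}, expected {required}"))
    return findings

# Constructed sample export; department name and CD location are placeholders.
SAMPLE = [
    ("Fermi\\jdoe", r"Fermi\BD\Users\ExampleDept\General"),
    ("Fermi\\jdoe-admin", r"Fermi\BD\Users\ExampleDept\General"),
    ("Fermi\\asmith-mgr", r"Fermi\PLACEHOLDER-CD-OU"),
    ("Fermi\\bd-cap-console", r"Fermi\BD\Users\ExampleDept\Special"),
    ("Fermi\\bd-srv-backup", r"Fermi\BD\Users\ExampleDept\General"),
    ("Fermi\\shared_login", r"Fermi\BD\Users\ExampleDept\General"),
]
if __name__ == "__main__":
    print("\n".join(f"{a}: {p}" for a, p in audit(SAMPLE)))
```

A shared login that follows none of the documented formats, such as the constructed `shared_login` record, is reported as unknown rather than treated as an ordinary user account.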
