Sponsored Links
This presentation is the property of its rightful owner.
1 / 29

Welcome PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

Welcome. Stay Connected with Microsoft Ireland http://www.microsoft.com/ireland/technet. Stay connected by signing up for the new Irish TechNet Newsletter here: http://www.microsoft.com/ireland/technet/technetflash/

Download Presentation


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Stay Connected with Microsoft Ireland http://www.microsoft.com/ireland/technet

  • Stay connected by signing up for the new Irish TechNet Newsletter here: http://www.microsoft.com/ireland/technet/technetflash/

  • Get involved in local Microsoft Technology user groups – let me know if you’re interested.

  • Just launched Technet Ireland www.Microsoft.com/ireland/technet

  • Great event line up next year!


  • 9:30 Setting the scene – IOI

  • 9:45 Active Directory and IPSec

  • 11.00 Tea / Coffee

  • 11:15 MOM

  • 12:30 Lunch




& Delivery

A Crisis Of Complexity

Solving The Challenge:Infrastructure Optimization

The IOM Journey frees resources and provides the foundation for organizational agility

Managed and

consolidated IT


with maximum


Fully automated


dynamic resource

Usage , business

linked SLA’s

Managed IT


with limited


Uncoordinated, manual


More Efficient Cost Center

Business Enabler

Strategic Asset

Cost Center

* Based on the Gartner IT Maturity Model

Technology View of Model

Technology View of ModelOne Example

Security, Networking & Monitoring


Lack of standardized security measures

Ad hock management of system configuration

Limited to no monitoring of infrastructure

Automated patch management (WU, Update Services, SMS)

Edge firewall with lock-down configuration

Standardized antivirus solution

Firewall enabled on laptops

New systems limited to those supported by IT

Defined set of standard basic images

Defense-in-depth security measures widely deployed

Anti-malware protection (i.e. spyware, bots, rootkits, etc.)

Firewall enabled on desktops, laptops & servers

Secure wireless networking

Service level monitoring on desktops

IPSec used to isolate critical systems

Automated, central management of:

Security updates for both clients & servers

Application compatibility testing

Client & server firewall mitigations

Application and image deployment

Server operations

Reference image system

Security event correlation

Technology View of ModelOne Example

Desktop Lifecycle

  • Primary desktop OS is WinXP with images defined at corporate level

  • Reference Image managed manually

  • Automated software distribution, management and tracking

  • Zero touch upgrade and install

  • Application certification and compatibility testing

  • Automated reference image system connected to OEM partner

  • Automated patch management extended to servers

  • Automated application compatibility testing

  • Defined set of standard basic images

  • Multiple desktop OS’ still exist at department level

  • Automated patch management (WU, SUS, SMS)

  • Light touch upgrade and install

  • Departmental application testing

  • No standard OS image

  • All desktops are unique after deployment

  • Inconsistent patch management

  • Manually deploying and upgrading systems with DVDs or CDs

  • Limited or ad hoc application testing

Technology View of ModelOne Example

Secure Manageable Messaging

Unified directory infrastructure for access and messaging

Block SPAM at gateway and mailbox store

Server anti-virus that uses multiple scanning engines

Monitor messaging server health

Running any version of Exchange

Secure web-based e-mail access

Use an application-layer firewall to pre-authenticate web mail users before they reach the mailbox server

Security of mobile devices including remote reset and remote wipe

Detect potential service outages and receive alerts in advance

Technology View of ModelOne Example

Data Protection & Recovery

  • Local user data stored randomly and not backed up to network

  • Any backup happens locally

  • No user state migration available for deployment

  • Standards for local storage in “My Docs” but not redirected or backed up

  • Any backup happens at workgroup level

  • Backup/restore on critical servers

  • Some automation of user state migration available for deployment

  • Users store data to “My Docs” and synched to server

  • Backup managed at company level

  • Backup/restore of all servers with SLAs

  • User state is preserved and restored for deployment

  • Self managed backup and restore on all servers and desktop data with SLAs

Technology View of ModelOne Example

Identity & Access Management

  • Active Directory for Authentication and Authorization

  • Users have access to admin mode

  • Security templates applied to standard images

  • Desktops not controlled by group policy

  • Active Directory group policy and Security templates used to manage desktops for security and settings

  • Desktops are tightly managed

  • No server-based identity or access management

  • Users operate in admin mode

  • Limited or inconsistent use of passwords at the desktop

  • Minimal enterprise access standards

  • Centrally manage users provisioning across heterogeneous systems

Translating IOI into action

Garrett Wallis - Microsoft Consulting Services, Ireland

Know what you have

Measure impact of change




Standards BasedCommon Tools

Strategically AlignedException Management








Messaging SAP

Antivirus Remote Control



Suppor t



File\Print\Fax Servers



Single Manufacturer

Certified Installs

Standard Build



Single Manufacturer

Gold Build

Version Control

Other devices (PDA, mobile, etc.)

File\Print\Fax Servers



DHCP etc.


AD, SSO, etc









AD Forest, Domain and OU Design

Common Practices/Tips and Tricks

Forest/Domain Design

  • Majority of Active Directory Forests being implemented are single forest/single domain

    • separate development/pre-production forests

    • Multiple NT4 production domains collapsed into single domain

    • Significant impact on administration – centralised (some delegation of tasks)

  • Tip: Always start from single forest/single domain when planning

    • Try to avoid non-technical influences

  • Tip: Two things that “negatively affect” AD

    • Bad replication design

    • Bad Group Policies

OU Design

  • OU creation based on

    • Delegation of Administration

    • Application of GPO’s

      • Increasing use of security/WMI filtering of GPO’s

  • Choice of 3 basic models reflect

    • Resources

    • Geography

    • BU Structure

  • Tip: use a top level OU

  • Tip: moving objects between OU’s affects

    • GPOs applied

    • Scripts

  • Tip: Naming Conventions


  • Different OU Strategies


  • Minimum should be

    • Domain and Security policies

    • Automatic updates

    • Windows Firewall

    • Remote Desktop/Remote Assistance/Remote Control

    • Internet Explorer configuration

    • Restricted Groups

    • Office ADM’s

  • Tip: Take as much configuration out of the standard build process into Group Policy as possible

  • Tip: netstat –ano

  • Tip: Disable unused portions of GPO’s

  • Tip: Naming Conventions

  • Link: Group Policy Settings Reference for Windows Server 2003 with Service Pack 1


  • Group Policy application, and using security filtering in GPMC


  • What’s it about?

    • Ensure only managed/known devices communicate with each other

    • IPSec or 802.1x?

    • Gathering momentum with Networking teams – take control of the options!

  • What’s achievable in standard environments?

    • Domain Isolation (full or partial)

    • Server Isolation in Isolated Domain

  • What is an IPSec Policy

    • Filters to identify machines and protocols/ports

    • Actions to taken when traffic matches a filter

  • Tip: Mandatory - Ensure that core domain traffic - Domain Controllers, WINS, DNS, DHCP etc. etc. is filtered out and always allowed

  • Tip: Keep it simple, get comfortable

  • Link: IEEE 802.1X for Wired Networks and Internet Protocol Security with Microsoft Windows


  • IPSec

    • Domain Isolation

    • Server isolation (if time permits)

Coffee Break


  • Why MOM (from a field perspective?)

    • Always asked “What should we monitor in AD, or Exchange, or SQL?”

      • Answer – what MOM monitors

    • Knowledge driven – intended to supply the resolution with the problem

    • SO easy to integrate with other management tools

      • Dell OpenManage Server Administrator, HP Insight Manager

    • SLA evidence (Reporting)

    • Why implement a mission critical environment without MOM?

    • It isn’t expensive

    • Tip: Check for MP’s regularly

    • Tip: MOM on SQL SP4 gotchas


  • MOM install (ish!!)

  • MP import, including Dell, HP

  • Agent deployment

  • Reporting

  • Create a Management Pack!

  • Link: MOM 2005 Resource Kit

For a single server deployment of MOM 2005

  • Install Base OS - Windows Server 2003 Standard with SP1

  • Install IIS and ASP.NET (Add Remove Programs...Windows Components...Etc.)

  • Get updates (WSUS, SMS, Microsoft Update, other...)

  • Create MOM and SQL Service Accounts, appropriate permissions and rights

  • Install SQL Server 2000 (default installation, but specify DB path)

  • Install SQL 2000 SP3a (SQL 2000 SP4 gotcha - KB902803)

  • Install SQL 2000 Reporting Services (SQL Reporting Services SP2 gotcha too - KB902804)

  • Install MOM Server - Check Prerequisites

  • Install MOM Reporting - Check Prerequisites

  • Install SQL 2000 Server SP 4

  • Install SQL 2000 Reporting Services Service Pack 2

Additional Links

  • Service overview and network port requirements for the Windows Server system - http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

  • MOM Management Packs - http://www.microsoft.com/management/mma/catalog.aspx

  • Windows Server System Reference Architecture - http://www.microsoft.com/technet/itsolutions/wssra/raguide/default.mspx

  • Windows XP Security Guide - http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx

  • Windows Server 2003 Security Guide - http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx

  • What's New in Windows Server 2003 R2 - http://www.microsoft.com/windowsserver2003/r2/whatsnewinr2.mspx

Stay Connected with Microsoft Ireland http://www.microsoft.com/ireland/technet

  • Stay connected by signing up for the new Irish TechNet Newsletter here: http://www.microsoft.com/ireland/technet/technetflash/

  • Get involved in local Microsoft Technology user groups – let me know if you’re interested.

  • Just launched Technet Ireland www.Microsoft.com/ireland/technet

  • Great event line up next year!

  • Login