Active Directory Certificate Services
Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing certificates in software security systems that use public key technologies. You can use AD CS to create one or more certification authorities (CA) to receive certificate requests, verify the information in the requests and the identity of the requester, issue certificates, revoke certificates, and publish certificate revocation data. Applications supported by Active Directory Certificate Services include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private networks (VPN), IP security (IPSec), Encrypting File System (EFS), smart card logon, Secure Socket Layer/Transport Layer Security (SSL/TLS), and digital signatures.
Active Directory Domain Services
Active Directory Domain Services (AD DS) stores information about users, computers, and other devices on the network. AD DS helps administrators securely manage this information and facilitates resource sharing and collaboration between users. AD DS is also required to be installed on the network in order to install directory-enabled applications such as Microsoft Exchange Server and for applying other Windows Server technologies such as Group Policy.
Active Directory Federation Services
Active Directory Federation Services (AD FS) provides Web single-sign-on (SSO) technologies to authenticate a user to multiple Web applications that use a single user account. AD FS accomplishes this by securely federating, or sharing, user identities and permissions, in the form of digital claims, between partner organizations.
Active Directory Lightweight Directory Services
Organizations that have applications which require a directory for storing application data can use Active Directory Lightweight Directory Services (AD LDS) as the data store. AD LDS runs as a non-operating-system service. Therefore, AD LDS does not require deployment on a domain controller. Running as a non-operating-system service allows multiple instances of AD LDS to run at the same time on a single server, and each instance can be configured independently for servicing multiple applications.
Active Directory Rights Management Services (AD RMS)
Active Directory Rights Management Services is an information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use. Content owners can define exactly how a recipient can use the information, such as who can open, change, print, forward, or take other actions with the information. Organizations can create custom usage rights templates such as “Confidential – Read-Only” that can be applied directly to information such as financial reports, product specifications, customer data, and e-mail messages.
Application Server provides a complete solution for hosting and managing high-performance distributed business applications. Integrated services, such as the .NET Framework, Web Server Support, Message Queuing, COM+, Windows Communication Foundation, and Failover Clustering support improve productivity throughout the application life cycle, from design and development through deployment and operations.
Dynamic Host Configuration Protocol Server
The Dynamic Host Configuration Protocol (DHCP) allows servers to assign, or lease, IP addresses to computers and other devices that are enabled as DHCP clients. Deploying DHCP servers on the network automatically provides computers and other TCP/IP-based network devices with valid IP addresses and the additional configuration parameters these devices need. These parameters are known as DHCP options, and they allow the devices to connect to other network resources, such as DNS servers, WINS servers, and routers.
Domain Name System (DNS) provides a standard method for associating names with numeric Internet addresses. This lets users refer to network computers by using easy-to-remember names instead of a long series of numbers. Windows DNS services can be integrated with DHCP services, eliminating the need to add DNS records as computers are added to the network.
Fax Server sends and receives faxes, and lets you manage fax resources such as jobs, settings, reports, and fax devices on this computer or on the network.
File Services provides technologies for storage management, file replication, distributed namespace management, fast file searching, and streamlined client access to files, including access from UNIX-based client computers.
Hyper-V™
Hyper-V provides the services that you can use to create and manage virtual computing environments and their resources. Virtual computers operate in an isolated operating environment. This lets you run multiple operating systems at the same time. You can use a virtualized computing environment to improve the efficiency of your computing resources by using more of your hardware resources.
Network Policy and Access Services
Network Policy and Access Services delivers many different methods to give users local and remote network connectivity, to connect network segments, and to allow network administrators to centrally manage network access and client health policies. With Network Access Services, you can deploy VPN servers, dial-up servers, routers, and 802.11-protected wireless access. You can also deploy RADIUS servers and proxies, and use the Connection Manager Administration Kit to create remote access profiles that let client computers connect to the network.
Print and Document Services
Print and Document Services enables you to centralize print server and network printer management tasks. With this role, you can also receive scanned documents from network scanners, and route the documents to a shared network resource, a Windows SharePoint Services site, or to e-mail addresses.
Remote Desktop Services
Remote Desktop Services provides technologies that enable users to access Windows-based programs that are installed on a remote desktop server, or to access the Windows desktop itself, from almost any computing device. Users can connect to a remote desktop server to run programs and to use network resources on that server.
Web Server (IIS)
The Web Server (IIS) role in Windows Server 2008 R2 lets you share information with users on the Internet, an intranet, or an extranet. Windows Server 2008 R2 delivers IIS 7.5, a unified Web platform that integrates IIS, ASP.NET, and Windows Communication Foundation.
Windows Deployment Services
You can use Windows Deployment Services to remotely install and configure Windows operating systems on computers that have Pre-boot Execution Environment (PXE) boot ROMs. Administration overhead is decreased through the WdsMgmt Microsoft Management Console (MMC) snap-in, which manages all aspects of Windows Deployment Services. Windows Deployment Services also provides end users with an experience consistent with Windows Setup.
Windows Server Update Services
Windows Server Update Services allows network administrators to specify the Microsoft updates that should be installed, to create separate groups of computers for different sets of updates, and to obtain reports on the compliance levels of the computers and on the updates that must be installed.
Organizational Units (OUs) will be set up for each location. There will be two OUs for each: management and employee. These OUs will be used to control user access to resources and login. Administrators will be able to move users through the organization if their roles change without having to recreate their accounts.
Kudler Fine Food’s explosive growth has brought the company to the point where it is time to shift paradigms to a new, modern network and information technology infrastructure. The cornerstone of this new infrastructure is going to be Windows Server 2008 R2 (W2k8R2).
W2k8R2 is able to maximize IT efficiencies and security using the Active Directory system of administration and organization. It uses a forest-based system which we will use to efficiently manage Kudler’s multiple existing and future locations.
The root of the Kudler domain will be physically located in La Jolla at Corporate Headquarters. It will be named kudler.com. The La Jolla branch Domain Controller will be lajolla.kudler.com. Each subsequent branch will also have a Domain Controller, also in the root kudler.com domain, and also named for its location. Del Mar will have delmar.kudler.com as its DC and Encinitas will have encinitas.kudler.com as its local DC.
Each DC will hold a copy of the global catalog for fault tolerance purposes. This will enable each location to provide login services in the event that the link to corporate headquarters is broken.
Having a single domain with Domain Controllers spread out at each location will make security maintenance a simpler task. With only one domain, connected via site links, a single administrator can push security policies to remote locations. This lowers administration costs because each site does not require an admin on payroll. This model also allows corporate to ensure that proper policies are being implemented, and followed, at all locations.
Another advantage of this model is that users only need to be entered into one Active Directory and they will be able to use their login at any authorized company location. Authorized locations will be enforced with Organizational Units (OUs). Users will be placed in OUs that signify what resources they are allowed to access. The Corporate OU will be allowed to log in at any location. Each store will also have an OU named for it, and employees at those stores will only be able to log in at their store. A benefit in ease of administration is that if a user moves stores, they do not need a new account. They only need to be moved into the new applicable OU.
In order to ensure the system runs smoothly there will be new ongoing Management Tasks. These will ensure that the system is kept up to date and that necessary legal and security requirements are met. It will be up to Kudler Management to determine the form requirements, or authorize P&G to draft them, but the following should be considered at a minimum:
1) New User Form: This will be completed at employee onboarding. It will contain a Notice of Monitoring and Proper Use rules so that in the event of any misconduct by the employee legal action can take place. It will also give the system administrator all the information needed to create the user’s account and place them in the proper OUs. When the form is completed it should be faxed (since it requires a signature) to headquarters immediately for action.
2) Employee Transfer Form: This will be completed if an existing employee moves from one store to another. This will be used to move the employee’s account from their existing OU to the new proper one. It will include things like username, current location, new location, and effective date. Store managers can complete it online and email it to corporate administrators.
3) Employee Termination Form: This form will be sent from a store manager to terminate an employee’s access to the network. It will contain the username, current location, and effective date.
4) Active Directory Backup: A procedure will need to be vetted that backs up the current Active Directory state and verifies it. The process periodicity will need to be determined as well as the backup location. We recommend that it be completed at least weekly and that the backup be replicated to each of the company sites. This ensures that in the event of an Active Directory malfunction, all users, group policies, and computer accounts can be restored. The purpose of replicating it to each site is so that if any site is destroyed, the other sites still have it. This is less costly than dedicated offsite storage.
5) Business Data Backup: A procedure for business data (i.e. invoices, billing statements, payroll, personnel files, inventory control, etc.) must be created as well. Like the AD backup, we recommend that it be replicated to each site, and for the same reasons. However, we recommend that this backup be performed at least daily, possibly even hourly, due to the extremely high value of the data to the business. P&G can begin implementation immediately if these methods are acceptable to Kudler.
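The per-location OU layout described above, together with the Employee Transfer and Employee Termination forms, as an added PowerShell example (not part of the original paper and not Kudler's or P&G's code). It assumes the ActiveDirectory module, a kudler.com forest root, and a constructed list of locations; restricting where a store account may actually log on is done separately by Group Policy linked to each store OU and is not shown here.

```powershell
# Added example: builds Location -> Management/Employee OUs and scripts the
# transfer and termination forms. Location names and 'jdoe' are constructed.
Import-Module ActiveDirectory

$DomainDN  = 'DC=kudler,DC=com'
$Locations = 'Corporate', 'LaJolla', 'DelMar', 'Encinitas'   # constructed list

# One OU per location, each holding a Management and an Employee child OU.
foreach ($loc in $Locations) {
    $locDN = "OU=$loc,$DomainDN"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$loc)" -SearchBase $DomainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $loc -Path $DomainDN -ProtectedFromAccidentalDeletion $true
    }
    foreach ($tier in 'Management', 'Employee') {
        if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$tier)" -SearchBase $locDN -SearchScope OneLevel)) {
            New-ADOrganizationalUnit -Name $tier -Path $locDN -ProtectedFromAccidentalDeletion $true
        }
    }
}

# Employee Transfer Form: the account keeps its SID and group history; only
# its OU (and therefore the policies and access tied to that OU) changes.
function Move-KudlerUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$NewLocation,
        [ValidateSet('Management', 'Employee')][string]$Tier = 'Employee'
    )
    $user   = Get-ADUser -Identity $SamAccountName
    $target = "OU=$Tier,OU=$NewLocation,$DomainDN"
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $target
}

# Employee Termination Form: disable rather than delete, so the audit trail
# and any file ownership tied to the SID survive until a retention period ends.
function Disable-KudlerUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Disable-ADAccount -Identity $SamAccountName
    Set-ADUser -Identity $SamAccountName -Description ('Terminated ' + (Get-Date -Format 'yyyy-MM-dd'))
}

# Constructed examples of the two forms being actioned at corporate:
# Move-KudlerUser    -SamAccountName 'jdoe' -NewLocation 'Encinitas'
# Disable-KudlerUser -SamAccountName 'jdoe'
```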
Kudler Fine Food’s new IT Infrastructure is based on Windows Active Directory. Active Directory requires properly configured Domain Name Services (DNS) in order to function. We will be configuring Active Directory Integrated DNS in the new Infrastructure rollout.
While DNS and Active Directory naming conventions can be the same, they do not necessarily HAVE to be the same. We will be using a tiered approach to DNS that will not directly mimic the AD naming convention. The tiers will be based on geographic location, unlike the AD naming convention that is unified.
The DNS hierarchy will be arranged like this:
As previously discussed, each store will have an Active Directory Domain Controller as well. There is no need for Read-Only Domain Controllers (RODCs) in Kudler’s architecture. Each store’s AD Domain Controller will host a copy of the Global Catalog. This will ensure that in the event of a site link outage, each store is still able to process logins.
Active Directory Sites and Services will handle Domain Controller replication natively. Each store will be assigned a network subnet. That subnet will be entered as the network ID for that store’s site. Since Kudler has high-speed links at all current sites, replication will be set to occur at all times, using high bandwidth. A site link called “CA-Intra-State” will be created and used for these connections.
The strategy will be different for new stores outside California. Each new state that Kudler expands to will have a single location connected to La Jolla via a high-speed link. This location, like those in California, will be set to always replicate using high bandwidth. A new site link for each state will be created, called “StateX-Corp-Sync”.
Where things differ is that each subsequent site in that new state will have a low-speed connection to the state hub. A site link called “StateX-Intra-State” will be created, and each site in that state will be added to that link. It will be set as a low-speed link and told to only replicate when needed. This will preserve bandwidth but still ensure that remote sites get updates from corporate, albeit at a slower pace.
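The site, subnet and site-link layout from the three preceding paragraphs, plus the Global Catalog setting from the paragraph before them, as an added PowerShell example (not part of the original paper). It assumes the ActiveDirectory module's replication cmdlets, which shipped with Windows Server 2012 RSAT (on a 2008 R2-only forest the same objects are created in the Sites and Services console); subnets, the hub/store names and the 'Nevada' expansion are constructed.

```powershell
# Added example: California sites on one high-bandwidth link, a per-state hub
# link to corporate, and a low-speed intra-state link for that state's stores.
Import-Module ActiveDirectory

$Root = 'DC=kudler,DC=com'
# Constructed subnets; the site-link schedule defaults to 24x7 availability,
# which is the "replicate at all times" behaviour the design asks for.
$CaSites = @{ 'LaJolla' = '10.1.0.0/16'; 'DelMar' = '10.2.0.0/16'; 'Encinitas' = '10.3.0.0/16' }
foreach ($name in $CaSites.Keys) {
    New-ADReplicationSite   -Name $name
    New-ADReplicationSubnet -Name $CaSites[$name] -Site $name
}
New-ADReplicationSiteLink -Name 'CA-Intra-State' -SitesIncluded ([string[]]$CaSites.Keys) `
    -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 15

# New state: hub gets a low-cost, frequent link to La Jolla; its stores share a
# higher-cost, infrequent intra-state link so the KCC prefers the hub path.
function Add-KudlerState {
    param(
        [Parameter(Mandatory)][string]$State,
        [Parameter(Mandatory)][string]$HubSubnet,
        [hashtable]$Stores = @{}        # store site name -> subnet
    )
    $hub = "$State-Hub"
    New-ADReplicationSite   -Name $hub
    New-ADReplicationSubnet -Name $HubSubnet -Site $hub
    New-ADReplicationSiteLink -Name "$State-Corp-Sync" -SitesIncluded ([string[]]('LaJolla', $hub)) `
        -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 15
    if ($Stores.Count -gt 0) {
        foreach ($store in $Stores.Keys) {
            New-ADReplicationSite   -Name $store
            New-ADReplicationSubnet -Name $Stores[$store] -Site $store
        }
        New-ADReplicationSiteLink -Name "$State-Intra-State" -SitesIncluded ([string[]](@($hub) + $Stores.Keys)) `
            -InterSiteTransportProtocol IP -Cost 400 -ReplicationFrequencyInMinutes 180
    }
}

# Global Catalog on a store DC: bit 0 of 'options' on its NTDS Settings object.
function Enable-KudlerGlobalCatalog {
    param([Parameter(Mandatory)][string]$DcName, [Parameter(Mandatory)][string]$Site)
    $ntds = "CN=NTDS Settings,CN=$DcName,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$Root"
    Set-ADObject -Identity $ntds -Replace @{ options = 1 }
}

# Constructed usage:
# Add-KudlerState -State 'Nevada' -HubSubnet '10.20.0.0/16' -Stores @{ 'Reno' = '10.21.0.0/16' }
# Enable-KudlerGlobalCatalog -DcName 'DELMAR-DC1' -Site 'DelMar'
```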
If Kudler continues to grow past two or three states, it would be worth looking at regionalizing so that La Jolla does not have to process all the load.