Binarycse

Computing For Everyone

Sun 05/20/2012, last update 09:47:49 AM

Identity Management

Identity and Access Management

Identity and Access Management is a Core Infrastructure Optimization capability and the foundation for implementing many capabilities in the Infrastructure Optimization Model. The following table lists the high-level challenges, applicable solutions, and benefits of moving to the Standardized level in Identity and Access Management.

Phase 1: Assess

The Assess phase primarily takes inventory of which directory services, if any, are used in your organization. You will define the reasons for each directory service and how they are used. If your organization does not have a directory service in place, you will need to examine how identities are currently managed and what processes are in place to secure access to data resources; these can be formal/documented or informal/undocumented processes.

Phase 2: Identify

The directory service design process begins by identifying the technologies available to provide the service and what your organization’s needs are in the implementation of a directory service.

An Active Directory infrastructure is required by the Core Infrastructure Optimization Model and provides foundational support for many services required by the organization, including messaging and collaboration, systems management, and security services. Active Directory is the network-focused directory service included in Microsoft Windows 2000 and Windows Server 2003.

Phase 3: Evaluate and Plan

The Evaluate and Plan phase leads you through the planning and design process for a directory service that meets your organization's needs. It is imperative that you manage information relating to employees and their use of computing resources with a single, coherent authentication system, one that has the following characteristics so that this information can be managed efficiently:

  • It should be organized and presented as a directory.

  • A common method of querying should be supported, regardless of the type of data being requested.

  • Information with similar characteristics should be managed in a similar manner.

The ways in which information is grouped and managed should be determined by the organization, in ways that complement the organization's existing systems.

Designing the Directory Service

When designing the service, consider the five categories of directory:

  • Specific-use directories

  • Application directories

  • Network-focused directories

  • General-purpose directories

  • Metadirectories

An Active Directory administrator has complete control over how information is presented in the directory. The information can be grouped into containers called organizational units (OUs) that are often arranged to facilitate the hierarchical storage of data. The types of data stored in the directory are defined using a schema specifying classes of data called objects. A user object, for example, is the User class defined in the schema. Attributes of the user object store information; for example, user name, password, and telephone number. The administrator can update the schema to include new attributes or classes as required.

Designing the Active Directory Structure

The logical structure of Active Directory can be considered as a number of logical directories called domains. The collection of domains is called a forest because directory data in each domain is typically organized in a tree-like structure to reflect the organization.

The process for designing the logical structure consists of the following steps:

  1. Logical Structure Design Requirements. The Active Directory functions for administrative delegation are central to the logical structure design. Administration of specific OUs can be delegated to achieve autonomy or isolation of a service or data. Administrative delegation is done to meet the legal, operational, and organizational structure requirements.

  2. Forest Design. A forest design model is chosen after the appropriate number of forests is determined in the service design process; for example, when multiple directories are necessary or object definitions vary within an organization. With few exceptions, we recommend that you maintain a single forest to be able to standardize the directory service.

  3. Domain Design. A domain model is then chosen for each forest.

  4. Forest Root Design. Forest root decisions are based on the domain design. If a single-domain model is chosen, the single domain functions as the forest root domain. If a regional-domain model is chosen, the forest owner needs to determine the forest root.

  5. Active Directory Namespace Planning. After the domain model is determined for each forest, the namespace for the forest and domains should be defined.

  6. DNS Infrastructure to Support Active Directory. After the Active Directory forest and domain structures have been designed, the Domain Name System (DNS) infrastructure design for Active Directory can be completed.

  7. Creating an Organizational Unit Design. OU structures are unique to the domain, not the forest, so each domain owner is responsible for designing the OU structure for their domain.

Rendering the Logical Design

After the service design steps are completed, you can create a logical design that can be used to communicate the design to others, and to verify the integrity of the proposed design. This logical design should provide the required level of detail to allow the designers and IT professionals to understand the proposed design and to ensure that it meets the requirements of the services that they are responsible for within the overall enterprise design. The following diagram is an example of logical design. In the following example, the corporate forest uses a regional-domain model, which was chosen so that replication across the WAN could be carefully controlled.
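The following script is an added example, not part of the original guidance or of any Microsoft tool: it renders the logical design of an existing forest (forest root, domain model, DNS locator records, each domain's OU tree and the explicit ACEs that represent delegation) so that the Assess inventory and the design steps above can be checked against what is actually deployed. It assumes the RSAT ActiveDirectory and DnsClient modules and read access to the forest from a domain-joined host.

```powershell
# Added example (not from the original page): render an existing forest's logical design.
# Assumes RSAT ActiveDirectory + DnsClient modules and read access to every domain in the forest.
Import-Module ActiveDirectory

# Sort key that lists parent OUs before their children (split on commas that are not escaped).
function Get-DnSortKey([string]$Dn) {
    $parts = $Dn -split '(?<!\\),'
    [array]::Reverse($parts)
    return ($parts -join '/')
}

$forest = Get-ADForest
$model  = if (@($forest.Domains).Count -eq 1) { 'single-domain' } else { 'multi-domain (regional)' }
Write-Output "Forest $($forest.Name): $model model, forest root = $($forest.RootDomain), mode = $($forest.ForestMode)"

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    Write-Output ""
    Write-Output "Domain $($domain.DNSRoot) (NetBIOS $($domain.NetBIOSName), mode $($domain.DomainMode), parent: $($domain.ParentDomain))"

    # Step 6: the DC locator depends on the SRV records that domain controllers register in DNS.
    $srv = "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)"
    try {
        $dcRecords = @(Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop)
        Write-Output "  DNS: $srv -> $($dcRecords.Count) domain controller record(s)"
    } catch {
        Write-Output "  DNS: WARNING $srv does not resolve; clients cannot locate DCs for this domain"
    }

    # Step 7: OUs belong to the domain, not the forest, so render each domain's tree separately.
    $ous = Get-ADOrganizationalUnit -Server $domain.DNSRoot -Filter * -Properties nTSecurityDescriptor |
           Sort-Object { Get-DnSortKey $_.DistinguishedName }
    foreach ($ou in $ous) {
        $parts  = $ou.DistinguishedName -split '(?<!\\),'
        $depth  = @($parts | Where-Object { $_ -like 'OU=*' }).Count
        $indent = '  ' * $depth
        Write-Output "$indent$($ou.Name)"

        # Step 1: delegation shows up as explicit (non-inherited) ACEs on the OU. Schema defaults
        # appear here too; review any principal whose rights do not trace back to a documented need.
        $explicit = $ou.nTSecurityDescriptor.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference -notmatch '^(NT AUTHORITY|BUILTIN)\\'
        }
        foreach ($ace in $explicit) {
            Write-Output "$indent  ACE: $($ace.IdentityReference) $($ace.AccessControlType) $($ace.ActiveDirectoryRights)"
        }
    }
}
```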

[Figure: example logical design for a corporate forest using a regional-domain model]

Phase 4: Deploy

After you perform a high-level assessment of your current environment and determine your Active Directory deployment goals, you can determine the deployment strategy that works best for your environment. The following figure shows the steps for defining the Active Directory deployment process.

[Figure: steps for defining the Active Directory deployment process]

The Active Directory deployment strategy that you apply varies according to your existing network configuration. For example, if your organization currently runs Windows 2000, you can simply upgrade your operating system to Windows Server 2003. If your organization currently runs Microsoft Windows NT® 4.0 or a non-Windows network operating system, however, you must design an Active Directory infrastructure before you upgrade to Windows Server 2003.

Your deployment process might involve restructuring existing domains, either within an Active Directory forest or between Active Directory forests. You might need to restructure your existing domains after you deploy Windows Server 2003 Active Directory or after organizational changes or corporate acquisitions.

Operations

The goal of directory services is to ensure that information is accessible through the network by any authorized requester via a simple and organized process. The following resources provide information on operating Active Directory in your organization after it has been implemented and all objects are defined. Operating an Active Directory infrastructure requires proper administration of domain and forest trusts, the Windows Time service, SYSVOL, the global catalog, Active Directory backup and restore, intersite replication, the Active Directory database, and domain controllers.
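As an added example that is not part of the original page, the script below runs a quick operational check over several of the areas just listed (trusts, Windows Time source, SYSVOL reachability, global catalog placement and replication health) for every domain controller in the forest. It assumes the RSAT ActiveDirectory module with the Windows Server 2012 or later replication cmdlets and rights to query each domain controller.

```powershell
# Added example (not from the original page): operational spot check across all DCs in the forest.
# Assumes RSAT ActiveDirectory (2012+ cmdlets) and permission to query every domain controller.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$dcs      = foreach ($d in $forest.Domains) { Get-ADDomainController -Server $d -Filter * }
$findings = New-Object System.Collections.Generic.List[string]

# Trusts: record direction, type and whether SID filtering / selective authentication are enabled,
# since a trust with neither extends the other side's privileges into this forest.
foreach ($d in $forest.Domains) {
    foreach ($t in (Get-ADTrust -Server $d -Filter *)) {
        $findings.Add("trust $d -> $($t.Name): $($t.Direction), type $($t.TrustType), " +
                      "SIDFilteringQuarantined=$($t.SIDFilteringQuarantined), SelectiveAuthentication=$($t.SelectiveAuthentication)")
    }
}

foreach ($dc in $dcs) {
    $name = $dc.HostName

    # Global catalog: note which DCs hold it so each site's coverage can be verified.
    if ($dc.IsGlobalCatalog) { $findings.Add("gc $name: global catalog (site $($dc.Site))") }

    # SYSVOL: Group Policy and logon scripts are served from this share; it must be reachable.
    if (-not (Test-Path "\\$name\SYSVOL")) { $findings.Add("sysvol $name: share not reachable") }

    # Windows Time: Kerberos tolerates only minutes of skew, so check where each DC takes time from.
    $source = & w32tm /query /source "/computer:$name" 2>&1
    $findings.Add("time $name: source $source")

    # Replication: consecutive failures with a partner mean the directory is diverging.
    $meta = Get-ADReplicationPartnerMetadata -Target $name -Scope Server -ErrorAction SilentlyContinue
    foreach ($m in $meta) {
        if ($m.ConsecutiveReplicationFailures -gt 0) {
            $findings.Add("replication $name <- $($m.Partner) [$($m.Partition)]: " +
                          "$($m.ConsecutiveReplicationFailures) consecutive failure(s), last success $($m.LastReplicationSuccess)")
        }
    }
}

$findings | ForEach-Object { Write-Output $_ }
```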