
Active Directory Provisioning: Technical Guide

Applicable to 7.120 Onwards

Revision History

Version     Change Description                                                 Date
7.120 1.0   Initial Release                                                    11/08/2009
7.120 1.1   Updated client operating system compatibility information. For     12/01/2011
            more information, please see Supported Operating Systems at the
            Client on page 2.

Capita Business Services Ltd 2011. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, translated or transmitted without the express written consent of the publisher. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Capita Doc Ref: AD_TECH7120/HBK/120111/SB

Providing Feedback on Documentation

We always welcome comments and feedback on the quality of our documentation, including online help files and handbooks. If you have any comments, feedback or suggestions regarding the module help file, this handbook (PDF file) or any other aspect of our documentation, please email: Publications@capita.co.uk

Please ensure that you include the module name, version and aspect of documentation on which you are commenting.

Capita Children's Services, Franklin Court, Priory Business Park, Bedford, MK44 3JZ
Tel: 01234 838080 Fax: 01234 832082
http://sims.capita-cs.co.uk

Contents

01 The AD Provisioning Technical Guide ..................................... 1
   Introduction ............................................................ 1
   Product Scope ........................................................... 1
      Supported Active Directory Versions .................................. 1
      Data Provisioned ..................................................... 2
   System Design ........................................................... 3
      Provisioning Client .................................................. 4
      Provisioning Server .................................................. 5
   Deploying and Securing the System ....................................... 6
      Configuring the Active Directory ..................................... 6
      Provisioning Server .................................................. 8
      Provisioning Client ................................................. 12
      Securing Contact between the Provisioning Server and its Client(s) .. 14
   Hardware Requirements .................................................. 14
      LA / Server Side Hardware ........................................... 14
      SIMS/Client Side Hardware ........................................... 15
   System Performance and Infrastructure Sizing ........................... 15
   Best Practices for Using Provisioned Accounts .......................... 16
   Provisioning Multiple Domains .......................................... 16
      Single Provisioning Server .......................................... 16
      Multiple Provisioning Servers ....................................... 17
      Custom Scripts ...................................................... 18
   Backups ................................................................ 19

02 Appendices ............................................................. 21
   Appendix A Consolidating the Deployment ................................ 21
      Consolidating the Provisioning Server ............................... 21
      Consolidating the Client ............................................ 24
   Appendix B Migration from Earlier Versions of SLG Provisioning ......... 24
   Appendix C Using ConfigureDBPermissions to set SQL Server Permissions .. 25
   Appendix D Setting up Email Notifications using ConfigureEmailNotifications 26
   Appendix E Further Reading ............................................. 26

01 The AD Provisioning Technical Guide

Introduction
This document outlines the overall design of the Capita Children's Services Active Directory Provisioning System, along with installation requirements and best practice advice for securing the system. For end user documentation, please refer to the Active Directory Provisioning 2 for System Administrators handbook, which will be available on product release.

IMPORTANT NOTE: It is assumed that the reader is familiar with networking and security concepts.

Product Scope
Supported Active Directory Versions
This SIMS product is compatible and supported to operate with the following system versions:
- Microsoft Active Directory 2008 operating under Windows Server 2008 Native Mode.
- Microsoft Active Directory 2008 operating under Windows Server 2003 Native Mode.
- Microsoft Active Directory 2008 operating under Windows Server 2000 Compatibility Mode.
- Microsoft Active Directory 2003 operating under Windows Server 2003 Native Mode.
- Microsoft Active Directory 2003 operating under Windows Server 2000 Compatibility Mode.

We expect this product to operate with other Active Directory platforms and configurations, but our testing, and therefore formal support at launch, will be limited to the above.

Supported Operating Systems at the Client
- Microsoft Windows Server 2008 64 bit
- Microsoft Windows Server 2008 32 bit
- Microsoft Windows Server 2003 64 bit
- Microsoft Windows Server 2003 32 bit
- Microsoft Windows 7 Professional 64-bit (SP1)
- Microsoft Windows 7 Professional 32-bit (SP1)
- Microsoft Windows Vista Business 32-bit (SP2)
- Microsoft Windows XP Professional 32-bit (SP2 and above)

Data Provisioned
This SIMS product enables schools and Local Authorities to create and maintain Active Directory accounts for the following SIMS roles:
- Students (current pupil/students)
- Parents (pupil/student and applicant contacts, using SIMS terminology)
- Staff (teaching and non-teaching staff)
- Pupil/student applicants (accepted or admitted in advance of their Date of Admission).

The following person attributes in SIMS are used for this purpose:
- Legal Surname creates the Surname AD attribute
- Legal Forename creates the Forename AD attribute
- Main Email Address creates the Email Address.

The following attributes can be used, in any partial combination in a template, to create user names and email addresses:
- Legal Surname
- Legal Forename
- Middle Name(s)
- Title
- School Name
- Two digit Admission Year Representation, e.g. 06 (pupil/students only)
- Four digit Admission Year Representation, e.g. 2006 (pupil/students only)
- Cohort: a user definable code for representing the pupil/student's cohort (pupil/students only)
- User-defined Character String.

Passwords are generated by an algorithm and a change of password is forced when logging in for the first time.

The following security or distribution groups may be created and maintained within the Active Directory using groups within SIMS:
- All Staff
- All Teachers
- All Parents
- All Students
- Parents by Year Group
- Students by Year Group
- Students by Registration Group
- Students by School Houses
- Students by Academic Class
- Students by Cohort
- SIMS System Manager Groups.

System Design
The provisioning system consists of two main components:
- the Provisioning Server
- the Provisioning Client.

The Provisioning Client tracks changes in a school's SIMS database or, in the case of a central Local Authority hosted solution, multiple SIMS databases. The Provisioning Server then gathers these changes from the clients and applies them to an Active Directory. A conceptual model of the system is shown in the following diagram:

Figure 1 AD Provisioning conceptual model

IMPORTANT NOTE: As supplied, a Provisioning Server communicates with a single domain. However it is possible to provision multiple domains from a single site. For more information, please see Provisioning Multiple Domains on page 16.

Provisioning Client
The Provisioning Client consists of three main components: SIMS, a change tracking application and a web service.

The school level features for configuring the Provisioning Client are provided in SIMS as a setup screen. This includes options for selecting the people to provision and pointing the system towards the Provisioning Server by importing a configuration file.

NOTE: The specific entities set up by the administrator of the Provisioning Server and domain control determine what kind of information is provisioned to the Active Directory. The Provisioning Client serves to provide this information.

It is highly recommended that you install the Client Interface Web Services to the default location (C:\Program Files\SIMS\ADPServer\), as this makes it possible to update the software automatically for future releases.

The change tracking application is designed to be run as a task in Microsoft Windows Scheduler, at a time and frequency of the school's choosing. Although it places no load on the Provisioning Server (it just pings it when it has new changes), it is recommended that the task is run overnight to prevent it from interfering with the normal running of SIMS. The application can also be run directly by users, although in normal operation this should not be necessary. The changes detected by this application are stored in the SIMS SQL Server database until gathered by the Provisioning Server. The web service allows the Provisioning Server to gather these changes securely from the school.

Provisioning Server
The Provisioning Server consists of a number of components. The core of the Provisioning Server is a Windows Service that processes pending requests from clients and undertakes changes against the Active Directory by way of a set of ADSI based VB Scripts that are accessible to the administrator. The benefits of exposing the interactions in this manner are twofold:
1. The interactions with the Active Directory can be verified by a network administrator who is familiar with the target directory, to validate their robustness when run against that directory.
2. A network administrator can customise the scripts. Customisations can be wide ranging, from small tweaks to the scripts through to wholesale replacement, including, for example, writing the output to files rather than directly to the directory.

The Windows Service is the only component of the server that requires any form of write access to the Active Directory.

The service retrieves information about pending requests and clients, and stores logging information in a SQL Server 2005 Express database. At the time of writing, there are no indications that using the full version of SQL Server 2005 (as opposed to the Express version) offers any benefits, as the database usage is relatively light.

All interactions with the Provisioning Server are performed via web services:
1. Provisioning Client interfaces: these allow the Provisioning Clients to notify the Provisioning Server of new changes.
2. Provisioning Server Administration interfaces: these allow the Provisioning Server to be configured and management tasks to be undertaken, e.g. registering a client or consolidating an account.

NOTE: When consolidating accounts, there may be a small delay before the accounts are consolidated and show up in AD or SharePoint.

A browser-based management console is provided to allow the administration functions to be performed by an end user. These administration functions include:
- Registering clients
- Viewing logs
- Stopping and starting clients.

For more information regarding the functionality of the console, please refer to the Active Directory Provisioning 2 for System Administrators handbook, which will be available on product release.

Deploying and Securing the System


As a product with write access to Active Directory, it is likely that someone wishing to compromise a network will consider the provisioning system to be a good target to exploit. It is therefore extremely important that the system is deployed in a secure manner and that access to it is limited as far as possible. This section outlines best practices to follow when deploying the system, although it does not remove the need for the network administrator to validate and ensure the system is secure before making the system live.

In recognition of the fact that in some installations equipment and budget are of concern, this guide also provides advice on how the system can be set up within tighter constraints. However, this is only possible for single sites and should not be considered to be as secure. For information on this method of deployment, please see Appendix A Consolidating the Deployment on page 21.

The best practice advice in this document focuses on securing the Provisioning Server from external threats. It is assumed that the installation will be secured internally using your existing procedures for mission critical and sensitive corporate servers. As this is largely dependent on your own network and corporate organisation, it is beyond the scope of this document to discuss.

Configuring the Active Directory


To enable the provisioning system to track users and groups between SIMS and your Active Directory, a small number of schema extensions are required within the Active Directory. These extensions are marked with an OID (Object Identifier) registered to Capita Children's Services with Microsoft and take the form of multi-value strings. For more information, please refer to the Active Directory Provisioning 2 System Administrators handbook, which will be available on product release.

The schema extension script adds five new attributes to the AD schema, as listed below:
- capitachildrensservicesEntityGuid
- capitachildrensservicesClientGuid
- capitachildrensservicesHasBeenConsolidated
- capitachildrensservicesMasterClientGuid
- capitachildrensservicesClientEntityGuids
- capitachildrensservicesSecurityAnswer
- capitachildrensservicesSecurityQuestion

The attributes are created with OIDs in a range allocated to Capita by Microsoft, and the capitachildrensservices naming prefix has also been registered with Microsoft to ensure that there are no clashes with schema extensions made by other third parties.

Before installing the schema, it is highly recommended that you take a backup of your existing schema. To install the schema, run the ProvisioningSchemaExtensions.vbs file that can be found in the folder the provisioning server was installed into. It is suggested that this script is run directly on the root domain controller that is hosting the Active Directory schema container.

NOTES: If you are running a Windows 2000 based Active Directory, schema extensions are disabled by default and you will need to enable them before you can perform the upgrade. For information on how to do this, please refer to the Microsoft documentation. This operation may take several minutes to complete and even longer to replicate across a domain tree.
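The following PowerShell is an added example, not part of this guide or the product: it takes the recommended schema backup before ProvisioningSchemaExtensions.vbs is run, then verifies after the run (and after replication) that the listed attributes exist and are multi-valued, as described above. It assumes the ActiveDirectory module (RSAT) is available, that the caller has schema read rights, and uses an assumed backup path.

```powershell
# Added example (not from the Capita guide). Run against the domain controller that
# holds the Schema Master role, where the extension script itself should be run.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$backup   = "C:\Backups\ADSchema_$(Get-Date -Format yyyyMMdd_HHmm).ldf"   # assumed path

# 1. Back up the existing schema as LDIF before any extension is applied.
#    ldifde -d limits the export to the schema container; -f names the output file.
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
ldifde -f $backup -d $schemaNC
if ($LASTEXITCODE -ne 0) { throw 'Schema export failed; do not run the extension script.' }
Write-Host "Schema backed up to $backup"

# 2. Report where the Schema Master is, so the script is run in the right place.
Write-Host "Schema Master: $((Get-ADForest).SchemaMaster)"

# 3. After ProvisioningSchemaExtensions.vbs has run, verify the documented attributes.
$expected = @(
    'capitachildrensservicesEntityGuid',
    'capitachildrensservicesClientGuid',
    'capitachildrensservicesHasBeenConsolidated',
    'capitachildrensservicesMasterClientGuid',
    'capitachildrensservicesClientEntityGuids',
    'capitachildrensservicesSecurityAnswer',
    'capitachildrensservicesSecurityQuestion'
)

# attributeSchema objects sit directly under the schema container, so OneLevel is enough.
$found = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=capitachildrensservices*))' `
    -Properties lDAPDisplayName, attributeID, isSingleValued, attributeSyntax

$problems = 0
foreach ($name in $expected) {
    $attr = $found | Where-Object { $_.lDAPDisplayName -eq $name }
    if (-not $attr) {
        Write-Warning "$name is missing: not yet created, or not yet replicated to this DC."
        $problems++
        continue
    }
    # The guide describes the extensions as multi-value strings; flag single-valued ones.
    $line = '{0,-48} OID={1} multi-valued={2} syntax={3}' -f $name, $attr.attributeID, (-not $attr.isSingleValued), $attr.attributeSyntax
    Write-Host $line
    if ($attr.isSingleValued) {
        Write-Warning "$name is single-valued, which does not match the documented definition."
        $problems++
    }
}

# Any attribute with the Capita prefix that the guide does not list is worth a second look.
$found | Where-Object { $expected -notcontains $_.lDAPDisplayName } |
    ForEach-Object { Write-Warning "Unexpected attribute with the Capita prefix: $($_.lDAPDisplayName)" }

if ($problems -eq 0) { Write-Host 'All documented attributes are present and multi-valued.' }
```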

Provisioning Server
The recommended topology for the Provisioning Server is shown in the following diagram. The aim of this topology is to limit access to the Provisioning Server itself particularly from any machine that is not fully trusted.

Figure 2 Recommended topology

Details of the various components are outlined in the following sections. All components can be deployed individually via a standard installer.


SLG DMZ
Please refer to the SIMS Learning Gateway 2 Technical Guide for information on this system and more detailed information on how it integrates with AD Provisioning. It is only shown here to highlight the link between it and the account management web services.

Provisioning Service Installation Package


ADPServer_Provisioning.msi

Provisioning Service Prerequisites for Installation

1. Microsoft Windows Server 2003 Service Pack 2 (32 or 64 bit) or Microsoft Windows Server 2008 (64 bit).
2. Microsoft .NET Framework 2 (or later)
3. A user account with write access to Active Directory (see the following section)
4. A user account for running SQL Server (see the following section)
5. IIS installed.

Provisioning Service Installation Notes

The Provisioning Server hosts the provisioning Windows Service and the SQL Server database that acts as its local data-store. The SQL Server should be configured to run under a user account with minimal privileges; see Microsoft's own best practice advice for securing SQL Server.

The Windows Service should also be configured to run under a minimal user account. This account requires the following permissions:
- Read/write access to the Provisioning Server database installed in the local SQL Server. The assigning of permissions is done automatically during installation, but customisation can be carried out using ConfigureDBPermissions.exe.
- Read/write access to the Active Directory. It is strongly recommended that you limit the account's write access to the smallest subset of the AD hierarchy possible, based on your configuration. For example, if you intend to place all the provisioned objects under an organisational unit called Schools, then you should grant the account write access to only this area of the directory.
- Read access to the folder on the Provisioning Server under which the provisioning VB scripts are stored. Please note that no wider access to the file system is required.

On the Provisioning Server, all inbound ports should be closed except for the port required to access SQL Server (by default TCP port 1433). Furthermore, it is recommended that the machine is physically secure and exposed to as small a part of your Intranet as possible.

There are three services involved in the system that contact the SQL Server installation on the Provisioning Server machine:
- The client interface web services
- The administration web services
- The Windows Service on the Provisioning Server itself.
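The following PowerShell is an added example, not part of this guide or the product, showing one way to apply the three least-privilege points above on a Windows Server 2008 Provisioning Server: directory write rights scoped to the Schools OU, read access to the script folder only, and an inbound firewall that admits only TCP 1433 from the two IIS servers that talk to the database. All names are assumptions: domain CONTOSO, service account svc-adprov, OU "Schools", script folder C:\Program Files\SIMS\ADPServer\Scripts, IIS hosts 10.0.1.10 and 10.0.2.10.

```powershell
# Added example (not from the Capita guide). Run elevated on the Provisioning Server.
# dsacls, icacls and netsh advfirewall are the Windows Server 2008 tools; the
# verification step at the end needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$svc      = 'CONTOSO\svc-adprov'                          # assumed Windows Service account
$scopeOU  = 'OU=Schools,DC=contoso,DC=local'              # assumed OU holding provisioned objects
$scripts  = 'C:\Program Files\SIMS\ADPServer\Scripts'     # assumed VB script folder
$iisHosts = '10.0.1.10,10.0.2.10'                         # assumed DMZ and intranet IIS servers

# --- Active Directory: write access only inside the Schools OU --------------------
# /I:T applies to the OU and everything beneath it; /I:S applies to sub-objects only.
# CCDC = create and delete child objects of the named class within that subtree.
dsacls $scopeOU /I:T /G "${svc}:CCDC;user" "${svc}:CCDC;group" "${svc}:CCDC;organizationalUnit"
# RPWP on all properties of user and group objects: names, mail, group membership and
# the capitachildrensservices* tracking attributes the schema extension adds.
dsacls $scopeOU /I:S /G "${svc}:RPWP;;user" "${svc}:RPWP;;group"
# The service sets the initial password, so it needs the Reset Password control right.
dsacls $scopeOU /I:S /G "${svc}:CA;Reset Password;user"

# --- File system: read and execute on the script folder, nothing wider -------------
icacls $scripts /grant "${svc}:(OI)(CI)RX"

# --- Firewall: default-deny inbound, allow SQL Server only from the IIS hosts ---------
# Note that this also blocks remote management; provide for that under your own
# procedures for sensitive servers (console access, a management VLAN, and so on).
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name="ADP SQL Server from IIS hosts" dir=in action=allow `
    protocol=TCP localport=1433 remoteip=$iisHosts

# --- Verification: the account must not hold an explicit ACE at the domain root ------
$domainRoot = (Get-ADDomain).DistinguishedName
if ((dsacls $domainRoot) -match [regex]::Escape($svc)) {
    Write-Warning "$svc has an explicit ACE at $domainRoot; its rights should stop at $scopeOU."
} else {
    Write-Host "$svc has no explicit rights at the domain root."
}
# Show the resulting ACL on the OU for review.
dsacls $scopeOU | Select-String -SimpleMatch $svc
```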

DMZ IIS Server Prerequisites for Installation

1. Microsoft Windows Server 2003 Service Pack 2 (32 or 64 bit) or Microsoft Windows Server 2008 (64 bit).
2. Microsoft .NET Framework 2 (or later)
3. IIS installed
4. Connectivity to the machine hosting the Provisioning Server.

DMZ IIS Server Installation Notes

Even when communication to remote clients is controlled via VPN, it is recommended that a DMZ (demilitarised zone) is put in place to isolate the Provisioning Server and its data-store from inbound client requests. The reasons for this are twofold:
1. The Provisioning Server effectively has permanent write access to at least a subset of the Active Directory. If someone were able to interfere with this, they would be able to expose and compromise aspects of a network's security. Hosting the web services in a DMZ isolates the Provisioning Server from direct access and restricts interactions with it to those exposed deliberately through secured web services.
2. Given the widely distributed environment of the provisioning system, there is a large degree of uncertainty as to how secure the client end point of the connection is.

Within the DMZ, the IIS Server is required to host a set of web services that allow the clients to notify the server when new updates are ready. In addition to the guidance given here, Microsoft's best practice advice for securing an IIS installation should be followed.

DMZ IIS Server Securing the Provisioning Client Interfaces

This web service should be deployed in a website of its own and assigned to a port that is open on the DMZ's Internet/client facing firewall. The website must be configured to use ASP.NET Version 2.0. The web service represents the only point of contact that a client should initiate with the Provisioning Server. Its functions are limited in scope, being confined to a simple notification to the server that a client has a new set of changes.

Depending on the topology of your network, the IIS website hosting this service should be secured in one of two ways:
1. Use domain authentication to authenticate clients. Where domain authentication is in use, the accounts assigned to clients for the purpose of provisioning should have no privileges beyond those necessary for establishing communication with this Web Server and performing the necessary SIMS tasks. For more information, please see Provisioning Client on page 12.
2. Use basic authentication. In this scenario your Web Server should be configured to run using SSL and each client should be provided with a unique username and password. Details of how to configure an IIS website to run under SSL can be found in Microsoft's IIS documentation.

Under no circumstances should the site be configured to allow anonymous access.

No personal information, or information that directly feeds into the items being provisioned, is transmitted over this web service. Therefore, unless basic authentication is in use, there is no need to secure the site with SSL.

The application pool in whose context the web service runs should be configured to use the Network Service account. The Network Service account is a built-in account with a minimal set of privileges on the local computer; it accesses network resources (such as SQL Server) using the credentials of the computer account.

Intranet IIS Server Prerequisites for Installation

1. Microsoft Windows Server 2003 Service Pack 2 (32 or 64 bit) or Microsoft Windows Server 2008 (64 bit).
2. Microsoft .NET Framework 2 (or later)
3. IIS installed
4. Connectivity to the machine hosting the Provisioning Server.

Intranet IIS Server Installation Notes

Administration of the Provisioning Server can occur both through a browser based user interface and through programmatic interactions with web services, to allow scripting and automation of the functions. The intranet IIS Server is used to host both of these components. Both sites should be secured using domain security, and access to them should be limited to as few individuals as possible.

If you are not using the administration services for scripting, it is recommended that you block the inbound port used by the website hosting the web services. The browser based management console performs its operations through the administration web services, therefore it requires access to them.

Both sites can be configured to share the same application pool. The IIS application pool used to host the websites should be configured to run under the Network Service account, with minimal privileges, following Microsoft's best practice advice for securing IIS.


Provisioning Client
The recommended topology for the Provisioning Client (or each Provisioning Client in the case of multiple SIMS systems) is shown in the following diagram. The main aim of this topology is to isolate the SIMS Server from direct access to the Internet via a DMZ.

Figure 3 Provisioning client topology

The various components shown on the diagram can be installed via a standard installer and are described in more detail in the following sections.

Change Tracking Service Prerequisites for Installation

1. Microsoft Windows XP Service Pack 2, or Microsoft Windows Server 2003 Service Pack 2 (32 or 64 bit).
2. Microsoft .NET Framework 2 (or later)
3. Connectivity to the machine hosting the SIMS SQL Server
4. Outbound connectivity to the Provisioning Server.

Change Tracking Service Installation Notes

The change tracking service is an application that can be set up in Microsoft Windows Scheduler to look for changes in the SIMS database. It requires an outbound connection to the Provisioning Server in order to inform it when there are new changes available. It should be configured to run under the Network Service account or an account with access to the SIMS database.


DMZ IIS Server Prerequisites for Installation

1. Microsoft Windows Server 2003 Service Pack 2 (32 or 64 bit) or Microsoft Windows Server 2008 (64 bit).
2. Microsoft .NET Framework 2 (or later)
3. IIS installed
4. Connectivity to the machine hosting the Provisioning Server
5. Connectivity to the machine hosting the SIMS SQL Server.

DMZ IIS Server Installation Notes

Even when communication to remote clients is controlled via a VPN, it is recommended that a DMZ (demilitarised zone) is put in place to isolate the SIMS SQL Server from direct access. As the contents of this database are highly sensitive (names and addresses of children, for example), it is important that the database does not become exposed on the wider Provisioning Server's network.

Within the DMZ, the IIS Server is required to host a web service that is accessed by the Provisioning Server to perform a transfer of change requests and to feed back user account information. This web service should be deployed in a website of its own and assigned to a port that is open on the DMZ's Internet/Provisioning Server facing firewall. The website must be configured to use ASP.NET Version 2.0.

Depending on the topology of your network, and the connection between your client and the Provisioning Server, the IIS website hosting this service should be secured in one of two ways:
1. Use domain authentication to authenticate the server. Where domain authentication is in use, the accounts assigned to servers for the purpose of provisioning should have no privileges beyond those necessary for establishing communication with this Web Server.
2. Use basic authentication. In this scenario, your Web Server should be configured to run using SSL and each client should be provided with a unique user name and password. Details of how to configure an IIS website to run under SSL can be found in Microsoft's IIS documentation.

IMPORTANT NOTE: Under no circumstances should the site be configured to allow anonymous access.

A limited amount of personal information is supplied to the server via this web service (names and pastoral information), therefore either a secure VPN connection should be used or SSL configured on the website. The application pool in whose context the web service runs should be configured to use the Network Service account.

In addition to the guidance given here, Microsoft's best practice advice for securing an IIS installation should be followed.
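The following PowerShell is an added example, not part of this guide or the product, showing the IIS 7 (Windows Server 2008) configuration the two DMZ IIS Server sections call for, both for the Provisioning Client Interfaces site on the Provisioning Server side and for the client-side service described just above: a dedicated site and ASP.NET 2.0 application pool running as Network Service, anonymous access disabled, domain or Basic authentication selected, and SSL required whenever Basic authentication or personal data is involved. Site name, pool name, paths, ports and the certificate thumbprint are all assumptions; IIS 6 on Windows Server 2003 uses different tooling.

```powershell
# Added example (not from the Capita guide). Run elevated on the DMZ IIS server.
$appcmd     = "$env:windir\system32\inetsrv\appcmd.exe"
$site       = 'ADP Interface'                      # assumed site name
$pool       = 'ADPInterfacePool'                   # assumed application pool name
$path       = 'C:\inetpub\ADPInterface'            # assumed physical path
$useBasic   = $false                               # $true: Basic auth over SSL; $false: domain auth
$requireSsl = $true                                # client-side service carries personal data: keep SSL
$certHash   = 'THUMBPRINT_PLACEHOLDER'             # replace with the server certificate thumbprint
$appId      = '{11111111-2222-3333-4444-555555555555}'   # any GUID identifying this binding
$httpBinding  = 'http/*:8080:'
$httpsBinding = 'https/*:8443:'
$auth = 'system.webServer/security/authentication'

# Dedicated pool on ASP.NET 2.0, identity Network Service; dedicated site on its own port.
& $appcmd add apppool /name:$pool /managedRuntimeVersion:v2.0 /managedPipelineMode:Integrated
& $appcmd set apppool $pool /processModel.identityType:NetworkService
& $appcmd add site /name:$site /physicalPath:$path /bindings:$httpBinding
& $appcmd set app "$site/" /applicationPool:$pool

# Anonymous access is never acceptable on this service.
& $appcmd set config $site /section:$auth/anonymousAuthentication /enabled:false /commit:apphost

if ($useBasic) {
    # Basic authentication sends credentials in clear text, so SSL becomes mandatory.
    & $appcmd set config $site /section:$auth/basicAuthentication   /enabled:true  /commit:apphost
    & $appcmd set config $site /section:$auth/windowsAuthentication /enabled:false /commit:apphost
    $requireSsl = $true
} else {
    # Domain authentication: each client's account should hold no rights beyond this.
    & $appcmd set config $site /section:$auth/windowsAuthentication /enabled:true  /commit:apphost
    & $appcmd set config $site /section:$auth/basicAuthentication   /enabled:false /commit:apphost
}

if ($requireSsl) {
    # Swap the http binding for https, bind the certificate, and reject non-SSL requests.
    & $appcmd set site $site /bindings:$httpsBinding
    netsh http add sslcert ipport=0.0.0.0:8443 certhash=$certHash "appid=$appId"
    & $appcmd set config $site /section:system.webServer/security/access /sslFlags:Ssl /commit:apphost
}

# Verification: the effective settings should show anonymous=false and exactly one
# of windows/basic enabled, and the site should list only the intended binding.
& $appcmd list config $site /section:$auth/anonymousAuthentication
& $appcmd list config $site /section:$auth/windowsAuthentication
& $appcmd list config $site /section:$auth/basicAuthentication
& $appcmd list site $site
& $appcmd list apppool $pool /text:processModel.identityType
```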


SIMS SQL Server


The SIMS SQL Server requires no special configuration. However, user rights do need to be granted to the accounts that the web service and the change tracking service have been set to run under. To do this, create those users as SIMS users in System Manager and assign them rights to the AD Provisioning profile.

Securing Contact between the Provisioning Server and its Client(s)

In a typical deployment of the AD Provisioning system, the clients are not on the same secure network as the Provisioning Server: the clients are distributed over a wide geographical region and within multiple private networks. In this scenario, it is important that the communication channels between the clients and the server are as secure as possible. The recommendation is that, when the underlying connection is an Internet connection, a secure VPN is established to minimise the risk of data interception or client impersonation.

The system can be deployed directly over the Internet (or any other network capable of supporting the HTTP protocol). However, this is not recommended and should be considered insecure. Should you still choose to deploy in this scenario, you should minimise your risk by configuring the Web Servers to use SSL and then accessing all Web Servers via the HTTPS protocol.

Hardware Requirements
The following are the recommended hardware requirements for running the system as per the topology described in the section on deploying and securing the system. To maximise the capabilities of the system, it is recommended that the server is designated solely for use with SLG.

LA / Server Side Hardware

Provisioning Server
CPU          Intel 2.33 GHz Xeon or faster
Memory       4 GB
Hard Drive   A RAID 5 or 10 system providing 250 GB of storage
OS           Windows Server 2003 (32 or 64 bit) or Windows Server 2008 (64 bit)

NOTE: To take full advantage of a 64-bit operating system, SQL Server 2005 rather than SQL Server Express is required, as SQL Server Express runs under 32-bit emulation mode.

DMZ IIS Server
CPU          Intel 2.33 GHz Xeon or faster
Memory       2 GB
Hard Drive   250 GB
OS           Windows Server 2003 (32 or 64 bit) or Windows Server 2008 (64 bit)

Intranet IIS Server
CPU          Intel 2.33 GHz Xeon or faster
Memory       2 GB
Hard Drive   250 GB
OS           Windows Server 2003 (32 or 64 bit) or Windows Server 2008 (64 bit)

SIMS/Client Side Hardware

DMZ IIS Server
CPU          Intel 2.33 GHz Xeon or faster
Memory       2 GB
Hard Drive   250 GB
OS           Windows Server 2003 (32 or 64 bit)

NOTE: This system should not come under heavy load and can easily be shared with any other lightweight web facing applications the school may be running.

Change Tracking Service


This should be hosted on a machine that meets SIMS workstation requirements.

System Performance and Infrastructure Sizing

This section contains information that is based on provisional performance data and is subject to change as further testing is undertaken on the complete system. The performance tests undertaken to date show that, when deployed as recommended, the system processed around 20,000 simple requests in a 12 hour period. The limiting factor was shown to be the rate at which the domain controller itself was able to process the write operations. The creation of Exchange mailboxes slows down this process; however, this has not yet been measured.


Bandwidth requirements are relatively light, as the amount of information required per request is small and, because the server pulls data, the situation of a large volume of data being sent to the server at once is avoided. For most purposes, a 1Mbps or faster ADSL connection between the client (the school) and the server (the LA) should be sufficient.

Best Practices for Using Provisioned Accounts


As provisioning occurs automatically and largely transparently, it is important that care is taken over what rights provisioned accounts are granted automatically. Most importantly, provisioned accounts should not automatically be given any form of privileged access (for example, administrative rights or membership of the SharePoint Site Administrators group) or access to sensitive resources.

IMPORTANT NOTE: SIMS user accounts must be created before they are provisioned.

If you wish, for example, to place a provisioned account into the Site Administrators group and therefore give it more control over a SharePoint site, then this operation should be done manually through the Active Directory Management Console after verifying that the account does in fact belong to the person you expect.

NOTE: After a user account has been provisioned into Active Directory it can be moved around the domain's structure freely, as the AD Provisioning system finds users via a unique identifier and does not rely on the structure of your Active Directory.

Although you are free to create an Active Directory structure that meets your own needs, it is strongly recommended that you maintain the client-by-client grouping of Active Directory users and groups that the AD Provisioning system creates. This will allow you to delegate any additional management of each client's section of the Active Directory to a local administrator.

Provisioning Multiple Domains


There are three ways in which the Provisioning Server can be used to provision multiple domains. These approaches and their pros and cons are outlined in the following sections.

Single Provisioning Server


As each client is pointed at an area of your Active Directory using an LDAP path, it is possible to point each client at a different domain using the appropriate path. The downside of doing this is that the user account under which the Provisioning Server runs will require write access across your domain tree or forest. In a situation with forests and domain trees, there may also be issues of bandwidth between the location of the Provisioning Server and the various domain servers involved, and this could impact the performance of the Provisioning Server.


Multiple Provisioning Servers


It is possible to use multiple Provisioning Servers across your forest or domain tree, with each server pointed at one or more domain controllers. By using a multiple Provisioning Server configuration, you can restrict the access of the user accounts they run under to just the portion of your Active Directory they require, therefore limiting exposure in the event of a server being compromised. Furthermore, in situations of limited bandwidth between domain controllers, it is possible to place the Provisioning Servers close to the corresponding domain controller, thus avoiding bandwidth issues or failure due to any downtime across more tenuous network links. In short, multiple Provisioning Servers enable you to make best use of your network's topology.

Active Directory Provisioning and Multiple Domains


Active Directory Provisioning supports an environment in which multiple domains are used to store user accounts. A number of configurations are supported; for a small to medium sized environment it is recommended that a single Provisioning Service is used to service multiple domains. For larger environments it is recommended that a separate provisioning service is used to service each domain.

Figure 4 Small to medium environments


Figure 5 Larger environments

In both of the above scenarios it is important that the Active Directory Provisioning Service knows which domain to provision users into. This information must be specified when a client is registered using the Active Directory Management Console. The Organisational Unit Container Path field defines where the Active Directory Provisioning Service creates objects in Active Directory. By default this is LDAP://RootDSE (this specifies that the default domain should be used). To specify a path to a child domain, the format LDAP://[DOMAIN]/[DOMAIN DISTINGUISHED NAME] must be used. For example, the child1 domain, named child1.mydomain.co.uk, will have an organisational unit container path of LDAP://CHILD1/DC=childdomain,DC=mydomain,DC=co,DC=uk.
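As an added worked example (not part of this guide or of the AD Provisioning product), the following Python builds a container path in the LDAP://[DOMAIN]/[DISTINGUISHED NAME] format for a child domain and sanity-checks a configured path before a client is registered: it flags a malformed path, a DN that names no domain, a server label that disagrees with the first DC= component, and a DN pointing at a domain outside the set this Provisioning Server is meant to write to (the scoping concern raised under Multiple Provisioning Servers). It assumes that the label before the slash is the domain's first DNS label and that the DN consists only of OU=, CN= and DC= components.

```python
"""Build and sanity-check Organisational Unit Container Path values in the
LDAP://[DOMAIN]/[DISTINGUISHED NAME] format described above.

Added example, not Capita code. Assumptions: the server label before the slash
is the domain's first DNS label (its usual NetBIOS name), and the DN is made of
OU=, CN= and DC= components only, with every DC= after the containers."""
import re

DEFAULT_PATH = "LDAP://RootDSE"  # "use the default domain"
_PATH_RE = re.compile(r"^LDAP://([^/]+)/(.+)$", re.IGNORECASE)
_COMPONENT_RE = re.compile(r"(OU|CN|DC)=[^,=]+", re.IGNORECASE)


def build_container_path(dns_domain: str, containers: tuple[str, ...] = ()) -> str:
    """Derive a path from a DNS domain name and an optional OU chain, listed
    innermost first (e.g. ("Staff", "Schools") -> OU=Staff,OU=Schools,...)."""
    labels = [lab for lab in dns_domain.strip().lower().split(".") if lab]
    if not labels:
        return DEFAULT_PATH
    parts = [f"OU={ou}" for ou in containers] + [f"DC={lab}" for lab in labels]
    return f"LDAP://{labels[0].upper()}/{','.join(parts)}"


def check_container_path(path: str, allowed_domains: set[str]) -> list[str]:
    """Return the problems found with a configured path ([] if it looks sound).
    allowed_domains are the DNS domains this Provisioning Server is meant to
    write to, so a client registered outside that scope is flagged."""
    if path == DEFAULT_PATH:
        return []
    m = _PATH_RE.match(path)
    if not m:
        return ["path is neither LDAP://RootDSE nor LDAP://[DOMAIN]/[DN]"]
    server, comps = m.group(1), [c.strip() for c in m.group(2).split(",")]
    if not all(_COMPONENT_RE.fullmatch(c) for c in comps):
        return ["DN contains a component that is not OU=, CN= or DC="]
    dcs = [c.split("=", 1)[1].lower() for c in comps if c.upper().startswith("DC=")]
    if not dcs:
        return ["DN has no DC= components, so it names no domain"]
    problems = []
    first_dc = next(i for i, c in enumerate(comps) if c.upper().startswith("DC="))
    if any(not c.upper().startswith("DC=") for c in comps[first_dc:]):
        problems.append("OU=/CN= components must all precede the DC= components")
    domain = ".".join(dcs)
    if domain not in {d.lower() for d in allowed_domains}:
        problems.append(f"DN names {domain}, outside this server's permitted domains")
    if server.lower() != dcs[0]:
        problems.append(f"server label {server} does not match the first DC= ({dcs[0]})")
    return problems
```

Running the check over each client's configured path before registration gives an early warning that a Provisioning Server is about to be pointed at a domain its service account was never meant to write to.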

Custom Scripts
It is possible to customise the supplied scripts to provision to multiple domains. However, this is only recommended when you have specialist provisioning requirements that are not catered for by the supplied functionality, for example if you want to provision to different domains conditionally (based on role, say). For more details on customising scripts contact CCS Technical Services.


Backups
The only aspect of the system where information is persisted outside of Active Directory itself is the SQL Server database installed on the Provisioning Server. This is used to hold logs, client information, created user account information and pending changes. It is important that you arrange for regular backups of this database in order to facilitate a rapid recovery in the event of hardware failure.

Should you be unable to restore this SQL Server database from a backup, then you will need to re-register all your clients, and it is likely that pending changes will be lost and clients will be out of sync with the Provisioning Server. This is likely to result in queues being stopped for affected clients. If this should occur, then instructing your clients to use the re-provision changes functionality to transfer full information again will resolve the problem, but your system may be offline to some users until the process is complete.

Due to the criticality of the database in managing the Active Directory provisioning requests, it is recommended that you store the database on a resilient parity based RAID system, to provide redundancy and minimise impact to clients in the event of a hardware failure. Please refer to the hardware requirements for further details.

Appendices
Appendix A Consolidating the Deployment
Appendix B Migration from Earlier Versions of SLG Provisioning
Appendix C Using ConfigureDBPermissions to set SQL Server Permissions
Appendix D Setting up Email Notifications using ConfigureEmailNotifications
Appendix E Further Reading

Appendix A Consolidating the Deployment


It is recognised that some users will wish to deploy the system onto a smaller number of physical machines than is recommended in this guide, and this section gives advice on how best to do this for both the server and client.

IMPORTANT NOTE: Although the system will function when deployed in this manner, Capita does not support this configuration as a secure system, and by deploying in this fashion you must accept that you are exposing yourself to a greater risk of system compromise than if you deploy using the advice elsewhere in this guide. This is particularly the case if any aspect of your system connects to the Internet.

Consolidating the Provisioning Server


The recommended deployment for the Provisioning Server requires three physical machines and restricts access to the main server itself to machines hosting web services and websites. It is possible to use either two machines or just a single machine to host the system.


Consolidating to Two Physical Machines


If you wish to host the system on two physical machines, then it is recommended that the Administration Web Services and Provisioning Server are hosted on one physical machine and a DMZ is kept in place to isolate your Provisioning Server from the clients, particularly if any connections to those clients run over the Internet. This results in a topology as follows:

Figure 6 Topology for consolidating to two machines


Consolidating to a Single Machine


It is possible to deploy the entire Provisioning Server onto a single machine. However, by doing so you are placing a machine with write access to your Active Directory into an exposed public facing position (particularly if any Internet connections are involved). Given the number of services hosted, this will present a large surface to attack by anyone wishing to compromise your network. A deployment of this kind has the following topology:

Figure 7 - Topology for consolidating to a single machine


Single Site, Single Machine


If you are deploying the entire system on a single site it is possible to also host the change tracking system on this machine. As there are no external connections involved, the risks associated with the other forms of consolidation are not relevant. However, you should take care to secure this server within your LAN. The topology for this kind of deployment is as follows:

Figure 8 - Topology for single site, single machine

Consolidating the Client


This section is work in progress and this document will be updated shortly with this information.

Appendix B Migration from Earlier Versions of SLG Provisioning


Before carrying out the migration of data from SLG 1 to SLG 2, ensure that the following activities have been carried out:

- ADPS has been installed and the Provisioning Database has been configured.
- An ADP Client has been created solely for use during the migration process.
- SLG 1 has been installed with administrative rights to ADAM and AD on the Domain Controller.

IMPORTANT NOTE: The Schema Extensions must have been run before beginning the migration.


To migrate data from SLG 1 to SLG 2:

1. Create an AD Provisioning Client with a dummy school name.
2. Run SQLMigration.exe from the command prompt and specify the following parameters:
   - ADP Server name
   - Database name
   - Database user ID and password
   - The school's OU for SLG 1
   - The school's OU for SLG 2
   - The ADAM port number and distinguished (root) name.
3. Import the configuration.xml file from the Management Console and create a Provisioning Service in SIMS.
4. Edit the MigrateGroups.sql file with the correct service code (created in the Provisioning Service in SIMS).
5. Run the MigrateGroups.sql file on the SIMS database.
6. Run the Change Tracking Service to transfer the Groups information onto the Provisioning Server. This ensures the information is available for the SLG 2 site creation process.

Appendix C Using ConfigureDBPermissions to set SQL Server Permissions


During deployment of the provisioning system various user accounts are created or selected, and some of these require permissions to be granted on the database. This can be done using the supplied configuration tool, ConfigureDBPermissions.exe, which is located in the same folder as the provisioning server was installed to (by default: C:\Program Files\SIMS\adpserver\provisioning).

This tool is able to create SQL logins linked to Windows accounts or SQL Server type accounts using the options in the Create Account part of the dialog. In the Set Access Rights section of the dialog, rights can be granted to and revoked from the created accounts. As a shortcut, if the Automatically grant rights after account creation option is selected, then when an account is created the appropriate grants will be given to the account.

Please note that this tool does not allow logins to SQL Server to be deleted, and if your requirements go beyond the basic functionality provided by this tool, then you will need to use SQL Server Management Studio or write appropriate SQL scripts yourself.


Appendix D Setting up Email Notifications using ConfigureEmailNotifications


ConfigureEmailNotifications.exe can be used to send notifications of errors and warnings experienced by users in SLG to the system administrator. This exe is located in the same folder as the provisioning server was installed to (by default: C:\Program Files\SIMS\adpserver\provisioning).

1. Double-click ConfigureEmailNotifications.exe to display the Configure Email Notifications dialog.
2. In the Email Settings panel, enter the address of your normal email exchange server in the SMTP Server field.
3. Enter the email address of the originator of the email in the From field. This will usually be the email address of the system administrator.
4. In the To field, enter the email address of the intended recipient of the email. This may also be the email address of the system administrator.
5. The Subject field will be populated automatically.
6. Select the check box adjacent to the appropriate Notification Level, e.g. Error or Warnings, to specify the nature of the notification.
7. Click the Test Settings button to send the email to the intended recipient. The recipient should check their inbox to ensure that the email has been received successfully.
8. Click the OK button. The details entered in the Email Settings panel will be retained for use the next time ConfigureEmailNotifications.exe is run.

Appendix E Further Reading


The following links provide useful background material on deploying servers and services in a secure manner:

http://www.microsoft.com/technet/security/guidance/serversecurity.mspx
http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/default.mspx
