Revision History
Version     Change Description                                                Date
7.120 1.0   Initial Release                                                   11/08/2009
7.120 1.1   Updated client operating system compatibility information. For    12/01/2011
            more information, please see Supported Operating Systems at the
            Client on page 2.
Capita Business Services Ltd 2011. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, translated or transmitted without the express written consent of the publisher. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Capita Childrens Services, Franklin Court, Priory Business Park, Bedford, MK44 3JZ Tel: 01234 838080 Fax: 01234 832082 http://sims.capita-cs.co.uk
Contents
Appendices .................................................................. 21
Appendix A Consolidating the Deployment ...................................... 21
    Consolidating the Provisioning Server .................................... 21
    Consolidating the Client ................................................. 24
Appendix B Migration from Earlier Versions of SLG Provisioning ............... 24
Appendix C Using ConfigureDBPermissions to set SQL Server Permissions ........ 25
Appendix D Setting up Email Notifications using ConfigureEmailNotifications .. 26
Appendix E Further Reading ................................................... 26
Introduction
This document outlines the overall design of the Capita Children's Services Active Directory Provisioning System, along with installation requirements and best practice advice for securing the system. For end user documentation, please refer to the Active Directory Provisioning 2 for System Administrators handbook, which will be available on product release.
IMPORTANT NOTE: It is assumed that the reader is familiar with networking and security concepts.
Product Scope
Supported Active Directory Versions
This SIMS product is compatible and supported to operate with the following system versions:
- Microsoft Active Directory 2008 operating under Windows Server 2008 Native Mode.
- Microsoft Active Directory 2008 operating under Windows Server 2003 Native Mode.
- Microsoft Active Directory 2008 operating under Windows Server 2000 Compatibility Mode.
- Microsoft Active Directory 2003 operating under Windows Server 2003 Native Mode.
- Microsoft Active Directory 2003 operating under Windows Server 2000 Compatibility Mode.
Active Directory Provisioning: Technical Guide
We expect this product to operate with other Active Directory platforms and configurations but our testing, and therefore formal support at launch, will be limited to the above.
Data Provisioned
This SIMS product enables schools and Local Authorities to create and maintain Active Directory accounts for the following SIMS roles:
- Students (current pupil/students)
- Parents (pupil/student and applicant contacts, using SIMS terminology)
- Staff (teaching and non-teaching staff)
- Pupil/student applicants (accepted or admitted in advance of their Date of Admission).
The following person attributes in SIMS are used for this purpose:
- Legal Surname creates the Surname AD attribute
- Legal Forename creates the Forename AD attribute
- Main Email Address creates the Email Address.
The following are the attributes that can be used, in any partial combination in a template, to create user names and email addresses:
- Legal Surname
- Legal Forename
- Middle Name(s)
- Title
- School Name
- Two digit Admission Year Representation, e.g. 06 (pupil/students only)
- Four digit Admission Year Representation, e.g. 2006 (pupil/students only)
- Cohort: user definable code for representing the pupil/student's cohort (pupil/students only)
- User-defined Character String.
Passwords are generated by an algorithm and a change of password is forced when logging in for the first time.
The following security or distribution groups may be created and maintained within the Active Directory using groups within SIMS:
- All Staff
- All Teachers
- All Parents
- All Students
- Parents by Year Group
- Students by Year Group
- Students by Registration Group
- Students by School Houses
- Students by Academic Class
- Students by Cohort
- SIMS System Manager Groups.
System Design
The provisioning system consists of two main components:
- the Provisioning Server
- the Provisioning Client.
The Provisioning Client tracks changes in a school's SIMS database or, in the case of a central Local Authority hosted solution, multiple SIMS databases. The Provisioning Server then gathers these changes from the clients and applies them to an Active Directory. A conceptual model of the system is shown in the following diagram:
IMPORTANT NOTE: As supplied, a Provisioning Server communicates with a single domain. However, it is possible to provision multiple domains from a single site. For more information, please see Provisioning Multiple Domains on page 16.
Provisioning Client
The Provisioning Client consists of three main components: SIMS, a change tracking application and a web service. The school level features for configuring the Provisioning Client are provided in SIMS as a setup screen. This includes options for selecting the people to provision and pointing the system towards the Provisioning Server by importing a configuration file.
NOTE: The specific entities set up by the administrator of the Provisioning Server and domain control determine what kind of information is provisioned to the Active Directory. The Provisioning Client serves to provide this information.
It is highly recommended that you install the Client Interface Web Services to the default location (C:\Program Files\SIMS\ADPServer\) as this makes it possible to automatically update the software for future releases.
The change tracking application is designed to be run as a task in Microsoft Windows Scheduler at a time and frequency of the school's choosing. Although it places no load on the Provisioning Server (it just pings it when it has new changes), it is recommended that the task is run overnight to prevent it from interfering with the normal running of SIMS. The application can also be run directly by users, although in normal operation this should not be necessary. The changes detected by this application are stored in the SIMS SQL Server database until gathered by the Provisioning Server. The web service allows the Provisioning Server to gather these changes securely from the school.
Provisioning Server
The Provisioning Server consists of a number of components. The core of the Provisioning Server is a Windows Service that processes pending requests from clients and undertakes changes against the Active Directory by way of a set of ADSI-based VB Scripts that are accessible to the administrator. The benefits of exposing the interactions in this manner are twofold:
1. The interactions with the Active Directory can be verified by a network administrator who is familiar with the target directory, to validate their robustness when run against that directory.
2. A network administrator can customise the scripts. Customisations can be wide ranging, from small tweaks to the scripts through to wholesale replacement, including, for example, writing the output to files rather than directly to the directory.
The Windows Service is the only component of the server that requires any form of write access to the Active Directory. The service retrieves information about pending requests and clients, and stores logging information in a SQL Server 2005 Express database. At the time of writing, there are no indications that using the full version of SQL Server 2005 (as opposed to the Express version) offers any benefits, as the database usage is relatively light.
All interactions with the Provisioning Server are performed via web services:
- Provisioning Client interfaces: these allow the Provisioning Clients to notify the Provisioning Server of new changes.
- Provisioning Server Administration interfaces: these allow the Provisioning Server to be configured and management tasks to be undertaken, e.g. registering a client or consolidating an account.
NOTE: When consolidating accounts, there may be a small delay before the accounts are consolidated and show up in AD or SharePoint.
A browser-based management console is provided to allow the administration functions to be performed by an end user. These administration functions include:
- Registering clients
- Viewing logs
- Stopping and starting clients.
For more information regarding the functionality of the console, please refer to the Active Directory Provisioning 2 for System Administrators handbook, which will be available on product release.
- capitachildrensservicesMasterClientGuid
- capitachildrensservicesClientEntityGuids
- capitachildrensservicesSecurityAnswer
- capitachildrensservicesSecurityQuestion
The attributes are created with OIDs in a range allocated to Capita by Microsoft, and the capitachildrensservices naming prefix has also been registered with Microsoft to ensure that there are no clashes with schema extensions made by other third parties.
Before installing the schema, it is highly recommended that you take a backup of your existing schema. To install the schema, run the ProvisioningSchemaExtensions.vbs file that can be found in the folder the provisioning server was installed into. It is suggested that this script is run directly on the root domain controller that is hosting the Active Directory schema container.
NOTES:
- If you are running a Windows 2000 based Active Directory, schema extensions are disabled by default and you will need to enable them before you can perform the upgrade. For information on how to do this, please refer to the Microsoft documentation.
- This operation may take several minutes to complete and even longer to replicate across a domain tree.
Provisioning Server
The recommended topology for the Provisioning Server is shown in the following diagram. The aim of this topology is to limit access to the Provisioning Server itself particularly from any machine that is not fully trusted.
Figure 2 Recommended topology
Details of the various components are outlined in the following sections. All components can be deployed individually via a standard installer.
SLG DMZ
Please refer to the SIMS Learning Gateway 2 Technical Guide for information on this system and more detailed information on how it integrates with AD Provisioning. It is only shown here to highlight the link between it and the account management web services.
- The client interface web services
- The administration web services
- The Windows Service on the Provisioning Server itself.
1. To use domain authentication to authenticate clients. Where domain authentication is in use, the accounts assigned to clients for the purpose of provisioning should have no privileges beyond those necessary for establishing communication with this Web Server and performing the necessary SIMS tasks. For more information, please see Provisioning Client on page 12.
2. To use basic authentication. In this scenario your Web Server should be configured to run using SSL and each client should be provided with a unique username and password. Details of how to configure an IIS website to run under SSL can be found in Microsoft's IIS documentation.
Under no circumstances should the site be configured to allow anonymous access.
No personal information, or information that directly feeds into the items being provisioned, is transmitted over this web service. Therefore, unless basic authentication is in use, there is no need to secure the site with SSL.
The application pool in whose context the web service runs should be configured to use the Network Service account. The Network Service account is a built-in account with a minimal set of privileges on the local computer; it accesses network resources (such as SQL Server) using the credentials of the computer account.
Provisioning Client
The recommended topology for the Provisioning Client (or each Provisioning Client in the case of multiple SIMS systems) is shown in the following diagram. The main aim of this topology is to isolate the SIMS Server from direct access to the Internet via a DMZ.
Figure 3 Provisioning client topology
The various components shown on the diagram can be installed via a standard installer and are described in more detail in the following sections.
Hardware Requirements
The following are the recommended hardware requirements for running the system as per the topology described in the section on deploying and securing the system. To maximise the capabilities of the system, it is recommended that the server is designated solely for use with SLG.
NOTE: To take full advantage of a 64-bit operating system, SQL Server 2005 rather than SQL Server Express is required, as SQL Server Express runs under 32-bit emulation mode.
NOTE: This system should not come under heavy load and can easily be shared with any other lightweight web facing applications the school may be running.
Bandwidth requirements are relatively light: the amount of information required per request is small, and because the server pulls data rather than having it pushed, the situation of a large volume of data arriving at the server at once is avoided. For most purposes, a 1Mbps or faster ADSL connection between the client (the school) and the server (the LA) should be sufficient.
Figure 5 Larger environments
In both of the above scenarios it is important that the Active Directory Provisioning Service knows which domain to provision users into. This information must be specified when a client is registered using the Active Directory Management Console. The Organisational Unit Container Path field defines where the Active Directory Provisioning Service creates objects in Active Directory. By default this is LDAP://RootDSE (this specifies that the default domain should be used). To specify a path to a child domain, the format LDAP://[DOMAIN]/[DOMAIN DISTINGUISHED NAME] must be used. For example, the child1 domain, named child1.mydomain.co.uk, will have an organisational unit container path of LDAP://CHILD1/DC=childdomain,DC=mydomain,DC=co,DC=uk.
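The container path format described above, as an added example that is not part of the product or this guide: a small Python helper that derives LDAP://[DOMAIN]/[DISTINGUISHED NAME] from a child domain's DNS name, escapes OU names per RFC 4514 so that punctuation in school data (a comma in a school name, say) cannot alter the DN structure, and checks a path before it is entered at client registration. It assumes the short domain label is the first DNS label in upper case, as in the CHILD1 example; the OU names used are constructed.

```python
import re

# Added example, not product code. Builds and checks the Organisational Unit
# Container Path format documented for child domains: LDAP://[DOMAIN]/[DN].
# Assumption: the short domain label equals the first DNS label in upper case
# (CHILD1 for child1.mydomain.co.uk); confirm it against the real NetBIOS name.

DEFAULT_CONTAINER_PATH = "LDAP://RootDSE"   # default domain, as documented

_DNS_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_PATH = re.compile(r"^LDAP://([A-Za-z0-9.-]+)/(.+)$")
_RDN_SPECIAL = ',+"\\<>;='


def escape_rdn_value(value: str) -> str:
    """Escape an RDN attribute value per RFC 4514, so that an OU name taken
    from school data (e.g. "Smith, J") cannot add or split DN components."""
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in "# "
        trailing = i == len(value) - 1 and ch == " "
        out.append("\\" + ch if ch in _RDN_SPECIAL or leading or trailing else ch)
    return "".join(out)


def dns_to_dn(dns_name: str) -> str:
    """child1.mydomain.co.uk -> DC=child1,DC=mydomain,DC=co,DC=uk"""
    labels = dns_name.strip().rstrip(".").split(".")
    if len(labels) < 2 or not all(_DNS_LABEL.match(lab) for lab in labels):
        raise ValueError(f"not a valid DNS domain name: {dns_name!r}")
    return ",".join(f"DC={lab}" for lab in labels)


def container_path(dns_name: str, ou_names=()) -> str:
    """Return LDAP://[DOMAIN]/[OU=...,]DC=... for a child domain. ou_names are
    given root-first (e.g. ["SIMS", "Students"]) and emitted leaf-first."""
    short = dns_name.split(".")[0].upper()   # assumption: short name == first label
    rdns = [f"OU={escape_rdn_value(n)}" for n in reversed(ou_names)]
    return f"LDAP://{short}/" + ",".join(rdns + [dns_to_dn(dns_name)])


def is_valid_container_path(path: str) -> bool:
    """True for LDAP://RootDSE or a well-formed LDAP://[DOMAIN]/[DN] whose DN
    consists of OU/CN/DC components and ends in at least two DC= components."""
    if path == DEFAULT_CONTAINER_PATH:
        return True
    m = _PATH.match(path)
    if not m:
        return False
    rdns = re.split(r"(?<!\\),", m.group(2))   # split on unescaped commas only
    if not all(re.match(r"^(OU|CN|DC)=.+$", r) for r in rdns):
        return False
    dcs = [r for r in rdns if r.startswith("DC=")]
    return len(dcs) >= 2 and rdns[-len(dcs):] == dcs
```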
Custom Scripts
It is possible to customise the supplied scripts to provision to multiple domains. However, this is only recommended when you have specialist provisioning requirements that are not catered for by the supplied functionality, for example if you want to provision to different domains conditionally (based on role, say). For more details on customising scripts, contact CCS Technical Services.
Backups
The only aspect of the system where information is persisted outside of Active Directory itself is the SQL Server database installed on the Provisioning Server. This is used to hold logs, client information, created user account information and pending changes. It is important that you arrange for regular backups of this database in order to facilitate a rapid recovery in the event of hardware failure. Should you be unable to restore this SQL Server database from a backup, then you will need to re-register all your clients, and it is likely that pending changes will be lost and clients will be out of sync with the Provisioning Server. This is likely to result in queues being stopped for affected clients. If this should occur, then instructing your clients to use the re-provision changes functionality to transfer full information again will resolve the problem, but your system may be offline to some users until the process is complete. Due to the criticality of the database in managing the Active Directory provisioning requests, it is recommended that you store the database on a resilient, parity-based RAID system, to provide redundancy and minimise the impact to clients in the event of a hardware failure. Please refer to the hardware requirements for further details.
Appendices
To migrate data from SLG 1 to SLG 2:
1. Create an AD Provisioning Client with a dummy school name.
2. Run SQLMigration.exe from the command prompt and specify the following parameters:
   - ADP Server name
   - Database name
   - Database user ID and password
   - The school's OU for SLG 1
   - The school's OU for SLG 2
   - The ADAM port number and distinguished (root) name.
3. Import the configuration.xml file from the Management Console and create a Provisioning Service in SIMS.
4. Edit the MigrateGroups.sql file with the correct service code (created in the Provisioning Service in SIMS).
5. Run the MigrateGroups.sql file on the SIMS database.
6. Run the Change Tracking Service to transfer the Groups information onto the Provisioning Server. This ensures the information is available for the SLG 2 site creation process.