Automating Active Directory Management - PowerPoint PPT Presentation

1
Automating Active Directory Management
Robbie Allen, Cisco Systems
May 21st, 2002, Directory Experts Conference
2
Topics
  • Introduction
  • Build or Buy?
  • Automated Migration to Active Directory
  • Web-based Management Tools for Active
    Directory
  • Automated Maintenance of Active Directory
  • Question and Answer

3
Introduction
4
Active Directory Project at Cisco
  • Windows 2000 JDP member
  • Applied lessons learned from deploying other
    services (DNS, DHCP, NT4, etc.)
  • Political issues were harder to solve than the
    technical ones
  • Team consists of 9 people from various groups,
    4 of which do development/automation
  • Have fully deployed Domain Controllers (13
    sites)
  • Started migrating users in August 2001
  • Will start migrating resources in August 2002

5
Goals of Deployment
  • Architect it right the first time around
  • Pizza-box hardware platform allows for
    horizontally scalable service
  • Automate processes and proxy access to reduce
    the amount of manual work required to support
    AD
  • High availability - limited impact due to DC
    failures
  • Reduce the number of people that need direct
    admin access
  • Make decisions based on demonstrated need, not
    potential need
  • Be able to support new forests in the future
    with little additional incremental support cost

6
Build or Buy?
7
Build Pros and Cons
  • Pros
      • Can customize to meet your specific needs
      • Can integrate more easily into existing
        enterprise management infrastructure
      • Can fix bugs and add new features much quicker
      • Can include any necessary business logic
  • Cons
      • Requires valuable programming expertise
      • Will take a significant amount of time to develop
        and test
      • You build it, you support it

8
Build Active Directory APIs
  • LDAP
      • Many different flavors
      • RFC 1823 C-style API
      • Net::LDAP Perl modules
  • JNDI
      • Platform independent!
      • Directory independent, although the schema
        will vary
  • ADSI
      • Uses LDAP behind the scenes to access AD
      • Easier to use than LDAP
      • API of choice on the Windows platform

9
Buy Pros and Cons
  • Pros
      • Can get something up and running quickly
      • May include many nice-to-have features that
        you would not have developed on your own
      • Less prone to have bugs
  • Cons
      • Not a silver bullet
      • Harder to integrate into existing infrastructure
      • Lack of a granular security model
      • Slower turnaround on new features or bug fixes
      • Support costs should be considered

10
Buy Active Directory Tool Vendors
11
Build or Buy?
  • Not mutually exclusive
  • Depends on
      • Available resources
      • Available APIs
      • Maturity of tools
      • Timeline
      • Budget
      • Goals
  • Odds are you will need to do both
  • At Cisco we tend to build over buy, but we do
    an evaluation first

12
Automated Migration to Active Directory
13
Automated Migration Challenges
  • Analogous to jumping from one moving car to
    another
  • Challenges include
      • Providing seamless access to resources
      • Retaining all desktop settings
      • Educating users why the migration is
        necessary/important
      • Minimizing downtime
      • Staying within budget
  • If unsuccessful, you could severely impact the
    business!
  • The only way to accomplish all of it is to automate

14
Automated Migration Cisco Solution - Backend
  • Scripts run daily to do the following
      • Populate user accounts in AD
      • Migrate group accounts from NT4 to AD
      • Migrate SIDs from NT4 to AD
      • Change the logon script setting for targeted
        NT4 users to the AD migration script
  • Passwords were the only thing we could not
    migrate (ADMTv2 may help)
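A defender-side check that belongs next to the "Migrate SIDs from NT4 to AD" step, as an added example in Python (not the deck's migration scripts): it decodes the binary form AD stores in objectSid/sIDHistory and flags any sIDHistory value that does not come from a known NT4 source domain, which the nightly scripts could never have written. The domain SIDs and account names are constructed.

```python
import struct

def sid_to_string(blob):
    """Binary SID (objectSid / sIDHistory wire format) -> 'S-1-5-21-...' text form."""
    if len(blob) < 8 or blob[0] != 1 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")        # 48-bit identifier authority, big-endian
    subs = struct.unpack("<%dI" % blob[1], blob[8:])     # sub-authorities, little-endian DWORDs
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)

def string_to_sid(text):
    """Inverse of sid_to_string; used here only to build the constructed sample data."""
    parts = text.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("malformed SID string")
    subs = [int(p) for p in parts[3:]]
    return bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def domain_of(sid):
    """Strip the RID: 'S-1-5-21-a-b-c-1105' -> 'S-1-5-21-a-b-c'."""
    return sid.rsplit("-", 1)[0]

def audit_sid_history(accounts, source_domain_sids):
    """Return (sAMAccountName, sid) for every sIDHistory value whose domain is not a known
    NT4 source domain. Those entries did not come from the migration and need a human look."""
    findings = []
    for name, history in accounts:
        for blob in history:
            sid = sid_to_string(blob)
            if domain_of(sid) not in source_domain_sids:
                findings.append((name, sid))
    return findings

# Constructed sample (not real SIDs): NT4_DOMAIN is the migrated source domain, OTHER an unrelated one.
NT4_DOMAIN = "S-1-5-21-123456789-234567890-345678901"
OTHER = "S-1-5-21-987654321-876543210-765432109"
SAMPLE_ACCOUNTS = [
    ("jdoe", [string_to_sid(NT4_DOMAIN + "-1105")]),
    ("asmith", [string_to_sid(NT4_DOMAIN + "-1203"), string_to_sid(OTHER + "-1107")]),
]
```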

15
Automated Migration Cisco Solution - Frontend
  • GUI app gets launched from the NT4 logon script
  • High-level list of actions performed
      • Enables AD user account
      • Places AD account into local administrators group
      • Copies NT4 account profile settings to AD account
      • Creates computer account in AD
      • Joins computer to AD
      • Sets user's password in AD
      • Reboots machine
  • Each action is written to a log file on the
    local machine
  • Rollback feature allows for seamless recovery if
    a critical error occurs
  • Only input needed from the user is the password to set
    in AD

16
Automated Migration Cisco Solution - Frontend
17
Automated Migration Cisco Solution - Frontend
18
Automated Migration Cisco Solution - Frontend
19
Automated Migration Cisco Solution - Frontend
20
Automated Migration Cisco Solution - Result
  • Migrated 41,000 users (93% of company) in 7
    months with limited resources
  • Less than 1% failure rate
  • $631.20 per desktop to migrate from Win9x to
    Win2K and AD
  • Industry average $2000-3100 per desktop
  • Many lessons learned
      • Multi-master issues
      • Slow logon problems
      • Application compatibility issues
      • Trust expectations
  Source: Gartner Group

21
Web-based Management Tools for Active Directory
22
Web-based Mgmt Tools Background
  • Why not use MMC?
      • GUI is hard to support in large enterprise
        environments
      • Not easy to customize or integrate with existing
        apps
      • Hard to build enforceable processes (e.g.
        supporting multiple forests)
      • Problematic in some situations (e.g. setting
        passwords)
      • No bulk update functionality
      • No transaction logging
  • Why use web-based tools?
      • Customized feature set and business logic
      • Client already installed
      • Can do as much logging as necessary
      • Can streamline processes
      • Can provide access to data not available via any
        MMC

23
Web-based Mgmt Tools Cisco Solution - ADAM
24
Web-based Mgmt Tools Cisco Solution - ADAM
  • AD Account Mgmt (ADAM)
  • Replacement for web-based NT4 Account Management
    tool
  • Primary interface for support staff and technical
    response center to manage users, groups, and
    computer accounts
  • All users have ability to reset their password,
    manage their groups, create computer accounts
  • Group Management functionality will not be
    incorporated until NT4 migrations are complete
  • Bulk Update page reduces the need for other
    groups to develop automation scripts

25
Web-based Mgmt Tools Cisco Solution - ADRM
26
Web-based Mgmt Tools Cisco Solution - ADRM
27
Web-based Mgmt Tools Cisco Solution - ADRM
  • AD Replication Mgmt (ADRM)
  • Search and browse the AD site topology for a
    forest
  • Modify site topology in the DB (will get
    provisioned later)
  • Site Detail page includes all the DCs, subnets,
    links, and routers in the site
  • Topology generation page provides a graphical
    view into the AD site topology
  • Reports section contains links to the site
    topology generation and injection output,
    including useful exception reports

28
Web-based Mgmt Tools Cisco Solution - ADFM
29
Web-based Mgmt Tools Cisco Solution - ADFM
  • AD Forest Mgmt (ADFM)
  • Manage list of supported forests
  • Manage the mapping of what data gets provisioned
    in each forest
  • Manage OUs per forest
  • Manage the list of supported applications
  • Update login scripts and monitor login script
    replication
  • Misc. forest query tools (e.g. RootDSE, list of
    DCs/GCs, etc.)

30
Web-based Mgmt Tools Cisco Solution - ADSM
31
Web-based Mgmt Tools Cisco Solution - ADSM
  • AD Schema Mgmt (ADSM)
  • Search or browse classes or attributes
  • View detailed information about classes or
    attributes
  • Parse and verify new extensions by uploading LDIF
    files
  • Extend the schema with a verified set of
    extensions
  • Made available to Engineering for testing Cisco
    product schema extensions
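An added example (Python, not the ADSM code) of the "parse and verify" step for uploaded LDIF schema extensions: a minimal LDIF reader plus the checks a schema admin wants before anything is applied, namely required attributes present, no attributeID or lDAPDisplayName clash with each other or with the existing schema, and an attributeSyntax/oMSyntax pair that agrees. The LDIF and its OID arc are constructed.

```python
import re
# Constructed LDIF (not from the deck); 99999 is a placeholder OID arc. The second entry's oMSyntax 64 (Unicode string) contradicts its attributeSyntax 2.5.5.9 (integer).
SAMPLE_LDIF = """\
dn: CN=example-Good-Attr,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.99999.1.1
lDAPDisplayName: exampleGoodAttr
attributeSyntax: 2.5.5.12
oMSyntax: 64

dn: CN=example-Bad-Attr,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.99999.1.2
lDAPDisplayName: exampleBadAttr
attributeSyntax: 2.5.5.9
oMSyntax: 64
"""
SYNTAX_PAIRS = {"2.5.5.12": "64", "2.5.5.9": "2", "2.5.5.8": "1", "2.5.5.1": "127"}  # attributeSyntax -> oMSyntax
REQUIRED = ("attributeID", "lDAPDisplayName", "attributeSyntax", "oMSyntax")
def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, returns one {attr: [values]} dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry.setdefault(key.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def verify_extensions(text, existing_ids=(), existing_names=()):
    """Return (dn, problem) pairs; existing_* hold values already present in CN=Schema. Empty list = safe to apply."""
    problems = []
    seen = {"attributeID": set(existing_ids), "lDAPDisplayName": {n.lower() for n in existing_names}}
    for e in parse_ldif(text):
        dn = e.get("dn", ["?"])[0]
        if "attributeSchema" not in e.get("objectClass", []):
            continue  # classSchema entries are out of scope for this checker
        if any(a not in e for a in REQUIRED):
            problems.append((dn, "missing one of " + ", ".join(REQUIRED)))
            continue
        for attr in ("attributeID", "lDAPDisplayName"):
            value = e[attr][0].lower()  # display names compare case-insensitively; OIDs are unaffected
            if value in seen[attr]:
                problems.append((dn, "duplicate %s %s" % (attr, value)))
            seen[attr].add(value)
        if SYNTAX_PAIRS.get(e["attributeSyntax"][0]) != e["oMSyntax"][0]:
            problems.append((dn, "attributeSyntax/oMSyntax mismatch"))
    return problems
```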

32
Web-based Mgmt Tools Cisco Solution - Result
  • Developed several tools that manage many
    aspects of Cisco's AD infrastructure
  • Allows us to support additional forests in the
    future with limited overhead
  • Each app has its own provisioning component
  • Multi-master replication has been problematic
  • Team of 3 people develop and support the apps

33
Automated Maintenance of Active Directory
34
Automated Maintenance Background
  • Goal: Provision as much data as possible, and
    master as little data as possible in AD
  • Reduce TCO and resource requirements by
    automating
  • Benefits of automating data maintenance in AD
      • Repeatable process that can be used for other
        forests
      • Easier to troubleshoot data integrity issues
      • Can keep history of changes made
      • Have clean-up processes that remove stale data
      • Streamline processes, limiting manual
        intervention
  • Get creative with potential data sources!

35
Automated Maintenance Cisco Solution
  • Employees (feed from HR)
  • Groups (from NT4)
  • SID History (from NT4)
  • Mailboxes (feed from DB)
  • Mail Aliases (feed from Email Group)
  • Printers (feed from Printer Group)
  • Site Topology (from Router Config File
    Repository)
  • Schema Extensions (from ADSM)
  • Organizational Units (from ADFM)
  • DC Config (DNS settings, Event Logs settings,
    Hotfixes)
  • Stale Computers (from AD)
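For the last item, stale computer clean-up, an added example in Python (not Cisco's process) of the staleness test a nightly job would run: the FILETIME conversion AD timestamps need, an LDAP filter for enabled computer accounts with an old pwdLastSet, and the same rule applied to constructed records. It uses pwdLastSet rather than lastLogon because machine accounts rotate their password every 30 days by default and pwdLastSet replicates, whereas Windows 2000 lastLogon does not.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(when):
    """datetime -> Windows FILETIME (100 ns ticks since 1601-01-01 UTC), the encoding AD uses for pwdLastSet."""
    return ((when - EPOCH_1601) // timedelta(microseconds=1)) * 10

def from_filetime(ticks):
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def stale_computer_filter(now, max_age_days=90):
    """LDAP filter for enabled computer accounts whose machine password has not rotated in max_age_days."""
    cutoff = to_filetime(now - timedelta(days=max_age_days))
    return ("(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
            "(pwdLastSet<=%d))" % cutoff)   # 1.2.840.113556.1.4.803 = bitwise AND rule; 2 = ACCOUNTDISABLE

def find_stale(records, now, max_age_days=90):
    """Return names whose pwdLastSet (or whenCreated, when pwdLastSet is 0/None) is older than the cutoff."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for name, pwd_last_set, created in records:
        last_seen = from_filetime(pwd_last_set) if pwd_last_set else created
        if last_seen < cutoff:
            stale.append(name)
    return stale

# Constructed sample records (sAMAccountName, pwdLastSet as FILETIME or None, whenCreated); not real Cisco data.
NOW = datetime(2002, 5, 21, tzinfo=timezone.utc)
SAMPLE = [
    ("WS-ACTIVE$", to_filetime(NOW - timedelta(days=3)), NOW - timedelta(days=400)),
    ("WS-STALE$", to_filetime(NOW - timedelta(days=200)), NOW - timedelta(days=400)),
    ("WS-NEW$", None, NOW - timedelta(days=5)),
    ("WS-ORPHAN$", None, NOW - timedelta(days=150)),
]
```

Accounts the filter returns are candidates for disabling first and deleting later, with the log the deck recommends kept for each action.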

36
Automated Maintenance Cisco Solution - Site
Topology Problem
  • Configuring site topology in AD is a very
    manual, error prone and labor intensive
    process
  • Requires constant maintenance due to
    changes in the network and IP renumbering
  • Incorrectly configured site topology can result
    in difficult-to-troubleshoot replication
    issues between domain controllers
  • Replication issues can impact directory-enabled
    applications and ultimately the end-users

37
Automated Maintenance Cisco Solution - Site
Topology Provisioning
  • Site topology is similar to network topology
      • Sites are analogous to LANs/MANs
      • Site links are similar to WAN links
  • Cisco Enterprise Management (EMAN)
    infrastructure downloads the router
    configuration files nightly for all routers
    globally
  • Developed an algorithm that parses the router
    config files and generates a topology, which
    is stored in a DB
  • Another process pulls the topology out of the DB
    and injects it into AD
  • Several interesting projects have resulted
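An added example (Python; not Cisco's EMAN algorithm) of the router-config-to-topology step: it parses constructed IOS-style excerpts, maps each LAN subnet to a site taken from the router hostname, turns /30 links that join two sites into site links, and writes conflicting subnet claims to an exception list instead of into AD. The hostname convention (rtr-<site>-<n>) and the /30-means-WAN rule are assumptions.

```python
import ipaddress
import re

# Constructed IOS-style config excerpts (not real Cisco devices). Assumption: hostnames are rtr-<site>-<n>
# and the site code names the AD site; /30 interfaces are WAN links, anything wider is a LAN subnet.
ROUTER_CONFIGS = ["""
hostname rtr-sjc-1
interface FastEthernet0/0
 ip address 10.1.0.1 255.255.255.0
interface Serial0/0
 ip address 10.255.0.1 255.255.255.252
""", """
hostname rtr-rtp-1
interface FastEthernet0/0
 ip address 10.2.0.1 255.255.254.0
interface Serial0/0
 ip address 10.255.0.2 255.255.255.252
""", """
hostname rtr-rtp-2
interface FastEthernet0/1
 ip address 10.1.0.2 255.255.255.0
"""]

def parse_router(config):
    """Return (hostname, [ip_network, ...]) for every 'ip address' line in an IOS-style config."""
    host, nets = None, []
    for line in config.splitlines():
        if m := re.match(r"hostname (\S+)", line):
            host = m.group(1)
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            nets.append(ipaddress.ip_network("%s/%s" % m.groups(), strict=False))
    return host, nets

def build_topology(configs):
    """Derive AD subnets, site links and an exception report; conflicts never reach AD."""
    subnets, wan, exceptions = {}, {}, []
    for cfg in configs:
        host, nets = parse_router(cfg)
        site = host.split("-")[1].upper()
        for net in nets:
            if net.prefixlen >= 30:                     # point-to-point link: candidate site link
                wan.setdefault(net, set()).add(site)
            elif net in subnets and subnets[net] != site:
                exceptions.append("%s claimed by %s and %s (%s)" % (net, subnets[net], site, host))
            else:
                subnets[net] = site                     # AD subnet object -> site mapping
    links = {frozenset(ends) for ends in wan.values() if len(ends) == 2}
    return subnets, links, exceptions
```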

38
Automated Maintenance Cisco Solution - Result
  • Most data is either injected on a nightly basis
    or proxied via a web interface; very little
    is manually entered (i.e. via an MMC)
  • Forced us to develop well defined processes for
    data management
  • Greatly reduced the number of people that would
    require administrative access to AD
  • Allows us to create additional forests which
    mirror production
  • And most importantly, creates a structured,
    stable, and well maintained AD environment

39
Summary
  • Build and Buy.
  • Migrating a large number of users to AD can be
    extremely expensive. Automate to reduce costs
    and user impact.
  • Building web-based management tools for AD
    provided Cisco with optimal customization and
    flexibility to manage AD.
  • Automate the injection of data in AD as much as
    possible. Get creative with data sources.

40
Related Reading
41
Question and Answer