There are no requirements for data isolation within WWTC's


General

Active Directory Forest :

Deployment of one Active Directory forest will suffice for WWTC's requirements. There are no requirements for data isolation within WWTC's Active Directory configuration, and any data separation that is needed can be provided inside the single forest. A single forest was chosen because it is very cost-effective and requires the least amount of administrative support.

For example, with only one forest, the global catalog does not require synchronization across forests and management of a duplicate infrastructure is not required.

An organizational forest model will be used, with user accounts and resources contained in the forest and managed independently. The forest will be used to provide service and data isolation. This has been chosen instead of other models where resources and users are isolated in separate forests.

Active Directory Domain :

WWTC will use an organizational domain forest to provide autonomous groups within the forest as required. The New York office will have a separate domain from the Hong Kong office since it will be largely autonomous. In addition, a separate domain can be created to restrict access to confidential data. Since WWTC will have few IT personnel to handle day-to-day IT support activities in New York, the following functions will be maintained by forest-level administration:

· Creating and removing domain controllers

· Monitoring the functioning of domain controllers

· Managing services that are running on domain controllers

· Backing up and restoring the directory

Two domains will require that Group Policy settings, as well as access control and auditing settings (required forest-wide), are implemented separately in each domain of the forest. This setup is considered a regional domain configuration and will reduce traffic over wide area network (WAN) links. While service administration will be carefully controlled at the Hong Kong office, the following functions will be maintained within the New York office:

· Creating organizational units (OUs) and delegating administration

· Repairing problems in the OU structure that OU owners do not have sufficient access rights to fix

Instead of creating a separate forest root domain, the New York office will function as the forest root domain. It will be the parent domain of the other offices. Service administrator accounts will reside in the New York root domain, while user accounts for each region will reside in the appropriate regional domain. For administration purposes, the branch offices will function as child domains under the New York root domain. This configuration was chosen because it is much easier to manage than a configuration with a separate domain for administrative accounts.
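The forest and child-domain layout described above, expressed with the ADDSDeployment cmdlets. This is an added example, not part of the original design document: the root domain name WWTC.org comes from the document, while the child domain name "hk" (hk.WWTC.org), the NetBIOS names and the functional levels are assumptions made here.

```powershell
# Added example (not from the original document). Builds the single-forest
# layout: New York hosts the forest root WWTC.org, Hong Kong joins as the
# child domain hk.WWTC.org. Names other than WWTC.org are placeholders.

Import-Module ADDSDeployment

# --- Run on the first New York domain controller: create the forest root ---
$dsrmNY = Read-Host -AsSecureString -Prompt 'DSRM password for the NY root DC'

Install-ADDSForest `
    -DomainName 'WWTC.org' `
    -DomainNetbiosName 'WWTC' `
    -ForestMode 'Win2012' `
    -DomainMode 'Win2012' `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrmNY `
    -Force

# --- Run on the first Hong Kong domain controller: join as a child domain ---
# The credential must belong to Enterprise Admins in WWTC.org: creating and
# removing domain controllers is a forest-level duty in this design.
$entAdmin = Get-Credential -Message 'WWTC\<Enterprise Admin account>'
$dsrmHK   = Read-Host -AsSecureString -Prompt 'DSRM password for the HK DC'

Install-ADDSDomain `
    -NewDomainName 'hk' `
    -ParentDomainName 'WWTC.org' `
    -DomainType 'ChildDomain' `
    -NewDomainNetbiosName 'HK' `
    -DomainMode 'Win2012' `
    -InstallDns `
    -CreateDnsDelegation `
    -Credential $entAdmin `
    -SafeModeAdministratorPassword $dsrmHK `
    -Force

# --- Verify the structure afterwards from any domain-joined admin station ---
Import-Module ActiveDirectory
Get-ADForest | Select-Object RootDomain, Domains, ForestMode
Get-ADDomain -Identity 'hk.WWTC.org' | Select-Object DNSRoot, ParentDomain, DomainMode
```

Each `Install-ADDS*` call reboots the server when it finishes; the verification lines are run separately once both domain controllers are back up. Keeping the DSRM passwords distinct per domain controller matters because each one is a local recovery credential for that server only.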

Active Directory Naming Convention:

WWTC.org is the Active Directory namespace used by WWTC. It is a registered fully qualified domain name for WWTC. WWTC will use the same internal and external namespace: WWTC.org will be used from inside and outside the organization, without a separate namespace for internal access to resources. This means that the tree name (WWTC.org) is the same on the private network and the public Internet, allowing users to log on with the same credentials internally and externally.

This requires a separate DNS zone outside the firewall to provide name resolution for public resources, and it creates a security concern: clients accessing resources from outside the organization must not gain access to internal company resources. It also requires that records be maintained on both the internal and external DNS servers simultaneously. The attached illustration shows this configuration.
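A check for the two risks named above, added here as an example rather than taken from the document: with one namespace on both sides of the firewall, the external copy of the WWTC.org zone must carry only the approved public names, and every public name must also resolve internally because internal clients never query the external server. The external server name, the approved-name list and the zone's replication scope are assumptions.

```powershell
# Added example (not from the original document). Audits the split
# WWTC.org namespace: flags internal hosts that leaked into the external
# zone and public names missing from the internal zone.
# Placeholders: external DNS host name and the approved public-name list.

Import-Module DnsServer

$zone        = 'WWTC.org'
$externalDns = 'ext-dns01'                              # placeholder perimeter DNS server
$publicHosts = @('@', 'www', 'mail', 'autodiscover')    # placeholder approved public names

# 1. Internal zone: AD-integrated and replicated to every DNS server in the
#    forest, so the New York and Hong Kong domains share one view of it.
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ReplicationScope 'Forest'
}

# 2. External zone audit: any A record beyond the approved names exposes
#    internal naming (and addressing) to the Internet.
$externalA = Get-DnsServerResourceRecord -ComputerName $externalDns `
                 -ZoneName $zone -RRType 'A'

$leaked = $externalA | Where-Object { $publicHosts -notcontains $_.HostName }
foreach ($rec in $leaked) {
    $ip = $rec.RecordData.IPv4Address.IPAddressToString
    Write-Warning "External zone exposes a non-public record: $($rec.HostName) -> $ip"
}

# 3. Consistency the other way: each public name must exist internally, or
#    inside users cannot reach the public service by its published name.
$missing = foreach ($name in $publicHosts) {
    $fqdn = if ($name -eq '@') { $zone } else { "$name.$zone" }
    $inside = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue
    if (-not $inside) { $fqdn }
}
foreach ($fqdn in $missing) {
    Write-Warning "Public name not resolvable on the internal DNS server: $fqdn"
}
```

Run it from an internal DNS server with management rights on the perimeter server; the internal address for a public name may legitimately differ from the external one (internal versus NAT address), which is why the script checks presence rather than equality.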

Application Services:

Windows Server 2012 is installed on the network and the following Active Directory features will be implemented.

· Windows Deployment Services (WDS) will be implemented to allow network-based installation of Windows operating systems (OS) and so reduce the complexity and cost of manual installation. This will require a WDS server that is a member of the Active Directory Domain Services (AD DS) domain. It also requires a Dynamic Host Configuration Protocol (DHCP) server with an active scope, since PXE relies on DHCP for IP addressing.

· Smart card authentication will require valid user principal names (UPNs), since they are required for smart card logon. Since a certificate authority (CA) will issue the domain controller certificates, the root certificate will be added to the Trusted Root Certification Authorities group policy in Active Directory.

· IP Address Management (IPAM) will be implemented to provide highly customizable administrative and monitoring capabilities for the IP address infrastructure. IPAM will be used to discover, utilize, monitor, audit, and manage IP address space in the network. This requires an IPAM server that has connectivity to existing DHCP, DNS, DC, and NPS servers in the Active Directory forest.

WDS services will be hosted on the same computer as DHCP. This requires that WDS is configured so that it doesn't listen on Port 67 and DHCP option 60 will be used to notify a booting PXE client that there is a listening PXE server on the network. The server will also be configured to respond only to known client computers. This ensures that client computers are added to Active Directory before the image is deployed.
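The co-hosting settings just described, as an added example (not the document's own configuration) using WDSUTIL, the WDS command-line tool, together with the DhcpServer module. The scope, the pre-staged client name and its GUID are placeholders.

```powershell
# Added example (not from the original document). Configures WDS and DHCP
# on the same server: WDS stays off UDP/67, DHCP option 60 announces the PXE
# server, and WDS answers only pre-staged (known) clients.
# Placeholders: scope ID, client name, client GUID.

Import-Module DhcpServer

$scopeId    = '10.10.0.0'                                 # placeholder DHCP scope
$clientName = 'NY-WS-0101'                                # placeholder machine name
$clientGuid = '{00000000-0000-0000-0000-000000000001}'    # placeholder SMBIOS GUID

# DHCP owns UDP/67 on this host, so WDS must not bind it; PXE clients learn
# about the WDS server from DHCP option 60 instead.
& wdsutil.exe '/Set-Server' '/UseDhcpPorts:No'
& wdsutil.exe '/Set-Server' '/DhcpOption60:Yes'

# Respond only to known clients: the computer object must already exist in
# AD DS before any image is sent, which is the control the plan relies on.
& wdsutil.exe '/Set-Server' '/AnswerClients:Known'

# Option 60 is not predefined on a Windows DHCP server; define it once,
# then set it on the scope that serves the PXE clients.
if (-not (Get-DhcpServerv4OptionDefinition -OptionId 60 -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4OptionDefinition -OptionId 60 -Name 'PXEClient' `
        -Type String -Description 'PXE server present on this network'
}
Set-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 60 -Value 'PXEClient'

# Pre-stage a client: creates its AD computer object with the boot GUID so
# the Known-clients policy will answer it.
& wdsutil.exe '/Add-Device' "/Device:$clientName" "/ID:$clientGuid"

# Verify both sides of the configuration.
& wdsutil.exe '/Get-Server' '/Show:Config'
Get-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 60
```

The `/Show:Config` output should report that DHCP ports are not used and that option 60 is set; an unknown machine that PXE-boots afterwards receives an address from DHCP but is ignored by WDS until it is pre-staged.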

· File Classification Infrastructure (FCI) will be implemented to ensure that automatic classification is performed. The different classifications will be identified; currently they are listed as Public and Confidential. The proper classification will be applied to every file using FCI. This process will be used to ensure that Confidential data is properly stored on encrypted drives and that all confidential files are transmitted using encrypted methods. Reporting based on these classification tags will allow administrators to detect and respond to violations of WWTC's data classification policy.

· Failover cluster services will be implemented so that the entire network has hardware, software, and storage redundancy. This independent group of servers and storage devices will work together to increase the availability of applications and services. If one clustered device fails, another will provide the lost services (called failover).

The cluster validation wizard will be used to ensure that all network components are compatible prior to implementation. It will also be used after implementation and as new devices are added to the network to maintain this capability. By implementing backup for all servers and storage, WWTC ensures that users experience a minimum of disruptions in service.
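The validate-then-build sequence described above, as an added example (not the document's own procedure) with the FailoverClusters module. Node names, the cluster name, the static address and the report paths are placeholders.

```powershell
# Added example (not from the original document). Runs cluster validation
# before the cluster exists, builds it, and re-validates when a node is added.
# Placeholders: node names, cluster name, static address, report folder.

Import-Module FailoverClusters

$nodes   = 'ny-fs01', 'ny-fs02'      # placeholder node names
$cluster = 'NY-CL01'                 # placeholder cluster name
$reports = 'C:\ClusterReports'       # placeholder report folder
New-Item -ItemType Directory -Path $reports -Force | Out-Null

# 1. Validate before creation. Test-Cluster returns the report file; review
#    it and fix every failed test before creating the cluster.
$pre = Test-Cluster -Node $nodes `
    -Include 'Inventory', 'Network', 'Storage', 'System Configuration' `
    -ReportName (Join-Path $reports 'precreate')
Write-Host "Validation report: $($pre.FullName)"

# 2. Create the cluster once the report is clean.
New-Cluster -Name $cluster -Node $nodes -StaticAddress '10.10.0.50'
Get-ClusterNode -Cluster $cluster | Select-Object Name, State

# 3. Later, when hardware is added: validate the full node set again, then
#    join the new node. Validation is repeated so a new device cannot
#    silently break the redundancy the cluster exists to provide.
$newNode = 'ny-fs03'                 # placeholder
$post = Test-Cluster -Node ($nodes + $newNode) `
    -ReportName (Join-Path $reports "add-$newNode")
Write-Host "Validation report: $($post.FullName)"
Add-ClusterNode -Cluster $cluster -Name $newNode
Get-ClusterNode -Cluster $cluster | Select-Object Name, State
```

Run it with an account that is a local administrator on every node; the report is also the record auditors ask for when they want evidence that the configuration was validated rather than assumed.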

· Cache encryption will be implemented to store encrypted data by default. This means that data in cache is stored encrypted by default providing data security without requiring entire drive encryption.

· BranchCache will be implemented to increase performance, manageability, scalability, and availability. Duplicate files are eliminated while hashes and local storage at branch offices drastically reduce the amount of required WAN traffic.

· BitLocker encryption will be used to protect all user and server data. The benefit is that the entire drive is encrypted and only requires the user's normal authentication to access the data. BitLocker on the wired network will be set up to automatically unlock the system volume during boot, to reduce internal help desk calls caused by lost PINs.

Group Policy settings will be enforced that require either Used Disk Space Only or Full Encryption to be used when BitLocker is enabled on a drive.
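One script that serves both the FCI item and the BitLocker items above, added as an example and not taken from the document: it defines the Public/Confidential classification property and a content rule with the FSRM cmdlets, enables BitLocker on the OS volume with a TPM protector (automatic unlock at boot, no PIN) and on the data volume holding the classified share, sets the "encryption type" policy values the BitLocker ADMX templates write, and finally reports any volume whose state would violate the policy. The share path, marker string, GPO name and AES-256 choice are assumptions.

```powershell
# Added example (not from the original document). FSRM classification plus
# BitLocker enforcement and a compliance report.
# Placeholders: share path, marker string, GPO name.

Import-Module FileServerResourceManager
Import-Module BitLocker
Import-Module GroupPolicy

$share = 'D:\Shares'                       # placeholder classified namespace
$vol   = Split-Path -Qualifier $share      # 'D:' - volume that holds it

# --- 1. Classification property with the two values named in the plan ---
if (-not (Get-FsrmClassificationPropertyDefinition -Name 'Classification' -ErrorAction SilentlyContinue)) {
    $values = (New-FsrmClassificationPropertyValue -Name 'Public'),
              (New-FsrmClassificationPropertyValue -Name 'Confidential')
    New-FsrmClassificationPropertyDefinition -Name 'Classification' `
        -Type 'SingleChoice' -PossibleValue $values -Description 'WWTC data classification'
}

# --- 2. Rule: files containing the marker string are tagged Confidential;
#        Overwrite keeps the tag current when the rule is re-run ---
New-FsrmClassificationRule -Name 'Confidential by marker' `
    -Property 'Classification' -PropertyValue 'Confidential' `
    -ClassificationMechanism 'Content Classifier' -ContentString 'WWTC-CONFIDENTIAL' `
    -Namespace $share -ReevaluateProperty 'Overwrite'
Start-FsrmClassification

# --- 3. BitLocker: OS volume unlocks via TPM at boot (no PIN to lose);
#        the data volume auto-unlocks once the OS volume is open ---
if ((Get-BitLockerVolume -MountPoint 'C:').VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod 'Aes256' `
        -UsedSpaceOnly -TpmProtector -SkipHardwareTest
}
if ((Get-BitLockerVolume -MountPoint $vol).VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $vol -EncryptionMethod 'Aes256' `
        -UsedSpaceOnly -RecoveryPasswordProtector
    $rp = (Get-BitLockerVolume -MountPoint $vol).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Backup-BitLockerKeyProtector -MountPoint $vol -KeyProtectorId $rp.KeyProtectorId  # escrow to AD DS
    Enable-BitLockerAutoUnlock -MountPoint $vol
}

# --- 4. GPO: "Enforce drive encryption type" for OS and fixed data drives.
#        ADMX registry values: 1 = Full encryption, 2 = Used Space Only ---
$gpo = 'WWTC BitLocker'                    # placeholder GPO, assumed to exist
$key = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'OSEncryptionType'  -Type DWord -Value 2
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'FDVEncryptionType' -Type DWord -Value 2

# --- 5. Report: a Confidential namespace on an unprotected volume is a
#        violation of the classification policy ---
Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        Volume            = $_.MountPoint
        Status            = $_.VolumeStatus
        Protection        = $_.ProtectionStatus
        Method            = $_.EncryptionMethod
        HoldsConfidential = ($_.MountPoint -eq $vol)
        Violation         = ($_.MountPoint -eq $vol -and $_.ProtectionStatus -ne 'On')
    }
}
```

A Used-Space-Only volume reports `FullyEncrypted` once the pass completes, so the report treats both encryption types as compliant, exactly as the policy does; the `Violation` column is what a scheduled job would forward to the administrators who act on classification breaches.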

Groups:

Users and computer accounts will be grouped to simplify administration by controlling permissions and rights rather than assigning them individually. Groups in Active Directory are objects that reside in the domain. Groups have a scope that identifies the extent that they are applied in the domain or forest. The three group scopes for WWTC are outlined below:

· Domain local scope is used to manage access within the domain. For example, a user group that requires access to a printer can be set up so that access to a new printer is granted to the entire group at once instead of editing the permission list for all five users. The five users will be members of a global scope group, which will be added to a domain local scope group that can be assigned printer access.

· Global scope is used for directory objects that require daily maintenance, such as user accounts, computer accounts, or groups that require management across domains (such as a department in multiple locations).

· Universal scope is used to consolidate groups that span domains. Changes to global scope groups do not affect the universal scope group, but changes to the universal scope group cause the entire membership of the group to be replicated to every global catalog in the forest.
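The printer example and the three scopes above, as an added example (not the document's own configuration) with the ActiveDirectory module. It follows the nesting the text describes: accounts in a global group, the global group in a domain local group, and only the domain local group named on the resource. OU paths, user and group names are placeholders; the domain WWTC.org is from the document.

```powershell
# Added example (not from the original document). Global -> domain local
# -> resource nesting for the five-user printer case, plus a universal
# group for a department that exists in both domains.
# Placeholders: OU path, user names, group names.

Import-Module ActiveDirectory

$ou    = 'OU=Groups,OU=NewYork,DC=WWTC,DC=org'                 # placeholder OU
$users = 'user1', 'user2', 'user3', 'user4', 'user5'           # placeholder accounts

# Global group: holds the accounts. Day-to-day membership changes happen here
# and stay inside the New York domain.
New-ADGroup -Name 'G-NY-Finance-Users' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'G-NY-Finance-Users' -Members $users

# Domain local group: the only principal the printer's ACL needs to list.
# Granting Print to this group covers all five users, and any future member
# of the global group, with one ACL entry.
New-ADGroup -Name 'DL-NY-Printer-Finance-Print' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'DL-NY-Printer-Finance-Print' -Members 'G-NY-Finance-Users'

# Universal group: consolidates the same department across New York and Hong
# Kong. Its member list replicates to every global catalog, so it holds
# global groups rather than individual users to keep that replication small.
New-ADGroup -Name 'U-Finance-All' -GroupScope Universal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'U-Finance-All' -Members 'G-NY-Finance-Users'
# The Hong Kong global group (placeholder name) is added from the child domain:
# Add-ADGroupMember -Identity 'U-Finance-All' -Members (Get-ADGroup 'G-HK-Finance-Users' -Server 'hk.WWTC.org')

# Audit view: who actually ends up with printer access through the nesting.
Get-ADGroupMember -Identity 'DL-NY-Printer-Finance-Print' -Recursive |
    Select-Object Name, SamAccountName, objectClass
```

The ACL entry itself is set on the print server's printer object; this script only builds the group chain it points at. Reviewing the recursive membership of the domain local group is the quick way to confirm that nobody outside the intended department inherits the permission.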

The scope and organizational unit setup is outlined in the diagram below.

The above structure was chosen so that Group Policy could be applied to a select group of users or resources without having to set policies for each individual user.
