Windows Infrastructure Strategic Vision
Written by Ross Wilper, updated 1/26/07
This document presents the strategic vision for the Windows Infrastructure services provided by and managed by IT Services.
This includes statements for Windows components of:
- Authentication of users, hosts, and services, also covered by the Authentication Vision
- Authorization, also covered by the Authorization Vision
- Identity Management, also covered by the Identity Management Vision
- Directory services, also covered by the Directory Vision
- Desktop management, also covered by the Desktop Management Vision
and Windows service offerings:
- Windows Domain services
- BigFix Patch Management
- Distributed File System services
- Exchange infrastructure service
Purpose and Users
The goal of the Stanford Windows Infrastructure is to work in conjunction with Unix Infrastructure to abstract the idiosyncratic differences between Unix and Windows platforms to provide heterogeneous infrastructure delivery. It also provides specific infrastructure to Windows servers and services. By providing this managed infrastructure, much of the complexity of offering services on Windows or mixed platforms is alleviated for service owners.
Driving principles:
- Interoperability: When supporting (Windows) idiosyncratic infrastructure, strive for delivery that allows for greatest interoperability with other platforms. Use open protocols when possible, support proprietary protocols/functions when necessary.
- Reliability: This service is essential for many staff activities. Service should be stable, secure, fault-tolerant, and possess sufficient capacity to service requests in a timely manner.
- Usability: Services should be easy for client IT organizations to leverage. Security needs for intrusion prevention and data protection must be balanced with the end-user needs for ease of use.
Windows domain services are offered to schools and departments. Typically schools create their presence as a child Domain and departments create their presence as an Organizational Unit object in a shared child Domain. In both cases, Domain services are then supported by local IT for their community. Exchange infrastructure support is provided in the form of directory services and the establishment of Exchange administrative groups for schools or departments that request them.
Technologies
Stable core technologies:
- Microsoft Active Directory provides Authentication, Authorization and Directory services.
- Authentication services are provided via Kerberos version 5 and NTLMv2 (NT Lan Manager version 2) protocols.
- Authorization information is provided via Microsoft Security Identifiers (SIDs) included in NTLMv2 credentials or in PAC extensions to Kerberos TGTs.
- Directory services are based on LDAP version 3 standards.
- RADIUS infrastructure supporting PEAP-MSCHAPv2 for potential WPA deployment and other mechanisms for VPNs and other access points.
- Common Internet File System (CIFS), also known as Server Message Block (SMB), for distributed file services.
- Distributed File System (DFS) for naming and location services for CIFS file stores.
- Group Policy Objects are served from Active Directory and CIFS for user and host management.
- Microsoft Terminal Services Licensing Server communicates with the Microsoft License Clearing House to support Terminal Services (and MetaFrame servers).
- Windows 2000 and Windows 2003 TS-CALs supported
- Identity Management data import
- Java Registry harvester (winharvester) for Account/Person Data
- kpasswd protocol integration for password synchronization
- Windows services to manage attribute visibility and privilege group information
- BigFix patch management service
- Exchange 2003 collaboration services.
Emerging technologies: (see Research below)
- Exchange as a campus service offering
- Public Key Infrastructure and pkinit support in Windows Kerberos
- AES support in Windows Kerberos
- Software Deployment through GPO
- WebAuth support for Microsoft IIS 6.0 or IIS 7.0
- 64-Bit Windows versions
Deprecated technologies: (see Projects below)
- Windows Internet Naming System (WINS)
- Java Registry harvester (winharvester) for Account/Person Data
- Windows NT Server 4.0
- Security Accounts Manager (SAM) Domains.
Other technologies in use: (These technologies are currently deployed and useful in specific circumstances, but either are not attractive for broader use or have a limited scope of applicability -- we are neither recommending expanding them nor recommending eliminating them at this time.)
- Microsoft Dynamic DNS is used to provide name resolution for Active Directory clients to locate Active Directory Services.
- Microsoft Certificate Services is used to provide LDAP over SSL. We do not plan to expand this without broader PKI planning.
Projects
First:
- Complete transition of existing RADIUS clients to Windows Internet Authentication Service (IAS) RADIUS.
- Implement two-way trust between the Windows Active Directory and MIT Kerberos 5 realm to improve single sign-on experience. This requires action by existing Windows Infrastructure clients for possibly incorrectly configured servers.
- Develop disaster recovery (offsite) for Windows Infrastructure services for business continuity in a level 3 disaster.
- Improve Macintosh Client support (AD for logon). Due to the behavior of the present Macintosh AD client (10.4), not all features work correctly.
- Work with campus Windows administrators to deploy and support Microsoft Windows Vista as a supported Windows Infrastructure client operating system.
- Work with campus Windows Infrastructure clients to develop 10.5 (Leopard) support.
- (Ongoing) Migration Support for schools and departments to retire legacy NT4 domain services.
Next:
- Improve support for providing Domain services to individuals - Allow self registration of end user computers to receive logon support and basic (best practice, software deployment) policy support.
- "Windows Server 2007" (code name Longhorn) Active Directory upgrade.
- "Exchange Server 2007" (Exchange 12) collaboration services upgrade.
- Replace the existing winharvester data import process with direct import from registry (slog process).
- Add Linux and Macintosh patch support to Bigfix implementation.
- Develop Active Directory in Application Mode (AD/AM) to store data in the schema used by OpenLDAP.
Later:
- Testing and coordination with user community to sunset Windows Internet Naming System (WINS).
Research
- Exchange email and collaboration services are being reviewed for viability as a service to be offered to the Stanford community. The current focus would be on reliability: clustered mailbox servers and load-balanced front-end Outlook Web Access (OWA) servers. Service would include connectivity for Windows Mobile 5 devices.
- Exchange 12, the next version of Microsoft Exchange, is being investigated. This version makes some changes to the Exchange architecture that improve support for anti-malware and anti-spam activities and improve fault-tolerance and failover capabilities.
- Exchange is being reviewed as a possible solution for unified messaging (voicemail/email-to-speech/fax).
- Common Internet File System (CIFS) is being reviewed as an alternative for campus distributed file services needs.
- World Wide Web Distributed Authoring and Versioning (WebDAV) is being investigated to provide WAN connectivity to files stored on Windows file sharing stores (CIFS service or other Windows file sharing). This is necessary because the campus has blocked the ports required by Windows file sharing at the campus gateways.
- 64-Bit Windows to host Active Directory services and other Windows servers. Windows Server 2003 R2 64-bit editions are now being used in production.
- Develop native WebAuth support for Internet Information Server (IIS). Supported platform may be IIS 6.0 or IIS 7.0.
- Development for the Windows "Longhorn" Server upgrade for the Windows Infrastructure service is underway. The target platform is Windows "Longhorn" Server 64-bit "Core" edition for Active Directory domain controllers.
- Investigating the use of hardware virtualization for production Active Directory domain controllers. The hardware available to run servers has increased in speed, but the requirements have grown much more slowly. Hardware virtualization would allow for more efficient use of resources.
Longer-Term:
- Currently, Active Directory Federation Services (ADFS) and Shibboleth are not interoperable, though they are similar protocols. Tracking progress by Microsoft toward interoperability.
- Reviewing the viability of providing software deployment using Windows group policy. Initial target would be to advertise ESS software on end-user desktops. Could possibly be used to automatically deploy BigFix clients or other critical software.
- Microsoft Windows Authority Manager: Investigate possible use of MS Authority Manager to provide role-based authorization for Windows services. This functionality may be available from I2 middleware as well.
- Microsoft Rights Management Server: Investigating RMS as a possible tool for Digital Rights Management. Microsoft's RMS uses certificates to protect content, so deployment of this technology would require a public key infrastructure (PKI) to manage.
- Smart Card Log On/PKInit Logon: Investigating Windows logon via smart card. A Stanford-wide PKI/certificate infrastructure would be required to manage the user certificates. If smart cards are deployed they could provide stronger authentication by superseding passwords and/or multifactor authentication for "trusted" accounts.
- Stanford Authority Manager: Investigate use of Stanford Authority Manager or other automated process to streamline Windows Domain services delegation roles/tasks. This is currently a manual process.
- Investigating providing Remote Installation Services (RIS), Windows Deployment Services (WDS), or other Windows package deployment. Goal is to provide a way to build a Windows machine with all security fixes already in place and with recommended configurations. This requires a licensing model to ensure compliance.
- Investigating an import of hardware location data into Active Directory. Data could be collected from NetDB or other source to provide enhanced "services near me" service.
- Password integration: Current password synchronization method only allows for passwords to be changed in Network Identity Manager or SUNetID management web pages. Develop support for password changes sourced from Windows using I2 password change work or custom application.
- (Ongoing) Track feature changes in Windows Service Packs and Releases.
- (Ongoing) Leadership in the Windows-Hied Community