Minutes Waterloo Polaris Advisory Group (WPAG) December 14, 2000

Attendees:

Nevil Bromley, Arts
Tim Farrell, IST
Bruce Campbell, Engineering Computing
Ray White, IST (Chair)
Erick Engelke, Engineering Computing
Jim Johnston, MFCF
Hon Tam, Engineering Computing
Stephen Sempson, Science (Secretary)
Trevor Bain, Environmental Studies

Invited Guests:

Terry Stewart, Applied Health Science (AHS)
Martin Timmerman, Information Systems and Technology (IST)
Vic Neglia, Arts
Roy Wagler, IST
Clayton Tucker, MFCF
Scott Nicoll, Science
Manfred Grisebach, IST

Regrets:

Daniel Delattre, AHS
Dennis Herman, ESAG Representative

This was a special meeting with extra guests. Its purpose was communication about MS Active Directory (AD): what Engineering is doing, and what the University of Waterloo is doing.

Submitted items:

Q: (Nevil) A very quick overview of the current Polaris2000 domain structure and maybe the Active Directory (AD) domain structure as well (maybe even invite Manfred or Roy Wagler as its creator if a WPAG consensus would like to see/hear this).
A: (Bruce)
Fig. 1

"Because an AD domain can contain millions of objects, many organizations will be able to convert from a multiple domain model to a single domain model. A single domain model simplifies management that must take place at the domain level, such as some security technologies. One can combine domain resources in Organizational Units (OUs) that best suits the organization's requirements, rather than creating and administering multiple domains. Objects can easily move between OUs within the domain, nest OUs within each other, and create new OUs as the need arises." (Microsoft Skills, p. 15)

Note: "The OU hierarchy within a domain is independent of the OU hierarchy structure of other domains - each domain can implement its own OU hierarchy." (Microsoft Skills, p. 13)

Fig. 2 Authentication method

This is not a real domain or part of the domain. This is just the authentication method to be used for userids and passwords to verify the claims of the user logging in. It is really just a glorified password file. There has been some debate as to whether this is one forest or two. These are some of the things that have been discussed for the campus AD.

Fig. 3 Replication benefits of Fig. 1

"A domain can have one or more domain controllers. A small organization that uses a single local area network may need only one domain with two domain controllers to provide adequate availability and fault tolerance. AD uses multi-master replication, in which no single domain controller is the master domain controller. Domain controllers might hold different information for short periods of time until all of the domain controllers have synchronized their changes to AD." (Microsoft Skills, p. 21)

Some other models of a secure domain include:
Fig. 4

Fig. 5

Caution: "To create fault tolerance for AD, you must have two or more domain controllers in the forest root of your organization. If you only have one domain controller in the forest root of your organization, and that domain controller fails after you upgrade other child domains, you cannot run the AD installation wizard again to create a new domain controller for the forest root. In case of a failure such as this, you must restore the domain controller from a backup or recreate your entire AD structure." (Microsoft Skills, p. 15)

(Roy) Reg Quinton sees AD as a security measure for authenticating users.
(Bruce) The secure AD can still delegate authority.
(Vic) Can other non-Win2000 authenticate against it?
(Bruce) Yes, there is support with PAM. PDC and Radius should cover anything you need.
(Ray) The main issue is that Microsoft does not talk to everything, yet. That is the real issue here in having to adapt to it.
(Bruce) It is unsure if native LDAP will adopt.
(Vic) Any concerns of licensing?
(Ray) There is no client license, that is the beauty of it.
(Erick) Radius authentication is not connection dependent; it is just a request and a supply. This is not a problem for educational institutions. Microsoft has promised licenses for whatever we need to do here. The Radius program (????) has been co-written and we have not come up with a password mode yet.
(Manfred) The AD we had proposed included a level above which was for administration.
(Bruce) Yes, that would make it more of a circle, so that some person in Math can take care of passwords for outsiders to their faculty.

Q: (Nevil) A time table of the two Active Directory Domains for prototype and full production states and what differences may lie between those two states.
A: (Ray) Nevil currently has a lab up and running in the Arts faculty. Engineering will also have a lab up and running for the first of January. The Polaris AD domain will go into production mode in January. The time line for the AD project was to report on progress for February 2001. Changing from prototype to production was not fully discussed because the results from USIST may modify it. USIST would like a report on December 15, 2000, which is a general overview.

(Roy) With respect to the question of comparing a single domain to multi-domain, what happens to the AD campus project when you go live in January? I imagine everyone would want this to work best for the University of Waterloo, not to do the best for Engineering and put up walls. I do not think this is the way to proceed.
(Bruce) One can have multiple domains, there are pros and cons to both directions. With the one domain model, students can logon from anywhere. If it was multiple domains, students would lose that ability. If a foreign domain did not have packages installed which a student may require, then they lose again.
(Erick) It would be a horrible mistake if you go with more than one forest.
(Vic) Is this true if all domains are in the same forest?
(Ray) Yes, if in a different domain (or forest) there would be no sharing of Group Policies (GPO's).
(Erick) There would be too much duress in administering with multiple domains, if we had it this way, we would only deal with Engineering.
(Bruce) We recently did a check of student activity, which showed that 95% of our labs are used by Engineering students and 5% by students outside of Engineering. So there is a benefit which would be lost. We may be able to recover some of the benefits in this setup with Terminal Server.
(Manfred) Accounts that exist within one forest can easily be granted permissions to resources within all domains within that forest because of transitive two-way trusts. Between forests explicit trusts have to be created to allow similar access to resources. Within one domain (within one forest) delegation of control at the OU level does work.
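The trust behaviour described in the discussion above (transitive two-way trusts within a forest, explicit non-transitive trusts between forests) can be made concrete with a small model. The following is an added example written for these minutes, not code from the meeting or from any Waterloo system; the domain and forest names are constructed, and the model deliberately treats an explicit inter-forest trust as one-way and non-transitive, which is the Windows 2000 external-trust behaviour the minutes rely on.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Domain:
    name: str
    forest: str
    parent: Optional[str] = None  # parent domain in the same forest; None for the forest root


class TrustModel:
    """Answers: can an account from account_domain be granted access in resource_domain?"""

    def __init__(self) -> None:
        self.domains: dict[str, Domain] = {}
        # Explicit external trusts as (trusting_domain, trusted_domain) pairs.
        # They are one-way and non-transitive, so they are never chained with other edges.
        self.explicit: set[tuple[str, str]] = set()

    def add_domain(self, name: str, forest: str, parent: Optional[str] = None) -> None:
        if parent is not None and self.domains[parent].forest != forest:
            raise ValueError("a child domain must be in the same forest as its parent")
        self.domains[name] = Domain(name, forest, parent)

    def add_explicit_trust(self, trusting: str, trusted: str) -> None:
        if self.domains[trusting].forest == self.domains[trusted].forest:
            raise ValueError("domains in one forest already trust each other transitively")
        self.explicit.add((trusting, trusted))

    def _forest_neighbours(self, name: str) -> list[str]:
        # Parent/child trusts are two-way, so the tree is walked in both directions.
        d = self.domains[name]
        out = [d.parent] if d.parent else []
        out += [c.name for c in self.domains.values() if c.parent == name]
        return out

    def trust_path(self, resource_domain: str, account_domain: str) -> Optional[list[str]]:
        """Chain of domains through which resource_domain trusts account_domain, or None."""
        if resource_domain == account_domain:
            return [resource_domain]
        r, a = self.domains[resource_domain], self.domains[account_domain]
        if r.forest != a.forest:
            # Across forests only a direct explicit trust counts; nothing is transitive.
            pair = (resource_domain, account_domain)
            return list(pair) if pair in self.explicit else None
        # Same forest: breadth-first search over the parent/child trust tree.
        prev: dict[str, Optional[str]] = {resource_domain: None}
        queue = deque([resource_domain])
        while queue:
            cur = queue.popleft()
            for nxt in self._forest_neighbours(cur):
                if nxt in prev:
                    continue
                prev[nxt] = cur
                if nxt == account_domain:
                    path = [nxt]
                    while prev[path[-1]] is not None:
                        path.append(prev[path[-1]])
                    return path[::-1]
                queue.append(nxt)
        return None  # unreachable in a well-formed forest; kept as a safety net


def build_sample_model() -> TrustModel:
    """Constructed sample: one campus forest with three domains, plus one separate forest."""
    m = TrustModel()
    m.add_domain("campus", "campus-forest")
    m.add_domain("polaris.campus", "campus-forest", parent="campus")
    m.add_domain("arts.campus", "campus-forest", parent="campus")
    m.add_domain("other", "other-forest")
    return m


if __name__ == "__main__":
    m = build_sample_model()
    print(m.trust_path("arts.campus", "polaris.campus"))  # walks via the forest root
    print(m.trust_path("other", "arts.campus"))           # None until an explicit trust exists
    m.add_explicit_trust("other", "arts.campus")
    print(m.trust_path("other", "arts.campus"))           # direct, one hop
    print(m.trust_path("other", "polaris.campus"))        # still None: not transitive
```

The point the model makes visible is the administrative one raised in the meeting: inside one forest, access for an Arts account to an Engineering resource is a matter of granting permissions, while across forests every pair of domains that needs to share anything requires its own explicit trust, created and maintained by both sides.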

Q: (Nevil) An outline of how the distributed management is expected to work in the Active Directories (a key item as I view it as one of the reasons Eng. Comp. has decided to go on their own).
A: (Bruce) We have to agree on all these things we have discussed and in that case it makes sense to have one Domain.

(Vic) If we have separate domains, can we still push out software?
(Bruce) We can do like Xhier.
(Erick) Where we do have a need to, we can do this.
(Vic) If there are political problems, can you still do this and does this solve any of the problems?
(Erick) If we have a priority in Engineering to do something everything else would have a lower priority.
(Vic) Everyone likes roaming between faculties.
(Erick) We are not going to have lock down like before, one can just drag and drop machines to different OU's.
(Vic) I am wondering on the impacts of all user computers being identical.
(Bruce) No, this does not have to happen.
(Vic) So staff can comfortably exist within different domains?
(Erick) I think they would be more content if in the same domain, for sharing of files, printing, etc.
(Vic) If you mean on the faculty level, it is not important to differentiate, but I do not know of any departmental boundaries.
(Erick) I would look at the two diagrams Bruce has drawn and see if you can exist in one of them. Otherwise you must take care of all setups and software installs yourself. With GPO's you can control software updates and downloads with blockages of inheritance.
(Ray) The difference is Arts can make links to GPO's and get immediate changes made to those GPO's or they can take a copy which is then static from that point. Any changes must be manually made or authorized by Arts.
(Terry) Problems will always happen, we know and live with that.
(Ray) Yes, if you have new software, you can still have problems with implementations.
(Erick) There is more flexibility this way.
(Manfred) The interaction between domains requires more interaction between administrators.
(Ray) Whether one, two or three domains, these problems will still exist.
(Terry) Is there an opportunity to get the six faculties and have all of us working together? This would save on so many ES student setups, as an example.
(Trevor) ES needed NT for the software, which is why we are not currently part of Polaris. We have not excluded this Win2000 AD setup due to the inherent ability to run our specific software.
(Vic) Are we to expect to have a Polaris domain for students and a domain for the faculty?
(Bruce) If you want it that way. Engineering's Associate Dean of Computing stated that if we were to have one for faculty and then one for students, then the domain would not be Polaris, but Engineering.
(Erick) Right now, there are over 1000 Polaris95 machines which are in Engineering and looking at going this way.
(Bruce) We are not forcing anyone to this domain, rather we are inviting you to join. You must make that decision. If what we are doing is what you want, then ok. If it is not, then there are no hard feelings if other faculties want to make different decisions.
(Terry) No door slam later.
(Bruce) This will continue cooperatively. If it were up to Erick and myself, we would try to squeeze Engineering into one domain. There is not enough time for more.
(Scott) So we can all expect to continue to work with Engineering.
(Bruce) Always a possibility.
(Scott) So, Engineering cannot force us, but we can choose it.
(Hon) I can comment that if you do go on your own, it is a lot of work to do. With one Domain Controller, you cannot see all the replication that is needed to go on. Learning to navigate the error messages and work cohesively with Microsoft's software support is a lot of work and communication skills.
(Terry) Yes, that is why we had the campus projects.
(Erick) Looking at the campus the way it is now, I could easily guess that twelve or so domains even now, would need to be created. Each of these Domains will then need people to learn as Manfred and Hon have.

Q: (Nevil) A discussion or listing of what facilities, resources or capabilities we may miss or lack as a result of going with either domain as a whole or as individuals (i.e. if Arts goes one way and Science or Math goes the other, what will happen to those non-Arts students taking Arts courses).
A: (Tim) I think we are in the two domain system now with Polaris and NT. Are we going down the road where new student applications will be easier to incorporate?

(Erick) I believe so, we do seem to be moving to small applications like web browsers, etc.
(Ray) This is why we are moving towards this, like the SISP project needing another authentication machine.
(Bruce) We will always need to deal with interfaces to other machines, like Macs, etc.
(Ray) It is true that SISP has all the students (and prospective students) in a database, but with different perspectives.
(Manfred) Are you thinking of Mac access in this model?
(Erick) Yes, and Math is currently doing this.
(Jim) We do have this concurrently working with Samba mounts in Math. It does have limitations to watch for, especially with share directories.
(Roy) You have mentioned Macs and now Polaris Lite; can a student with Windows ME at home get to their files through the domain you are suggesting?
(Erick) Yes they can, and printing also.
(Roy) What about licensed software?
(Bruce) Technically, the software is only a mount, but yes licensing is a problem. A user must buy the software.
(Terry) Does another model of the AD involve more money?
(Ray) Yes, they both do. The 'X' number of domains is not as big an issue as updating the workstations. If one is all alone, yes, for servers and expertise.
(Bruce) If alone, you would have to maintain locally.
(Nevil) You pointed out that if Engineering went on their own, Engineering students would be 'locked in' to Engineering and all other students would be 'locked out'.
(Bruce) Yes.
(Nevil) It would be a definite loss to the students in that case.
(Vic) A question to Math and ES: in dealing with the test domains now, what are the problems which you currently see that you would not want?
(Math, ES) If we could fit into either model, we would so long as we could administer the OU's, etc.
(Roy) Everyone would be empowered; there would be no real loss of administrative control.
(Terry) I think all of the faculties have all similar needs in dealing with faculty, staff, and students with computing needs.
(Hon) One argument for separate domains which I can think of deals with the one person who may hold the key to the whole domain and has a lot of pressure to deal with. Two or three domains can reduce the pressure that is felt, since not so many users and computers would be affected by decisions perceived as right or wrong. Thus, the politics and pressures to stay with one domain are also good reasons for separate domains.
(Manfred) A corollary to that, if something is critical you will make mistakes, but every domain admin must come to learn about these things the same way.
(Bruce) In deciding how long to continue with Polaris95, some of the factors involved are when it is financially possible to move. I can see that we will definitely have 2 OS's (Polaris95 and Polaris2000?) for a while. One should move as soon as possible, but the question is when.
(Vic) So, in a year from now?
(Bruce) Yes, and some of the problems with this concurrency are that we will be spending half of our time on both OS's. This must happen since there have been cracks in W95 and things creeping up, or faculty software which they must have. So within two years for a total change over.
(Nevil) Is that progression or maintenance for Polaris95?
(Bruce) Do not count on development.
(Scott) Can you think of an argument to not go with one domain?
(Hon) This is a difficult question, we both have common goals and it is hard to see which is better.
(Vic) Are there reasons for non-students?
(Bruce) You are really asking for reasons to join the other model, I do not have enough information to come to a decision for that.
(Erick) One is best off to get all people into one domain, for reasons of sharing, administrative headaches, etc. as anyone here can attest.
(Bruce) For special needs, one can set up a member server to deal with more secure or sensitive user issues.

Information items:

(Daniel) What are the main issues when you would switch from one AD to another?
(Hon) If set, besides software, one must throw away everything and recreate.

(Daniel) Is it possible to have 2 AD's in a faculty and what are the benefits or disadvantages?
(Hon) Yes, it is possible to have 2, and this would add much more confusion on who does what.

(Daniel) How easy or difficult is it to setup trusts relationships between AD's?
(Hon) There are no transitive trusts between two forests.

(Daniel) Could we somehow have a test case?
(Hon) The current test case is Engtest and Engtest2 for the common domain.

(Daniel) Could we have documentation online about all the progress that has been made in our current Polaris AD?
(Hon) I will work on getting the documentation up at the end of this term.

Created by: sempson@sciborg.uwaterloo.ca 2000/12/18
Revised by: sempson@sciborg.uwaterloo.ca 2000/12/19