Active Directory
Consolidation: Phase 3
Update
Colin Bell (cpbell)
February 7, 2013
Working High-Level WBS
Clarity, Governance, Change Management, and Documentation
1. Clarify transfer process and goals.
2. Transfer knowledge from Engineering w.r.t. current monitoring and
management techniques.
3. Establish Change Management controls inside IST w.r.t. NEXUS.
4. Establish Service Management controls inside IST w.r.t. NEXUS.
5. Establish IST based monitoring and audit capabilities to augment current
capabilities.
6. Document future (ADS retirement plans)
7. Transfer "ownership" and ultimate operational responsibility to IST.
Goals: Governance
• Document Terms of Reference for a
Governance body with campus-wide
representation. (underway – Feb 22, 2013)
• Establish controls so all parties have a
voice. (change management procedure)
• Establish grievance process so that
parties can lodge complaints. (underway –
need test case)
Current Involvement (1)
• Executive Steering Group
– Dave Wallace (IST), Olga Vechtomova (ENG)
– Colin Bell (IST), Bruce Campbell (IST), Marko
Dumancic (ENV), Erick Engelke (ENG),
Martin Timmerman (IST)
Current Involvement (2)
• Monitoring, Audit, and Software
Management (MAS Subgroup)
– ENG => Daniel Delattre, Erick Engelke, Hon
Tam
– IST => Colin Bell, Mike Cocker, John Mayall
– ARTS => Nevil Bromley
Current Involvement (3)
• Governance (GOV Subgroup)
– Colin Bell (IST), Erick Engelke (ENG), Martin
Timmerman (IST)
Goal: Establish Service
Management (NEXUS/APEX)
• Incident Management (in progress)
• Change Management (draft in use)
• Release Management (imminent –
decommissioning of DC + rebuild to be
test case)
Goal: Document the Future (in progress / targeted – March 2013)
• Develop roadmap for migration of services
from ADS to NEXUS.
– Actual ‘moves’ are out-of-scope.
• Document shared monitoring, auditing,
and software management requirements.
• Document current and future roles and
responsibilities for all stakeholders +
established campus bodies.
Goal: Ultimate Operational
Responsibility on IST
• Move to minimize the number of Domain
Administrators in NEXUS.
• Consolidate top-level responsibilities in
IST (as an infrastructure service).
– “Handover the Keys” (ADAud2012 – MP5.0)
• Goal => MS2 – April 30, 2013
Goal: Meet Audit
Requirements (1)
• Overall Strategy and Plan
– Develop project plan and RAID log. Socialized
with project stakeholders. [ADAud2012-1.0-HP] (today is
first step of socialization, project plans and RAID log to be released to
successive groups in coming weeks)
– Establish a management committee and
leverage it as a forum to discuss and resolve
critical project related decisions. [ADAud2012-2.0-HP]
(completed initial group, expansion coming)
Goal: Meet Audit
Requirements (2)
• Test Plans and Test Cases
– Ensure test plan, scenarios, cases and results
are documented. [ADAud2012-3.0-MP] (started and
underway – Change Management Procedure will help control work)
Goal: Meet Audit
Requirements (3)
• Documentation of Rollback Plans
– Ensure that each migration procedure defines
and tests a rollback plan. In cases where a
roll-back is not required due to risk level, the
decision is documented. [ADAud2012-4.0-MP] (many
migrations completed in Phase 2 – any future work will rely on Change
Management Procedure + RAID Log)
Goal: Meet Audit
Requirements (4)
• Active Directory Governance and
Operations
– Determine roles and responsibilities and
communicate accordingly across IST,
Engineering, and Security teams.
[ADAud2012-5.0-MP] (Change Management Procedure normalizes
work, RASCI Chart can now be built to formalize roles / responsibilities)
RASCI = {Responsible, Accountable, Support, Consulted, Informed}
Goal: Meet Audit
Requirements (5)
• Migration Strategy Planning
– Perform an analysis of application and
servers that leverage ADS. Develop a server /
application migration plan.
[ADAud2012-6.0-MP] (Already planned as part of the ‘Document the
Future’ effort. See previous slide – March 2013.)
Goal: Meet Audit
Requirements (6)
• Object Migration Approach [ADAud2012-7.0-MP]
– Perform analysis on accounts that have not
been migrated.
– Review and clean up orphan accounts.
– Review privileged accounts and analyze if
access is still valid after migration.
– Perform analysis on accounts.
– Inventory service accounts and use.
… to be planned w/ MAS Subgroup + EAWG.
Goal: Meet Audit
Requirements (7)
• Interoperability Requirements [ADAud2012-8.0-LP]
– Identify, document, and socialize WatIAM
integration requirements with key
stakeholders to ensure that all issues are
identified and addressed.
… much work done in Phase II. Work in Phase III to be
planned with input from EAWG – IdM Analysis.
Change Management
Procedure (1)
[Flowchart: University of Waterloo NEXUS / Active Directory Change Procedure, Version 0.4 - DRAFT; box labels only, connectors not preserved]
Decision points:
• Change?
• What is cause?
• Is there a complete service interruption?
• Is the change global or universal in scope? (Require Domain-level or Enterprise privs?)
• Change is eligible for batching?
• High Risk / Imminent Danger?
• Resolved?
• Change Granted?
Branch labels:
• Feature / Change Request
• Problem / Incident
• requires Governance oversight
• does not require Governance oversight
• Yes / No
Actions:
• Verify Ticket exists and update RAID Issue Log
• Create 'Risk' RAID entries for any risks identified in Change Request Form
• Follow Emergency Response (Repair) or DRP
• Calculate Risk (likelihood vs. impact)
• Follow Client Support Procedure for affected Client
• Verify update of Ticket and RAID Log
• Apply AD Operations judgement framework
• Complete Root Cause Analysis (RCA) Procedure
• Submit 'Change Requests' for remediation actions.
• Verify update of Ticket and 'Issue' RAID Log
• Apply AD Management judgement framework
• Submit to Governance Committee
• Update all associated RAID "Risks" and/or Tickets
• Communicate and make changes
• Research and Document Threat / Cause
• Perform pre-authorized risk mitigation actions. (from RCA and/or OJF)
Annotation:
• This should be a Problem / Incident
Change Management
Procedure (2)
Working to model the data required for Change Management
Dates
• Start: Nov 2nd, 2012
• MS1: Dec 19, 2012 (completed)
– “Transfer Keys” > IST in APEX + NEXUS at
highest level.
• MS2: April 30, 2013
– “Work Complete” > By this point IST is only
party working at top-level of APEX + NEXUS.
Everything is documented.
Dates
• MS3: June 14, 2013
– “Project Complete”
• MS4: June 28, 2013
– “Project Closing Complete”