The Active Directory consolidation project aims to consolidate the campus into a single Active Directory for teaching and administration purposes.
Active Directory is Microsoft’s directory, a sort of phone book which holds lists of computers and users with associated attributes. For users, it contains attributes with information like passwords (irreversible hashes), home directory pointers, preferred Email addresses, and groupings that declare one a student, a member of one or more departments, or a member of other lists which might grant access to certain databases or other resources.
Three existing Active Directories (ADS, Artsfaculty and Nexus) will be folded into one: Nexus. The merged directory will contain all users on campus, and will be used to manage access to many campus databases, SharePoint servers, wireless access, Email, and directly manage at least 6,000 campus workstations.
The project is being led by Erick Engelke, Director of Engineering Computing, and the project team is well represented by IST and IT staff from the faculties.
We are at a long-anticipated milestone: within hours WatIAm will be provisioning accounts into nexus as well as ADS.
· WatIAm will take a week or more to fully catch up with all existing accounts.
· WatIAm is connected to (some) faculty fileservers to provision new user accounts as needed; on others a script needs to be run.
· Issues have been resolved for special cases:
   o Co-op students employed on campus will move in AD location, but will retain their home resources
   o Student transfers, or subsequent grad studies, will result in users and their resources moving
   o Faculty and staff transfers will result in a warning message to system administrators noting that their resources should move, and decisions should be made about their group memberships
· Exchange (connect.uwaterloo.ca) is now using nexus authentication.
· IST fileservers for home directories and profiles are in place and in use for academic support, Faculty of Environment and AHS.
· 196 workstations have been migrated from ADS to nexus; this is more than 10% of ADS now converted.
The first 100 or so are the hard ones where you learn the challenges. The rest will be much easier.
See also my blog entry: http://engineeringcomputing.blogspot.com/2012/01/tail-of-two-domains-limited-time.html
The project is progressing well
· All 250,000 user accounts and group affiliations from ADS have been copied to nexus or merged with nexus accounts, including passwords. ADS users can log into nexus seamlessly.
· Passwords are automatically synchronized: changing a password in ADS copies that change to nexus.
· WatIAm is weeks away from automatically creating accounts in nexus as it already does in ADS. Once this is complete, nexus will always have every active campus userid and password, so we can start moving databases and corporate systems.
· Group policy objects (part of software delivery) are copied from ADS to nexus in anticipation of sets of workstations starting to be moved from ADS to nexus. There are approximately 2,000 workstations to move; as we ramp up the conversions we will grow more confident and streamlined in this operation.
Initial stages of the project were to identify challenges, create a design for the resultant directory, and test the transition technologies on separate test systems.
The week of July 25th, 2011 we will begin the first major steps on production systems. We will create trusts between ADS and Nexus.
The only noticeable effect for most people will be that the login screen will allow them to log into other domains that weren’t listed before. People are encouraged to not attempt to change their login domain.
This stage will be used to copy accounts from ADS to Nexus, but only for users who haven’t used Nexus in the year 2011, including those who have never used Nexus. Regular Nexus users will not be moved yet.
The timing of this stage allows us to prepare for freshmen students arriving for September. They already have ADS accounts for Quest; this will copy their accounts and passwords for use in the Nexus labs.
Future stages will involve:
· Enhancements to WatIAm, the system which manages userid creation on campus
· Merging accounts for those who frequently use Nexus and ADS
· Moving workstations and file servers to Nexus
· Moving specific technologies like SharePoint servers and wireless authentication to Nexus
· Moving corporate database systems to Nexus