Welcome - PowerPoint PPT Presentation

Provided by: gwmc
Transcript and Presenter's Notes

Title: Welcome


1
Welcome
2
Stay Connected with Microsoft Ireland
http://www.microsoft.com/ireland/technet
  • Stay connected by signing up for the new Irish
    TechNet Newsletter here: http://www.microsoft.com/ireland/technet/technetflash/
  • Get involved in local Microsoft Technology user
    groups; let me know if you're interested.
  • Just launched: TechNet Ireland, www.Microsoft.com/ireland/technet
  • Great event line-up next year!

3
Agenda
  • 9:30 Setting the scene: IOI
  • 9:45 Active Directory and IPSec
  • 11:00 Tea / Coffee
  • 11:15 MOM
  • 12:30 Lunch

4
A Crisis Of Complexity
5
Solving The Challenge: Infrastructure Optimization
6
Managed and consolidated IT infrastructure with maximum automation
Fully automated management, dynamic resource usage, business-linked SLAs
Managed IT infrastructure with limited automation
Uncoordinated, manual infrastructure
More Efficient Cost Center
Business Enabler
Strategic Asset
Cost Center
Based on the Gartner IT Maturity Model
7
Technology View of Model
8
Technology View of Model: One Example
Security, Networking & Monitoring
  • Limited Infrastructure
  • Lack of standardized security measures
  • Ad hoc management of system configuration
  • Limited to no monitoring of infrastructure
  • Defense-in-depth security measures widely
    deployed
  • Anti-malware protection (i.e. spyware, bots,
    rootkits, etc.)
  • Firewall enabled on desktops, laptops & servers
  • Secure wireless networking
  • Service level monitoring on desktops
  • IPSec used to isolate critical systems
  • Automated patch management (WU, Update Services,
    SMS)
  • Edge firewall with lock-down configuration
  • Standardized antivirus solution
  • Firewall enabled on laptops
  • New systems limited to those supported by IT
  • Defined set of standard basic images

Automated, central management of
  • Security updates for both clients & servers
  • Application compatibility testing
  • Client & server firewall mitigations
  • Application and image deployment
  • Server operations
  • Reference image system
  • Security event correlation

9
Technology View of Model: One Example
Desktop Lifecycle
  • Primary desktop OS is WinXP with images defined
    at corporate level
  • Reference Image managed manually
  • Automated software distribution, management and
    tracking
  • Zero touch upgrade and install
  • Application certification and compatibility
    testing
  • Automated reference image system connected to
    OEM partner
  • Automated patch management extended to servers
  • Automated application compatibility testing
  • Defined set of standard basic images
  • Multiple desktop OS still exist at department
    level
  • Automated patch management (WU, SUS, SMS)
  • Light touch upgrade and install
  • Departmental application testing
  • No standard OS image
  • All desktops are unique after deployment
  • Inconsistent patch management
  • Manually deploying and upgrading systems with
    DVDs or CDs
  • Limited or ad hoc application testing

10
Technology View of Model: One Example
Secure & Manageable Messaging
Unified directory infrastructure for access and messaging
Block SPAM at gateway and mailbox store
Server anti-virus that uses multiple scanning engines
Monitor messaging server health
  • Running any version of Exchange
  • Secure web-based e-mail access
  • Use an application-layer firewall to
    pre-authenticate web mail users before they reach
    the mailbox server

Security of mobile devices including remote reset and remote wipe
Detect potential service outages and receive alerts in advance
11
Technology View of Model: One Example
Data Protection & Recovery
  • Local user data stored randomly and not backed up
    to network
  • Any backup happens locally
  • No user state migration available for deployment
  • Standards for local storage in My Docs but not
    redirected or backed up
  • Any backup happens at workgroup level
  • Backup/restore on critical servers
  • Some automation of user state migration available
    for deployment
  • Users store data to My Docs and synched to
    server
  • Backup managed at company level
  • Backup/restore of all servers with SLAs
  • User state is preserved and restored for
    deployment
  • Self managed backup and restore on all servers
    and desktop data with SLAs

12
Technology View of Model: One Example
Identity & Access Management
  • Active Directory for Authentication and
    Authorization
  • Users have access to admin mode
  • Security templates applied to standard images
  • Desktops not controlled by group policy
  • Active Directory group policy and Security
    templates used to manage desktops for security
    and settings
  • Desktops are tightly managed
  • No server-based identity or access management
  • Users operate in admin mode
  • Limited or inconsistent use of passwords at the
    desktop
  • Minimal enterprise access standards
  • Centrally manage users provisioning across
    heterogeneous systems

13
Translating IOI into action
  • Garrett Wallis - Microsoft Consulting Services,
    Ireland

14
Know what you have
15
Measure impact of change
Point Solutions
Integration Standards Based Common Tools Strategically Aligned Exception Management
Core Applications
Server SAP Dev File Print Messaging Web
Client Messaging SAP Antivirus
Remote Control Office Internet FileNET Utilities
Support
Management
Security
File\Print\Fax Servers
Platform
Server Single Manufacturer Certified Installs Standard Build
Managed
Client Single Manufacturer Gold Build Version Control
Other devices (PDA, mobile, etc.)
File\Print\Fax Servers
Domain
Network Services DHCP etc.
Authentication AD, SSO, etc
Name Services DNS, WINS
Replication
Network
WAN
LAN
RAS
Internet
16
AD Forest, Domain and OU Design
  • Common Practices/Tips and Tricks

17
Forest/Domain Design
  • Majority of Active Directory Forests being
    implemented are single forest/single domain
  • separate development/pre-production forests
  • Multiple NT4 production domains collapsed into
    single domain
  • Significant impact on administration:
    centralised (some delegation of tasks)
  • Tip: Always start from single forest/single
    domain when planning
  • Try to avoid non-technical influences
  • Tip: Two things that negatively affect AD:
  • Bad replication design
  • Bad Group Policies

18
OU Design
  • OU creation based on:
  • Delegation of Administration
  • Application of GPOs
  • Increasing use of security/WMI filtering of
    GPOs
  • Choice of 3 basic models reflect:
  • Resources
  • Geography
  • BU Structure
  • Tip: use a top-level OU
  • Tip: moving objects between OUs affects:
  • GPOs applied
  • Scripts
  • Tip: Naming Conventions

19
Demo
  • Different OU Strategies

20
GPOs
  • Minimum should be:
  • Domain and Security policies
  • Automatic updates
  • Windows Firewall
  • Remote Desktop/Remote Assistance/Remote Control
  • Internet Explorer configuration
  • Restricted Groups
  • Office ADMs
  • Tip: Take as much configuration out of the
    standard build process into Group Policy as
    possible
  • Tip: netstat -ano
  • Tip: Disable unused portions of GPOs
  • Tip: Naming Conventions
  • Link: Group Policy Settings Reference for Windows
    Server 2003 with Service Pack 1

21
Demo
  • Group Policy application, and using security
    filtering in GPMC

22
IPSec
  • What's it about?
  • Ensure only managed/known devices communicate
    with each other
  • IPSec or 802.1x?
  • Gathering momentum with Networking teams; take
    control of the options!
  • What's achievable in standard environments?
  • Domain Isolation (full or partial)
  • Server Isolation in Isolated Domain
  • What is an IPSec Policy?
  • Filters to identify machines and protocols/ports
  • Actions to take when traffic matches a filter
  • Tip: Mandatory - Ensure that core domain traffic
    - Domain Controllers, WINS, DNS, DHCP etc. etc. -
    is filtered out and always allowed
  • Tip: Keep it simple, get comfortable
  • Link: IEEE 802.1X for Wired Networks and Internet
    Protocol Security with Microsoft Windows
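
The "Mandatory" tip above can be checked before a domain isolation policy is assigned. The following is an added example, not part of the original presentation: a small Python model of a filter/action policy that reports which infrastructure hosts lack an exemption. It assumes that the most specific matching filter wins and looks only at destination addresses; all names and addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Filter:
    name: str
    dst: str      # destination network, CIDR ("10.0.0.10/32" = one host)
    action: str   # "permit" = exempt from IPsec, "negotiate" = require IPsec

    def matches(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.dst)

    def specificity(self) -> int:
        return ipaddress.ip_network(self.dst).prefixlen

def decide(policy, ip):
    """Action for traffic to ip: the most specific matching filter wins;
    traffic that matches no filter is left alone (treated as permit)."""
    hits = [f for f in policy if f.matches(ip)]
    return max(hits, key=Filter.specificity).action if hits else "permit"

def unexempted(policy, infrastructure):
    """Roles whose traffic the policy would force through IPsec negotiation."""
    return sorted(r for r, ip in infrastructure.items()
                  if decide(policy, ip) != "permit")

# Constructed sample data: addresses and names are placeholders.
INFRA = {"dc1": "10.0.0.10", "dc2": "10.0.0.11",
         "dns-wins": "10.0.0.20", "dhcp": "10.0.0.30"}

POLICY = [
    Filter("Isolate domain subnets", "10.0.0.0/8", "negotiate"),
    Filter("Exempt DC1", "10.0.0.10/32", "permit"),
    Filter("Exempt DNS/WINS", "10.0.0.20/32", "permit"),
]

FIXED_POLICY = POLICY + [
    Filter("Exempt DC2", "10.0.0.11/32", "permit"),
    Filter("Exempt DHCP", "10.0.0.30/32", "permit"),
]

if __name__ == "__main__":
    print("missing exemptions:", unexempted(POLICY, INFRA))
    print("after fix:", unexempted(FIXED_POLICY, INFRA))
```

A host that cannot reach a domain controller in the clear cannot authenticate to negotiate IPsec in the first place, which is why a missing exemption for a second DC or the DHCP server matters.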

23
Demo
  • IPSec
  • Domain Isolation
  • Server isolation (if time permits)

24
Coffee Break
25
MOM
  • Why MOM (from a field perspective)?
  • Always asked: "What should we monitor in AD, or
    Exchange, or SQL?"
  • Answer: what MOM monitors
  • Knowledge driven: intended to supply the
    resolution with the problem
  • SO easy to integrate with other management tools
  • Dell OpenManage Server Administrator, HP Insight
    Manager
  • SLA evidence (Reporting)
  • Why implement a mission critical environment
    without MOM?
  • It isn't expensive
  • Tip: Check for MPs regularly
  • Tip: MOM on SQL SP4 gotchas

26
Demo
  • MOM install (ish!!)
  • MP import, including Dell, HP
  • Agent deployment
  • Reporting
  • Create a Management Pack!
  • Link: MOM 2005 Resource Kit

27
For a single server deployment of MOM 2005
  • Install Base OS - Windows Server 2003 Standard
    with SP1
  • Install IIS and ASP.NET (Add/Remove
    Programs...Windows Components...Etc.)
  • Get updates (WSUS, SMS, Microsoft Update,
    other...)
  • Create MOM and SQL Service Accounts, appropriate
    permissions and rights
  • Install SQL Server 2000 (default installation,
    but specify DB path)
  • Install SQL 2000 SP3a (SQL 2000 SP4 gotcha -
    KB902803)
  • Install SQL 2000 Reporting Services (SQL
    Reporting Services SP2 gotcha too - KB902804)
  • Install MOM Server - Check Prerequisites
  • Install MOM Reporting - Check Prerequisites
  • Install SQL 2000 Server SP 4
  • Install SQL 2000 Reporting Services Service Pack
    2

28
Additional Links
  • Service overview and network port requirements
    for the Windows Server system -
    http://support.microsoft.com/default.aspx?scid=kb;en-us;832017
  • MOM Management Packs -
    http://www.microsoft.com/management/mma/catalog.aspx
  • Windows Server System Reference Architecture -
    http://www.microsoft.com/technet/itsolutions/wssra/raguide/default.mspx
  • Windows XP Security Guide -
    http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx
  • Windows Server 2003 Security Guide -
    http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
  • What's New in Windows Server 2003 R2 -
    http://www.microsoft.com/windowsserver2003/r2/whatsnewinr2.mspx

29
Stay Connected with Microsoft Ireland
http://www.microsoft.com/ireland/technet
  • Stay connected by signing up for the new Irish
    TechNet Newsletter here: http://www.microsoft.com/ireland/technet/technetflash/
  • Get involved in local Microsoft Technology user
    groups; let me know if you're interested.
  • Just launched: TechNet Ireland, www.Microsoft.com/ireland/technet
  • Great event line-up next year!