$Id: andrew.txt,v 1.1.1.1 2003/02/25 19:35:04 wcw Exp $

---------
ChangeLog
---------

0.1 - 04/03/02 - Initial version

------------
1.0 Overview
------------

This document describes the features and options that Computing Services plans to provide for Windows machines joined to the Andrew forest. Machines that do not exist in any Windows forest are not relevant in this discussion.

---------------------
2.0 Base Differential
---------------------

At the core, the ANDREW forest provides linkages between Windows identities and the Andrew ID. Computing Services plans to focus on development and delivery of services in this forest and has no plans to provide additional Windows forest functionality outside of this forest. In short, your Andrew identity will only be useful in this forest and no other forest. Anything existing in other forests will not be implemented by Computing Services.

------------------
3.0 Forest Options
------------------

The two forest options are to have your own domain within the forest or to participate in the primary Andrew domain.

3.1 Having your own Domain
--------------------------

** I don't think we want to initially roll this out unless there is
** clear demonstrated demand but figured to put it on the floor as an
** option.

The main benefit of this option is that you will not be limited by the namespace. However, given the security issues discussed in XXX, you will not have domain administrator access nor will the department have physical access to this machine. We can distribute these machines between Wean and Cyert but that's the best option currently available. This service will be offered on a cost recovery basis and pricing will be provided as all needs and requests are evaluated.

This is not the recommended approach.

3.2 Participating in the Primary Domain
---------------------------------------

This is the Computing Services supported and recommended choice for Windows machines.
The Windows machines in the Computing Services clusters use this option. Computers will be created in a default Organizational Unit (OU). Other OUs will be created to allow customizations.

The issues to note with this approach are:

1) You will not be able to create your own users as this is a shared namespace. If you need IDs they will need to be created as sponsored accounts.

** We're already looking at ways (as part of the whole portal foo) to
** allow "loosely affiliated" ids. This depends on the funding and
** timeline of the portal project.

2) You may not be able to create global Windows groups.

** The exact group mechanism system is still being discussed. We may
** be providing global groups via LDAP or AFS pts and provide some
** form of central group management.

3) You will not be able to automatically change the global schema. Some applications may require this in order to work, like Exchange.

4) Only Kerberos services will be available. NTLMv2, NTLMv1, etc. will not be available. This means that any service that does not support Kerberos (e.g. Exchange) will not be usable in this forest.

-------------------------------------------
4.0 Joining a computer to the Andrew Forest
-------------------------------------------

1. Register the machine in Netreg and set the domain suffix to ANDREW.WIN.CMU.EDU if you are in the primary Andrew domain.

2. In Netreg there will be a plugin that allows machines to be joined to the primary ANDREW domain. When activated, the plugin performs the following actions:

   . creates the computer object
   . sets the ACLs appropriately (whatever that means)

** The exact UI has yet to be defined.

3. Once the object is created in the Active Directory, the user can then join the machine to the domain using his password.

** How do you do this krb bootstrap? Some program to download that sets
** the registry foo so you can then do the auth?
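The following PowerShell script is an added example, not part of this Computing Services document and not a tool Computing Services provides. It covers the client side of the join procedure in section 4.0 (steps 1 and 3; step 2, the Netreg plugin, is assumed to have already created the computer object) and then checks the Kerberos-only point from section 3.2 item 4: that the machine actually holds a Kerberos ticket for the realm and is not configured to fall back to NTLM, which this forest does not serve. The OU path is a placeholder; the domain name ANDREW.WIN.CMU.EDU is taken from the document; the Resolve-DnsName, Get-CimInstance, Add-Computer cmdlets, klist.exe and the LSA registry values used are standard Windows components, not anything specific to the Andrew forest.

```powershell
# Added example (not from the Computing Services document). Client-side join
# to the primary ANDREW domain plus a Kerberos-only verification.
# Assumptions: the Netreg plugin already created the computer object, and
# $OUPath below is a placeholder for the departmental OU.

$Domain = 'ANDREW.WIN.CMU.EDU'                            # from the document
$OUPath = 'OU=<DEPT-OU>,DC=ANDREW,DC=WIN,DC=CMU,DC=EDU'   # placeholder OU

# Pre-join check: the KDC and LDAP SRV records for the domain must resolve.
# If they do not, step 1 (Netreg registration / DNS suffix) is probably
# wrong and the join cannot locate a domain controller.
function Test-AndrewDnsBootstrap {
    param([string]$DomainName = $Domain)
    $ok = $true
    foreach ($svc in '_kerberos._tcp', '_ldap._tcp') {
        $name = "$svc.$DomainName"
        $rec  = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue
        if ($rec) {
            $targets = ($rec | Select-Object -ExpandProperty NameTarget) -join ', '
            Write-Host "OK      $name -> $targets"
        } else {
            Write-Warning "MISSING $name (check DNS suffix / Netreg registration)"
            $ok = $false
        }
    }
    return $ok
}

# Step 3 of section 4.0: the user joins the machine with their own credentials.
# The computer object already exists, so -OUPath is only consulted if the
# object were missing; it is kept as a guard against creating it elsewhere.
function Join-AndrewDomain {
    param([string]$DomainName = $Domain, [string]$OU = $OUPath)
    if (-not (Test-AndrewDnsBootstrap -DomainName $DomainName)) {
        throw "KDC/LDAP SRV records for $DomainName not found; fix DNS before joining."
    }
    $cred = Get-Credential -Message "Andrew ID used to join $DomainName"
    Add-Computer -DomainName $DomainName -OUPath $OU -Credential $cred -Force
    Write-Host "Joined $DomainName. Reboot, log on with the Andrew ID, then run Test-AndrewKerberosOnly."
}

# Post-join check, run after logging on with the Andrew ID:
#  - the machine reports membership in the domain,
#  - the logon session holds a Kerberos TGT (krbtgt/REALM) for it,
#  - LSA policy does not permit NTLM fallback (the forest offers no NTLM
#    service, so a client that tries NTLM only fails later and noisily).
function Test-AndrewKerberosOnly {
    param([string]$DomainName = $Domain)
    $cs     = Get-CimInstance -ClassName Win32_ComputerSystem
    $joined = $cs.PartOfDomain -and ($cs.Domain -ieq $DomainName)

    # klist prints the current session's Kerberos tickets; a TGT appears as krbtgt/REALM.
    $tgtLines = (& klist.exe 2>$null) -match "krbtgt/$([regex]::Escape($DomainName))"

    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lm   = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    $ntlm = (Get-ItemProperty -Path "$lsa\MSV1_0" -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic

    [pscustomobject]@{
        JoinedToAndrew       = [bool]$joined
        HasKerberosTGT       = [bool]$tgtLines
        LmCompatibilityLevel = $lm    # 5 = send NTLMv2 only, refuse LM and NTLM
        RestrictSendingNTLM  = $ntlm  # 2 = deny all outgoing NTLM authentication
        KerberosOnly         = ([bool]$joined -and [bool]$tgtLines -and ($ntlm -eq 2))
    }
}

# Usage (interactive, requires local administrator rights for the join):
#   . .\Join-Andrew.ps1
#   Join-AndrewDomain          # then reboot and log on with the Andrew ID
#   Test-AndrewKerberosOnly    # expect JoinedToAndrew, HasKerberosTGT, KerberosOnly all True
```

Test-AndrewKerberosOnly is deliberately read-only: it reports the two LSA values rather than setting them, so the departmental administrator can see whether the client's policy already matches the forest's Kerberos-only rule before deciding whether to push the setting by Group Policy. A machine that is joined and holds a TGT but shows RestrictSendingNTLM other than 2 will work against Kerberos services but will still attempt NTLM to anything that asks for it, which in this forest simply fails.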
--------------------------------
2.0 Core Features Delivered Today
--------------------------------

* Andrew ID/Single sign on
* Departmental OU creation
* "Core" software automatically installed

-------------------------------
3.0 Features Delivered Tomorrow
-------------------------------

* Per Person OU for multiple machine config?
* Windows AFS support
* Roaming profiles
* Laptop support
* Windows/LDAP group synchronization
* Bunches of software available from Add/Remove Programs
* Automatic notification of new software
* Forced updates of software older than a specific version