
CalNetAD Planning Committee

May 17, 2007

2195 Hearst, 101A Conference Room, 11AM-12PM

Updated: 5/31/2007

Agenda

  1. KDC Conversion Update (Karl Grose)

  2. Domain GPO Changes (John Weber)

  3. New LDAP Signing Requirements (John Weber)

  4. Move User Changes (Michael Leefers)

  5. Synchronization Changes (Karl Grose)

  6. Other Business

Notes

KDC Conversion Update

Karl updated the group on CalNet's progress towards moving KDC functions from MIT Kerberos to the native Active Directory KDC. Over 54,000 accounts now have pass phrases synchronized between MIT and AD.

Domain GPO Changes

John stated that when the cutover to AD occurs, a domain-wide GPO will be set up to strip out the custom Kerberos keys in the registry that point to the MIT KDC. Users should still be able to use their UPN (username@BERKELEY.EDU) after this change is made, but more testing is needed.

New LDAP Signing Requirements

In accordance with the Campus Minimum Security Standards, CalNetAD will no longer accept simple LDAP binds over port 389. This will prevent the sending of clear-text credentials to the domain controllers. This change is scheduled to take place on June 5.
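OU administrators who run applications that bind to CalNetAD can confirm the new behaviour from a workstation with the following PowerShell check. This is an added example, not a script from the CalNet team; the domain controller name and the test account are placeholders, and it assumes that LDAPS on port 636 remains available for simple binds once the connection is protected by TLS.

```powershell
# Added example (not CalNetAD code): confirm that a domain controller refuses
# clear-text simple binds on 389 but still accepts a simple bind over LDAPS.
# $Dc and the prompted test account are placeholders; substitute your own.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-SimpleBind {
    param(
        [string]$Server,
        [int]$Port,
        [bool]$UseSsl,
        [System.Net.NetworkCredential]$Credential
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $UseSsl   # $true for LDAPS on 636
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic  # simple bind
    $conn.Credential = $Credential
    try {
        $conn.Bind()
        [pscustomobject]@{ Port = $Port; Ssl = $UseSsl; Result = 'accepted'; Code = 0 }
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # LDAP result code 8 (strongAuthRequired) is what a DC configured to
        # require signing returns for a simple bind on an unprotected connection.
        [pscustomobject]@{ Port = $Port; Ssl = $UseSsl; Result = 'refused'; Code = $_.Exception.ErrorCode }
    } finally {
        $conn.Dispose()
    }
}

$Dc   = 'dc1.example.edu'   # placeholder domain controller
$cred = (Get-Credential -Message 'Test account for the simple-bind check').GetNetworkCredential()

$plain = Test-SimpleBind -Server $Dc -Port 389 -UseSsl $false -Credential $cred
$ldaps = Test-SimpleBind -Server $Dc -Port 636 -UseSsl $true  -Credential $cred

$plain, $ldaps | Format-Table -AutoSize
if ($plain.Result -eq 'refused' -and $plain.Code -eq 8 -and $ldaps.Result -eq 'accepted') {
    'PASS: clear-text simple binds on 389 are rejected; simple binds over LDAPS still work.'
} else {
    'FAIL: the plain simple bind was accepted (or failed for another reason), or the LDAPS bind failed.'
}
```

On the domain controller side, the policy behind this behaviour is "Domain controller: LDAP server signing requirements" (the LDAPServerIntegrity value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, where 2 means "Require signing"). A refusal with a code other than 8 (for example 49, invalid credentials) means the test account, not the signing policy, is the problem.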

Move User Changes

Michael Leefers demonstrated a new web application to move CalNet accounts into managed OUs. This application will also allow OU administrators to move the accounts back into the default (FSA) OU in CalNetAD. An OU admin who uses this application will also now need to have CalNet deputy privileges over the particular user's processing unit. Some CalNetAD OU administrators expressed concern about becoming deputies.

Synchronization Changes

Karl proposed some new synchronization enhancements. Instead of deleting a CalNet account when the user drops out of the CalNet name space, the synchronization process will instead move the user to a hidden "expired" OU. This is to prevent the accidental deletion of an active account by the synchronization process.

The second change is in how the synchronization process handles sAMAccountName collisions. Instead of skipping collisions, these accounts will be moved into a restricted container to be corrected. The CalNetAD Enterprise Administrators will handle these collisions on a case-by-case basis to inform OU administrators of proper account provisioning procedures.

There is no ETA on when these changes will be made to production.

Other Business