Templates and Sample Forms
This section provides templates and samples that you can customize and use in the deployment process. These templates represent documents that are commonly used, such as change control requests and email notifications of software changes. Your organization may require you to use organization-specific versions of these documents.
Simplified Environment Analysis and Zone Design Template
This template provides a framework for the information that the deployment team should collect, analyze, and document in evaluating the existing network infrastructure and how it will change after deployment. Depending on your environment and requirements, you might need to collect additional information, but this template describes the most common elements with examples that you can adapt to your organization.
-
Introduction
Use this section to provide a brief overview of the deployment plan. For example, document the features you plan to deploy, any primary goals that might affect design decisions, and any dependencies or special considerations, such as activities that require change control approval or enhanced permissions.
-
Network architecture
Use this section to capture details about your existing network configuration and Active Directory architecture. For example, you might want to record information about the Active Directory site, forest, and domain controllers, including trust relationships and domain and forest functional levels, if applicable.
You might also include details about your DNS configuration, including whether you have more than one DNS namespace and any port requirements, firewall restrictions, and any network connectivity issues. For details about the default ports used, see Default ports for network traffic and communication.
-
Server Suite-managed computers
Use this section to provide details about the existing UNIX, Linux, and Mac OS X computers on which you plan to deploy the Server Suite Agent.
-
Provisioning process
Use this section to describe the process for provisioning computers, groups, and users.
-
Rights, roles, and role assignments
Use this section to describe the rights, roles, role assignments, and configuration policies you require. For example, if you use the sudo program and the sudoers file, use this section to document how rights and roles defined in the sudoers file and whether the sudoers file is managed locally on each computer or in a central location.
-
Zone architecture
Use this section to identify the Active Directory schema you are using and where Server Suite-related objects are located in the Active Directory forest.
-
Deployment preparation in Active Directory
Use this section to summarize the deployment of Server Suite components into the existing Active Directory forest and domain.
-
Windows installation
Use this section to describe how zones will be created and configured.
-
UNIX deployment
Use this section to describes the deployment of Server Suite Agents on UNIX computers.
-
Group Policies
Use this section describes the group policies that will be deployed for UNIX computers.
Change Control Request Form
Most larger organizations require a formal change request to be submitted for any changes to Active Directory. The purpose of this template is to illustrate a request for creating new Active Directory organizational units, groups, and users. If the deployment team is not allowed to add UNIX groups and group members to Active Directory after the organizational structure if created, it is likely the project will experience delays.
Computer:
Change Requested:
Approved By:
Test Case Matrix Sample
To validate the pilot deployment, most organizations execute at least some formal testing of features and functionality. The purpose of this template is to suggest a basic set of test cases to execute that apply to most environments. These test activities apply to setting up your environment, installing the software, and performing common administrative tasks. You can skip any activities that don’t apply to your organization.
Testing Matrix
| Activity | Remarks | Date |
|---|---|---|
| Create the OU Structure with a script or manually | Active Directory setup activities | |
| Create the OU Permissions with a script or manually | ||
| Create Security Groups with a script or manually | ||
| Create Distribution Groups with a script or manually | ||
| Create the Zones Container with the Setup Wizard, a script, or manually | ||
| Create the Licenses Container with the Setup Wizard, a script, or manually | ||
| Create the service account for the Zone Provisioning Agent | ||
| Update the local or domain policy to allow the Zone Provisioning Agent service to Log on as a service right | ||
| Deploy the agent on computers | ||
| Create a zone with a script or Access Manager console | Access Manager console activity | |
| Delegate zone control with a script or using the Delegate Zone Control Wizard | ||
| Pre-Create Computer account | ||
| Import UNIX groups from group files or group NIS maps | ||
| Resolve mapping issues | ||
| Import UNIX users from passwd files or passwd NIS maps | ||
| Assign interactive users to the UNIX Login role | Authorization activities | |
| Assign users who need profile but not access to the listed role | ||
| Join computers to the domain using adjoin | You should prepare for migration and create one or more initial zones before you join the domain. | |
| Configure root-equivalent rights | ||
| Configure root-equivalent replacement role | ||
| Add an Active Directory group for the role | ||
| Test role access | ||
| Test role privileges control | ||
| Identify current management process (manual or automated) | UID consolidation activities | |
| Document the new management process | ||
| Define the business rule for assigning UIDs (for example, SID) | ||
| Identify active users to preserve, migrate, and keep | ||
| Run adfixid to change file ownership | ||
| Identify current management process (manual or automated) | GID consolidation activities | |
| Document the new management process | ||
| Define the business rule for assigning the primary GID values (for example, GID) | ||
| Identify the Active Directory groups for primary GID assignments | Domain Users | |
| Validate Active Directory log on credentials | User login activities | |
| Validate successful access to UNIX, Linux, Mac OS X | ||
| Validate successful application usage | ||
| Validate password complexity policy | ||
| Validate account lockout policy | ||
| Validate role enforcement | ||
| Validate single sign on | ||
| Validate password reset | ||
| Test period users validated | Clean up activities | |
| Test period groups validated | ||
| Test period roles validated | ||
| Run adrmlocal to remove local accounts |
Preliminary Software Delivery Notification Email Template
The purpose of this template is to notify users that they are scheduled to receive new software that will be delivered to their computers. This email notice should include a specific delivery date or a time frame estimate, if possible. Although you can delete this information from the email message you send out in your organization, this notice is most effective if users know specifically when the change is scheduled to occur. You can also customize the specific requirements or objectives that Server Suite is helping your organization achieve.
Colleagues:
The [Department Testing Server Suite] has successfully completed testing of the Server Suite software and is ready to begin the deployment portion of the project. The target date for deployment is [Scheduled time].
Deployment of this software will greatly enhance our ability to comply with multiple industry requirements to include [List objectives, such as: PCI, Sarbanes-Oxley compliance, Internal/External Security Audit, specific organization initiatives]. These requirements are in alignment with prioritized corporate business objectives.
The Server Suite software enables the streamlining of authentication, access controls and privileges, and auditing for all corporate IT systems. For the most part, deployment and streamlined authentication and authorizations services occurs “behind the scenes” with minimal, if any, user disruption. You should not notice any operational changes when the software is deployed to your computer.
Thank you for your cooperation,
[IT Department Signature]
Department-specific Announcement and Instructions Email Template
The purpose of this template is to notify users in a specific department that they are scheduled to transition to using Server Suite for authentication and authorization. This email notification indicates that you plan to join the computers in the department to an Active Directory domain during down time. Depending on your organization’s policies, this email may suggest users log on with their Active Directory credentials or explicitly state that they can continue to log on with their existing credentials.
Colleagues:
The [Specific department you are deploying to, such as: Accounting Department] is scheduled to begin the transition to Server Suite next week. In order to ensure a smooth transaction we simply ask that you log off of all systems before leaving for the weekend. When you return to work the following week, you should [be able to log on with your current user name and password].
If you experience any difficulties logging on, or with application connectivity, please submit a ticket or contact the support desk immediately. Several members of each department helped the IT team perform successful testing and validation of this new solution, and we anticipate a smooth transition.
Thank you for your cooperation,
[IT Department Signature]
General Announcement and Deployment Schedule Email Template
The purpose of this template is to notify a broader user community of the deployment schedule for multiple departments across the company. This sample also illustrates the type of notes you can incorporate into the email message to keep other groups informed of their status. The general announcement may also include portions of the other two email templates. For example, you may want to include the objectives the transition to Server Suite helps the company achieve or the instructions to use current or Active Directory credentials after migration.
Colleagues:
At the completion of the week, the [Server Suite Deployment Project Team] will allocate first response resources to the next department scheduled for deployment.
This is the schedule coordinated with the Department Heads throughout the company:
| Date | DEPARTMENT | REMARKS |
|---|---|---|
| 9 May 2017 | Information Technology | |
| 16 May 2017 | Accounting | |
| 23 May 2017 | Marketing | Pending EOQ Reports |
| 30 May 2017 | Security | |
| 6 Jun 2017 | Sales | |
| 13 Jun 2017 | Executive | |
| 20 Jun 2017 | PMO | |
| 27 Jun 2017 | Data Warehouse | Pending EOQ Reports |
| 3 Jul 2017 | Training | |
| 10 Jul 2017 | Business Development | |
| 17 Jul 2017 | Audit |
The IT Department would like to thank everyone to date for their work on this project, and look forward to a successful deployment. If you have any questions, please submit them to the [Server Suite_project] distribution list and include your contact information. We will respond with answers or contact you directly for more information.
Sincerely,
[IT Department | Server Suite Deployment Project Team]
Deployment Team Task Checklist
Before you install the pilot deployment, you should prepare a deployment checklist to ensure you have the information you need to successfully complete the deployment. For example, you should review port requirements, verify DNS resolution, and create one or more spreadsheets that describe the user and group accounts to be imported and any special relationships, such as membership in specific groups that need to be preserved or any special configuration you want to implement.
Creating a deployment checklist is optional, but can help you to collect detailed information about each of the computers targeted for deployment.
The following example illustrates information you can collect and record in a deployment team task checklist.
| Preparing computers for deployment | |
|---|---|
| Operating system, version, and patch level for target computers | |
| Host name and IP address for target computers | |
| Current disk space for target computers | |
| Review the details of the current DNS configuration For example: Is the address resolved through a UNIX DNS server, Windows DNS server, or settings in the /etc/hosts and /etc/resolv.conf files? Is the computer using a DNS server that has SRV records for Active Directory domain controllers? Are UNIX subnets registered and associated with Sites in Active Directory? Are you using a disjointed DNS namespace, where a UNIX computer name may be server.company.com but the Active Directory domain name is server.windows.company.com? Are you using DNS aliases and do they resolve correctly? Are there multiple network interfaces (NIC) in use? | |
| Current network time provider (NTP) For example, does the computer use a different server to determine the time than the Active Directory domain controller? | |
| Current firewall configuration For example, are there any firewalls blocking required ports between the UNIX computer and the Active Directory domain controllers for the registered sites? | |
| Current applications and services For example, do you have Perl, Samba, or OpenSSH deployed? Are the versions you have compatible with the Server Suite Agent or—if a Server Suite version is available—to be replaced by versions provided by Server Suite? Do you have existing authentication providers deployed? Are existing applications and services Kerberos-enabled or PAM-enabled? Are there other applications that require local users or groups? | |
| Current source of user and group information For example, are the /etc/passwd and /etc/group files the only source of user information for the users who access this computer or other identity stores, such as existing LDAP servers or NIS domains, used? Are there any specific users or groups that should remain locally defined? | |
| Current NSS configuration For example, have you reviewed the contents of the nsswitch.conf file to check for other sources of user and group information? | |
| Connectivity between this computer and the domain controller For example, is there a reply from the domain controller when you run the ping command? | |
| User names and UIDs checked for conflicts across the target group | |
| Zone requirements analyzed for the target group | |
| Zone identified for this computer | |
| Server Suite Agent installed and the computer joined to the domain | |
| Groups allowed or denied access identified for this computer | |
| Existing users and groups for this computer imported into Active Directory | |
| Imported user and group profiles mapped to Active Directory accounts | |
| Allowed or denied groups configured using parameter values or group policy |
If you use a deployment checklist, you can also include additional notes and details about the activities performed. For example, a partially completed checklist might look something like this:
| Preparing computers for deployment | |
|---|---|
| Operating system: Sun Solaris 10 with all patches applied (17-April-2017) | |
| Host name and IP address: aspen, 177.29.10.10 | |
| Current DNS configuration: Resolved through the enterprise DNS server, spider.ajax.org | |
| Current time source is NTP server: ntpd on solstice.ajax.org Change for deployment: Use SNTP on the Active Directory domain controller | |
| Current firewall configuration: No port issues | |
| Existing OpenSSH version to be replaced, no other issues found. | |
| Current source of user and group information: /etc/passwd, /etc/group, and NIS domain nwest03 have users who access aspen | |
| Connectivity with the domain controller: Verified by JR (2-May-2011). | |
| User names and UIDs checked for conflicts across the target group: Analyzed by JR and DC (4-May-2017). | |
| Zone requirements analyzed for the target group: Zones required for the target group are nwest01, swest02, corp-main, and nwest03 (9 May 2017). SF to recommend new extended zone descriptions for approval. | |
| Zone identified for this computer: nwest03 | |
| Server Suite Agent installed and the computer joined to the Active Directory domain: dc3colorado.ajax.org, OU: US-UNIX-Computers | |
| Groups allowed r denied access identified for this computer: Allowed access group—all_employees, oracle_sys Denied access—consultants, temps | |
| Existing users and groups for this computer imported into Active Directory: Completed by DC (20-May-2017). | |
| Imported user and group profiles mapped to Active Directory accounts: Work complete for users and groups that already had matching Active Directory candidates. Work in progress for the remaining profiles without any matching Active Directory candidate. Target date for completion: 31-May-2017 | |
| Allowed or denied groups configured using parameter values or group policy: TBD |
