Table of Contents
GWDG's Active Directory
The Active Directory forest (abbreviated AD) comes from GWDG's PC-Network and has always evolved over the years. Its structure is divided into different domains. A domain is an organizational construct that manages and networks computer and user. Such integration enables centralized administrative management and the use of shared resources. The allocation of administrative privileges can also be limited by the parts of a domain structures, so-called Organizational Units (OU).
The most significant feature of the Active Directory structure is the “single sign on”. This allows a user with a single authentication to access all hosts and services for which he is entitled, without having to log in each time. By default, each user has only one account. If a person multiple roles in the system, they can also use multiple accounts. An administrator has, for example, in addition to his normal user account an administrator account.
The aim is to facilitate access to resources on the network for users through centralized management of user IDs, computers and printers. At the same time it eases the workload and improves the support from the GWDG for the IT executives in the institutes.
Our AD-specific services:
- File Services: Every user has a directory on the file server GWDG to store his data, which is backed up daily. Upon request, common data areas for institutions or departments are set up.
- Printing Services: Documents to selectively print on specialty printers GWDG or the Institute printers
- Exchange Instructions: e-mail, calendar and address are common.
- SharePoint administrative services: That allow a very good document- and information-centric workgroup collaboration.
- The workplace environment: The institutes orient on our standard Windows workstation. In order to facilitate the management of jobs there are techniques such as Microsoft Windows Server Update Services (WSUS), Sophos Enterprise Console or the central software distribution who are used.
Connection to Active Directory
Inside the GÖNET
The Active Directory of the GWDG is accessible for users and computers within the entire GÖNET. From the local institutes, users can log in directly to the devices managed in the Active Directory with their GWDG account. During the login process, the familiar working environment is loaded with a GWDG ID from the user profile, which is stored on the Personal Drive of the user account. In addition, device and user settings (so-called group policies) are synchronized with the Active Directory and set during login. Thus, all important settings are made before starting work on the device and the user finds the familiar working environment.
Outside the GÖNET
However, if a device leaves the institute and is used from outside the GÖNET, no connection to the Active Directory can be established at the next login. The consequences are long waiting times during the login process and temporary profiles because the personal drive cannot be accessed. For these cases, the GWDG provides a VPN solution using the VPN client AnyConnect, which can be used before the user logon (so-called device VPN). The connection between the device and Active Directory is established by the software and the login works as usual. This VPN solution can be activated by institute administrators via policy and does not require any manual installation on the device.
After activation, another icon appears in the lower right corner of the Windows device login screen.
One click opens the AnyConnect window. Here a connection to the VPN service of the GWDG via vpn.gwdg.de (or alternative accesses, see Overview) can be established.
The GWDG registration data are required to establish the connection. The account that is to be used to log on to the Windows PC should be used here.
After the VPN connection is established, you can continue with the user login as usual.