
Page 1: Windows 2000 and Active Directory Services at UQ Scott Sinclair Senior Systems Programmer Software Infrastructure Group s.sinclair@its.uq.edu.au

Windows 2000 and Active Directory Services at UQ

Scott Sinclair

Senior Systems Programmer

Software Infrastructure Group

s.sinclair@its.uq.edu.au

Page 2

Presentation Overview

• The Players

• The Field

• The Rules

• The Prizes

• Active Directory in practice at UQ

• Resources and references

• Questions?

Page 3

The Players

• Windows 2000 Advanced Server

– Provides Active Directory Services

– DCPROMO

• MIT Kerberos or equivalent – Solaris.

• Windows 2000 Professional Clients

• Downstream ‘Domains’

– Sorry… but it’s the future (well maybe…)

Page 4

The Field

• Physically

– University Campus Network.

– Typically high-speed switched.

– Reliable.

– Multiple ‘sites’ – campuses.

– Windows 2000 Professional-class desktops.

• Politically

– Multiple faculties, departments, colleges etc.

– Multiple rules for resource access.

– Existing (and rigid) structure.

Page 5

The Rules

• Kerberos 5 (RFC 1510)

– ‘extended’ by Microsoft.

– “Microsoft did not rewrite the Kerberos system - Microsoft filled in what had been left blank in the standard”

– "You can keep your existing Kerberos investment in place and introduce Windows 2000 incrementally”

• Windows 2000 Forest and Trees

– includes ‘mixed mode’ to deal with existing NT 4 Domains etc. (NTLM vs. Kerberos Auth)

Page 6

The Prizes

• Single Sign-On – Authentication and Authorisation

• Centralised account management and maintenance (if required or wanted)

– But not enforced on downstream domains.

• Standardisation across campus networks.

• Reduced administration overhead.

• Increased (and/or enhanced) resource usage.

• On demand software installation (MSI).

• Microsoft’s idea of LDAP – and more.

Page 7

Active Directory in practice

Page 8

Case Study

• Engineering, Physical Sciences and Architecture

• 3 Labs

• 120 Windows 2000 Professional Clients

• 500 – 1000 user accounts (potentially)

• 23 Software Packages

• 12 Printers

• Shared User space

Page 9

Previously…

• Obtain class lists from each subject code.

• Automagically create required accounts based on some unique ID – scripts, passwords, printing.

• Create policies and resource allocation based on class lists and availability.

• Print and distribute as required.

• Wait…

• Begin dealing with users – or let support staff.

Page 10

Sound familiar?

• I forgot my password.

• Why do I have two passwords?

• Why do I have two usernames?

• Which password do I use?

• I can’t print to printer ‘X’.

• I can’t login.

• I forgot my password – again.

Authentication and Authorisation are the issues…

Page 11

Existing UQ Infrastructure

• Kerberos 4 central account repository.

• myUQ Web Portal.

• Student, Staff and ‘External’ systems.

– POP3, IMAP, FTP, Web Servers…

• Dial-in modem banks.

• SQUID proxies.

• PRISM.

• Unix, Apple Macintosh and other existing labs.

• LDAP Directory – as discussed earlier.

Page 12

Active Directory methodology…

• All accounts already stored in the Active Directory repository… imported from LDAP store (more…)

• Create appropriate OU structure based on faculty subject codes, etc. (similar to NT4 procedure – schema snap-in).

• Set up local Windows 2000 Servers and Unix hosts for cross-realm authentication.

• Set up local Windows 2000 Servers to authenticate via Kerberos to Unix K5 Servers - (ksetup & ktpass).

Page 13

AD methodology (cont.)…

• Import user accounts from LDAP directory.

– LDIFDE (Lightweight Directory Access Protocol Interchange Format) imports.

– CSVDE (Comma separated).

– For total control - ADSI, VB etc. or best of all – Perl.

– Typically around 15 minutes for 8000 accounts
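As an added example (not from the presentation or UQ's own scripts), the kind of generator a class-list import would use to produce an LDIFDE file for the subject-code OU structure on the previous page and the account import above; the forest DN, UPN suffix and class-list rows are assumed, and the file follows RFC 2849 encoding rules and creates the accounts disabled so nothing can log on before a password is set.

```python
import base64
import csv
import re

# Constructed sample class list (not UQ data): unique id, names, subject code.
CLASS_LIST = """uid,given,surname,subject
s1234567,Alice,Nguyen,ENGG1000
s7654321,Bob,O'Brien,PHYS1001
s1122334,Carla,Müller,ENGG1000
"""
BASE_DN, UPN_SUFFIX = "DC=example,DC=edu", "example.edu"  # assumed, not UQ's
SAFE_ID = re.compile(r"^[A-Za-z0-9]{1,20}$")

def safe_id(value):
    """Ids become RDN values; reject anything that would need RFC 2253 escaping."""
    if not SAFE_ID.match(value):
        raise ValueError(f"DN-unsafe identifier: {value!r}")
    return value

def ldif_attr(attr, value):
    """One RFC 2849 attribute line; base64 ('::') when not a SAFE-STRING."""
    if not value.isascii() or value[:1] in (" ", ":", "<") or value.endswith(" "):
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"

def ou_entry(subject, base_dn=BASE_DN):
    """One OU per subject code, mirroring the class-list-driven OU layout."""
    return "\n".join([f"dn: OU={safe_id(subject)},OU=Students,{base_dn}",
                      "changetype: add", "objectClass: organizationalUnit",
                      f"ou: {subject}"]) + "\n"

def user_entry(row, base_dn=BASE_DN):
    """User in its subject OU, created disabled (514 = NORMAL_ACCOUNT |
    ACCOUNTDISABLE) so it cannot log on until a password is set separately."""
    uid, subject = safe_id(row["uid"]), safe_id(row["subject"])
    return "\n".join([
        f"dn: CN={uid},OU={subject},OU=Students,{base_dn}",
        "changetype: add", "objectClass: user",
        ldif_attr("cn", uid), ldif_attr("sAMAccountName", uid),
        ldif_attr("userPrincipalName", f"{uid}@{UPN_SUFFIX}"),
        ldif_attr("givenName", row["given"]), ldif_attr("sn", row["surname"]),
        ldif_attr("displayName", f"{row['given']} {row['surname']}"),
        "userAccountControl: 514"]) + "\n"

def build_ldif(csv_text):
    """Whole import file: every subject OU first, then the users."""
    rows = list(csv.DictReader(csv_text.splitlines()))
    out = [ou_entry(s) for s in sorted({r["subject"] for r in rows})]
    return "\n".join(out + [user_entry(r) for r in rows])
```

The output is what `ldifde -i -f students.ldf` consumes; passwords are deliberately not in the file, since Active Directory only accepts a unicodePwd write over an encrypted LDAP session, so that is a separate step before the accounts are enabled.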

Page 14

AD methodology (cont.)…

• After imports completed…

– Allocate resources based on OU’s, GPO’s etc.

– Assign permissions to resources.

– Test and re-test.

– Hope and pray.

Page 15

Results…

• Problems with password SALT.

• Windows 2000 Active Directory doesn’t like dealing with Kerberos 4 Unix implementations.

• Works perfectly… provided you use Kerberos 5!

Page 16

The future implementation

• Upgrade to Kerberos 5 – password change.

• Improved functionality of the Kerberos protocol.

• Windows 2000 Active Directory enabled campus.

• Single Sign On.

• All the other benefits mentioned earlier.

Page 17

Resources

• Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability

http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

• Active Directory Services for Windows 2000 Technical Reference (ISBN 0-7356-0624-2).

• Microsoft Curriculum

– 2154A – Implementing and Administering Microsoft Windows 2000 Directory Services.

– 1561B – Designing a Microsoft Windows 2000 Directory Services Infrastructure.