Windows 2000 and Active Directory Services at UQ
Scott Sinclair, Senior Systems Programmer
Software Infrastructure Group
Presentation Overview
• The Players
• The Field
• The Rules
• The Prizes
• Active Directory in practice at UQ
• Resources and references
• Questions?
The Players
• Windows 2000 Advanced Server
– Provides Active Directory Services
– DCPROMO
• MIT Kerberos or equivalent – Solaris.
• Windows 2000 Professional Clients
– Downstream ‘Domains’
– Sorry… but it’s the future (well maybe…)
The Field
• Physically
– University Campus Network.
– Typically high-speed switched.
– Reliable.
– Multiple ‘sites’ – campuses.
– Windows 2000 Professional-class desktops.
• Politically
– Multiple faculties, departments, colleges etc.
– Multiple rules for resource access.
– Existing (and rigid) structure.
The Rules
• Kerberos 5 (RFC 1510)
– ‘extended’ by Microsoft.
– “Microsoft did not rewrite the Kerberos system - Microsoft filled in what had been left blank in the standard”
– "You can keep your existing Kerberos investment in place and introduce Windows 2000 incrementally”
• Windows 2000 Forest and Trees
– includes ‘mixed mode’ to deal with existing NT 4 Domains etc. (NTLM vs. Kerberos Auth)
The Prizes
• Single Sign-On – Authentication and Authorisation
• Centralised account management and maintenance (if required or wanted)
– But not enforced on downstream domains.
• Standardisation across campus networks.
• Reduced administration overhead.
• Increased (and/or enhanced) resource usage.
• On demand software installation (MSI).
• Microsoft’s idea of LDAP – and more.
Active Directory in practice
Case Study
• Engineering, Physical Sciences and Architecture
• 3 Labs
• 120 Windows 2000 Professional Clients
• 500 – 1000 user accounts (potentially)
• 23 Software Packages
• 12 Printers
• Shared User space
Previously…
• Obtain class lists from each subject code.
• Automagically create required accounts based on some unique ID – scripts, passwords, printing.
• Create policies and resource allocation based on class lists and availability.
• Print and distribute as required.
• Wait…
• Begin dealing with users – or let support staff.
Sound familiar?
• I forgot my password.
• Why do I have two passwords?
• Why do I have two usernames?
• Which password do I use?
• I can’t print to printer ‘X’.
• I can’t login.
• I forgot my password – again.
Authentication and Authorisation are the issues…
Existing UQ Infrastructure
• Kerberos 4 central account repository.
• myUQ Web Portal.
• Student, Staff and ‘External’ systems.
– POP3, IMAP, FTP, Web Servers…
• Dial-in modem banks.
• SQUID proxies.
• PRISM.
• Unix, Apple Macintosh and other existing labs.
• LDAP Directory – as discussed earlier.
Active Directory methodology…
• All accounts already stored in the Active Directory repository… imported from LDAP store (more…)
• Create appropriate OU structure based on faculty subject codes, etc. (similar to NT4 procedure – schema snap-in).
• Set up local Windows 2000 Servers and Unix hosts for cross-realm authentication.
• Set up local Windows 2000 Servers to authenticate via Kerberos to Unix K5 Servers - (ksetup & ktpass).
AD methodology (cont.)…
• Import user accounts from LDAP directory.
– LDIFDE (LDAP Data Interchange Format Directory Exchange) imports.
– CSVDE (Comma separated).
– For total control - ADSI, VB etc. or best of all – Perl.
– Typically around 15 minutes for 8000 accounts
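As an added example (not the import script used at UQ, and not part of the original slides), the following Python program turns a constructed class list into an LDIF file that `ldifde -i -f students.ldf` can load. The base DN, the lab OU, the UPN suffix and the four sample students are all assumptions. It shows the details that make bulk imports fail in practice: RFC 2253 escaping of commas in CNs, RFC 2849 base64 encoding for non-ASCII values and 76-column line folding, one user object per student even when the student appears under several subject codes, and per-subject groups emitted after their members because Active Directory rejects a `member` DN that does not yet exist. Accounts are created disabled, since ldifde cannot set `unicodePwd` unless the session runs over LDAPS; the per-subject OUs and groups are the hooks for the later GPO and resource-allocation step.

```python
import base64
import csv
import io
import re

# Assumed names for this example (hypothetical, not UQ's real layout):
BASE_DN = "DC=example,DC=edu"          # forest root
LAB_OU = "OU=EPSA Labs," + BASE_DN      # must already exist in the directory
UPN_SUFFIX = "example.edu"

# Constructed sample class list (not real data): subject code, student id, given name, surname.
CLASS_LIST = """\
subject,id,given,surname
ENGG1000,s4001234,Alice,O'Brien
ENGG1000,s4005678,Bob,"Smith, Jr."
PHYS1171,s4001234,Alice,O'Brien
PHYS1171,s4009999,Zoë,Müller
"""

GLOBAL_SECURITY_GROUP = -2147483646         # groupType: global + security-enabled
NORMAL_ACCOUNT, ACCOUNT_DISABLED = 0x0200, 0x0002

# RFC 2253: characters that are special inside an RDN value.
_RDN_SPECIAL = re.compile(r'([,+"\\<>;=])')

def escape_rdn_value(value: str) -> str:
    value = _RDN_SPECIAL.sub(r"\\\1", value)
    if value[:1] in ("#", " "):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value

def fold(line: str, width: int = 76) -> str:
    """RFC 2849 line folding: continuation lines begin with one space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)

def ldif_attr(name: str, value: str) -> str:
    """Emit 'name: value', or 'name:: base64' when value is not an RFC 2849 SAFE-STRING."""
    safe = (value.isascii() and not value.startswith((" ", ":", "<"))
            and not any(c in value for c in "\0\r\n"))
    if safe:
        return fold(f"{name}: {value}")
    return fold(f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}")

def ldif_entry(dn: str, attrs) -> str:
    lines = [ldif_attr("dn", dn), "changetype: add"]
    lines += [ldif_attr(k, v) for k, v in attrs]
    return "\n".join(lines) + "\n"

def build_ldif(csv_text: str) -> str:
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    subjects = sorted({r["subject"] for r in rows})
    user_dn = {}                              # student id -> DN, one user object per student
    members = {s: [] for s in subjects}
    entries = []
    # 1. One OU per subject code (holds that subject's group, GPO links, etc.).
    for s in subjects:
        entries.append(ldif_entry(f"OU={escape_rdn_value(s)},{LAB_OU}",
                                  [("objectClass", "organizationalUnit"), ("ou", s)]))
    # 2. Users, created once even if enrolled in several subjects.
    for r in rows:
        sid = r["id"]
        if sid not in user_dn:
            cn = f'{r["given"]} {r["surname"]} ({sid})'
            dn = f"CN={escape_rdn_value(cn)},{LAB_OU}"
            user_dn[sid] = dn
            entries.append(ldif_entry(dn, [
                ("objectClass", "user"), ("cn", cn),
                ("sAMAccountName", sid), ("userPrincipalName", f"{sid}@{UPN_SUFFIX}"),
                ("givenName", r["given"]), ("sn", r["surname"]), ("displayName", cn),
                # Disabled until a password is set: ldifde cannot write unicodePwd without LDAPS.
                ("userAccountControl", str(NORMAL_ACCOUNT | ACCOUNT_DISABLED)),
            ]))
        if user_dn[sid] not in members[r["subject"]]:
            members[r["subject"]].append(user_dn[sid])
    # 3. Per-subject global security groups; member DNs must already exist, hence last.
    for s in subjects:
        name = f"{s}-students"
        attrs = [("objectClass", "group"), ("cn", name), ("sAMAccountName", name),
                 ("groupType", str(GLOBAL_SECURITY_GROUP))]
        attrs += [("member", dn) for dn in members[s]]
        entries.append(ldif_entry(
            f"CN={escape_rdn_value(name)},OU={escape_rdn_value(s)},{LAB_OU}", attrs))
    return "\n".join(entries)

if __name__ == "__main__":
    print(build_ldif(CLASS_LIST))
```

Every entry carries `changetype: add`, which is what `ldifde -i` expects; add `-k` to keep going past objects that already exist on a re-run. Passwords are then set separately over an encrypted channel, and the `ACCOUNT_DISABLED` bit cleared, so no account ever exists with a blank or predictable password.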
AD methodology (cont.)…
• After imports completed…
– Allocate resources based on OU’s, GPO’s etc.
– Assign permissions to resources.
– Test and re-test.
– Hope and pray.
Results…
• Problems with password SALT.
• Windows 2000 Active Directory doesn’t like dealing with Kerberos 4 Unix implementations.
• Works perfectly… provided you use Kerberos 5!
The future implementation
• Upgrade to Kerberos 5 – password change.
• Improved functionality of the Kerberos protocol.
• Windows 2000 Active Directory enabled campus.
• Single Sign On.
• All the other benefits mentioned earlier.
Resources
• Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
• Active Directory Services for Windows 2000 Technical Reference (ISBN 0-7356-0624-2).
• Microsoft Curriculum
– 2154A – Implementing and Administering Microsoft Windows 2000 Directory Services.
– 1561B – Designing a Microsoft Windows 2000 Directory Services Infrastructure.