Windows 2000 and Active Directory Services at UQ
Scott Sinclair, Senior Systems Programmer
Software Infrastructure Group
Presentation Overview
• The Players
• The Field
• The Rules
• The Prizes
• Active Directory in practice at UQ
• Resources and references
• Questions?
The Players
• Windows 2000 Advanced Server
– Provides Active Directory Services
– DCPROMO
• MIT Kerberos or equivalent – Solaris.
• Windows 2000 Professional Clients
– Downstream ‘Domains’
– Sorry… but it’s the future (well, maybe…)
The Field
• Physically
– University campus network.
– Typically high-speed switched.
– Reliable.
– Multiple ‘sites’ – campuses.
– Windows 2000 Professional-class desktops.
• Politically
– Multiple faculties, departments, colleges etc.
– Multiple rules for resource access.
– Existing (and rigid) structure.
The Rules
• Kerberos 5 (RFC 1510)
– ‘extended’ by Microsoft.
– “Microsoft did not rewrite the Kerberos system - Microsoft filled in what had been left blank in the standard”
– "You can keep your existing Kerberos investment in place and introduce Windows 2000 incrementally”
• Windows 2000 Forests and Trees
– Includes ‘mixed mode’ to deal with existing NT 4 domains etc. (NTLM vs. Kerberos authentication).
The Prizes
• Single Sign-On – Authentication and Authorisation
• Centralised account management and maintenance (if required or wanted)
– But not enforced on downstream domains.
• Standardisation across campus networks.
• Reduced administration overhead.
• Increased (and/or enhanced) resource usage.
• On-demand software installation (MSI).
• Microsoft’s idea of LDAP – and more.
Active Directory in practice
Case Study
• Engineering, Physical Sciences and Architecture
• 3 Labs
• 120 Windows 2000 Professional Clients
• 500 – 1000 user accounts (potentially)
• 23 Software Packages
• 12 Printers
• Shared User space
Previously…
• Obtain class lists from each subject code.
• Automagically create required accounts based on some unique ID – scripts, passwords, printing.
• Create policies and resource allocation based on class lists and availability.
• Print and distribute as required.
• Wait…
• Begin dealing with users – or let support staff deal with them.
Sound familiar?
• I forgot my password.
• Why do I have two passwords?
• Why do I have two usernames?
• Which password do I use?
• I can’t print to printer ‘X’.
• I can’t login.
• I forgot my password – again.
Authentication and Authorisation are the issues…
Existing UQ Infrastructure
• Kerberos 4 central account repository.
• myUQ Web Portal.
• Student, Staff and ‘External’ systems.
– POP3, IMAP, FTP, Web Servers…
• Dial-in modem banks.
• SQUID proxies.
• PRISM.
• Unix, Apple Macintosh and other existing labs.
• LDAP Directory – as discussed earlier.
Active Directory methodology…
• All accounts already stored in the Active Directory repository… imported from the LDAP store (more…)
• Create the appropriate OU structure based on faculty subject codes, etc. (similar to the NT4 procedure; OUs are ordinary directory objects, created with the Active Directory Users and Computers snap-in or by script, not the Schema snap-in).
• Set up local Windows 2000 Servers and Unix hosts for cross-realm authentication – a trust between the AD domain and the MIT realm, which means the cross-realm krbtgt principals must exist on both KDCs with the same password and an encryption type both sides support (DES for Windows 2000).
• Set up local Windows 2000 Servers to authenticate via Kerberos to Unix K5 Servers – ksetup names the MIT realm and its KDCs on the Windows side and maps realm principals to local accounts; ktpass generates keytabs for service principals whose accounts live in AD.
AD methodology (cont.)…
• Import user accounts from the LDAP directory.
– LDIFDE (LDAP Data Interchange Format) imports.
– CSVDE (comma-separated values).
– For total control – ADSI, VB etc. or, best of all, Perl.
– Typically around 15 minutes for 8000 accounts.
AD methodology (cont.)…
• After imports completed…
– Allocate resources based on OUs, GPOs etc.
– Assign permissions to resources.
– Test and re-test.
– Hope and pray.
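As an added example (not the presenter’s scripts), the import and the account-mapping steps above carried out together: a Python script that turns a directory export into an LDIFDE file creating one OU per subject code and one user per record. Each user is mapped to its MIT principal through altSecurityIdentities, so the DC accepts the cross-realm ticket for uid@REALM as that account and no user ever needs an AD password; the AD password is still set to a random, undisclosed value rather than left blank. The domain DN, UPN suffix, realm name and OU layout are assumptions, and the input records are constructed.

```python
"""Generate an ldifde import file for AD accounts mapped to MIT Kerberos 5
principals.  Added example; AD_DOMAIN_DN, AD_UPN_SUFFIX, UNIX_REALM and the
OU layout are assumptions, SAMPLE_USERS is constructed data."""
import base64
import secrets

AD_DOMAIN_DN = "DC=ad,DC=uq,DC=edu,DC=au"   # assumed AD domain
AD_UPN_SUFFIX = "ad.uq.edu.au"               # assumed UPN suffix
UNIX_REALM = "UQ.EDU.AU"                     # assumed MIT Kerberos 5 realm

# Constructed records in the shape of a campus LDAP export: one has a
# non-ASCII name, one a leading space, both of which LDIF must base64-encode.
SAMPLE_USERS = [
    {"uid": "s1234567", "displayName": "Jane Student", "subject": "ENGG1000"},
    {"uid": "s2345678", "displayName": "Jörg Müller", "subject": "PHYS1001"},
    {"uid": "s3456789", "displayName": " Leading Space", "subject": "ENGG1000"},
]

UF_NORMAL_ACCOUNT = 0x0200  # userAccountControl: ordinary enabled account (512)


def ldif_attr(name, value):
    """One LDIF line; use the '::' base64 form when RFC 2849 forbids the raw
    form (non-ASCII, leading space/colon/'<', or embedded CR/LF)."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or "\r" in value or "\n" in value)
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def unicode_pwd(password):
    """AD's unicodePwd wire form: the password in double quotes, UTF-16LE,
    base64-encoded.  ldifde will only send it over LDAPS (-t 636)."""
    raw = f'"{password}"'.encode("utf-16-le")
    return f"unicodePwd:: {base64.b64encode(raw).decode('ascii')}"


def ou_dn(subject):
    return f"OU={subject},OU=Students,{AD_DOMAIN_DN}"


def ou_entry(subject):
    return "\n".join([
        ldif_attr("dn", ou_dn(subject)),
        "changetype: add",
        "objectClass: organizationalUnit",
        ldif_attr("ou", subject),
    ]) + "\n"


def user_entry(rec):
    uid = rec["uid"]
    # The AD password is random and never handed out: users authenticate to
    # the MIT realm, and the altSecurityIdentities mapping lets the DC accept
    # the cross-realm ticket for uid@UNIX_REALM as this account.
    return "\n".join([
        ldif_attr("dn", f"CN={uid},{ou_dn(rec['subject'])}"),
        "changetype: add",
        "objectClass: user",
        ldif_attr("cn", uid),
        ldif_attr("sAMAccountName", uid),
        ldif_attr("userPrincipalName", f"{uid}@{AD_UPN_SUFFIX}"),
        ldif_attr("displayName", rec["displayName"]),
        ldif_attr("altSecurityIdentities", f"Kerberos:{uid}@{UNIX_REALM}"),
        unicode_pwd(secrets.token_urlsafe(24)),
        f"userAccountControl: {UF_NORMAL_ACCOUNT}",
    ]) + "\n"


def build_ldif(records):
    """OUs first (one per subject code, in order of first appearance), then
    users; entries are separated by a blank line as ldifde expects."""
    subjects = list(dict.fromkeys(r["subject"] for r in records))
    entries = [ou_entry(s) for s in subjects] + [user_entry(r) for r in records]
    return "\n".join(entries)


def parse_entries(ldif_text):
    """Parse the LDIF back into dicts, decoding '::' values, so the file can
    be checked before it is pointed at a domain controller."""
    entries = []
    for block in ldif_text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if ":: " in line:
                k, v = line.split(":: ", 1)
                raw = base64.b64decode(v)
                attrs[k] = raw.decode("utf-16-le" if k == "unicodePwd" else "utf-8")
            else:
                k, v = line.split(": ", 1)
                attrs[k] = v
        entries.append(attrs)
    return entries


if __name__ == "__main__":
    # Import on a DC over LDAPS (required for unicodePwd):
    #   ldifde -i -k -t 636 -f students.ldf -j .
    with open("students.ldf", "w", encoding="ascii") as f:
        f.write(build_ldif(SAMPLE_USERS))
```

Because every non-ASCII or awkward value is base64-encoded, the output file is pure ASCII and survives the cmd.exe code-page round trip; run parse_entries on it before the import and check the altSecurityIdentities values against the realm’s principal list, since a wrong mapping silently turns into a logon failure for that user.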
Results…
• Problems with password SALT – Kerberos 5 derives the key from the password salted with the realm and principal name, while Kerberos 4 keys are derived from the password alone, so keys for the same password do not match.
• Windows 2000 Active Directory doesn’t like dealing with Kerberos 4 Unix implementations.
• Works perfectly… provided you use Kerberos 5!
The future implementation
• Upgrade the central repository to Kerberos 5 – requires a password change, since K5-salted keys can only be derived from the password itself.
• Improved functionality of the Kerberos protocol.
• Windows 2000 Active Directory enabled campus.
• Single Sign On.
• All the other benefits mentioned earlier.
Resources
• Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
• Active Directory Services for Windows 2000 Technical Reference (ISBN 0-7356-0624-2).
• Microsoft Curriculum
– 2154A – Implementing and Administering Microsoft Windows 2000 Directory Services.
– 1561B – Designing a Microsoft Windows 2000 Directory Services Infrastructure.