Windows 2000 - Distributed OS Features Part II
Angelo Cavone
CPSC550 Distributed Operating Systems
Spring 2001
Dr. Zhang
Introduction
Windows 2000 distributed operating system features
Focus on the features of Windows 2000 Advanced Server and Datacenter Server
Discussion areas: Active Directory, Microsoft Management Console, Cluster Service, security overview
Windows 2000 Background
Represents the next step in Microsoft's evolution towards a portable operating system
Largely built on technologies introduced with Windows NT
Goals of Windows 2000: flexibility, security, object redundancy, transparency and extensibility
Active Directory - Overview
Allows transparent access to remotely located resources: the exact location is not required
Designed to simplify management, strengthen security and extend interoperability of resources in distributed computing environments
Provides a common storage location for:
  Objects, e.g. client/server applications
  Files
  Printers
  People (user accounts)
Active Directory - Overview
Incorporates a standard means for naming, locating, accessing, managing and securing AD objects
AD information is available to administrators, users and applications, yielding a tightly integrated interface for accessing distributed resources
As the number of these objects grows, the importance of AD is magnified because the management effort grows with it
Active Directory - Implementation
Built on Internet-standard technologies to support Microsoft's goal of a scalable, enterprise-class operating system
AD is a namespace that incorporates features of the Domain Name System (DNS) and the X.500 directory service
  DNS provides name-to-address resolution
  X.500 is a directory service analogous to the white/yellow pages and is the basis for LDAP compatibility in Windows 2000
Namespace: a collection of objects and containers organized in a hierarchical fashion
Active Directory - Implementation
DNS is central to the functionality of AD and provides the scalability for Windows 2000
Multiple domains are organized into the Windows 2000 domain tree in a "bottom-up" manner, building a structure that is a tree of trees
DNS and AD share the same hierarchical domain structure, but each stores its own information and manages different objects
Each uses a database to resolve names
AD clients query DNS to locate domain controllers (via SRV records) and resolve their IP addresses
DNS zones can be stored in AD (Active Directory-integrated zones), so that zone data is replicated along with the directory
Active Directory - Architecture
Objects represent named sets of attributes for entities such as users, groups, machines and applications
As objects are created, AD sets internal management attributes such as a Globally Unique Identifier (GUID), while the user supplies the remaining attributes, e.g. user name, logon ID
Containers organize collections of related objects
A tree structure organizes objects and containers, much like a file manager
Active Directory - Architecture
The schema describes the types of objects and the attributes associated with them
Schema definitions are themselves objects stored in the AD tree
The Active Directory Services Interfaces (ADSI) SDK allows developers to define new classes or extend the schema; an MMC snap-in provides schema management
Security information is also stored in AD: through AD, administrators set access permissions on individual attributes
Single-copy storage of each object conserves resources
Active Directory - Naming Formats
Security principal names and security identifiers (SIDs)
  Uniquely identify objects within a domain
  Created when the object is created
  Identify the principals that access control lists grant or deny access to
LDAP-related names (distinguished names, relative distinguished names, LDAP URLs)
  LDAP is the industry-standard directory access protocol used to read and modify AD information
  Provides interoperability with LDAP-compliant applications in heterogeneous networks
Active Directory - Naming Formats
Object GUIDs
  Assigned at object creation and never change, even if the object is renamed or moved
  Each is a unique 128-bit value assigned by the Directory System Agent
Logon names
  Each AD user account has a User Principal Name (UPN)
  Format: <user>@<DNS-domain-name>
Object Publishing
Publishing creates a directory object containing the requested information, or a reference to it
Information is published in AD when it is of interest to many users, which requires the published information to be:
  Static, i.e. infrequently modified
  Structured, e.g. a user profile
Connection points for client/server applications are published: RPC, Winsock and COM
Active Directory Domains
AD is built from one or more domains; each domain requires at least one domain controller and has a DNS domain name
Domains satisfy the following network management goals:
  Security boundary: each domain sets its own security policy
  Information replication: each domain stores the information for its own objects
  Group Policy: each domain defines a scope for policy
  Network structure: organizations decide the division into domains
  Delegation of administrative authority: administrative tasks are assigned along domain divisions
Active Directory Domains
AD domain structure:
  Trees: a set of one or more domains with contiguous names; more than one domain is combined into a hierarchical tree; the first domain of the structure is the root, and domains below the root take contiguous names of the form <child domain>.<parent domain>
  Forests: one or more trees that do not share a contiguous namespace but share a common schema, configuration and global catalog; the forest is the distributed database construct that improves the efficiency of the network
  Trust relationships: user recognition across domains, so that users in domain A can access resources in domain B
  Organizational units: containers that group objects within a single domain, e.g. to delegate administration over a subset of objects
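The naming formats and the contiguous-name rule for trees, as an added example that is not part of the original slides: it maps DNS domain names to LDAP distinguished names, builds and parses UPNs, and groups a set of forest domains into trees by checking whether each domain's parent name is itself in the forest. All domain and user names are constructed sample data.

```python
# Added example (not from the original slides): AD naming formats and tree/forest
# structure. Domain and user names are constructed sample data.

def dns_to_dn(dns_name: str) -> str:
    """Map a DNS domain name to its LDAP distinguished name: sales.corp.example -> DC=sales,DC=corp,DC=example."""
    labels = [label for label in dns_name.strip(".").lower().split(".") if label]
    if not labels:
        raise ValueError("empty DNS domain name")
    return ",".join(f"DC={label}" for label in labels)


def user_dn(common_name: str, ou_path, dns_name: str) -> str:
    """Build a user's DN. ou_path lists containers from the innermost OU outwards."""
    ous = "".join(f"OU={ou}," for ou in ou_path)
    return f"CN={common_name},{ous}{dns_to_dn(dns_name)}"


def make_upn(user: str, dns_name: str) -> str:
    """User Principal Name in the <user>@<DNS-domain-name> format from the slides."""
    return f"{user}@{dns_name.lower()}"


def parse_upn(upn: str):
    """Split a UPN; reject anything without exactly one '@' or with an empty side."""
    if upn.count("@") != 1:
        raise ValueError(f"not a UPN: {upn!r}")
    user, domain = upn.split("@")
    if not user or not domain:
        raise ValueError(f"not a UPN: {upn!r}")
    return user, domain.lower()


def is_child_domain(child: str, parent: str) -> bool:
    """Contiguous-name rule: a child domain is the parent's name with exactly one extra leading label."""
    c, p = child.lower().split("."), parent.lower().split(".")
    return len(c) == len(p) + 1 and c[1:] == p


def forest_trees(domains):
    """Group a forest's domains into trees. A domain joins its parent's tree when the
    parent is also in the forest; otherwise it becomes the root of a new tree."""
    ordered = sorted({d.lower() for d in domains}, key=lambda d: d.count("."))  # parents before children
    root_of = {}
    for d in ordered:
        parent = d.split(".", 1)[1] if "." in d else ""
        root_of[d] = root_of[parent] if parent in root_of else d
    trees = {}
    for d, root in root_of.items():
        trees.setdefault(root, []).append(d)
    return {root: sorted(members) for root, members in trees.items()}


if __name__ == "__main__":
    print(dns_to_dn("sales.corp.example"))
    print(user_dn("Jane Doe", ["Staff", "Sales"], "corp.example"))
    print(make_upn("jdoe", "corp.example"), parse_upn("jdoe@CORP.example"))
    print(forest_trees(["corp.example", "sales.corp.example", "eu.sales.corp.example", "partner.test"]))
```

The grouping sorts domains by label count so every parent is placed before its children; a domain whose parent is absent from the forest (partner.test above) starts a second tree, which is exactly the forest case the slide describes.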
Active Directory Domains
Replicas of the directory are created and placed throughout the network
Replication improves performance, availability and flexibility for distributed systems
Duplication provides server overlap: an alternative server assumes the task when the original becomes unavailable
Units of replication are called naming contexts (NCs)
Replication activity is tuned to keep the data up to date
Update Sequence Numbers (USNs), 64-bit counters local to each domain controller, are used to keep track of updates
AD Multi-Master Replication
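A simulation of USN-driven multi-master replication, added here as an example that is not part of the original slides: each replica keeps a local 64-bit USN counter, a high-watermark per replication partner and an up-to-dateness vector, pulls only changes above the watermark, drops writes it already holds (propagation dampening) and resolves concurrent writes by attribute version, then originating timestamp, then originating replica. Replica names, the object and the timestamps are constructed sample data.

```python
# Added example (not from the original slides): a simulation of AD-style multi-master
# replication driven by Update Sequence Numbers. Replica names, object names and
# timestamps are constructed sample data; the conflict rule (attribute version, then
# originating timestamp, then originating replica) follows the AD white papers.
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    obj: str          # object name, e.g. a DN
    attr: str
    value: str
    version: int      # per-attribute version, bumped on every originating write
    stamp: int        # originating time (a logical clock here)
    origin: str       # replica where the write originated
    origin_usn: int   # USN the write had on the originating replica


class Replica:
    def __init__(self, name: str):
        self.name = name
        self.usn = 0          # local 64-bit USN counter, incremented on every local change
        self.log = []         # (local_usn, Change): the replica's change history
        self.store = {}       # (obj, attr) -> Change currently held
        self.utd = {}         # up-to-dateness vector: origin replica -> highest origin_usn applied
        self.watermark = {}   # high-watermark: source replica -> last source USN we pulled

    def write(self, obj: str, attr: str, value: str, stamp: int) -> int:
        """Originating write: new local USN and a new attribute version."""
        self.usn += 1
        old = self.store.get((obj, attr))
        ch = Change(obj, attr, value, (old.version + 1) if old else 1, stamp, self.name, self.usn)
        self._apply(ch, self.usn)
        return self.usn

    def _apply(self, ch: Change, local_usn: int) -> None:
        self.store[(ch.obj, ch.attr)] = ch
        self.log.append((local_usn, ch))
        self.utd[ch.origin] = max(self.utd.get(ch.origin, 0), ch.origin_usn)

    def changes_since(self, usn: int):
        return [(u, c) for u, c in self.log if u > usn]

    def pull_from(self, source: "Replica") -> int:
        """Replicate from source: fetch changes above our high-watermark for it, skip
        originating writes we already hold (propagation dampening), resolve conflicts."""
        applied = 0
        for _, ch in source.changes_since(self.watermark.get(source.name, 0)):
            if ch.origin_usn <= self.utd.get(ch.origin, 0):
                continue  # already received this originating write via another replication path
            cur = self.store.get((ch.obj, ch.attr))
            if cur is None or (ch.version, ch.stamp, ch.origin) > (cur.version, cur.stamp, cur.origin):
                self.usn += 1
                self._apply(ch, self.usn)
                applied += 1
            else:
                # lost the conflict: remember we saw it so it is not offered again, keep current value
                self.utd[ch.origin] = max(self.utd.get(ch.origin, 0), ch.origin_usn)
        self.watermark[source.name] = source.usn
        for origin, usn in source.utd.items():  # everything the source had seen, we have now seen too
            self.utd[origin] = max(self.utd.get(origin, 0), usn)
        return applied

    def value(self, obj: str, attr: str) -> str:
        return self.store[(obj, attr)].value


def demo():
    """Three replicas: one value replicated over two paths, then a write conflict."""
    dc1, dc2, dc3 = Replica("DC1"), Replica("DC2"), Replica("DC3")
    dc1.write("CN=alice", "telephoneNumber", "1111", stamp=1)
    n_dc2 = dc2.pull_from(dc1)          # 1 change applied
    n_dc3 = dc3.pull_from(dc1)          # 1 change applied
    dampened = dc3.pull_from(dc2)       # 0: DC3 already holds DC1's write, DC2's copy is dampened
    dc1.write("CN=alice", "telephoneNumber", "2222", stamp=5)   # concurrent edits on two replicas
    dc2.write("CN=alice", "telephoneNumber", "3333", stamp=6)
    dc1.pull_from(dc2)
    dc2.pull_from(dc1)
    dc3.pull_from(dc1)
    values = tuple(r.value("CN=alice", "telephoneNumber") for r in (dc1, dc2, dc3))
    return {"first_pulls": (n_dc2, n_dc3), "dampened": dampened, "values": values}


if __name__ == "__main__":
    print(demo())
```

Two things the slide's one-line mention of USNs hides are visible in the run: USNs are local, so the same originating write is carried under a different local USN on every replica and the originating (replica, USN) pair is what dampens duplicates; and without a deterministic conflict rule the three replicas would not converge on a single value after the concurrent edits.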
Active Directory Benefits
Administrators, developers, users
Simplifies management
  Single point of administration for groups, network resources, distributed applications and desktop configurations
Strengthens network security
  Single point of user logon
  Administrative tools for security management of internal desktop users, dial-up users and external customers
Extends interoperability
  Standard interfaces for application integration and synchronization allow Windows 2000 to operate with different applications and devices
Microsoft Management Console (MMC)
Common presentation service for management applications under Windows 2000
Simplifies administration of Windows 2000 systems through integration, delegation, task orientation and interface simplification
Integrated Internet technologies allow network-wide administration
Also available for Windows 95/98 and Windows NT
MMC Snap-Ins
MMC provides a common interface for snap-ins, which do the actual work
Snap-ins are small management applications that run inside the MMC; administrators and users can build custom consoles from snap-ins
Types:
  Stand-alone: provides all required functionality on its own
  Extension: adds functionality to a parent snap-in
  Combination: can act as both
The MMC API encourages development of snap-ins
MMC Benefits
Task orientation: MMC tools perform specific tasks
Integration: multiple tools are available on a single console
Customization: consoles for specific management tasks are created as needed
Delegation: customized consoles expose more or less functionality to the people they are handed to
Simplified interface: the same appearance regardless of functionality minimizes retraining
Extensibility: a snap-in's base functionality is extended using extension snap-ins
Cluster Service
Allows a collection of independent computers on a network to run a set of common applications
Presents a single system image to both users and applications
Improves system reliability via multiple servers: the "failover" feature circumvents a server failure
Load balancing is provided alongside it by the separate Network Load Balancing (NLB) service
Primarily designed to provide failover for database applications, messaging services and print/file servers
Extends the cluster service (Microsoft Cluster Server) introduced with Windows NT 4.0 Enterprise Edition
Cluster Service Models
Two models are employed in clustering technology:
  Common (shared) resource model: all resources within the cluster are accessible to every node at once, e.g. disk sharing; provides scalability to applications but requires coordination of concurrent access
  Independent (shared-nothing) resource model: only one system at a time owns a resource, and ownership moves to another node on failure; this is the model Windows 2000 Cluster Service uses
Cluster Service Benefits
Cluster Service:
  Reduces unplanned downtime: with overlapping servers, applications or transactions proceed to completion with minimal interruption
  Upgrade deployment: application upgrades are performed transparently, without interrupting clients, by moving processes to another node
Cluster-aware applications
  Applications exist that take advantage of clustering: Microsoft SQL Server and Exchange Server, IBM DB2, Double-Take
Windows 2000 Security
The Windows 2000 security model provides:
  Single user logon to access all system resources
  Strong user authentication and authorization
  Secure communication between internal and external resources
  Configuration and management of security policies
  Automated security inspection
  Interoperability with other operating systems and security policies
  A Windows 2000 security API for application development
Windows 2000 Security Model
Based on an authentication and authorization model
Authentication: identifies the user at logon
Authorization: establishes resource access rules; access control lists (ACLs) on objects in AD set object permissions
Trust relationships: logical relationships that allow pass-through authentication between domains
Windows 2000 Security Protocols
Diffie-Hellman technique: public-key cryptography in which two entities agree on a shared secret key over an insecure channel
Message authentication: Hashed Message Authentication Code (HMAC) built on MD5 (128-bit digest) or SHA-1 (160-bit digest); a keyed MAC proves integrity and origin only to a party holding the shared secret, unlike a public-key digital signature. CBC is a block-cipher mode, not a hash; the secret-key MAC derived from it is CBC-MAC
Secure Sockets Layer (SSL): the de facto standard for protected web traffic
Secret-key encryption: DES (64-bit block, 56-bit key), the NIST standard FIPS 46
Kerberos: the primary authentication method
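The two building blocks the slide names, Diffie-Hellman agreement and HMAC over MD5 or SHA-1, carried through in working code as an added example that is not part of the original slides. The group parameters (a 61-bit Mersenne prime with generator 2) are a toy assumption so the arithmetic is visible; real IKE and TLS peers use the standardized MODP groups, and MD5/SHA-1 HMACs survive today only for legacy compatibility. The message is constructed sample data.

```python
# Added example (not from the original slides): Diffie-Hellman key agreement followed
# by HMAC with the MD5 and SHA-1 hashes the slide lists. The group parameters are a
# toy choice for demonstration (assumption); real IKE/TLS deployments use the
# standardized MODP groups.
import hashlib
import hmac
import secrets

P = 2**61 - 1   # Mersenne prime; far too small for real use, fine for showing the arithmetic
G = 2

HASHES = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def dh_keypair(private=None):
    """Return (private exponent, public value g^private mod p).
    A fixed private value can be supplied for reproducible runs."""
    if private is None:
        private = secrets.randbelow(P - 3) + 2
    return private, pow(G, private, P)


def dh_shared_secret(private: int, peer_public: int) -> int:
    """Each side raises the peer's public value to its own private exponent; both get the same result."""
    if not 1 < peer_public < P - 1:  # reject 0, 1 and p-1, which force the secret to a known value
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, P)


def derive_key(shared: int) -> bytes:
    """Never use the raw shared secret as a key; hash it into a fixed-length key."""
    return hashlib.sha1(shared.to_bytes(8, "big")).digest()


def mac(key: bytes, msg: bytes, algo: str = "SHA1") -> bytes:
    """HMAC tag: 16 bytes for MD5, 20 bytes for SHA-1."""
    return hmac.new(key, msg, HASHES[algo]).digest()


def verify(key: bytes, msg: bytes, tag: bytes, algo: str = "SHA1") -> bool:
    """Constant-time comparison so timing does not leak how many tag bytes matched."""
    return hmac.compare_digest(mac(key, msg, algo), tag)


def exchange(a_private: int, b_private: int, msg: bytes, algo: str = "SHA1"):
    """Full run: both sides agree a key, A authenticates msg, B verifies it and a tampered copy."""
    a_priv, a_pub = dh_keypair(a_private)
    b_priv, b_pub = dh_keypair(b_private)
    key_a = derive_key(dh_shared_secret(a_priv, b_pub))
    key_b = derive_key(dh_shared_secret(b_priv, a_pub))
    tag = mac(key_a, msg, algo)
    return key_a == key_b, tag, verify(key_b, msg, tag, algo), verify(key_b, msg + b"x", tag, algo)


if __name__ == "__main__":
    print(exchange(123456789, 987654321, b"constructed sample message"))
```

The public-value check matters: a peer that sends 0, 1 or p-1 forces the shared secret to a value it already knows, which is why IKE implementations reject those values before exponentiating.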
Windows 2000 & Kerberos
Provides mutual authentication between server and client
Features:
  Based on tickets used to validate connections to resources (shared-secret authentication)
  Mature industry-standard authentication protocol (Kerberos version 5, RFC 1510)
  Faster server performance at initial connection time: the server validates the ticket itself and need not contact a domain controller, as NTLM pass-through authentication requires
  Delegated authentication for multi-tier client/server applications
  Transitive trust for inter-domain authentication simplifies domain management in large networks
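The ticket exchange behind the bullets above, as an added example that is not part of the original slides or of Microsoft's implementation: a KDC issues a ticket sealed under the service's long-term key together with the session key sealed for the client; the client presents the ticket with a timestamped authenticator; the service validates both without contacting the KDC and answers with the timestamp under the session key, which is the mutual-authentication step. The sealing primitive is a standard-library stand-in (assumption: SHA-256 keystream plus HMAC-SHA256, encrypt-then-MAC), the KDC collapses the AS and TGS exchanges into one, and the realm, principals, passwords and clock values are constructed sample data.

```python
# Added example (not from the original slides): a toy of the Kerberos ticket exchange.
# Assumptions: seal/unseal stand in for Kerberos encryption types; one KDC call
# replaces the AS and TGS exchanges; all names, passwords and times are constructed.
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj) -> bytes:
    """nonce || ciphertext || HMAC tag; the tag covers nonce and ciphertext (encrypt-then-MAC)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def long_term_key(password: str, realm: str, principal: str) -> bytes:
    """Shared secret between a principal and the KDC, derived from the password, salted with realm/name."""
    return hashlib.sha256(f"{realm}/{principal}/{password}".encode()).digest()


class KDC:
    def __init__(self, realm: str, keys: dict):
        self.realm, self.keys = realm, keys

    def ticket_request(self, client: str, service: str, now: int, lifetime: int = 600):
        """Ticket sealed with the service key (client cannot read or alter it) plus the
        same session key sealed for the client."""
        session_key = os.urandom(32).hex()
        expires = now + lifetime
        ticket = seal(self.keys[service], {"client": client, "service": service,
                                           "key": session_key, "expires": expires})
        reply = seal(self.keys[client], {"service": service, "key": session_key, "expires": expires})
        return ticket, reply


class Service:
    SKEW = 300  # seconds of clock skew tolerated on the authenticator

    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()

    def accept(self, ticket: bytes, authenticator: bytes, now: int) -> bytes:
        """Validate ticket and authenticator locally; return the reply proving we hold the session key."""
        t = unseal(self.key, ticket)
        if t["service"] != self.name or t["expires"] < now:
            raise ValueError("ticket is for another service or has expired")
        session_key = bytes.fromhex(t["key"])
        a = unseal(session_key, authenticator)   # only the legitimate ticket holder can produce this
        if a["client"] != t["client"]:
            raise ValueError("authenticator client does not match ticket")
        if abs(a["ts"] - now) > self.SKEW:
            raise ValueError("authenticator timestamp outside allowed clock skew")
        if (a["client"], a["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a["client"], a["ts"]))
        return seal(session_key, {"ts": a["ts"]})


def client_login(kdc: KDC, client: str, client_key: bytes, service: str, now: int):
    ticket, reply = kdc.ticket_request(client, service, now)
    session_key = bytes.fromhex(unseal(client_key, reply)["key"])
    authenticator = seal(session_key, {"client": client, "ts": now})
    return ticket, authenticator, session_key


def demo(now: int = 1_000_000):
    realm = "CORP.EXAMPLE"
    keys = {"alice": long_term_key("correct horse", realm, "alice"),
            "host/fs1": long_term_key("service secret", realm, "host/fs1")}
    kdc, fs1 = KDC(realm, keys), Service("host/fs1", keys["host/fs1"])
    ticket, authenticator, session_key = client_login(kdc, "alice", keys["alice"], "host/fs1", now)
    ap_rep = fs1.accept(ticket, authenticator, now)
    mutual_ok = unseal(session_key, ap_rep)["ts"] == now   # server proved it holds the service key
    return {"mutual_ok": mutual_ok, "ticket": ticket, "authenticator": authenticator, "service": fs1}


if __name__ == "__main__":
    print(demo()["mutual_ok"])
```

The service never talks to the KDC during accept, which is the "faster at initial connection" point on the slide; the replay cache and skew window are what make a captured authenticator useless, and the ticket's expiry is why the KDC's lifetime choice bounds the damage from a stolen ticket.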
Windows 2000 Security Configuration
Security management is provided via MMC snap-ins
Administrators tailor security settings as required via security templates, applied or compared against the running system with the Security Configuration and Analysis snap-in or the secedit command-line tool
Security template features:
  Security policies for account and local policies
    Account policies: passwords, account lockout, Kerberos
    Local policies: user rights, security event logging (audit policy)
  Restricted group administration
  Registry security
  Local file system security
  Local services and startup security
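Security templates are plain INI-style .inf files, so the account, Kerberos and audit policy they carry can be checked before they are applied. The following checker is an added example, not part of the original slides or of Microsoft's tooling: it parses a template laid out like a secedit template and reports every baseline entry the template fails or leaves unset. The template text, the thresholds in the baseline and the interpretation of the audit values as a bitmask (1 = success, 2 = failure) are assumptions constructed for this example; real templates are UTF-16 files, so read them with encoding="utf-16" before passing the text in.

```python
# Added example (not from the original slides): parse a secedit-style security template
# and check it against a baseline. Template text, key names and thresholds are
# constructed for this example (assumption: key names as used by Windows 2000
# templates; audit values are a bitmask, 1 = success, 2 = failure).
import configparser

SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 3
LockoutBadCount = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# (section, key) -> (operator, expected). A baseline a practitioner might enforce, not a Microsoft default.
BASELINE = {
    ("System Access", "MinimumPasswordLength"): (">=", 8),
    ("System Access", "PasswordComplexity"): ("==", 1),
    ("System Access", "PasswordHistorySize"): (">=", 12),
    ("System Access", "LockoutBadCount"): ("between", (1, 10)),  # 0 means accounts never lock out
    ("Kerberos Policy", "MaxClockSkew"): ("<=", 5),
    ("Event Audit", "AuditAccountLogon"): (">=", 1),             # at least success or failure auditing
}


def parse_template(text: str) -> dict:
    """INI-style sections; keep key case and do not treat '$' in the signature as interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def _satisfies(value: int, op: str, want) -> bool:
    if op == ">=":
        return value >= want
    if op == "<=":
        return value <= want
    if op == "==":
        return value == want
    if op == "between":
        return want[0] <= value <= want[1]
    raise ValueError(f"unknown operator {op!r}")


def check_template(text: str, baseline: dict = BASELINE) -> list:
    """Return one finding per baseline entry the template fails or does not set."""
    cfg = parse_template(text)
    findings = []
    for (section, key), (op, want) in baseline.items():
        raw = cfg.get(section, {}).get(key)
        if raw is None:
            findings.append(f"{section}/{key}: not set, so applying this template leaves the current value unchanged")
            continue
        value = int(raw.strip().strip('"'))
        if not _satisfies(value, op, want):
            findings.append(f"{section}/{key} = {value}, baseline requires {op} {want}")
    return findings


if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE):
        print(finding)
```

The "not set" finding is the one worth keeping: a template only changes the keys it lists, so a template that omits LockoutBadCount silently preserves whatever lockout policy the machine already has rather than enforcing the baseline.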
Windows 2000 Smart Cards
Windows 2000 provides smart card security capability
Credit-card-size card with a built-in microprocessor chip
Stores:
  The user's private key
  Logon information
  The public-key certificate for digital signing and encryption
Windows 2000 Encrypting File System
EFS allows desktop and laptop data to be encrypted on disk
The user selects the files or folders to be encrypted, which locks out unauthorized individuals who obtain the disk
Each file is encrypted with its own key, which is in turn protected by the user's public key and by a designated recovery agent's key; without a recovery agent, loss of the user's key means loss of the data
Especially important for laptops, which are easily stolen or lost
Windows 2000 IPSec
Security methods for data traversing networks
Conforms to the Internet Engineering Task Force's IP Security (IPSec) protocol suite, which assures interoperability with IPSec implementations on other networks
IPSec features:
  Configurable policies
  Peers are authenticated during key negotiation using Kerberos, digital certificates or a preshared key (password)
  Per-packet integrity and origin authentication across the network
  Encrypts data transmitted over the network for confidentiality
  In tunnel mode the original IP header, including the address of the host generating the packet, is encapsulated inside the protected packet; in transport mode the outer header stays visible
Conclusion
Overview of Windows 2000 internetworking features
Windows 2000 is a significant step towards network computing
Internet-based applications and commerce will continue to motivate Microsoft's incorporation of network-based technology
APIs are available to encourage development of applications using Windows 2000 internetworking features