
Windows 2000 and Active Directory Services at UQ

Windows 2000 and Active Directory Services at UQ. Scott Sinclair Senior Systems Programmer Software Infrastructure Group s.sinclair@its.uq.edu.au. Presentation Overview. The Players The Field The Rules The Prizes Active Directory in practice at UQ Resources and references Questions?.


Presentation Transcript


  1. Windows 2000 and Active Directory Services at UQ
  Scott Sinclair, Senior Systems Programmer, Software Infrastructure Group
  s.sinclair@its.uq.edu.au

  2. Presentation Overview
  • The Players
  • The Field
  • The Rules
  • The Prizes
  • Active Directory in practice at UQ
  • Resources and references
  • Questions?

  3. The Players
  • Windows 2000 Advanced Server
    • Provides Active Directory Services
    • DCPROMO
  • MIT Kerberos or equivalent – Solaris.
  • Windows 2000 Professional Clients
  • Downstream ‘Domains’
    • Sorry… but it’s the future (well maybe…)

  4. The Field
  • Physically
    • University Campus Network.
    • Typically high-speed switched.
    • Reliable.
    • Multiple ‘sites’ – campuses.
    • Windows 2000 Professional-class desktops.
  • Politically
    • Multiple faculties, departments, colleges etc.
    • Multiple rules for resource access.
    • Existing (and rigid) structure.

  5. The Rules
  • Kerberos 5 (RFC 1510)
    • ‘extended’ by Microsoft.
    • “Microsoft did not rewrite the Kerberos system - Microsoft filled in what had been left blank in the standard”
    • “You can keep your existing Kerberos investment in place and introduce Windows 2000 incrementally”
  • Windows 2000 Forest and Trees
    • includes ‘mixed mode’ to deal with existing NT 4 Domains etc. (NTLM vs. Kerberos Auth)

  6. The Prizes
  • Single Sign-On
    • Authentication and Authorisation
  • Centralised account management and maintenance (if required or wanted)
    • But not enforced on downstream domains.
  • Standardisation across campus networks.
  • Reduced administration overhead.
  • Increased (and/or enhanced) resource usage.
  • On demand software installation (MSI).
  • Microsoft’s idea of LDAP – and more.

  7. Active Directory in practice

  8. Case Study
  • Engineering, Physical Sciences and Architecture
  • 3 Labs
  • 120 Windows 2000 Professional Clients
  • 500 – 1000 user accounts (potentially)
  • 23 Software Packages
  • 12 Printers
  • Shared User space

  9. Previously…
  • Obtain class lists from each subject code.
  • Automagically create required accounts based on some unique ID – scripts, passwords, printing.
  • Create policies and resource allocation based on class lists and availability.
  • Print and distribute as required.
  • Wait…
  • Begin dealing with users – or let support staff.

  10. Sound familiar?
  • I forgot my password.
  • Why do I have two passwords?
  • Why do I have two usernames?
  • Which password do I use?
  • I can’t print to printer ‘X’.
  • I can’t login.
  • I forgot my password – again.
  Authentication and Authorisation are the issues…

  11. Existing UQ Infrastructure
  • Kerberos 4 central account repository.
  • myUQ Web Portal.
  • Student, Staff and ‘External’ systems.
  • POP3, IMAP, FTP, Web Servers…
  • Dial-in modem banks.
  • SQUID proxies.
  • PRISM.
  • Unix, Apple Macintosh and other existing labs.
  • LDAP Directory – as discussed earlier.

  12. Active Directory methodology…
  • All accounts already stored in the Active Directory repository… imported from LDAP store (more…)
  • Create appropriate OU structure based on faculty subject codes, etc. (similar to NT4 procedure – schema snap-in).
  • Set up local Windows 2000 Servers and Unix hosts for cross-realm authentication.
  • Set up local Windows 2000 Servers to authenticate via Kerberos to Unix K5 Servers - (ksetup & ktpass).

  13. AD methodology (cont.)…
  • Import user accounts from LDAP directory.
    • LDIFDE (Lightweight Directory Access Protocol Interchange Format) imports.
    • CSVDE (Comma separated).
    • For total control - ADSI, VB etc. or best of all – Perl.
  • Typically around 15 minutes for 8000 accounts
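As an added illustration of the bulk import step (slide 13) and the per-subject OU layout (slide 12), the following Python script, which is not part of the presentation, turns a constructed class list into an LDIFDE-ready file; the base DN, UPN suffix and student names are assumptions. It escapes RDN special characters and base64-encodes non-ASCII values, so a display name containing a comma or an accent cannot alter where an account lands in the directory.

```python
import base64
import csv
import io

# Constructed sample class list (not real UQ data): subject code, login id, display name.
CLASS_LIST_CSV = """subject,login,name
ENGG1000,s4123456,Jane Smith
ENGG1000,s4123457,"O'Brien, Seán"
PHYS1001,s4123458,Bob Jones
"""

# Characters that must be backslash-escaped inside an RDN value (RFC 2253).
RDN_SPECIALS = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape a string for use as an RDN value so a name cannot add or split DN components."""
    out = "".join("\\" + ch if ch in RDN_SPECIALS else ch for ch in value)
    if out.startswith(" ") or out.startswith("#"):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def ldif_attr(name: str, value: str) -> str:
    """Emit one LDIF attribute line; values LDIF cannot carry raw are base64-encoded with '::'."""
    unsafe_start = value[:1] in (" ", ":", "<")
    non_ascii = any(ord(ch) > 126 or ch in "\r\n" for ch in value)
    if unsafe_start or non_ascii:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def build_ldif(csv_text: str, base_dn: str, upn_suffix: str) -> str:
    """Build LDIFDE 'add' records: one OU per subject code, then one user entry per row."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    records = []
    for subject in sorted({r["subject"] for r in rows}):
        ou_dn = f"OU={escape_rdn_value(subject)},{base_dn}"
        records.append("\n".join([ldif_attr("dn", ou_dn), "changetype: add", "objectClass: organizationalUnit"]))
    for r in rows:
        user_dn = f"CN={escape_rdn_value(r['name'])},OU={escape_rdn_value(r['subject'])},{base_dn}"
        records.append("\n".join([
            ldif_attr("dn", user_dn),
            "changetype: add",
            "objectClass: user",
            ldif_attr("sAMAccountName", r["login"]),
            ldif_attr("userPrincipalName", f"{r['login']}@{upn_suffix}"),
            ldif_attr("displayName", r["name"]),
        ]))
    return "\n\n".join(records) + "\n"
```

Write the returned text to a file and feed it to `ldifde -i -f <file>`; the entries carry no password, so accounts are created disabled until one is set.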

  14. AD methodology (cont.)…
  • After imports completed…
    • Allocate resources based on OU’s, GPO’s etc.
    • Assign permissions to resources.
    • Test and re-test.
    • Hope and pray.

  15. Results…
  • Problems with password SALT.
  • Windows 2000 Active Directory doesn’t like dealing with Kerberos 4 Unix implementations.
  • Works perfectly… provided you use Kerberos 5!

  16. The future implementation
  • Upgrade to Kerberos 5 – password change.
  • Improved functionality of the Kerberos protocol.
  • Windows 2000 Active Directory enabled campus.
  • Single Sign On.
  • All the other benefits mentioned earlier.

  17. Resources
  • Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability: http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
  • Active Directory Services for Windows 2000 Technical Reference (ISBN 0-7356-0624-2).
  • Microsoft Curriculum
    • 2154A – Implementing and Administering Microsoft Windows 2000 Directory Services.
    • 1561B – Designing a Microsoft Windows 2000 Directory Services Infrastructure.
