Demonstrations of Interoperability with Windows 2000 Presented by Brad Waller
Presentation Contents During this presentation we will: Discuss the fundamentals of Windows 2000 Active Directory Explore the full capabilities of Windows 2000 and Windows XP clients as members of a Windows 2000 domain Examine some interoperability options between Active Directory and UNIX
Presentation Contents (con’t) Examine some interoperability options between Active Directory and Novell Netware 5.0 Access a Novell Netware 5.0 server using the Novell Windows Client Explore integration of Macintosh clients in an Windows 2000 Active Directory environment
Learning Tree International An independent technical training organization Web: www.learningtree.com Phone: 1-800-THE-TREE
Convergent Technology Alliance An independent technical consulting company We provide customized technical consulting services and technology solutions Please take one of our brochures for a more complete description of our capabilities Web: www.ctalliance.com
Introducing Your Presenter Current position and job responsibilities Background in computer technology
Presentation Roadmap Wrap-Up Active Directory Windows 2000 Professional UNIX Integration Wrap-Up Macintosh Netware
Active Directory Overview Active Directory (AD) is Microsoft’s latest version of directory services in Windows 2000 Replaces and greatly extends the Windows NT 4.0 Security Accounts Manager (SAM) database Available on every version of Windows 2000 Server AD is a collection of networked services and distributed databases that contain your enterprise’s configuration information Entities like users, groups, computers and resources are represented by logical objects stored in the AD database
An Active Directory Blue Print
Active Directory Logical Components The logical structure of AD provides a method for designing a hierarchy that makes sense to users and those who manage it The logical structure is used to organize all your network resources The logical AD structure includes these objects: Domains, Organizational Units, Trees and Forests
Active Directory Physical Structure AD physical structure helps to configure and manage network traffic and the logon process It defines where and when AD replication and user logon traffic occur The physical structure of AD is composed of Sites and Domain Controllers Sites are the equivalent of IP subnets Domain Controllers host the Active Directory database and associated services
Active Directory Supported Technologies AD is specifically designed to interoperate with a variety of other industry standard directories, services and namespaces including: DNS, DHCP, LDAP, Kerberos, X.509 Certificates, WINS, SNTP, NDS, NFS, SAM and more… TCP/IP is required as a network transport Additional transport protocols are supported
ACTIVE DIRECTORY DEMONSTRATION
Demo Roadmap Active Directory
Presentation Roadmap Wrap-Up Active Directory Windows 2000 Professional UNIX Integration Wrap-Up Macintosh Netware
Windows 2000/XP Professional For access to all AD/Windows 2000 capabilities, clients must be running Windows 2000 or Windows XP Professional The home version of XP doesn’t support domains Windows XP Professional provides very little increased domain functionality over Windows 2000 Professional Most of XP’s enhancements are primarily cosmetic
Intellimirror Intellimirror is a set of technologies integrated into and exclusively accessible to Windows 2000 Designed to increase availability and reduce the overall cost of supporting Windows 2000 clients The core of IntelliMirror consists of 3 features: User Data Management Software Installation and Maintenance User Settings Management Remote Windows 2000 Professional operating system installation is also supported
Intellimirror Features, Benefits and Supported Technologies
WINDOWS 2000 CLIENT DEMONSTRATION
Demo Roadmap Active Directory Windows 2000 Professional
Presentation Roadmap Wrap-Up Active Directory Windows 2000 Professional UNIX Integration Wrap-Up Macintosh Netware
Windows to UNIX Integration Windows 2000 provides some UNIX integration right out of the box Print to and from UNIX (lpr, lpd) FTP, HTTP, Telnet server and client Lightweight Directory Access Protocol (LDAP) Protocol to access the Active Directory database Kerberos v5 authentication A Windows add-on can be purchased from Microsoft that extend this default capability Known as “Windows Services for UNIX” (SFU)
Windows Services for UNIX v3.0 SFU provides services for integrating Windows servers and clients into UNIX-based environments Cost is $99, also available as a 120-day evaluation http://www.microsoft.com/windows/sfu/default.asp Runs on Microsoft Windows NT 4.0, Windows 2000, and Windows XP Professional Does not work with Windows 9x, Windows ME, or Windows XP Home Edition
Windows Services for UNIX v3.0 (con’t) SFU has been tested specifically with these UNIX versions only: Solaris 2.7, HP-UX 11, IBM AIX 4.3.3 and Red Hat Linux 7.0 But it should run on all UNIX variants Provides an NFS client, NFS server, C shell and KornShell command line environments Access to 60 UNIX commands 2-way password synchronization with complexity enforcement
Interix Interix is a native Windows 2000 subsystem that allows application and script migration from UNIX to Windows Runs on the Windows 2000 kernel Included with SFU Interix provides a complete environment for UNIX-based apps Over 300 tools and utilities Interix SDK accesses over 1900 UNIX API functions All SDKs are available for free download from various Microsoft websites http://www.microsoft.com and search on “SDK”
Kerberos v5 Kerberos is the primary authentication protocol in a Windows 2000 domain environment AD supports interoperability with other security services based on the MIT Kerberos v5 reference standard Kerberos test utilities are in the Windows 2000 SDK With minor configuration changes, Windows 2000/XP clients can authenticate to a UNIX Kerberos realm The configuration changes help a Microsoft client locate the UNIX Kerberos authentication server Configuration utilities are on the Windows 2000 Server CD in the \support\reskit\netmgmt\security folder
Kerberos v5 (con’t) Windows 2000 Domain Controllers can serve as the Key Distribution Center (KDC) server for MIT Kerberos-based client systems UNIX clients can use the kinit command and authenticate to the Windows 2000 domain There are some known Kerberos interoperability limitations: Only DES-MD5 and DES-CRC encryption is available Hierarchical trusts between Windows 2000 and Kerberos realms are not supported Microsoft’s KDC does not support post-dated tickets User/administrator accounts must have the password changed before UNIX Kerberos clients can use them
Microsoft clients access files and printers on a Microsoft server by using a proprietary protocol known as Server Message Block (SMB) SMB was tweaked and renamed Common Internet File Sharing (CIFS) in Windows 2000 Samba is a software suite that runs on a UNIX platform providing SMB file and print services to both UNIX and Windows clients It’s a free download http://us1.samba.org
SAMBA provides: A SMB server allowing access to files and printers on UNIX servers by Windows clients A standards-based Net BIOS Nameserver Microsoft browsing support A Samba SMB server can be the master browser An ftp-like SMB client can access resources from UNIX on other operating systems An extension to the client that supports back ups
UNIX DEMONSTRATION
Demo Roadmap Windows 2000 Professional UNIX Integration
Presentation Roadmap Wrap-Up Active Directory Windows 2000 Professional UNIX Integration Wrap-Up Macintosh Netware
Windows 2000 and Novell Netware Microsoft provides services in Windows 2000 to coexist and interoperate with Novell NetWare clients and servers NetWare clients access file and print services using Novell Core Protocol (NCP) NCP is not compatible with Microsoft’s SMB Versions 4, 5 and 6 of NetWare support Novell Directory Services (NDS) a forerunner of Active Directory NetWare versions 2 and 3 provide directory services through the Bindery Organizations running both NDS and AD potentially have multiple directories to maintain
Default Capabilities Out of the box Windows 2000 provides: NWLINK an IPX/SPX-compatible protocol Client Services for NetWare (CSNW) Allows client access to NetWare 3 and 4 servers Runs on Windows 2000/XP Professional (Requires NWLINK) Doesn’t support NWAdmin Gateway Services for NetWare (GSNW) Microsoft clients access the gateway using SMB Gateway clients don’t require NWLINK The gateway is an SMB to NCP translator GSNW runs on Windows 2000 Server NWLINK is required between the gateway and NetWare server
Services for NetWare Services for NetWare (SFN) is a Microsoft add-on consisting of 3 main components: Microsoft Directory Synchronization Services (MDSS) File Migration Utility (FMU) File and Print Services for NetWare (FPNW) The full-version of SFN is $149.00 http://www.microsoft.com/windows2000/sfn
Microsoft Directory Services Synchronization MDSS supports all major NetWare platforms It also includes support for IPX/SPX and TCP/IP network protocols Can deploy AD without replacing existing directories or the additional cost of managing two separate directories Provides 2-way NDS and 1-way bindery synchronization with NetWare 3.x and above Supports password synchronization and a NDS/Bindery directory migration service
Microsoft Directory Services Synchronization (con’t) 2-way synchronization duplicates NDS in AD and AD in NDS Dissimilar objects are mapped between directories Directory updates are forwarded one to the other Requires NDS schema modification to support AD GUIDs 1-way synchronization duplicates the Bindery in AD Bindery updates are forwarded to AD but not the reverse Migration mode moves users, groups and containers out of NDS/Bindery and into AD
File Migration Utility FMU allows large amounts of file data to move from all versions of NetWare to Windows 2000 Directory structures and security permissions are preserved Supports all major NetWare file systems and platforms Includes support for IPX/SPX and TCP/IP
File and Print Services for NetWare Enhances a NetWare network with Windows 2000 servers that look like a NetWare server to NetWare clients, users, and administrators Maintains a single logon for the clients FPNW emulates a NetWare 3.12 compatible file and print server
Novell’s Windows Client Novell’s Windows Client runs on the Windows 2000/XP platform and provides access to all NetWare services including NDS and Bindery Runs over TCP/IP and IPX/SPX Available as a free download from Novell http://download.novell.com/sdMain.jsp
NETWARE DEMONSTRATION
Demo Roadmap Windows 2000 Professional Netware
Presentation Roadmap Wrap-Up Active Directory Windows 2000 Professional UNIX Integration Wrap-Up Macintosh Netware
Windows 2000 Services for Macintosh Services for Macintosh (SFM) runs on a Windows 2000 server Macintosh PCs need only a Macintosh OS to function as workstations in a Windows 2000 domain SFM consists of the following components: File Services for Macintosh (MacFile) Print Services for Macintosh (MacPrint) Microsoft-User Authentication Module (MS-UAM) All SFM components are a free download at: http://www.microsoft.com/mac/products/sfm/default.asp
File Services for Macintosh “MacFile” MacFile allows Macintosh clients to access files stored on a Windows 2000 Server Files are accessible using either TCP/IP or AppleTalk An NTFS directory is designated as a “Mac-accessible volume” Legal file name and NTFS permissions are enforced Macintosh clients can also access some additional features provided by Windows 2000 Servers including: NTFS File System Filters Provides Disk Quotas and Encrypted File System (EFS) capabilities Large volume support Remote Access Services Virtual Private Networks (VPN) are supported
Print Services for Macintosh “MacPrint” MacPrint allows Macintosh users to send print jobs to a spooler on a Windows 2000 Server Requires the installation of the AppleTalk protocol The print job is spooled on the server Users can continue to work, rather than wait for their print jobs to complete Windows OS users can review the print jobs in the queue with Print Manager
Network Security SFM enforces security for Macintosh users in the same way it is enforced for Windows 2000 users The same user accounts and passwords are used by Windows 2000 and by Macintosh Kerberos authentication is not supported The standard Apple-UAM provides only minimal encryption, passwords could be intercepted And passwords can only be up to 8-characters
Microsoft-User Authentication Module (MS-UAM) MS-UAM provides secure authentication of Macintosh clients to Windows 2000 Servers running SFM Passwords can be up to 14 characters in length The latest version of MS-UAM includes support for NTLM v2 authentication and a MacOS X 10.1 compatible release Encryption is 128-bits strong
MACINTOSH DEMONSTRATION
Demo Roadmap Active Directory Macintosh
Presentation Roadmap Wrap-Up Active Directory Windows 2000 Professional UNIX Integration Wrap-Up Macintosh Netware
Presentation Wrap-Up In this presentation we will have: Discussed the fundamentals of Windows 2000 Active Directory Explored the full capabilities of Windows 2000 and Windows XP clients as members of a Windows 2000 domain Examined some interoperability options between Active Directory and UNIX
Presentation Wrap-Up (con’t) Demonstrations of Interoperability with Windows 2000 Presentation Wrap-Up (con’t) Examined some interoperability options between Active Directory and Novell Netware 5.0 Accessed a Novell Netware 5.0 server using the Novell Windows client Explored integration of Macintosh clients in an Windows 2000 Active Directory environment
Additional Information Supplemental information is available at our website Download a file containing some of the key screen shots shown during the presentation Download a copy of this PowerPoint presentation Web: www.ctalliance.com Just click on the links
Demonstrations of Interoperability with Windows 2000 ANY QUESTIONS ???