Windows 2000 and Active Directory Services at UQ Scott Sinclair Senior Systems Programmer Software Infrastructure Group


Presentation Overview
– The Players
– The Field
– The Rules
– The Prizes
– Active Directory in practice at UQ
– Resources and references
– Questions?

The Players
Windows 2000 Advanced Server
– Provides Active Directory Services
– DCPROMO
MIT Kerberos or equivalent – Solaris.
Windows 2000 Professional Clients
– Downstream ‘Domains’
– Sorry… but it’s the future (well maybe…)

The Field
Physically
– University Campus Network.
– Typically high-speed switched.
– Reliable.
– Multiple ‘sites’ – campuses.
– Windows 2000 Professional-class desktops.
Politically
– Multiple faculties, departments, colleges etc.
– Multiple rules for resource access.
– Existing (and rigid) structure.

The Rules
Kerberos 5 (RFC 1510)
– ‘Extended’ by Microsoft.
– “Microsoft did not rewrite the Kerberos system - Microsoft filled in what had been left blank in the standard”
– “You can keep your existing Kerberos investment in place and introduce Windows 2000 incrementally”
Windows 2000 Forest and Trees
– Includes ‘mixed mode’ to deal with existing NT 4 Domains etc. (NTLM vs. Kerberos Auth)

The Prizes
Single Sign-On
– Authentication and Authorisation
Centralised account management and maintenance (if required or wanted)
– But not enforced on downstream domains.
Standardisation across campus networks.
Reduced administration overhead.
Increased (and/or enhanced) resource usage.
On demand software installation (MSI).
Microsoft’s idea of LDAP – and more.

Active Directory in practice

Case Study
Engineering, Physical Sciences and Architecture
3 Labs
120 Windows 2000 Professional Clients
500 – 1000 user accounts (potentially)
23 Software Packages
12 Printers
Shared User space

Previously…
Obtain class lists from each subject code.
Automagically create required accounts based on some unique ID – scripts, passwords, printing.
Create policies and resource allocation based on class lists and availability.
Print and distribute as required.
Wait…
Begin dealing with users – or let support staff.

Sound familiar?
I forgot my password.
Why do I have two passwords?
Why do I have two usernames?
Which password do I use?
I can’t print to printer ‘X’.
I can’t login.
I forgot my password – again.
Authentication and Authorisation are the issues…

Existing UQ Infrastructure
Kerberos 4 central account repository.
myUQ Web Portal.
Student, Staff and ‘External’ systems.
– POP3, IMAP, FTP, Web Servers…
Dial-in modem banks.
SQUID proxies.
PRISM.
Unix, Apple Macintosh and other existing labs.
LDAP Directory – as discussed earlier.

Active Directory methodology…
All accounts already stored in the Active Directory repository… imported from LDAP store (more…)
Create appropriate OU structure based on faculty subject codes, etc. (similar to NT4 procedure – schema snap-in).
Set up local Windows 2000 Servers and Unix hosts for cross-realm authentication.
Set up local Windows 2000 Servers to authenticate via Kerberos to Unix K5 Servers (ksetup & ktpass).

AD methodology (cont.)…
Import user accounts from LDAP directory.
– LDIFDE (Lightweight Directory Access Protocol Interchange Format) imports.
– CSVDE (Comma separated).
– For total control – ADSI, VB etc. or best of all – Perl.
– Typically around 15 minutes for 8000 accounts.

AD methodology (cont.)…
After imports completed…
– Allocate resources based on OUs, GPOs etc.
– Assign permissions to resources.
– Test and re-test.
– Hope and pray.
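A worked example of the LDIFDE import step in the methodology above, added here and not part of the original presentation or of UQ's own scripts: it turns a constructed class list into an LDIF file that LDIFDE can import, placing each account in an OU named after its subject code, escaping DN special characters and base64-encoding non-ASCII values so a surname cannot break or alter the record. The forest suffix, UPN domain, OU layout and the sample rows are assumptions.

```python
import base64
import csv

# Constructed sample class list (not UQ data): unique ID, given name, surname, subject code.
SAMPLE_CLASS_LIST = """uid,given,surname,subject
s4001234,Ana,Ortiz,CSSE1001
s4005678,Jörg,"O'Brien, Jr.",ENGG1000
"""

AD_SUFFIX = "DC=example,DC=edu"      # assumed forest root, not UQ's real naming context
UPN_DOMAIN = "students.example.edu"  # assumed UPN suffix
_RDN_SPECIALS = set(',+"\\<>;')      # characters needing a backslash inside an RDN value (RFC 4514)

def escape_rdn(value: str) -> str:
    """Escape one RDN value so a surname like "O'Brien, Jr." cannot alter the DN structure."""
    out = []
    for i, ch in enumerate(value):
        special = ch in _RDN_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1))
        out.append("\\" + ch if special else ch)
    return "".join(out)

def ldif_attr(name: str, value: str) -> str:
    """Emit 'name: value', or 'name:: <base64>' when the value is not an LDIF SAFE-STRING (RFC 2849)."""
    safe = bool(value) and value.isascii() and value[0] not in " :<" and "\r" not in value and "\n" not in value
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def user_entry(uid: str, given: str, surname: str, subject: str) -> str:
    """Build one LDIFDE 'add' record; the OU layout (Students/<subject code>) is an assumption."""
    cn = f"{given} {surname}"
    dn = f"CN={escape_rdn(cn)},OU={escape_rdn(subject)},OU=Students,{AD_SUFFIX}"
    lines = [
        ldif_attr("dn", dn),
        "changetype: add",
        "objectClass: user",
        ldif_attr("cn", cn),
        ldif_attr("givenName", given),
        ldif_attr("sn", surname),
        ldif_attr("sAMAccountName", uid),
        ldif_attr("userPrincipalName", f"{uid}@{UPN_DOMAIN}"),
        # 514 = NORMAL_ACCOUNT (512) | ACCOUNTDISABLE (2): stays disabled until a password is set,
        # so a bulk import never leaves enabled accounts with no password behind.
        "userAccountControl: 514",
    ]
    return "\n".join(lines) + "\n"

def build_ldif(csv_text: str) -> str:
    # LDIFDE separates records with a blank line; each entry already ends with a newline.
    reader = csv.DictReader(csv_text.splitlines())
    return "\n".join(user_entry(r["uid"], r["given"], r["surname"], r["subject"]) for r in reader)
```

Write the result of `build_ldif(...)` to a file and feed it to LDIFDE with `-i -f`; the OUs referenced in each DN must already exist, as the methodology's OU-creation step requires.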

Results…
Problems with password SALT.
Windows 2000 Active Directory doesn’t like dealing with Kerberos 4 Unix implementations.
Works perfectly… provided you use Kerberos 5!

The future implementation
Upgrade to Kerberos 5 – password change.
Improved functionality of the Kerberos protocol.
Windows 2000 Active Directory enabled campus.
Single Sign On.
All the other benefits mentioned earlier.

Resources
Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability
Active Directory Services for Windows 2000 Technical Reference (ISBN ).
Microsoft Curriculum
– 2154A – Implementing and Administering Microsoft Windows 2000 Directory Services.
– 1561B – Designing a Microsoft Windows 2000 Directory Services Infrastructure.