Windows 2000 and Active Directory Services at UQ Scott Sinclair Senior Systems Programmer Software Infrastructure Group


1 Windows 2000 and Active Directory Services at UQ
Scott Sinclair, Senior Systems Programmer, Software Infrastructure Group
s.sinclair@its.uq.edu.au

2 Presentation Overview
The Players
The Field
The Rules
The Prizes
Active Directory in practice at UQ
Resources and references
Questions?

3 The Players
Windows 2000 Advanced Server
  – Provides Active Directory Services
  – DCPROMO
MIT Kerberos or equivalent – Solaris.
Windows 2000 Professional Clients
  – Downstream ‘Domains’
  – Sorry… but it’s the future (well maybe…)

4 The Field
Physically
  – University Campus Network.
  – Typically high-speed switched.
  – Reliable.
  – Multiple ‘sites’ – campuses.
  – Windows 2000 Professional-class desktops.
Politically
  – Multiple faculties, departments, colleges etc.
  – Multiple rules for resource access.
  – Existing (and rigid) structure.

5 The Rules
Kerberos 5 (RFC 1510)
  – ‘extended’ by Microsoft.
  – “Microsoft did not rewrite the Kerberos system - Microsoft filled in what had been left blank in the standard”
  – “You can keep your existing Kerberos investment in place and introduce Windows 2000 incrementally”
Windows 2000 Forest and Trees
  – includes ‘mixed mode’ to deal with existing NT 4 Domains etc. (NTLM vs. Kerberos Auth)

6 The Prizes
Single Sign-On
  – Authentication and Authorisation
Centralised account management and maintenance (if required or wanted)
  – But not enforced on downstream domains.
Standardisation across campus networks.
Reduced administration overhead.
Increased (and/or enhanced) resource usage.
On demand software installation (MSI).
Microsoft’s idea of LDAP – and more.

7 Active Directory in practice

8 Case Study
Engineering, Physical Sciences and Architecture
3 Labs
120 Windows 2000 Professional Clients
500 – 1000 user accounts (potentially)
23 Software Packages
12 Printers
Shared User space

9 Previously…
Obtain class lists from each subject code.
Automagically create required accounts based on some unique ID – scripts, passwords, printing.
Create policies and resource allocation based on class lists and availability.
Print and distribute as required.
Wait…
Begin dealing with users – or let support staff.

10 Sound familiar?
I forgot my password.
Why do I have two passwords?
Why do I have two usernames?
Which password do I use?
I can’t print to printer ‘X’.
I can’t log in.
I forgot my password – again.
Authentication and Authorisation are the issues…

11 Existing UQ Infrastructure
Kerberos 4 central account repository.
myUQ Web Portal.
Student, Staff and ‘External’ systems.
  – POP3, IMAP, FTP, Web Servers…
Dial-in modem banks.
SQUID proxies.
PRISM.
Unix, Apple Macintosh and other existing labs.
LDAP Directory – as discussed earlier.

12 Active Directory methodology…
All accounts already stored in the Active Directory repository… imported from LDAP store (more…)
Create appropriate OU structure based on faculty subject codes, etc. (similar to NT4 procedure – schema snap-in).
Set up local Windows 2000 Servers and Unix hosts for cross-realm authentication.
Set up local Windows 2000 Servers to authenticate via Kerberos to Unix K5 Servers (ksetup & ktpass).

13 AD methodology (cont.)…
Import user accounts from LDAP directory.
  – LDIFDE (Lightweight Directory Access Protocol Interchange Format) imports.
  – CSVDE (Comma separated).
  – For total control - ADSI, VB etc. or best of all – Perl.
  – Typically around 15 minutes for 8000 accounts.
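As an added example (not code from the presentation or from UQ), the Python script below turns a class list into an RFC 2849 LDIF file of the kind LDIFDE imports: one OU and one global security group per subject code, each student account created once even when enrolled in several subjects, non-ASCII names written in the base64 `::` form, and long lines folded. The domain DN, UPN suffix, OU layout and the sample class list are constructed placeholders. Accounts are emitted disabled (userAccountControl 514) because LDIFDE cannot set a password over an unencrypted LDAP connection, so password setting and enabling remain a separate step, as the slide's "scripts, passwords" item implies.

```python
"""Build an LDIFDE-compatible import file (RFC 2849 LDIF) from a class list.

Added example, not code from the UQ presentation. Domain DN, OU layout and
attribute choices are illustrative assumptions.
"""
import base64
import csv
import io

DOMAIN_DN = "DC=example,DC=edu"             # placeholder forest root
UPN_SUFFIX = "example.edu"                  # placeholder UPN suffix
STUDENTS_OU = "OU=Students," + DOMAIN_DN    # assumed OU layout
LDIF_MAX_LINE = 76                          # RFC 2849 folding width
DISABLED_NORMAL_ACCOUNT = 514               # userAccountControl: 512 | ACCOUNTDISABLE
GLOBAL_SECURITY_GROUP = -2147483646         # groupType 0x80000002

# Constructed sample class list (not real UQ data): subject, id, names
SAMPLE_CLASS_LIST = """\
subject,uid,givenName,sn
ENGG1000,s1234567,Alice,Example
ENGG1000,s7654321,Bob,Åström
PHYS1001,s1234567,Alice,Example
"""


def is_safe_string(value):
    """True if the value may be written as 'attr: value' per RFC 2849."""
    if not value or not value.isascii():
        return False
    if value[0] in " :<" or value[-1] == " ":
        return False
    return all(c not in "\0\r\n" for c in value)


def fold(line):
    """Fold a logical LDIF line; continuation lines start with one space."""
    if len(line) <= LDIF_MAX_LINE:
        return [line]
    parts, rest = [line[:LDIF_MAX_LINE]], line[LDIF_MAX_LINE:]
    while rest:
        parts.append(" " + rest[:LDIF_MAX_LINE - 1])
        rest = rest[LDIF_MAX_LINE - 1:]
    return parts


def attr_lines(name, value):
    """Encode one attribute; unsafe values get the base64 '::' form."""
    value = str(value)
    if is_safe_string(value):
        return fold(f"{name}: {value}")
    b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return fold(f"{name}:: {b64}")


def parse_class_list(text):
    return list(csv.DictReader(io.StringIO(text)))


def build_entries(rows):
    """Return (dn, [(attr, value), ...]) tuples, parents before children.

    Users are created once even if enrolled in several subjects; each subject
    gets an OU and a global security group whose members are its students.
    """
    entries = [(STUDENTS_OU, [("objectClass", "organizationalUnit"),
                              ("ou", "Students")])]
    users, members = {}, {}
    for row in rows:
        uid, subject = row["uid"], row["subject"]
        user_dn = f"CN={uid},{STUDENTS_OU}"
        if uid not in users:
            users[uid] = (user_dn, [
                ("objectClass", "user"),
                ("cn", uid),
                ("sAMAccountName", uid),
                ("userPrincipalName", f"{uid}@{UPN_SUFFIX}"),
                ("givenName", row["givenName"]),
                ("sn", row["sn"]),
                ("displayName", f"{row['givenName']} {row['sn']}"),
                # Disabled on creation: passwords cannot be set over plain
                # LDAP, so a later step sets them and enables the account.
                ("userAccountControl", DISABLED_NORMAL_ACCOUNT),
            ])
        members.setdefault(subject, []).append(user_dn)
    for subject in members:
        entries.append((f"OU={subject},{STUDENTS_OU}",
                        [("objectClass", "organizationalUnit"), ("ou", subject)]))
    entries.extend(users.values())          # users before the groups that list them
    for subject, dns in members.items():
        entries.append((f"CN={subject},OU={subject},{STUDENTS_OU}", [
            ("objectClass", "group"),
            ("cn", subject),
            ("sAMAccountName", subject),
            ("groupType", GLOBAL_SECURITY_GROUP),
        ] + [("member", dn) for dn in dns]))
    return entries


def to_ldif(entries):
    """Serialise entries as LDIF change records suitable for 'ldifde -i'."""
    out = []
    for dn, attrs in entries:
        out.extend(attr_lines("dn", dn))
        out.extend(attr_lines("changetype", "add"))
        for name, value in attrs:
            out.extend(attr_lines(name, value))
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_ldif(build_entries(parse_class_list(SAMPLE_CLASS_LIST))))
```

Redirect the output to a file and import it with `ldifde -i -f students.ldf` on a domain controller. Emitting the parent OUs first and the users before the groups that reference them matters because LDIFDE processes records in file order and a `member` value must name an existing object.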

14 AD methodology (cont.)…
After imports completed…
  – Allocate resources based on OUs, GPOs etc.
  – Assign permissions to resources.
  – Test and re-test.
  – Hope and pray.

15 Results…
Problems with password SALT.
Windows 2000 Active Directory doesn’t like dealing with Kerberos 4 Unix implementations.
Works perfectly… provided you use Kerberos 5!
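As an added illustration (not from the presentation) of the salt problem above: Kerberos 5 string-to-key mixes a salt into the long-term key, and by RFC 4120 section 4.1 the default salt is the realm followed by the principal's name components with no separators, whereas Kerberos 4 derived the key from the password alone (MIT's "v4" keysalt type reproduces that with an empty salt). The script below builds the salt for the MIT keysalt types and runs the PBKDF2 stage of the RFC 3962 AES string-to-key (SHA-1, 4096 iterations) to show which salt types give the same bytes in two realms. The final key-derivation step is omitted, so the bytes only demonstrate divergence and are not usable Kerberos keys; the realms, principal and password are constructed.

```python
"""Kerberos 5 long-term keys depend on a salt; Kerberos 4 keys do not.

Added example, not from the UQ presentation. Salt strings follow RFC 4120
section 4.1 and the MIT keysalt types (normal, norealm, onlyrealm, v4). The
derivation uses PBKDF2-HMAC-SHA1 with 4096 iterations as in the RFC 3962
AES string-to-key but stops at the PBKDF2 output: the DK/AES step is left
out, so these bytes illustrate divergence only and are not real keys.
"""
import hashlib


def kerberos_salt(salt_type, realm, principal):
    """Build the string-to-key salt for a principal under a given salt type."""
    components = "".join(principal.split("/"))   # name components, no separators
    if salt_type == "normal":      # RFC 4120 default: realm then components
        return realm + components
    if salt_type == "norealm":     # MIT: components only
        return components
    if salt_type == "onlyrealm":   # MIT: realm only
        return realm
    if salt_type == "v4":          # MIT: empty salt, i.e. Kerberos 4 behaviour
        return ""
    raise ValueError(f"unknown salt type {salt_type!r}")


def key_material(password, salt, length=16):
    """PBKDF2 stage of the RFC 3962 string-to-key (illustrative, not a full key)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), 4096, length)


def compare_realms(password, principal, realm_a, realm_b, salt_type):
    """True when the same password yields the same bytes in both realms."""
    a = key_material(password, kerberos_salt(salt_type, realm_a, principal))
    b = key_material(password, kerberos_salt(salt_type, realm_b, principal))
    return a == b


if __name__ == "__main__":
    # Constructed names: the realms, principal and password are placeholders.
    pw, who = "correct horse battery staple", "s1234567"
    for st in ("normal", "norealm", "onlyrealm", "v4"):
        same = compare_realms(pw, who, "UNIX.EXAMPLE.EDU", "AD.EXAMPLE.EDU", st)
        print(f"{st:10s} same key in both realms: {same}")
```

With the default salt type the same password gives a different key in every realm, and a key derived without a salt (the Kerberos 4 case) matches none of them, which is why a move from a Kerberos 4 repository to Kerberos 5 ends up needing each user to set a password again rather than a copy of the existing key database.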

16 The future implementation
Upgrade to Kerberos 5 – password change.
Improved functionality of the Kerberos protocol.
Windows 2000 Active Directory enabled campus.
Single Sign On.
All the other benefits mentioned earlier.

17 Resources
Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability
  http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
Active Directory Services for Windows 2000 Technical Reference (ISBN 0-7356-0624-2).
Microsoft Curriculum
  – 2154A – Implementing and Administering Microsoft Windows 2000 Directory Services.
  – 1561B – Designing a Microsoft Windows 2000 Directory Services Infrastructure.
