Windows NT at DESY
Status report
new developments for the automation of administrative tasks
outlook to our preparations
8/26/98
The DESY WindowsNT Group
Summary - Domain Structure
one domain model
DESY group structure in the flat NT4 name space
special naming conventions
40 living groups
group administrators
TEM is used for user/group administration (http://www.mddinc.com)
NetInstall is used for the application support (http://netsupport.gmbh.de)
Summary - (central) Infrastructure
1 PDC
2 BDC (Hamburg + Zeuthen)
1 Home Directory Server Cluster at Hamburg
2 nodes plus 70 GByte RAID3/5
1 Application Server Cluster at Hamburg
2 nodes plus 35 GByte RAID3/5
1 Mail Server
2 Print Server (Hamburg + Zeuthen)
1 Utility Server, 1 IIS, 1 Dfs Server
2 WINS (Hamburg + Zeuthen)
1 Server at Zeuthen
32 GByte RAID
1 Server at Zeuthen
16 GByte SW RAID
NEWS
statistics
NetInstall in production since mid-May
~ 800 NT clients (active on the domain during the last 2 months)
1300 registered users
nearly 600 daily active users/PCs (connected to central servers)
200 Yellow
60 Green
Mail Server in production
Application/Script Server
Workstations online
Connections during the day
Users on Home Directory Servers
NetInstall Status
Production environment
currently with 200 and 60 active workstations
The NI environment is necessary to get simple access and support for central services.
basic setup: Perl, Scripting Host, userconfig., home directory setup
Problems with the green setup
remote support, helpdesk, complicated package setup
HERA controls and Zeuthen with own NI databases
replicated from the central ASG-DB plus own packages
Migration to NI5 in Autumn
hierarchical databases, multiple servers, internal replication, ..., still SMS compliant -> the right time to jump on
NT Mail
in production since April/May
problems with the logging scheme of the inbox
IMAP server from UW V11.237
the MTA is sendmail V8.8.6
the client is Netscape Communicator V4.05
sendmail is not able to append new mail on an open inbox
workaround under test
a possible migration to PMDF is in discussion (end of the year)
Domain automation - the tasks
Tasks for group administrators
most of them handled with the TEM
user account maintenance (password reset, management of parts of the user environment like mail forwarding, user registry updates, ...)
group management
more global tasks
creating new user accounts (embedded in the common DESY user registry)
creating new global user groups
moving users (homedir’s) between servers and/or groups
moving group file systems/shares between servers
Dfs maintenance
print server maintenance
Domain automation - the problems
Most of the scripts and programs must run under a domain administrator account.
The persons responsible for doing the jobs are normal users without special privileges, perhaps group admins.
Security has to be guaranteed over the whole process
authentication
user rights - who is allowed to do what
Integrity of the systems has to be guaranteed
job/task control (to execute it at the right place and time)
checks for parameters
Domain automation - approach
Core of the solution will be the MS Transaction Server
Access should be as flexible as possible
normally from a web browser over the IIS
direct by special applications
independent from programming and script languages
simple and central management/maintenance
central management of the jobs/tasks - one configuration file
access control by the help of the transaction server
Domain automation - scheme
[Diagram: Client indirect (via SSL) -> IIS (ASP) -> Transaction Server (.DLL, Roles, configuration file DomainAuto.cfg) -> Script / Program Execution; Client direct -> Transaction Server]
IIS & Transaction Server
Why access the IIS via SSL?
Necessary to ensure secure access and authentication over the LAN/internet - "password" security level is required
Certificate Authority - self-made, planned to become a sub-CA of DFN (CERT)
DCOM interface is used to access the transaction server
Authentication is done automatically (NTLM authentication)
Packet privacy is used
Objects and functions are defined by the DLL added to the transaction server
' create the component registered in the transaction server, then run a configured script by name
Set scriptObj = CreateObject("DomainAuto.DomainAuto.1")
scriptObj.InvokeScript "scriptname", "param1 param2"
Inside the MTS
%WINDIR%\system32\DomainAuto.cfg
#comment
#format: (separator = tab)
#ScriptName      Script               Role     Flag0/1
DeleteComputer   C:\scripts\dc.bat    RoleDC   1
#
DeleteUser       C:\scripts\du.bat    Admins   0
Roles
RoleDC: GroupAdm, usg_
Admins: DomainAdmins
Scripts
Set obj = CreateObject("DomainAuto.DomainAuto.1")
.
.
.
obj.InvokeScript "DeleteUser", "name .."
C:\scripts\dc.bat
C:\scripts\du.bat
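Added example (not from the DESY slides and not the DomainAuto component's code): a Python model of the checks a broker like this has to make before running a script under the domain administrator account, using the DomainAuto.cfg layout and role table shown above. The function names, the reading of "usg_" as a group-name prefix and the parameter policy are assumptions; the Flag column is parsed but not interpreted, since the slides do not define it.

```python
import re

# Constructed sample in the tab-separated layout shown on the slide.
SAMPLE_CFG = (
    "#ScriptName\tScript\tRole\tFlag0/1\n"
    "DeleteComputer\tC:\\scripts\\dc.bat\tRoleDC\t1\n"
    "#\n"
    "DeleteUser\tC:\\scripts\\du.bat\tAdmins\t0\n"
)
# Role membership as drawn on the slide; "usg_" is read as a name prefix (assumption).
ROLES = {"RoleDC": ["GroupAdm", "usg_"], "Admins": ["DomainAdmins"]}

# Parameters end up on a batch command line run as domain admin:
# accept only plain account-style tokens (assumed policy).
SAFE_PARAM = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def parse_cfg(text):
    """Return {script_name: (path, role, flag)}; skip comments and malformed rows."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 4 or fields[3] not in ("0", "1"):
            continue  # fail closed: a malformed row grants nothing
        name, path, role, flag = fields
        table[name] = (path, role, int(flag))
    return table

def in_role(role, caller_groups):
    """True if a caller group matches a role member (exact, or prefix if it ends in '_')."""
    for member in ROLES.get(role, []):
        for group in caller_groups:
            if group == member or (member.endswith("_") and group.startswith(member)):
                return True
    return False

def authorize(table, script_name, params, caller_groups):
    """Return [path, *args] to execute, or raise PermissionError / ValueError."""
    if script_name not in table:  # only names listed in the config can run
        raise PermissionError("unknown script name")
    path, role, _flag = table[script_name]  # flag semantics are not given on the slide
    if not in_role(role, caller_groups):
        raise PermissionError("caller is not in role " + role)
    args = params.split()
    if not all(SAFE_PARAM.fullmatch(a) for a in args):
        raise ValueError("rejected parameter")
    return [path] + args
```

The caller never supplies a path, only a name looked up in the table, and the parameter string is split and checked before anything reaches the batch file.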
NT5 preparations
first steps
setup of a test domain
planning of requirements
task list
Usage of technology already available
IIS
Transaction Server
The DESY WindowsNT Group
Henner Bartels
Volker Heynen
Ernst-Axel Knabbe
Wolfgang Krechlok
Klaus-Dieter Perger
Rolf Rettinger
Helga Schwendicke
Cristian Trachimow
Gunter Trowitzsch
(not fulltime)
(not fulltime)