Windows NT at DESY

- Status report
- new developments for the automation of administrative tasks
- outlook to our preparations
8/26/98
The DESY WindowsNT Group
1
Summary - Domain Structure
- one domain model
- DESY group structure in the flat NT4 name space
- special naming conventions
- 40 living groups
- group administrators
- TEM is used for user/group administration (http://www.mddinc.com)
- NetInstall is used for the application support (http://netsupport.gmbh.de)
Summary - (central) Infrastructure
- 1 PDC
- 2 BDC (Hamburg + Zeuthen)
- 1 Home Directory Server Cluster at Hamburg
  - 2 nodes plus 70 GByte RAID3/5
- 1 Application Server Cluster at Hamburg
  - 2 nodes plus 35 GByte RAID3/5
- 1 Mail Server
- 2 Print Server (Hamburg + Zeuthen)
- 1 Utility Server, 1 IIS, 1 Dfs Server
- 2 WINS (Hamburg + Zeuthen)
- 1 Server at Zeuthen
  - 32 GByte RAID
- 1 Server at Zeuthen
  - 16 GByte SW RAID
NEWS
- statistics
  - ~ 800 NT clients (active on the domain during the last 2 months)
  - 1300 registered users
  - nearly 600 daily active users/PCs (connected to central servers)
- NetInstall in production since mid-May
  - 200 Yellow
  - 60 Green
- Mail Server in production
- Application/Script Server
[Figure: Workstations online]
[Figure: Connections during the day]
[Figure: Users on Home Directory Servers]
NetInstall Status
- Production environment
  - just now with 200 and 60 active workstations
- To get simple access and support for central services the NI environment is necessary.
  - basic setup: Perl, Scripting Host, userconfig., home directory setup
- Problems with the green setup
  - remote support, helpdesk, complicated package setup
- HERA controls and Zeuthen with own NI databases
  - replicated from the central ASG-DB plus own packages
- Migration to NI5 in Autumn
  - hierarchical databases, multiple servers
  - internal replication, …, still SMS compliant ----> the right time to jump on
NT Mail
- in production since April/May
  - IMAP server from UW V11.237
  - the MTA is sendmail V8.8.6
  - the client is Netscape Communicator V4.05
- problems with the logging scheme of the inbox
  - sendmail is not able to append new mail on an open inbox
  - workaround under test
- a possible migration to PMDF is in discussion (end of the year)
Domain automation - the tasks
- Tasks for group administrators
  - most of them handled with the TEM
  - user account maintenance (password reset, management of parts of the user environment like mail forwarding, user registry updates, …)
  - group management
- more global tasks
  - creating new user accounts (embedded in the common DESY user registry)
  - creating new global user groups
  - moving users (homedirs) between servers and/or groups
  - moving group file systems/shares between servers
  - Dfs maintenance
  - print server maintenance
Domain automation - the problems
- Most of the scripts and programs must run under a domain administrator account.
- The responsible persons to do the jobs are normal users without special privileges, perhaps group admins.
- Security has to be guaranteed over the whole process
  - authentication
  - user rights - who is allowed to do what
- Integrity of the systems has to be guaranteed
  - job/task control (to execute it at the right place and time)
  - checks for parameters
Domain automation - approach
- Core of the solution will be the MS Transaction Server
- The access should be as flexible as possible
  - normally from a web browser over the IIS
  - direct by special applications
  - independent from programming and script languages
- simple and central management/maintenance
  - central management of the jobs/tasks - one configuration file
  - access control by the help of the transaction server
Domain automation - scheme
[Diagram. Labels: Client indirect - via SSL; IIS / ASP; Client direct; Transaction Server with .DLL and Roles; DomainAuto.cfg configuration file; Script / Program execution]
IIS & Transaction Server
- Why accessing the IIS via SSL?
  - Necessary to ensure secure access and authentication over the LAN/internet - "password" security level is required
  - Certificate Authority - self-made, planned to become sub CA from DFN (CERT)
- DCOM interface is used to access the transaction server
  - Authentication is done automatically (NTLM-A.)
  - Packet privacy is used
  - Objects and functions are defined by the DLL added to the transaction server

    Set scriptObj = CreateObject("DomainAuto.DomainAuto.1")
    scriptObj.InvokeScript ("scriptname", "param1 param2")
Inside the MTS

%WINDIR%\system32\DomainAuto.cfg

    #comment
    #format: (separator = tab)
    #ScriptName      Script               Role     Flag0/1
    DeleteComputer   C:\scripts\dc.bat    RoleDC   1
    #
    DeleteUser       C:\scripts\du.bat    Admins   0

Roles

    RoleDC: GroupAdm, usg_
    Admins: DomainAdmins

    Set obj = CreateObject("DomainAuto.DomainAuto.1")
    .
    .
    .
    obj.InvokeScript("DeleteUser","name ..")

Scripts

    C:\scripts\dc.bat
    C:\scripts\du.bat
NT5 preparations
- first steps
  - setup of a test domain
  - planning of requirements
  - task list
- Usage of technology already available
  - IIS
  - Transaction Server
The DESY WindowsNT Group

- Henner Bartels
- Volker Heynen
- Ernst-Axel Knabbe
- Wolfgang Krechlok
- Klaus-Dieter Perger
- Rolf Rettinger
- Helga Schwendicke
- Cristian Trachimow
- Gunter Trowitzsch
(not fulltime)
(not fulltime)