Active Directory at UQ - Home


Windows 2000 and Active Directory Services at UQ
Scott Sinclair
Senior Systems Programmer
Software Infrastructure Group
[email protected]
Presentation Overview
• The Players
• The Field
• The Rules
• The Prizes
• Active Directory in practice at UQ
• Resources and references
• Questions?
The Players
• Windows 2000 Advanced Server
– Provides Active Directory Services
– DCPROMO
• MIT Kerberos or equivalent – Solaris.
• Windows 2000 Professional Clients
– Downstream ‘Domains’
– Sorry… but it’s the future (well maybe…)
The Field
• Physically
– University Campus Network.
– Typically high-speed switched.
– Reliable.
– Multiple ‘sites’ – campuses.
– Windows 2000 Professional-class desktops.
• Politically
– Multiple faculties, departments, colleges etc.
– Multiple rules for resource access.
– Existing (and rigid) structure.
The Rules
• Kerberos 5 (RFC 1510)
– ‘extended’ by Microsoft.
– “Microsoft did not rewrite the Kerberos system - Microsoft filled in what had been left blank in the standard”
– “You can keep your existing Kerberos investment in place and introduce Windows 2000 incrementally”
• Windows 2000 Forest and Trees
– includes ‘mixed mode’ to deal with existing NT 4 Domains etc. (NTLM vs. Kerberos Auth)
The Prizes
• Single Sign-On
– Authentication and Authorisation
• Centralised account management and maintenance (if required or wanted)
– But not enforced on downstream domains.
• Standardisation across campus networks.
• Reduced administration overhead.
• Increased (and/or enhanced) resource usage.
• On demand software installation (MSI).
• Microsoft’s idea of LDAP – and more.
Active Directory in practice
Case Study
• Engineering, Physical Sciences and Architecture
• 3 Labs
• 120 Windows 2000 Professional Clients
• 500 – 1000 user accounts (potentially)
• 23 Software Packages
• 12 Printers
• Shared User space
Previously…
• Obtain class lists from each subject code.
• Automagically create required accounts based on some unique ID – scripts, passwords, printing.
• Create policies and resource allocation based on class lists and availability.
• Print and distribute as required.
• Wait…
• Begin dealing with users – or let support staff.
Sound familiar?
• I forgot my password.
• Why do I have two passwords?
• Why do I have two usernames?
• Which password do I use?
• I can’t print to printer ‘X’.
• I can’t login.
• I forgot my password – again.
Authentication and Authorisation are the issues…
Existing UQ Infrastructure
• Kerberos 4 central account repository.
• myUQ Web Portal.
• Student, Staff and ‘External’ systems.
– POP3, IMAP, FTP, Web Servers…
• Dial-in modem banks.
• SQUID proxies.
• PRISM.
• Unix, Apple Macintosh and other existing labs.
• LDAP Directory – as discussed earlier.
Active Directory methodology…
• All accounts already stored in the Active Directory repository… imported from LDAP store (more…)
• Create appropriate OU structure based on faculty subject codes, etc. (similar to NT4 procedure – schema snap-in).
• Set up local Windows 2000 Servers and Unix hosts for cross-realm authentication.
• Set up local Windows 2000 Servers to authenticate via Kerberos to Unix K5 Servers – (ksetup & ktpass).
AD methodology (cont.)…
• Import user accounts from LDAP directory.
– LDIFDE (Lightweight Directory Access Protocol Interchange Format) imports.
– CSVDE (Comma separated).
– For total control – ADSI, VB etc. or best of all – Perl.
– Typically around 15 minutes for 8000 accounts.
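As an added example (not code from the presentation or from UQ), the import step above as a script: it turns a constructed class-list export into an LDIF file that LDIFDE can load, creating one OU per subject code and each student once as a disabled user object. The base DN DC=example,DC=edu, the UPN suffix example.edu and the record layout are assumptions.

```python
# Added example (not UQ's script): build an LDIFDE import file from a class list,
# one OU per subject code and each student once as a disabled user object.
import base64

BASE_DN = "DC=example,DC=edu"          # assumed; not UQ's naming context
# Constructed sample class list: (subject code, login, given name, surname)
CLASS_LIST = [("ENGG1000", "s4001234", "Jane", "Smith, Jr."),
              ("ENGG1000", "s4005678", "Zoë", "Nguyen"),
              ("PHYS1171", "s4001234", "Jane", "Smith, Jr.")]  # same student twice

def escape_dn_value(value):
    """Escape an RDN value per RFC 2253: special chars, leading '#'/' ', trailing ' '."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def ldif_value(attr, value):
    """'attr: value', or base64 'attr:: ...' when LDIF forbids the plain form."""
    raw = value.encode("utf-8")
    unsafe = (not value or value[0] in " :<" or value.endswith(" ")
              or any(b > 127 or b in (0, 10, 13) for b in raw))
    return (f"{attr}:: {base64.b64encode(raw).decode('ascii')}" if unsafe
            else f"{attr}: {value}")

def user_entry(subject, login, given, surname, base_dn=BASE_DN):
    name = f"{given} {surname}"
    lines = [ldif_value("dn", f"CN={escape_dn_value(name)},OU={subject},{base_dn}"),
             "changetype: add", "objectClass: user", ldif_value("cn", name),
             ldif_value("sAMAccountName", login),
             ldif_value("userPrincipalName", f"{login}@example.edu"),
             ldif_value("givenName", given), ldif_value("sn", surname),
             # 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE: LDIFDE cannot set a password
             # over plain LDAP, so the account stays disabled until one is set.
             "userAccountControl: 514"]
    return "\n".join(lines) + "\n"

def build_ldif(class_list=CLASS_LIST, base_dn=BASE_DN):
    """OU records first, then users; sAMAccountName is domain-unique, so once each."""
    by_subject = {}
    for subject, login, given, surname in class_list:
        by_subject.setdefault(subject, []).append((login, given, surname))
    seen, records = set(), []
    for subject, students in by_subject.items():
        records.append(f"dn: OU={subject},{base_dn}\nchangetype: add\n"
                       f"objectClass: organizationalUnit\nou: {subject}\n")
        for login, given, surname in students:
            if login not in seen:
                seen.add(login)
                records.append(user_entry(subject, login, given, surname, base_dn))
    return "\n".join(records)        # a blank line separates LDIF records
```

The output is written to a file and loaded with `ldifde -i -f <file>`; passwords are then set over an encrypted channel before the accounts are enabled.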
AD methodology (cont.)…
• After imports completed…
– Allocate resources based on OU’s, GPO’s etc.
– Assign permissions to resources.
– Test and re-test.
– Hope and pray.
Results…
• Problems with password SALT.
• Windows 2000 Active Directory doesn’t like dealing with Kerberos 4 Unix implementations.
• Works perfectly… provided you use Kerberos 5!
The future implementation
• Upgrade to Kerberos 5 – password change.
• Improved functionality of the Kerberos protocol.
• Windows 2000 Active Directory enabled campus.
• Single Sign On.
• All the other benefits mentioned earlier.
Resources
• Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
• Active Directory Services for Windows 2000 Technical Reference (ISBN 0-7356-0624-2).
• Microsoft Curriculum
– 2154A – Implementing and Administering Microsoft Windows 2000 Directory Services.
– 1561B – Designing a Microsoft Windows 2000 Directory Services Infrastructure.