Windows 2000 Interoperability with Unix
Windows 2000
Ian Blyth
Senior System Engineer
Microsoft Ltd
Agenda
Overview
Active Directory
Interoperability with Unix and DNS
Security
Windows 2000 Professional
Mainstream business desktop
Full featured:
Easiest Windows Yet!
Industrial Strength Reliability
Standards-based Security
State-of-the-art mobile support
Plug and Play, USB, IR, Hot Docking
Higher performance
Increased Manageability
Lowest TCO Desktop System
Windows 2000 Server
Mainstream Business Server
Full featured:
Active Directory
Windows Management Tools
Kerberos and PKI Security
Windows Terminal Support
COM+
Enhanced Internet Services
Up to 4-way SMP
Windows 2000 Advanced Server
Powerful Mid-range Solution
Full featured:
Windows 2000 Server Features
TCP/IP Load Balancing
Enhanced MSCS Clustering
Up to 8 GB Main Memory
Up to 8-way SMP
Windows 2000 Datacenter Server
Highest Performance
Full Featured:
Optimized for:
All Windows 2000 Advanced Server Features
Up to 16-way SMP
Up to 64 GB Main Memory
4 node clustering
OLTP, Data Warehousing
Technical Computing and Modeling
Tested for the Data Center
Active Directory
Directory and Security
Active Directory
Windows 2000 Server
What is Active Directory?
Active Directory is an integral part of Windows 2000 Server that delivers essential network operating system services:
Focal point for management of network elements (users, applications, devices, etc.)
Trusted repository of security data for authentication and authorization
Open platform for application development and integration with other systems
Start with the data store
Evolved from Exchange DS
Indexed storage technology
Supports well over 1 Million objects (tested with much more!)
Add An Object Model
Native LDAP support
Extensible schema
Integrated security
Replicate for availability
Highly optimized replication
Multi-master
Per attribute
Loosely consistent
Add more domains
Link domains into trees
Kerberos transitive trusts
Or into forests
Fast lookup via Global Catalog Service
Global Data Availability
Figure: a Windows 2000 Forest containing the trees acme.com (with child domains asia.acme.com and europe.acme.com), msn.com, microsoft.com and xyx.com, with Global Catalog Replicas marked.
Active Directory Catalogs
Are replicated within a forest
Uses same replication and storage mechanisms as domain replicas
Each catalog holds selectable attributes from all objects in the forest
Enables efficient cross-domain data sharing
Combining DNS and LDAP
Figure: the AD Client locates directory data in two steps. 1) Find xyz.com: the client asks the Domain Name System Server, whose table maps xyz.com to 192.23.14.5, rose.com to 194.49.94.2, tulip.com to 10.91.77.6, and so on, and gets back 192.23.14.5. 2) Access directory data: the client connects to the LDAP Server at that address.
Hook to the Internet
Takes advantage of Internet naming
DNS = namespace root
Global namespace = DNS + LDAP
Figure: the DNS tree (com, microsoft, students; com, bizpart) gives the domains microsoft.com and bizpart.com and continues into the LDAP containers Windows NT and dsys holding the user objects Vera Kark, MargretJ, sarahj and thorj. The resulting name of one object: CN=Sarahj,OU=dsys,OU=Windows NT,DC=microsoft,DC=com
Available Replication Topologies
Intra-Site Replication: AD replication between DCs within a Site
Intersite Replication: AD replication between Sites
A Site is an area of fast connectivity
Example Domains and Sites
Figure: the domains ROOT and CHILD spread over Site London, Site Aberdeen and Site Manchester, with the domain controllers ROOT-DC1, ROOT-DC2, ROOT-DC3 and CHILD-DC1.
Predictability Of Intra-Site Replication
Chart: Replication Bytes (0 to 25,000,000) against # of Objects (0 to 6000), one series each for Users, Global Groups, Universal Groups and Volumes.
Intra-Site And Inter-Site Replication Bytes Comparison
Chart: Replication Bytes (0 to 4,500,000) against # of Objects (0 to 1000) for the series Users (InterSite) and Users (IntraSite).
Simplifies Management
Figure: a directory tree rooted at Root with the containers Users (Marketing, Personnel), Machines, Devices (Color Printer in Building 6) and Applications, annotated 'Delegate Management Tasks to Office Admins' and 'Give Personnel Members the HR Application'.
Active Directory organizes users and network resources hierarchically to simplify management
Strengthens Security
Figure: the same tree (Root; Users with Marketing and Extranet; Machines; Devices; Applications) annotated with Kerberos, X.509, Smart Card and PKI Certificates, and the callout 'Restrict Access Rights of Extranet Users'.
Active Directory provides Internet-ready security services to protect data while facilitating access
Extends Interoperability
Figure: the tree (Root; Users with Finance and Personnel; Machines; Devices; Applications) with the callouts 'Application: Exchange mailbox information', 'Policy: Give Personnel access to Change Salary Menu Options' and 'Policy: Give Finance more bandwidth at the end of the month'.
Active Directory provides a platform for integrating and extending systems through open interfaces, connectors and synchronization mechanisms
Directory Enabled Apps
Infrastructure by Active Directory
Extend schema and UI
Program via ADSI/ADO
Publish service binding information
Configure via Group Policy
Just In Time application download
Change notification
Windows 2000 Active Directory
Figure: Active Directory as a focal point for manageability, security and interoperability, surrounded by:
Windows Users: account info, privileges, profiles, policy
Other Directories: white pages, e-commerce
Windows Servers: mgmt profile, network info, services, printers, file shares, policy
Network Devices: configuration, QoS policy, security policy
Other NOS: user registry, security, policy
E-Mail Servers: mailbox info, address book
Windows Clients: mgmt profile, network info, policy
Applications: server config, single sign-on, app-specific directory info, policy
Internet Firewall Services: configuration, security policy, VPN policy
Active Directory provides a focal point for management, security and interoperability
Windows 2000 Interoperability
Microsoft's Interoperability Strategy
Make the Windows Platform work well with existing systems
Simplify access to data and applications on existing systems
Develop solutions based on standards
Figure: the four layers Management, Applications, Data and Network.
Why Microsoft Cares About Interoperability
Customers have told us that they will continue to have mixed environments
Significant investment in existing data & applications
Interoperability is a key requirement
Designed to Integrate With Existing Systems
Built on latest internet standards: LDAP, TCP/IP, DHCP & DNS, SSL, HTTP, DEN
Existing Applications: Full support for Microsoft Exchange Server, Microsoft SQL Server, BackOffice Logo'd apps
Existing Operating Systems
Windows NT 3.5x and 4.0
Down-level client support for Win 3.x, Win 9x
Apple Macintosh and AppleTalk
NetWare: NDS synchronization; Print/file services
UNIX: NFS services, telnet, scripting and security
S/390 and OS/400: Transaction & Queuing gateway
Terminal Services (Thin Client)
Fully integrated with Windows 2000 Server Family (add/remove service)
Two operating modes: Remote Administration, Application Serving
Launch an application or desktop
Leverages Multilingual server capability
RDP feature and performance enhancements
Remote Control
Customer Interoperability Requests
Leverage Existing Network Resources
Leverage Existing UNIX Knowledge
Simplify Network Administration
Simplify Account Management
Microsoft Windows Services for UNIX 2.0
Leverage Existing Network Resources: NFS Client, Server, Gateway
Leverage Existing UNIX Knowledge: Korn Shell, UNIX Utilities
Simplify Network Administration: Telnet Client, Server, PERL, Windows Technology
Simplify Account Management: NIS Migration Wizard, Server, Password Synch
Leverage Existing Network Resources
Figure: Windows Services for UNIX placed across the Management, Applications, Data and Network layers, connecting Windows Clients, Windows NT Server and UNIX clients with the UNIX Server and the UNIX/NetWare Server.
Leverage Existing UNIX Knowledge / Simplify Network Administration
Figure: Services for UNIX 2.0 spanning the Management, Applications, Data and Network layers between Windows 2000 and UNIX.
Telnet Client and Server
Scripting – PERL and Shell
Command line
Windows Installer
Windows Scripting Host
Windows Management Instrumentation
Microsoft Management Console
Simplify Account Management
Figure: Services for UNIX 2.0 spanning the Management, Applications, Data and Network layers between Windows 2000 and UNIX, with Active Directory.
NIS Migration Wizard
Server for NIS
Password Synch
Supported: V1 – Solaris, HP-UX and DEC/Tru Unix; V2 – Linux, AIX and SGI Unix
Directories and the Internet
Figure: the Internet, DNS, a question mark, and the domains C1.com, C2.com, C3.com, C4.com, C5.com and C6.com.
Active Directory:
Uses DNS as the 'top level' locator service
Object names fully describe their location
Dynamic DNS
DNS And Active Directory
SRV Records to locate services (required)
DDNS for Dynamic Update (desired)
Windows® 2000 DNS also provides:
Incremental Zone Transfer
Active Directory Integrated: single replication topology, multi-master replication, secure dynamic update
Tip: BIND 8.1.2 or higher is sufficient to use with AD
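The two-step lookup from the 'Combining DNS and LDAP' slide and the SRV-record requirement above, worked through as an added example that is not part of the presentation: it derives the DNS domain from a distinguished name's DC components, then reads the _ldap._tcp SRV records of a constructed zone fragment to pick the domain controller to contact for the LDAP step. The zone records, host names and function names are assumptions for illustration.

```python
# Added example (not from the presentation): the DC= components of an AD
# distinguished name spell the DNS domain, and a client finds a domain
# controller via that domain's _ldap._tcp SRV record before talking LDAP.
import re

# Constructed zone fragment standing in for the DNS server in the slide.
ZONE = """
_ldap._tcp.microsoft.com.     600 IN SRV 0 100 389 dc1.microsoft.com.
_ldap._tcp.microsoft.com.     600 IN SRV 0  50 389 dc2.microsoft.com.
_ldap._tcp.microsoft.com.     600 IN SRV 10  0 389 dc-backup.microsoft.com.
_kerberos._tcp.microsoft.com. 600 IN SRV 0 100  88 dc1.microsoft.com.
"""
SRV_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

def parse_dn(dn):
    """RFC 4514 DN -> [(attr, value)]; splits only on unescaped commas (simplified)."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, val = rdn.partition("=")
        pairs.append((attr.strip().upper(), re.sub(r"\\(.)", r"\1", val).strip()))
    return pairs

def dn_to_dns_domain(dn):
    """DC components, left to right, form the DNS name (DC=microsoft,DC=com -> microsoft.com)."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")

def locator_srv_name(dns_domain, service="ldap"):
    """Owner name of the SRV record AD clients query, e.g. _ldap._tcp.microsoft.com."""
    return f"_{service}._tcp.{dns_domain}"

def srv_lookup(zone, name):
    """(priority, weight, port, target) for SRV records named `name`, lowest priority
    first, then highest weight (real resolvers pick randomly in proportion to weight)."""
    recs = []
    for line in zone.strip().splitlines():
        m = SRV_RE.match(line.strip())
        if m and m.group(1).rstrip(".") == name:
            recs.append((int(m.group(2)), int(m.group(3)),
                         int(m.group(4)), m.group(5).rstrip(".")))
    return sorted(recs, key=lambda r: (r[0], -r[1]))

def locate_dc(dn, zone):
    """Step 1 of the slide's lookup: DN -> DNS domain -> SRV record -> (host, port)
    of the preferred domain controller; step 2 (LDAP access) would use this."""
    recs = srv_lookup(zone, locator_srv_name(dn_to_dns_domain(dn)))
    if not recs:
        raise LookupError("no _ldap._tcp SRV record for " + dn_to_dns_domain(dn))
    return recs[0][3], recs[0][2]
```

A missing SRV record is the failure the slide flags as 'required': the client cannot find a domain controller at all, which is why checking the _ldap._tcp records is the first step when AD clients cannot log on.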
DNS Implementations
No existing DNS infrastructure
Deploy Microsoft DNS
Existing DNS meets requirements
Existing DNS not adequate:
Choice 1: Update Server
Choice 2: Migrate to Microsoft DNS
Choice 3: Delegate a subdomain to Microsoft DNS
Windows 2000 Security
Security Features
Kerberos v5 (RFC 1510)
Smart Card
PPTP, L2TP and IPSec
PKI X.509
SSL 3.0
Security Configuration Manager
Auditing
128 bit encryption
Radius support
Encrypted File System
Integrate Security with AD
Account Management
OUs for delegation and policy
Groups for access control
Per property access setting
Figure: the domain DC=streetmarket,DC=com with the OUs Mftg, Users, Marketing, Engineering, Printers and Groups, and the callout 'Feel free to modify your telephone #' illustrating a per-property access setting.
Integrate Security
Public Key X.509
Integrated management
Certificate services
Certificate mapping
Smart card logon
Code signing
Secure applications
Figure: a smart card (SC) in a Reader carrying an X.509 Cert.
Blending Intranets & Extranets
Figure: Windows 2000 with Active Directory at the centre; Authentication via Kerberos, Smart Card and X.509/PKI Certificates; Authorization applied to the File System.
Active Directory:
Supports Intranet & Extranet authentication
One authorization model
Directory Services
Active Directory is the Best Long-Term Directory
Scalable without complexity
Standards-based
Flexible security model
Facilitates directory consolidation
Broad Industry Support
Figure: Active Directory linking Network Devices, Servers, Users, Applications and Clients, with the partners Baan, Cisco and SAP AG.