Windows 2000 - Distributed OS Features Part II

Angelo Cavone
CPSC550 Distributed Operating Systems
Spring 2001
Dr. Zhang
Introduction

Windows 2000 Distributed Operating Systems Features
Focus on features of Windows 2000 Advanced Server and Datacenter Server
Discussion areas:
- Active Directory
- Microsoft Management Console
- Cluster Service
- Security Overview
Windows 2000 Background

Represents the next step in Microsoft's evolution towards a portable operating system.
Mostly built upon technologies provided under Windows NT.
Goals of Windows 2000:
- Provide flexibility, security, object redundancy, transparency and extensibility
Active Directory - Overview

Allows transparent access to remotely located resources - exact location not required.
Designed to simplify management, strengthen security and extend interoperability of resources in distributed computing environments.
Provides a common storage location for:
- Objects - ex: client/server applications
- Files
- Printers
- People - accounts
Active Directory - Overview

Incorporates a standard means for naming, locating, accessing, managing and securing AD objects.
AD information is provided to administrators, users and applications, yielding a tightly integrated interface for accessing distributed resources.
As the number of these objects increases, the importance of AD is magnified by the increase in management required.
Active Directory - Implementation

Built upon Internet-standard technologies to support Microsoft's goal of a scalable, enterprise-class operating system.
AD is a namespace incorporating features of the Domain Name System (DNS) and the X.500 directory service.
- DNS allows IP address resolution
- X.500 - directory service analogous to white/yellow pages - basis for LDAP compatibility in Windows 2000
Namespace - collection of objects and containers organized in a hierarchical fashion.
Active Directory - Implementation

DNS is central to the functionality of AD - provides scalability for Windows 2000.
Multiple domains are organized into the Windows 2000 domain tree in a "bottom-up" manner, building a structure that is a tree of trees.
- DNS and AD have the same hierarchical domain structure - each stores unique information and manages different objects
- Each uses a database to resolve names
- AD clients query DNS to resolve the AD server's IP address
- DNS zones are stored in the AD
Active Directory - Architecture

Objects - represent named sets of attributes for entities such as users, groups, machines and applications.
As objects are created, AD sets internal management attributes such as a Globally Unique Identifier (GUID), while the user supplies their own attributes, i.e. user name, logon ID, etc.
Containers organize collections of related objects.
A tree structure organizes objects & containers, like popular file managers.
Active Directory - Architecture

Schemas describe the various types of objects & the attributes associated with them.
- Schemas are objects also saved in the AD tree
- Active Directory Services Interfaces (ADSI) SDK allows developers to define new or extend existing schema
- MMC snap-in for schema management
Security information is also stored in AD.
- Via AD, administrators set access privileges on attributes individually
- Single-copy storage conserves resources
Active Directory - Naming Formats

Security Principal Names & Security Identifiers
- Names that uniquely identify objects in a domain
- Created on object inception
- Identify access principals
LDAP-related names
- Industry-standard directory access protocol used for modification of AD information
- Provides for interoperability with LDAP-compliant applications in heterogeneous networks

Active Directory - Naming Formats

Object GUIDs
- Assigned at object creation
- Each is unique
- 128-bit value assigned by the Directory System Agent
Logon Names
- Each AD user account requires a User Principal Name (UPN)
- Format: <user>@<DNS-domain-name>
Active Directory Hierarchy

Object Publishing

Creates directory objects containing the requested information or a reference to it.
AD information is published when it is of interest to many users, thus requiring
Characteristics of published information:
- Static - infrequent modifications
- Structured - ex: a user profile
Connection points for C/S apps are published:
- RPC
- Winsock
- COM
Active Directory Domains

AD is built from one or more domains.
Each domain requires a domain controller & has a DNS domain name.
Domains satisfy network management goals:
- Security Bounding - each sets its own security policy
- Information Replication - each stores object info
- Set Group Policy - each defines a scope for policy
- Define Network Structure - organizations decide the division
- Administration Authority Delegation - administrative tasks assigned along domain divisions
Active Directory Domains

AD Domain Structure:
- Trees
  - Set of one or more domains with contiguous names
  - More than one domain combined into hierarchical trees
  - 1st domain of the structure is the root
  - Domains containing the root are contiguous
  - <child domain>.<parent domain>

Active Directory Domains

- Forests
  - Distributed database construct
  - Improves efficiency of the network
- Trust Relationships
  - User recognition across domains
  - Users in domain A access domain B resources
- Organizational Units
  - Various objects placed in a single domain
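The naming formats from the earlier slides (UPN <user>@<DNS-domain-name>, LDAP names) and the contiguous-name rule for domain trees, worked as an added example that is not part of the original slides; the container CN=Users and the sample domain names are assumptions.

```python
# Added example, not from the slides: maps the naming formats above onto each
# other and groups domains into trees by contiguous DNS names. The container
# "CN=Users" and the sample domain names are assumptions for illustration.
import re

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

def parse_upn(upn):
    """Split a UPN <user>@<DNS-domain-name> into (user, domain), lower-cased
    because AD names are case-insensitive; reject malformed input."""
    user, sep, domain = upn.strip().lower().rpartition("@")
    if not sep or not user or not domain:
        raise ValueError(f"malformed UPN: {upn!r}")
    if any(not LABEL.match(label) for label in domain.split(".")):
        raise ValueError(f"bad DNS domain name: {domain!r}")
    return user, domain

def upn_to_dn(upn, container="CN=Users"):
    """LDAP distinguished name for a UPN: one DC= component per DNS label,
    so the DNS hierarchy and the LDAP hierarchy line up as the slides say."""
    user, domain = parse_upn(upn)
    dc_part = ",".join(f"DC={label}" for label in domain.split("."))
    return f"CN={user},{container},{dc_part}"

def parent_of(domain):
    """DNS parent of a domain, or None for a single-label root."""
    _, _, parent = domain.partition(".")
    return parent or None

def build_trees(domains):
    """Group domains into trees of contiguous names: a domain joins the tree
    of its nearest ancestor in the set, otherwise it becomes a tree root.
    Returns {root: [members]}; several roots together form a forest."""
    present = {d.lower() for d in domains}
    trees = {}
    # Fewest labels first, so every ancestor is placed before its children.
    for domain in sorted(present, key=lambda d: (d.count("."), d)):
        ancestor = parent_of(domain)
        while ancestor and ancestor not in present:
            ancestor = parent_of(ancestor)
        if ancestor is None:
            trees[domain] = [domain]
        else:
            root = next(r for r, members in trees.items() if ancestor in members)
            trees[root].append(domain)
    return trees
```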
Active Directory Domain Structure

AD Multi-Master Replication

Replicas of directories are created & placed throughout the network.
Improves performance, availability & flexibility for distributed systems.
Duplication provides server overlap - an alternative server assumes the task when the original becomes unavailable.
Units of replication are called Naming Contexts (NC).
Replication activities are tuned to keep data up to date.
Update Sequence Numbers (USNs) - used to keep track of updates - 64 bits.
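The USN-driven replication described above, as an added example that is not part of the original slides: each domain controller keeps its own 64-bit USN counter and a per-partner watermark, so a replication cycle pulls only changes newer than what it already holds. DC names and object DNs are constructed for illustration, and AD's version/timestamp conflict resolution is left out.

```python
# Added example, not from the slides: a minimal model of USN-driven
# multi-master replication between domain controllers (DCs). DC names and
# object DNs used in tests are constructed for illustration; real AD adds
# version numbers and timestamps for conflict resolution, which is omitted.
MAX_USN = 2**64 - 1  # USNs are 64-bit values (slide above)

class DomainController:
    def __init__(self, name):
        self.name = name
        self.usn = 0          # local counter, increases on every local or replicated write
        self.objects = {}     # dn -> (value, originating_dc, originating_usn)
        self.log = []         # (local_usn, dn, value, originating_dc, originating_usn)
        self.watermark = {}   # partner name -> highest partner USN already pulled

    def _next_usn(self):
        if self.usn >= MAX_USN:
            raise OverflowError("USN space exhausted")
        self.usn += 1
        return self.usn

    def _apply(self, dn, value, orig_dc, orig_usn):
        usn = self._next_usn()
        self.objects[dn] = (value, orig_dc, orig_usn)
        self.log.append((usn, dn, value, orig_dc, orig_usn))
        return usn

    def write(self, dn, value):
        """Originating write: this DC is the author, stamped with its own USN."""
        return self._apply(dn, value, self.name, self.usn + 1)

    def changes_since(self, usn):
        return [entry for entry in self.log if entry[0] > usn]

    def pull_from(self, partner):
        """One replication cycle: fetch partner changes above our watermark,
        skip writes we already hold (including our own echoed back), apply the rest."""
        applied = 0
        for usn, dn, value, orig_dc, orig_usn in partner.changes_since(self.watermark.get(partner.name, 0)):
            self.watermark[partner.name] = usn
            held = self.objects.get(dn)
            if held and held[1:] == (orig_dc, orig_usn):
                continue
            self._apply(dn, value, orig_dc, orig_usn)
            applied += 1
        return applied

def converged(dcs):
    """True when every DC holds identical (value, origin) data for every DN."""
    return all(dc.objects == dcs[0].objects for dc in dcs[1:])
```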
Active Directory Benefits

Administrators, Developers, Users
- Simplifies Management
  - Single-point administration of groups, network resources, distributed applications, desktop configs.
- Strengthened Network Security
  - Single-point user logon
  - Admin tools for security management for internal desktop users, dial-up users or external customers
- Extends Interoperability
  - Std. interface for application integration & synchronization allows Windows 2000 to operate with different applications and devices
Microsoft Management Console (MMC)

Common presentation service for management applications under Windows 2000.
Simplifies administration of Win2K systems through integration, delegation, task orientation, and interface simplification.
Integrated Internet technologies allow network-wide administration.
Available under Win95/98, Win NT.
Microsoft Management Console Model
MMC Snap-Ins

MMC provides a common interface for snap-ins, which do the actual work.
Snap-ins are small management applications which reside in the MMC.
SAs/users can build custom apps from snap-ins.
Types:
- Stand-Alone - all required functionality
- Extension - adds functionality to a parent
- Combination - can be both
MMC API encourages development of snap-ins.
MMC Benefits

- Task Orientation - MMC tools perform specific tasks
- Integration - multiple tools available on a single console
- Customization - specific management tasks created as needed
- Delegation - customized tools provide more or less functionality
- Simplified Interface - same appearance regardless of functionality - minimizes retraining
- Extensibility - snap-in base functionality extended using extension snap-ins
MMC User Interface
Cluster Service

Allows a collection of independent computers on a network to run a set of common applications.
Presents a single system image to both users and applications.
Improves system reliability via multiple servers.
"Failover" feature circumvents server failure.
Also provides load balancing.
Primarily designed to provide failover for database apps., messaging services & print/file servers.
Extended version of the cluster service under Win NT.
Cluster Service Models

Two models are employed in clustering technology:
- Common Resource Model - all resources within the cluster are accessible
  - ex: disk sharing
  - provides scalability to applications
- Independent Resource Model - one system at a time owns a resource
Cluster Service Benefits

Cluster Service:
- Reduces Unplanned Downtime
  - via overlapping servers, applications or transactions proceed to completion with minimal interruption
- Upgrade Deployment
  - application upgrades performed transparently without client interrupt
  - transparent process movement
- Cluster-Aware Applications
  - Applications exist to take advantage of clustering
    - Microsoft SQL & Exchange Server, IBM DB2, DoubleTake
Windows 2000 Security

Windows 2000 security model provides:
- Single user logon to access all system resources.
- Strong user authentication and authorization.
- Secure communication between internal and external resources.
- Configuration and management of security policies.
- Automated security inspection.
- Interoperability with other operating systems and security policies.
- Windows 2000 security API for application development.
Windows 2000 Security Model

Based on an authentication & authorization model
- Authentication
  - Identify user at logon
- Authorization
  - Establishes resource access rules
  - Access Control Lists in AD set object permissions
Trust Relationships
- Logical relationships that allow pass-through authentication between domains
Windows 2000 Security Protocols

Diffie-Hellman Technique - public key cryptography - two entities agree on a shared key
Digital Signatures - Hash Message Authentication Coding (HMAC)
- MD5 (128-bit), SHA (160-bit), CBC (secret key)
Secure Socket Layer (SSL) - de facto std.
Private-key encryption - DES 64-bit, NIST std.
Kerberos - primary authentication method
Windows 2000 & Kerberos

Provides for mutual authentication between server & client.
Features:
- Based on tickets - used to validate connections to resources - shared-secret authentication
- Mature industry-standard authentication protocol
- Faster server performance at initial connection time
- Delegated authentication for multi-tier c/s apps
- Transitive trust for inter-domain authentication simplifies domain management in large networks
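The ticket-based, shared-secret mutual authentication described above, as an added example that is not part of the original slides. It collapses Kerberos' AS and TGS exchanges into a single ticket issue, stands in a toy SHA-256/HMAC construction for the real ciphers, and the 8-hour lifetime, 5-minute skew and principal names ("alice", "host/fs01") are assumptions.

```python
# Added example (not Kerberos' real wire format or ciphers): the 8-hour lifetime, the
# 5-minute skew and the principal names used in tests are illustrative assumptions.
import os, json, hmac, hashlib

MAX_SKEW = 300  # seconds of clock skew tolerated on an authenticator

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy authenticated encryption standing in for Kerberos' real ciphers (NOT for production use)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:  # knows every principal's long-term key (the shared secret) and issues tickets
    def __init__(self, keys):
        self.keys = keys

    def issue(self, client, service, now, lifetime=8 * 3600):
        session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": client, "session": session, "expires": now + lifetime})
        reply = seal(self.keys[client], {"session": session, "service": service})  # readable by the client only
        return reply, ticket

def client_request(client_key, reply, ticket, client, now):
    """Client recovers the session key and builds a fresh authenticator for the service."""
    session = bytes.fromhex(unseal(client_key, reply)["session"])
    return session, ticket, seal(session, {"client": client, "time": now})

def server_accept(service_key, ticket, authenticator, now):
    """Service checks ticket and authenticator, then answers with time+1 under the session key."""
    t = unseal(service_key, ticket)
    if now > t["expires"]:
        raise ValueError("ticket expired")
    session = bytes.fromhex(t["session"])
    a = unseal(session, authenticator)
    if a["client"] != t["client"] or abs(now - a["time"]) > MAX_SKEW:
        raise ValueError("authenticator rejected")
    return seal(session, {"time": a["time"] + 1})

def client_verify(session, server_reply, sent_time):
    """Mutual authentication: only a holder of the service key could have built this reply."""
    return unseal(session, server_reply)["time"] == sent_time + 1
```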
Windows 2000 Security Configuration

Security management is provided via MMC snap-ins.
Administrators can tailor security settings as required via Security Templates.
Security Template features:
- Security Policies for account & local policies
  - Account Policies - passwords, acct lockouts, Kerberos
  - Local Policies - user rights, security event logging
- Restricted Group Administration
- Registry Security
- Local File System Security
- Local Services & Startup Security
Windows 2000 Smart Cards

Windows 2000 provides smart card security capability.
Credit-card size with built-in microchip.
Stores:
- User's private key
- Logon information
- Public key certificate for digital signing & encryption
Windows 2000 Encrypting File System

EFS allows desktop & laptop data to be encrypted.
The user selects files or folders to be encrypted, which locks out unauthorized individuals.
Especially important for laptops - easily stolen or lost.
Windows 2000 IPSec

Security methods for data traversing networks.
Conforms to the Internet Engineering Task Force's IP Security Protocol - assures interoperability with IPSec operating on other networks.
IPSec features:
- Configurable
- Data packets authenticated using Kerberos, digital certificates or passwords
- Guaranteed IP packet security across the network
- Encrypts data transmitted across the network, keeping it confidential
- Hides the IP address of the host generating the packet
Conclusion

Overview of Win 2000 internetworking features.
Win 2000 is a significant step towards network computing.
Internet-based applications & commerce will continue to motivate incorporation of network-based technology by MS.
APIs are available to encourage development of apps using Win 2000 internetworking features.