Windows 2000 Remote Access. Remote Access Overview.
Remote Access Overview
With Windows 2000 remote access, remote access clients connect to remote access servers and are either transparently connected to the remote access server itself, known as point-to-point remote access connectivity, or transparently connected to the network to which the remote access server is attached, known as point-to-LAN remote access connectivity. This transparent connection allows remote access clients to dial in from remote locations and access resources as if they were physically attached to the network.
Remote Access Overview
Windows 2000 remote access provides two different types of remote access connectivity:
• Dial-up remote access: a remote access client uses the telecommunications infrastructure to create a temporary physical circuit or a virtual circuit to a port on a remote access server.
• Virtual private network (VPN) remote access: a VPN client uses an IP internetwork to create a virtual point-to-point connection with a remote access server acting as the VPN server.
VPN Introduction
• A Virtual Private Network (VPN) connects the components of one network over another network. VPNs accomplish this by allowing the user to tunnel through the Internet or another public network in a manner that provides the same security and features formerly available only in private networks.
Elements of a VPN Connection
• VPN server
• VPN client
• Tunnel
• VPN connection
• Tunneling protocols
• Tunneled data
• Transit internetwork
VPN Connections
• Creating a VPN is very similar to establishing a point-to-point connection using dial-up networking and demand-dial routing procedures. There are two types of VPN connections:
• Remote access VPN connection
• Router-to-router VPN connection
Common Uses of VPNs
• Remote user access over the Internet
• Connecting networks over the Internet
  • Using dedicated lines to connect a branch office to a corporate LAN
  • Using a dial-up line to connect a branch office to a corporate LAN
• Remote access over an intranet
• Connecting networks over an intranet
Basic VPN Requirements
• User authentication
• Address management
• Data encryption
• Key management
• Multiprotocol support
Tunneling Basics
Tunneling is a method of using an internetwork infrastructure to transfer data for one network over another network.
Tunneling technologies have been in existence for some time. Some examples of mature technologies include:
• SNA tunneling over IP internetworks
• IPX tunneling for Novell NetWare over IP internetworks
• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Tunneling Protocol (L2TP)
• IP Security (IPSec) tunnel mode
Tunneling Protocols
Tunneling protocols and the basic tunneling requirements:
• User authentication
• Token card support
• Dynamic address assignment
• Data compression
• Data encryption
• Key management
• Multiprotocol support
Tunneling Protocols
Point-to-Point Protocol (PPP)
• Phase 1: PPP link establishment
• Phase 2: User authentication
  • Password Authentication Protocol (PAP)
  • Challenge-Handshake Authentication Protocol (CHAP)
  • Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)
• Phase 3: PPP callback control
• Phase 4: Invoking network layer protocol(s)
• Data-transfer phase
Tunneling Protocols
• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Forwarding (L2F)
• Layer 2 Tunneling Protocol (L2TP)
Active Directory A core feature of distributed systems in Microsoft Windows 2000
Logical Structure in Active Directory
• Active Directory is the directory service used to store information about network objects; it implements services that make this information available within its domain and usable by users, computers and applications.
• It is based on the Lightweight Directory Access Protocol (LDAP). LDAP is implemented for several UNIX operating systems and is derived from DAP and the X.500 protocol.
• The Domain Name System (DNS) hierarchical naming system and Windows 2000 trust relationships provide a consistent, logical structure:
1. Active Directory stores information about objects in one or more domains.
2. Trust relationship: a logical relationship established between domains that allows pass-through authentication, in which a trusting domain honors the logon authentications of a trusted domain.
Domain Hierarchy in Active Directory
• In Windows 2000, a domain defines both an administrative boundary and a security boundary for a collection of objects that are relevant to a specific group of users on a network.
• Two-way hierarchy, not a flat structure as in Windows NT:
1. Trust relationships are implicitly transitive.
2. Multiple domains can be searched in one query, because each domain knows the domains immediately below and above it.
Active Directory and DNS
• DNS is a naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and vice versa.
• Similarities: Windows 2000 uses DNS naming standards for hierarchical naming of Active Directory domains and computers. For this reason, domain and computer objects are part of both the DNS domain hierarchy and the Active Directory domain hierarchy. Both share an identical domain structure.
• Difference: although these domain hierarchies have identical names, they represent separate namespaces. In each namespace, specific rules determine how names can be created and used. DNS stores zones and resource records, whereas Active Directory stores domains and domain objects. Active Directory stores information about objects in one or more domains.
Domain Controller in Active Directory
• A domain controller is a computer that is running Windows 2000 Server and hosts Active Directory. Each domain controller must have a DNS server installed.
• A domain controller stores directory partitions. Directory partitions (also known as "naming contexts") correspond to the logically distributed segments of Active Directory.
• Earlier versions of Windows NT used multiple domain controllers, only one of which was allowed to update the directory database. This single-master scheme required all changes to be replicated from the primary domain controller to the backup domain controllers.
• In Windows 2000, every domain controller can receive changes, and the changes are replicated to all other domain controllers.
DNS Hostnames and Windows 2000 Computer Names
• In Windows NT 4.0 and earlier, DNS names were not required. A computer was identified primarily by a NetBIOS name, a name recognized by WINS (Windows Internet Name Service). WINS maps the name to a static IP address or to an address configured dynamically by the Dynamic Host Configuration Protocol (DHCP).
• In UNIX, the NIS service provides similar name resolution.
• For backward compatibility, a Windows 2000 computer's DNS name has two parts:
1. DNS hostname: the computer account name stored in Active Directory, which is the NetBIOS computer name.
2. DNS suffix: the DNS domain name.
Active Directory and Windows 2000 Architecture
• Two processor access modes: kernel mode and user mode.
• The security subsystem in user mode is the module in which Active Directory runs. The security reference monitor, which runs in kernel mode, is the primary authority for enforcing the security rules of the security subsystem.
• The tight integration of the directory service and the security subsystem services is key to the implementation of the Windows 2000 distributed system. For example, access to any directory object first requires proof of identity (authentication), which is performed by components of the security subsystem, and then validation of access permissions (authorization), which is performed by the security subsystem in conjunction with the security reference monitor. The security reference monitor enforces the access control applied to Active Directory objects.
Directory Service Architecture
• Active Directory functionality can be described as a layered architecture in which the layers represent the server processes that provide directory services to client applications.
• Active Directory consists of three service layers and several interfaces and protocols.
• The three service layers accommodate the different types of information that are required to locate records in the directory database. Above the service layers in this architecture are the protocols and APIs (APIs are on the clients only) that enable communication between clients and directory services.
Active Directory Data Model
• The Active Directory data model is derived from the X.500 model of objects and attributes.
• An object is a distinct, named set of attributes that represents something concrete, such as a user, a printer, or an application.
• A container is a structural class of object.
• The universe of objects that can be stored in Active Directory is defined in the schema.
• The schema defines the objects and specifies the relationships between classes of objects.
Location of the Schema in Active Directory
• The objects stored in Active Directory are arranged in a logical hierarchy called the Directory Information Tree (DIT).
• Active Directory includes a preconfigured database (commonly referred to as the base DIT) that contains the information that is required to install and run Windows 2000 and Active Directory.
• The Directory Information Tree is divided into directory partitions. A directory partition is a tree of directory objects that forms a unit of replication in Active Directory.
• All changes made to Active Directory are validated first against the schema.
Active Directory Replication
• Replication is the process by which the changes that are made on one domain controller are synchronized with all other domain controllers in the domain or forest that store copies of the same information.
• Data integrity is maintained by tracking changes on each domain controller and updating other domain controllers in a systematic way.
• Replication topology is the set of connections by which domain controllers in a forest synchronize the directory partition replicas that they have in common.
• The Knowledge Consistency Checker (KCC) is a built-in process that runs on all domain controllers and creates the replication topology for the forest. By default, the KCC runs at 15-minute intervals and designates the replication routes between domain controllers on the basis of the most favorable connections that are available at the time.
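As an added illustration of the multi-master change tracking described above (example code, not from the slides or from Microsoft): each domain controller stamps originating writes with its own update sequence number (USN) and a per-attribute version, a partner pulls only the changes past the high-watermark it holds for that source, and a conflict is resolved by the higher version, then the later stamp. Real Active Directory also keeps an up-to-dateness vector and uses the KCC-built topology, both omitted here; the DC names, distinguished name and logical-clock stamps are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Attr:
    value: str
    version: int    # incremented by every originating write
    stamp: int      # originating time (constructed logical clock)

@dataclass
class DomainController:
    name: str
    usn: int = 0                                        # local update sequence number
    objects: dict = field(default_factory=dict)         # DN -> {attribute: Attr}
    high_watermark: dict = field(default_factory=dict)  # partner -> last USN pulled
    log: list = field(default_factory=list)             # (local USN, DN, attribute, Attr)

    def _record(self, dn, attribute, attr):
        self.usn += 1
        self.objects.setdefault(dn, {})[attribute] = attr
        self.log.append((self.usn, dn, attribute, attr))

    def write(self, dn, attribute, value, stamp):
        """Originating write: every DC accepts changes (multi-master)."""
        cur = self.objects.get(dn, {}).get(attribute)
        self._record(dn, attribute, Attr(value, cur.version + 1 if cur else 1, stamp))

    def pull_from(self, partner):
        """Apply only the partner's changes past our high-watermark for it; return the count."""
        hw = self.high_watermark.get(partner.name, 0)
        applied = 0
        for usn, dn, attribute, attr in partner.log:
            if usn <= hw:
                continue                      # seen on an earlier replication cycle
            cur = self.objects.get(dn, {}).get(attribute)
            # Conflict resolution: higher version wins, then the later stamp.
            if cur is None or (attr.version, attr.stamp) > (cur.version, cur.stamp):
                self._record(dn, attribute, attr)
                applied += 1
            hw = usn
        self.high_watermark[partner.name] = hw
        return applied

def converge_demo():
    """Conflicting writes on DC1 and DC2 end up identical on all three DCs."""
    dn = "CN=alice,CN=Users,DC=corp,DC=example"         # constructed DN
    dc1, dc2, dc3 = (DomainController(n) for n in ("DC1", "DC2", "DC3"))
    dc1.write(dn, "title", "Engineer", stamp=10)
    dc2.write(dn, "title", "Manager", stamp=11)         # conflicting write, later stamp
    for src, dst in ((dc1, dc2), (dc2, dc1), (dc2, dc3)):
        dst.pull_from(src)
    return [dc.objects[dn]["title"].value for dc in (dc1, dc2, dc3)]
```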