
Windows 2000 Active Directory Services Usage Guide



Presentation Transcript


  1. Windows 2000 Active Directory Services Usage Guide version = 09Dec99 status = in progress

  2. Why this Talk
  • Review what W2ks Active Directory Services (ADS) enables and what it is
  • Review how W2ks ADS might affect how existing services are designed, deployed and managed
  • Review some implementation details we have learned
  • Discuss what services could make sense to start developing or piloting today

  3. Agenda
  • What is the Microsoft Active Directory Service
  • Directory Enabled Networking / Policy Based Management
  • Policy Based Management Development Roadmaps
  • Customer Relationship Management Solutions
  • Service Partitioning
  • Implementations
  • Next Steps

  4. What does ADS enable? Building block for the creation of service offerings where shifting the roles and responsibilities for service reporting, management and feature expansion from the Network Service Provider to Customer and the Customer’s customers can be easily achieved.

  5. What is ADS…a DNS, LDAP and X.500 directory
  [tree diagram: Root with Users, Machines, Devices, Applications, Marketing and Personnel beneath it; the legend distinguishes Container from Object]

  6. What is ADS…a DNS, LDAP and X.500 directory (1)
  • Domain Naming context rooted on “objectCategory” CN=Domain-DNS,CN=… entry
  • Schema Class and Attribute definitions require “attributeId” w/ OID value syntax and “lDAPDisplayName” attributes
  • Information organized hierarchically as objects within Organizational Unit (OU) containers
  • Every ADS object supports specific or inherited Access Control List security

  7. What is ADS…a DNS, LDAP and X.500 directory (2)
  • Forest and Tree structure supports representation of large business entity including departments, customers and wholesalers
  • Within a Tree namespace partitioning can be used to achieve the same levels of hierarchy
  • Implicit Hierarchical and Transitive trusts lower initial configuration overhead
  • Inter - Forest trusts allow for mergers and eCommerce relationships to be defined

  8. …a Relational Database
  • RDMS that is useful anytime easy to manage, efficient distributed presence is required
  • RDMS optimized for
    • Distributed, Replicated, Delegated Admin
    • Sparse objects
    • Lots of index creation and rebuild in support of queries
    • Reuse of record and field definitions in other tables
    • Data sets are assumed to not change rapidly
  • Not a replacement for traditional RDMS services
    • i.e. financials/billing/accounting/subscriber Mgmt
    • an existing database can be the primary that populates ADS when changes occur, or the reverse

  9. ….a Front End Processor
  • Authentication
    • RADIUS (PAP, CHAP, MsCHAP) / LDAP SASL / SmartCards [Certs] / Kerberos / NTLM / HTTP / SMTP / NNTP
    • Exchange adds POP3 / IMAP4 auth support
    • Any client (i.e. SecureId) that can do these protocols
    • Single sign-on dependent on client auth caching support
  • Query
    • LDAP / ADSI / OLEDB / …
    • Any client device that can do these protocols
  • Custom - Add new FEP protocol services

  10. Microsoft Active Directory
  [diagram: Active Directory as the Focal Point for Users & resources, Security, Delegation and Policy, connected to the Internet and to the following; labels recovered from the slide:]
  • Windows Clients: Mgmt profile, Network info, Policy
  • Windows Servers: Mgmt profile, Network info, Services, Printers, File shares, Policy
  • Windows Users: Account info, Privileges, Profiles, Policy
  • Other Directories: White pages, E-Commerce
  • Network Devices: Configuration, QoS policy, Security policy, Management
  • Other NOS: User registry, Security, Policy
  • Firewall Services: Configuration, Security Policy, VPN policy
  • Applications: Server config, Single Sign-On, App-specific directory info, Policy
  • E-Mail Servers: Mailbox info, Address book

  11. Directory Enabled Networking
  • Microsoft and Cisco / Adhoc Working group
  • DEN information model specification in ’97
  • LDAP schema representation created
  • Taken over by Distributed Mgmt Task Force ‘98
  • http://www.dmtf.org
  • CIM 2.2 - 2.3 expected to absorb DEN Information model additions…appx. Q1 2000
  • IETF working group plans to post LDAP schema implementation post CIM 2.3
  • LDAP schema implementation which required flattening and denormalization
  • aka Policy Based Management (PBM)

  12. What is Policy Based Mgmt?
  • Policies applied based on service object storage location or security group membership
  • Hierarchical supporting global down to service level specific policy settings
    • if (match policyXyz)
    • then do action1, 2, …
  • Bottom Up Policy
    • End Station initiated policy processing
    • i.e. Dialup, QOS, VPN service request events
  • Top Down Policy
    • Provisioned (/Pushed/Polled) policy processing
    • i.e. static, intermittently changing service configurations

  13. Logical PBM Architectures
  [architecture diagram; component labels recovered from the slide:]
  • 1. Policy Store
    • 1b. Policy “State Machine” Store [optional]
  • 2. Policy Server
    • 2b. Policy Server “Gateway” [optional]
    • 2c. Policy “Change Notification” Server [optional]
  • 3. Service Control (CPE, eCommerce, B2B, hosting, messaging, etc.)

  14. Evolving PBM Standards
  • Policy Store
    • LDAP, CIM derived LDAP, CIM, MIB, PIB, CMIP…
  • Policy “State Machine” Store
    • Custom in-memory RDMS and LDAP servers
  • Policy Server [/Gateway]
    • RADIUS, COPS, DIAMETER, LDAP, …
  • Policy “Change Notification” Service
    • Custom function callback routines
    • Msft COM Event Sources & Sinks
  • Service Control
    • CLI, WMI, SNMP, TMN, SS7, …

  15. Microsoft PBM Solutions
  • User DialUp and VPN’s
    • Internet Authentication Service RADIUS policies
    • IAS Policy “State Machine” Store
    • Commercial IAS RADIUS proxy
    • Voluntary or mandatory tunnels, Availability times, Call back settings, Filters, IP settings, Radius parameters, Name/Realm cracking rules
  • QOS
    • W2ks End station signaling, marking and scheduling
    • Quantitative IntServ support i.e. Netmeeting, Wmt40+
    • Qualitative AppId/SubId support i.e. SAP, PeopleSoft
    • Qualitative DS and SQL replication being investigated
    • DCLASS(IntServ), TCLASS(DiffServ) policy updates

  16. Microsoft QOS PBM (1)
  • QOS Policy Enforcement Approaches
    • Top Down (aka Provisioned)
    • Bottom Up (aka End Station event driven)
  • Top Down / Provisioned Options
    • VPN’s, Routes, Filters, DiffServ, etc.
  • Bottom Up / End Station Options
    • Quantitative
      • Flow Classifier (src/dst/port) and Flow Specifier (data rate, peak, latency, jitter, loss) are known, DCLASS object from Policy Server can modify initial request settings
    • Qualitative
      • Flow Specifier only knows flow AppId and SubId, TCLASS object from Policy Server can modify initial request settings

  17. Microsoft QOS PBM (2)
  • Edge and Core approaches
    • IntServ/PerFlow state and shaping possible at the Edge
    • DiffServ/Aggregate possible in the Core
  • What you call the Edge can move further down or up the line as desire for expended network device flow processing cycles decreases/increases
  • Layered Policy Enforcement Processing points allow for enforced SLA at Edge and/or in the Core

  18. Microsoft PBM Solutions (1)
  • IPSEC
    • Classify by IP Src/Dst/Port
    • Filter Action Permit (permit/request/require), Tunnel Mode, Security Method, Authentication Method, Connection Type (all/lan/remoteAccess)
  • Security
    • ACL’s, Users, Groups, Services, PXE setup, ….
  • Software
    • Hotfixes, OS upgrades, Service Packs, 3rd party, ….
  • Script processing
    • Startup, Shutdown, Scheduler(aka crontab) updates

  19. Microsoft PBM Solutions (2)
  • Group Policy Container / Group Policy Template
    • Extensible model for custom policy based settings
    • Default “Computer” or “User” configuration settings
    • i.e. CyberOffice configurations, disk quotas, etc.
  • Futures –
    • DHCP policy managed address space in support of load balancing
    • Routing protocol settings (OSPF/BGP), filters, net to net tunnels
    • Routing per user policies
    • ServiceXyz i.e. eCommerce, B2B, hosting, messaging, etc.

  20. Cisco PBM Solutions
  • User DialUp and VPN’s
    • NAS configuration
  • Cisco Network Services / Active Directory (CNS/AD)
    • QOS (qualitative and provisioned)
    • AccessVPN (CPE net to HQ net star configurations)
    • AccessRegistrar (Merit RADIUS server acquisition)
  • Cisco Active Directory / Unix (AD/X)
    • Active Directory Replica service for Solaris & HPUX
    • Windows authentication services not available

  21. Other PBM Solutions
  • Ascend
    • User DialUp and VPN’s and NAS configuration via RADIUS
  • 3Com Dynamic Access
    • Configured QOS, pushed aggregate marking
  • …etc

  22. PBM Dev Roadmaps
  • Policy Store
  • Policy Server
  • Service Control
  • Management
  • Installer

  23. PBM Dev – Policy Store
  • Recall Evolving Standards = LDAP Schema, CIM derived LDAP Schema, CIM, MIB, PIB, CMIP…
  • Option = Store Service and Policy Class/Attribute Instances in Active Directory Service
    • Derive from ADS category 1 classes
    • Derive your own from “TOP”
    • Derive from evolving CIM LDAP schema
  • Note: use versioning on dev systems to avoid requiring a domain reinstall to test new releases
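
An added example (not part of the presentation) of the Policy Store option on slides 6 and 23: it builds the attributeSchema and classSchema entries for one service class derived from top, checks that each carries the attributeID / governsID (OID) and lDAPDisplayName the schema requires, applies a version suffix for dev forests, and serialises them as an LDIF add batch. The OID arc 1.3.6.1.4.1.99999 and the pbmService / pbmServiceTier names are constructed placeholders.

```python
import re

# Constructed placeholder OID arc for illustration; a real schema extension
# uses an OID arc registered to the organisation.
OID_ARC = "1.3.6.1.4.1.99999"

# attributeSyntax / oMSyntax pairs AD uses for three common syntaxes.
SYNTAXES = {
    "unicode": ("2.5.5.12", "64"),
    "integer": ("2.5.5.9", "2"),
    "boolean": ("2.5.5.8", "1"),
}
OID_RE = re.compile(r"^[0-2](\.(0|[1-9]\d*))+$")
# Attributes an import must carry: the two names slide 6 calls out plus the
# syntax pair for attributes; classes need a governsID, a parent and a category.
REQUIRED = {
    "attributeSchema": ("lDAPDisplayName", "attributeID", "attributeSyntax", "oMSyntax"),
    "classSchema": ("lDAPDisplayName", "governsID", "subClassOf", "objectClassCategory"),
}

def dev_name(base, version=0):
    """Version a schema name on a dev forest so repeated test releases do not
    need a domain reinstall (slide 23); production uses the bare name."""
    return f"{base}V{version}" if version else base

def attribute_entry(schema_nc, name, oid_suffix, syntax, version=0):
    ldap_name = dev_name(name, version)
    attr_syntax, om_syntax = SYNTAXES[syntax]
    return {
        "dn": f"CN={ldap_name},{schema_nc}",
        "objectClass": ["top", "attributeSchema"],
        "lDAPDisplayName": ldap_name,
        "attributeID": f"{OID_ARC}.1.{oid_suffix}",
        "attributeSyntax": attr_syntax,
        "oMSyntax": om_syntax,
        "isSingleValued": "TRUE",
    }

def class_entry(schema_nc, name, oid_suffix, may_contain, version=0):
    ldap_name = dev_name(name, version)
    return {
        "dn": f"CN={ldap_name},{schema_nc}",
        "objectClass": ["top", "classSchema"],
        "lDAPDisplayName": ldap_name,
        "governsID": f"{OID_ARC}.2.{oid_suffix}",
        "subClassOf": "top",            # "derive your own from TOP"
        "objectClassCategory": "1",     # structural class
        "mayContain": [dev_name(a, version) for a in may_contain],
    }

def validate(entry):
    """Return the list of problems; an empty list means the entry is importable."""
    problems = []
    for attr in REQUIRED[entry["objectClass"][-1]]:
        if not entry.get(attr):
            problems.append(f"missing {attr}")
    for attr in ("attributeID", "governsID"):
        if attr in entry and not OID_RE.match(entry[attr]):
            problems.append(f"malformed OID in {attr}")
    return problems

def to_ldif(entries):
    """Serialise entries as an LDIF add batch, the form ldifde imports."""
    lines = []
    for entry in entries:
        lines += [f"dn: {entry['dn']}", "changetype: add"]
        for key, value in entry.items():
            if key != "dn":
                lines += [f"{key}: {v}" for v in (value if isinstance(value, list) else [value])]
        lines.append("")
    return "\n".join(lines)
```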

  24. PBM Dev – Policy “State Machine” Store
  • High performance writes implying non-replicated or limited replication
  • Review IAS “State Server” SDK if you require a way to hook into RADIUS policy events
  • Option 1 - Internet Locator Service
    • In-memory LDAP service on tcp/1002
  • Option 2 – W2ks In-Memory Database Service
  • Option 3 – database cache rich RDMS/SQL70 setup
  • Option 4 - Custom State Machine storage
  • All – Review COM+ Load Balancing Services for optional State Machine application fail over functionality

  25. PBM Dev – Policy Store Refs
  • Msdn / Platform SDK / Networking Services / AD / ADProgGuid / Extending the Schema
  • Msdn / Platform SDK / Management Services / Group Policy / About Group Policy / Providing Policy for your Application
  • Msdn / Platform SDK / Index on “Group Policy, implementation and Active Directory structure”

  26. PBM Dev – Policy Store Refs (1)
  • Msdn / Platform SDK / Networking Services / Networking Security / IAS / Working With a State Server
  • Msdn / Platform SDK / Msg & Collab Svcs / WinNetMtg30Sdk / Using NetMtg / Internet Locator Service API
  • Start / Help / Index / Site Server ILS service
  • Msdn / Platform SDK / Services Provided by COM+ / In-Memory Database
  • Msdn / Platform SDK / Svcs Provided by COM+ / Load Balancing

  27. PBM Dev – Policy Server
  • Recall Evolving Standards = RADIUS, COPS, DIAMETER, LDAP, …
  • Option = Host on W2ks and leverage built in Group Policy API support
    • Read from directory services it is responsible for, or accept registration directly from services
    • Locate, via GC lookup, the service storage location and security group membership to decide effective policies
    • Read from the DS, at a polling interval, the policies for which you want to register for change event notifications
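
An added example (not part of the presentation) of the effective-policy decision slides 12 and 27 describe: policies linked to containers are applied from the domain root down to the object's own OU, the most specific link winning, then policies linked to the object's security groups; each policy carries the "if (match policyXyz) then do action" predicate. The policy names, DNs and settings are constructed sample data, and the choice to apply group-linked policies after container-linked ones is an assumption of this example.

```python
# Constructed sample policy data; a real Policy Server reads these from the
# directory (slide 27) rather than from module constants.
POLICIES = {
    "GlobalBaseline": {"match": {}, "settings": {"maxBandwidthKbps": 512, "ipsec": "request"}},
    "HostingOU": {"match": {}, "settings": {"maxBandwidthKbps": 2048}},
    "WebTierVpnOnly": {"match": {"serviceType": "vpn"}, "settings": {"ipsec": "require"}},
    "GoldCustomers": {"match": {}, "settings": {"maxBandwidthKbps": 8192}},
}
CONTAINER_LINKS = {  # policies linked at each level of the OU hierarchy
    "DC=isp,DC=test": ["GlobalBaseline"],
    "OU=Hosting,DC=isp,DC=test": ["HostingOU"],
    "OU=Web,OU=Hosting,DC=isp,DC=test": ["WebTierVpnOnly"],
}
GROUP_LINKS = {"CN=Gold,OU=Groups,DC=isp,DC=test": ["GoldCustomers"]}

def container_chain(dn):
    """Containers of a DN from the domain root down to the immediate parent,
    which is the global-to-specific order in which policy is applied."""
    parts = dn.split(",")
    root = next(i for i, p in enumerate(parts) if p.upper().startswith("DC="))
    return [",".join(parts[i:]) for i in range(root, 0, -1)]

def matches(policy, obj):
    """The slide 12 predicate: if (match policyXyz) then apply its actions."""
    return all(obj.get("attrs", {}).get(k) == v for k, v in policy["match"].items())

def effective_policy(obj):
    """Return (settings, provenance): the merged settings and, per setting,
    the policy that last set it, which is what an operator needs when a
    service ends up with a value nobody expected."""
    ordered = []
    for container in container_chain(obj["dn"]):
        ordered += CONTAINER_LINKS.get(container, [])
    for group in obj.get("memberOf", []):   # assumption: group links apply last
        ordered += GROUP_LINKS.get(group, [])
    settings, provenance = {}, {}
    for name in ordered:
        policy = POLICIES[name]
        if not matches(policy, obj):
            continue
        for key, value in policy["settings"].items():
            settings[key] = value
            provenance[key] = name
    return settings, provenance
```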

  28. PBM Dev – Policy “Change Notification” Server
  • Policy change notification and immediate push updates to services
  • Option 1 – Custom update UI that triggers policy push update when policy changes applied
  • Option 2 – LDAP “persistent search” settings applied to policy managed OU’s
  • Statically define set of policies to enable “Change Event” notification in order to scale solution

  29. PBM Dev – Policy Server Refs
  • Msdn / Platform SDK / Networking Services / Networking Security / IAS
  • <todo: add IETF COPS draft url>
  • <todo: add IETF DIAMETER draft url>
  • Msdn / Platform SDK / Networking Services / LDAP API / Using the LDAP API in a Client Application
  • Msdn / Platform SDK / Management Services / Group Policy

  30. PBM Dev – Service Control
  • Recall Evolving Standards = CLI, WMI, SNMP, TMN, SS7, …
  • Option = Expand on service’s OS support for any of the above to enable PBM of service
  • Option = Migrate service’s control OS or core OS to W2ks and reuse the existing API support for these management protocols

  31. PBM Dev – Service Control (1)
  • Hosting Device Publication in Policy Store
    • Use Msft open source LDAP client w/ SASL Kerberos authentication support (TBD)
    • CLI routine requesting domain and container to self publish in
    • Local storage denoting publication complete and location or
    • Admin snap-in for manual creation/publication of hosting device object
    • CLI routine for statically configuring location that Admin snap-in manually published object representation

  32. PBM Dev – Service Control (2)
  • Service Publication in Policy Store
    • Use Msft open source LDAP client w/ SASL Kerberos authentication support (TBD)
    • CLI routine requesting domain and container to self publish in
    • Local storage denoting publication complete and location or
    • Admin snap-in for manual creation/publication of hosting device object
    • CLI routine for statically configuring location that Admin snap-in manually published object representation

  33. PBM Dev – Service Control Refs
  • Msdn / Platform SDK / Management Services / WMI
  • Msdn / Platform SDK / Networking Services / SNMP
  • <todo: add Vertel Reference url for TMN>
  • <todo: add Parlay Reference url for SS7>

  34. PBM Dev – Management
  • Recall Evolving Standards = ???
  • Option = Create a Microsoft Management Console Snap-In
    • One for mgmt of Service and Policy instances
    • Create your custom snap-in
      • Create creation wizard or
    • Extend ADS category 1 classes MMC snap-in
      • Add creation wizard pages for mandatory attributes

  35. PBM Dev – Management Refs
  • Msdn / Platform SDK / Networking Services / AD / ADProgGuid / Extending the User Interface for Directory Objects
  • <todo: add Msdn / Platform SDK reference for GPE Extensions>

  36. PBM Dev – Installer
  • Recall Evolving Standards = AcmeSetup, SetupAPI’s, InstallShield, …
  • Option = Use the W2k Windows Installer
    • Derive from Platform SDK Windows Installer sample code or
    • Build your own from scratch using Windows Installer Documentation

  37. PBM Dev – Installer Refs
  • Software defined using Microsoft Installer .MSI files is easily managed and self repairing
    • http://www.microsoft.com/windows/professional/technical/whitepapers/installer.asp, http://msdn.microsoft.com/winlogo/appspec.doc
  • Natively Author MSI
    • http://msdn.microsoft.com/vstudio/downloads/vsi/default.asp, http://www.microsoft.com/msj/0998/windowsinstallertop.htm, http://wwwinstallsheild.com, http://www.wisesolutions.com
  • Repackaging Software in MSI
    • equivalent to before and after snap shooting
    • ZAP’s only work for “published” software deployments
    • Veritas WinInstall LE included in platform to provide simple repackaging of software to MSI
    • http://www.microsoft.com/windows/server/Deploy/management/wininstall/default.asp, http://www.veritas.com

  38. PBM Dev – Installer Refs (1) • Msdn / Platform SDK / Management Services / Setup / Windows Installer

  39. Customer Relationship Mgmt
  • aka Enterprise Application Integration (EAI)
  • Services /Acronyms
    • OLTP – On Line Transaction Processor
    • ERP – Enterprise Resource Planning
    • ETL – Extraction, Transformation & Loading
    • DW – Data Warehouse
    • DM – Data Mart (vertical team DW)
    • OLAP – On Line Analytical Processing
  • CRM future according to Siebel Systems
    • 2.2 billion software market
    • 54% compounded annualized growth rate
    • Lucent cites that this growth will involve both software and hardware updates

  40. CRM – Food Chain
  • OLTP -> ERP -> [ETL ->] DW | DM ->[ETL->] OLAP
  • CRM <-> OLTP | ERP | ETL | DW | DM | OLAP
  • CRM <-> Data Network Security & Resources
  • Identity is the aggregated summary of Xyz
    • Most often identity data in too many places
    • Not all identity is exposed through directory interfaces
    • No single place to access or manage aggregated identity
  Meta Directories can play the key role in creating and presenting CRM interfaces

  41. CRM – Food Chain (1)
  [diagram; labels recovered from the slide:]
  • Customer Service Representatives and Delegated Ops
  • Front End PBM Tasks
  • Support Calls & some CCE/PBM Tasks
  • PBM Services Environment
  • CRM Environment (“Denormalized Access”)
  • CCE Tasks
  • Partial 2-Way Synchronization (two links)
  • Customer Care Environment = Vertical Application/Database Services: SLA Data, Billing, Orders, . . .

  42. CRM – Meta Directory Sync
  • Two way connectors included for sync with
    • Novell NDS, LDAP (i.e. Exchange 5.5, NSCP, etc.)
  • One way connectors included for sync with
    • /etc/passwd, /etc/shadow
  • Connectors creatable via ADSI, OLEDB, etc for sync with
    • SQL, Oracle, DB2, etc. or flat file databases
  • Exchange one way connectors for sync with
    • Lotus Notes, GroupWise, etc.
  • LDIF Directory Sync Bulk import/export tool

  43. CRM – Meta Directory Sync (2)
  • Microsoft is committed to directory interoperability
    • Helping customers reduce the cost and complexity of directory management
  • Acquired Zoomit on Wed 07Jul99
    • Zoomit's technologies being integrated with Active Directory Services
  • ISV solutions also available i.e. IsoCor and MetaConnect

  44. Service Partitioning Architecture - Services
  • Desire Highly Available and Scalable Services
  • SLC = Stateless Clusters
    • Used for services where changes need not be persisted
    • Requests spread out over set of nodes in cluster
    • Host failures usually result in rerouting of requests
    • Implemented using network or platform SLC solution
  • SFC = Stateful Clusters
    • Used for services where changes must be persisted
    • Requests are partitioned across available clusters
    • Host failures usually handled via fail over or some form of fault tolerant recovery
    • Implemented using HW or platform SFC solution

  45. Service Partitioning Architecture - Services (1)
  • RFS = Reliable File Service
  • SSM = Service State Machine
  • RDMS = Relational Database Service
  • DS = Directory Service
  • AS = Autonomous System encapsulating DataCenter Network layer 3 address space

  46. Service Partitioning Architecture - SLC
  • Must use “Scaling Out” for Stateless services
    • “Scaling Up” may eventually reach a current technology ceiling for your service requirements
    • “Scaling Up” has implied level of risk associated with a given node
  • “Scaling Out” Stateless services
    • Microsoft Network Load Balancing Service (NLBS)
    • Cisco Local Director, F5 Labs BigIP, RnD Web Service Director, Alteon AceDirector, etc.
    • NLBS currently supports 32 node clusters
    • More nodes per cluster can be achieved by linking clusters together with DNS Round Robin

  47. Service Partitioning Architecture - SFC
  • Must use “Scaling Out” for Stateful services
    • “Scaling Up” may eventually reach a current technology ceiling for your service requirements
    • “Scaling Up” has implied level of risk associated with a given node
  • “Scaling Out” Stateful services
    • Microsoft Cluster Service (MSCS)
    • Marathon Technologies, Stratus Melody, etc.
    • MSCS currently supports N + 1 clustering
      • Where N = 1 max today on AdvancedServer, N = 3 on DataCenter, N = more to follow with OEM solutions
    • Active/Active configuration also supported

  48. Svc Part, Architecture - DataCenter
  [diagram; labels recovered from the slide:]
  • Application/services requests
  • SLC: HTTP, SMTP, POP3, IMAP4, LDAP, etc.
  • SLC: DS
  • SLC: RFS & RDMS (use DS to lookup SFC partition)
  • SFC: RFS, SSM & RDMS (use DS to lookup SFC partition)
  • Additional SFC: RFS, SSM & RDMS . . .
  • SLC updates from outside sources at scheduled times

  49. Implementation – Headless Ops
  • Templates for jumpstart setup of Ds host roles – initial domain root, replica, child, child replica
    • ftp://ftp.microsoft.com/services/isn/ops/setup/$oem$w2ks.zip
  • Out-Of-Band hardware and software
    • TTY access = Compaq IRC | Phoenix Firmware | Apex Emerge RSA | …
    • Power control = Compaq IRC | Apc Masterswitch | …
    • Vt100 Terminal = Seattle Labs | Interix | …
  • Couple with recovery models to enable “Lights Out Operation”
  • Note fixed IP’s required for DC’s operating DNS service for domain

  50. Implementation - Integration
  • Windows NT 4.0 hosted services plug in as Member Servers
    • Services see domain via downlevel domain support
    • Gain unlimited scaling of downlevel domains
    • Multidomain support within a single W2ks domain install
  • Easy migration from Windows NT 4.0 hosted services to Windows 2000 hosted services
