670 likes | 889 Views
Windows 2000 Active Directory Services Usage Guide. version = 09Dec99 status = in progress. Why this Talk. Review what W2ks Active Directory Services (ADS) enables and what it is Review how W2ks ADS might effect how existing services are designed, deployed and managed
E N D
Windows 2000 Active Directory Services Usage Guide version = 09Dec99 status = in progress
Why this Talk • Review what W2ks Active Directory Services (ADS) enables and what it is • Review how W2ks ADS might effect how existing services are designed, deployed and managed • Review some implementation details we have learned • Discuss what services could make sense to start developing or piloting or today?
Agenda • What is the Microsoft Active Directory Service • Directory Enabled Networking / Policy Based Management • Policy Based Management Development Roadmaps • Customer Relationship Management Solutions • Service Partitioning • Implementations • Next Steps
What does ADS enable? Building block for the creation of service offerings where shifting the roles and responsibilities for service reporting, management and feature expansion from the Network Service Provider to Customer and the Customer’s customers can be easily achieved.
What is ADS…a DNS, LDAP and X.500 directory Root Users Machines Devices Applications Marketing Personnel = Container = Object
What is ADS…a DNS, LDAP and X.500 directory (1) • Domain Naming context rooted on “objectCategory” CN=Domain-DNS,CN=… entry • Schema Class and Attribute definitions require “attributeId” w/ OID value syntax and “lDAPdisplayName” attributes • Information organized hierarchically as objects within Organizational Unit (OU) containers • Every ADS object supports specific or inherited Access Control List security
What is ADS…a DNS, LDAP and X.500 directory (2) • Forest and Tree structure supports representation of large business entity including departments, customers and wholesalers • Within a Tree namespace partitioning can be used to achieve the same levels or heirarchy • Implicit Hierarchical and Transitive trusts lowers initial configuration overhead • Inter - Forest trusts allow for mergers and eCommerce relationships to be defined
…a Relational Database • RDMS that is useful anytime easy to manage, efficient distributed presence is required • RDMS optimized for • Distributed, Replicated, Delegated Admin • Sparse objects • Lots of index creation and rebuild in support of queries • Reuse of record and field definitions in other tables • Data sets are assumed to not change rapidly • Not a replacement for traditional RDMS services • i.e. financials/billing/accounting/subscriber Mgmt • existing databases can be primary that populates ADS when changes occur or reverse
….a Front End Processor • Authentication • RADIUS (PAP, CHAP, MsCHAP) / LDAP SASL / SmartCards [Certs] / Kerberos / NTLM / HTTP / SMTP / NNTP • Exchange adds POP3 / IMAP4 auth support • Any client (i.e. SecureId) that can do these protocols • Single sign-on dependant on client auth caching support • Query • LDAP / ADSI / OLEDB / … • Any client device that can do these protocols • Custom - Add new FEP protocol services
Microsoft Active Directory • Windows Clients • Mgmt profile • Network info • Policy • Windows Servers • Mgmt profile • Network info • Services • Printers • File shares • Policy • Windows Users • Account info • Privileges • Profiles • Policy • Other • Directories • White pages • E-Commerce • Network Devices • Configuration • QoS policy • Security policy • Management • Focal Point For: • Users & resources • Security • Delegation • Policy Active Directory • Other NOS • User registry • Security • Policy • Firewall Services • Configuration • Security Policy • VPN policy • Applications • Server config • Single Sign-On • App-specificdirectory info • Policy • E-Mail Servers • Mailbox info • Address book Internet
Directory Enabled Networking • Microsoft and Cisco / Adhoc Working group • DEN information model specification in ’97 • LDAP schema representation created • Taken over by Distributed Mgmt Task Force ‘98 • http://www.dmtf.org • CIM 2.2 - 2.3 expected to absorb DEN Information model additions…appx. Q1 2000 • IETF working group plans to post LDAP schema implementation post CIM 2.3 • LDAP schema implementation which required flattening and denormalization • aka Policy Based Management (PBM)
What is Policy Based Mgmt? • Policies applied based on service object storage location or security group membership • Hierarchical supporting global down to service level specific policy settings • if (match policyXyz) • then do action1, 2, … • Bottom Up Policy • End Station initiated policy processing • i.e. Dialup, QOS, VPN service request events • Top Down Policy • Provisioned (/Pushed/Polled) policy processing • i.e. static, intermittently chaning service configurations
Logical PBM Architectures 1. Policy Store 1b. Policy “State Machine” Store [optional] 2c. Policy “Change Notification” Server [optional] 2. Policy Server 2b. Policy Server “Gateway” [optional] 3. Service Control CPE, eCommerce, B2B, hosting, messaging, etc. 3. Service Control
Evolving PBM Standards • Policy Store • LDAP, CIM derived LDAP, CIM, MIB, PIB, CMIP… • Policy “State Machine” Store • Custom in-memory RDMS and LDAP servers • Policy Server [/Gateway] • RADIUS, COPS, DIAMETER, LDAP, … • Policy “Change Notification” Service • Custom function callback routines • Msft COM Event Sources & Sinks • Service Control • CLI, WMI, SNMP, TMN, SS7, …
Microsoft PBM Solutions • User DialUp and VPN’s • Internet Authentication Service RADIUS policies • IAS Policy “State Machine” Store • Commercial IAS RADIUS proxy • Voluntary or mandatory tunnels, Availability times, Call back settings, Filters, IP settings, Radius parameters, Name/Realm cracking rules • QOS • W2ks End station signaling, marking and scheduling • Quantitative IntServ support i.e. Netmeeting, Wmt40+ • Qualitative AppId/SubId support i.e. SAP, PeopleSoft • Qualitative DS and SQL replication being investigated • DCLASS(IntServ), TCLASS(DiffServ) policy updates
Microsoft QOS PBM (1) • QOS Policy Enforcement Approaches • Top Down (aka Provisioned) • Bottom Up (aka End Station event driven) • Top Down / Provisioned Options • VPN’s, Routes, Filters, DiffServ, etc. • Bottom Up / End Station Options • Quantitative • Flow Classifier (src/dst/port) and Flow Specifier (data rate, peak, latency, jitter, loss) are known, DCLASS object from Policy Server can modify initial request settings • Qualitative • Flow Specifier only knows flow AppId and SubId, TCLASS object from Policy Server can modify initial request settings
Microsoft QOS PBM (2) • Edge and Core approaches • IntServ/PerFlow state and shaping possible at the Edge • DiffServ/Aggregate possible in the Core • What you call the Edge can move further down or up the line as desire for expended network device flow processing cycles decreases/increases • Layered Policy Enforcement Processing points allows for enforced SLA at Edge and/or in the Core
Microsoft PBM Solutions (1) • IPSEC • Classify by IP Src/Dst/Port, • Filter Action Permit (permit/request/require), Tunnel Mode, Security Method, Authentication Method, Connection Type (all/lan/remoteAccess) • Security • ACL’s, Users, Groups, Services, PXE setup, …. • Software • Hotfixes, OS upgrades, Service Packs, 3rd party, …. • Script processing • Startup, Shutdown, Scheduler(aka crontab) updates
Microsoft PBM Solutions (2) • Group Policy Container / Group Policy Template • Extensible model for custom policy based settings • Default “Computer” or “User” configuration settings • i.e. CyberOffice configurations, disk quotas, etc. • Futures – • DHCP policy managed address space for in support of load balancing • Routing protocol settings (OSPF/BGP), filters, net to net tunnels • Routing per user policies • ServiceXyz i.e. eCommerce, B2B, hosting, messaging, etc.
Cisco PBM Solutions • User DialUp and VPN’s • NAS configuration • Cisco Network Services / Active Directory (CNS/AD) • QOS (qualitative and provisioned) • AccessVPN (CPE net to HQ net star configurations) • AccessRegistrar (Merit RADIUS server acquisition) • Cisco Active Directory / Unix (AD/X) • Active Directory Replica service for Solaris & HPUX • Windows authentication services not available
Other PBM Solutions • Ascend • User DialUp and VPN’s and NAS configuration via RADIUS • 3Com Dynamic Access • Configured QOS, pushed aggregate marking • …etc
PBM Dev Roadmaps • Policy Store • Policy Server • Service Control • Management • Installer
PBM Dev – Policy Store • Recall Evolving Standards = LDAP Schema, CIM derived LDAP Schema, CIM, MIB, PIB, CMIP… • Option = Store Service and Policy Class/Attribute Instances in Active Directory Service • Derive from ADS category 1 classes • Derive your own from “TOP” • Derive from evolving CIM LDAP schema • Note use versioning on dev systems to avoid requiring domain reinstall to test new releases
PBM Dev – Policy “State Machine” Store • High performance writes implying non-replicated or limited replication • Review IAS “State Server” SDK if you require a way to hook into RADIUS policy events • Option 1 - Internet Locator Service • In-memory LDAP service on tcp/1002 • Option 2 – W2ks In-Memory Database Service • Option 3 – database cache rich RDMS/SQL70 setup • Option 3 - Custom State Machine storage. . • All – Review COM+ Load Balancing Services for optional State Machine application fail over functionality
PBM Dev – Policy Store Refs • Msdn / Platform SDK / Networking Services / AD / ADProgGuid / Extending the Schema • Msdn / Platform SDK / Management Services / Group Policy / About Group Policy / Providing Policy for your Application • Msdn / Platform SDK / Index on “Group Policy, implementation and Active Directory structure”
PBM Dev – Policy Store Refs (1) • Msdn / Platform SDK / Networking Services / Networking Security / IAS / Working With a State Server • Msdn / Platform SDK / Msg & Collab Svcs / WinNetMtg30Sdk / Using NetMtg / Internet Locator Service API • Start / Help / Index / Site Server ILS service • Msdn / Platform SDK / Services Provided by COM+ / In-Memory Database • Msdn / Platform SDK / Svcs Provided by COM+ / Load Balancing
PBM Dev – Policy Server • Recall Evolving Standards = RADIUS, COPS, DIAMETER, LDAP, … • Option = Host on W2ks and leverage built in Group Policy API support • Read from directory services it is responsible for or accept registration directly from services • Locates via GC lookup service storage location and security group membership to decide effective policies • Read from DS interval polling time policies to which you want to register for change event notifications
PBM Dev – Policy “Change Notification” Server • Policy change notification and immediate push updates to services • Option 1 – Custom update UI that triggers policy push update when policy changes applied • Option 2 – LDAP “persistent search” settings applied to policy managed OU’s • Statically define set of policies to enable “Change Event” notification in order to scale solution
PBM Dev – Policy Server Refs • Msdn / Platform SDK / Networking Services / Networking Security / IAS • <todo: add IETF COPS draft url> • <todo: add IETF DIAMETER draft url> • Msdn / Platform SDK / Networking Services / LDAP API / Using the LDAP API in a Client Application • Msdn / Platform SDK / Management Services / Group Policy
PBM Dev – Service Control • Recall Evolving Standards = CLI, WMI, SNMP, TMN, SS7, … • Option = Expand on service’s OS support for any of the above to enable PBM of service • Option = Migrate service’s control OS or core OS to W2ks and reuse the existing API support for these management protocols
PBM Dev – Service Control (1) • Hosting Device Publication in Policy Store • Use Msft open source LDAP client w/ SASL Kerberos authentication support (TBD) • CLI routine requesting domain and container to self publish in • Local storage denoting publication complete and location or • Admin snap-in for manual creation/publication of hosting device object • CLI routine for statically configuring location that Admin snap-in manually published object representation
PBM Dev – Service Control (2) • Service Publication in Policy Store • Use Msft open source LDAP client w/ SASL Kerberos authentication support (TBD) • CLI routine requesting domain and container to self publish in • Local storage denoting publication complete and location or • Admin snap-in for manual creation/publication of hosting device object • CLI routine for statically configuring location that Admin snap-in manually published object representation
PBM Dev – Service Control Refs • Msdn / Platform SDK / Management Services / WMI • Msdn / Platform SDK / Networking Services / SNMP • <todo: add Vertel Reference url for TMN> • <todo: add Parlay Reference url for SS7>
PBM Dev – Management • Recall Evolving Standards = ??? • Option = Create a Microsoft Management Console Snap-In • One for mgmt of Service and Policy instances • Create your custom snap-in • Create creation wizard or • Extend ADS category 1 classes MMC snap-in • Add creation wizard pages for mandatory attributes
PBM Dev – Management Refs • Msdn / Platform SDK / Networking Services / AD / ADProgGuid / Extending the User Interface for Directory Objects • <todo: add Msdn / Platform SDK reference for GPE Extensions>
PBM Dev – Installer • Recall Evolving Standards = AcmeSetup, SetupAPI’s, InstallShield, … • Option = Use the W2k Windows Installer • Derive from Platform SDK Windows Installer sample code or • Build your own from scratch using Windows Installer Documentation
PBM Dev – Installer Refs • Software defined using Microsoft Installer .MSI files is easily managed and self reparing • http://www.microsoft.com/windows/professional/technical/whitepapers/installer.asp, http://msdn.microsoft.com/winlogo/appspec.doc • Natively Author MSI • http://msdn.microsoft.com/vstudio/downloads/vsi/default.asp, http://www.microsoft.com/msj/0998/windowsinstallertop.htm, http://wwwinstallsheild.com, http://www.wisesolutions.com • Repackaging Software in MSI • equivalent to before and after snap shooting • ZAP’s only work for “published” software deployments • Veritas WinInstall LE included in platform to provide simple repackaging of software to MSI • http://www.microsoft.com/windows/server/Deploy/management/wininstall/default.asp, http://www.veritas.com
PBM Dev – Installer Refs (1) • Msdn / Platform SDK / Management Services / Setup / Windows Installer
Customer Relationship Mgmt • aka Enterprise Application Integration (EAI) • Services /Acronyms • OLTP – On Line Transaction Processor • ERP – Enterprise Resource Planning • ETL – Extraction, Transformation & Loading • DW – Data Warehouse • DM – Data Mart (vertical team DW) • OLAP – On Line Analytical Processing • CRM future according to Siebel Systems • 2.2 billion software market • 54% compounded annualized growth rate • Lucent sites that this growth will involve both software and hardware updates
CRM – Food Chain • OLTP -> ERP -> [ETL ->] DW | DM ->[ETL->] OLAP • CRM <-> OLTP | ERP | ETL | DW | DM | OLAP • CRM <-> Data Network Security & Resources • Identity is the aggregated summary of Xyz • Most often identity data in too many places • Not all identity is exposed through directory interfaces • No single place to access or manage aggregated identity Meta Directories can play the key role in creating and presenting CRM interfaces
CRM – Food Chain (1) Customer Service Representatives and Delegated Ops Front End PBM Tasks Support Calls & some CCE/PBM Tasks PBM Services Environment CRM Environment “Denormalized Access” CCE Tasks Partial 2-Way Synchronization Partial 2-Way Synchronization Customer Care Environment = Vertical Application/Database Services SLA Data . . . Billing Orders
CRM – Meta Directory Sync • Two way connectors included for sync with • Novell NDS, LDAP (i.e. Exchange 5.5, NSCP, etc.) • One way connectors included for sync with • /etc/passwd, /etc/shadow • Connectors creatable via ADSI, OLEDB, etc for sync with • SQL, Oracle, DB2, etc. or flat file databases • Exchange one way connectors for sync with • Lotus Notes, GroupWise, etc. • LDIF Directory Sync Bulk import/export tool
CRM –Meta Directory Sync (2) • Microsoft is commitment to directory interoperability • Helping customers reduce the cost and complexity of directory management • Acquired Zoomit on Wed 07Jul99 • Zoomit's technologies being integrated with Active Directory Services • ISV solutions also available i.e. IsoCor and MetaConnect
Service Partitioning Architecture - Services • Desire Highly Available and Scalable Services • SLC = Stateless Clusters • Used for services where changes need not be persisted • Requests spread out over set of nodes in cluster • Host failures usually result in rerouting of requests • Implemented using network or platform SLC solution • SFC = Stateful Clusters • Used for services where changes must be persisted • Requests are partitioned across available clusters • Host failures usually handled via fail over or some form of fault tolerant recovery • Implemented using HW or platform SFC solution
Service Partitioning Architecture - Services (1) • RFS = Reliable File Service • SSM = Service State Machine • RDMS = Relational Database Service • DS = Directory Service • AS = Autonomous System encapsulating DataCenter Network layer 3 address space
Service Partitioning Architecture - SLC • Must use “Scaling Out” for Stateless services • “Scaling Up” may eventually reach a current technology ceiling for you service requirements • “Scaling Up” has implied level of risk associated with a given node • “Scaling Out” Stateless services • Microsoft Network Load Balancing Service (NLBS) • Cisco Local Director, F5 Labs BigIP, RnD Web Service Director, Alteon AceDirector, etc. • NLBS currently supports 32 node clusters • More nodes per cluster can be achieved by linking clusters together with DNS Round Robin
Service Partitioning Architecture - SFC • Must use “Scaling Out” for Stateful services • “Scaling Up” may eventually reach a current technology ceiling for you service requirements • “Scaling Up” has implied level of risk associated with a given node “Scaling Out” Stateful services • Microsoft Cluster Service (MSCS) • Marathon Technologies, Stratus Melody, etc. • MSCS currently supports N + 1 clustering • Where N = 1 max today on AdvancedServer, N = 3 on DataCenter, N = more to follow with OEM solutions • Active/Active configuration also supported
Svc Part, Architecture - DataCenter SLC updates from outside sources at scheduled times. Additional SFC RFS, SSM & RDMS . . . . . . use DS to lookup SFC partition . . . . . . . . . SFC RFS, SSM & RDMS SLC DS SLC RFS & RDMS use DS to lookup SFC partition SLC HTTP, SMTP, POP3, IMAP4, LDAP, etc. . . . Application/services requests
Implementation – Headless Ops • Templates for jumpstart setup of Ds host roles – initial domain root, replica, child, child replica • ftp://ftp.microsoft.com/services/isn/ops/setup/$oem$w2ks.zip • Out-Of-Band hardware and software • TTY access = Compaq IRC | Phoenix Firmware | Apex Emerge RSA | … • Power control = Compaq IRC | Apc Masterswitch | … • Vt100 Terminald = Seattle Labs | Interix | … • Couple with recovery models to enable “Lights Out Operation” • Note fixed IP’s required for DC’s operating DNS service for domain
Implementation - Integration • Windows NT 4.0 hosted services plug in as Member Servers • Services see domain via downlevel domain support • Gain unlimited scaling of downlevel domains • Multidomain support within a single W2ks domain install • Easy migration from Windows NT 4.0 hosted services to Windows 2000 hosted services