Single Sign-on: Active Directory and CU Kerberos. Technical Support Provider Forum, January 19, 2005. Moe Arif, Systems Administrator, CIT Systems and Operations. Objectives: Present an overview of Active Directory and how it can be integrated with campus infrastructure
Single Sign-on: Active Directory and CU Kerberos • Technical Support Provider Forum • January 19, 2005 • Moe Arif, Systems Administrator, CIT Systems and Operations
Objectives • Present an overview of Active Directory and how it can be integrated with campus infrastructure • Discuss the costs, benefits and challenges of campus-wide deployment • Get feedback, share ideas from campus admins • Take this information back to CIT management
Agenda • Overview of Active Directory (AD) • Brief and quick list of features • Non-technical • Campus Integration • DNS • Kerberos (K5) authentication • Pros and Cons • CIT’s current infrastructure • Q & A
About the Speaker • Windows Systems Administrator • Programmer/Analyst Specialist • 4+ years at CIT • Experience • Currently manage 80+ servers • Windows 2003, 2000 (and NT) • Servers running databases, IIS, clusters, middleware • Focus • Manage server environment efficiently • Limited to controlled server environment
Active Directory: Overview • AD is a Directory service • structured repository of people and resources in an organization • Released with Windows 2000 Server • LDAP Compliant (LDAPv3 protocol) • Logical structure • Consists of objects, OUs, domains, trees, forest • Physical structure • Domain controllers, LAN/WAN and sites
Active Directory: How it works • Servers that are Domain Controllers • AD database contains the objects • Schema • Can be extended • Flexible Single Master Operation (FSMO) • Five roles (PDC Emulator, RID Master, Infrastructure Master, Schema Master, Domain Naming Master) • Global Catalog (GC) • Partial, read-only copy of every object in the forest, used for forest-wide searches
Active Directory: How it works • DNS • Heavily relies on SRV records • Dynamically updates records • Kerberos • Kerberos authentication under the hood • KDC runs on Domain Controllers • More on DNS and Kerberos later
Active Directory: Features • Group Policy • Powerful feature • Control user and computer settings • Deploy to large number of systems • Can be applied to Site, Domain and OUs • Software Deployment • Via Group Policy (GPOs) • Install, upgrade, and remove • Control over installation via GPO
Active Directory: Management • Snap-ins and tools for managing AD • MMC • Active Directory Users and Computers (ADUC), Domains and Trusts, Sites and Services • OUs to organize objects • Apply GPOs • Delegate control • Group Policy • Group Policy Management Console • gpupdate.exe utility (secedit in 2000) • gpresult.exe
Active Directory: Management • Command-line tools and other utilities • Ntdsutil, ldifde, csvde • dsadd, dsget, dsrm, dsmod • ldp.exe (GUI) • replmon, repadmin, dcdiag • Admin tools (adminpak.msi) • Resource Kit and RK Tools (free) • WMI and wmic.exe • Many, many others
Integration: DNS • DNS is a must for AD to function • Run DNS servers under Windows • DCs (and desktops) perform dynamic updates (DDNS) • BIND can be set up for DDNS • CIT no longer offering DDNS • CIT recommended method • http://www.cit.cornell.edu/computer/system/win2000/dns/ • Search “dynamic DNS” at CIT website
Integration: DNS • How to configure: • Install the DNS service on your server • On the DC, set the DNS server address to the server’s own IP address (i.e. point to itself) • Configure desktops to point to CIT’s DNS • NS records in DNSDB point to your DNS server for these zones (configured via the DNSDB web page): • _msdcs • _sites • _tcp • _udp
Integration: DNS • Net result: • AD servers happily update their records • Desktops query CUDNS for SRV records • Because of the NS delegation, those records are served by the Windows DNS servers • Register desktops with DNSDB • Network Registry requirement • Manually or by batch upload • DNS servers that are not AD-integrated keep their records in a text file • Look in %systemroot%\system32\dns
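The slides above rely on four NS delegations existing in CUDNS so that desktop SRV lookups reach the department's Windows DNS server. The following check is an added example, not part of the deck; it parses a constructed zone excerpt in the usual "owner IN TYPE rdata" text form and reports any of the four subzones that is not delegated to the expected host, plus a missing A record for that host (the host name, IP address and domain are made up).

```python
# Subzones the deck says must be delegated from CUDNS to the Windows DNS server.
REQUIRED_SUBZONES = ("_msdcs", "_sites", "_tcp", "_udp")

def parse_zone(text):
    """Parse simple 'owner [TTL] IN TYPE rdata' lines into (owner, type, rdata).
    Comments after ';' and blank lines are ignored; names are lower-cased and
    the trailing dot dropped so comparisons are case-insensitive."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        parts = line.split()
        if "IN" not in parts:
            continue
        i = parts.index("IN")
        records.append((parts[0].rstrip(".").lower(), parts[i + 1].upper(),
                        " ".join(parts[i + 2:]).rstrip(".").lower()))
    return records

def check_delegation(zone_text, ad_domain, win_dns_host):
    """Return a list of problems: each required subzone lacking an NS record
    that points at win_dns_host, and a missing A record for win_dns_host
    (resolvers cannot follow a delegation to a name they cannot resolve)."""
    records = parse_zone(zone_text)
    problems = []
    for sub in REQUIRED_SUBZONES:
        owner = f"{sub}.{ad_domain}".lower()
        if not any(o == owner and t == "NS" and r == win_dns_host.lower()
                   for o, t, r in records):
            problems.append(f"missing NS delegation: {owner} -> {win_dns_host}")
    if not any(o == win_dns_host.lower() and t == "A" for o, t, _ in records):
        problems.append(f"no A record for delegated server {win_dns_host}")
    return problems

# Constructed excerpt of what the parent zone (CUDNS) might hold; the _udp
# delegation is deliberately left out so the check has something to report.
SAMPLE_PARENT_ZONE = """\
; constructed sample, not real CUDNS data
dc1.dept.cornell.edu.      IN A  10.0.0.5
_msdcs.dept.cornell.edu.   IN NS dc1.dept.cornell.edu.
_sites.dept.cornell.edu.   IN NS dc1.dept.cornell.edu.
_tcp.dept.cornell.edu.     IN NS dc1.dept.cornell.edu.
"""

if __name__ == "__main__":
    for p in check_delegation(SAMPLE_PARENT_ZONE, "dept.cornell.edu", "dc1.dept.cornell.edu"):
        print(p)
```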
Integration: DNS • Live Demo • DNS Server config • *.dns files • IP configuration • DNSDB NS records
Integration: CIT Kerberos • AD supports cross-realm authentication to non-AD Kerberos realms • CIT K5 realm “CIT.CORNELL.EDU” • One-way trust • The K5 realm is the trusted domain • Once established, users can log in to AD domains using their NetID and Kerberos password • Result: Single Sign-on
Integration: CIT Kerberos • How to configure • AD should be installed as usual • E-mail kerberos-admin@cornell.edu • Need domain name • Password will be given to you • CIT’s current practice • Will set up one-way trust to K5 realm • Technical support may be limited • Meeting with LDAP group, more testing, security, documentation
Integration: CIT Kerberos • In Active Directory Domains and Trusts • Properties > Trusts • Domains trusted by this domain • ‘Add’ button in Win2000 • ‘New Trust’ button in Win2003 • Domain name: CIT.CORNELL.EDU • Must be uppercase • Will need password • Reboot server
Integration: CIT Kerberos • Need to create name mappings • Turn on Advanced Features in ADUC • User > Name Mappings • <netid>@CIT.CORNELL.EDU • AD account names can be any format • AD account password can be anything (but make it complex) • Install Kerberos utilities from OS CD • Part of Support Tools • <CD>:\support\tools\setup.exe
Integration: CIT Kerberos • Command prompt magic: ksetup.exe • ksetup /addkdc CIT.CORNELL.EDU kerberos.cit.cornell.edu • ksetup /addkdc CIT.CORNELL.EDU kerberos2.cit.cornell.edu • Adds Kerberos domain at logon screen • Desktops and Servers (GPO) • On-line Document • http://www.cit.cornell.edu/computer/system/win2000/kerberos/ • Search “Windows 2000 Kerberos” on CIT website
Integration: CIT Kerberos • Must create name mappings • Can be scripted • Authentication works from the domain login screen only • Issues with non-members • Drive mapping, printing etc. • Down-level clients • Some applications may have problems • What about non-Windows machines?
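The name mappings described on the two slides above can be scripted by generating an LDIF file for ldifde (listed among the command-line tools earlier in the deck). This script is an added example, not the deck's own: it assumes the ADUC Kerberos name mapping is stored as `Kerberos:<netid>@CIT.CORNELL.EDU` in the user's altSecurityIdentities attribute, and the OU path, display names and NetIDs are constructed. It enforces the uppercase realm name the deck insists on and refuses to map the same NetID to two AD accounts, since that would leave one Kerberos login able to reach either account.

```python
import re

TRUSTED_REALM = "CIT.CORNELL.EDU"   # K5 realm from the deck; the trust name must stay uppercase
# Constructed NetID pattern (assumption): 2-4 letters followed by 1-4 digits, e.g. mna1
NETID_RE = re.compile(r"^[a-z]{2,4}[0-9]{1,4}$")

def kerberos_mapping(netid, realm=TRUSTED_REALM):
    """Value stored in altSecurityIdentities for a Kerberos name mapping."""
    if realm != realm.upper():
        raise ValueError(f"realm must be uppercase: {realm}")
    if not NETID_RE.match(netid):
        raise ValueError(f"unexpected NetID: {netid!r}")
    return f"Kerberos:{netid}@{realm}"

def build_ldif(accounts, base_dn="OU=Staff,DC=dept,DC=cornell,DC=edu"):
    """accounts: iterable of (cn, netid) pairs. Returns LDIF text for 'ldifde -i'.

    A principal mapped to two AD accounts is ambiguous (one Kerberos login
    could land in either account), so duplicates are rejected up front."""
    owner_of = {}
    records = []
    for cn, netid in accounts:
        mapping = kerberos_mapping(netid)
        if mapping in owner_of:
            raise ValueError(f"{mapping} already mapped to {owner_of[mapping]}")
        owner_of[mapping] = cn
        records.append(
            f"dn: CN={cn},{base_dn}\n"
            "changetype: modify\n"
            "add: altSecurityIdentities\n"
            f"altSecurityIdentities: {mapping}\n"
            "-\n"                      # terminator ldifde expects after each change
        )
    return "\n".join(records)

# Constructed sample input: display names and NetIDs are made up.
SAMPLE_ACCOUNTS = [("Jane Doe", "jd123"), ("John Roe", "jr45")]

if __name__ == "__main__":
    print(build_ldif(SAMPLE_ACCOUNTS))
```

Save the output as mappings.ldf and import it on a DC with `ldifde -i -f mappings.ldf`; commas in a CN would need LDAP escaping before use.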
Integration: CIT Kerberos • Live Demo • Authenticate to CIT realm • Domain trust setup screen • Name mappings example • ksetup.exe
Single Sign-on: Pros and cons Advantages • Single Sign-on • Same NetID/password • Centrally managed NetIDs for AD • Future synchronization with LDAP • Add/remove NetIDs automatically • CIT managed Domain Controllers • Better reliability, fault tolerance etc. • Smaller depts. don’t have to run DCs • Work Force Planning
Single Sign-on: Pros and cons • Decentralized management • Delegation of control • Admins have full control over OUs • Domains have separate admins • Manageability • GPOs to manage large number of desktops • Software deployment or removal • RIS for new systems
Single Sign-on: Pros and cons • Usability • Powerful search capability • e.g. find plotter with special feature • Easier to setup rights across depts. • e.g. user with multiple appointments
Single Sign-on: Pros and cons Disadvantages • Central Authority • CIT is Enterprise Admin • Full control over everything • Can be blocked to prevent accidents • Blocks can be easily removed • Security • Privilege elevation vulnerabilities • Human error and misconfiguration • Malicious attack
Single Sign-on: Pros and cons • Schema • Schema extensions are forest-wide • Yikes! • Additional load on DCs, replication • Example: MS Exchange • Schema extensions are permanent • In Windows 2003, can be disabled • Some extensions may become obsolete • Example: software no longer used • So, these are bad things but …
Single Sign-on: Pros and cons • Some thoughts about disadvantages • Schema extensions aren’t that bad • Similar security risks exist in separate domain • CIT can offer good security practices • CIT as Enterprise admin • CIT runs other more critical services that are already trusted • IMHO: Overall, pros outweigh the cons
CIT’s Current Infrastructure • Empty root • Installed in 2001 • Placeholder for cornell.edu • May be populated with NetIDs if “Go” • Under cornell.edu • citstaff.cornell.edu – Internal CIT use • citlabs.cornell.edu – Public labs • Separate domain tree for CIT-managed Windows servers • Many larger organizations are already running separate domains
Costs, Benefits, Challenges • Costs: • Will need more powerful servers • Integration with LDAP • Project will need investigation • Managing an enterprise-level AD • Non-trivial task • Creating OUs, objects, rights etc. • Everyday care and feeding • Need a dedicated person (or 2 or 3)
Costs, Benefits, Challenges • Benefits: • Is it really good for Cornell? • Challenges: • Convincing important folks to approve this service • Funding • Collaboration • What about existing separate domains?
Conclusion • Active Directory is here to stay • Many schools have implemented large or campus-wide ADs • Will a campus-wide Active Directory service (besides LDAP) benefit Cornell?
Conclusion • I don’t have all the answers • What are your thoughts? • What would you like to see at Cornell? • What can I take back to CIT management? • Should we form an Active Directory focus group and decide? • Questions, comments, suggestions • e-mail: mna1@cornell.edu
Thank You • Open Discussion and Q&A