Single Sign-on: Active Directory and CU Kerberos
Technical Support Provider Forum, January 19, 2005
Moe Arif, Systems Administrator, CIT Systems and Operations

Objectives
- Present an overview of Active Directory and how it can be integrated with campus infrastructure
- Discuss the costs, benefits and challenges of campus-wide deployment
- Get feedback, share ideas from campus admins
- Take this information back to CIT management

Agenda
- Overview of Active Directory (AD): brief and quick list of features, non-technical
- Campus integration: DNS; Kerberos (K5) authentication
- Pros and cons
- CIT's current infrastructure
- Q & A

About the Speaker
- Windows Systems Administrator, Programmer/Analyst Specialist, 4+ years at CIT
- Experience: currently manage 80+ servers; Windows 2003, 2000 (and NT); servers running databases, IIS, clusters, middleware
- Focus: manage the server environment efficiently; limited to a controlled server environment

Active Directory: Overview
- AD is a directory service: a structured repository of people and resources in an organization
- Released with Windows 2000 Server
- LDAP compliant (LDAPv3 protocol)
- Logical structure: consists of objects, OUs, domains, trees, forest
- Physical structure: domain controllers, LAN/WAN and sites

Active Directory: Building Blocks

Active Directory: How it works
- Servers that are Domain Controllers: the AD database contains the objects
- Schema: can be extended
- Flexible Single Master Operation (FSMO): five roles (PDC, RID, Infrastructure, Schema Master, Domain Naming)
- Global Catalog (GC): smaller copy of AD, used for searches

Active Directory: How it works
- DNS: heavily relies on SRV records; dynamically updates records
- Kerberos: Kerberos authentication under the hood; the KDC runs on Domain Controllers
- More on DNS and Kerberos later

Active Directory: Features
- Group Policy: powerful feature; control user and computer settings; deploy to a large number of systems; can be applied to Site, Domain and OUs
- Software deployment: via Group Policy (GPOs); install, upgrade, and remove; control over installation via GPO

Active Directory: Management
- Snap-ins and tools for managing AD: MMC; ADUC, Domains and Trusts, Sites and Services
- OUs to organize objects: apply GPOs; delegate control
- Group Policy: Group Policy Management Console; gpupdate.exe utility (secedit in 2000); gpresult.exe

Active Directory: Management
- Command-line tools and other utilities: ntdsutil, ldifde, csvde; dsadd, dsget, dsrm, dsmod; ldp.exe (GUI); replmon, repadmin, dcdiag; Admin tools (adminpak.msi); Resource Kit and RK Tools (free); WMI and wmic.exe; many, many others

Integration: DNS
- DNS is a must for AD to function
- Run DNS servers under Windows
- DCs (and desktops) perform dynamic updates (DDNS)
- BIND can be set up for DDNS; CIT is no longer offering DDNS
- CIT recommended method: http://www.cit.cornell.edu/computer/system/win2000/dns/ (search "dynamic DNS" at the CIT website)

Integration: DNS (How to configure)
- Install the DNS service on your server
- On the DC, configure the DNS server addresses to be the server's own IP address (i.e. point to itself)
- Configure desktops to point to CIT's DNS
- NS pointer on DNSDB points to your DNS server for these zones (configured via the DNSDB web page): _tcp, _udp, _msdcs, _sites

Integration: DNS
- Net result: AD servers happily update records; desktops query CUDNS for SRV records; the records are served by the Windows DNS servers due to the NS pointer
- Register desktops with DNSDB: Network Registry requirement; manually or batch upload
- Non-AD-integrated DNS servers keep their records in text files: look in %systemroot%\system32\dns
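The SRV records that the configuration above delegates (the _tcp, _udp, _msdcs and _sites subzones) end up in the *.dns text files under %systemroot%\system32\dns on a non-AD-integrated Windows DNS server. As an added example, not part of the original presentation, the following Python script parses a zone file in that RFC 1035 text format and checks that the LDAP and Kerberos SRV records a domain controller registers are present and point at a known DC. The zone text, zone name and host names are constructed placeholders; the set of expected owner names is the subset the logon path needs, not every record a DC registers.

```python
"""Check the SRV records in a Windows DNS zone text file (*.dns).

Added example, not from the original presentation. The zone text below is
constructed; the host and zone names are placeholders.
"""
import re

# One SRV resource record in RFC 1035 zone-file syntax, as written to
# %systemroot%\system32\dns\<zone>.dns:  owner [ttl] [IN] SRV prio weight port target
SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$",
    re.IGNORECASE,
)

# Owner names (relative to the zone) a domain controller registers for LDAP
# and Kerberos, with the port each should advertise. A DC registers more than
# these; this is the subset the Kerberos/AD logon path needs.
EXPECTED_PORTS = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_ldap._tcp.dc._msdcs": 389,
}

# Constructed sample zone after one DC (dc1) has dynamically registered.
SAMPLE_ZONE = """\
;  Database file dept.example.edu.dns for dept.example.edu zone (constructed sample).
@                       IN  SOA dc1.dept.example.edu. hostmaster.dept.example.edu. (
                            42 900 600 86400 3600 )
@                       IN  NS  dc1.dept.example.edu.
dc1                     A   192.0.2.10
_ldap._tcp              600 SRV 0 100 389 dc1.dept.example.edu.
_kerberos._tcp          600 SRV 0 100 88  dc1.dept.example.edu.
_kerberos._udp          600 SRV 0 100 88  dc1.dept.example.edu.
_ldap._tcp.dc._msdcs    600 SRV 0 100 389 dc1.dept.example.edu.
_ldap._tcp.Default-First-Site-Name._sites  600 SRV 0 100 389 dc1.dept.example.edu.
"""


def parse_srv_records(zone_text):
    """Return {owner: [(priority, weight, port, target), ...]} for every SRV line.

    Owners and targets are lower-cased and the trailing dot is stripped so
    comparisons are case- and dot-insensitive, as DNS names are.
    """
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        match = SRV_RE.match(line)
        if not match:
            continue
        rec = (int(match["prio"]), int(match["weight"]), int(match["port"]),
               match["target"].rstrip(".").lower())
        records.setdefault(match["owner"].lower(), []).append(rec)
    return records


def check_dc_registration(zone_text, known_dcs, site="Default-First-Site-Name"):
    """Compare the zone against what a DC in the given site should have registered.

    Returns (missing, suspicious): expected owner names with no SRV record at
    all, and (owner, record) pairs whose port is not the service's port or
    whose target is not one of the known DCs. Because desktops as well as DCs
    can perform dynamic updates, a record pointing somewhere else is worth a
    look before clients are told to rely on the zone.
    """
    expected = dict(EXPECTED_PORTS)
    expected[f"_ldap._tcp.{site.lower()}._sites"] = 389
    records = parse_srv_records(zone_text)
    dcs = {d.rstrip(".").lower() for d in known_dcs}

    missing = [owner for owner in expected if owner not in records]
    suspicious = [
        (owner, rec)
        for owner, port in expected.items()
        for rec in records.get(owner, [])
        if rec[2] != port or rec[3] not in dcs
    ]
    return missing, suspicious


if __name__ == "__main__":
    missing, suspicious = check_dc_registration(SAMPLE_ZONE, ["dc1.dept.example.edu"])
    print("missing:", missing or "none")
    print("suspicious:", suspicious or "none")
```

Run it against a copy of the real zone file after the DC has registered; an empty "missing" list means desktops that follow the NS pointer will find the LDAP and Kerberos records, and anything in "suspicious" is a record the DC did not write the way it should have.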
Integration: DNS (Live Demo)
- DNS server config
- *.dns files
- IP configuration
- DNSDB NS records

Integration: CIT Kerberos
- AD supports cross-domain authentication to non-AD domains
- CIT K5 realm "CIT.CORNELL.EDU": one-way trust; the K5 domain is the trusted domain
- Once established, users can log in to AD domains using their NetID and Kerberos password
- Result: Single Sign-on

Integration: CIT Kerberos (How to configure)
- AD should be installed as usual
- E-mail kerberos-admin@cornell.edu: they need your domain name; a password will be given to you
- CIT's current practice: will set up a one-way trust to the K5 realm; technical support may be limited; meeting with the LDAP group, more testing, security, documentation

Integration: CIT Kerberos
- In Active Directory Domains and Trusts: Properties > Trusts > "Domains trusted by this domain"
- 'Add' button in Win2000; 'New Trust' button in Win2003
- Domain name: CIT.CORNELL.EDU (must be uppercase); will need the password; reboot the server

Integration: CIT Kerberos
- Need to create name mappings: turn on Advanced Features in ADUC; user name > Name Mappings > <netid>@CIT.CORNELL.EDU
- AD accounts can be any format; the AD password can be anything (complex)
- Install the Kerberos utilities from the OS CD: part of the Support Tools; <CD>:\support\tools\setup.exe

Integration: CIT Kerberos
- Command prompt magic: ksetup.exe
    ksetup /addkdc CIT.CORNELL.EDU kerberos.cit.cornell.edu
    ksetup /addkdc CIT.CORNELL.EDU kerberos2.cit.cornell.edu
- Adds the Kerberos domain at the logon screen: desktops and servers (GPO)
- On-line document: http://www.cit.cornell.edu/computer/system/win2000/kerberos/ (search "Windows 2000 Kerberos" on the CIT website)

Integration: CIT Kerberos
- Must create name mappings: can be scripted
- Authentication works from the domain login screen only
- Issues with non-members: drive mapping, printing etc.; down-level clients; some applications may have problems; what about non-Windows machines?
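The name mappings above "can be scripted": the Name Mappings dialog in ADUC stores the Kerberos name in the account's altSecurityIdentities attribute as Kerberos:<netid>@REALM, and ldifde (listed among the management tools earlier) imports that attribute in bulk from an LDIF file. The following Python script, added here and not part of the original presentation, builds such an import file from a NetID-to-DN list and refuses duplicate NetIDs or DNs, because each mapping lets that Kerberos principal log on as the mapped AD account. The CSV rows and DNs are constructed placeholders; the realm name is the one on the slides.

```python
"""Build an ldifde import file that adds Kerberos name mappings in bulk.

Added example, not from the original presentation. The NetID/DN rows are
constructed; the realm is the one named on the slides.
"""
import csv
import io

REALM = "CIT.CORNELL.EDU"          # Kerberos realm names are case-sensitive; use uppercase

# Constructed sample: one row per AD account, NetID plus the account's DN.
SAMPLE_CSV = """\
netid,dn
jd123,"CN=Jane Doe,OU=Staff,DC=dept,DC=example,DC=edu"
ab45,"CN=A. B.,OU=Staff,DC=dept,DC=example,DC=edu"
"""


def kerberos_mapping(netid, realm=REALM):
    """The altSecurityIdentities value the ADUC Name Mappings dialog writes."""
    return f"Kerberos:{netid}@{realm}"


def load_rows(csv_text):
    """Parse the CSV into a list of {'netid': ..., 'dn': ...} dicts."""
    return [{"netid": r["netid"].strip(), "dn": r["dn"].strip()}
            for r in csv.DictReader(io.StringIO(csv_text))]


def mapping_errors(rows, realm=REALM):
    """Return a list of problems; an empty list means the rows are safe to import.

    A mapping lets the Kerberos principal log on as the mapped AD account, so
    the same NetID must not be mapped to two accounts and one account must not
    receive two NetIDs.
    """
    errors = []
    if realm != realm.upper():
        errors.append(f"realm {realm!r} is not uppercase")
    seen_netids, seen_dns = set(), set()
    for row in rows:
        netid, dn = row["netid"], row["dn"]
        if not netid or "@" in netid or any(c.isspace() for c in netid):
            errors.append(f"bad NetID {netid!r}")
        if not dn.upper().startswith("CN="):
            errors.append(f"bad DN {dn!r}")
        if netid in seen_netids:
            errors.append(f"NetID {netid!r} mapped twice")
        if dn in seen_dns:
            errors.append(f"DN {dn!r} mapped twice")
        seen_netids.add(netid)
        seen_dns.add(dn)
    return errors


def build_ldif(csv_text, realm=REALM):
    """Return LDIF text for `ldifde -i -f <file>`: one modify entry per account."""
    rows = load_rows(csv_text)
    errors = mapping_errors(rows, realm)
    if errors:
        raise ValueError("; ".join(errors))
    entries = [
        f"dn: {row['dn']}\n"
        "changetype: modify\n"
        "add: altSecurityIdentities\n"
        f"altSecurityIdentities: {kerberos_mapping(row['netid'], realm)}\n"
        "-\n"
        for row in rows
    ]
    return "\n".join(entries)


if __name__ == "__main__":
    print(build_ldif(SAMPLE_CSV))
```

Save the output as a .ldf file and import it with ldifde -i -f on the DC; the same list can be re-exported later with ldifde or dsget to audit which NetIDs are mapped to which accounts, which is the record you want when a NetID is retired.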
Integration: CIT Kerberos (Live Demo)
- Authenticate to the CIT realm
- Domain trust setup screen
- Name mappings example
- ksetup.exe

Single Sign-on: Pros and cons
Advantages
- Single Sign-on: same NetID/password
- Centrally managed NetIDs for AD: future synchronization with LDAP; add/remove NetIDs automatically
- CIT managed Domain Controllers: better reliability, fault tolerance etc.; smaller depts. don't have to run DCs; work force planning

Single Sign-on: Pros and cons
- Decentralized management: delegation of control; admins have full control over their OUs; domains have separate admins
- Manageability: GPOs to manage a large number of desktops; software deployment or removal; RIS for new systems

Single Sign-on: Pros and cons
- Usability: powerful search capability (e.g. find a plotter with a special feature); easier to set up rights across depts. (e.g. a user with multiple appointments)

Single Sign-on: Pros and cons
Disadvantages
- Central authority: CIT is Enterprise Admin, with full control over everything; can be blocked to prevent accidents, but blocks can be easily removed
- Security: privilege elevation vulnerabilities; human error and misconfiguration; malicious attack

Single Sign-on: Pros and cons
- Schema: schema extensions are forest-wide (yikes!); additional load on DCs and replication (example: MS Exchange)
- Schema extensions are permanent; in Windows 2003 they can be disabled
- Some extensions may become obsolete (example: software no longer used)
- So, these are bad things but …

Single Sign-on: Pros and cons
Some thoughts about the disadvantages
- Schema extensions aren't that bad
- Similar security risks exist in a separate domain; CIT can offer good security practices
- CIT as Enterprise admin: CIT runs other, more critical services that are already trusted
- IMHO: overall, the pros outweigh the cons

CIT's Current Infrastructure
- Empty root: installed in 2001; placeholder for cornell.edu; may be populated with NetIDs if "Go"
- Under cornell.edu: citstaff.cornell.edu (internal CIT use); citlabs.cornell.edu (public labs)
- Separate domain tree for CIT managed Windows servers
- Many larger organizations already running separate domains

Costs, Benefits, Challenges
Costs:
- Will need more powerful servers
- Integration with LDAP: the project will need investigation
- Managing an enterprise-level AD: non-trivial task; creating OUs, objects, rights etc.; everyday care and feeding; need a dedicated person (or 2 or 3)

Costs, Benefits, Challenges
Benefits:
- Is it really good for Cornell?
Challenges:
- Convincing important folks to approve this service
- Funding
- Collaboration
- What about existing separate domains?

Conclusion
- Active Directory is here to stay
- Many schools have implemented large or campus-wide ADs
- Will a campus-wide Active Directory service (besides LDAP) benefit Cornell?

Conclusion
- I don't have all the answers
- What are your thoughts?
- What would you like to see at Cornell?
- What can I take back to CIT management?
- Should we form an Active Directory focus group and decide?
- Questions, comments, suggestions: e-mail mna1@cornell.edu

Thank You
Open Discussion, and Q&A