Windows 2000
Ian Blyth, Senior System Engineer, Microsoft Ltd



Agenda
• Overview
• Active Directory
• Interoperability with Unix and DNS
• Security

Windows 2000 Professional
Mainstream business desktop. Full featured:
• Easiest Windows Yet!
• Industrial Strength Reliability
• Standards-based Security
• State-of-the-art mobile support
• Plug and Play, USB, IR, Hot Docking
• Higher performance
• Increased Manageability
Lowest TCO Desktop System

Windows 2000 Server
Mainstream Business Server. Full featured:
• Active Directory
• Windows Management Tools
• Kerberos and PKI Security
• Windows Terminal Support
• COM+
• Enhanced Internet Services
• Up to 4-way SMP

Windows 2000 Advanced Server
Powerful Mid-range Solution. Full featured:
• Windows 2000 Server Features
• TCP/IP Load Balancing
• Enhanced MSCS Clustering
• Up to 8 GB Main Memory
• Up to 8-way SMP

Windows 2000 Datacenter Server
Highest Performance. Full Featured:
• All Windows 2000 Advanced Server Features
• Up to 16-way SMP
• Up to 64 GB Main Memory
• 4 node clustering
• Optimized for: OLTP, Data Warehousing, Technical Computing and Modeling
• Tested for the Data Center

Active Directory: Directory and Security
(Active Directory, Windows 2000 Server)

What is Active Directory?
Active Directory is an integral part of Windows 2000 Server that delivers essential network operating system services:
• Focal point for management of network elements (users, applications, devices, etc.)
• Trusted repository of security data for authentication and authorization
• Open platform for application development and integration with other systems

Data Store
Start with the data store:
• Evolved from Exchange DS
• Indexed storage technology
• Supports well over 1 Million objects (tested with much more!)
• Extensible schema
• Integrated security
Add An Object Model:
• Native LDAP support

Data Store
Replicate for availability:
• Highly optimized replication
• Multi-master
• Per attribute
• Loosely consistent
(Diagram: replicas of msn.com and microsoft.com)
Add more domains:
• Link domains into trees: Kerberos transitive trusts
• Or into forests: Fast lookup via Global Catalog Service
(Legend: = Global Catalog Replica)

Global Data Availability
Active Directory Catalogs:
• Are replicated within a forest
• Use the same replication and storage mechanisms as domain replicas
• Each catalog holds selectable attributes from all objects in the forest
• Enables efficient cross-domain data sharing

(Diagram: Windows 2000 Forest containing the tree acme.com with child domains asia.acme.com and europe.acme.com, plus the separate tree xyx.com)

Combining DNS and LDAP
(Diagram: a Domain Name System Server holds the table xyz.com = 192.23.14.5, rose.com = 194.49.94.2, tulip.com = 10.91.77.6, ...; an AD Client first does "1) Find xyz.com" against DNS, receives 192.23.14.5, then does "2) Access directory data" against the LDAP Server at that address.)

Hook to the Internet
• Takes advantage of Internet naming
• DNS = namespace root
• Global namespace = DNS + LDAP

(Diagram: DNS tree with com at the root and the subdomains bizpart and microsoft beneath it. Domain microsoft.com contains the OU Windows NT, which contains the OUs dsys and students; dsys holds the users sarahj and thorj, students holds Vera Kark and MargretJ. Domain bizpart.com is shown alongside.)
The resulting distinguished name of one user: CN=Sarahj,OU=dsys,OU=Windows NT,DC=microsoft,DC=com

Available Replication Topologies
• Intra-Site Replication: AD replication between DCs within a Site
• Intersite Replication: AD replication between Sites
• A Site is an area of fast connectivity

Example Domains and Sites
(Diagram: domains ROOT and CHILD; domain controllers ROOT-DC1, ROOT-DC2, ROOT-DC3 and CHILD-DC1; sites Aberdeen, London and Manchester.)

Predictability Of Intra-Site Replication
(Chart: Replication Bytes, 0 to 25,000,000, against # of Objects, 0 to 6000, with one series each for Users, Global Groups, Universal Groups and Volumes.)

Intra-Site And Inter-Site Replication Bytes Comparison
(Chart: Replication Bytes, 0 to 4,500,000, against # of Objects, 0 to 1000, comparing the series Users (Inter-Site) and Users (Intra-Site).)

Simplifies Management
Active Directory organizes users and network resources hierarchically to simplify management.
(Diagram: Root with containers Users, Machines and Applications; Users contains Marketing and Personnel; Machines contains Devices. Callouts: "Give ‘Personnel’ Members the HR Application", "Color Printer in Building 6", "Delegate Management Tasks to Office Admins".)

Strengthens Security
Active Directory provides Internet-ready security services to protect data while facilitating access.
(Diagram: Root with containers Users, Machines and Applications; Users contains Marketing and Extranet; Machines contains Devices. Callouts: "Restrict Access Rights of Extranet Users"; credentials shown are Kerberos, X.509, Smart Card and PKI Certificates.)

Extends Interoperability
Active Directory provides a platform for integrating and extending systems through open interfaces, connectors and synchronization mechanisms.
(Diagram: Root with containers Users, Machines and Applications; Users contains Finance and Personnel; Machines contains Devices. Callouts: "Policy: Give Personnel access to ‘Change Salary’ Menu Options", "Policy: Give Finance more bandwidth at the end of the month", "Application: Exchange mailbox information".)

Directory Enabled Apps
Infrastructure by Active Directory:
• Extend schema and UI
• Program via ADSI/ADO
• Publish service binding information
• Configure via Group Policy
• Just In Time application download
• Change notification

Windows 2000 Active Directory
(Diagram: Active Directory at the centre, a Focal Point for Manageability, Security and Interoperability, connected to:)
• Windows Users: Account info, Privileges, Profiles, Policy
• Windows Clients: Mgmt profile, Network info, Policy
• Windows Servers: Mgmt profile, Network info, Services, Printers, File shares, Policy
• Applications: Server config, Single Sign-On, App-specific directory info, Policy
• Network Devices: Configuration, QoS policy, Security policy
• Internet
• Firewall Services: Configuration, Security Policy, VPN policy
• Other Directories: White pages, E-Commerce
• Other NOS: User registry, Security, Policy
• E-Mail Servers: Mailbox info, Address book
Active Directory provides a focal point for management, security and interoperability.

Windows 2000 Interoperability

Microsoft’s Interoperability Strategy
• Make the Windows Platform work well with existing systems
• Simplify access to data and applications on existing systems
• Develop solutions based on standards
(Areas: Network, Data, Applications, Management)

Why Microsoft Cares About Interoperability
• Customers have told us that they will continue to have mixed environments
• Significant investment in existing data & applications
• Interoperability is a key requirement

Designed to Integrate With Existing Systems
• Built on latest internet standards: LDAP, TCP/IP, DHCP & DNS, SSL, HTTP, DEN
• Existing Applications: Full support for Microsoft Exchange Server, Microsoft SQL Server, BackOffice Logo’d apps
• Existing Operating Systems:
  Windows NT 3.5x and 4.0
  Down-level client support for Win 3.x, Win 9x
  Apple Macintosh and AppleTalk
  NetWare: NDS synchronization; Print/file services
  UNIX: NFS services, telnet, scripting and security
  S/390 and OS/400: Transaction & Queuing gateway

Terminal Services (Thin Client)
• Fully integrated with Windows 2000 Server Family (add/remove service)
• Two operating modes: Remote Administration; Application Serving
• Launch an application or desktop
• Leverages Multilingual server capability
• RDP feature and performance enhancements
• Remote Control

Customer Interoperability Requests
• Leverage Existing Network Resources
• Leverage Existing UNIX Knowledge
• Simplify Network Administration
• Simplify Account Management

Microsoft Windows Services for UNIX 2.0
• Leverage Existing Network Resources: NFS Client, Server, Gateway
• Leverage Existing UNIX Knowledge: Korn Shell, UNIX Utilities
• Simplify Network Administration: Telnet Client, Server, PERL, Windows Technology
• Simplify Account Management: NIS Migration Wizard, Server, Password Synch

Leverage Existing Network Resources
(Diagram: Windows Services for UNIX linking a Windows NT Server, a NetWare Server and a UNIX Server to UNIX clients and Windows Clients; axis labels Network, Management, Applications, Data, UNIX.)

Leverage Existing UNIX Knowledge
• Services for UNIX 2.0: Telnet Client and Server; Scripting: PERL and Shell; Command line
• Windows 2000: Windows Installer; Windows Scripting Host; Windows Management Instrumentation; Microsoft Management Console
(Diagram axis labels: Applications, Data, Management, Network, UNIX)

Simplify Network Administration

Simplify Account Management
• Services for UNIX 2.0: NIS Migration Wizard; Server for NIS; Password Synch
• Windows 2000: Active Directory
• Supported Unix: V1: Solaris, HP-UX and DEC/Tru; V2: Linux, AIX and SGI Unix
(Diagram axis labels: Applications, Data, Management, Network, UNIX)

Directories and the Internet
Active Directory:
• Uses DNS as the ‘top level’ locator service
• Object names fully describe their location
• Dynamic DNS
(Diagram: the Internet with the domains C1.com through C6.com, each located through DNS.)

DNS And Active Directory
• SRV Records to locate services (req’d.)
• DDNS for Dynamic Update (desired)
Windows® 2000 DNS also provides:
• Incremental Zone Transfer
• Active Directory Integrated: Single replication topology; Multi-master replication; Secure Dynamic update
Tip: BIND 8.1.2 or higher is sufficient to use with AD
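How a client goes from an Active Directory object name to the DNS lookup shown in the "Combining DNS and LDAP" slide (1: find the domain in DNS, 2: access directory data over LDAP), and why the SRV records above are required, as an added Python example (not code from the slides or from Microsoft). The DN and the A-record values are the slides' own; the `_ldap._tcp.<domain>` SRV name is the standard AD domain-controller locator record, while the in-memory resolver table and the dc1.microsoft.com address are constructed stand-ins so the example runs offline.

```python
import re

# Split an LDAP distinguished name into (type, value) RDN pairs.
# Handles "\," escapes so a value like "Smith\, John" is not split.
def parse_dn(dn):
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.partition('=')
        rdns.append((attr.strip().upper(), value.replace('\\,', ',').strip()))
    return rdns

# "Object names fully describe their location": the DC= components of a
# DN, in order, are the DNS domain name.
# CN=Sarahj,OU=dsys,OU=Windows NT,DC=microsoft,DC=com -> microsoft.com
def dn_to_dns_domain(dn):
    labels = [v for (t, v) in parse_dn(dn) if t == 'DC']
    if not labels:
        raise ValueError('DN has no DC components: %r' % dn)
    return '.'.join(labels)

# SRV record name a client queries to locate a domain's service:
# _<service>._<proto>.<domain>  (e.g. _ldap._tcp.microsoft.com)
def srv_name(service, proto, domain):
    return '_%s._%s.%s' % (service, proto, domain)

# Constructed stand-in for the DNS server in the slide. A real client
# would query DNS (dns.resolver or socket.getaddrinfo) instead.
FAKE_DNS = {
    'A': {'xyz.com': '192.23.14.5',
          'rose.com': '194.49.94.2',
          'tulip.com': '10.91.77.6',
          'dc1.microsoft.com': '10.0.0.5'},   # constructed DC address
    # (priority, weight, port, target)
    'SRV': {'_ldap._tcp.microsoft.com': [(0, 100, 389, 'dc1.microsoft.com')]},
}

# Step 1 of the slide: find the domain's LDAP server. Returns (host, ip, port).
def locate_ldap_server(dn):
    domain = dn_to_dns_domain(dn)
    records = FAKE_DNS['SRV'].get(srv_name('ldap', 'tcp', domain))
    if not records:
        # Fall back to the slide's simpler picture: an A record for the domain.
        ip = FAKE_DNS['A'].get(domain)
        if ip is None:
            raise LookupError('no DNS data for %s' % domain)
        return (domain, ip, 389)
    # Lowest priority first, then highest weight (RFC 2782 ordering).
    prio, weight, port, host = sorted(records, key=lambda r: (r[0], -r[1]))[0]
    return (host, FAKE_DNS['A'][host], port)

if __name__ == '__main__':
    dn = 'CN=Sarahj,OU=dsys,OU=Windows NT,DC=microsoft,DC=com'
    print(dn_to_dns_domain(dn), locate_ldap_server(dn))
```

Step 2 (binding to the returned host and port over LDAP) is left to the directory client; the point here is that the SRV record, not the domain's A record, is what carries the port and the server to talk to.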

DNS Implementations
• No existing DNS infrastructure: Deploy Microsoft DNS
• Existing DNS meets requirements
• Existing DNS not adequate:
  Choice 1: Update Server
  Choice 2: Migrate to Microsoft DNS
  Choice 3: Delegate a subdomain to Microsoft DNS

Windows® 2000 Security
Security Features:
• Kerberos v5 (RFC 1510)
• Smart Card
• PPTP, L2TP and IPSec
• PKI X.509
• SSL 3.0
• Security Configuration Manager
• Auditing
• 128 bit encryption
• Radius support
• Encrypted File System

Integrate Security with AD: Account Management
• OUs for delegation and policy
• Groups for access control
• Per property access setting
(Diagram: DC=streetmarket,DC=com containing OU=Mftg, OU=Marketing, OU=Engineering, OU=Printers, OU=Groups and OU=Users; callout on a user: "Feel free to modify your telephone #".)

Integrate Security: Public Key
• Integrated management
• Certificate services
• Certificate mapping
• Smart card logon
• Code signing
• Secure applications
(Diagram: a smart card (SC Cert) in a Reader authenticates to Windows 2000 via Kerberos, Smart Card and X.509/PKI Certificates; Active Directory handles Authentication and Authorization, and the File System is protected with the same X.509 credentials.)

Blending Intranets & Extranets
Active Directory:
• Supports Intranet & Extranet authentication
• One authorization model
(Diagram: Users, Applications, Clients, Servers and Network Devices all authorized through Active Directory.)

Directory Services: Active Directory is the Best Long-Term Directory
• Scalable without complexity
• Standards-based
• Flexible security model
• Facilitates directory consolidation
• Broad Industry Support: Baan, Cisco, SAP AG