Windows 2000 and Active Directory Services at UQ - PowerPoint PPT Presentation
1
Windows 2000 and Active Directory Services at UQ
Scott Sinclair, Senior Systems Programmer, Software
Infrastructure Group, s.sinclair@its.uq.edu.au
2
Presentation Overview
  • The Players
  • The Field
  • The Rules
  • The Prizes
  • Active Directory in practice at UQ
  • Resources and references
  • Questions?

3
The Players
  • Windows 2000 Advanced Server
  • Provides Active Directory Services
  • DCPROMO
  • MIT Kerberos or equivalent (Solaris).
  • Windows 2000 Professional Clients
  • Downstream Domains
  • Sorry, but it's the future (well, maybe).

4
The Field
  • Physically
  • University Campus Network.
  • Typically high-speed switched.
  • Reliable.
  • Multiple sites/campuses.
  • Windows 2000 Professional-class desktops.
  • Politically
  • Multiple faculties, departments, colleges etc.
  • Multiple rules for resource access.
  • Existing (and rigid) structure.

5
The Rules
  • Kerberos 5 (RFC 1510)
  • extended by Microsoft (authorisation data, carried in
    the ticket's authorization-data field, is where the
    Windows-specific additions live).
  • Microsoft did not rewrite the Kerberos system;
    Microsoft filled in what had been left blank in
    the standard.
  • "You can keep your existing Kerberos investment
    in place and introduce Windows 2000
    incrementally."
  • Windows 2000 Forests and Trees
  • includes mixed mode to deal with existing NT 4
    Domains etc. (NTLM vs. Kerberos authentication).

6
The Prizes
  • Single Sign-On
  • Authentication and Authorisation
  • Centralised account management and maintenance
    (if required or wanted)
  • But not enforced on downstream domains.
  • Standardisation across campus networks.
  • Reduced administration overhead.
  • Increased (and/or enhanced) resource usage.
  • On demand software installation (MSI).
  • Microsoft's idea of LDAP, and more.

7
Active Directory in practice
8
Case Study
  • Engineering, Physical Sciences and Architecture
  • 3 Labs
  • 120 Windows 2000 Professional Clients
  • 500-1000 user accounts (potentially)
  • 23 Software Packages
  • 12 Printers
  • Shared User space

9
Previously
  • Obtain class lists for each subject code.
  • Automagically create the required accounts based on
    some unique ID: scripts, passwords, printing.
  • Create policies and resource allocation based on
    class lists and availability.
  • Print and distribute as required.
  • Wait.
  • Begin dealing with users, or leave it to support staff.

10
Sound familiar?
  • I forgot my password.
  • Why do I have two passwords?
  • Why do I have two usernames?
  • Which password do I use?
  • I can't print to printer X.
  • I can't log in.
  • I forgot my password again.
  • Authentication and Authorisation are the issues.

11
Existing UQ Infrastructure
  • Kerberos 4 central account repository.
  • myUQ Web Portal.
  • Student, Staff and External systems.
  • POP3, IMAP, FTP, Web Servers
  • Dial-in modem banks.
  • SQUID proxies.
  • PRISM.
  • Unix, Apple Macintosh and other existing labs.
  • LDAP Directory as discussed earlier.

12
Active Directory methodology
  • All accounts already stored in the Active
    Directory repository, imported from the LDAP store
    (more below).
  • Create an appropriate OU structure based on faculty,
    subject codes, etc. (similar to the NT4 procedure;
    Schema snap-in).
  • Set up local Windows 2000 Servers and Unix hosts
    for cross-realm authentication.
  • Set up local Windows 2000 Servers to authenticate
    via Kerberos to Unix K5 Servers (ksetup points a
    Windows host at the Unix KDC and maps Unix
    principals to local accounts; ktpass writes keytabs
    for Unix-hosted services mapped to AD accounts).

13
AD methodology (cont.)
  • Import user accounts from the LDAP directory.
  • LDIFDE (LDAP Data Interchange Format) imports.
  • CSVDE (comma-separated values).
  • For total control: ADSI, VB etc., or best of all,
    Perl.
  • Typically around 15 minutes for 8000 accounts.
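The "Previously" slide and the import bullets above describe the same job: take a per-subject class list, collapse it to one account per unique ID, and feed the result to LDIFDE. The script below is an added example (not UQ's own scripts) that builds such an import file; the base DN, the OU layout, the UPN suffix and the CSV columns are assumptions, and the class list is a constructed sample. The two checks a practitioner wants are here: attribute values that would split a DN (a surname containing a comma) are escaped per RFC 4514, and non-ASCII values are base64-encoded as RFC 2849 requires. Users land in one OU; each subject code becomes a global security group, because a student enrolled in two subjects cannot live in two OUs but can be a member of two groups, and groups are what share/printer ACLs and GPO filtering key on.

```python
"""Turn a class-list export into an LDIFDE import file for Active Directory.

Added example, not UQ's code. The base DN, OU layout, UPN suffix and CSV
columns are assumptions. Import the output with:  ldifde -i -k -f students.ldf
"""
import base64
import csv
import io

BASE_DN = "OU=EPSA,DC=ad,DC=uq,DC=edu,DC=au"   # assumed faculty OU under the AD domain
USER_OU = "OU=Students," + BASE_DN
GROUP_OU = "OU=Subjects," + BASE_DN
UPN_SUFFIX = "uq.edu.au"                        # assumed UPN suffix

# Constructed sample export: one row per enrolment, so a student appears
# once per subject and must be collapsed to a single account.
CLASS_LIST = """\
uid,givenName,sn,subject
s123456,Alice,O'Brien,ENGG1000
s234567,Bob,Smith,ENGG1000
s234567,Bob,Smith,PHYS1001
s345678,Zoë,"Dupont, Marie",ARCH1100
"""

RDN_SPECIAL = set('"+,;<>\\')


def escape_rdn(value):
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4).

    An unescaped comma would end the RDN early, so a surname of
    "Dupont, Marie" could otherwise create the object in the wrong place.
    """
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        if ch in RDN_SPECIAL or leading_hash or edge_space:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr, value):
    """One LDIF attribute line; base64 ('::') when RFC 2849 says the value is not SAFE."""
    safe = (value.isascii() and value == value.strip()
            and not value.startswith((":", "<")) and "\n" not in value)
    if safe:
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def ldif_entry(dn, attrs):
    """Render one 'add' record from a DN and a list of (attribute, value) pairs."""
    lines = [ldif_line("dn", dn), "changetype: add"]
    lines += [ldif_line(name, value) for name, value in attrs]
    return "\n".join(lines) + "\n\n"


def parse_class_list(text):
    """Collapse per-enrolment rows into one record per student with a set of subjects."""
    students = {}
    for row in csv.DictReader(io.StringIO(text)):
        rec = students.setdefault(
            row["uid"], {"givenName": row["givenName"], "sn": row["sn"], "subjects": set()})
        rec["subjects"].add(row["subject"])
    return students


def user_dn(uid):
    return f"CN={escape_rdn(uid)},{USER_OU}"


def build_ldif(text):
    """Users first (so group 'member' DNs resolve), then one security group per subject."""
    students = parse_class_list(text)
    out = []
    for uid, rec in sorted(students.items()):
        attrs = [
            ("objectClass", "user"),
            ("sAMAccountName", uid),
            ("userPrincipalName", f"{uid}@{UPN_SUFFIX}"),
            ("givenName", rec["givenName"]),
            ("sn", rec["sn"]),
            ("displayName", f"{rec['givenName']} {rec['sn']}"),
            # 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE. Created disabled on purpose:
            # a password cannot be set through plain ldifde (unicodePwd needs an
            # encrypted LDAP session), so enable only after the password is set.
            ("userAccountControl", "514"),
        ]
        out.append(ldif_entry(user_dn(uid), attrs))
    groups = {}
    for uid, rec in students.items():
        for subject in rec["subjects"]:
            groups.setdefault(subject, []).append(user_dn(uid))
    for subject, members in sorted(groups.items()):
        attrs = [("objectClass", "group"), ("sAMAccountName", subject),
                 ("groupType", "-2147483646")]   # global security group
        attrs += [("member", dn) for dn in sorted(members)]
        out.append(ldif_entry(f"CN={escape_rdn(subject)},{GROUP_OU}", attrs))
    return "".join(out)


if __name__ == "__main__":
    print(build_ldif(CLASS_LIST), end="")
```

The `-k` switch on ldifde ignores "object already exists" errors, which is what you want when the class list is re-run each semester; everything else (a malformed DN, an unknown attribute) still aborts the import so it can be inspected rather than half-applied.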

14
AD methodology (cont.)
  • After imports completed
  • Allocate resources based on OUs, GPOs etc.
  • Assign permissions to resources.
  • Test and re-test.
  • Hope and pray.

15
Results
  • Problems with the password salt.
  • Windows 2000 Active Directory doesn't like
    dealing with Kerberos 4 Unix implementations.
  • Works perfectly provided you use Kerberos 5!
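The salt problem above is structural, not a bug in either product. Kerberos 4 derived the DES key from the password alone; Kerberos 5 (RFC 1510, later RFC 3961) salts the password with the realm name followed by the principal's name components, so the same password gives a different key for every principal and in every realm, and a key lifted from a Kerberos 4 database can never equal the key a Kerberos 5 KDC expects. The same rule is what makes the cross-realm setup work: the `krbtgt/WINREALM@UNIXREALM` principal is entered on both KDCs with the same name and the same password, so both derive the same key. The script below is an added example (not UQ's code or any KDC's): `parse_principal` and `default_salt` implement the RFC 3961 default-salt rule exactly; the string-to-key functions use PBKDF2-HMAC-SHA1 as a stand-in for the real per-enctype algorithms (the DES string-to-key is different, but salted the same way), and the principal names and passwords are constructed examples.

```python
"""Why a Kerberos 4 password store cannot be fed to a Kerberos 5 KDC.

Added example, not UQ's code. parse_principal/default_salt follow the
RFC 3961 default salt rule; the two *_string_to_key functions are
PBKDF2-HMAC-SHA1 stand-ins for the real per-enctype algorithms.
"""
import hashlib


def parse_principal(text):
    """Split 'comp1/comp2@REALM' into (components, realm), honouring backslash escapes."""
    comps, cur, in_realm = [], [], False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):       # escaped '/', '@' or '\'
            cur.append(text[i + 1])
            i += 2
            continue
        if not in_realm and ch == "/":
            comps.append("".join(cur))
            cur = []
        elif not in_realm and ch == "@":
            comps.append("".join(cur))
            cur = []
            in_realm = True
        else:
            cur.append(ch)
        i += 1
    if not in_realm:
        raise ValueError("principal has no realm: %r" % text)
    return comps, "".join(cur)


def default_salt(principal):
    """RFC 3961 default salt: the realm, then every name component, no separators."""
    comps, realm = parse_principal(principal)
    return realm + "".join(comps)


def k5_string_to_key(password, principal, iterations=4096):
    """Kerberos 5 style: password + default salt -> key (PBKDF2 stand-in, 16-byte key)."""
    salt = default_salt(principal).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, 16)


def k4_string_to_key(password, iterations=4096):
    """Kerberos 4 style: the password alone determines the key, no salt (stand-in)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), b"", iterations, 16)


def cross_realm_keys_match(unix_realm, win_realm, unix_side_password, win_side_password):
    """Both KDCs derive the key for krbtgt/WIN@UNIX independently from what the
    administrator typed; they agree only if the principal string and password
    agree byte for byte (realm names are case-sensitive)."""
    principal = f"krbtgt/{win_realm}@{unix_realm}"
    return k5_string_to_key(unix_side_password, principal) == \
        k5_string_to_key(win_side_password, principal)


if __name__ == "__main__":
    user = "s123456"
    pw = "correct horse"                       # constructed example password
    print("K4 key        :", k4_string_to_key(pw).hex())
    print("K5 UQ.EDU.AU  :", k5_string_to_key(pw, f"{user}@UQ.EDU.AU").hex())
    print("K5 AD realm   :", k5_string_to_key(pw, f"{user}@AD.UQ.EDU.AU").hex())
    print("trust keys match:", cross_realm_keys_match("UQ.EDU.AU", "AD.UQ.EDU.AU", pw, pw))
```

The practical consequence is the one the next slide draws: there is no conversion path from the Kerberos 4 database, so each user must set a Kerberos 5 password (or the plaintext must be captured at a password change) before the Windows 2000 side can authenticate them.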

16
The future implementation
  • Upgrade to Kerberos 5 password change.
  • Improved functionality of the Kerberos protocol.
  • Windows 2000 Active Directory enabled campus.
  • Single Sign On.
  • All the other benefits mentioned earlier.

17
Resources
  • Step-by-Step Guide to Kerberos 5 (krb5 1.0)
    Interoperability
  • http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
  • Active Directory Services for Windows 2000
    Technical Reference (ISBN 0-7356-0624-2).
  • Microsoft Curriculum
  • 2154A Implementing and Administering Microsoft
    Windows 2000 Directory Services.
  • 1561B - Designing a Microsoft Windows 2000
    Directory Services Infrastructure