Windows 2000 Klara Jelinkova Tom Jordan Steve Tanner

Major Goals For Windows 2000
- Distributed computing
- Address the TCO issue:
  - Zero Administration for Windows (ZAW)
  - MMC
  - IntelliMirror™
  - Client-side caching
- Support the right standards:
  - TCP/IP
  - DNS
  - "Kerberos"
  - HTML
  - LDAP

Presentation Goals
- Windows 2000 overview
- Where to go from here
- How can DoIT help you
  - Help Desk and I&R
  - Active Directory forum

Hardware Support
- Plug-and-play
- Power management
- WDM driver model (with signed drivers)
- Broad device support (e.g., DVD, scanners)

Storage Management
- File system
  - Disk quotas
  - Real-time property and content indexing
- Media management
  - Dynamic disks
  - Spanned volume (not fault tolerant)
  - Mirrored volumes (fault tolerant)
  - Striped volume (not fault tolerant)
  - RAID 5

World Ready
- Multilingual user interface
- Same code runs anywhere
- Simultaneous support of multiple languages
- Single worldwide API

Application Installer
- Current problems
  - Shared DLL version conflicts
  - Per-user and per-machine state is confused
  - Uninstall frequently fails
- New Setup
  - New install service as part of the base OS
  - Shared components only in service packs
  - Much stricter Windows logo program
- Developer prepares the application as an "MSI package"

Application problems
- PeopleSoft not supported
- ODBC problems with machines upgraded from Windows 9.x
- WiscWorld 3.5b supported
- NAI NetShield not supported
- Speed Disk unsupported
- Minor glitches in MeetingMaker, pcAnywhere and other apps

Addressing TCO
- Common management interface (MMC)
  - "Snap in" custom tools
- IntelliMirror
- Policy management
- Systems Management Server

Microsoft Management Console
- Standardized interface to all admin tools
- MMC services are termed "snap-ins"

IntelliMirror
- Roaming user support
- A suite of technologies to reduce TCO. IntelliMirror provides for redundant copies of data to be stored on both the client and the server.

Diagram: a network server holding data, applications and policy, and a desktop client holding a client-side cache of them.

ZAW And Microsoft Systems Management Server

Table comparing which features are delivered by Windows 2000 and which by SMS. Features compared:
- Desktop locking
- Roaming user
- Disk quotas
- Client caching
- Remote boot
- Basic software distribution
- Advanced software distribution
- 16-bit client support
- Hardware and software inventory
- Centralized diagnostics/troubleshooting
- Software metering
- Network tracing/monitoring

Preparing For Windows 2000
- Planning is key
  - Take a long-term view
  - Expect it to take longer than you'd like
  - Politics
  - A chance to correct things
- Remember the ability to delegate administrative authority
  - Windows NT resource domains should go away
- Familiarize yourself with TCP/IP terminology
- Upgrade matrix is more complete
  - Most Windows versions can be upgraded

What's A Directory?
- A database that stores attribute/value pairs for every object you might want to know about
  - Users (name, phone number, ...)
  - Devices (printer capabilities, ...)
  - Programs (published interfaces)
  - Etc.
- You can query it in a variety of ways
  - Standard UI methods
  - Custom code
  - Etc.
- The database schema can be extended

What's In The Active Directory, And How Does The System Utilize It?
- People's phone numbers, certificates
  - (Secure) e-mail
- Account information
  - Single login, secure Web access
- Profile and configuration information
  - ZAW
- Components' identifying information
  - Class store
- Service and device information
  - Network use of the directory

Active Directory: Beyond The Traditional Directory Service

Diagram of the directory at the centre of the network: DNS; a browser reaching it over HTTP/LDAP; Exchange using it for recipient lookup and referrals; a mail client using it as an address book; SQL Server registering its service in it; clients querying it to find a printer; and the directory itself providing storage, replication, security and credential management.

Active Directory

Architecture diagram, top to bottom: access protocols (LDAP, REPL, MAPI, other...) → directory system agent → DB layer → extensible storage engine → store.
- Open to multiple access protocols
- It's a real database
- Every object is protected (ACL)
- Schema is stored in the directory
- Schema is extensible
  - You can define new object types and additional attributes

Windows 2000 Domains
- In Windows NT 5.0 a server is either a domain controller or a member server
  - Primary and backup DCs (Windows NT 4.0) go away
  - Domain controllers have a replica of the directory database; member servers don't
  - Can have multiple DCs within a domain
    - Automatic replication for efficiency, security, availability
- Domain controllers can host the Global Catalog
  - Enterprise-wide directory containing common attributes
  - Knows how to get to other DCs

To Be Clear About NetBIOS
- TCP/IP is the default Windows 2000 protocol
- NetBIOS/WINS fully supported in Windows 2000
  - In fact there are several enhancements
- Provides support for down-level systems
- Once the enterprise upgrade to Windows 2000 is complete, DNS takes over and the WINS servers can be retired

The Domain Name System

DNS Root
  com
    microsoft.com
    acme.com
      usa.acme.com
      southamerica.acme.com
  edu
    purdue.edu
    mit.edu
  uk
    acme.co.uk

Windows NT 5.0 Domains
- Map closely to DNS domains
- An Organizational Unit (OU) allows grouping within a domain
  - May contain other OUs, machines, users, ...
  - Administration privilege can be delegated on a per-OU basis
- Some terminology and concepts derived from X.500

Active Directory Namespace
- Domains
  - DNS used as the name location service
  - Organized in a true hierarchy
  - Domain controllers are local to a domain
  - Directory automatically fully replicated
  - DCs know how to get to other DCs in the tree
- Forests
  - A collection of domain trees
  - Relationships explicitly established
- Global Catalog
  - Can span the forest

Dynamic DNS
- Allows machines joining the network to register their name and IP address automatically
- Currently an IETF proposed standard
  - RFC 2136 and 2137
- Windows 2000 will support this
  - Interoperable with other implementations
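The registration the slide describes is an RFC 2136 UPDATE message. As an added example (not Windows 2000 code), the Python below builds the message a host would send to replace its own A record, and parses it back into its zone, prerequisite and update sections with the RFC 2136 section-2.5 semantics spelled out. The zone name, host name and address are constructed.

```python
import struct

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_ANY = 1, 6, 255
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255

def encode_name(name):
    """Owner name -> wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(buf, off):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off

def rr(name, rtype, rclass, ttl, rdata=b""):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_update(zone, host, ipv4, ttl=1200, msg_id=0x1234, require_absent=False):
    """UPDATE that replaces the A RRset of `host` in `zone` with a single address."""
    octets = [int(o) for o in ipv4.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ipv4!r}")
    prereqs = []
    if require_absent:   # RFC 2136 s2.4.5 "name is not in use": class NONE, type ANY, ttl 0
        prereqs.append(rr(host, TYPE_ANY, CLASS_NONE, 0))
    updates = [
        rr(host, TYPE_A, CLASS_ANY, 0),                     # s2.5.2: delete the whole A RRset
        rr(host, TYPE_A, CLASS_IN, ttl, bytes(octets)),     # s2.5.1: add the new A record
    ]
    # Header: ID, flags (QR=0, opcode 5), ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, len(prereqs), len(updates), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + b"".join(prereqs) + b"".join(updates)

def parse_update(buf):
    msg_id, flags, zo, pr, up, ad = struct.unpack_from("!HHHHHH", buf, 0)
    if (flags >> 11) & 0xF != OPCODE_UPDATE or zo != 1:
        raise ValueError("not a well-formed UPDATE request")
    off = 12
    zname, off = decode_name(buf, off)
    ztype, zclass = struct.unpack_from("!HH", buf, off)
    off += 4
    msg = {"id": msg_id, "zone": (zname, ztype, zclass), "prereq": [], "update": [], "additional": []}
    for key, count in (("prereq", pr), ("update", up), ("additional", ad)):
        for _ in range(count):
            name, off = decode_name(buf, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
            off += 10
            msg[key].append((name, rtype, rclass, ttl, buf[off:off + rdlen]))
            off += rdlen
    if off != len(buf):
        raise ValueError("trailing bytes after last section")
    return msg

def describe(update_rr):
    """RFC 2136 s2.5 meaning of one update-section RR."""
    name, rtype, rclass, ttl, rdata = update_rr
    if rclass == CLASS_ANY and rtype == TYPE_ANY:
        return f"delete all RRsets at {name}"
    if rclass == CLASS_ANY:
        return f"delete RRset type {rtype} at {name}"
    if rclass == CLASS_NONE:
        return f"delete one RR of type {rtype} at {name}"
    value = ".".join(str(b) for b in rdata) if rtype == TYPE_A else rdata.hex()
    return f"add type {rtype} RR {value} at {name} (ttl {ttl})"

if __name__ == "__main__":
    pkt = build_update("example.edu", "ws42.example.edu", "10.1.2.3")
    for entry in parse_update(pkt)["update"]:
        print(describe(entry))
```

Nothing in this message authenticates the sender: a server that accepts it from any host lets any host on the network rewrite any name in the zone. That is the gap the slide's second reference, RFC 2137 (Secure DNS Dynamic Update), addresses, and it is why a practitioner should only enable dynamic update on a zone together with secure update (Windows 2000's secure update is GSS-based) or an equivalent signed-update mechanism.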

Distributed File System
- DFS provides location independence
  - You need only know how to name the file
  - Server names and shares are irrelevant
- A standard feature of Windows 2000
  - Also supported in Windows NT 4.0, Windows 95/98
- Similarities to existing UNIX solutions
  - Terminology is different (naturally!)

Distributed File System

Diagram of a DFS root and volume:
- Single drive mapping
- User unaware of physical location
- Administrative flexibility
- Junction (reparse point)
- Access to a file: \\volume\folder1\...\folder3a\file.txt

Windows 2000 Security
- Single enterprise logon
- Integrated with Active Directory
- Delegated administration and scalability for large domains
- Strong network authentication protocols
- Standard protocols
  - "Kerberos" is the default

Integrated Security Scenarios

Diagram: the scenarios single sign-on, private communications, secure operations, secure desktop and safety are built on an authentication protocol base of private key (Kerberos), public key (X.509) and Windows NT 4.0 authentication, using Authenticode, driver signing, SSL, IPSEC, RPC/DCOM, Crypto API, the Encrypting File System and more auditing.

Multiple Authentication Services

Diagram: applications call the SSPI (Security Support Provider Interface), which dispatches to the installed security packages.
- Applications and their protocols:
  - Remote file: CIFS/SMB
  - Internet Explorer, Internet Information Server: HTTP
  - DCOM application: Secure RPC
  - Directory-enabled apps using ADSI: LDAP
  - Mail, Chat, News: POP3, NNTP
- Security packages behind SSPI:
  - NTLM: MSV1_0 / SAM
  - Kerberos: KDC / DS
  - SChannel: SSL/TLS
  - DPA: Membership services

Kerberos Advantages
- Faster
  - Server scalability for high-volume connections
  - Reuse session tickets from cache
- Mutual authentication of both client and server
- Delegation of authentication
  - Impersonation in three-tier client/server architectures
- Transitive trust between domains
  - Simplifies interdomain trust management
- Mature IETF standard for interoperability
  - Multi-vendor support
  - Compliant with MIT Kerberos v5 release
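Three of these bullets (ticket reuse from the cache, mutual authentication, and the "Kerberos is the default" point from the security slide) are easiest to see in an actual exchange. The Python below is an added model of the Kerberos service-ticket and AP exchange; it is not code from the presentation, from Windows 2000 or from MIT Kerberos. The `seal`/`unseal` helper is an HMAC-SHA256 encrypt-then-MAC stand-in for a Kerberos encryption type, the KDC exchange is collapsed to a single ticket request sealed under the client's key, and the principal names, keys and timestamps are constructed.

```python
import hashlib, hmac, json, os

def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode, used as the keystream of the toy cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object (stand-in for an RFC 3961 enctype)."""
    ek, mk = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(ek, nonce, len(pt))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    ek, mk = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct)))))

class KDC:
    def __init__(self, keys):            # long-term keys of every principal in the realm
        self.keys, self.requests = keys, 0
    def ticket_request(self, client, service, now, lifetime=8 * 3600):
        """Issue a service ticket; the reply is sealed under the client's long-term key."""
        self.requests += 1
        session_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": client, "key": session_key, "expires": now + lifetime})
        return seal(self.keys[client], {"service": service, "key": session_key,
                                        "expires": now + lifetime, "ticket": ticket.hex()})

class Server:
    def __init__(self, name, key, skew=300):
        self.name, self.key, self.skew, self.seen = name, key, skew, set()
    def ap_req(self, ticket, authenticator, now):
        t = unseal(self.key, ticket)                 # only the real service holds this key
        if now > t["expires"]:
            raise ValueError("ticket expired")
        sk = bytes.fromhex(t["key"])
        a = unseal(sk, authenticator)                # client proves it knows the session key
        if a["client"] != t["client"] or abs(a["time"] - now) > self.skew:
            raise ValueError("authenticator does not match ticket, or clock skew too large")
        if (a["client"], a["time"]) in self.seen:    # replay cache for the skew window
            raise ValueError("replayed authenticator")
        self.seen.add((a["client"], a["time"]))
        # AP-REP: echoing the client's timestamp under the session key proves the server
        # could open the ticket, i.e. holds the service key -> mutual authentication
        return t["client"], seal(sk, {"time": a["time"]})

class Client:
    def __init__(self, name, key, kdc):
        self.name, self.key, self.kdc, self.cache = name, key, kdc, {}
    def _ticket(self, service, now):
        c = self.cache.get(service)
        if c is None or now >= c["expires"]:         # cache miss: one KDC round trip
            c = unseal(self.key, self.kdc.ticket_request(self.name, service, now))
            self.cache[service] = c
        return bytes.fromhex(c["ticket"]), bytes.fromhex(c["key"])
    def authenticate(self, server, now):
        """Real authenticators also carry microseconds; here callers pass distinct times."""
        ticket, sk = self._ticket(server.name, now)
        authenticator = seal(sk, {"client": self.name, "time": now})
        who, ap_rep = server.ap_req(ticket, authenticator, now)
        if unseal(sk, ap_rep)["time"] != now:        # client verifies the server's reply
            raise ValueError("server failed mutual authentication")
        return who

if __name__ == "__main__":
    keys = {"alice": b"a" * 32, "cifs/fs1": b"s" * 32}   # constructed long-term keys
    kdc, now = KDC(keys), 1_000_000
    fs1, alice = Server("cifs/fs1", keys["cifs/fs1"]), Client("alice", keys["alice"], kdc)
    for i in range(3):
        print(alice.authenticate(fs1, now + i), "authenticated; KDC requests so far:", kdc.requests)
```

The first call goes to the KDC; the next two reuse the cached ticket, which is the "reuse session tickets from cache" point, and the KDC request counter stays at one until the ticket expires. A host that does not hold the service key cannot open the ticket and therefore cannot produce the AP-REP, so the client rejects it, which is what mutual authentication buys over a one-way challenge. The replay cache rejects a re-sent authenticator inside the skew window; the 5-minute skew is the usual default and is the reason clock synchronisation matters in a Kerberos domain.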