Introduction to Windows 2000 for Lage Landen - PowerPoint PPT Presentation

Slides: 68
Provided by: pieteruitt

Transcript and Presenter's Notes

1
Windows 2000
Introduction to Windows 2000 for K.U.B.
Rafal Lukawiecki, Strategic Consultant, Aris
rafal.lukawiecki_at_aris.com
2
Agenda
  • Overview
  • Windows 2000 Professional
  • Windows 2000 Server
  • Active Directory
  • Group policies
  • Security
  • Deployment

3
Windows 2000: Built on NT Technology
4
Windows 2000 Family
  • This part covers Windows 2000 Professional
  • Important to think about differences between
    Windows 2000 family members
  • Professional: Replacement for all desktop
    versions of Windows in organizations
  • If you're not deploying server or infrastructure,
    still think about Professional

5
Windows 2000 Professional Big Picture
  • Best features of Win98
  • PnP, ACPI, USB, 1394, DX6, integrated
    browser/shell
  • Broad driver support
  • Display, Sound, Printer, Digital Cameras,
    Scanners, NIC, etc.
  • Enhanced ease-of-use
  • Shell, Network UI, Fewer config reboots, IE5
  • Lowest Total Cost of Ownership
  • Setup Manager, SysPrep, Windows installer,
    WMI, WBEM
  • NT's traditional power
  • Better Reliability, Security, Performance

6
Shell Enhancements
  • Next generation web integration (IE 5.0)
  • Adaptive Menus
  • New Balloon Help makes more discoverable
  • New File Open and Printer dialogs
  • File Open - FTP and Web (HTTP)
  • Printer - Add New Printer Wizard
  • Enhanced My Documents
  • Single primary document location
  • My Pictures Folder
  • Find Files, Folders
  • Enhanced My Network Places
  • Interactive Add/Remove Programs wizard
  • AutoComplete
  • Explore Folders Button
  • Consistent Namespace
  • Inactive Window Object Selection
  • Document History
  • Thumbnails
  • File Associations/Open With
  • SuperHidden Files
  • Disk Cleaners
  • Sync Manager
  • Common Controls
  • Alpha Blending
  • Keyboard Cue Suppression
  • HTML Help
  • Balloon-Shaped Tooltips
  • Tahoma Font

7
Shell Enhancements Examples
Map Network Drive
Balloon Tooltips
8
New File Association Support
  • Windows tracks the applications you use
  • Quick access to the most used apps
  • Open With is always available
  • Friendly names
  • Only relevant apps

9
Toolbar Enhancements
  • Customizable
  • Resizable
  • Double-arrows when not enough room

10
Multi Language User Interface
  • On demand user interface language
  • Supports over 60 languages
  • Can create, view, edit and print in any of the 60
    languages
  • Roams with user via User Profiles
  • Requires MUI system
  • Works with Terminal Server
  • Cannot upgrade existing NTW4 localized version to
    MUI
  • Need to wipe and load

11
New Multilingual Support
12
Multilingual Options: Which version should I use?
13
Agenda
  • Overview
  • Windows 2000 Professional
  • Windows 2000 Server
  • Active Directory
  • Group policies
  • Security
  • Deployment

14
Major Scalability Initiatives
SMP
Large Systems
Clustering
64-bit
15
Large Memory Support
  • Physical Address Extension (PAE)
  • All physical memory is treated as general purpose
    memory
  • No APIs needed for running above 4GB physical
    memory address - just have 4 GB VA limit as today
  • AWE APIs to access > 4 GB of physical memory
  • Direct I/O is done to > 4 GB physical address

16
Job Object API
  • Provides a namable, securable, inheritable,
    sharable object that controls associated
    processes
  • Limit possible adverse impacts (e.g. leaks)
  • Manage groups of processes as a unit
  • Enforce limits on each process associated with job

17
SAN: System Area Network
  • High performance interconnect
  • Used for interprocess communication
  • Storage is a different topic
  • Connects servers in data center
  • Limited cable lengths
  • Limited topologies
  • Physical security assumed

18
Clustering In Windows 2000
Cluster Server
Network Load Balancing
Component Load Balancing (COM)
Clients
COM Components
IIS Web Server or other IP based services
Data Servers SQL, Exchange, File
Application Servers
19
Network Load Balancing
  • No single point of failure
  • No performance bottleneck
  • No additional hardware needed
  • Grow incrementally as demand increases
  • Up to 32 Windows 2000 servers in a cluster

Internet/ Intranet
NLB Virtual IP Address
  • Handle both planned and unplanned server downtime
    transparently (sub-10 second failover)

20
Packaging Proposal
  • Windows 2000 Server: 4 CPU, 4 GB memory
  • Windows 2000 Advanced Server: 8 CPU, 8 GB memory, 2-node clustering, NLBS
  • Windows 2000 Datacenter Server: 32 CPU, 64 GB memory, 64-bit (future), 4-node clustering, Gold HCL, Process Control, Partition-ability
21
Windows 2000 Datacenter
  • Up to 32 processors SMP
  • 64 GB memory support
  • 4-node failover cluster support
  • System Area Network support
  • Process Group Manager tool
  • Higher level platform certification
  • Available 90-120 days after Windows 2000 Server
    and Advanced Server

22
Terminal Services
  • Centrally deploy and manage applications
  • One Install, Many Accesses
  • Uniform LOB deployment
  • Extend benefits of Windows 2000
  • Wide Range of Client Systems including thin
    clients and UNIX
  • Investment Protection for older hardware
  • Enhance Manageability
  • New Remote Mgmt. Capabilities
  • Low cost per device
23
Windows 2000: Maturity
  • Split Windows 2000 in pieces
  • Windows 2000 V5
  • ADSI V2.5
  • ADS Replication = based on Exchange V5.5
  • ADS Store = based on Exchange V5.5
  • Domain model = new
  • Windows 2000 is an evolution over almost 8 years

24
Industry Leading Performance: Enterprise Web Server Performance
Source: 4-way SPECWeb 96 results, http://www.specbench.org
25
Agenda
  • Overview
  • Windows 2000 Professional
  • Windows 2000 Server
  • Active Directory
  • Group policies
  • Security
  • Deployment

26
What Is Active Directory?
  • Windows Clients
  • Mgmt profile
  • Network info
  • Policy
  • Windows Servers
  • Mgmt profile
  • Network info
  • Services
  • Printers
  • File shares
  • Policy
  • Windows Users
  • Account info
  • Privileges
  • Profiles
  • Policy
  • Management
  • Focal Point For
  • Users and resources
  • Security
  • Delegation
  • Policy

Active Directory
27
Active Directory: Integration
Network Infrastructure
Routers
Network Devices
HTTP
LDAP
MAPI
ADSI
Unix servers
Clients Applications
28
Directory Objects
ObjectClass
Defined in the schema
Data storage is allocated as necessary
29
Resource Access
[Diagram: Domain, OUs, ACLs]
  • If you can gain access to the directory object,
    it doesn't mean you can gain access to the
    resource
  • The resource is still protected by its own ACLs

30
Organizing the Directory
  • A hierarchy of objects can be created using
    Organizational Units (OUs)
  • Although OUs are the primary containers used to
    create the hierarchy, all directory objects are
    potential containers

31
OUs
OU
  • OU security provides the mechanism for
    controlling object visibility and delegating
    administration

32
Domains
Configuration
  • One or more domain controllers
  • Multi-master replication
  • One or more sites

33
Sites
  • Control Active Directory replication
  • Site knowledge used
  • Logon locator
  • Printer locator
  • DFS and more

34
Trees And Forests
  • Configuration and schema common to all domains
  • Transitive trusts link domains

35
Boundaries
  • Replication
  • Administration
  • Security Policy
  • Group Policy

36
Global Catalog
  • Enterprise wide searches
  • Resolves enterprise queries

37
Identity Management Issues
Business Rules?
  • Most companies maintain identity data in many
    places
  • Not all identity data is kept in directories or
    exposed through directory interfaces
  • No single place to access or manage aggregated
    enterprise identity information

38
Zoomit Scenario
Zoomit CompassBrowser
X
Meta-Directory
VIA 2.1
  • Fire Business Rules
  • Remove Dave from Meta-Directory
  • Remove Dave from Notes
  • Remove Dave from NDS

39
Zoomit Scenario
Zoomit CompassBrowser
X
Meta-Directory
VIA 2.1
40
Agenda
  • Overview
  • Windows 2000 Professional
  • Windows 2000 Server
  • Active Directory
  • Group policies
  • Security
  • Deployment

41
Change and Configuration Management: Technologies
42
Group Policy: Definition
The ability for the administrator to state a
wish about the state of their users' environment
once, and then rely on the system to enforce that
wish!
  • Sales department will have Office 2000
  • Disable logoff from Start Menu for all
    Receptionists
  • Audit all failed logon attempts for all
    Computers in the Atlanta area, in the Peachtree
    office

43
Group Policy
  • Universal, hierarchical way to describe any or
    all settings
  • For users
  • For computers
  • For any Active Directory object!
  • Follows hierarchy: SDOU
  • Site(s)
  • Domain(s)
  • Organizational Unit(s)

44
Hierarchical Policy Settings
  • Applied policy for a computer combines multiple
    policy objects
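
How several policy objects combine into one applied policy along the S, D, OU hierarchy, as an added example (not part of the original presentation). It assumes the Windows rule that a later-applied GPO wins on a conflicting setting and ignores No Override and Block Inheritance; the GPO names, containers and setting names are constructed.

```python
# Constructed sample links: (scope, container, GPO name, settings).
LINKS = [
    ("site",   "Atlanta",             "Atlanta-Audit",
     {"AuditLogonFailure": True}),
    ("domain", "corp.example",        "Domain-Default",
     {"AuditLogonFailure": False, "NoLogoff": False}),
    ("ou",     "Peachtree",           "Peachtree-Desk",
     {"AuditLogonFailure": True, "NoLogoff": False}),
    ("ou",     "Peachtree/Reception", "Reception-Lock",
     {"NoLogoff": True}),
    ("ou",     "Sales",               "Sales-Apps",
     {"AssignOffice2000": True}),
]

SCOPE_ORDER = {"site": 0, "domain": 1, "ou": 2}


def applicable(links, site, domain, ou_path):
    """Links that cover the object, ordered Site, Domain, then OUs parent-first."""
    chosen = []
    for scope, container, gpo, settings in links:
        if scope == "site" and container == site:
            depth = 0
        elif scope == "domain" and container == domain:
            depth = 0
        elif scope == "ou" and (ou_path == container
                                or ou_path.startswith(container + "/")):
            depth = container.count("/")   # deeper OU = applied later
        else:
            continue
        chosen.append((SCOPE_ORDER[scope], depth, gpo, settings))
    chosen.sort(key=lambda c: (c[0], c[1]))
    return chosen


def resultant_policy(links, site, domain, ou_path):
    """Merge settings in application order, keeping the GPO that set each value."""
    result = {}
    for _, _, gpo, settings in applicable(links, site, domain, ou_path):
        for name, value in settings.items():
            result[name] = (value, gpo)    # later GPO overwrites earlier one
    return result


if __name__ == "__main__":
    for ou in ("Peachtree/Reception", "Sales"):
        print(ou, resultant_policy(LINKS, "Atlanta", "corp.example", ou))
```

For the computer in the Sales OU the site-level audit setting is silently replaced by the domain default, which is why the winning GPO is recorded next to each value.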

45
Automatic Application Installation
1. Make a network install for the app
2. Tune installation options
3. Make application framework
4. Policy maps framework to user
5. During logon, the framework is applied
6. On first use the app is installed (natural staggering of software rollout)
46
Auto-Install
47
Auto-Install
48
Systems Management Server 2.0
  • Complete solution
  • Hardware and software inventory
  • Software distribution and installation
  • Licensing control
  • Remote control, diagnostics and monitoring
  • Rollback

Hardware and Software Inventory
Software Distribution and Installation
Remote Management and Troubleshooting
49
Agenda
  • Overview
  • Windows 2000 Professional
  • Windows 2000 Server
  • Active Directory
  • Group policies
  • Security
  • Deployment

50
The Infrastructure Pieces
  • Account Management
  • Authentication Services
  • Public Key Infrastructure
  • Policy Management
  • Trust Management
  • Authorization Services
  • Auditing Services
  • Cryptographic Services
  • Data Protection Services
  • Integrity Services

51
Security
  • IP Security
  • ENTFS (Encrypting NTFS)
  • Kerberos
  • Public Key Infrastructure (X509)
  • SmartCards
  • Code Signing
  • Security Configuration Tool

52
Key Kerberos Concepts
  • Kerberos is
  • An authentication protocol
  • Based on encrypted tickets with client
    credentials
  • The default authentication package in Windows
    2000
  • The basis for transitive domain trusts
  • Based on RFC 1510 and draft revisions
  • More efficient than NTLM
  • Extensible

53
Cross-Platform Interop
  • Based on Kerberos v5 protocol
  • RFC 1510 and RFC 1964 token format
  • Windows NT hosts the KDC
  • UNIX clients to Unix Servers
  • UNIX clients to NT Servers
  • NT clients to UNIX Servers
  • Simple cross-realm authentication
  • UNIX realm to NT domain
  • Not DCE compatible

54
Symmetric Key Encryption
Plain-text input
Plain-text output
Cipher-text
The quick brown fox jumps over the lazy dog
The quick brown fox jumps over the lazy dog
AxCv5bmEseTfid3)fGsmWe4,sdgfMwir3dkJeTsY8R\s_at_
!q3
Encryption
Decryption
Same key(shared secret)
55
Public Key Encryption
Clear-text Input
Clear-text Output
Cipher-text
The quick brown fox jumps over the lazy dog
The quick brown fox jumps over the lazy dog
Py75cbn)9fDebDFaqxzjFr_at_g5nmdFg5knvMdrkv
egMs
Encryption
Decryption
Different keys
Recipient's private key
Recipient's public key
56
Public Key Cryptography
  • Knowledge of the encryption key doesn't give you
    knowledge of the decryption key
  • Public key for encryption
  • Private key for decryption
  • Receiver of information generates a pair of keys
  • Publish the public key in directory
  • Then anyone can send him messages that only he
    can read

57
Digital Signatures
  • Want to give plain text data to someone, and
    allow them to verify the origin
  • Hash the text, encrypt the hash, provide the
    signature with the plain text
  • Encrypt (Hash( plain text) )
  • Encrypt the hash using Private key
  • Recipient
  • Hashes plain text H(pt)
  • Decrypts D(E(H(pt))) = H(pt) using Public key
  • Compares the result!
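
The sign-and-verify flow from this slide, as an added example (not part of the original presentation): textbook RSA over a SHA-256 hash, using a constructed demo key. The fixed Mersenne-prime key and the missing padding are simplifications; production signatures pad the hash first (for example PKCS #1 v1.5 or PSS).

```python
import hashlib

# Constructed demo key: two Mersenne primes, used only so the example is
# deterministic and needs no key generation. Not a usable key.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def digest(plain_text: bytes) -> int:
    """H(pt): SHA-256 of the plain text as an integer (always smaller than N)."""
    return int.from_bytes(hashlib.sha256(plain_text).digest(), "big")


def sign(plain_text: bytes) -> int:
    """Sender: Encrypt(Hash(plain text)) with the private key."""
    return pow(digest(plain_text), D, N)


def verify(plain_text: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Recipient: hash the plain text, decrypt the signature with the
    public key, and compare the two values."""
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest(plain_text)


def demo() -> dict:
    message = b"Pay 100 EUR to account 12345"      # constructed sample input
    signature = sign(message)
    return {
        "genuine": verify(message, signature),
        "altered_text": verify(b"Pay 900 EUR to account 12345", signature),
        "altered_signature": verify(message, signature ^ 1),
        "wrong_public_key": verify(message, signature, e=3),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} -> {'valid' if ok else 'REJECTED'}")
```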

58
Encrypting File System
  • Strong data protection for desktops
  • Integrated and transparent to users and
    applications
  • Per file or entire directory encryption
  • Enterprise ready
  • Data recoverability
  • Shared access to encrypted data
  • Remote encrypted files on servers
  • Fault tolerance

59
Data Encryption Process
Launch key for nuclear missile RedHeat is...
60
Data Decryption Process
fjdaj u539!3t t389E \_at_ 5e32\kd
61
Data Recovery Process
fjdaj u539!3t t389E \_at_ 5e32\kd
62
Agenda
  • Overview
  • Windows 2000 Professional
  • Windows 2000 Server
  • Active Directory
  • Group policies
  • Security
  • Deployment

63
Disk Duplication
  • Enabled using Sysprep.exe
  • Sysprep readies disk for duplication and
    ready-to-run scenarios
  • Beta version available on Beta 3 CD
  • Support for workstations and stand-alone servers
  • Domain Controllers can be installed in limited
    scenarios
  • Greatly reduces deployment costs and time

64
Setup and Deployment System Preparation Tool
  • 1. Install, Configure NTW4.0/2000
  • Network, Security, Desktop
  • 2. Install, Configure Applications
  • Templates, File locations
  • 3. Run System Preparation tool
  • Shutdown system
  • 4. Run Third Party Image Copy tool
  • Examples: Symantec Ghost, PowerQuest DriveImage
    ...
  • Copy Image to Server
  • Copy Image to target PCs
  • 5. On first boot complete configuration
  • Regenerate SID (Security Identifier)
  • Auto Create ComputerName, UserName, CompanyName,
    Admin Password

http://www.microsoft.com/ntworkstation
65
Unattended Installation
  • Most flexible deployment option
  • Starts and runs Windows 2000 Setup on each
    computer individually
  • What you need
  • Winnt.exe, Winnt32.exe or CD (BIOS must support
    bootable CD )
  • A distribution share with Setup files or Windows
    2000 CD
  • An answer file (text file) or winnt.sif if
    running unattended from CD

66
Integrating Service Packs
  • Windows 2000 and Service Pack Integration
  • No need to reapply a Service Pack after changing
    system state
  • Slipstreaming - apply the service pack to an
    install share of Windows 2000 for clean installs
  • Solves significant customer problems with
    current Windows NT 4.0 Service Packs

67
If Time Remains
  • A Word on Development

68
What is Windows DNA?
  • It is
  • A Platform of products and services using which
    you can build various solutions, following the
  • Architectural Guidance, which tells you how to do
    the things correctly
  • Without a good architecture, your solution will
    be poor!
  • Windows DNA tells you how to do things the right
    way!

69
Why is Windows DNA Good?
  • Unlike 2-tiers (client-server, thick-client),
    Windows DNA gives you
  • Scalability
  • Manageability
  • Reliability
  • Easier development and maintenance
  • Simpler and more available skill-set needed
  • Easy choices about locating business logic
  • Academically speaking, 3-tiers (or more) have
    been the right way for the past 6-7 years

70
A Component
  • Could be explained as
  • A building block in a solution
  • A portion of software
  • A bunch of methods and properties
  • A COM object
  • Is
  • Easy to reuse and deploy
  • Easy to replace and maintain
  • Simpler than big top-to-bottom code
  • Embodiment of divide and conquer
  • Bought or created when needed
  • Gives software high quality

71
Windows DNA for FMStocks
72
Tools Used on FMStocks
  • Planning: Visual Modeller
  • Teamwork: Visual SourceSafe
  • Knowledge Support: MSDN
  • MSDN Universal contains all of these tools and
    the knowledge
73
Thank You!