Windows 2000 - Distributed OS Features Part II - PowerPoint PPT Presentation

Provided by: angelo3
Slides: 38
Learn more at: https://www.pcs.cnu.edu

Transcript and Presenter's Notes

1
Windows 2000 - Distributed OS Features Part II
  • Angelo Cavone
  • CPSC550 Distributed Operating Systems
  • Spring 2001
  • Dr. Zhang

2
Introduction
  • Windows 2000 Distributed Operating Systems
    Features
  • Focus on Features of Windows 2000 Advanced Server
    and Datacenter Server
  • Discussion Areas
    • Active Directory
    • Microsoft Management Console
    • Cluster Service
    • Security Overview

3
Windows 2000 Background
  • Represents the next step in Microsoft's evolution
    towards a portable operating system.
  • Mostly built upon technologies provided under
    Windows NT
  • Goals of Windows 2000
    • Provide flexibility, security, object redundancy,
      transparency and extensibility

4
Active Directory - Overview
  • Allows transparent access to remotely located
    resources - exact location not required.
  • Designed to simplify management, strengthen
    security and extend interoperability of resources
    in distributed computing environments.
  • Provides a common storage location for
    • Objects - e.g. client/server applications
    • Files
    • Printers
    • People - accounts

5
Active Directory - Overview
  • Incorporates a standard means for naming,
    locating, accessing, managing and providing
    security for AD objects
  • AD information is provided to administrators, users
    and applications, yielding a tightly integrated
    interface for accessing distributed resources
  • As the number of these objects increases, the
    importance of AD grows because more management
    is required

6
Active Directory - Implementation
  • Built upon Internet-standard technologies to
    support Microsoft's goal of a scalable,
    enterprise-class operating system.
  • AD is a namespace incorporating features of the
    Domain Name System (DNS) and the X.500 directory
    service.
    • DNS provides name-to-IP-address resolution
    • X.500 - directory service analogous to
      white/yellow pages - basis for LDAP compatibility
      in Win 2000
  • Namespace - collection of objects and containers
    organized in a hierarchical fashion.

7
Active Directory - Implementation
  • DNS is central to the functionality of AD -
    provides scalability for Windows 2000
  • Multiple domains are organized into the Windows
    2000 domain tree in a bottom-up manner, forming
    a structure built as a tree of trees
  • DNS and AD share the same hierarchical domain
    structure - each stores its own information and
    manages different objects
    • Each uses a database to resolve names
    • AD clients query DNS to resolve the AD server's
      IP address
    • DNS zones are stored in AD

8
Active Directory - Architecture
  • Objects - represent named sets of attributes for
    objects such as users, groups, machines,
    applications
  • As objects are created, AD sets internal
    management attributes such as a Globally Unique
    Identifier (GUID), while the user supplies the
    object's own attributes, e.g. user name, logon ID, etc.
  • Containers organize collections of related
    objects.
  • Tree structure organizes objects & containers -
    like popular file managers

9
Active Directory - Architecture
  • The schema describes the various types of objects
    and the attributes associated with them
  • Schema definitions are themselves objects, also
    saved in the AD tree
  • Active Directory Services Interfaces (ADSI) SDK
    allows developers to define new schema or extend
    the existing schema
  • MMC snap-in for schema management
  • Security information is also stored in AD
    • Via AD, administrators can set access privileges
      on individual attributes
  • Single-copy storage conserves resources

10
Active Directory - Naming Formats
  • Security Principal Names & Security Identifiers
    • Names that uniquely identify objects in a domain
    • Created at object inception
    • Identify access principals
  • LDAP-related names
    • Industry-standard directory access protocol used
      for modification of AD information
    • Provides for interoperability with LDAP-compliant
      applications in heterogeneous networks

11
Active Directory - Naming Formats
  • Object GUIDs
    • Assigned at object creation
    • Each is unique
    • 128-bit value assigned by the Directory System Agent
  • Logon Names
    • Each AD user account requires a User Principal
      Name (UPN)
    • Format: <user>@<DNS-domain-name>

12
Active Directory Hierarchy
  (diagram slide - no transcript text)

13
Object Publishing
  • Creates objects in the directory containing the
    requested information or a reference to it
  • Information is published in AD when it is of
    interest to many users, thus requiring
  • Characteristics of published information
    • Static - infrequent modifications
    • Structured - e.g. a user profile
  • Connection points for C/S apps are published
    • RPC
    • Winsock
    • COM

14
Active Directory Domains
  • AD is built from one or more domains
  • Each domain requires a domain controller and has a
    DNS domain name
  • Domains satisfy network management goals
    • Security boundary - each sets its own security policy
    • Information replication - each stores object info
    • Group Policy - each defines a scope for policy
    • Network structure - organizations decide the
      division
    • Administrative authority delegation -
      administrative tasks assigned along domain
      divisions

15
Active Directory Domains
  • AD Domain Structure
    • Trees
      • Set of one or more domains with contiguous names
      • > 1 domain combined into hierarchical trees
      • 1st domain of the structure is the root
      • Domains containing the root are contiguous
      • <child domain>.<parent domain>
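
As an added example (not from the slides), the following Python checks the naming rules that slides 11 and 15 state: the UPN format <user>@<DNS-domain-name>, and the tree rule that domains have contiguous names of the form <child domain>.<parent domain>. The mapping of a DNS domain name to an LDAP distinguished name with one dc= component per label is an assumption added here, and all domain names used are constructed samples.

```python
import re

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_dns_name(name):
    """True if name is a syntactically valid dotted DNS domain name."""
    return 0 < len(name) <= 253 and all(_LABEL.match(label) for label in name.split("."))


def parse_upn(upn):
    """Split a UPN of the form <user>@<DNS-domain-name>; returns (user, domain) or None."""
    if upn.count("@") != 1:
        return None  # reject missing or ambiguous separators
    user, domain = upn.split("@")
    if not user or not is_dns_name(domain):
        return None
    return user, domain.lower()


def dns_to_dn(dns_domain):
    """LDAP distinguished name of a domain: one dc= component per DNS label (assumed mapping)."""
    return ",".join("dc=" + label for label in dns_domain.lower().split("."))


def is_contiguous_tree(root, domains):
    """Tree rule from the slides: every domain is the root or <child>.<already-known domain>."""
    root = root.lower()
    known = {root}
    # shortest names first, so a parent is known before any of its children is checked
    for d in sorted((d.lower() for d in domains), key=lambda d: d.count(".")):
        if d == root:
            continue
        parent = d.split(".", 1)[1] if "." in d else ""
        if not is_dns_name(d) or parent not in known:
            return False
        known.add(d)
    return True
```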

16
Active Directory Domains
  • Forests
    • Distributed database construct
    • Improves efficiency of the network
  • Trust Relationships
    • User recognition across domains
    • Users in domain A access domain B resources
  • Organizational Units
    • Various objects placed in a single domain

17
Active Directory Domain Structure
  (diagram slide - no transcript text)

18
AD Multi-Master Replication
  • Replicas of the directory are created and placed
    throughout the network
  • Improves performance, availability and flexibility
    for distributed systems
  • Duplication provides server overlap - an alternative
    server assumes the task when the original becomes
    unavailable
  • Units of replication are called Naming Contexts (NCs)
  • Replication activities are tuned to keep data up to
    date
  • Update Sequence Numbers (USNs) - used to keep track
    of updates - 64-bit
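
As an added example (not from the slides), this Python toy models the multi-master replication the slide describes: every replica has its own 64-bit USN counter, and a replication cycle pulls from a partner only the changes above the highest partner USN it has already seen (the high-watermark). The per-origin up-to-dateness vector that stops a change relayed through a second partner from being applied twice is an assumption added here, as are the object names and values.

```python
USN_MAX = 2**64 - 1  # USNs are 64-bit values

class Replica:
    """Toy AD replica: own USN counter, per-partner high-watermark, up-to-dateness vector."""
    def __init__(self, name):
        self.name = name
        self.usn = 0         # local USN counter, bumped on every write (own or replicated)
        self.objects = {}    # dn -> {attribute: value}
        self.log = []        # (local_usn, origin, origin_usn, dn, attr, value) in USN order
        self.watermark = {}  # partner -> highest partner local USN already pulled
        self.utd = {}        # originating replica -> highest originating USN applied (assumed)

    def _next_usn(self):
        if self.usn >= USN_MAX:
            raise OverflowError("USN counter exhausted")
        self.usn += 1
        return self.usn

    def write(self, dn, attr, value):
        """Originating write on this replica."""
        usn = self._next_usn()
        self.objects.setdefault(dn, {})[attr] = value
        self.log.append((usn, self.name, usn, dn, attr, value))
        self.utd[self.name] = usn
        return usn

    def pull_from(self, src):
        """One replication cycle from partner src; returns the number of changes applied."""
        applied = 0
        for local, origin, ousn, dn, attr, value in src.log:
            if local <= self.watermark.get(src.name, 0):
                continue  # already pulled in an earlier cycle
            self.watermark[src.name] = local
            if self.utd.get(origin, 0) >= ousn:
                continue  # already applied: our own write, or relayed via another partner
            self.objects.setdefault(dn, {})[attr] = value
            self.log.append((self._next_usn(), origin, ousn, dn, attr, value))
            self.utd[origin] = ousn
            applied += 1
        return applied


def demo():
    """Three replicas: B relays A's change to C; A pulling from B skips its own change."""
    a, b, c = Replica("A"), Replica("B"), Replica("C")
    a.write("cn=acavone,dc=example,dc=test", "telephoneNumber", "555-0100")  # constructed
    b.write("cn=printer1,dc=example,dc=test", "location", "lab")             # constructed
    n1, n2 = b.pull_from(a), c.pull_from(b)  # B gets A's write; C gets B's own and A's relayed
    n3, n4 = a.pull_from(b), b.pull_from(a)  # A gets only B's write; then nothing new remains
    return n1, n2, n3, n4, a.objects == b.objects == c.objects
```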

19
Active Directory Benefits
  • For administrators, developers and users
  • Simplifies Management
    • Single-point administration of groups, network
      resources, distributed applications and desktop
      configs.
  • Strengthened Network Security
    • Single-point user logon
    • Admin tools for security management for internal
      desktop users, dial-up users or external customers
  • Extends Interoperability
    • Standard interface for application integration &
      synchronization allows Windows 2000 to operate
      with different applications and devices

20
Microsoft Management Console (MMC)
  • Common presentation service for management
    applications under Windows 2000
  • Simplifies administration of Win2K systems through
    integration, delegation, task orientation, and
    interface simplification
  • Integrated Internet Technologies allow network
    wide administration
  • Available under Win95/98, Win NT

21
MMC Model
  (diagram slide - no transcript text)

22
MMC Snap-Ins
  • MMC provides a common interface for snap-ins
    which do the actual work
  • Snap-Ins are small management applications which
    reside in the MMC
  • SAs/Users can build custom apps from snap-ins
  • Types
    • Stand-Alone - all required functionality
    • Extension - adds functionality to a parent
    • Combination - can be both
  • MMC API encourages development of snap-ins

23
MMC Benefits
  • Task Orientation - MMC tools perform specific
    tasks
  • Integration - multiple tools available on single
    console
  • Customization - specific management tasks created
    as needed
  • Delegation - customized tools provide more or
    less functionality
  • Simplified Interface - same appearance regardless
    of functionality - minimizes retraining
  • Extensibility - snap-in base functionality
    extended using extension snap-ins

24
MMC User Interface
  (diagram slide - no transcript text)

25
Cluster Service
  • Allows collection of independent computers on a
    network to run a set of common applications
  • Presents single system image to both users and
    applications
  • Improves system reliability via multiple servers
  • Failover feature circumvents server failure
  • Also provides load balancing
  • Primarily designed to provide failover for
    database apps., messaging services and print/file
    servers
  • An extended version of the cluster service under
    Windows NT

26
Cluster Service Models
  • Two models employed in clustering technology
    • Common Resource Model - all resources within the
      cluster are accessible
      • e.g. disk sharing
      • Provides scalability to applications
    • Independent Resource Model - one system at a time
      owns a resource

27
Cluster Service Benefits
  • Cluster Service
    • Reduces Unplanned Downtime
      • Via overlapping servers, applications or
        transactions proceed to completion w/ minimal
        interruption
    • Upgrade Deployment
      • Application upgrades performed transparently w/o
        client interruption
      • Transparent process movement
    • Cluster-Aware Applications
      • Applications exist to take advantage of
        clustering
      • Microsoft SQL & Exchange Server, IBM DB2,
        DoubleTake

28
Windows 2000 Security
  • Windows 2000 security model provides
    • Single user logon to access all system resources.
    • Strong user authentication and authorization.
    • Secure communication between internal and
      external resources.
    • Configuration and management of security
      policies.
    • Automated security inspection.
    • Interoperability with other operating systems and
      security policies.
    • Windows 2000 security API for application
      development.

29
Windows 2000 Security Model
  • Based on an authentication & authorization model
  • Authentication
    • Identifies the user at logon
  • Authorization
    • Establishes resource access rules
    • Access Control Lists in AD set object permissions
  • Trust Relationships
    • Logical relationships that allow pass-through
      authentication between domains

30
Windows 2000 Security Protocols
  • Diffie-Hellman Technique - public key
    cryptography - two entities agree on a shared key
  • Digital Signatures - Hash-based Message
    Authentication Code (HMAC)
    • MD5 (128-bit), SHA (160-bit), CBC (secret key)
  • Secure Sockets Layer (SSL) - de facto std.
  • Private-key encryption - DES 64-bit, NIST std.
  • Kerberos - primary authentication method

31
Windows 2000 Kerberos
  • Provides for mutual authentication between server
    & client
  • Features
    • Based on tickets - used to validate connections
      to resources - shared-secret authentication
    • Mature industry-standard authentication protocol
    • Faster server performance at initial connection
      time
    • Delegated authentication for multi-tier c/s apps
    • Transitive trust for inter-domain authentication
      simplifies domain management in large networks

32
Windows 2000 Security Configuration
  • Security management is provided via MMC snap-ins
  • Administrators can tailor security settings as
    required via Security Templates
  • Security Template Features
    • Security policies for account & local policies
      • Account Policies - passwords, acct lockouts,
        Kerberos
      • Local Policies - user rights, security event
        logging
    • Restricted Group Administration
    • Registry Security
    • Local File System Security
    • Local Services Startup Security

33
Windows 2000 Smart Cards
  • Windows 2000 provides smart card security
    capability
  • Credit-card size w/ built-in micro-chip
  • Stores
    • User's private key
    • Logon information
    • Public key certificate for digital signing &
      encryption

34
Windows 2000 Encrypting File System
  • EFS allows desktop & laptop data to be encrypted
  • User selects files or folders to be encrypted -
    locks out unauthorized individuals
  • Especially important for laptops - easily stolen
    or lost

35
Windows 2000 IPSec
  • Security methods for data traversing networks
  • Conforms to the Internet Engineering Task Force's IP
    Security Protocol - assures interoperability with
    IPSec operating on other networks
  • IPSec features
    • Configurable
    • Data packets authenticated using Kerberos,
      digital certificates or passwords
    • Guaranteed IP packet security across the network
    • Encrypts data transmitted over the network,
      keeping it confidential
    • Hides the IP address of the host generating the packet

36
Conclusion
  • Overview of Win 2000 internetworking features
  • Win 2000 is a significant step towards network
    computing
  • Internet-based applications & commerce will
    continue to motivate incorporation of network-based
    technology by MS
  • APIs are available to encourage development of
    apps using Win 2000 internetworking features

37
References
  • Galli, D.L. Distributed Operating Systems:
    Concepts & Practice. Prentice Hall, Upper Saddle
    River, NJ, 2000.
  • Microsoft Corporation. Windows 2000 Server White
    Paper Series: Active Directory Architecture.
    www.microsoft.com/windows2000/library
  • Microsoft Corporation. Windows 2000 Server White
    Paper Series: Active Directory Overview.
    www.microsoft.com/windows2000/library
  • Microsoft Corporation. Windows 2000 Server White
    Paper Series: Microsoft Management Console
    Overview. www.microsoft.com/windows2000/library
  • Microsoft Corporation. Windows 2000 Server White
    Paper Series: Microsoft 2000 Security Technical
    Overview. www.microsoft.com/windows2000/library
  • Microsoft Corporation. Windows 2000 Server White
    Paper Series: IP Security for Microsoft
    Windows 2000 Server. www.microsoft.com/windows2000/library