Ramnish Singh
IT Advisor
Microsoft Corporation
Agenda

Managing IT Infrastructure

Heterogeneous management

Interoperability
Over 60%
of TCO over
a 5-year
Lack
of automation
impacts
all
period of
driven
facets
IT by people costs
Degree of Automation:
Manual
Scripts
Automated Tools
62%
14%
25%
Network
60%
16%
24%
Event
58%
18%
24%
30
Performance
56%
17%
28%
Storage
54%
17%
29%
10
Change/Config
0
53%
24%
23%
70
Security Mgmt
60
50
40
20
0%
10%
20%
30%
40%
50%
60%
Percent of Responses
70%
80%
90%
Staff Costs Downtime
Training
Software
Hardware
Source: IDC 2002, Microsoft Primary Quantitative Research. 400 30-minute phone surveys of IT professionals in data centers with 25 or more servers
100%
Infrastructure Optimization Model
Security,
Identity
Secured
Networking
and Access
Messaging
and
Mgmnt
Monitoring
Backup
and
Restore
Desktop
Lifecycle
Limited
Infrastructure/
Manual
just
desktops
administration,
Uncoordinated
desktops
Run AV on
Antivirus
Active
Automated
Backup/restore
on
desktops
Directory
patch
on
servers
all servers
Mgmnt
for
Managed
IT
Authentication
(WU,
SUS,
Centralized
SPAM
blocking
Infrastructure
and
SMS)
firewall
on
servers
with
some
Authorization
Defined
set of
Internal
DNS
automation
only
standard
basic
and DHCP
images
Backup/restore
Remote
Primary Access
desktools
• Directory
Real-time
for
on
topcentral
all
OS
servers
is
connection
IpSec
server
administration
plus
WinXP
SLA
or and
Managed
isolation
filtering
Win2k
configur-ations
consolidated
• of
Secure
Monitoring
and
security
IT
Automated
anywhere
mail
of
servers
(Group
Policy)
Infrastructure
software
access
distribution,
• Unified
directory
Mgmnt
for
&
andemail
tracking
access
Manual
Application
Compatibility
testing
Manual
reference
image system
Security
Firewall
Automated
Backup
Centrallyrestore
on
of
servers
mobile
patch
on
manage
all servers
Mgmnt
devices
and
users
desktops
for
and
provisioning
servers
desktop
Full
automation
data
across
plus
SLA
Secure
Automated
wireless
Businessheterogeneous
networking
application
linked
SLAs
systesm
compatibility
Service level
testing
monitoring
on
Automated
desktops
reference
image system
Intellimirror Technologies
Consistent Environment

Active Directory

Group Policy

Offline Folders

Roaming User Profiles

Redirected Folders

Enhancements to the Windows Shell

Group Policy Software Installation
Uninterrupted Access

Active Directory

Group Policy

Offline Folders

Synchronization Manager

Enhancements to the Windows Shell

Redirected Folders

Disk Quotas
Minimized Data Loss

Active Directory

Group Policy

Roaming User Profiles

Redirected Folders

Offline Folders
Minimized User Downtime

Active Directory

Group Policy

Windows Installer Service

Add/Remove Programs in Control Panel

Group Policy Software Installation
Group Policy





Enable one-to-many management of users
and computers throughout the enterprise.
Automate enforcement of IT policies.
Simplify administrative tasks, such as
system updates and application
installations.
Consistently implement security settings
across the enterprise.
Efficiently implement standard computing
environments for groups of users.
Group Policy – Capabilities









Registry-based Policy
Security Settings
Software Restrictions
Software Distribution and Installation
Computer and User Scripts
Roaming User Profiles
Redirected Folders
Offline Folders
Internet Explorer Maintenance
Shared Computer Toolkit for Windows XP

Defend shared computers from
unauthorized changes to the hard disk

Restrict untrusted users from system
settings

Enhance the user experience
SMS 2003 Capabilities
Asset
Management
Application
Deployment
Security
Patch
Management
Support for
the Mobile
Workforce
Leveraging
Windows
Management
Services
Application Deployment

Business
Demands



SMS 2003
Delivers
Delivery of large-scale projects in a
timely and inexpensive manner
Provisioning of the right services and
applications to end-users
Quickly and easily - in support of
business requirements
Comprehensive solution for critical
application delivery



Plan, test, deploy and analyze applications
Reliably and easily
To the right place and at the right time
Asset Management
Business
Demands


SMS 2003
Delivers



Reduction in hardware and software
asset costs
Software license compliance
Reduced software costs through
Ability to track and report on compliance
Application installation and
usage information
Security Patch Management
Business
Demands

Tools and processes to





SMS 2003
Delivers
Identify critical patches
Determine vulnerable systems
Deliver patches reliably and quickly
Accurately report delivery status
A secure Windows environment through





Collection of critical patch information
Vulnerability assessment of existing environment
Quick and easy deployment of patches
Targeted delivery of patches
Verification and reporting on patch deployment
Mobility
Business
Demands



SMS 2003
Delivers
Support for roaming and infrequently
connected mobile users
Delivery of critical business services
and applications—reliably and timely
Capability to meet mobile
workforce needs



Provides critical IT business services
Extends asset management to mobile devices
Delivers relevant business applications
to mobile devices
Windows Management
Services Integration
Business
Demands

Reduced operational costs for
managing IT
Leveraging of existing infrastructure

Windows compliance


SMS 2003
Delivers

Windows XP and Windows Server 2003 Certification
Optimal integration of Windows management services


Active Directory simplifies SMS planning and deployment
Core Windows Services Integration



Windows Installer Service (MSI)
Windows Management Instrumentation (WMI)
Reduces costs through leveraging existing
infrastructure and capabilities
Agenda

Managing IT Infrastructure

Heterogeneous management

Interoperability
Operation Management Issues
“Help me
monitor
applications
reliably.”
“Help me
protect my IT
environment.”
“Help me
realize my IT
investments.”
“Help me
understand what
events are
priority.”
“Help me
reduce
incident
management
costs.”
“I need an
enterprise-ready
solution.”
Microsoft Operation Manager 2005 delivers
Microsoft Operations Manager 2005
36 Product Connectors
48 Microsoft Applications
15 SMS Add-ins
189 Management Packs
157 3rd Party Solutions
MOM 2005 Capabilities
Stay Aware
Effectively
Respond
Be Accountable
Stay Aware
Business
Demands



MOM 2005
Delivers



Identifying IT health issues before they
become problems
Provide visibility to critical resources
Quick Deployment
Out of the box expertise with minimal
configuration
Consoles provides proactive health
understanding
Rapidly deploy to identify issues faster
Effectively Respond
Business
Demands

MOM 2005
Delivers



Improvement in operational efficiency
Accurate and effective response to
issues
In-the-box application expertise and
operational knowledge
Actionable best practices
Be Accountable
Business
Demands



MOM 2005
Delivers



Value from IT
Accountability from IT
Meeting and exceeding of Service
Level Agreements
Robust Reporting
Connectivity into Management
Frameworks
Information delivery vehicle
Heterogeneous management
Agenda

Managing IT Infrastructure

Heterogeneous management

Interoperability
The Need for Interoperability

Heterogeneity is the standard.


Interoperability is a key concern.


The reality is that mixed UNIX/Windows environments are a
fact of life
The increased existence of UNIX and Windows-based
environments requires a greater need and demand for
interoperability
Need to leverage existing investments

Although IT spending is slowly gaining momentum, IT
managers continue to need to do more with less.
Broad Interoperability
NetWare
Services for
NetWare
Macintosh
Services
for
Macintosh
IPX
Kerberos
TCP/IP
Active
Directory
Metadirectory
Services
PKI
DHCP
IBM,
Amdahl,
Hitachi
Host
Integration
Server
Windows
Built on
Interoperability
Standards
DNS
LDAP
HTTP
XML
WBEM
App
services:
OLE DB,
ADO,
ODBC,
XML,
SOAP
BizTalk
Services for
UNIX
Sun Solaris, HP/UX,
Linux, Tru64, IBM AIX
Novell NDS,
Exchange,
UNIX NIS,
iPlanet,
Novell
Groupwise,
Lotus Notes
SQL Server,
Oracle,
Informix,
IBM DB2
XML/SOAP web
services
Windows Services For UNIX
(Interix SDK, .NET Framework)
UNIX
Files
UNIX
Application
Extensibility
Windows
Application
Integration
Windows
Files
(Interix Subsystem)
Windows
Folders
UNIX
Folders
UNIX
Database
SQL Server
Database
Interoperability
UNIX
Server
(NFS, NIS,
Active Directory
Integration)
Windows
Server
PC Laptop
UNIX
Workstation
UNIX
Workstation
Windows
Workstation
Services For UNIX 3.5
 Focused

Seamless UNIX / Windows Interoperability





on two major “pain” areas
NFS Client, Server, Gateway
User Name Mapping Server
Bi-directional Password Sync
NIS Server



Korn, Bourne, C Shell
Over 350 UNIX Utilities
Telnet Server and Client
UNIX to Windows Application Portability


UNIX Tools: C, C++, Fortran, scripts, build tools
Interix UNIX subsystem
 Leverage
existing UNIX skills, methods and code
”Best System Integration” Award - LinuxWorld 2003
NFS


File Sharing with UNIX
Server for NFS


Client for NFS


UNIX Clients Using Windows Shared Files
Windows Client Using UNIX Shared Files
Gateway for NFS

Serve UNIX Shared Files as
Windows Shares
NFS
UNIX
Workstation
UNIX
Server
Windows
Server
UNIX
Workstation
Windows
Workstation
Windows
Workstation
UNIX
Workstation
UNIX
Server
Windows
Server
Windows
Workstation
NFS enables access to shared files and folders
between UNIX and Windows
Server For NFS
Server for
NFS
UNIX
Workstation
UNIX
Server
Windows
Server
UNIX
Workstation
Windows
Workstation
Windows
Workstation
Server for
NFS
UNIX
Workstation
UNIX
Server
Windows
Server
Windows
Workstation
Server for NFS allows a UNIX network access to shared files
and folders on a Windows server
Client For NFS
Client for
NFS
UNIX
Workstation
UNIX
Server
Windows
Server
Client for
NFS
Windows
Workstation
Client for
NFS
UNIX
Workstation
Windows
Workstation
Client for
NFS
UNIX
Workstation
UNIX
Server
Windows
Server
Client for
NFS
Windows
Workstation
Client for NFS allows a Windows network access to shared files
and folders on a UNIX server
Gateway For NFS
NFS
Gateway
UNIX
Workstation
UNIX
Server
Windows
Server
UNIX
Workstation
Windows
Workstation
Windows
Workstation
UNIX
Workstation
UNIX
Server
Windows
Server
Windows
Workstation
Gateway for NFS translates NFS to SMB, eliminating the need
for Client for NFS on many computers
Mapping Server






Map Windows User and Group Accounts to
UNIX
Performance Improvements
Cluster Aware
Group Membership Limit
Dynamically set
Redundant Mapping ServerPool
.maphost support
Server For NIS
Makes a Windows 2000 or Windows Server 2003
AD a NIS master server
UNIX NIS Servers
Master
Slave
Windows Servers
Slave
NIS Clients
Server For NIS
UNIX NIS Servers
Slave
Slave
Windows Servers
Slave
NIS Clients
Master
Password Synchronization


Two-way between Windows and UNIX
Support Platforms





HP-UX 11i
Sun Solaris 7, Solaris 8
IBM AIX 5L 5.2
Red Hat Linux 6.2 and higher
Benefits






Logging
Debugging
MD5 Support
Supports 65,000 users
Improved data migration times
Reduced administration leading to lower TCO
Integrating UNIX with AD
authentication (AuthN) and authorization (AuthZ)
Windows Sign-On Authentication

Kerberos v5

Public Key Infrastructure (PKI) and
certificates

Smart cards

NTLMv2
UNIX Sign-On Authentication

/etc/passwd, /etc/shadow

NIS, NIS+

iPlanet, other LDAP-compatible directories

Kerberos v5 (MIT, Heimdal)

PKI Certificates, smart cards

All enabled through PAM (Pluggable
Authentication Modules)
Windows Authorization

Based on SIDs

AuthZ data embodied in Security Token

Win2K and up: Authorization store is AD

Windows PAC attached to Kerberos
ticket

Securable objects possess an ACL

Fine-grained access rights

Granted or revoked by SID

Security Reference Monitor (SRM)
performs authorization
UNIX Authorization

Based on UID, GID

No embodiment; directly retrieved via

getpwnam(), getpwuid(), getgrnam(),
getgrgid()

Many stores:

/etc/passwd and /etc/group

NIS, NIS+

iPlanet, other LDAP directory

No centralized AuthZ mechanism (SRM)

ACL structures, capabilities vary between
platforms
Integrating UNIX and Windows
Sign-On Authentication

Ideal: Kerberos integration using AD




Single mechanism, store for AuthN
Unifies policy for passwords, account lockout
Windows PAC available everywhere
Kerberos peer realm trust




Windows uses AD Kerberos
Unix systems use UNIX Kerberos
Trust relationship established
But… UNIX tickets have no Windows PAC
Integrated Sign-On cont’d

What about LDAP Authentication?





LDAP itself doesn’t do authentication
Performance, scalability limitations
No Windows PAC
Windows requires AD as LDAP provider
Password Synchronization



MIIS
SFU Password Sync
Not really single sign-on anymore
Integrating UNIX and Windows
Authorization via AD





RFC 2307 or SFU 3.5 schema to hold
UNIX-specific authZ info
Single location for user, group data
Simplified provisioning, deprovisioning
Unified policy
Can enable application authZ scenarios
Integrated AuthZ cont’d

LDAP Directory synchronization





Multiple policies
Synchronization delays
Increased complexity of config, ops
Provides infrastructure for LDAP-enabled
application authZ scenarios
UNIX-specific directory may be better tuned
for UNIX behaviors
More Solutions

LDAP directories



Use MIIS or other products to synchronize
attributes, e.g. passwords
Each new directory increases costs for
management, hardware, etc.
Database, flat file

MIIS, other products typically have adapters
that can do this
The Ideal World

IT Pro




Developer





All users are managed in Active Directory
AD has strong user policy enforcement
User passwords safe in AD
Kerberos 5 available on most enterprise platforms
Secure authentication
Protect application data
AD is single source of authorization data
User Experience


Authentication based on one user account in AD
Transparent authentication to applications (SSO)
Kerberos config the hard way






Step 1: Create UNIX user accounts in Active
Directory
Step 2: Create UNIX workstation accounts in
Active Directory
Step 3: Create Keytab files for the UNIX
workstations
Step 4: Transfer & install the keytab file on the
UNIX Workstation
Step 5: Configure the pam.conf file
Step 6: Configure the krb5.conf file
LDAP config the hard way




Step 1: Extend AD schema to hold UNIX
authZ information
Step 2: Provision UNIX users and groups
Step 3: Configure UNIX ldap client to
connect to AD
Step 4: Configure nss_ldap to use
appropriate attributes in AD
What you get





User can logon with AD account and get Kerb
tickets
Use klist to see TGT
TGT used to authenticate to apps
UNIX uid and gid values retrieved from AD
No longer need most of /etc/passwd, /etc/group
What you don’t get




No access to Windows PAC
No off-line TGT cache
No off-line cache of authZ data
No on-line cache of authZ data


Serious issue due to UNIX behavior
Heavy load on DC, network
Vintela Authentication Services

UNIX/Linux security systems integrated into
Active Directory



No synchronization between systems, all
credentials reside within Active Directory
Authentication through Kerberos
UNIX IdM using RFC 2307 schema
Single login and password for Windows,
UNIX and Linux applications, resources
 All LDAP communication secured through
Kerberos – no SSL overhead
 Single point of account management
through Active Directory – MMC snap-in
 http://www.vintela.com

© 2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.