
Windows 2000

Ian Blyth

Senior System Engineer

Microsoft Ltd

Agenda

Overview

Active Directory

Interoperability with Unix and DNS

Security

Windows 2000 Professional

Mainstream business desktop

Full featured:

Easiest Windows Yet!

Industrial Strength Reliability

Standards-based Security

State-of-the-art mobile support

Plug and Play, USB, IR, Hot Docking

Higher performance

Increased Manageability

Lowest TCO Desktop System

Windows 2000 Server

Mainstream Business Server

Full featured:

 Active Directory

Windows Management Tools

Kerberos and PKI Security

Windows Terminal Support

COM+

Enhanced Internet Services

Up to 4-way SMP

Windows 2000 Advanced Server

Powerful Mid-range Solution

Full featured:

Windows 2000 Server Features

TCP/IP Load Balancing

Enhanced MSCS Clustering

Up to 8 GB Main Memory

Up to 8-way SMP

Windows 2000 Datacenter Server

Highest Performance

Full Featured:

All Windows 2000 Advanced Server Features

Up to 16-way SMP

Up to 64 GB Main Memory

4 node clustering

Optimized for:

OLTP, Data Warehousing

Technical Computing and Modeling

Tested for the Data Center

Active Directory

Directory and Security


What is Active Directory?

Active Directory is an integral part of Windows 2000 Server that delivers essential network operating system services:

Focal point for management of network elements (users, applications, devices, etc.)

Trusted repository of security data for authentication and authorization

 Open platform for application development and integration with other systems

Start with the data store

Evolved from Exchange DS

Indexed storage technology

Supports well over 1 Million objects (tested with much more!)


Add An Object Model

Native LDAP support

Extensible schema

Integrated security


Replicate for availability

 Highly optimized replication

Multi-master

Per attribute

Loosely consistent

Add more domains

Link domains into trees

 Kerberos transitive trusts

Or into forests

Fast lookup via Global Catalog Service

Global Data Availability

[Diagram: a Windows 2000 Forest spanning microsoft.com, msn.com, acme.com, xyx.com, asia.acme.com and europe.acme.com, with the Global Catalog Replica in each domain marked.]

 Active Directory Catalogs

 Are replicated within a forest

Uses same replication and storage mechanisms as domain replicas

Each catalog holds selectable attributes from all objects in the forest

Enables efficient cross-domain data sharing

Combining DNS and LDAP

[Diagram: a Domain Name System Server holds address records (xyz.com 192.23.14.5, rose.com 194.49.94.2, tulip.com 10.91.77.6, ...). The Client 1) finds xyz.com through DNS, then 2) accesses directory data on the AD LDAP Server at 192.23.14.5.]

Hook to the Internet

Takes advantage of Internet naming

DNS = namespace root

Global namespace = DNS + LDAP

[Diagram: the DNS tree (com, with microsoft and bizpart beneath it) forms the root of the namespace; inside Domain: microsoft.com the LDAP hierarchy continues with OU=Windows NT and OU=dsys holding users such as MargretJ, Vera Kark, thorj and sarahj; Domain: bizpart.com holds students.]

CN=Sarahj,OU=dsys,OU=Windows NT,DC=microsoft,DC=com

Available Replication Topologies

Intra-Site Replication: AD replication between DCs within a Site

Intersite Replication: AD replication between Sites

Site is an area of fast connectivity

Example Domains and Sites

[Diagram: domains ROOT and CHILD spread across Site London, Site Manchester and Site Aberdeen, with domain controllers ROOT-DC1, ROOT-DC2, ROOT-DC3 and CHILD-DC1.]

Predictability Of Intra-Site Replication

[Chart: replication volume in bytes (0 to 25,000,000) against number of objects (0 to 6000), one line each for Users, Global Groups and Universal Groups. Axis labels: # of Objects, Volumes.]

Intra-Site And Inter-Site Replication Bytes Comparison

[Chart: replication bytes (0 to 4,500,000) against number of objects (0 to 1000), comparing Users (Inter-Site) with Users (Intra-Site). Axis label: # of Objects.]

Simplifies Management

[Diagram: a Root container with Users, Machines, Devices and Applications, and OUs for Marketing and Personnel; callouts: 'Delegate Management Tasks to Office Admins', 'Color Printer in Building 6' and 'Give Personnel Members the HR Application'.]

Active Directory organizes users and network resources hierarchically to simplify management

Strengthens Security

[Diagram: Kerberos, X.509, Smart Card and PKI Certificates around a Root container with Users, Machines, Devices and Applications, and OUs for Marketing and Extranet; callout: 'Restrict Access Rights of Extranet Users'.]

Active Directory provides Internet-ready security services to protect data while facilitating access

Extends Interoperability

[Diagram: a Root container with Users, Machines, Devices and Applications, and OUs for Finance and Personnel; callouts: 'Application: Exchange mailbox information', 'Policy: Give Personnel access to Change Salary Menu Options' and 'Policy: Give Finance more bandwidth at the end of the month'.]

Active Directory provides a platform for integrating and extending systems through open interfaces, connectors and synchronization mechanisms

Directory Enabled Apps

 Infrastructure by Active Directory

Extend schema and UI

Program via ADSI/ADO

Publish service binding information

Configure via Group Policy

Just In Time application download

Change notification

Windows 2000 Active Directory

[Diagram: Active Directory at the centre as A Focal Point for Manageability, Security and Interoperability, surrounded by what it holds information about:]

Other Directories • White pages • E-Commerce

Windows Users • Account info • Privileges • Profiles • Policy

Windows Clients • Mgmt profile • Network info • Policy

Windows Servers • Mgmt profile • Network info • Services • Printers • File shares • Policy

Network Devices • Configuration • QoS policy • Security policy

Other NOS • User registry • Security • Policy

E-Mail Servers • Mailbox info • Address book

Applications • Server config • Single Sign-On • App-specific directory info • Policy

Internet Firewall Services • Configuration • Security Policy • VPN policy

Active Directory provides a focal point for management, security and interoperability

Windows 2000 Interoperability

Microsoft’s Interoperability Strategy

Make the Windows Platform work well with existing systems

Simplify access to data and applications on existing systems

Develop solutions based on standards

[Diagram: the strategy applied across the Management, Applications, Data and Network layers.]

Why Microsoft Cares About Interoperability

Customers have told us that they will continue to have mixed environments

Significant investment in existing data & applications

Interoperability is a key requirement

Designed to Integrate With Existing Systems

Built on latest internet standards

 LDAP, TCP/IP, DHCP & DNS, SSL, HTTP, DEN

Existing Applications

Full support for Microsoft Exchange Server, Microsoft SQL Server, BackOffice Logo’d apps

Existing Operating Systems

 Windows NT 3.5x and 4.0

Down-level client support for Win 3.x, Win 9x

Apple Macintosh and AppleTalk

NetWare: NDS synchronization; Print/file services

UNIX: NFS services, telnet, scripting and security

S/390 and OS/400: Transaction & Queuing gateway

Terminal Services (Thin Client)

Fully integrated with Windows 2000 Server Family (add/remove service)

Two operating modes

Remote Administration

Application Serving

Launch an application or desktop

Leverages Multilingual server capability

RDP feature and performance enhancements

Remote Control

Customer Interoperability Requests

 Leverage Existing Network

Resources

Leverage Existing UNIX Knowledge

Simplify Network Administration

Simplify Account Management

Microsoft Windows Services for UNIX 2.0

Leverage Existing Network Resources

NFS Client, Server, Gateway

Leverage Existing UNIX Knowledge

Korn Shell, UNIX Utilities

Simplify Network Administration

Telnet Client, Server, PERL, Windows Technology

Simplify Account Management

NIS Migration Wizard, Server, Password Synch

Leverage Existing Network Resources

[Diagram: Windows Clients, UNIX clients, a UNIX Server, a Windows NT Server running Windows Services for UNIX and a NetWare Server, connected across the Management, Applications, Data and Network layers.]

Leverage Existing UNIX Knowledge / Simplify Network Administration

Services for UNIX 2.0

Telnet Client and Server

Scripting – PERL and Shell

Command line

Windows 2000

Windows Installer

Windows Scripting Host

Windows Management Instrumentation

Microsoft Management Console

Simplify Account Management

Services for UNIX 2.0

NIS Migration Wizard

Server for NIS

Password Synch

Windows 2000

Active Directory

Supported

V1 – Solaris, HP-UX and DEC/Tru64 Unix

V2 – Linux, AIX and SGI Unix

Directories and the Internet

[Diagram: the Internet linking domains C1.com through C6.com.]

Active Directory:

Uses DNS as the ‘top level’ locator service

Object names fully describe their location

Dynamic DNS

DNS And Active Directory

 SRV Records to locate services (req’d.)

DDNS for Dynamic Update (desired)

Windows® 2000 DNS also provides:

Incremental Zone Transfer

Active Directory Integrated

Single replication topology

Multi-master replication

 Secure Dynamic update

Tip: BIND 8.1.2 or higher is sufficient to use with AD
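How the two halves of the "Global namespace = DNS + LDAP" slide fit together, and how a client uses the SRV records this slide says are required, as an added example that is not code from the deck. The SRV record names are the real Windows 2000 DC locator records; the DN, site name and SRV answers are constructed sample data and no DNS lookup is made.

```python
import re

# Added example (not from the original deck): an object's LDAP DN ends in
# DC= components that spell out the DNS domain holding it, and a client
# finds that domain's controllers through DNS SRV records. The SRV names
# are the real Windows 2000 locator records; the answers are constructed.

def parse_dn(dn):
    """Split an LDAP DN into (type, value) pairs, most specific first.
    A backslash-escaped comma inside a value does not split the DN."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        typ, _, val = part.partition('=')
        rdns.append((typ.strip().upper(), val.strip().replace('\\,', ',')))
    return rdns

def dns_domain_of(dn):
    """The DC= components, read left to right, are the object's DNS domain."""
    labels = [v for t, v in parse_dn(dn) if t == 'DC']
    if not labels:
        raise ValueError('no DC components in ' + dn)
    return '.'.join(labels).lower()

def container_path(dn):
    """OUs above the object, root first: the delegation boundaries."""
    return [v for t, v in parse_dn(dn) if t == 'OU'][::-1]

def locator_names(domain, site=None):
    """SRV names queried to find a DC (LDAP) and KDC (Kerberos) for the
    domain; when the client knows its site, site-covering records go first."""
    names = []
    for svc in ('_ldap', '_kerberos'):
        if site:
            names.append(f'{svc}._tcp.{site}._sites.dc._msdcs.{domain}')
        names.append(f'{svc}._tcp.dc._msdcs.{domain}')
    return names

def pick_target(srv_answers):
    """Choose from SRV answers 'priority weight port target': lowest priority
    first, then highest weight (a deterministic stand-in for RFC 2782's
    weighted random choice). Returns (host, port)."""
    ranked = []
    for rr in srv_answers:
        prio, weight, port, host = rr.split()
        ranked.append((int(prio), -int(weight), host.rstrip('.'), int(port)))
    best = min(ranked)
    return best[2], best[3]

SAMPLE_DN = 'CN=Sarahj,OU=dsys,OU=Windows NT,DC=microsoft,DC=com'
SAMPLE_SRV = ['10 50 389 root-dc2.microsoft.com.',   # constructed answers for
              '0 100 389 root-dc1.microsoft.com.',   # _ldap._tcp.dc._msdcs.microsoft.com
              '0 20 389 root-dc3.microsoft.com.']
```

The same DC= suffix is what makes the object name "fully describe its location": dns_domain_of(SAMPLE_DN) gives the domain to query, and locator_names() gives the records a domain member queries on logon.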

DNS Implementations

No existing DNS infrastructure: Deploy Microsoft DNS

Existing DNS meets requirements

Existing DNS not adequate:

Choice 1: Update Server

Choice 2: Migrate to Microsoft DNS

Choice 3: Delegate a subdomain to Microsoft DNS

Windows® 2000 Security

Security Features

 Kerberos v5 (RFC 1510)

 Smart Card

 PPTP, L2TP and IPSec

 PKI X.509

 SSL 3.0

 Security Configuration Manager

 Auditing

 128 bit encryption

 Radius support

 Encrypted File System

Integrate Security with AD

Account Management

OUs for delegation and policy

Groups for access control

Per property access setting

[Diagram: domain DC=streetmarket,DC=com containing OU=Mftg, OU=Marketing and OU=Engineering, each with OU=Users, OU=Printers and OU=Groups; callout on a user object: 'Feel free to modify your telephone #'.]
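The per property access setting above (a user may change their own telephone number, while an office admin is delegated a whole OU) as an added example, not code from the deck. The OU names, groups, users and attribute names are constructed; the evaluation order mirrors the canonical ACE order Windows applies to inherited entries.

```python
from collections import namedtuple

# Added example (not from the original deck): a toy model of Active
# Directory's per-property access control. An ACE may grant a right on a
# single attribute, and the trustee SELF lets a user edit their own object.
# The OUs, groups and users below are constructed sample data.

Ace = namedtuple('Ace', 'trustee right attribute allow')  # attribute None = whole object

def dn_ancestors(dn):
    """The DN itself, then each container above it, nearest first."""
    parts = dn.split(',')
    return [','.join(parts[i:]) for i in range(len(parts))]

# ACLs set on containers; an object inherits the ACEs of every ancestor.
ACLS = {
    'DC=streetmarket,DC=com': [
        Ace('Authenticated Users', 'read', None, True),
        Ace('SELF', 'write', 'telephoneNumber', True),       # "modify your telephone #"
    ],
    'OU=Marketing,DC=streetmarket,DC=com': [
        Ace('Marketing Admins', 'write', None, True),        # delegated to office admins
        Ace('Marketing Admins', 'write', 'employeeID', False),  # but not the HR-owned field
    ],
}
GROUPS = {'alice': {'Authenticated Users', 'Marketing Admins'},
          'bob': {'Authenticated Users'}}
USER_DN = {'alice': 'CN=alice,OU=Users,OU=Marketing,DC=streetmarket,DC=com',
           'bob': 'CN=bob,OU=Users,OU=Engineering,DC=streetmarket,DC=com'}

def is_allowed(user, target_dn, right, attribute):
    """Walk the ACEs nearest container first (the canonical order Windows
    uses for inherited ACEs); at each level a matching deny beats an allow."""
    principals = GROUPS.get(user, set()) | {user}
    if USER_DN.get(user) == target_dn:
        principals.add('SELF')
    for container in dn_ancestors(target_dn):
        allowed = False
        for ace in ACLS.get(container, []):
            if ace.trustee not in principals or ace.right != right:
                continue
            if ace.attribute not in (None, attribute):
                continue
            if not ace.allow:
                return False        # a deny at this level wins outright
            allowed = True
        if allowed:
            return True
    return False                    # no matching allow anywhere: implicit deny
```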

Integrate Security

Public Key X.509

Integrated management

Certificate services

Certificate mapping

Smart card logon

Code signing

Secure applications

[Diagram: an X.509 Cert on a Smart Card (SC) in a Reader.]

Blending Intranets & Extranets

[Diagram: Authentication (Kerberos, Smart Card, X.509/PKI, Certificates) and Authorization (Windows 2000 File System), both backed by Active Directory.]

Active Directory:

Supports Intranet & Extranet authentication

One authorization model

Directory Services

Active Directory is the Best Long-Term Directory

[Diagram: Network Devices, Servers, Users, Applications and Clients around Active Directory.]

Scalable without complexity

Standards-based

Flexible security model

Facilitates directory consolidation

Broad Industry Support

Baan, Cisco, SAP AG