Windows 2000 Conversion Wrapup. Al Williams Penn State Teaching and Learning with Technology SHARE 98, Nashville, TN Session 5822

Similar documents
5 MANAGING USER ACCOUNTS AND GROUPS

802.1X: Deployment Experiences and Obstacles to Widespread Adoption

Adding content to your Blackboard 9.1 class

3 ways of supporting a group of computers. Machine by machine Centrally structured Centrally managed (AD/Novell)

The CyberCIEGE scenario builds on concepts learned in the Advanced VPN scenario related to use of PKI to manage keys used to protect assets.

1. CyberCIEGE Advanced VPNs

Tutorial on Using Windows 8

Let s Review Lesson 2!

Adding Groups to Groups

SECURITY AUTOMATION BEST PRACTICES. A Guide on Making Your Security Team Successful with Automation SECURITY AUTOMATION BEST PRACTICES - 1

Do you think you'll be using a computer with the Windows 8 operating system on it anytime soon?

WIRELESS N USB ADAPTER USER MANUAL

Chapter 1: Windows Platform and Architecture. You will learn:

Computer Network Protocols: Myths, Missteps, and Mysteries. Dr. Radia Perlman, Intel Fellow

1. The first true 32-bit operating system developed by Microsoft was Windows 3.1.

LO CompTIA A+ : (Exam ) Course Outline Sep 2018

NS312 User Guide. Version 1.0. SilverStone Technology Co., Ltd.

Media-Ready Network Transcript

Nicolas Williams Staff Engineer Sun Microsystems, Inc.

Lesson 2 page 1. ipad # 17 Font Size for Notepad (and other apps) Task: Program your default text to be smaller or larger for Notepad

Proposal for Deep Freeze Solution. Copyright Topbit System Sdn Bhd

Chapter 6: Connecting Windows Workstations

Security Automation Best Practices

Title: Episode 11 - Walking through the Rapid Business Warehouse at TOMS Shoes (Duration: 18:10)

How to download/install Windows Live Movie Maker 2011

SECURITY AUTOMATION BEST PRACTICES. A Guide to Making Your Security Team Successful with Automation

Configuration and Day 2 Operations First Published On: Last Updated On:

How to Stay Safe on Public Wi-Fi Networks

Duplication and/or selling of the i-safe copyrighted materials, or any other form of unauthorized use of this material, is against the law.

A view through the Window

Video. Objectives. Vocabulary. Pedagogical Implications. Classroom Integration

Change Schema Active Directory Password Mac Users Can't

EXPERIENCES WITH VIRTUALIZATION TECHNOLOGY IN EDUCATION

EDINBURGH S TELFORD COLLEGE

Filesharing. Jason Healy, Director of Networks and Systems

Results of TEC Faculty Survey

Analyzing Systems. Steven M. Bellovin November 26,

Data Structures and Algorithms Dr. Naveen Garg Department of Computer Science and Engineering Indian Institute of Technology, Delhi.

Radius, LDAP, Radius, Kerberos used in Authenticating Users

SDC EMEA 2019 Tel Aviv

Introduction: UNCC COE MOSAIC Page 1 of 9

Outline Key Management CS 239 Computer Security February 9, 2004

Example File Systems Using Replication CS 188 Distributed Systems February 10, 2015

Integrating non-dce/dfs Desktops into an existing DCE/DFS Environment

SOE Computing Support

Encrypting Removable Media

IT Service Delivery And Support Week Four - OS. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

Not long ago, home local area networks were proof of their owner s geekhood. They were very

OPEN THE HOTLINE CLIENT

CONTENTS. Getting connected. Ethernet Setup. Connecting a Router. Logging on. Configuring DHCP in Windows. Configuring DHCP on a Mac.

Andrew Bartlett Hawker College

Bitcoin, Security for Cloud & Big Data

Windows 7 Overview. Windows 7. Objectives. The History of Windows. CS140M Fall Lake 1

Exam : Windows 7 Configuration PDF

Part I. Windows XP Overview, Installation, and Startup COPYRIGHTED MATERIAL

TO: Doctoral Students Expected to Register in EDD 1006 for Spring FROM: R. H. Red Owl, Ph.D., Professor

Hands-On Ethical Hacking and Network Defense Chapter 6 Enumeration

ISP Workshop Lab. Module 2 OSPF Areas

What does a file system do?

How to: Improve Agency Communication

Background. $VENDOR wasn t sure either, but they were pretty sure it wasn t their code.

Getting Microsoft Outlook and Salesforce in Sync

Building a Secure Wireless Network. Use i and WPA to Protect the Channel and Authenticate Users. May, 2007

Student Tech Guide. Get Help from the Information and Technology Solutions Center! link.mnsu.edu/studenttech. Big ideas. Real-world thinking.

SmarterMail v. Exchange: Admin Comparison

The Collaboration Cornerstone

Getting Microsoft Outlook and Salesforce in Sync

Authenticating Devices

Course Outline. Upgrading Your Skills to MCSA Windows Server 2012 R2 (Course & Lab)

Hands-On Ethical Hacking and Network Defense Chapter 6 Enumeration

Manual Ftp Windows 7 Server Configuration Up Home Premium

70-742: Identity in Windows Server Course Overview

Zoom User Manual. developed. Gary P. Davis. and. David J. Ayersman. for. Students and Employees of New River Community and Technical College

QuickBooks 2008 Software Installation Guide

How to set up your wireless network

MOC 6420A: Fundamentals of Windows Server 2008 Network and Applications Infrastructure

Freshservice Discovery Probe User Guide

15-498: Distributed Systems Project #1: Design and Implementation of a RMI Facility for Java

Printer and Driver Management

Step-by-Step: Migrating Exchange 2000 to Exchange 2003 Using New Hardware

Lab - Data Migration in Windows

CSCI 1100L: Topics in Computing Lab Lab 1: Introduction to the Lab! Part I

The collaboration app that keeps you connected to everyone and everything

CASE STUDY IT. Albumprinter Adopting Redgate DLM

Welcome to Windows 10. Love it or Avoid it

COMPUTING FUNDAMENTALS I

Helpdesk. Shopping for Technology. Talkin Tech Highlights... Computing on the Go!

Administration Of Active Directory Schema Version Checking

Johns Hopkins

Make $400 Daily. With Only. 5 Minutes Of Work

What a lot of folks might call the class but as we ll see later, it s not entirely accurate.

Camtasia Relay. Administrator Help. Release 1.2. September TechSmith Corporation. All rights reserved.

IPv6 investigation within Informatics. George Ross

The Challenges for Software Developers with Modern App Delivery

Stage 1 - The text based setup - Basic configuration (Partitioning and Formatting)

CompTIA A+ Accelerated course for & exams

google SEO UpdatE the RiSE Of NOt provided and hummingbird october 2013

Computer Visions Course Outline

Remote Access for End User Reference Guide for EpicConnect Access

Accessing CharityMaster data from another location

Transcription:

Windows 2000 Conversion Wrapup Al Williams (alw@psu.edu) Penn State Teaching and Learning with Technology SHARE 98, Nashville, TN Session 5822 1

Introduction We ve reorganized (again, and again, and ) Teaching and Learning with Technology Provides resources and support For teaching For students (labs) Do not do PSU Administrative Computing Have no authority over Colleges or Departments Part of Computer and Information Systems Oops that s now Information Technology Services ITS @ Penn State 2

My Group Classroom and Lab Computing (name changed from Distributed Computing) About 30 full time & 60 hourly employees Student Labs (44) Technology Classrooms (126) Workstations and Servers (2000) Serve up applications (hundreds) 42K Students at University Park campus 80K Students system-wide 3

Topics of Discussion Status last summer Completed Windows 2000 Upgrade Caused a political firestorm Current efforts Windows XP for summer 2002 Lessons Learned What next? 4

You Missed a Good One Monday 1:30 Session 5800 Windows 2000 and.net Security Solutions and Technologies Rand Morimoto Look for it in the Proceedings Great detail This session more introductory in nature 5

Status Summer 2001 In middle of W2K upgrade Big effort to manage applications Replaced older hardware Optimistic that we could make it 6

New GINA Graphical Interface for Network Authentication Create new PSUGINA Providing an installer Uses stub facility Registry points to PSUGINA We load MSGINA Keeps MSGINA 7

Logon Interface New GINA Capture userid and password Writes security event PSUGINA communicates with PALS (encrypted UDP) Calls MSGINA for Domain Logon 8

Print Accounting and Logon Server (PALS) Provides proxy server for DCE authentication W2K server running Gradient DCE DCE (K5) and K4 capable Secure, encrypted exchange with PSUGINA Enables same service to Mac Keeps log of who logs on 9

Windows 2000 Conversion Completed! Up and running for Fall Semester One lab renovation not finished Considerations for support of other operating systems Looked good Systems more stable than NT 4 Applications up and running 10

Supporting Other Operating Systems Need to support NTLM (authorization) All Access Account users joined to top Domain Passwords synchronized dynamically Users can connect from NT 4 W9X, ME Added software to Student File Server Apple IP Server Supports Mac file access on a cluster 11

Access Account Userids? In 1991 started project for single userid Called Access Account Everyone gets one when they join Penn State Central authentication service Started as MIT Kerberos V4 KDC and AFS Migrated to DCE and DFS 12

Userids and Passwords All Access Account userids in win domain Nightly update for changes PALS server still checking logon authentication Sets W2K password if not the same as DCE Added service to our win DC to accept password sets and user joins Disabled password change from workstation Use a web page to set DCE password 13

Domain Structure win.psu.edu staff.win.psu.edu labs.win.psu.edu otc.win.psu.edu 14

Other Services Added AIX Samba Server Provides access to DFS for Windows Provide mapping mechanism on desktop Added Sun Solaris Netatalk Server Provides DFS access to Mac Added Apple IP product to student file server 15

Political Firestorm Thought I had buyoff Some viewed synchronizing passwords as stealing passwords Some thought this was a security violation CIO got involved 7 week delay in services 16

Issues Issue of who owns the KDC Issue of whether duplicate sets of userids and passwords is a bad thing Issue of control point Lack of understanding of How Windows 2000 works Services that we deliver What customers want 17

Why is CLC Doing This? Developed expertise to support lots of computers in a distributed environment Shared that expertise Started delivering support and services Each one blessed No one appreciated the aggregate implication 18

What Implications? Other departments and colleges want what we have Want to authenticate to our Active Directory Want to use our software (when possible) PALS has become integral to PSU security Only record of logon / logoff Lots of folks using our GINA code Controlling Karl Bridge router authentication for all of PSU 19

Strategic Implications Should CLC be setting domain strategy for PSU? Is this the only way to deliver the services? Up till now, no interest in doing Windows Domain planning for PSU. Have stirred up interest! (or at least fear) 20

What Fears? Everything that we visited before is back DNS Why does my machine have that DNS name? Why do you want to run DNS? Why is it integrated with AD? File service Why are you doing file service? AD Accounts Why do you have Access Accounts in AD? Why do you need the real passwords? 21

Communications Breakdown Developed services strategy a year ago Communicated to my management It was largely ignored Perhaps no one thought we could do all that Not being ignored now 22

Current Efforts Educate Bridge the understanding gap Market the services strategy Build consensus Placate Try a one-way relationship with DCE Building and testing a separate AD Domain See what works and doesn t 23

Meanwhile Windows XP Target conversion this summer Roll out even more services Terminal server for software access Roaming profiles Services dependant on both authentication and authorization 24

Why Windows XP? Only way to get Windows 2000 maintenance Improvements in handling MSI packages Some nice new features Annual window of opportunity Only do major changes in summer Prepare for.net 25

What XP Features? Built in terminal server on Workstation This might be real useful for help desk Application Compatibility Mode Allows us to run some applications that don t run on Windows 2000 Native CD write capability Reliability improvement Seems even better than Windows 2000 26

What XP Features? Better plug and play Recognizes and uses more devices Not universal plug and play Digital media? New media player, movie maker, photo support Better power management (for laptops) 64-bit itanium support More policies 27

Windows XP Plan Prototype lab next month Only do XP equipment upgrades Migrate our way through all labs and classrooms this summer Improve servers to support Roaming profiles User file space upgrade Terminal server 28

Lessons Learned Sometimes it s better to be a planner than a doer Last reorganization diverted attention away from windows strategies Need to formalize our windows strategy Need to market the strategy and obtain senior management buy in We aren t just supporting PCs any more 29

Lessons Learned Active Directory really works Our objectives seem quite attainable Services for both DFS and NTFS Ubiquitous Access Account Ultimately Single Signon Lots of Windows applications are not Kerberized Still need NTLM 30

Lessons Learned Authorization is much more difficult than authentication They don t understand what I m saying Need to provide more basic windows education For peers For management 31

What Next? When in doubt reorganize! I have new job Develop strategy Recommend policy Market the ideas Build consensus 32

What Next Continue with XP conversion Also happen to be doing Mac OS X Build test bed for Active Directory integration into Kerberos / DCE realm Document everything in open forum Spend lots of time doing presentations 33

Objective Teach about services and capabilities of Windows Focus on services for customers Reach senior management Propose policy Build a Penn State Domain Strategy 34

What are Our Alternatives for Authentication? Continue with current Develop K5 interoperability with AD Extend the current process Deploy CyberSafe Active Trust style solution Drop back to NT4 approach 35

Continue With Current No changes to accounts process No changes to DCE password change web page All synchronization done by CLC Will add web service for password change management Works OK but Prefer central management of userid/password Prefer central management of password change 36

K5 Interoperable AD Need MIT Kerberos 5 Establish Trust between AD and K5 (DCE) All users joined to AD No passwords in AD Use K5 for Authentication Breaks NTLM and other services No services for older Windows (NT4 or older) Authorization synchronization is problematic 37

Extend Current Process Institutionalize control by Accounts sets passwords at user join www.work does password change for windows Accounts does immediate suspend Users and passwords in the root domain Authorizations work natively Single Sign On much easier All native services work 38

CyberSafe Active Trust Solution Third KDC mitigates and populates both K5 KDC Active Directory Works well Expensive Complicated No advantage over our synchronized approach 39

Return to NT4 Model No users in Active Directory No Authorization capability Use our own MSGINA Use PALS to do all authentication to DCE No capability to offer services for the rest of PSU Retains single point of control Roll back all new services 40

And the Winner Is? Watch this space for future developments! 41

References Lots available through Microsoft web pages New detailed information about AD authorization http://msdn.microsoft.com/library/enus/dnkerb/html/msdn_pac.asp?frame=true Look at what other Universities are doing Web references tend to move Building my own collection http://dsg.cac.psu.edu/support/domains/domstrat 42

Questions? 43

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback