Windows 2000 Active Directory Services Usage Guide version = 09Dec99 status = in progress.

Presentation transcript:


Why this Talk
- Review what W2ks Active Directory Services (ADS) enables and what it is
- Review how W2ks ADS might affect how existing services are designed, deployed and managed
- Review some implementation details we have learned
- Discuss what services could make sense to start developing or piloting today

Agenda
- What is the Microsoft Active Directory Service
- Directory Enabled Networking / Policy Based Management
- Policy Based Management Development Roadmaps
- Customer Relationship Management Solutions
- Service Partitioning Implementations
- Next Steps

What does ADS enable? Building block for the creation of service offerings where shifting the roles and responsibilities for service reporting, management and feature expansion from the Network Service Provider to Customer and the Customer’s customers can be easily achieved.

What is ADS…a DNS, LDAP and X.500 directory
[Diagram: a tree rooted at the Root container with Users, Machines, Applications, Devices, Marketing and Personnel beneath it; the legend distinguishes Container from Object]

What is ADS…a DNS, LDAP and X.500 directory (1)
- Domain Naming context rooted on “objectCategory” CN=Domain-DNS,CN=… entry
- Schema Class and Attribute definitions require “attributeId” w/ OID value syntax and “lDAPdisplayName” attributes
- Information organized hierarchically as objects within Organizational Unit (OU) containers
- Every ADS object supports specific or inherited Access Control List security

What is ADS…a DNS, LDAP and X.500 directory (2)
- Forest and Tree structure supports representation of a large business entity including departments, customers and wholesalers
- Within a Tree, namespace partitioning can be used to achieve the same levels of hierarchy
- Implicit Hierarchical and Transitive trusts lower initial configuration overhead
- Inter-Forest trusts allow for mergers and eCommerce relationships to be defined

…a Relational Database
- RDMS that is useful anytime an easy to manage, efficient distributed presence is required
- RDMS optimized for
  - Distributed, Replicated, Delegated Admin
  - Sparse objects
  - Lots of index creation and rebuild in support of queries
  - Reuse of record and field definitions in other tables
  - Data sets are assumed to not change rapidly
- Not a replacement for traditional RDMS services
  - i.e. financials/billing/accounting/subscriber Mgmt
  - existing databases can be the primary that populates ADS when changes occur, or the reverse

….a Front End Processor
- Authentication
  - RADIUS (PAP, CHAP, MsCHAP) / LDAP SASL / SmartCards [Certs] / Kerberos / NTLM / HTTP / SMTP / NNTP
  - Exchange adds POP3 / IMAP4 auth support
  - Any client (i.e. SecureId) that can do these protocols
  - Single sign-on dependent on client auth caching support
- Query
  - LDAP / ADSI / OLEDB / …
  - Any client device that can do these protocols
- Custom - Add new FEP protocol services

Microsoft Active Directory
[Diagram: Active Directory as the Management Focal Point for users & resources, security, delegation and policy, connected to:]
- Windows Users: account info, privileges, profiles, policy
- Applications: server config, single sign-on, app-specific directory info, policy
- Windows Clients: mgmt profile, network info, policy
- Windows Servers: mgmt profile, network info, services, printers, file shares, policy
- Network Devices: configuration, QoS policy, security policy
- Internet Firewall Services: configuration, security policy, VPN policy
- Other Directories: white pages, e-commerce
- Other NOS: user registry, security policy
- Servers: mailbox info, address book

Directory Enabled Networking
- Microsoft and Cisco / Adhoc Working group
  - DEN information model specification in ’97
  - LDAP schema representation created
- Taken over by Distributed Mgmt Task Force ‘98
  - CIM expected to absorb DEN Information model additions…appx. Q
- IETF working group plans to post LDAP schema implementation post CIM 2.3
  - LDAP schema implementation which required flattening and denormalization
- aka Policy Based Management (PBM)

What is Policy Based Mgmt?
- Policies applied based on service object storage location or security group membership
- Hierarchical, supporting global down to service level specific policy settings
- if (match policyXyz)
  - then do action1, 2, …
- Bottom Up Policy
  - End Station initiated policy processing
  - i.e. Dialup, QOS, VPN service request events
- Top Down Policy
  - Provisioned (/Pushed/Polled) policy processing
  - i.e. static, intermittently changing service configurations

Logical PBM Architectures
[Diagram]
- 1. Policy Store
- 1b. Policy “State Machine” Store [optional]
- 2. Policy Server
- 2b. Policy Server “Gateway” [optional]
- 2c. Policy “Change Notification” Server [optional]
- 3. Service Control (CPE, eCommerce, B2B, hosting, messaging, etc.)

Evolving PBM Standards
- Policy Store
  - LDAP, CIM derived LDAP, CIM, MIB, PIB, CMIP…
- Policy “State Machine” Store
  - Custom in-memory RDMS and LDAP servers
- Policy Server [/Gateway]
  - RADIUS, COPS, DIAMETER, LDAP, …
- Policy “Change Notification” Service
  - Custom function callback routines
  - Msft COM Event Sources & Sinks
- Service Control
  - CLI, WMI, SNMP, TMN, SS7, …

Microsoft PBM Solutions
- User DialUp and VPN’s
  - Internet Authentication Service RADIUS policies
  - IAS Policy “State Machine” Store
  - Commercial IAS RADIUS proxy
  - Voluntary or mandatory tunnels, Availability times, Call back settings, Filters, IP settings, Radius parameters, Name/Realm cracking rules
- QOS
  - W2ks End station signaling, marking and scheduling
  - Quantitative IntServ support i.e. Netmeeting, Wmt40+
  - Qualitative AppId/SubId support i.e. SAP, PeopleSoft
  - Qualitative DS and SQL replication being investigated
  - DCLASS(IntServ), TCLASS(DiffServ) policy updates

Microsoft QOS PBM (1)
- QOS Policy Enforcement Approaches
  - Top Down (aka Provisioned)
  - Bottom Up (aka End Station event driven)
- Top Down / Provisioned Options
  - VPN’s, Routes, Filters, DiffServ, etc.
- Bottom Up / End Station Options
  - Quantitative: Flow Classifier (src/dst/port) and Flow Specifier (data rate, peak, latency, jitter, loss) are known; DCLASS object from Policy Server can modify initial request settings
  - Qualitative: Flow Specifier only knows flow AppId and SubId; TCLASS object from Policy Server can modify initial request settings

Microsoft QOS PBM (2)
- Edge and Core approaches
  - IntServ/PerFlow state and shaping possible at the Edge
  - DiffServ/Aggregate possible in the Core
  - What you call the Edge can move further down or up the line as the desire for expended network device flow processing cycles decreases/increases
  - Layered Policy Enforcement Processing points allow for enforced SLA at the Edge and/or in the Core

Microsoft PBM Solutions (1)
- IPSEC
  - Classify by IP Src/Dst/Port
  - Filter Action Permit (permit/request/require), Tunnel Mode, Security Method, Authentication Method, Connection Type (all/lan/remoteAccess)
- Security
  - ACL’s, Users, Groups, Services, PXE setup, ….
- Software
  - Hotfixes, OS upgrades, Service Packs, 3rd party, ….
- Script processing
  - Startup, Shutdown, Scheduler (aka crontab) updates

Microsoft PBM Solutions (2)
- Group Policy Container / Group Policy Template
  - Extensible model for custom policy based settings
  - Default “Computer” or “User” configuration settings
  - i.e. CyberOffice configurations, disk quotas, etc.
- Futures
  - DHCP policy managed address space in support of load balancing
  - Routing protocol settings (OSPF/BGP), filters, net to net tunnels
  - Routing per user policies
  - ServiceXyz i.e. eCommerce, B2B, hosting, messaging, etc.

Cisco PBM Solutions
- User DialUp and VPN’s
- NAS configuration
- Cisco Network Services / Active Directory (CNS/AD)
  - QOS (qualitative and provisioned)
  - AccessVPN (CPE net to HQ net star configurations)
  - AccessRegistrar (Merit RADIUS server acquisition)
- Cisco Active Directory / Unix (AD/X)
  - Active Directory Replica service for Solaris & HPUX
  - Windows authentication services not available

Other PBM Solutions
- Ascend
  - User DialUp and VPN’s and NAS configuration via RADIUS
- 3Com Dynamic Access
  - Configured QOS, pushed aggregate marking …etc

PBM Dev Roadmaps
- Policy Store
- Policy Server
- Service Control
- Management
- Installer

PBM Dev – Policy Store
- Recall Evolving Standards = LDAP Schema, CIM derived LDAP Schema, CIM, MIB, PIB, CMIP…
- Option = Store Service and Policy Class/Attribute Instances in Active Directory Service
  - Derive from ADS category 1 classes
  - Derive your own from “TOP”
  - Derive from evolving CIM LDAP schema
- Note: use versioning on dev systems to avoid requiring domain reinstall to test new releases

PBM Dev – Policy “State Machine” Store
- High performance writes, implying non-replicated or limited replication
- Review IAS “State Server” SDK if you require a way to hook into RADIUS policy events
- Option 1 - Internet Locator Service
  - In-memory LDAP service on tcp/1002
- Option 2 - W2ks In-Memory Database Service
- Option 3 - database cache rich RDMS/SQL70 setup
- Option 4 - Custom State Machine storage
- All - Review COM+ Load Balancing Services for optional State Machine application fail over functionality

PBM Dev – Policy Store Refs
- Msdn / Platform SDK / Networking Services / AD / ADProgGuid / Extending the Schema
- Msdn / Platform SDK / Management Services / Group Policy / About Group Policy / Providing Policy for your Application
- Msdn / Platform SDK / Index on “Group Policy, implementation and Active Directory structure”

PBM Dev – Policy Store Refs (1)
- Msdn / Platform SDK / Networking Services / Networking Security / IAS / Working With a State Server
- Msdn / Platform SDK / Msg & Collab Svcs / WinNetMtg30Sdk / Using NetMtg / Internet Locator Service API
- Start / Help / Index / Site Server ILS service
- Msdn / Platform SDK / Services Provided by COM+ / In-Memory Database
- Msdn / Platform SDK / Svcs Provided by COM+ / Load Balancing

PBM Dev – Policy Server
- Recall Evolving Standards = RADIUS, COPS, DIAMETER, LDAP, …
- Option = Host on W2ks and leverage built in Group Policy API support
  - Read from the directory the services it is responsible for, or accept registration directly from services
  - Locates, via GC lookup, service storage location and security group membership to decide effective policies
  - Read from DS, at the interval polling time, the policies for which you want to register change event notifications
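The precedence the “What is Policy Based Mgmt?” and “Policy Server” slides describe (policies linked from the domain root down to the service’s own container, then policies keyed on security group membership, with the closer or later policy winning) as an added worked example; this is not code from the deck, and the DNs, policy names, settings and the “location first, then group” ordering are my assumptions:

```python
"""Effective-policy resolution for a PBM Policy Server (added example).

Assumptions (not from the slides): policies are linked to container DNs or
targeted at security groups; a policy linked closer to the service object
overrides one linked higher up, and group-targeted policies are applied last.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    settings: dict                       # the "then do action1, 2, ..." part
    groups: frozenset = frozenset()      # non-empty = "if (match policyXyz)" on group


def container_chain(dn: str) -> list:
    """Ancestor containers of an object DN, ordered domain root -> parent OU."""
    parts = [p.strip() for p in dn.split(",")]
    root_idx = next(i for i, p in enumerate(parts) if p.upper().startswith("DC="))
    chain = [",".join(parts[root_idx:])]          # the domain naming context itself
    for i in range(root_idx - 1, 0, -1):          # stop at 1: skip the leaf object
        chain.append(",".join(parts[i:]))
    return chain


def effective_policy(service_dn, member_of, linked_policies, group_policies):
    """Merge policies for one service object.

    linked_policies: container DN -> [Policy, ...] linked to that container
    group_policies:  [Policy, ...] whose .groups select by security group
    Returns (effective settings dict, list of policy names in application order).
    """
    effective, applied = {}, []
    # Top down: global (domain root) settings first, more specific OUs override.
    for container in container_chain(service_dn):
        for pol in linked_policies.get(container, []):
            effective.update(pol.settings)
            applied.append(pol.name)
    # Security-group membership: "if (match policyXyz) then do action1, 2, ..."
    groups = frozenset(member_of)
    for pol in group_policies:
        if pol.groups & groups:
            effective.update(pol.settings)
            applied.append(pol.name)
    return effective, applied


# Constructed sample policy store (not real directory data).
SAMPLE_LINKED = {
    "DC=isp,DC=example": [
        Policy("Default-Dialup", {"max_session_min": 720, "callback": "none",
                                  "idle_timeout_min": 30}),
    ],
    "OU=Services,DC=isp,DC=example": [
        Policy("Services-Baseline", {"idle_timeout_min": 15}),
    ],
    "OU=VPN,OU=Services,DC=isp,DC=example": [
        Policy("VPN-Tunnels", {"tunnel": "mandatory", "idle_timeout_min": 60}),
    ],
}
SAMPLE_GROUP = [
    Policy("Wholesale-Callback", {"callback": "caller-set"},
           frozenset({"Wholesale-Ops"})),
]


def demo():
    """Resolve policy for a VPN service object run by a wholesale operator."""
    return effective_policy(
        "CN=vpn1,OU=VPN,OU=Services,DC=isp,DC=example",
        ["Domain Users", "Wholesale-Ops"], SAMPLE_LINKED, SAMPLE_GROUP)


if __name__ == "__main__":
    settings, applied = demo()
    print(applied)     # ['Default-Dialup', 'Services-Baseline', 'VPN-Tunnels', 'Wholesale-Callback']
    print(settings)
```

Changing a service object’s container or group membership changes its effective settings without touching any policy, which is exactly why the slides tie policy to storage location and group membership.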

PBM Dev – Policy “Change Notification” Server
- Policy change notification and immediate push updates to services
- Option 1 - Custom update UI that triggers a policy push update when policy changes are applied
- Option 2 - LDAP “persistent search” settings applied to policy managed OU’s
- Statically define the set of policies that enable “Change Event” notification in order to scale the solution

PBM Dev – Policy Server Refs
- Msdn / Platform SDK / Networking Services / Networking Security / IAS
- Msdn / Platform SDK / Networking Services / LDAP API / Using the LDAP API in a Client Application
- Msdn / Platform SDK / Management Services / Group Policy

PBM Dev – Service Control
- Recall Evolving Standards = CLI, WMI, SNMP, TMN, SS7, …
- Option = Expand on service’s OS support for any of the above to enable PBM of service
- Option = Migrate service’s control OS or core OS to W2ks and reuse the existing API support for these management protocols

PBM Dev – Service Control (1)
- Hosting Device Publication in Policy Store
  - Use Msft open source LDAP client w/ SASL Kerberos authentication support (TBD)
  - CLI routine requesting domain and container to self publish in
  - Local storage denoting publication complete and location
- or
  - Admin snap-in for manual creation/publication of hosting device object
  - CLI routine for statically configuring location of the object representation that the Admin snap-in manually published

PBM Dev – Service Control (2)
- Service Publication in Policy Store
  - Use Msft open source LDAP client w/ SASL Kerberos authentication support (TBD)
  - CLI routine requesting domain and container to self publish in
  - Local storage denoting publication complete and location
- or
  - Admin snap-in for manual creation/publication of hosting device object
  - CLI routine for statically configuring location of the object representation that the Admin snap-in manually published

PBM Dev – Service Control Refs
- Msdn / Platform SDK / Management Services / WMI
- Msdn / Platform SDK / Networking Services / SNMP

PBM Dev – Management
- Recall Evolving Standards = ???
- Option = Create a Microsoft Management Console Snap-In
  - One for mgmt of Service and Policy instances
  - Create your custom snap-in
    - Create creation wizard
  - or Extend ADS category 1 classes MMC snap-in
    - Add creation wizard pages for mandatory attributes

PBM Dev – Management Refs
- Msdn / Platform SDK / Networking Services / AD / ADProgGuid / Extending the User Interface for Directory Objects

PBM Dev – Installer
- Recall Evolving Standards = AcmeSetup, SetupAPI’s, InstallShield, …
- Option = Use the W2k Windows Installer
  - Derive from Platform SDK Windows Installer sample code
  - or Build your own from scratch using Windows Installer Documentation

PBM Dev – Installer Refs
- Software defined using Microsoft Installer .MSI files is easily managed and self repairing
  - pers/installer.asp
- Natively Author MSI
- Repackaging Software in MSI
  - equivalent to before and after snap shooting
  - ZAP’s only work for “published” software deployments
  - Veritas WinInstall LE included in platform to provide simple repackaging of software to MSI
  - ininstall/default.asp

PBM Dev – Installer Refs (1)
- Msdn / Platform SDK / Management Services / Setup / Windows Installer

Customer Relationship Mgmt
- aka Enterprise Application Integration (EAI)
- Services / Acronyms
  - OLTP – On Line Transaction Processor
  - ERP – Enterprise Resource Planning
  - ETL – Extraction, Transformation & Loading
  - DW – Data Warehouse
  - DM – Data Mart (vertical team DW)
  - OLAP – On Line Analytical Processing
- CRM future according to Siebel Systems
  - 2.2 billion software market
  - 54% compounded annualized growth rate
  - Lucent cites that this growth will involve both software and hardware updates

CRM – Food Chain
- OLTP -> ERP -> [ETL ->] DW | DM -> [ETL ->] OLAP
- CRM: OLTP | ERP | ETL | DW | DM | OLAP
- CRM Data: Network Security & Resources
- Identity is the aggregated summary of Xyz
  - Most often identity data is in too many places
  - Not all identity is exposed through directory interfaces
  - No single place to access or manage aggregated identity
- Meta Directories can play the key role in creating and presenting CRM interfaces

CRM – Food Chain (1)
[Diagram: a PBM Services Environment and a Customer Care Environment (= Vertical Application/Database Services: Billing, SLA Data, Orders...) are each kept in partial 2-way synchronization with a CRM Environment providing “Denormalized Access”; Customer Service Representatives and Delegated Ops work through a Front End that carries CCE Tasks, Support Calls & some CCE/PBM Tasks, and PBM Tasks]

CRM – Meta Directory Sync
- Two way connectors included for sync with
  - Novell NDS, LDAP (i.e. Exchange 5.5, NSCP, etc.)
- One way connectors included for sync with
  - /etc/passwd, /etc/shadow
- Connectors creatable via ADSI, OLEDB, etc. for sync with
  - SQL, Oracle, DB2, etc. or flat file databases
- Exchange one way connectors for sync with
  - Lotus Notes, GroupWise, etc.
- LDIF Directory Sync Bulk import/export tool

CRM – Meta Directory Sync (2)
- Microsoft is committed to directory interoperability
- Helping customers reduce the cost and complexity of directory management
- Acquired Zoomit on Wed 07Jul99
- Zoomit's technologies being integrated with Active Directory Services
- ISV solutions also available i.e. IsoCor and MetaConnect

Service Partitioning Architecture - Services
- Desire Highly Available and Scalable Services
- SLC = Stateless Clusters
  - Used for services where changes need not be persisted
  - Requests spread out over set of nodes in cluster
  - Host failures usually result in rerouting of requests
  - Implemented using network or platform SLC solution
- SFC = Stateful Clusters
  - Used for services where changes must be persisted
  - Requests are partitioned across available clusters
  - Host failures usually handled via fail over or some form of fault tolerant recovery
  - Implemented using HW or platform SFC solution

Service Partitioning Architecture - Services (1)
- RFS = Reliable File Service
- SSM = Service State Machine
- RDMS = Relational Database Service
- DS = Directory Service
- AS = Autonomous System encapsulating DataCenter Network layer 3 address space

Service Partitioning Architecture - SLC
- Must use “Scaling Out” for Stateless services
  - “Scaling Up” may eventually reach a current technology ceiling for your service requirements
  - “Scaling Up” has an implied level of risk associated with a given node
- “Scaling Out” Stateless services
  - Microsoft Network Load Balancing Service (NLBS)
  - Cisco Local Director, F5 Labs BigIP, RnD Web Service Director, Alteon AceDirector, etc.
- NLBS currently supports 32 node clusters
  - More nodes per cluster can be achieved by linking clusters together with DNS Round Robin

Service Partitioning Architecture - SFC
- Must use “Scaling Out” for Stateful services
  - “Scaling Up” may eventually reach a current technology ceiling for your service requirements
  - “Scaling Up” has an implied level of risk associated with a given node
- “Scaling Out” Stateful services
  - Microsoft Cluster Service (MSCS)
  - Marathon Technologies, Stratus Melody, etc.
- MSCS currently supports N + 1 clustering
  - Where N = 1 max today on AdvancedServer, N = 3 on DataCenter, N = more to follow with OEM solutions
  - Active/Active configuration also supported

Svc Part, Architecture - DataCenter
[Diagram: Application/service requests enter the SLC tiers (HTTP, SMTP, POP3, IMAP4, LDAP, etc.; SLC RFS & RDMS...), which use the SLC DS to look up the SFC partition; behind them sit the SFC RFS, SSM & RDMS... and additional SFC RFS, SSM & RDMS... partitions; SLC updates arrive from outside sources at scheduled times]

Implementation – Headless Ops
- Templates for jumpstart setup of DS host roles – initial domain root, replica, child, child replica
  - ftp://ftp.microsoft.com/services/isn/ops/setup/$oem$w2ks.zip
- Out-Of-Band hardware and software
  - TTY access = Compaq IRC | Phoenix Firmware | Apex Emerge RSA | …
  - Power control = Compaq IRC | Apc Masterswitch | …
  - Vt100 Terminald = Seattle Labs | Interix | …
- Couple with recovery models to enable “Lights Out Operation”
- Note: fixed IP’s required for DC’s operating DNS service for domain

Implementation - Integration
- Windows NT 4.0 hosted services plug in as Member Servers
- Services see domain via downlevel domain support
- Gain unlimited scaling of downlevel domains
- Multidomain support within a single W2ks domain install
- Easy migration from Windows NT 4.0 hosted services to Windows 2000 hosted services

Impl. – Outsourced & Wholesale Use
- One host can support Multi-domain hosting today
  - Nsg tested 10k+ customers w/ 100 users in each
  - Limited to single schema, resolved in future versions
- OU’s with UpnSuffixes versus default domain
- Wholesale operators can operate
  - their own standalone ADS
  - ADS linked to provider ADS via peer (root domain) or hierarchical (child domain) trusts
  - a provider operated ADS with the wholesale customer under an OU and their customers as sub-OU’s
- Delegation of Admin supported by ACL’s
- Search result view control supported by ACL’s

Implementation – Directory Access
- Global searches provided by Global Catalog
  - Accessed via ADSI or LDAP
  - port = 3268
- Authentication and complete attribute set value lookups provided by Domain Controller
  - SSPI/Kerberos Auth’s ports = 88 svcTck, 464 pwdChg
  - ADSI/LDAP Read/Write ports = 3268, 389, 636 (SSL)
- For extensive w2ks and services port listing
  - ftp://ftp.microsoft.com/services/isn/ossbss/security/ipFilters.htm

Implementation – Recovery
- Failure/Recovery level 0 - server crashes
  - recycle and recover from local transactional logs
- Failure/Recovery level 1 - lose replica dc
  - bring back into service using replicas still operating
  - OR configure daily | ??? System State Backups to net
    - rebuild host with unattended setup template
    - “F8” boot option “Active Directory Restore Mode”
    - restore using .bkf off of network reliable storage
    - let differential sync take care of rest
    - ship cdImage of Noc restore for Pop with low bw connection or available storage

Implementation – Recovery (1)
- Failure/Recovery level 2 - lose root dc | operations master
  - shift operations masters and rebuild/reintroduce as replica
  - MMC snap-in and reskit “ntdsutils” used for transfers & seizures
  - or use System State Backups off net reliable storage to recover as root
  - Use “F8” boot option “active directory restore mode” to restore the system state backup

Implementation – Recovery (3)
- Flexible Schema Master Operations (FSMO)
- Plan locations of your Operations Masters
  - Schema – add attributes and classes
  - Domain Naming – add/removal of domains in forest
  - Relative Id – allocs sequences of object id suffixes to dc’s hosting domain, used in conjunction with domain’s security id prefix to create unique object id’s
  - Pdc Emulator – downlevel pwd updates and bdc replication, receives preferential pwd replication in native mode domains
  - Infrastructure – Group to user references / memberships
- MMC snap-in and reskit “ntdsutils” used for transfers & seizures

Implementation – Recovery (4)
- Schema attribute and class deletions not supported in version 1.0
- Schema could perhaps end up with lots of IsDefunc entries over time
- Wipe and rebuild of directory not practical when million+ objects exist
- Develop and test only in non-production environment
- Note: use versioning on dev systems to avoid requiring domain reinstalls to test new releases

Implementation – Storage
- No LDAP access performance degradation found from 0 through 1.1 million objects
- User object largest due to number of mandatory attributes = 6
- Object size w/ 6 mandatory attributes = 3,649 bytes
- 500k objects = 1.8GB, linear extrapolation holds true

Implementation, Storage (2)
- Linear extrapolation: 5mil objects = 18GB
- Defragmentation important after bulk loads
- Allow 2x calculated number for fragmented periods
- Each additional attribute with a string size of 10 characters adds approximately 100 bytes to an object’s size
- 50mil objects in DS
- See Reskit for overview and latest numbers
  - W2kReskitOnlineBooks/DistributedSystemsGuide/ActiveDirectoryDataStorageAndNameResolution/ActiveDirectoryDataStorage/StorageLimits/GarbageCollection
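The sizing rule the two Storage slides give (3,649 bytes per user object with 6 mandatory attributes, about 100 bytes per extra 10-character string attribute, linear extrapolation, 2x during fragmented periods) as an added calculator, not code from the deck; decimal gigabytes and the inverse “how many objects fit a volume” function are my assumptions:

```python
"""Directory store sizing from the figures on the Storage slides (added example).

Assumptions (mine): GB means 10^9 bytes; the per-object figures and the 2x
fragmentation allowance are the slides' numbers applied linearly, as the
slides report held true up to 1.1 million objects.
"""
BASE_OBJECT_BYTES = 3_649         # user object with its 6 mandatory attributes
MANDATORY_ATTRS = 6
EXTRA_STRING_ATTR_BYTES = 100     # per additional ~10 character string attribute
FRAGMENTATION_FACTOR = 2          # allowance for periods after bulk loads
GB = 1_000_000_000


def object_size(extra_string_attrs: int = 0) -> int:
    """Bytes per object once extra 10-character string attributes are populated."""
    if extra_string_attrs < 0:
        raise ValueError("attribute count cannot be negative")
    return BASE_OBJECT_BYTES + extra_string_attrs * EXTRA_STRING_ATTR_BYTES


def estimate_store(num_objects: int, extra_string_attrs: int = 0,
                   fragmented: bool = False) -> int:
    """Store size in bytes by linear extrapolation, optionally with the 2x allowance."""
    size = num_objects * object_size(extra_string_attrs)
    return size * FRAGMENTATION_FACTOR if fragmented else size


def estimate_gb(num_objects: int, extra_string_attrs: int = 0,
                fragmented: bool = False) -> float:
    return round(estimate_store(num_objects, extra_string_attrs, fragmented) / GB, 1)


def max_objects(volume_gb: float, extra_string_attrs: int = 0,
                fragmented: bool = True) -> int:
    """Objects that fit a volume while leaving room for the fragmented period.

    This is the inverse question the slides do not answer directly: given the
    disk you have, how large a directory can you safely bulk load into it.
    """
    per_object = object_size(extra_string_attrs)
    if fragmented:
        per_object *= FRAGMENTATION_FACTOR
    return int(volume_gb * GB) // per_object


def volume_plan(num_objects: int, extra_string_attrs: int = 0) -> dict:
    """The numbers an operator would size the data partition from."""
    steady = estimate_store(num_objects, extra_string_attrs)
    return {
        "object_bytes": object_size(extra_string_attrs),
        "steady_state_gb": round(steady / GB, 1),
        "bulk_load_peak_gb": round(steady * FRAGMENTATION_FACTOR / GB, 1),
    }


if __name__ == "__main__":
    print(volume_plan(500_000))          # steady_state_gb 1.8, matching the slide
    print(volume_plan(5_000_000))        # steady_state_gb 18.2, slide rounds to 18GB
    print(max_objects(36))               # objects a 36GB volume holds with 2x headroom
```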

Implementation - Performance
- LDAP Query
  - > 40k queries/s via LDAP recorded by Cisco test team (latest numbers are ???)
- LDAP Authenticated binds
  - > 1000 auth/s recorded by Cisco test team (latest numbers are ???)
- RADIUS
  - Modem connections = 10% of user base but this increases/changes with xDSL, Cable and ISDN
  - Auths/sec = % (i.e. 200/sec for 1mil subs) which may drop with xDSL, Cable and ISDN
  - 400 auth/sec recorded by Cisco test team (latest numbers are ???)

Implementation – Performance (1)
- Improved HW I/O paths scale up performance
- Referrals to multiple DC’s scale out performance
- Use Windows Load Balancing Service to scale up read-only custom app queries

Implementation – Performance (2)
- DC’s and GC’s replication is I/O bound
- Use Switched paths between DC’s
- Fiber channel disk controllers
  - New PCI Xtended will help improve SCSI perf
- HW level Raid5, or disk OS Raid5 layered over multiple HW volumes, collapses into a single data partition volume simplifying distribution of I/O
- Lots of small drives have better I/O impact than fewer Large drives
- Directory Sys, Data and Log on separate partitions

Implementation – Performance (3)
- Chkdsk /l:
  - default is 4MB, maximum 64MB
- Hklm\Sys\Ccs\Ctrl\FileSystem
  - LastAccessUpdateDisabled = 1 Disables updating last access date and time
  - NtfsDisable8Dot3NameCreation = 1 Disables creation of 8 dot 3 file names
  - Test first with application suite that will be present
- Memory allocation of network server service
  - optimized for network applications
- Priority scheduler to Max for Background jobs

Implementation – Tools & Docs
- W2k Reskit utilities
  - Dsastate.exe, RepAdmin.exe, ReplMon.exe, DnsCmd.exe, NetSh.exe, Shutdown.exe
- ActiveDirectorySitesAndServices/Sites/InterSitesTransports/IP/DefaultIPSiteLink/Properties/ChangeSchedule
- Wk2ReskitOnlineBooks/DistributedSystemsGuide/activeDirectoryDataStorageAndNameResolution/ActiveDirectoryDataStorage/StorageLimits/GarbageCollection

Reiterating…What does ADS enable? Building block for the creation of service offerings where shifting the roles and responsibilities for service reporting, management and feature expansion from the Network Service Provider to Customer and the Customer’s customers can be easily achieved.

Next Steps…
- Network Equipment Provider
  - Choose a development roadmap that best fits your plans
  - Create an initial market analysis demo or pilot capable solution
  - Evolve as standards do
- Network Service Providers
  - Choose a useful W2ks ADS Policy Based Managed service and pilot
  - Choose a CSR application and leverage CRM / Meta Directory services to improve overall solution
  - Build a highly Available & Scalable service leveraging W2ks ADS as a SRC host locator

Next Steps Refs
- Relevant NSG materials available on
  - ftp://ftp.microsoft.com/services/isn/svcs/ds
  - ftp://ftp.microsoft.com/services/isn/ops
- Review W2ks on-line documentation
  - Start/Help
- Review W2k Reskit on-line documentation
- Review Msdn / Platform SDK documentation
- Questions