Deployment Aids

• Sysprep used to help deploy Server and Advanced Server.– Sysprep prepares a Pro or Server

installation for duplication to identical hardware.• Run sysprep, cut an image, copy image• Deletes security identifiers, user and system

specific data• Regenerates on reboot

Deployment

• Remote OS Installation– Server hosted equivalent CD

• Remote Installation Service

– Requires DNS, DHCP, Active Dir.– Installed on a shareable volume– Can’t be on the server’s system drive

• Formatted as NTFS

Command Interface

• Start / Run / Command– Example

• Netstat /?

Naming Conventions

• Distinguished Name DN– Defines the domain and the related containers in

which the object resides.

• Relative Distinguished Name RDN– An attribute of an object

• Globally Unique Identifier – Avoids duplication, ensures uniqueness, a 128 bit

number assigned to an object on creation and stored with it.

Naming Conventions

• User Principal Name UPN– Combines the user account name with the

domain name where the account exists

• Domain Component DC

• Organizational Unit OU

• Common Name CN

Microsoft & Directory Services

• MS does not support an extension of LDAP, called LDAP Duplication Update Protocol.– Violation of directory rules can lead to

cascading errors in directory– Uses synchronization to populate and update

directories

Microsoft & Directory Services

• Microsoft left out major portions of the X.500 protocol in the AD.– B/C Dependent on OSI networking layer and

lack of public interest.– Elements include:

• Dir. Access Prot, Dir. Systems Prot., Dir Info Shadowing Prot.,Dir Operational Binding Management Prot.

What is a directory service?

• A directory is like a database, but tends to contain more descriptive, attribute-based information. The information in a directory is generally read much more often than it is written.

• Directory updates are typically simple all-or-nothing changes, if they are allowed at all.

• Directories are tuned to give quick-response to high-volume lookup or search operations.

LDAP

• Lightweight Directory Access Protocol.

• A directory service protocol that runs over TCP/IP.

• The details of LDAP are defined in RFC 1777 "The Lightweight Directory Access Protocol."

LDAP

• The LDAP directory service model is based on entries.

• An entry is a collection of attributes that has a name, called a distinguished name (DN).

• Each of the entry's attributes has a type and one or more values.

LDAP

• Types are typically mnemonic strings, like "cn" for common name, or "mail" for email address. – mail attribute might contain the value

"bdobs@psu.edu– jpegPhoto attribute would contain a

photograph in jpeg format

How is the information arranged?

• Directory entries are arranged in a hierarchical tree-like structure that reflects political, geographic and/or organizational boundaries.

• Entries representing countries appear at the top of the tree.

• Below them are entries representing states or national organizations.

• Below them might be entries representing people, organizational units, printers, documents,

LDAP Tree

C=GB C=US

O=PSU

CN=Rick Evans

CN=Richard Evans

mail=revans@psu.edu

How is the information referenced?

• Entry is referenced by its distinguished name, constructed by taking the name of the entry itself (called the relative distinguished name, or RDN) and concatenating the names of its ancestor entries.– For example, the entry for Rick Evans in the example

above has an RDN of "cn=Rick Evans" and a DN of "cn=Rick Evans, o=PSU, c=US". The full DN format is described in RFC 1779, "A String Representation of Distinguished Names."

Resources

• http://www.oblix.com/pointofentry/ldap/index.html

Trusts

• Two-way transitive trust– Automatically achieved between domains in

the same tree or can be established between domains on separate trees.

• Explicit one-way trust– Created between specific domains in two

different forests and provide one-way restricted permissions.

Domain Trees & Child Domains

• When should a child be created?– Is decentralized administration desired– Do you need tight/localized administration– Do business activities dictate separate

domains– Do account policies need to differ

Domain Trees & Child Domains

• When should a forest be created?– Are the business activities extremely different?– Are there reasons for maintaining separate identities

• Unique trade names

– Do joint venture or partner relationships exist that require tighter control over network resources.

• Enforcing direct administrative and security restrictions

User accounts

• Unique identifier– SID – security identifier– User and group SID’s form the security token– Unique, must be regenerated if account is

deleted.– Mapped to the Access control list

• DACL – discretionary access control list is a security descriptor, who has permission to use.

Profiles

• Local User – maintained on each system in the users profile directory.

• Roaming – allows users to move from system to system, located in shared directory of server.

• Mandatory – restricted by sysadmin to permit consistent desktops.– Ntuser.dat to Ntuser.man

Contents Profile Directory

• Cookies

• Desktop

• Favorites

• My documents

• Start Menu

All users profile

• Application Data

• Local Settings

• NetHood – domains & files accessed

• PrintHood

• Recent

• Send To

• Templates for Office Apps.

Novell NetWare

• 1983 – NetWare/86 file & print sharing• NetWare 286 – multitasking• NetWare 386 – larger networks• NetWare 4.11- IntraNetware• NetWare 4.2 – NetWare for small Business• NetWare 3.2 mid size networks/older cpus• 1998 Netware 5.0 – larger networks• 2003 Netware 6.5 - Internet

NetWare

• IP protocol– Backward compatible to IPX

• Java enabled

• NSS – Novell Storage System– Volumes & Mounts

File Server Capacity

Capability Netware 5 Netware 4

Concurrent Open files

1019 100,000

Directory Entries per volume

1019 16 million

Volumes per sever Unlimited 64

Segments per volume

Unlimited 8

Max Disk Cap 8TB 4TB

Max File Size 8TB 4GB

NetWare

• NetWare Loadable Modules NLM’s– Add hardware without rebooting– Remove without stopping server– Increase volume size while S is running

• Multiprocessor kernel MPK• Supports symmetrical multiprocessing H/W (SMP)• Multithreading• Up to 32 processors - Questionable release date

NetWare

• NetWare Directory Services– Organizes users, groups, devices into a tree

like structure• NDS Tree

– Single user login– Scalable, up to unlimited sizing

• 1999 test had a billion users

NetWare

• Novell's core-services are wrapped around NDS eDirectory, a robust, cross-platform directory service.

• NDS eDirectory ships with NetWare 5.1 and is available in versions that run natively on Linux, Solaris, and Windows 2000 and NT - no NetWare required.

NetWare

• NDS - NetWare's central feature. All the services that ship in the NetWare 5.1 box, all those available from Novell separately and even most third-party additions plug into the directory to become part of a fabric of integrated services.

• This integration gives administrators a replicated, fail-safe, single point of administration.

• Users, get one place to search for enterprise wide resources and one point of authentication to gain access to those resources.

NetWare

• Fault tolerance (3 Levels)– SFT1 single server, when a sector goes bad,

the bad sector to a good one. Hot fix.• Redundant volume data structures

– SFTII level two, has all the features of one and uses disk mirroring and duplexing

• Duplexing has a controller for each drive

Mirror

Duplex

• Fault tolerance (Cont)– SFTIII Level three consists of SFT II plus

server mirroring, or redundant servers.– Two servers connected using a high speed

Mirrored Server Link (MSL)– Nonstop operation using an entirely

redundant server.

NetWare

• Security– Public key infrastructure PKIS

• Enables public key & cryptography and digital certificates. Local certificate authority & SSL

– Novell International Cryptographic Infrastructure– Enable cryptography services for confidentiality, integrity,

and authentication

– Secure Authentication Services SAS– Auditing

NetWare

NetWare 5.1's security

• built on an RSA dual-key-encrypted security store

• authentication methods-- passwords, tokens, biometrics, smartcards and X.509 certificates

• Cryptography services in the form of Novell's International Cryptographic Infrastructure (NICI) ship with and plug into NetWare's modular security services and provide DES/RC2/RC4 data encryption of 56-bit to unlimited strength.

NetWare 5.1's security

• NetWare 5.1 automatically creates a directory-based CA and generates a server certificate, which it uses for the Web-accessible NetWare Management Portal (NMP) and the Enterprise Web Server.

NetWare 5.1's security

• SSL-enabled and secure out of the box with NetWare 5.1

• NetWare supports minimum password lengths, intruder detection lockout and unique passwords– does not have a built-in method for

identifying weak passwords or forcing users to use punctuation marks or other special characters in their passwords.

NetWare

• DNS & DHCP

• LDAP

• Web Server– Netscape FastTrack Server

• FTP & Unix printing services

• NIS, telnet, XConsole

NetWare

• Client support– Windows– UNIX– OS/2– MacOS– DOS

NetWare

• ZENWorks – Zero Effort Networks

NetWare

• NetWare NFS services– Two parts NFS gateway & NFS server

• Gateway permits clients to access a Unix file system as a NetWare volume

– NFS server exports NetWare volumes to Unix and other NFS clients

• Access is granted using traditional Unix Mount commands

– Line printer/Line printer Daemon LPR/LPD– Built on Sun’s NFS services 2.0

NetWare

• NDS for Non-NetWare Platforms– NDS for NT

• NWAdmin Snap-in

– NDS for Unixware– NDS for Solaris– Others

NetWare

• NDS Directory Tree– Graphical display of the network– Consists of objects that are resources– Displays relationships– Objects have properties and values

• Property defines a function• Value are the data for the property

NetWare

• NDS tree Objects– Container (4)

• Root• Country• Organization• Organizational Unit

– Leaf objects• User, printer, file server (16)

NetWare

• File System– File Server– Volumes– Directories– Files

• Rights Supervisor,R,W,Create,Erase,Modify,File Scan,Access Control

NetWare

• Web-based management tool- NMP– create and delete NDS users and groups,

manage the Enterprise Web Server, the NetWare Web Search Server and the NetWare News Server.

– access volume management, trustee assignments, server management, NDS management, remote-server access to other NetWare 5.1 server portals and limited access to the file systems on NetWare 5 and 4.x servers in the same tree.

NetWare

– The NMP provides hardware information, console screens and server-health monitors.

– mount and dismount volumes, set volume attributes and server parameters, restart servers, manage connections, broadcast messages to connected users, view statistics and graphical representations of server performance, debug problems, and execute console commands.

Costs

• Windows 2000 Advanced Server, $3,999 with 25 client access licenses

• NetWare 5.1, $3,155 for 25-connections

• Solaris 8, free, Sun Microsystems

NetWare 6 Features • There are a broad range of features.• Many features are not available in other

NOSs.

Storage Management • Server storage is divided into logical

volumes.

• A volume may be one or more hard drives, CD-ROMs, DVDs, or SANs.

• A storage volume can contain eight terabytes.

Storage Management

Storage Management• NetWare supports storage virtualization.• Storage pools can be from 1 to 254 volumes.• Storage pools can exceed the physical storage

currently available.

Deployment• No additional client software is required to

connect to a NetWare server.• NetWare automatically recognizes and supports

protocols from different client operating systems.• NetWare 6 can be installed incrementally to

existing networks.

iPrint• Any LAN printer can be accessible through the

Internet.• iPrint can create a facility floor plan that shows

the physical location of printers.• Users click on the printer icon to select the

printer to use.• Printer drivers are automatically downloaded

and installed.

iPrint

iFolder• Provides remote users a simple means of

accessing files on a NetWare server.• Files and directories are accessed by special

software or a Web browser.• Transmitted files are encrypted.• iFolder provides synchronization.

eDirectory • eDirectory is Novell NetWare’s directory service.• It can manage users running different NOSs.• It can create dynamic groups.• Persistent search can take action whenever

change occurs.

User Accounts• Performed at ConsoleOne • Name• Surname• Password