Windows Server 2008 R2 Unleashed (55 page)

FIGURE 8.10 Synchronizing multiple identities with FIM. (Figure not reproduced; visible panel labels include "UNIX LDAP Directory" and "Username: Mills".)

In addition to creating these accounts, all associated accounts can be automatically deleted or disabled through a deprovisioning process in FIM. By automating this process, administration of the multitude of user accounts in an organization can be simplified and the risk of accidentally leaving a user account enabled after an employee has been terminated can be minimized.

The following high-level example demonstrates the steps required to set up simple account provisioning. In this example, an AD DS domain is connected to FIM, and any user accounts created in that domain have corresponding Exchange mailboxes created in a separate Active Directory resource forest:

1. Install FIM.

2. Configure a management agent for the connected AD DS domain.

3. Configure the AD DS MA so that the attributes necessary to create a resource mailbox flow into the metaverse.


4. Configure the attribute flow between the AD DS MA attributes and the FIM metaverse.

5. Configure an additional MA for the AD DS Exchange Resource domain.

6. Ensure that the AD DS Exchange Resource MA attributes that FIM will need to create the mailbox are set. These include the object types container, group, inetOrgPerson, organizationUnit, and user.

7. Using Visual Studio, configure a custom Rules Extension DLL to provide for the automatic creation of a mailbox-enabled user account in the resource forest. In this case, the DLL must use the MVExtensionExchange class in the script.

8. Install this rules extension DLL into the metaverse.

9. Configure run profiles to import the information and automatically create the mailboxes.

The example described previously, although complex, is useful in situations in which a single Exchange Server forest is used by multiple organizations. The security identifier (SID) of the AD DS account is imported into the metaverse and used to create a mailbox in the resource forest that has the external domain account listed as the Associated External Account. Through a centralized FIM implementation, the Exchange resource forest can support the automatic creation of resource mailboxes for a large number of connected domains.
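As an added illustration of steps 7 through 9 (this is not the book's code, and it is not the MVExtensionExchange sample the book refers to), the following C# metaverse rules extension shows the shape of the logic: it creates a user connector in the resource-forest MA for each new AD DS person, carries the source-forest SID across so the resource mailbox lists the external account as its Associated External Account, and, on the deprovisioning path the chapter stresses, makes sure the resource account is disabled once the source marks the employee as terminated. The MA name "Resource AD MA", the container OU=Mailboxes,DC=resource,DC=local, the metaverse attributes employeeStatus and objectSid, and the class name MVExtensionObject are assumptions; the Exchange-specific mailbox-enabling attributes are left to the rules extension the book describes.

```csharp
// Added example, not from the book. A FIM Synchronization Service metaverse
// rules extension, compiled to a DLL and installed as in step 8.
// Assumed names: MA "Resource AD MA", container OU=Mailboxes,DC=resource,DC=local,
// and metaverse attributes employeeStatus and objectSid flowed in from the AD DS MA.
using System;
using Microsoft.MetadirectoryServices;

public class MVExtensionObject : IMVSynchronization
{
    private const string ResourceMaName = "Resource AD MA";                      // assumed
    private const string MailboxContainer = "OU=Mailboxes,DC=resource,DC=local"; // assumed
    private const long UfNormalAccount = 0x0200;   // userAccountControl NORMAL_ACCOUNT
    private const long UfAccountDisable = 0x0002;  // userAccountControl ACCOUNTDISABLE

    public void Initialize() { }
    public void Terminate() { }

    // Called by the sync engine whenever a metaverse object changes.
    public void Provision(MVEntry mventry)
    {
        if (mventry.ObjectType != "person")
        {
            return; // only people get resource-forest accounts
        }

        ConnectedMA resourceMa = mventry.ConnectedMAs[ResourceMaName];
        bool terminated = mventry["employeeStatus"].IsPresent &&
            string.Equals(mventry["employeeStatus"].Value, "Terminated",
                          StringComparison.OrdinalIgnoreCase);

        if (resourceMa.Connectors.Count == 0)
        {
            // Provisioning path. Refuse to create an account for an already
            // terminated person, and require the attributes the account needs.
            if (terminated || !mventry["sAMAccountName"].IsPresent ||
                !mventry["cn"].IsPresent || !mventry["objectSid"].IsPresent)
            {
                return;
            }

            CSEntry csentry = resourceMa.Connectors.StartNewConnector("user");
            // EscapeDNComponent escapes commas and other DN metacharacters in cn,
            // so an odd display name cannot relocate the object in the tree.
            csentry.DN = resourceMa.EscapeDNComponent("CN=" + mventry["cn"].Value)
                                   .Concat(MailboxContainer);
            csentry["sAMAccountName"].Value = mventry["sAMAccountName"].Value;
            // The source-forest SID becomes the mailbox's Associated External Account.
            csentry["msExchMasterAccountSid"].BinaryValue = mventry["objectSid"].BinaryValue;
            // The resource account itself is a disabled placeholder; users log on
            // with their external (source-forest) credentials.
            csentry["userAccountControl"].IntegerValue = UfNormalAccount | UfAccountDisable;
            csentry.CommitNewConnector();
            return;
        }

        // Deprovisioning path: the connector already exists. Keep the object so
        // the mailbox is retained, but make sure the account stays disabled.
        CSEntry existing = resourceMa.Connectors.ByIndex[0];
        long uac = existing["userAccountControl"].IsPresent
            ? existing["userAccountControl"].IntegerValue
            : UfNormalAccount;
        if (terminated && (uac & UfAccountDisable) == 0)
        {
            existing["userAccountControl"].IntegerValue = uac | UfAccountDisable;
        }
    }

    // Keep the metaverse object when a single connector disappears, so the
    // deprovisioning step above still runs against the remaining connectors.
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        return false;
    }
}
```

The assembly is compiled against Microsoft.MetadirectoryServicesEx.dll, copied into the synchronization service's Extensions folder, and selected under the metaverse rules-extension settings; the userAccountControl and msExchMasterAccountSid attributes must also be selected on the resource-forest MA for the writes to be exported. The disabled-account plus master-SID pattern is what makes the resource forest safe to leave reachable: no password ever exists there for the mailbox account, and the terminated check closes the gap between the HR event and the next full deprovisioning run.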


Summary

Active Directory as a platform provides for powerful tools to enable organizations to centralize and store information about users and other objects in an organization. The efficiencies built in to having a centralized directory platform are greatly diminished if multiple directory platforms, each with their own disparate users and attributes, are maintained. Tools from Microsoft such as the Forefront Identity Manager (FIM) product give administrators the ability to synchronize across these directories and to keep organizational information standardized across multiple platforms.

In addition to directory sync technologies such as FIM, Microsoft offers support for products such as AD FS and AD LDS, which enable organizations to streamline identity logons and create personalized directories for applications. Through proper use of these technologies, organizations can take greater advantage of the knowledge that is traditionally distributed across multiple technologies.

Best Practices

The following are best practices from this chapter:

• Use FIM to keep disparate directories synchronized together.

• Use AD LDS for applications that require custom schema changes, and keep the information in those AD LDS instances synchronized to a central AD DS farm with the use of FIM.


• Use the Server Manager application to add AD FS and AD LDS roles to a server.

• Use AD FS for Single Sign-On support across multiple platforms.

• Consider using FIM for automatic provisioning/deprovisioning of user accounts across multiple directories. By establishing a firm policy on deprovisioning accounts that are no longer active, greater overall security can be achieved.

• Consider deploying AD LDS on Windows Server 2008 R2 Server Core to reduce the attack surface area of the server.


CHAPTER 9

Integrating Active Directory in a UNIX Environment

IN THIS CHAPTER

• Understanding and Using Windows Server 2008 R2 UNIX Integration Components

• Reviewing the Subsystem for UNIX-Based Applications (SUA)

• Understanding the Identity Management for UNIX Components

• Administrative Improvements with Windows Server 2008 R2

In the past, Microsoft had a bad reputation for giving the impression that its technologies would be the only ones deployed at organizations. The toolsets available to coexist in cross-platform environments were often weak and were provided mostly as a direct means to migrate from those environments to Microsoft environments. The introduction of Windows Server 2008 R2, however, coincides with the maturation of technologies from Microsoft that simplify and expand the ability to integrate with UNIX environments.


This chapter focuses on those technologies, and pays considerable attention to the Services for NFS role in Windows Server 2008 R2. In addition to explaining the features in Services for NFS, this chapter introduces the Subsystem for UNIX-based Applications (SUA), a tool used to allow UNIX applications to run on Windows.

Understanding and Using Windows Server 2008 R2 UNIX Integration Components

Microsoft has a long history of not “playing well” with other technologies. With Windows Server 2008 R2, Microsoft provides native support for Windows Server 2008 R2 UNIX Integration, a series of technologies that was previously included in a product line called Windows Services for UNIX (SFU). With Windows Server 2008 R2, each of the components of the old SFU product is included as integrated services in the Windows Server 2008 R2 OS.


For many years, UNIX and Windows systems were viewed as separate, incompatible environments that were physically, technically, and ideologically different. Over the years, however, organizations found that supporting two completely separate topologies within their environments was inefficient and expensive; a great deal of redundant work was also required to maintain multiple sets of user accounts, passwords, environments, and so on.

Slowly, the means to interoperate between these environments was developed. At first, most of the interoperability tools were written to join UNIX with Windows, as evidenced by Samba, a method for Linux/UNIX platforms to be able to access Windows file shares. Microsoft’s tools always seemed a step behind those available elsewhere. With Windows Server 2008 R2 UNIX Integration tools, Microsoft leapfrogs traditional solutions, like Samba, and becomes a leader for cross-platform integration. Password synchronization, the capability to run UNIX scripts on Windows, joint security credentials, and the like were presented as viable options and can now be considered as part of a migration to or interoperability scenario with Windows Server 2008 R2.

The Development of Windows Server 2008 R2 UNIX Integration Components

Windows Server 2008 R2 UNIX Integration has made large strides in its development since the original attempts Microsoft made in this area. Originally released as a package of products called Services for UNIX (SFU), it received initial skepticism. Since then, the line of technologies has developed into a formidable integration and migration utility that allows for a great deal of interenvironmental flexibility. The first versions of the software, 1.x and 2.x, were limited in many ways, however. Subsequent updates to the software vastly improved its capabilities and further integrated it with the core operating system.

A watershed advancement in the development of Services for UNIX was the introduction of the 3.0 version of the software. This version enhanced support for UNIX through the addition or enhancement of nearly all components. Included was the Interix product, as well as an extension to the POSIX infrastructure of Windows to support UNIX scripting and applications natively on a Windows server.

Later, version 3.5 of Services for UNIX was released, which included several functionality improvements over Windows Server for UNIX 3.0. The following components and improvements were made in the 3.5 release:

• Greater support for Active Directory Domain Services (AD DS) authentication

• Improved utilities for international language support

• Threaded application support in Interix (separated into a separate application in Windows Server 2008 R2 named the Subsystem for UNIX-based Applications)

• Support for the Volume Shadow Copy Service of Windows Server 2008 R2

Finally, we come to the Windows Server 2008 version of Services for UNIX, which was broken into several components that became embedded into the operating system. No longer were the components a part of a separate package. Instead, the components were built in to the various server roles on the operating system for the first time.


Here is the structure of major improvements for the Windows Server 2008 UNIX Integration:

• x64-bit Windows Server OS support

• AD lookup capabilities through the inclusion of Group ID (GID) and User ID (UID) fields in the AD schema

• Enhanced UNIX support with multiple versions supported, including Solaris v9, Red Hat Linux v9, IBM AIX version 5L 5.2, and Hewlett Packard HP-UX version 11i

• Ability for the Telnet Server component to accept both Windows and UNIX clients

• Extended Network Information Service (NIS) interoperability, including allowing a Windows Server 2008 R2 system to act as a NIS master in a mixed environment

• Removal of the User Mapping component and transfer of the functionality directly into the AD DS schema

• NFS server functionality expanded to Mac OS X and higher clients

• Subsystem for UNIX-based Applications (SUA), which allows POSIX-compliant UNIX applications to be run on Windows Server 2008 R2, including many common UNIX tools and scripts

• Easier porting of native UNIX and Linux scripts to the SUA environment

Finally, some minor changes were added to the UNIX support in this latest release, Windows Server 2008 R2. These include the following, all related to the Services for NFS component:

• Netgroup support provides the ability to create and manage networkwide named groups of hosts.

• The Unmapped UNIX User Access functionality allows NFS data to be stored on Windows servers without first creating UNIX to Windows account mapping.

• RPCSEC_GSS support provides for native support of this RPC security feature. Windows Server 2008 R2 does not provide support for the RPCSEC_GSS privacy security service, however.

• WMI Management support provides extendibility of management to NFS servers.

• Kerberos Authentication (Krb5 and Krb5i) on Shares improves standards for secured information access.

Understanding the UNIX Interoperability Components in Windows Server 2008 R2

Windows Server 2008 R2 UNIX Integration is composed of several key components, each of which provides a specific integration task with different UNIX environments. Any or all of these components can be used as part of Windows Server 2008 R2 UNIX Integration as the installation of the suite can be customized, depending on an organization’s needs. The major components of Windows Server 2008 R2 UNIX Integration are as follows:


• Services for NFS (includes Server for NFS and Client for NFS)

• Telnet Server (supports Windows and UNIX clients)

• Identity Management for UNIX (includes the Server for Network Information Services and Password Synchronization components)

• Subsystem for UNIX-based Applications (SUA)

Each component can be installed as part of a server role. For example, the Services for NFS component is installed as part of the File Services role in Windows Server 2008 R2. Each component is described in more detail in the following sections.

Prerequisites for Windows Server 2008 R2 UNIX Integration

Windows Server 2008 R2 UNIX services interoperate with various flavors of UNIX, but were tested and specifically written for use with the following UNIX versions:

• Sun Solaris 7.x, 8.x, 9.x, or 10

• Red Hat Linux 8.0 and later

• Hewlett-Packard HP-UX 11i

• IBM AIX 5L 5.2

• Apple Macintosh OS X

NOTE

Windows Server 2008 R2 UNIX Integration is not limited to these versions of Sun
