Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
[Figure residue: a "UNIX LDAP Directory" box containing "Username: Mills".]
FIGURE 8.10 Synchronizing multiple identities with FIM.
In addition to creating these accounts, all associated accounts can be automatically deleted or disabled through a deprovisioning process in FIM. By automating this process, administration of the multitude of user accounts in an organization can be simplified and the risk of accidentally leaving a user account enabled after an employee has been terminated can be minimized.
The following high-level example demonstrates the steps required to set up simple account provisioning. In this example, an AD DS domain is connected to FIM. Any user accounts created in that domain have corresponding Exchange mailboxes created in a separate Active Directory resource forest:
1. Install FIM.
2. Configure a management agent for the connected AD DS domain.
3. Configure the AD DS MA so that the attributes necessary to create a resource mailbox flow into the metaverse.
4. Configure the attribute flow between the AD DS MA attributes and the FIM metaverse.
5. Configure an additional MA for the AD DS Exchange Resource domain.
6. Ensure that the AD DS Exchange Resource MA attributes that FIM will need to create the mailbox are set. These include the object types container, group, inetOrgPerson, organizationUnit, and user.
7. Using Visual Studio, configure a custom Rules Extension DLL to provide for the automatic creation of a mailbox-enabled user account in the resource forest. In this case, the DLL must use the MVExtensionExchange class in the script.
8. Install this rules extension DLL into the metaverse.
9. Configure run profiles to import the information and automatically create the mailboxes.
The example described previously, although complex, is useful in situations in which a
single Exchange Server forest is used by multiple organizations. The security identifier
(SID) of the AD DS account is imported into the metaverse and used to create a mailbox
in the resource forest that has the external domain account listed as the Associated
External Account. Through a centralized FIM implementation, the Exchange resource
forest can support the automatic creation of resource mailboxes for a large number of
connected domains.
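As an added audit example (PowerShell using the ActiveDirectory module; not code from the book or from FIM), the script below lists resource-forest mailbox accounts whose Associated External Account SID no longer resolves to an enabled user in the connected domain, which is exactly the leftover that the deprovisioning process above is meant to prevent. The domain controller names and the cross-forest trust are assumptions.

```powershell
# Added example (not from the book): audit the Exchange resource forest for linked
# mailbox accounts whose Associated External Account no longer maps to an enabled
# user in the connected account domain, i.e. accounts a deprovisioning run missed.
# Assumptions: ActiveDirectory module present, a trust between the forests, and the
# placeholder DC names below replaced with real ones.
Import-Module ActiveDirectory

$ResourceDC = 'dc01.exchres.example'   # placeholder: DC in the Exchange resource forest
$AccountDC  = 'dc01.corp.example'      # placeholder: DC in the connected AD DS domain

function Get-OrphanedLinkedMailbox {
    param([string]$ResourceServer, [string]$AccountServer)

    # Linked (resource) mailboxes store the external account's SID in
    # msExchMasterAccountSid; the resource-forest account itself stays disabled.
    $linked = Get-ADUser -Server $ResourceServer -LDAPFilter '(msExchMasterAccountSid=*)' `
                         -Properties msExchMasterAccountSid, mail

    foreach ($rm in $linked) {
        # The AD module may hand the SID back as a SecurityIdentifier or as raw bytes.
        $raw = $rm.msExchMasterAccountSid
        $sid = if ($raw -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
               else { [System.Security.Principal.SecurityIdentifier]$raw }

        # S-1-5-10 (SELF) marks a mailbox not linked to any external account; skip it.
        if ($sid.IsWellKnown([System.Security.Principal.WellKnownSidType]::SelfSid)) { continue }

        $src = $null
        try   { $src = Get-ADUser -Server $AccountServer -Identity $sid.Value }
        catch { }   # no object with this SID in the account domain: source user deleted

        if (-not $src -or -not $src.Enabled) {
            [pscustomobject]@{
                ResourceAccount = $rm.SamAccountName
                Mailbox         = $rm.mail
                ExternalSid     = $sid.Value
                SourceState     = if ($src) { 'Disabled' } else { 'Missing' }
            }
        }
    }
}

Get-OrphanedLinkedMailbox -ResourceServer $ResourceDC -AccountServer $AccountDC |
    Format-Table -AutoSize
```

Any row reported as Missing or Disabled is a resource mailbox that still grants access through a source account FIM should have deprovisioned.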
Active Directory as a platform provides for powerful tools to enable organizations to centralize and store information about users and other objects in an organization. The efficiencies built in to having a centralized directory platform are greatly diminished if multiple directory platforms, each with their own disparate users and attributes, are maintained. Tools from Microsoft such as the Forefront Identity Manager (FIM) product give administrators the ability to synchronize across these directories and to keep organizational information standardized across multiple platforms.
In addition to directory sync technologies such as FIM, Microsoft offers support for products such as AD FS and AD LDS, which enable organizations to streamline identity logons and create personalized directories for applications. Through proper use of these technologies, organizations can take greater advantage of the knowledge that is traditionally distributed across multiple technologies.
The following are best practices from this chapter:
. Use FIM to keep disparate directories synchronized together.
. Use AD LDS for applications that require custom schema changes, and keep the
information in those AD LDS instances synchronized to a central AD DS farm with
the use of FIM.
CHAPTER 8
Creating Federated Forests and Lightweight Directories
. Use the Server Manager application to add AD FS and AD LDS roles to a server.
. Use AD FS for Single Sign-On support across multiple platforms.
. Consider using FIM for automatic provisioning/deprovisioning of user accounts across multiple directories. By establishing a firm policy on deprovisioning accounts that are no longer active, greater overall security can be achieved.
. Consider deploying AD LDS on Windows Server 2008 R2 Server Core to reduce the
attack surface area of the server.
CHAPTER 9
Integrating Active Directory in a UNIX Environment
IN THIS CHAPTER
. Understanding and Using Windows Server 2008 R2 UNIX Integration Components
. Reviewing the Subsystem for UNIX-Based Applications (SUA)
. Understanding the Identity Management for UNIX Components
. Administrative Improvements with Windows Server 2008 R2
In the past, Microsoft had a bad reputation for giving the impression that its technologies would be the only ones deployed at organizations. The toolsets available to coexist in cross-platform environments were often weak and were provided mostly as a direct means to migrate from those environments to Microsoft environments. The introduction of Windows Server 2008 R2, however, coincides with the maturation of technologies from Microsoft that simplify and expand the ability to integrate with UNIX environments.
This chapter focuses on those technologies, and pays
considerable attention to the Services for NFS role in
Windows Server 2008 R2. In addition to explaining the
features in Services for NFS, this chapter introduces the
Subsystem for UNIX-based Applications (SUA), a tool used
to allow UNIX applications to run on Windows.
Microsoft has a long history of not “playing well” with
other technologies. With Windows Server 2008 R2,
Microsoft provides native support for Windows Server 2008
R2 UNIX Integration, a series of technologies that was
previously included in a product line called Windows
Services for UNIX (SFU). With Windows Server 2008 R2,
each of the components of the old SFU product is included
as integrated services in the Windows Server 2008 R2 OS.
For many years, UNIX and Windows systems were viewed as separate, incompatible environments that were physically, technically, and ideologically different. Over the years, however, organizations found that supporting two completely separate topologies within their environments was inefficient and expensive; a great deal of redundant work was also required to maintain multiple sets of user accounts, passwords, environments, and so on.
Slowly, the means to interoperate between these environments was developed. At first,
most of the interoperability tools were written to join UNIX with Windows, as evidenced
by Samba, a method for Linux/UNIX platforms to be able to access Windows file shares.
Microsoft’s tools always seemed a step behind those available elsewhere. With Windows
Server 2008 R2 UNIX Integration tools, Microsoft leapfrogs traditional solutions, like
Samba, and becomes a leader for cross-platform integration. Password synchronization,
the capability to run UNIX scripts on Windows, joint security credentials, and the like
were presented as viable options and can now be considered as part of a migration to or
interoperability scenario with Windows Server 2008 R2.
The Development of Windows Server 2008 R2 UNIX Integration Components
Windows Server 2008 R2 UNIX Integration has made large strides in its development since the original attempts Microsoft made in this area. Originally released as a package of products called Services for UNIX (SFU), it received initial skepticism. Since then, the line of technologies has developed into a formidable integration and migration utility that allows for a great deal of interenvironmental flexibility. The first versions of the software, 1.x and 2.x, were limited in many ways, however. Subsequent updates to the software vastly improved its capabilities and further integrated it with the core operating system.
A watershed advancement in the development of Services for UNIX was the introduction
of the 3.0 version of the software. This version enhanced support for UNIX through the
addition or enhancement of nearly all components. Included was the Interix product, as
well as an extension to the POSIX infrastructure of Windows to support UNIX scripting
and applications natively on a Windows server.
Later, version 3.5 of Services for UNIX was released, which included several functionality
improvements over Windows Server for UNIX 3.0. The following components and
improvements were made in the 3.5 release:
. Greater support for Active Directory Domain Services (AD DS) authentication
. Improved utilities for international language support
. Threaded application support in Interix (separated into a separate application in
Windows Server 2008 R2 named the Subsystem for UNIX-based Applications)
. Support for the Volume Shadow Copy Service of Windows Server 2008 R2
Finally, we come to the Windows Server 2008 version of Services for UNIX, which was
broken into several components that became embedded into the operating system. No
longer were the components a part of a separate package. Instead, the components were
built in to the various server roles on the operating system for the first time.
Here is the structure of major improvements for the Windows Server 2008 UNIX
Integration:
. x64-bit Windows Server OS support
. AD lookup capabilities through the inclusion of Group ID (GID) and User ID (UID)
fields in the AD schema
. Enhanced UNIX support with multiple versions supported, including Solaris v9, Red
Hat Linux v9, IBM AIX version 5L 5.2, and Hewlett Packard HP-UX version 11i
. Ability for the Telnet Server component to accept both Windows and UNIX clients
. Extended Network Information Service (NIS) interoperability, including allowing a
Windows Server 2008 R2 system to act as a NIS master in a mixed environment
. Removal of the User Mapping component and transfer of the functionality directly
into the AD DS schema
. NFS server functionality expanded to Mac OS X and higher clients
. Subsystem for UNIX-based Applications (SUA), which allows POSIX-compliant UNIX applications to be run on Windows Server 2008 R2, including many common UNIX tools and scripts
. Easier porting of native UNIX and Linux scripts to the SUA environment
Finally, some minor changes were added to the UNIX support in this latest release, Windows
Server 2008 R2. These include the following, all related to the Services for NFS component:
. Netgroup support provides the ability to create and manage networkwide named
groups of hosts.
. The Unmapped UNIX User Access functionality allows NFS data to be stored on
Windows servers without first creating UNIX to Windows account mapping.
. RPCSEC_GSS support provides for native support of this RPC security feature. Windows Server 2008 R2 does not provide support for the RPCSEC_GSS privacy security service (the level that would encrypt NFS traffic on the wire), however.
. WMI Management support provides extendibility of management to NFS servers.
. Kerberos Authentication (Krb5 and Krb5i) on Shares improves standards for secured
information access.
Understanding the UNIX Interoperability Components in Windows Server 2008 R2
Windows Server 2008 R2 UNIX Integration is composed of several key components, each
of which provides a specific integration task with different UNIX environments. Any or all
of these components can be used as part of Windows Server 2008 R2 UNIX Integration as
the installation of the suite can be customized, depending on an organization’s needs. The
major components of Windows Server 2008 R2 UNIX Integration are as follows:
. Services for NFS (includes Server for NFS and Client for NFS)
. Telnet Server (supports Windows and UNIX clients)
. Identity Management for UNIX (includes the Server for Network Information
Services and Password Synchronization components)
. Subsystem for UNIX-based Applications (SUA)
Each component can be installed as part of a server role. For example, the Services for NFS
component is installed as part of the File Services role in Windows Server 2008 R2. Each
component is described in more detail in the following sections.
Prerequisites for Windows Server 2008 R2 UNIX Integration
Windows Server 2008 R2 UNIX services interoperate with various flavors of UNIX, but
were tested and specifically written for use with the following UNIX versions:
. Sun Solaris 7.x, 8.x, 9.x, or 10
. Red Hat Linux 8.0 and later
. Hewlett-Packard HP-UX 11i
. IBM AIX 5L 5.2
. Apple Macintosh OS X
NOTE
Windows Server 2008 R2 UNIX Integration is not limited to these versions of Sun