Bruce Cowper
IT Pro Advisor
Microsoft Canada
Agenda
• Windows Server™ 2003 R2
  – Principal Scenarios
    • Identity and Access Management
    • Efficient Storage Management
    • Simplified Branch Server Management
    • Cost-Effective Virtualization
• Identity Management: Manage a single identity across partner, web and UNIX apps
• Branch Office: Better connectivity, reliability, security
• Storage Management: Better control over storage setup
• Virtualization: Enterprise Edition & Virtual Server R2
Identity and Access Management
Challenge: Extending access across users, apps, platforms
Diagram: your employees, your applications and your platforms in the middle; around them your suppliers and their applications, your partners and their applications, your remote and virtual employees, and your customers.
Identity and Access Management
• Active Directory® Application Mode (ADAM)
  – Lightweight, domain-independent mode of Active Directory for application directory scenarios
  – Interoperability with Domain Mode for authentication
  – Benefit: Tailor directory services infrastructure for local control/autonomy or shared services
• UNIX Identity Management
  – Server for Network Information Service (NIS) helps integrate Windows and UNIX domains
  – Password synchronization simplifies password maintenance across platforms
  – Benefit: Efficient multi-platform identity management
• Active Directory Federation Services (ADFS)
Windows Server 2003 R2 Features
Active Directory Application Mode
• Lightweight, domain-independent mode of Active Directory for application directory scenarios
  – Same code as Active Directory = same programming model, admin tools, replication model
  – Simple wizard-based install; no DCPROMO
  – Schema flexibility; synchronization with Active Directory possible via Identity Integration Feature Pack
  – Authentication in Active Directory, authorization in ADAM for increased security
• Free web download
ADAM Usage Scenarios: Application-specific local directory
• Example: Web portal with personalization
  – Store personalization info in ADAM
  – Use Active Directory for authentication
Diagram: the client authenticates to the web portal against the infrastructure Active Directory; the web portal stores and retrieves personalization data in ADAM.
ADAM Usage Scenarios: Extranet Access Management
• Policy server: ADFS or third-party solutions (CA SiteMinder, OpenNetwork/BMC, etc.)
  – "Fast-bind authentication" via LDAP bind calls
• Scenario benefits from ADAM ease of use
Diagram: the web client reaches the web servers, which hand authentication to the policy server; the policy server performs an LDAP bind (authN) against ADAM and keeps a separate LDAP "admin connection" to ADAM for search and update.
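The two ADAM patterns on the slides above (the web portal that authenticates in Active Directory and personalizes from ADAM, and the extranet policy server that fast-binds to ADAM and keeps a separate admin connection) as one added PowerShell example. This is not code from the deck or from Microsoft; the host names, the ADAM ports (50000 for LDAP, 50001 for LDAPS), the partition, the service account and the portalTheme attribute are assumptions for illustration.

```powershell
# Added example (not from the deck): the "fast bind" with the user's own
# credentials and the application's separate "admin connection" to ADAM.
# Host names, ports, partition, service account and attribute are assumptions.
Add-Type -AssemblyName System.DirectoryServices

function Test-LdapBind {
    param([string]$LdapPath, [string]$UserName, [string]$Password, [string]$AuthType = 'Secure')
    # Binding as the user proves the password without the application storing
    # it. 'Secure' (Negotiate) is right for AD accounts, named by UPN. Accounts
    # that exist only in ADAM need a simple bind, which sends the password in
    # clear unless the path is LDAPS: use 'SecureSocketsLayer' and the user's DN.
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        $LdapPath, $UserName, $Password,
        [System.DirectoryServices.AuthenticationTypes]$AuthType)
    try {
        [void]$entry.NativeObject      # forces the bind; throws if rejected
        return $true
    } catch [System.Runtime.InteropServices.COMException] {
        return $false
    } finally {
        $entry.Dispose()
    }
}

function Get-AdamEntry {
    param([string]$PartitionPath, [pscredential]$ServiceCredential, [string]$Cn, [string[]]$Attributes)
    # Only the application's service account searches or updates ADAM; the
    # user's own bind is never reused for this.
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        $PartitionPath, $ServiceCredential.UserName,
        $ServiceCredential.GetNetworkCredential().Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Escape the value before it goes into the filter (RFC 4515); otherwise a
    # name such as "*" or "x)(cn=*" widens the search to other users' entries.
    $safe = $Cn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher.Filter = "(&(objectClass=user)(cn=$safe))"
    foreach ($a in $Attributes) { [void]$searcher.PropertiesToLoad.Add($a) }
    try { return $searcher.FindOne() }
    finally { $searcher.Dispose(); $root.Dispose() }
}

# Scenario 1 (web portal): authenticate in Active Directory, personalize from ADAM.
$user = "jdoe"
$pw = Read-Host -Prompt "Password for $user"
if (Test-LdapBind -LdapPath "LDAP://dc01.corp.example" -UserName "$user@corp.example" -Password $pw) {
    $svc = Get-Credential -Message "ADAM service account (e.g. CORP\svc-portal)"
    $r = Get-AdamEntry -PartitionPath "LDAP://adam01.corp.example:50000/OU=Portal,DC=corp,DC=example" `
                       -ServiceCredential $svc -Cn $user -Attributes @("portalTheme")
    if ($r) { "Theme for ${user}: $($r.Properties['portaltheme'])" } else { "No portal profile for $user" }
}

# Scenario 2 (extranet): the user exists only in ADAM, so the fast bind goes to
# ADAM over LDAPS with the user's DN; the admin connection is the same as above.
$extranetDn = "CN=$user,OU=Extranet,DC=corp,DC=example"
Test-LdapBind -LdapPath "LDAP://adam01.corp.example:50001" -UserName $extranetDn -Password $pw -AuthType 'SecureSocketsLayer'
```

The filter escaping is the check a practitioner wants here: the user name comes from a logon form, and an unescaped `cn=` filter is an LDAP injection point in exactly the "admin connection" that has rights to read every entry.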
UNIX Identity Management
• Consolidation of administration and monitoring across platforms
• Remotely monitor and administer Windows-based systems in the same fashion and with the same tools as UNIX-based systems
Efficient Cross-platform User Management
Diagram: a mixed environment of Windows servers, Windows workstations, UNIX servers and UNIX workstations managed with the same tools.
Server for NIS
Makes a Windows Server 2003 Active Directory domain controller the NIS (Network Information System) master server.
Diagram: before, the UNIX NIS servers act as master and slaves for the NIS clients; after, the Windows server running Server for NIS is the master and the UNIX NIS servers continue as slaves serving the same NIS clients.
UNIX Password Synchronization
• Pull NIS schema into Active Directory
• Bidirectional password sync and user name mapping, supported on:
  – HP-UX 11i
  – Sun Solaris 8 & 9
  – IBM AIX 5L 5.2
  – Red Hat Linux 9.0
• Mapping Server
  – Map Windows® user and group accounts to UNIX
Active Directory Federation Services
Windows Integrated Authentication: Great For Intranets
• Active Directory: logon to Windows
• Flexible authentication: Kerberos; X.509 v3/smartcard/PKI; VPN/802.1x/RADIUS; LDAP; Passport/Digest/Basic (Web); SSPI/SPNEGO
• Single sign-on to: Windows file/print servers; Microsoft applications; 390/AS400 (Host Integration Server); ERP (BizTalk®, SharePoint® ESSO); 3rd-party integrated apps; web applications via IIS; UNIX/J2EE
Diagram: one Windows logon reaching Exchange, web apps, a file share and other Windows Integrated applications.
ADFS Scenario: Web SSO
• User credentials and attributes managed in Active Directory/ADAM at the application
• Benefits:
  – Single sign-on to a farm of IIS 6 web apps
  – Stronger authentication via forms, client-side certs
  – ADAM support: LDAP user store in the perimeter
  – Support for "road warrior" applications
• Windows Integrated Auth for internal users
• ADFS auth for external users
Diagram: customers, business partners and employees reaching the same web application farm.
ADFS Scenario: Identity Federation
• User credentials and attributes managed in the "home realm" by the partner organization
• Benefits:
  – Single sign-on to internal and partner web applications
  – Fewer passwords for users to forget
  – Lower password reset costs
  – Centralized administration, delegated to partners
  – Automated restriction of partner app access
  – Logging of inbound and outbound access requests
Cross-organization namespace manages:
  – Trust: keys
  – Security: claims required
  – Privacy: claims allowed
  – Audit: identities, authorities
Diagram: business partners; the A. Datum account forest federated with the Trey Research resource forest.
Identity Federation in Action
Diagram: an internal client in the A. Datum account forest authenticates to Active Directory through the Account Federation Server; a federation trust links it to the Resource Federation Server at Trey Research, which admits the client to the web server there.
ADFS: Standards-Based Solution
• AD users and .NET apps on Active Directory and Federation Services
• Java, UNIX and Linux users and apps through partner products: IBM, PingID, BMC, Quest, CA, Centrify and others
• Multi-vendor, multi-platform interoperability via Web Services
• WS-Federation Security Token Service: HTTP messages through the HTTP receiver (now); SOAP messages through a SOAP receiver (future)
ADFS Architecture
Active Directory (2K, 2K3, ADAM)
• Authenticates users
• Manages attributes
Federation Service (FS)
• STS (security token service)
• Issues security tokens
• Populates claims
  – Statements an authority makes about security principals
• Manages federation trust policy
FS Proxy (FS-P)
• Client proxy for token requests
• Provides UI for browser clients
Web Server SSO Agent
• Enforces user authentication
• Creates user authorization context
Diagram: two identical stacks, one per organization: browser, FS-P, FS, AD or ADAM, and a web server hosting the application behind its SSO agent; the links are labelled HTTPS (browser to FS-P and to the web server), LPC/Web Methods (FS-P to FS) and Windows authentication/LDAP (FS to AD or ADAM).
Application (authorization)
• Windows NT® impersonation and ACLs
• ASP.NET IsInRole()
• AzMan RBAC integration
• ASP.NET raw claims API
Demonstration: ADFS – Mapping trusts in ADFS
• Active Directory Federation Services
• UNIX Identity Management
• Distributed File System
• Centralized File and Print Consoles
• File Server Resource Manager
• Storage Manager for SANs
• Enterprise Edition licensing change
Identity Management | Branch Office | Storage Management | Virtualization
Simplified Branch Server Management
• Wide-Area Network (WAN)
  – WAN costs can be significant
  – WAN latency issues
• Security / management costs
  – Lack of network admins on site in branch offices
  – Tape backup expensive, unreliable
  – Tools need to scale to a large number of branches
• Policy
• Delegation
• UI
Branch office challenges
Security Configuration Wizard
• Server 2003 SP1 (installed via Add/Remove Windows Components) and Server 2003 R2
• Identifies open ports
• The wizard should be executed with the required applications and services running: it pre-selects roles from what it finds installed and running, and services and ports that no selected role needs end up disabled and blocked
• Selects server roles from configuration database
• Configures required services
• Configures ports for Windows Firewall
• Configures security for LDAP and SMB
• Configures an audit policy
• Configures settings specific to roles performed by the server
Security Configuration Wizard
• Configuration saved to XML file
• Applied by the wizard
• Apply an existing security policy
• Applied from the command line
  – scwcmd.exe configure /p:webserverpolicy.xml
  – Used in scripts
  – Unattended setup scripts
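The command-line path the slide mentions, as an added PowerShell example rather than anything from the deck: analyze a saved SCW policy against several servers before applying it, apply it, turn it into a GPO, and know where the rollback is. The policy file is one the wizard saved on a reference web server; the server names and paths are assumptions for illustration.

```powershell
# Added example, not part of the deck: driving the Security Configuration
# Wizard with scwcmd.exe. Server names and paths are assumptions.
$policy  = "C:\SCW\webserverpolicy.xml"   # saved by the wizard on a reference server
$servers = @("web01", "web02")            # assumed branch web servers
$results = "C:\SCW\results"

# 1. Analyze first: compare the policy with each server's live configuration
#    and write an XML report per server without changing anything.
foreach ($s in $servers) {
    scwcmd analyze "/p:$policy" "/m:$s" "/o:$results"
}
# Render one report as HTML for review. File and XSL names are as SCW lays
# them out on a 2003 SP1 box; check the output folder if yours differ.
scwcmd view "/x:$results\web01.xml" "/s:$env:windir\security\msscw\TransformFiles\scwanalysis.xsl"

# 2. Configure only after the analysis looks right. Anything the policy does
#    not list gets disabled or blocked, which is why the wizard had to be run
#    with every required service up when the policy was created.
foreach ($s in $servers) {
    scwcmd configure "/p:$policy" "/m:$s"
}

# 3. The same policy as a GPO, so servers built later are hardened at domain
#    join time rather than by this script.
scwcmd transform "/p:$policy" "/g:Branch Web Server Hardening"

# If a server misbehaves afterwards, SCW kept the pre-configure state:
#   scwcmd rollback /m:web01
```

Run the analyze step on a schedule as well: it is the cheapest way to notice that a branch server has drifted from the policy (a service re-enabled, a port reopened) without touching the box.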
Demonstration: Security Configuration Wizard – Using the Security Configuration Wizard; Roles and Templates
Simplified Branch Server Management
• Easily manage your infrastructure with centralized management tools
  – DFS Management Console & failover with failback
  – Print Management Console
• Keep your business running smoothly by taking advantage of faster data replication
  – DFS: Remote Differential Compression
• Reduce administration costs by eliminating local administration & local back-up
Windows Server 2003 R2 Features for Branch
Simplified Branch Server Management
• Brand new management UI
  – Hierarchical view of namespace
  – New features such as rename links, drag and drop
• New features in DFS Namespace Service
  – Failback (configured by admin at root or link), vs. failover
  – Prioritization of target server referrals
  – Set priority of servers to which you fail back
Enabling Technologies: DFS Namespace
Simplified Branch Server Management
• A robust multi-master file replicator
  – Efficient, scalable & robust
• Key new features:
  – Core service:
    • Efficient and simple state-based synchronization
    • Remote Differential Compression
    • Bandwidth throttling
  – New management console
Enabling Technologies: Distributed File System Replication (DFS-R)
Simplified Branch Server Management
• New Microsoft algorithm – send only minimal deltas when transferring data over a network
• RDC efficiency example – change the title in a 3.5 MB PPT; the resync transfers just 16 KB
Enabling Technologies: Remote Differential Compression (RDC)
Source: MS Internal
Connection type | Save full 3.5 MB | Save changes only
56 Kbps modem | 10 minutes | 3 seconds
500 Kbps DSL | 70 seconds | <1 second
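Why a one-title edit in a large file costs kilobytes rather than megabytes, shown with an added, simplified PowerShell example. This is not Microsoft's RDC code: it cuts a file into content-defined chunks with a rolling hash, has the receiver send the hashes of the chunks it already holds, and has the sender ship only the chunks the receiver lacks. Real RDC uses a different hash and a recursive signature scheme, but the effect is the same. The sample file is constructed in the script.

```powershell
# Added example, not Microsoft's RDC implementation: a chunk-signature exchange
# on a constructed ~48 KB sample with one line edited in the middle.

function Split-IntoChunks {
    param([byte[]]$Data, [int]$Window = 32, [int]$AverageSize = 1024)
    # A chunk ends where the rolling hash of the last $Window bytes has its low
    # bits clear. The boundary depends only on nearby content, so an edit moves
    # the boundaries next to it and leaves every other chunk identical.
    $M  = [long]1000000007                  # hash modulus (prime)
    $B  = [long]257                         # polynomial base
    $BW = [long]1
    for ($k = 0; $k -lt $Window; $k++) { $BW = ($BW * $B) % $M }   # B^Window mod M
    $mask = $AverageSize - 1                # AverageSize must be a power of two
    $chunks = New-Object System.Collections.ArrayList
    $h = [long]0; $start = 0
    for ($i = 0; $i -lt $Data.Length; $i++) {
        $h = ($h * $B + $Data[$i]) % $M
        if ($i -ge $Window) {
            # drop the byte that just left the window
            $h = (($h - (([long]$Data[$i - $Window] * $BW) % $M)) + $M) % $M
        }
        $atBoundary = ($h -band $mask) -eq 0
        $atMax = ($i - $start + 1) -ge (4 * $AverageSize)   # cap chunk size
        if ($atBoundary -or $atMax -or ($i -eq $Data.Length - 1)) {
            [void]$chunks.Add([byte[]]$Data[$start..$i])
            $start = $i + 1
        }
    }
    return ,$chunks
}

function Get-ChunkSignatures {
    param([byte[]]$Data)
    # One strong hash per chunk; this list is what the receiver sends.
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $sigs = New-Object System.Collections.ArrayList
    foreach ($chunk in (Split-IntoChunks -Data $Data)) {
        [void]$sigs.Add([pscustomobject]@{
            Hash   = [BitConverter]::ToString($sha.ComputeHash($chunk))
            Length = $chunk.Length
        })
    }
    return ,$sigs
}

function Get-DeltaSize {
    param([byte[]]$Receiver, [byte[]]$Sender)
    # The receiver holds $Receiver and wants $Sender. It sends its signature
    # list; the sender matches by hash and transmits only the misses.
    $have = @{}
    foreach ($s in (Get-ChunkSignatures -Data $Receiver)) { $have[$s.Hash] = $true }
    $send = 0; $reuse = 0; $missing = 0
    foreach ($s in (Get-ChunkSignatures -Data $Sender)) {
        if ($have.ContainsKey($s.Hash)) { $reuse += $s.Length }
        else { $send += $s.Length; $missing++ }
    }
    [pscustomobject]@{
        FileBytes      = $Sender.Length
        BytesToSend    = $send
        ChunksToSend   = $missing
        BytesReused    = $reuse
        SignatureBytes = 34 * $have.Count   # 32-byte hash + 2-byte length per chunk, sent the other way
    }
}

# Constructed sample: ~48 KB of numbered slide notes, then one title edited.
$text = (1..800 | ForEach-Object { "Slide ${_}: notes on Windows Server 2003 R2 branch office replication.`n" }) -join ''
$old  = [System.Text.Encoding]::ASCII.GetBytes($text)
$new  = [System.Text.Encoding]::ASCII.GetBytes($text.Replace("Slide 400:", "Slide 400 (title changed):"))
Get-DeltaSize -Receiver $old -Sender $new | Format-List
```

Only the chunk containing the edit (and at most its neighbour, if a boundary happened to fall inside the hash window) comes back as missing; everything after the insertion re-chunks at the same content boundaries, which is the property that fixed-size blocks lack. Note that chunk hashes identify content, so a replication partner that can forge chunks with matching hashes could poison a sync; that is one reason DFS-R authenticates partners and RDC rides an authenticated RPC channel rather than trusting signatures alone.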
Simplified Branch Server Management
• New Print Management Console (PMC) in R2
• With PMC, branch servers can easily be print servers because they are remotely manageable on a 1-to-many basis
Enabling Technologies: Print Role
Console tree: Printers node, Servers node
Demonstration: DFS – Setting up and Securing DFS
Efficient Storage Management
• Storage growth estimates: 60-100% per year
• Managing storage growth effectively is a challenge
  – Direct Attached Storage (DAS) solutions have limitations
  – Storage Area Network (SAN) solutions can be complex
  – Few IT professionals are storage experts:
    • 35% of SMBs have moved from DAS to SAN
    • 40% of SMBs are considering moving to SAN
• Costs of managing storage can be 10x the cost of the storage itself
• The process of consolidating file servers/storage is involved
  – Complex and error prone
  – Potential disruption to end users
The Challenges of Storage Today
Efficient Storage Management
Windows Server 2003 R2 Storage Management
• File Server Resource Manager (FSRM): capacity management; policy management (file screening); quota management
• Storage Manager for SANs (SMFS): configuration management (disk provisioning, disk management)
Efficient Storage Management
• Capacity Management
  – Determine existing storage capacity usage across the organization
  – Determine whether usage effectively supports organizational goals
  – Define and implement storage policies
  – Adjust the policies as capacity needs grow and as organization needs change
• Policy Management
  – No easy way to control the type of data stored on file servers
  – Unwanted content must be identified manually
• Quota Management
  – User home directories often grow quickly, causing servers to run out of space
  – Departmental shares can also grow unexpectedly
  – Administrators are only aware of storage crises when the server is already out of space
FSRM: Administrator Challenges
Efficient Storage Management
FSRM: Capacity Management
• Functionality
  – Predefined and configurable storage capacity reporting
    • Predefined reports for ease of use: large files; most/least recently used; files by owner; files by file group; duplicate files; quota usage; file screen audit; export report
    • Configurable reports for fine tuning to specific server environments: multiple volumes; multiple folders or shares
  – Multiple report formats
  – Generate reports at scheduled intervals (e.g. off-hours)
  – Save reports locally or send to users via e-mail
  – Support for clustered configurations
Efficient Storage Management
• Functionality
  – Applies to a folder tree or volume
  – Screening rules
    • Based on file groups
    • Apply to all user files in the folder
    • File screening settings can be saved in a template
  – Passive and active screening supported
  – Screening events recorded in audit log
  – Same set of notifications as quotas
  – File system interoperability
    • Only NTFS volumes are supported
    • Usage is tracked in real time
    • Only volumes with a screening configuration are monitored
    • Screening is based on file name patterns (*.mp3, FY04*)
  – Self-consistent volume configuration
  – Cluster support
FSRM: Policy Management (File Screening)
Efficient Storage Management
• Functionality
  – Quotas limit the size of a directory tree or a volume
  – Quota applies to all users' files in the directory
  – Limit can be soft or hard
  – File system interoperability
    • Only NTFS volumes are supported
    • Usage is tracked in real time, failing I/Os at the hard limit
    • Only volumes with a quota configuration are monitored
    • Quota usage is charged on actual disk space consumed, not logical file size
    • Support for special files: compressed, sparse, named streams, hard links, reparse points
  – Multiple notification thresholds at configurable quota utilization levels
  – Self-consistent volume configuration
    • Quota settings travel with the volume (SAN, hot-pluggable disks)
    • Cluster support
FSRM: Quota Management
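The file-screening and quota features on the two slides above, configured from the command line as an added example (not from the deck) with the FSRM tools that ship with R2, dirquota.exe and filescrn.exe. The share paths, template names and limits are assumptions; confirm the switch spellings against `dirquota /?` and `filescrn /?` on your build before putting this in a script.

```powershell
# Added example, not from the deck: FSRM quotas and file screens via
# dirquota.exe and filescrn.exe. Paths, names and limits are assumptions.
$homeShare = "D:\Shares\Home"       # one subfolder per user, e.g. D:\Shares\Home\jdoe
$deptShare = "D:\Shares\Finance"

# --- Quotas (FSRM: Quota Management) ---
# A template keeps every quota consistent. Hard = the write fails at the limit;
# Soft = notifications only. Threshold notifications (e-mail, event log,
# command at 85/95/100 %) are simplest to attach to the template in the console.
dirquota template add /Template:"Home 500MB Hard" /Limit:500MB /Type:Hard
# An auto quota stamps every existing and future subfolder of the home share,
# which is how per-user home directories stop eating the volume.
dirquota autoquota add "/Path:$homeShare" /SourceTemplate:"Home 500MB Hard"
# A soft quota on a departmental share gives early warning without blocking
# the team while more space is arranged.
dirquota quota add "/Path:$deptShare" /Limit:50GB /Type:Soft
dirquota quota list
dirquota autoquota list

# --- File screening (FSRM: Policy Management) ---
# Screening matches file names only (*.mp3, FY04*). An active screen stops a
# careless save; it does not stop a user who renames the file, so treat it as
# policy enforcement, not content inspection. "Audio and Video Files" is a
# file group FSRM ships with; the FY04 group is created here.
filescrn filegroup add /Filegroup:"FY04 Forecasts" /Members:"FY04*"
filescrn screen add "/Path:$homeShare" /Add-Filegroup:"Audio and Video Files" /Type:Active
# Passive screening logs the event without blocking: the right first step on a
# share whose contents you do not yet know, and the audit log it produces
# feeds the "file screen audit" report.
filescrn screen add "/Path:$deptShare" /Add-Filegroup:"FY04 Forecasts" /Type:Passive
filescrn screen list
```

Start screens in passive mode and read the audit log for a week before switching to active; the list of what would have been blocked is usually more informative than the policy you wrote.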
Demonstration: Storage Management – Quotas and reporting; File Screening
Change: Windows Server 2003 R2 Licensing
Multiple instances per license for EE
Windows Server 2003 R2 Standard Edition
• Server A: 5 licenses for WS 2003 R2 STD
  – Each license allows the user to run 1 instance in a physical or virtual OS environment on the licensed server
  – Same rule applies to WS 2003 (STD and EE)
• 1 license for Virtual Server
Windows Server 2003 R2 Enterprise Edition
• Server A: 1 license for WS 2003 R2 EE
  – Run 1 instance in a physical OS environment on the licensed server
  – Run up to 4 instances in virtual OS environments on the licensed server
  – Run instances of STD in place of EE in virtual OS environments
• 1 license for Virtual Server
Diagram: Server "A" with Enterprise Edition runs WS 2003 R2 EE in the physical OS environment with Virtual Server hosting four virtual OS environments (EE, STD, EE, STD) under the one EE license; Server "A" with Standard Edition runs WS 2003 R2 STD in the physical OS environment with Virtual Server hosting four STD virtual OS environments, each needing its own STD license.
Windows Server Virtualization Licensing
Current rights: for each software license, you may install and use 1 copy of the software on 1 device (1 install = 1 license).
New use rights:
1. License by running instances
  – Customer pays for what they use
2. Enhanced virtual use rights in Windows Server 2003 R2 Enterprise
  – 1 physical instance and up to 4 virtual
  – Enables flexible deployment
  – Supports common enterprise scenarios (server consolidation, application isolation, etc.)
Diagram: a SAN or file server holding many images, deployed to servers (i.e. devices) such as Windows Server with SQL, with multiple instances per device.
Edition | Virtual instances | Channel | Price
Standard | 1 | All | Unchanged
Enterprise | 4 | All | Unchanged
Datacenter | 1 per proc | OEM | Unchanged
Summary
• Windows Server 2003 R2
  – Principal Scenarios
    • Identity and Access Management
    • Efficient Storage Management
    • Simplified Branch Server Management
    • Cost-Effective Virtualization
  – UNIX Interoperability
Editions and Features
Feature | Standard Edition | Enterprise Edition | Datacenter Edition
File Server Resource Manager | √ | √ | √
Storage Manager for SANs | √ | √ | √
Active Directory Federation Services (ADFS) | – | √ | √
ADFS Proxy | – | √ | √
ADFS Web Agents | √ | √ | √
Active Directory Application Mode | √ | √ | √
Distributed File System – Replication with Remote Differential Compression | √ | √ | √
Distributed File System – Cross-File Remote Differential Compression* | – | √* | √*
Print Management Console | √ | √ | √
Microsoft Management Console 3.0 | √ | √ | √
Windows SharePoint Services V2 SP2 | √ | √ | √
.NET Framework 2.0 | √ | √ | √
Subsystem for UNIX Applications | √ | √ | √
UNIX Interop (NIS Server, Password Sync, NFS Admin, etc.) | √ | √ | √
x64 Availability | √ | √ | √
WS-Management | √ | √ | √
* Only one of the replication partners is required to be an Enterprise Edition or Datacenter Edition
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
All other trademarks are property of their respective owners. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Blogs.TechNet.com/brucecowper