Bruce Cowper IT Pro Advisor Microsoft Canada

Page 1: Bruce Cowper IT Pro Advisor Microsoft Canada. Agenda Windows Server™ 2003 R2 –Principal Scenarios Identity and Access Management Efficient Storage Management

Bruce Cowper

IT Pro Advisor

Microsoft Canada

Page 2: Agenda

• Windows Server™ 2003 R2
  – Principal Scenarios
    • Identity and Access Management
    • Efficient Storage Management
    • Simplified Branch Server Management
    • Cost-Effective Virtualization

Page 3: Principal Scenarios

• Identity Management: Manage a single identity across partner, web and UNIX apps
• Branch Office: Better connectivity, reliability, security
• Storage Management: Better control over storage setup
• Virtualization: Enterprise Edition & Virtual Server R2

Page 4: Identity and Access Management
Challenge: Extending access across users, apps, platforms

Diagram labels: Your EMPLOYEES; Your APPLICATIONS; Your PLATFORMS; Your SUPPLIERS / Their APPLICATIONS; Your PARTNERS / Their APPLICATIONS; Your REMOTE and VIRTUAL EMPLOYEES; Your CUSTOMERS

Page 5: Identity and Access Management
Windows Server 2003 R2 Features

• Active Directory® Application Mode (ADAM)
  – Lightweight, domain-independent mode of Active Directory for application directory scenarios
  – Interoperability with Domain Mode for authentication
  – Benefit: Tailor directory services infrastructure for local control/autonomy or shared services
• UNIX Identity Management
  – Server for Network Information Service (NIS) helps integrate Windows and UNIX domains
  – Password synchronization simplifies password maintenance across platforms
  – Benefit: Efficient multi-platform identity management
• Active Directory Federation Services (ADFS)

Page 6: Active Directory Application Mode

• Lightweight, domain-independent mode of Active Directory for application directory scenarios
  – Same code as Active Directory = same programming model, admin tools, replication model
  – Simple wizard-based install; no DCPROMO
  – Schema flexibility; synchronization with Active Directory possible via Identity Integration Feature Pack
• Free web download
  – Authentication in Active Directory, authorization in ADAM for increased security

Page 7: ADAM Usage Scenarios
Application-specific local directory

• Example: Web portal with personalization
  – Store personalization info in ADAM
  – Use Active Directory for authentication

Diagram labels: Client; Web portal server; ADAM (store/retrieve data); Infrastructure Active Directory (authentication)

Page 8: ADAM Usage Scenarios
Extranet Access Management

• Policy server: ADFS or third-party solutions (CA SiteMinder, OpenNetwork/BMC, etc.)
  – "Fast-bind authentication" via LDAP bind calls
• Scenario benefits from ADAM ease of use

Diagram labels: Web client; Web servers; Policy Server; ADAM; LDAP "admin connection" (search, update); LDAP bind (authN)

Page 9: UNIX Identity Management
Efficient Cross-platform User Management

• Consolidation of administration and monitoring across platforms
• Remotely monitor and administer Windows-based systems in the same fashion and with the same tools as UNIX-based systems

Diagram labels (a mixed estate): UNIX Server; Windows Server; Windows Workstation; UNIX Workstation

Page 10: Server For NIS

Makes a Windows Server 2003 Active Directory into a NIS (Network Information System) master server

Diagram labels: NIS Clients; UNIX NIS Servers (Master, Slave); Windows Servers (Slave)

Page 11: Server For NIS

Diagram labels: UNIX NIS Servers; Windows Servers; NIS Clients; Slave, Slave, Slave, Master

Page 12: UNIX Password Synchronization

• Pull NIS schema into Active Directory
• Bidirectional Password Sync, user name mapping, supported on:
  – HP-UX 11i
  – Sun Solaris 8 & 9
  – IBM AIX 5L 5.2
  – Red Hat Linux 9.0
• Mapping Server
  – Map Windows® User and Group Accounts to UNIX

Page 13: Active Directory Federation Services
Windows Integrated Authentication: Great For Intranets

• Active Directory: Logon to Windows
• Flexible Authentication: Kerberos; X509 v3/Smartcard/PKI; VPN/802.1x/RADIUS; LDAP; Passport/Digest/Basic (Web); SSPI/SPNEGO
• Single Sign-on to: Windows File/Print servers; Microsoft applications; 390/AS400 (Host Integration Server); ERP (BizTalk®, SharePoint® ESSO); 3rd Party Integrated Apps; Web Applications via IIS; UNIX/J2EE

Diagram labels: Exchange; Web APPS; File Share; Windows Integrated Applications

Page 14: ADFS Scenario: Web SSO

• User credentials and attributes managed in Active Directory/ADAM at the application
• Benefits:
  – Single sign-on to farm of IISv6 web apps
  – Stronger authentication via forms, client-side certs
  – ADAM support: LDAP user store in perimeter
  – Support for "road warrior" applications
• Windows Integrated Auth for internal users
• ADFS auth for external users

Diagram labels: Customers; Business Partners; Employees

Page 15: ADFS Scenario: Identity Federation

• User credentials and attributes managed in "home realm" by partner organization
• Benefits:
  – Single sign-on to internal and partner web applications
  – Fewer passwords for users to forget
  – Lower password reset costs
  – Centralized administration, delegated to partners
  – Automated restriction of partner app access
  – Logging of inbound and outbound access requests

Diagram labels: Business Partners. Cross Organization Namespace Manages:
  – Trust: Keys
  – Security: Claims required
  – Privacy: Claims allowed
  – Audit: Identities, authorities

Page 16: Identity Federation in Action

Diagram labels: A. Datum Account Forest; Trey Research Resource Forest; Internal Client; Account Federation Server; Resource Federation Server; Web Server; Active Directory; Federation Trust

Page 17: ADFS: Standards-Based Solution

Multi-vendor, multi-platform interoperability via Web Services

Diagram labels: AD Users; .Net Apps; Active Directory; Federation Services; Java, UNIX, Linux Users; Java, UNIX, Linux Apps; partner products: IBM, PingID, BMC, Quest, CA, Centrify + others…; WS-Federation; Security Token Service; HTTP messages / HTTP Receiver; SOAP messages / SOAP Receiver; Now; Future

Page 18: ADFS Architecture

• Active Directory (2K, 2K3, ADAM)
  – Authenticates users
  – Manages attributes
• Federation Service (FS)
  – STS (security token service)
  – Issues security tokens
  – Populates claims: statements an authority makes about security principals
  – Manages federation trust policy
• FS Proxy (FS-P)
  – Client proxy for token requests
  – Provides UI for browser clients
• Web Server SSO Agent
  – Enforces user authentication
  – Creates user authorization context
• Application (authorization)
  – Windows NT® Impersonation and ACLs
  – ASP.NET IsInRole()
  – AzMan RBAC integration
  – ASP.NET Raw Claims API

Diagram labels (one set per realm): browser; FS; FS-P; AD or ADAM; Web Server; Application; SSO Agent. Connections: HTTPS; LPC/Web Methods; Windows Authentication/LDAP
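The architecture slide above describes the Federation Service issuing signed claims tokens and the Web Server SSO Agent turning a valid token into an authorization context that the application checks with IsInRole(); the federation slide lists what the trust policy manages (keys, claims required, claims allowed, audit). The Python below is an added example written for this page, not code from the presentation or from ADFS: it models those roles with an HMAC-signed JSON token, where the real product issues SAML tokens signed with X.509 certificates and carries them over WS-Federation and HTTPS. The realm names (adatum, treyresearch, contoso), the directory entry for alice, the signing keys and the audience string are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the account forest's Active Directory (A. Datum): user -> credential and attributes.
ADATUM_DIRECTORY = {"alice": {"password": "correct horse battery", "groups": ["Purchasing", "Domain Users"],
                              "mail": "alice@adatum.example"}}
ADATUM_KEY = b"constructed-adatum-token-signing-key"  # shared with the resource realm's trust policy
APP = "treyresearch-purchasing"                        # token audience: the resource realm's web application

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class FederationService:
    """Security token service of one realm: authenticates against its directory and issues signed claims."""

    def __init__(self, realm: str, signing_key: bytes, directory: dict):
        self.realm, self.key, self.directory = realm, signing_key, directory

    def issue_token(self, user: str, password: str, audience: str, now: float, lifetime: int = 300) -> str:
        entry = self.directory.get(user)
        if entry is None or not hmac.compare_digest(entry["password"], password):
            raise PermissionError("authentication failed")
        # Claims: statements this authority makes about the security principal.
        claims = {"iss": self.realm, "aud": audience, "sub": user, "exp": int(now + lifetime),
                  "groups": entry["groups"], "mail": entry["mail"]}
        payload = _b64url(json.dumps(claims, sort_keys=True).encode())
        signature = _b64url(hmac.new(self.key, payload.encode(), hashlib.sha256).digest())
        return f"{payload}.{signature}"

class AuthorizationContext:
    """What the SSO agent hands to the application; is_in_role mirrors ASP.NET IsInRole()."""

    def __init__(self, user: str, claims: dict):
        self.user, self.claims = user, claims

    def is_in_role(self, role: str) -> bool:
        return role in self.claims.get("groups", [])

class SsoAgent:
    """Web server SSO agent of the resource realm: validates tokens against the federation trust policy."""

    def __init__(self, audience: str, trust_policy: dict):
        # trust_policy: issuer realm -> {"key": bytes, "claims_required": [...], "claims_allowed": [...]}
        self.audience, self.trust_policy, self.audit_log = audience, trust_policy, []

    def accept(self, token: str, now: float) -> "AuthorizationContext | None":
        try:
            payload, signature = token.split(".")
            claims = json.loads(_unb64url(payload))
            if not isinstance(claims, dict):
                raise ValueError("claims must be a JSON object")
        except ValueError:
            return self._deny("malformed token", {})
        policy = self.trust_policy.get(claims.get("iss"))
        if policy is None:                                   # Trust: only issuers whose keys are on file
            return self._deny("untrusted issuer", claims)
        expected = _b64url(hmac.new(policy["key"], payload.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, signature):
            return self._deny("bad signature", claims)
        if claims.get("aud") != self.audience or claims.get("exp", 0) <= now:
            return self._deny("wrong audience or expired", claims)
        missing = [c for c in policy["claims_required"] if c not in claims]
        if missing:                                          # Security: claims required
            return self._deny(f"missing claims {missing}", claims)
        allowed = {k: v for k, v in claims.items() if k in policy["claims_allowed"]}  # Privacy: claims allowed
        self.audit_log.append(("allow", claims["iss"], claims["sub"]))                 # Audit
        return AuthorizationContext(claims["sub"], allowed)

    def _deny(self, reason: str, claims: dict) -> None:
        self.audit_log.append(("deny", reason, claims.get("sub")))
        return None

def demo(now: float = 1_700_000_000.0) -> dict:
    account_fs = FederationService("adatum", ADATUM_KEY, ADATUM_DIRECTORY)
    agent = SsoAgent(APP, {"adatum": {"key": ADATUM_KEY, "claims_required": ["sub", "groups"],
                                      "claims_allowed": ["sub", "groups"]}})  # "mail" is never released
    good = account_fs.issue_token("alice", "correct horse battery", APP, now)
    ctx = agent.accept(good, now)
    # Tampering: add a group to the payload but keep the original signature.
    payload, signature = good.split(".")
    claims = json.loads(_unb64url(payload))
    claims["groups"].append("Domain Admins")
    forged = _b64url(json.dumps(claims, sort_keys=True).encode()) + "." + signature
    untrusted = FederationService("contoso", b"constructed-other-key", ADATUM_DIRECTORY).issue_token(
        "alice", "correct horse battery", APP, now)
    stale = account_fs.issue_token("alice", "correct horse battery", APP, now - 1000)
    return {
        "in_purchasing": ctx is not None and ctx.is_in_role("Purchasing"),
        "mail_released": ctx is not None and "mail" in ctx.claims,
        "forged_accepted": agent.accept(forged, now) is not None,
        "untrusted_accepted": agent.accept(untrusted, now) is not None,
        "stale_accepted": agent.accept(stale, now) is not None,
    }
```

`demo()` runs the account-side service and the resource-side agent through the good token, a forged token, a token from an issuer the trust policy does not list, and an expired token; every refusal lands in `audit_log`, which is where the slide's "logging of inbound and outbound access requests" would draw from. The `mail` attribute is issued but filtered by the agent, which is the "claims allowed" privacy control.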

Page 19: ADFS demonstration: Mapping trusts in ADFS

Page 20:

• Identity Management: Active Directory Federation Services; UNIX Identity Management
• Branch Office: Distributed File System; Centralized File and Print Consoles
• Storage Management: File Server Resource Manager; Storage Manager for SANs
• Virtualization: Enterprise Edition licensing change

Page 21: Simplified Branch Server Management
Branch office challenges

• Wide-Area Network (WAN)
  – WAN costs can be significant
  – WAN latency issues
• Security / Management costs
  – Lack of network admins on site in branch offices
  – Tape backup expensive, unreliable
  – Tools need to scale to large number of branches
• Policy
• Delegation
• UI

Page 22: Security Configuration Wizard

• Server 2003 SP1 and Server 2003 R2
• Identifies open ports
• The wizard should be executed with required applications and services running
• Selects server roles from configuration database
• Configures required services
• Configures ports for Windows Firewall
• Configures security for LDAP and SMB
• Configures an audit policy
• Configures settings specific to roles performed by the server

Page 23: Security Configuration Wizard

• Configuration saved to XML file
• Applied by the wizard
  – Apply an existing security policy
• Applied from the command line
  – scwcmd.exe configure /p:webserverpolicy.xml
• Used in scripts
  – Unattended setup scripts

Page 24: Security Configuration Wizard demonstration: Using the Security Configuration Wizard; Roles and Templates

Page 25: Simplified Branch Server Management
Windows Server 2003 R2 Features for Branch

• Easily manage your infrastructure with centralized management tools
  – DFS Management Console & Failover with Failback
  – Print Management Console
• Keep your business running smoothly by taking advantage of faster data replication
  – DFS: Remote Differential Compression
• Reduce administration costs by eliminating local administration & local back-up

Page 26: Simplified Branch Server Management
Enabling Technologies: DFS Namespace

• Brand new management UI
  – Hierarchical view of namespace
  – New features such as rename links, drag 'n' drop
• New features in DFS Namespace Service
  – Failback (configured by admin at root or link)
    • Vs. Failover
  – Prioritization of Target Server referrals
    • Set priority of servers to which you fail back

Page 27: Simplified Branch Server Management
Enabling Technologies: Distributed File System Replication (DFS-R)

• A robust multi-master file replicator
  – Efficient, scalable & robust
• Key new features:
  – Core Service:
    • Efficient and simple state-based synchronization
    • Remote Differential Compression
    • Bandwidth Throttling
  – New management console

Page 28: Simplified Branch Server Management
Enabling Technologies: Remote Differential Compression (RDC)

• New Microsoft algorithm
  – Send only minimal deltas when transferring data over a network
• RDC efficiency examples
  – Change title in a 3.5MB PPT, resync takes just 16K

Connection Type | Save full 3.5MB | Save changes only
56K bps modem | 10 minutes | 3 seconds
500K bps DSL | 70 seconds | <1 second

Source: MS Internal
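The slide states the principle behind RDC (transfer only the parts of a file that changed) and illustrates it with the 3.5 MB PowerPoint whose title edit resyncs in 16 KB. The Python below is an added illustration written for this page, not Microsoft's RDC implementation: it uses content-defined chunking driven by a rolling hash, so an edit near the start of a file does not shift every later chunk boundary, and then transfers only the chunks the receiving replica does not already hold. The sample document, the chunk-size limits and the hash parameters are constructed for the example; the real algorithm differs in its fingerprinting, its signature exchange and its recursive application to the signatures themselves.

```python
import hashlib

WINDOW = 16          # bytes covered by the rolling hash
MIN_CHUNK = 32       # never cut a chunk shorter than this ...
MAX_CHUNK = 256      # ... or longer than this
BOUNDARY_BITS = 6    # cut where the top 6 bits of the mixed hash are zero: about one position in 64
_POW = pow(31, WINDOW, 1 << 32)


def chunk_boundaries(data: bytes) -> list:
    """Content-defined chunking. A boundary depends only on the bytes in the window around it,
    so an edit moves the chunk(s) it touches while the chunks after it keep their old boundaries."""
    boundaries, start, h = [], 0, 0
    for i, byte in enumerate(data):
        h = (h * 31 + byte) & 0xFFFFFFFF
        if i >= WINDOW:                                   # drop the byte that just left the window
            h = (h - data[i - WINDOW] * _POW) & 0xFFFFFFFF
        mixed = (h * 0x9E3779B1) & 0xFFFFFFFF             # spread the window hash into its high bits
        length = i + 1 - start
        if length >= MAX_CHUNK or (length >= MIN_CHUNK and mixed >> (32 - BOUNDARY_BITS) == 0):
            boundaries.append((start, i + 1))
            start = i + 1
    if start < len(data):
        boundaries.append((start, len(data)))
    return boundaries


def signatures(data: bytes) -> list:
    """(hash, start, end) for each chunk; the hashes are what the two replicas exchange."""
    return [(hashlib.sha256(data[a:b]).digest(), a, b) for a, b in chunk_boundaries(data)]


def delta_sync(receiver_copy: bytes, sender_copy: bytes) -> dict:
    """The receiver holds the old file, the sender the new one. The sender transmits only chunks
    the receiver does not already have, and the receiver rebuilds the new file from both sets."""
    have = {h: receiver_copy[a:b] for h, a, b in signatures(receiver_copy)}
    recipe, sent = [], {}
    for h, a, b in signatures(sender_copy):
        recipe.append(h)
        if h not in have and h not in sent:
            sent[h] = sender_copy[a:b]
    store = {**have, **sent}                               # receiver side: old chunks plus received ones
    rebuilt = b"".join(store[h] for h in recipe)
    return {"bytes_sent": sum(len(c) for c in sent.values()), "chunks_sent": len(sent),
            "chunks_total": len(recipe), "file_size": len(sender_copy),
            "rebuilt_ok": rebuilt == sender_copy}


# Constructed sample document: a title line followed by a long body.
ORIGINAL = b"Title: Q3 Branch Review\n" + b"".join(
    f"line {i:04d}: quarterly figures for branch {i % 7}, region {i % 3}\n".encode() for i in range(1000))
EDITED = ORIGINAL.replace(b"Q3 Branch Review", b"Q4 Branch Review (final)")  # edit shifts every later byte


def demo() -> dict:
    return delta_sync(ORIGINAL, EDITED)
```

`demo()` edits the title of a roughly 50 KB document, which moves every byte after it by eight positions; with fixed-size blocks that would invalidate every block, but with content-defined boundaries only the chunk containing the edit (and at most a few neighbours while the boundaries realign) has to cross the link, and the receiver's rebuilt copy matches the sender's byte for byte.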

Page 29: Simplified Branch Server Management
Enabling Technologies: Print Role

• New Print Management Console (PMC) in R2
• With PMC, branch servers can easily be print servers because they are remotely manageable on a 1-to-many basis

Diagram labels: Printers Node; Servers Node

Page 30: DFS demonstration: Setting up and Securing DFS

Page 31: Scenario overview (divider slide, same content as Page 20)

Page 32: Efficient Storage Management
The Challenges of Storage Today

• Storage growth estimates: 60-100% per year
• Managing storage growth effectively is a challenge
  – Direct Attached Storage (DAS) solutions have limitations
  – Storage Area Network (SAN) solutions can be complex
  – Few IT professionals are storage experts:
    • 35% of SMBs have moved from DAS to SAN
    • 40% of SMBs are considering moving to SAN
• Costs of managing storage can be 10x the cost of storage
• Process of consolidating File Servers/Storage is involved
  – Complex and error prone
  – Potential disruption to end users

Page 33: Efficient Storage Management
Windows Server 2003 R2 Storage Management

• File Server Resource Manager (FSRM)
  – Capacity Management
  – Policy Management / File Screening
  – Quota Management
• Storage Manager for SANs (SMFS)
  – Configuration Management
  – Disk provisioning
  – Disk management

Page 34: Efficient Storage Management
FSRM: Administrator Challenges

• Capacity Management
  – Determine existing storage capacity usage across the organization
  – Determine whether usage effectively supports organizational goals
  – Define and implement storage policies
  – Adjust the policies as capacity needs grow and as organization needs change
• Policy Management
  – No easy way to control the type of data stored on file servers
  – Unwanted content must be identified manually
• Quota Management
  – User home directories often grow quickly, causing servers to run out of space
  – Departmental shares can also grow unexpectedly
  – Administrators are only aware of storage crises when the server is already out of space

Page 35: Efficient Storage Management
FSRM: Capacity Management

• Functionality
  – Predefined and configurable storage capacity reporting
    • Predefined reports for ease of use
    • Configurable reports for fine tuning to specific server environments
  – Multiple report formats
  – Generate reports at scheduled intervals (e.g. off-hours)
  – Save reports locally or send to users via e-mail
  – Support for clustered configurations

Predefined reports: Large files; Most/least recently used; Files by owner; Files by file group; Duplicate files; Quota usage; File screen audit; Export report
Configurable: Multiple volumes; Multiple folders or shares

Page 36: Efficient Storage Management
FSRM: Policy Management (File Screening)

• Functionality
  – Applies to a folder tree or volume
  – Screening rules
    • Based on file groups
    • Apply to all user files in the folder
    • File screening settings can be saved in a template
  – Passive and active screening supported
  – Screening events recorded in audit log
  – Same set of notifications as quotas
  – File system interoperability
    • Only NTFS volumes are supported
    • Usage is tracked in real time
    • Only volumes with screening configuration are monitored
    • Screening is based on file name patterns (*.mp3, FY04*)
  – Self-consistent volume configuration
  – Cluster support
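The slide lists the moving parts of file screening: screens attached to a folder tree or volume, file groups made of name patterns such as *.mp3 and FY04*, passive versus active mode, an audit record per event, and NTFS-only monitoring. The Python below is an added example written for this page, not FSRM code, that puts those parts together as the check a file server would run when a file is created or renamed. The volume table, file groups, screen paths and create attempts are constructed; treating a nested screen with no blocked groups as the equivalent of an FSRM file screen exception is this example's simplification.

```python
import fnmatch
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed volume table: screening applies to NTFS volumes only.
VOLUMES = {"D:": "NTFS", "E:": "FAT32"}

# File groups: named sets of file name patterns (the slide's examples are *.mp3 and FY04*).
FILE_GROUPS = {
    "Audio and Video Files": ["*.mp3", "*.wav", "*.avi", "*.wmv"],
    "FY04 Archives": ["FY04*"],
}


@dataclass
class FileScreen:
    folder: str                 # folder tree or volume root the screen applies to
    blocked_groups: List[str]   # empty list: behaves like a file screen exception (this example's assumption)
    active: bool = True         # active: refuse the file; passive: allow it but record the event

    def matching_group(self, file_name: str) -> Optional[str]:
        # NTFS names are case-insensitive, so compare lower-cased names with case-sensitive globbing.
        name = file_name.lower()
        for group in self.blocked_groups:
            if any(fnmatch.fnmatchcase(name, pattern.lower()) for pattern in FILE_GROUPS[group]):
                return group
        return None


def _is_under(path: PureWindowsPath, folder: str) -> bool:
    try:
        path.relative_to(PureWindowsPath(folder))
        return True
    except ValueError:
        return False


@dataclass
class FileScreeningService:
    screens: List[FileScreen]
    audit_log: list = field(default_factory=list)

    def check_create(self, full_path: str) -> bool:
        """Return True if a create/rename to this name may proceed, False if an active screen blocks it."""
        path = PureWindowsPath(full_path)
        if VOLUMES.get(path.drive.upper()) != "NTFS":
            return True                                   # volume is not monitored at all
        applicable = [s for s in self.screens if _is_under(path, s.folder)]
        if not applicable:
            return True
        # The deepest (most specific) screen decides, so a nested exception overrides its parent.
        screen = max(applicable, key=lambda s: len(PureWindowsPath(s.folder).parts))
        group = screen.matching_group(path.name)
        if group is None:
            return True
        self.audit_log.append({"path": str(path), "file_group": group, "screen": screen.folder,
                               "action": "blocked" if screen.active else "allowed (passive)"})
        return not screen.active


def demo() -> dict:
    service = FileScreeningService([
        FileScreen(r"D:\Shares\Users", ["Audio and Video Files"], active=True),
        FileScreen(r"D:\Shares\Users\podcast-team", [], active=True),        # exception subfolder
        FileScreen(r"D:\Shares\Public", ["FY04 Archives"], active=False),     # passive: monitor only
    ])
    # Constructed create attempts as the file server would see them.
    attempts = [
        r"D:\Shares\Users\bob\track01.MP3",
        r"D:\Shares\Users\bob\report.docx",
        r"D:\Shares\Users\podcast-team\episode7.mp3",
        r"D:\Shares\Public\FY04_budget.xls",
        r"E:\Data\song.mp3",
    ]
    return {"results": {p: service.check_create(p) for p in attempts}, "audit": service.audit_log}
```

Of the five attempts, only bob's MP3 is refused: the podcast team's MP3 is allowed by the nested exception, the FY04 spreadsheet is allowed because that screen is passive (but it still produces an audit entry, which is how a passive screen is used to measure before enforcing), and the file on the FAT32 volume is never examined.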

Page 37: Efficient Storage Management
FSRM: Quota Management

• Functionality
  – Quotas limit the size of a directory tree or a volume
  – Quota applies to all users' files in the directory
  – Limit can be soft or hard
  – File system interoperability
    • Only NTFS volumes are supported
    • Usage is tracked in real time, failing I/Os at hard limit
    • Only volumes with quota configuration are monitored
    • Quota usage is charged based on disk size
    • Support for special files: compressed, sparse, named streams, hard links, reparse points
  – Multiple notification thresholds at configurable quota utilization levels
  – Self-consistent volume configuration
    • Quota settings travel with volume (SAN, hot-pluggable disks)
    • Cluster support
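The quota slide makes three points worth seeing in code: a hard limit fails the I/O while a soft limit only notifies, usage is charged on disk (allocated) size rather than logical size, and notifications fire at configurable utilization thresholds. The Python below is an added example written for this page, not FSRM code; the cluster size, quota paths, limits and write sequence are constructed, and charging only the deepest matching quota (rather than every enclosing one) is this example's simplification.

```python
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Optional, Tuple

CLUSTER_SIZE = 4096   # constructed NTFS allocation unit; usage is charged on allocated, not logical, size
MB = 1024 * 1024


def charged_size(logical_bytes: int) -> int:
    """Round a file size up to whole clusters: 'quota usage is charged based on disk size'."""
    return -(-logical_bytes // CLUSTER_SIZE) * CLUSTER_SIZE


@dataclass
class Quota:
    folder: str                                   # directory tree (or volume) the quota limits
    limit: int                                    # bytes
    hard: bool                                    # hard: writes past the limit fail; soft: allowed, notified
    thresholds: Tuple[int, ...] = (85, 95, 100)   # notification thresholds in percent of the limit
    used: int = 0
    fired: set = field(default_factory=set)       # thresholds already notified, so each fires once


@dataclass
class QuotaManager:
    quotas: list
    notifications: list = field(default_factory=list)

    def _quota_for(self, path: PureWindowsPath) -> Optional[Quota]:
        matches = []
        for quota in self.quotas:
            try:
                path.relative_to(PureWindowsPath(quota.folder))
                matches.append(quota)
            except ValueError:
                pass
        # The deepest quota is the one charged here (simplification: FSRM charges every enclosing quota).
        return max(matches, key=lambda q: len(PureWindowsPath(q.folder).parts), default=None)

    def write(self, full_path: str, logical_bytes: int) -> bool:
        """Simulate an I/O that adds a file of logical_bytes under full_path. False means the I/O failed."""
        quota = self._quota_for(PureWindowsPath(full_path))
        if quota is None:
            return True                                        # tree is not monitored
        projected = quota.used + charged_size(logical_bytes)
        if quota.hard and projected > quota.limit:
            self.notifications.append((quota.folder, "hard limit", "I/O failed"))
            return False
        quota.used = projected
        percent = quota.used * 100 // quota.limit              # may exceed 100 for a soft quota
        for level in quota.thresholds:
            if percent >= level and level not in quota.fired:
                quota.fired.add(level)
                self.notifications.append((quota.folder, f"{level}% threshold",
                                           f"{quota.used} of {quota.limit} bytes used"))
        return True


def demo() -> dict:
    manager = QuotaManager([
        Quota(r"D:\Users\alice", limit=100 * MB, hard=True),        # home directory: hard limit
        Quota(r"D:\Shares\Marketing", limit=100 * MB, hard=False),  # departmental share: soft limit
    ])
    # Constructed write sequence.
    results = [
        manager.write(r"D:\Users\alice\video.mov", 90 * MB),        # allowed; crosses the 85% threshold
        manager.write(r"D:\Users\alice\more.mov", 20 * MB),         # fails: would exceed the hard limit
        manager.write(r"D:\Users\alice\note.txt", 1),               # allowed; charged one whole cluster
        manager.write(r"D:\Shares\Marketing\deck.ppt", 120 * MB),   # allowed; soft limit, 85/95/100 fire
        manager.write(r"D:\Temp\scratch.bin", 500 * MB),            # allowed; no quota on this tree
    ]
    return {"results": results, "notifications": manager.notifications,
            "alice_used": manager.quotas[0].used}
```

The one-byte note shows the disk-size rule: alice's usage rises by a full cluster, not by one byte. The marketing share ends at 120% of its soft limit with three notifications and no failed I/O, which is the "warn before it hurts" mode the administrator-challenges slide asks for.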

Page 38: Storage Management demonstration: Quotas and reporting; File Screening

Page 39: Scenario overview (divider slide, same content as Page 20)

Page 40: Change: Windows Server 2003 R2 Licensing
Multiple instances per license for EE

Windows Server 2003 R2 Standard Edition (Server A)
• 5 licenses for WS 2003 R2 STD
  – Each license allows user to run 1 instance in a physical or virtual OS environment on licensed server
  – Same rule applies to WS 2003 (STD and EE)
• 1 license for Virtual Server

Windows Server 2003 R2 Enterprise Edition (Server A)
• 1 license for WS 2003 R2 EE
  – Run 1 instance in a physical OS environment on licensed server
  – Run up to 4 instances in virtual OS environments on licensed server
  – Run instances of STD in place of EE in virtual OS environments
• 1 license for Virtual Server

Diagram labels: Server "A" with WS 2003 R2 Enterprise Edition: Physical OS Environment, Virtual Server, Virtual OS Environments; instances labelled WS 2003 R2 EE, WS 2003 R2 STD, WS 2003 R2 EE, WS 2003 R2 STD. Server "A" with WS 2003 R2 Standard Edition: Physical OS Environment, Virtual Server, Virtual OS Environments; instances labelled WS 2003 R2 STD (four times)

Page 41: Windows Server Virtualization Licensing

Current Rights: For each SW license, you may install and use 1 copy of the software on 1 device (1 install = 1 license)

New Use Rights:
1. License by Running Instances
   – Customer pays for what they use
2. Enhanced Virtual Use Rights in Windows Server 2003 R2 Enterprise
   – 1 Physical Instance and up to 4 virtual
   – Enables Flexible Deployment
   – Supports Common Enterprise Scenarios (Server Consolidation, Application Isolation, etc)

Diagram labels: SAN or file server w/ many images; Servers (i.e. devices); Windows Server w/ SQL; Multiple instances per device

Edition | Virtual Instances | Channel | Price
Standard | 1 | All | Unchanged
Enterprise | 4 | All | Unchanged
Datacenter | 1 per Proc | OEM | Unchanged

Page 42: Summary

• Windows Server 2003 R2
  – Principal Scenarios
    • Identity and Access Management
    • Efficient Storage Management
    • Simplified Branch Server Management
    • Cost-Effective Virtualization
  – UNIX Interoperability

Page 43: Editions and Features

Feature | Standard Edition | Enterprise Edition | Datacenter Edition
File Server Resource Manager | √ | √ | √
Storage Manager for SANs | √ | √ | √
Active Directory Federation Services (ADFS) | | √ | √
ADFS Proxy | | √ | √
ADFS Web Agents | √ | √ | √
Active Directory Application Mode | √ | √ | √
Distributed File System – Replication with Remote Differential Compression | √ | √ | √
Distributed File System – Cross-File Remote Differential Compression* | | √* | √*
Print Management Console | √ | √ | √
Microsoft Management Console 3.0 | √ | √ | √
Windows SharePoint Services V2 SP2 | √ | √ | √
.NET Framework 2.0 | √ | √ | √
Subsystem for UNIX Applications | √ | √ | √
UNIX Interop (NIS Server, Password Sync, NFS Admin, etc) | √ | √ | √
x64 Availability | √ | √ | √
WS-Management | √ | √ | √

* Only one of the replication partners is required to be an Enterprise Edition or Datacenter Edition

Page 44:

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

All other trademarks are property of their respective owners. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Bruce Cowper
IT Pro Advisor
Microsoft Canada
Blogs.TechNet.com/brucecowper