Networks and Protocols CE00997-3 Week 9a

Upload: juliet-obrien

Post on 31-Dec-2015


TRANSCRIPT

Page 1: Networks and Protocols CE00997-3 Week 9a. Network Management Novell NDS Microsoft ADS

Networks and Protocols CE00997-3

Week 9a

Page 2:

Network Management

• Novell NDS
• Microsoft ADS

Page 3:

What is network management?

• Many views, but typically includes:
• Logging on of users
• Management of resources, both hardware and software, e.g. files, storage areas, printers…
• Sharing of resources
• Setting of permissions to use resources
• Providing a logical structure to the network
• Managing the flow of traffic across the network

Page 4:

Other roles

• Centralised administration
• All user accounts, shares etc. can be managed from one point
• Replication across a number of servers or controllers
• Fault tolerance and disaster recovery

Page 5:

Other roles

• Accounting / fault logging
• Often hear AAA:
• Authentication – verify who the user is
• Authorisation – decide whether they may access a resource
• Accounting – record what they do

Page 6:

Intro

• Historically two competing companies:

• Novell – first to use an object-oriented directory (NDS), but let down by its choice of protocol (IPX/SPX rather than TCP/IP)

• Microsoft – later adopter of the OO directory approach, but with the better choice of protocol (TCP/IP)

• Similar to the VHS/Betamax battle.

Page 7:

NDS

• Novell Directory Services (NDS) is a popular software product for managing access to computer resources and keeping track of the users of a network, such as a company's intranet, from a single point of administration.

Page 8:

Background

• Using NDS, a network administrator can set up and control a database of users and manage them using a directory with an easy-to-use graphical user interface (GUI).

• Users of computers at remote locations can be added, updated, and managed centrally. Applications can be distributed electronically and maintained centrally.

Page 9:

Background

• Based on the original Novell NetWare 4.0
• Now known as eDirectory
• Platform independent
• The latest version runs on NetWare, Windows 2000, Solaris, Linux, and Compaq Tru64 UNIX systems

Page 10:

Background

• NDS serves as a platform for directory-enabled services such as automated business-relationship management, supply-chain management, and electronic storefronts.

• Other services include automated provisioning, enhanced security, customer profiling, electronic wallets, automated notification systems, customized Web interfaces, and virtual private networks (VPNs).

Page 11:

History

• NetWare evolved from a very simple concept: file sharing instead of disk sharing.
• In 1983, when the first versions of NetWare were designed, all other competing products were based on the concept of providing shared direct disk access.
• Validated by IBM in 1984.
• Disk space was shared in the form of NetWare volumes, comparable to DOS volumes. Clients running MS-DOS would run a special Terminate and Stay Resident (TSR) program that allowed them to map a local drive letter to a NetWare volume.

Page 12:

History

• Clients had to log in to a server in order to be allowed to map volumes, and access could be restricted according to the login name.
• Similarly, they could connect to shared printers on the dedicated server, and print as if the printer was connected locally.
• NetWare established the dominant position in the market in the early and mid 1990s by developing its XNS-derived IPX/SPX protocol as the local area network (LAN) standard.

Page 13:

History cont.

• Late 1990s, with Internet connectivity booming, the Internet's TCP/IP protocol became dominant on LANs. Novell had introduced limited TCP/IP support in NetWare v3.x (circa 1992) and v4.x (circa 1995), consisting mainly of FTP services and UNIX-style LPR/LPD printing (available in NetWare v3.x), and a Novell-developed webserver (in NetWare v4.x). Native TCP/IP support for the client file and print services normally associated with NetWare was introduced in NetWare v5.0 (released in 1998).

Page 14:

History cont.

• The popular use and growth of Novell NetWare began in 1985 with the simultaneous release of NetWare 286 2.0a and the Intel 80286 16-bit processor.
• The 80286 CPU featured a new 16-bit protected mode that provided access to up to 16 MB RAM as well as mechanisms to support multi-tasking. Prior to the 80286, servers were based on the Intel 8086/8088 8/16-bit processors, limited to an address space of 1 MB with not more than 640 KB usable RAM, and did not support multi-tasking.

Page 15:

History cont.

• The combination of a higher 16 MB RAM limit, 80286 processor feature utilization, and 256 MB NetWare volume size limit allowed reliable, cost-effective server-based local area networks to be built for the first time.

• The 16 MB RAM limit was especially important, since it made enough RAM available for disk caching to significantly improve performance. This became the key to Novell's performance while also allowing larger networks to be built.

Page 16:

History cont.

• Another significant difference of NetWare 286 was that it was hardware-independent, unlike competing server systems from 3Com. Novell servers could be assembled using any brand of system with an Intel 80286 or higher CPU, any MFM, RLL, ESDI, or SCSI hard drive and any 8- or 16-bit network adapter for which NetWare drivers were available.
• Novell also designed a compact and simple DOS client software program that allowed DOS stations to connect to a server and access the shared server hard drive. While the NetWare server file system introduced a new, proprietary file system design, it looked like a standard DOS volume to the workstation, ensuring compatibility with all existing DOS programs.

Page 17:

History cont.

• NetWare was based on the NetWare Core Protocol (NCP), which is a packet-based protocol that enables a client to send requests to and receive replies from a NetWare server. Initially NCP was directly tied to the IPX/SPX protocol, and NetWare communicated natively using only IPX/SPX.

Page 18:

NetWare 286 2.x

• NetWare version 2 was notoriously difficult to configure, since the operating system was provided as a set of compiled object modules that required configuration and linking.
• The file system used by NetWare 2 was NetWare File System 286, or NWFS 286, supporting volumes of up to 256 MB. NetWare 286 recognized 80286 protected mode, extending NetWare's support of RAM from 1 MB to the full 16 MB addressable by the 80286.

Page 19:

NetWare 3.x

• Starting with NetWare 3.x, support for 32-bit protected mode was added, eliminating the 16 MB memory limit of NetWare 286. This allowed larger hard drives to be supported, since NetWare 3.x cached (copied) the entire file allocation table (FAT) and directory entry table (DET) into memory for improved performance.

Page 20:

Bindery

• Initially, NetWare used Bindery services for authentication. This was a stand-alone database system where all user access and security data resided individually on each server.
• When an infrastructure contained more than one server, users had to log in to each of them individually, and each server had to be configured with the list of all allowed users.

• "NetWare Name Services" was a product that allowed user data to be extended across multiple servers, and the Windows "Domain" concept is functionally equivalent to NetWare v3.x Bindery services with NetWare Name Services added on (i.e. a 2-dimensional database, with a flat namespace and a static schema).

Page 21:

NetWare 4.x

• Version 4, in 1993, also introduced Novell Directory Services (NDS), based on X.500, which replaced the Bindery with a global directory service in which the infrastructure was described and managed in a single place.
• Version 4 also introduced a number of useful tools and features, such as transparent compression at file system level and RSA public/private key encryption.
• Another new feature was the NetWare Asynchronous Services Interface (NASI). It allowed network sharing of multiple serial devices, such as modems.
• Client port redirection occurred via an MS-DOS or Microsoft Windows driver, allowing companies to consolidate modems and analog phone lines.

Page 22:

NetWare 5.x

• Moved away from IPX/SPX to TCP/IP
• New GUI and:
• Novell Storage Services (NSS), a new file system to replace the traditional NetWare File System - which was still supported
• Java virtual machine for NetWare
• Novell Distributed Print Services (NDPS)
• ConsoleOne, a new Java-based GUI administration console
• directory-enabled Public Key Infrastructure Services (PKIS)
• directory-enabled DNS and DHCP servers
• support for Storage Area Networks (SANs)
• Novell Cluster Services (NCS)
• Oracle 8i with a 5-user license

Page 23:

NetWare 6.0

• Simplified licensing based on users not servers, plus:
• enhanced SMP support - up to 32 processors per server
• iFolder - location- and platform-independent access to local files by automatic intelligent synchronization of the local iFolder directory with the iFolder server
• NetStorage - access to personal files through a standard web browser
• iPrint - ability to install printers from a web browser and submit print jobs over the Internet through the standard IPP protocol
• iManager - web-based administration for NetWare and other Novell products
• the Apache web server and the Jakarta Tomcat servlet container
• Native File Access Protocols - support for the SMB, AFP and NFS protocols to provide Windows, Macintosh and Unix/Linux clients with access to files on a NetWare server without a Novell client

Page 24:

NetWare 6.5 (Aug 2003)

• more open-source products such as PHP, MySQL and OpenSSH
• a port of the Bash shell and a lot of traditional Unix utilities such as wget, grep, awk and sed, to provide additional capabilities for scripting
• iSCSI support (both target and initiator)
• Virtual Office - an "out of the box" web portal for end users providing access to e-mail, personal file storage, company address book, etc.
• Domain controller functionality
• Universal password
• DirXML Starter Pack - synchronization of user accounts with another eDirectory tree, a Windows NT domain or Active Directory
• exteNd Application Server - a J2EE 1.3-compatible application server
• support for customized printer driver profiles and printer usage auditing
• NX bit support
• support for USB storage devices
• support for encrypted volumes

Page 25:

Active Directory (AD)

• Similar to NDS: both are X.500-style hierarchical directories accessed via LDAP
• Managed via MMC (Microsoft Management Console)

Page 26:

AD

• Active Directory (AD) is an implementation of LDAP directory services by Microsoft for use primarily in Windows environments.
• Its main purpose is to provide central authentication and authorization services for Windows-based computers.
• Active Directory also allows administrators to assign policies, deploy software, and apply critical updates across an organization.
• Active Directory stores information and settings in a central database. Active Directory networks can vary from a small installation with a few hundred objects to a large installation with millions of objects.

Page 27:

AD

• Introduced with Windows 2000 Server as the successor to the Windows NT 4.0 domain model; sceptics suggest that Microsoft "borrowed" Novell's object-oriented directory design (NDS)!
• Active Directory was called NTDS (NT Directory Service) in older Microsoft documents.
• There is a common misconception that Active Directory provides software distribution. Software distribution is run by a separate service that uses additional proprietary schema attributes that work in conjunction with the LDAP protocol.
• Active Directory does not automate software distribution, but provides a mechanism by which other services can provide software distribution.

Page 28:

AD

• An Active Directory (AD) structure is a hierarchical framework of objects.
• The AD provides information on the objects, organizes the objects, controls access and sets security.
• Each object represents a single entity.
• Each attribute object can be used in several different schema class objects.

Page 29:

Forests, trees, and domains

• The framework that holds the objects is viewed at a number of levels. At the top of the structure is the Forest - the collection of every object, its attributes, and rules (attribute syntax) in the AD.
• The forest holds one or more transitive, trust-linked Trees. A tree holds one or more Domains and domain trees, again linked in a transitive trust hierarchy. Domains are identified by their DNS name structure, the namespace.
• The objects held within a domain can be grouped into containers called Organizational Units (OUs).
• AD also supports the creation of Sites, which are physical, rather than logical, groupings defined by one or more IP subnets.

Page 30:

AD

• Physically, the Active Directory information is held on one or more peer domain controllers (DCs), replacing the NT PDC/BDC model. Each DC has a copy of the AD; changes made on one are synchronized (converged) across all the DCs by multi-master replication. Servers joined to AD which are not domain controllers are called Member Servers.

• Unlike earlier versions of Windows, which used NetBIOS to communicate, Active Directory is fully integrated with DNS and TCP/IP; indeed, DNS is required. To be fully functional, the DNS server must support SRV resource records (service records).

Page 31:

Naming

• AD supports UNC (\), URL (/), and LDAP URL names for object access. AD internally uses the LDAP version of the X.500 naming structure.
• Every object has a Distinguished Name (DN), so a printer object called HPLaser3 in the OU Marketing and the domain foo.org would have the DN: CN=HPLaser3,OU=Marketing,DC=foo,DC=org, where CN is common name and DC is domain component. DNs can have many more than four parts.

Page 32:

Naming

• The object can also have a Canonical name, essentially the DN in reverse, without identifiers, and using slashes: foo.org/Marketing/HPLaser3. To identify the object within its container the Relative distinguished name (RDN) is used: CN=HPLaser3. Each object also has a Globally Unique Identifier (GUID), a unique and unchanging 128-bit string which is used by AD for search and replication. Certain objects also have a User principal name (UPN), an objectname@domain name form.
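The conversions between the name forms on the two Naming slides, as an added example that is not part of the lecture material: a small parser splits a DN into its RDNs while honouring the RFC 4514 backslash escapes (so a comma inside a value such as CN=Smith\, John is not mistaken for a separator), and from the parsed DN derives the RDN, the DNS domain name, the canonical name and a UPN. The printer HPLaser3 in OU Marketing of foo.org is the slide's object; the user object, the nested OUs and all function names are this example's own.

```python
"""Active Directory / LDAP name forms (added example, not from the slides).

Parses a distinguished name (DN) into its relative distinguished names
(RDNs), honouring the backslash escapes of RFC 4514 so that a comma inside
a value is not taken as a separator, and derives from it the leaf RDN, the
DNS domain name, the canonical name and a UPN. All function names are this
example's own; the user object below is constructed for illustration.
"""


def parse_dn(dn):
    """Return the DN as a list of (attribute type, value) pairs, leaf first.

    Escapes handled: backslash + literal character ("\\," "\\=" "\\\\")
    and backslash + two hex digits ("\\2c" is a comma).
    """
    rdns = []       # unescaped RDN strings in the order they appear
    current = []    # characters of the RDN being built
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                current.append(chr(int(pair, 16)))   # \2c -> ","
                i += 3
            else:
                current.append(dn[i + 1])            # \, -> ","
                i += 2
            continue
        if ch == ",":                                # unescaped comma: RDN boundary
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))

    pairs = []
    for rdn_text in rdns:
        attr, sep, value = rdn_text.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN %r in %r" % (rdn_text, dn))
        # unescaped whitespace around the "=" carries no meaning; types are case-insensitive
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def rdn(dn):
    """The leaf RDN, e.g. CN=HPLaser3: identifies the object within its container."""
    attr, value = parse_dn(dn)[0]
    return "%s=%s" % (attr, value)


def dns_domain(dn):
    """Join the DC (domain component) values, in order, into the domain's DNS name."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


def canonical_name(dn):
    """The DN reversed, without attribute type identifiers, slash-separated:
    DNS domain first, then the container path from the top down, then the leaf."""
    path = [value for attr, value in parse_dn(dn) if attr != "DC"]
    return "/".join([dns_domain(dn)] + path[::-1])


def upn(logon_name, dn):
    """objectname@domain form, with the domain taken from the object's DN."""
    return "%s@%s" % (logon_name, dns_domain(dn))


if __name__ == "__main__":
    printer = "CN=HPLaser3,OU=Marketing,DC=foo,DC=org"          # the slide's example
    user = r"CN=Smith\, John,OU=Sales,OU=Staff,DC=foo,DC=org"   # constructed: escaped comma
    for dn in (printer, user):
        print(dn)
        print("  RDN:       ", rdn(dn))
        print("  canonical: ", canonical_name(dn))
        print("  DNS domain:", dns_domain(dn))
    print("  UPN:       ", upn("jsmith", user))
```

Note the two escape forms in parse_dn: a naive `dn.split(",")` would break CN=Smith\, John into two RDNs, which is the kind of error that lets a crafted display name land in the wrong container when DNs are rebuilt from strings in scripts.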

Page 33:

Trust

• To allow users in one domain to access resources in another, AD uses trusts. Trusts in Windows 2000 (native mode):
• One-way trust - When one domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
• Two-way trust - When two domains allow access to users on the other domain.
• Trusting domain - The domain that allows access to users from a trusted domain.
• Trusted domain - The domain that is trusted; whose users have access to the trusting domain.

Page 34:

Trust cont.

• Transitive trust - A trust that can extend beyond two domains to other trusted domains in the tree.
• Intransitive trust - A one-way trust that does not extend beyond two domains.
• Explicit trust - A trust that an admin creates. It is not transitive and is one way only.
• Cross-link trust - An explicit trust between domains in different trees, or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.
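The trust types defined on the two Trust slides, as an added example that is not part of the lecture material: each trust is a directed edge from the trusting domain to the trusted domain, flagged transitive or not, and a query asks whether users of one domain may be granted access to resources in another. Only a chain of transitive trusts extends reach beyond one hop; a one-way intransitive (explicit) trust is honoured only as the single hop out of the domain that created it. The sample forest (foo.org with child sales.foo.org, a second tree bar.org, and an external partner.example) and the class names are this example's own; only foo.org comes from the slides.

```python
"""Trust reachability between Active Directory domains (added example, not
from the slides). Each trust is a directed edge from the trusting domain to
the trusted domain, flagged transitive or not. The forest built below is
constructed for the example; only foo.org appears in the lecture material.
"""
from collections import deque


class TrustMap:
    def __init__(self):
        self.trusts = {}   # trusting domain -> {trusted domain: transitive?}

    def add_trust(self, trusting, trusted, transitive, two_way=False):
        """Record that `trusting` accepts users authenticated by `trusted`."""
        self.trusts.setdefault(trusting, {})[trusted] = transitive
        if two_way:
            self.trusts.setdefault(trusted, {})[trusting] = transitive

    def trusted_domains(self, trusting):
        """Domains whose users `trusting` accepts, directly or through a chain
        of transitive trusts. A non-transitive trust counts only as the single
        hop out of `trusting` itself: it never extends or continues a chain."""
        direct = self.trusts.get(trusting, {})
        reached = set(direct)                     # any direct trust is one hop
        queue = deque(d for d, transitive in direct.items() if transitive)
        visited = set(queue)
        while queue:
            via = queue.popleft()
            for domain, transitive in self.trusts.get(via, {}).items():
                if not transitive or domain == trusting:
                    continue                      # chain stops at an intransitive edge
                reached.add(domain)
                if domain not in visited:
                    visited.add(domain)
                    queue.append(domain)
        return reached

    def can_access(self, user_domain, resource_domain):
        """True if the resource's domain trusts the user's domain (or they are the same)."""
        if user_domain == resource_domain:
            return True
        return user_domain in self.trusted_domains(resource_domain)


def build_sample_forest():
    """Constructed sample: one forest of two trees plus one external domain."""
    tm = TrustMap()
    # parent/child trust within a tree: two-way and transitive
    tm.add_trust("sales.foo.org", "foo.org", transitive=True, two_way=True)
    # tree-root trust between the forest's two trees: two-way and transitive
    tm.add_trust("foo.org", "bar.org", transitive=True, two_way=True)
    # explicit trust to a domain outside the forest: one-way and intransitive
    tm.add_trust("foo.org", "partner.example", transitive=False)
    return tm


if __name__ == "__main__":
    forest = build_sample_forest()
    for user_dom, res_dom in [("sales.foo.org", "bar.org"),
                              ("partner.example", "foo.org"),
                              ("partner.example", "sales.foo.org"),
                              ("foo.org", "partner.example")]:
        print("%-16s -> %-16s %s" % (user_dom, res_dom, forest.can_access(user_dom, res_dom)))
```

The third and fourth queries are the ones worth remembering when assessing exposure: partner.example reaches foo.org through the explicit trust but not sales.foo.org, because the chain stops at the intransitive edge, and foo.org users reach nothing in partner.example, because the trust is one-way. Marking that external trust transitive in add_trust is all it takes for the whole forest to become reachable from the partner.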

Page 35:

ADAM

• Active Directory Application Mode (ADAM) is a light-weight implementation of Active Directory. ADAM is capable of running as a service on computers running Microsoft Windows Server 2003 or Windows XP Professional.
• ADAM shares its code base with Active Directory and provides the same directory functionality, including an identical API, but does not require the creation of domains or domain controllers.
• Like Active Directory, ADAM provides a Data Store, which is a hierarchical datastore for storage of directory data, and a Directory Service with an LDAP Directory Service Interface. Unlike Active Directory, however, multiple ADAM instances can be run on the same server, each instance having its own schema and data, as required by the applications making use of the ADAM directory service.