Ramnish Singh IT Advisor Microsoft Corporation Agenda

Ramnish Singh IT Advisor Microsoft Corporation

Agenda ¢ Managing IT Infrastructure ¢ Heterogeneous management ¢ Interoperability

Over 60% of TCO over a 5 -year Lack of automation impacts all period of IT by people costs facets driven Degree of Automation: Manual Scripts Automated Tools 62% 14% 25% Network 60% 16% 24% Event 58% 18% 24% 30 Performance 56% 17% 28% Storage 54% 17% 29% 10 Change/Config 0 53% 24% 23% 70 Security Mgmt 60 50 40 20 0% Staff Costs 10% 20% Downtime 30% 40% 50% 60% Training of Responses Software Percent 70% 80% 90% Hardware Source: IDC 2002, Microsoft Primary Quantitative Research. 400 30 -minute phone surveys of IT professionals in data centers with 25 or more servers 100%

Infrastructure Optimization Model Security, Networking and Monitoring Identity. Desktop and Restore Secured Messaging and Access Mgmnt Backup Lifecycle Limited Infrastructure/ Manual just desktops administration, Uncoordinated desktops Run AV Backup/restore Automated Active on Antiviruson servers on all Mgmnt patch servers Directory desktops for Managed IT (WU, SUS, Authentication SPAM blocking Centralized Infrastructure SMS) and on servers firewall with some of Authorization Defined DNS Internal set automation only standard basic and DHCP images Backup/restore Remote Access Primary tools • Directory desk- for Real-time centralservers on all server top OS connection Ip. Sec is administration plus SLA and Win. XP Managed filtering or isolation Win 2 k consolidated • of configur-ations Secure Monitoring and security IT Automated anywhere mail of servers (Group Policy) Infrastructure software access distribution, • Unified directory Mgmnt for email & and tracking access Manual Application Compatibility testing Manual reference image system Security on Firewall restore Backup of Automated Centrally mobile. Mgmnt for serversdevices on all and patch servers manage users desktops and desktop servers provisioning Full automation data plus SLA across Secure wireless Automated Businessheterogeneous networking application linked SLAs systesm compatibility Service level testing monitoring on desktops Automated reference image system

Intellimirror Technologies Consistent Environment ¢ Active Directory ¢ Group Policy ¢ Offline Folders ¢ Roaming User Profiles ¢ Redirected Folders ¢ Enhancements to the Windows Shell ¢ Group Policy Software Installation Uninterrupted Access ¢ Active Directory ¢ Group Policy ¢ Offline Folders ¢ Synchronization Manager ¢ Enhancements to the Windows Shell ¢ Redirected Folders ¢ Disk Quotas Minimized Data Loss ¢ Active Directory ¢ Group Policy ¢ Roaming User Profiles ¢ Redirected Folders ¢ Offline Folders Minimized User Downtime ¢ Active Directory ¢ Group Policy ¢ Windows Installer Service ¢ Add/Remove Programs in Control Panel ¢ Group Policy Software Installation

Group Policy ¢ ¢ ¢ Enable one-to-many management of users and computers throughout the enterprise. Automate enforcement of IT policies. Simplify administrative tasks, such as system updates and application installations. Consistently implement security settings across the enterprise. Efficiently implement standard computing environments for groups of users.

Group Policy – Capabilities ¢ ¢ ¢ ¢ ¢ Registry-based Policy Security Settings Software Restrictions Software Distribution and Installation Computer and User Scripts Roaming User Profiles Redirected Folders Offline Folders Internet Explorer Maintenance

Shared Computer Toolkit for Windows XP ¢ Defend shared computers from unauthorized changes to the hard disk ¢ Restrict untrusted users from system settings ¢ Enhance the user experience

SMS 2003 Capabilities Asset Management Application Deployment Security Patch Management Support for the Mobile Workforce Leveraging Windows Management Services

Application Deployment ¢ Business Demands ¢ ¢ SMS 2003 Delivers ¢ Delivery of large-scale projects in a timely and inexpensive manner Provisioning of the right services and applications to end-users Quickly and easily - in support of business requirements Comprehensive solution for critical application delivery n n n Plan, test, deploy and analyze applications Reliably and easily To the right place and at the right time

Asset Management Business Demands ¢ ¢ SMS 2003 Delivers ¢ ¢ ¢ Reduction in hardware and software asset costs Software license compliance Reduced software costs through Ability to track and report on compliance Application installation and usage information

Security Patch Management Business Demands ¢ Tools and processes to n n ¢ SMS 2003 Delivers Identify critical patches Determine vulnerable systems Deliver patches reliably and quickly Accurately report delivery status A secure Windows environment through n n n Collection of critical patch information Vulnerability assessment of existing environment Quick and easy deployment of patches Targeted delivery of patches Verification and reporting on patch deployment

Mobility Business Demands ¢ ¢ ¢ SMS 2003 Delivers Support for roaming and infrequently connected mobile users Delivery of critical business services and applications—reliably and timely Capability to meet mobile workforce needs n n n Provides critical IT business services Extends asset management to mobile devices Delivers relevant business applications to mobile devices

Windows Management Services Integration Business Demands ¢ ¢ SMS 2003 Delivers Reduced operational costs for managing IT Leveraging of existing infrastructure Windows compliance ¢ n ¢ Windows XP and Windows Server 2003 Certification Optimal integration of Windows management services n n Active Directory simplifies SMS planning and deployment Core Windows Services Integration n Windows Installer Service (MSI) Windows Management Instrumentation (WMI) Reduces costs through leveraging existing infrastructure and capabilities

Agenda ¢ Managing IT Infrastructure ¢ Heterogeneous management ¢ Interoperability

Operation Management Issues “Help me monitor applications reliably. ” “Help me protect my IT environment. ” “Help me realize my IT investments. ” “Help me understand what events are priority. ” “Help me reduce incident management costs. ” “I need an enterprise-ready solution. ” Microsoft Operation Manager 2005 delivers

Microsoft Operations Manager 2005 36 Product Connectors 48 Microsoft Applications 15 SMS Add-ins 189 Management Packs 157 3 rd Party Solutions

MOM 2005 Capabilities Stay Aware Effectively Respond Be Accountable

Stay Aware Business Demands ¢ ¢ ¢ MOM 2005 Delivers ¢ ¢ ¢ Identifying IT health issues before they become problems Provide visibility to critical resources Quick Deployment Out of the box expertise with minimal configuration Consoles provides proactive health understanding Rapidly deploy to identify issues faster

Effectively Respond Business Demands ¢ MOM 2005 Delivers ¢ ¢ ¢ Improvement in operational efficiency Accurate and effective response to issues In-the-box application expertise and operational knowledge Actionable best practices

Be Accountable Business Demands ¢ ¢ ¢ MOM 2005 Delivers ¢ ¢ ¢ Value from IT Accountability from IT Meeting and exceeding of Service Level Agreements Robust Reporting Connectivity into Management Frameworks Information delivery vehicle

Heterogeneous management

Agenda ¢ Managing IT Infrastructure ¢ Heterogeneous management ¢ Interoperability

The Need for Interoperability ¢ Heterogeneity is the standard. n ¢ Interoperability is a key concern. n ¢ The reality is that mixed UNIX/Windows environments are a fact of life The increased existence of UNIX and Windows-based environments requires a greater need and demand for interoperability Need to leverage existing investments n Although IT spending is slowly gaining momentum, IT managers continue to need to do more with less.

Broad Interoperability Net. Ware Services for Net. Ware Macintosh Services for Macintosh IPX DHCP IBM, Amdahl, Hitachi Host Integration Server Kerberos TCP/IP Metadirectory Services PKI Windows Built on Interoperability Standards DNS Active Directory LDAP HTTP XML WBEM App services: OLE DB, ADO, ODBC, XML, SOAP Biz. Talk Services for UNIX Sun Solaris, HP/UX, Linux, Tru 64, IBM AIX Novell NDS, Exchange, UNIX NIS, i. Planet, Novell Groupwise, Lotus Notes SQL Server, Oracle, Informix, IBM DB 2 XML/SOAP web services

Windows Services For UNIX (Interix SDK, . NET Framework) UNIX Files UNIX Application Extensibility Integration (Interix Subsystem) Windows Application Windows Files Windows Folders UNIX Database SQL Server Database Interoperability UNIX Server (NFS, NIS, Active Directory Integration) Windows Server PC Laptop UNIX Workstation Windows Workstation

Services For UNIX 3. 5 ¢ Focused n Seamless UNIX / Windows Interoperability § § n on two major “pain” areas NFS Client, Server, Gateway User Name Mapping Server Bi-directional Password Sync NIS Server § § § Korn, Bourne, C Shell Over 350 UNIX Utilities Telnet Server and Client UNIX to Windows Application Portability n n UNIX Tools: C, C++, Fortran, scripts, build tools Interix UNIX subsystem ¢ Leverage existing UNIX skills, methods and code ”Best System Integration” Award - Linux. World 2003

NFS ¢ ¢ File Sharing with UNIX Server for NFS n ¢ Client for NFS n ¢ UNIX Clients Using Windows Shared Files Windows Client Using UNIX Shared Files Gateway for NFS n Serve UNIX Shared Files as Windows Shares

NFS UNIX Workstation UNIX Server Windows Server UNIX Workstation Windows Workstation UNIX Server Windows Workstation NFS enables access to shared files and folders between UNIX and Windows

Server For NFS Server for NFS UNIX Workstation UNIX Server Windows Server UNIX Workstation Windows Workstation Server for NFS UNIX Workstation UNIX Server Windows Workstation Server for NFS allows a UNIX network access to shared files and folders on a Windows server

Client For NFS Client for NFS UNIX Workstation UNIX Server Windows Server Client for NFS Windows Workstation Client for NFS allows a Windows network access to shared files and folders on a UNIX server

Gateway For NFS Gateway UNIX Workstation UNIX Server Windows Server UNIX Workstation Windows Workstation UNIX Server Windows Workstation Gateway for NFS translates NFS to SMB, eliminating the need for Client for NFS on many computers

Mapping Server ¢ ¢ ¢ Map Windows User and Group Accounts to UNIX Performance Improvements Cluster Aware Group Membership Limit Dynamically set Redundant Mapping Server. Pool. maphost support

Server For NIS Makes a Windows 2000 or Windows Server 2003 AD a NIS master server UNIX NIS Servers Master Slave Windows Servers Slave NIS Clients

Server For NIS UNIX NIS Servers Slave Windows Servers Slave NIS Clients Master

Password Synchronization ¢ ¢ Two-way between Windows and UNIX Support Platforms n n ¢ HP-UX 11 i Sun Solaris 7, Solaris 8 IBM AIX 5 L 5. 2 Red Hat Linux 6. 2 and higher Benefits n n n Logging Debugging MD 5 Supports 65, 000 users Improved data migration times Reduced administration leading to lower TCO

Integrating UNIX with AD authentication (Auth. N) and authorization (Auth. Z) Windows Sign-On Authentication ¢ Kerberos v 5 ¢ Public Key Infrastructure (PKI) and certificates ¢ Smart cards ¢ NTLMv 2 Windows Authorization ¢ Based on SIDs ¢ Auth. Z data embodied in Security Token ¢ Win 2 K and up: Authorization store is AD n Windows PAC attached to Kerberos ticket ¢ Securable objects possess an ACL n Fine-grained access rights n Granted or revoked by SID ¢ Security Reference Monitor (SRM) performs authorization UNIX Sign-On Authentication ¢ /etc/passwd, /etc/shadow ¢ NIS, NIS+ ¢ i. Planet, other LDAP-compatible directories ¢ Kerberos v 5 (MIT, Heimdal) ¢ PKI Certificates, smart cards ¢ All enabled through PAM (Pluggable Authentication Modules) UNIX Authorization ¢ Based on UID, GID ¢ No embodiment; directly retrieved via n getpwnam(), getpwuid(), getgrnam(), getgrgid() ¢ Many stores: n /etc/passwd and /etc/group n NIS, NIS+ n i. Planet, other LDAP directory ¢ No centralized Auth. Z mechanism (SRM) ¢ ACL structures, capabilities vary between platforms

Integrating UNIX and Windows Sign-On Authentication ¢ Ideal: Kerberos integration using AD n n n ¢ Single mechanism, store for Auth. N Unifies policy for passwords, account lockout Windows PAC available everywhere Kerberos peer realm trust n n Windows uses AD Kerberos Unix systems use UNIX Kerberos Trust relationship established But… UNIX tickets have no Windows PAC

Integrated Sign-On cont’d ¢ What about LDAP Authentication? n n ¢ LDAP itself doesn’t do authentication Performance, scalability limitations No Windows PAC Windows requires AD as LDAP provider Password Synchronization n MIIS SFU Password Sync Not really single sign-on anymore

Integrating UNIX and Windows Authorization via AD ¢ ¢ ¢ RFC 2307 or SFU 3. 5 schema to hold UNIX-specific auth. Z info Single location for user, group data Simplified provisioning, deprovisioning Unified policy Can enable application auth. Z scenarios

Integrated Auth. Z cont’d ¢ LDAP Directory synchronization n n Multiple policies Synchronization delays Increased complexity of config, ops Provides infrastructure for LDAP-enabled application auth. Z scenarios UNIX-specific directory may be better tuned for UNIX behaviors

More Solutions ¢ LDAP directories n n ¢ Use MIIS or other products to synchronize attributes, e. g. passwords Each new directory increases costs for management, hardware, etc. Database, flat file n MIIS, other products typically have adapters that can do this

The Ideal World ¢ IT Pro n n n ¢ Developer n n ¢ All users are managed in Active Directory AD has strong user policy enforcement User passwords safe in AD Kerberos 5 available on most enterprise platforms Secure authentication Protect application data AD is single source of authorization data User Experience n n Authentication based on one user account in AD Transparent authentication to applications (SSO)

Kerberos config the hard way ¢ ¢ ¢ Step 1: Create UNIX user accounts in Active Directory Step 2: Create UNIX workstation accounts in Active Directory Step 3: Create Keytab files for the UNIX workstations Step 4: Transfer & install the keytab file on the UNIX Workstation Step 5: Configure the pam. conf file Step 6: Configure the krb 5. conf file

LDAP config the hard way ¢ ¢ Step 1: Extend AD schema to hold UNIX auth. Z information Step 2: Provision UNIX users and groups Step 3: Configure UNIX ldap client to connect to AD Step 4: Configure nss_ldap to use appropriate attributes in AD

What you get ¢ ¢ ¢ User can logon with AD account and get Kerb tickets Use klist to see TGT used to authenticate to apps UNIX uid and gid values retrieved from AD No longer need most of /etc/passwd, /etc/group

What you don’t get ¢ ¢ No access to Windows PAC No off-line TGT cache No off-line cache of auth. Z data No on-line cache of auth. Z data n n Serious issue due to UNIX behavior Heavy load on DC, network

Vintela Authentication Services ¢ UNIX/Linux security systems integrated into Active Directory n n n No synchronization between systems, all credentials reside within Active Directory Authentication through Kerberos UNIX Id. M using RFC 2307 schema Single login and password for Windows, UNIX and Linux applications, resources ¢ All LDAP communication secured through Kerberos – no SSL overhead ¢ Single point of account management through Active Directory – MMC snap-in ¢ http: //www. vintela. com ¢

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.