- Number of slides: 17

Windows NT at DESY
- Status report
- new developments for the automation of administrative tasks
- outlook to our preparations
8/26/98 The DESY WindowsNT Group

Summary - Domain Structure
- one domain model
- DESY group structure in the flat NT 4 name space
  - special naming conventions
  - 40 living groups
  - group administrators
- TEM is used for user/group administration
- NetInstall is used for the application support
http://www.mddinc.com
http://netsupport.gmbh.de

Summary - (central) Infrastructure
- 1 PDC
- 2 BDC (Hamburg + Zeuthen)
- 1 Home Directory Server Cluster at Hamburg, 2 nodes plus 70 GByte RAID 3/5
- 1 Application Server Cluster at Hamburg, 2 nodes plus 35 GByte RAID 3/5
- 1 Mail Server
- 2 Print Server (Hamburg + Zeuthen)
- 1 Utility Server, 1 IIS, 1 Dfs Server
- 2 WINS (Hamburg + Zeuthen)
- 1 Server at Zeuthen, 32 GByte RAID
- 1 Server at Zeuthen, 16 GByte SW RAID

NEWS
- statistics
  - ~800 NT clients (active on the domain during the last 2 months)
  - 1300 registered users
  - nearly 600 daily active users/PCs (connected to central servers)
- NetInstall in production since mid-May
  - 200 Yellow
  - 60 Green
- Mail Server in production
- Application/Script Server

Workstations online

Connections during the day

Users on Home Directory Servers

NetInstall Status
- Production environment just now with 200 and 60 active workstations
- To get simple access and support for central services the NI environment is necessary.
  - basic setup: Perl, Scripting Host, userconfig., home directory setup
- Problems with the green setup
  - remote support, helpdesk, complicated package setup
- HERA controls and Zeuthen with own NI databases
  - replicated from the central ASG-DB plus own packages
- Migration to NI 5 in Autumn
  - hierarchical databases, multiple servers, internal replication, …, still SMS compliant
  - ----> the right time to jump on

NT Mail
- in production since April/May
  - IMAP server from UW V 11.237
  - the MTA is sendmail V 8.8.6
  - the client is Netscape Communicator V 4.05
- problems with the logging scheme of the inbox
  - sendmail is not able to append new mail on an open inbox
  - workaround under test
- a possible migration to PMDF is in discussion (end of the year)

Domain automation - the tasks
- Tasks for group administrators
  - most of them handled with the TEM
  - user account maintenance (password reset, management of parts of the user environment like mail forwarding, user registry updates, …)
  - group management
- more global tasks
  - creating new user accounts (embedded in the common DESY user registry)
  - creating new global user groups
  - moving users (homedirs) between servers and/or groups
  - moving group file systems/shares between servers
  - Dfs maintenance
  - print server maintenance

Domain automation - the problems
- Most of the scripts and programs must run under a domain administrator account.
- The persons responsible for doing the jobs are normal users without special privileges, perhaps group admins.
- Security has to be guaranteed over the whole process
  - authentication
  - user rights - who is allowed to do what
- Integrity of the systems has to be guaranteed
  - job/task control (to execute it at the right place and time)
  - checks for parameters

Domain automation - approach
- Core of the solution will be the MS Transaction Server
- The access should be as flexible as possible
  - normally from a web browser over the IIS
  - direct by special applications
  - independent from programming and script languages
- simple and central management/maintenance
  - central management of the jobs/tasks - one configuration file
  - access control by the help of the transaction server

Domain automation - scheme
[Diagram. Labels: Client indirect - via SSL; Client direct; IIS; ASP; Transaction Server; DLL; Roles; DomainAuto.cfg (Configuration File); Script / Program Execution]

IIS & Transaction Server
- Why access the IIS via SSL?
  - Necessary to ensure secure access and authentication over the LAN/internet - "password" security level is required
  - Certificate Authority - self made, planned to become sub CA from DFN (CERT)
- DCOM interface is used to access the transaction server
  - Authentication is done automatically (NTLM-A.)
  - Packet privacy is used
  - Object and functions are defined by the DLL added to the transaction server

    ' Create the MTS-hosted object, then ask it to run a configured script
    Set scriptObj = CreateObject("DomainAuto.1")
    Call scriptObj.InvokeScript("scriptname", "param1 param2")

Inside the MTS

%WINDIR%\system32\DomainAuto.cfg

    #comment
    #format: (separator = tab)
    #ScriptName      Script              Role     Flag 0/1
    DeleteComputer   C:\scripts\dc.bat   RoleDC   1
    #
    DeleteUser       C:\scripts\du.bat   Admins   0

Roles

    RoleDC: GroupAdm usg_
    Admins: DomainAdmins

Client call

    Set obj = CreateObject("DomainAuto.1")
    ...
    Call obj.InvokeScript("DeleteUser", "name..")

Scripts

    C:\scripts\dc.bat
    C:\scripts\du.bat

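The checks that the "problems" slide asks for (user rights, checks for parameters) applied to a DomainAuto.cfg-style table, as an added Python sketch that is not DESY's code. The tab-separated layout follows the slide; the sample data, the exact-match group lookup, the parameter whitelist and the handling of parameters as a list are assumptions, and the flag column is carried but not interpreted because the slide does not define it.

```python
import re

# Constructed sample in the slide's tab-separated layout; not DESY's real file.
SAMPLE_CFG = (
    "#ScriptName\tScript\tRole\tFlag 0/1\n"
    "DeleteComputer\tC:\\scripts\\dc.bat\tRoleDC\t1\n"
    "#\n"
    "DeleteUser\tC:\\scripts\\du.bat\tAdmins\t0\n"
)
# Constructed role -> groups map, simplified from the slide's "Roles" box.
SAMPLE_ROLES = {"RoleDC": {"GroupAdm"}, "Admins": {"DomainAdmins"}}

# Assumption: parameters are plain account or computer names. Batch files are
# interpreted by cmd.exe, so spaces, quotes, &, |, % and ^ are all refused.
SAFE_PARAM = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


class Denied(Exception):
    """The request must not reach the privileged script."""


def parse_cfg(text):
    """Return {script_name: (path, role, flag)}; reject malformed lines."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) != 4 or not all(fields):
            raise ValueError(f"line {lineno}: expected 4 tab-separated fields")
        name, path, role, flag = fields
        if name in table:
            raise ValueError(f"line {lineno}: duplicate script {name!r}")
        table[name] = (path, role, flag)
    return table


def authorize(table, roles, caller_groups, script, params):
    """Return [path, *params] to hand to the runner, or raise Denied."""
    if script not in table:                      # only configured jobs exist
        raise Denied(f"unknown script {script!r}")
    path, role, _flag = table[script]            # flag meaning not on the slide
    if not roles.get(role, set()) & set(caller_groups):
        raise Denied(f"caller holds no group in role {role!r}")
    for p in params:
        if not SAFE_PARAM.fullmatch(p):
            raise Denied(f"rejected parameter {p!r}")
    return [path, *params]
```

Every branch fails closed: an unknown script name, a role with no configured groups, or a parameter outside the whitelist stops the request before anything runs under the administrator account.
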
NT 5 preparations
- first steps
  - setup of a test domain
  - planning of requirements
  - task list
- Usage of technology already available
  - IIS
  - Transaction Server

The DESY WindowsNT Group
- Henner Bartels, Henner.Bartels@desy.de
- Volker Heynen, Volker.Heynen@desy.de
- Ernst-Axel Knabbe, Ernst-Axel.Knabbe@desy.de
- Wolfgang Krechlok, Wolfgang.Krechlok@desy.de
- Klaus-Dieter Perger, Klaus-Dieter.Perger@desy.de
- Rolf Rettinger, retti@mail.desy.de
- Helga Schwendicke, helgas@ifh.de
- Christian Trachimow, Christian.Trachimow@desy.de
- Gunter Trowitzsch, gut@ifh.de (not fulltime)


