Lesson 3: Designing Directory Synchronization and Integration

When designing a secure network that includes multiple directories, consider how the directories will integrate. The goal is to allow a user to authenticate to the heterogeneous network using a single user account and password. All network operating systems and services should recognize the single set of credentials.

You also must plan directory integration to prevent changes in one directory service from overwriting directory modifications in another directory service. By defining which directory service is authoritative for a specific attribute, you can decentralize the management of directory data to specific departments.

Finally, you must plan for the integration of authentication mechanisms that are supported in multiple operating systems. Kerberos v5 is used by both Active Directory and several UNIX deployments. Configuring Kerberos realms to interoperate with Active Directory domains allows single sign-on capabilities in the mixed network.

After this lesson, you will be able to

  • Design directory service interoperability in a Windows 2000 network

Estimated lesson time: 30 minutes

Synchronizing Active Directory with a Novell Directory

User accounts in a NetWare environment can synchronize their passwords with an Active Directory user account by using the MSDSS application included in Windows Services for NetWare 5.0. The MSDSS application allows passwords to be synchronized between Novell Directory Services (NDS) user accounts and Active Directory user accounts based on mappings configured in MSDSS.


You can also use MSDSS to synchronize account information between Active Directory and a NetWare Bindery service from NetWare 3.x.

Making the Decision

Table 16.4 shows the design decisions you face when synchronizing NetWare NDS with Active Directory.

Table 16.4 Securing Directory Synchronization Between NetWare and Active Directory

To | Do the Following
Synchronize passwords between NDS and Active Directory | Install MSDSS on a Windows 2000 domain controller.
Limit which attributes are synchronized | Modify the mapping table in MSDSS to map only the attributes required.
Perform password synchronization between NDS and Active Directory | The Windows 2000 client computer must have the Novell Client for Windows 2000 installed. You can't use Gateway Services For NetWare (GSNW).

Applying the Decision

MSDSS simplifies migration from NetWare 4.11 to Windows 2000 by ensuring that the same user credentials are used in both networks. By ensuring that passwords are the same for user accounts in both network operating systems, Blue Yonder Airlines will reduce the costs associated with migrating to Windows 2000. When the migration is complete, users will continue to authenticate using the same user name and password that they used in the NetWare environment, thus reducing security issues related to modifying passwords during a migration.

Securely Synchronizing Multiple Directories

Microsoft Metadirectory Services (MMS) 2.2 allows integration of identity information from multiple directory services. By using MMS, you ensure that the organization has a single authoritative directory store that collects all of its information from multiple existing directories.

MMS establishes a single directory by deploying a metadirectory. A metadirectory is a service that collects directory information from multiple directories, as shown in Figure 16.2.


Figure 16.2 A metadirectory merging directory information from multiple sources

The metadirectory not only merges information from multiple directories into a single source, but it can also synchronize those changes to all directory services in an organization.

A metadirectory allows you to define ownership rules. You can designate which directory is authoritative for each attribute. For example, you could configure all Human Resources (HR)-related information in a directory to be maintained in Lotus Notes. If two directory services differ in an HR-related attribute, such as Manager, the Lotus Notes directory attribute value would be propagated to all other directories in the organization.

Management agents maintain synchronization between the metadirectory and the source directories. Management agents import data into the metadirectory and export metadirectory data to the connected directory assigned to the management agent. This process ensures that the directory service is synchronized with the metadirectory. MMS provides management agents for several common directories, including Windows NT, Novell NDS, cc:Mail, Banyan Vines, and Lotus Notes.

Making the Decision

MMS allows the coexistence of multiple directories in an organization. So that the multiple directories can interact, be sure to include the decision points in Table 16.5 when designing MMS.

Table 16.5 Planning Integration of Directories

To | Do the Following
Merge multiple directories into a common directory | Design an MMS solution that uses management agents to connect multiple directory services into a single metadirectory.
Connect a directory to an MMS metadirectory | Define a management agent that will manage the synchronization of the directory service with the metadirectory.
Maintain which directory service is authoritative for a specific attribute | Define ownership rules that define which directory service is authoritative for a specific attribute. The ownership rule will publish information to the metadirectory if the directory service is authoritative or roll the data back to the metadirectory value if another directory service is authoritative.
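The ownership-rule behaviour in the last row, modelled as a small simulation. This is an added example, not code from the training kit or from MMS; the directory names (lotus_notes, active_directory, nds), the user and the attribute values are constructed, and a management agent's import/export is reduced to one "publish" or "rollback" step per attribute.

```python
"""Simulation of metadirectory ownership rules (added example, not MMS code).
Each attribute has one authoritative connected directory. A sync pass publishes
the authoritative directory's value to the metadirectory and rolls every other
directory back to the metadirectory value, so a non-authoritative edit never wins.
Directory names, users and attribute values below are constructed."""
from typing import Dict, List, Tuple

Directory = Dict[str, Dict[str, str]]          # user id -> {attribute: value}
SyncLog = List[Tuple[str, str, str, str]]      # (user, directory, attribute, action)

# Ownership rules: attribute -> authoritative directory (HR data owned by Lotus Notes).
OWNERSHIP = {"manager": "lotus_notes", "department": "lotus_notes",
             "displayName": "active_directory"}


def synchronize(metadir: Directory, connected: Dict[str, Directory],
                ownership: Dict[str, str]) -> SyncLog:
    """Run one management-agent pass over every user and every owned attribute."""
    log: SyncLog = []
    users = set(metadir) | {u for d in connected.values() for u in d}
    for user in sorted(users):
        meta_entry = metadir.setdefault(user, {})
        for attr, owner in ownership.items():
            owner_value = connected[owner].get(user, {}).get(attr)
            if owner_value is not None and owner_value != meta_entry.get(attr):
                meta_entry[attr] = owner_value              # import: authoritative value wins
                log.append((user, owner, attr, "publish"))
            if attr not in meta_entry:
                continue                                    # nothing authoritative yet
            for name, directory in connected.items():
                if name == owner:
                    continue
                entry = directory.setdefault(user, {})
                if entry.get(attr) != meta_entry[attr]:
                    entry[attr] = meta_entry[attr]          # export: roll back the stray edit
                    log.append((user, name, attr, "rollback"))
    return log


def demo() -> Tuple[Directory, Dict[str, Directory], SyncLog]:
    """Migration scenario from the text: NDS and AD hold stale HR data; Notes is authoritative."""
    connected = {
        "lotus_notes": {"jsmith": {"manager": "agarcia", "department": "Flight Ops"}},
        "active_directory": {"jsmith": {"manager": "stale-ad-value", "displayName": "John Smith"}},
        "nds": {"jsmith": {"manager": "stale-nds-value"}},
    }
    metadir: Directory = {}
    log = synchronize(metadir, connected, OWNERSHIP)
    return metadir, connected, log
```

After one pass every directory carries the authoritative values, and a later edit to a non-authoritative copy is rolled back on the next pass rather than overwriting the owner.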

Applying the Decision

While MSDSS allows password synchronization between NetWare NDS directories and Active Directory, MMS provides you with greater flexibility when deciding how attribute control is delegated. For example, imagine that user modifications performed in NDS are being overwritten with previous data stored in Active Directory during the migration from NetWare to Windows 2000. MMS allows you to configure NDS as the authoritative directory service for the OU and ensure that any updates performed in the NDS environment are propagated to Active Directory. The management agent also prevents any attempts by Active Directory to update objects stored in the OU. Because of the ability of MMS to delegate management of specific attributes, it may be desirable for Blue Yonder Airlines to use MMS instead of MSDSS.

Integrating Active Directory with Kerberos Realms

Windows 2000 uses Kerberos v5 authentication as the default authentication mechanism. Kerberos allows Windows 2000 and UNIX clients to interoperate and authenticate with each other. There are three common strategies for integrating UNIX and Windows 2000 networks for authentication services.

  • Using Active Directory as the Kerberos realm. Configure UNIX clients to use Windows 2000 domain controllers as Kerberos Key Distribution Centers (KDCs). All authentication of UNIX Kerberos clients is performed using accounts stored in Active Directory.
  • Using Windows 2000 Professional in an existing Kerberos realm. Configure Windows 2000 Professional client computers to authenticate with a UNIX KDC in a Kerberos realm. If this is required, configure the Windows 2000 Professional computer to be a member of a workgroup. In addition, you must configure the Kerberos realm for the Windows 2000 Professional computer and establish the necessary local account mappings.
  • Creating a Kerberos inter-realm trust. Establish an inter-realm trust relationship between a Windows 2000 domain and a Kerberos realm. This trust relationship allows ticket granting tickets (TGTs) to be issued for resources located in another Kerberos realm or Windows 2000 domain. The inter-realm trust is established in the Active Directory Domains And Trusts console, as shown in Figure 16.3.

    Figure 16.3 Establishing trust relationships between Windows 2000 domains and Kerberos realms


For more information on Windows 2000 and UNIX interoperability, see the white paper "Windows 2000 Kerberos Interoperability" found on the Supplemental Course Materials CD-ROM (\Chapt16\Windows 2000 Kerberos Interoperability.doc) that accompanies this book.

While all three methods provide Kerberos authentication, creating a Kerberos inter-realm trust is the only method that allows true interoperability and cross-authentication. Figure 16.4 shows how Kerberos authentication takes place for a user account in a UNIX realm when the user account accesses resources in a Windows 2000 domain.


Figure 16.4 Establishing trust relationships between Windows 2000 domains and Kerberos

  1. The client computer must access resources on server.w2k.blueyonder.tld, a server in the w2k.blueyonder.tld domain. To authenticate, a Kerberos authentication request is sent to the computer's configured KDC, the MIT KDC. The MIT KDC responds with a TGT for the w2k.blueyonder.tld KDC, a Windows 2000 domain controller.
  2. The client computer sends the TGT to the Windows 2000 KDC asking for a Service Ticket (ST) for the server.w2k.blueyonder.tld server.
  3. The Windows 2000 DC performs a name mapping operation to determine what Active Directory account is associated with the submitted UID.
  4. The Windows 2000 KDC issues an ST containing the user and group information of the Windows 2000 account mapped to the submitted UNIX UID.
  5. The user submits the ST to the server.w2k.blueyonder.tld computer and is granted or denied access based on the Windows 2000 credentials included in the ST by comparing the account information to the resource's discretionary access control list (DACL).


This process requires the passwords in the UNIX realm and Windows 2000 domain to be synchronized.
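The five-step exchange above as a runnable model, added here and not taken from the training kit or from Microsoft's implementation. Kerberos encryption is stood in for by HMAC-sealed dictionaries, so the inter-realm trust is simply the one key both KDCs hold; the realm names, keys, name mappings, SIDs and the server's DACL are all constructed.

```python
"""Model of the cross-realm exchange in Figure 16.4 (added example, not Microsoft code).
Tickets are dicts sealed with an HMAC under the issuing KDC's key; names, keys, SIDs and
the DACL are constructed. Real Kerberos encrypts tickets; the integrity check is the point."""
import hashlib
import hmac
import json

TRUST = "krbtgt/W2K.BLUEYONDER.TLD@UNIX.BLUEYONDER.TLD"  # cross-realm TGT service name
SERVER = "host/server.w2k.blueyonder.tld"
KEYS = {TRUST: b"inter-realm-trust-key",   # the trust: shared by the MIT KDC and the W2K KDC
        SERVER: b"server-host-key"}        # known to the W2K KDC and the server itself
# Kerberos name mappings: UNIX principal -> Active Directory account.
NAME_MAP = {"alice@UNIX.BLUEYONDER.TLD": "BLUEYONDER\\alice",
            "dave@UNIX.BLUEYONDER.TLD": "BLUEYONDER\\dave"}
AD_SIDS = {  # account SID followed by group SIDs; the W2K KDC places these in the ST
    "BLUEYONDER\\alice": ["S-1-5-21-1-1-1-1105", "S-1-5-21-1-1-1-513", "S-1-5-21-1-1-1-2001"],
    "BLUEYONDER\\dave": ["S-1-5-21-1-1-1-1106", "S-1-5-21-1-1-1-513"]}
SERVER_DACL = {"S-1-5-21-1-1-1-2001"}  # only the (constructed) Flight Ops group is granted access

def seal(ticket, key):
    body = json.dumps(ticket, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, body, hashlib.sha256).digest()}

def open_ticket(sealed, key):
    mac = hmac.new(key, sealed["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(mac, sealed["mac"]):
        raise PermissionError("ticket was not sealed with the expected key")
    return json.loads(sealed["body"])

def mit_kdc_cross_realm_tgt(principal):
    """Step 1: the MIT KDC returns a TGT for the W2K realm, sealed with the trust key."""
    return seal({"client": principal, "service": TRUST}, KEYS[TRUST])

def w2k_kdc_service_ticket(sealed_tgt, spn):
    """Steps 2-4: validate the cross-realm TGT, map the UNIX principal, issue an ST."""
    tgt = open_ticket(sealed_tgt, KEYS[TRUST])    # a TGT sealed with any other key fails here
    account = NAME_MAP.get(tgt["client"])
    if account is None:                            # unmapped principal has no Windows identity
        raise PermissionError(f"no name mapping for {tgt['client']}")
    return seal({"account": account, "sids": AD_SIDS[account], "service": spn}, KEYS[spn])

def server_access_check(sealed_st, dacl=SERVER_DACL):
    """Step 5: the server opens the ST with its own key and compares the SIDs to its DACL."""
    st = open_ticket(sealed_st, KEYS[SERVER])
    return bool(set(st["sids"]) & dacl)

def access_from_unix_realm(principal):
    """Run the whole exchange for one UNIX principal against server.w2k.blueyonder.tld."""
    return server_access_check(w2k_kdc_service_ticket(mit_kdc_cross_realm_tgt(principal), SERVER))
```

A principal without a name mapping is refused by the Windows 2000 KDC before any SID is issued, and a TGT not sealed with the trust key fails the integrity check, which is what the inter-realm trust provides.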

Making the Decision

When determining what form of Kerberos interoperability to use in a mixed network, consider the following design issues:

  • Determine what version of Kerberos is used in the UNIX network. Only Kerberos v5 is supported by Windows 2000. If the UNIX network uses Kerberos v4, you can't configure Kerberos interoperability.
  • Identify any Kerberos realms that exist in the UNIX environment. Determine whether you will continue to use the Kerberos realms. If you do, decide what will be the primary Kerberos service.
    • If the UNIX network is your organization's core network, consider configuring Windows 2000 Professional to authenticate with the Kerberos realm.
    • If Active Directory must become the primary Kerberos environment, configure all UNIX Kerberos clients to authenticate with Windows 2000 as their Kerberos realm.
    • If you support both Active Directory and the Kerberos realm, consider configuring a Kerberos inter-realm trust to allow authentication between the two Kerberos systems.
  • If UNIX clients authenticate with a Windows 2000 domain controller, define name mappings so that a UNIX UID is associated with an Active Directory user account. The Active Directory user account SID and associated group SIDs will be placed in Service Tickets when UNIX clients are accessing Windows 2000–based servers.

Applying the Decision

Blue Yonder Airlines must establish a Kerberos inter-realm trust between the blueyonder.tld domain and the UNIX Kerberos realm. Active Directory user accounts can obtain Kerberos service tickets for access to the UNIX database server only if you establish inter-realm trusts. To be safe, establish a two-way trust relationship so that UNIX user accounts can access Windows 2000 resources. Granting access to Windows 2000 resources requires you to define Kerberos name mapping that will associate a UNIX UID with an Active Directory user account.

Lesson Summary

Consolidating directories allows you to maintain a single uniform directory within an organization. The implementation of a uniform directory requires planning to ensure that attributes modified in one directory aren't changed by entries in another directory. The security plan must define what directories are authoritative for specific attributes.

Alternatively, you may require two different directories to cross-authenticate users. Your security design must determine whether only one of the directories should provide the authentication or whether the directories must coexist and allow the forwarding of authentication requests between the multiple directories.

Source: Microsoft Corporation, MCSE Training Kit (Exam 70-220): Designing Microsoft Windows 2000 Network Security (IT Training Kits)
ISBN: 0735611343
Year: 2001
Pages: 172
