woerts
asked on
Preparing for a heterogeneous network environment
Hi,
I have to prepare for an integration of our network (Only Microsoft -AD, VS.net, MS SQL, Exchange, ISA, Sharepoint etc.) with another network that consists of mixed *nix (all flavors) and Microsoft.
My first problem is that I have very limited information at this time about which technologies will be more common.
My second problem is that I don’t have any experience in the *nix environment.
I need a place to start, any recommendations, and some questions answered.
More information (the bits I have at the moment):
- At the moment I plan for 5 sites with 40 users in total.
- The 40 users might grow to 300 before the end of the year.
- Microsoft SQL server HAVE TO run at all sites.
- I will be doing the administration from a single point (Desktop, Firewall, VPN, eMail, Antivirus etc).
- A redundant VPN solution using Microsoft Internet and Acceleration Server to join all sites is already in place.
- Initially we will be going with Active Directory.(Almost all of the the initial 40 users are already WinXP, Win2K Clients)
- Let’s assume that at the end of the year there will be 50% *nix clients, and 50% MS clients.
Some Questions to start with:
- What will be my biggest concern in a situation like this? (Apart from the fact that the deadline is in less than a month)
- Should or shouldn’t I go with Active Directory from the start?
- What are the alternatives to AD as a directory in such an environment, and do I loose or win if going with another directory?
- Which is better in a 50/50 situation: getting the *nix clients to work nicely on a MS environment, or getting the MS clients to work nicely on a *nix environment?
PS: Please recommend the best solutions / practices, or share some experiences. Please don’t criticize either Microsoft or *nix products because of your own preferences.
I will split points between all valuable contributions to this question, and I will increase the point if I need to.
Thank you
Woerts.
I have to prepare for an integration of our network (Only Microsoft -AD, VS.net, MS SQL, Exchange, ISA, Sharepoint etc.) with another network that consists of mixed *nix (all flavors) and Microsoft.
My first problem is that I have very limited information at this time about which technologies will be more common.
My second problem is that I don’t have any experience in the *nix environment.
I need a place to start, any recommendations, and some questions answered.
More information (the bits I have at the moment):
- At the moment I plan for 5 sites with 40 users in total.
- The 40 users might grow to 300 before the end of the year.
- Microsoft SQL server HAVE TO run at all sites.
- I will be doing the administration from a single point (Desktop, Firewall, VPN, eMail, Antivirus etc).
- A redundant VPN solution using Microsoft Internet and Acceleration Server to join all sites is already in place.
- Initially we will be going with Active Directory.(Almost all of the the initial 40 users are already WinXP, Win2K Clients)
- Let’s assume that at the end of the year there will be 50% *nix clients, and 50% MS clients.
Some Questions to start with:
- What will be my biggest concern in a situation like this? (Apart from the fact that the deadline is in less than a month)
- Should or shouldn’t I go with Active Directory from the start?
- What are the alternatives to AD as a directory in such an environment, and do I loose or win if going with another directory?
- Which is better in a 50/50 situation: getting the *nix clients to work nicely on a MS environment, or getting the MS clients to work nicely on a *nix environment?
PS: Please recommend the best solutions / practices, or share some experiences. Please don’t criticize either Microsoft or *nix products because of your own preferences.
I will split points between all valuable contributions to this question, and I will increase the point if I need to.
Thank you
Woerts.
One last recommendation...if possible, set up a test server with 2000 AD installed and try connecting a nix client to it. Insure you have a process down before trying to do the whole thing or you will be writing your will...
ASKER
Hi James,
Thanks for the valuable information. Here are some more information / questions:
I am going to set up a new AD domain for this from scratch on Windows Server 2003. I started to read a Microsoft document named "Solution Guide for Windows Security and Directory Services for UNIX"
http://www.microsoft.com/downloads/details.aspx?FamilyId=144F7B82-65CF-4105-B60C-44515299797D&displaylang=en
Part of this solution is a product called Vintela Authentication Services.
Some of the benefits of using VAS:
- UNIX and Linux users and computers are managed through the Active Directory Users and Computers MMC snap-in.
- Kerberos is used to secure LDAP traffic.
- Performance is tuned to work effectively with Active Directory.
- The VAS product allows UNIX and Linux clients to operate within an Active Directory domain in an equivalent manner to Windows clients.
Have you ever heard of this? It obviously come with a price. Can Samba provide the same functionality?
Just one more for now: Is there any merit investigating going a total *nix directory instead of AD, and integrating the Windows clients into that?
I am busy setting up may lab with Windows S 2003, nix clients, win clients ect.
Thanks
Woerts
Thanks for the valuable information. Here are some more information / questions:
I am going to set up a new AD domain for this from scratch on Windows Server 2003. I started to read a Microsoft document named "Solution Guide for Windows Security and Directory Services for UNIX"
http://www.microsoft.com/downloads/details.aspx?FamilyId=144F7B82-65CF-4105-B60C-44515299797D&displaylang=en
Part of this solution is a product called Vintela Authentication Services.
Some of the benefits of using VAS:
- UNIX and Linux users and computers are managed through the Active Directory Users and Computers MMC snap-in.
- Kerberos is used to secure LDAP traffic.
- Performance is tuned to work effectively with Active Directory.
- The VAS product allows UNIX and Linux clients to operate within an Active Directory domain in an equivalent manner to Windows clients.
Have you ever heard of this? It obviously come with a price. Can Samba provide the same functionality?
Just one more for now: Is there any merit investigating going a total *nix directory instead of AD, and integrating the Windows clients into that?
I am busy setting up may lab with Windows S 2003, nix clients, win clients ect.
Thanks
Woerts
Samba can provide all the functionality you will need for LINUX...but not UNIX....at least, I'm fairly certain Samba will not work on UNIX.
To answer your question...my opinion of hybrid networks is low. When you have hybrid networks controls are harder to track and integrate with the other networks. Windows Server 2003 adds a lot of functionality that will much more easily interface with UNIX/Linux and Macintosh environments.
Is there any merit? Sure...it won't take nearly as long to implement. As a former UNIX support technician for EDS, I can say that UNIX also has a lot of power and will function as a server nicely. In fact, Samba can be loaded onto Linux boxes and made to function as a server for 2000 based networks quite nicely, from what I know. I've never used one as a server, but I know people who do.
When you have got a network such as the one you are speaking of, that is so..."discombobulated"....
James
To answer your question...my opinion of hybrid networks is low. When you have hybrid networks controls are harder to track and integrate with the other networks. Windows Server 2003 adds a lot of functionality that will much more easily interface with UNIX/Linux and Macintosh environments.
Is there any merit? Sure...it won't take nearly as long to implement. As a former UNIX support technician for EDS, I can say that UNIX also has a lot of power and will function as a server nicely. In fact, Samba can be loaded onto Linux boxes and made to function as a server for 2000 based networks quite nicely, from what I know. I've never used one as a server, but I know people who do.
When you have got a network such as the one you are speaking of, that is so..."discombobulated"....
James
ASKER
Hi,
Thanks for the comment.
We don’t have any NT networks involved at the moment (at least none I know of). The main objective here is to get centralized management over the Unix, Linux, and Microsoft clients. I don’t know if there is an ideal solution for this. Obviously if I go with something else than AD, I will loose allot of functionality - unless there is something out there that run on Unix or Linux with similar functionality. I use the group policies allot in AD at the moment.
I don’t want to end up with AD for the windows clients, Samba for the Linux clients, and whatever for the Unix clients.
I need ONE directory for the clients, and I need GOOD reasons why I am going with that specific directory, looking at the following:
- Security
- Manageability
- TCO
- Compatibility
PS. Do you think I should post this question under another topic or perhaps change the title to get more reaction?
Thanks
Woerts
Thanks for the comment.
We don’t have any NT networks involved at the moment (at least none I know of). The main objective here is to get centralized management over the Unix, Linux, and Microsoft clients. I don’t know if there is an ideal solution for this. Obviously if I go with something else than AD, I will loose allot of functionality - unless there is something out there that run on Unix or Linux with similar functionality. I use the group policies allot in AD at the moment.
I don’t want to end up with AD for the windows clients, Samba for the Linux clients, and whatever for the Unix clients.
I need ONE directory for the clients, and I need GOOD reasons why I am going with that specific directory, looking at the following:
- Security
- Manageability
- TCO
- Compatibility
PS. Do you think I should post this question under another topic or perhaps change the title to get more reaction?
Thanks
Woerts
LOL. Nah. There are very few people who will be able to comment intelligently on this simply because the UNIX experts rarely use Windows, the Windows experts rarely use Unix, and so on. No one WANTS a heterogenous network because of the reasons you've stated....it's an administrative nightmare.
I can tell you that Windows 2000 AD does include support for UNIX, because Windows 2000 is POSIX compliant, so you really should not have many issues. Windows 2000/AD purposefully retains case sensitivity in the event that UNIX-based systems need access.
Linux will not be a problem...that much I can tell you. Samba will take care of you there. I guess it is more a matter of to what EXTENT that you plan to integrate UNIX with Windows. If you primary purpose is to simply share files...you will be fine. If you require UNIX to access Active Directory...I'm not sure.
I can tell you that Windows 2000 AD does include support for UNIX, because Windows 2000 is POSIX compliant, so you really should not have many issues. Windows 2000/AD purposefully retains case sensitivity in the event that UNIX-based systems need access.
Linux will not be a problem...that much I can tell you. Samba will take care of you there. I guess it is more a matter of to what EXTENT that you plan to integrate UNIX with Windows. If you primary purpose is to simply share files...you will be fine. If you require UNIX to access Active Directory...I'm not sure.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanx James.
It looks like same info I mentioned in my 2nd post. At the moment it looks like the way to go. I still don't have a clear answer if management wants to know:
- Why go with AD?
- What are the alternatives?
I guess it's not an easy answer to find.
Thanks for you contribution. I'm going to award you the points, but I will still comment to this question as I make progress...... maybe we can help the next guy.
There really doesn’t seem to be allot of resources available on this topic.
Thank you
Woerts.
It looks like same info I mentioned in my 2nd post. At the moment it looks like the way to go. I still don't have a clear answer if management wants to know:
- Why go with AD?
- What are the alternatives?
I guess it's not an easy answer to find.
Thanks for you contribution. I'm going to award you the points, but I will still comment to this question as I make progress...... maybe we can help the next guy.
There really doesn’t seem to be allot of resources available on this topic.
Thank you
Woerts.
AD provides you with centralized management, fault tolerant replication of critical network information, speeds up site performance by automatically negotiating with the closest server, Distributed File System, clustering....the reasons go on and on. The alternative is no centralized management...peer-to-peer style integreation.
I don't believe MS SFU supports authentication from Linux clients like the Vintela product VAS provides.
1. Biggest concern.
Active Directory. First of all, domain controlers are in mixed mode by default. KEEP it that way or you risk disconnecting your NT controllers, if there are any. All of your 2000/XP clients will connect to the server with little to no problems. If you have 95/98/Me clients or servers, you will need to download and install DSCLIENT so that those OS's will be able to read Active Directory information properly.
Instructions and download information for 9x/Me can be found below:
http://www.4help.vt.edu/lm/
Alternatively, you can pull the client off the Windows 2000 Server CD under Clients\Win9x.
2. Go with Active Directory from the start. If you plan to use Windows 2000 as a domain controller, you have no choice. Windows 2000 uses AD as soon as it is promoted.
3. The other option is to keep any 2000 servers as member servers and run the network off NT....I think this is a bad idea, but it can be done. It would require less work in the short term to not use 2000 DCs, but in the long run, it'll be more of a headache if you DON'T run off 2000 and AD.
4. By other OS's, I assume you mean Linux flavors. If there are more, let me know. For Linux to fully integrate with AD, you will need Samba. It acts as a conduit to windows-based networks and Active Directory. More detail on installing and downloading Samba can be found below:
http://insight.zdnet.co.uk/software/developer/0,39020469,2122363,00.htm
My experience would say to try to upgrade eveything as much as possible to the latest versions...in other words, all 9x clients go to 2000/XP...Macintosh should be OS X v10, Linux releases should be the latest versions. If not, make sure that all updates (not just the critical ones) are downloaded and installed to every workstation and server PRIOR to starting the upgrade. It'll save you a lot of headaches later.
Hope some of that helps.
James