Solved

Preparing for a heterogeneous network environment

Posted on 2004-03-25
Last Modified: 2010-03-18
Hi,

I have to prepare for an integration of our network (Microsoft only: AD, VS.NET, MS SQL, Exchange, ISA, SharePoint, etc.) with another network that consists of mixed *nix (all flavors) and Microsoft.

My first problem is that I have very limited information at this time about which technologies will be more common.

My second problem is that I don’t have any experience in the *nix environment.

I need a place to start, any recommendations, and some questions answered.

More information (the bits I have at the moment):

-  At the moment I plan for 5 sites with 40 users in total.
-  The 40 users might grow to 300 before the end of the year.
-  Microsoft SQL Server HAS TO run at all sites.
-  I will be doing the administration from a single point (Desktop, Firewall, VPN, eMail, Antivirus etc).
-  A redundant VPN solution using Microsoft Internet and Acceleration Server to join all sites is already in place.
-  Initially we will be going with Active Directory. (Almost all of the initial 40 users are already WinXP or Win2K clients.)
-  Let’s assume that at the end of the year there will be 50% *nix clients, and 50% MS clients.

Some Questions to start with:

-  What will be my biggest concern in a situation like this? (Apart from the fact that the deadline is in less than a month)
-  Should or shouldn’t I go with Active Directory from the start?
-  What are the alternatives to AD as a directory in such an environment, and do I lose or win if going with another directory?
-  Which is better in a 50/50 situation: getting the *nix clients to work nicely in an MS environment, or getting the MS clients to work nicely in a *nix environment?


PS: Please recommend the best solutions / practices, or share some experiences. Please don’t criticize either Microsoft or *nix products because of your own preferences.

I will split points between all valuable contributions to this question, and I will increase the points if I need to.

Thank you
Woerts.

Question by:woerts
10 Comments
 

Expert Comment

by:jamesreddy
ID: 10677347
Okay.  *cracks knuckles*  Here we go.

1.  Biggest concern.

Active Directory.  First of all, domain controllers are in mixed mode by default.  KEEP it that way or you risk disconnecting your NT controllers, if there are any.  All of your 2000/XP clients will connect to the server with little to no problems.  If you have 95/98/Me clients or servers, you will need to download and install DSCLIENT so that those OSes will be able to read Active Directory information properly.

Instructions and download information for 9x/Me can be found below:
http://www.4help.vt.edu/lm/

Alternatively, you can pull the client off the Windows 2000 Server CD under Clients\Win9x.


2.  Go with Active Directory from the start.  If you plan to use Windows 2000 as a domain controller, you have no choice.  Windows 2000 uses AD as soon as it is promoted.

3.  The other option is to keep any 2000 servers as member servers and run the network off NT....I think this is a bad idea, but it can be done.  It would require less work in the short term to not use 2000 DCs, but in the long run, it'll be more of a headache if you DON'T run off 2000 and AD.

4.  By other OSes, I assume you mean Linux flavors.  If there are more, let me know.  For Linux to fully integrate with AD, you will need Samba.  It acts as a conduit to Windows-based networks and Active Directory.  More detail on installing and downloading Samba can be found below:

http://insight.zdnet.co.uk/software/developer/0,39020469,2122363,00.htm


My experience would say to try to upgrade everything as much as possible to the latest versions...in other words, all 9x clients go to 2000/XP...Macintosh should be OS X v10, Linux releases should be the latest versions.  If not, make sure that all updates (not just the critical ones) are downloaded and installed on every workstation and server PRIOR to starting the upgrade.  It'll save you a lot of headaches later.

Hope some of that helps.

James
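The "Samba as a conduit to AD" arrangement James recommends, shown as an added example that is not part of the original thread and not the Samba project's own documentation: a POSIX shell sketch that renders a minimal krb5.conf and smb.conf for a Linux client joining an Active Directory domain as a member, then runs the join and the checks that prove the machine trust and the user lookups work. The realm EXAMPLE.COM, the workgroup EXAMPLE, the Administrator account and `systemctl restart winbind` are placeholders and assumptions, not values from the thread; the option names are those of current Samba releases rather than the Samba 3.0 of 2004, so confirm each against `man smb.conf` for the version actually in use.

```shell
#!/bin/sh
# Added example, not from the original thread: join a Linux client to an AD
# domain with Samba/winbind and Kerberos, and verify the result step by step.
# Placeholders: realm EXAMPLE.COM, workgroup EXAMPLE, account Administrator.
# Assumes the domain controllers publish the usual _kerberos._tcp /
# _ldap._tcp SRV records in DNS and that the client resolves against them.

# Kerberos realms are case-sensitive and conventionally upper-case; a
# lower-case realm is the most common cause of "Cannot find KDC for realm".
normalize_realm() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Minimal /etc/krb5.conf: locate KDCs through the SRV records AD publishes
# instead of hard-coding controller names that change at the next site.
render_krb5_conf() {
    realm=$(normalize_realm "$1")
    cat <<EOF
[libdefaults]
    default_realm = ${realm}
    dns_lookup_kdc = true
    dns_lookup_realm = false
EOF
}

# Minimal [global] section for an AD member: Kerberos (security = ads) for
# authentication, winbind for user/group lookups, and a RID-based id mapping
# so the same AD account gets the same UID on every client you join.
render_smb_conf() {
    workgroup=$1
    realm=$(normalize_realm "$2")
    cat <<EOF
[global]
    workgroup = ${workgroup}
    realm = ${realm}
    security = ads
    kerberos method = secrets and keytab
    winbind use default domain = yes
    winbind refresh tickets = yes
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    idmap config ${workgroup} : backend = rid
    idmap config ${workgroup} : range = 20000-999999
    template shell = /bin/bash
    template homedir = /home/%U
EOF
}

# Write the configs, join, and verify. Each check must pass before the next:
# the join creates the computer account and keytab, "wbinfo -t" proves the
# machine trust secret works, and getent proves NSS (passwd: files winbind
# in /etc/nsswitch.conf) resolves AD users. Run as root on a lab client first.
join_ad_client() {
    workgroup=$1; realm=$2; admin=$3
    render_krb5_conf "$realm" > /etc/krb5.conf
    render_smb_conf "$workgroup" "$realm" > /etc/samba/smb.conf
    net ads join -U "$admin" || return 1
    systemctl restart winbind       # assumption: use your distro's service tool
    wbinfo -t || return 1           # machine account trust secret is valid
    wbinfo -u | head -n 3           # AD users are visible through winbind
    getent passwd "$admin"          # NSS resolution via winbind works
}

# Usage (as root, once DNS points at the domain controllers):
#   join_ad_client EXAMPLE example.com Administrator
```

Do this on the test server James suggests before touching production: a failing `wbinfo -t` means the computer account or keytab is wrong, and nothing after it (file shares, home directories, single sign-on) is worth debugging until that passes. Keeping the join in a script also leaves an auditable record of exactly what each client was configured with, which matters once the site count grows.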

Expert Comment

by:jamesreddy
ID: 10677368
One last recommendation...if possible, set up a test server with 2000 AD installed and try connecting a *nix client to it.  Ensure you have a process down before trying to do the whole thing or you will be writing your will...

Author Comment

by:woerts
ID: 10677499
Hi James,

Thanks for the valuable information. Here is some more information and some questions:

I am going to set up a new AD domain for this from scratch on Windows Server 2003. I started to read a Microsoft document named "Solution Guide for Windows Security and Directory Services for UNIX"

http://www.microsoft.com/downloads/details.aspx?FamilyId=144F7B82-65CF-4105-B60C-44515299797D&displaylang=en

Part of this solution is a product called Vintela Authentication Services.

Some of the benefits of using VAS:

-  UNIX and Linux users and computers are managed through the Active Directory Users and Computers MMC snap-in.
-  Kerberos is used to secure LDAP traffic.
-  Performance is tuned to work effectively with Active Directory.
-  The VAS product allows UNIX and Linux clients to operate within an Active Directory domain in an equivalent manner to Windows clients.

Have you ever heard of this? It obviously comes with a price. Can Samba provide the same functionality?

Just one more for now: Is there any merit investigating going a total *nix directory instead of AD, and integrating the Windows clients into that?

I am busy setting up my lab with Windows Server 2003, *nix clients, Windows clients, etc.

Thanks

Woerts

Expert Comment

by:jamesreddy
ID: 10679570
Samba can provide all the functionality you will need for LINUX...but not UNIX....at least, I'm fairly certain Samba will not work on UNIX.

To answer your question...my opinion of hybrid networks is low.  When you have hybrid networks controls are harder to track and integrate with the other networks.  Windows Server 2003 adds a lot of functionality that will much more easily interface with UNIX/Linux and Macintosh environments.  

Is there any merit?  Sure...it won't take nearly as long to implement.  As a former UNIX support technician for EDS, I can say that UNIX also has a lot of power and will function as a server nicely.  In fact, Samba can be loaded onto Linux boxes and made to function as a server for 2000 based networks quite nicely, from what I know.  I've never used one as a server, but I know people who do.

When you have got a network such as the one you are speaking of, that is so..."discombobulated"....it just makes sense to me to start a new network structure (Win2K3) and start pulling your resources into it one at a time.  Win2K3 also has the ability to "acquire" domains from other forests, so that could make the transitions easier if you have NT.  You could upgrade the NT networks and pull them in.

James

Author Comment

by:woerts
ID: 10686125
Hi,

Thanks for the comment.

We don’t have any NT networks involved at the moment (at least none I know of). The main objective here is to get centralized management over the Unix, Linux, and Microsoft clients. I don’t know if there is an ideal solution for this. Obviously if I go with something other than AD, I will lose a lot of functionality - unless there is something out there that runs on Unix or Linux with similar functionality. I use the group policies a lot in AD at the moment.

I don’t want to end up with AD for the windows clients, Samba for the Linux clients, and whatever for the Unix clients.

I need ONE directory for the clients, and I need GOOD reasons why I am going with that specific directory, looking at the following:

-  Security
-  Manageability
-  TCO
-  Compatibility


PS. Do you think I should post this question under another topic or perhaps change the title to get more reaction?

Thanks
Woerts

Expert Comment

by:jamesreddy
ID: 10687818
LOL.  Nah.  There are very few people who will be able to comment intelligently on this simply because the UNIX experts rarely use Windows, the Windows experts rarely use Unix, and so on.  No one WANTS a heterogeneous network because of the reasons you've stated....it's an administrative nightmare.

I can tell you that Windows 2000 AD does include support for UNIX, because Windows 2000 is POSIX compliant, so you really should not have many issues.  Windows 2000/AD purposefully retains case sensitivity in the event that UNIX-based systems need access.

Linux will not be a problem...that much I can tell you.  Samba will take care of you there.  I guess it is more a matter of to what EXTENT you plan to integrate UNIX with Windows.  If your primary purpose is to simply share files...you will be fine.  If you require UNIX to access Active Directory...I'm not sure.

Accepted Solution

by:jamesreddy (earned 500 total points)
ID: 10687860
Scratch that.  Looks like you can do it.  There is something called Microsoft's Services for UNIX.  It allows AD integration.  I found a link to read more about it here:

http://at.unh.edu/siguccs/p078-blezard.html

And here is a long paper on the subject of authenticating UNIX with AD:

http://www.vintela.com/products/vas/VAS_WP.pdf

I found this too:

http://www.macosxlabs.org/documentation/cookbooks/applead.html

The last article explains that Services for UNIX has to be purchased separately.  CDW has it listed for $92.00.


But it looks like Microsoft has a tool for you here.  So I would go with AD, and buy services for UNIX from MS.

James

Author Comment

by:woerts
ID: 10687940
Thanx James.

It looks like the same info I mentioned in my 2nd post. At the moment it looks like the way to go. I still don't have a clear answer if management wants to know:

-  Why go with AD?
-  What are the alternatives?

I guess it's not an easy answer to find.

Thanks for your contribution. I'm going to award you the points, but I will still comment on this question as I make progress...... maybe we can help the next guy.

There really doesn’t seem to be a lot of resources available on this topic.

Thank you

Woerts.

Expert Comment

by:jamesreddy
ID: 10688048
AD provides you with centralized management, fault-tolerant replication of critical network information, speeds up site performance by automatically negotiating with the closest server, Distributed File System, clustering....the reasons go on and on.  The alternative is no centralized management...peer-to-peer style integration.

Expert Comment

by:mholbr
ID: 11109815
I don't believe MS SFU supports authentication from Linux clients like the Vintela product VAS provides.