Chapter 27.  Managing Windows Clients Using Mac OS X Server


27.1. Hosting a Windows Domain

Windows services under Mac OS X Server include the ability to share files and printers using the SMB protocol (the default file and print protocol for Windows), Windows name resolution services, and the ability to function as a Windows Primary Domain Controller (PDC) and host a Windows domain. When all of these services are implemented under Mac OS X Server, it is possible to manage a network of Windows computers almost as though you were using one or more Windows servers.

When acting as a PDC, a Mac OS X Server supports Windows domain login using accounts created in a shared directory domain. Windows client computers and servers (be they actual Windows servers or additional Mac OS X Servers) can be joined to the domain as workstations or member servers. When a Windows workstation is joined to the shared domain, it supports user login based on Open Directory, mapping of the same home directory for users as when they log in on a Mac workstation, support for roaming and mandatory profiles, and support for Windows login scripts. When a server is joined to the domain as a member server, it processes SMB file and print requests using the login information generated by the PDC, as a member server in a traditional Windows domain would do.

Implementing a Mac OS X Server as a Windows PDC does not implement Microsoft's Active Directory, however. It simply ports all Windows domain directory access to Open Directory. This makes it possible for the same directory information to be used to authenticate user access regardless of whether a user logs in on a Mac or Windows workstation.



27.1.1. Domain Requirements and Limitations

As you might expect, there are some special considerations in terms of the capabilities offered by a Windows domain hosted using Mac OS X Server as compared to using a Windows server as a domain controller. If you're an experienced Windows administrator, you may notice some of these as limitations or as differences from the options typically available with a Windows domain. As far as requirements for being able to host a domain, any Mac OS X Server that is an LDAP master can be configured as a Windows PDC. LDAP replicas cannot host a domain, nor can they act as replicas of the PDC. Considerations include:



One domain controller per network

Mac OS X Server does not support multiple domain controllers. This is significantly different from a Windows 2000 domain, which can maintain domain information concurrently across multiple domain controllers through a network, or a Windows NT domain, which can have a primary domain controller and multiple backup domain controllers available in case the primary domain controller cannot be accessed. Furthermore, Mac OS X Server does not support domain forests or trusts; Mac OS X Server supports only a single domain per network.

This presents the biggest limitation to using Mac OS X Server to host a Windows domain. All Windows workstations must communicate with the PDC, which is also the LDAP master. You cannot reduce this communication by the use of LDAP replicas, multiple domain controllers, or even multiple domains. This restriction is particularly difficult for networks that span slow network links, although for networks that are made up of multiple LDAP masters, each with an independent directory domain, each LDAP master can host a Windows domain independent of the others (though these must be completely independent Windows domains without trust relationships). This restriction can also be hard on networks that have a large number of users and workstations accessing the LDAP master already. In these situations, using LDAP replicas can reduce the burden on the LDAP master/domain controller.

This is perhaps the biggest reason that a Mac OS X Server-based Windows domain is best implemented in a network that has a large number of Macs compared to a smaller number of Windows workstations. However, in many cross-platform networks, using Mac OS X Server to host a Windows domain remains a valid and workable solution.



Mac OS X permission structure

Less a limitation and more something to be aware of is the fact that Windows domains (indeed, Windows file services in general) hosted by Mac OS X Server do not support the array of permission offerings of traditional Windows domains. Permissions are assigned as they are within Mac OS X: a single file owner, a single group, and an everyone group entry for all share points, folders, and files. This design contrasts noticeably with a Windows server's ability to apply permissions for multiple groups and to use a wide variety of special permissions for shared items. However, Mac OS X's permission structure does take much of the guessing out of how permissions interact with each other.
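The owner/group/everyone evaluation just described is easy to reason about precisely because only one of the three entries ever applies to a given user. The following Python is an added example (not from the book, and not Apple's implementation) that models those rules so the interaction can be checked before a share point is exposed over SMB. The share points, users and group memberships in it are constructed for illustration.

```python
"""Owner/group/everyone permission evaluation following the Mac OS X (POSIX)
rules the chapter describes: one owner, one group, one everyone entry.
Added example, not from the book; share points and users are constructed."""
from dataclasses import dataclass

READ, WRITE, EXECUTE = 4, 2, 1  # permission bits within one rwx triplet


@dataclass(frozen=True)
class Item:
    """A share point, folder or file with its single owner, single group and mode."""
    path: str
    owner: str
    group: str
    mode: int  # POSIX mode, e.g. 0o750


def access_class(item, user, groups):
    """Return the one class whose bits apply to this user.

    Owner is checked first, then group, then everyone, and only the first
    matching class is consulted: its bits are final even when a later class
    would grant more. This is why an owner who is also a member of the group
    does NOT pick up the group's access, and why nothing is combined across
    several entries the way allow entries combine in a Windows ACL."""
    if user == item.owner:
        return "owner"
    if item.group in groups:
        return "group"
    return "everyone"


def effective_bits(item, user, groups):
    """The rwx triplet (0-7) that applies to the user."""
    shift = {"owner": 6, "group": 3, "everyone": 0}[access_class(item, user, groups)]
    return (item.mode >> shift) & 0o7


def can(item, user, groups, bit):
    """True if the user's applicable class carries the given permission bit."""
    return bool(effective_bits(item, user, groups) & bit)


def describe(item, user, groups):
    """One-line summary suitable for reviewing a share point's effective access."""
    bits = effective_bits(item, user, groups)
    rwx = "".join(ch if bits & b else "-" for ch, b in (("r", READ), ("w", WRITE), ("x", EXECUTE)))
    return f"{user} on {item.path}: class={access_class(item, user, groups)} {rwx}"


# Constructed sample share points.
# PAYROLL: the owner (alice) has been given no bits, the finance group has rwx,
# everyone has none. Alice is herself in finance, yet as owner she gets nothing.
PAYROLL = Item("/Shares/Payroll", owner="alice", group="finance", mode=0o070)
# PUBLIC: a conventional read-only-for-everyone share point.
PUBLIC = Item("/Shares/Public", owner="admin", group="staff", mode=0o755)

if __name__ == "__main__":
    for item, user, groups in [
        (PAYROLL, "alice", {"finance"}),
        (PAYROLL, "bob", {"finance"}),
        (PAYROLL, "carol", {"audit"}),
        (PUBLIC, "carol", {"audit"}),
    ]:
        print(describe(item, user, groups))
```

The PAYROLL case is the one worth remembering when mapping a Windows administrator's expectations onto this model: because the owner class wins, alice gets no access to a folder her own group can write to, and a second group (audit) can only be admitted by widening the everyone entry or by putting both teams into one combined group.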



Inability to restrict access to Windows workstations

When workstations are joined to a Mac OS X Server-hosted domain, they are available to all users. You cannot create lists of Windows workstations and limit access based on user groups as you can with Mac OS X or Mac OS 9 workstations.

No built-in automount options except home directories

Windows does not use automounts in the same way that Mac OS X and Unix computers do. There is no built-in way to automount share points for Windows workstations, other than the user's home directory (which is mapped as a network drive). However, as we'll discuss later in this chapter, you can set up mapping of additional share points as network drives using Windows login scripts and user profiles.

Mac OS X Server password and access policies

Windows domains offer a plethora of user access and password policies. As you might expect, when hosting a Windows domain from Mac OS X Server, password policies are those defined for Open Directory users. These are somewhat more limited than those offered by Windows servers. Also, as noted earlier, you can't apply specific access policies to Windows workstations.

No Active Directory browsing

As noted earlier, Mac OS X Server supports hosting a Windows domain but does not support hosting Active Directory. This means that Windows options for browsing Active Directory for user information, servers and share points, or printers won't work.



27.1.2. Configuring Mac OS X Server as a Windows Domain Controller

Compared to configuring and managing a Windows domain on a Windows server, configuring Mac OS X Server to host a Windows domain is actually very simple. Configuration can be done either through the Setup Assistant, where the Windows computer (NetBIOS) name for the server and the name of the domain are entered along with other Open Directory information, or using the Server Admin application. Server Admin also allows some additional configuration options.

To configure Windows domain and other services using Server Admin, launch the Server Admin application and select Windows for the appropriate server in the Computers and Services list. You'll notice that the right pane for the Windows service looks very much like the pane for the AFP service. The Overview tab displays the same information about the number of connections, the number of Guest connections, and the status of the service. Also, the five tabs available for the Windows service (Overview, Logs, Connections, Graphs, and Settings) are the same as those in the AFP service tab.

Select the Settings tab to configure a Windows domain or other services. The Settings tab contains four subtabs (General, Access, Logging, and Advanced). The General tab, shown in Figure 27-1, defines the server's role, Windows name, and related information. The Role pop-up menu allows you to define the server as a Windows PDC, a member server within a Windows domain, or a standalone server. You'll probably notice that these roles parallel the roles for Open Directory (master, joined to a directory domain, and standalone servers).



Figure 27-1. The General Windows Server settings tab in Server Admin.



To configure a server as a Windows domain controller, select "Primary Domain Controller (PDC)" from the Role menu. In the computer name field, enter the name that you wish to be used to connect to the server (either using a Windows command line or by browsing the network). This is the server's NetBIOS name. Generally speaking, it's a good policy to use the same name for a server's NetBIOS name as you use for its AppleTalk and Rendezvous names, which is also typically used as part of the server's DNS name. Enter the name of the Windows domain that the server will host in the Domain field. You can also enter a description for the server in the Description field. A description is optional, though it may be helpful for Windows users to identify what a server is used for, as the description is displayed when the server is selected while users are browsing a network using the Network Neighborhood (Windows 95/98) or My Network Places (Windows 2000/XP).

With the options on the General settings tab configured, you can click the Save button, start the Windows service (using the Start Service button in the toolbar at the top of the Server Admin window, which will change to "Stop Service" while the Windows service is running, as shown in Figure 27-1), and the new Windows domain is up and running. Of course, there are some additional options to consider, including joining Windows computers to the domain, configuring user and home directory access from Windows workstations, and potentially importing users and settings from pre-existing Windows domains. But for the most part, Apple's default settings make it possible to configure a domain with just this one step. However, before we leave Server Admin for a while, let's take a look at the other three Windows service settings tabs.



27.1.2.1 Limiting access to a domain

The Access tab lets you allow or disallow guest logins from Windows workstations. When configuring a server that is functioning as a PDC, disabling guest access restricts users from logging in to workstations that are members of a domain as Guest and also disables the ability to connect to SMB share points located on the server that is the PDC as a guest user. As I've repeated throughout this book, guest access is a big security hole because it provides no means of authentication or of tracking who guest users are or what each guest user is doing. As always, use guest access only if absolutely required and then restrict guest users as much as possible.

The Access tab also allows you to limit the number of users who can log in to workstations or share points within the domain. This feature can help reduce unneeded consumption of server and network resources. It can also be used to secure the network or server against a large number of unauthorized connections. However, as mentioned in earlier chapters, if you limit the number of connections to a domain, do so based on the typical volume of connected users or number of workstations at a site to avoid restricting access to legitimate users.



27.1.2.2 Configuring Windows service logging

The Logging settings tab lets you choose how much information is stored in the Windows service log. The options are selected from the Log Detail pop-up menu and include Low, Medium, and High. When Low is selected, only service errors and warning events are logged. No information about user login or file access is logged. When Medium is selected, service start and stop times, login failures, and computer name registrations (if appropriate) are logged, in addition to service errors and warnings. When High is selected, all file access is logged (in addition to the items logged with lower logging details). As I've also stated more than once, detailed server logs can be important for problem solving, security, and auditing purposes. Windows service logs are stored in /Library/Logs on the server's startup drive and recent logs can be viewed using the Windows Service Logs pane in Server Admin.
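The practical consequence of the three detail levels is that login failures are invisible at Low and file access is invisible below High, so the level chosen decides what an administrator can reconstruct afterwards. The Python below is an added example (not from the book) that triages a Windows service log by the event classes the chapter assigns to each level: it reports the lowest Log Detail setting consistent with the events present and summarises repeated login failures per user and workstation. The chapter does not show the actual layout of the files in /Library/Logs, so the line format, field names and sample lines here are constructed; the two regular expressions would need to be adapted to the real log before running this against it.

```python
"""Triage of Windows service (SMB) log lines by the event classes the chapter
lists for each Log Detail level. Added example, not from the book; the
"<date> <time> <EVENT> key=value ..." layout is CONSTRUCTED for illustration
and is not the actual format of the logs stored in /Library/Logs."""
import re
from collections import Counter

# Event class -> lowest Log Detail level at which the chapter says it is logged.
MIN_LEVEL = {
    "ERROR": "Low", "WARNING": "Low",
    "SERVICE_START": "Medium", "SERVICE_STOP": "Medium",
    "LOGIN_FAILURE": "Medium", "NAME_REGISTRATION": "Medium",
    "FILE_ACCESS": "High",
}
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2}

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<event>[A-Z_]+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log: one workstation registers, one account fails four
# times in a row, another user fails once and then opens a file.
SAMPLE_LOG = """\
2004-03-15 08:59:50 SERVICE_START
2004-03-15 09:00:12 NAME_REGISTRATION host=WS-ACCT-04
2004-03-15 09:01:03 LOGIN_FAILURE user=jsmith host=WS-ACCT-04
2004-03-15 09:01:09 LOGIN_FAILURE user=jsmith host=WS-ACCT-04
2004-03-15 09:01:15 LOGIN_FAILURE user=jsmith host=WS-ACCT-04
2004-03-15 09:01:21 LOGIN_FAILURE user=jsmith host=WS-ACCT-04
2004-03-15 09:02:40 LOGIN_FAILURE user=mlee host=WS-ENG-11
2004-03-15 09:05:00 FILE_ACCESS user=mlee host=WS-ENG-11 path=/Shares/Eng/spec.doc
2004-03-15 09:07:31 WARNING msg=name_conflict host=WS-ACCT-04
""".splitlines()


def parse(line):
    """Split one line into timestamp, event class and key=value fields (or None)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "event": m.group("event")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def implied_log_detail(lines):
    """Lowest Log Detail setting consistent with the events present: a
    FILE_ACCESS entry proves High, a login failure proves at least Medium."""
    best = "Low"
    for line in lines:
        rec = parse(line)
        if rec and rec["event"] in MIN_LEVEL:
            level = MIN_LEVEL[rec["event"]]
            if LEVEL_RANK[level] > LEVEL_RANK[best]:
                best = level
    return best


def failed_logins(lines):
    """Count LOGIN_FAILURE events per (user, host) pair."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["event"] == "LOGIN_FAILURE":
            counts[(rec.get("user", "?"), rec.get("host", "?"))] += 1
    return counts


def repeated_failures(lines, threshold=3):
    """(user, host) pairs with at least `threshold` failures, sorted for review."""
    return sorted(pair for pair, n in failed_logins(lines).items() if n >= threshold)


if __name__ == "__main__":
    print("Log Detail implied by contents:", implied_log_detail(SAMPLE_LOG))
    for (user, host), n in sorted(failed_logins(SAMPLE_LOG).items()):
        print(f"{n} failed login(s) for {user} from {host}")
    print("Repeated failures:", repeated_failures(SAMPLE_LOG))
```

Running the same functions over a log that contains only errors and warnings returns "Low" from implied_log_detail and an empty Counter from failed_logins, which is exactly the blind spot the Low setting creates: the four consecutive failures for one account would never have been written.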



27.1.3. Configuring Windows Computer Access to a Domain

As with traditional Windows domains, workstations must have a computer account within the domain and be joined to the domain. Joining a Windows workstation to a domain is akin to binding a Mac OS X computer to a shared directory domain, although Windows domains do not support the use of guest computers. Each computer joined to the domain must have an account for it created within the domain. In a Windows domain hosted by Mac OS X Server, these computer accounts are created as workstations that are members of the Windows Computers list in Workgroup Manager.

You join Windows computers to a domain hosted by Mac OS X Server exactly as you join them to a Windows domain hosted by a Windows server. When you join a computer to a domain, you will be asked to provide the name and password of a domain user with authority to join the computer to the domain. For domains hosted by Mac OS X Server, this means a user who is a directory domain administrator for the shared directory domain hosted by the same server functioning as the Windows PDC.



27.1.4. Configuring User Access to a Domain

Once an LDAP master has been configured as a Windows PDC, any users in the directory domain whose password type is Open Directory can log in at any Windows workstation that has been joined to the domain (users with crypt passwords cannot log in from Windows). Password policies configured for the domain (either globally in Server Admin or by user in Workgroup Manager) remain in effect for users.

As with traditional Windows domains, you can assign domain users to be members of local computer groups (for example, you can make a domain user into a local administrator for a specific workstation). You cannot limit which Windows workstations users are allowed to log in at, because all Windows computers joined to the domain are automatically made part of the Windows Computers list in Workgroup Manager and you cannot assign access to this list by groups as you can for Mac OS X computer lists.



Using the Windows Computers List in Workgroup Manager

The Windows Computers list contains the NetBIOS name of each Windows computer that has been joined to the Windows domain hosted by Mac OS X Server, along with an optional description. Windows computers are automatically added to this list when they are joined to the domain. You cannot manage access to the Windows Computers list as you can other computer lists in Workgroup Manager, and Windows workstations cannot be made part of other computer lists.

Essentially, the Windows Computers list exists for compatibility with the Windows domain architecture. However, you can delete computers from this list. When you delete a computer from the Windows Computers list, the workstation is removed from the domain. This trick can be useful for dealing with workstations that you believe pose a security threat. It can also be useful if workstations are retired and are no longer part of the network.

You can also add computers to the Windows Computers list without joining the computer to the domain. Because only directory domain administrators have the authority to join a computer to the domain, creating the computer account before joining the computer to the domain allows users who are not administrators to join workstations to the domain. You interact with the Windows Computers list as you would any other computer list, the exception being that when you add a computer, you enter the computer's NetBIOS name rather than entering its MAC address or browsing for it over the network.



While user login from Windows is automatically supported across the board, you can specify some variables about how users interact both with the Windows workstations they log in at and with file and print services across the network. The major ways that you can control the Windows user environment are through how the Windows service works with home directories, the use of user profiles, and by using Windows login scripts.



27.1.5. Home Directory Access from Windows Workstations

In and of themselves, home directories function somewhat differently for users logged in from Windows than for users logged in from either Mac OS X or Mac OS 9. In fact, you can assign a user a separate home directory to use when logged in from Windows or you can let users have access to the same home directory regardless of platform. Whether it's the same home directory used with Mac workstations or a separate one, Windows maps the home directory as a network drive.

Items stored in the home directory, such as preferences, desktop pictures, screen savers, and Internet bookmarks, are not used by Windows in configuring the Windows user environment (as they are by Mac OS X or Mac OS 9). The home directory simply serves as a network storage space for the user. The user's home directory is also the only network folder or share point that is automatically mapped or mounted as a network drive for users by the configuration options built into Mac OS X Server.

To store user preferences and environment settings, Windows creates a profile for the user, which stores information used for defining the user environment. Like the user's home directory, this profile is also stored on a network server and is used to configure the Windows user environment on each Windows computer that the user logs in to within the domain.



27.1.5.1 Shared Mac/Windows home directories

The Advanced settings tab for the Windows service in Server Admin includes a checkbox labeled Homes: Enable Virtual Share Points. When this is selected, Mac OS X Server creates a virtual SMB home directory share point for home directories when users log in from Windows. Essentially, it maps the AFP or NFS home directory share point used for Mac OS X and Mac OS 9 clients as a temporary SMB share point when a user logs in


