Windows 2000 Infrastructure Integration at UCB
A large part of deploying a Windows 2000 infrastructure at UCB is integrating the Active Directory with the existing campus IT infrastructure. The integration work accounted for most of the project's technical challenges, and also for most of the potential benefit to Windows 2000 users on campus. It fell into three areas: Kerberos, DNS, and directory services.
Kerberos Integration/Interoperability
Prior to the Windows 2000 project, UCB relied on an MIT Kerberos 5 infrastructure, known on campus as IdentiKey, for authentication in the public computing labs, the campus modem pool, and systems administration. Because Windows 2000 uses Kerberos 5 as its primary authentication protocol, its release prompted much speculation about integration with existing Kerberos deployments, and many questions remained open while the industry learned exactly how Windows 2000 used Kerberos.
Eventually Microsoft and several universities worked out a number of ways in which a Windows 2000 domain can interoperate with an existing Kerberos infrastructure. One of these scenarios, cross-realm authentication, is the one used on the UCB campus.
The configuration used at UCB requires a small amount of configuration on each client workstation (so that it can find the IdentiKey KDCs), a one-way Kerberos trust in which the Windows 2000 domain trusts the existing Kerberos realm, and special configuration of each user object in the Windows 2000 domain to map it to the user's IdentiKey principal. This allows Windows 2000 users on campus to log in to their computers with their IdentiKey accounts.
See the Kerberos Interoperability Diagram for additional details on this interoperability configuration.
DNS
The Domain Name System (DNS) maps names such as www.colorado.edu to IP addresses. A Solaris server running BIND 8.2.2 provides DNS for the UCB campus. Windows 2000 relies heavily on DNS to locate computers and services within a domain, and requires a DNS server that supports SRV records (the record type used to locate a service), which BIND 8.2.2 does. Windows 2000 also prefers dynamic DNS, in which a computer registers its own name, so that a DHCP client keeps its name no matter which IP address it is assigned. Although the UCB DNS server is capable of dynamic DNS, enabling it in the current implementation would represent a large security risk.
Windows 2000 also requires the domain to be rooted somewhere in the DNS namespace. At UCB we have chosen to root our domain at ad.colorado.edu. A computer in the domain therefore has a DNS name of either computer.colorado.edu or computer.ad.colorado.edu, but not both. The ad.colorado.edu zone contains the SRV records the domain needs, but it does not accept dynamic updates; the records are maintained statically.
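A zone that does not accept dynamic updates has to carry by hand the records a domain controller would otherwise register for itself. The following Python script is an added example, not code from the UCB page or from ITS: it generates those SRV and address records for a domain rooted at ad.colorado.edu, mimics the client's domain-controller lookup against them, and checks a named.conf zone stanza for an allow-update list that would accept updates on source address alone. The host names, RFC 5737 addresses, site name, domain GUID and named.conf stanzas are all constructed for the example; the record set is the standard one Windows 2000 writes to netlogon.dns.

```python
# Added example, not code from the UCB page: builds the static resource
# records a Windows 2000 domain rooted at ad.colorado.edu needs in BIND,
# checks that a client could locate a domain controller from them, and
# flags a named.conf zone stanza that would accept unauthenticated updates.
# Hosts, addresses (RFC 5737 range), site name and domain GUID are constructed.
import re
from collections import defaultdict

DOMAIN = "ad.colorado.edu"
TTL = 600

# Constructed domain-controller inventory (hypothetical hosts and addresses).
CONTROLLERS = [
    {"host": "dc1", "ip": "192.0.2.10", "site": "main-campus", "gc": True, "pdc": True},
    {"host": "dc2", "ip": "192.0.2.11", "site": "main-campus", "gc": False, "pdc": False},
]
# Hypothetical domain GUID; a real one is read from the DC's netlogon.dns file.
DOMAIN_GUID = "6f1a2b3c-4d5e-4f60-8a9b-0c1d2e3f4a5b"


def srv_records_for(dc, domain=DOMAIN):
    """(owner, port) pairs for the SRV records a Windows 2000 DC would register
    itself; with dynamic updates disabled they are entered into the zone by hand."""
    site = dc["site"]
    recs = [
        (f"_ldap._tcp.{domain}.", 389),
        (f"_ldap._tcp.{site}._sites.{domain}.", 389),
        (f"_ldap._tcp.dc._msdcs.{domain}.", 389),
        (f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}.", 389),
        (f"_kerberos._tcp.{domain}.", 88),
        (f"_kerberos._udp.{domain}.", 88),
        (f"_kerberos._tcp.{site}._sites.{domain}.", 88),
        (f"_kerberos._tcp.dc._msdcs.{domain}.", 88),
        (f"_kpasswd._tcp.{domain}.", 464),
        (f"_kpasswd._udp.{domain}.", 464),
    ]
    if dc["pdc"]:
        recs.append((f"_ldap._tcp.pdc._msdcs.{domain}.", 389))
    if dc["gc"]:
        recs += [(f"_gc._tcp.{domain}.", 3268), (f"_ldap._tcp.gc._msdcs.{domain}.", 3268)]
    return recs


def build_zone(controllers=CONTROLLERS, domain=DOMAIN):
    """Return the zone's records as (owner, type, rdata) tuples."""
    rrs = []
    for dc in controllers:
        fqdn = f"{dc['host']}.{domain}."
        rrs.append((fqdn, "A", dc["ip"]))
        for owner, port in srv_records_for(dc, domain):
            rrs.append((owner, "SRV", f"0 100 {port} {fqdn}"))  # priority 0, weight 100
        if dc["gc"]:
            rrs.append((f"gc._msdcs.{domain}.", "A", dc["ip"]))
    # Replication partners look the domain up by GUID rather than by name.
    first = f"{controllers[0]['host']}.{domain}."
    rrs.append((f"{DOMAIN_GUID}._msdcs.{domain}.", "CNAME", first))
    return rrs


def zone_text(rrs, ttl=TTL):
    """Render the records in BIND master-file syntax."""
    return "".join(f"{o} {ttl} IN {t} {r}\n" for o, t, r in rrs)


def locate_dc(rrs, domain=DOMAIN):
    """Mimic the DC locator: pick the best SRV target for the domain and
    resolve it, raising LookupError where a real client would fail."""
    index = defaultdict(list)
    for o, t, r in rrs:
        index[(o, t)].append(r)
    cands = index.get((f"_ldap._tcp.dc._msdcs.{domain}.", "SRV"))
    if not cands:
        raise LookupError("no _ldap._tcp.dc._msdcs SRV record; clients cannot find a DC")
    parsed = [(int(p), -int(w), int(port), tgt) for p, w, port, tgt in (c.split() for c in cands)]
    _, _, port, target = sorted(parsed)[0]   # lowest priority, then highest weight
    addrs = index.get((target, "A"))
    if not addrs:
        raise LookupError(f"SRV target {target} has no A record")
    return target, addrs[0], port


def update_policy_is_safe(zone_stanza):
    """True if the named.conf zone stanza refuses unauthenticated dynamic updates.
    Assumption: a BIND 8 allow-update list of source addresses is not
    authentication (UDP updates can be forged from any host on the network),
    so only 'none' or a TSIG key entry is treated as safe."""
    m = re.search(r"allow-update\s*\{([^}]*)\}", zone_stanza)
    if m is None:
        return True   # BIND's default is to refuse dynamic updates
    entries = [e.strip() for e in m.group(1).split(";") if e.strip()]
    return all(e == "none" or e.startswith("key ") for e in entries)


# Constructed named.conf stanzas: address-based updates versus a static zone.
WEAK_STANZA = ('zone "ad.colorado.edu" { type master; file "ad.colorado.edu.db"; '
               'allow-update { 192.0.2.0/24; }; };')
STATIC_STANZA = ('zone "ad.colorado.edu" { type master; file "ad.colorado.edu.db"; '
                 'allow-update { none; }; };')

if __name__ == "__main__":
    zone = build_zone()
    print(zone_text(zone))
    print("locator picks:", locate_dc(zone))
    print("weak stanza safe?", update_policy_is_safe(WEAK_STANZA))
    print("static stanza safe?", update_policy_is_safe(STATIC_STANZA))
```

Running the script prints the master-file lines for ad.colorado.edu, shows that the locator resolves to dc1, and reports the address-only allow-update stanza as unsafe while the `allow-update { none; }` stanza passes. When a controller is added, demoted, or changes address, the zone has to be regenerated and reloaded, which is the operational price of leaving dynamic updates off.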
See the DNS interoperability diagram for additional details on this implementation.
Directory Services
Directory services at UCB are currently undergoing a massive overhaul. The Windows 2000 project team is working closely with the directory services project team to ensure that the new directory meets the needs of the campus Windows 2000 Active Directory. We hope the new directory will allow ITS to provide better services within the campus Windows 2000 domain.
The campus Windows 2000 domain will import public information about users (full name, title, department, etc.) from the campus directory, so that administrators can correctly identify users when granting access to resources. See the account synchronization diagram for details.
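Both the user-object mapping required by the Kerberos cross-realm configuration above and the attribute import described here are changes to the same Windows 2000 user objects, so they can be produced in one pass over a campus directory export. The following Python script is an added example, not code from the UCB page or from the account synchronization project: it parses a constructed LDIF export, sets displayName, title and department from it, and maps each user object to its IdentiKey principal through the altSecurityIdentities attribute (the `Kerberos:principal@REALM` form Windows 2000 uses for MIT Kerberos name mappings). The AD container, the realm name COLORADO.EDU, the attribute mapping, and the assumption that the AD account name equals the IdentiKey uid are all hypothetical.

```python
# Added example, not code from the UCB page: reads campus-directory entries
# (constructed LDIF sample below) and emits the LDIF modify operations that
# would set the public attributes on the matching Windows 2000 user objects
# and map each one to its IdentiKey principal via altSecurityIdentities.
# The AD container, the realm name and "AD account name == IdentiKey uid"
# are assumptions made for the example.
import base64

AD_USERS = "CN=Users,DC=ad,DC=colorado,DC=edu"   # hypothetical container
REALM = "COLORADO.EDU"                           # hypothetical IdentiKey realm
# campus-directory attribute -> Active Directory attribute
ATTR_MAP = {"cn": "displayName", "title": "title", "ou": "department"}

# Constructed campus-directory export. The second cn is base64 ("::") because
# it contains a non-ASCII character; its title is a folded (continued) line.
CAMPUS_LDIF = """\
dn: uid=jdoe,ou=People,dc=colorado,dc=edu
uid: jdoe
cn: Jane Doe
title: Systems Administrator
ou: Information Technology Services

dn: uid=rroe,ou=People,dc=colorado,dc=edu
uid: rroe
cn:: UsO2ZGVyaWNrIFJvZQ==
title: Research
  Assistant
ou: Physics

# a printer object with no login name, which must be skipped
dn: cn=lab-printer,ou=Devices,dc=colorado,dc=edu
cn: lab-printer
"""


def parse_ldif(text):
    """Minimal LDIF reader returning a list of {attr: [values]} dicts. Handles
    comments, folded lines and base64 values; change records are out of scope."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def ldif_value(attr, value):
    """Write 'attr: value', base64-encoding values LDIF cannot carry literally."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<") or value.endswith(" "))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def sync_changes(entries, ad_users=AD_USERS, realm=REALM):
    """Build (dn, [(attribute, values)]) replace operations for each person."""
    changes = []
    for e in entries:
        if "uid" not in e:
            continue                      # not a person: nothing to sync
        uid = e["uid"][0]                 # assumed equal to the AD account name
        ops = [("altSecurityIdentities", [f"Kerberos:{uid}@{realm}"])]
        ops += [(dst, e[src]) for src, dst in ATTR_MAP.items() if src in e]
        changes.append((f"CN={uid},{ad_users}", ops))
    return changes


def to_ldif(changes):
    """Render the changes as LDIF modify records suitable for ldapmodify."""
    out = []
    for dn, ops in changes:
        out += [f"dn: {dn}", "changetype: modify"]
        for attr, values in ops:
            out.append(f"replace: {attr}")
            out += [ldif_value(attr, v) for v in values]
            out.append("-")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_ldif(sync_changes(parse_ldif(CAMPUS_LDIF))))
```

Running the script prints two modify records, one per person in the sample, and skips the printer object. The output is what an ldapmodify run against a domain controller would consume; altSecurityIdentities is the same attribute the Name Mappings dialog in Active Directory Users and Computers sets, so the mapping done here in bulk is the per-user step the Kerberos section calls "special configuration of the user objects".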
Getting Help
help@colorado.edu