Q

Using AD with DNS and GPO in mixed Win2k, NT, Solaris, HP-UX, Linux environment

We run a mixed environment (NT, Solaris, HP-UX, Linux), and are looking to upgrade to Win2K in the near future. We don't want to leave behind the numerous Linux clients we support. What is the preferred method to implement Domain Name System (DNS) and GPOs for network access on such a mixed environment? I guess the root question is "How can we use Active Directory in this environment?" Does it matter on which platform the DNS service is running? Unfortunately I am new at this and charged with making it all work.

Whew. You have a job ahead of you and that's the truth. Forget the technical challenges. You're entering a minefield of fanatical operational beliefs. Even Salman Rushdie would not envy your position.

Okay, first things first. You can't use Windows 2000 group policies to control anything other than Windows 2000 machines. Policies rely on client-side extensions that are not present on downlevel Windows clients and certainly not on Linux clients.

Picking a DNS server is a matter of your own background and comfort level. If you are familiar with BIND and you are running a version that supports Service Locator Records (SRV) and (optional but preferable) dynamic updates, then by all means use a Linux or Unix server for DNS. If you are more familiar with NT DNS, then you should install a Windows 2000 server and put the primary DNS zones on that server. There are some advantages to using Windows 2000 DNS because you can integrate the zones into Active Directory. This gives you multiple master DNS (contrasted with a single primary master in BIND) and a rudimentary form of secure updates. But neither of these is sufficiently interesting to move away from BIND if that's what you're currently using.

Network authentication is also fairly straightforward. I'm assuming that you're already running SAMBA if you're in a mixed environment. A SAMBA client can authenticate in a Windows 2000 domain using NTLM Challenge-Response, just like a downlevel Windows client. If you want to take advantage of Kerberos authentication, you can configure your Linux/UNIX clients for Kerberos and point them at a Windows 2000 domain controller as a Key Distribution Center (KDC). Unfortunately, this will not give your Linux/UNIX clients full Windows 2000 authorization because only Windows 2000 clients know how to extract the Privilege Access Certificate (PAC) from a Kerberos ticket issued by a Windows 2000 KDC. So when the SAMBA client touches a Windows 2000 member server, it will fall back on NTLM authentication to get a local access token. Take a look in www.dejanews.com at any discussion thread ranting about the PAC and you'll get a flavor for the problem.

As for other network infrastructure components you use, most of them will be just as happy in a Windows 2000 domain as an NT4 domain. If you're running NT4 RAS servers, you should upgrade them to Windows 2000 to avoid putting the Everyone group in the Pre-Windows 2000 Compatible Access group to support null logons. Thoroughly test all your applications (especially client/server applications that rely on the underlying Windows authentication infrastructure) to make sure they work fine on Windows 2000. This is especially true of any NFS servers you are running on your NT servers.
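As an added illustration (not part of the expert's answer), here is the shape of a BIND configuration that meets the two requirements named above for hosting the Active Directory zone on a Unix/Linux DNS server: a zone carrying the SRV records Windows 2000 domain controllers register, with dynamic updates accepted only from the domain controllers' own addresses. The zone name example.com, the host names and the 10.0.0.x addresses are placeholders; the two fragments below belong in named.conf and the zone's data file respectively.

```conf
// ---- named.conf fragment (constructed example, placeholder addresses) ----
// Caveat: "allow-update { any; };" would let any host on the wire rewrite the
// records the Windows 2000 DC locator depends on. Limit updates to the DCs.
acl win2k-dcs { 10.0.0.10; 10.0.0.11; };

zone "example.com" {
    type master;
    file "db.example.com";
    allow-update { win2k-dcs; };   // only the DCs may register their records
};

; ---- db.example.com fragment (constructed example, placeholder names) ----
$ORIGIN example.com.
$TTL 3600
@       IN SOA ns1.example.com. hostmaster.example.com. (
            2001020101 ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            3600 )     ; negative-cache TTL
        IN NS  ns1.example.com.
ns1     IN A   10.0.0.5
dc1     IN A   10.0.0.10
dc2     IN A   10.0.0.11

; SRV records the Windows 2000 DC locator queries: priority weight port target.
; A DC's Netlogon service registers these itself once dynamic update is allowed.
_ldap._tcp              IN SRV 0 100 389  dc1.example.com.
_ldap._tcp              IN SRV 0 100 389  dc2.example.com.
_kerberos._tcp          IN SRV 0 100 88   dc1.example.com.
_kerberos._udp          IN SRV 0 100 88   dc1.example.com.
_kpasswd._tcp           IN SRV 0 100 464  dc1.example.com.
_ldap._tcp.dc._msdcs    IN SRV 0 100 389  dc1.example.com.
_gc._tcp                IN SRV 0 100 3268 dc1.example.com.
```

The same _kerberos._tcp and _kerberos._udp records are what a Linux/UNIX Kerberos client can use to locate the Windows 2000 KDC, so getting this zone right serves both the Windows and the Unix side of the environment.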

This was first published in February 2001
