robustness of ADSI. Documentation for the Win32::OLE module can be found at http://aspn.activestate.com/ASPN/Perl/Products/ActivePerl/site/lib/Win32/OLE.html.

18.4.4 See Also

http://www.cpan.org/ to download Perl modules

Recipe 18.5 Programming with Java

18.5.1 Problem

You want to programmatically access Active Directory using Java.

18.5.2 Solution

The Java Naming and Directory Interface (JNDI) is a standard extension to Java that can be used to access a variety of naming and directory services, including DNS and LDAP. JNDI is part of the Java Enterprise API set and is documented on the following site: http://java.sun.com/products/jndi/. JNDI provides an object-oriented interface to programming with LDAP, and is not based on the LDAP C API, on which many other LDAP APIs are based. The following code uses JNDI to print out the RootDSE for the host DC1:

    /**
     * Print the RootDSE for DC1
     * usage: java RootDSE
     */
    import javax.naming.*;
    import javax.naming.directory.*;

    class RootDSE {
        public static void main(String[] args) {
            try {
                // Create initial context.
                DirContext ctx = new InitialDirContext();

                // Read attributes from root DSE.
                Attributes attrs = ctx.getAttributes("ldap://DC1", new String[]{"*"});

                // Get a list of the attribute names.
                NamingEnumeration<String> enums = attrs.getIDs();

                // Print out each attribute and its values.
                while (enums != null && enums.hasMore()) {
                    String nextattr = enums.next();
                    System.out.println(attrs.get(nextattr));
                }

                // Close the context.
                ctx.close();
            } catch (NamingException e) {
                e.printStackTrace();
            }
        }
    }

18.5.3 Discussion

Any serious Java programmer should be familiar with JNDI. It is a generic interface that can be used with a variety of services, not least of which is Active Directory. A good tutorial on JNDI is available on Sun's web site: http://java.sun.com/products/jndi/tutorial/.
18.5.4 See Also

Sun's JNDI home page: http://java.sun.com/products/jndi/

Recipe 18.6 Programming with Python

18.6.1 Problem

You want to programmatically access Active Directory using Python.

18.6.2 Solution

As with Perl, you have two options for programming Active Directory with Python: the native LDAP-based approach, and a COM interface, which allows you to use ADSI. The LDAP module can be downloaded from http://python-ldap.sourceforge.net/. The COM interface is part of the standard ActivePython install available from ActiveState (http://www.activestate.com/ActivePython/). The following Python code sample prints out the RootDSE of DC1 using the LDAP interface:

    import sys
    import ldap

    # Connect to the domain controller (ldap.initialize("ldap://dc1") is the newer equivalent).
    try:
        l = ldap.open("dc1")
    except ldap.LDAPError as e:
        print(e)
        sys.exit(1)

    # A base-scope search of the empty DN returns the RootDSE.
    baseDN = ""
    searchScope = ldap.SCOPE_BASE
    retrieveAttributes = None
    searchFilter = "(objectclass=*)"

    try:
        ldap_result_id = l.search(baseDN, searchScope, searchFilter, retrieveAttributes)
        result_type, result_data = l.result(ldap_result_id, 0)
        if result_type == ldap.RES_SEARCH_ENTRY:
            print(result_data)
    except ldap.LDAPError as e:
        print(e)

This next code sample uses the win32com.client module to access the RootDSE with ADSI:

    import win32com.client

    objRootDSE = win32com.client.GetObject('LDAP://RootDSE')
    objRootDSE.GetInfo()
    # Item() is zero-based, so the valid indexes are 0 .. PropertyCount - 1.
    for i in range(objRootDSE.PropertyCount):
        prop = objRootDSE.Item(i)
        print(prop.Name)
        for val in prop.Values:
            print("   %s" % val.CaseIgnoreString)

18.6.3 Discussion

More information is available on Python by going to the Python home page: http://www.python.org/.

Recipe 18.7 Integrating with MIT Kerberos

18.7.1 Problem

You want to integrate your existing MIT Kerberos infrastructure with Active Directory.

18.7.2 Solution

Integrating MIT Kerberos with Active Directory typically means setting up a trust between an Active Directory domain and your MIT Kerberos realm. Creating a trust between a domain and realm is the first step toward Kerberos interoperability.
It will allow users to access resources in either the AD domain or the Kerberos realm. Here are the steps to create the trust:

1. Create a trust to the Kerberos realm on a domain controller:

       > netdom trust AD.RALLENCORP.COM /Domain:MIT.RALLENCORP.COM /Add /Realm /PasswordT:"Password"

2. Make the trust transitive (if necessary):

       > netdom trust AD.RALLENCORP.COM /Domain:MIT.RALLENCORP.COM /Transitive:yes

3. Add a KDC for the Kerberos realm on the domain controller(s):

       > ksetup /addkdc MIT.RALLENCORP.COM kdc01.mit.rallencorp.com

4. Add the AD domain principal to the Kerberos realm (on the Unix host):

       kadmin: addprinc -e des-cbc-crc:normal krbtgt/ad.rallencorp.com

18.7.3 Discussion

What I've shown here is just the tip of the iceberg. You may need to configure service principals, create account mappings, create host principals, and tweak the krb5.conf configuration file on your MIT KDCs to accomplish full integration in your environment. Providing details on how to do all of that is beyond the scope of this book, but a great resource on Kerberos is O'Reilly's Kerberos: The Definitive Guide, which covers all the ins and outs of the Kerberos protocol and interoperability with Active Directory.
Also, there are some good resources on the Web, which I've listed here:

• MIT Kerberos home page (http://web.mit.edu/kerberos/www/)
• Microsoft's Step-by-Step Guide to MIT Kerberos Interoperability (http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp)
• Windows 2000-MIT Kerberos Interop Trip-ups (http://calnetad.berkeley.edu/documentation/test_environment/kerb_interop_trip-ups.html)

18.7.4 See Also

MS KB 217098 (Basic Overview of Kerberos User Authentication Protocol in Windows 2000), MS KB 230476 (Description of Common Kerberos-Related Errors in Windows 2000), MS KB 248758 (Information About the Windows 2000 Kerberos Implementation), MS KB 324143 (HOW TO: Use the Kerberos Setup Tool (Ksetup.exe)), and MS KB 810755 (White Paper: Windows 2000 Kerberos Interoperability and Authentication)

Recipe 18.8 Integrating with Samba

18.8.1 Problem

You want your Samba clients to authenticate against Active Directory and access Active Directory resources.

18.8.2 Solution

Samba 2.2 currently does not provide Active Directory support. The next release, Samba 3.0, which is in beta at the time of this writing, will provide client-side support for Active Directory. OpenLDAP and MIT Kerberos must also be installed on the client to provide full LDAP and Kerberos functionality.

18.8.3 Discussion

Samba has a rich history of providing Unix integration and interoperability solutions for the Windows network operating system (NOS) under Windows NT. Samba is typically deployed so that Windows-based clients can use Unix-based file and print services seamlessly. A Samba server can also act as a PDC in a Windows NT 4.0 environment. Do not expect this level of server emulation for Active Directory domain controllers any time soon.

18.8.4 See Also

For more information on the Samba project, see http://www.samba.org/.
Recipe 18.9 Integrating with Apache

18.9.1 Problem

If your organization has Active Directory and Apache deployed, one way to reduce logins is to integrate the two by having HTTP authentication on Apache use Active Directory.

18.9.2 Solution

There are several Apache modules that support authentication against an LDAP store, and with the release of Apache 2.0 it is supported natively with the mod_auth_ldap module. The documentation for mod_auth_ldap can be found at the following site: http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html. The mod_auth_ldap module works in the following way:

1. Binds using a preconfigured bind DN and bind password.
2. Searches the directory with the preconfigured search filter and the username of the user that is authenticating.
3. If a match was found, performs a bind attempt with the matching user's DN and the password the user supplied.

If you are still running Apache 1.x, the auth_ldap module is widely used and works in much the same way as mod_auth_ldap. For more information, visit the following site: http://www.rudedog.org/auth_ldap/.

18.9.3 Discussion

The mod_auth_ldap module isn't ideal from an Active Directory perspective. Typically, the second step (searching for the user's DN) is completely unnecessary. If you have been configuring a user principal name (UPN) for all of your users, the search could be eliminated by attempting to authenticate the user with its UPN instead of the DN. Active Directory supports binding with either. That means mod_auth_ldap could instead just take the user name entered at the user name/password prompt and append a preconfigured UPN suffix to it (e.g., @rallencorp.com). Hopefully, the developers of mod_auth_ldap will take this into consideration for a future enhancement.

Another issue to be aware of when using this module is that you will need to hardcode a domain controller name to query and bind against in the mod_auth_ldap configuration.
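The three-step flow from the Solution and the UPN shortcut from the Discussion, as an added example that is not from the book or the mod_auth_ldap project: a Python version of both checks run against a constructed in-memory stand-in for the domain controller. FakeDC, SERVICE_DN and the sample accounts are assumptions; with python-ldap the two fake methods would map onto simple_bind_s() and search_s().

```python
import re

# Added example, not from the book: the bind/search/bind sequence mod_auth_ldap performs and the
# UPN shortcut from the Discussion, run against a constructed in-memory stand-in for a DC.
# FakeDC, SERVICE_DN and the sample accounts are invented for this example.

def escape_filter_value(value):  # RFC 4515 escaping: a username cannot alter the filter structure
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

class FakeDC:
    """Stand-in for a DC: simple bind by DN or UPN (AD accepts both) and a one-attribute search."""
    def __init__(self, accounts):
        self.accounts = accounts  # dn -> attributes; only this fake keeps the password here
        self.upns = {a['userPrincipalName']: dn for dn, a in accounts.items()}

    def simple_bind(self, name, password):
        dn = name if name in self.accounts else self.upns.get(name)
        if dn is None or self.accounts[dn]['password'] != password:
            raise PermissionError('invalid credentials')

    def search(self, filterstr):
        """Accept one equality filter such as (sAMAccountName=rallen) and return matching DNs."""
        m = re.fullmatch(r'\((\w+)=([^()]*)\)', filterstr)
        if not m:
            raise ValueError('bad filter: ' + filterstr)
        attr, raw = m.groups()
        value = re.sub(r'\\([0-9a-fA-F]{2})', lambda h: chr(int(h.group(1), 16)), raw)
        return [dn for dn, a in self.accounts.items() if a.get(attr) == value]

SERVICE_DN = 'cn=apache-svc,cn=Users,dc=ad,dc=rallencorp,dc=com'

def auth_via_search(dc, service_password, username, password):
    """Steps 1-3 of mod_auth_ldap: bind as the service account, find the user's DN, bind as that DN."""
    if not password:  # an empty-password simple bind succeeds as *anonymous* and proves nothing
        return False
    try:
        dc.simple_bind(SERVICE_DN, service_password)
        matches = dc.search('(sAMAccountName=%s)' % escape_filter_value(username))
        if len(matches) != 1:
            return False
        dc.simple_bind(matches[0], password)
        return True
    except PermissionError:
        return False

def auth_via_upn(dc, username, password, upn_suffix='@rallencorp.com'):
    """The shortcut from the Discussion: skip the search and bind directly as username@suffix."""
    if not password or '@' in username:  # the caller must not be able to pick another suffix
        return False
    try:
        dc.simple_bind(username + upn_suffix, password)
        return True
    except PermissionError:
        return False

SAMPLE_DC = FakeDC({  # constructed sample accounts, not real data
    SERVICE_DN: {'sAMAccountName': 'apache-svc', 'userPrincipalName': 'apache-svc@rallencorp.com', 'password': 'svc-pw'},
    'cn=rallen,cn=Users,dc=ad,dc=rallencorp,dc=com': {'sAMAccountName': 'rallen', 'userPrincipalName': 'rallen@rallencorp.com', 'password': 'S3cret!'},
})
```

The filter escaping and the empty-password check are the two places a straight port of the three steps most often goes wrong; a username such as rallen)(objectClass=* simply matches nothing here.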
Unless you are using some type of load balancing software or hardware, you will be placing a dependency on that domain controller.

Both mod_auth_ldap and auth_ldap support SSL and TLS, and I highly recommend enabling that if you plan on using either of these modules. If you don't enable SSL/TLS support, passwords sent from the Apache server to a domain controller will be sent in clear text.

18.9.4 See Also

For more information on Apache, see http://www.apache.org/.

Recipe 18.10 Replacing NIS

18.10.1 Problem

You want to replace all or part of your NIS infrastructure with Active Directory. NIS serves many of the same functions as Active Directory, and you can reduce costs by integrating the two infrastructures.

18.10.2 Solution

The Microsoft Services for Unix (SFU) suite provides numerous tools that can aid in integrating your Unix and Windows systems. SFU has a NIS server that can be used as a replacement for existing NIS servers and uses Active Directory as its data store. SFU comes with a set of schema extensions that the NIS server uses to structure the user, group, and host information that NIS clients require. SFU also includes NFS server and client software if you are trying to interoperate with NFS. All of the SFU software runs on Windows operating systems. More information on SFU can be found on the following site: http://www.microsoft.com/windows/sfu/default.asp.

If you'd rather not use SFU, another option is the NIS/LDAP Gateway from PADL Software (http://www.padl.com/). The PADL NIS/LDAP Gateway utilizes the SFU schema extensions to provide NIS services with an Active Directory backend. NIS clients can use the gateway to resolve user, group, and host information, and it works with SunONE Directory Server as well as Active Directory. The NIS/LDAP Gateway is supported on a host of Unix-based platforms including Solaris, FreeBSD, and Linux.
18.10.3 See Also

LDAP System Administration (O'Reilly), MS KB 324083 (HOW TO: Install Server for NIS on Windows for Unix-to-Windows Migration), MS KB 324541 (HOW TO: Configure Server for NIS for a Unix-to-Windows Migration), and MS KB 324543 (HOW TO: Migrate Existing NIS Maps to Server for NIS in a Unix-to-Windows Migration)

Recipe 18.11 Using BIND for DNS

18.11.1 Problem

You've decided that you do not want to use Microsoft DNS for Active Directory and instead prefer to use BIND.

18.11.2 Solution

The two main requirements for supporting Active Directory DNS are SRV records and Dynamic DNS (DDNS) support. The first version of BIND to support SRV records was 8.2.2 patch 7. Hopefully you are running a much more recent version, since that was released in 2000. You technically don't have to use DDNS with Active Directory DNS records, but if you don't, you end up doing a lot of work to manually maintain the Active Directory-related resource records.

Here is an example BIND 8 configuration to support the ad.rallencorp.com domain:

    options {
        directory "/etc/namedb";
    };

    zone "ad.rallencorp.com" IN {
        type master;
        file "db.ad.rallencorp.com";
        allow-update { dc1.; dc2.; dc3.; };
        check-names ignore;
    };

The directory directive specifies where the zone files are stored. The type should be master, and the file directive is the name of the file to store the contents of the zone in. The allow-update directive indicates which servers (either by name or IP address) can dynamically update the zone. Finally, the check-names ignore directive tells BIND not to be restrictive about the names used in resource records. Without this setting, BIND would fail to respond to queries for records containing the underscores used by Active Directory.

The BIND 9 configuration for the same zone would look exactly the same, except the check-names ignore line is not necessary. By default, BIND 9 allows underscores in resource records.
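A small checker for the zone stanza above, as an added example that is not from the book or from ISC: it parses the stanza, confirms the settings a domain controller needs on the given BIND major version, and flags an allow-update that is open to every host. SAMPLE_CONF reproduces the recipe's stanza; parse_zone and check_ad_zone are this example's own names.

```python
import re

# Added example, not from the book: a checker for the zone stanza shown above, verifying the
# settings a domain controller needs and flagging an over-broad allow-update. The function
# names are this example's own; SAMPLE_CONF is the recipe's stanza.

SAMPLE_CONF = '''
zone "ad.rallencorp.com" IN {
    type master;
    file "db.ad.rallencorp.com";
    allow-update { dc1.; dc2.; dc3.; };
    check-names ignore;
};
'''

def parse_zone(conf, name):
    """Return the directives of the named zone stanza as {directive: argument text}."""
    m = re.search(r'zone\s+"%s"[^{]*\{(.*?)\n\};' % re.escape(name), conf, re.S | re.I)
    if not m:
        raise ValueError('zone %s not found' % name)
    # A statement is: keyword, argument text, an optional { ... } block, then ';'.
    stmts = re.findall(r'([\w-]+)\s+([^;{]*(?:\{[^}]*\})?)\s*;', m.group(1))
    return {k.lower(): v.strip() for k, v in stmts}

def check_ad_zone(conf, name, bind_major):
    """Return findings for an AD zone; an empty list means the stanza fits that BIND version."""
    d = parse_zone(conf, name)
    findings = []
    if d.get('type') != 'master':
        findings.append('type must be master on the server that accepts dynamic updates')
    if 'file' not in d:
        findings.append('file directive missing')
    updaters = [t.strip() for t in d.get('allow-update', '').strip('{}').split(';') if t.strip()]
    if not updaters:
        findings.append('allow-update missing or empty: domain controllers cannot register records')
    elif 'any' in updaters:
        findings.append('allow-update { any; } lets any host rewrite the zone; list the DCs instead')
    if bind_major == 8 and d.get('check-names') != 'ignore':
        findings.append('BIND 8 needs "check-names ignore" or it will not answer for _ldap/_kerberos names')
    if bind_major >= 9 and 'check-names' in d:
        findings.append('check-names ignore is unnecessary on BIND 9')
    return findings
```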
After your BIND servers are properly configured, be sure the resolver on your domain controllers points to at least one of the BIND name servers. This can be done by going into the Network Connections for each domain controller and right-clicking the active connection. Click on Properties, highlight Internet Protocol (TCP/IP), and select Properties. You can configure the resolvers under the General tab. This setting can also be configured through DHCP or Group Policy.

18.11.3 Discussion

See Recipe 13.13 for forcing a domain controller to reregister its records and Recipe 13.12 for verifying that a domain controller can register its records. BIND documentation and source can be downloaded from the following ISC site: http://www.isc.org/products/BIND/.

18.11.4 See Also

MS KB 255913 (Integrating Windows 2000 DNS into an Existing BIND or Windows NT 4.0-Based DNS Namespace), and MS KB 323419 (HOW TO: Migrate an Existing DNS Infrastructure from a BIND-Based Server to a Windows Server 2003-Based DNS)

Recipe 18.12 Authorizing a Microsoft DHCP Server

18.12.1 Problem

You want to authorize a Microsoft DHCP server in Active Directory so that clients can use it.

18.12.2 Solution

18.12.2.1 Using a graphical user interface

1. Open the DHCP snap-in.
2. In the left pane, right-click on DHCP and select New Server.
3. Type in the name of the new DHCP server and click OK.
4. Click on the server entry in the left pane.
5. Right-click on the server and select Authorize.

18.12.3 Discussion

Windows 2000- and Windows Server 2003-based DHCP servers must be authorized before they can give out leases to clients. This feature helps reduce the occurrence of rogue DHCP servers that an end user sets up, perhaps even unintentionally. A rogue DHCP server can provide incorrect lease information or deny lease requests altogether, ultimately causing a denial of service for clients on your network. If the DHCP Server service is enabled on a domain controller, it is automatically authorized.
A DHCP server that is a member server of an Active Directory domain performs a query in Active Directory to determine whether it is authorized. If it is, it will respond to DHCP requests; if not, it will not respond to requests. A standalone DHCP server that is not a member of an Active Directory domain sends out a DHCPINFORM message when it first initializes. If an authorized DHCP server responds to the message, the standalone server will not respond to any further DHCP requests. If it does not receive a response from any DHCP servers, it will respond to client requests and give out leases.

Authorized DHCP servers are represented in Active Directory as objects of the dhcpClass class, which can be found in the cn=NetServices,cn=Services,cn=Configuration,<ForestRootDN> container. The RDN for each authorized DHCP server is the IP address of the server.

Windows 2000 DHCP servers cannot be authorized with the Windows Server 2003 version of the DHCP snap-in unless the DHCP server has Service Pack 2 installed.

18.12.4 See Also

MS KB 279908 (Unexpected Results in the DHCP Service Snap-In After Using NETSH to Authorize DHCP), MS KB 300429 (HOW TO: Install and Configure a DHCP Server in an Active Directory Domain in Windows 2000), MS KB 303351 (How to Use Netsh.exe to Authorize, Unauthorize, and List DHCP Servers in Active Directory), MS KB 306925 (Cannot Authorize New DHCP Server in Active Directory), and MS KB 323360 (HOW TO: Install and Configure a DHCP Server in an Active Directory Domain in Windows Server 2003)

Recipe 18.13 Using VMWare for Testing AD

18.13.1 Problem

One of the issues that developers and administrators commonly face when trying to do Active Directory testing is the limitation of being able to host only a single domain on a server. You can use VMWare to work around this issue and host multiple domains on a single server.

18.13.2 Solution

VMWare, Inc.
(http://www.vmware.com/) develops a very popular virtual machine technology that allows you to run multiple operating systems, even of different varieties, on a single machine. Their VMWare Workstation product can be used on laptops and desktop servers and is great for running simulations. Their VMWare GSX Server is oriented toward enterprise solutions, so that you could even run production-grade services from VMWare virtual machines.

As far as Active Directory goes, you can create several virtual machines on a single host using either the Workstation or GSX Server products to simulate a forest. I've personally used VMWare to help facilitate schema extension testing. Since there is no supported schema deletion process, once you've extended the schema, you cannot extend the schema again with the same extensions (if you wanted to test the extension process again). VMWare stores each virtual machine as a collection of files. Once you've created a baseline domain controller virtual machine, you can copy the files that make up that virtual machine and create as many domain controllers as needed.

If you support multiple domains in a forest, it can be expensive in terms of both hardware and people to support multiple test environments that are similar to your production environment. For each domain in a forest, you need a separate server. If you have a four-domain forest and want to create three test environments, you'd need 12 servers total. With VMWare, you could use three servers and host all four domains on each server. I suppose if you had a big enough server, you could even host all four test environments on the same server!

The new snapshot capability in VMWare 4.0 can make testing even easier. With it you can take a snapshot of a virtual machine and preserve its state at a specific moment in time. You can then revert to the saved snapshot at any time, irrespective of whether the machine is powered on or off. This is ideal for testing schema changes.
18.13.3 Discussion

One of the caveats with using VMWare is that Microsoft will not support any issues that arise while running Active Directory, or any other product for that matter, under VMWare. In my experience, Microsoft support will make a best effort to try and troubleshoot problems with VMWare, but they will not guarantee a resolution.

Speaking of Microsoft, they have plans of their own for developing virtual server technology. In February 2003, Microsoft purchased rights to the Virtual PC software developed by Connectix, a privately held company. By mid-2003 Microsoft released a customer preview of the newly packaged Microsoft Virtual Server for Windows Server 2003. This will be a direct competitor to VMWare and provides many of the same capabilities. For more information on Virtual Server, see http://www.microsoft.com/windowsserver2003/evaluation/news/bulletins/vmnews.mspx.

18.13.4 See Also

MS KB 273508 (VMWare Support Policy and Support Boundaries)