Tuesday, October 18, 2011

Windows Authorization Manager in Hyper-V using Active Directory

As mentioned in my earlier post, AzMan can be used as the basis for controlling user access according to your requirements. However, if you have many team members who need to manage the servers, maintaining a separate authorization store on every host becomes a nightmare.

In Windows Server 2008 the authorization store can be kept in the Active Directory database. Before this can be implemented, make sure the Active Directory domain is at least at the Windows Server 2003 functional level.

Before you do so, download the sample script, Authorization Store Script. Once you have downloaded it, save it to c:\.

Now we are ready to install the component.
1) Open cmd and run the command shown below. The command creates a store inside the Active Directory database.
2) If the command succeeds, you will see the following screen.
3) To confirm that the data has been created in Active Directory, open Active Directory Users and Computers (dsa.msc), click View and enable Advanced Features. You should see the store you just created.
4) To make the Hyper-V server use role-based access control, point the Virtualization registry key at the store as shown below. The key is HKLM\Software\Microsoft\Windows NT\CurrentVersion\Virtualization; modify the StoreLocation value. Please note that a wrong value here will prevent VMs from starting.

5) You should now be able to see the configuration in AzMan. Open it by typing azman.msc, then open the authorization store in Active Directory at the path you configured.
6) In the previous example I showed you a local store; this example uses Active Directory. There is also an option for MSSQL, but I think that option generates a lot of network traffic.

7) Now configure AzMan so that the Hyper-V host's computer account has read access to the store in Active Directory. To do that, open the Security tab in the store's properties in AzMan.

The computer name is the name of the Hyper-V server on which you want the AzMan configuration to take effect.

8) The final step is to restart the Hyper-V services as shown below.
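Steps 4 to 8 can be scripted so that the old value is recorded and the new store is opened once before Hyper-V is pointed at it. The following PowerShell is an added example, not part of the original post or of the downloaded script; the msldap:// store path is a placeholder you must replace with the distinguished name of the store you created, and it assumes the AzRoles COM object and the vmms (Hyper-V Virtual Machine Management) service are present on the host.

```powershell
# Added example: point the Hyper-V host at an AD-based AzMan store and restart Hyper-V.
# Run in an elevated PowerShell session on the Hyper-V host.

$regPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
$valueName = 'StoreLocation'
# PLACEHOLDER: replace with the DN of the store created by the Authorization Store Script
$newStore  = 'msldap://CN=HyperVStore,CN=Program Data,DC=example,DC=local'

# 1. Record the current value so a bad change can be reverted quickly
#    (a wrong StoreLocation stops VMs from starting).
$current = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
Write-Host "Current StoreLocation: $current"

# 2. Sanity-check the scheme: AD stores use msldap://, local XML stores use msxml://
if ($newStore -notmatch '^msldap://CN=') {
    throw "StoreLocation '$newStore' does not look like an Active Directory (msldap://) store path"
}

# 3. Open the store once from this host before Hyper-V depends on it.
#    This only proves the store exists and is reachable by the account running the script;
#    the host's computer account still needs read access via the Security tab in azman.msc.
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
try {
    $store.Initialize(0, $newStore)        # flags 0 = open existing store, no create
    $apps = @($store.Applications | ForEach-Object { $_.Name })
    Write-Host "Store opened; applications defined: $($apps -join ', ')"
} catch {
    throw "Cannot open '$newStore': $_  (registry left unchanged)"
}

# 4. Apply the value and restart the Hyper-V Virtual Machine Management service
Set-ItemProperty -Path $regPath -Name $valueName -Value $newStore
Restart-Service -Name vmms -Force
Get-Service -Name vmms | Select-Object Name, Status
```

If the service fails to come back, restore the value printed in step 1 with Set-ItemProperty and restart vmms again.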

In the next article I will show you how to configure the roles granted to the administrator team. Overall I think AzMan is a good feature, but again, if your infrastructure is not secured it can become a nightmare for you. In this case Active Directory must be properly managed: if it becomes corrupted, your Hyper-V services may be interrupted. From a security standpoint I would not recommend this because of the dependency on Active Directory. I am not saying it can't be used, just that it needs better planning in terms of securing AD.

