摘要:
Branch domain controllers (DCs) contain read only replicas of the data in a normal domain DC. This includes information about the groups a user belongs to so it can be used to determine authorization information. Password information, however, is desirably replicated to the branch DCs only for users and services (including machines) designated for that particular branch. Moreover, all write operations are desirably handled by hub DCs, the primary domain controller (PDC), or other DCs trusted by the corporate office. Rapid authentication and authorization in branch offices is supported using Kerberos sub-realms in which each branch office operates as a virtual realm. The Kerberos protocol employs different key version numbers to distinguish between the virtual realms of the head and branch key distribution centers (KDCs). Accounts may be named krbtgt_ where is carried in the kvno field of the ticket granting ticket (TGT) to indicate to the hub KDC which krbtgt′ key was used to encrypt the TGT.
摘要:
Described is an invention for safeguarding against the modification of certain data associated with one domain of a distributed network by an entity (such as an administrator) within another domain of the distributed network while still allowing the entity to modify other data associated with the one domain. More particularly, security safeguards are applied by a directory replication service that operates to replicate the shared data to each domain in a domain “forest.” Those security safeguards allow a user to indicate that certain modifications of specified shared data may only be made within the domain in which the shared data was created. In that way, a shared data namespace may still be implemented in which trust relationships exist so that, for example, an administrator in one domain may alter a configuration of another domain within the forest. However, certain data may be restricted by these safeguards such that certain modifications of that data (e.g., taking ownership of the data) may only be done from the domain which currently owns the data.
摘要:
An enterprise network architecture has a trust link established between two autonomous network systems that enables transitive resource access between network domains of the two network systems. The trust link is defined by data structures maintained by each of the respective network systems. The first network system maintains namespaces that correspond to the second network system and a domain controller in the first network system, or a first network system administrator, indicates whether to trust individual namespaces. An account managed by a domain in the second network system can request authentication via a domain controller in the first network system. The first network system determines from the trust link to communicate the authentication request to the second network system. The first network system also determines from the trust link where to communicate authorization requests when administrators manage group memberships and access control lists.
摘要:
An enterprise network architecture has a trust link established between two autonomous network systems that enables transitive resource access between network domains of the two network systems. The trust link is defined by data structures maintained by each of the respective network systems. The first network system maintains namespaces that correspond to the second network system and a domain controller in the first network system, or a first network system administrator, indicates whether to trust individual namespaces. An account managed by a domain in the second network system can request authentication via a domain controller in the first network system. The first network system determines from the trust link to communicate the authentication request to the second network system. The first network system also determines from the trust link where to communicate authorization requests when administrators manage group memberships and access control lists.
摘要:
Method and system for networking multiple-master servers, including multiple-master servers, with single-master servers are described. A checkpoint-flag is used to identify a state when the same changes are present in the change-log of a first multiple-master server, which is emulating a primary server for the single master servers in the network, and a second multiple master server in the network. This done by identifying a replication cycle in which no changes are made to either the first multiple-master server or the second multiple master serve. The change-log of the first multiple master server is adopted by the second multiple master server, thus ensuring that the multiple master server in the network have their change-logs converge to reflect the order in the change-log of the multiple master server emulating a primary server. Thus any of the multiple master servers can takeover the task of the primary server in the event such a promotion is required without inconveniencing the single master servers in the network. This strategy helps in realization of hybrid networks that retain both single master and multiple master functionality and, moreover, facilitate a smooth and economical switch to a multiple master server based network from a single master server based network.
摘要:
A network system server, at a first network site, maintains network access information that identifies users authorized to access a network and a network controller, at a second network site, caches the network access information for individual users that request access to the network from the second network site. The network controller tracks the individual users that request access to the network from the second network site and updates the cached network access information for the individual users that request access to the network from the second network site within a defined time interval.
摘要:
A system for multi-master unique identifier allocation comprises a server for allocating pools of identifiers to requesting servers and at least one server for requesting pools of identifiers and allocating individual identifiers as necessary. A single master server allocates “pools” of unique identifiers to network servers upon request. The network servers in turn allocate unique identifiers from their pool as necessary when the server generates new system objects. When a network server's pool of unique identifiers is nearly depleted, the network server requests an additional pool of identifiers from the master server.