1. Technical Field
The present invention relates, generally, to a server system for use with a plurality of computing devices and, specifically, to a server system that provides synchronization between dissimilar computer server environments. More specifically still, the present invention relates to a synchronization system used in a local area network matched to a distributed computing environment.
2. Description of the Related Art
Data processing and computer systems are well known in the arts. More specifically, the use of multiple processing systems tied one to another to form a local area network (LAN) is also well known. A broader application of LANs is known as a distributed computing environment (DCE), which is capable of handling a greater number of computer systems within the server system than a LAN server system typically can.
As a business or enterprise first develops, it is typically small and requires either a single computer or merely a couple of computers to provide all the data processing needs of that particular enterprise. As the enterprise grows, additional data processing systems are added and eventually a LAN is added, with a LAN server used to provide system security and to provide synchronization of communication between the various computers on the LAN. As the enterprise grows still bigger, the abilities of the LAN server are taxed and the enterprise is ready for a distributed computing environment (DCE). The DCE security architecture usually is substantially different from that for a LAN server, and the synchronization process is also more complex due to the added resources and the abilities required of the DCE server.
The DCE security server typically consists of the following services: registry service, authentication service, privilege service, and access control list. The registry service maintains the registry database, which is a replicated database of principals, groups, organizations, accounts and administrative policies. The authentication service handles user authentication, the process of verifying that principals are correctly identified. The authentication service also issues tickets that a principal uses to access remote services. The ticket contains data that is presented by the principal requesting the service to the principal providing the service. The privilege service supplies the user's privilege attributes, which are used to ensure that a principal has the rights to perform requested operations. The access control list (ACL) facility determines the access rights to an object based on the user's privilege attributes.
The DCE security further includes a DCE host daemon (DCED) that acts as the security client. The registry, authentication and privilege services are implemented as a single daemon, which is typically referred to as the security server. The actual granting of access rights to an object is performed by the ACL facility; the ACL edit tool establishes the access permissions for an object. The authentication service consists of a registry database, security servers, and security clients. A security client communicates with a security server to request information and operations. The security server accesses the registry database to perform queries and updates and to validate user logins. To gain access to the registry database, the authentication service must talk to the registry service.
FIG. 1 represents a block diagram of the relationship between the security clients 11, servers 13, and a registry database 15. It is also an example of the security server clients requesting a database operation.
Registry database 15 contains information similar to that found in UNIX group and password files. It contains the following items: principals, groups, organizations, and accounts. Principals are the users of the system. Principals can be interactive, such as human users, or non-interactive, such as servers, machines, and cells. Principals can be associated with access permissions. Groups are collections of principals that are identified by a group name. Groups can be associated with access permissions. Organizations are collections of principals; these principals are identified by an organization name. Organizations define the policies associated with the principals in the registries. Organizations cannot be associated with access permissions. Accounts contain the passwords and accounting information that allow principals authenticated access to objects within the cell.
Registry database 15 also contains information on policies and properties for the registry as a whole and for organizations. Policies and properties regulate such things as password length, format and certain authentication requirements.
The collection of principals, groups, organizations and accounts controlled by a registry database is an entity known as a cell. Authenticated communication is possible between cells only if those cells have special accounts in the registry database at the cell with which they wish to communicate. These special accounts set up a cross-cell authentication, which allows principals from one cell authenticated access to another cell.
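The registry rules described above can be made concrete with a small model. The following Python sketch is an added illustration, not code from the patent or from any DCE implementation; the class names, the cell names "sales" and "eng", and all sample principals are constructed for the example. It shows privilege attributes being derived from group membership, the ACL facility refusing organizations as permission holders, and a foreign principal being denied until its cell has a special account in the target cell's registry.

```python
from dataclasses import dataclass, field

@dataclass
class Registry:
    """Constructed model of one cell's registry database."""
    cell: str
    principals: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)          # group -> member principals
    organizations: dict = field(default_factory=dict)   # org -> member principals
    cross_cell_accounts: set = field(default_factory=set)  # foreign cells trusted here

    def privilege_attributes(self, principal):
        # Privilege service: identity plus group memberships from the home cell.
        if principal not in self.principals:
            raise KeyError(f"{principal} is not a principal in {self.cell}")
        member_of = {g for g, m in self.groups.items() if principal in m}
        return {"cell": self.cell, "principal": principal, "groups": member_of}

@dataclass
class ACL:
    """Access permissions on one object, owned by `registry`'s cell."""
    registry: Registry
    entries: list = field(default_factory=list)  # (kind, cell, name, perms)

    def grant(self, kind, cell, name, perms):
        # Principals and groups can carry permissions; organizations cannot.
        if kind not in ("principal", "group"):
            raise ValueError(f"{kind} cannot be associated with access permissions")
        self.entries.append((kind, cell, name, set(perms)))

    def permits(self, attrs, perm):
        # Foreign principals need a special account for their cell in this registry.
        local = attrs["cell"] == self.registry.cell
        if not local and attrs["cell"] not in self.registry.cross_cell_accounts:
            return False
        for kind, cell, name, perms in self.entries:
            if cell != attrs["cell"] or perm not in perms:
                continue
            if kind == "principal" and name == attrs["principal"]:
                return True
            if kind == "group" and name in attrs["groups"]:
                return True
        return False

# Constructed sample data: two cells, one object in cell "sales".
sales = Registry("sales", {"alice", "bob"}, {"staff": {"alice"}}, {"acme": {"alice", "bob"}})
eng = Registry("eng", {"carol"}, {"dev": {"carol"}})
report = ACL(sales)
report.grant("group", "sales", "staff", "r")
report.grant("principal", "eng", "carol", "rw")
```

ACL entries are keyed by cell as well as name so that a foreign principal cannot match a local entry that happens to share its name.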
Adding LAN Server servers to a DCE system, or DCE system servers to LAN Server, can be complex and troublesome for the enterprise. To minimize such trauma, it is quite common to transition gradually from a LAN server to a DCE server environment where the LAN and the DCE systems have overlapping capabilities and operation. Additionally, the LAN server may be merely a subset of the DCE environment. In either event, it is helpful to have cross compatibility between the two systems so as to minimize expense and avoid system incompatibility.
One example of a LAN server is the OS/2 LAN server 4.0, provided by International Business Machines Corporation. LAN server 4.0 provides the enterprise with functionality for a large network. The current LAN server base can continue to exist and evolve as a separate product to provide file and print sharing services for small to medium work groups. The LAN server also allows the base functionality to extend to large enterprises by replacing the LAN server base directory and security structure with the equivalent DCE services. This provides for a transition from the small to medium size work groups to the large DCE type environments.
One limitation of transitioning from the OS/2 LAN Server 4.0 system to a more robust DCE enterprise server is that the synchronization process must be fully compatible with the DCE security server system. Unfortunately, there exist incompatibilities with prior LAN server systems and with current DCE security servers that do not permit merely combining the two systems to arrive at a common system for the two environments. Specifically, the DCE security server maintains a working copy of the registry database at all times. The registry database can be replicated within its cell.
Each instance of a security server in a cell maintains a working copy of the database. The combination of a security server and its data, the registry database, is referred to as a "replica." Typically, the security server creates several replicas in a cell to enhance performance and reliability. The task of keeping the cell replicas consistent is handled automatically by the security servers. Any changes made to the data are automatically reflected in all replicas. Within the replicas there is a hierarchy of one master replica or primary replica and several secondary replicas.
In a DCE enterprise that includes a LAN Server, two separate systems must be maintained for installing a domain controller because the Registry synchronization process (RSP) cannot run on the same machine on which the DCE security server is installed. The RSP within the LAN server then becomes a modified version of a secondary security server in the DCE enterprise. This RSP registers itself as a secondary replica for the purposes of receiving timely updates from the primary replica. Since the DCE security architecture does not allow more than one replica to run on the same machine, the current version of the RSP cannot run on a machine that has a primary or a secondary replica installed. Because of this, there is a need for a solution that allows both the LAN server RSP and the DCE security server to co-exist on one system without conflicting with one another in their generation of replicas and synchronization of registries.