Designing a
Microsoft Windows Server 2003 Active Directory and Network
Infrastructure
The objectives for exam 70-297 focus it toward an MCSE
candidate who is involved with the design of large
networks. It focuses on two distinct categories that were
tested separately under Windows 2000: network
infrastructure and Active Directory design. The objectives
for it are:
Creating the Conceptual Design by Gathering and
Analyzing Business and Technical Requirements
- Analyze the impact of Active Directory on the existing technical environment.
  - Analyze hardware and software requirements.
  - Analyze interoperability requirements.
  - Analyze current level of service within an existing technical environment.
  - Analyze current network administration model.
  - Analyze network requirements.
- Analyze DNS for Active Directory directory service implementation.
  - Analyze the current DNS infrastructure.
  - Analyze the current namespace.
- Analyze existing network operating system implementation.
  - Identify the existing domain model.
  - Identify the number and location of domain controllers on the network.
  - Identify the configuration details of all servers on the network. Server types might include primary domain controllers, backup domain controllers, file servers, print servers, and Web servers.
- Analyze security requirements for the Active Directory directory service.
  - Analyze current security policies, standards, and procedures.
  - Identify the impact of Active Directory on the current security infrastructure.
  - Identify the existing trust relationships.
- Design the Active Directory infrastructure to meet business and technical requirements.
  - Design the envisioned administration model.
  - Create the conceptual design of the Active Directory forest structure.
  - Create the conceptual design of the Active Directory domain structure.
  - Design the Active Directory replication strategy.
  - Create the conceptual design of the organizational unit (OU) structure.
- Design the network services infrastructure to meet business and technical requirements.
  - Create the conceptual design of the DNS infrastructure.
  - Create the conceptual design of the WINS infrastructure.
  - Create the conceptual design of the DHCP infrastructure.
  - Create the conceptual design of the remote access infrastructure.
- Identify network topology and performance levels.
  - Identify constraints in the current network infrastructure.
  - Interpret current baseline performance requirements for each major subsystem.
- Analyze the impact of the infrastructure design on the existing technical environment.
  - Analyze hardware and software requirements.
  - Analyze interoperability requirements.
  - Analyze current level of service within the existing technical environment.
  - Analyze network requirements.
Creating the Logical Design for an Active Directory
Infrastructure
- Design an OU structure.
  - Identify the Group Policy requirements for the OU structure.
  - Design an OU structure for the purpose of delegating authority.
- Design a security group strategy.
  - Define the scope of a security group to meet requirements.
  - Define resource access requirements.
  - Define administrative access requirements.
  - Define user roles.
- Design a user and computer authentication strategy.
  - Identify common authentication requirements.
  - Select authentication mechanisms.
  - Optimize authentication by using shortcut trust relationships.
- Design a user and computer account strategy.
  - Specify account policy requirements.
  - Specify account requirements for users, computers, administrators, and services.
- Design an Active Directory naming strategy.
  - Identify Internet domain name registration requirements.
  - Specify the use of hierarchical namespace within Active Directory.
  - Identify NetBIOS naming requirements.
- Design migration paths to Active Directory.
  - Define whether the migration will include an in-place upgrade, domain restructuring, or migration to a new Active Directory environment.
- Design a strategy for Group Policy implementation.
  - Design the administration of Group Policy objects (GPOs).
  - Design the deployment strategy of GPOs.
  - Create a strategy for configuring the user environment with Group Policy.
  - Create a strategy for configuring the computer environment with Group Policy.
- Design an Active Directory directory service site topology.
  - Design sites.
  - Identify site links.
Creating the Logical Design for a Network Services
Infrastructure
- Design a DNS name resolution strategy.
  - Create the namespace design.
  - Identify DNS interoperability with Active Directory, WINS, and DHCP.
  - Specify zone requirements.
  - Specify DNS security.
  - Design a DNS strategy for interoperability with UNIX Berkeley Internet Name Domain (BIND) to support Active Directory.
- Design a NetBIOS name resolution strategy.
  - Design a WINS replication strategy.
- Design security for remote access users.
  - Identify security host requirements.
  - Identify the authentication and accounting provider.
  - Design remote access policies.
  - Specify logging and auditing settings.
- Design a DNS service implementation.
  - Design a strategy for DNS zone storage.
  - Specify the use of DNS server options.
  - Identify the registration requirements of specific DNS records.
- Design a remote access strategy.
  - Specify the remote access method.
  - Specify the authentication method for remote access.
- Design an IP address assignment strategy.
  - Specify DHCP integration with DNS infrastructure.
  - Specify DHCP interoperability with client types.
Creating the Physical Design for an Active Directory
and Network Infrastructure
- Design DNS service placement.
- Design an Active Directory implementation plan.
  - Design the placement of domain controllers and global catalog servers.
  - Plan the placement of flexible operations master roles.
  - Select the domain controller creation process.
- Specify the server specifications to meet system requirements.
- Design Internet connectivity for a company.
- Design a network and routing topology for a company.
  - Design a TCP/IP addressing scheme through the use of IP subnets.
  - Specify the placement of routers.
  - Design IP address assignment by using DHCP.
  - Design a perimeter network.
- Design the remote access infrastructure.
  - Plan capacity.
  - Ascertain network settings required to access resources.
  - Design for availability, redundancy, and survivability.
*********************** End of Objectives
**********************
Analyzing Business Requirements
Identifying the business model is necessary because
similar businesses often have similar needs and
requirements. Knowing the geographic scope can help define
the infrastructure employed by the IT department. The five
possible geographic models are: Regional, National,
International, Subsidiary, and Branch Office.
When implementing technologies that are within
companies restricted to regional boundaries, you can often
pay less attention to such things as international
translations than you would with different models. The key
to the Regional model is that all sites must be within a
single, well-defined geographic area.
The scale of the National model is grander than that of
the Regional model. You can still often overlook many
factors such as international regulations, but you must
consider time zones, local laws, and so forth. By
definition, all sites within the National model must be
contained within a single nation.
By definition, international boundaries are crossed in
the International model. Importance must be paid to
languages/translations, regulations, laws, and time zones.
Representatives from all countries should be involved in
IT decision-making processes.
Under the Subsidiary model, subsidiaries are part of a
larger company but function independently. When working
with a subsidiary of a larger conglomerate, make certain
that the solution you produce will be acceptable to the
parent company, and find out early whether the parent must
approve it, particularly if the relationship between the
two is complex.
Under the Branch Office model, you must go to lengths
to verify that solutions implemented at the branch offices
work with technologies employed throughout the rest of the
company. Branch offices are wholly controlled by other
entities (corporate offices).
All company processes should be documented and
diagrammed. Of key importance are the processes related to
information flow, communication flow, service/product
lifecycles, and decision-making.
How information moves throughout the company is defined
as Information Flow. This typically follows the
organization chart, but can differ with geographic breaks.
Rather than being how the information is disseminated,
Communication Flow focuses more on how the information is
used. Does a customer hear something to make them want to
buy more of your product, or less? Does a customer tell
you something they heard about your company that makes you
want to send out a resume? "Communication flow" differs
from "information flow" in that it often lacks formal
structure and comes about as a result of communication
with others (customers, vendors, etc.).
The lifespan of the product is known as the
"Service/product lifecycle". Services can have a lengthy
or short lifespan and can encompass leases from DHCP,
authentication from a domain controller, and so on.
Questions to ask regarding the "Decision-making
process" are: Does the Chief Technology Officer need to
approve all expenditures, or can they be signed-off on at
a lower level? Decision-making can either follow the
organizational chart or can be completely dispersed if the
company practices empowerment (allowing the employees the
power to make key decisions within structured guidelines).
When deciding business requirements, it's important to
analyze existing and planned organizational structures.
These categories can break down into the following key
areas:
- management model
- company organization
- vendor
- partner relationships
- customer relationships; and
- acquisition plans.
Different risk models can be associated with different
management models. One of the most common management
models is departmental, in which each department is geared
around a function (sales, research, etc.). Other models
include project-based and cost center-based.
When analyzing the management model, determine whether
you are dealing with a family-owned business, a privately
held business, or a public company with a CEO and Board of
Directors.
When identifying company organization, realize that
some organizations are divided by products (transmissions
in one division, four-wheel-drive axles in another, etc.),
whereas other organizations divide operations and
responsibilities purely on geographic terms.
When doing an analysis of vendor/partner/customer
relationships, know the contact points and whether web
presence is offered on an Internet, intranet, and/or
extranet basis. Vendors can be external (the traditional
model) or internal if each department acts as a cost
center.
Acquisition plans should always be taken into account
on any analysis. Is the company you are designing a
solution for actively seeking acquisitions (meaning you
must plan for future growth), or are they a likely
acquisition target?
Never assume a company's priorities are constant. They
can change with management teams, market shifts, etc.
During the design process, find out what the priorities
are and where interest lies.
Factors that can influence company strategies include
company priorities, projected growth and strategy,
relevant laws and regulations, the company's tolerance for
risk, and the total cost of operations.
Projected growth and growth strategy: How is expansion
accomplished (acquisition, divestiture, franchises, and so
on). Do you need to include plans for growth, or will
conditions be stagnant for a while? Are there seasonal
variables? Is there a documented goal for growth?
Relevant laws and regulations are always subject to
change and must be watched carefully. Is the company in a
high-profile position to be greatly affected by new
legislation? Does the company work with encryption? Do
local laws or international laws affect the organization?
Company's tolerance for risk - how does the company
weigh risk against profit: vulnerability against value? Do
they employ basic security devices on sites? Do they
employ physical security at the facility?
When computing the total cost of operations (TCO),
consider the value of the company's data, the IT staff's
budget, and the cost of having server access 24 hours a
day versus 8, and so on. Where does the funding come from?
Microsoft uses seven categories to group budgeted
costs:
- Hardware and Software costs
- Management costs
- Development costs
- Support costs
- Communication costs
- End-user costs, and
- Downtime costs.
When undertaking a project, you should verify that
there is a budget for any training that needs to be done
and that all relevant decision-makers agree that the
existing support staff will need that training.
The structure of IT management should weigh heavily in
the analysis of business requirements. Factors that help
understand the management structure include administration
type, funding model, outsourcing, decision-making process,
and change management.
The administration type can be either centralized,
decentralized, or hybrid. Hybrid administration has most
of the functions performed at a central location, but one
or more key contact people are on-site for handling lesser
responsibilities.
Funding and the funding model employed can be crucial
in implementing technologies. If the IT department is
being run as a profit center, then the departments it
administers are charged for the services provided.
Outsourcing is necessary when certain needs cannot be
met internally. Although outsourcing is a good way to
solve short-term issues, it can present problems down the
road when you cannot find the group who implemented a
solution because they have moved on, and the solution now
has problems.
The first change management question to ask is: is
there a structure in place or not? When changes occur,
what is the procedure followed? If there is no procedure,
chaos can result. If there is too much of a procedure, no
change will ever occur. In most situations, small
companies can change (and adapt to change) more readily
than larger companies.
Analyzing Technical Requirements
When deciding whether to implement Active Directory in
an existing or planned network, it is important to detail
the possible impact of so doing.
Access patterns need to be taken into account during an
analysis: Are all the resources centralized, or are they
dispersed? When users need to access a resource, is it
within their LAN 80% of the time, or only 20% (meaning
they cross the WAN 80% of the time)? What are the
implications of the resources being centralized versus
dispersed? What are the implications of the resource
being within the LAN 80% of the time versus 20%?
The geographic scope, as well as the owner or
organization responsible for the company, falls under
company size analysis.
When doing user and resource distribution analysis, the
main question is: Where are the users? How are they
serviced? How do they reach the resources (servers,
printers, etc.)? Do they reach them via hubs, switches,
routers, or bridges? Via modems or proxy servers?
Connectivity between sites must be factored in. What
bandwidth is employed? Are there leased lines or dial-up
connections (with or without multilink)?
Speeds employed on WANs differ by technology. The
most common technologies are modems (analog, ISDN, DSL,
and cable) and leased lines (T1, T3, E1, E3). An
analog/traditional modem requires a single phone line for
a connection and is limited to approximately 56Kbps (the
57,600bps figure often quoted is the serial port speed;
the line itself tops out below 56Kbps). ISDN (Integrated
Services Digital Network) Basic Rate Interface carries two
64Kbps B channels over a single line, which can be bonded
to reach approximately 128Kbps. DSL (Digital Subscriber
Line) uses existing copper phone lines and is available
only in certain areas: you must be within a short distance
of the central office, and speeds can reach roughly 9Mbps.
The closer you are to the central office, the faster the
speed that is possible, and distance also determines which
type of DSL (ADSL, HDSL, etc.) is available. Cable modems
work over the cable television company's coaxial plant;
the speed, which drops as more users share the segment, is
approximately 2Mbps. T1 is a dedicated line that carries
24 channels at 1.544Mbps. T3 is a dedicated line of 672
channels running at approximately 45Mbps (44.736Mbps). E1
is the European counterpart to T1; it uses 32 timeslots
and runs at 2.048Mbps. E3 is the European counterpart to
T3 and runs at approximately 34Mbps (34.368Mbps).
Connectivity can include hubs, switches, bridges,
routers. You must determine which topologies are employed
(star versus mesh, etc.).
Network roles and responsibilities can be defined as
administrative, or they can be associated with a user, a
service, or other. Administrative roles are those
predefined by the operating system with additional
responsibilities above a user. Examples include
Administrator, Backup Operator, etc.
User roles simply have the right to log on and use
network resources. Service roles run as services in the
operating system and require no user interaction; give
each service account only the rights and group memberships
the service needs, and never run a service under a Domain
Admins account.
Performance requirements questions entail: Are users
connecting only for authentication, or for the entire
session (such as with Terminal Server)? During performance
analysis, it is important to identify any bottlenecks and
create a baseline from which to judge future
modifications. When computing performance requirements,
find out the peak utilization, the type of circuits used,
requirements of applications, and so on.
Security considerations should always start with: What
are the needs of the organization, and what operating
systems does the organization support? Can everything
standardize on TCP/IP, or must NetBEUI still be carried
(it is non-routable and cannot be filtered by IP-based
firewalls), and so on? One of the most effective means of
implementing security on Windows clients is Group Policy.
When evaluating the company's technical environment,
always factor in both the existing environment and the
planned environment, and differences between the two.
The impact of going to Active Directory should be
calculated in terms of: existing systems and applications;
existing and planned upgrades and rollouts; technical
support structure; existing and planned network and
systems management; and client needs.
Active Directory Structure:
Active Directory is a database that stores information
about objects in the network-such as users, computers,
printers, and shared folders-in a central location. The
Active Directory naming scheme follows the path: forest,
tree(s), domains. Active Directory depends on DNS (Domain
Name System) for it to work. In the absence of DNS, there
is - effectively - no Active Directory. Active Directory
is created to be scalable and interoperate with other name
services.
Active Directory domain names are DNS names. Domain
controllers advertise the services they offer (LDAP,
Kerberos, global catalog) as DNS SRV records, and they
register those records themselves through dynamic DNS
update (RFC 2136), so the DNS servers hosting the Active
Directory zones must accept dynamic updates; accept only
secure updates where you can, which requires Active
Directory-integrated zones. To refer to a host in a
domain, you use a fully qualified domain name (FQDN).
It is recommended that the registered DNS name your
company already has, if it is connected to the Internet,
be used as the basis for the Active Directory root domain.
Many designs use a child of the registered name (for
example corp.example.com) so that internal host and
service records are never published in the public zone.
A forest can consist of either a single domain or
multiple domains (so, by definition, a single domain is
also a tree). A tree is a contiguous namespace, meaning
the child has the parent's name as part of its own name.
Each tree has its own identity within the forest.
Domains are partitions; that is, entities that can be
combined into trees and forests but that operate with
some autonomy. Domains contain objects and/or
organizational units (OUs). An OU is a container for
organizing objects within a domain into logical
sub-groupings. A domain is an administrative and
replication boundary: delegated administrative rights,
Group Policy, and account policies do not extend past it.
It is not a true security boundary; the forest is. Domain
controllers of every domain hold the forest's shared
schema and configuration partitions, and every domain
trusts every other, so an administrator of any one domain
can in practice compromise the rest of the forest. Any
domain whose administrators you do not fully trust belongs
in a separate forest. The Active Directory root domain
name has to be unique within the DNS namespace it works
with.
Reasons for creating OUs (organizational units)
include: to control access to resources, to apply Group
Policy objects, to delegate administration, and/or to
group common objects.
The simplest network is a single-domain network.
Reasons for creating additional domains include: to
isolate replication traffic, to retain existing NT domain
structures, to support decentralized administration, to
support international boundaries, and/or to support more
than one account policy (password, lockout, and Kerberos
policies apply per domain). Factors to consider when
deciding to create more than one domain include
replication, security, and overhead.
Objects are organized in a hierarchical structure
rather than physical location and can include:
Users
Groups
Computers
Shared resources
Security information
Active Directory key concepts to focus on are:
Objects: Object classes such as users,
groups, computers, services, printers, security policies,
etc. are a collection of object attributes.
Schema: The database structure, made up of
attribute definitions and object class definitions known
as schema objects or metadata (data about data). The
schema can be extended by adding new attributes and
classes; once a schema object is created it can be
disabled (deactivated) but never deleted. Write access to
the schema is restricted to members of the Schema Admins
group, and changes can be made only on the domain
controller holding the schema master role. Keep Schema
Admins empty except while an extension is actually being
made.
A forest is a collection of Active Directory domains.
All trees within a forest have different naming structures
but share common schema.
Trees are groupings of domains that share contiguous
namespaces and a hierarchical naming structure.
Single Domain: One domain that is the root of the first
and only tree and the root of the forest. OUs are used to
build out the structure within it; keep the OU hierarchy
shallow.
Tree with Multiple Domains: Used when implementing
different account policies in remote offices, or to limit
administrative control between different locations.
Forest with Multiple Trees: Each tree has its own
unique namespace, and all are part of the same Active
Directory. Each tree is identified by its root domain's
DNS name. The trees share a common schema, configuration
information, and Global Catalog.
Naming of objects in Active Directory is a critical
issue.
Each Active Directory object must be uniquely
identified.
Domain Name System (DNS) is required for
Active Directory. Each domain controller writes the
records it registers (the SRV and A records for its
services) to the file netlogon.dns beneath the
System32\Config folder; if dynamic update is not
available, the records in that file can be added to the
zone by hand.
Object names must follow an established naming
convention.
The following are common name formats:
LDAP Distinguished Name (DN). A DN exists for
every object in Active Directory and must be unique in
the forest; duplicates are not allowed.
LDAP Relative Distinguished Name (RDN). An RDN need
only be unique within its parent container; the same RDN
can appear in different OUs.
User Principal Name (UPN). The logon-friendly
user@domain form (for example jsmith@example.com).
These are often referred to as "friendly names."
LDAP functionality is a key component of Active
Directory, which uses LDAP naming standards. LDAP makes
Active Directory interoperable with other LDAP-based
directories (interoperability with BIND is a DNS matter,
covered under the DNS objectives). LDAP is a lightweight
derivative of X.500. Active Directory uses four name
types: 1) Distinguished name, 2) Relative Distinguished
name, 3) User Principal name, and 4) Canonical name.
The Distinguished name is the full path, including
containers, of the object. The Relative Distinguished
name (RDN) is the portion of the name that is unique
within its container. The User Principal name is the
user-friendly logon name. The Canonical name is the
Distinguished name written top-down
(domain.name/OU/.../object).
Windows Server 2003 supports LDAPv3, and domain
controllers accept Digest-MD5 (SASL) authentication on
LDAP binds. In a security design, also require LDAP
signing, or use LDAP over SSL/TLS, so that simple binds
and query results cannot be read or tampered with on the
wire.
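To make the four name formats concrete, here is an added example (not code from the study guide or from Microsoft) that splits a distinguished name into RDNs with RFC 2253 escaping, derives the canonical name, and reports RDN collisions within a container. The sample DNs are constructed; the UPN is a separate logon attribute and is not derived from the DN here.

```python
# Added example (not from the study guide): convert between the LDAP name
# formats Active Directory uses.  Assumes only RFC 2253 DN syntax and the
# AD convention for canonical names; the sample DNs below are constructed.

def split_dn(dn):
    """Split a DN into its RDNs, honouring backslash escapes and quoted
    values, so that 'CN=Smith\\, Robert' remains a single RDN."""
    rdns, buf, escaped, quoted = [], [], False, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            quoted = not quoted
        elif ch == "," and not quoted:
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return rdns


def unescape(value):
    """Remove RFC 2253 backslash escapes from an attribute value."""
    out, escaped = [], False
    for ch in value:
        if escaped:
            out.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        else:
            out.append(ch)
    return "".join(out)


def rdn_parts(rdn):
    """Return (attribute type, unescaped value) for 'type=value'."""
    attr, value = rdn.split("=", 1)
    return attr.strip().upper(), unescape(value)


def canonical_name(dn):
    """Canonical name: DNS domain built from the DC components, then the
    container path top-down, then the leaf, separated by slashes."""
    parts = [rdn_parts(r) for r in split_dn(dn)]
    domain = ".".join(v for a, v in parts if a == "DC")
    path = [v for a, v in parts if a != "DC"]
    return "/".join([domain] + list(reversed(path)))


def find_rdn_collisions(dns):
    """Return the DNs whose RDN duplicates an earlier object in the same
    parent container.  Equal RDNs under different OUs are legal and are
    not reported."""
    seen, collisions = set(), []
    for dn in dns:
        rdns = split_dn(dn)
        key = (",".join(rdns[1:]).lower(), rdns[0].lower())
        if key in seen:
            collisions.append(dn)
        seen.add(key)
    return collisions


# Constructed sample objects.
SAMPLE_DNS = [
    "CN=Jane Smith,OU=Sales,OU=Users,DC=corp,DC=example,DC=com",
    "CN=Jane Smith,OU=Finance,OU=Users,DC=corp,DC=example,DC=com",  # legal
    "CN=Jane Smith,OU=Sales,OU=Users,DC=corp,DC=example,DC=com",    # duplicate
    "CN=Smith\\, Robert,OU=Sales,OU=Users,DC=corp,DC=example,DC=com",
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(canonical_name(dn))
    print("collisions:", find_rdn_collisions(SAMPLE_DNS))
```

The escaped comma in the last sample is the case naive `split(",")` code gets wrong; the same parsing rule applies when you build DNs for LDAP queries from user-supplied input, where an unescaped comma or equals sign changes which object is addressed.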
Sites
A site is a group of subnets and domain controllers
connected by a reliable, high-speed link; sites partition
the physical topology of Active Directory into logical
groups. A site is defined as a set of one or more IP
subnets. Sites control how replication is scheduled, which
domain controller a client logs on to (clients prefer a
domain controller in their own site), and the ordering of
DFS referrals.
Active Directory Sites
- Domain controllers are added to the automatically
created Default-First-Site-Name site until other sites and
subnets are defined.
- Intersite replication occurs between two or more sites
over manually created site links, on a replication
schedule.
- To minimize network traffic, data is compressed to
roughly 10-15% of its volume before intersite replication
is transmitted.
- Active Directory domains are defined by the network's
logical structure.
- Sites are based on the network's physical structure.
- A site can include all of the Active Directory domain
controllers, some of them, or domain controllers from
different Active Directory domains.
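The two pieces of the design above, the subnet-to-site table and the SRV records each domain controller registers, are what a client combines to find a nearby domain controller. The following added example (not code from the study guide or from Microsoft) models that locator: it maps a client address to a site by longest-prefix match, then chooses a domain controller from the site-specific SRV records using the RFC 2782 priority/weight rule, falling back to the domain-wide records when the site has none. Subnets, site names, domain controller names and the record lines are constructed.

```python
# Added example (not from the study guide): how a client picks a domain
# controller from the site/subnet table and the SRV records a DC registers.
# Subnets, site names, DC names and the record lines are all constructed;
# the selection rule for SRV records follows RFC 2782.
import ipaddress
import random

# Site/subnet objects, as defined in Active Directory Sites and Services.
SUBNETS = {
    "10.1.0.0/16": "Chicago",
    "10.1.200.0/24": "Chicago-Lab",   # more specific subnet inside the /16
    "10.2.0.0/16": "London",
}

# Lines in the format netlogon.dns uses:
# <owner> <ttl> IN SRV <priority> <weight> <port> <target>
NETLOGON_DNS = """\
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc2.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc3.corp.example.com.
_ldap._tcp.Chicago._sites.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.Chicago._sites.dc._msdcs.corp.example.com. 600 IN SRV 10 100 389 dc2.corp.example.com.
_ldap._tcp.London._sites.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc3.corp.example.com.
"""


def site_for_ip(ip, subnets=SUBNETS):
    """Longest-prefix match of the client address against the subnet
    objects; None when no subnet covers it (the client is then 'siteless'
    and may end up authenticating across the WAN)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def parse_srv(text):
    """Index SRV records by owner name -> [(priority, weight, port, target)]."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[2:4] != ["IN", "SRV"]:
            continue
        rec = (int(parts[4]), int(parts[5]), int(parts[6]), parts[7])
        records.setdefault(parts[0].lower(), []).append(rec)
    return records


def pick_srv(candidates, rng):
    """RFC 2782: lowest priority wins; ties are broken by weighted random
    choice.  (Simplification: weight-0 records are chosen only when every
    weight in the group is 0.)"""
    lowest = min(c[0] for c in candidates)
    group = [c for c in candidates if c[0] == lowest]
    total = sum(c[1] for c in group)
    if total == 0:
        return rng.choice(group)
    roll = rng.randrange(total)
    for cand in group:
        roll -= cand[1]
        if roll < 0:
            return cand
    return group[-1]


def locate_dc(client_ip, domain, records, rng=None):
    """Site-specific record first, domain-wide record as fallback.
    Returns (site used or None, chosen DC target).  Real DCs also register
    for nearby sites that have no DC ('automatic site coverage'), which
    this model omits."""
    rng = rng or random.Random(0)
    site = site_for_ip(client_ip)
    if site is not None:
        owner = f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}.".lower()
        if owner in records:
            return site, pick_srv(records[owner], rng)[3]
    owner = f"_ldap._tcp.dc._msdcs.{domain}.".lower()
    return None, pick_srv(records[owner], rng)[3]


if __name__ == "__main__":
    srv = parse_srv(NETLOGON_DNS)
    for ip in ("10.1.3.4", "10.2.0.9", "10.1.200.7", "192.168.1.1"):
        print(ip, "->", locate_dc(ip, "corp.example.com", srv))
```

The Chicago-Lab case is the one to watch for in a design review: a subnet object with no domain controller of its own, and no DC covering it, sends those clients to any DC in the domain, possibly across a slow link. The priority 10 on dc2 shows how a DC can be registered in a site yet used only when the preferred DC is down.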
DNS:
DNS is a server service consisting of a hierarchical,
distributed database with built-in redundancy and caching
capabilities. DNS translates domain names into IP
addresses. When a DNS server cannot answer a query from
its own zones or its cache, it either forwards the query
to a configured forwarder or resolves it itself, starting
from the root servers (its root hints) and following
referrals down to the server that is authoritative for
the zone. DNS queries can be either recursive or
iterative.
DNS is installed as a service within Windows Server
2003 through the use of wizards. If you install Active
Directory (via the Active Directory Installation Wizard,
dcpromo) and the wizard cannot find a DNS server that
supports SRV records and dynamic update, it offers to
install and configure the DNS service for you. DNS
management can be performed with the DNS Manager snap-in.
DNS monitoring can be done with the Performance tool on
counters such as Caching Memory, IXFR Counters, TCP/IP,
and Zone Transfer. DNS uses resource records to perform
translations. Resource records are entries in the zone
database; each resource record identifies a particular
resource within the zone.
FSMOs:
Special roles can be assigned to domain controllers to
act as single master roles. A single master role is not
permitted to be held by more than one domain controller
at a time within its scope.
There are five FSMO (Flexible Single Master Operations)
roles:
1. PDC (Primary Domain Controller) emulator - used for
backward compatibility, password-change forwarding, and
time synchronization
2. RID (Relative ID) Master - holds the pool of relative
IDs and hands blocks of them to the other domain
controllers
3. Infrastructure Master - updates cross-domain references
(group memberships that point at objects in other
domains) when those objects are renamed or moved
4. Domain Naming Master - controls the addition and
removal of domains in the forest; by default the first
domain controller in a forest holds it
5. Schema Master - oversees all schema operations
The domain controller holding one of these roles is known
as the role holder (operations master). Microsoft
recommends that the PDC emulator and RID master be kept
on the same domain controller, and that the Domain Naming
Master be on a Global Catalog server (a requirement at
the Windows 2000 forest functional level).
The five operations master roles perform the updates
that only one master may originate and are divided into
two categories: forestwide and domainwide.
Forestwide
Note: The Schema master and Domain naming master are
normally kept on the same domain controller.
Schema master
- Only one schema master in the forest (standby domain
controllers can be designated)
- Controls schema updates and modifications
- Failure of the schema master can go unnoticed until a
change is made to the schema
- If the schema master role is seized, the former holder
must never be brought back online; format it and
reinstall the operating system before it rejoins the
forest
Domain naming master
- Only one domain naming master in the forest (standbys
possible)
- The only server responsible for controlling the addition
or removal of domains in the forest
- Failure of the domain naming master can go unnoticed
until a domain is added to or removed from the forest
- If the domain naming master is permanently unavailable,
seize the role on another domain controller; the former
holder must then never be brought back online without
being formatted and having the operating system
reinstalled
Domainwide
Relative ID (RID) master
- Each domain has one RID master
- Responsible for allocating relative IDs, which give
security principals their unique SIDs
- The SID of every domain security principal is the domain
SID (the same for all objects in the domain) followed by
a unique relative ID; the RID master hands each domain
controller a block of RIDs to consume as it creates
users, groups, and computers
- Responsible for initiating moves of objects between
domains (MOVETREE, from the Support Tools, is the utility
used to move objects between domains)
- Failure of the RID master can go unnoticed until a
domain controller exhausts its RID pool and an
administrator can no longer create domain objects on it
- If the RID master role is seized, the former holder must
not be brought back online without being formatted and
reinstalled (two live RID masters could issue duplicate
SIDs)
Primary Domain Controller (PDC) emulator
- Each domain has only one PDC emulator
- Provides support for down-level client systems
- Receives preferential (immediate) replication of
password changes
- If a logon fails with a bad password at any domain
controller, that domain controller retries the
authentication at the PDC emulator before rejecting it,
in case the password was recently changed
- Acts as a Windows NT PDC, providing updates to any
Windows NT BDCs during a migration to Active Directory
- Failure of the PDC emulator can immediately affect
network users
- If the PDC emulator role is seized, the former holder
can be brought back online and the role transferred back
to it
Infrastructure master
- Each domain has only one infrastructure master
- Updates references to users or groups from other
domains (for example, cross-domain group members) when
those objects are renamed or moved
- If placed on a Global Catalog server in a multi-domain
forest, the infrastructure master cannot do its job: the
GC already holds current copies of every object, so the
out-of-date references are never detected and the
corrections are never replicated to the other domain
controllers. Keep the Infrastructure master off global
catalog servers unless every domain controller in the
domain is a GC (then the role has nothing to do)
- Failure of the infrastructure master can go unnoticed
unless a number of cross-domain changes have been made
- If the infrastructure master role is seized, the former
holder can be brought back online and the role returned
to it
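The RID master failure mode described above is easy to misjudge because it is silent. This added example (not code from the study guide or from Microsoft) models RID pool hand-out and SID construction so the window can be seen: a domain controller keeps creating principals from its local pool after the RID master dies and fails only when the pool is empty. The domain SID and domain controller names are constructed; 500 is the default RID block size on Windows domain controllers.

```python
# Added example (not from the study guide): a model of how the RID master
# hands RID pools to domain controllers and how each new security principal
# gets its SID.  The domain SID and DC names are constructed; 500 is the
# default RID block size on Windows domain controllers.

DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"   # constructed
RID_BLOCK_SIZE = 500
FIRST_ALLOCATABLE_RID = 1000      # RIDs below 1000 are reserved
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 519: "Enterprise Admins"}


class RidMaster:
    """The one DC per domain that may hand out RID pools."""

    def __init__(self, next_rid=FIRST_ALLOCATABLE_RID):
        self.next_rid = next_rid
        self.online = True

    def allocate_pool(self):
        if not self.online:
            raise RuntimeError("RID master unreachable: cannot issue a new pool")
        start = self.next_rid
        self.next_rid += RID_BLOCK_SIZE
        return (start, self.next_rid - 1)   # inclusive range


class DomainController:
    """Any DC in the domain; consumes RIDs from its local pool and asks the
    RID master for another block only when the pool is used up.  (Real DCs
    ask for the next block while some RIDs remain, which lengthens the
    window in which a dead RID master goes unnoticed.)"""

    def __init__(self, name, rid_master):
        self.name = name
        self.rid_master = rid_master
        self.pool = None

    def create_principal(self):
        """Return the SID assigned to a new user, group or computer."""
        if self.pool is None or self.pool[0] > self.pool[1]:
            self.pool = self.rid_master.allocate_pool()
        rid = self.pool[0]
        self.pool = (rid + 1, self.pool[1])
        return f"{DOMAIN_SID}-{rid}"


def rid_of(sid):
    """The last sub-authority of a SID is the RID."""
    return int(sid.rsplit("-", 1)[1])


def describe(sid):
    return WELL_KNOWN_RIDS.get(rid_of(sid), "ordinary principal")


def creations_until_failure(used_before_outage):
    """How many principals a DC can still create after the RID master dies,
    given how many it had already consumed from its current pool."""
    master = RidMaster()
    dc = DomainController("DC1", master)
    for _ in range(used_before_outage):
        dc.create_principal()
    master.online = False
    created = 0
    try:
        while True:
            dc.create_principal()
            created += 1
    except RuntimeError:
        return created


if __name__ == "__main__":
    master = RidMaster()
    dc1, dc2 = DomainController("DC1", master), DomainController("DC2", master)
    print(dc1.create_principal(), dc2.create_principal())
    print("objects creatable after an outage:", creations_until_failure(10))
```

The model also shows why a seized RID master must never return: two masters starting from the same `next_rid` would hand out overlapping pools, and two principals would share a SID and therefore each other's access.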
The Domain Naming master controls additions, removals,
and some modifications of the domains in the forest and
ensures that each domain name is unique within it. The
Infrastructure master updates group-to-user references
when changes occur. It is recommended that the
Infrastructure master be placed on a domain controller
that is not a global catalog server, both so that it
works correctly in a multi-domain forest and to separate
the load of each role.
The PDC Emulator master is used for interoperability
with older clients. The RID master and PDC Emulator roles
should be placed on the same domain controller (if it is
not overloaded) or, if not, on separate operations master
domain controllers, making sure both have direct
connection objects to the standby PDC emulator and RID
master servers so that a standby is always current.
The RID (Relative ID) master issues blocks of RIDs to
domain controllers as needed (500 at a time by default;
the block size is configurable in the registry). The
Schema master controls all updates to the schema. The
Schema master and Domain Naming master are forest-wide in
nature, whereas the RID, Infrastructure, and PDC Emulator
masters are domain-based (only one holder of each is
needed in each domain).
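The placement rules scattered through this section are the kind of thing a design review should check mechanically. The following added example (not code from the study guide or from Microsoft) encodes them as a checker: exactly one holder per role in its scope, schema and domain naming masters together, domain naming master on a global catalog, infrastructure master off the global catalog unless every domain controller in the domain is one, and PDC emulator with RID master. It runs over a constructed two-domain forest whose domain controller names, domain names and GC flags are assumed.

```python
# Added example (not from the study guide): a checker for the operations
# master placement rules described above, run over a constructed two-domain
# forest.  DC names, domains and GC flags are assumed.

FOREST_ROLES = ("schema", "naming")
DOMAIN_ROLES = ("rid", "pdc", "infra")

# Constructed forest: DC4 holds the emea infrastructure master while being
# the only GC in that domain, the misplacement the text warns about.
DCS = [
    {"name": "DC1", "domain": "corp.example.com", "gc": True,
     "roles": {"schema", "naming", "pdc", "rid"}},
    {"name": "DC2", "domain": "corp.example.com", "gc": True,
     "roles": {"infra"}},
    {"name": "DC3", "domain": "emea.corp.example.com", "gc": False,
     "roles": {"pdc", "rid"}},
    {"name": "DC4", "domain": "emea.corp.example.com", "gc": True,
     "roles": {"infra"}},
]


def check_fsmo_placement(dcs, forest_level_2000=True):
    """Return a list of findings (an empty list means the placement is sound)."""
    findings = []
    by_name = {dc["name"]: dc for dc in dcs}
    domains = sorted({dc["domain"] for dc in dcs})
    single_domain = len(domains) == 1

    holders = {}                      # (scope, role) -> [DC names]
    for dc in dcs:
        for role in dc["roles"]:
            scope = "forest" if role in FOREST_ROLES else dc["domain"]
            holders.setdefault((scope, role), []).append(dc["name"])

    def held(scope, role):
        who = holders.get((scope, role), [])
        if len(who) != 1:             # a role must have exactly one holder
            findings.append(f"{scope} role {role}: expected one holder, found {who}")
            return None
        return who[0]

    schema, naming = held("forest", "schema"), held("forest", "naming")
    if schema and naming and schema != naming:
        findings.append("schema and domain naming masters are on different DCs")
    if naming and forest_level_2000 and not by_name[naming]["gc"]:
        findings.append("domain naming master is not a global catalog server")

    for domain in domains:
        members = [dc for dc in dcs if dc["domain"] == domain]
        all_gc = all(dc["gc"] for dc in members)
        rid, pdc, infra = (held(domain, r) for r in DOMAIN_ROLES)
        if infra and by_name[infra]["gc"] and not (all_gc or single_domain):
            findings.append(f"{domain}: infrastructure master {infra} is a GC "
                            "while other DCs are not; cross-domain references "
                            "will never be updated")
        if rid and pdc and rid != pdc:
            findings.append(f"{domain}: PDC emulator and RID master are on different DCs")
    return findings


def move_role(dcs, role, to_name):
    """Return a copy of the DC list with `role` transferred to DC `to_name`
    (within that DC's domain for domain roles, forest-wide otherwise)."""
    target_domain = next(dc["domain"] for dc in dcs if dc["name"] == to_name)
    moved = []
    for dc in dcs:
        roles = set(dc["roles"])
        if role in FOREST_ROLES or dc["domain"] == target_domain:
            roles.discard(role)
        if dc["name"] == to_name:
            roles.add(role)
        moved.append({**dc, "roles": roles})
    return moved


if __name__ == "__main__":
    for finding in check_fsmo_placement(DCS):
        print("FINDING:", finding)
    print("after moving infra to DC3:",
          check_fsmo_placement(move_role(DCS, "infra", "DC3")))
```

Feed it the real forest by filling `DCS` from `netdom query fsmo` and the GC flag of each NTDS Settings object; the single-domain exemption is there because in a one-domain forest the infrastructure master has no cross-domain references to fix.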
Active Directory Infrastructure:
LDAP is the main access protocol for Active Directory.
LDAP is an Internet standard used to exchange information
between applications and directories.
Replication: automatic updates of Active Directory
between domain controllers. The Knowledge Consistency
Checker (KCC) generates the replication topology within a
site and, acting as the Inter-Site Topology Generator,
between sites; it runs automatically on each domain
controller. REPLMON (Replication Monitor, from the Support
Tools) shows the replication topology and monitors status;
it can also be used to force replication or a KCC
recalculation, as can repadmin from the command line.
Replication
Within a site, a domain controller notifies its
replication partners of a change after a short delay (15
seconds on Windows Server 2003, 5 minutes on Windows 2000)
and the partners pull the change; between sites,
replication follows the site link schedule, which defaults
to every 180 minutes. Replication can be forced through
Active Directory Sites and Services: expand the domain
controller under Sites\Default-First-Site-Name\Servers,
select NTDS Settings, right-click the connection object
and select Replicate Now. Compression is used only when
replication is between sites. Active Directory employs
multimaster replication, keeping all domain controllers as
peers.
Active Directory Connector (ADC) is used for replication
between an Exchange 5.5 directory and Active Directory.
Active Directory Replication
- Changes made to Active Directory need to be propagated
to all domain controllers
- Uses a multiple-master replication model in which all
domain controllers are equal
Intrasite Replication
- Automatic replication between domain controllers in the
same site
- Uses Remote Procedure Calls (RPC) over IP for change
notification and for the replication traffic itself; the
data sent within a site is uncompressed
- Replication latency is the delay between when a change
is made on one domain controller and when it has been
replicated to the other domain controllers
- Replication convergence is reached when replication has
taken place, all domain controllers are up to date, and no
new changes remain to be sent
Replication Monitor (replmon.exe) can be used to show
the Active Directory replication topology. It can also be
used for troubleshooting replication and seeing when the
last successful replication took place.
Event Viewer is the primary tool used for
viewing log files. In addition to the three log files that
have always existed (Application, System - which contains
information about services and drivers that fail to start
- and Security), there are now log files for: Directory
Services, File Replication Service, and DNS, if those
services are in use.
WINS:
WINS continues to persist in Windows Server 2003, with
no real change in operation from Windows
2000. WINS (Windows Internet Naming Service) is
responsible for resolving NetBIOS names to IP addresses.
When a WINS client boots up it announces itself to the
WINS server. The WINS server stores the name and IP of the
client in the database to hand out on future requests.
This enables you to connect to a server named Appserver by
name instead of having to remember Appserver's IP address.
The WINS database is dynamic.
WINS servers are required to have static IP addresses.
Name Resolution Nodes
B-Node (broadcast) - uses broadcasts to resolve names (not
recommended for larger networks, and mostly used by older
clients)
P-Node (peer to peer) - uses WINS only, no broadcasts. No
WINS server, no resolution. This is the mode typically
used by newer clients
M-Node (mixed) - Broadcast first, then WINS (this is not
recommended as you want to attempt to minimize
broadcasts).
H-Node (hybrid) - uses WINS first, then broadcast (this
is recommended as it cuts down broadcasts by trying WINS
first but will resort to broadcast as a last resort).
The LMhosts file is a text file that you can manually
update that holds NetBIOS name and IP combinations.
WINS Replication - You should have multiple WINS
servers for fault tolerance. These servers can be set up
to replicate the data to each other. WINS replicates
changes only (data is replicated at the record level using
an incremental version ID) instead of the whole database.
Persistent connections between WINS servers increase
replication efficiency by not needing to establish
temporary connections for every update.
Push Partner - WINS will replicate after a certain number
of changes to the database.
Pull Partner - WINS will replicate at a certain time
period regardless of the number of changes.
Push/Pull Partner - WINS will replicate at a certain
number of changes or at a specified time interval
regardless of the number of changes.
For automatic configuration, every WINS server
announces its presence with broadcasts. If one is found
without a push/pull partner, it gets added into the
replication list of an existing server. For manual
configuration, choose the New Replication Partner option
from the Replication Partners node of the server.
While WINS replication occurs on a regular basis, it
can be forced at any time by right-clicking a partner and
sending an immediate trigger to the partner. WINS-R
records can be used in DNS to configure reverse lookups
for WINS resolution.
Tombstoned WINS records are not immediately removed,
but instead are flagged for later deletion (via an
extinction interval) and replicated. Even manually
tombstoned WINS records remain in the database until a
scavenge operation is undertaken.
DHCP:
DHCP (Dynamic Host Configuration Protocol) allows you
to dynamically distribute IP addresses and all associated
configuration data through an open standard. DHCP clients
are given leases to define the amount of time their
address information is valid. Every client automatically
attempts to extend the lease when half the time of the
lease has expired. If it fails, it keeps trying for the
duration of the lease.
DHCP does not only issue addresses from the address
pool/scope, but also issues lease information and other IP
configuration data (default gateway, subnet mask, etc.).
DHCP is installed as a service on Windows Server 2003
through the use of wizards that follow the networking
services subcomponent of the Add/Remove Programs applet.
A scope is a range of IP addresses that can be
issued to DHCP clients on a single subnet by the DHCP
server. Only one scope can be created for each subnet, and
a single DHCP server can manage several scopes.
Automatic Private IP Addressing (APIPA) is used if
TCP/IP values are not manually entered, and no DHCP server
is found. This assigns values in the 169.254.x.x range
with a subnet of 255.255.0.0. Turning this feature off
requires editing the Registry.
Routing and Remote Access:
RRAS routing is installed/configured through the RRAS
MMC snap-in by right-clicking on the server and choosing
Configure and Enable Routing and Remote Access on the
popup menu. This starts the RRAS Setup Wizard.
The three types of remote access permissions available
to a user are:
Allow access
Deny access
Control access through Remote Access Policy
When a user dials in, you can choose to verify
caller-ID, assign a static IP address to the connection,
and/or apply static routes.
RRAS includes support for RIP for IPX and SAP for IPX.
RRAS supports the following protocols: AppleTalk, IPX,
NetBEUI, and TCP/IP.
An individual host can have its data packet sent in one
of the following three ways:
- By looking at the default gateway address in the IP
configuration
- By using Internet Control Message Protocol (ICMP)
redirects to find a route to a destination host
- By listening to traffic between routers utilizing RIP
(Routing Information Protocol) or Open Shortest Path
First (OSPF)-known as dynamic routing.
Monitoring remote access is done through counters in
the Performance utility; the RRAS MMC console can be used
to configure incoming connections and other features.
Remote Access Dial-in Profiles allow you to define the
following:
Dial-in Constraints
IP Address Assignment Policy
Multilink (aggregation of multiple analog
phone lines through multiple modems for greater bandwidth)
Authentication
Encryption (No Encryption, Basic or Strong)
Remote Access Dial-in Profiles can be configured and
govern security in much the same way group policies do.
A remote access policy defines actions that can
be undertaken for a user or group of users who connect
remotely. They can employ specific authentication and
encryption methods.
IAS (Internet Authentication Service) can be used to
enforce (through policies) issues such as: RADIUS clients
allowed, incoming phone numbers to accept, the type of
media used to establish the connection, user membership in
security groups, and the time of allowed access (day,
hour, etc.). With RADIUS, all authentication requests
heard by a server are sent to a RADIUS server for
approval/denial. RADIUS is an open standard.
IAS is used for centralized administration and to
enforce access policies. It works with PAP, CHAP, MS-CHAP,
and EAP. IAS is useful for centralized auditing, scaling
systems for growing demand, monitoring usage remotely, and
working with a graphical interface through an MMC snap-in.
Remote Access Authentication Protocols:
CHAP (Challenge Handshake Authentication Protocol)
- uses the industry-standard MD5 one-way hash to protect
the response, so the password itself is never sent. Highly
Secure.
EAP (Extensible Authentication Protocol) - Client
and server negotiate the Authentication method to include
MD5 username and password encryption, smart-cards, token
cards, retina or fingerprint scanners and other third
party authentication technologies.
MS-CHAP (Microsoft Challenge Handshake
Authentication Protocol)- 1-way encrypted password.
This is enabled by default on a Windows Server 2003
running RAS. Highly Secure. This differs from CHAP in
that client communication must be between two Microsoft
operating systems.
MS-CHAP v2 (Microsoft Challenge Handshake
Authentication Protocol v2) - Strong encryption.
Windows clients use this by default for dialup networking
(also known as DUN). Windows 2000, NT4 and Win98 clients
use this by default for VPN. Highly Secure. Version 2
differs from version 1 primarily in that two-way (mutual)
authentication is implemented in version 2.
PAP (Password Authentication Protocol) - uses clear
text passwords. Provides little security.
SPAP (Shiva Password Authentication Protocol) -
more secure than PAP; it is used to connect to a Shiva
LANRover. Medium Security.
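The difference between PAP and the challenge/response protocols above comes down to what crosses the link. The following Python block is an added illustration, not part of these notes or of any Microsoft component: it runs the three-way CHAP exchange as RFC 1994 defines it (Response = MD5(Identifier || secret || Challenge)) with both the client and the server side, and contrasts it with what PAP sends. The shared secret and usernames are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the demonstration (not a real credential).
# In CHAP both peers hold a copy; it is never transmitted.
SHARED_SECRET = b"example-chap-secret"


def chap_challenge(length: int = 16) -> bytes:
    """Authenticator (server) side: a fresh, unpredictable challenge per attempt.
    A repeated or guessable challenge would let an old response be reused."""
    return secrets.token_bytes(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer (client) side, per RFC 1994 section 4.1:
    Response = MD5(Identifier || secret || Challenge).
    Only this 16-byte digest is sent; the secret itself never leaves the client."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes,
                response: bytes) -> bool:
    """Authenticator side: recompute the digest with its own copy of the secret
    and compare in constant time (a plain == would leak timing information)."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(client_secret: bytes, server_secret: bytes = SHARED_SECRET,
                  identifier: int = 1) -> dict:
    """Run one CHAP exchange and return what crossed the link plus the verdict.
    Compare with pap_exchange(): here neither secret appears on the wire."""
    challenge = chap_challenge()                                      # 1. Challenge (server -> client)
    response = chap_response(identifier, client_secret, challenge)   # 2. Response  (client -> server)
    ok = chap_verify(identifier, server_secret, challenge, response)  # 3. Success / Failure
    return {"identifier": identifier, "challenge": challenge,
            "response": response, "success": ok}


def pap_exchange(username: str, password: str) -> dict:
    """What PAP puts on the wire: the credential itself, in clear text."""
    return {"username": username, "password": password}


if __name__ == "__main__":
    good = chap_exchange(SHARED_SECRET)
    bad = chap_exchange(b"wrong-secret")
    print("CHAP, correct secret :", good["success"])
    print("CHAP, wrong secret   :", bad["success"])
    print("CHAP on the wire     :", good["challenge"].hex(), good["response"].hex())
    print("PAP on the wire      :", pap_exchange("alice", "sample-password"))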
A virtual private network (VPN) is an extension of the
physical network. Rather than restricting the network to
local cabling, it uses a public network (i.e. the
Internet) as a segment backbone.
Windows Server 2003 uses two main encryption protocols
with VPNs (virtual private networks): MPPE is used with
PPTP, and IPSec, an open protocol suite that relies on
L2TP, is used to encrypt user names, passwords, and data.
Connections are configured to use MPPE (running with PPTP)
or IPSec (running with L2TP) through the Network and
Dial-up Connections applet.
PPPoE (Point to Point Protocol over Ethernet) support
is built into Windows Server 2003, as is an integrated
firewall, 802.1x (wireless security) and IPv6 support.
Demand-dial routing (also known as
dial-on-demand routing) is used to send packets across
a dial-up link between two routers that have Routing and
Remote Access Services (RRAS) installed. The connection
can be made through a modem, ISDN line, or direct
(serial/parallel) connection.
Demand-dial security allows the administrator to add
features such as authentication, encryption, callback,
caller ID, etc.
Static routing uses a routing table that does not
change. It is configured by the administrator and must be
manually updated, as needed. The route command is
used to configure static routes and for troubleshooting.
The route -p command lists all the routes the
computer knows about.
Dynamic routing can use either distance-vector routing
protocols or link-state routing protocols. Link-state
routing protocols differ from distance-vector protocols in
that they send information only about routes that have
changed via link-state advertisements (also known as
flooding). With link-state routing protocols,
knowledge is obtained first hand, not passed on through
other routers.
RIP is a distance-vector protocol using hop count as
the metric for measuring the number of routers that must
be crossed to reach a network. The maximum number of hops
in a path is 15. RIPv2 can use multicasting of routing
tables and supports variable-length subnet masks.
OSPF is a link state routing protocol that uses link
state advertisements (LSAs) to communicate. OSPF has more
features and functionality than RIP and is considered
"loop-free," with a maximum metric limit of 65,535.
Network Infrastructure:
NAT interfaces define connection properties for network
address translation. They define what constitutes the
internal network and what constitutes the external
network. NAT translates between two different networks,
allowing you to have a private scope internally and still
communicate with the Internet. Windows Server 2003
includes the following NAT editors: FTP, ICMP, and PPTP.
Internet Connection Sharing (ICS) is a service that
allows you to provide automated demand-dial capabilities
on a small network, such as a home office. This can be
used for any number of processes, including DNS Proxy,
DHCP, and NAT.
Network Monitor is a subset of the fuller
version in SMS. It can be used to capture real-time
activity, to create filters, and to view and save data to
a file.
System Monitor is an ActiveX tool that can
graphically display performance of various real-time
statistics. Within it, the workstation is divided into a
number of different objects, and each object is divided
into one or more counters. System Monitor appears on the
Performance tool (Start - Programs - Administrative Tools
- Performance) and it is the primary performance tool for
the system. Performance Logs and Alerts enables you to
record data to create and compare with a baseline (to get
a long-term look at how the system is operating) or send
administrative alerts when thresholds are reached.
Optimal performance from a system is what you are
always striving for. Optimal performance is attained when
a system is running (processing, responding, and so on) as
fast as it possibly can, given the resources available to
it.
Group Policy:
RSoP (Resultant Set of Policy) is a new tool included
with Windows Server 2003 that shows how permissions and
policies overlap. It takes inheritance and other
factors into account and shows the resulting policy that
applies to the user or computer in an Active Directory
tree. Gpresult is a command-line utility that can
perform the same function as RSoP.
Windows Server 2003 includes GPUPDATE - a new
utility that replaces SECEDIT switches for group policy
updates. SECEDIT still exists in 2003, but it is now used
only for applying changes and reporting on them.
Group Policy
Group Policy is a component of Active Directory used to
restrict users and enforce limitations. Operating systems
prior to Windows 2000 must utilize system policies,
created with the POLEDIT utility.
- Reduces Total Cost of Ownership (TCO)
- Implemented through Group Policy Objects (GPOs) and
applied to User and Computer Configurations
- Three possible settings for policies: Not Configured,
Enabled, and Disabled
Group Policies can be used to assign and publish
software. Assigning software causes the software to be
installed regardless of whether it is used. Published
software is available to the users/machines, but it is not
installed automatically. Software can be assigned to a
user or computer, but published only to users (not
computers).
Disk quotas can be assigned via group policies to
restrict how much space a user is allowed to have in
specific folders.
Group policies are implemented by Site, Domain, and
then Organizational Unit (OU).
Creating and Modifying Group Policies
- Group policy settings are refreshed throughout
the network, on average every 90 minutes
- Domain controllers refresh on average every 5
minutes
- The refresh interval for domain controllers can be
modified through Group Policy settings
- When deleting a GPO, any links are
automatically dropped without warning
- Filtering GPOs allows Group Policies to be
applied to individual users rather than all users and
computers in an OU
TCP/IP:
TCP/IP addresses can be assigned manually to each host,
or leased to them through the use of a DHCP server. The
addresses must be unique within the realm the host
communicates. If the host only communicates locally, then
the address need only be unique locally; if it directly
communicates across the Internet, then the address must be
unique within the world.
The first octet identifies the class of network, with
the following being valid entries:
First octet   Class
1 - 126       Class A
128 - 191     Class B
192 - 223     Class C
224 - 239     Class D (multicast)
Addresses cannot consist of all zeros or all ones, and
the entire 127.x.x.x network is reserved because 127.0.0.1
is set aside as the "loopback" address.
To configure TCP/IP on a host, you need only three
values: IP address, subnet mask, and default gateway. The
default gateway is the IP address of the router to which
all data not intended for this network should be sent.
A subnet mask divides the total number of hosts
available for one network into a smaller number available
for a number of networks. The subnet mask value is based
upon the class of network you have. Default values by
class, and the maximum number of hosts are:
Class   Default Subnet Mask   Total number of hosts per network
A       255.0.0.0             > 16 million
B       255.255.0.0           > 65,000
C       255.255.255.0         254
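The classful rules above (first-octet class, default mask, the all-zeros and all-ones host addresses that cannot be assigned, the reserved 127 network, and the APIPA range from the DHCP section) are easy to apply by hand once, and easy to get wrong when auditing a list of addresses. The following Python block is an added example, not part of these notes, that encodes those rules using only the standard library's ipaddress module; it goes a little beyond the page by also flagging the network and broadcast address of a subnet under the default mask. The addresses in the usage section are constructed sample values.

```python
import ipaddress

# Classful ranges exactly as the table above gives them:
# (first octet low, first octet high, class, default subnet mask).
CLASSFUL = (
    (1, 126, "A", "255.0.0.0"),
    (128, 191, "B", "255.255.0.0"),
    (192, 223, "C", "255.255.255.0"),
    (224, 239, "D", None),          # multicast: no host mask
)
# APIPA range and mask as stated in the DHCP section.
APIPA = ipaddress.IPv4Network("169.254.0.0/16")


def address_class(addr: str):
    """Return (class letter, default mask) from the first octet, or (None, None)
    for the 0.x, 127.x and 240+ ranges the classful table does not cover."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    for lo, hi, cls, mask in CLASSFUL:
        if lo <= first <= hi:
            return cls, mask
    return None, None


def usable_hosts(mask: str) -> int:
    """Hosts per network under `mask`, minus the all-zeros (network) and
    all-ones (broadcast) host addresses that cannot be assigned."""
    prefix = ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
    return 2 ** (32 - prefix) - 2


def host_address_valid(addr: str, mask: str) -> bool:
    """True if the host portion of `addr` under `mask` is neither all zeros
    nor all ones."""
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    ip = ipaddress.IPv4Address(addr)
    return ip != net.network_address and ip != net.broadcast_address


def describe(addr: str) -> dict:
    """Classify one address: class, default mask, usable hosts per network, and a
    note when the address is not an ordinary assignable host address."""
    ip = ipaddress.IPv4Address(addr)
    cls, mask = address_class(addr)
    out = {"address": addr, "class": cls, "default_mask": mask,
           "usable_hosts": usable_hosts(mask) if mask else None, "note": None}
    if ip.is_loopback:
        out["note"] = "loopback: entire 127.x.x.x network is reserved"
    elif ip in APIPA:
        out["note"] = "APIPA: self-assigned because no DHCP server answered"
    elif cls == "D":
        out["note"] = "multicast group address, not a host address"
    elif mask and not host_address_valid(addr, mask):
        out["note"] = "network or broadcast address under the default mask"
    return out


if __name__ == "__main__":
    # Constructed sample input covering each rule in the notes.
    for sample in ("10.0.0.1", "172.16.5.9", "192.168.1.20", "192.168.1.255",
                   "169.254.7.8", "127.0.0.1", "224.0.0.9"):
        d = describe(sample)
        print(f"{d['address']:15} class {d['class'] or '-'}  mask {d['default_mask'] or '-':15} "
              f"hosts {d['usable_hosts'] or '-':>9}  {d['note'] or ''}")
```

Running the block prints one line per sample address; the host counts it computes (16,777,214; 65,534; 254) are the exact values behind the "> 16 million", "> 65,000" and "254" entries in the table.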