Only after you have a thorough understanding of the technology and the architecture are you in a position to determine the benefits of the technology for the enterprise. Granted, you may have heard how wonderful Active Directory is, but you have probably heard rumors that it is "overkill for a small company." How do you know whether that statement is invalid until you fully understand how Active Directory works and what it can do for your company, no matter what the size? Just because Active Directory can hold a billion objects does not mean that it should not hold only a hundred. Understanding the various services that play domain roles is also important. Official documentation, for example, refers to three roles a server can play. The server can be any of the following, and understanding the differences between them is important:
♦ A Windows 2003 server can be a standalone server, which means that it is not joined to any domain and stands alone in its own workspace. Understanding how this server interacts with or participates on the network provides you with the information that you need to assess needs and cater to them with the establishment of standalone servers. A standalone server, for example, is an ideal bastion, and it can be used as a firewall or proxy server without needing to be part of a domain. A certificate server, established for a public key infrastructure (PKI), is a good example of a standalone server.
Millions of Windows NT, Windows 2000, and Windows 2003 servers are on the Internet, and they are not part of any Windows domains. The machine is thus more secure as a standalone server than as a member server, because standalone servers are not given domain accounts, nor are they authenticated on the domain. They can also be print servers and such, but their resources cannot be published in Active Directory, short of mapping them to IP addresses (see Chapter 28).
Tip If you are in a hurry to install Windows Server 2003, do not try to join it to any domain or pro mote it to a domain controller. Make it a standalone server that logs into its own workgroup. / This type of setup enables you to configure it, because any domain influence or control is extended from Active Directory.
♦ Windows 2003 can be a member server, which means that it has an account in the domain. That account can be in a Windows NT domain, a Windows 2000 domain, or a Windows 2003 domain. As long as it is a member server, you can access its resources via the authentication mechanisms of Windows NT and the NTLM authentication service (see Chapter 3) or via Kerberos on a Windows 2003 network. The Windows 2003 member server can therefore play certain worthwhile roles in an NT domain.
♦ A domain controller loads the Active Directory support infrastructure. You can install a Windows 2003 domain controller whenever you are ready to begin learning about Active Directory or if you are building your test domains in the lab. You can also install a Windows 2003 domain controller server into a Windows NT domain or a Windows 2000 domain.
A good example of understanding the technology is coming to the conclusion that Windows Server 2003-DNS, Windows Server 2003-W1NS, and Windows Server 2003-DHCP are ideal role servers to install in the existing environment, whether it's Windows NT or something else . . . and then figuring out how to integrate them. In fact, this is the design technique that forms the basis of our evangelism in this book in general and in Parts II and III in particular.
We call this technique conversion by subversion. The process is straightforward, as the following steps indicate:
1. Target the service that can be overthrown.
2. Move the role server into a position where it can perform the role of the target.
3. Take over the role.
Now look at this concept more closely. Take Windows Internet Naming Service (WINS). On NT, it's a stinker, causing more headaches for every new segment that you need to roll out. Face it: It is a Band-Aid for a service that was not meant to be used the way that it is being used, and we are talking about NetBIOS.
After years of complaints from thousands of IT managers, Microsoft has rolled out a new WINS. Managed behind the Microsoft Management Console (MMC), it's a new wave for a service that is not expected to last more than a few more years.
We have zoomed in on all the WINS servers at one of our clients —19 servers to be precise. That's 19 targets to take over. After tests proved that the Windows 2003 WINS servers would work well in their new environments, we began a conversion project to take the legacy servers out one by one. Why could we deploy in this fashion? Because WINS is not for pure Windows 2003 . . . it's for Windows NT and Windows 9x clients that need to resolve NetBIOS names to IP addresses (see Part IV).
Tip Never install WINS on a domain controller if you have more than 20 or 30 users. It has a ten dency to eat up precious processor cycles needed by Active Directory. This problem is further / discussed in Chapter 17.
Was this article helpful?