Domain Controller Service Records

In order for Active Directory to function properly, the DNS servers that host the Active Directory zones must support Service Location (SRV) resource records, described in RFC 2052, A DNS RR for specifying the location of services (DNS SRV) (since obsoleted by RFC 2782, which keeps the same semantics and adds the leading underscore in service and protocol labels). In the introduction to the RFC, an SRV RR is defined as a DNS RR that specifies the location of the server(s) for a specific protocol and domain, a more general form of the MX record. As described in Table 5.2, SRV resource records map the...
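The records in question are the ones Netlogon registers so that clients can find a domain controller. The following is an added example, not code from the book: it queries the most important DC locator SRV names for a hypothetical domain and site (corp.example.com, site HQ; substitute your own) and shows the priority, weight, port and target each record carries. It assumes the DnsClient module (Windows 8 / Server 2012 or later). From a security standpoint, anyone who can write these records can steer clients to a DC of their choosing, which is the reason the zone should accept only secure dynamic updates.

```powershell
# Added example (not from the book). Assumptions: DnsClient module available,
# hypothetical domain/forest "corp.example.com" and AD site "HQ".
param(
    [string]$Domain = 'corp.example.com',   # assumption: the AD DNS domain to check
    [string]$Forest = 'corp.example.com',   # assumption: forest root zone that holds _msdcs
    [string]$Site   = 'HQ'                  # assumption: an AD site name
)

# A subset of the names Netlogon registers for every DC (the full list is in
# %SystemRoot%\System32\config\netlogon.dns on a DC).
$names = @(
    "_ldap._tcp.$Domain"                              # any DC in the domain
    "_kerberos._tcp.$Domain"                          # any KDC in the domain
    "_kpasswd._tcp.$Domain"                           # password-change service
    "_ldap._tcp.dc._msdcs.$Domain"                    # used by the DC locator
    "_kerberos._tcp.dc._msdcs.$Domain"
    "_ldap._tcp.pdc._msdcs.$Domain"                   # the PDC emulator
    "_gc._tcp.$Forest"                                # global catalog servers
    "_ldap._tcp.gc._msdcs.$Forest"
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"       # site-specific DCs
    "_kerberos._tcp.$Site._sites.dc._msdcs.$Domain"
)

function Get-DcLocatorRecords {
    param([string[]]$Names)
    foreach ($n in $Names) {
        try {
            $rrs = Resolve-DnsName -Name $n -Type SRV -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        } catch {
            Write-Warning "MISSING  $n  ($($_.Exception.Message))"
            continue
        }
        # Clients try the lowest Priority first; among equal priorities the
        # Weight biases the random choice toward higher values (RFC 2782).
        foreach ($rr in $rrs | Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }) {
            [pscustomobject]@{
                Name     = $n
                Priority = $rr.Priority
                Weight   = $rr.Weight
                Port     = $rr.Port
                Target   = $rr.NameTarget
            }
        }
    }
}

Get-DcLocatorRecords -Names $names | Format-Table -AutoSize
```

A missing `_ldap._tcp.dc._msdcs.<domain>` record is the single most common reason a DC promotion or a domain join fails, so this check is worth running before either. The same names can be queried with `nslookup -type=SRV` on Windows Server 2003, which predates `Resolve-DnsName`.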

Self Sufficient Locations

Many organizations have smaller locations around the world that have slow, high-latency, unreliable, and nonredundant WAN links to their nearest hub location. Even though these locations have poor network links, they can require high availability for the Active Directory infrastructure so that their business is not interrupted. The nature of the business conducted at the smaller locations might dictate that they require continuous access to the Active Directory infrastructure, even in the event...

Service Levels

It might be tempting to treat the placement of infrastructure components as a precise science by assigning points or a similar scoring system. However, as discussed in Chapter 1, The Assessment Stage, existing service level agreements (SLAs) might override any decisions made thus far. While all other requirements discussed thus far might dictate that a particular location should not receive any Active Directory infrastructure components, SLAs in place between the business and the IT department might dictate that...

Chapter Designing the Logical Components

Your organization has five locations connected as shown in Figure 4.35 on page 590. Analog dialup and ISDN connections are nonpersistent connections. Specify the transport for each link.
A. A-B (Transport IP), A-C (Transport IP), A-D (Transport IP), A-E (Transport SMTP)
B. A-B (Transport SMTP), A-C (Transport SMTP), A-D (Transport IP), A-E (Transport SMTP)
C. A-B (Transport SMTP), A-C (Transport SMTP), A-D (Transport IP), A-E (Transport IP)
D. A-B (Transport IP), A-C (Transport IP), A-D (Transport IP),...

Chapter Developing the Network Services Design

You have been hired to design the network services for BlueBell Corp. BlueBell is planning to implement Windows Server 2003 network services with Active Directory, migrating from its existing Novell NetWare and Unix systems. Which of the following services must you design before implementing these network services? Answer B is correct. Only DNS is an absolute requirement of Active Directory. Answer A is incorrect because, while you must use TCP/IP, you can manually assign static IP...

Internal Transitive Trusts

When users authenticate in their own domain, they receive a Ticket-Granting Ticket (TGT). That TGT is the starting point for access to resources anywhere in the local forest, or in any forest reachable through a trust. When the user requests a service in another domain, the client presents its TGT to its own KDC, which cannot issue the service ticket itself and instead returns a referral TGT for the next domain along the trust path; the client repeats this with each domain's KDC in turn until it reaches a KDC in the resource domain. That KDC issues the service ticket for the requested service. The ticket does not by itself grant access: the resource server decides whether the user is authorized by comparing the SIDs carried in the ticket against the ACL of the requested...
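The chain of referrals follows the trust paths of the forest, so its length depends on where the two domains sit in the tree. The block below is an added example, not code from the book: it models a hypothetical four-domain forest, computes the shortest chain of trusts between a user's domain and a resource domain, and prints the referral TGT each KDC hands back. It goes one step beyond the text by also showing what a shortcut trust (a direct trust between two non-adjacent domains) does to the chain; the forest and domain names are assumptions.

```powershell
# Added example (not from the book). Hypothetical forest: root corp.example.com,
# children emea/apac, grandchild uk.emea. Parent-child trusts are two-way and
# transitive, exactly as the text describes.
$parent = @{
    'corp.example.com'         = $null                    # forest root
    'emea.corp.example.com'    = 'corp.example.com'
    'apac.corp.example.com'    = 'corp.example.com'
    'uk.emea.corp.example.com' = 'emea.corp.example.com'
}

function Get-KerberosReferralPath {
    param(
        [Parameter(Mandatory)][string]$UserDomain,
        [Parameter(Mandatory)][string]$ResourceDomain,
        [Parameter(Mandatory)][hashtable]$Parent,   # child -> parent, root -> $null
        [string[]]$ShortcutTrusts = @()              # optional, written as 'domainA|domainB'
    )
    # Trust graph: every trust is an undirected edge between two domains.
    $adj = @{}
    function Add-Edge($a, $b) {
        foreach ($x in $a, $b) {
            if (-not $adj.ContainsKey($x)) { $adj[$x] = New-Object System.Collections.Generic.List[string] }
        }
        $adj[$a].Add($b); $adj[$b].Add($a)
    }
    foreach ($d in $Parent.Keys) { if ($Parent[$d]) { Add-Edge $d $Parent[$d] } }
    foreach ($s in $ShortcutTrusts) { $a, $b = $s.Split('|'); Add-Edge $a $b }

    # Breadth-first search: the fewest trusts crossed is the chain the KDCs hand out.
    $prev  = @{ $UserDomain = $null }
    $queue = New-Object System.Collections.Generic.Queue[string]
    $queue.Enqueue($UserDomain)
    while ($queue.Count -gt 0) {
        $cur = $queue.Dequeue()
        if ($cur -eq $ResourceDomain) { break }
        foreach ($n in $adj[$cur]) {
            if (-not $prev.ContainsKey($n)) { $prev[$n] = $cur; $queue.Enqueue($n) }
        }
    }
    if (-not $prev.ContainsKey($ResourceDomain)) { throw "no trust path from $UserDomain to $ResourceDomain" }

    $path = New-Object System.Collections.Generic.List[string]
    for ($d = $ResourceDomain; $d; $d = $prev[$d]) { $path.Insert(0, $d) }
    return $path.ToArray()
}

function Show-Referrals([string[]]$Path) {
    # Each KDC except the last returns a referral TGT for the next domain on the path.
    for ($i = 0; $i -lt $Path.Count - 1; $i++) {
        '  KDC in {0,-26} -> referral TGT for {1}' -f $Path[$i], $Path[$i + 1]
    }
    '  KDC in {0,-26} -> service ticket (authorization is still the resource server''s decision)' -f $Path[-1]
}

$user = 'uk.emea.corp.example.com'
$res  = 'apac.corp.example.com'

"Tree trusts only, $user to ${res}:"
Show-Referrals (Get-KerberosReferralPath -UserDomain $user -ResourceDomain $res -Parent $parent)
# uk.emea -> emea -> corp (root) -> apac: three referrals before the service ticket

"With a shortcut trust between $user and ${res}:"
Show-Referrals (Get-KerberosReferralPath -UserDomain $user -ResourceDomain $res -Parent $parent -ShortcutTrusts "$user|$res")
# one referral: the shortcut removes the two hops through the forest root
```

Every hop in the first run is a round trip to another domain's KDC, often across a WAN link, which is why deep trees with heavy cross-domain access benefit from shortcut trusts. The same search also shows why a compromised KDC anywhere on the path matters: each referral TGT is issued under the inter-domain trust key of the domain that mints it.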

The Dedicated Root Domain

The first domain deployed into any forest is known as the root domain. While in many respects it can be viewed as just another domain, since it must adhere to naming rules and so forth, it has unique properties that no other domain in the forest has. The root domain is where the special forestwide groups live: Schema Admins and Enterprise Admins. These two groups are used to manage forestwide operations, such as the addition of domains and modifications to the schema. It is necessary, therefore, to...
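Because these two groups exist only in the root domain and control forestwide operations, their membership is worth auditing regularly. The block below is an added example, not the book's own code: it resolves the forest root, lists the members of both groups, and warns if Schema Admins is populated, since that group only needs members while a schema change is actually in progress. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and an account allowed to read group membership.

```powershell
# Added example (not from the book). Assumption: ActiveDirectory module installed
# and the caller can read group membership in the forest root domain.
Import-Module ActiveDirectory

function Get-ForestAdminGroupReport {
    $root = (Get-ADForest).RootDomain          # the only domain that holds these groups
    foreach ($g in 'Schema Admins', 'Enterprise Admins') {
        # -Recursive expands nested groups so indirect members are not missed
        $members = @(Get-ADGroupMember -Identity $g -Server $root -Recursive)
        [pscustomobject]@{
            Group   = $g
            Domain  = $root
            Count   = $members.Count
            Members = ($members | ForEach-Object { $_.SamAccountName }) -join ', '
        }
    }
}

$report = Get-ForestAdminGroupReport
$report | Format-Table -AutoSize

# Schema Admins should be empty outside a planned schema change window; every
# standing member is an account whose compromise reaches the whole forest.
$schema = $report | Where-Object Group -eq 'Schema Admins'
if ($schema.Count -gt 0) {
    Write-Warning "Schema Admins has $($schema.Count) standing member(s): $($schema.Members)"
}
```

Run the same report against each child domain with `-Server <child>` and the group lookups fail, which is the concrete form of the "unique properties" the paragraph mentions: Domain Admins in a child domain have no built-in path to forestwide operations unless someone in the root grants it.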

Identifying DNS Record Requirements

A Resource Record (RR) is to DNS what a record is to a database: the part of the DNS database structure that contains the name information for a particular host or zone. Table 5.2 aggregates the most common RR types, collected from the various RFCs that define their usage. The entries describe, for each type, what it maps: one maps a DNS domain name to a server subtype that is either an AFS version 3 volume or an authenticated name server using DCE or NCA; another maps a DNS domain name in the owner field to an...

Chapter Service Sizing and Placement

Figure 7.1 The Active Directory Sizer Interface
Figure 7.2 The Ntdsutil compact to Command
Figure 7.3 A Suggested Algorithm for Determining Domain Controller Placement
Figure 7.4 Flow Diagram Indicating when a Global Catalog Server Is Required
Figure 7.5 Enabling Universal Group Membership Caching
Figure 7.6 The Domain Naming Master FSMO Role Holder
Figure 7.7 The Schema Master FSMO Role Holder
Figure 7.8 The Password Replication Algorithm
Figure 7.9 The Primary Domain Controller Emulator FSMO...

Chapter The Physical Design

In designing the network for Chapter Five Industries, you have been given the requirement that the company will be hosting its own Web site. What is the first thing you should do to ensure that the company will be able to conduct e-commerce on the Internet? Answer C is correct. The first thing you should do is research and obtain a domain name; you want this taken care of before someone else registers the same name. Answer A is incorrect, because you can design the placement of the...

Chapter Developing the Active Directory Infrastructure Design

Your organization consists of six different business units. Each requires a certain level of independence from the other businesses within the Active Directory environment. Which of the following terms are relevant when considering the level of independence required? (Choose all that apply.) Answers A and B are correct. As discussed in the section Assessing and Designing the Administrative Model, the terms that Microsoft has introduced so that different levels of independence can be...

Primary Domain Controller Emulator

A Windows NT DC was built either as a primary domain controller (PDC) or as a backup domain controller (BDC). Each Windows NT domain has exactly one PDC and one or more BDCs. All changes to the domain are made on the PDC and then replicated to every BDC in the same domain. This model is referred to as single master, since every change, including a password change, occurs on one DC (the PDC) and cannot be made on any other DC in the domain. While Active Directory DCs perform changes...

Distributed Management

In distributed IT management, no single individual or group is ultimately responsible for all administrative tasks throughout the enterprise. Instead, different functional groups within the organization are each responsible for the IT administration of their own infrastructure. Designing and implementing a distributed management model depends heavily on the Active Directory container hierarchy, because delegation is granted on containers. A distributed management model is basically a...

Segmenting the Intranet from the Internet

Most organizations use one of two different yet similar methods of separating the internal network (intranet) from the Internet: a router on its own, or a router in conjunction with a firewall. Some routers have built-in firewall features, which avoids deploying multiple pieces of equipment; depending on how much work the router is expected to do, it might make sense to have a separate firewall to offload that work from the router. An intranet is an internal Web environment that...

Configuring and Implementing Secure Dynamic DNS

Because it is dynamic, Dynamic DNS (DDNS) is designed for ease of administration: clients register themselves and update their own records whenever they receive an IP address from Windows Server 2003 DHCP. If you administer a DNS zone, the last thing you want is unauthorized clients polluting the zone with unwanted resource records, or overwriting records that belong to other hosts. That situation adds to your frustration, not to mention the workload of cleaning the offending records out....
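Secure dynamic update is only available on Active Directory-integrated zones, because it relies on the ACL of each record object to decide who may overwrite it. The block below is an added example, not code from the book: it audits every primary zone on a DNS server for the weak "nonsecure and secure" setting, then switches a named zone to secure-only and verifies the change. It assumes the DnsServer module (Windows Server 2012 or later) and a hypothetical server dc01 hosting the zone corp.example.com; the Windows Server 2003 equivalent is the dnscmd command shown in the comment.

```powershell
# Added example (not from the book). Assumptions: DnsServer module, DNS server "dc01",
# AD-integrated zone "corp.example.com".
$Server = 'dc01'
$Zone   = 'corp.example.com'

function Get-WeakUpdateZones {
    param([string]$ComputerName)
    # Forward primary zones that still accept updates from any host (no authentication).
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsReverseLookupZone -and
                       $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
        Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
}

function Set-SecureUpdateOnly {
    param([string]$ComputerName, [string]$ZoneName)
    $z = Get-DnsServerZone -Name $ZoneName -ComputerName $ComputerName
    if (-not $z.IsDsIntegrated) {
        # Secure updates need the record ACLs that only AD storage provides.
        throw "$ZoneName is file-backed; convert it to an AD-integrated zone before enabling secure updates"
    }
    if ($z.DynamicUpdate -ne 'Secure') {
        Write-Warning "$ZoneName currently allows '$($z.DynamicUpdate)' updates; switching to Secure"
        Set-DnsServerPrimaryZone -Name $ZoneName -ComputerName $ComputerName -DynamicUpdate Secure
    }
    # Re-read the zone so the caller sees the setting the server actually holds.
    (Get-DnsServerZone -Name $ZoneName -ComputerName $ComputerName).DynamicUpdate
}

"Zones accepting unauthenticated updates on ${Server}:"
Get-WeakUpdateZones -ComputerName $Server | Format-Table -AutoSize

"Enforcing secure updates on ${Zone}:"
Set-SecureUpdateOnly -ComputerName $Server -ZoneName $Zone     # prints: Secure

# Windows Server 2003 (no DnsServer module): 2 = secure updates only
#   dnscmd dc01 /Config corp.example.com /AllowUpdate 2
```

One caveat when DHCP registers records on behalf of clients: records created by a DHCP server are owned by that server's account, so put the DHCP servers in the DnsUpdateProxy group (which leaves their records unsecured so the client can later take ownership), and avoid running DHCP on a domain controller that is in that group, because the DC's own records would then be writable by anyone.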

Memory and CPU

Microsoft has published best practices for DC memory and CPU requirements that depend on the number of users supported in the site where the DC is located. Table 7.13 summarizes the suggested minimum specifications, as found in the Windows Server 2003 Deployment Guide available at www.microsoft.com.

Table 7.13 Recommended Domain Controller CPU and Memory Requirements (users per site; CPU; Memory Required Per Domain Controller)

Experience shows that while fast processors are important when configuring DCs,...

Pre Promotion Checks

Before promoting a member server to a DC, several checks and best practices should be carried out to confirm that the server is ready and able to be promoted. These checks are described in Table 7.15. Table 7.15 Pre-Promotion Check...
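The checks a practitioner would script before running dcpromo are the ones whose failure leaves a half-promoted or unreachable DC: domain membership, DNS locator records, reachability of an existing DC on the ports promotion uses, a static address, clock skew inside the Kerberos tolerance, and disk space for the database and SYSVOL. The block below is an added example, not the book's Table 7.15: it runs those checks from the candidate server and returns one pass/fail object. It assumes Windows Server 2012 or later (DnsClient and NetTCPIP modules), a hypothetical domain corp.example.com, and that the database will live on C:; the 10 GB free-space floor is an arbitrary assumption, not a Microsoft figure.

```powershell
# Added example (not from the book). Run on the server to be promoted.
# Assumptions: Windows Server 2012+, target domain "corp.example.com", NTDS on C:.
function Test-PrePromotion {
    param([string]$Domain = 'corp.example.com', [string]$DbDrive = 'C', [long]$MinFreeBytes = 10GB)
    $r = [ordered]@{}

    # 1. Member of the target domain, with a working secure channel to a DC
    $cs = Get-CimInstance Win32_ComputerSystem
    $r['JoinedToTargetDomain'] = $cs.PartOfDomain -and ($cs.Domain -ieq $Domain)
    $r['SecureChannelOK']      = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)

    # 2. The DC locator SRV record resolves; use its best answer for the remaining tests
    $srv = Resolve-DnsName "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object Type -eq 'SRV'
    $r['DcLocatorSrvResolves'] = [bool]$srv
    $dc = ($srv | Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
           Select-Object -First 1).NameTarget
    $r['DcUsedForTests'] = $dc

    # 3. Ports promotion needs on that DC: LDAP, Kerberos, SMB (SYSVOL), RPC endpoint mapper
    foreach ($port in 389, 88, 445, 135) {
        $r["Port$port"] = [bool]($dc -and (Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet))
    }

    # 4. A DC must have a static address; any DHCP-assigned IPv4 address fails the check
    $ips = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.InterfaceAlias -notmatch 'Loopback' }
    $r['StaticIPv4Only'] = -not ($ips | Where-Object PrefixOrigin -eq 'Dhcp')

    # 5. Clock offset from the DC must stay well inside the 5-minute Kerberos tolerance
    if ($dc) {
        $line = w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>$null | Select-Object -Last 1
        if ($line -match '([-+]\d+\.\d+)s') {
            $r['ClockSkewSeconds'] = [double]$Matches[1]
            $r['ClockWithin5Min']  = [math]::Abs([double]$Matches[1]) -lt 300
        } else {
            $r['ClockWithin5Min'] = $false
        }
    }

    # 6. Free space on the volume that will hold NTDS.dit, the logs and SYSVOL
    $free = (Get-PSDrive $DbDrive).Free
    $r["FreeGB_$DbDrive"] = [math]::Round($free / 1GB, 1)
    $r['FreeSpaceOK']     = $free -gt $MinFreeBytes

    [pscustomobject]$r
}

$result = Test-PrePromotion
$result | Format-List
# Any $false above is a reason to stop before running dcpromo.
```

The DNS check deserves emphasis: promotion contacts an existing DC found through `_ldap._tcp.dc._msdcs`, so if the candidate's DNS client points at an external resolver rather than an internal DNS server hosting the zone, every later step fails with an error that looks like a network problem rather than a DNS one.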

Configuring and Implementing the Active Directory Sizer Tool

Thus far, we have focused on Active Directory implementations with 1,000 users or more. Many implementations are smaller than this, however, and for those a useful sizing tool is Microsoft's Active Directory Sizer, which can be downloaded from Microsoft's Web site. Once downloaded, simply install the software by running setup.exe.

Identifying Active Directory Sites and Subnets

In the early days of Windows NT 4.0, the Internet was barely a thought in most people's minds, and the notion of network connectivity typically extended only as far as the office LAN. As the Internet quickly grew in popularity and the need for interconnectivity between offices increased, Windows NT 4.0's original design concepts for domain functionality began to show their age. As the network began to extend its reach, network infrastructure design became more important to a properly functioning...

Chapter Name Resolution

On occasion, clients need to resolve DNS records for external resources. When this occurs, the client sends its query to its internal DNS server. That DNS server sends further queries to external DNS servers, acting on behalf of the client, and returns the answer to the client once it has obtained it. What type of query occurs when a DNS server acts as a proxy for DNS clients that have requested resource record information outside their domain? Answer A is correct....

NTLM and Kerberos

Early Microsoft networking clients used LAN Manager (LM) authentication to authenticate users for network access to resources. Windows NT 4.0 evolved from the LAN Manager network operating system, and for backward compatibility it supports both LAN Manager challenge/response and Windows NT challenge/response, the latter known as NTLM and used by more recent systems. NTLM authentication is significantly stronger than LM authentication, chiefly because the LM response is derived from a hash that upper-cases the password and splits it into two independent 7-character halves. Whether Windows...
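Because the weaker protocols are still negotiated for backward compatibility, the practical questions are which hosts still use LM or NTLMv1 and how to turn them off. The block below is an added example, not code from the book: it reads logon events from the local Security log and reports those that were authenticated with LM or NTLMv1, then applies the two registry values that the "LAN Manager authentication level" and "Do not store LAN Manager hash value" Group Policy settings write. It assumes an administrative session on a Windows host with logon auditing enabled; the event count and paths are the only assumptions.

```powershell
# Added example (not from the book). Assumptions: run elevated on a Windows host
# with logon auditing enabled; $MaxEvents is an arbitrary cap on log reads.
function Get-LegacyNtlmLogons {
    param([int]$MaxEvents = 2000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields from the event XML rather than relying on positions.
        $field = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        # LmPackageName is "-" for Kerberos, and "LM", "NTLM V1" or "NTLM V2" for NTLM logons.
        if ($field['AuthenticationPackageName'] -eq 'NTLM' -and $field['LmPackageName'] -in @('LM', 'NTLM V1')) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($field['TargetDomainName'])\$($field['TargetUserName'])"
                Workstation = $field['WorkstationName']
                SourceIP    = $field['IpAddress']
                Package     = $field['LmPackageName']
            }
        }
    }
}

"Logons still using LM or NTLMv1:"
Get-LegacyNtlmLogons | Format-Table -AutoSize

# Hardening. LmCompatibilityLevel: 0 = send LM and NTLM (the NT 4.0-era default),
# 3 = send NTLMv2 only, 5 = send NTLMv2 only and refuse LM and NTLMv1 as a server.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
# NoLMHash = 1 stops the LM hash being stored at the next password change, so
# there is nothing for the two-halves attack to recover even if the SAM is read.
Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord
Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel, NoLMHash
```

Run the audit across the domain controllers before raising the level, since a DC at level 5 refuses NTLMv1 from any client, and the report is the list of devices that will break. In a domain the registry edit belongs in Group Policy rather than on individual hosts.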