Design Principles

Your first task in developing a WINS design is to determine whether you need WINS at all. One thing that you need to test for is whether NetBIOS over TCP/IP is being used to communicate across the network. You can do this through the Performance Monitor. The following sidebar shows how to view WINS counters on a local computer. You can use Performance Monitor to connect to remote computers and monitor them as well. Once you determine whether NetBIOS naming is currently needed, your next task is...

Sizing Domain Partitions

Calculating the precise size of each Domain partition within an Active Directory forest is not a trivial task. The Domain partition size is dependent on a huge number of object types, each of which consumes a different amount of space in the database. Therefore, traditionally, there has not been a simple way to calculate the space requirements of an Active Directory database. Each object type has a number of mandatory attributes that must be assigned data and a number of additional, optional...

Self-sufficient Locations On Server Placement

Self Sufficient Locations

Many organizations have smaller locations around the world that have slow, high-latency, unreliable, and nonredundant WAN links to their nearest hub location. Even though these locations have poor network links, they can require high availability for the Active Directory infrastructure so that their business is not interrupted. The nature of the business conducted at the smaller locations might dictate that they require continuous access to the Active Directory infrastructure, even in the event...

Defragmentation of the Active Directory Database

1. Back up the system state data for fault tolerance purposes.
2. Boot or reboot the computer.
3. When prompted, press F8 during Windows Server 2003 startup.
4. Select Directory Services Restore Mode (Windows domain controllers only) in the Windows Advanced Options menu that appears, and press the Enter key.
5. Select your operating system (for example, Windows Server 2003, Enterprise) and press the Enter key.
6. You will see a number of checks performed while the system is booting and eventually...

Trusts Within a Forest

Windows Server 2003 provides trust relationship control between forests, realms, and domains. Within a single Active Directory forest, as domains are created, two-way transitive trusts are automatically created. This is the built-in internal trust relationship provided by Windows Server 2003 by default between all domains in a forest. When users authenticate in their own domain, they are provided with a Ticket-Granting Ticket (TGT). This TGT provides a mechanism for the user to access other...

Active Directory Implications

All user, group, and computer account information is stored in the Windows Server 2003 Active Directory. These user, group, and machine accounts are organized into containers called organizational units (OUs). There's no limit to the number of OUs that can exist within an individual domain. And when it comes to user, group, and machine accounts, the Windows Server 2003 Active Directory can hold over a million objects. For this reason, the Windows Server 2003 domain isn't tied to any specific...

Network Topology Definitions

Physical topology consists of the geometric components that make up the local area network (LAN) or wide area network (WAN). There are three basic physical topologies: bus, ring, and star. Whatever physical topology is used in the environment, the components of that topology are the same:

Subnets: A division of a network into an interconnected, but independent, segment, or domain, in order to improve performance and security. Because traffic is often the heaviest within a department, and Ethernet...

The Restricted Access Model

A closely related scenario to the previously described model is the Restricted Access model. In this scenario, there is a need to isolate sensitive data within the same organization, such that users can only access that data if granted explicit rights to do so. Figure 2.3 illustrates such a model. At first glance, this requirement appears to be met by the single forest model, since NTFS permissions can be used to grant and deny access to resources. However, remember that Domain Admins in any...

How Does the System Authenticate a User?

Users are authenticated in Windows Server 2003 environments by first locating a domain controller and then using the proper authentication protocol. The process is completely transparent to the user. The only thing the user has to do is provide a username and password. Basically, what's happening here is that the users are proving to the system that they are who they say they are and that they should be allowed access to the system. The computer authenticates the user, or verifies his identity,...

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed both to measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the Ask the Author form.

Q: Why do Active Directory-aware applications affect service placement designs?

A: Active Directory-aware applications often...

Design Features

Networks typically connect to the Internet, and you must consider how to handle name resolution within your network and on the Internet. Depending on your requirements, you might decide to use root hints, or a combination of forwarding and root hints. To increase DNS performance, you might decide on a Round Robin system. Security will also come into play within your DNS design. We will now drill down into features that drive DNS designs, including:

Security options within DNS
Use of forwarding...

Active Directory Hosting Its Own DNS Namespace

The next option is similar in design to the option just described, with the exception that the Active Directory namespace connects to another internal rather than an external namespace. Active Directory-integrated zones can be used for the Active Directory namespace, but in the event that the Active Directory-integrated namespace needs to replicate with a non-Active Directory namespace, standard zones must be used for replication between the Active Directory namespace and the third-party...

Identifying DNS Record Requirements

Address (A) record: Maps an FQDN to a 32-bit IP address.
IPv6 address (AAAA) record: Maps an FQDN to a 128-bit IPv6 address.
ATM address (ATMA) record: Maps a DNS domain name in the owner field to an ATM address referenced in the atm_address field.
ISDN record: Maps an FQDN to an ISDN (RFC 1183) telephone number.
KEY record: Contains a public key that is associated with a zone. In a full DNSSEC implementation (DNSSEC is defined later in this chapter), resolvers and servers use KEY resource records to authenticate SIG resource records received from signed zones. KEY resource records are signed by...

Domain Controller Sizing and Specification

We have examined how the Domain and Application Directory partitions influence the size of the Active Directory database and how to estimate the size of domain partitions based on number of users within each domain. In this section, we focus on the DCs housing this database and how they should be best configured, promoted, and placed for optimum performance and service. We begin by looking at best practices for DC hardware configuration, focusing on components such as disk, memory, and CPU....

IP Address Management and DHCP

- Know how DHCP services work in a Windows Server 2003/Windows 2000 network. Make sure you understand how IP leases are requested and granted by DHCP. Be sure to understand the lease renewal and release process. Know what happens when a client fails to renew a lease.
- Know the difference between scope properties and options and how and why they are assigned.
- Know the time frames involved with DHCP leases. Understand that the client always requests an extension or a new lease when half the...

Defining the Audit Strategy

One of the first components of an audit strategy is setting a logging level. A good audit and logging strategy is important to the proper maintenance of your network and the systems that are used on it. Before we get deeper into defining your audit strategy, we need to deal with logging. Just what you want to log will be one of the most important questions you'll ask yourself. Defining an extensive logging and auditing strategy will lower the performance of your server and of your network....

DHCP Background

Using a client/server model, a DHCP server maintains a pool of IP addresses. DHCP clients request and obtain leases for IP addresses during the boot process. DHCP is derived from the Bootstrap Protocol (BOOTP), which was a protocol typically used to allow clients to boot from the network rather than from a hard drive. Through this boot process, BOOTP assigned an IP address dynamically to the client computer. Some benefits of using a Windows Server 2003 DHCP...

Identifying Active Directory Sites and Subnets

In the early days of Windows NT 4.0, the Internet was barely a thought on most people's minds, and the notion of network connectivity typically extended only as far as the office LAN. As the Internet quickly grew in popularity and the need for interconnectivity between offices increased, Windows NT 4.0's original design concepts for domain functionality began to show its age. As the network began to extend its reach, network infrastructure designs became more important to a properly functioning...

Secure Dynamic DNS

By virtue of being dynamic, Dynamic DNS (DDNS) is designed for ease of administration. Clients register themselves and update their records whenever they receive an IP address from Windows Server 2003 DHCP. If you are the administrator of a DNS zone, the last thing you want is to have a bunch of unauthorized clients polluting the zone with unwanted resource records. This situation will add to your frustration levels, not to mention your workload, for cleaning out these DNS infidels....

Identify Zone Placement

DNS zones are used to divide the namespace and use servers to allocate resources and divide services. Namespace and zones are two sides of the same coin; they work hand in hand. As described earlier, the namespace must be designed to meet business requirements and make optimal use of technology resources such as available bandwidth within and between sites. Subdividing the namespace into zones will make it easier for DNS to manage the use of available bandwidth, which will increase...

Knowledge Consistency Checker

Running on every DC in the forest is a process known as the Knowledge Consistency Checker, or KCC. At regular intervals, the KCC evaluates the site topology and available DCs and then generates intra-site connection objects for the local DC with other DCs in the same site to ensure efficient replication of Active Directory data. The parameters used by the KCC, which are stored in the registry, are described in Microsoft KB article 271988. The KCC will attempt to construct a...

Interoperability with WINS and DHCP

DNS is a powerful, valuable service on its own. However, Microsoft has designed it so that it can be integrated with other network services to optimize the features of both DNS and these other services. WINS and DHCP are two very likely candidates for integration on a network of any size, because the integration reduces the amount of administrative effort for system administrators. Windows Server 2003 DNS enables you to support an existing WINS deployment by allowing you to configure a DNS server to...

Distributed Management

In distributed IT management, an individual or a group is not ultimately responsible for the necessary administrative tasks throughout the enterprise. In the distributed management model, different functional groups within an organization are ultimately responsible for the IT administration of their respective infrastructures. Designing and implementing a distributed management model is highly dependent on the Active Directory container hierarchy. A distributed management model is basically a...

The Organizational Model

The final multiple-forest model considered is the Organizational model. This is probably the most widely used multiforest model, especially in larger companies where multiple, independent business units exist. Figure 2.5 depicts such a scenario. As previously mentioned, within a larger organization, the smaller businesses might have different requirements and/or timescales for deploying Active Directory; therefore, a single forest design might not meet the needs of all involved parties. This...

The Default Domain Controllers Policy

Numerous user rights assignment settings are predefined in the Default Domain Controllers Policy. Figure 4.19 illustrates the predefined user rights assignment settings for the Windows Server 2003 Default Domain Controllers Policy.

Figure 4.19 Default Domain Controllers Policy User Rights Assignment

As Figure 4.19 illustrates, several options are predefined in the Default Domain Controllers Policy. The main functions provided...

Select Networking Services and click the Details button

Check the box for Dynamic Host Configuration Protocol (DHCP) and click OK.
6. You will be returned to the Add or Remove Windows Components dialog screen. Click Next.
7. The DHCP Service will require a statically applied IP address, and will prompt you to change to a static IP address if the server currently uses a DHCP address.
8. Click Start, then Administrative Tools, and select DHCP.
9. Right-click the server and select New Scope, as shown in Figure 3.20.

Figure 3.20 Creating a New Scope Is an...

File Replication System

FRS is used to replicate SYSVOL data between DCs in the same domain. Where Active Directory replication occurs at the object and attribute level, FRS replicates at the file and directory level. Active Directory changes are replicated at the attribute level, so that only the change made to an object is actually replicated. However, FRS replicates at the file level, so if a SYSVOL-housed file is changed, then the entire file is replicated, not just the changes. The FRS replication mechanism is...

Creating a Windows Server DNS Namespace

In this sidebar, we walk through the steps for creating Name Resolution University's parent internal domain. To complete this exercise, you need a PC running Windows Server 2003 Server Edition. Insert the Windows 2003 Server CD-ROM into your CD-ROM drive, and let's begin our exercise:

1. If the CD-ROM starts automatically, cancel out of the autorun by clicking Exit.
2. Click Start | Control Panel, and choose Add or Remove Programs.
3. Click the Add/Remove Windows Components icon.
4. Scroll down...

Installing DHCP for Windows Server

Probably the simplest way to set up the DHCP service is to use the Configure Your Server Wizard to install it. The wizard will also walk you through creating a new scope. A second option is to manually install it through the Add/Remove Programs tool. In this section we'll take a look at both options. You'll need to know first if you have a working DNS server in your network environment. Validating your DNS server is quick and easy. Click Start | Run, and type cmd in the text box. Press Enter, and...

The Domain Controller Location Process

When a Windows client starts up, it attempts to locate a DC so that the user can be permitted to log on and access resources within the enterprise. It is important that the associated processes are understood so that you can more easily resolve startup and logon issues. This location process is as follows:

1. The client contacts a DNS server, as configured in its IP settings.
2. If the client has yet to determine in what site it resides, the client requests a complete list of DCs registered in...

Active Directory Within an Existing DNS Implementation

If you are migrating to Windows Server 2003 or integrating Windows Server 2003 DNS with a third-party DNS infrastructure such as BIND on UNIX or Linux, you do not need to change the namespace design used in your third-party DNS infrastructure. Although the design does not need to change, this option presents the fewest available features for use in the implementation. In essence, the number of available features is the lowest common denominator between Windows Server 2003 and the installed...

Defining Replication Topology

- Sites link physical network constraints and connection information to Active Directory's logical structure.
- Intrasite replication is notification based, uses RPC, uses a frequency of 15 seconds, is controlled by the KCC, and uses a ring topology.
- Intersite replication is schedule based, uses RPC, uses a frequency set by the Admin (default three hours), is controlled by the KCC, and uses a topology built by the Admin using sites, links, and costs.
- ISTG has been significantly modified from...

Using a Dedicated Root Domain

A dedicated root or dedicated forest root domain is deployed simply to exist as the root domain. Figure 2.6 shows an example scenario. It does not house users or groups, beyond the default service administrator accounts, which are created automatically. The creation of this additional domain does not, therefore, incur any significant overhead regarding replication. The domain only houses DC computer accounts and default user and group objects. The impact of this on the database size and...

Multiple Trees

If a degree of autonomy is required with respect to the namespace design by one business within the organization, then a separate tree should be created for that business. This will give them the freedom both to choose the name of the namespace and to create a hierarchy within that namespace as they require. An example can be found in Figure 2.11, which shows how the forest is split into separate trees for each function (banking and sales), and each function is then split by region, with one domain for...

In-Place Upgrades

In designing an upgrade strategy for a migration to Active Directory, every domain in the new enterprise design will be either a new domain or a domain that has been upgraded in place. In-place upgrades, as the name implies, involve upgrading from a pre-Windows Server 2003 domain environment to Windows Server 2003's Active Directory using the same domain name and structure as that used in the original enterprise design. The advantage to an in-place upgrade is that user accounts do not have to be...

What Should You Standardize

Because certain objects and containers are common throughout a typical Active Directory infrastructure, they lend themselves to standardization. In the following sections, we look at several aspects of Active Directory and discuss typical standardization methods for various Active Directory objects. We also review the benefits we gain when we use standardization for each of these objects. Any discussion about naming systems and standardization in Active Directory requires an overview of the...

The Namespace

A namespace, strictly defined, is a set or group of names that are assigned according to some naming convention. DNS uses a hierarchical namespace that partitions names into top-level domains, which can be subdivided into subdomains, and then into zones. You or your organization would register a unique domain name and then use it along with a naming convention to aggregate and identify all of the hosts that are connected to your network. This may sound patronizing and blatantly obvious, but it...

Forest service admins are separated from domain service admins

The dedicated root domain approach has the advantage that domain admins outside of the dedicated root domain cannot elevate their rights so that they hold Enterprise Admins (EA) or Schema Admins (SA) rights, which they would be able to do in a single domain model, for example. This ensures that forest service administrator roles can be clearly separated from domain service admin roles.

Simpler to reconfigure the forest

If a dedicated root domain were not used, then any changes required to the name of the first domain created would result...

Flexible Single Master Operations Roles

Primary Domain Controller Emulator

The final subject covered in this chapter is that of Flexible Single Master Operations (FSMO) roles. The acronym FSMO is frequently pronounced as "fuzmo" or "fizmo". FSMO roles, their purpose, governing rules, and best practices are all discussed in this section. We start by explaining in some detail what FSMO roles are and why they are needed. Each role has a specific purpose and several have rules that govern where they can be placed within the enterprise. We then examine best practices for FSMO...

Default Domain Policy

Enforce Minimum Windows Password Length

Default Domain Policy controls security settings involving password and account policy settings, including Kerberos Policy. Figure 4.16 illustrates the password policy settings for the Windows Server 2003 Default Domain Policy. Table 4.11 lists each policy, with brief descriptions explaining the policy settings available.

Figure 4.16 Default Domain Policy Password Policy Settings

Table 4.11 Password Policies with Descriptions

Password...

NTLM and Kerberos

Early Microsoft networking clients utilized LAN Manager authentication to provide user authentication for network access to resources. Windows NT 4.0 evolved from the LAN Manager network operating system. For backward compatibility, Windows NT 4.0 uses a version of LAN Manager authentication known as LAN Manager challenge/response, as well as Windows NT challenge/response, known as NTLM, for more recent systems. NTLM authentication is significantly stronger than LM authentication. Whether Windows...

Hub and Spoke

The most popular design is the hub and spoke, as seen in Figure 2.23. This design offers less redundancy than previous designs, but is far more scalable and therefore more suited to large organizations. The hub and spoke design relies on one or more hub sites that have slower WAN connections to multiple spoke or satellite sites. The hub sites are also generally connected to each other in a full mesh style, with very high-speed WAN connections. Hub and spoke designs offer the ability to segment...

DHCP Security Considerations

Although DHCP servers don't rank high on the hacker target list, there are several vulnerabilities that you need to address:

The number of IP addresses within each scope is limited. This means that an unauthorized user might launch a denial-of-service (DoS) attack on your network by requesting and acquiring a large number of IP addresses from the DHCP server. A DoS attack on your DNS can also be initiated by a hacker performing a large number of DNS dynamic updates through DHCP. An...

Generator and Bridgehead Servers

While the KCC is responsible for intra-site connection objects, all inter-site connection objects are established by the Inter-Site Topology Generator (ISTG). The first DC in each site, regardless of domain membership, will assume the role of the ISTG. This role cannot be viewed or changed using standard Microsoft tools, and precisely one ISTG role per site exists for sites that house one or more DCs. The ISTG is responsible for assessing the replication needs of the site in which it resides in...

DHCP Design Principles

DHCP is heavily reliant on the network topology, and is heavily relied on by the hosts within the network. For DHCP to function at an optimal level, client computers must be able to access at least one DHCP server at all times. When you develop a DHCP approach for your network, you have some things to consider:

How many clients will be using DHCP for IP addresses?
Where are these clients located and what roles do they have?
What does the network topology look like?
Are there any unstable WAN links...

RADIUS

If you are planning to incorporate more than one RRAS server, then Windows Server 2003 should be configured to use RADIUS for authentication purposes. RADIUS is an access control protocol that uses a challenge/response method for authentication. Each Windows Server 2003 RRAS server acts as a RADIUS client. Each of these RADIUS clients authenticates via a top-level RADIUS server, which itself can then authenticate to Active Directory. Figure 8.11 shows an example of Windows Server 2003 in a...

DNS Zone Storage Options

With Windows Server 2003, DNS zones can be stored in the domain or application directory partitions of Active Directory. As it relates to DNS, the official definition of a partition from Microsoft is that it is a data structure within Active Directory used to distinguish data for different replication purposes. The only way to take advantage of zone storage options is to install Windows Server 2003 and employ Active Directory-integrated zones for DNS. The ability to choose the type of directory...

Integrating with Existing Deployments

To integrate with RADIUS, the RRAS server must be configured as either a dial-up remote access server or a VPN gateway. These two types of servers authenticate clients from outside the network. Windows Server 2003 includes a supporting technology for RRAS called the Internet Authentication Service (IAS). IAS can be configured to act as a RADIUS server. IAS can then perform client authentication on behalf of any RRAS...

Global Catalog Server Sizing and Specification

We previously discussed how a DC should be sized and configured in some detail. However, some or all of the DCs in the Active Directory forest(s) will also act as GC servers. The following section discusses the additional requirements of the GC role beyond those found for the DC role. We start with a discussion of the additional requirements regarding disk space, CPU, and memory, and then proceed to evaluate the additional placement factors and requirements. The space requirement for GC servers...

Active Directory Sizer Tool

Thus far, we have focused on Active Directory implementations with 1,000 users or more. However, many implementations involve smaller numbers than this, and for these installations, a useful sizing tool is Microsoft's Active Directory Sizer, which can be downloaded from Microsoft's Web site. Once downloaded, simply install the software using the file setup.exe. The Active Directory Sizer can be invoked via Start | All Programs | Active Directory Sizer | Active Directory Sizer. Within the Active...

Other Policy Settings

Best practice dictates that GPOs should be linked to the highest container possible. This ensures that policy settings are not unnecessarily repeated in an AD design. As discussed earlier in this chapter, best practice also dictates that the Default Domain Policy and Default Domain Controllers Policy should not be modified. Settings that conflict with the default policies should instead be applied by creating a new GPO and linking it to the Domain or Domain Controllers OUs. In a network environment, server data is...

Storing Zones in Application Partitions

In Windows Server 2003, DNS zones can be stored within the domain or in Active Directory data structures used specifically for replication purposes, known as application directory partitions. In the most generic sense, application directory partitions are most often used to store dynamic data. Because data changes more often than the configuration information for a forest, the replication scope and frequency of an application directory partition can be set for each partition. The replication...

Interoperability Issues

Just because Windows supports Plug and Play doesn't mean that hardware and software will play nicely together. Installing new hardware and software on a network can cause issues such as the devices and/or programs not functioning as expected, if at all. The software must interact with other programming code on the computer, and the operating system must be able to recognize and work with any hardware installed. These interoperability issues must be resolved for users to be able to utilize the...

Authentication and Accounting Strategy

The Internet Authentication Service (IAS) is the central component in Windows Server 2003 for authenticating, authorizing, and auditing users who connect to a network through a VPN or dialup access. The IAS server is an implementation of a RADIUS server and proxy. RADIUS is the authentication protocol most commonly used by Internet service providers (ISPs). Another common usage is in the authentication of clients for network area storage (NAS) devices. IAS uses the data stored on the domain...

Ensuring Unique NetBIOS Names

The NetBIOS namespace is flat, meaning that there is no hierarchy to provide context for hosts in different locations. DNS is hierarchical; therefore, hosta.vanc.nru.corp is not the same as hosta.nru.corp. In WINS, each name must be unique, and there must be a mechanism to convert the NetBIOS name to an address. WINS is the mechanism; however, it is up to the network architect to devise a scheme to ensure that the names are unique across the whole enterprise, and not just within each location or...

Configuring Burst Handling Levels in WINS

Using the WINS MMC snap-in, you can configure the level of burst handling for the server, which modifies the size of the burst queue. To configure burst handling:

1. In the WINS MMC snap-in, right-click the appropriate WINS server.
2. Select the Advanced tab from the server name properties dialog box, as shown in Figure 5.10.
3. In Enable Burst Handling, select Low (300), Medium (500), High (1000), or Custom (between 50 and 5000) as the burst queue size.

Figure 5.10 Setting a Burst Handling Threshold...

Setting the DHCP Lease Duration

The DHCP service is a process that responds to client requests. When a computer that is a DHCP client boots up on the network for the first time, a four-step process is initiated:

1. The client machine broadcasts a request for an IP address. The request is broadcast on Port 67 and is known as a DHCP Discovery Broadcast.
2. Any and all DHCP servers that exist on the local network subnet will respond to the client with a direct DHCP Offer. If there are no local DHCP servers but there is a relay...

Understanding the Default Policy

Let's take a few minutes to look over the default policy that is set in Routing and Remote Access when you install. By default, both Windows Server 2003 and Windows 2000 RAS ship with a default RAS policy. You find this policy in the RRAS snap-in under the remote access server by selecting the Remote Access Policies object and looking in the details pane on the right, as shown in Figure 6.17.

Figure 6.17 Default RAS Policy Properties

Active Directory Integrated versus Primary Zones

At the beginning of the chapter, several zone types were identified and described. Two principal zone types in Windows Server 2003 are primary and Active Directory-integrated. There are good reasons for using both types of zones. However, one type will be more appropriate than the other depending on how your DNS needs to function once the design has been implemented. This section will describe each zone type and where it would be most appropriately used. Primary and secondary zones are standard...