Isolating Domain Controllers

Because of the importance of domain controllers, your security measures should minimize the threats to the computers in every possible way. Physically, domain controllers should always be in a secured location, such as a server closet or a data center, which is accessible only to administrative personnel who have reason to be there. Secure the console with a complex password, so that even people who are in the room for other reasons are not able to access the server. In addition to limiting...

Lesson Implementing a DNS Name Resolution Strategy

Once you have determined your network's name resolution requirements and designed your DNS namespace, it is time to actually implement the name resolution services by installing and configuring servers. Towards this end, you must first decide how many servers you need and where you are going to locate them, and then determine how you are going to configure the servers. After this lesson, you will be able to: Explain the functions of caching-only DNS servers and forwarders; List the types of zones...

Active Directory Permissions

Windows Server 2003 has yet another system of permissions, which you can use to specify who can access and manage objects in the Active Directory database. On a large network, working with Active Directory objects is a common administrative task. Administrators frequently have to create or delete user objects or modify the properties of existing objects. To delegate these tasks to other people, you might want to modify the default permissions for all or part of the Active Directory database....

Configuring DNS Security

It is common for administrators to run the DNS Server service on Windows Server 2003 domain controllers, particularly when they use Active Directory-integrated zones. One benefit of storing the zone database in Active Directory is that the directory service takes over securing and replicating the DNS data. However, even if you do use Active Directory-integrated zones, there are additional security measures you might consider. See Also: The Microsoft DNS Server service has its own security...

Using Fibre Channel

Fibre Channel is a high-speed serial networking technology that was originally conceived as a general purpose networking solution, but which has instead been adopted primarily for connections between computers and storage devices. Unlike SCSI, which is a parallel signaling technology, Fibre Channel uses serial signaling, which enables it to transmit over much longer distances. Fibre Channel devices can transmit data at speeds up to 100 megabytes per second using full duplex communications,...

Lesson Selecting Network Transport Layer Protocols

Once you have selected a data-link layer protocol for your network, your concerns for the physical infrastructure are finished. It is now time to move upward in the OSI reference model and select the protocols for the network and transport layers and above. There is no need to be concerned about protocol compatibility at this point, because all the data-link layer protocols in current use can function with any network transport layer protocol combination. After this lesson, you will be able to...

Lesson Selecting Data Link Layer Protocols

Connecting a group of computers to the same physical network gives them a medium for communication, but unless the computers can speak the same language, no meaningful exchanges are possible. The languages the computers speak are called protocols; if the computers on a network are to interact, every computer must be configured to use the same protocols. Selecting the appropriate protocols for the network is an important part of the network infrastructure planning process. After this lesson, you...

Key Terms

Attenuation: The tendency of a signal to weaken as it travels along a medium. The longer the distance traveled, the more the signal attenuates. All signals attenuate as they travel along a network medium, but different media are subject to different degrees of attenuation. Signals on copper-based cables such as UTP attenuate relatively quickly, while signals can travel longer distances over fiber-optic cable because they attenuate less.

Ad hoc topology: A wireless networking topology in which two...

Exercise Creating an MMC Console and Viewing the Default Policies

In this exercise, you create an MMC console containing the IP Security Policies snap-in and use it to view the default IPSec policies on your server.

1. Log on to Windows Server 2003 as Administrator.
2. Click Start, and then click Run. The Run dialog box appears.
3. In the Open text box, type mmc, and then click OK. The Console1 window appears.
4. From the File menu, select Add/Remove Snap-in. The Add/Remove Snap-in dialog box appears.
5. Click Add. The Add Standalone Snap-in dialog box...

Exercise Creating GPO Links

The GPO you created for the Domain Controllers container in the practice for Lesson 2 is not intended to stand alone. It builds on the Member Servers container's GPO you created in the practice for Lesson 1. In this practice, you link the Member Servers container's GPO to the Domain Controllers organizational unit.

1. Log on to your Server01 computer as Administrator.
2. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users And Computers. The...

Questions and Answers

For each of the following DNS server functions, specify whether you must have:

a. A DNS server with a registered IP address
c. A DNS server with a connection to the Internet
d. Administrative access to the DNS server

1. Internet domain hosting: a, b, c, and d
2. Internet client name resolution: c
3. Web server hosting: a, c, and d
4. Active Directory domain hosting: d

1. What is the technical term for a DNS client implementation? Resolver
2. In what domain would you find the PTR resource record...

Desktop Hardware Specifications

Unlike the hardware specifications for servers, which tend to be more specialized, depending on their role, desktop workstations are more general-purpose computers. Your objective in creating desktop hardware specifications is to design systems suitable for a wide variety of tasks. The ideal situation would be a single desktop computer design that is suitable for all the users on your network. From a purchasing standpoint, this would enable you to order a larger number of identical computers...

Using Network Load Balancing Manager

When you display the Network Load Balancing Manager application, the bottom pane of the window displays the most recent log entries generated by activities in the NLB Manager (see Figure 7-8). These entries detail any configuration changes and contain any error messages generated by improper configuration parameters on any host in the cluster.

[Figure 7-8: Network Load Balancing Manager window]

Deploying a Network Load Balancing Cluster

Once you have planned the network infrastructure for your NLB cluster and decided on the operational mode, you can plan the actual deployment process. The basic steps in deploying NLB for a cluster of Web servers on a perimeter network are as follows:

1. Construct the perimeter network on which the Network Load Balancing servers will be located. Create a separate LAN on your internetwork and isolate it from the internal network and from the Internet using firewalls. Install the hardware needed...

Using a Proxy Server

NAT provides some security for unregistered computers while giving them access to the Internet, but because it operates at the network layer, it permits clients to use any application. NAT also provides little true firewall protection, except in the case of those NAT routers that support stateful packet inspection. For network administrators who want more protection, and who want more control over their users' Internet activities, another option, called a proxy server, is available. A proxy...

Using Static Routing

Another important element of your routing strategy is your decision to use static or dynamic routing on your network. To forward network traffic to the proper locations, the routers on your network must have the correct entries in their routing tables. With static routing, network administrators must manually create and modify the routing table entries. Dynamic routing uses a specialized routing protocol to update the table entries automatically. Static and dynamic routing both provide the same...

NLB Operational Modes

The servers that are going to be the hosts in your NLB cluster do not require any special hardware. There is no shared data store as in a server cluster, for example, so you do not have to build a storage area network. However, NLB imposes certain limitations on a server with a single network interface adapter in a standard configuration, and in some cases, you can benefit from installing a second network interface adapter in each of your servers. Windows Server 2003 Network Load Balancing has...

Lesson Designing a DNS Namespace

Once you have determined how your network will use the DNS, it is time to begin designing the DNS namespace for your network. The namespace design can include a host-naming pattern for all the computers on your network, as well as the more complex naming of the network's domains and subdomains, both on the Internet and in Active Directory. After this lesson, you will be able to: Create an effective DNS domain hierarchy; Divide domain and host naming rules; Create a namespace with internal and...

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find the answers to the questions in the Questions and Answers section at the end of this chapter.

1. Which of the following servers does not require a computer with a registered IP address?
c. DNS servers used for Internet domain hosting
d. DNS servers used for Internet name resolution
2. Which of the...

Objective Questions

You are a network administrator who has been given a security template. Your supervisor wants you to check that all the Windows Server 2003 domain controllers are using the account policies, audit policies, event log settings, and security options stored in the template. In the case of any domain controller that is not using the same settings, you are to apply only the missing elements from the template to that computer. Which of the following procedures would enable you to perform both...