Active Directory Hosting Its Own DNS Namespace
The next option is similar in design to the option just described, with the exception that the Active Directory namespace connects to another internal rather than an external namespace. Active Directory-integrated zones can be used for the Active Directory namespace, but in the event that the Active Directory-integrated namespace needs to replicate with a non-Active Directory namespace, standard zones must be used for replication between the Active Directory namespace and the third-party...
Identifying DNS Record Requirements
Address record: Maps an FQDN to a 32-bit IPv4 address.
IPv6 address record: Maps an FQDN to a 128-bit IPv6 address.
ATM address record: Maps a DNS domain name in the owner field to an ATM address referenced in the atm_address field.
ISDN record: Maps an FQDN to an ISDN (RFC 1183) telephone number.
KEY record: Contains a public key that is associated with a zone. In a full DNSSEC implementation (DNSSEC is defined later in this chapter), resolvers and servers use KEY resource records to authenticate SIG resource records received from signed zones. KEY resource records are signed by...
The Dedicated Root Domain
The first domain deployed into any forest is known as the root domain. While in many respects it can be viewed as just another domain, since it must adhere to naming rules and so forth, it has unique properties that no other domain in the forest has. The root domain is where the special forestwide groups live: Schema Admins and Enterprise Admins. These two groups are used to manage forestwide operations, such as the addition of domains and modifications to the schema. It is necessary, therefore, to...
Domain Controller Sizing and Specification
We have examined how the Domain and Application Directory partitions influence the size of the Active Directory database and how to estimate the size of domain partitions based on number of users within each domain. In this section, we focus on the DCs housing this database and how they should be best configured, promoted, and placed for optimum performance and service. We begin by looking at best practices for DC hardware configuration, focusing on components such as disk, memory, and CPU....
IP Address Management and DHCP
- Know how DHCP services work in a Windows Server 2003/Windows 2000 network. Make sure you understand how IP leases are requested and granted by DHCP. Be sure to understand the lease renewal and release process. Know what happens when a client fails to renew a lease.
- Know the difference between scope properties and options and how and why they are assigned.
- Know the time frames involved with DHCP leases. Understand that the client always requests an extension or a new lease when half the...
Documenting All Namespaces
Before installing Active Directory and DNS on your network, you should document all namespaces that are currently used on the network. Domain names will need to be unique within the network. In other words, you couldn't have two domains within the forest named syngress.com, or two child domains named dev.syngress.com. If you did, DNS would be confused as to which domain users were attempting to log onto or access resources from. While domain names must be unique on the network, to a degree they...
Fault-Tolerant DHCP
Without an IP address, a computer can't communicate with other computers on your network or even connect to the Internet. As discussed previously, most computers will have a period of time without having to worry about network connectivity problems should your network lose the DHCP server. However, new computers on the network, returning laptops, or little-used systems that haven't recently logged on won't be able to get access to the network should the DHCP server fail. In this section, we look at a...
Defining the Audit Strategy
One of the first components of an audit strategy is setting a logging level. A good audit and logging strategy is important to the proper maintenance of your network and the systems that are used on it. Before we get deeper into defining your audit strategy, we need to deal with logging. Just what you want to log will be one of the most important questions you'll ask yourself. Defining an extensive logging and auditing strategy will lower the performance of your server and of your network....
Solutions Fast Track
- Identify locations that require self-sufficiency.
- Identify Active Directory-aware applications and their requirements.
- Understand the effects that service placement can have on logon time.
- Assess your organization's user populations.
- Understand what other factors affect service placement and how they might alter the placement design.
- Create an algorithm to be used to assign service components, which includes all factors understood to exist in your organization.
- Assess which other...
DHCP Background
The way DHCP works is fairly simple. Using a client/server model, a DHCP server maintains a pool of IP addresses. DHCP clients request and obtain leases for IP addresses during the boot process. DHCP is derived from the Bootstrap Protocol (BOOTP), which was a protocol typically used to allow clients to boot from the network rather than from a hard drive. Through this boot process, BOOTP assigned an IP address dynamically to the client computer. Some benefits of using a Windows Server 2003 DHCP...
Identifying Active Directory Sites and Subnets
In the early days of Windows NT 4.0, the Internet was barely a thought on most people's minds, and the notion of network connectivity typically extended only as far as the office LAN. As the Internet quickly grew in popularity and the need for interconnectivity between offices increased, Windows NT 4.0's original design concepts for domain functionality began to show its age. As the network began to extend its reach, network infrastructure designs became more important to a properly functioning...
Secure Dynamic DNS
By virtue of being dynamic, Dynamic DNS (DDNS) is designed for ease of administration. Clients register themselves and update their records whenever they receive an IP address from Windows Server 2003 DHCP. If you are the administrator of a DNS zone, the last thing you want is a bunch of unauthorized clients polluting the zone with unwanted resource records. This situation will add to your frustration levels, not to mention your workload, for cleaning out these DNS infidels....
Identify Zone Placement
DNS zones are used to divide the namespace and use servers to allocate resources and divide services. Namespace and zones are two sides of the same coin; they work hand in hand. As described earlier, the namespace must be designed to meet business requirements and make optimal use of technology resources such as available bandwidth within and between sites. Subdividing the namespace into zones will make it easier for DNS to manage the use of available bandwidth, which will increase...
Assessing and Designing the Administrative Model
When originally released, the domain was documented and designed to be the security boundary within an Active Directory. This implied that resources within any one domain within the forest would be isolated and autonomous from all other resources outside the domain. In other words, multiple domains could coexist within the same forest, in the knowledge that administrators from one domain could not access resources in any other domain, unless granted specific rights to do so. However, several...
Knowledge Consistency Checker
Running on every DC in the forest is a process known as the Knowledge Consistency Checker, or KCC. At regular intervals, the KCC evaluates the site topology and available DCs and then generates intra-site connection objects for the local DC with other DCs in the same site to ensure efficient replication of Active Directory data. The parameters used by the KCC, which are stored in the registry, are described in Microsoft KB article 271988, which can be found at The KCC will attempt to construct a...
Interoperability with WINS and DHCP
DNS is a powerful, valuable service on its own. However, Microsoft has designed it so that it can be integrated with other network services to optimize the features of both DNS and these other services. WINS and DHCP are two very likely candidates for integration on a network of any size because the integration reduces the amount of administrative effort for system administrators. Windows Server 2003 DNS enables you to support an existing WINS deployment by allowing you to configure a DNS server to...
IP Address Management and DHCP
The simple truth is that any TCP/IP-based network of any size needs to use DHCP. The DHCP server dynamically supplies client machines with IP addresses and network configuration information. DHCP can be considered an essential service on most TCP/IP networks. Small networks need at least one DHCP server. Larger networks can use multiple DHCP servers to split the address space and provide fault tolerance. When designing your DHCP networks, you'll want to take many factors into account, including...
Distributed Management
In distributed IT management, an individual or a group is not ultimately responsible for the necessary administrative tasks throughout the enterprise. In the distributed management model, different functional groups within an organization are ultimately responsible for the IT administration of their respective infrastructures. Designing and implementing a distributed management model is highly dependent on the Active Directory container hierarchy. A distributed management model is basically a...
The Organizational Model
The final multiple-forest model considered is the Organizational model. This is probably the most widely used multiforest model, especially in larger companies where multiple, independent business units exist. Figure 2.5 depicts such a scenario. As previously mentioned, within a larger organization, the smaller businesses might have different requirements and/or timescales for deploying Active Directory; therefore, a single forest design might not meet the needs of all involved parties. This...
The Default Domain Controllers Policy
Numerous user rights assignment settings are predefined in the Default Domain Controllers Policy. Figure 4.19 illustrates the predefined user rights assignment settings for the Windows Server 2003 Default Domain Controllers Policy. Figure 4.19 Default Domain Controllers Policy User Rights Assignment. As Figure 4.19 illustrates, several options are predefined in the Default Domain Controllers Policy. The main functions provided...
Select Networking Services and click the Details button
5. Check the box for Dynamic Host Configuration Protocol (DHCP) and click OK.
6. You will be returned to the Add or Remove Windows Components dialog screen. Click Next.
7. The DHCP service requires a statically assigned IP address, and will prompt you to change to a static IP address if the server currently uses a DHCP address.
8. Click Start, then Administrative Tools, and select DHCP.
9. Right-click the server and select New Scope, as shown in Figure 3.20. Figure 3.20 Creating a New Scope Is an...
File Replication System
FRS is used to replicate SYSVOL data between DCs in the same domain. Where Active Directory replication occurs at the object and attribute level, FRS replicates at the file and directory level. Active Directory changes are replicated at the attribute level, so that only the change made to an object is actually replicated. However, FRS replicates at the file level, so if a SYSVOL-housed file is changed, then the entire file is replicated, not just the changes. The FRS replication mechanism is...
Assessing BIND Implementations
BIND is an acronym for Berkeley Internet Name Domain, which is an implementation of DNS that has run in many variations on UNIX servers. Windows Server 2003 DNS is interoperable with different versions of BIND, and has been tested with the following versions: If other servers on your network are running different versions of BIND, then Windows Server 2003 might not be interoperable with them, and you will need to either retire those servers or upgrade them to BIND 8.1.2 or later.
Creating a Windows Server DNS Namespace
In this sidebar, we walk through the steps for creating Name Resolution University's parent internal domain. To complete this exercise, you need a PC running Windows Server 2003 Server Edition. Insert the Windows Server 2003 CD-ROM into your CD-ROM drive, and let's begin our exercise.
1. If the CD-ROM starts automatically, cancel out of the autorun by clicking Exit.
2. Click Start | Control Panel, and choose Add or Remove Programs.
3. Click the Add/Remove Windows Components icon.
4. Scroll down...
Installing DHCP for Windows Server
Probably the simplest way to set up the DHCP service is to use the Configure Your Server Wizard to install it. The wizard will also walk you through creating a new scope. A second option is to install it manually through the Add/Remove Programs tool. In this section we'll take a look at both options. You'll first need to know whether you have a working DNS server in your network environment. Validating your DNS server is quick and easy. Click Start | Run, and type cmd in the text box. Press Enter, and...
The Domain Controller Location Process
When a Windows client starts up, it attempts to locate a DC so that the user can be permitted to log on and access resources within the enterprise. It is important that the associated processes are understood so that you can more easily resolve startup and logon issues. The location process is as follows:
1. The client contacts a DNS server, as configured in its IP settings.
2. If the client has yet to determine in what site it resides, the client requests a complete list of DCs registered in...
Internal Versus External Names
An internal namespace does not provide for access from external systems via the Internet or via extranet scenarios. Even though internal namespace designs may not require or desire connectivity from external systems, it is recommended to use a registered DNS namespace for the AD forest name. This ensures that as design requirements change, or if other organizations merge with your organization in the future, the namespaces will be able to coexist. Four options exist for organizations that...
Active Directory Within an Existing DNS Implementation
If you are migrating to Windows Server 2003 or integrating Windows Server 2003 DNS with a third-party DNS infrastructure such as BIND on UNIX or Linux, you do not need to change the namespace design used in your third-party DNS infrastructure. Although the design does not need to change, this option presents the fewest available features for use in the implementation. In essence, the number of available features is the lowest common denominator between Windows Server 2003 and the installed...
Ownership and Responsibilities
We previously examined the importance of ownership within each forest. This concept is relevant in each domain too, since without overall ownership the domain will cease to be properly managed, maintained, and controlled. The forest needs ownership and sponsorship, and each domain within the forest requires an owner. The domain owner should perform two basic tasks. Act as a representative within the forest: In a multidomain and multibusiness forest, each domain and business should be...
Defining Replication Topology
- Sites link physical network constraints and connection information to Active Directory's logical structure.
- Intrasite replication is notification based, uses RPC, uses a frequency of 15 seconds, is controlled by the KCC, and uses a ring topology.
- Intersite replication is schedule based, uses RPC, uses a frequency set by the Admin (default three hours), is controlled by the KCC, and uses a topology built by the Admin using sites, links, and costs.
- ISTG has been significantly modified from...
Service Autonomy
The third and probably most relevant factor when deciding on the domain design is the issue of service autonomy. If an organization is composed of independent businesses, these different entities, while keen to share a common infrastructure and realize the lower associated TCO, might require a degree of autonomy within their own domain. This autonomy might simply be borne out of the need to have their own service administrators, or it might be a result of requiring different domain security...
Autonomy
If an entity requires autonomy, then a degree of independence is required, but without precluding other entities from accessing resources inside that boundary (autonomy). Autonomy can be achieved at the service admin level, implying that domain service admins have independence from service admins in other domains, but that these service admins accept that there are admins elsewhere in the forest with greater rights. These latter admins have the ability to remove rights from domain service admins...
Creating a Replication Diagram
In an Active Directory design that encompasses a few sites, designing and configuring replication might not warrant a complex diagram illustrating every detail. However, as an organization grows, or if you are designing a large-scale implementation, a good diagram will simplify the design process. Figure 4.34 illustrates an example of a replication diagram. A replication diagram should reflect site links and replication schedules to determine site link replication overlap and availability. With the...
Network Access Quarantine
Windows Server 2003 provides several improvements to Windows remote access. One of the most useful features, the Network Access Quarantine Control feature, allows you to quarantine specific users. How does it work? If a client system attempting to connect to your network via remote access isn't running the software you have specified, such as a specific service pack or a virus scanner, that client system can be quarantined and won't be allowed to access your network. This feature can be...
The Physical Design
- Design Internet connectivity for a company.
- Design a network and routing topology for a company.
- Design a TCP/IP addressing scheme through the use of IP subnets.
- Specify the placement of routers.
- Design IP address assignment by using DHCP.
- Design a perimeter network.
- Design the remote access infrastructure.
- Ascertain network settings required to access resources.
- Design for availability, redundancy, and survivability.
Extranet Requirements
To support an extranet, you and your selected partners need to ensure that you are using a secure remote access solution and that they are using methods for connecting to your network that are compatible with your remote access solution. This could be a Web browser, but you might find that the best solution is typically a site-to-site VPN. Windows Server 2003 can provide this solution with the use of RRAS and dial-on-demand. Figure 8.9 shows how the site-to-site VPN works. In step 1, when...
Using a Dedicated Root Domain
A dedicated root, or dedicated forest root, domain is deployed simply to exist as the root domain. Figure 2.6 shows an example scenario. It does not house users or groups, beyond the default service administrator accounts, which are created automatically. The creation of this additional domain does not, therefore, incur any significant overhead regarding replication. The domain only houses DC computer accounts and default user and group objects. The impact of this on the database size and...
Multiple Trees
If a degree of autonomy is required with respect to the namespace design by one business within the organization, then a separate tree should be created for that business. This will give them the freedom both to choose the name of the namespace and to create a hierarchy within that namespace as they require. An example can be found in Figure 2.11, which shows how the forest is split into separate trees for each function (banking and sales), and each function is then split by region, with one domain for...
In-Place Upgrades
In designing an upgrade strategy for a migration to Active Directory, every domain in the new enterprise design will be either a new domain or a domain that has been upgraded in place. In-place upgrades, as the name implies, involve upgrading from a pre-Windows Server 2003 domain environment to Windows Server 2003's Active Directory using the same domain name and structure as that used in the original enterprise design. The advantage of an in-place upgrade is that user accounts do not have to be...
What Should You Standardize
Because certain objects and containers are common throughout a typical Active Directory infrastructure, they lend themselves to standardization. In the following sections, we look at several aspects of Active Directory and discuss typical standardization methods for various Active Directory objects. We also review the benefits we gain when we use standardization for each of these objects. Any discussion about naming systems and standardization in Active Directory requires an overview of the...
The Namespace
A namespace, strictly defined, is a set or group of names that are assigned according to some naming convention. DNS uses a hierarchical namespace that partitions names into top-level domains, which can be subdivided into subdomains, and then into zones. You or your organization would register a unique domain name and then use it along with a naming convention to aggregate and identify all of the hosts that are connected to your network. This may sound patronizing and blatantly obvious, but it...
Forest service admins are separated from domain service admins
The dedicated root domain approach has the advantage that domain admins outside of the dedicated root domain cannot elevate their rights to gain EA or SA rights, which they would be able to do in a single domain model, for example. This ensures that forest service administrator roles can be clearly separated from domain service admin roles. Simpler to reconfigure the forest: If a dedicated root domain were not used, then any changes required to the name of the first domain created would result...
DHCP Design Features
When you plan the design around a network service, you must take into account its features. One of the features of DHCP is also a limitation: DHCP Relay Agents. DHCP Relay Agents are used in networks that use routing between subnets and do not have DHCP servers on those subnets. They provide a way to move DHCP data through the network. Another feature of DHCP is its ability to integrate with DNS. These two services running in conjunction can automate IP address management to a great degree....
Document DNS Server Locations
The locations of DNS servers on the network are vital to document. It is important that all users are able to access any DNS servers used in the new infrastructure so they can thereby access domain controllers, Active Directory, and any services or resources they might need to do their work. It is also important for domain controllers to be capable of connecting to the other DNS servers on the network, so that they can replicate information from the DNS database to the other servers for the...
Flexible Single Master Operations Roles
The final subject covered in this chapter is that of Flexible Single Master Operations (FSMO) roles. The acronym FSMO is frequently pronounced as "fuzmo" or "fizmo." FSMO roles, their purpose, governing rules, and best practices are all discussed in this section. We start by explaining in some detail what FSMO roles are and why they are needed. Each role has a specific purpose, and several have rules that govern where they can be placed within the enterprise. We then examine best practices for FSMO...
Default Domain Policy
Default Domain Policy controls security settings involving password and account policy settings, including Kerberos Policy. Figure 4.16 illustrates the password policy settings for the Windows Server 2003 Default Domain Policy. Table 4.11 lists each policy, with brief descriptions explaining the policy settings available. Figure 4.16 Default Domain Policy Password Policy Settings. Table 4.11 Password Policies with Descriptions. Password...
NTLM and Kerberos
Early Microsoft networking clients utilized LAN Manager authentication to provide user authentication for network access to resources. Windows NT 4.0 evolved from the LAN Manager network operating system. For backward compatibility, Windows NT 4.0 uses a version of LAN Manager authentication known as LAN Manager challenge/response, as well as Windows NT challenge/response, known as NTLM, for more recent systems. NTLM authentication is significantly stronger than LM authentication. Whether Windows...
Hub and Spoke
The most popular design is the hub and spoke, as seen in Figure 2.23. This design offers less redundancy than the previous designs, but is far more scalable and therefore more suited to large organizations. The hub and spoke design relies on one or more hub sites that have slower WAN connections to multiple spoke or satellite sites. The hub sites are also generally connected to each other in a full mesh style, with very high-speed WAN connections. Hub and spoke designs offer the ability to segment...
The Resource Forest Model
The next model is the Resource Forest model. In this model, a separate forest is deployed that houses resources that relate to a specific project or business. Refer to Figure 2.4 for an example of such an implementation. While user accounts are all stored centrally in one 'accounts' forest, all resources relating to a project or business are stored in a separate forest, along with backup user accounts that can also be used to gain access to the resources in the resource forest. Users in the...
DHCP Security Considerations
Although DHCP servers don't rank high on the hacker target list, there are several vulnerabilities that you need to address: The number of IP addresses within each scope is limited. This means that an unauthorized user might launch a denial-of-service (DoS) attack on your network by requesting and acquiring a large number of IP addresses from the DHCP server. A DoS attack on your DNS can also be initiated by a hacker performing a large number of DNS dynamic updates through the DHCP. An...