Quick Tip

It is very important to assign appropriate quota levels to users, and it is highly recommended that you validate the space each user actually needs before you assign them. While you are still establishing the required levels, do not enable the option that denies disk space to users who exceed their limit; rely on logging instead. To test the limits, monitor quota usage through the Quota Entries button at the bottom of the dialog box, and select both Log event when a user exceeds their quota limit and Log event when a user exceeds their...

Distributed Link Tracking

Windows 2000 first introduced the Distributed Link Tracking (DLT) service. The service is composed of a client and a server component. Both components are available on WS03, but only the client component is available on Windows XP. The service is designed to track distributed links, that is, shortcuts that have been created on a client computer, and its basic purpose is to ensure that those shortcuts keep working when their targets move. For example, when a workgroup is working with a given set of files...

Implementing a New Enterprise Network

Chapter 2 introduced the concept of a parallel network for Active Directory implementation. The parallel network offers considerable opportunities. For one thing, you get to recreate your production network from scratch using a design that capitalizes on the new operating system's core features. It is an ideal opportunity to revise every network concept and detail to see how it can be improved to better meet its basic objective, information service delivery...

Forest Design Example

Now that you are comfortable with the forest concept, you can identify the number of forests you need. Use the following examples to review the forest creation process. The first design example focuses on identifying the number of forests for a medium-sized organization with 5,000 users. It is distributed geographically into ten regions, but each region is administered from a central location. The organization operates under a single public name and delivers the same services in each...

Quick Tip

The DNS console behaves a little oddly: you must always begin by left-clicking an item in the left pane, which refreshes the view in the right pane. Only then can you right-click the item to open its context menu. 9. Use either Root Hints or Forwarders. If you use Forwarders and you configured the client DNS settings correctly earlier, you will see that at least one forwarder address has already been entered by the DNS setup process. Add additional DNS servers as required, and then click OK to...

Using the Active Directory Blueprint

Like the Enterprise Network Architecture Blueprint presented in Chapter 1 (refer back to Figure 1-5), the Active Directory Design Blueprint emerges from the structure of Microsoft Certification Exam 70-219, Designing a Microsoft Windows 2000 Directory Services Infrastructure. It also includes the same prerequisite business and technical requirements analyses. The advantage of using the same blueprint structure for both operations is that you should already have most of this...

Completing the People OU Structure

Now that you have a better understanding of the major changes within WS03 for user management and administration, you are ready to complete your People OU infrastructure. The easiest way to do so is to detail the requirements for each OU in a table much like the one you used for the PCs OU design in Chapter 5 (Table 5-1). Table 6-4 outlines a possible People OU structure for T&T Corporation. As mentioned before, T&T has several main offices where user creation is...

Quick Tip

Event logs don't actually provide the name of the person who exceeded the limit; you have to use WMI scripts to extract that information. But the event log will tell you that someone has exceeded the limit, and you will know who it is soon enough because users who exceed their limits are quick to call the help desk to complain. 4. You can click Apply if you want to, but you don't have to because you aren't done with this dialog box yet. Move to the Shadow Copies tab. 5. Before enabling this...
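The two quota tips above say to test limits with logging rather than enforcement, and that only WMI can tell you which account tripped the limit. The following script is an added example, not the book's code: it reads the NTFS quota entries for a volume through the Win32_DiskQuota WMI class, resolves each entry's account name, and lists the accounts that have reached their warning level or hard limit. It assumes PowerShell with administrative rights on the file server and that the volume of interest is C: (the -Volume parameter is an assumption for illustration).

```powershell
# Added example: enumerate NTFS quota entries via WMI and name the over-quota accounts.
# Assumes PowerShell (v2 or later) running with admin rights on the file server.
param(
    [string]$Volume       = "C:",   # assumed default; any quota-enabled NTFS volume
    [string]$ComputerName = "."     # "." = local machine
)

# Win32_DiskQuota.Status: 0 = OK, 1 = warning level reached, 2 = limit reached
$statusText = @{ 0 = "OK"; 1 = "Warning"; 2 = "Exceeded" }

# In Get-WmiObject output, User and QuotaVolume are WMI object paths (strings), e.g.
#   \\SERVER\root\cimv2:Win32_Account.Domain="TANDT",Name="jdoe"
# so the account name is pulled out of the reference with a regex.
function Get-AccountFromRef([string]$ref) {
    if ($ref -match 'Domain="([^"]*)",Name="([^"]*)"') { return "$($matches[1])\$($matches[2])" }
    return $ref
}

# Keep only the entries that belong to the requested volume
$entries = Get-WmiObject -ComputerName $ComputerName -Class Win32_DiskQuota |
    Where-Object { $_.QuotaVolume.EndsWith('DeviceID="' + $Volume + '"') }

$report = foreach ($q in $entries) {
    $limit = [double]$q.Limit
    New-Object PSObject -Property @{
        Account    = Get-AccountFromRef $q.User
        UsedMB     = [math]::Round($q.DiskSpaceUsed / 1MB, 1)
        WarningMB  = [math]::Round($q.WarningLimit / 1MB, 1)
        LimitMB    = [math]::Round($limit / 1MB, 1)
        PctOfLimit = if ($limit -gt 0) { [math]::Round(100 * $q.DiskSpaceUsed / $limit, 1) } else { 0 }
        Status     = $statusText[[int]$q.Status]
    }
}

# Full picture, heaviest consumers first: this is the data you need to validate
# per-user quota levels before turning on enforcement.
$report | Sort-Object PctOfLimit -Descending |
    Format-Table Account, UsedMB, WarningMB, LimitMB, PctOfLimit, Status -AutoSize

# The accounts the help desk is about to hear from
$report | Where-Object { $_.Status -ne "OK" } |
    ForEach-Object { "{0}: {1} ({2} MB of {3} MB)" -f $_.Account, $_.Status, $_.UsedMB, $_.LimitMB }
```

Run it on a schedule against each quota-enabled volume while you are still in the logging-only phase; the PctOfLimit column is what tells you whether the limits you chose are realistic before you enable denial of disk space.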

Installing the First Server in a Forest

The place to start is with the very first server in the forest. This server has several characteristics: it is a DC with integrated DNS service, it is the Schema Master for the forest, it is the PDC Emulator and the RID Master for the forest root domain (as the first DC it also starts out holding the Domain Naming Master and Infrastructure Master roles), it hosts the Global Catalog service, it synchronizes time for the forest, and it is the forest License Manager.

Server Installation and Configuration

Begin with the Server Kernel Installation per the procedures outlined in...
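Because the first server ends up holding every forest and domain role, it is worth being able to verify afterwards exactly which DC holds what. The script below is an added example, not from the book: it reads the fSMORoleOwner attribute from the five objects that record the role holders and reports which DCs are Global Catalogs, using ADSI only (no Active Directory module), so it runs on a WS03-era domain member. It assumes it is run with domain credentials from a machine joined to the forest root domain.

```powershell
# Added example: report FSMO role holders and Global Catalog servers via ADSI.
# Assumes: domain-joined machine in the forest root domain, domain user credentials.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNC = $rootDse.defaultNamingContext.Value         # DC=tandt,DC=net (example)
$configNC = $rootDse.configurationNamingContext.Value   # CN=Configuration,DC=...
$schemaNC = $rootDse.schemaNamingContext.Value          # CN=Schema,CN=Configuration,DC=...

# Each role is recorded as the fSMORoleOwner attribute of one specific object. The
# value is the DN of the holder's "NTDS Settings" object; its parent is the server object.
$roleObjects = @{
    "Schema Master"         = $schemaNC                              # forest-wide
    "Domain Naming Master"  = "CN=Partitions,$configNC"              # forest-wide
    "PDC Emulator"          = $domainNC                              # per domain
    "RID Master"            = 'CN=RID Manager$,CN=System,' + $domainNC
    "Infrastructure Master" = "CN=Infrastructure,$domainNC"
}

function Get-RoleOwner([string]$objectDn) {
    $obj    = [ADSI]"LDAP://$objectDn"
    $ntdsDn = [string]$obj.fSMORoleOwner.Value   # CN=NTDS Settings,CN=<server>,CN=Servers,...
    # Strip the first RDN to get the server object, which carries dNSHostName
    $server = [ADSI]("LDAP://" + $ntdsDn.Substring($ntdsDn.IndexOf(",") + 1))
    return [string]$server.dNSHostName.Value
}

"FSMO role holders:"
$roleObjects.GetEnumerator() | Sort-Object Name | ForEach-Object {
    "  {0,-22} {1}" -f $_.Name, (Get-RoleOwner $_.Value)
}

# Global Catalog status: bit 0 of the 'options' attribute on each NTDS Settings
# object (objectClass nTDSDSA) under the Sites container is set when the DC is a GC.
"Global Catalog servers:"
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNC"
$searcher.Filter     = "(objectClass=nTDSDSA)"
foreach ($r in $searcher.FindAll()) {
    $ntds   = $r.GetDirectoryEntry()
    $server = [ADSI]$ntds.psbase.Parent.Path
    $isGc   = ([int]$ntds.options.Value -band 1) -eq 1
    "  {0,-30} GC={1}" -f [string]$server.dNSHostName.Value, $isGc
}
```

On a freshly built forest every role line should name the first server; if a later DC shows up as holder of a role you did not transfer deliberately, that is worth investigating before you go further.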

The OU Design Process

In this design process, administrators must create a custom OU structure that reflects the needs of their organization and then delegate its contents where appropriate. The best place to start the design process is with the Single Global Child Domain. Since this is the production domain, it will have the most complex OU structure. Once this domain's structure is complete, it will be simple to design the structure for the other domains, both within and outside the...

Using Local Security Templates

Local security templates can be applied in two ways: through a graphical tool, the Security Configuration and Analysis MMC snap-in, or through the command-line tool secedit. Both have their uses, and both can analyze and configure a system against a security template. The Security Configuration and Analysis snap-in provides a graphical view of system configuration and analysis. This can be quite useful since it provides the same interface that you use to either create...
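The point of the analyze step is that it changes nothing, so you can see the delta before you commit to it. The script below is an added example, not the book's: it exports the current settings as a baseline, runs secedit /analyze against a template, and extracts the "Mismatch" lines from the analysis log; the configure step is left commented out until the mismatches have been reviewed. The template and working-directory paths are assumptions for illustration, and the script must run elevated on the server being analyzed.

```powershell
# Added example: analyze a server against a security template with secedit and list
# the settings that differ. Paths are hypothetical; run elevated on the target server.
param(
    [string]$Template = "C:\Security\Templates\MemberServer.inf",   # assumed path
    [string]$WorkDir  = "C:\Security\Analysis"                      # assumed path
)
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$db  = Join-Path $WorkDir "analysis.sdb"
$log = Join-Path $WorkDir "analysis.log"

# 1. Snapshot the current effective settings first, so a later /configure is reversible
#    (re-apply the baseline .inf with /configure to roll back).
$baseline = Join-Path $WorkDir ("baseline-{0:yyyyMMdd-HHmm}.inf" -f (Get-Date))
& secedit /export /cfg $baseline /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed (exit $LASTEXITCODE)" }

# 2. Analyze only: compares the template with the live system and writes the result
#    to the database and log. Nothing on the system is changed.
& secedit /analyze /db $db /cfg $Template /overwrite /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /analyze failed (exit $LASTEXITCODE); see $log" }

# 3. The log reports each differing setting on a "Mismatch - <setting>" line.
$mismatches = Get-Content $log | ForEach-Object {
    if ($_ -match '^\s*Mismatch\s*-\s*(.+)$') { $matches[1].Trim() }
} | Sort-Object -Unique

"{0} setting(s) on this server differ from {1}:" -f @($mismatches).Count, (Split-Path $Template -Leaf)
$mismatches | ForEach-Object { "  $_" }

# 4. Apply only after the mismatches have been reviewed. Reusing the same database
#    means what gets configured is exactly what was analyzed. /areas narrows the scope
#    (SECURITYPOLICY, USER_RIGHTS, REGKEYS, FILESTORE, SERVICES, GROUP_MGMT).
# & secedit /configure /db $db /cfg $Template /overwrite /log $log /quiet
```

Keep the baseline export with the analysis log; together they document what the server looked like before the template was applied, which is what you will want when a service stops working after a hardening pass.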

Server Cluster Concepts

The nodes in a Server Cluster can be configured in either active or passive mode. An active node is one that is actively rendering services. A passive node is one in standby mode, waiting to take over when a service fails. It goes without saying that, like the Failsafe Server role presented in Chapter 1, the passive node is an expensive solution because the server hardware just waits for failures. But if your risk calculations indicate that your critical business services...

Product Activation

Product activation is a core component of the WS03 family of products. If you purchase a retail version of any edition of WS03, or a new server that includes the operating system, you will have to activate the product. While there is a lot of discussion about the pros and cons of product activation, one thing is sure: Microsoft needs to implement anti-piracy technologies to protect its copyrights. Activation will not be an issue for anyone acquiring WS03 through volume licensing programs such as Open...

Creating the Folder Structure

The folder structure is not the same as the shared folder structure, because shares are regrouped by content type (refer to Figure 7-1). Though WS03 provides a Share a Folder Wizard that supports the creation of a folder structure on an NTFS disk, it is easier to use Windows Explorer to create the folders that will host file sharing. 1. Open Windows Explorer (Quick Launch area | Windows Explorer). 3. Create the three top-level folders: Administration, Applications, and Data. To do so, right-click...

Designing the Production Domain OU Structure

What is truly amazing about Active Directory is how a simple database can be used to manage objects and events in the real world. That's right: the objective of Active Directory is to manage the elements you store inside its database. But to manage objects, you must first structure them. Forests, trees, and domains begin to provide structure by giving objects a rough position within the Active Directory database. This rough positioning needs to be refined considerably, especially when you...

Best Practices for Group Management and Creation

Group management practices can become quite complex. This is why a group management strategy is essential to the operation of an enterprise network. This strategy begins with best-practice rules and guidelines. It is complemented by a strategic use of Global groups, the groups that are designed to contain users. The varying scopes of the groups within Active Directory will not help your group management activities if you do not implement basic guidelines for group usage. Thus there is a...

The Default Domain Controller Policy

The Default Domain Controllers Policy should also be modified, but the required modifications are too numerous to list here. The DC promotion process automatically secures several aspects of the local system and creates the DC security.inf template, but in most cases additional DC security is required. In addition, it is essential to ensure that all your domain controllers remain in the Domain Controllers organizational unit; otherwise they will not be affected by your default DC...
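A DC that someone has dragged into another OU silently stops receiving the Default Domain Controllers Policy, so this is worth checking mechanically. The script below is an added example, not from the book: it finds every domain controller account in the domain by the SERVER_TRUST_ACCOUNT bit in userAccountControl and reports any whose parent container is not the Domain Controllers OU. It uses ADSI only and assumes it runs with domain credentials from any member of the domain.

```powershell
# Added example: flag domain controllers that are not in the Domain Controllers OU.
# Assumes: domain-joined machine, domain user credentials, ADSI (no AD module needed).
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNC = $rootDse.defaultNamingContext.Value
$dcOu     = "OU=Domain Controllers,$domainNC"

# DC computer accounts carry SERVER_TRUST_ACCOUNT (0x2000 = 8192) in userAccountControl;
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainNC"
$searcher.Filter     = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
$searcher.PageSize   = 500
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
[void]$searcher.PropertiesToLoad.Add("dNSHostName")

$misplaced = @()
foreach ($r in $searcher.FindAll()) {
    $dn   = [string]$r.Properties["distinguishedname"][0]
    $fqdn = [string]$r.Properties["dnshostname"][0]
    # Parent container is everything after the first RDN
    $parent = $dn.Substring($dn.IndexOf(",") + 1)
    if ($parent -ieq $dcOu) {
        "OK         $fqdn"
    } else {
        "MISPLACED  $fqdn is in $parent"
        $misplaced += $fqdn
    }
}

if ($misplaced.Count -gt 0) {
    ""
    "{0} DC(s) outside {1} will not receive the Default Domain Controllers Policy." -f $misplaced.Count, $dcOu
}
```

A DN with an escaped comma in the computer's own RDN would confuse the simple Substring split; computer names cannot contain commas, so this is not a concern in practice.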

Other Forest Domain Designs

Now that you have determined the domain structure to implement in your production forest, you can use it to derive the structure for the other forests you created. The staging forest is simple: it should mirror the structure of the production forest, so it requires a parent and a child domain. Since it is designed to represent only the production environment, it does not require additional domains for training, development, or other purposes. The development and utilitarian...

Configuring the Default Domain Policy

Chapters 3 and 4 outlined the importance of configuring the two default domain policies (Default Domain and Default Domain Controllers) at the Protected Forest Root Domain. The reason is that the content of these policies will propagate to child domains as soon as they are created, so the default policies should be customized as soon as the forest root domain has been created. The Default Domain Policy is the account policy (password, lockout, and Kerberos settings) for the domain. Since only one policy can contain...

Best Practices for Site Topology Design

Use the following best practices to design your site topology:
- Use the default configuration for inter-site replication.
- Do not disable the Knowledge Consistency Checker.
- Do not disable transitive trusts.
- Do not specify Bridgehead Servers.
- Calculate replication latency between sites.
- Create sites according to network topology: Site Links and WAN links should correspond.
- Make sure that no single site is connected to more than 20 other sites.
- Each site must host at least one DC.
- Do not use SMTP for...

Managing Printer Permissions

Printer permissions are much the same in Windows Server 2003 as they were in Windows NT. Print management is divided into printer management and document (queue) management. Print Operators are allowed to manage both the physical device and the logical queue. In addition, each user who prints a job has control over their own job: they can delete it, but cannot change its priority. WS03 supports the segregation of printer and document management. Printer management allows operators to stop,...

Designing a Delegation Strategy

The delegation strategy you require will have a direct impact on your organizational unit strategy. This design will also have to take into account the Group Policy object strategy you outlined above. When designing for delegation, you need to take several factors into account. Begin by identifying the business needs that influence delegation; many of these will have been inventoried at the very beginning of your project. You also need a good understanding of your IT organizational...

Creating the Dummy DNS Delegation

Return to the forest root server and use the Computer Management console to create a DNS delegation. Use the following procedure: 1. Right-click the TandT.net Forward Lookup Zone and select New Delegation from the context menu. This launches the New Delegation Wizard. Click Next. 2. Type the name of the domain you want to delegate, in this case Intranet. Click Next. 3. Click Add. Type the fully qualified domain name of the first domain controller in the child domain (for example,...
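The wizard above writes two records into the parent zone: an NS record that names the child's DNS server and a glue A record so the parent can answer with that server's address. The script below is an added example, not the book's procedure: it creates the same delegation from the command line with dnscmd on the forest root DNS server and then verifies it. Only the parent zone TandT.net and the child label Intranet come from the text; the child DC name dc01.intranet.tandt.net and its address 10.10.0.10 are hypothetical.

```powershell
# Added example: create and verify a child-domain delegation with dnscmd.
# Run on (or against) the forest root DNS server with DNS admin rights.
param(
    [string]$ParentZone  = "TandT.net",                # from the text
    [string]$ChildLabel  = "Intranet",                 # from the text
    [string]$ChildDcFqdn = "dc01.intranet.tandt.net",  # hypothetical
    [string]$ChildDcIp   = "10.10.0.10",               # hypothetical
    [string]$DnsServer   = "."                         # "." = the local DNS server
)

# The child's name server must live under the parent zone for glue to make sense
if (-not $ChildDcFqdn.ToLower().EndsWith("." + $ParentZone.ToLower())) {
    throw "$ChildDcFqdn is not inside $ParentZone; a glue record cannot be created here"
}

# 1. NS record in the parent zone: "who is authoritative for Intranet.TandT.net?"
& dnscmd $DnsServer /RecordAdd $ParentZone $ChildLabel NS $ChildDcFqdn
if ($LASTEXITCODE -ne 0) { throw "adding the NS record failed (exit $LASTEXITCODE)" }

# 2. Glue A record: the name server sits inside the zone being delegated, so the
#    parent must be able to hand out its address without recursing into the child.
#    Node name is the FQDN relative to the parent zone, e.g. dc01.intranet
$glueLabel = $ChildDcFqdn.Substring(0, $ChildDcFqdn.Length - $ParentZone.Length - 1)
& dnscmd $DnsServer /RecordAdd $ParentZone $glueLabel A $ChildDcIp
if ($LASTEXITCODE -ne 0) { throw "adding the glue A record failed (exit $LASTEXITCODE)" }

# 3. Verify: the delegation as stored, then as resolved by the configured resolver
& dnscmd $DnsServer /EnumRecords $ParentZone $ChildLabel /Type NS
& dnscmd $DnsServer /EnumRecords $ParentZone $glueLabel  /Type A
& nslookup -type=NS "$ChildLabel.$ParentZone"
```

If the nslookup step returns the NS record but no address for the name server, the glue record is missing or at the wrong node; that is the failure mode that makes dcpromo for the child domain hang on name resolution.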

A Structured Approach Using Standard Operating Procedures

To reduce costs and improve network stability, the corporation must implement standard operating procedures (SOPs). SOPs not only ensure stability within a network, but can also greatly reduce costs. Having documented SOPs, even for interactive or manual procedures, vastly reduces the margin of error when performing the procedure. A well-designed SOP also supplies a contact point for reference if something goes wrong during its execution. But technical staff often do not have the time or...

Integration with Active Directory

Full support for the Windows operating system today also means integration with Active Directory. Each shared printer is published within the directory, much as file shares are, and printers are published by default. Each published printer is stored as a printQueue object beneath the print server's computer object in that server's domain. Users can search the directory for printers and automatically connect to the appropriate printing service. AD stores information about printer features and locations. Locations especially...
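Searching the directory for printers is exactly what the Add Printer wizard does when a user picks "Find a printer in the directory"; the script below does the same thing from the command line. It is an added example, not the book's code: it queries the domain for printQueue objects whose location starts with a given prefix and shows the UNC path and the feature attributes clients use to pick a printer. The location prefix "Paris/Floor 2" is hypothetical, and the script assumes domain credentials and ADSI.

```powershell
# Added example: find printers published in AD by location prefix.
# Assumes: domain-joined machine, domain user credentials, ADSI.
param([string]$LocationPrefix = "Paris/Floor 2")   # hypothetical location

$rootDse  = [ADSI]"LDAP://RootDSE"
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext.Value)

# Escape LDAP filter metacharacters (RFC 4515) in the user-supplied prefix so it
# cannot turn into a wildcard or change the filter structure. Backslash goes first.
$escaped = $LocationPrefix -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
$searcher.Filter   = "(&(objectCategory=printQueue)(location=$escaped*))"
$searcher.PageSize = 500
"uNCName", "location", "driverName", "printColor", "printDuplexSupported", "serverName" |
    ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }

$results = foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties   # keys come back lowercase; multi-valued, so take element 0
    $get = { param($n) if ($p.Contains($n) -and $p[$n].Count -gt 0) { $p[$n][0] } else { "" } }
    New-Object PSObject -Property @{
        Printer  = & $get "uncname"        # \\server\share a client connects to
        Location = & $get "location"
        Driver   = & $get "drivername"
        Color    = & $get "printcolor"
        Duplex   = & $get "printduplexsupported"
        Server   = & $get "servername"     # the print server whose computer object holds the queue
    }
}

if (@($results).Count -eq 0) { "No published printers found under location '$LocationPrefix'" }
else { $results | Sort-Object Location, Printer | Format-Table Printer, Location, Color, Duplex, Driver, Server -AutoSize }
```

If a printer you expect to see is missing, check the print server first: the object lives under that server's computer account, so a server that is not publishing (or has been removed from the domain) takes its queues out of the directory with it.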

Multicast versus Unicast Modes

NLB clusters operate in either Multicast or Unicast mode; the default is Unicast. In Unicast mode, NLB replaces the MAC address of each member's cluster-enabled NIC with the cluster MAC address. If each member has only one NIC, member-to-member communication is not possible in this mode, which is one reason it is best to install two NICs in each server. In Multicast mode, NLB adds a cluster multicast MAC address to the cluster adapter, which also keeps its own unicast address. This mode ensures...

Quick Tip

You could also use Active Directory in Application Mode (AD/AM) for this purpose. AD/AM is a special directory service, an add-on to WS03, that is designed to run as a pure Lightweight Directory Access Protocol (LDAP) directory. Its schema is much smaller than AD's, containing about 30 object classes and 160 attributes. More information is available at http...

Configuration data: the structure of the forest, the number of trees it contains, and the domains in each tree, as well as the structure of...

Microsoft MetaDirectory Services

Microsoft Metadirectory Server

MMS is a special application designed to oversee multiple directory services. It manages the operations of several directories to ensure data integrity. If you install MMS over AD and identify AD as the primary source of information, MMS will automatically modify the values in the other directory services when you modify values in AD. The Standard Edition of MMS is available for free (http://www.microsoft.com/mms) and is designed to support the integration of data between AD, AD/AM, and...

.NET Framework Authentication

Since the .NET Framework uses Web services, its authentication models rely heavily on IIS, but the framework itself provides some core functionality through role-based security (RBS). RBS in the framework can rely on three types of authentication: forms-based authentication (which issues a cookie), IIS authentication, and Windows authentication. The first must be programmed within the Web service; the second and third are administered by network operations. The...

The Castle Defense System

Layered Perimeter Security Castle

The best way to define an ESP is to use a model. The model proposed here is the Castle Defense System (CDS). In medieval times, people protected themselves and their belongings with a defense system based primarily on cumulative barriers to entry. If you have ever visited a medieval castle or seen a movie with a medieval theme, you will remember that the first line of defense is often the moat. The moat is a barrier designed to stop people from reaching the...