To connect to the Internet, you will need to have a registered IP address for your network. Some organizations, however, require far more addresses than they have available in their registered address set. To get around this issue, Request for Comments (RFC) 1918 provides unregistered addresses. To use them and still connect to the Internet, the organization must translate between a registered IP address that is applied to an interface connected to the Internet, and the unregistered IP addresses that are applied to the hosts on the internal network. This process is called network address translation (NAT). RFC 1918 reserves the following addresses:

Class A: 10.x.x.x
Class B: 172.16.x.x to 172.31.x.x
Class C: 192.168.1.x to 192.168.254.x

RFC 1918 is available at ftp://www.arin.net/rfc/rfc1918.txt
The remaining addresses from 224 through 239 are reserved for class D, or multicasting. From 240 through 255, the addresses are considered class E or experimental. No matter what address a host is assigned, it must be unique on the internetwork.
IP addressing and routing can be performed without the use of classes. This is called Classless InterDomain Routing (CIDR). Each distinct route on the network is not advertised separately. Instead, it is aggregated with multiple destinations. One benefit of using CIDR is to reduce the size of the routing tables.
Each address must have a way of separating the network’s IP address from the host’s IP address. This is achieved with a mask. When you “subtract” the mask from the full address, the result separates the two. Each class of addresses has its own default mask. A class A address has the default mask of 255.0.0.0. As you see, the first octet is masked, enabling the IP address portion to remain. The default mask for class B is 255.255.0.0, and the default mask for class C is 255.255.255.0.
When a network administrator wants to apply a network address to two different network segments, the IP address must be subnetted. Subnetting is the process of shifting the boundary from the network portion into part of the host portion. This creates multiple subnets that can be applied to physically distinct network segments.
Subnets are achieved by adding more 1 bits to the default mask. For instance, a subnet mask for a class A address could be 255.192.0.0 instead of 255.0.0.0. The addition of two 1 bits changed the mask.

If you add two 1 bits to a class C subnet mask, you create two subnets, each with a possible 62 hosts available to it. If you add three 1 bits, you create six subnets, each with a possible 30 hosts.
For Managers

Dynamic Host Configuration Protocol for IP Address Management

Until Dynamic Host Configuration Protocol (DHCP) arrived, IP address management was the bane of many a network administrator’s existence. Each host was matched up with an IP address that had to be unique from all other IP addresses. In addition, the IP address uses a mask to determine on which network segment the host is located; to do so, all hosts on the same segment had to have the same mask. Errors in IP addressing, such as duplicate IP addresses and wrong subnet masks, were common. In addition, there tended to be an inefficient assignment of IP addresses. If a user went on vacation, his or her workstation’s IP address went unused during that time. If a workstation was replaced, it may have been assigned a new IP address and the old one remained assigned to a computer that was no more than a ghost on the network.

With a dearth of IP addresses available, network administrators needed to reclaim any unused IP addresses that they could. DHCP was helpful because it could allocate an IP address automatically, as it was needed, and configuration of the mask was performed a single time for a group of IP addresses. Above all, DHCP assigned IP addresses through a leasing system that reclaimed an IP address after the lease expired.
Case Studies

Throughout this book, various chapters will include discussions about implementing the technology for two fictional companies.
ABC Chemical Company
The ABC Chemical Company has the following characteristics. It is a large industrial chemical company involved in the manufacturing of pharmaceuticals, household products, and raw chemical supplies for clientele. The company is housed in one large area—a campus environment—with the exception of two distribution warehouses: one on the east coast, one on the west coast.
The main campus consists of three large complex buildings that house the company’s five main departments: Research and Development, Executive Management, Sales and Marketing, Distribution, and IT/

to upgrade to Windows 2000 and Active Directory is being considered in order to stay within FDA and government requirements for Internet and company security. Secondary objectives are to increase productivity and collaboration between the departments. There is also a desire to gain a strategic advantage over competition by utilizing video and audio conferencing over the Internet for sales and communication with clients. Finally, the IT department intends to cut costs of administrating the internetwork.
To accommodate the networking needs of the LAN environment on a campus backbone design, the company is investigating whether to deploy a “hub and spoke” switch-intensive design. The three main buildings at the main campus would be linked in a triangular fiber gigabit configuration to allow for redundant backbone functionality while providing the best possible speed between the campus buildings. The switched network is proposed to be configured with two gigabit switches at the core, equipped with dual Route Switch Modules (RSM) and Supervisor cards. One of the gigabit switches may be configured as an online backup to the other gigabit switch utilizing Hot Standby Routing Protocol (HSRP) to allow for a completely redundant network core. The RSM modules will be programmed to route between the department virtual local area networks (VLANs) (see later) and outlying company resources.

Department switches are proposed to run into the core switches via fiber gigabit links to allow for connectivity to the user community. Each set of department switches will be configured with their own VLAN, thus allowing for better network performance within the departments and for tighter physical network security for data-sensitive areas such as Human Resources (a subsection of the Executive Management department) and Research and Development.

The IT department is considering setting up its own VLANs, to be used exclusively for the corporate server farm and server backup systems. The IT department also houses two routers that it intends to keep: one for the Internet and voice communications systems and another to allow access via frame relay to the warehouse facilities.
West Coast Accounting, L.L.C.
West Coast Accounting, Limited Liability Corporation, is a medium-sized accounting firm with offices in key cities up and down the west coast. There are offices in Seattle, Los Angeles, Portland, and Phoenix, with the main headquarters in San Francisco. The San Francisco office has 100 employees, including Executive Management, Human Resources, Accounting, and IT departments. The IT department handles all connectivity to the Internet, e-commerce, and Web-hosting tasks, as well as thin-client server management and remote dial-in systems. Each of the branch offices houses 50 employees, including accountants and support staff. There are a total of 300 employees.

The company has grown over time via acquisition of smaller individual companies. This caused a scenario in which IT has had to support multiple network operating systems and configurations including peer-to-peer Windows sharing, Windows NT server/client architecture, and Novell NetWare architecture, as each acquisition was incorporated into the network. All interoffice collaboration was done via phone, fax, or individual Internet e-mail accounts.
The decision to install a Microsoft Windows 2000 and Cisco environment is being considered due to West Coast’s need to consolidate the company onto one cohesive networking system. This would allow data access to all offices and the Internet via one network in order to reduce overall communications and network administration costs, and to integrate the e-mail systems into one MS Exchange system for interoffice collaboration.

Secondary objectives are to create an Internet presence for the entire company under one Internet domain and to replace the old analog dial-in systems with a more secure and dynamic virtual private network (VPN) access system. Finally, there is a desire to implement Voice over IP (VoIP) in the future to eliminate the long distance phone bills inherent in the operations of the multicity company.

Under consideration is a new WAN design in which a new Cisco-routed architecture will be implemented over Frame Relay connections. The main site will have a switched core for the user community and central server farm running Windows Terminal Server (for centralized applications for billing and reporting) and will be linked to the remote offices using redundant core Cisco 3640 routers linked over Frame Relay to Cisco 2610s out at the offices. The Internet will be connected at the main site using a 2610 router equipped with the IP Plus feature set to allow for NAT translation and Cisco PIX Firewall capability.
Summary
Directory enabled networking (DEN) is a new technology specification that was originally developed by Microsoft and Cisco. The two companies then presented their specification to the Distributed Management Task Force (DMTF) and the Internet Engineering Task Force (IETF) for standardization. DEN specifies a directory service, which has a common schema. The schema is the list of classes, or types of objects, that can exist within the directory. It also describes the attributes, or values, of the objects. Objects represent the services, resources, or user accounts that can participate on the network. The directory service can specify the policies that manage how these objects relate to each other.

DEN’s value is in becoming a standard. If directory services developed by different vendors all meet DEN requirements, then different vendors’ directories can be integrated. The fewer directory services there are, the less administrative overhead will be utilized. This can free up a traditional information technology staff for more interesting projects than managing multiple user accounts in multiple directories.

One of the opportunities for DEN is to enable policy-based networking such that a user’s account can be granted various capabilities on the internetwork through the application of a policy. The alternative to policy-based networking is to micromanage the granting of capabilities when necessary—for the IP address or host name of the user’s computer.
Windows 2000 is the latest operating system released by Microsoft. This operating system has four versions:

■ Windows 2000 Professional: The workstation version, also considered the upgrade for Windows NT Workstation v4.0.
■ Windows 2000 Server: The workgroup server version, considered the upgrade for Windows NT Server v4.0.
■ Windows 2000 Advanced Server: The enterprise server version, considered the upgrade for Windows NT Server v4.0 Enterprise Edition.
■ Windows 2000 DataCenter Server: A special original equipment manufacturer (OEM) release for high-performance server equipment.
Microsoft has released Windows 2000 with a new feature called Active Directory. Active Directory is a directory service that provides a hierarchical management of the Microsoft network resources, services, and user accounts. The Active Directory is an implementation that closely resembles the DEN specification.

Cisco develops routing and switching equipment. Cisco routers run the Cisco Internetwork Operating System (IOS). The IOS has the capability of scaling from small workgroup networks to global, wide area networks. Cisco produces not only the equipment and its operating system, but also several applications. Some of the tools available for designing and managing a Cisco internetwork include:

■ Cisco ConfigMaker: A free design tool that runs on Windows PCs.
■ Cisco FastStep: A free configuration tool for some of the Cisco routers and access servers, which also runs on Windows PCs.
■ CiscoWorks: A suite of management applications that has versions available for UNIX and for Windows.
Cisco and Microsoft converge their technologies with the Cisco Networking Services for Active Directory (CNS/AD). This technology enables true policy-based networking extended to the routing and infrastructure equipment on the internetwork.

Networking basics apply to understanding the Microsoft and Cisco technologies. These include the Open Systems Interconnection (OSI) protocol reference model developed by the International Organization for Standardization (ISO). The OSI model encompasses seven layers:

■ Application layer (Layer 7): Provides the user interface and application interface to the network.
■ Presentation layer (Layer 6): Provides data format services such as encryption and compression.
■ Session layer (Layer 5): Establishes, maintains, and terminates end-to-end sessions between two network hosts.
■ Transport layer (Layer 4): Provides data multiplexing, segmentation, and end-to-end reliability services.
■ Network layer (Layer 3): Specifies the logical network segment and logical network node addressing, and provides routing of data between distinct physical segments.
■ Data-link layer (Layer 2): Composed of two sublayers—the Media Access Control and the Logical Link Control layers. Provides the physical, or hardware, address; also known as the MAC address.
■ Physical layer (Layer 1): Specifies the data signaling and physical cabling in order to provide the raw bitstream of data over media.
The Department of Defense (DoD) created a model for the TCP/IP protocol stack. This is a four-layer model consisting of these layers:

■ Application layer: Handles application interface, data formatting, and end-to-end session services.
■ Host to Host Transport layer: Handles data multiplexing and segmentation services; also enables reliability services.
■ Internetwork layer: Specifies the logical network and node addressing, and the routing of the data throughout the internetwork.
■ Network Access layer: Specifies the media access, hardware addressing, and the raw bitstream and frame format for data.
In addition to understanding these models, you will need to understand the workings of Internet Protocol addressing. IP version 4 addressing is the most commonly used scheme on the Internet. It uses a 32-bit address and is commonly denoted in a dotted decimal format. Each byte is translated to a decimal by adding the binary value of the 8 bits, and then it is separated by a dot. The IP address of 01100111111100001010101100010011 is translated to 103.240.171.19 for dotted decimal format.

There are three commonly used classes of IP addresses:

■ Class A: All networks with the first octet from 1 through 126 (network 127.x.x.x is reserved for loopback). The default subnet mask is 255.0.0.0.
■ Class B: All networks with the first octet from 128 through 191. The default subnet mask is 255.255.0.0.
■ Class C: All networks with the first octet from 192 through 223. The default subnet mask is 255.255.255.0.
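As an added example, not taken from the book, the following Python script works through the addressing rules above in code: the binary to dotted-decimal conversion, classful identification with default masks, the RFC 1918 private-range check (using the ranges as published in RFC 1918 itself, where the class C block is the whole of 192.168.0.0/16), separating the network and host portions with a mask, and the classful subnet counts from the subnetting discussion earlier (two borrowed bits on a class C network give 2 subnets of 62 hosts, three give 6 of 30). All function names are my own.

```python
"""Classful IPv4 helpers for the addressing rules discussed in the text."""
import ipaddress

# RFC 1918 private address blocks as published in the RFC.
RFC1918_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Default (classful) masks for the three commonly used classes.
DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def bin_to_dotted(bits: str) -> str:
    """Convert a 32-character binary string to dotted-decimal notation.

    Each 8-bit byte is converted to decimal and the four values are joined
    with dots, e.g. 01100111111100001010101100010011 -> 103.240.171.19.
    """
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError("expected a 32-bit binary string")
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, 32, 8))


def dotted_to_int(addr: str) -> int:
    """Parse dotted decimal into a 32-bit integer (raises on bad input)."""
    return int(ipaddress.IPv4Address(addr))


def address_class(addr: str):
    """Return (class, default mask) from the first octet using classful rules.

    127.x.x.x is reported as 'loopback'; class D (224-239, multicast) and
    class E (240-255, experimental) have no default mask.
    """
    first = int(addr.split(".")[0])
    if first == 127:
        return ("loopback", None)
    if 1 <= first <= 126:
        cls = "A"
    elif 128 <= first <= 191:
        cls = "B"
    elif 192 <= first <= 223:
        cls = "C"
    elif 224 <= first <= 239:
        return ("D", None)
    elif 240 <= first <= 255:
        return ("E", None)
    else:
        raise ValueError("first octet 0 is not a valid classful network")
    return (cls, DEFAULT_MASKS[cls])


def is_rfc1918(addr: str) -> bool:
    """True if the address falls in one of the RFC 1918 private blocks."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in RFC1918_RANGES)


def split_address(addr: str, mask: str):
    """Separate the network and host portions by ANDing with the mask."""
    a, m = dotted_to_int(addr), dotted_to_int(mask)
    network = a & m
    host = a & (~m & 0xFFFFFFFF)
    return (str(ipaddress.IPv4Address(network)),
            str(ipaddress.IPv4Address(host)))


def subnet_summary(addr: str, mask: str):
    """Count subnets and hosts the classful way used in the text.

    'Borrowed' bits are the 1 bits added beyond the class default mask.
    The all-zeros and all-ones subnets are excluded (2**n - 2 subnets) and
    each subnet loses its network and broadcast addresses (2**h - 2 hosts),
    which reproduces the 2 x 62 and 6 x 30 figures for a class C network.
    """
    cls, default_mask = address_class(addr)
    if default_mask is None:
        raise ValueError(f"class {cls} addresses are not subnetted")
    m = dotted_to_int(mask)
    inverted = ~m & 0xFFFFFFFF
    if inverted & (inverted + 1):  # 1 bits must be contiguous from the left
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    mask_bits = bin(m).count("1")
    borrowed = mask_bits - bin(dotted_to_int(default_mask)).count("1")
    if borrowed < 0:
        raise ValueError(f"{mask} is shorter than the class {cls} default")
    host_bits = 32 - mask_bits
    subnets = 2 ** borrowed - 2 if borrowed > 0 else 1
    return {"class": cls, "borrowed_bits": borrowed, "subnets": subnets,
            "hosts_per_subnet": 2 ** host_bits - 2}


if __name__ == "__main__":
    # Constructed sample values; the first is the binary address from the text.
    print(bin_to_dotted("01100111111100001010101100010011"))
    for sample in ("103.240.171.19", "172.20.1.1", "192.168.254.1", "224.0.0.5"):
        print(sample, address_class(sample), "private" if is_rfc1918(sample) else "public")
    print(split_address("103.240.171.19", "255.0.0.0"))
    print(subnet_summary("192.168.1.0", "255.255.255.192"))
    print(subnet_summary("192.168.1.0", "255.255.255.224"))
    print(subnet_summary("10.0.0.0", "255.192.0.0"))
```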
FAQs

Q: What are the advantages of directory enabled servers?

A: A suite of directory enabled server applications can share information. Another advantage is that network devices don’t need to be compatible with multiple schemas; they only need to speak a standard protocol.

Q: Does DEN replace SNMP?

A: No. DEN is not a protocol like SNMP; it is a storage system that can store policies.
Chapter 2

A Tour of Windows 2000

Solutions in this chapter:

■ Windows 2000 overview
■ Understanding the changes since Windows NT 4
■ The Active Directory architecture
■ Migrating an NT network to Windows 2000
Fasten your seatbelt! We are going to take a turbo-ride of Windows 2000. This is one-half of the technology that will guide how your network works. The other half is, of course, your Cisco infrastructure. This chapter will give you an overview of the Windows 2000 features that you will be implementing in your environment. As you read further chapters, it will be like peeling back the layers of an onion; each one will give you more information until you finally understand the whole architecture.
What’s New Since Windows NT 4
Although Windows 2000 does not mention “NT,” it is still built on that technology. In fact, Windows 2000 was originally named “Windows NT 5.0.” There are four versions of Windows 2000:

■ Windows 2000 Professional: This operating system has the capability of sharing files in a workgroup environment. Enterprise workstations are typically consumers of information, rather than providers. Windows 2000 Professional is the upgrade to Windows NT Workstation v4.0.
■ Windows 2000 Server: This is one of the 32-bit network operating systems in the Windows 2000 family and is meant for the business server. It supports up to four processors, Terminal Services, Active Directory, and security features such as IP Security and Kerberos authentication. This is the upgraded version of Windows NT Server v4.0.
■ Windows 2000 Advanced Server: Windows 2000 Advanced Server builds upon the features of Windows 2000 Server. It supports up to eight processors, up to 8GB of RAM, two-node clusters, and network load balancing. This version is upgraded from Windows NT Server 4.0 Enterprise Edition.
■ Windows 2000 DataCenter Server: This version will be released by Original Equipment Manufacturers (OEMs) as a network operating system that is customized for an extremely high-end server. It supports up to 32 processors and four nodes within a cluster. DataCenter Server is new, not an upgrade from Windows NT.
Active Directory
Active Directory is the directory service that organizes all Windows 2000 user accounts, group accounts, servers, domains, domain controllers, and security policies together into a hierarchical or tree structure. The directory service is actually an Extensible Storage Engine (ESE) database that is distributed across multiple domain controllers. Distribution of the database means that it must be synchronized whenever a change is made. This is done through multimaster replication. All domain controllers are masters of their own database portion. This means that, unlike Windows NT, there is no primary domain controller (PDC) that owns all the changes and copies them to backups. Instead, each domain controller can have a change made on it, and that change is then replicated to all other domain controllers to synchronize them.

The Active Directory is a key differentiator between Windows 2000 and Windows NT. It enables central management of the Windows 2000 network. Even though there still exists a domain architecture for Windows 2000 domain controllers, Active Directory provides the Global Catalog (GC), which holds partial information about all user accounts and network resources from every participating Active Directory domain, to make them available network-wide.

Group policies can be distributed through the Active Directory domains, sites, and organizational units (OUs) to define and control the environments of users and desktops. These policies are a major portion of Intellimirror desktop management and automated software distribution.

From an administrative point of view, Active Directory’s hierarchical structure lets an administrator delegate specific rights and privileges to other administrators. For example, an administrator can be given only the right to change passwords for a group of users, but not for others. The common way to manage users is through the Active Directory Users and Computers Console shown in Figure 2.1.
Installation Options
For those of you who have deployed Windows NT Workstation in an enterprise environment, the enhancements made to Windows 2000 Professional installation features will be deeply appreciated. There are three ways to deploy Windows 2000:

■ SYSPREP
■ Remote Installation Service
■ Unattended
SYSPREP is a method of copying an entire image from one workstation and using it on another with a nearly identical set of hardware. You should use SYSPREP when you have few different types of hardware, and a standard image with identical applications. SYSPREP does not offer much in the way of customization of the image during installation; it is only while creating the image that you will be able to select the applications and configure the machine, or after you have “splatted” the image onto the workstation. This method is used for fresh installations, not upgrades.

Remote Installation Services (RIS) offers the shortest time for installing Windows 2000 and begins with an application called RIPREP, which is similar to SYSPREP. RIS requires that all the workstations have a Pre-boot-Execution-Environment (PXE)-capable Beginning Input Output System (BIOS) or network interface card (NIC). You will also need a Windows 2000 Server to provide the RIS. A PXE-capable NIC from some manufacturers, like 3Com, may come with management software. If not, there may be management software available from the manufacturer, so that the workstation (through the NIC) can be “awakened” and installed or configured remotely without any need for someone’s presence at the other end. The disadvantage to RIPREP, however, is the same as the SYSPREP issue in that the image is established for a rigid set of hardware and applications and is only used for fresh installations. Figure 2.2 shows the location of the RIS.

Figure 2.1 A view of the Active Directory Users and Computers snap-in

An unattended installation using a file called unattend.txt is the legacy installation method from Windows NT 4. It does take longer to install a workstation using unattend.txt because each application and the entire operating system are installed from scratch. One thing about the unattended installation is that you can use a different unattend.txt for different types of hardware. However, the base set of installation files is identical, which offers significant savings in storage and flexibility for hardware types. You can use unattend.txt files for upgrades and complete format and reinstallations. It takes much more time to configure an unattend.txt install project in the lab, but the flexibility of it saves time at the desktop.
Figure 2.2 Remote Installation Service

Security Options

Windows 2000 comes with a host of new security features:

■ IP Security (IPSec), which is a way of encrypting traffic that passes on the network.
■ Layer 2 Tunneling Protocol (L2TP) for an industry standard virtual private network (VPN) over the Internet.
■ Kerberos authentication for the Active Directory.
■ The Encrypting File System, which allows users to encrypt data on their local hard drive.
■ The Server version has a service for certification authority that can pass out certificates for security purposes.
■ It implements Public Key Infrastructure (PKI) using a system of digital certificates provided by Certificate Authority servers.

Besides these security options, Windows 2000 uses legacy security methods from Windows NT for backward compatibility. When installed as a standalone server, legacy NTLM (Windows NT Challenge/Response authentication) security is used to authenticate users. When using remote access services, the server implements protocols like Point-to-Point Tunneling Protocol (PPTP) for virtual private networking, and Microsoft Challenge Authentication Protocol (MS-CHAP) for authentication.
Internet Information Services

What used to be delivered as a separate product for Windows NT is now available as part of Windows 2000. Internet Information Services provides a production quality Web server. It also provides File Transfer Protocol (FTP) services, and fulfills other ancillary needs as well.
Terminal Services

The history of Terminal Server is an interesting one. Back during the days of Windows NT 3.5, a company named Citrix licensed Windows NT from Microsoft and extended it to enable remote control of separate console sessions by multiple, simultaneous users in an architecture called Multiwin. Users could run these remote sessions from DOS, Windows 3.1, and other operating systems that might not support 32-bit Windows applications through a client application using a low-bandwidth protocol called Independent Computing Architecture (ICA). Citrix named this product WinFrame.

When Windows NT 4 was introduced, Microsoft announced that it would develop a similar functionality for Windows NT 4. After that, Microsoft and Citrix worked out an agreement to license back the Multiwin portion of the Citrix architecture. Microsoft then introduced Windows NT 4 Terminal Server Edition based on this technology with their own client for 32-bit Windows. Citrix retained the ICA portion as an add-on product to Terminal Server called MetaFrame, which supports clients with both 32-bit Windows and other operating systems. Terminal Services are now included in the Windows 2000 Server family (see Figure 2.3).

Figure 2.3 Terminal Services

As administrators of Novell’s NetWare servers know, one of the drawbacks of managing Windows NT servers was the lack of a remote control function for the server (such as NetWare’s RCONSOLE). Now, with Terminal Services for Windows 2000, remote control makes managing a Windows 2000 server easy—even across a phone line. The benefits of using Terminal Services for management have been realized by Microsoft, and there is now a way to install Terminal Services with licensing meant just for management of the server.

Remote Access Protocols

Remote access protocols have improved. Besides a standard Point-to-Point Protocol (PPP) connection over a phone line, a user can connect remotely to a network via the PPTP and L2TP/IPSec. PPTP and L2TP/IPSec provide a VPN through the Internet. The value of L2TP/IPSec is that the data is encrypted while traveling across the wire. For example, if a user connects with L2TP/IPSec and runs an e-mail application, that user’s e-mail messages would not be readable if a packet sniffer picked them up. The Routing and Remote Access Console is illustrated in Figure 2.4.
Figure 2.4 Routing and Remote Access Console

Network Load Balancing

Network load balancing is only available for Windows 2000 Advanced Server and DataCenter Server versions. When implemented, clients perceive that there is a single server responding to their requests, when in fact, there are multiple servers providing the same service. For example, in Figure 2.5 a workstation tries to access a Web site called www.domain.com. This Web site is replicated on three different servers. When the client makes the request, it is directed to the server that is the least busy. Network load balancing can ensure that a Web site is highly available and provides a high performance level. Both of these are requirements for an Internet Web server, since timeouts and Server Not Found errors can cause a business to lose money and have irreparable damage to their brand name. Windows 2000 implements network load balancing as part of cluster services. This pairing of services effectively takes a highly reliable solution (clustering) and turns it into a highly available solution (clustering with network load balancing).

NOTE

Alternatives to network load balancing from Cisco: Allowing Windows 2000 Server to manage network load balancing may not be the best option, since it will require some processing power of the server itself. Cisco offers a hardware-based alternative that does not have this drawback: the Cisco Local Director. This box will direct traffic to designated servers that host a replicated service. The Local Director box expects to find these servers on the same local network. However, Cisco has a box called a Global Director that can perform this same request redirection to servers located anywhere in the world. The Global Director can even determine whether a client is located closer to one of the global servers and redirect its request to the closest one.
What Happened to WINS?

Windows Internet Naming Service (WINS) still exists in Windows 2000 if you choose to deploy it. WINS cross references a NetBIOS name for a host with its IP address. In Windows 2000, you can choose to deploy Domain Name System (DNS) without WINS, and servers will still be able to be located. However, some enterprises may choose to retain WINS, especially if they maintain a mixed NT/2000 environment for any period of time. The new version of WINS in Windows 2000 comes with some extra features. One is a new WINS Manager (see Figure 2.6) in which both dynamic and static records can be deleted.

Connections between WINS servers can be marked as persistent to ensure that there is less overhead in opening and terminating a connection. Persistent connections also speed replication.

Figure 2.6 WINS Manager
DNS Support

DNS is a requirement to run Windows 2000 Active Directory. Active Directory uses it as the locator service for domain controllers to communicate with other domain controllers, and for workstations to locate a domain controller and to log on to the network. While Windows NT did have a DNS service within it, Windows 2000’s DNS has several new features (Figure 2.7):

■ the DNS database, can be integrated into several Active Directory domain controllers, thus gaining those zones the benefits of multimaster replication.
■ DNS servers must support SRV RRs, because they are the type of DNS record that provides location of services.
■ dynamic updates—they are better than sliced bread. Dynamic updates allow DNS clients to update their own resource records on a DNS server. Without this functionality, a DNS administrator must manually edit IP addresses and host names on the DNS server—a tedious and time-consuming task.
■ remove stale records from the DNS database. Windows 2000 DNS has the ability to age records and remove them (scavenge) if they are not renewed.
■ secondary servers for a zone. Secondary servers periodically refresh their records by downloading the latest information from the primary server (called a zone transfer). In large DNS zones, this zone transfer can use up quite a bit of bandwidth. Incremental zone transfers reduce the bandwidth usage because they only download the changes that were made to the zone. In a fairly static environment, the bandwidth consumption is greatly reduced with this feature.

Figure 2.7 Windows 2000 DNS Console
For Managers

DNS Management during an Upgrade

DNS was not required for Windows NT; in fact, neither was TCP/IP. If you did deploy TCP/IP, WINS was the required service to map NetBIOS names to IP addresses. WINS is more self-sufficient than a traditional DNS system—not requiring every host to be manually entered as DNS requires. So how do you handle the transition from a WINS system to DNS when you upgrade to Windows 2000?

First, you’re not going to be able to migrate a WINS database to a DNS database without more work than it would take to simply enter in DNS resource records. Second, you’re going to need WINS to be online for awhile—you can’t just flip the switch one day and change from WINS to DNS.

What you will need is an understanding of your DNS system.

■ Do you have an existing DNS server? If not, you will need to install a compliant DNS server. Because you are already installing Windows 2000 servers, you should consider installing the Windows 2000 DNS service rather than looking elsewhere for a compliant DNS service.
■ If you have an existing DNS server, does it meet the minimum requirements for Windows 2000? If not, you will need to upgrade or replace that server with a compliant DNS server, or add a compliant DNS server to manage the Windows 2000 network.
■ If you have a compliant DNS system, does it already have the domain names for your Windows 2000 domains registered as zones within it? If not, you will need to register the zones in your system and add in all the A (Address) resource records for each of your Windows 2000 servers.
■ If you have a compliant DNS system, do you have enough DNS servers to provide redundancy and high performance for queries and authentication? If not, you will need to install DNS servers with secondary zones in each designated location. You can install the Windows 2000 DNS service and configure a secondary zone to an existing DNS server.
■ If you wish to have as self-managing a system as possible, you should turn on dynamic updates for DNS. This will ensure that each host registers its domain name and IP address in the DNS database, and your work is greatly reduced.

You will also need to determine your phase-out plan for WINS.

■ Do you have any systems that are dependent on WINS? If you do, you will need to upgrade, replace, or retire those systems in order to phase out WINS.
■ Will you be using mixed domains, both Windows NT and Windows 2000? If so, you should keep WINS until your domains are entirely Windows 2000.
■ Will you be upgrading your existing WINS servers to Windows 2000? If you are, you will need to upgrade the WINS service as well. If not, you will need to plan a date for retiring the WINS servers.
Trang 23Recovery Console
The Recovery Console for Windows 2000 is not installed by default
Instead, it is accessible through the Windows 2000 installation CD-ROM,
or it can be installed after the server is functional by executing WINNT32/CMDCONS from a command prompt The Recovery Console makes
recovery of a Windows 2000 computer much faster and easier to performthan it was in Windows NT For example, in Windows NT, a DOS diskettewas used to boot the server to recover it, but an NTFS partition could not
be accessed and repaired without the use of a third-party tool UnderWindows 2000, the Recovery Console is able to access an NTFS partition
so that failed drivers or corrupt files can be replaced from a source such asthe Windows 2000 installation CD-ROM
Quality of Service
Windows 2000 supports Quality of Service (QoS) in both the server andclient versions QoS is a method of marking packets with a priority so thatthey are allowed to consume a dedicated portion of network bandwidth.For this reason, all nodes, whether they are the end nodes or the routersand switches in the middle, must support QoS One of the main reasonsthat an enterprise implements QoS is for multimedia—video, audio, andtelephony These types of traffic suffer when they are interrupted, but per-form well when QoS provides them with a dedicated channel of bandwidth.QoS does not change the bandwidth available on the network Instead, itmakes more efficient use of that bandwidth by being able to place priority
on mission-critical traffic
File System Changes and Disk Support
Windows 2000, by default, supports NT File System (NTFS), File AllocationTable (FAT), and 32-bit File Allocation Table (FAT32) In addition, Windows
www.syngress.com
The general plan for changing over from DNS to WINS is simple.Install DNS servers on the network Enable all clients to act as DNS clients.Upgrade WINS servers if they will be used as Windows 2000 servers in thefuture Upgrade or replace all systems that require WINS (such asWindows NT servers) Set a date to retire the WINS service Establish aback-out plan Back up the WINS servers—twice Disable the WINS service
on each WINS server Be prepared for WINS errors If there are any, able the WINS service and then troubleshoot the system that had a WINSerror If not, wait for two weeks or longer before uninstalling WINS
Trang 24reen-2000 supports Compact Disc File System (CDFS) for CD-ROMs The newNTFS v5.0 is an upgraded version of Windows NT NTFS It has beenenhanced to support disk quotas, defragmentation while online, and com-pressed network I/O NTFS is required for all domain controllers, becauseActive Directory files cannot be stored on any other file systems The CON-VERT.EXE command is used to update a disk partition to NTFS All
domain controllers must be running NTFS before the Active Directory can
be installed The CONVERT/FS:NTFS command must be run with a switch
to indicate the file system FAT and FAT32 enable dual-booting and access
to local drives
In addition to the file system support, there are other enhancements to Windows 2000:

■ Encrypting File System (EFS)

■ Distributed file system (Dfs)

■ File Replication Services (FRS)

When Windows NT came out with NTFS, the file system itself was deemed a form of security. Without the password and ID to access the NT operating system, no one could access the files on the hard drive. However, once third-party tools (such as NTFSDOS) were introduced that could access an NTFS formatted partition from a DOS prompt, the files were no longer secure. In Windows 2000, EFS solves this security issue by enabling a user to encrypt files or folders on the local hard drive. EFS only works on local NTFS formatted disk drives. The user can see his own files, but no one else will be able to read them. EFS automatically decrypts the file to be used and re-encrypts it when it is saved. Because EFS is built into the file system, it is transparent to the user and difficult for hackers to attack. This is an ideal technology for laptops; it adds extra protection in the event a laptop is lost or stolen.

EFS uses a public and private key pair encryption technique. The user who encrypts a file is the only person assigned the private key. The public key is distributed from a PKI service. The public key encrypts the key, and the private key decrypts it. That means that the user must log on to the network in order to read encrypted files.
Most enterprises have multiple servers that are accessed by multiple users. It is not uncommon to see a user with several mapped drives to different servers in order to perform daily duties. If the administrator does not map drives in a logon script, the user is left to search out data on his own. If shared volumes have cryptic names or names that have little to do with their contents, it will take far longer for a user to find the data he needs to perform his job, which, unfortunately, leads to a form of “productive downtime.” Dfs can resolve this dilemma.

Dfs is a logical namespace. It enables an administrator to assign other names to shares, names that more closely reflect the contents of the share. Dfs also allows an administrator to map multiple shared volumes as subfolders of a single logical name—very handy when pushing the limitations of the alphabet for drive mappings.

Dfs consists of both a client and a server component, whose console is shown in Figure 2.8. The server component can be implemented as either a single machine Dfs, or as an Active Directory domain integrated Dfs. The machine Dfs stores the topology in the registry of the Dfs server. The Active Directory domain Dfs stores the topology in the Active Directory and further supports replication via FRS.

FRS replicates data between domain controllers and requires NTFS. It is automatically installed to support the replication of the NetLogon component of the Active Directory domain controllers. Only changes to data are replicated between the multimaster domain controllers. My recommendation for the maximum data to be replicated during a 24-hour period is 1GB.
Figure 2.8 DFS Console
Active Directory Architecture

Because the Active Directory will influence much of the traffic on the network, you need to understand its architecture. In general, Active Directory traffic can be subdivided into three types:

■ Query traffic

■ Authentication traffic

■ Replication traffic, which provides domain controllers with updates to the Active Directory database and to the contents of the FRS folder structure
Domain Architecture Changes

Like Windows NT, Windows 2000 Active Directory still implements domains. However, these domains are now organized in a different structure. In Windows NT, a domain was the single topmost component of a group of servers. In Windows 2000, the topmost component is the forest.

Forest

The forest is a group of domain trees as shown in Figure 2.9. All the domains within the forest share a schema, configuration, and Global Catalog (explained later in the chapter). The domain trees do not share a single namespace within a forest. For example, one domain tree may have TREE.COM as its namespace, while a second domain tree uses ROOT.COM as its namespace. Both of these domains are part of the same forest. However, only one of the domain trees can contain the root domain. The root domain of the forest is the first domain installed into the forest.

Domain Tree

A domain tree is a group of domains that all share a common namespace, schema, configuration, and Global Catalog. Note that namespaces cannot cross outside a domain tree or a forest. An example of a domain tree is the group of root.com domains shown in Figure 2.9 enclosed by an oval. The namespace shared is root.com, while the schema, configuration, and Global Catalog are shared by all forest-wide domains.
The Windows 2000 Active Directory domain is a group of domain controllers, much the same as it was in Windows NT. Each Active Directory domain is assigned a domain name, such as DOMAIN.COM, as well as a backward-compatible NetBIOS name, such as DOMAIN.

Another of the differences is that there is no longer a primary domain controller or backup domain controllers (BDC) in the domain. Instead, all domain controllers are equal. The domain information is stored in a strict partition of the Active Directory, and each domain is a separate partition. For example, Server1.root.com will have the same domain information stored within its Active Directory files as Server2.root.com, but will not have the same domain information as Host.tree.com. The fact that each domain holds a separate partition of the Active Directory plays a part in how replication of data affects your infrastructure. Balancing network utilization with user-perceived performance will play a part in deciding what the infrastructure looks like, as well as the Active Directory design.
Figure 2.9 An example of a forest and domain tree (figure labels: Forest; Domain Tree; root.com; sub.root.com; s1.sub.root.com; tree.com; leaf.tree.com)
One of the difficulties in managing a Windows NT domain was that a member server could not easily be updated to a domain controller or demoted. In Windows 2000, a server can easily be promoted to a domain controller and then demoted. This is done with the Active Directory wizard, which is the executable DCPROMO.EXE.

Sites

Sites are defined as a group of well-connected IP subnets. Whether links are considered to be “well-connected” between those IP subnets is going to be a subjective decision. Aside from that issue, a site is used to control the way query, authentication, and replication traffic is sent across the network. For example, when a user logs on to the network, the workstation attempts to log on to a domain controller that is located within its own site. When replication occurs within a site, it uses uncompressed Remote Procedure Call (RPC) based traffic. However, when replication occurs between sites, it uses compressed RPC-based traffic, but only on a scheduled basis. If replication occurs between sites and those sites do not share the same domain (meaning only Global Catalog, schema, and configuration data is exchanged), then the replication can be configured to use only Simple Mail Transfer Protocol (SMTP). As you can see, sites are the key to managing the Windows 2000 Active Directory traffic.
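The two decisions a site drives, which domain controller a workstation tries first and how replication between two controllers behaves, can be written down as a small Python model. This is an added example, not code from the book and not the Windows 2000 domain controller locator itself; the site-to-subnet table and the controller list are constructed samples, and the rule that a client on a subnet belonging to no site may use any controller is an assumption made for the example.

```python
"""Site lookup by IP subnet, and the replication mode between sites.

Added example, not code from the book or from Windows 2000. The subnet
table and controller list below are constructed sample data.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed site definitions: each site is a group of IP subnets.
# 10.1.50.0/24 lies inside 10.1.0.0/16 but belongs to a different site,
# so the lookup must prefer the most specific (longest prefix) match.
SITE_SUBNETS: Dict[str, str] = {
    "10.1.0.0/16": "Headquarters",
    "10.1.50.0/24": "Lab",
    "10.2.0.0/16": "Branch-East",
}

# Constructed list of domain controllers per site.
SITE_CONTROLLERS: Dict[str, List[str]] = {
    "Headquarters": ["dc1.root.com", "dc2.root.com"],
    "Lab": ["dc3.root.com"],
    "Branch-East": ["dc4.root.com"],
}


def site_for_address(address: str,
                     subnets: Dict[str, str] = SITE_SUBNETS) -> Optional[str]:
    """Site whose most specific subnet contains address, or None if no
    defined subnet covers it."""
    host = ipaddress.ip_address(address)
    best_len = -1
    best_site: Optional[str] = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if host in net and net.prefixlen > best_len:
            best_len, best_site = net.prefixlen, site
    return best_site


def logon_controllers(address: str) -> List[str]:
    """Controllers a workstation should try first: those in its own site.

    Assumption for this example: a client whose subnet belongs to no site
    has no site affinity, so every controller is a candidate.
    """
    site = site_for_address(address)
    if site is None:
        return sorted(dc for dcs in SITE_CONTROLLERS.values() for dc in dcs)
    return list(SITE_CONTROLLERS[site])


def replication_transport(site_a: str, site_b: str, same_domain: bool) -> str:
    """Replication behaviour between two controllers, as the chapter states:
    uncompressed RPC within a site, compressed scheduled RPC between sites,
    and optionally SMTP when the sites do not share a domain."""
    if site_a == site_b:
        return "RPC, uncompressed"
    if same_domain:
        return "RPC, compressed, scheduled"
    return "RPC, compressed, scheduled, or SMTP"


if __name__ == "__main__":
    for client in ("10.1.3.4", "10.1.50.7", "172.16.1.1"):
        print(client, site_for_address(client), logon_controllers(client))
    print(replication_transport("Lab", "Headquarters", same_domain=True))
```

A missing subnet definition is the failure mode to watch for: the lookup returns no site, and such a client can end up authenticating against a controller across a slow link, which is exactly the traffic the site design was meant to keep local.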
Organizational Units

If you are familiar with Novell's Directory Service (NDS) or with the directory service standard called X.500, then you can guess what organizational units (OUs) are. OUs perform the same function in the Active Directory. An OU is contained within a domain and is used as a container for accounts and network resources. OUs can be nested within each other, and as such, are able to create a hierarchical structure. The OU forms the basis for delegation of administration for groups of users within a domain. An example of an OU structure is shown in Figure 2.10.

User Accounts

Users are represented within the Active Directory as user accounts. Each user account is a separate object within the Active Directory database. User accounts provide end users with their logon IDs, and provide administrators with a method of providing access to network resources to those end users, and organizing information about the end users. Figure 2.11 illustrates how a user account is seen in the Active Directory.

Figure 2.10 An OU hierarchy
Figure 2.11 User account
Groups

Groups are a form of an account within the Active Directory that logically arranges a set of accounts into a single unit. An administrator can grant the group rights and privileges to network resources one time, and the members will receive those rights and privileges. Groups are a time saver when the same rights and privileges must be assigned to multiple users—especially hundreds or thousands of users. While groups did exist in Windows NT, they have somewhat different rights under Windows 2000 Active Directory. Groups can be classified in two ways:

■ Group type. A security group type is one that can be granted rights and privileges. A distribution group type is used solely for e-mail.

■ Group scope, which is domain local, global, or universal.

The group scope will act slightly differently depending on whether the domain is in native mode or mixed mode. Native mode is when the domain supports only Windows 2000 domain controllers. Mixed mode is the default state for a new domain, and is backward compatible to Windows NT backup domain controllers. For example, a domain local group can contain only user and global groups from any domain in mixed mode. In native mode, however, the domain local group can also contain universal groups from any domain and domain local groups from the local domain. Therefore, in native mode, groups can be nested. The one thing that group scope will affect network bandwidth utilization in, however, is the universal group. A universal group is only available as a security group in native mode. It replicates each member to the Global Catalog, which is replicated between domains across a forest. When there is a large universal group (with up to thousands of members), it can make replication much larger than it has to be. The fix for this is to only make other groups members of universal groups; that will cut down the membership and resulting replication traffic issues.
(RID) portion of SIDs (Security IDs that are applied to machines) to domaincontrollers to prevent conflicts within the forest