Building a Cisco Network for Windows 2000, Part 6

Format: 60 pages, 8.81 MB


Figure 7.10 Performance monitor for replication traffic.

Figure 7.11 Replication monitor.

www.syngress.com


Figure 7.12 Network monitor.

The problem with using the Network monitor lies in the fact that it captures every packet, and does not filter at the capture level according to the packet type. What you can do, however, is to set a port for RPC traffic by configuring the registry key at HKLM\System\CurrentControlSet\Services\NTDS\Parameters\TCP/IP Port.

Once the port for this is set, you can start the Network monitor. Next you will need to force replication by opening the Active Directory Sites and Services console, then right-clicking on the NTDS Settings objects below each domain controller object and selecting “Replicate Now.” Once replication has completed, you can review the captured packets for those with the port number you configured. Those will represent the RPC traffic. If you have configured a site link to use SMTP traffic, you should also look for packets using port 25.

Server Placement

Which servers do you place into which sites? Do they have to be domain controllers? Do they have to be Global Catalog servers? Which sites need DNS servers or DHCP servers? Where do you put a RAS server for dial-up? Where do you put a RAS server for VPN? What about a branch office with 30 users—do they need a domain controller or just a file and print server? Now server placement seems to be a dilemma—but it is one that is easily solved.

First, there definitely will be an impact on your network traffic when you place servers in various sites. The availability of the Active Directory is directly affected by the placement of various types of servers as well.

Domain Controllers

When you start this exercise, you should already have a site topology plan for your network. This will be your starting point for determining the placement of domain controllers. In addition to the site topology plan, you should have your domain/DNS plan, and an understanding of the physical location of the end-users who will exist in each domain. This will allow you to determine which domains span which sites, and vice versa, as shown in Figure 7.13.

Figure 7.13 Domains and sites spanning each other.
Tree.com spans both Site 1 and Site 2.
Site 1 spans tree.com and root.com.
Site 2 spans tree.com and sub.tree.com.

It is highly recommended that, for each domain existing within a site, you also place a domain controller for that domain. There are some exceptions to this recommendation—if you have a set of 10 users in a site for DOMAIN.COM, and you have 287 users in that same site belonging to ROOT.COM, then you will not need a DC for DOMAIN.COM in that site. However, if you have 100 users for DOMAIN.COM and 287 users for ROOT.COM, then you will probably want to include a DC from both

Imagine if you have a large campus network with five domains in a single site. You would want to put five different DCs in that single site simply to support authentication traffic. As you can see, the more domains that exist in a site, the more separate servers you will need. And this is not counting whether you need separate Global Catalog, DNS, DHCP, or other servers running in those sites yet.

Once you’ve decided which sites will receive at least one domain controller from the domains in your plan, you need to determine how many domain controllers total you will want for that domain. This decision will be based partially on the number of sites that you deem require a domain controller, and partially on the size and power of the server hardware that will support the domain controllers. A single-processor Pentium PC with a 4GB hard drive will not support even a fifth as many users as a four-processor Pentium III server-class machine with a 40GB RAID array. But you don’t want to max out your server to start with either; you need to plan to leave room for growth. You will want to take into account whether your domain controller will provide other services such as DNS, DHCP, or file and print services because these services will reduce the capacity of the domain controller to support the Active Directory services.

So, there is no magic formula regarding the number of users a domain controller will support. But there is a way of figuring out how many your domain controller will support. The first thing to do is to look at some statistics such as those in Table 7.2, and estimate what size servers you will need for today and for the future. Note that these are averages, and that there may be some differences in the size of your Active Directory objects and replication traffic based on the number of attributes you fill out in each object, whether you include custom attributes, and whether these attributes are copied to the Global Catalog.

Table 7.2 Sizing Statistics

Item | Description | Size
Security principal | User, Group, any object that can be granted rights to other objects | 3600 bytes
Nonsecurity principal | Organizational Unit, Organization, any object that is not granted rights to other objects | 1100 bytes
Attributes | Additional attributes added to support services on the network, such as DNS | 100 bytes per attribute

When you determine the size of your Active Directory storage needs, usually you can be assured that any standard hard drive will be able to house even the largest domain partitions. Use the following equation to estimate your storage needs:

(#Security Principals * 3600 bytes) + (#Non-security principals * 1100 bytes) = Active Directory Size

To ensure that you have enough space for growth, multiply this result by at least 200 percent or more, depending on your company’s growth over the last three years.

Active Directory Size * 200% = Minimum DC capacity required

If you have a domain with 200,000 users and 1000 organizational units, then you can safely estimate your AD database storage needs:

(200,000 * 3600) + (1000 * 1100) = 721,100,000 bytes = 687 MB * 200% = 1374 MB = 1.2 GB

Table 7.2 Sizing Statistics (continued)

Item | Size
[row label lost in extraction] | 13,000 bytes
The average amount of replication traffic generated within a site when changing a single attribute on an AD object | 4500 bytes
The average amount of replication traffic generated between sites when creating a new user account | 11,000 bytes
The average amount of replication traffic generated between sites when changing a single attribute | 4000 bytes

Table 7.2 shows that the size of the replication of new objects and changed attributes turns out to be more expensive than the incremental storage of that same data on a single DC hard disk. For example, if you have one DC storing all the objects in a single domain that is the only domain in its forest, then there is no replication traffic that will interrupt other network traffic on the wire. (However, you won’t have any redundancy in case that DC fails, so always make certain to have two DCs per domain.) If you have two domain controllers, then you will have one-time replication for each change on the Active Directory database. If you have three DCs, then replication will occur twice (from DC1 to DC2, then from DC2 to DC3) for each update on the Active Directory. Replication is simply the number of DCs minus one, as shown in Figure 7.14. Since hard drive storage is cheap and bandwidth has a lot of competition for its use by applications on the network, it is cheaper from a network traffic standpoint to maintain fewer DCs!

Figure 7.14 Active Directory replication between four DCs.

A DC’s processor utilization increases as the number of users increases in a domain. Several factors contribute to this phenomenon. The main issue is not replication or storage, but happens to be the number of users that log on simultaneously or query the network for resources at the same time. The differences in processor types that are supported by Windows 2000 are widely varied. Not only are the manufacturers and processor models variables, but the speed of the processor (MHz) and the supported bus speed of the motherboard (also in MHz, but different from the processor speed) are also variables—and these can make all the difference in how your processor performs. You will need to test your processor in a lab environment to determine its maximum simultaneous processing capabilities. You can test these capabilities using Performance monitor and simulation/benchmarking utilities. (You can find many simulation or benchmarking utilities on the Internet. One of the largest benchmarking software developers is ZDNet’s Benchmark Operation, whose Web site is www.zdnet.com/zdbop/.) But just finding the maximum simultaneous capacity is not enough; you need to consider the likelihood of that maximum capacity. For example, if you have a processor that reaches 99 percent utilization with 1000 simultaneous logons, you will also want to consider how often 1000 users would log on simultaneously. If 1000 people were to arrive at work at the same time and log on, they would probably do so within the space of several minutes. If you give them five minutes, then you would be estimating that your server could support up to 5000 users in a network before it was maxed out.

Again, the maximum capacity is not the beginning capacity for your network; you want to make certain to include enough room for growth. One way to do this is to add domain controllers to the domain. Another way to do this is to load up on the hardware for your domain controller. If you think that one processor will just about be sufficient to support your network, two processors will be better, and four will give that domain controller room for growth for quite a while.

Once you specify how many DCs you need in each domain, compare that to how many domain controllers you will need to support your sites. From this comparison, select the number of DCs that is larger. For example, if you have three sites and intend to place a DC in each, and you have determined that only two DCs are needed to support the domain’s users, then you will need three DCs in total. What is nice about this situation is that you know exactly where each DC will be placed. However, if you have three sites and you need five DCs to support the domain, then you must determine where to place the other two DCs. Look at the number of users in each site. If two of the sites have 200 users each, and the third site has 7000 users, then the two other DCs should be placed in the site with 7000 users. This method will ensure that the workload is balanced for those DCs.

Aside from balancing the workload, redundancy is another issue to consider when deciding the number of DCs per site. If a WAN link is untrustworthy (it fails often or is overutilized), you should ensure that the number of DCs in each site connected to that WAN link is at least two.
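The sizing and placement method above, carried through in code: the Table 7.2 storage estimate with the growth factor, replication cost per change, the logon-window capacity estimate, and the site placement rule. This is an added example, not code from the book; the function names, the greedy hand-out of extra DCs to the site with the most users per DC, and the whole-MB rounding that mirrors the book's arithmetic are my own choices, while the byte figures are the ones the page gives.

```python
"""Capacity-planning helpers for the domain controller method described
above. Added example, not code from the book."""
import math

# Per-object sizes (bytes) from Table 7.2.
SECURITY_PRINCIPAL_BYTES = 3600
NONSECURITY_PRINCIPAL_BYTES = 1100
ATTRIBUTE_BYTES = 100            # per additional attribute populated

# Replication cost per change (bytes) from Table 7.2.
INTRASITE_ATTRIBUTE_CHANGE = 4500
INTERSITE_NEW_USER = 11_000
INTERSITE_ATTRIBUTE_CHANGE = 4000

MB = 1024 * 1024


def ad_size_bytes(security_principals, nonsecurity_principals, extra_attributes=0):
    """(#security principals * 3600) + (#non-security principals * 1100),
    plus 100 bytes for each additional attribute."""
    return (security_principals * SECURITY_PRINCIPAL_BYTES
            + nonsecurity_principals * NONSECURITY_PRINCIPAL_BYTES
            + extra_attributes * ATTRIBUTE_BYTES)


def minimum_dc_capacity_mb(size_bytes, growth_factor=2.0):
    """Active Directory Size * 200% (or more) = minimum DC capacity.
    Mirrors the book's arithmetic: truncate to whole MB, then apply growth."""
    if growth_factor < 2.0:
        raise ValueError("growth factor must be at least 200%")
    return math.ceil((size_bytes // MB) * growth_factor)


def replication_bytes(num_dcs, changes, bytes_per_change):
    """Each change is replicated (number of DCs - 1) times; a lone DC replicates nothing."""
    if num_dcs < 1:
        raise ValueError("a domain needs at least one DC")
    return (num_dcs - 1) * changes * bytes_per_change


def users_supported(max_simultaneous_logons, arrival_window_minutes):
    """A DC maxed out at N simultaneous logons supports N users for every minute
    of the morning arrival window (1000 logons over 5 minutes -> 5000 users)."""
    return max_simultaneous_logons * arrival_window_minutes


def plan_domain_controllers(site_users, dcs_for_load, untrustworthy_wan_sites=()):
    """site_users maps each site that receives a DC to its user count. The larger
    of (sites, DCs needed for the user load) wins; each extra DC goes to the site
    with the most users per DC; sites behind untrustworthy WAN links get two."""
    if not site_users:
        raise ValueError("at least one site must receive a DC")
    unknown = set(untrustworthy_wan_sites) - set(site_users)
    if unknown:
        raise ValueError(f"unknown sites: {sorted(unknown)}")
    placement = {site: 1 for site in site_users}        # one DC per site
    total = max(len(placement), dcs_for_load)
    for _ in range(total - len(placement)):             # place the extra DCs
        busiest = max(placement, key=lambda s: site_users[s] / placement[s])
        placement[busiest] += 1
    for site in untrustworthy_wan_sites:                # redundancy across bad links
        placement[site] = max(placement[site], 2)
    return placement


if __name__ == "__main__":
    size = ad_size_bytes(200_000, 1000)
    print(f"AD size {size:,} bytes; minimum DC capacity {minimum_dc_capacity_mb(size)} MB")
    print("3 DCs, 500 intrasite attribute changes:",
          replication_bytes(3, 500, INTRASITE_ATTRIBUTE_CHANGE), "bytes")
    print("users supported by a 1000-logon DC over 5 minutes:", users_supported(1000, 5))
    print(plan_domain_controllers({"Site1": 200, "Site2": 200, "Site3": 7000}, 5,
                                  untrustworthy_wan_sites=("Site2",)))
```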

Global Catalog Servers

The Global Catalog is required to be available in each site if the Active Directory forest consists of more than one domain. The multidomain forest is an important factor. In a single-domain forest, there is no need for a Global Catalog since all resources will be available in the domain partition of the Active Directory.

The Global Catalog is important for multidomain forests because:

■ It is used during the logon process to determine memberships of universal groups. If unable to contact a GC server, logon is refused to ensure that the user had not been denied access to resources through a universal group membership.

■ It is used for queries of resources that exist outside of a user’s own domain.

If you have more than one domain, you will want to place at least one GC server in each site. This will probably not require any extra physical servers because a GC server is simply an enhanced domain controller, and will consume only a minor amount of storage and processing power. Although you will not need as many GC servers as you do DCs, wherever possible, you should try to ensure that workload is balanced among the GC servers in a site, and that redundant GC servers are placed in sites separated by untrustworthy WAN links.

DNS Servers

The Active Directory depends on DNS in order for:

■ DCs to contact each other for replication

■ Users to contact DCs to log on to the network

■ Users to contact GCs to execute a query

Without DNS, there is no communication—users can’t log on, and the Active Directory cannot replicate updates. Because of DNS’s importance, you should ensure that at least one DNS server exists in each site, and two should exist in any site that is separated from other DNS servers by untrustworthy WAN links.

You can install DNS services on the existing DCs in the forest. The DNS service will consume a minor amount of storage and processing power. It is recommended that you test the capacity of a DC with additional services loaded on it when you add DNS and the Global Catalog.

WINS Servers

Windows Internet Naming Service (WINS) is used to map NetBIOS names to IP addresses. WINS is not necessary to the working domain running in native mode. You may not need to plan for WINS servers at all, but for those networks that do need to provide WINS services for downlevel clients, they should be placed in a centrally available network location. You should have at least two WINS servers on the internetwork for redundancy.

FSMOs

There are five Flexible Single Masters of Operations (FSMOs) that you need to consider for placement on the network:

Relative ID (RID) Master

The RID master is a designated DC. It provides unique relative ID portions of the SID to other DCs. When those DCs assign SIDs to security principals (users, groups, or other objects that can be granted rights), the RID master ensures that the SID is unique. This is especially necessary when moving an object between domains.

When placing the RID master, you need to consider which DC is most easily accessible by other DCs in the domain. If you have a hub-and-spoke formation in your network where there is one main site and the rest of your sites all connect to it, it is fairly simple to select a DC in that site. If, however, you have a more complex internetwork with several major sites, you should still select the site that is most central to all other DCs.

In the case of a downed RID master, where the RID master is not recoverable, you will need to change the role to another DC on the internetwork. This means that you should select a DC to serve as the backup RID master. Remember that the RID master backup will not automatically happen by itself; you will need to change the role over manually:

1. Open the Active Directory Users and Computers console.
2. Right-click on the domain.
3. Select Connect to Domain Controller from the menu.
4. Select the DC which you are going to transfer the RID master role to.
5. Click OK.
6. Right-click on the domain.
7. Select Operations Master from the menu.
8. Click the Change button on the RID tab.
9. Click OK.

PDC Emulator

The PDC Emulator does more than act as a backward-compatible PDC in a mixed mode domain. It still exists in a native mode domain. Overall, the PDC emulator handles these important functions:

■ Mixed mode PDC authority over Windows NT BDCs

■ Native mode and mixed mode central repository for domain password changes

■ Native mode and mixed mode central authority for time synchronization

When the domain is in mixed mode, the PDC Emulator is the PDC for any Windows NT BDCs in the same domain. The PDC Emulator cannot exist in a domain that has a Windows NT PDC in it, which is why a migration plan must upgrade the Windows NT PDC first, when retaining the same domain.

When the domain is in any mode, the PDC Emulator is contacted by each DC on which a password change has been made, and then stores that password change. If a user changes his or her password on one DC, and then attempts to authenticate to another DC that still holds the old password, the DC first contacts the PDC Emulator to check for a password change there. In this way, the user’s logon can be accepted.

The PDC Emulator also takes on the role of the time authority for the domain. All other DCs will synchronize their clocks to the PDC Emulator, and then serve that time to the time clients in the domain.

The PDC Emulator needs to be highly available to the entire domain, especially to DCs in its own domain. You will want to place that PDC Emulator in a location that is central to other DCs and is highly available to them. Because of the PDC Emulator’s critical nature for password changes, you will want to give that role to a DC that has fault tolerant hardware, such as a RAID array or cluster. You will also need to designate a potential backup PDC Emulator in case the original DC holding that role fails. To change the role of a DC to a PDC Emulator, follow a nearly identical process as that of changing the RID master role:

1. Open the Active Directory Users and Computers console.
2. Right-click on the domain.
3. Select Connect to Domain Controller from the menu.
4. Select the DC to which you are going to transfer the PDC Emulator role.
5. Click OK.
6. Right-click on the domain.
7. Select Operations Master from the menu.
8. Click the PDC tab.
9. Click the Change button.
10. Click OK.

Domain Naming Master

There is a single Domain Naming master per Active Directory forest. The first DC installed is granted this role by default. The Domain Naming master ensures that the domain namespace is unique within a forest, and is used each time a domain is added or removed from the forest. The Domain Naming master must be installed on a Global Catalog server. When placing the Domain Naming master, you should select a DC within the root domain (although being a member of the root domain is not necessarily a requirement, it can enhance performance because of its Kerberos trust relationships) of the forest that is also a Global Catalog server. It must be available to each domain in the forest, so this Domain Naming master’s site must be site-linked or site-link-bridged to every other site in the forest.

You can change the Domain Naming master through the Active Directory Domains and Trusts console:

1. Open the Active Directory Domains and Trusts console.
2. Right-click the root.
3. Select Connect to Domain Controller from the menu.
4. Type the name of the DC that will be the new Domain Naming master (make certain you select a Global Catalog server) and press Enter.
5. Right-click on the root again.
6. Select Operations Masters from the menu.
7. Click the Change button.
8. Click OK.

Infrastructure Master

There is a single Infrastructure master in each domain. It is used to maintain a reference to objects in other domains—specifically those objects that have been moved to other domains, or group members that belong to other domains.

The Infrastructure master should reside on a DC that is highly available to the rest of the DCs for that domain. Try to place the server in a central location for that domain. To change the Infrastructure master role:

1. Open the Active Directory Users and Computers console.
2. Right-click on the domain.
3. Select Connect to Domain Controller from the menu.
4. Select the DC that will be the new Infrastructure master.
5. Click OK.
6. Right-click the domain.
7. Select Operations Masters from the menu.
8. Click the Infrastructure tab.
9. Click the Change button.
10. Click OK.

Schema Master

There is a single Schema master within an Active Directory forest. It is the only domain controller on which the schema can be changed. You can change the Schema master role from one DC to another.

TIP

To make any changes to the schema or the Schema master, you must install the Windows 2000 Administrative Tools. To do this, use the Add/Remove Programs icon in the Control Panel, select Windows 2000 Administrative Tools, and click Change. Then install all the administrative tools.

To start the Active Directory Schema snap-in, click Start and then Run. Type MMC and press Enter. Click the Console menu and select Add/Remove Snap-In. Click Add and select the Active Directory Schema. Click Add, then Close and OK to return to the console window.

Because the schema should not be changed often, and because only a very few persons should ever be granted access to change the schema, the placement of the Schema master will not affect Active Directory performance. You may wish to grant the Schema master role to a DC that is not easily accessible. To change the Schema master role:

1. Open the Active Directory Schema Manager console.
2. Right-click on the root.
3. Select Change Domain Controller from the menu.
4. Type the name of the new Schema master.
5. Click OK.
6. Right-click on the root.
7. Select Operations Master from the menu.
8. Click the Change button.
9. Click OK.

RAS Servers

Placing a RAS server for dial-up users on the network is a matter of bringing the server closer to the resources that users need to access. If you are placing a RAS server for a VPN, then bring the server closer to the WAN link, from which users will be connecting. In the best of worlds, you will be able to place that server close to the resources and move the WAN link or dial-up lines to where that server resides.

DHCP Servers

If you apply static IP addresses to both clients and servers currently, then you should look into adding DHCP to the network. DHCP will assign IP addresses to workstations and servers when they authenticate to the network. The addresses can be pooled so that they are efficiently handed out to workstations on an as-needed basis. If you are currently using DHCP, then you already know of the benefits that it can bring to your network. DHCP is important for every network client and server that uses it. A workstation or a server would not be able to access the network without receiving an assigned IP address from a DHCP server or being able to contact the DHCP server to renew it.

When you consider the placement of the DHCP servers, you need to look at the:

■ Number of sites

■ Size of the sites

■ Speed and reliability of the WAN links

You will want to place DHCP servers at your main sites, and then place DHCP servers at any site that is connected to the internetwork via slow or unreliable WAN links. This does not necessarily mean adding yet another server to the network; you can install the DHCP service on a Windows 2000 DC, or other Windows 2000 server.

Terminal Services

Terminal Services offer a thin-client solution for applications across the network. They also have an option of being installed to provide server management via remote control of the server console. The placement of the Terminal server depends on the role that the Terminal Service is playing.

If Terminal Services are being added to Windows 2000 servers and domain controllers in order to provide a method of server management, then it does not matter where those servers are placed. They should be placed solely in accordance with the other services that they are providing on the network.

For example, if Terminal Services are installed on a Windows 2000 server or domain controller in order to provide an application to thin-clients, then the server should be placed close to the application data source. You see, a Terminal server is the middle tier of a three-tier system, as shown in Figure 7.15. As the middle tier, the Terminal server acts as a client to network server applications. The application client must be installed on the Terminal server. Workstations are installed with a Terminal server client, with which they access the Terminal server, take remote control of a session, and then use the application client to access other network servers.

Figure 7.15 Terminal Services as the middle tier in a three-tier system.
Data Server: hosts database for Terminal Services.
Terminal Server: client to Data Server; host to Terminal Client.
Terminal Client: client to Terminal Services; runs database client via remote control.

Terminal Services should be placed close to servers that provide data to the applications. For example, if a Terminal server was going to be used for access to a SQL application, then the Terminal server and the SQL server should both be placed on the same network segment, or two segments that are well connected. This rule does not prove true for the workstations since they use a thin-client application (which uses very little network bandwidth, for example) to take control of a Terminal server. Workstations can be placed anywhere on a network relative to the Terminal server.

When you size a Terminal server itself, you need to consider the number of simultaneous users. A single Pentium II processor generally can provide sessions for about 20 to 25 users. Therefore if you want to provide Terminal Services for 50 simultaneous users, you would need at least two or more processors. (Simultaneous users are not the total number of users that are allowed to use the server, but are the total number of users that would actually use the server at the exact same time.)

The number of simultaneous users also governs the amount of RAM. First, you would allocate about 256MB of RAM for the base operating system. Although Windows 2000 will operate with around 128MB of RAM, you will want to double it to 256MB to handle all the services that will run on the server. Then you will want to add 8MB RAM for each simultaneous user. This means that if you have 50 simultaneous users, you will add another 400MB RAM to your total. This gives us a total of 656MB RAM, but since no machine has that specific amount, you will round it up to the next level or more. So if the server supports RAM in 256MB increments, you would install 768MB of RAM or more. (More RAM cannot hurt your server’s performance.)
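The Terminal server sizing rules above as a small calculator that also handles the rounding edge cases (an exact RAM multiple stays put, and a more conservative users-per-processor figure can be passed in). Added example, not the book's code; the function names and the default of 25 users per processor (the upper end of the stated range) are assumptions.

```python
"""Terminal server sizing: about 20-25 simultaneous users per processor,
256MB of RAM for the operating system plus 8MB per simultaneous user,
rounded up to the next RAM increment the server supports.
Added example, not code from the book."""
import math

BASE_RAM_MB = 256        # double the 128MB minimum to cover the extra services
RAM_PER_USER_MB = 8


def processors_needed(simultaneous_users, users_per_processor=25):
    """Whole processors needed; 25 is the upper end of the 20-25 range, so
    pass 20 for a more conservative estimate."""
    if simultaneous_users < 0 or users_per_processor < 1:
        raise ValueError("users must be >= 0 and users per processor >= 1")
    return max(1, math.ceil(simultaneous_users / users_per_processor))


def ram_needed_mb(simultaneous_users):
    """256MB base plus 8MB per simultaneous user (50 users -> 656MB)."""
    return BASE_RAM_MB + RAM_PER_USER_MB * simultaneous_users


def ram_to_install_mb(needed_mb, increment_mb=256):
    """Round up to the next size the server's RAM increments allow (656 -> 768);
    an exact multiple is left as it is."""
    return math.ceil(needed_mb / increment_mb) * increment_mb


def size_terminal_server(simultaneous_users, users_per_processor=25, increment_mb=256):
    """Processor count and RAM figures for a given number of simultaneous users."""
    needed = ram_needed_mb(simultaneous_users)
    return {
        "processors": processors_needed(simultaneous_users, users_per_processor),
        "ram_needed_mb": needed,
        "ram_install_mb": ram_to_install_mb(needed, increment_mb),
    }


if __name__ == "__main__":
    print(size_terminal_server(50))          # the page's 50-user example
    print(size_terminal_server(50, users_per_processor=20))
```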

Infrastructure Components

The infrastructure is everything that sits between a client workstation and a Windows 2000 server, including the wiring, hubs, switches, routers, and gateways. The Active Directory can be optimized to work well on many existing internetworks. Generally, it can use the existing infrastructure components. Even so, the internetwork may perform better if it is also optimized to work with the Active Directory in return.

The goal of sizing the infrastructure is to maximize the availability of services while minimizing the bandwidth that those same services consume. One of the challenges that businesses face today is an increasing use of the Internet to perform daily business procedures. This leads to competition for bandwidth from all end-points to the Internet connection (or connections) that exist on the internetwork. When reviewing infrastructure components, you need to take this growing bandwidth consumption into account and plan for managing it, whether through cache engines, proxies, or increased bandwidth availability.

Table 7.3 is a list of the components that you should review. If the questions that you ask reveal that any component currently is not sufficient or will not be sufficient in the future, then you should upgrade that component.

Table 7.3 Infrastructure Components

Component | Questions to ask
Cabling | Is the cabling stable, or does it perform with faults?
Cabling | Can the cabling support faster Physical/Data Link protocols?
WAN Links | Is there available bandwidth on the existing WAN links?
WAN Links | Are there redundant WAN links in case of a failure?
WAN Links | Will a WAN link support additional bandwidth consumption given an average of 5% compounded growth in consumption month over month over the next year?
LAN Links | Is the local LAN segment experiencing excessive delays or, in the case of Ethernet, excessive collisions?
LAN Links | Are hubs used for shared network segment access?
LAN Links | Are switches used with microsegmentation (each workstation receiving its own port) or do switches connect multiple shared access hubs?
Routers/Bridges | Does the infrastructure support all the protocols required—TCP/IP, DNS, Dynamic DNS, DHCP, Quality of Service (QoS), IPSec?
Routers/Bridges | Does the infrastructure support the needs for voice and video data?
Network Interface Cards (NICs) | Are all network interfaces compatible with Windows 2000?

reaches a Global Catalog server, it must use its processing power to handle the changes to its database. As a result, a user who accesses the network can be denied access because the network is busy transmitting replication traffic. Or a user who attempts to access a Global Catalog server at the time that it is processing these changes will be denied access to the Active Directory or to the server’s resources.

Quality of Service

If you intend to deploy Quality of Service (QoS), you must ensure that the internetwork will support it. Many older versions of routers will not recognize a QoS packet. When this happens, the packet is handled just like any other packet, and if the header is stripped and rebuilt in order to pass that packet from one segment to another, then all remaining infrastructure components will treat that packet without any priority whatsoever. It is imperative for you to ensure that all infrastructure components support QoS in the path from a packet’s source to its destination.

Monitoring the Infrastructure

The same tools used to measure replication traffic can be used to monitor the network infrastructure traffic. Monitoring the infrastructure is critical to managing an internetwork. The activity on the network impacts the performance of both the infrastructure components and the Windows 2000 servers.

The types of information to monitor can be subdivided into each layer of the OSI protocol reference model. By dividing the monitoring tasks this way, you can better trace a bottleneck to its source problem. Table 7.4 shows the types of data and the OSI Protocol model layers from which they originate.

Table 7.4 Monitoring Traffic through the OSI Layers

Model Layer | Data to Monitor
Physical and Data Link | Most physical protocols also contain a data link portion. To monitor the Physical/Data Link traffic, monitor the Network Interface of each server.
Network | This protocol handles the routed data, which in turn requires addressing. You will need to monitor IP for the TCP/IP protocol, and NWLink for the IPX/SPX protocol.
Transport | The transport layer handles segmentation and provides sockets, or ports, for upper layers to use. You will need to monitor TCP and UDP for the TCP/IP protocol.
Session | The establishment and breakdown of end-to-end sessions are handled at this layer. NetBIOS is implemented as a Session layer API when it is used over TCP/IP. To monitor NetBIOS over TCP/IP, use the NBT Connection counters.
Application and Presentation (Layer 6 and Layer 7) | The Application and Presentation layers are often grouped together. The Presentation layer manages the format of data, inclusive of encryption and compression, and the Application layer provides the user interface to the network. To monitor at these layers, look at the server and redirector counters.

For IT Professionals: Optimizing Windows 2000 TCP/IP Performance for Slow WAN Links

Windows 2000 is fairly self-optimizing. But if it is serving clients across a slow WAN link, it may benefit from some performance tuning.

As it was for Windows NT, much of the Windows 2000 performance optimization can be done through editing the registry. To edit the registry, you need to execute the REGEDT32.EXE command.

Proceed with caution when you edit the registry! Whenever you edit the registry, your computer’s operability is being risked. You should always test a registry edit on a test computer before using it on a production computer. In addition, you should always back up your production computer before editing its registry even if your tests were completely successful.

The HKEY_LOCAL_MACHINE hive contains the parameters for TCP/IP in HKLM\System\CurrentControlSet\Services\Tcpip\Parameters. These are not the only keys that can be changed, but for increased performance, you will definitely want to look at modifying the following keys:

MaxUserPort: To increase throughput by allowing more sockets to be created, increase this parameter. It ranges from 0x400 to 0xFFFE. The default behavior of Windows 2000 is to grant TCP ports between the value of 1024 and 5000, which is generally sufficient. Changing this key to a higher value will enable more ports to be available. It will have a negative effect on the computer if its processor or memory is unable to handle the additional load.

MaxFreeTcbs: To increase the number of available preallocated Transport Control Blocks (TCBs). TCBs are maintained for each TCP/IP connection. The range for this parameter is between 0 and 0xFFFFFFFF. The default value is 2000 TCBs for servers with more than 64MB RAM. You should increase this value only when you have a lot of available RAM because it will reduce the available RAM by setting aside a cache for more TCBs.

Network Monitor

Network monitor is intended to analyze network activity sent to or from aWindows 2000 computer on a local area network segment Network mon-itor captures the frames that pass on the network segment When using aswitch between two devices, you will have difficulty tracking the data onthe network because each switch port is a separate network segment (Aswitch is simply a multiport bridge, and gains the higher throughput due

to the segmentation of each port.)

To get around this issue temporarily, you can replace a switch with ahub, given that they are both using compatible media and physical/

datalink network protocol and data rate A switch can connect Ethernet10BaseT over unshielded twisted pair with Ethernet 100BaseT overunshielded twisted pair In more rare cases, switches can connect thesewith Ethernet 10BaseF over fiber or 10Base2 over thin-wire coaxial cable

or 10Base5 over thick-wire coaxial cable The multiple media types canbecome an issue if the switch is replaced with a single-media hub

Alternatively, if the switch supports it, you can connect to the switch’sinternal “mirror port.” Some switches have a mirror port that is actually aninternal channel through which all data between the ports passes

IP frames include a header with the source address of the sending puter, the destination address of the computer that will receive the frame,other header information, and the actual data that is being sent Not onlydoes Network monitor look at frames, it also looks at bandwidth utilizationand transmission rates in bytes per second or frames per second

com-To use Network monitor, you must install it on the computer where youwant to capture data But you also install Network monitor on a Windows

2000 server to receive the data from multiple clients Then you capture thedata and review the results You can also monitor for certain patterns

within a frame and then execute a trigger such as stop capturing or

exe-cuting a command line

When you review data to solve a performance issue, you will want tolook for repeated sequences of data transmissions or for lengthy delays in

www.syngress.com

MaxHashTableSize To increase throughput (on a single

pro-cessor computer) by creating a faster connection lookup,increase this parameter It ranges from 0x40 to 0x10000 Thisparameter manages how fast a TCB can be found for a TCPconnection It should be increased only when you increaseMaxFreeTcbs

Trang 21

acknowledgements or replies Retries indicate that the network is congested

or that there is a breakdown in the path to the destination computer, oreven that there is a problem with a higher layer protocol timing out Whenthere are lengthy delays, it could indicate that either the destination com-puter, or some router in the path to the destination, is performing poorly
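A sanity check for the three TCP/IP tuning keys described in the sidebar, added here as an example and not code from the book: it validates a proposed set of values against the ranges, defaults and dependencies the text states, without touching any registry. The function name check_tcpip_tuning and the sample proposals are constructed for this example.

```python
"""Range check for the TCP/IP registry tuning keys described in the sidebar.

Added example, not code from the book: it checks a proposed set of values for
MaxUserPort, MaxFreeTcbs and MaxHashTableSize under
HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters against the ranges
and dependencies the text gives, before anyone opens REGEDT32.EXE on a
production box.  It never reads or writes a registry; the values below are
constructed.  The 64MB figure is the only RAM threshold the text gives.
"""

# Inclusive ranges and defaults as stated in the text.
RANGES = {
    "MaxUserPort": (0x400, 0xFFFE),
    "MaxFreeTcbs": (0x0, 0xFFFFFFFF),
    "MaxHashTableSize": (0x40, 0x10000),
}
DEFAULT_MAX_FREE_TCBS = 2000   # default on servers with more than 64MB RAM
DEFAULT_MAX_USER_PORT = 5000   # default ephemeral port range is 1024-5000


def check_tcpip_tuning(proposed, ram_mb):
    """Return a list of findings for the proposed values; empty means no objection."""
    findings = []
    for key, value in proposed.items():
        if key not in RANGES:
            findings.append(f"{key}: not one of the keys covered here")
            continue
        lo, hi = RANGES[key]
        if not lo <= value <= hi:
            findings.append(f"{key}: {value:#x} is outside {lo:#x}-{hi:#x}")
    tcbs = proposed.get("MaxFreeTcbs", DEFAULT_MAX_FREE_TCBS)
    # A bigger hash table only helps lookups when there are more TCBs to find.
    if "MaxHashTableSize" in proposed and tcbs <= DEFAULT_MAX_FREE_TCBS:
        findings.append("MaxHashTableSize: raise only together with MaxFreeTcbs")
    # Preallocated TCBs are carved out of RAM; the default already assumes >64MB.
    if tcbs > DEFAULT_MAX_FREE_TCBS and ram_mb <= 64:
        findings.append("MaxFreeTcbs: raising it on <=64MB RAM takes RAM you do not have")
    # Going below the default range leaves fewer ports than the box has today.
    if proposed.get("MaxUserPort", DEFAULT_MAX_USER_PORT) < DEFAULT_MAX_USER_PORT:
        findings.append("MaxUserPort: below the default 5000, fewer ports than today")
    return findings


if __name__ == "__main__":
    # Constructed proposal for a branch server: more ports, more TCBs, bigger hash.
    plan = {"MaxUserPort": 0x8000, "MaxFreeTcbs": 4000, "MaxHashTableSize": 0x4000}
    print(check_tcpip_tuning(plan, ram_mb=512))   # []
    bad = {"MaxUserPort": 0x10000, "MaxHashTableSize": 0x4000}
    for line in check_tcpip_tuning(bad, ram_mb=512):
        print(line)
```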

If you wish to test the ability of RPCs to travel across a link, you can use the RPC Ping utility. This consists of two components: one resides on a server, RPINGS.EXE, and the other is executed on the client, RPINGC32.EXE. To use this, load the server component, and then run the RPINGC32.EXE component on the other machine.

PathPing is a utility for tracing a path from one computer to another. What PathPing does is send a set of packets to each router along the way to a destination computer. Not only does PathPing trace the route between the two computers, it then shows which routers dropped packets along the way.

Case Studies

Preparing the infrastructure for Windows 2000 is more of an art than a science. The two case studies, ABC Chemical Company and West Coast Accounting, both will need to go through this exercise before installing Windows 2000 on the network.

ABC Chemical Company

The ABC Chemical Company first needs to review its site topology plan. ABC has three sites in its site topology plan: one represents the campus and the other two represent the warehouses in its production forest. (Since the e-commerce forest contains only a single site, we will only discuss the configuration of the production forest.)

Each warehouse is physically connected to the campus network via Frame Relay links, which are slow 56 Kbps network connections. The maximum amount of traffic can be estimated by considering how much it would take to replace each user account in the warehouse and upload those changes to the central site. Then, estimate how much time it would take to upload the changes based on the number of domain controllers that would be replicating from the remote site to the central site. (We assume only one domain controller will upload replication across the Frame Relay link because there are only 50 users there.)

1 Replication Cycle * 50 users * 11000 Bytes = 4296 Kbits / 56 Kbps = 76 seconds for full upload + 10 seconds for overhead traffic = 86 seconds

Note that this is the maximum traffic that could possibly be expected to cross the link due to Active Directory. You would probably see 10 percent of this traffic or less at any time that replication occurs. That means that you would want to upgrade the WAN link if 430 Kbits (10 percent of the 4296) is too much traffic to occur once every hour, if you configure the frequency of replication for 60 minutes.

Once you have the time it would take for the most traffic you expect to go across the WAN links, then you need to determine if this is tolerable, as well as how often such a change would happen. Remember, ABC Chemical can adjust the frequency of replication and the schedule if this is too much during high utilization hours, or upgrade the link speed. ABC Chemical Company decides that the replication traffic should not occur from 10:00 AM to 2:00 PM for either link. The site links are listed in Table 7.5 along with the site link bridge.

Table 7.5 ABC Chemical Company Site Links and Site Link Bridge

Site Link: EastWarehouse-HQ; Cost: 5; Frequency: 60 minutes; Schedule: Available 12:00 AM to 10:00 AM, 2:00 PM to 11:59 PM

Site Link: WestWarehouse-HQ; Cost: 5; Frequency: 60 minutes; Schedule: Available 12:00 AM to 10:00 AM, 2:00 PM to 11:59 PM

Site Link Bridge: East-WestBridge; Cost: 10; Frequency: NA; Schedule: Not configurable, follows the additive rules of the site links

The next step is to decide how many DCs are required for the domain. Given only 1100 users, a single DC can be used; however, that does not allow for redundancy. Since there are three separate sites, and each site should have a DC within it, there are three domain controllers required overall, one in each site.

Since there is only a single domain, ABC Chemical Company does not need Global Catalog servers available to all the users. ABC will place a Global Catalog server at the main HQ and install it on the existing DC there. The RID Master FSMO will be installed on that DC, as well as the PDC Emulator and the Domain Naming master. However, the Infrastructure master and the Schema master will each be placed on the DCs at the East and West sites, respectively.

DNS services must be available everywhere, so the server at the HQ site will contain the primary zone, and the East and West DCs will run the DNS service with secondary zones to the HQ primary zone.

DHCP is required at each site, and because the Frame Relay links have been very stable, ABC Chemical decides to use a single DHCP server at the HQ site and forward DHCP requests to the warehouses. ABC decides to use a Windows 2000 member server, rather than a DC, for this role.

ABC Chemical Company does not need RAS or Terminal Services, so there is no need to place them on the network.

Although the 1100 users for ABC Chemical Company will not tax even a small, single-processor server with a 2GB hard drive and 256MB of RAM, ABC Chemical makes the decision to use a clustered server for the main DC. The decision is made to place the single DHCP server on a clustered server as well. In addition, ABC Chemical installs three file and print servers at the HQ site. The final Windows 2000 infrastructure is depicted in the figure that follows.

[Figure: ABC Chemical Company infrastructure for Windows 2000. Labels recovered from the figure: HQ Site with Clustered DC (RID Master, PDC Emulator, Domain Naming Master, Primary DNS Server), Clustered DHCP Server and three File and Print Servers; a warehouse DC (Schema Master FSMO, Secondary DNS Server); three Routers.]

West Coast Accounting, L.L.C.

West Coast Accounting has two domains in its production forest: westcoast.com is the root domain and the e-commerce domain is wcacctg.com. All users will belong to westcoast.com, but only Web users belong to wcacctg.com, and they are connected through San Francisco.

West Coast Accounting has five relatively small sites:

■ Seattle, with 50 users

■ Los Angeles, with 50 users

■ Portland, with 50 users

■ Phoenix, with 50 users

■ San Francisco, with 100 users

To calculate the maximum amount of traffic for West Coast Accounting, you can look at what would happen if each site updated all of its users at the same time. (We assume that there are four replication cycles because there are five DCs. And we use a T1 line at 1.544 Mbps for the speed of the WAN link.)

4 Replication Cycles * 300 users * 11000 Bytes = 100 Mbits / 1.544 Mbps = 65 seconds for upload + 10 seconds for overhead traffic = 75 seconds

Here, we've calculated the traffic for all the users in the entire domain to be updated at once across a T1 line. In reality, the traffic will be taking place across multiple lines for far less than this. It is likely that 56 Kbps Frame Relay links can withstand all the traffic that would be generated from each of the various sites, because the amount of traffic from any site into San Francisco would constitute about one-sixtieth of this (one-sixth of 300 users = 50 users * 10% = one-sixtieth).

Because San Francisco and Los Angeles share several cases in California, they require updates to be more available to each site. West Coast Accounting has the site links and site link bridges as shown in Table 7.6.

There is no need for more than a single DC to support 300 users for the westcoast.com domain. However, since users are spread throughout the various sites, there should be at least one DC for westcoast.com in each site. The wcacctg.com domain will exist only in the San Francisco site. The IT Group intends to use anonymous Web users initially and to add the ability to support individual user accounts into the domain later on. For now, the decision is to place two DCs for wcacctg.com in the San Francisco site.

Because of the multiple domains, there should be a Global Catalog server in each site. A Global Catalog will be installed on each DC for the westcoast.com domain. The PDC Emulator, the Domain Naming master, and the RID master will all be installed on a westcoast.com DC in the San Francisco site. The LA site will have the Infrastructure master and Schema master on its DC. wcacctg.com will have the Infrastructure master and RID master installed on one of its DCs, with the PDC Emulator on the other DC. (Since the Schema master and Domain Naming master exist only as one per forest, they do not need to exist in wcacctg.com.)

West Coast Accounting decides to install DNS on each DC, with Active Directory-integrated zones for each domain. In addition, West Coast needs to maintain WINS for backward compatibility for the remote workstations that end-users use to dial in to the network. West Coast Accounting places the WINS service on a member server that also serves as a RAS server. West Coast Accounting also installs DHCP on the RAS server.

West Coast Accounting installs Terminal Services on a member server in the westcoast.com domain. West Coast selects a four-way processor machine with 1GB RAM in anticipation of heavy use of the thin-client sessions. West Coast installs Internet Information Services on a member server in the wcacctg.com domain to provide the e-commerce solution. The final West Coast Accounting infrastructure is depicted in Figure 7.17.

Table 7.6 West Coast Accounting Site Links and Site Link Bridge (site link names are not recoverable from this copy)

Site Link: Frequency: 60 minutes; Schedule: Available all hours

Site Link: Frequency: 30 minutes; Schedule: Available all hours

Site Link: Frequency: 60 minutes; Schedule: Available all hours

Site Link: Frequency: 60 minutes; Schedule: Available all hours

Site Link Bridge: Frequency: NA; Schedule: Not configurable

[Figure 7.17 West Coast Accounting infrastructure for Windows 2000. Labels recovered from the figure: two Hubs; DC-westcoast.com (Global Catalog, DNS, Infrastructure Master, Schema Master); DC-westcoast.com (Global Catalog, DNS, PDC Emulator, RID Master, Domain Naming Master); Terminal Services, member westcoast.com; RAS Server, member-westcoast.com (WINS Service, DHCP Service); DC-wcacctg.com (PDC Emulator); DC-wcacctg.com (RID Master, Infrastructure Master); Internet Info Server, member-wcacctg.com; two further DC-westcoast.com servers (Global Catalog, DNS).]

Windows 2000 Server depends on the infrastructure of the network to be able to communicate with clients. Because it is a network operating system, it was built to work on an internetwork. Windows 2000 is built on Windows NT technology. Active Directory is a new feature that has been added to Windows 2000. The Active Directory is a multimaster directory service that organizes domains and servers.

The infrastructure is affected by replication of the Active Directory updates between the various domain controllers on the internetwork. The replication is controlled by the site topology that the administrator configures. A site is a set of well-connected IP subnets, typically LANs, that are designated as sites in the Active Directory Sites and Services console.

Within the site, replication traffic uses RPCs over IP. It is uncompressed traffic that occurs, by default, every five minutes. A replication topology is generated automatically within a site by the Knowledge Consistency Checker (KCC), in which there are no more than three hops (four servers) in a circle for replication to occur. This ensures that synchronization of all updates within a site can be completed within 15 minutes.

Between sites, replication traffic can use either RPCs over IP, or SMTP. This traffic is compressed, and is configured by an administrator to occur on a scheduled basis. Site links and site link bridges are created by administrators to create a conduit for replication traffic between sites. The intersite replication traffic can be scheduled to occur on a periodic basis, and the site link itself can be scheduled to be available during certain hours.

FRS, the File Replication Service, also follows the replication topology. FRS enables files to be replicated between Windows 2000 servers. Files that are updated are wholly replicated to other servers, rather than just the updates that were made to the files.

There are four types of partitions in the Active Directory:

■ Schema

■ Configuration

■ Domain(s)

■ Global catalog

The schema and configuration partitions are rarely changed and do not cause much replication traffic. Each domain is a separate partition of the Active Directory. When a domain does not span a site, then less traffic crosses between the sites; only the Global Catalog, schema, and configuration would be transmitted.

Part of preparing a Windows 2000 infrastructure is knowing where each server will be placed on the internetwork, to which domains those servers belong, and what services they provide. The map of the internetwork and the number of users within each site will enable you to determine how much traffic to expect on your WAN links. Then you can determine whether to upgrade links or to optimize Windows 2000 Server. Follow these general rules when determining your server placement:

■ Each site should have at least one domain controller

■ If there are multiple domains in the forest, each site should have at least one Global Catalog server, installed on a domain controller.

■ The RID master, Domain Naming master and PDC Emulator FSMOs should be placed in highly available sites. When using a hub and spoke configuration, they should always be located at the hub.


■ The Schema master FSMO can be placed anywhere in the network.

contains the root domain of the forest

untrustworthy WAN links from the other sites

site that is separated by untrustworthy WAN links from the othersites

available site

users. If users are dialing in, RAS servers should be near the dial-up location. If users are entering the network via a VPN over the Internet, the RAS servers should be placed near the Internet connection.

servers that host the application data source

Infrastructure changes are expected since networks tend to grow and change over time. To optimize, an administrator can use the Performance monitor, Network monitor, and Replication monitor tools for Windows 2000.

FAQs

sites so that you can control the flow of traffic between those sites. This is most effective when you have more than one domain controller in each site, and when there are multiple IP subnets in each site. You would probably want the traffic within a site to head toward the DC that is located closest to the site link. Then that DC, once configured as a bridgehead server, would be the sole sender of replication traffic to the other site. You should ascertain that there is always a pair of bridgehead servers configured, and that there are no connection objects for any other servers that cross the link, in order to truly reduce the replication traffic on that link.


Q: I have two sites in the same domain and 12,000 users. We are going to implement video conferencing after we finish Windows 2000 deployment. The current link between the sites is 256 Kbps. Is this enough bandwidth?

A: No, the 256 Kbps is not enough bandwidth for the videoconferencing, never mind the overhead of the Active Directory replication traffic. If videoconferencing is going to be implemented for multiple users, you will want to investigate the traffic needs that it will require and then calculate the replication traffic overhead, or even consider scheduling replication to occur only during hours that videoconferences will not.

Q: With three sites that are spanned by two domains, can we use SMTP between the sites for replication traffic?

A: No. SMTP traffic will not replicate updates to domain partitions. It will replicate traffic only for the Global Catalog, schema, and configuration. As such, SMTP can be used only between sites that do not contain domain controllers from the same domain.


Chapter 8

Designing the Cisco Infrastructure

Solutions in this chapter:

■ Getting started

■ Applications and network services

■ Server farm placement

■ Secondary server placement

■ WAN link considerations

■ LAN switching considerations

■ Redundancy and reliability design

Posted: 07/08/2014, 17:20
