1. You are assigning the newest member of your staff responsibility for a new file server running Windows Server 2003. He will be an Administrator on the server, and you want him to be able to ask for help from his coworkers so that they can walk him through steps to resolve any issues that arise. How would you have the new server configured so that this new administrator can request Remote Assistance?
A. Check the Remote Assistance box on the Remote tab in System Properties, and enable remote control in the Remote Assistance Settings dialog box.
B. Check the Remote Desktop box on the Remote tab in System Properties.
C. Check the Remote Assistance box on the Remote tab in System Properties, and add him as a Remote User in the Add New Users window.
D. Enable Remote Assistance through Local Remote Assistance Group Policy.
2. You just recently finished configuring the properties for Solicited Remote Assistance in Remote Assistance Group Policy, and you start receiving complaints that certain experts outside the organization cannot respond to the invitations that are embedded in the body of e-mail messages. You verify that the correct ports on the firewall are open and that the property for the format of e-mail invitations is set to Mailto. What could be the problem?
A. The experts do not have the Remote Assistance client installed.
B. The experts’ e-mail client cannot read HTML-formatted messages.
C. The Remote Assistance timeout period is too short.
D. The experts do not have the correct password.
3. You want to restrict who can offer remote assistance to immediate members of the server support team in your IT organization. You decide that creating a group is the most efficient way to manage this function. What kind of group is required, and where do you create it?
A. Create a Local group on each server that could request remote assistance, and add the group to the Local Administrators group.
B. Create a Domain group and add it to the Local Administrators group on each server that could request remote assistance.
C. Create a Universal group and add it to the Offer Remote Assistance Group Policy.
D. Create a Domain group and add it to the Offer Remote Assistance Group Policy.
Self Test
A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.
4. You have given the ability to offer unsolicited Remote Assistance to members of the server support team. However, they find that they can connect but not take control of the servers they are supposed to manage. What is the most efficient way of enabling the server support team members to take control of the servers they manage through unsolicited Remote Assistance while controlling the amount of access they have?
A. Add the members of the server support team to the Domain Administrators group, and add the Domain Administrators group to the Local Administrators group on each server that could request Remote Assistance.
B. Add the Domain group for the server support team members to the Local Administrators group on each server that could request Remote Assistance.
C. Add the Domain account for each member of the server support team to the Local Administrators group on each server that could request Remote Assistance.
D. Create Local accounts for each member of the server support team and add them to the Local Administrators group on each server that could request Remote Assistance.
5. You work for a consulting firm that has just installed Windows Server 2003. While at your office, you receive a Remote Assistance invitation to resolve a hardware issue from your client. You connect to the remote server without any problems; however, during the Remote Assistance session, your attempt to send a file with an updated driver is unsuccessful. What is the most probable cause for the lack of success?
A. The client is refusing to accept the file.
B. The required ports on one or both firewalls are closed.
C. The client has insufficient rights to accept the file.
D. Windows Messenger is not installed on the remote server.
6. The corporate service desk is overloaded, and management wants to leverage technical knowledge that exists throughout the organization. However, due to concerns over the security of corporate data, managers are wary of providing access to the organization’s desktop and laptop systems to individuals outside the organization. They are also wary of allowing individuals who do not possess the required knowledge to provide “help.” What strategy would you recommend to satisfy management’s requirements with the least amount of effort? (Choose all that apply.)
A. Block Remote Assistance at the firewall.
B. Enable Remote Assistance in domain Group Policy and restrict it to members of the IT group.
7. You receive your first Remote Assistance invitation from a colleague who works in a highly secure unit within your organization, and you immediately respond. Every time you try to connect, however, your connection attempt is refused. You are on the same subnet and can ping to verify that you can “see” the remote server. There is no Domain Remote Assistance Group Policy; therefore, you verify the settings in your Local Remote Assistance Group Policy. Everything looks normal to you. You notice that Client Connection Encryption Levels is set to Client Compatible. What do you suspect is happening?
A. Port 3389 is closed on the firewall.
B. The client is refusing your request to take control of the remote server.
C. The Client Connection Encryption Level is set to High Level.
D. The Client Connection Encryption Level is set to Low Level.
8. A network administrator is experiencing difficulty with one of his Windows Server 2003 servers and sends a Remote Assistance invitation via Windows Messenger to a colleague who works in another office. The colleague accepts the invitation and attempts to connect to the remote system, but he is unsuccessful. All offices are interconnected using VPN connections over the Internet, and each office’s private network is protected by its own firewall that is not running NAT. What should be done to enable the Remote Assistance session? (Choose all that apply.)
A. Have the firewall administrators in each office open the TCP/IP ports for Windows Messenger on their firewalls.
B. Have the firewall administrators in each office open the TCP/IP ports used by Remote Desktop on their firewalls.
C. Instruct the network administrator to enable Remote Assistance in the Terminal Services section of the local Group Policy Object Editor.
D. The network administrator should create a Remote Assistance invitation file, attach it to an electronic mail message, and send it to his colleague.
9. You are experiencing a series of problems with a particular server that you manage remotely, and the hardware vendor is asking you for the system configuration. You know you can display the data on screen using msinfo32.exe, but the vendor is requesting a paper copy. What is the best way to print the information?
A. Save the information from msinfo32.exe as a text file and copy it to your workstation to print it on your default printer.
B. Configure printer redirection in Remote Desktop Connection, reconnect to the server, and print the output of msinfo32.exe to your default printer.
C. Have msinfo32.exe print to the server’s default printer.
D. Display the output of msinfo32.exe in a Remote Desktop for Administration
10. You decide to start using Remote Desktop for Administration to manage the servers for which you have direct responsibility. Because you expect to have several Remote Desktop Connection windows open, you configure Audio Redirection in your Remote Desktop Connection client to “Bring to this computer.” This seems to be working well because you notice that sound is being directed to your workstation for all your servers except one. The sound system on your workstation is fully operational. What are the possible reasons that audio features are not being redirected from this one server? (Choose all that apply.)
A. The server does not have a sound system or the sound system is disabled.
B. The “Allow audio redirection” setting in local Terminal Services Group Policy on your workstation is set to Disabled.
C. The “Allow audio redirection” setting in local Terminal Services Group Policy on the server is set to Disabled.
D. The “Allow audio redirection” setting in domain based Terminal Services Group Policy is set to Disabled.
11. You take responsibility for a mission-critical server that absolutely has to be available on a 24/7 basis. As a result, you are issued a laptop computer so that you can manage the server whenever the need arises. You decide to use Remote Desktop for Administration to connect remotely to the server. At the office you can use the LAN, but at home only a dialup connection is available. How should you configure Remote Desktop Connection on your laptop to work efficiently from both locations? (Choose all that apply.)
A. Before you attempt a Remote Desktop for Administration session, click the Experience tab and select LAN (10Mbps or higher) when connecting at the office or Modem (28.8Kbps) when connecting from home.
B. Before you attempt a Remote Desktop for Administration session, click the Experience tab and select Custom and check the appropriate boxes depending on your location.
C. Click the Experience tab, select Custom from the drop-down box, check the appropriate boxes for your location, and save the settings with a unique name on the General tab for future use.
D. Use the default setting for Remote Desktop Connection—Modem (56Kbps)—for all connections.
12. You find that you consistently keep several Remote Desktop Connection sessions open during the course of your workday. You are beginning to get a little frustrated when you issue Windows keystroke combinations, expecting them to execute on your desktop but they end up executing on a remote server, or vice versa. What can you do to ensure that when you issue Windows keystroke combinations, they execute where you expect them to?
A. Configure Apply Windows key combinations in Remote Desktop Connection to On the local computer.
B. Configure Apply Windows key combinations in Remote Desktop Connection to In full screen mode only.
C. Configure Apply Windows key combinations in Remote Desktop Connection to On the remote computer.
D. Disable keyboard redirection in Local Terminal Services Group Policy on the remote servers that you manage.
13. Your organization has implemented VPN technology in support of the IT department’s new on-call policy for network administrators. As part of this policy, network administrators have the ability to connect to and manage corporate servers using their own ISPs. You find that the performance of Remote Desktop for Administration connections degrades in the early evening when utilization of your cable ISP’s services is at its highest. What can you do to improve the performance of Remote Desktop for Administration on those rare occasions when you need to manage a server during your ISP’s busy times?
A. Select Broadband (128Kbps–1.5Mbps) on the Experience tab in Remote Desktop Connection.
B. Select Custom on the Experience tab in Remote Desktop Connection and accept the items that are checked by default.
C. Select LAN (10Mbps or higher) on the Experience tab in Remote Desktop Connection.
D. Select Custom on the Experience tab in Remote Desktop Connection and clear all check boxes.
14. You have been asked to take primary responsibility for a server that is used to perform systems management and track software licensing for your organization’s entire network. Due to the number of servers to which you need to connect, you need an efficient way to store the different connection configurations to the various servers. For some servers you need direct access to the server console; for others you need a workspace to enter data or generate reports. How can you manage remote access to each server for different levels of access?
A. Install the Remote Desktop snap-in on the server and create connections for every server which you need to access remotely, configuring some connections to connect to the console and others to connect to individual sessions.
B. Install the Remote Desktops snap-in on the workstation you will use to connect to the servers, configuring some connections to connect to the console and others to connect to individual sessions.
C. Edit the Local Terminal Services Group Policy on the workstation you will use to connect to the servers, configuring some connections to connect to the console and others to connect to individual sessions.
D. On the workstation you will use to connect to the servers, create a connection profile for each server, and save the profiles as RDP files in your home directory.
Self Test Quick Answer Key
For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.
Disaster Recovery Planning and Prevention
Exam Objectives in this Chapter:
3.1 Plan services for high availability
3.1.1 Plan a high availability solution that uses clustering service
3.1.2 Plan a high availability solution that uses Network Load Balancing
3.2 Plan a backup and recovery strategy
3.2.1 Identify appropriate backup types. Methods include full, incremental, and differential.
3.2.2 Plan a backup strategy that uses volume shadow copy.
3.2.3 Plan system recovery that uses Automated System Recovery
Our final topic for discussion is disaster recovery. We could dedicate an entire book to this topic simply because it is an issue that can make or break your company. Having a disaster recovery plan in place is crucial to an organization’s livelihood. Many companies have felt the pain of being unprepared for a major catastrophe. For example, let’s say that one of your critical database servers suffers a major hardware catastrophe. All your company’s customer records and order information are stored on this system. If you do not have a backup of the information stored on this server, how do you plan to fulfill your customers’ orders and bill them for your products if your server is destroyed?
While certain aspects of disaster recovery are beyond the scope of this book, one area that you must be familiar with for the 70-296 exam is backup and recovery. You need to understand the types of backup strategies that are available in Windows Server 2003, how to develop a plan for backing up your data, and the security concerns associated with doing so. Aside from backup and recovery, you also need to know some of the additional tools that Microsoft provides to aid you with disaster recovery issues, such as Automated System Recovery and the Recovery Console.
In this chapter, you will learn about these topics as well as the various types of clustering services available in Windows Server 2003 to help reduce the impact of a disaster. Microsoft offers tools such as Network Load Balancing and Server Clustering in Windows Server 2003 to give you another degree of fault tolerance in your networking environment. By the time you reach the end of this chapter, you will be able to plan, configure, and implement these clustering services within your environment. Let’s begin this chapter with a discussion of the general concepts of disaster recovery.
Understanding Disaster Recovery
Disaster recovery could be described as the Rodney Dangerfield of IT—it gets no respect. The irony here is that disaster recovery can be your best friend if you give it the attention that it requires. Too many times we’ve seen environments in which IT staff diligently swap tapes on a daily basis while otherwise ignoring their disaster recovery plans—assuming they have even developed them. As a networking professional, you should make it a priority to stay diligent in all aspects of disaster recovery.
Perhaps the most common reason that IT professionals do not pay attention to all aspects of disaster recovery is lack of understanding. This section covers two specific areas relating to disaster recovery. First, we discuss planning for disaster recovery and the fundamentals of disaster recovery, as well as the steps you need to consider when planning a disaster recovery strategy. Then we discuss some of the ways that Microsoft assists you in the recovery of your Windows Server 2003 environment. Let’s begin with a discussion of disasters and define the types of disaster.
EXAM 70-296 OBJECTIVE 3.2.3
Planning for Disaster Recovery
If you follow current events, the widespread effects of any disaster will become clear to you rather quickly. Equipment, data, and personnel can be destroyed and staggering amounts of money lost by individual businesses, the economic after-effects of which can be felt internationally on a regular basis. Some companies can tolerate a certain amount of downtime, but some never recover and find themselves out of business. A disaster recovery plan identifies potential threats against your network, including terrorism, fire, and flood, in order to provide employees guidance on how to deal with such events when they occur.
Disasters can also result from the actions of people. Such disasters can occur as a result of employees accidentally or maliciously deleting data, system intrusions by hackers, viruses and malicious programs that damage data, and other events that cause downtime or damage. As with environmental disasters, a disaster recovery plan can be used to prepare and deal with such “human catastrophes.”
Preparation for disaster recovery begins long before a disaster actually occurs. Data backups must be performed daily to ensure that data can be recovered, plans need to be created that outline the tasks that need to be performed and by whom, and other issues need to be addressed as well. Of course, we hope that such preparation will never be needed, but it is vital that you put a strategy in place to deal with incidents that could arise. The disaster recovery plan should identify as many potential threats as possible and include easy-to-follow procedures. In greater detail, a plan should provide countermeasures that address each threat effectively.
Disaster recovery plans are documents that are used to identify potential threats and outline the procedures necessary to deal with various types of threats. When creating a disaster recovery plan, administrators should try to identify all the types of threats that could affect their company. For example, a company in California would need to be concerned about earthquakes, fire, flood, power failures, and other kinds of natural disaster but would need to worry less about blizzards. Once the administrators have determined the disasters that their company could face, they can create procedures to minimize the risk of such disasters.
Disasters are not limited to acts of nature but can be caused by electronic means. For example, DoS attacks occur when large numbers of requests are sent to a server, which overloads the system and causes legitimate requests for service to be denied. When an e-commerce site experiences such an attack, the losses can be as significant as any natural disaster.
Risk analysis should be performed to determine the company resources that are at risk when a disaster occurs. This analysis should include such elements of a system as:
■ Loss of data
■ Loss of software and hardware
■ Loss of personnel
kept offsite so that they can be located and implemented when systems need to be restored. Configuration information should also be documented and kept offsite so that it can be used to return the system to its previous state.
Additional hardware should also be available. Because hardware might not be easily installed and configured, administrators might need to involve outside parties. You should check any such vendor agreements to determine whether they provide onsite service within hours or days, because waiting for outsourced workers can present a significant delay.
When considering the issue of personnel, administrators should designate members who will be part of an incident response team to deal with disasters when they arise. Members should have a firm understanding of their roles in the disaster recovery plan and the tasks they need to perform to restore systems. A team leader should also be identified, so a specific person is responsible for coordinating efforts.
Recovery methods discussed in the plan should focus on restoring the most critical business requirements first. For example, if a company depends on sales from an e-commerce site, restoring this server would likely be a high priority. This would allow customers to continue viewing and purchasing products while other systems are being restored.
Another important factor in creating a disaster recovery plan is cost. When planning for disaster recovery, you need to plan for alternate sites in the event of a disaster. There are three common types of sites: hot sites, warm sites, and cold sites. A hot site has all the equipment needed for a company to continue operation, including computer equipment, utilities, telephone systems, and furniture. A cold site provides office space but does not have the equipment and other features of the hot site. A warm site falls somewhere in the middle, not providing as much “plug-and-play” functionality as a hot site but not quite as bare-bones as a cold site. Hot, warm, and cold sites require additional cost such as rent, hardware that might not be used until a disaster occurs (if one ever does), office supplies, and other elements that allow a business to run properly. This can present a dilemma; you do not want to spend more money on preparation than it would cost to recover from a disaster, but you also do not want to be overly frugal and not be able to restore systems in a timely manner. Finding a balance between these two extremes is the key to creating a disaster recovery plan that is affordable and effective.
Windows Disaster Recovery
As a Windows Server 2003 MCSE, you need to know the various methods of disaster recovery that Microsoft provides. Aside from Windows backup and restore (which we talk about in the next section), several other options are available in Windows Server 2003 that can assist you in recovering a downed server. Three options that we discuss in this section are:
■ Startup options
■ Recovery Console
■ Automated System Recovery
Let’s start our discussion of Windows disaster recovery tools with a look at the Windows startup options, a feature you’re probably familiar with from past versions of the Windows operating system.
Startup Options
At some point, you will undoubtedly come across a server that is unable to start the Windows Server 2003 operating system normally. A normal startup implies that the server can perform a reboot and bring up all startup services and applications without user intervention. When you encounter a system that cannot start up normally, you can choose to start up in one of eight different modes:
■ Safe mode
■ Safe mode with networking support
■ Safe mode with command prompt
■ Enable boot logging
■ Enable VGA mode
■ Last known good configuration
■ Directory services restore mode
■ Debugging mode
Safe Mode
When you start a server in Safe mode, Windows defaults to the most basic settings for running a server, including the Microsoft mouse driver, VGA video display, and other system-specific drivers (such as SCSI controller drivers) that are needed to start Windows. Safe mode can be used for a variety of reasons. For example, let’s say that you download and install a new device driver for your video card. After installing the device driver, your screen resolution
Safe Mode with Networking Support
We can use Safe mode to recover from situations such as malfunctioning software or device drivers, but what if we need access to resources on the network in order to recover the system? You can use Safe mode with networking. This startup mode allows you to access resources on your network as well as the Internet. Safe mode with networking offers the same functionality as Safe mode plus additional drivers needed to support network connectivity.
Safe Mode with Command Prompt
Safe mode with command prompt starts using basic files and drivers, but unlike the other two Safe mode variants, it displays a command prompt instead of the Windows desktop after you’ve logged onto the system. Safe mode with command prompt might be used in situations in which you need to perform command-level functions that Windows will not let you use in the GUI environment. For example, you might need to replace a system file that would be protected by the operating system in Safe mode or Safe mode with networking support. In another example, if a file is locked for exclusive use when the Windows GUI is present, you can manipulate this file using the command-level functions.
EXAM WARNING
Make sure you know how the three types of Safe mode differ from one another:
■ Safe mode: Defaults to the most basic settings for running a server, including the Microsoft mouse driver, VGA video display, and other system-specific drivers.
■ Safe mode with networking support: Defaults to the most basic settings for running a server, including the Microsoft mouse driver, VGA video display, and other system-specific drivers, but also adds networking capabilities.
■ Safe mode with command prompt: Defaults to a command prompt to allow you to use command-level functions that Windows will not let you use in the GUI environment.
Enable Boot Logging
When you choose to enable boot logging, Windows logs all drivers and services that were loaded (or failed to load) during startup in a file called ntbtlog.txt, which is located in the %systemroot% directory. Boot logging is helpful when you’re not exactly sure what is causing your server problems. You can see a sample ntbtlog.txt file in Figure 11.1; take special note of the lines in bold text that indicate drivers that failed to load during system startup.
Figure 11.1 A Sample ntbtlog.txt File
Microsoft (R) Windows (R) Version 5.2 (Build 3790)
5 18 2003 20:48:05.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver intelide.sys
Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver volsnap.sys
Loaded driver PartMgr.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Loaded driver Dfs.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver Mup.sys
Loaded driver agp440.sys
Loaded driver crcdisk.sys
Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\system32\DRIVERS\atimpae.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys
Loaded driver \SystemRoot\system32\DRIVERS\el90xbc5.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\update.sys
Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\system32\DRIVERS\parport.sys
Loaded driver \SystemRoot\system32\DRIVERS\serial.sys
Loaded driver \SystemRoot\system32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\system32\DRIVERS\flpydisk.sys
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\system32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Did not load driver \SystemRoot\system32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys
Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\DRIVERS\parvdm.sys
Loaded driver \SystemRoot\system32\DRIVERS\srv.sys
Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS
TEST DAY TIP
For the exam, remember that the ntbtlog.txt file is stored in the %systemroot% directory. Read the question carefully, because the answer choices might include different %systemroot% directories than the Windows default.
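The following Python sketch is an added example, not part of the book: it parses the ntbtlog.txt layout shown in Figure 11.1, isolates the most recent boot session (the file accumulates one block per logged boot), and separates drivers that never loaded from drivers that have both a "Loaded" and a "Did not load" entry, as NDProxy.SYS, rdbss.sys and mrxsmb.sys do in the figure. The function names, the sample log and the encoding handling (UTF-16 with a byte-order mark, otherwise 8-bit text) are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample: two boot sessions in the layout shown in Figure 11.1.
SAMPLE_LOG = r"""Microsoft (R) Windows (R) Version 5.2 (Build 3790)
 5 17 2003 09:12:44.250
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Microsoft (R) Windows (R) Version 5.2 (Build 3790)
 5 18 2003 20:48:05.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver pci.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\system32\DRIVERS\redbook.sys
Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys
"""

HEADER_RE = re.compile(r"^Microsoft \(R\) Windows \(R\) Version")
STAMP_RE = re.compile(
    r"^\s*(\d{1,2})\s+(\d{1,2})\s+(\d{4})\s+(\d{2}:\d{2}:\d{2}\.\d+)\s*$")
ENTRY_RE = re.compile(r"^(Loaded|Did not load) driver\s+(\S.*?)\s*$")


def decode_log(raw):
    """Decode file bytes. Assumption: UTF-16 if a BOM is present, else 8-bit."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def parse_sessions(text):
    """Split the log into boot sessions; each header line starts a new one."""
    sessions = []
    for line in text.splitlines():
        is_header = bool(HEADER_RE.match(line))
        if is_header or not sessions:
            sessions.append({"stamp": None, "entries": []})
            if is_header:
                continue
        current = sessions[-1]
        stamp = STAMP_RE.match(line)
        entry = ENTRY_RE.match(line)
        if stamp and current["stamp"] is None:
            current["stamp"] = " ".join(stamp.groups())
        elif entry:
            # Store (loaded?, path exactly as written in the log).
            current["entries"].append((entry.group(1) == "Loaded", entry.group(2)))
    return sessions


def driver_key(path):
    """Compare drivers by file name, ignoring case and directory spelling."""
    return ntpath.basename(path).lower()


def classify(session):
    """Group one session's drivers by what the log says happened to them."""
    loaded, failed = {}, {}
    for ok, path in session["entries"]:
        (loaded if ok else failed).setdefault(driver_key(path), path)
    return {
        "loaded": sorted(loaded),
        "never_loaded": sorted(k for k in failed if k not in loaded),
        "loaded_and_reported_failed": sorted(k for k in failed if k in loaded),
    }


def latest_boot_report(raw):
    """Classify the most recent boot session found in the raw file bytes."""
    sessions = parse_sessions(decode_log(raw))
    if not sessions:
        return None
    report = classify(sessions[-1])
    report["stamp"] = sessions[-1]["stamp"]
    return report


if __name__ == "__main__":
    report = latest_boot_report(SAMPLE_LOG.encode("utf-16"))
    print("Boot logged at:", report["stamp"])
    print("Never loaded:", ", ".join(report["never_loaded"]))
    print("Loaded, also reported as not loaded:",
          ", ".join(report["loaded_and_reported_failed"]))
```

Drivers in the "never loaded" group are the first candidates to investigate when a server fails to start normally; entries in the second group loaded at least once in the same boot.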
Enable VGA Mode
The difference between Safe mode and Enable VGA mode is that Enable VGA mode starts the computer using the currently installed video driver at the lowest possible resolution instead of the Microsoft VGA driver. You could use VGA mode when you require the additional functionality of your video card. For example, if you needed a higher resolution than the regular Safe mode provides, you could boot into VGA mode instead.
Last Known Good Configuration
This is an option that is probably very familiar to you if you’ve worked with Windows NT and Windows 2000. The last known good configuration starts by using Registry information that was saved during the previous logon. Rather than using Safe mode to remove a faulty driver that was installed, you can restart using the last known good configuration, which stores information about the drivers that were installed previous to the faulty config-
Directory Services Restore Mode
Directory services restore mode is an option that is only available on domain controllers and is used in restoring the SYSVOL directory and Active Directory. Directory services restore mode was covered in depth in Chapter 3, “Managing and Maintaining an Active Directory Infrastructure.”
Debugging Mode
Debugging mode is one of those options that you might use only infrequently, but you should still be aware of it should the need arise. When you boot a server in Debugging mode, debugging information is sent to another computer using a device known as a null modem. A null modem is a serial cable that connects two computers and simulates a connection similar to that of a standard analog modem. You might use Debugging mode when you’re working with a Microsoft technical support representative to troubleshoot a server. The debugging information can be captured by the other computer and sent to Microsoft for analysis.
Recovery Console
In some situations, you might not be able to boot your server into any of the startup modes we’ve just discussed. If this situation arises, all is not lost. Using the Windows Recovery Console, you have the ability to read and write data on a local drive, enable and disable system services, format drives, and perform other types of tasks.
Recognizing the potential for the Recovery Console to be exploited if a malicious user gained access to a server console, Microsoft developers made sure to keep security in mind when they designed this function. When you start a Recovery Console session, you are required to provide the password for the administrator account. On a domain controller, this will be the username and password for the domain user account. For standalone servers, the administrator account is the local administrator account. The Recovery Console interface looks like a standard command-line interface but also provides you a help file for the commands that are available in the Recovery Console.
TEST DAY TIP
If you get a question about the Recovery Console on your exam, read it carefully. If you are asked about logging into the Recovery Console, check to see if the question mentions that the server is a domain controller or a standalone server. This information will determine which administrator account to use.
EXERCISE 11.01
STARTING THE RECOVERY CONSOLE
In this exercise, we restart a Windows Server 2003 computer using the Recovery Console. Start this process by inserting the Windows Server 2003 CD into your CD-ROM drive. In addition, ensure that your server is set to boot from the CD-ROM as the primary device.
1 Reboot your computer.
2 During the boot process, you may be prompted to press a key to boot to the CD. Press any key.
3 Windows begins running through the Windows Server 2003 installation process, then prompts you to make a decision on how to proceed.
4 Press R to select “Repair a Windows installation using Recovery Console.”
The Recovery Console in Real Life
I have only found the need to use the Recovery Console twice in my time as a networking professional. However, on both occasions it saved me from hours of troubleshooting and system recovery. On the first occasion, I was attempting to remove an application from a Windows 2000 server. The application failed to uninstall properly and left several files behind on the server. This might not have seemed like a big issue, but we were uninstalling the application to install a newer version. Unfortunately, the newer version was not configured to overwrite the older application and required the older application to be completely removed. When I tried to manually delete the files, I received a sharing violation error message on the files. Even in Safe mode, I was unable to remove the files due to this error. Rather than reinstalling the OS or spending hours on the phone with the application developer’s technical support staff, I booted the server into Recovery Console and was able to change to the directory where the files were stored and remove them.
The second occasion was a little bit scarier. One of the Oracle servers at my company failed to start properly, claiming that the OS could not be found. Obviously, in this situation Safe mode was not an option. By booting into the Recovery Console, I was able to determine that the boot.ini file had become corrupted and was causing the server to fail on boot. I manually recreated the boot.ini file on another computer and copied it onto the downed server via a diskette. After replacing the boot.ini file, the server started normally on the next reboot.
5 The installation process terminates and begins launching the Recovery Console.
6 You will be prompted to select a Windows installation. In our example, choose option 1, C:\WINDOWS.
7 Next you may need to enter the administrator password for this computer. If this is not required, press Enter to continue.
8 Once you have entered the correct password, you will receive a DOS prompt. From here, you can navigate various directories on the drive, or you can pull up a list of Recovery Console commands by typing HELP. You can also find out more information about a particular command by typing HELP <command>, where <command> is the name of a particular Recovery Console command.
Automated System Recovery
In terms of Windows disaster recovery options, use Automated System Recovery (ASR) only as a last resort. ASR can be used to back up the system state data, system services, and all other files associated with the operating system. Along with the information itself, ASR creates a “road map” to the data on a diskette, which contains information about the ASR backup, the logical disk configurations, and how to perform an ASR restore. When you initiate an ASR restore, the system reads the information on the diskette and restores all the disk signatures, volumes, and partitions on the disks that are needed to start Windows. Once the disk information is restored, ASR installs a stripped-down installation of Windows and automatically starts to restore from backup using the backup ASR information. ASR should be used as a last resort only, because its purpose is to essentially rebuild from scratch previously stored information about the server. By using ASR, you will lose any user data that is stored on the system drive unless it has been backed up through other methods. Although ASR is a great tool and a nice addition to Windows Server 2003, you should exhaust all other recovery methods prior to using it.
EXERCISE 11.02
CREATING AN ASR BACKUP
In Exercise 11.02, we create an ASR backup to diskette. This diskette backs up all our critical system data in case we need to completely restore the system information:
1 Click Start | All Programs | Accessories | System Tools | Backup.
EXAM 70-296 OBJECTIVE 3.2.3
2 When the Backup or Restore Wizard (see Figure 11.2) opens, click Advanced Mode.
3 Select Automated System Recovery Wizard from the Backup Utility window (see Figure 11.3).
4 When the Automated System Recovery Preparation Wizard starts, click Next to continue.
5 Select a backup location for your ASR files (see Figure 11.4). Here we use a mapped drive from another server to store the actual files.
Figure 11.2 The Backup or Restore Wizard
Figure 11.3 Backup Utility
6 Once the ASR preparation process is complete (see Figure 11.5), click Finish to begin backing up your system files. Depending on the amount of data, you might be asked to insert several disks.
7 The files will begin copying to your diskette(s), as shown in Figure 11.6.
Figure 11.4 Selecting a Backup Location
Figure 11.5 Completing the ASR Preparation
8 You will be prompted to insert a blank diskette into your drive; the system then copies the system settings and backup media information to the diskette. This completes the ASR backup process.
EXAM WARNING
ASR is not a full-system recovery option. In other words, it can be used to restore the Windows OS and all vital OS information, but it does not back up any data files. If you are presented with a question about ASR on your exam relating to the restoration of user data, remember that ASR cannot perform this function.
Backup and Recovery
Data backup and recovery is the one area of disaster recovery with which networking professionals are most familiar. Everyone knows that they must back up their servers (and in some cases, workstations) to removable media in case anything should ever happen to their hardware. However, changing tapes on a regular basis is not enough; there are several other factors that you should consider in case such a disaster does occur. As a Microsoft networking professional, you will want to establish a backup and recovery plan for your Windows Server 2003 servers.
Figure 11.6 Copying the ASR Files to Diskette
It is important to keep at least one set of backup tapes offsite so that all tapes are not kept in a single location. If backup tapes were kept in the same location as the servers that were backed up, all the data (on the server and the backup tapes) could be destroyed in a disaster. By rotating backups between different sets of tapes, data is not always being backed up to the same tapes, and a previous set is always available in another location.
A popular rotation scheme is the grandfather-father-son (GFS) rotation, which organizes rotation into a daily, weekly, and monthly set of tapes. With a GFS backup schedule, at least one full backup is performed per week, with Differential or Incremental backups performed on other days of the week. At the end of the week, the daily and weekly backups are stored offsite and another set is used through the next week. To better understand this concept, assume a company is open Monday through Friday. As shown in Table 11.1, a full backup of the server’s volume is performed every Monday, with Differential backups performed Tuesday through Friday. On Friday, the tapes are moved to another location, and another set of tapes is used for the following week.
EXAM WARNING
Since GFS is such a popular rotation scheme, expect this term to come up somewhere on the exam.
Table 11.1 Sample Weekly Backup Schedule
Day     Backup
Sun     None
Mon     Full backup
Tues    Differential backup
Wed     Differential backup
Thurs   Differential backup
Fri     Differential backup, with week’s tapes moved offsite
Sat.    None
NOTE
We discuss Full, Differential, and other types of backups in our discussion of backup strategies.
Because it is too expensive to continually use new tapes, old tapes are often reused for backups. A tape set for each week in a month is rotated back into service and reused. For example, at the beginning of each month, the tape set for the first week of the previous month is rotated back into service and used for that week’s backup jobs. Because one set of tapes is used for each week of the month, most sets of tapes are kept offsite. Even if one set was corrupted, the set of tapes for the previous week could still be used to restore data.
In the GFS rotation scheme, the full backup is considered the “father,” and the daily backup is considered the “son.” The “grandfather” segment of the GFS rotation is an additional full backup that is performed monthly and stored offsite. The grandfather tape is not reused but is permanently stored offsite. Each grandfather tape can be kept for a specific amount of time (such as a year) so that data can be restored from previous backups, even after the father and son tapes have been rotated back into service. If someone needs data restored from several months ago, the grandfather tape enables a network administrator to retrieve the required files.
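The rotation described above can be worked through as a calendar calculation that also answers which tape to pull for a given restore request. This is an added example, not code from the book; it assumes five numbered weekly tape sets keyed to the date of each week's Monday, a grandfather full backup on the last business day of the month, and a 365-day grandfather retention, none of which the text fixes.

```python
"""GFS tape rotation worked as a calendar calculation (added example).

Assumptions not fixed by the text: weekly sets are numbered 1-5 by the date
of the week's Monday, the grandfather full backup runs on the last business
day of the month, and grandfather tapes are retained for 365 days.
"""
from datetime import date, timedelta


def monday_of(day):
    return day - timedelta(days=day.weekday())


def tape_set(day):
    """Weekly set number (1-5) in service during the week containing `day`."""
    return (monday_of(day).day - 1) // 7 + 1


def last_business_day(year, month):
    first_of_next = date(year + month // 12, month % 12 + 1, 1)
    day = first_of_next - timedelta(days=1)
    while day.weekday() > 4:          # step back over Saturday/Sunday
        day -= timedelta(days=1)
    return day


def plan(day):
    """Jobs for one date: Monday full, Tue-Fri differential, Friday offsite move."""
    wd = day.weekday()
    if wd > 4:                        # the sample company is closed at weekends
        return {"job": None, "tape_set": None,
                "move_offsite": False, "grandfather": False}
    return {
        "job": "full" if wd == 0 else "differential",
        "tape_set": tape_set(day),
        "move_offsite": wd == 4,
        "grandfather": day == last_business_day(day.year, day.month),
    }


def next_reuse(monday):
    """First later Monday on which the same numbered set is overwritten."""
    number, candidate = tape_set(monday), monday + timedelta(days=7)
    while tape_set(candidate) != number:
        candidate += timedelta(days=7)
    return candidate


def restore_source(target, today, keep_days=365):
    """Tapes needed to restore data as it stood on `target`, asked on `today`."""
    while target.weekday() > 4:       # no weekend jobs: fall back to Friday
        target -= timedelta(days=1)
    monday = monday_of(target)
    if today < next_reuse(monday):    # weekly set not yet rotated back in
        tapes = [("full", monday)]
        if target != monday:
            tapes.append(("differential", target))
        return {"source": "weekly set %d" % tape_set(target), "tapes": tapes}
    # Weekly tapes were overwritten: the closest copy is the latest
    # grandfather taken on or before the target date (coarser granularity).
    grandfather = last_business_day(target.year, target.month)
    if grandfather > target:
        prev = date(target.year, target.month, 1) - timedelta(days=1)
        grandfather = last_business_day(prev.year, prev.month)
    if (today - grandfather).days > keep_days:
        return None                   # past the retention period
    return {"source": "grandfather", "tapes": [("full", grandfather)]}


if __name__ == "__main__":
    for offset in range(7):
        d = date(2003, 12, 1) + timedelta(days=offset)
        print(d, plan(d))
    print(restore_source(date(2003, 12, 10), today=date(2003, 12, 18)))
    print(restore_source(date(2003, 10, 15), today=date(2003, 12, 18)))
```

The second restore request shows the cost of rotation: once the weekly set has been reused, the nearest available copy is the previous month-end grandfather, so changes made between that date and the requested date cannot be recovered.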
A backup is only as good as its ability to be restored. Too often, backup jobs are routinely performed, but the network administrator never knows whether the backup is performed properly until the data needs to be restored. To ensure that data is being backed up properly and can be restored correctly, administrators should perform test restores of data to the server. This testing can be as simple as attempting to restore a directory or small group of files from the backup tape to another location on the server.
Offsite Storage
Once backups have been performed, administrators should not keep all the backup tapes in the same location as the machines they have backed up. After all, a major reason for performing backups is to have the backed-up data available in case of a disaster. If a fire or flood occurred and destroyed the server room, any backup tapes in that room would also be destroyed. This would make it pointless to have gone through the work of backing up data. To protect data, the administrator should store the backups in a different location so that they will be safe until they are needed.
Offsite storage can be achieved in a number of ways. If a company has multiple buildings in different cities, for example, the backups from City A can be stored in a building in City B, and vice versa. If this is not possible, there are firms that provide offsite storage facilities. The key is to keep the backups away from the physical location of the original data.
When deciding on an offsite storage facility, administrators should ensure that the facility is secure and has the environmental conditions necessary to keep the backups safe. They should also ensure that the site has air conditioning and heating, because temperature changes may affect the integrity of data. The facility should also be protected from moisture and flooding and have adequate fire protection. The backups need to be locked up, and policies must be in place that detail who is authorized to pick up the data when it’s needed.
Backup Strategies
Backing up data is a fundamental part of any disaster recovery plan. When data is backed up, it is copied to a type of media that can be stored in a separate location. The type of media will vary depending on the amount of data being copied, but can include digital audio tape (DAT), digital linear tape (DLT), compact disks, both recordable and rewritable (CD-R/CD-RW), or diskettes. If data is unintentionally destroyed, it can be restored to its original state from the media.
When making backups, the administrator needs to decide what data will be copied to alternative media. Critical data such as trade secrets that a business relies on to function and other important data crucial to a business’s needs must be backed up. Other data such as temporary files and applications might not be backed up since it can easily be reinstalled or missed in a backup. Such decisions, however, vary from company to company. Once the administrator has decided what information needs to be backed up, he or she can determine the type of backup that will be performed. Common backup types include:
data, system files, and software on a system. When each file is backed up, the archive bit is changed to indicate that the file has been backed up.
backup. Because only files that have changed are backed up, this type of backup takes the least amount of time to perform. When each file is backed up, the archive bit is changed to indicate that the file has been backed up.
full backup. When this type of backup is performed, the archive bit is not changed, so data on one Differential backup contains the same information as the previous Differential backup plus any additional files that have changed.
in an “open” state. This is a new feature in Windows Server 2003.
Because different types of backups copy data in different ways, the methods used to back up data may vary between businesses or even from server to server. One company might do Daily full backups, whereas another might use a combination of Full and Incremental backups or Full and Differential backups.
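The archive-bit behaviour described above decides both how large each nightly job is and how many tapes a restore needs. The following is an added example, not from the book, that models a week of Full plus Differential backups against a week of Full plus Incremental backups; the file names and the week of changes are constructed.

```python
"""Archive-bit model of Full, Incremental and Differential backups.

Added illustration; file names and the week of changes are constructed.
"""

# Constructed sample: files modified on each day after Monday's full backup.
CHANGES = {
    "Tue": ["payroll.xls"],
    "Wed": ["budget.doc"],
    "Thu": ["payroll.xls", "notes.txt"],
    "Fri": ["budget.doc"],
}
INITIAL_FILES = ["payroll.xls", "budget.doc", "readme.txt"]


def run_backup(archive_bits, kind, day):
    """Back up a volume (file -> archive bit) and return the backup set."""
    if kind == "full":
        selected = set(archive_bits)                  # every file
    elif kind in ("incremental", "differential"):
        selected = {f for f, bit in archive_bits.items() if bit}
    else:
        raise ValueError("unknown backup type: %r" % kind)
    if kind != "differential":                        # differential leaves bits set
        for f in selected:
            archive_bits[f] = False
    return {"day": day, "kind": kind, "files": frozenset(selected)}


def simulate_week(daily_kind):
    """Monday full backup, then `daily_kind` backups Tuesday through Friday."""
    archive_bits = {f: True for f in INITIAL_FILES}
    history = [run_backup(archive_bits, "full", "Mon")]
    for day, changed in CHANGES.items():
        for f in changed:                             # a write sets the archive bit
            archive_bits[f] = True
        history.append(run_backup(archive_bits, daily_kind, day))
    return history


def restore_chain(history):
    """Backup sets needed to rebuild the volume as of the last set in `history`."""
    fulls = [i for i, s in enumerate(history) if s["kind"] == "full"]
    if not fulls:
        raise ValueError("no full backup to restore from")
    chain = [history[fulls[-1]]]
    later = history[fulls[-1] + 1:]
    last_clear = -1
    for i, s in enumerate(later):                     # every incremental is needed
        if s["kind"] == "incremental":
            chain.append(s)
            last_clear = i
    # Only the newest differential taken after the last bit-clearing job matters.
    diffs = [s for s in later[last_clear + 1:] if s["kind"] == "differential"]
    if diffs:
        chain.append(diffs[-1])
    return chain


def restored_files(chain):
    files = set()
    for backup_set in chain:
        files |= backup_set["files"]
    return files


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        history = simulate_week(kind)
        print(kind)
        for s in history:
            print("  %s %-12s %d file(s)" % (s["day"], s["kind"], len(s["files"])))
        print("  restore needs:", [s["day"] for s in restore_chain(history)])
```

Differential sets grow through the week but a restore needs only two of them, while Incremental sets stay small and a restore needs every set since the full backup.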
Volume Shadow Copy
EXAM 70-296 OBJECTIVE 3.2.1
Let’s take a few moments to discuss how volume shadow copy works, then we will walk through a couple of backup exercises. As we mentioned, volume shadow copy is the latest addition to the built-in backup functionality of Windows Server 2003. Unlike other types of backups, you can now back up files and volumes, including files that are open or in use by another user or system process. This was not previously possible without third-party backup software. Another advantage of volume shadow copy is that backups can be performed at any time (although it’s still best to perform backups during off-hours) without locking users out of the storage areas that you are trying to back up.
TEST DAY TIP
Remember that the key to volume shadow copy is that it can back up open files, which is not possible with the other backup methods.
Now that we’ve discussed the backup types available in Windows Server 2003, let’s take a few minutes to perform a Differential backup in Exercise 11.03.
EXERCISE 11.03
CREATING A DIFFERENTIAL BACKUP
In this exercise, we create a Differential backup set using the Windows Server 2003 Backup utility. Let’s begin by opening the Backup Utility:
1 Click Start | All Programs | Accessories | System Tools | Backup.
2 When the Backup or Restore Wizard (see Figure 11.7) opens, click
4 When the Backup Wizard starts, click Next.
5 When you are prompted on what you want to back up, select Backup everything on this computer (see Figure 11.9) and click Next.
6 Choose a location to store your backup. If you have a tape device, select it here. Otherwise, you can use a network share. You can also name your backup, and then click Next to continue.
7 When you reach the completion of the Backup Wizard (see Figure 11.10), do not click Finish; click Advanced instead.
Figure 11.8 The Backup Utility
Figure 11.9 Selecting Data for Backup
8 Now we will select the type of backup (see Figure 11.11). Since we are using a differential backup for this exercise, click the down arrow beneath Select the type of backup and choose Differential.
Figure 11.10 Completing the Backup
Figure 11.11 Selecting a Type of Backup
12 Now you will be prompted to select when the backup job will run (see Figure 11.12). Select Later.
13 Enter a name for your job. We called ours Differential.
14 Click the Set Schedule button to set the dates and times for the backup.
15 In the Schedule Job window (see Figure 11.13), change the Schedule Task option to Weekly, and select Monday, Tuesday, Wednesday, and Thursday. Do not select Friday, since we will want to run a full backup on Fridays.
Figure 11.12 Selecting When the Backup Will Run
Figure 11.13 The Schedule Job Window
16 Next, set the Start time to 9:00 P.M.
19 Click Finish to complete the Backup wizard.
The Need for Periodic Testing
In the previous two exercises, we spent a lot of time talking about backups. However, backing up data is only half the battle. You also need to perform periodic testing on your backups to verify that data has been backed up properly. Performing periodic testing provides for two very important points in disaster recovery:
verifying your data that has been backed up, you are verifying not only the data on the tape media but also the integrity of the media itself. Too often media is left in rotation too long and fails to properly back up the data.
verification of the plan itself as often as verifying the actual data, checking your backup plan for inconsistencies is nonetheless a critical matter. By testing your backup plan, you ensure yourself and other members of your organization that your plan will work in case of a real disaster.
When possible, you might also want to perform periodic testing on “test” equipment. It’s one thing to be able to recover a few Excel or Word files; it’s another to be able to recover an entire server. If you have the equipment, you should consider testing your backup and recovery plan on it to verify that you can recover the contents of an entire server based on the configuration of a production machine.
Security Considerations
We’ve discussed security considerations throughout this book, and now comes the time that we must discuss security for backups. One consideration in planning a backup strategy is separation of duties. This means that one user is authorized to back up data, and another user is authorized to restore data. By separating duties, you prevent one user from having total control over the backup strategy and potentially exploiting the process. Beyond access
offsite storage. If you are sending your media offsite, consider locking the media in a tamperproof lockbox. If you place the media in a lockbox, it will be apparent if someone tries to access the media while it’s offsite or in transit. When the media is onsite, make sure that the tapes are locked in either a fireproof safe or at minimum a locked cabinet.
TEST DAY TIP
Expect a question on access rights and backup/restore on the exam. You’ll probably see a question involving separation of duties and the inability of one user to restore backups he or she has made.
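On Windows, the separation of duties described above comes down to two user rights: SeBackupPrivilege ("Back up files and directories") and SeRestorePrivilege ("Restore files and directories"). The following added example, not from the book, checks a user-rights export produced by secedit for principals that hold both; the sample export and the CORP account names are constructed, and nested group membership is not expanded.

```python
"""Check a secedit user-rights export for backup/restore separation of duties.

Added illustration. The export below is constructed; a real one comes from
    secedit /export /areas USER_RIGHTS /cfg rights.inf
and is typically UTF-16 encoded, so open it with encoding="utf-16".
"""

# Constructed sample export; the CORP\ accounts are hypothetical.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,CORP\\svc-backup
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,CORP\\restore-ops
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Well-known built-in group SIDs.
WELL_KNOWN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-551": "Backup Operators",
}


def parse_privilege_rights(inf_text):
    """Return {right name: set of principals} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # SIDs are written with a leading '*'; account names are written bare.
        holders = {h.strip().lstrip("*") for h in value.split(",") if h.strip()}
        rights[name.strip()] = holders
    return rights


def audit_separation(inf_text):
    """Split principals into those holding both rights and those holding one."""
    rights = parse_privilege_rights(inf_text)
    backup = rights.get("SeBackupPrivilege", set())
    restore = rights.get("SeRestorePrivilege", set())

    def label(principal):
        return WELL_KNOWN.get(principal, principal)

    return {
        "both": sorted(label(p) for p in backup & restore),
        "backup_only": sorted(label(p) for p in backup - restore),
        "restore_only": sorted(label(p) for p in restore - backup),
    }


def violations(report, accepted=("Administrators",)):
    """Principals holding both rights that are not on the accepted list."""
    return [p for p in report["both"] if p not in accepted]


if __name__ == "__main__":
    report = audit_separation(SAMPLE_EXPORT)
    for key, principals in report.items():
        print("%-13s %s" % (key, ", ".join(principals) or "-"))
    print("review:", violations(report))
```

The built-in Backup Operators group holds both rights by default, so placing operators in it does not separate the duties; granting each right to its own group, as the two constructed CORP accounts illustrate, does.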
Using Windows Clustering
Developing a backup and recovery strategy is important to provide a means of recovering a system if it should fail. However, wouldn’t it be great if you could circumvent a failure before it even occurred? The good news is that there are many ways to offer disaster recovery prevention to your users and your network infrastructure. Some third-party hardware and software solutions can provide for this type of fault tolerance, but why use a third-party solution if you can do this within the Windows OS itself? As you are aware from Windows 2000, high-availability solutions were included in the operating system for your convenience. In this section, we discuss some of the features and benefits of high-availability solutions that are now available in Windows Server 2003.
uptime than can be offered if your network possesses a single point of failure. A single point of failure occurs when the degradation or failure of a single device (whether a hub, a switch, a router, a server, or the like) causes a system or service to become unavailable.
For example, say that you have an Active Directory domain that contains only one domain controller. This would be considered a single point of failure because if that domain controller fails for any reason, it will bring down your network infrastructure by preventing your users from logging on and accessing needed network resources. Another example is a single file and print server that contains all your system printers and user files. Losing this server and restoring from backup would not only be time consuming, it also greatly decreases user productivity during the time required to perform the restore operation.
In the following section, we spend some time planning a high-availability solution for our Windows Server 2003 network, but for now we dedicate a few pages to discussing the three-part clustering strategies that are included in Windows Server 2003.
Availability and Features
As with Windows 2000, clustering is available only in the Enterprise and Datacenter versions of the Windows Server 2003 operating system. Along with Windows Server Clustering, Windows Server 2003, Enterprise Edition offers support for expanded memory and additional processors, allowing applications to run faster, which in turn provides better response for your users. Because of the additional horsepower that the Enterprise version of Windows Server 2003 provides, it is a better candidate for clustering services than Standard Edition. On the other hand, Network Load Balancing is available in any of the four Windows Server 2003 editions (Web, Standard, Enterprise, or Datacenter). As we mentioned, the clustering services provide for a two-part clustering strategy:
■ Network Load Balancing
■ Server Clustering
Network Load Balancing
NLB, unlike Server Clustering, is available in all versions of Windows Server 2003 (Web, Standard, Enterprise, and Datacenter Editions). NLB provides failover support for IP-based applications and services. Using NLB, you can group 2 to 32 servers together to build Server Clusters that support load balancing of TCP, UDP, and GRE traffic between them. Load-balanced servers are recommended for many server installations, including Web servers, Terminal servers, and media servers. Using this technology eliminates the possibility of a single point of failure on a server that provides such a crucial service. In an NLB cluster, a client requests a service from a virtual IP (an IP address that is not assigned to one specific machine) that is shared by all the servers within the cluster, as illustrated in Figure 11.14. In this configuration, should one of the servers fail for any reason, the other servers in the cluster take over. Using NLB is not only a way to provide high availability—it also offers you the ability to take a mission-critical server (such as a company Web or e-commerce server) offline for maintenance without impacting business functionality.
Server Clustering
The second type of clustering strategy is a Server Cluster. A Server Cluster consists of one or more Windows Server 2003 (Enterprise or Datacenter Edition) servers that work together as a single “server” so that applications and services remain available to clients and other servers. Each server in a Server Cluster is a node; each cluster can consist of up to eight nodes. With servers clustered together, users access the nodes as though they were a single system rather than unrelated individual computers. In Windows Server 2003, you can configure three types of Server Clusters:
■ Single-node Server Clusters A single-node Server Cluster has only one node and can be configured to use external storage or local hard disks configured as a clustered storage device.
Cluster has two or more nodes in which each node is attached to a cluster storage device. In a single quorum device Server Cluster, the configuration information for the cluster is kept on a single storage device.
two or more nodes, but the nodes may or may not be attached to one or more storage devices. Unlike the single quorum device Server Cluster, the configuration information for this cluster is stored on multiple storage devices within the cluster and is kept consistent by the clustering service.
You can learn more about choosing a cluster type at www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/SAG_MSCS2planning_6.asp
Planning a High-Availability Solution
In this section, we use the information on using Windows clustering to plan for a high-availability solution using the two high-availability services. Within our plans, we take a look at some of the considerations that you must assess prior to implementing a server cluster solution and what a typical Server Cluster deployment might look like. Then we examine the factors for planning a load-balanced solution and create a new network load-balanced cluster.
Figure 11.14 A Network Load-Balanced Cluster
Clustering Services
In the previous section, we discussed the two types of clustering technologies available for Windows Server 2003. The first step in planning a high-availability solution is to decide on the type of cluster you need for your organization. Again, the two types of available clustering technologies are:
■ Network Load Balancing clusters
■ Server Clusters
Each of these technologies has its own features and benefits; they can be used individually or together to provide an even more robust high-availability solution. However, several considerations will help you make a decision as to which solution is the best fit for you.
Considerations
Unfortunately, Server Clustering is not available in Windows Server 2003 Standard Edition. In order to realize the benefits of Server Clusters, you must have Windows Server 2003 Enterprise Edition or Datacenter Edition installed on your servers. Beyond the limitation of OS version, you must take other items into consideration prior to the deployment of your server cluster, including the hardware to be used within your cluster. Check Microsoft’s list of supported hardware for clustering technologies, which you can find at www.microsoft.com/whdc/hcl/scnet.mspx. You must also make sure that all the servers within your cluster are running the same version of the operating system. This means that a cluster cannot have a mixture of Windows Server 2003 Enterprise Edition and Windows 2003 Datacenter Edition. Before deploying your cluster, make sure you understand which version you need for your installation.
Typical Deployments
Microsoft recognizes the need for Server Clusters in many types of environments but specifically recommends Server Clusters for mission-critical installations that may include Microsoft SQL Server, Exchange Server, and file and print servers. Generally, you will want to deploy a cluster server in any organization in which a particular application or service cannot be unavailable for any reason.
In many configurations, the servers in the Server Clusters reside in the same physical location. However, you might find it necessary to create Server Clusters in separate physical locations. You might install several servers in remote offices that are physically separated,
EXAM 70-296 OBJECTIVE 3.1.1
servers within a cluster is for disaster recovery purposes. For example, if one of the offices where one of the clustered servers is located is destroyed by a natural disaster, the applications and services would still be available on the server in the second location.
Installing a Server Cluster
Before we begin our installation of a Server Cluster, we have to discuss the server location settings. Each server within the cluster must have the same location configuration, meaning that they must all be using the same language, country, and region set during the installation of Windows Server 2003. You must also have the proper rights to the local computer or be a member of the Domain Admins group in order to perform a Server Cluster installation. Once you have verified the server locale information and that you have proper rights to complete the Server Cluster installation, you can install your Server Cluster.
TEST DAY TIP
Expect at least one question about access rights and clustering services. Read the question carefully, and make sure that the exam question is depicting the proper rights.
Securing a Server Cluster
As you might expect, there are certain security considerations in installing a Windows Server 2003 Server Cluster. One of the first security points is the use of the service accounts for the Server Cluster. If you plan to have multiple Server Clusters, avoid using the same service accounts. This will keep users who might know the account information for one cluster from being able to manipulate administrative functions of another cluster. You will also want to avoid placing the cluster service account in the Domain Admins group to avoid any chance of unauthorized changes to your domain. In addition, restrict physical access to the Server Cluster and any infrastructure relating to the cluster. This is not only an important part of securing a Server Cluster—it is good practice for overall network security. Lastly, you will want to enable auditing for all security-related events in the cluster. By logging and auditing these events, you can keep track of authorized and unauthorized access to the Server Cluster.
Network Load Balancing
Although NLB works on any version of the Windows Server 2003 operating system, your server must meet certain hardware requirements. Besides the minimum requirements for a Windows Server 2003 server (which you can find at www.microsoft.com/windowsserver2003/evaluation/sysreqs/default.mspx), you also need between 750KB and 2MB of additional RAM per network adapter. Although you can use just one network adapter for load balancing, you will get much better performance by using a second network adapter.
EXAM 70-296 OBJECTIVE 3.1.2
When your servers are configured in this way, you can use the first network adapter for general network traffic, and the second network adapter can be dedicated to communications between the various nodes in the load-balanced cluster. Besides server components, we must discuss one other consideration prior to installation: sizing of the load-balanced cluster.
EXAM WARNING
Read questions relating to hardware requirements and the installation of load balancing carefully. You might see a question that asks you to calculate the necessary amount of RAM based on Microsoft’s hardware recommendations.
Sizing a Load-Balanced Cluster
When you are planning a load-balanced cluster, you must take into consideration the number of clients that will be using the load-balanced cluster. The anticipated number of clients (or client load) directly affects the number of nodes that are participating within the cluster. Although you can only have up to 32 nodes within a load-balanced cluster, you can maximize your cluster’s performance using servers with a more powerful configuration. For example, if you were reaching the 32-node limitation within your cluster, you could remove the four slowest servers and replace them with four faster and more powerful servers.
Licensing and NLB
One area that usually falls through the cracks in load-balancing efforts is application licensing. Most application packages offer only a one-for-one licensing configuration. This means that a client license for an application only allows you to install the application onto a single machine. Even though you are only using the application in a load-balanced configuration to support additional users, installing the application onto multiple servers might be in violation of the end-user license agreement. If you are unsure of the licensing for an application, read the end-user license agreement (which is either displayed during the installation process or is available in hard copy supplied with the software) before installation. If you are still not sure whether you can use the application without purchasing additional licenses, contact the software vendor. It’s always a better idea to know about licensing issues before installation than it is to find out down the road, during an IT audit.
Typical Deployment
There are four options for deploying a network load-balanced cluster in Windows Server 2003. These models offer different features and functionality, but in the end they all serve the same purpose: balancing the client load for a particular service or application. The different NLB installation models are:
■ which traffic to the nodes within a network cluster is low and the overhead of communications between the nodes of the cluster is not an issue. You can also use this configuration when normal network traffic between the cluster nodes is low or nonexistent
■ in which network traffic from clients to server nodes within the cluster must not be compromised or degraded by traffic within the cluster. In this configuration, the cluster management traffic (or heartbeat traffic) would be transmitted over the second adapter
■ network traffic between the cluster nodes is necessary but is not generally affected by traffic outside the cluster subnet
■ network communication among cluster hosts is necessary and there is a great deal of traffic from outside the cluster subnet to the cluster nodes
EXAM WARNING
Watch for a question that involves cluster nodes that have mixed configurations of unicast and multicast. If a test question presents a Server Cluster that has one server using unicast and another server using multicast, that is very likely the reason that the cluster is functioning improperly.
You can learn more about the advantages and disadvantages of each of these modes at www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/planning_choosing_an_NLB_model.asp. In the following exercise, we install a network load-balanced cluster using the single network adapter in unicast mode model.
Installing Network Load Balancing
As with Server Clusters, you must use an account that is in the Administrators group on each host to perform a Network Load Balancing cluster install. You might also want to set up a dedicated account that will be used for the cluster rather than using an administrative account, but you need to set the credentials for such an account. When (and if) you create such an account, make sure that this account is not used for any other purpose. You will also want to make sure that the password for this account does not expire, since it will be used by the NLB cluster after the installation process as well. Let’s move on to Exercise 11.04 and set up the first node in an NLB cluster.
EXERCISE 11.04
CONFIGURING LOAD BALANCING
In this exercise, we put two servers, SERVER1 and SERVER2, together in a Network Load Balancing cluster. The first thing we need to do to enable and configure our Load Balancing cluster is to start the Network Load Balancing Manager.
1. To start Network Load Balancing Manager, click Start | Run, and type NLBMGR.
Using a Single Network Adapter
Although you can install a network load-balanced cluster using only one network adapter in unicast mode, there are two limitations to this solution:
■ Ordinary network communication among cluster hosts is not possible. This means that if these servers need to share information with one another for any reason (say, SQL servers within a load-balanced cluster sharing database information), you should consider using either a single network adapter in multicast mode or multiple network adapters in unicast or multicast mode.
■ Network traffic intended for any individual computer within the cluster generates additional networking overhead for all computers in the cluster.
If you are not sure that you should use multiple network adapters, you can always configure your cluster using a single network adapter prior to installing additional network adapters for operational purposes.
3. Next we need to enter the cluster parameters (see Figure 11.16). The first parameter is the IP address of the cluster. Keep in mind that this must be a unique address and not one in use by another network node. Here we use 192.168.0.100.
4. Next enter the subnet mask for the cluster. We use 255.255.255.0.
5. Lastly, enter the full Internet name for the cluster. For this example, we use cluster.mycompany.com.
6. Leave the rest of the options at the defaults, and click Next.
7. Now we can specify additional IP addresses for our cluster if it is necessary. Since we will use only the primary address, click Next.
Figure 11.15 The Network Load Balancing Manager
Figure 11.16 The Cluster Parameters
8. We are now allowed to select the ports we want to load balance between these servers (see Figure 11.17). Assume that these servers will be hosting Web pages (secured and unsecured). We can limit the traffic to these servers by first clicking Remove to delete the default selection of all ports.
9. Next, click the Add button to add a port rule.
10. In the Add/Edit Port Rule window (see Figure 11.18), change the port range from 0 to 65535 to 80 to 80 and click OK. This will allow HTTP traffic to be load balanced.
Figure 11.17 NLB Port Rules
Figure 11.18 The Add/Edit Port Rule Window
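An added example, not part of the original text: a Python check over per-host NLB settings that flags the misconfigurations this section warns about, namely mixed unicast and multicast modes, a cluster IP already in use by a node, and port rules wider than the Web ports the exercise keeps. The record layout, the dedicated host addresses and the allowed set of ports 80 and 443 are assumptions, and the sample data is constructed.

```python
import ipaddress

# Constructed sample: NLB settings noted from each host's properties.
# Field names, dedicated IPs and SERVER2's faults are assumptions for the demo.
HOSTS = [
    {"name": "SERVER1", "mode": "unicast", "cluster_ip": "192.168.0.100",
     "mask": "255.255.255.0", "dedicated_ip": "192.168.0.11",
     "port_rules": [(80, 80)]},
    {"name": "SERVER2", "mode": "multicast", "cluster_ip": "192.168.0.100",
     "mask": "255.255.255.0", "dedicated_ip": "192.168.0.100",
     "port_rules": [(0, 65535)]},  # default all-ports rule never removed
]
ALLOWED_PORTS = {80, 443}  # assumption: HTTP and HTTPS only
MAX_NODES = 32             # node limit stated in the text


def audit_nlb(hosts, allowed_ports=ALLOWED_PORTS):
    """Return sorted (scope, finding) tuples for one NLB cluster."""
    findings = []
    if len(hosts) > MAX_NODES:
        findings.append(("cluster", f"{len(hosts)} nodes exceeds {MAX_NODES}"))
    # Every host must use the same cluster operation mode.
    if len({h["mode"].lower() for h in hosts}) > 1:
        findings.append(("cluster", "mixed unicast and multicast modes"))
    # Every host must agree on the cluster address and mask.
    if len({(h["cluster_ip"], h["mask"]) for h in hosts}) > 1:
        findings.append(("cluster", "hosts disagree on cluster IP or mask"))
    for h in hosts:
        # ip_address() also rejects malformed addresses with ValueError.
        vip = ipaddress.ip_address(h["cluster_ip"])
        if ipaddress.ip_address(h["dedicated_ip"]) == vip:
            findings.append((h["name"], "cluster IP is also a host address"))
        for start, end in h["port_rules"]:
            wanted = sum(1 for p in allowed_ports if start <= p <= end)
            extra = (end - start + 1) - wanted
            if extra:
                findings.append(
                    (h["name"], f"rule {start}-{end} covers {extra} unneeded ports"))
    return sorted(findings)


if __name__ == "__main__":
    for scope, finding in audit_nlb(HOSTS):
        print(f"{scope}: {finding}")
```

An empty result means the recorded settings agree across hosts and only the intended Web ports are load balanced.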