
Windows Server 2003 Best Practices for Enterprise Deployments, part 1


DOCUMENT INFORMATION

Basic information

Title: Windows Server 2003 Best Practices For Enterprise Deployments
Authors: Danielle Ruest, Nelson Ruest
Supervisor: Stephane Asselin, Technical Editor
School: McGraw-Hill/Osborne
Type: book
Year of publication: 2003
City: Emeryville
Format
Number of pages: 53
File size: 1.59 MB


Windows Server 2003

Best Practices for Enterprise Deployments

About the Authors

Danielle Ruest is a workflow architect and process consultant focused on people and organizational issues for large IT deployment projects. During her 22-year career, she has led change-management processes, developed and delivered training, and managed communications programs during process-implementation projects. Danielle is the co-author of numerous articles and presentations as well as Preparing for .NET Enterprise Technologies, a book on mastering change in the enterprise.

Nelson Ruest is an enterprise architect specializing in infrastructure design. He is a Microsoft Certified Systems Engineer and Microsoft Certified Trainer. The goal of his 22-year career has been to assist organizations in mastering the technologies they depend upon. He is also a frequent guest speaker at Comdex and other conferences in North America. Nelson is the co-author of numerous articles as well as Preparing for .NET Enterprise Technologies.

Both work for Resolutions Enterprises (http://www.Reso-Net.com/), a Canadian consulting firm that provides services in the architectural and project management fields.

About the Technical Editor

Stephane Asselin has been involved with information technology for the past 11 years, with a majority of his time focused on hardware and networking configurations. He has done infrastructure assessment and host hardening on Microsoft technologies for five years. He is a Certified Information Systems Security Professional (CISSP) and a Microsoft Certified Systems Engineer (MCSE). More recently, he has been involved in supportability reviews for government agencies to help them prepare for their Windows Server 2003 migration. He is currently a senior technical account manager for Microsoft Corporation.

Danielle Ruest

Nelson Ruest

McGraw-Hill/Osborne

New York / Chicago / San Francisco / Lisbon / London / Madrid / Mexico City / Milan / New Delhi / San Juan / Seoul / Singapore / Sydney / Toronto

2100 Powell Street, Floor 10

Emeryville, California 94608

U.S.A.

To arrange bulk purchase discounts for sales promotions, premiums, or fund-raisers, please contact McGraw-Hill/Osborne at the above address. For information on translations or book distributors outside the U.S.A., please see the International Contact Information page immediately following the index of this book.

Windows® Server 2003: Best Practices for Enterprise Deployments

Copyright © 2003 by The McGraw-Hill Companies. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN 0-07-222343-X

Publisher: Brandon A. Nordin

Vice President & Associate Publisher: Scott Rogers

Acquisitions Editor: Franny Kelly

Project Editor: Patty Mon

Acquisitions Coordinators: Emma Acker, Martin Przybyla

Technical Editor: Stephane Asselin

Copy Editor: Lunaea Weatherstone

Indexer: Karin Arrigoni

Computer Designers: Carie Abrew, Lucie Ericksen

Illustrators: Melinda Moore Lytle, Michael Mueller, Danielle Ruest, Lyssa Wald

Series Design: Roberta Steele

Cover Series Design: Jeff Weeks

This book was composed with Corel VENTURA™ Publisher.

If there is one thing we have learned in our 22 years of experience, it is that even if technology is constantly changing, one thing remains the same: we must always take the time to master a technology before implementing it. But, even before that, we must fully comprehend our needs. The best way to achieve this is to work as a team. Including personnel from all areas of the enterprise can only make a better product in the end.

Thus we dedicate this book to you, the reader, in hopes that it will help you achieve this goal.

Contents at a Glance

Chapter 1 Planning for Windows Server 2003

Chapter 2 Preparing for Massive Installations of Windows Server 2003

Chapter 3 Designing the Active Directory

Chapter 4 Designing the Enterprise Network IP Infrastructure

Chapter 5 Building the PC Organizational Unit Infrastructure

Chapter 6 Preparing the User Organizational Unit Infrastructure

Chapter 7 Designing the Network Services Infrastructure

Chapter 8 Managing Enterprise Security

Chapter 9 Creating a Resilient Infrastructure

Chapter 10 Putting the Enterprise Network into Production

Index

Preface

Acknowledgments

Introduction

Chapter 1 Planning for Windows Server 2003

Windows Server 2003

Building the Foundation of the Network

The Server Lifecycle

The Service Lifecycle

A New Model for Server Construction and Management

The Benefits of the PASS Model

A Structured Approach: Using Standard Operating Procedures

SOP Best Practices

Enterprise Network Architectures

Building on Windows 2000: The WS03 Model

Product Activation

The Windows Server Enterprise Architecture

Designing the Enterprise Network Architecture

The Architectural Design Process

Performing a Situation Review and Needs Analysis

The Changing Role of Servers

Consolidating Servers with Windows Server 2003

Using the PASS Model

Migration Considerations

Upgrade versus Clean Installation

Using the Technological Lab as a Testing Ground

Moving On

Best Practice Summary

Chapter Roadmap

Chapter 2 Preparing for Massive Installations of Windows Server 2003

Choosing the Migration Approach

Choosing What to Migrate First

Detailed Inventories

Security Considerations

Licensing Considerations

Installing and Configuring Servers

Preparing for Massive Installations

Using Installation Documentation

The Installation Preparation Checklist

Documenting Server Installations

The Post-Installation Checklist

Massive Installation Processes

The Initial Installation

Customizing Your Server

Choosing the Massive Installation Method

Scripting Upgrades

Disk Imaging

Remote Installation

Putting the Server in Place

Best Practice Summary

Chapter Roadmap

Chapter 3 Designing the Active Directory

Introducing Active Directory

New Features for Active Directory

The Nature of Active Directory

Designing the Solution: Using the Active Directory Blueprint

AD Partitioning

AD Service Positioning

Implementation Plan

Putting the Blueprint into Action

Forest/Tree/Domain Strategy

Forest Design Example

Production Forest Design

Domain Strategy Design

Other Forest Domain Designs

Forest Design Best Practices

Designing the Naming Strategy

Naming Best Practices

Designing the Production Domain OU Structure

The OU Design Process

The PCs Object OU Structure Design

The Services Object OU Structure Design

The People Object OU Structure Design

Replicating the OU Structure to Other Domains

Production OU Design Best Practices

AD and Other Directories

Microsoft MetaDirectory Services

Integrated Applications for NOS Directories

AD Integration Best Practices

Service Positioning

Operation Masters Positioning

Global Catalog Server Positioning

Domain Controller Positioning

DNS Server Positioning

Service Positioning Best Practices

Server Positioning Scenario

Site Topology

Site Topology Design

Creating Site Link Bridges

Best Practices for Site Topology Design

T&T Corporation’s Site Topology Scenario

Schema Modification Strategy

Schema Modification Strategy Best Practices

AD Implementation Plan

The Ongoing AD Design Process

Best Practice Summary

Chapter Roadmap

Chapter 4 Designing the Enterprise Network IP Infrastructure

TCP/IP in Windows Server 2003

New IP Features in WS03

Implementing a New Enterprise Network

Preparing the Parallel Network

Creating the Production Active Directory

Forest Staging Activities

Installing the First Server in a Forest

Creation of the Second DC in the Forest Root Domain

Creation of the First DC in the Global Child Production Domain

Creating the Second DC in the Global Child Production Domain

Connecting the Enterprise Network

Network Infrastructure Staging Activities

Server Installation and Configuration

Configuring the First Network Infrastructure Server

Configuring the Second Network Infrastructure Server

Moving Servers and Configuring Domain Replication

Upgrading Active Directory from Windows 2000 to WS03

The Upgrade Process

Ongoing Forest Management

Best Practice Summary

Chapter Roadmap

Chapter 5 Building the PC Organizational Unit Infrastructure

Managing Objects with Active Directory

Group Policy Concepts

Group Policy Processing

GPO Inheritance (and Blocking)

Policy Loopback

Policy Filtering

Fast Logon Optimization

Policy Design

Designing a GPO Strategy

GPO Application and Processing Speed

Creating an OU Design for PC Management Purposes

Centralized PC Administration

Decentralized PC Administration

Designing for Delegation

Delegation in Active Directory

Designing a Delegation Strategy

Enterprise PC Management

Software Installations with WS03

Enterprise Software Assets

Software Delivery in the Enterprise

Completing the OU Strategy

Putting the PCs OU Infrastructure in Place

Using the Group Policy Management Console

Best Practice Summary

Chapter Roadmap

Chapter 6 Preparing the User Organizational Unit Infrastructure

Managing User Objects with Active Directory

The Active Directory User Object

Using Template Accounts

Massive User Management

Managing and Administering Groups

WS03 Groups Types and Group Scopes

Best Practices for Group Management/Creation

Creating an OU Design for User Management Purposes

The People OU Structure

User-Related GPO Concepts

Completing the People OU Structure

Putting the People OU Infrastructure in Place

Best Practice Summary

Chapter Roadmap

Chapter 7 Designing the Network Services Infrastructure

Preparing File and Print Servers

Sharing Files and Folders

Expanding Disks for File Storage

Disk Structure Preparation

Creating the File Server

Creating the Folder Structure

Enabling File Server Services

Sharing Folders

Publishing Shares in Active Directory

Finding a Share in AD

Managing Folder Availability

Distributed Link Tracking

Working with the Distributed File System

Sharing Printing Services

WS03 Printer Drivers

Integration with Active Directory

Managing Printer Permissions

Internet Printing Protocol

Establishing a Shared Printer Policy

Creating the Print Server

Sharing Files and Printers for Non-Windows Clients

Macintosh Computers

UNIX Integration

Preparing Application Servers

Sharing Applications: Commercial and Corporate

Preparing Terminal Servers

Sharing Applications: Terminal Services

Collaboration Servers

Additional Network Infrastructure Server Functions

Preparing Remote Installation Services Servers

Server System Requirements by Role

Designing the Services OU Structure

Considerations for the Migration of Services to the Parallel Network

Best Practice Summary

Chapter Roadmap

Chapter 8 Managing Enterprise Security

Security Basics

Designing a Security Policy

The Castle Defense System

The Security Plan

The Microsoft Security Operations Guide

Windows Server 2003 Security

Applying the Castle Defense System

Level 1: Critical Information

Level 2: Physical Protection

Level 3: Operating System Hardening

System Security Configuration

Security Template Best Practices

Antivirus Strategies

General Active Directory Security

File System Security

Print System Security

.NET Framework Security

Internet Information Server 6.0

Final Operating System Hardening Activities

Level 4: Information Access

Smart Card Authentication

Securing User Identification

Managing Trusts

Web Server Access Control

.NET Framework Authentication

Access Audition and Monitoring

Level 5: External Access

Designing an Internal Public Key Infrastructure

Managing the Security Policy

Best Practice Summary

Chapter Roadmap

Chapter 9 Creating a Resilient Infrastructure

Planning for System Redundancy

Preparing for Potential Disasters

Using WS03 Clustering Services

Network Load Balancing

Multiple-Node Server Clusters

Server Consolidation

Consolidation Through Server Baselining

Planning for System Recovery

Recovery Planning for the Enterprise Network

Data Protection Strategies

Finalizing Your Resiliency Strategy

Best Practice Summary

Chapter Roadmap

Chapter 10 Putting the Enterprise Network into Production

Migrating Data, Users, and PCs to the Parallel Network

Using the Active Directory Migration Tool

Transferring Networked User Data

Decommissioning the Legacy Network

Revising the IT Role Structure

New and Revised AD IT Roles

Designing the Services Administration Plan

WS03 Administrative Tools

Final Recommendations

Best Practice Summary

Chapter Roadmap

Index

Preface

Windows Server 2003 is a graphical environment. As such, many of its operations are wizard-based. We recommend you use the wizard interface even though there may be command-line equivalents. The reason for this is because a wizard enforces best practices and standard operating procedures automatically. The wizard always uses the same steps and always provides the ability to review your actions before they are implemented.

This does not mean that you need to dally on screens that only provide information. Read them at least once and when you’re familiar with their content, move on to the screens where you need to perform actions.

We cannot emphasize standard operating procedures enough. An enterprise network simply cannot be built on ad hoc procedures. This is one of the reasons for this book. It provides best practices and standard procedures for building an enterprise network with Windows Server 2003. We hope you find it useful.

Comments can be sent to WindowsServer@Reso-Net.com.

Acknowledgments

We would like to thank all of the people who helped make this book a reality, especially Stephane Asselin of Microsoft Premier Support, our technical reviewer. Thanks for all of your constructive ideas. We would also like to thank Charles Gratton of Hewlett-Packard Canada for giving so much of his personal time and dedication to let us test Windows Server 2003 on various hardware configurations.

Thanks also to Microsoft’s development and marketing team for Windows Server 2003 for all of their help in finding the right solution when issues arose. Specifically, we’d like to thank Jan Shanahan, Jill Zoeller, Jenna Miller, Jackson Shaw, Kamal Janardhan, and B.J. Whalen.

Thanks to VMware Corporation for providing us with the software required to create our entire technical laboratory. Thanks also to all of the other manufacturers that provided us with pre-release software tools so that we could cover enterprise needs as much as possible. You’ll find yourselves within the book.

Finally, thanks to McGraw-Hill/Osborne for all their patience and dedication in helping us make this a better book. Franny, it was fun to be part of your team.

Introduction

Building an enterprise network is no small task. Worse, it seems you have to start over every time the server operating system changes. This book provides a structured approach that lets you create a brand new enterprise network that is built on the best features of Microsoft’s new operating system (OS), Windows Server 2003. This network is built in a parallel environment that does not affect your current production network. Then, when you’re ready to make the migration, it outlines how to take security principals, documents, data, and applications and move them from your legacy network to the new, parallel environment. This way, you can immediately begin to profit from the best of this powerful OS.

To achieve this goal, the book is divided into ten chapters, each building on the concepts of the previous chapters to finally cover all of the elements required to build your new network. The core concept of this book is its focus on enterprise features—only those features that are relevant to an enterprise environment. Microsoft used a similar approach when they decided to remove such features as Universal Plug and Play and scanner drivers from the OS because they are not server features and are not relevant in an enterprise. Similarly, this book discards the features that are not intended for the enterprise from Windows Server 2003’s more than 400 new features and improvements.

Each chapter includes both discussion points and step-by-step implementations. Each chapter is chock full of best practices, checklists, and processes. In addition, each chapter ends with a Chapter Roadmap—a graphical illustration of the elements covered in the chapter, relevant figures, and tools found on the companion Web site (http://www.Reso-Net.com/WindowsServer/). The chapters are divided into the following topics:

• Chapter 1: Planning for Windows Server 2003 gives an overview of the processes you need to prepare your migration to the new OS. It discusses the various elements you must have on hand before you proceed.

• Chapter 2: Preparing for Massive Installations of Windows Server 2003 identifies the four supported installation methods for Windows Server 2003 and helps you choose the most appropriate massive installation method for your organization.

• Chapter 3: Designing the Active Directory reviews all of the requirements of an Active Directory and outlines the steps required to build it. It uses different scenarios to help you understand the most complex concepts of this powerful enterprise network feature.

• Chapter 4: Designing the Enterprise Network IP Infrastructure focuses on TCP/IP, the core communication protocol of the enterprise network. Then it begins the parallel network installation.

• Chapter 5: Building the PC Organizational Unit Infrastructure looks at the elements you need to put in place to manage PCs with Active Directory. It begins the discussion on Group Policy, a discussion that will not end until Chapter 8.

• Chapter 6: Preparing the User Organizational Unit Infrastructure examines how to manage user objects through Active Directory. It includes an extensive discussion of the use of groups within an enterprise network.

• Chapter 7: Designing the Network Services Infrastructure covers the services the network is to deliver to users. It outlines how these services should be built and identifies how they should be implemented.

• Chapter 8: Managing Enterprise Security focuses on one element and one element only: security. It introduces a new system, the Castle Defense System, which can be used to simplify security policy design and implementation.

• Chapter 9: Creating a Resilient Infrastructure is concentrated on making sure your services are always available. As such, it covers both redundancy and disaster recovery.

• Chapter 10: Putting the Enterprise Network into Production tells you how to migrate users from your legacy network to the new, parallel environment you created. In addition, it begins a discussion of the new and revamped IT roles you will require now that you are running a network through Active Directory.

Migrating to a new server OS is not a task that should be taken lightly. This is why you should make sure your project team includes all of the right players. These should focus on at least two groups: the first will work at the elaboration of the network architecture and the second will focus on the preparation of installation procedures and perform the installation itself. The technical project team should include architects, system administrators, installers, user representatives, support personnel, developers, and project managers. You should make sure you involve your current administrative and operational staff in this project. This will help you recover the best of the existing network and help them learn more about the new operating system they will soon be using.

In addition, you need to make sure that you involve the right stakeholders in your project. Not having the right stakeholders can be as disastrous as not making the right technical decisions.

Finally, managing a project of this magnitude can be complex and can give you the impression it is never-ending unless you structure it properly. Thus, each chapter has been designed to help you structure the technical activities needed to perform the migration. This does not mean that every chapter needs to be addressed in a sequential order. Though this is possible and even appropriate in some cases, in very large organizations it would improperly stretch the project timeline. Some chapters require the participation of your entire technical project team, but others do not because they are focused on specific areas of technical expertise. Figure 1 illustrates a sample timeline distribution for the activities found in each chapter. It lets you divide the technical project team into appropriate

Figure 1. The Windows Server 2003 Migration Timeline

Date posted: 14/08/2014, 01:20