Contents
Overview
Constraints of Combining Services
Securing a Design by Combining Services
Discussion: Combining Networking Services
Networking Services
with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2000 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, PowerPoint, Visual Basic, Visual C++, Visual Studio, Win32, Windows, Windows Media, Windows NT, are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries/regions.
Project Lead: Don Thompson (Volt Technical)
Instructional Designers: Patrice Lewis (S&T OnSite), Renu Bhatt NIIT (USA) Inc
Instructional Design Consultants: Paul Howard, Susan Greenberg
Program Managers: Jack Creasey, Doug Steen (Independent Contractor)
Technical Contributors: Thomas Lee, Bernie Kilshaw, Joe Davies
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editor: Kristen Heller (Wasser)
Copy Editor: Kaarin Dolliver (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Test Leads: Sid Benevente, Keith Cotton
Test Developer: Greg Stemp (S&T OnSite)
Production Support: Lori Walker (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Manager: Ken Rosen
Group Product Manager: Robert Stewart
Other product and company names mentioned herein may be the trademarks of their respective owners.
At the end of this module, students will be able to:
Identify the benefits of combining networking services on a single computer.
Improve the networking services design by specifying the appropriate combinations of networking services.
Secure a networking services design by specifying the appropriate combination of networking services.
Enhance the availability of networking services by specifying the appropriate combination of services.
Optimize the performance of networking services by specifying the appropriate combination of services.
Upon completion of the lab, students will be able to design a networking services solution that supports the combining of networking services.
Course Materials and Preparation
This section provides you with the required materials and preparation tasks that are needed to teach this module.
Required Materials
To teach this module, you need the following materials:
Microsoft PowerPoint® file 1562B_12.ppt
Preparation Tasks
To prepare for this module:
Review the contents of this module.
Read any relevant information in the Windows 2000 Help files, the Windows 2000 Resource Kit, or documents provided on the Instructor CD.
Review discussion material and be prepared to lead class discussions on the topics.
Complete the lab and be prepared to elaborate beyond the solutions found there.
Read the review questions and be prepared to elaborate beyond the answers provided in the text.
Presentation: 60 Minutes
Labs: 30 Minutes
Module Strategy
Use the following strategy to present this module:
Benefits of Combining Services
By combining multiple networking services on a single Windows 2000–based computer, you simplify the network and use hardware resources efficiently. Explain that by combining the networking services on a computer, the number of computers in a network can be reduced, and the security, availability, and performance of the networking services design can be improved.
Constraints of Combining Services
Point out that hardware resources, network topology, and applications are major constraints in combining applications.
Securing a Design by Combining Services
Usually, services can be combined on a computer that is within the private network. Point out that combining networking services on computers that establish or reside within screened subnets can compromise the security of the network design.
Discussion: Combining Networking Services
Ensure that students understand the scenario description and directions for the Discussion. Direct them to read through the scenario and answer the questions. Be prepared to clarify if necessary. Lead a class discussion on the students’ responses.
Enhancing Availability by Combining Services
When combining multiple services on a single computer, the availability of that computer becomes essential for network operation. Emphasize that the availability of networking services can be enhanced by combining services on computers that have signed drivers and stable, third-party software. Explain the guidelines for combining networking services that are cluster-aware.
Optimizing Performance by Combining Services
The resources used on a computer can be increased by combining the networking services on that computer. The performance of each networking service is based on the availability of resources to the service. Explain the use of combinations that reduce network traffic and avoid resource contention.
Discussion: Enhancing Combined Services Solutions
Make sure that students understand the scenario description and directions for the Discussion. Direct them to read through the scenario and answer the questions. Be prepared to clarify if necessary. Lead a class discussion on the students’ responses.
Lab Strategy
Use the following strategy to present this lab.
Lab A: Designing a Combined Services Solution
In the lab, students will design a routing solution based on specific requirements outlined in the given scenario.
Students will review the scenario and the design requirements and read any supporting materials. They will use this information, and the knowledge gained from the module, to develop a detailed design by combining networking services.
To conduct the lab:
Read through the lab carefully, paying close attention to the instructions and to the details of the scenario.
Consider dividing the class into teams of two or more students.
Present the lab and make sure students understand the instructions and the purpose of the lab.
Direct students to use the planning worksheet to record their solutions.
Remind students to consider any functionality, security, availability, and performance criteria provided in the scenario and how they will incorporate strategies to meet these criteria in their design.
Allow some time to discuss the solutions after the lab is completed. A solution is provided in your materials to assist you in reviewing the lab results. Encourage students to critique each other’s solutions and to discuss any ideas for improving their designs.
Overview
Benefits of Combining Services
Constraints of Combining Services
Securing a Design by Combining Services
Discussion: Combining Networking Services
Enhancing Availability by Combining Services
Optimizing Performance by Combining Services
Discussion: Enhancing Combined Services Solutions
By combining multiple networking services on a single Microsoft® Windows® 2000–based computer, you simplify the network and use hardware resources efficiently. Dedicating individual computers to single networking services increases the number of computers in the network. When more computers are added to the network, the administration and ongoing support for a network become more complex.
In addition, by combining certain networking services, you improve the security, availability, and performance of the networking services design. In this module, you will evaluate and create designs that combine networking services on a single computer.
At the end of this module, you will be able to:
Identify the benefits of combining networking services on a single computer.
Improve the networking services design by specifying the appropriate combinations of networking services.
Secure a networking services design by specifying the appropriate combination of networking services.
Enhance the availability of networking services by specifying the appropriate combination of services.
Optimize the performance of networking services by specifying the appropriate combination of services.
In this module, you will evaluate and create networking services designs that combine networking services on a single computer.
Benefits of Combining Services
Reducing the Number of Computers
Improving Security, Availability, and Performance
[Illustration: network diagram; surviving labels: Screened Subnet C, Server Cluster]
You can combine multiple networking services on a single computer to reduce network management. When combining networking services on a single computer, you must also consider the impact of the combination on the security, availability, and performance of the network.
Reducing the Number of Computers
You can optimize your network design by combining multiple networking services, which reduces the number of computers in the design. Combining services on a computer also reduces the management of the network because there are fewer computers to monitor and maintain.
Combine services to reduce the number of computers in your network design if:
Combining the services improves or achieves the design criteria for the security, availability, and performance of the network.
The existing computer hardware resources can support the combined services.
The organization’s goal is to reduce the number of computers that it must manage and maintain.
In the preceding illustration, Server A1 is running DNS and Server A2 is running DHCP. If the hardware resources of Server A1 are sufficient to support DNS and DHCP, you can combine DNS and DHCP on Server A1. This eliminates the requirement for Server A2, or allows Server A2 to act as a redundant server to Server A1.
single computer to reduce the number of computers that you must manage in the network
Delivery Tip: Refer to the slide when explaining the scenario. Tell the students that all of the topics in this module refer to the same scenario and the relevant portions are highlighted on the slide.
Improving Security, Availability, and Performance
The goal of combining networking services is not just to reduce the number of computers in your network design, but to also optimize your network design. You can optimize your networking services design to improve the security, availability, and performance of network resources.
The following table describes the situations in which combining networking services on the same computer can improve the security, availability, and performance of your network resources.
To improve | Combine the services to | Example
Security | Isolate the networking services that manage confidential data | When combining a remote access server with a DNS server that contains public zone data in a screened subnet
Availability | Reduce the probability of a failure that results in the loss of the networking service | When combining WINS and DHCP on a server cluster
Performance | Reduce the network traffic, or optimize the computer resources that are underused | When combining WINS and DNS on the same computer
You need to identify the primary reason for combining the networking services, and then prioritize secondary reasons accordingly. Ensure that you always achieve the primary reason, even at the expense of one of the secondary reasons.
For example, in network designs in which security is a primary concern, ensure that the combination of networking services enhances the security of the network. After you have dealt with the security concerns, you can address the availability and performance concerns accordingly.
Note: All of the topics in this module refer to the same scenario and the relevant portions are highlighted on the slide.
Constraints of Combining Services
Hardware Resources
The computer hardware resources are the most common constraint in combining networking services on a single computer. Each networking service requires different hardware resources. Some services require a large amount of memory resources, whereas other services are processor-intensive.
As a best practice, you can combine services on a single computer until the hardware resources of the computer are fully used.
Physical Networks
The physical network can constrain the combination of networking services because combining the networking services can create an increase in network traffic. The increase in network traffic can saturate intermediary routers or wide area network (WAN) segments.
You can combine services on the same computer in your network design if:
The clients that access the combined services reside in the same geographic location as the computer that runs the combined services.
The intermediary routers and network segments can support the increase in traffic when clients access the combined services from a remote segment.
Applications
Applications running on existing computers can prevent you from combining some networking services. Applications may consume all of the hardware resources and may require periodic restart of the computer for updates to the application.
As a best practice, avoid combining networking services on the same computer as application servers such as Microsoft SQL Server™ or Microsoft Exchange Server.
Securing a Design by Combining Services
[Illustration: network diagram; surviving labels: Server C1, Server C2, Proxy Servers, Screened Subnet C]
In your networking services design, you include combinations of networking services that improve network security. Usually, you combine services on a computer that is within the private network.
Combining networking services on computers that establish or reside within screened subnets can compromise the security of your network design. Proxy servers and routers are examples of these computers.
Combining Services Within the Private Network
Any computer that resides within the private network is at the lowest security risk within the organization. The risk is low because access to these computers is granted to only authenticated users within the organization. Because the computer resides within the private network, the security risks for combining services on this computer are addressed by the private network security.
Combining Services Within Screened Subnets
Any computer that resides within a screened subnet is at a higher security risk than a computer within the private network because access to the computers within screened subnets is granted to users outside the organization.
Within screened subnets, combine services on the same computer if all of the users that access the computer:
Are at the same security level.
Require access to all of the networking services running on the computer.
Slide Objective: To introduce the guidelines for combining networking services to secure a network design.
Lead-in: You can combine networking services to improve network security.
Point out the red/dark circles on the slide to explain which services to combine for securing a network design.
When combining services on the same computer within a screened subnet, consider that:
Once a user can communicate with that computer, all services on it are potentially at risk of unauthorized access.
Most networking services store configuration information in the Windows 2000 registry, or in files on the computer. Without proper security measures, unauthorized users can gain access to the registry or these configuration files and modify the configuration of the networking service.
In the preceding illustration, consider combining DHCP, Routing and Remote Access, and Remote Authentication Dial-In User Service (RADIUS) on Server D1. If the users accessing Server D1 require access to only Routing and Remote Access and RADIUS, the DHCP service is at risk from unauthorized access. To prevent unauthorized access to DHCP, you must remove the DHCP services.
Isolating Services That Define Screened Subnets
Computers that run services used in defining screened subnets (such as Microsoft Proxy Server or Routing and Remote Access) are at the highest security risk in your design because unauthorized users can access them. When combining services on these computers, you must consider the risks involved in unauthorized users accessing these services.
On computers that connect to public networks, combine only those services that are required to define the screened subnet.
In the preceding illustration, consider combining Microsoft Proxy Server and DNS on one of the proxy server computers. The DNS service on the Proxy Server will be at risk because unauthorized users outside the private network might be able to access the DNS zone database.
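The placement rules in this section can be applied mechanically to a design inventory before deployment. The following is an added example, not part of the original courseware; the zone labels, rule names, user-group names, and "Server X1" are assumptions, and the sample design is constructed from the Server A1, Server D1, and proxy server cases in the text.

```python
"""Review a combined-services design against the screened-subnet rules above.

Added example: the zone labels, rule names, group names and sample design are
assumptions constructed for illustration.
"""
from dataclasses import dataclass, field

PRIVATE = "private"    # inside the private network
SCREENED = "screened"  # resides within a screened subnet
BOUNDARY = "boundary"  # defines a screened subnet or connects to a public network
ZONES = {PRIVATE, SCREENED, BOUNDARY}

# Services the text names as defining screened subnets.
BOUNDARY_SERVICES = frozenset({"Proxy Server", "Routing and Remote Access"})


@dataclass(frozen=True)
class UserGroup:
    name: str
    security_level: str            # assumed label, e.g. "employee", "partner"
    required_services: frozenset   # services this group must be able to reach


@dataclass
class Server:
    name: str
    zone: str
    services: frozenset
    user_groups: list = field(default_factory=list)


def review_server(server):
    """Return (server, rule, detail) tuples; an empty list means no rule is broken."""
    if server.zone not in ZONES:
        raise ValueError(f"{server.name}: unknown zone {server.zone!r}")
    findings = []
    if server.zone == PRIVATE:
        # Private-network placement: risk is addressed by private network security.
        return findings
    if server.zone == BOUNDARY:
        # Only services required to define the screened subnet belong here.
        for svc in sorted(server.services - BOUNDARY_SERVICES):
            findings.append((server.name, "NOT_REQUIRED_TO_DEFINE_SUBNET", svc))
        return findings
    # Screened subnet, rule 1: all users are at the same security level.
    levels = sorted({g.security_level for g in server.user_groups})
    if len(levels) > 1:
        findings.append((server.name, "MIXED_SECURITY_LEVELS", ", ".join(levels)))
    # Screened subnet, rule 2: every user group requires every service present.
    for svc in sorted(server.services):
        if any(svc not in g.required_services for g in server.user_groups):
            findings.append((server.name, "SERVICE_NOT_REQUIRED_BY_ALL_USERS", svc))
    return findings


def review_design(servers):
    """Review every server and return the combined list of findings."""
    findings = []
    for server in servers:
        findings.extend(review_server(server))
    return findings


# Constructed sample design; "Server X1" and all group names are hypothetical.
RAS = "Routing and Remote Access"
SAMPLE_DESIGN = [
    Server("Server A1", PRIVATE, frozenset({"DNS", "DHCP"}),
           [UserGroup("employees", "employee", frozenset({"DNS", "DHCP"}))]),
    Server("Server D1", SCREENED, frozenset({"DHCP", RAS, "RADIUS"}),
           [UserGroup("remote users", "remote", frozenset({RAS, "RADIUS"}))]),
    Server("Proxy server 1", BOUNDARY, frozenset({"Proxy Server", "DNS"})),
    Server("Server X1", SCREENED, frozenset({"DNS"}),
           [UserGroup("partners", "partner", frozenset({"DNS"})),
            UserGroup("internet users", "public", frozenset({"DNS"}))]),
]

if __name__ == "__main__":
    for name, rule, detail in review_design(SAMPLE_DESIGN):
        print(f"{name}: {rule}: {detail}")
```

Each finding names the service to remove or isolate, which matches the remedies in the text: DHCP comes off Server D1, and DNS comes off the proxy server computer.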
Discussion: Combining Networking Services
[Illustration: company locations; surviving labels: New York, Washington DC, Atlanta, Kansas City]
To create designs in which you combine networking services, you need to determine the networking services to include in the design and how you will combine the networking services. This discussion involves designing basic combinations of networking services. During the discussion, note any ideas presented by other students in the class that are relevant to the solution.
The following scenario describes the current network configuration of a telemarketing company. Read the scenario and answer the questions. Be prepared to discuss your answers with the class.
Scenario
A telemarketing research company conducts studies to collect demographics on potential consumers for other organizations’ products and services. At each location, a group of market research analysts conducts telephone interviews to determine the purchasing decisions of the target consumer profile. Each location has a dedicated T1 or T3 connection to the Internet.
The market research analysts use a Web-based application for call tracking and recording of the consumer responses. The organizations that are funding the study can examine the results over the Internet by using a Web-based application, or they access the data directly from a Microsoft SQL Server™ located in the Kansas City location.
services, you must decide on the required networking services and how you will combine these services
Delivery Tip: Read the scenario to the students and review the questions as a group. Give the students time to consider their answers and then lead a discussion based on their responses. Remind the students that there can be more than one possible solution to the scenario.
Questions
1. The telemarketing research company will deploy Windows 2000 and will use the Active Directory™ directory service to provide directory services. Which networking services that are provided by Windows 2000 could you recommend to the company?
You could include the following networking services:
You could set up any combination of DHCP, DNS, and WINS on the same computer.
3. Which services would you recommend combining or isolating from one another to improve the security of the combined services solution?
Isolate Routing and Remote Access from the other networking services. Isolate Proxy Server from the other networking services.
Enhancing Availability by Combining Services
Combining with Signed Drivers and Third-Party Software
Combining with Windows Clustering
If you combine multiple services on a single computer, the availability of that computer becomes essential for network operation. If you combine services to meet the high availability requirement of specific networking services, you must select a combination of services that ensures the availability of the required services.
You can increase the availability of services combined on a single computer with hardware fault-tolerance solutions. You can also enhance the availability of the networking services by:
Combining services on computers that have signed device drivers, signed applications, signed services, and stable, third-party software.
Combining the networking services with Windows Clustering technologies.
computer, the availability of that computer becomes essential for network operation
Combining with Signed Drivers and Third-Party Software
[Illustration: network diagram; surviving labels: Server D2, Proxy Servers, Server Cluster]
Combining Services with Signed Software
Windows 2000 supports signed device drivers, signed services, and signed applications. Signed software contains a digital key that identifies the manufacturer of the software. When unsigned software is loaded, Windows 2000 issues a warning.
As a best practice, load only signed device drivers and services on the computers that require high availability.
In the preceding illustration, consider combining the DNS and WINS services on Server B1. Because Server B1 provides DNS and WINS name resolution for all users on Subnet B, the design requires these services to be highly available. Load only signed drivers on Server B1 to reduce the risk of an unsigned driver becoming unstable and forcing a restart of the computer.
Combining Services with Third-Party Software
Windows 2000 signed device drivers, applications, and services are tested and certified to run on the same computer. Unsigned third-party device drivers, applications, or services are not necessarily tested and certified to run on the same computer. An unstable, third-party device driver, application, or service can force a computer restart. Combine networking services with unsigned third-party software when the software is proven to be stable.
In the preceding illustration, consider a scenario in which Server D1 runs an unsigned, third-party gateway service that periodically becomes unstable. To reduce the risk of the service becoming unstable and forcing a restart of the computer, avoid combining services that require high availability on Server D1.
Slide Objective: To introduce the guidelines for combining networking services on computers that have signed drivers and third-party software.
Lead-in: Signed software contains a digital key that identifies the manufacturer of the software.
Point out the highlighted areas on the slide when explaining the examples in the student text.
Combining with Windows Clustering
Cluster-Aware Networking Services
Cluster-Unaware Networking Services
[Illustration: network diagram; surviving labels: Server D2, Proxy Servers, Server Cluster, Subnet B, Server B1, Server D1, Server C1, Server C2]
Certain networking services, such as DHCP and WINS, directly integrate with Windows Clustering technologies and are known as cluster-aware services.
Combining Networking Services That Are Cluster-Aware
Cluster-aware services, such as WINS, automatically store any necessary data on the cluster-based drives. Cluster-aware services automatically fail over when the primary server in the cluster fails.
When combining networking services that are cluster-aware, ensure that:
Both servers in the cluster have the services installed and configured for automatic failover.
The networking services select different primary servers to improve performance.
In the preceding illustration, consider distributing DHCP and WINS within the server cluster by assigning Server C1 as the primary server for DHCP and backup server for WINS. You would then assign Server C2 as the primary server for WINS and backup server for DHCP.
Combining Networking Services That Are Cluster-Unaware
When combining networking services that are cluster-unaware, ensure that:
Both servers in the cluster have the services installed and configured for automatic failover.
Any data used by the networking service is stored on a shared cluster drive. For example, for DNS, you would store the DNS zone files on the shared cluster drive.
The networking services select different primary servers to improve performance.
Slide Objective: To introduce the strategies for combining networking services with Windows Clustering technologies.
Lead-in: The strategies for combining are different for cluster-aware networking services and cluster-unaware networking services.
Point out the highlighted area on the slide while explaining the examples in the content. You can ask the students to identify the computers and the services that can be combined on those computers to enhance the availability of the networking services.
Optimizing Performance by Combining Services
Combinations That Reduce Network Traffic
Combinations That Avoid Resource Contention
By combining networking services on a single computer, you increase the resources used on that computer. The performance of each networking service is based on the availability of resources to the service. The performance of a service can deteriorate if the availability of critical resources is constrained. You can optimize performance by using combinations that reduce network traffic and avoid resource contention.
single computer increases the resource usage on that computer
Combinations That Reduce Network Traffic
[Illustration: network diagram; surviving labels: Server Cluster, Server A1, Server A2, Server D2, Server D1, Screened Subnet D, Screened Subnet C, Server C1, Server B1]
Within your network, many networking services may frequently exchange information. If the services are on separate computers, the information must travel across the network, thereby increasing the network traffic.
Combine services on the same computer to reduce network traffic in your design if:
The networking services exchange a large amount of information over a period of time.
In the preceding illustration, assume that Server D1 is a remote access server and Server B1 is a DHCP server. Server D1 and B1 exchange only 200 kilobytes (KB) of information in a 24-hour period of time. Combining these services on the same computer would result in a negligible reduction of network traffic.
In the preceding illustration, consider another example in which Server A1 runs DHCP and Server A2 runs DNS. The DHCP service on Server A1 performs dynamic updates to the DNS service on Server A2. You can combine DHCP and DNS on Server A1 to reduce the network traffic on Subnet A.
You can combine many instances of the networking services.
In the preceding illustration, Servers A1, B1, and C1 are DHCP servers that dynamically update a DNS server running on Server D2. Combining Server A1 and D2 would result in a minimal reduction of traffic. However, combining Servers A1, B1, C1, and D2 would result in a significant reduction of traffic because all instances of the DHCP services and DNS services are running on the same computer.
Combining the networking services does not cause the network design’s functionality, availability, or performance to fall below the design specifications.
Slide Objective: To introduce the guidelines for combining networking services that result in a reduction of network traffic.
Lead-in: Exchange of information between networking services can increase the network traffic if the services are on separate computers.
Point out the highlighted areas on the slide while explaining the examples in the content. You can ask the students to identify the computers and the services that can be combined on those computers to optimize the performance of the networking services.
Combinations That Avoid Resource Contention
[Illustration: network diagram; surviving labels: Server Cluster, Server A1, Server A2, Server D2, Server D1, Screened Subnet D, Screened Subnet C]
The performance of each networking service is based on the resources available to the service. Certain services use more of a specific resource than other resources, such as a service that consumes a lot of memory, but very little processor, disk, or network resources.
As a best practice, combine networking services on a single computer to improve performance if the computer has sufficient resources for all services.
You can optimize the performance of networking services by:
Combining networking services on computers that have sufficient resources as required by the services.
In the preceding illustration, place services that heavily use disk resources on Server D1, which has a large-capacity, high-speed disk subsystem to improve performance.
Isolating networking services that consume the resource that is limited on a server.
In the preceding illustration, you can move services that heavily use processor resources from Server D1 to Server D2, which has multiple high-performance processors.
Slide Objective: To introduce the guidelines for combining networking services that result in avoiding resource contention.
Lead-in: The performance of each networking service is based on the resources available to the service.