Module 3: Integrating Windows 2000 Datacenter Server

Contents
Overview 1
Identifying Active Directory
Identifying Tools for Interoperating with Other Operating Systems 23
Configuration Check Tool 25
Demonstration: Configuration Check Tool 28
Review 31
Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2001 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, BackOffice, FrontPage, Outlook, PowerPoint, Visual Studio, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.
Other product and company names mentioned herein may be the trademarks of their respective owners.
Program Manager: Don Thompson
Product Manager: Greg Bulette
Instructional Designers: April Andrien, Kelley Umphrey
Subject Matter Experts: Conrad Cahill (Entirenet), Jack Creasey
Classroom Automation: Lorrin Smith-Bates
Graphic Designer: Andrea Heuston (Artitudes Layout & Design)
Editing Manager: Lynette Skinner
Editor: Lori Kane
Copy Editor: Gwen Bloomsburg (S&T Consulting)
Production Manager: Miracle Davis
Build Manager: Julie Challenger
Print Production: Lori Walker (S&T Consulting)
CD Production: Eric Wagoner
Test Manager: Eric R. Myers
Test Lead: Robertson Lee (Volt)
Creative Director: David Mahlmann
Media Program Manager: Scott Daniels
Media Producer: Dean Connolly
Lead Production Artist: Scott Serna
Localization Manager: Rick Terek
Operations Coordinator: John Williams
Manufacturing Support: Laura King; Kathy Hershey
Lead Product Manager, Release Management: Bo Galford
Lead Technology Manager: Sid Benavente
Lead Product Manager: Ken Rosen
Group Manager, Courseware Infrastructure: David Bramble
Group Product Manager, Content Development: Julie Truax
Director, Training & Certification Courseware Development: Dean Murray
General Manager: Robert Stewart
Instructor Notes
This module provides students with the knowledge to identify issues and situations that may occur when integrating a data center and Microsoft® Windows® 2000 Datacenter Server into a computing environment. For students to be successful, they must be aware of the special considerations and requirements that apply to planning, server installation, and hardware.
Identifying tools for interoperating with other operating systems
Running the Windows 2000 Datacenter Server Configuration Check tool
Identifying the benefits of Winsock Direct for system area networks (SANs)
Materials and Preparation
This section provides the materials and preparation tasks that you need to teach this module.
Required Materials
To teach this module, you need the following materials:
Microsoft PowerPoint® file 2089a_03.ppt
Module 3, “Integrating Windows 2000 Datacenter Server”
Preparation Tasks
To prepare for this module, you should:
Read all of the materials for this module.
Complete the demonstration.
Presentation: 60 Minutes
Module Strategy
Use the following strategy to present this module:
Identifying Domain Roles. This topic discusses the roles of Datacenter Server as a domain controller or a member server. It covers operations masters, multimaster replication of directory data on a SAN, large global catalogs, and protecting the forest root. In addition, there is a discussion on justifying directory services on Datacenter Server and another discussion justifying Datacenter Server as a member server.
Identifying Active Directory Considerations. Prior to installing Datacenter Server, students need to determine how to integrate the data center with their Active Directory directory service structures. This topic covers containers, groups, and Group Policy object association.
Identifying Application and Service Requirements. Prior to installing Datacenter Server, the students need to consider how various applications and services will interact with and depend on Datacenter Server. This topic covers considerations and requirements for line-of-business applications, cluster-aware applications, supported Microsoft products, Microsoft SQL Server™ 2000, and Microsoft Exchange 2000 Server.
Managing Servers Running Datacenter Server. Prior to installing Datacenter Server, the students need to identify how to efficiently manage the servers within a data center environment. This topic discusses Terminal Services and Windows Management Instrumentation.
Identifying Tools for Interoperating with Other Operating Systems. This topic covers Microsoft Windows Services for UNIX and Microsoft Host Integration Server 2000. Interoperability is an important factor when placing Datacenter Server in existing data centers.
Configuration Check Tool. This topic introduces the Configuration Check tool. The students will learn the major functions of the tool and how they can use it to manage the data center server.
Demonstration: Configuration Check Tool. This is a very simple demo that shows the use of the Configuration Check tool. You might want to create additional files to compare against the Datacenter Server.
Winsock Direct for SANs. This topic is a brief introduction to Winsock Direct for SANs. If the student is an administrator in a SAN, they will need to identify this feature of Windows 2000 Datacenter Server, because it allows existing applications to become transparently SAN-enabled.
Overview
Before you install Microsoft® Windows® 2000 Datacenter Server, you must decide whether to configure it as a domain controller or as a member server. You also need to consider how to design and implement Microsoft Active Directory™, the directory service for Microsoft Windows 2000 Server. Applications and services that are installed in the data center can have dependencies or requirements that need to be evaluated, whether they are configured for a four-node cluster, are critical line-of-business applications, or are applications certified to run on Datacenter Server. As the data center administrator, there are several tools and management features in Datacenter Server that you can use to efficiently manage the data center.
This module identifies issues and situations that may occur when you integrate a data center and Windows 2000 Datacenter Server into your computing environment. After completing this module, you will be able to configure and manage Datacenter Server, including:
Identifying planning considerations for making Datacenter Server the domain controller or member server
Identifying Active Directory directory service considerations and requirements prior to installation of Datacenter Server
Identifying application and service considerations and requirements prior to installation of Datacenter Server
Identifying management services considerations and requirements prior to installation of Datacenter Server
Identifying tools for interoperating with other operating systems
Running the Windows 2000 Datacenter Server Configuration Check tool
Identifying the benefits of Winsock Direct for system area networks (SANs)
Lead-in: In this module, you will learn about the integration of Windows 2000 Datacenter Server.
Explain the purpose of this module.
Identifying Domain Roles
Windows 2000 Datacenter Server can be either a domain controller or a member server. Before installing Datacenter Server, you must think about its role in the data center and identify its role in the domain. Depending on the applications and services that will be located on Datacenter Server, you may need to configure Datacenter Server as a domain controller.
An important planning issue is determining where to locate domain controllers and global catalog servers for your enterprise. This is because after Active Directory is installed and configured, the majority of Active Directory traffic is related to Active Directory clients querying Active Directory for information. Directory replication traffic is usually a less important consideration, unless the organization is in a state of constant change. Placing a domain controller at each geographical site optimizes queries but can increase replication traffic. Nevertheless, placing a domain controller at a site that has users in that domain is usually the best solution.
It is not recommended that Datacenter Server be installed in a workgroup (not a member of a domain), because services such as four-node clustering require domain accounts to function.
Topic Objective: To identify planning considerations and requirements for making Datacenter Server the domain controller.
Lead-in: Windows 2000 Datacenter Server can be either a domain controller or a member server.
Configuring Datacenter Server as a Domain Controller
A server running Windows 2000 Datacenter Server in a domain can have one of two roles: domain controller or member server. Domain controllers contain matching copies of the user accounts and other Active Directory data in a given domain. Multiple domain controllers provide better support for users than just one domain controller. Multiple domain controllers provide automatic backup for user accounts and other Active Directory data, and they work together to support domain controller functions. You would configure Windows 2000 Datacenter Server as a domain controller to:
Protect the forest root
Protect single operation masters
Support very large Active Directory schemas
Support applications that must be installed on a domain controller
Provide high performance with large global catalogs
Features of Datacenter Server, such as Winsock Direct and Enterprise Memory Architecture (EMA), are designed to meet the demands of specialized domain controllers in your computing environment. The increased reliability of Datacenter Server makes it an ideal system to protect operations masters as well as the forest root. The expanded EMA support of Datacenter Server can increase performance in the largest Active Directory implementations. Winsock Direct provides high bandwidth, low latency communication for super-fast directory replication within SANs.
Protecting the Forest Root
The forest root is the domain controller that you promote first. The most important server in any Active Directory implementation is the forest root. The forest root is the location of the root domain. It cannot be renamed or removed. It is the location of the schema master and the domain-naming master. If the forest root becomes unavailable, your entire Active Directory service structure ceases to function. If the forest root is permanently unavailable, your forest is gone and must be rebuilt from scratch. The best place to put the forest root is on the server in your organization that is the most stable and most reliable.
Datacenter Server is the most appropriate host for the forest root in your organization.
Protecting Operations Masters
Because Datacenter Server is the most reliable server in the forest, it is the logical home for the schema and domain-naming masters. In the Active Directory directory service, there are certain operations that are single master, which means that they are not permitted to occur in different places in the network at the same time. These operations, called operations masters, must be protected and controlled.
Large Global Catalogs
Any Active Directory implementation loads as much of the global catalog into main memory as possible. This speeds any Active Directory directory service operations but, depending on available resources, can impede local services on the domain controller. With up to 64 gigabytes (GB) of memory by using EMA, Datacenter Server supports fast and large Active Directory structures. Locating directory services is a decision you may need to make. There are some considerations that will help you make the best choice for your organization’s needs.
If the domain tree is large, you should not place a global catalog server at each site, because this can create a large amount of replication traffic. You should place global catalog servers only at large regional sites. Remember that replication of modifications made to your Active Directory might take some time to propagate throughout your enterprise. For example, if you create a new user account object, it might be a few minutes before the user can actually log on to the network using the account.
Justification to Locate Directory Services on Datacenter Server
In some cases it is best to have directory services hosted on your Datacenter Server. It is recommended that you put directory services on Datacenter Server computers if you must:
Protect operations masters or other critical services
Provide directory services to a directory-aware application
Support a server cluster or a number of server clusters
A domain controller is necessary in a Windows-based environment to service server clusters. A Windows Clustering server cluster requires access to a domain controller or it fails. So, if you have clustered critical services on Datacenter Server, you must have a domain controller accessible by the cluster to protect cluster services. If the cluster service account cannot authenticate to a domain controller, the service fails and the server cluster fails with it.
Configuring Datacenter Server as a Member Server
A member server is a computer that is running Windows 2000 Datacenter Server and is a member of a domain and not a domain controller. Member servers belong to a domain but do not contain a copy of the Active Directory data. Because it is not a domain controller, a member server does not handle the account logon process, does not participate in Active Directory replication, and does not store domain security policy information.
If you are seeking the highest performance from the Datacenter Server platform, do not host Active Directory services on a member server. If you have reliable directory services local to your data center, those services may prove sufficient to your needs.
Identifying Active Directory Considerations
Typical multi-application configurations running on Windows 2000 Datacenter Server can include directory-aware applications. Directory-aware applications can extend the Active Directory schema to include information critical to the operation of the applications. For example, Active Directory is the directory service used for Microsoft Exchange 2000 Server and is therefore critical to the operation of Exchange within an enterprise.
Windows 2000 Active Directory directory service is integrated with and dependent on the Domain Name System (DNS) as a means of locating services. DNS is critical to the functioning of Active Directory. When designing a data center that uses servers running Windows 2000 Datacenter Server, you must consider the design and implementation of Active Directory to maximize the performance of the data center. Design decisions on the configuration of DNS, domain controllers, forest root, and global catalog are critical to provide the required level of reliability and redundancy for the applications being hosted.
Topic Objective: To describe the considerations for integrating Active Directory within a Datacenter Server.
Planning DNS Services in the Data Center
Active Directory uses DNS as its name location service, so the availability of DNS within the data center can impact both performance and reliability of services and applications. Active Directory uses DNS to resolve domain names into Internet Protocol (IP) addresses, and it can also use non-DNS naming conventions to locate objects in the directory. These other naming conventions include:
The Lightweight Directory Access Protocol (LDAP) naming convention of distinguished names and relative distinguished names. This includes LDAP Uniform Resource Locators (URLs).
User principal names for identifying users and groups
Security Accounts Manager (SAM) account names for user accounts
Universal Naming Convention (UNC) paths for shared network resources
If the server in the data center is a domain controller, DNS is running locally and is integrated with Active Directory, but running additional services can limit performance on the data center server. If the data center server is a member server, name resolution can be impacted by network speed and availability. You should ensure that high-speed communication is provided between the data center servers and the DNS name server.
A name server can function in one of four roles in the DNS:
Caching-only name server, which does not contain any zone information
Master name server, which can provide zone information to secondary name servers
Primary name server, which contains the master copy of the zone file for the zones it has authority over
Secondary name server, which obtains its zone files using a zone transfer from a master name server
When using Berkeley Internet Name Domain (BIND) based name servers, you must ensure that redundant primary name servers exist to improve the DNS reliability. Where DNS traffic within the data center is high, you can implement multiple caching-only servers to distribute the DNS query load without incurring zone transfer traffic.
Windows 2000 gives you the option of integrating DNS with Active Directory. This results in zone data being stored in Active Directory and eliminates the need to manually configure zone transfers between primary and secondary DNS servers. This integration provides:
A more efficient mechanism for zone transfers through the domain replication process of Active Directory
Additional fault tolerance for the DNS information, because all Active Directory integrated zones are primary zones and therefore contain a copy of the zone data
Consider integrating your DNS zone information into Active Directory, because this stores the DNS zone information in the distributed Active Directory. This facilitates and simplifies updates of zone information through replication between domain controllers and improves the reliability of the DNS service. Creating a data center domain with multiple domain controllers can improve the performance of Active Directory queries and the DNS queries while providing service redundancy.
Active Directory Directory Service Containers
Windows 2000 Active Directory provides both administrative and user level access control for information in Active Directory. The Active Directory structure or hierarchy permits control to be applied at the following levels:
Forest
If your enterprise depends on applications such as Exchange 2000, a single forest is recommended, in which transitive trusts simplify the authentication requirements. Although a single forest simplifies the Active Directory design for an enterprise, there can be a requirement to have a unique schema for computers in a data center. If your data center design includes the requirement for a unique schema, multiple forests are required, and trusts must be established to allow authentication for resource access.
The first domain built defines the starting point for the forest and takes on the special designation as the forest root. The forest root domain is significant in that you cannot rename or remove the forest root domain after you create it. Because of the special nature of the forest root, this domain must be protected and replicated to ensure the domain's availability and recoverability. It is recommended that the forest root be installed on Datacenter Server to ensure the highest possible reliability.
Domain
A domain is a container within Active Directory that partitions replication, partitions the DNS namespace, provides secure boundaries, and provides Group Policy scopes. Multiple domains can be combined into a domain tree, and multiple domain trees can be combined within a single forest. Domains represent logical partitions within Active Directory for both security and directory replication. Administrative rights are limited to domain boundaries.
By placing the data center servers in their own domain, you can effectively separate the control of rights and permissions, but there is overhead associated with replication traffic in enterprise domains. You may also need to control the scope of replication because of geographical concerns, such as when your data center is in a remote location. In this type of scenario, a separate domain may be required to provide adequate control of replication traffic.
Organizational Unit
An organizational unit is a container within the Active Directory directory service that provides partitions for administration and receptacles for policy. Organizational units enable the most granular delegation of administrative tasks. Users, computers, and other Active Directory objects can be collected within an organizational unit, and the administration of that organizational unit is delegated to the proper administrator.
In the data center, it is very important that only certain people have administrative authority. One of the ways you can ensure that administrative authority is delegated to the proper people is by organizing the computers, users, and other important data center objects within a single organizational unit.
Group Policy can be applied at the organizational unit level, and it is recommended that all data center servers be placed in a single organizational unit with a single Group Policy object providing security definitions for the data center computers.
Site
A site is one or more well-connected TCP/IP subnets. Sites contain only server objects and configuration objects. They define replication topology for domain controllers and can control the association of Group Policy. Because a site is simply a logical collection of objects that exist in physical locations, it can span domains and organizational units.
Replication between domain controllers in different sites is performed on a schedule so that network bandwidth during peak hours can be conserved and managed. In the data center, there may be multiple networks providing good connectivity that can be defined by a site. Within a site, updates trigger replication between domain controllers, which reduces latency, and replication between domain controllers is not compressed, reducing the CPU load for replication traffic.
If the data center servers use SAN-based Winsock Direct to provide intrasite communication, performance can be improved over what is available with Ethernet-based networks.
Securing Access to Datacenter Server by Using Groups
To achieve efficient and secure management of your data center, you need to understand the three types of security groups in the Active Directory directory service. The three types of groups are:
Domain local groups. May contain users from any domain but can be used only in the domain in which they are created. Therefore, domain local groups are well suited to limiting the scope of their usage while allowing membership from any domain.
Global groups. Contain users from only the local domain but may be used anywhere. Use global groups if the membership of a group is intended to be limited to a single domain but access to global resources is required.
Universal groups. May contain users from any domain and are used to assign access rights to resources.
In the data center, the most common group used for administration is the global group, so that a traditional administrative structure can be maintained in which higher-level administrators have access to lower domains. This can be problematic if you try to restrict users with administrative access to the data center. With careful planning and management, you can partition the groups so that the data center remains secure. In situations where the data center is in its own domain, domain local groups provide an ideal way to add necessary users while restricting their authority to the data center.
You should always delegate administrative control at the level of organizational units, not at the level of individual objects. This allows you to better manage access to Active Directory, because organizational units are used to organize objects in the domain tree. For example, you can delegate authority to those who are responsible for creating users, groups, computers, and other objects that commonly change in an enterprise.
You should always assign permissions to groups instead of to individual users. Groups can be nested within one another, and together with inheritance of permissions, they organize the administration of Active Directory.
Topic Objective: To describe the types of groups in Active Directory.
Lead-in: To achieve efficient and secure management of your data center, you need to understand the three types of security groups in the Active Directory directory service.
Group Policy Object Association
Figure: Group Policy object association. Blocking Group Policy Objects: a Group Policy object linked at the domain with No Override = FALSE is stopped at an organizational unit with Block Inheritance = TRUE (no Group Policy associated). Forced Group Policy Object Inheritance: a Group Policy object linked at the domain with No Override = TRUE passes through an organizational unit with Block Inheritance = TRUE (Group Policy associated).
Group policies are applied to users when they log on and to computers when they boot up. Group policies can be assigned to domains, sites, or organizational units. If multiple policies apply to a user or computer and they do not conflict, they are applied in a cumulative fashion. Users are subject to group policies that apply to them as users and to group policies that apply to the computer at which they log on.
Group Policy gives administrators granular ability to manage and control users, computers, and other directory objects at the container level. Specifically, within the data center, Group Policy provides administrators with the ability to control security settings at the level of sites, domains, and organizational units. Depending on your Active Directory structure within the data center, you need to associate Group Policy with different containers in the directory and, if required, block inheritance to stop permissions flowing.
Group policies are typically used to simultaneously configure the desktop working environments of a group of users or computers, but they have many other uses as well. Group policies can be used to:
Assign scripts for startup, shutdown, logon, and logoff events
Manage applications, for example, by configuring policies to allow users to install applications published in Active Directory or to automatically install or upgrade applications on their computers
Manage security, for example, to control users’ access to files and folders, control user logon rights, and configure account lockout restrictions
Manage software, for example, to configure user profiles such as desktop settings, Start menu, and other common settings
Redirect folders from the Documents and Settings folder on a user’s local computer to a share on the network
Topic Objective: To describe the effects of Group Policy objects on a Datacenter Server installation.
Lead-in: Group policies are applied to users when they log on and to computers when they boot up.
Group Policy Object
A Group Policy object is a collection of settings that affect a given user or computer regardless of physical location. Because only the logical location of the user or computer is important, it is extremely important to be aware of your directory structure. Group Policy is defined by three different behaviors that help you understand its effects on the data center environment:
Accumulation is the description of Group Policy effects. These effects associate, in sequential order, to all containers in which the Group Policy effects exist.
Filtering is the process of allowing or denying Group Policy to associate depending on the membership of a user or a computer in a group.
Inheritance is the process by which a Group Policy object associated with a container also associates with children of that container.
If you understand these behaviors, you can predict what Group Policy objects associate with the containers that define the logical location of the data center.
Best Practices
You must ensure that the data center containers are located in such a way that detrimental Group Policy objects do not associate with them. To accomplish the kind of Group Policy isolation necessary to ensure that detrimental Group Policy objects are kept out of the data center, use filtering to set an initial barrier to Group Policy object association.
By default, all Group Policy objects are inherited from parent to child containers. On a per container basis, you can block policy inheritance on containers connected with the data center. However, you must make sure that there is a responsible process governing Group Policy association, because Block Policy Inheritance can be overridden if No Override is enabled on Group Policy objects.
The inheritance of a Group Policy object never extends beyond the domain in which it was created, so inheritance is influenced only by either forcing containers to accept and associate a policy or by blocking policy inheritance at the container level.
If you use a site to define the data center, you must remember that sites act like parents of domains for the purpose of policy. This means that any Group Policy object that you define within the site may affect only a portion of a domain or organizational unit. For a site that spans multiple domains, the site’s actual Group Policy object is only stored in one of the domains.
You must also think about the effects of Group Policy accumulation when planning for the data center. Group Policy associated with a container is processed in a specific order, both within the hosting container, as well as within those containers to which it is inherited. Accumulation can take the form of true accumulation or aggregation. In other words, some policy actions might be duplicated, whereas others may legitimately occur more than once.
Because Group Policy acts as an editor for Active Directory, caution must be used at all times when creating Group Policy objects so that irrevocable problems and detrimental results do not occur.
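The following model, added here as an example and not taken from the course or from Windows itself, lets you predict which Group Policy objects reach a data center organizational unit by applying accumulation, filtering and inheritance together with the Block Inheritance and No Override switches described above. The container names, GPO names, settings and group names are constructed for the scenario; the processing order (site, then domain, then organizational unit, with No Override GPOs applied last and the outermost one winning) is the rule the text states.

```python
"""Model of Group Policy object association along a container chain.

Added example, not part of the original course material. It applies the three
behaviours the module describes (accumulation, filtering, inheritance) together
with the Block Inheritance and No Override switches to a constructed site ->
domain -> organizational unit chain, so you can see which Group Policy objects
reach a data center container before linking anything for real.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                           # setting name -> value
    no_override: bool = False                # No Override set on this link
    filter_groups: frozenset = frozenset()   # security filtering; empty = applies to all


@dataclass
class Container:
    name: str
    kind: str                                 # "site", "domain" or "ou"
    gpos: list = field(default_factory=list)  # processing order: later entries override earlier
    block_inheritance: bool = False           # Block Policy Inheritance set on this container


def effective_policy(chain, principal_groups):
    """Resolve the Group Policy that associates with the last container in `chain`.

    chain: containers from outermost to innermost (site, then the single domain,
    then nested organizational units). Inheritance never crosses a domain
    boundary, so the chain holds at most one domain and no parent domains.
    Returns (effective settings, names of the GPOs that applied, in the order
    they were accumulated).
    """
    principal_groups = frozenset(principal_groups)
    normal = []     # inheritable GPOs accumulated so far
    enforced = []   # No Override GPOs; Block Inheritance cannot drop these
    for container in chain:
        if container.block_inheritance:
            # Block Inheritance discards everything inherited from parents,
            # except No Override GPOs, which stay in `enforced` untouched.
            normal = []
        for gpo in container.gpos:
            # Filtering: a GPO with a security filter only associates with
            # principals that are members of at least one of the listed groups.
            if gpo.filter_groups and not (gpo.filter_groups & principal_groups):
                continue
            (enforced if gpo.no_override else normal).append(gpo)
    # Accumulation: normal GPOs apply in container order (site, domain, OU), so
    # the innermost container wins conflicts. No Override GPOs are applied last,
    # outermost last of all, so a forced domain GPO beats any child setting.
    order = normal + list(reversed(enforced))
    settings = {}
    for gpo in order:
        settings.update(gpo.settings)
    return settings, [gpo.name for gpo in order]


def data_center_scenario(block_inheritance=True):
    """Constructed scenario mirroring the module's figure (hypothetical names).

    A domain-wide lockout GPO is linked with No Override, a desktop GPO is
    filtered to ordinary users, and the DataCenter OU optionally blocks
    inheritance and links its own hardening GPO. The principal is a member of
    the constructed "DC Admins" group only.
    """
    site = Container("HQ-Site", "site", [
        GPO("Site-Audit", {"audit_logon": "failure", "screen_saver_timeout": 600}),
    ])
    domain = Container("corp.example", "domain", [
        GPO("Domain-Lockout",
            {"lockout_threshold": 5, "audit_logon": "success,failure"},
            no_override=True),
        GPO("Domain-Desktop", {"wallpaper": "corp.bmp"},
            filter_groups=frozenset({"Desktop Users"})),
    ])
    dc_ou = Container("DataCenter", "ou", [
        GPO("DC-Hardening",
            {"lockout_threshold": 3, "remote_admin": "Terminal Services"}),
    ], block_inheritance=block_inheritance)
    return effective_policy([site, domain, dc_ou], {"DC Admins"})


if __name__ == "__main__":
    for blocked in (True, False):
        settings, applied = data_center_scenario(blocked)
        print(f"Block Inheritance={blocked}: applied {applied} -> {settings}")
```

With Block Inheritance on, the site GPO never reaches the OU, the filtered desktop GPO is skipped, and the OU's own lockout threshold of 3 is still overridden to 5 by the domain's No Override GPO, which is exactly the failure mode the best practices warn about.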