Infrastructure
Plan, Build, Deploy, and Operate
Version 1.0
Abstract

This chapter provides guidance that can be used to plan, build, deploy, and operate reliable and secure network and directory services. It covers configuring the DNS and WINS name resolution services, automating IP address allocation and the IP configuration of client computers using DHCP, and providing a consistent way to name, describe, locate, access, manage, and secure information using the Active Directory directory service. The services covered in this chapter form the basis of a robust network infrastructure that provides the foundation for other services.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results of the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2005 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Outlook, Windows, Windows 2000, Windows NT and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA
Table of Contents
INTRODUCTION 1
  Scope 2
  Prerequisites 2
ENVISION 3
  Usage Scenarios 3
  Initial State Environment 3
  End State Environment 4
  Benefits 4
PLAN 5
  Network Services Deployment Design 6
    Choices 7
    Considerations 7
    Recommendations 8
  DNS Namespace Design 9
    Registering a Public Domain Name 9
    Choosing the Internal DNS Namespace 9
    Deploying the Public DNS Namespace 10
  IP Addressing Convention 10
  Software Recommendations 14
  Infrastructure Server Configuration 15
    Operating System 15
    Active Directory and DNS 16
    Dynamic Host Configuration Protocol 16
      Configuring Redundancy 17
      Configuring Static IP Addresses 18
    Windows Internet Name Service (WINS) 20
    Group Policy 20
  Hardware Recommendations 20
    Processor and Random Access Memory (RAM) 21
    Storage Configuration 21
    Recommendations 22
  Bill of Materials 23
BUILD 24
  Gathering Information for Initial Configuration 24
  Configuring External DNS Records 25
  Configuring the Hardware and Operating System 26
  Performing Initial Security Audit 27
  Installing and Configuring Active Directory 27
  Installing and Configuring DNS 29
  Configure the Windows Time Service 31
  Installing and Configuring DHCP 31
  Installing and Configuring WINS 33
  Installing and Configuring the Certification Authority 34
  Installing Internet Authentication Service 35
  Configuring Group Policy Objects 35
  Performing Final Security Configuration Validation 36
DEPLOY 37
  Testing the Services 37
    Network Configuration Testing 37
    Active Directory Testing 37
    DHCP Testing 37
    DNS Testing 38
    Redundancy Testing 38
  Backing Up System and Verifying the Backup 38
  Releasing the System to Users 38
OPERATE 39
  Remote Management 39
    In-band Management 39
    Out-of-band Management 39
  Patch Management 39
SUMMARY 40
REFERENCES 41
Introduction
Network and directory services provide the foundation for running all other services in the medium IT environment. Solid and reliable IP address management, name resolution, authentication, and authorization help prevent systemic problems in other services, problems that would have a broad impact on user experience. This chapter provides guidance on designing and deploying services that enable other services and network devices, such as computers and printers, to find, authenticate, and communicate with each other. The services covered in this chapter form the basis of a robust network infrastructure that provides the foundation required for offering a wide variety of services. These services include:

- Core network services:
  - Domain Name System (DNS): Resolves DNS names to IP addresses.
  - Dynamic Host Configuration Protocol (DHCP): Automatically configures network settings on clients and facilitates management of IP addresses and of the network configuration of clients.
  - Windows Internet Name Service (WINS): Resolves NetBIOS names to IP addresses.
- Directory services: Authenticate users and computers that try to access resources. The Medium Business Solution for Core Infrastructure uses the Active Directory directory service, which can also be used to centralize and simplify the management of network resources.
- Certificate services: Provide customizable services for creating and managing the public key certificates used by software security systems that employ public key technology. Strictly, a trusted organization that manages a PKI can be called a certification authority (CA), but usually the term CA refers only to the computer that runs the certificate software.
- Remote Authentication Dial-in User Service (RADIUS): RADIUS is an Internet Engineering Task Force (IETF) standard. In the Medium Business Solution for Core Infrastructure, the Windows Server 2003 Internet Authentication Service (IAS) is used as the RADIUS server. It performs centralized connection authentication, authorization, and accounting for network access through wireless and virtual private network (VPN) connections.
A key difference between the Small IT Solution and the Medium Business Solution for Core Infrastructure is that the latter provides more reliable network and directory services by implementing service redundancy.
Medium Business Solution for Core Infrastructure Chapter 3 Network and Directory Services
3-1
Scope
The scope of the guidance provided in this chapter includes:
- Providing redundancy for the network and directory services.
- Designing the Active Directory service.
- Designing and deploying the network services.
- Using Group Policy objects (GPOs) to secure the environment.
- Choosing the hardware to implement the services.
- Testing the services to ensure proper functioning.
- Performing security audits.
- Releasing the system to the production environment.
- Managing the environment remotely.
Prerequisites
The prerequisites for implementing the network and directory services in the medium IT environment include:
- Connection to the LAN for two servers.
- Uninterruptible Power Supply (UPS) for two servers.
- A public domain name.
- Public DNS services from an ISP.
Envision
This section describes the usage scenarios for and the benefits of implementing the network services in the medium IT environment. It provides the possible initial state environment where the guidance can be implemented and the expected end state of the environment.
Usage Scenarios
This chapter provides guidance that can be used for:
- Enabling centralized management of IP addresses.
- Enabling automatic IP configuration of clients.
- Providing name resolution services for clients.
- Authenticating and authorizing access to data and services on the network.
- Providing a directory service to centrally manage the resources in the IT environment.
- Enabling central management of security policies in the environment.

Deploying the Medium Business Solution for Core Infrastructure enables organizations to eliminate many problems that are common to these scenarios, such as:
- Unreliable and inconsistent network services.
- Security concerns around unauthenticated users.
- Multiple logons required to access different services and resources.
- High operations cost for basic network and directory services.
- Poorly designed directory structure.
- Decentralized structure, which requires excessive effort for making changes and additions to the environment.
- Lack of vendor support for outdated technology, poor vendor support from less established companies, or cross-vendor support issues where multiple non-homogeneous technologies are deployed.
- Lack of support for devices and applications that are used in old or non-homogeneous environments.
Benefits
The network and directory services recommended in the Medium Business Solution for Core Infrastructure provide the following benefits:
- Reliable infrastructure: The network and directory services are implemented on redundant servers for better reliability.
- Centralized resource management: Active Directory provides a centralized database of all users, computers, and other objects on the network, and helps organize the resources in an IT environment according to the structure of the organization.
- Security: Active Directory provides the authentication and authorization mechanism that gives protected and controlled access to resources.
- Single sign-on: Active Directory enables single sign-on, which means that users provide their credentials only once. They need not provide credentials each time they access a resource on the network, and the same set of credentials is used for all resources.
- Well-defined and enforced security policies: Group Policy is used to define and enforce domain-wide security policies in the medium IT environment. GPOs ensure that the security policies set in the medium IT environment are applied to every computer and user in the domain and cannot be overridden by local settings on a client or other device.
Plan
This section provides guidance on designing the network and directory services for the medium IT environment, choosing the right server hardware for hosting the services, and determining the prerequisites for building the services. The network and directory services implemented in the medium IT environment should:
- Meet the reliability, scalability, and security requirements.
- Be cost-effective to implement and maintain.
- Enable resolution of DNS and NetBIOS names to IP addresses.
- Automatically perform network configuration of devices that connect to the LAN.
- Centrally store information about network resources in an organized manner, which makes it easier for users to locate them.
- Provide user and computer authentication.
- Restrict access to resources to only authorized users, computers, and services.
- Facilitate application and enforcement of security policies.
- Provide the support required to issue, manage, and maintain PKI certificates.
- Provide RADIUS authentication services.
The following figure represents the medium IT infrastructure and highlights the servers that provide the network and directory services.
[Figure: Microsoft Solutions for Small & Medium Business, Medium IT Solution (50-250 PCs), Network Architecture Drawing. Components shown on the main-office LAN: Internet router; Firewall server (ISA Server, VPN server); Primary infrastructure server (Active Directory, DNS, DHCP, WINS, Certificate Service, SUS); Secondary infrastructure server (Active Directory, DNS, DHCP, WINS, Exchange); Tape library; Network-attached storage device (Windows Storage Server 2003); Collaboration server (IIS, Windows SharePoint Services); Terminal server (Microsoft Terminal Server); Database server (Microsoft SQL Server); Application server (Microsoft and partner LOB applications); Wireless access point; desktop computers; laptop computers; PDAs and Pocket PCs; smartphones; printers and scanners; a directly attached printer. A branch office with desktop computers connects through the Internet router.]

Legend: If the optional File Server is not implemented, File Services will be hosted on the Primary Infrastructure Server. Also, the backup drive (Tape Library) will be attached to the Primary Infrastructure Server.
This section covers the following:
- Network services deployment design
- DNS namespace design
- IP addressing convention
- Software recommendations
- Infrastructure server configuration
- Hardware recommendations
- Bill of materials
Choices
In the Medium Business Solution for Core Infrastructure, the following deployment designs were considered for the network and directory services: Single server: A single infrastructure server hosts the network and directory services. Clustered servers: Two infrastructure servers are deployed in a clustered configuration. Redundant servers: Two redundant infrastructure servers are deployed, both providing the same network and directory services. The network and directory services either have built-in mechanisms for providing redundancy across multiple servers, or are deployed in such a way that similar redundancy is achieved.
The following table presents the advantages and disadvantages of these choices.

Choice: Single server
  Advantages: Inexpensive: Deployment and management costs are low. Easy to deploy: This configuration is easy to deploy.
  Disadvantages: Less reliable: If the server fails, there is an inevitable downtime.

Choice: Clustered servers
  Advantages: Redundancy: Provides redundancy and automatic failover (see Considerations).
  Disadvantages: More expensive: Requires one additional server and Windows Server 2003, Enterprise Edition on both servers. Complex configuration: Configuration, operation, and troubleshooting of this configuration are difficult.

Choice: Redundant servers
  Advantages: Cost: The deployment and management costs are in between the other two options. Easy to deploy: This configuration is easier to deploy than the clustered server option.
  Disadvantages: Management: Two servers need to be managed.
Considerations
The network and directory services are critical for the proper functioning of the medium IT environment. Using only a single infrastructure server minimizes costs, but it does not provide failover capabilities. Failure of the infrastructure server can cripple the entire medium IT environment. In addition, if the failure is caused by the server hardware, additional delays are often introduced while waiting for spare parts or replacement hardware. Deploying a cluster of servers offers redundancy and automatic failover capabilities. However, clustering requires Windows Server 2003, Enterprise Edition on both infrastructure servers, which is more expensive than Windows Server 2003, Standard Edition. In addition, configuring, operating and troubleshooting server clusters is complicated, and is generally recommended only for larger organizations.
Deploying two redundant infrastructure servers in a non-clustered configuration is easy to set up. The Windows server-based network services and Active Directory are designed to run across multiple servers, so two servers eliminate the single point of failure without the cost and complexity of a cluster.
Recommendations
The Medium Business Solution for Core Infrastructure recommends deploying two redundant servers, called the primary infrastructure server and the secondary infrastructure server. Under normal conditions, the primary infrastructure server handles most of the network service load because clients are configured to direct their requests to it first; the secondary infrastructure server receives the majority of requests only when the primary does not respond in a timely manner. The following table presents the services hosted on the primary and secondary infrastructure servers.
Service: Active Directory
  Primary infrastructure server: Domain controller for the domain.
  Secondary infrastructure server: Domain controller for the domain (the architecture drawing above places Active Directory on both servers).

Service: DNS
  Primary infrastructure server: Configured as the preferred DNS server on all clients (distributed through the DHCP scope options).
  Secondary infrastructure server: Configured as the secondary DNS server on all clients. Clients query this server only if the primary infrastructure server fails to respond in a timely manner.

Service: DHCP
  Primary infrastructure server: Configured with a scope to cover more than 250 clients, in addition to servers and other devices that require reserved addresses. Configured with scope options that designate the preferred and secondary DNS and WINS servers, the default gateway, and the proxy server information.
  Secondary infrastructure server: Same configuration as the primary infrastructure server. This server shares the DHCP client request load with the primary infrastructure server. Because Windows Server 2003 DHCP servers do not replicate leases to each other, the two servers must hand out non-overlapping address ranges (10.0.1.x and 10.0.2.x in the IP Addressing Convention below).

Service: WINS
  Primary infrastructure server: Configured as the preferred WINS server, which resolves NetBIOS names to IP addresses.
  Secondary infrastructure server: Configured as the secondary WINS server (both WINS servers are distributed to clients through the DHCP scope options).

Service: Additional services
  Primary infrastructure server: Optionally, this server may be configured to host services that are less resource-intensive, such as the Certification Authority (CA).
  Secondary infrastructure server: This server provides most network services only when the primary infrastructure server fails. Because it is under little or no load most of the time, it can be used to host additional services (the architecture drawing above places Exchange on this server).
Lucerne Publishing opted to implement both the primary and the secondary servers after the introduction of a swing server in the environment. For more information on the implementation of a swing server, refer to the Medium Business Guide for Pilot Deployment and Mitigation. Following the successful implementation of both the primary infrastructure server and the secondary infrastructure server, Lucerne Publishing retired their old servers.
These Web sites have useful domain name management tools to register and manage DNS name records. Each site can provide you with specific instructions and assistance with DNS record configuration. Lucerne Publishing already owned the domain name lucernepublishing.com, so they did not need to register an additional name.
- Separated DNS namespace: In this option, a subdomain of the public DNS namespace, such as corp.BusinessName.com, is used as the internal DNS namespace of the environment.

Using a separated DNS namespace can offer some security advantages, chiefly that internal host names and the Active Directory zone never share a zone name with the public DNS. However, it also makes the environment more complex and is typically suitable for large environments with dedicated IT staff. A single internal and external DNS namespace offers ease of configuration and simplicity, but it means running a split-brain DNS: as far as LAN clients are concerned, the internal DNS servers are authoritative for the whole name, so every record that exists in the public zone (such as www and the mail exchanger) must also be maintained in the internal zone, and records for internal hosts must be kept out of the public zone. Note also that domain controllers register address records for the domain name itself, so inside the LAN the bare name (for example lucernepublishing.com) resolves to the domain controllers rather than to the public Web server. To maintain simplicity in the environment, the Medium Business Solution for Core Infrastructure recommends using a single DNS namespace for both internal and external DNS naming; there is no real advantage to separate internal and external namespaces in a medium IT environment. Lucerne Publishing saw no need to add complexity to their environment by introducing multiple DNS namespaces, and opted to use the name lucernepublishing.com for both the internal and external DNS namespaces.
IP Addressing Convention
All IP addresses are either public or private. These are defined as follows:
Public: Public IP addresses are assigned by Internet service providers (ISPs) and are unique across the Internet. Private: Private IP addresses can be used on an internal network by anyone, without permission. The private ranges defined by RFC 1918 are 10.0.0.0/8 (10.x.x.x), 172.16.0.0/12 (172.16.x.x through 172.31.x.x), and 192.168.0.0/16 (192.168.x.x). The 169.254.0.0/16 range (169.254.x.x) is not a private range but the link-local (APIPA) range that a Windows client assigns to itself when no DHCP server answers; a client holding a 169.254.x.x address is a sign that DHCP has failed, and the range should never be used in an addressing plan.
The following table provides the advantages and the disadvantages of both these types of IP addresses.
Choice: Public
  Advantages: Allows a device to communicate directly with other devices on the Internet.
  Disadvantages: Expensive. Limited availability. Security risk: the device is directly reachable from the Internet.

Choice: Private
  Advantages: Increases security because computers on the Internet cannot directly reach this device (it is the firewall at the perimeter, not the private address itself, that enforces this; NAT is not a substitute for firewall rules). Reduces cost because you do not need to pay the ISP for additional public IP addresses.
  Disadvantages: Network Address Translation (NAT) is required for hosts to connect to the Internet. A VPN or proxy is required for external computers to connect to internal hosts. Connecting two private networks through a VPN can result in overlapping addresses, that is, multiple devices with the same IP address, which is why each branch office below gets its own distinct subnet.
IP addresses can be allocated to devices either by manually assigning a static IP address to each device or dynamically by using DHCP. The Medium Business Solution for Core Infrastructure recommends the following for IP addresses:
- Use the private IP address range 10.x.x.x for the LAN at both the main office and the branch offices. More specifically:
  - Use the 10.0.0.0/16 subnet at the main office.
  - Use the 10.1.0.0/24 subnet for the first branch office.
  - For additional branch offices, use the 10.n.0.0/24 subnet, where n is 2 for the second branch office and increments by one for each additional branch office.
- Use public IP addresses on the external interface of the firewall at the main office and on the external interface of the multipurpose router at each branch office.
Within these subnets, the addresses are further classified as shown in the following table. Examples are provided only for the first branch office.
IP Address Range | Subnet Mask | Location | Used For
10.0.0.1 to 10.0.0.20 | 255.255.0.0 | Main office | Servers. (This range is derived from the remote management card rule in the next row and from the 10.0.0.41 start of the static-device range.)
10.0.0.21 to 10.0.0.40 | 255.255.0.0 | Main office | Remote management cards. To get the card address for a server, add 20 to the last octet of the IP address of the server.
10.0.0.41 to 10.0.0.255 | 255.255.0.0 | Main office | All other network devices that require static IP addresses (for example, printers, scanners, IP cameras, and switches).
10.0.1.x | 255.255.0.0 | Main office | Assigned by the primary infrastructure server to DHCP clients at the main office.
10.0.2.x | 255.255.0.0 | Main office | Assigned by the secondary infrastructure server to DHCP clients at the main office.
10.1.0.1 to 10.1.0.10 | 255.255.255.0 | Branch office | Internal interface of the multipurpose router at the branch office, and all other network devices that require static IP addresses (for example, printers and scanners). (This range is derived from the start of the branch DHCP range in the next row.)
10.1.0.11 to 10.1.0.254 | 255.255.255.0 | Branch office | DHCP clients at the branch office.
Configure the public IP address, subnet mask, and default gateway provided by the ISP on the external interface of the firewall server at the main office.

DHCP should be used to assign all IP addresses on the medium IT network, both static (as DHCP reservations) and dynamic, with the exception of the following three servers:
- Primary and secondary infrastructure servers: These servers run the DNS service (and the DHCP service itself), which requires a static IP address configured on the computer.
- Internet Security and Acceleration (ISA) Server: This server is directly connected to the Internet and therefore needs a default gateway that differs from every other server's. Because the default gateway is distributed as a DHCP option in the medium IT environment, this server must be excluded from using DHCP.

The DHCP scope options distributed to clients in the medium IT environment are:
- Primary and secondary DNS servers
- Primary and secondary WINS servers
- Default gateway
- Domain suffix
- Web Proxy Auto-Discovery Protocol (WPAD)

Because clients accept these values from whichever DHCP server answers first, and DHCP carries no authentication, any host on the LAN that answers DHCP requests can redirect clients to a DNS server, gateway, or WPAD proxy of its choosing. A Windows Server 2003 DHCP server that is a domain member refuses to serve leases unless it has been authorized in Active Directory, which catches an accidentally enabled Windows DHCP server but not a non-Windows rogue, so the switch ports and the two infrastructure servers that hand out these options need the same protection as the servers themselves.
Medium IT Solution Series

The external interface of the multipurpose branch office router should be configured with the IP configuration provided by the ISP. The router should also be configured as a DHCP server and should use the IP address range given in the previous table; for details on configuring the router, refer to the manufacturer's documentation. Use the following DHCP options for the branch office:
- DNS servers: Most multipurpose routers with DHCP capability allow up to three entries for DNS servers and two for WINS servers. Configure at least one internal DNS server and one external DNS server, so that branch clients can resolve the names of both internal and external hosts. List the internal DNS servers before the external one, so that clients query the internal servers first and fall back to the external server only if the internal servers do not answer. If the order is reversed, clients send queries for internal names to the public DNS server, which cannot resolve them and exposes internal host names to the ISP. Keep in mind that a Windows client moves to the next server in its list only when the current one fails to respond, not when it returns a negative answer, and once it has switched to the ISP's server it keeps using that server for a period during which internal names do not resolve; the internal servers must therefore be reachable and responsive from the branch. Use the following values:
  - First DNS server: IP address of the internal primary DNS server.
  - Second DNS server: IP address of the internal secondary DNS server.
  - Third DNS server: IP address of the public DNS server provided by the ISP that connects the branch office to the Internet.
- WINS servers: Use the IP addresses of the internal primary and secondary WINS servers.
- Default gateway: Use the IP address of the internal interface of the branch office router.
Lucerne Publishing followed the Medium Business Solution for Core Infrastructure recommendations. The following table provides some examples of the IP addresses used by Lucerne Publishing.

Device Type | Name | IP Address
Firewall server (external interface) | MOISA | Public address from ISP
Firewall server (internal interface) | MOISA | 10.0.0.1
Primary infrastructure server | MOCOR1 | 10.0.0.2
Secondary infrastructure server | MOCOR2 | 10.0.0.3
Collaboration server | MOXRNT | 10.0.0.4
Directly attached hardware (such as printers and scanners) | LJ4KACCT, SCANRSLS | 10.0.0.41
Remote management cards | | 10.0.0.255
Client devices | FIN302, SAL201 |
Software Recommendations
The network services (DNS, DHCP, and WINS) and Active Directory are built into the Windows Server 2003 operating system. Therefore, no additional software is required for deploying the network and directory services in the medium IT environment. The only decision that needs to be made is choosing between Windows Server 2003, Standard Edition and Windows Server 2003, Enterprise Edition. Windows Server 2003, Enterprise Edition supports additional features compared to Windows Server 2003, Standard Edition. These features include:
- Clustering: A cluster is a group of independent computers, called nodes, that work together to run a common set of applications and provide high availability. If one node in the cluster fails, the application can be failed over to the next node.
- Remote storage: Remote storage uses criteria that you specify to automatically copy less frequently used files to removable media. If hard-disk space drops below the specified levels, remote storage removes the cached file content from the disk. If the file is needed later, the content is automatically recalled from storage.
- Support for up to eight processors (compared to support for up to four processors in Windows Server 2003, Standard Edition): The Windows Server 2003 family supports single or multiple central processing units (CPUs) that conform to the symmetric multiprocessing (SMP) standard. Using SMP, the operating system can run threads on any available processor, which makes it possible for applications to use multiple processors when additional processing power is required to increase the capability of a system.
- 64-bit support for Intel Itanium-based computers: Support for 64-bit processing delivers far higher scalability than 32-bit file servers by providing a greatly enlarged virtual address space and paged pool area, the ability to handle increased numbers of users and connections, and increased hardware reliability through predictive error checking and notification of failures.
- Hot add memory: Hot add memory allows ranges of memory to be added to a computer and made available to the operating system and applications as part of the normal memory pool. This does not require restarting the computer and involves no downtime.
The Medium Business Solution for Core Infrastructure recommends using Windows Server 2003, Standard Edition for the infrastructure servers, because none of the additional features provided by Windows Server 2003, Enterprise Edition will be used in the medium IT environment. In addition, Windows Server 2003, Standard Edition costs less than Windows Server 2003, Enterprise Edition. Lucerne Publishing opted to install Windows Server 2003, Standard Edition. There were no factors present in the environment of Lucerne Publishing that required any of the features of Windows Server 2003, Enterprise Edition listed in this section.
Operating System
The following choices must be made during the installation of the operating system:
- IP configuration: The DNS service hosted on the infrastructure servers requires that the infrastructure servers be configured with static IP addresses. The IP addresses should be configured as per the guidelines provided in Chapter 2, Physical Network Design, of this solution. The following table lists the IP configurations recommended for the infrastructure servers in the Medium Business Solution for Core Infrastructure.

  Parameter
  IP Address
  Default Gateway
  Preferred DNS Server
  Secondary DNS Server
  Preferred WINS Server
  Secondary WINS Server

- Licensing: When installing the base operating system on the infrastructure servers, you must choose a client licensing mode. The Medium Business Solution for Core Infrastructure recommends the Per Device or Per User licensing mode. This is the most economical choice because client workstations in the medium IT environment consume services from a number of different servers in the environment on a regular basis.
- Server naming: The servers must be assigned a host name and a NetBIOS name. The names used for the servers should be in accordance with the naming convention guidelines of the Medium Business Solution for Core Infrastructure documented in Chapter 1, Core Infrastructure Design Overview, of this solution. As per the Medium Business Solution for Core Infrastructure naming convention, Lucerne Publishing named their primary infrastructure server MOCOR1 and their secondary infrastructure server MOCOR2.
many services require a static IP address before installation, or because the servers need variances from the standard scope options assigned by DHCP.
Configuring Redundancy
In the medium IT environment, the DHCP service needs to be hosted on both infrastructure servers to provide redundancy. This section provides guidance on implementing the DHCP service across the two servers. There are several ways in which two DHCP servers can be configured to provide redundant services in the medium IT environment. These include:
- Extraordinarily long lease time: The DHCP servers are configured to provide an extraordinarily long lease time (such as one to two weeks or longer). This configuration may help minimize client connectivity issues if a DHCP server fails, because clients keep the IP address leased to them for the duration of the lease if they are unable to contact the DHCP server. If all clients have obtained their IP configuration by the time the DHCP server fails, the environment will continue to operate normally, provided the DHCP server comes back online before the lease expires. If the server is not restored before the lease expires, client computers will lose connectivity when they are restarted, and new computers added to the network while the DHCP server is down will not obtain an address. Therefore, only partial reliability is achieved.
- Standby DHCP server: A standby DHCP server is activated only if the primary infrastructure server fails. If the primary infrastructure server fails, the secondary infrastructure server can be activated immediately, resulting in no or very limited downtime for the clients. However, the problem with this configuration is that the activation of the backup DHCP server must be done manually, because the failover is not automatic.
- Non-overlapping scopes: Two DHCP servers are configured with non-overlapping scopes. In this configuration, each scope should have enough IP addresses to serve the entire environment in the event of a server failure. If one server fails, the other server should have enough IP addresses available to service all client requests. This option overcomes the weaknesses of the other options because there is no service degradation during a server failure, and the failover is automatic.
Choice: Extraordinarily long lease time
Advantages:
- Low cost: Requires only a single DHCP server.
Disadvantages:
- Availability: Services are limited or only partially available during an outage. Machines that are rebooted or newly added during the outage will not get proper connectivity.

Choice: Standby DHCP server
Advantages: (not recoverable from the source table)
Disadvantages:
- No automatic failover: An administrator must detect the failure of the main server and manually activate the second server.
- Additional cost: Requires at least two servers to implement.

Choice: Non-overlapping scopes
Advantages:
- Automatic failover.
- Full service: There is no degradation in service experienced by the clients during a service outage on one of the servers.
Disadvantages: (not recoverable from the source table)

The Medium Business Solution for Core Infrastructure recommends implementing two non-overlapping scopes, one each on the primary and secondary servers. It is important to ensure that the scope configured on each server has enough IP addresses to serve the entire environment in the event of a server failure. The medium IT environment may have up to 250 clients, so each scope should be able to provide at least 250 IP addresses. Lucerne Publishing implemented DHCP on the primary infrastructure server in conjunction with the old DHCP server. Once the scope was active on the primary infrastructure server, they were able to turn off the portion of the scope on the former PDC. Lucerne Publishing then set up the non-overlapping portion of the scope on the secondary infrastructure server.
The following table presents the advantages and disadvantages of these choices.

Choice: Manual configuration
Advantages:
- No advance information gathering: There is no need to gather all of the MAC addresses ahead of time.
- No administration overhead: Configuration can be performed by anyone because it does not require access to the infrastructure servers.
- Single configuration: Each device only has to be set up once.
Disadvantages:
- Disorganized: It is easy to lose track of the devices that are configured with a static IP address.
- IP conflicts: It is possible to accidentally configure two or more devices with the same IP address.
- Complex: The method of configuring each device is different. There is no standardization across devices, so each individual device must be figured out.
- Difficult to change: If a change is ever required in the environment, such as a new address or scope option, each device will have to be visited and manually reconfigured.

Choice: DHCP reservations
Advantages:
- Standard configuration: The steps to configure network parameters may differ between devices from different manufacturers. Using reservations only requires enabling the device for DHCP.
- Uniform settings: Enables configuring uniform options (such as gateway and WINS server) on all devices requiring static addresses.
- Directory of addresses: The list of reservations provides a convenient directory of all network devices that are in use.
- Simplicity: DHCP reservations simplify changes to the IP configuration, such as a change of DNS server or gateway.
Disadvantages:
- Cumbersome: You need to gather the MAC address of all devices requiring a static IP address, and then manually enter the network addresses and configure reservations on both DHCP servers.
- Human error: MAC addresses are long, complex strings, and typing errors are possible while entering the values into the servers.
- Additional overhead: Changes in a MAC address require updates to the reservations on both infrastructure servers.

The Medium Business Solution for Core Infrastructure recommends using DHCP reservations to assign static IP addresses to devices such as servers, printers, network devices, and scanners. This facilitates management of the IP configuration on these devices. In addition, DHCP reservations provide centralized documentation of all static IP addresses in use. The list of reservations can be used as a troubleshooting tool because it shows whether the address lease for a device is active or inactive, which helps determine whether a problematic device is communicating properly with the DHCP servers. It also makes it possible to change the IP configuration from the DHCP server itself. Lucerne Publishing decided to use DHCP reservations for all devices, even though there were a large number of hardware devices in the environment and using DHCP reservations required the IT staff to gather the MAC addresses of all of the devices and enter them manually in DHCP. The IT staff of Lucerne Publishing decided to put in the initial effort because, once the task was complete, they found the centralized database of all devices invaluable. They also realized that this was the last time they would ever have to perform this task, because any future IP address changes would be easy to accomplish. However, the following servers are exceptions, and the IP configuration on these servers must be done manually and not through DHCP reservations:
- Primary and secondary infrastructure servers: The DNS service hosted on these servers requires them to be manually configured with static IP addresses.
- Firewall server: The firewall server does not have the same default gateway as the rest of the servers.
Group Policy
GPOs can be used in a domain environment to automatically apply configuration to client devices, servers, and the user environment. There is a minimum set of Group Policy settings that should be applied even if you do not plan to implement any other Group Policy settings in your environment. This minimum set of Group Policy settings is used to apply basic security settings at the domain level. The Medium Business Solution for Core Infrastructure provides a core domain-level GPO as part of the core infrastructure. Because this GPO is applied at the domain level, organizational units are not required. It is strongly recommended to implement this GPO. Lucerne Publishing found that the implementation of the core domain-level GPOs provided with the Medium Business Solution for Core Infrastructure was the perfect answer for automatically enforcing the stronger security requirements that the IT department had been looking to implement for some time. For more information on Active Directory, organizational units, Group Policy, and additional GPOs for the medium IT environment, refer to the Medium Business Solution for Management and Security using Active Directory Group Policy.
Hardware Recommendations
When choosing hardware for the infrastructure servers, the critical factors to be considered are:
- Processor and random access memory (RAM).
- Storage configuration.
Storage Configuration
Direct-attached storage (DAS) is used on the infrastructure servers for storing the system files and data. For general considerations and guidelines on choosing direct-attached storage, refer to the Guidelines for Choosing DAS Storage section in Appendix I of this solution. When configuring RAID on the infrastructure servers, consider the following options:
- Configure all drives as a single partition on a RAID 5 array.
- Configure all drives as multiple partitions on a RAID 5 array.
- Configure a system partition on a RAID 1 array and a data partition on a RAID 5 array.
Configuring all drives as a single partition on a RAID 5 array offers the advantage of simplicity. This configuration also avoids issues that may occur later where one partition becomes full while other partitions have a lot of free space. However, this configuration does not remain viable when partitions become very large, because performance suffers. In addition, with large partitions, certain features in the operating system no longer work. For example, you cannot use the built-in Windows backup utility to back up a partition to a file that is on the same partition.
Configuring all drives as multiple partitions on a RAID 5 array with very large partitions gets rid of some of the performance-related issues. However, it creates additional issues, such as having to choose the partitions onto which services and data should be deployed. When the partitions become full, there is no easy way to move these services to a different location.
Configuring the system partition on a RAID 1 array and the data partition on a separate RAID 5 array eliminates all the issues that are present in the two other options discussed. In this configuration, the RAID 1 system partition uses only two disks and is a smaller partition. Only the operating system and other system files, such as patches and service packs, are placed on this drive. The RAID 5 partition is used for applications and data and is only required if the server hosts any of the following services:
- File service
- Messaging service
- Collaboration service
Recommendations
The Medium Business Solution for Core Infrastructure recommends configuring a system partition on a RAID 1 array. In addition, configure a utility partition. Most manufacturers provide a means to set up a utility partition on the disk that is designed to hold system and hardware utilities that can be used to aid configuration and troubleshooting of the hardware. Ensure that these utilities are set up according to the instructions provided by the manufacturer. The following hardware is recommended for the infrastructure servers in the medium IT environment:
- Intel Xeon-based processor of at least 2.4 GHz.
- 1 GB of RAM.
- SCSI RAID controller.
- Two SCSI hard drives with the following configuration:
  - Minimum 10,000 RPM (15,000 RPM recommended).
  - 18 GB or greater in capacity.
Note: If you plan to deploy the file, print, messaging, or collaboration services on the infrastructure servers, you will require an additional RAID 5 array for the data partition. For information on the additional hardware requirements for these services, refer to the following documents:
- Chapter 5, File Services, of this solution.
- Medium Business Solution for Messaging Services.
- Medium Business Solution for Collaboration Services.
- Medium Business Solution for Print Services.
Lucerne Publishing performed a hardware inventory on their primary domain controller (PDC) and backup domain controllers (BDCs) and determined that their existing hardware was insufficient to run Windows Server 2003. Having budgeted for new hardware, Lucerne Publishing purchased new servers meeting the above configuration recommendations. Lucerne Publishing also realized that they planned to use their secondary infrastructure server for hosting messaging services. As a result, when they purchased this server, they also incorporated the guidelines in the Medium Business Solution for Messaging Services and configured the server with 2 GB of RAM (because messaging is a critical application for them) and six 15,000 RPM SCSI drives: two 18-GB drives in a RAID 1 array for the operating system, and three 18-GB drives in a RAID 5 array (resulting in approximately 36 GB of usable space) for Exchange and the messaging databases. The sixth drive was used as a hot spare in case any of the drives failed.
Bill of Materials
The following table presents the bill of materials required to build the network and directory services in the medium IT environment.

Description | Quantity
Domain name | For one year
Windows Server 2003, Standard Edition | 2
Server hardware | 2
Client licenses | Number of clients
Build
Once the requirements listed in the Prerequisites section of this chapter are met and the items listed in the Bill of Materials section are purchased, you can start building network and directory services on the infrastructure servers. Perform the following tasks on the infrastructure servers:
1. Gathering information for initial configuration.
2. Configuring external DNS records.
3. Configuring the hardware and operating system.
4. Performing an initial security audit.
5. Installing and configuring Active Directory.
6. Installing and configuring DNS.
7. Configuring the Windows Time Service.
8. Installing and configuring DHCP.
9. Installing and configuring WINS.
10. Configuring GPOs.
11. Installing and configuring the CA.
12. Installing IAS.
13. Performing final security configuration validation.
Note: If the steps in this section do not specify the exact values to be used while running a wizard, use the default values provided by the wizard.
The following information will be required while configuring the network services:
- DNS domain name: The DNS domain name should be the same as the primary publicly registered domain name, that is, BusinessName.com.
- Public domain name: If the organization does not already own a public domain name, one will need to be selected and purchased from a domain name registrar. For an example, refer to the following URL: http://www.bcentral.com/products/wh/dnr.asp Lucerne Publishing already owned the domain name lucernepublishing.com and elected to use that.
- MAC addresses: There should be a list with the names and MAC addresses of all of the network devices in the environment, including:
  - Routers, switches, firewalls, access points, or other network devices (excluding servers or network-attached storage devices).
  - Printers.
  - Scanners.
  - Video cameras.
Note: Follow the manufacturer's instructions for each device in the environment to obtain the MAC or hardware address. Also note that each device must be configured to obtain its IP configuration through DHCP (on some devices this is referred to as automatic configuration or obtain settings automatically). Follow the manufacturer's instructions to configure the device to get its IP configuration automatically from a DHCP server.
- Downloads: From a computer that is already securely connected to the Internet, download the Group Policy Management Console installation file from the following URL and save it to a CD or a USB drive: http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
Record Type | Service | IP Address
A | | Static IP address used on the firewall server.
CNAME | | remote.BusinessName.com
CNAME | | remote.BusinessName.com
CNAME | |
MX Record | |
Secondary infrastructure server:
- IP configuration:
  - Static IP address: 10.0.0.3
  - Subnet mask: 255.255.0.0
  - Default gateway: 10.0.0.1
- Server name: SMBEX
- Primary DNS server: 10.0.0.2
- Primary WINS server: 10.0.0.3
2. Install the Windows Support Tools on both servers. To install the Windows Support Tools, browse to the \support\tools directory on the installation CD. Right-click the suptools.msi file and click Install. The support tools might get updated in a service pack, so you may need to use the support tools that come with the latest service pack.
Note: The Windows Server 2003 installation CD will be required several times throughout the remainder of this chapter. It is a good idea to keep the CD in an easily accessible location.
c. Type the DNS name gathered in the "Gathering Information for Initial Configuration" section in the Full DNS name for new domain text box (for example, lucernepublishing.com).
d. Type the DNS name without its suffix in the Domain NetBIOS name text box. If the DNS name without the suffix is longer than 15 characters, type an abbreviation of at most 15 characters. Lucerne Publishing chose the NetBIOS name Lucerne, because lucernepublishing is longer than 15 characters.
e. If the server is configured with a single partition, accept the default locations for the Database and Log folders. If separate system and data partitions are configured, change the drive letter to that of the data partition.
f. If the server is configured with a single partition, accept the default location for the SYSVOL folder. If separate system and data partitions are configured, change the drive letter to that of the data partition.
g. Click Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server.
h. Click Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems.
i. Ensure that the password you supply for Directory Services Restore Mode is secure and documented in a safe location.
j. After completing the wizard, click the Restart Now button.
Raise the domain functional level of the new domain to Windows Server 2003 by performing the following steps:
1. Open the Active Directory Users and Computers Microsoft Management Console (MMC).
2. Right-click the domain name and click Raise Domain Functional Level.
3. On the Raise Domain Functional Level screen, select Windows Server 2003 from the Select an available domain functional level drop-down list, and then click the Raise button.
4. Click OK on any warning messages that are displayed.
Make SMBEX a domain controller by performing the following steps:
1. Run the dcpromo command on SMBEX to start the Active Directory Installation Wizard.
2. Complete the wizard by performing the following:
  a. Select the Additional domain controller for an existing domain option.
  b. Type the administrator credentials for the domain.
  c. Type the domain name (for example, BusinessName.com).
  d. Type the password for Directory Services Restore Mode, which is the same password as that provided on SMBDC.
  e. After completing the wizard, click the Restart Now button.
Make SMBEX a global catalog server by performing the following steps:
1. Open the Active Directory Sites and Services MMC.
2. Expand Sites, Default-First-Site-Name, Servers, and SMBEX.
3. Right-click NTDS Settings and click Properties.
4. Select the Global Catalog check box and click OK.
5. Close the MMC.
Create a long, complex password for the administrator account. The administrator account name is well known, and therefore it is best practice to use a long, complex password for this account. Perform the following steps to change the password:
1. Log on to a domain controller using the administrator credentials.
2. Open the Active Directory Users and Computers MMC.
3. Expand the domain name, and click the Users folder.
4. Right-click the administrator account and click Reset Password.
5. Type a new password in the New Password and Confirm Password text boxes.
Use the following guidelines for selecting a complex password:
- Use a phrase, rather than a single word.
- Use all four classes of characters: capital letters, lowercase letters, numbers, and symbols.
- Ensure that the password is at least 15 characters in length.
- Do not use any part of the user name.
- Do not use symbols or numbers only at the beginning or end of the password; use them throughout.
- Do not use any word that can be found in a dictionary, or any proper noun, as part of your password.
The most secure password is a random string of characters drawn from the four classes of characters mentioned previously.
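As an added example (not part of the Medium Business Solution documentation), the following Python function checks a proposed administrator password against the guidelines listed above. The three-character rule used for "part of the user name" and the small SAMPLE_WORDS list are assumptions made for this example; a real deployment would check against a full dictionary.

```python
"""Checker for the administrator password guidelines above (added example,
not part of the Medium Business Solution documentation)."""
import string

# Constructed stand-in for a dictionary and proper-noun list (assumption).
SAMPLE_WORDS = ("password", "welcome", "lucerne", "admin", "summer")


def password_problems(password, user_name, words=SAMPLE_WORDS, min_length=15):
    """Return the guideline violations found in password; an empty list
    means the password passes every rule this function can check."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # All four character classes must be present.
    classes = {
        "capital letters": any(c.isupper() for c in password),
        "lowercase letters": any(c.islower() for c in password),
        "numbers": any(c.isdigit() for c in password),
        "symbols": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))

    # No part of the user name; "part" is assumed here to mean any run of
    # three consecutive characters, compared case-insensitively.
    lowered, uname = password.lower(), user_name.lower()
    if any(uname[i:i + 3] in lowered for i in range(len(uname) - 2)):
        problems.append("contains part of the user name")

    # Numbers and symbols must appear inside the password, not only at the
    # ends: strip them from both ends and see whether any remain.
    non_letters = string.digits + string.punctuation
    core = password.strip(non_letters)
    has_non_letters = any(c in non_letters for c in password)
    if has_non_letters and not any(c in non_letters for c in core):
        problems.append("numbers and symbols only at the beginning or end")

    # No dictionary words or proper nouns (checked against the sample list).
    found = [w for w in words if w in lowered]
    if found:
        problems.append("contains dictionary word(s): " + ", ".join(found))
    return problems


if __name__ == "__main__":
    for candidate in ("admin123!", "Tr0ub4dor&3horse!Staple9"):
        print(candidate, "->", password_problems(candidate, "administrator") or "ok")
```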
2. In the Windows Components Wizard, highlight Networking Services (do not select the check box) and click Details.
3. In the Networking Services dialog box, select the DNS check box.
4. Click Next to begin the installation.
5. If prompted, insert the Windows Server 2003 CD.
Perform a manual replication of Active Directory by performing the following steps on either server:
1. Open the Active Directory Sites and Services MMC on SMBDC.
2. Navigate to the site name (the default is Default-First-Site-Name), Servers, SMBDC, and NTDS Settings.
3. Right-click the automatically generated connection and click Replicate Now.
4. Open the DNS Management console and verify that all of the zones created on SMBDC now also show on SMBEX.
5. Once DNS is installed and operational, change the preferred DNS server in the IP configuration of SMBEX to 10.0.0.3 (its own IP address), and configure the secondary DNS server as 10.0.0.2.
Configure forwarders on both DNS servers by performing the following steps:
1. On each DNS server, right-click the server name in the DNS Management console and click Properties.
2. Click the Forwarders tab.
3. Enter the IP addresses of at least two public DNS servers in the order provided by your ISP (as per the information gathered in the "Gathering Information for Initial Configuration" section earlier in this chapter).
Configure reverse lookup zones on both DNS servers by performing the following steps:
1. With the DNS Management console still open, expand <server name>, right-click Reverse Lookup Zones, and click New Zone.
2. Complete the New Zone Wizard by specifying the following settings:
  - On the Zone Type page, choose Primary zone and Store the zone in Active Directory.
  - On the Active Directory Zone Replication Scope page, choose To all DNS servers in the Active Directory forest <BusinessName.com>.
  - On the Reverse Lookup Zone Name page, enter the network ID 10.0.
  - On the Dynamic Update page, choose Allow only secure dynamic updates (recommended for Active Directory).
Configure the responsible person for each zone created in DNS by performing the following steps on either server.
1. Click the zone name in the DNS Management console.
2. Right-click the zone and click Properties.
3. Click the Start of Authority (SOA) tab.
4. Enter the e-mail address of the administrative account, substituting a "." for the "@" symbol (for example, administrator.BusinessName.com).
a. On the Scope Name page, enter the name of the scope (for example, you can use the same name as the server, that is, SMBDC).
b. On the IP Address Range page, enter the following information:
  - Start IP address: 10.0.0.1
  - End IP address: 10.0.2.254
  - Length: 16 bits
c. On the Add Exclusions page, add the following exclusion ranges:
  - 10.0.0.1 to 10.0.0.255
  - 10.0.2.0 to 10.0.2.254
  On the Lease Duration page, accept the default 8-day lease duration.
d. On the Configure DHCP Options page, select Yes, I want to configure these options now.
e. On the Router (Default Gateway) page, add the default gateway address (10.0.0.1).
f. On the Domain Name and DNS Servers page, add the parent domain (for example, BusinessName.com), and configure SMBDC (10.0.0.2) as the primary DNS server and SMBEX (10.0.0.3) as the secondary DNS server.
g. On the WINS Servers page, add SMBDC (10.0.0.2) as the primary WINS server and SMBEX (10.0.0.3) as the secondary WINS server.
h. On the Activate Scope page, click Yes, I want to activate this scope now.
Create a new scope on SMBEX by performing the steps in the previous task, but with the following exceptions:
- Name of the scope: SMBEX
- Use the following exclusions:
  - 10.0.0.1 to 10.0.0.255
  - 10.0.1.0 to 10.0.1.255
Configure reservations on both servers by performing the following steps:
1. Right-click Reservations and click New Reservation.
2. Fill in the host name as the reservation name, the IP address, the MAC address, and a meaningful description (for example, HPLJ1500NP for an HP LaserJet 1500 network printer). Use the MAC addresses gathered in the "Gathering Information for Initial Configuration" section earlier in this chapter.
3. Repeat the process for each network device (for example, routers, scanners, cameras, and switches) in the environment.
Enable dynamic updates on both servers by performing the following steps:
1. Right-click the server name and click Properties.
2. Click the DNS tab.
3. Select all three of the following check boxes on the DNS tab:
  - Enable DNS dynamic updates according to the settings below
  - Discard A and PTR records when lease is deleted
  - Dynamically update DNS A and PTR records for DHCP clients that do not request updates (for example, clients running Windows NT 4.0)
Enable server-side conflict detection on both servers by performing the following steps:
1. Right-click the server name and click Properties.
2. Click the Advanced tab.
3. Set the Conflict Detection Attempts value to 2.
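The two scopes created above, and the reservation lists that have to be entered identically on both servers, are easy to get subtly wrong. As an added example (not part of the Medium Business Solution documentation), the following Python script checks the SMBDC and SMBEX scopes for overlap and for the 250-address minimum from the Configuring Redundancy section, and validates a reservation list for the mistakes the reservations table warns about; the scope ranges and exclusions are the chapter's values, while the reservation entries are constructed sample data.

```python
"""Checks for the two non-overlapping DHCP scopes and the shared reservation
list described in this chapter (added example, not part of the Medium
Business Solution documentation)."""
import ipaddress
import re

# Scopes as configured on the two servers: the same 10.0.0.1 - 10.0.2.254
# range (16-bit mask) on both, but each server excludes a different block so
# that only one server ever leases a given address.
SCOPES = {
    "SMBDC": {
        "range": ("10.0.0.1", "10.0.2.254"),
        "exclusions": [("10.0.0.1", "10.0.0.255"), ("10.0.2.0", "10.0.2.254")],
    },
    "SMBEX": {
        "range": ("10.0.0.1", "10.0.2.254"),
        "exclusions": [("10.0.0.1", "10.0.0.255"), ("10.0.1.0", "10.0.1.255")],
    },
}

# Constructed reservation lists (name, IP address, MAC). The chapter requires
# identical reservations on both servers; the second SMBEX entry carries a
# typo of the kind the chapter warns about (one hex digit missing).
RESERVATIONS = {
    "SMBDC": [("HPLJ1500NP", "10.0.0.41", "00-11-22-33-44-55"),
              ("SCANRSLS", "10.0.0.42", "00-11-22-33-44-66")],
    "SMBEX": [("HPLJ1500NP", "10.0.0.41", "00-11-22-33-44-55"),
              ("SCANRSLS", "10.0.0.42", "00-11-22-33-44-6")],
}


def address_set(start, end):
    """Every address from start to end inclusive, as a set of integers."""
    first = int(ipaddress.IPv4Address(start))
    last = int(ipaddress.IPv4Address(end))
    return set(range(first, last + 1))


def effective_pool(scope):
    """Addresses a server will actually hand out: its range minus exclusions.
    With a 16-bit mask, 10.0.1.0 and 10.0.1.255 are ordinary host addresses."""
    pool = address_set(*scope["range"])
    for start, end in scope["exclusions"]:
        pool -= address_set(start, end)
    return pool


def check_scopes(scopes, min_pool=250):
    """Verify that no address can be leased by both servers and that each
    pool alone can serve the 250 clients the chapter sizes the environment for."""
    pools = {name: effective_pool(scope) for name, scope in scopes.items()}
    overlap = set.intersection(*pools.values())
    sizes = {name: len(pool) for name, pool in pools.items()}
    return {
        "sizes": sizes,
        "overlap": sorted(str(ipaddress.IPv4Address(a)) for a in overlap),
        "ok": not overlap and all(size >= min_pool for size in sizes.values()),
    }


def normalize_mac(mac):
    """Return the MAC as 12 upper-case hex digits, or None if it is malformed."""
    digits = re.sub(r"[-:.]", "", mac).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None


def check_reservations(reservations, scopes):
    """Report the mistakes the chapter warns about: malformed or duplicate
    MACs, duplicate addresses, addresses outside the scope range, and
    reservation lists that differ between the servers."""
    problems, normalized = [], {}
    for server, entries in reservations.items():
        scope_range = address_set(*scopes[server]["range"])
        seen_macs, seen_ips, normalized[server] = {}, {}, set()
        for name, ip, mac in entries:
            key = normalize_mac(mac)
            if key is None:
                problems.append(f"{server}: {name} has malformed MAC {mac!r}")
                continue
            if key in seen_macs:
                problems.append(f"{server}: MAC {mac} shared by {seen_macs[key]} and {name}")
            if ip in seen_ips:
                problems.append(f"{server}: address {ip} shared by {seen_ips[ip]} and {name}")
            if int(ipaddress.IPv4Address(ip)) not in scope_range:
                problems.append(f"{server}: {name} address {ip} is outside the scope range")
            seen_macs[key], seen_ips[ip] = name, name
            normalized[server].add((name, ip, key))
    lists = list(normalized.values())
    if any(other != lists[0] for other in lists[1:]):
        problems.append("reservation lists differ between servers")
    return problems


if __name__ == "__main__":
    print(check_scopes(SCOPES))
    for problem in check_reservations(RESERVATIONS, SCOPES):
        print("reservation problem:", problem)
```

With the chapter's values, SMBDC is left with the 256 addresses of 10.0.1.x and SMBEX with the 255 addresses of 10.0.2.0 to 10.0.2.254, so each server just meets the 250-client requirement on its own.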
Medium Business Solution for Core Infrastructure Chapter 3 Network and Directory Services
8. On SMBDC in the DNS Management console, expand the server name and then Reverse Lookup Zones.
9. Click to select the reverse lookup zone name.
10. Right-click the zone name (that is, 10.0.x.x Subnet) of each reverse lookup zone and click Properties.
11. Click the WINS-R tab.
12. Select Use WINS-R lookup.
13. Enter the domain name to append to the returned name (for example, BusinessName.com) and close the Properties page.
8. Click the Next button.
9. Click Yes on the warning about installing Active Server Pages (ASPs).
10. Click Finish.
11. Verify that you can reach the Web enrollment page by opening Internet Explorer and navigating to http://localhost/certsrv.
Ensure that Session State is enabled for successful CA enrollment through the certsrv Web site:
1. Open Internet Information Services Manager from Administrative Tools.
2. Expand <servername> and then Web Sites. Then, right-click Default Web Site and click Properties.
3. Click the Home Directory tab, and then under Application Settings, click Configuration.
4. On the Application Configuration page, click the Options tab, and then ensure that the Enable Session State check box is selected; if it is not, click to select it.
5. Click OK on all screens and close IIS Manager.
6. Restart IIS by typing iisreset at a command prompt.
Note: You need to download and install either the Medium Business Solution for Core Infrastructure or the entire Medium IT Solution Series. The coreGPO.zip file is located in the Medium Business Solution for Core Infrastructure v1.0 folder.
Unlink and rename the Default Domain Policy by performing the following steps:
1. Open GPMC by clicking the shortcut under Administrative Tools.
2. Expand Forest, Domains, BusinessName.com.
3. Right-click Default Domain Policy and click Delete, and then click OK.
4. Expand Forest, Domains, BusinessName.com, Group Policy Objects.
5. Right-click Default Domain Policy and click Rename.
6. Rename the policy to Original Default Domain Policy.
Import the GPOs into the environment by performing the following steps:
1. Open GPMC and expand Forest, Domains, BusinessName.com.
2. Right-click Group Policy Objects and click New.
3. Name the policy Default Domain Policy.
4. Right-click the policy and click Import Settings.
5. Run the Import Settings Wizard using the default values. On the Backup Location page, specify the backup folder where the core GPO distributed with the Medium Business Solution for Core Infrastructure was saved and select the Default Domain Policy GPO backup.
Link the new policy to the appropriate location by performing the following steps:
1. In the GPMC, expand Forest, Domains, BusinessName.com.
2. Right-click the domain object, BusinessName.com, and click Link an Existing GPO.
3. Select the Default Domain Policy and click OK.
Deploy
This section provides guidance on deploying the network services solution. Deploying involves the following:
Testing the service.
Backing up the system and verifying the backup.
Releasing the system to users.
DHCP Testing
Perform the following steps to test DHCP:
1. Check the IP configuration of a hardware device, such as a printer. Ensure that the correct IP information was received from the reservation on the DHCP servers.
2. Turn on a client computer and ensure that it receives proper IP information from DHCP.
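The "proper IP information" in step 2 can be checked mechanically rather than by eye. The following Python script is an added example, not part of this guide: it parses a constructed ipconfig /all listing from a client (the sample text is made up for the example, not captured from a real system) and compares it with the scope options configured in the Build section (gateway 10.0.0.1, DNS and WINS servers 10.0.0.2 and 10.0.0.3, domain BusinessName.com). It also confirms that the lease came from one of the two authorized servers and from that server's half of the split scope; a lease handed out by any other address is the usual sign of a misconfigured or unauthorized DHCP server on the network.

```python
"""Check that a client received the expected DHCP configuration.

Added example, not part of the original guide. It parses the output of
'ipconfig /all' on a client (the sample below is constructed, not captured
from a real system) and compares it with the scope options configured in
this chapter, including which server is allowed to lease which addresses.
"""
import re
from ipaddress import IPv4Address

# Constructed sample of 'ipconfig /all' output from a client on the LAN.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS01
   Primary Dns Suffix  . . . . . . . : BusinessName.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : BusinessName.com
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 10.0.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.0.0.1
   DHCP Server . . . . . . . . . . . : 10.0.0.2
   DNS Servers . . . . . . . . . . . : 10.0.0.2
                                       10.0.0.3
   Primary WINS Server . . . . . . . : 10.0.0.2
   Secondary WINS Server . . . . . . : 10.0.0.3
"""

# Option values every client must receive (from the New Scope Wizard pages).
EXPECTED = {
    "Dhcp Enabled": ["Yes"],
    "Subnet Mask": ["255.255.0.0"],
    "Default Gateway": ["10.0.0.1"],
    "Connection-specific DNS Suffix": ["BusinessName.com"],
    "DNS Servers": ["10.0.0.2", "10.0.0.3"],
    "Primary WINS Server": ["10.0.0.2"],
    "Secondary WINS Server": ["10.0.0.3"],
}

# Part of the split scope each server can lease, derived from its exclusions.
SERVER_POOLS = {
    "10.0.0.2": (IPv4Address("10.0.1.0"), IPv4Address("10.0.1.255")),  # SMBDC
    "10.0.0.3": (IPv4Address("10.0.2.0"), IPv4Address("10.0.2.254")),  # SMBEX
}

# 'Key . . . . : value' lines; the key may contain letters, spaces and hyphens.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Map each field name to its list of values (continuation lines append)."""
    fields = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        match = FIELD_RE.match(line)
        if match:
            last_key = match.group(1).strip()
            value = match.group(2).strip()
            fields[last_key] = [value] if value else []
        elif line[:1].isspace() and last_key:
            fields[last_key].append(line.strip())  # e.g. the second DNS server
        else:
            last_key = None  # section or adapter heading, not a field
    return fields


def first(fields, key):
    """First value recorded for a field, or None if it is absent or empty."""
    values = fields.get(key)
    return values[0] if values else None


def check_client_config(text):
    """Return a list of discrepancies; an empty list means the client matches the scope."""
    fields = parse_ipconfig(text)
    problems = [
        f"{key}: expected {want}, got {fields.get(key, [])}"
        for key, want in EXPECTED.items()
        if fields.get(key, []) != want
    ]
    address = first(fields, "IP Address")
    server = first(fields, "DHCP Server")
    if address is None or server is None:
        problems.append("no DHCP-assigned address or DHCP server recorded")
    elif server not in SERVER_POOLS:
        # A lease from anything other than SMBDC or SMBEX points to a
        # misconfigured or unauthorized DHCP server on the network.
        problems.append(f"lease came from unknown DHCP server {server}")
    else:
        low, high = SERVER_POOLS[server]
        if not low <= IPv4Address(address) <= high:
            problems.append(f"{address} is outside the pool served by {server} ({low}-{high})")
    return problems


if __name__ == "__main__":
    print(check_client_config(SAMPLE_IPCONFIG) or "client configuration matches the scope")
```

The parser handles only the single-adapter listing shown; on a multi-homed client the adapter headings would need to be tracked so that fields are checked per adapter.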
DNS Testing
Perform the following steps to test DNS:
1. From each server, ping the other server by name, and ensure that the name resolves to the proper IP address.
2. Turn on a new client computer and ensure that a proper A resource record is created in the DNS console for the workstation.
Redundancy Testing
Perform the following steps to test for redundancy:
1. Shut down the primary infrastructure server and perform all the tests mentioned earlier in this section to ensure proper operation of the core infrastructure services.
2. Once all the tests are performed, turn on the primary infrastructure server.
3. Shut down the secondary infrastructure server and perform all the tests mentioned earlier in this section to ensure proper operation of the core infrastructure services.
Operate
This section provides guidance on managing and supporting the network services solution. Operating involves the following:
Remote management
Patch management
Other support
Remote Management
Two options are available for remote management that allow the administrator or service provider to access the server remotely and provide support. These options are:
In-band management
Out-of-band (OOB) management
In-band Management
In-band management on the infrastructure servers in the medium IT environment is provided through Remote Desktop for Administration. When Remote Desktop for Administration is enabled, administrators can remotely connect to a server using Remote Desktop Connection and perform any function that can be performed from the console. This allows many routine tasks to be handled without ever having to physically visit each server.
Out-of-band Management
Out-of-band (OOB) management for the medium IT environment is provided through remote management cards installed and configured on the infrastructure servers.
Patch Management
The Medium Business Solution for Patch Management recommends using Software Update Services (SUS) version 1.0 with Service Pack 1. SUS is a Microsoft patch management solution that provides a centralized distribution point for the updates to be applied to workstations and servers. SUS can be used to deliver security updates and critical hotfixes to the medium IT environment. For more information on SUS, refer to the following URL: http://www.microsoft.com/windowsserversystem/sus/default.mspx
Summary
This chapter provided prescriptive guidance on designing, configuring, and deploying the first two infrastructure servers in a medium IT environment. The chapter provided step-by-step instructions on setting up the first two infrastructure servers, configuring a domain, configuring critical services in the environment, and providing redundancy for critical services.
References
This section provides references to important supplementary information and other background material relevant to the contents of this chapter. These references include:
Windows Server 2003 Active Directory home page, available at the following URL: http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx
TechNet White Paper "Active Directory Benefits for Smaller Enterprises", available at the following URL: http://www.microsoft.com/WindowsServer2003/techinfo/overview/adsmallbiz.mspx
Windows Server 2003 DHCP service home page, available at the following URL: http://www.microsoft.com/windowsserver2003/technologies/dhcp/default.mspx
Windows Server 2003 Internet Authentication Service, available at the following URL: http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx
For support information on Windows Server 2003, refer to the following URL: http://www.microsoft.com/windowsserver2003/community/default.mspx