
Microsoft Solutions for Small & Medium Business: Medium IT Solution Series
Medium Business Solution for Core Infrastructure
Plan, Build, Deploy, and Operate

Chapter 3 Network and Directory Services

Version 1.0

Abstract

This chapter provides guidance that can be used to plan, build, deploy, and operate reliable and secure network and directory services. The chapter provides guidance on configuring the DNS and WINS name resolution services, automating IP address allocation and managing IP configuration on client computers using DHCP, and providing a consistent way to name, describe, locate, access, manage, and secure information using the Active Directory directory service. The services covered in this chapter form the basis of a robust network infrastructure that provides the foundation for other services.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results of the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2005 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Outlook, Windows, Windows 2000, Windows NT and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA

Table of Contents

Introduction ..... 1
  Scope ..... 2
  Prerequisites ..... 2
Envision ..... 3
  Usage Scenarios ..... 3
  Initial State Environment ..... 3
  End State Environment ..... 4
  Benefits ..... 4
Plan ..... 5
  Network Services Deployment Design ..... 6
    Choices ..... 7
    Considerations ..... 7
    Recommendations ..... 8
  DNS Namespace Design ..... 9
    Registering a Public Domain Name ..... 9
    Choosing the Internal DNS Namespace ..... 9
    Deploying the Public DNS Namespace ..... 10
  IP Addressing Convention ..... 10
  Software Recommendations ..... 14
  Infrastructure Server Configuration ..... 15
    Operating System ..... 15
    Active Directory and DNS ..... 16
    Dynamic Host Configuration Protocol ..... 16
      Configuring Redundancy ..... 17
      Configuring Static IP Addresses ..... 18
    Windows Internet Name Service (WINS) ..... 20
    Group Policy ..... 20
  Hardware Recommendations ..... 20
    Processor and Random Access Memory (RAM) ..... 21
    Storage Configuration ..... 21
    Recommendations ..... 22
  Bill of Materials ..... 23
Build ..... 24
  Gathering Information for Initial Configuration ..... 24
  Configuring External DNS Records ..... 25
  Configuring the Hardware and Operating System ..... 26
  Performing Initial Security Audit ..... 27
  Installing and Configuring Active Directory ..... 27
  Installing and Configuring DNS ..... 29
  Configure the Windows Time Service ..... 31
  Installing and Configuring DHCP ..... 31
  Installing and Configuring WINS ..... 33
  Installing and Configuring the Certification Authority ..... 34
  Installing Internet Authentication Service ..... 35
  Configuring Group Policy Objects ..... 35
  Performing Final Security Configuration Validation ..... 36
Deploy ..... 37
  Testing the Services ..... 37
    Network Configuration Testing ..... 37
    Active Directory Testing ..... 37
    DHCP Testing ..... 37
    DNS Testing ..... 38
    Redundancy Testing ..... 38
  Backing Up System and Verifying the Backup ..... 38
  Releasing the System to Users ..... 38
Operate ..... 39
  Remote Management ..... 39
    In-band Management ..... 39
    Out-of-band Management ..... 39
  Patch Management ..... 39
Summary ..... 40
References ..... 41

Introduction
Network and directory services provide the foundation for running all other services in the medium IT environment. Solid and reliable IP address management, name resolution, authentication, and authorization help prevent systemic problems in other services, which would otherwise have a broad impact on the user experience. This chapter provides guidance on designing and deploying services that enable other services and network devices, such as computers and printers, to find, authenticate, and communicate with each other. The services covered in this chapter form the basis of a robust network infrastructure that provides the foundation required for offering a wide variety of services. These services include:

- Core network services:
  - Domain Name System (DNS): Resolves DNS names to IP addresses.
  - Dynamic Host Configuration Protocol (DHCP): Automatically configures network settings on clients and facilitates management of IP addresses and the network configuration of clients.
  - Windows Internet Name Service (WINS): Resolves NetBIOS names to IP addresses.
- Directory services: Authenticate users and computers that try to access resources. The Medium Business Solution for Core Infrastructure uses the Active Directory directory service, which can also be used to centralize and simplify the management of network resources.
- Certificate services: Provide customizable services for creating and managing public key certificates used in software security systems that employ public key technologies. A trusted organization that manages a PKI can be called a certification authority (CA), but usually the term CA refers only to the computer that runs the certificate software.
- Remote Authentication Dial-in User Service (RADIUS): RADIUS is an Internet Engineering Task Force (IETF) standard. In the Medium Business Solution for Core Infrastructure, the Windows Server 2003 Internet Authentication Service (IAS) is used as the RADIUS server. It performs centralized connection authentication, authorization, and accounting for network access through wireless and virtual private network (VPN) connections.

A key difference between the Small IT Solution and the Medium Business Solution for Core Infrastructure is that the latter provides more reliable network and directory services by implementing service redundancy.

Medium Business Solution for Core Infrastructure Chapter 3 Network and Directory Services

3-1

Scope
The scope of the guidance provided in this chapter includes:

- Providing redundancy for the network and directory services.
- Designing the Active Directory service.
- Designing and deploying the network services.
- Using Group Policy objects (GPOs) to secure the environment.
- Choosing the hardware to implement the services.
- Testing the services to ensure proper functioning.
- Performing security audits.
- Releasing the system to the production environment.
- Managing the environment remotely.

Prerequisites
The prerequisites for implementing the network and directory services in the medium IT environment include:

- Connection to the LAN for two servers.
- Uninterruptible Power Supply (UPS) for two servers.
- A public domain name.
- Public DNS services from an ISP.


Envision
This section describes the usage scenarios for and the benefits of implementing the network services in the medium IT environment. It provides the possible initial state environment where the guidance can be implemented and the expected end state of the environment.

Usage Scenarios
This chapter provides guidance that can be used for:

- Enabling centralized management of IP addresses.
- Enabling automatic IP configuration of clients.
- Providing name resolution services for clients.
- Authenticating and authorizing access to data and services on the network.
- Providing a directory service to centrally manage the resources in the IT environment.
- Enabling central management of security policies in the environment.

Initial State Environment

Medium businesses may already have network and directory services deployed. The types of deployments that may exist include:

- Server-based environment with no centralized logons.
- Microsoft Windows NT 4.0- and Windows 2000-based environment.
- Linux- or Novell-based environment.

Deploying the Medium Business Solution for Core Infrastructure enables organizations to eliminate many problems that are common to these scenarios, such as:

- Unreliable and inconsistent network services.
- Security concerns around unauthenticated users.
- Multiple logons required to access different services and resources.
- High operations cost for basic network and directory services.
- Poorly designed directory structure.
- Decentralized structure, which requires excessive effort for making changes and additions to the environment.
- Lack of vendor support for outdated technology, poor vendor support from less established companies, or cross-vendor support issues where multiple non-homogeneous technologies are deployed.
- Lack of support for devices and applications that are used in old or non-homogeneous environments.


End State Environment

The end state environment for network services will consist of:

- Two Microsoft Windows Server 2003-based servers providing redundant network and directory services.
- A single Active Directory domain and forest infrastructure.
- A domain-level Group Policy, applied to enforce domain-wide security requirements.

Benefits
The network and directory services recommended in the Medium Business Solution for Core Infrastructure provide the following benefits:

- Reliable infrastructure: The network and directory services are implemented on redundant servers for better reliability.
- Centralized resource management: Active Directory is used to provide a centralized database of all users, computers, and other objects on the network. It helps organize the resources in an IT environment based on the structure of the organization.
- Security: Active Directory is used to provide the security and authentication mechanism, which offers protected and controlled access to resources.
- Single sign-on: Active Directory is used to enable single sign-on, which means that users need to provide their credentials only once. They need not provide credentials each time they try to access a resource on the network, and the same set of credentials is used for accessing all resources.
- Well-defined and enforced security policies: Group Policy is used to define and enforce domain-wide security policies in the medium IT environment. GPOs are used to ensure that security policies that are set in the medium IT environment are enforced on every object in the environment, and cannot be overridden by any client or other device.


Plan
This section provides guidance on designing the network and directory services for the medium IT environment, choosing the right server hardware for hosting the services, and determining the prerequisites for building the services. The network and directory services implemented in the medium IT environment should:

- Meet the reliability, scalability, and security requirements.
- Be cost-effective to implement and maintain.
- Enable resolution of DNS and NetBIOS names to IP addresses.
- Automatically perform network configuration of devices that connect to the LAN.
- Centrally store information about network resources in an organized manner, which makes it easier for users to locate them.
- Provide user and computer authentication.
- Restrict access to resources to only authorized users, computers, and services.
- Facilitate application and enforcement of security policies.
- Provide the support required to issue, manage, and maintain PKI certificates.
- Provide RADIUS authentication services.

The following figure represents the medium IT infrastructure and highlights the servers that provide the network and directory services.


[Figure 1: network architecture drawing for the Medium IT Solution (50-250 PCs). It shows a branch office LAN with desktop computers; home users and remote users; a business partner; the Internet; a firewall and VPN router; and the main office with an Internet router, tape library, primary infrastructure server (Active Directory, DNS, DHCP, WINS, Certificate Service, SUS), secondary infrastructure server (Active Directory, DNS, DHCP, WINS, Exchange), wireless access point, network-attached storage device (Windows Storage Server 2003), firewall server (ISA Server, VPN Server), collaboration server (IIS, Windows SharePoint Services), terminal server (Microsoft Terminal Server), database server (Microsoft SQL Server), application server (Microsoft and partner LOB applications), and LAN clients (desktop computers, laptop computers, PDAs and Pocket PCs, smartphones, printers and scanners, and a directly attached printer).]

Legend: If the optional File Server is not implemented, File Services will be hosted on the Primary Infrastructure Server. Also, the Backup drive (Tape Library) will be attached to the Primary Infrastructure Server.

Figure 1. Medium IT Infrastructure

This section covers the following:

- Network services deployment design
- DNS namespace design
- IP addressing convention
- Software recommendations
- Infrastructure server configuration
- Hardware recommendations
- Bill of materials

Network Services Deployment Design


When implementing network and directory services in a medium IT environment, it is important to create a design that balances the need for reliability with the need to keep costs low. In the medium IT environment, a decision must be made regarding how to deploy network and directory services in the most optimal manner to achieve these goals.


Choices

In the Medium Business Solution for Core Infrastructure, the following deployment designs were considered for the network and directory services:

- Single server: A single infrastructure server hosts the network and directory services.
- Clustered servers: Two infrastructure servers are deployed in a clustered configuration.
- Redundant servers: Two redundant infrastructure servers are deployed, both providing the same network and directory services. The network and directory services either have built-in mechanisms for providing redundancy across multiple servers, or are deployed in such a way that similar redundancy is achieved.

The following table presents the advantages and disadvantages of these choices.

Single server
  Advantages:
    - Inexpensive: Deployment and management costs are low.
    - Easy to deploy: This configuration is easy to deploy.
  Disadvantages:
    - Less reliable: If the server fails, there is an inevitable downtime.

Clustered servers
  Advantages:
    - Redundancy with automatic failover (see Considerations below).
  Disadvantages:
    - More expensive: Requires one additional server and Windows Server 2003, Enterprise Edition on both servers.
    - Complex configuration: Configuration, operation, and troubleshooting of this configuration are difficult.

Redundant servers
  Advantages:
    - Cost: The deployment and management costs are in between the other two options.
    - Easy to deploy: This configuration is easier to deploy than the clustered server option.
  Disadvantages:
    - Management: Two servers need to be managed.

Table 1. Network and Directory Services Deployment Choices

Considerations
The network and directory services are critical for the proper functioning of the medium IT environment. Using only a single infrastructure server minimizes costs, but it does not provide failover capabilities. Failure of the infrastructure server can cripple the entire medium IT environment. In addition, if the failure is caused by the server hardware, additional delays are often introduced while waiting for spare parts or replacement hardware. Deploying a cluster of servers offers redundancy and automatic failover capabilities. However, clustering requires Windows Server 2003, Enterprise Edition on both infrastructure servers, which is more expensive than Windows Server 2003, Standard Edition. In addition, configuring, operating and troubleshooting server clusters is complicated, and is generally recommended only for larger organizations.


Deploying two redundant infrastructure servers in a non-clustered configuration is easy to configure. The Windows server-based network services and Active Directory services are designed to run across multiple servers, thus eliminating a single point of failure.

Recommendations
The Medium Business Solution for Core Infrastructure recommends deploying two redundant servers, called the primary infrastructure server and the secondary infrastructure server. Under normal conditions, the primary infrastructure server provides most of the network services because the majority of client requests are first directed to this server. Only when the primary server fails to respond in a timely manner are most requests directed to the secondary infrastructure server. The following table presents the services hosted on the primary and secondary infrastructure servers.

Active Directory
  Primary infrastructure server: Holds all of the operations master roles (also known as flexible single master operations, or FSMO). Is the first server in the forest and domain, and is a global catalog server.
  Secondary infrastructure server: Holds no operations master roles. Is a global catalog server.

DNS
  Primary infrastructure server: Is configured as the primary DNS server on all clients.
  Secondary infrastructure server: Is configured as the secondary DNS server on all clients. Clients query this server only if the primary infrastructure server fails to respond in a timely manner.

DHCP
  Primary infrastructure server: Configured with a scope to cover over 250 clients, in addition to servers and other devices that require reserved addresses. Configured with scope options that designate the preferred and secondary DNS and WINS servers, default gateway, and proxy server information.
  Secondary infrastructure server: Same configuration as the primary infrastructure server. This server shares the DHCP client request load with the primary infrastructure server.

WINS
  Primary infrastructure server: Configured as the preferred WINS server, which resolves NetBIOS names to IP addresses.
  Secondary infrastructure server: Configured as the secondary WINS server.

Additional services
  Primary infrastructure server: Optionally, this server may be configured to host services that are less resource-intensive, such as: Certification Authority (CA), Internet Authentication Service (IAS), Software Update Services (SUS), file services, and print services.
  Secondary infrastructure server: The server provides most network services only when the primary infrastructure server fails. Because this server is under less or no load at most times, it can be used to host services such as messaging that require a lot of server resources.

Table 2. Services Hosted on the Primary and Secondary Infrastructure Servers

Lucerne Publishing opted to implement both the primary and the secondary servers after the introduction of a swing server in the environment. For more information on the implementation of a swing server, refer to the Medium Business Guide for Pilot Deployment and Mitigation. Following the successful implementation of both the primary infrastructure server and the secondary infrastructure server, Lucerne Publishing retired their old servers.

DNS Namespace Design


Designing the DNS namespace involves the following tasks:

- Registering a public domain name.
- Choosing the internal DNS namespace.
- Deploying the public DNS namespace.

Registering a Public Domain Name


Two of the many organizations that are used for registering domain names offer their services through their Web sites, available at the following URLs:

- http://www.networksolutions.com
- http://www.register.com

These Web sites have useful domain name management tools to register and manage DNS name records. Each site can provide you with specific instructions and assistance with DNS record configuration. Lucerne Publishing already owned the domain name lucernepublishing.com, so they did not need to register an additional name.

Choosing the Internal DNS Namespace


In the Medium Business Solution for Core Infrastructure, the following choices were considered for the internal DNS namespace:

- Same as the public DNS namespace: The public DNS namespace is registered with the ISP, such as BusinessName.com, and is used to publish resources, such as the company's public Web site, on the Internet. In this option the internal DNS namespace is the same as the external DNS namespace, that is, BusinessName.com.
- Separated DNS namespace: In this option, a sub-domain of the public DNS namespace, such as corp.BusinessName.com, is used as the internal DNS namespace of the environment.

Using a separated DNS namespace can offer some security advantages. However, it also makes the environment more complex and is typically suitable for large environments with dedicated IT staff. A single internal and external DNS namespace offers ease of configuration and simplicity. To maintain simplicity in the environment, the Medium Business Solution for Core Infrastructure recommends using a single DNS namespace for both internal and external DNS naming. There is no need or real advantage to using separate internal and external DNS namespaces in a medium IT environment. Lucerne Publishing saw no need whatsoever to add complexity to their environment by introducing multiple DNS namespaces. They opted to use the name lucernepublishing.com for both the internal and external DNS namespaces.

Deploying the Public DNS Namespace


The registered domain name points to a DNS server that is authoritative for the DNS namespace. The organization needs to decide whether to use a public DNS server, owned by an ISP, as the authoritative DNS server or to host its own DNS server that is authoritative for the DNS namespace. The Medium Business Solution for Core Infrastructure recommends using an ISP-owned public DNS server as the authoritative DNS server for the organization's DNS namespace because ISP DNS servers provide better availability.

To host your DNS namespace on the DNS server of an ISP, you need to buy the service from an ISP. DNS hosting services can typically be bought from the DNS registrar or from the ISP that provides the Internet connection, and are often included as part of a package when registering a domain or hosting a public Web site. The domain name, such as BusinessName.com, registered with the domain registrar needs to point to the authoritative DNS server of the domain. The authoritative DNS server maintains all the DNS records, such as www.BusinessName.com and remote.BusinessName.com, for the DNS namespace.

The DNS records on the authoritative DNS server need to be maintained by the organization. Because, in the medium IT environment, the authoritative DNS server is owned by an ISP, the ISP needs to provide some mechanism to enable the IT generalist to manage these records. In most cases, ISPs provide a Web-based utility and logon credentials to the organization when it buys the DNS hosting service. To enable access to services over the Internet, the organization needs to update or add DNS records on the public DNS server of the ISP. For more information, refer to the Configuring External DNS Records subsection of the Build section in this chapter.

IP Addressing Convention
All IP addresses are either public or private. These are defined as follows:

- Public: Public IP addresses are assigned by the Internet service providers (ISPs) and are unique across the Internet.
- Private: Private IP addresses can be used on an internal network by anyone, without permission. Typically, private IP addresses are in the following ranges:
  - 10.x.x.x
  - 169.254.x.x
  - 172.16.x.x
  - 192.168.x.x

The following table provides the advantages and the disadvantages of both these types of IP addresses.
Public
  Advantages: Allows a device to communicate with other devices on the Internet.
  Disadvantages: Expensive. Limited availability. Security risk.
Private
  Advantages: Increases security because computers on the Internet cannot directly access this device. Reduces cost because you do not need to pay the ISP for additional public IP addresses.
  Disadvantages: Network Address Translation (NAT) is required for hosts to connect to the Internet. VPN or proxy is required for external computers to connect to internal hosts. Connecting two private networks through a VPN can result in multiple devices with the same IP addresses.

Table 3. Public Addresses versus Private Addresses

IP addresses can be allocated to devices either by manually assigning static IP addresses to each device or dynamically by using DHCP. The Medium Business Solution for Core Infrastructure recommends the following for IP addresses:
- Use the private IP address range 10.x.x.x for the LAN at both the main office and the branch office. More specifically, consider the following:
  - Use the 10.0.0.0/16 subnet at the main office.
  - Use the 10.1.0.0/24 subnet for the first branch office.
  - For additional branch offices, use the 10.n.0.0/24 subnet, where n is equal to 2 for the second branch office and increments by one for each additional branch office.
- Use public IP addresses on the external interface of the firewall at the main office and the multipurpose router at the branch office.

Within these subnets, the addresses are further classified as shown in the following table. Examples are provided only for the first branch office.

IP Address (or Range)        Subnet Mask      Location        Used For
10.0.0.1 to 10.0.0.20        255.255.0.0      Main office     Servers.
10.0.0.21 to 10.0.0.40       255.255.0.0      Main office     Remote management cards. (To get the card address for a server, add 20 to the last octet of the IP address of the server.)
10.0.0.41 to 10.0.0.255      255.255.0.0      Main office     All other network devices that require static IP addresses (for example, printers, scanners, IP cameras, and switches).
10.0.1.x                     255.255.0.0      Main office     Assigned by the primary infrastructure server to DHCP clients at the main office.
10.0.2.x                     255.255.0.0      Main office     Assigned by the secondary infrastructure server to DHCP clients at the main office.
10.1.0.1                     255.255.255.0    Branch office   Internal interface of the multipurpose router at the branch office.
10.1.0.2 to 10.1.0.10        255.255.255.0    Branch office   All other network devices that require static IP addresses (for example, printers and scanners).
10.1.0.11 to 10.1.0.254      255.255.255.0    Branch office   For DHCP clients at the branch office.

Table 4. IP Addressing Recommendations

Configure the public IP address, subnet mask, and default gateway provided by the ISP on the external interface of the firewall server at the main office. DHCP should be used to assign all IP addresses on the medium IT network, both static and dynamic, with the exception of the following three servers:
- Primary and secondary infrastructure servers: These servers run the DNS service, which requires that a static IP address be assigned on the computer.
- Internet Security and Acceleration (ISA) Server: This server is directly connected to the Internet. Therefore, this server requires a gateway to be configured that is different from all other servers. Because the medium IT environment uses options, including default gateway, as part of the DHCP implementation, this server must be excluded from using DHCP.

Use DHCP options to assign clients values for the following:
- Primary and secondary DNS servers
- Primary and secondary WINS servers
- Default gateway
- Domain suffix
- Web Proxy Auto Discovery Protocol (WPAD)

The external interface of the multipurpose branch office router should be configured with the IP configuration provided by the ISP. The multipurpose branch office router should also be configured as a DHCP server and should use the IP address range provided in the previous table. For more information on configuring the router, refer to the documentation provided by the manufacturer. Use the following DHCP options for the branch office:
- DNS servers: Most multipurpose routers that have DHCP capability allow configuring up to three entries for DNS servers and two entries for WINS servers. At least one internal DNS server and one external DNS server should be configured on the DHCP service on the branch office router. This is necessary so that the router is able to resolve host names for both internal and external hosts. Ensure that the internal DNS servers are specified before the external DNS server in the list of servers, so that the router resolves host names using the internal DNS servers first. If the internal DNS server is unable to resolve the name, the router will try to resolve the name using the external DNS server. If the order is reversed, the router sends requests for internal names to the public DNS server, which is not recommended. Use the following values for the DNS server IP configuration:
  - First DNS server: IP address of the internal primary DNS server.
  - Second DNS server: IP address of the internal secondary DNS server.
  - Third DNS server: IP address of the public DNS server given by the ISP that provides the Internet connection to the branch office.
- WINS servers: Use the IP addresses of the internal primary and secondary WINS servers.
- Default gateway: Use the IP address of the internal interface of the branch office router.

Lucerne Publishing followed the Medium Business Solution for Core Infrastructure recommendations. The following table provides some examples of the IP addresses used by Lucerne Publishing.
Device Type                                                   Name                 IP Address
Firewall server (external interface)                          MOISA                Public address from ISP
Firewall server (internal interface)                          MOISA                10.0.0.1
Primary infrastructure server                                 MOCOR1               10.0.0.2
Secondary infrastructure server                               MOCOR2               10.0.0.3
Collaboration server                                          MOXRNT               10.0.0.4
Directly attached hardware (such as printers and scanners)    LJ4KACCT, SCANRSLS   10.0.0.41 to 10.0.0.255
Remote management cards                                                            10.0.0.20 + server IP address
Client devices                                                FIN302, SAL201       10.0.1.0 to 10.0.2.254

Table 5. Example of IP Addresses used by Lucerne Publishing


Note: When configuring the IP parameters of the primary and secondary infrastructure servers and the firewall server with static IP addresses, configure all the DHCP options that are configured for DHCP client devices. Both the infrastructure servers should have their primary DNS and WINS servers configured with their own IP addresses and should have their secondary DNS and WINS servers configured with the IP address of the other infrastructure server. The default gateway for both these servers should be 10.0.0.1 (the IP address of the firewall server). On the firewall server, the primary DNS and WINS servers should be set to the IP address of the primary infrastructure server and the secondary DNS and WINS servers should be set to the IP address of secondary infrastructure server; the gateway should be left blank.
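The following Python script is an added example, not part of the original guide: it encodes the address classification of Table 4 and the static configuration rules from the note above, and audits a constructed device inventory against them. Server names follow Table 5; the MOCOR1-RMC, BR1-RTR and BR1-PRN entries and their settings are invented for the illustration.

```python
# Audit a device inventory against the addressing plan in Table 4 and the static
# configuration rules in the note above. Added example, not part of the original guide.
import ipaddress
from dataclasses import dataclass

FIREWALL_INTERNAL = ipaddress.ip_address("10.0.0.1")      # default gateway at the main office
INFRA_SERVERS = (ipaddress.ip_address("10.0.0.2"),        # primary infrastructure server
                 ipaddress.ip_address("10.0.0.3"))        # secondary infrastructure server

@dataclass
class Device:
    name: str
    ip: str
    mask: str
    dns: tuple = ()       # (preferred, secondary) as configured on the device
    wins: tuple = ()
    gateway: str = ""

def classify(ip):
    """Map an IPv4 address to (location, role) per Table 4, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or addr.packed[0] != 10:
        return None
    _, second, third, last = addr.packed
    if second == 0:                                       # main office, 10.0.0.0/16
        if third == 0 and 1 <= last <= 20:
            return "main office", "server"
        if third == 0 and 21 <= last <= 40:
            return "main office", "management card"
        if third == 0 and last >= 41:
            return "main office", "static device"
        if third in (1, 2):
            return "main office", f"DHCP client ({'primary' if third == 1 else 'secondary'} server scope)"
        return None                                       # 10.0.0.0 and 10.0.3.x upward are not allocated
    if third != 0 or last in (0, 255):                    # branch n uses 10.n.0.0/24
        return None
    site = f"branch office {second}"
    if last == 1:
        return site, "router internal interface"
    return site, ("static device" if last <= 10 else "DHCP client")   # .2-.10 static, .11-.254 DHCP

def check_static_config(d, findings):
    """Apply the rules from the note for the infrastructure servers and the firewall server."""
    addr = ipaddress.ip_address(d.ip)
    if addr in INFRA_SERVERS:
        other = INFRA_SERVERS[1] if addr == INFRA_SERVERS[0] else INFRA_SERVERS[0]
        want = (str(addr), str(other))                    # own address first, then the other server
        for label, got in (("DNS", d.dns), ("WINS", d.wins)):
            if tuple(got) != want:
                findings.append(f"{d.name}: {label} servers {tuple(got)}, expected {want}")
        if d.gateway != str(FIREWALL_INTERNAL):
            findings.append(f"{d.name}: gateway {d.gateway!r}, expected {FIREWALL_INTERNAL}")
    elif addr == FIREWALL_INTERNAL:
        want = tuple(str(a) for a in INFRA_SERVERS)       # primary infrastructure server first
        if (tuple(d.dns), tuple(d.wins)) != (want, want) or d.gateway:
            findings.append(f"{d.name}: DNS/WINS must be {want} and the internal gateway left blank")

def audit(devices):
    """Return the plan violations found in an inventory; an empty list means compliant."""
    findings, owners = [], {}
    for d in devices:
        owners.setdefault(ipaddress.ip_address(d.ip), []).append(d.name)
    for addr, names in owners.items():
        if len(names) > 1:                                # the same static address handed out twice
            findings.append(f"{addr}: duplicate address used by {', '.join(names)}")
    for d in devices:
        where = classify(d.ip)
        if where is None:
            findings.append(f"{d.name}: {d.ip} is outside the addressing plan")
            continue
        location, role = where
        expected = "255.255.0.0" if location == "main office" else "255.255.255.0"
        if d.mask != expected:
            findings.append(f"{d.name}: mask {d.mask} at {location}, expected {expected}")
        server = ipaddress.ip_address(d.ip) - 20          # Table 4: card address = server address + 20
        if role == "management card" and server not in owners:
            findings.append(f"{d.name}: no server at {server} for management card {d.ip}")
        check_static_config(d, findings)
    return findings

# Constructed sample inventory (names follow Table 5); two entries deliberately break the plan.
INFRA_DNS = ("10.0.0.2", "10.0.0.3")
INVENTORY = [
    Device("MOISA", "10.0.0.1", "255.255.0.0", INFRA_DNS, INFRA_DNS),
    Device("MOCOR1", "10.0.0.2", "255.255.0.0", INFRA_DNS, INFRA_DNS, "10.0.0.1"),
    Device("MOCOR2", "10.0.0.3", "255.255.0.0", INFRA_DNS,          # should list itself first
           ("10.0.0.3", "10.0.0.2"), "10.0.0.1"),
    Device("MOCOR1-RMC", "10.0.0.22", "255.255.0.0"),             # management card of 10.0.0.2
    Device("LJ4KACCT", "10.0.0.41", "255.255.0.0"),
    Device("FIN302", "10.0.1.17", "255.255.0.0"),
    Device("BR1-RTR", "10.1.0.1", "255.255.255.0"),
    Device("BR1-PRN", "10.1.0.5", "255.255.0.0"),                 # main-office mask at the branch
]

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```

Running the script against the sample inventory reports the reversed DNS order on MOCOR2 and the wrong subnet mask on BR1-PRN; an export of the DHCP reservations can be fed in the same way.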

Software Recommendations
The network services (DNS, DHCP, and WINS) and Active Directory are built into the Windows Server 2003 operating system. Therefore, no additional software is required for deploying the network and directory services in the medium IT environment. The only decision that needs to be made is choosing between Windows Server 2003, Standard Edition and Windows Server 2003, Enterprise Edition. Windows Server 2003, Enterprise Edition supports additional features compared to Windows Server 2003, Standard Edition. These features include:
- Clustering: A cluster is a group of independent computers, called nodes, that work together to run a common set of applications and provide high availability. If one node on the cluster fails, the application can be failed over to the next node.
- Remote storage: Remote storage uses criteria that you specify to automatically copy less used files to removable media. If hard-disk space drops below the specified levels, remote storage removes the cached file content from the disk. If the file is needed later, the content is automatically recalled from storage.
- Support for up to eight processors (compared to the support for up to four processors in Windows Server 2003, Standard Edition): The Windows Server 2003 family supports single or multiple central processing units (CPU) that conform to the symmetric multiprocessing (SMP) standard. Using SMP, the operating system can run threads on any available processor, which makes it possible for applications to use multiple processors when additional processing power is required to increase the capability of a system.
- 64-bit support for Intel Itanium-based computers: Support for 64-bit processing delivers far higher scalability than 32-bit file servers by providing a greatly enlarged virtual address space and paged pool area, the ability to handle increased numbers of users and connections, and increased hardware reliability through predictive error checking and notification of failures.
- Hot add memory: Hot add memory allows ranges of memory to be added to a computer and made available to the operating system and applications as part of the normal memory pool. This does not require restarting the computer and involves no downtime.

The Medium Business Solution for Core Infrastructure recommends using Windows Server 2003, Standard Edition for the infrastructure servers, because none of the additional features provided by Windows Server 2003, Enterprise Edition will be used in the medium IT environment. In addition, Windows Server 2003, Standard Edition costs less than Windows Server 2003, Enterprise Edition. Lucerne Publishing opted to install Windows Server 2003, Standard Edition. There were no factors present in the environment of Lucerne Publishing that required any of the features of Windows Server 2003, Enterprise Edition that are listed in this section.

Infrastructure Server Configuration


This section provides guidance on configuring the infrastructure servers, which includes the operating system, the network services, and Active Directory. It covers configuration of the following:
- Operating system
- Active Directory and DNS
- DHCP
- WINS
- Group Policy

Operating System
The following choices need to be made during the installation of the operating system:
- IP configuration: The DNS service hosted on the infrastructure servers requires that the infrastructure servers be configured with static IP addresses. The IP addresses should be configured according to the guidelines provided in Chapter 2, Physical Network Design, of this solution. The following table lists the IP configuration recommended for the infrastructure servers in the Medium Business Solution for Core Infrastructure.
Parameter               Primary Infrastructure Server    Secondary Infrastructure Server
IP Address              Static IP address (10.0.0.2)     Static IP address (10.0.0.3)
Default Gateway         10.0.0.1                         10.0.0.1
Preferred DNS Server    10.0.0.2                         10.0.0.2
Secondary DNS Server    10.0.0.3                         10.0.0.3
Preferred WINS Server   10.0.0.2                         10.0.0.2
Secondary WINS Server   10.0.0.3

Table 6. Recommended IP Configuration for the Infrastructure Servers

- Licensing: When installing the base operating system on the infrastructure servers, you must choose a client licensing mode. The Medium Business Solution for Core Infrastructure recommends the Per Device or Per User licensing mode. This is the most economical choice because client workstations in the medium IT environment consume services from a number of different servers in the environment on a regular basis.
- Server naming: The servers must be assigned a host name and a NetBIOS name. The names used for the servers should be in accordance with the naming convention guidelines of the Medium Business Solution for Core Infrastructure documented in Chapter 1, Core Infrastructure Design Overview, of this solution. As per the Medium Business Solution for Core Infrastructure naming convention, Lucerne Publishing named their primary infrastructure server MOCOR1 and their secondary infrastructure server MOCOR2.

Active Directory and DNS


Active Directory is the directory service for Windows Server 2003, Standard Edition. It stores information about objects on the network and makes it easy for administrators and users to find and use this information. Active Directory service uses a structured data store as the basis for a logical and hierarchical organization of directory information. In the medium IT environment, DNS is installed on both the infrastructure servers. All clients are then configured to send all queries to the primary infrastructure server. DNS requests go to the secondary infrastructure server only if the primary server is unavailable or does not respond. DNS is automatically installed on the primary infrastructure server. The installation of DNS is integrated with the installation of Active Directory on that server. After completing the Active Directory installation wizard on the primary server, both DNS and Active Directory are installed and configured. The installation of DNS on the second server is done manually after Active Directory is installed. Both DNS servers are set up as Active Directory Integrated DNS servers, which means that the DNS information is stored in Active Directory.

Dynamic Host Configuration Protocol


DHCP dramatically reduces the management overhead that is associated with IP address management. DHCP dynamically manages the allocation of IP addresses and the IP configuration of network devices that are configured as DHCP clients. DHCP clients require less manual configuration and are easy to support. However, static IP address configuration is required for servers, such as the servers running DNS, DHCP, Active Directory, and other services. This is because many services require a static IP address before installation, or because the servers need variances from the standard scope options assigned by DHCP.

Configuring Redundancy
In the medium IT environment, the DHCP service needs to be hosted on both the infrastructure servers to provide redundancy. This section provides guidance on implementing the DHCP service across the two servers. There are several ways in which two DHCP servers can be configured to provide redundant services in the medium IT environment. These include:
- Extraordinarily long lease time: The DHCP servers are configured to provide an extraordinarily long lease time (such as one to two weeks or longer). This configuration may help minimize client connectivity issues if a DHCP server fails, because the clients keep the IP address leased to them for the duration of the lease if they are unable to contact the DHCP server. If all clients have obtained their IP configuration by the time the DHCP server fails, the environment will continue to operate normally provided the DHCP server comes back online prior to expiration of the lease. If the server is not restored prior to lease expiration, client computers will lose connectivity if the computers are restarted or when new computers are added to the network while the DHCP server is down. Therefore, only partial reliability is achieved.
- Standby DHCP server: A standby DHCP server is activated only in case the primary infrastructure server fails. If the primary infrastructure server fails, the secondary infrastructure server can be immediately activated, resulting in no or very limited downtime for the clients. However, the problem with this configuration is that the activation of the backup DHCP server must be done manually because the failover is not automatic.
- Non-overlapping scopes: Two DHCP servers are configured with non-overlapping scopes. In this configuration, each scope should have enough IP addresses to serve the entire environment in the event of a server failure. If one server fails, the other server should have enough IP addresses available to service all client requests. This option overcomes the weaknesses of the other options because there is no service degradation during a server failure, and the failover is automatic.
Extraordinarily long lease time
  Advantages: Low cost: Requires only a single DHCP server.
  Disadvantages: Availability: Services are limited or only partially available during an outage. Reboots and the addition of new machines during the outage will not get proper connectivity for those machines.
Standby DHCP server
  Advantages: Centralization: Keeps the entire DHCP deployment on a single server.
  Disadvantages: No automatic failover: An administrator must detect the failure of the main server and manually activate the second server.
Non-overlapping scopes
  Advantages: Automatic failover: This configuration has automatic failover. Full service: There is no degradation in service experienced by the clients during a service outage on one of the servers.
  Disadvantages: Additional cost: Requires at least two servers to implement.

Table 7. DHCP Redundancy Configuration Choices

The Medium Business Solution for Core Infrastructure recommends implementing two non-overlapping scopes, one each on the primary and secondary servers. It is important to ensure that the scope configured on each server has enough IP addresses to serve the entire environment in the event of a server failure. The medium IT environment may have up to 250 clients, so each scope should be able to provide at least 250 IP addresses. Lucerne Publishing implemented DHCP on the primary infrastructure server in conjunction with the old DHCP server. Once the scope was active on the primary infrastructure server, they were able to turn off the portion of the scope on the former PDC. Lucerne Publishing then set up the non-overlapping portion of the scope on the secondary infrastructure server.

Configuring Static IP Addresses


There are two ways to assign static IP addresses to network devices. These are:
- Manual configuration: Manually configuring the network parameters of each device that requires a static IP address.
- DHCP reservations: In DHCP, reserve the IP address for the device that requires the static IP address. The device is identified by its media access control (MAC) address, and is always assigned the reserved IP address by the DHCP servers.

The following table presents the advantages and disadvantages of these choices.
Manual configuration
  Advantages: No advance information gathering: There is no need to gather all of the MAC addresses ahead of time. No administration overhead: Configuration can be performed by anyone because it does not require access to the infrastructure servers. Single configuration: Each device only has to be set up once.
  Disadvantages: Disorganized: It is easy to lose track of the devices that are configured with a static IP address. IP conflicts: It is possible to accidentally configure more than one device with the same IP address. Complex: The method of configuring each device is different. There is no standardization across devices, so each individual device must be figured out. Difficult to change: If there is ever a change required in an environment, such as a new address or scope option, each device will have to be visited and manually reconfigured.
DHCP reservations
  Advantages: Standard configuration: The steps to configure network parameters may differ in different devices from different manufacturers. Using reservations only requires enabling the device for DHCP. Apply uniform settings: Enables configuring uniform options (such as gateway and WINS server) on all devices requiring static addresses. Directory of addresses: The list of reservations provides a convenient directory of all network devices that are in use. Simplicity: DHCP reservations simplify making changes to IP configuration, such as a change in DNS server or gateway.
  Disadvantages: Cumbersome: You need to gather the MAC address of all devices requiring a static IP address, and manually enter the network addresses and configure reservations on both DHCP servers. Human error: MAC addresses are long, complex strings, and there is a chance of typing errors while entering the values into the servers. Additional overhead: Changes in a MAC address require updates to the reservations on both infrastructure servers.

Table 8. Static IP Addresses Configuration Choices

The Medium Business Solution for Core Infrastructure recommends using DHCP reservations to assign static IP addresses to devices such as servers, printers, network devices, and scanners. This facilitates management of the IP configuration on these devices. In addition, DHCP reservations provide centralized documentation of all static IP addresses that are in use. The list of reservations can be used as a troubleshooting tool because it shows whether the address lease for a device is active or inactive. This can be useful in determining whether a problematic device is communicating properly with the DHCP servers. In addition, it enables making changes to the IP configuration from the DHCP server itself.

Lucerne Publishing decided to use DHCP reservations for all devices, even though there were a large number of hardware devices in the environment and using DHCP reservations required the IT staff to gather the MAC addresses of all of the devices and manually enter them in DHCP. The IT staff of Lucerne Publishing decided to put in the initial effort because once this task was complete, they found the centralized database of all devices invaluable. They also realized that this was the last time they would ever have to perform this task, because any future IP address changes would be easy to accomplish.

However, the following servers are exceptions, and the IP configuration on these servers needs to be done manually and not through DHCP reservations:
- Primary and secondary infrastructure servers: The DNS service hosted on these servers requires them to be manually configured with static IP addresses.
- Firewall server: The firewall server will not have the same default gateway as the rest of the servers.

Windows Internet Name Service (WINS)


WINS is the Microsoft implementation of NetBIOS name resolution service. WINS resolves NetBIOS names of devices to their IP addresses. This helps cut down on broadcast traffic because when a device has the NetBIOS name of another device and wants the IP address of that device, it can query the WINS server rather than sending out a broadcast on the network. It is important in the medium IT environment to have redundant WINS servers because WINS is a critical service and needs to be reliable. Hosting WINS on multiple servers requires designing a replication topology that will keep all WINS servers synchronized without creating excessive network traffic. The Medium Business Solution for Core Infrastructure recommends configuring the primary and secondary infrastructure servers as WINS replication partners. Lucerne Publishing began by setting up their new infrastructure servers as replication partners with the existing WINS servers in the environment. This allowed for the WINS database to be automatically replicated to the new servers. As the original WINS servers retired, they were removed from the replica set on the new servers.

Group Policy
GPOs can be used in a domain environment to automatically apply configuration to client devices, servers, and the user environment. There is a minimum set of Group Policy settings that should be applied, even if you do not plan to implement any other Group Policy settings in your environment. This minimum set of Group Policy settings is used to apply basic security settings at the domain level. The Medium Business Solution for Core Infrastructure provides a core domain-level GPO as part of the core infrastructure. Because this GPO is applied at the domain level, organizational units are not required. It is strongly recommended to implement this GPO. Lucerne Publishing found that the implementation of the core domain-level GPOs provided with the Medium Business Solution for Core Infrastructure was the perfect answer to automatically enforce the stronger security requirements that the IT department had been looking to implement for some time. For more information on Active Directory, organizational units, Group Policy, and additional GPOs for the medium IT environment, refer to the Medium Business Solution for Management and Security using Active Directory Group Policy.

Hardware Recommendations
When choosing hardware for the infrastructure servers, the critical factors to be considered are:
- Processor and random access memory (RAM).
- Storage configuration.

Processor and Random Access Memory (RAM)


When selecting processors for the infrastructure servers, consider the tasks that the servers will perform when the environment is fully built. In the medium IT environment, it is not expected that the basic network services will place significant burden on the processors. Among all the additional services that are recommended to be hosted on the infrastructure servers, only the messaging service requires more processing power. Therefore, a faster processor should be used on the secondary infrastructure server if messaging services are hosted on it. In many cases, the guidelines for selecting RAM very closely follow the guidelines for selecting the processor. For the basic infrastructure services and for providing additional services such as file and print services, a large amount of RAM is not required. However, for messaging services, additional RAM can improve performance.

Storage Configuration
Direct-attached storage (DAS) is used on the infrastructure servers for storing the system files and data. For general considerations and guidelines on choosing direct-attached storage, refer to the Guidelines for Choosing DAS Storage section in Appendix I of this solution. When configuring RAID on the infrastructure servers, consider the following options:
- Configure all drives as a single partition on a RAID 5 array.
- Configure all drives as multiple partitions on a RAID 5 array.
- Configure a system partition on a RAID 1 array and a data partition on a RAID 5 array.

Configuring all drives as a single partition on a RAID 5 array offers the advantage of simplicity. This configuration also avoids issues that may occur later where one partition becomes full while other partitions have a lot of free space. However, this configuration does not remain viable when partitions become very large, because performance suffers. In addition, with large partitions, certain features in the operating system no longer work. For example, you cannot use the built-in Windows backup utility to back up a partition to a file that is on the same partition.

Configuring all drives as multiple partitions on a RAID 5 array with very large partitions gets rid of some of the performance-related issues. However, it creates additional issues, such as having to choose the partitions onto which services and data should be deployed. When the partitions become full, there is no easy way to move these services to a different location.

Configuring the system partition on a RAID 1 array and the data partition on a separate RAID 5 array eliminates all the issues that are present in the two other options discussed. In this configuration, the RAID 1 system partition uses only two disks and is a smaller partition. Only the operating system and other system files, such as patches and service packs, are placed on this drive. The RAID 5 partition is used for applications and data and is only required if the server hosts any of the following services:
- File service
- Messaging service
- Collaboration service

Recommendations
The Medium Business Solution for Core Infrastructure recommends configuring a system partition on a RAID 1 array. In addition, configure a utility partition. Most manufacturers provide a means to set up a utility partition on the disk that is designed to hold system and hardware utilities that can be used to aid configuration and troubleshooting of the hardware. Ensure that these utilities are set up according to the instructions provided by the manufacturer. The following hardware is recommended for the infrastructure servers in the medium IT environment:
- Intel Xeon-based processor of at least 2.4 GHz.
- 1 GB of RAM.
- SCSI RAID controller.
- Two SCSI hard drives with the following configuration:
  - Minimum 10,000 RPM (15,000 RPM recommended).
  - 18 GB or greater in capacity.
- 10/100/1000-Mbps Ethernet card.
- Remote management card.
- Redundant power supply.

Note: If you plan to deploy the file, print, messaging, or collaboration services on the infrastructure servers, you will require an additional RAID 5 array for the data partition. For information on the additional hardware requirements for these services, refer to the following documents:
- Chapter 5, File Services, of this solution.
- Medium Business Solution for Messaging Services.
- Medium Business Solution for Collaboration Services.
- Medium Business Solution for Print Services.

Lucerne Publishing performed a hardware inventory on their primary domain controller (PDC) and backup domain controllers (BDCs) and determined that their existing hardware was insufficient to run Windows Server 2003. Having budgeted for new hardware, Lucerne Publishing purchased new servers meeting the above configuration recommendations. Lucerne Publishing also realized that they planned to use their secondary infrastructure server for hosting messaging services. As a result, when they purchased this server, they also incorporated the guidelines in the Medium Business Solution for Messaging Services, and configured the server with 2 GB of RAM (because messaging is a critical application for them) and six 15,000 RPM SCSI drives: two 18-GB drives in a RAID 1 array for the operating system, and three 18-GB drives in a RAID 5 array (resulting in approximately 36 GB of usable space) for Exchange and the messaging databases. The sixth drive was used as a hot spare in case any of the drives failed.

Bill of Materials
The following table presents the bill of materials required to build the network and directory services in the medium IT environment.
Description                             Quantity            Approximate Price (as of December 2004)
Domain name                             For one year        $10-$35
Windows Server 2003, Standard Edition   2                   $999 each (includes 5 client access licenses)
Server hardware                         2                   $3,000-$5,000 each
Client licenses                         Number of clients   $199 for each pack of five

Table 9. Bill of Materials

Build
Once the requirements listed in the Prerequisites section in this chapter are met and the items listed in the Bill of Materials section are purchased, you can start building network and directory services on the infrastructure servers. Perform the following tasks on the infrastructure servers:
1. Gathering information for initial configuration.
2. Configuring external DNS records.
3. Configuring the hardware and operating system.
4. Performing initial security audit.
5. Installing and configuring Active Directory.
6. Installing and configuring DNS.
7. Configuring the Windows Time Service.
8. Installing and configuring DHCP.
9. Installing and configuring WINS.
10. Configuring GPOs.
11. Installing and configuring the CA.
12. Installing IAS.
13. Performing final security configuration validation.
Note: If the steps in this section do not specify the exact values to be used while running a wizard, use the default values provided by the wizard.

Gathering Information for Initial Configuration

Before you start building the infrastructure server, gather the following information, which will be needed at various stages of the build process.

The following information should be gathered from the domain registrar that was used for registering the public domain name of the organization:
- Name of the registrar.
- Contact numbers for technical support.
- Logon and configuration information for a configuration utility on the public DNS server that is authoritative for the domain. If the ISP does not offer a Web-based utility to create public DNS records, make sure to document the procedure and rules for having those records created as prescribed.
- IP addresses of public DNS servers: There should be at least two public DNS servers provided by the ISP.

The following information will be required while configuring the network services:
- DNS domain name: The DNS domain name should be the same as the primary publicly registered domain name, that is, BusinessName.com.
- Public domain name: If the organization does not already own a public domain name, a public domain name will need to be selected and purchased from a domain name registrar. For an example, refer to the following URL: http://www.bcentral.com/products/wh/dnr.asp. Lucerne Publishing already owned the domain name lucernepublishing.com, and elected to use that.
- MAC addresses: There should be a list with the names and MAC addresses of all of the network devices in the environment, including:
  - Routers, switches, firewalls, access points, or other network devices (excluding servers or network-attached storage devices).
  - Printers.
  - Scanners.
  - Video cameras.

Note: Follow the manufacturer's instructions for each device in the environment to obtain the MAC or hardware address. Also note that each device must be configured to obtain its IP configuration through DHCP (on some devices this is referred to as automatic configuration or obtain settings automatically). Follow the manufacturer's instructions to configure the device to get its IP configuration automatically from a DHCP server.

- Downloads: From a computer that is already securely connected to the Internet, download the Group Policy Management Console installation file from the following URL and save it to a CD disk or a USB drive: http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

Configuring External DNS Records

To access various services provided by the internal servers over the Internet using the domain name of the organization, the DNS names of these services must be updated on the public DNS servers of the ISP. The following table lists DNS records that should be updated on the DNS server for a medium business.

Fully Qualified Domain Name (FQDN) | Record Type | Service            | IP Address
remote.BusinessName.com            | A           | Terminal Services  | Static IP address used on the firewall server.
mail.BusinessName.com              | CNAME       | Outlook Web Access | remote.BusinessName.com
extranet.BusinessName.com          | CNAME       | Extranet           | remote.BusinessName.com
vpn.BusinessName.com               | CNAME       | Remote Access      | remote.BusinessName.com
BusinessName.com                   | MX Record   | Messaging          | remote.BusinessName.com

Table 10. Records Configured on the ISP DNS Servers

Note: All of the DNS records that need to be set up with the ISP are included in the table. Some of the records set up in the table will not be usable until the environment is fully built and the services pointed to by the DNS records are built. In addition, one should wait for 24-48 hours after setting up DNS records with the ISP before attempting to use them. There is sometimes a delay between the time when the records are set up and when they will actually become available on the public DNS servers of the ISP.
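The following Python script is an added example (not part of this guide) that models Table 10 as data and checks it the way a resolver would see it: each CNAME and the MX must point at a name that exists, the MX target must be a host with an A record rather than an alias, and a CNAME owner must carry no other records. The record list is a constructed copy of the table; the firewall's public address is a labelled placeholder because the guide does not give one.

```python
"""Sanity check of the public DNS record set from Table 10 (added example; the
records are a constructed copy of the table, not data read from the ISP)."""

# Constructed copy of Table 10 as (owner name, record type, target).
# The A record target is the firewall's static public address; the guide does not
# give a value, so a labelled placeholder stands in for it here.
PUBLIC_RECORDS = [
    ("remote.BusinessName.com",   "A",     "<static firewall IP>"),
    ("mail.BusinessName.com",     "CNAME", "remote.BusinessName.com"),
    ("extranet.BusinessName.com", "CNAME", "remote.BusinessName.com"),
    ("vpn.BusinessName.com",      "CNAME", "remote.BusinessName.com"),
    ("BusinessName.com",          "MX",    "remote.BusinessName.com"),
]


def index_records(records):
    """Map each lowercase owner name to its records as (type, target) pairs."""
    by_name = {}
    for name, rtype, target in records:
        by_name.setdefault(name.lower(), []).append((rtype, target))
    return by_name


def resolve(records, name, max_hops=8):
    """Follow CNAMEs from name to the final A target, returning (address, chain).
    Raises LookupError on a dangling name and RuntimeError on a loop or long chain."""
    by_name = index_records(records)
    chain, current = [], name.lower()
    for _ in range(max_hops):
        if current in chain:
            raise RuntimeError(f"CNAME loop through {current}")
        chain.append(current)
        entries = dict(by_name.get(current, []))
        if "A" in entries:
            return entries["A"], chain
        if "CNAME" not in entries:
            raise LookupError(f"{current} has neither an A nor a CNAME record")
        current = entries["CNAME"].lower()
    raise RuntimeError("CNAME chain too long")


def check_records(records):
    """Return findings about the record set; an empty list means it is consistent."""
    findings = []
    by_name = index_records(records)
    for name, rtype, target in records:
        types_here = {t for t, _ in by_name[name.lower()]}
        # A CNAME owner may carry no other record types (RFC 1034 section 3.6.2).
        if rtype == "CNAME" and len(types_here) > 1:
            findings.append(f"{name} has a CNAME next to other records")
        if rtype in ("CNAME", "MX"):
            target_types = {t for t, _ in by_name.get(target.lower(), [])}
            if not target_types:
                findings.append(f"{rtype} {name} points at {target}, which is not in the set")
            # An MX target must be a host with an A record, not an alias (RFC 2181 section 10.3).
            elif rtype == "MX" and "A" not in target_types:
                findings.append(f"MX {name} points at {target}, which has no A record")
    return findings


if __name__ == "__main__":
    for finding in check_records(PUBLIC_RECORDS) or ["record set is consistent"]:
        print(finding)
    address, chain = resolve(PUBLIC_RECORDS, "mail.BusinessName.com")
    print("mail resolves via", " -> ".join(chain), "to", address)
```

Running the check against the table as printed produces no findings; pointing the MX at mail.BusinessName.com instead (a CNAME) is reported, which is the mistake most likely to make inbound mail fail silently.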

Configuring the Hardware and Operating System

Perform the following steps:
1. Configure both the infrastructure servers using the guidance provided in the Initial Server Configuration section in Appendix I of this solution. The following information will be required for the configuration:
   Primary infrastructure server:
   - Static IP address: 10.0.0.2
   - Subnet mask: 255.255.0.0
   - Default gateway: 10.0.0.1
   - Server name: SMBDC
   - Primary DNS server: 10.0.0.2
   - Secondary DNS server: 10.0.0.3
   - Primary WINS server: 10.0.0.2
   - Secondary WINS server: 10.0.0.3
   Secondary infrastructure server:
   - Static IP address: 10.0.0.3
   - Subnet mask: 255.255.0.0
   - Default gateway: 10.0.0.1
   - Server name: SMBEX
   - Primary DNS server: 10.0.0.2
   - Primary WINS server: 10.0.0.3
   - Secondary WINS server: 10.0.0.2
2. Install the Windows Support Tools on both servers. To install the Windows Support Tools, browse to the \support\tools directory on the installation CD. Right-click the suptools.msi file and click Install. The support tools might get updated in a service pack, so you may need to use the support tools that come with the latest service pack.
Note: The Windows Server 2003 installation CD will be required several times throughout the remainder of this chapter. It is a good idea to keep the CD in an easily accessible location.

Performing Initial Security Audit

After initial configuration of the two infrastructure servers, perform a security audit on both computers in the environment before continuing with the configuration of other services. This ensures that your baseline installation is secure and was done properly. For the security audit, perform the following steps:
1. Begin by installing any updates available for the server and the installed software.
2. After all servers in the environment have been configured, it is important to run the Microsoft Baseline Security Analyzer (MBSA) tool against all computers in the environment. For more information on downloading, installing, and running MBSA, refer to Appendix I of this solution.

Installing and Configuring Active Directory

Active Directory needs to be installed on both the infrastructure servers (SMBDC and SMBEX). Installing and configuring Active Directory involves the following tasks:
1. Make SMBDC a domain controller.
2. Raise the domain functional level of the domain created to Windows Server 2003.
3. Make SMBEX a domain controller.
4. Make SMBEX a global catalog server.
5. Create a long, complex password for the administrative account.

Make SMBDC a domain controller by performing the following steps:
1. Run the dcpromo command on SMBDC to start the Active Directory Installation Wizard.
2. Complete the wizard by performing the following:
   a. Click the Domain controller for a new domain option.
   b. Click the Domain in a new forest option.
   c. Type the DNS name gathered in the "Gathering Information for Initial Configuration" section in the Full DNS name for new domain text box (for example, lucernepublishing.com).
   d. Type the DNS name without its suffix in the Domain NetBIOS name text box. If the DNS name without suffix is longer than 15 characters, type an abbreviation of at most 15 characters. Lucerne Publishing chose the NetBIOS name Lucerne, because lucernepublishing is longer than 15 characters.
   e. If the server is configured with a single partition, accept the default locations for the Database and Log folders. If separate system and data partitions are configured, change the drive letter to that of the data partition.
   f. If the server is configured with a single partition, accept the default location for the SYSVOL folder. If separate system and data partitions are configured, change the drive letter to that of the data partition.
   g. Click Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server.
   h. Click Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems.
   i. Ensure that the password you supply for Directory Services Restore Mode is secure and documented in a safe location.
   j. After completing the wizard, click the Restart Now button.

Raise the domain functional level of the domain created to Windows Server 2003 by performing the following steps:
1. Open the Active Directory Users and Computers Microsoft Management Console (MMC).
2. Right-click the domain name and click Raise Domain Functional Level.
3. On the Raise Domain Functional Level screen, select Windows Server 2003 from the Select an available domain functional level drop-down list, and then click the Raise button.
4. Click OK on any warning messages that display.

Make SMBEX a domain controller by performing the following steps:
1. Run the dcpromo command on SMBEX to start the Active Directory Installation Wizard.
2. Complete the wizard by performing the following:
   a. Select the Additional domain controller for an existing domain option.
   b. Type the administrator credentials for the domain.
   c. Type the domain name (for example, BusinessName.com).
   d. Type the password for Directory Services Restore Mode, which is the same password as that provided on SMBDC.
   e. After completing the wizard, click the Restart Now button.

Make SMBEX a global catalog server by performing the following steps:
1. Open the Active Directory Sites and Services MMC.
2. Expand Sites, Default-First-Site-Name, Servers, and SMBEX.
3. Right-click NTDS Settings and click Properties.
4. Select the Global Catalog check box and click OK.
5. Close the MMC.

Create a long, complex password for the administrative account. The administrator account name is well known; therefore, it is best practice to use a long, complex password for this account. Perform the following steps to change the password:
1. Log on to a domain controller using the administrator credentials.
2. Open the Active Directory Users and Computers MMC.
3. Expand the domain name, and click the Users folder.
4. Right-click the administrator account and click Reset Password.
5. Type a new password in the New Password and Confirm Password text boxes. Use the following guidelines for selecting a complex password:
   - Use a phrase, rather than a single word.
   - Use all four classes of characters: capital letters, lowercase letters, numbers, and symbols.
   - Ensure that the password is at least 15 characters in length.
   - Do not use any part of the user name.
   - Do not use symbols or numbers only at the beginning or end of the password; use them throughout.
   - Do not use any word that can be found in a dictionary, or any proper noun, as part of your password.
   The most secure password is a random string of characters consisting of the four classes of characters mentioned previously.
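As an added example (not from the guide), the following Python function turns the guidelines above into a mechanical check that an administrator can run on a candidate password before resetting the account. "Any part of the user name" is interpreted here as any fragment of three or more characters, and the dictionary is a constructed stand-in for a real word list; both are assumptions of this example.

```python
"""Checker for the administrator-password guidelines above (added example, not
part of the guide). The word list is a constructed stand-in; a real check would
load a full dictionary and a list of proper nouns."""
import string

# Constructed mini-dictionary (including the fictitious company's proper noun).
DICTIONARY = {"password", "lucerne", "publishing", "admin", "summer", "welcome", "secret"}

CHARACTER_CLASSES = {
    "capital letters": set(string.ascii_uppercase),
    "lowercase letters": set(string.ascii_lowercase),
    "numbers": set(string.digits),
    "symbols": set(string.punctuation),
}


def username_fragments(user_name, min_len=3):
    """Substrings of the account name of length >= min_len; "any part of the user
    name" is read here as any such fragment (an assumption, not the guide's wording)."""
    u = user_name.lower()
    return {u[i:j] for i in range(len(u)) for j in range(i + min_len, len(u) + 1)}


def check_password(password, user_name, dictionary=DICTIONARY):
    """Return the list of guideline violations; an empty list means the password passes."""
    problems = []
    if len(password) < 15:
        problems.append(f"only {len(password)} characters; at least 15 required")

    present = set(password)
    missing = [name for name, chars in CHARACTER_CLASSES.items() if not present & chars]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))

    lowered = password.lower()
    hits = sorted(f for f in username_fragments(user_name) if f in lowered)
    if hits:
        problems.append(f"contains part of the user name: {hits[0]!r}")

    # Numbers and symbols must appear in the middle, not only as a prefix or suffix.
    non_alpha = CHARACTER_CLASSES["numbers"] | CHARACTER_CLASSES["symbols"]
    if present & non_alpha and not set(password[1:-1]) & non_alpha:
        problems.append("digits/symbols appear only at the beginning or end")

    words = sorted(w for w in dictionary if w in lowered)
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    return problems


if __name__ == "__main__":
    for candidate in ("Lucerne2005!", "1Fantasticallyodd!", "Blue#Kettle7Dances*Loudly9"):
        result = check_password(candidate, "administrator")
        print(f"{candidate!r}: {'passes' if not result else '; '.join(result)}")
```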

Installing and Configuring DNS

DNS gets installed automatically on the first server in the new domain, SMBDC. DNS must be installed and configured manually on SMBEX, which involves the following tasks:
1. Install DNS on SMBEX.
2. Perform a manual replication of Active Directory to ensure that the DNS information is transferred to SMBEX.
3. Configure forwarders on both the DNS servers.
4. Configure reverse lookup zones on the DNS servers.
5. Configure each zone created in DNS with the e-mail address of the responsible person for the zone.

Install DNS on SMBEX by performing the following steps:
1. Open Add or Remove Programs and click Add/Remove Windows Components.
2. In the Windows Components Wizard, highlight Networking Services (do not select the check box) and click Details.
3. In the Networking Services dialog box, select the DNS check box.
4. Click Next to begin the installation.
5. If prompted, insert the Windows Server 2003 CD.

Perform a manual replication of Active Directory by performing the following steps on either server:
1. Open the Active Directory Sites and Services MMC on SMBDC.
2. Navigate to Site Name (default is Default-First-Site-Name), Servers, SMBDC, and NTDS Settings.
3. Right-click the automatically generated connection and click Replicate Now.
4. Open the DNS Management console and verify that all of the zones created on SMBDC now show on SMBEX too.
5. Once DNS is installed and operational, change the DNS server in the IP configuration of SMBEX to point to 10.0.0.3 (its own IP address). Configure the secondary DNS server to point to 10.0.0.2.

Configure forwarders on both the DNS servers by performing the following steps:
1. On each DNS server, right-click the server name in the DNS Management console and click Properties.
2. Click the Forwarders tab.
3. Enter the IP addresses of at least two public DNS servers in the order provided by your ISP (as per the information gathered in the "Gathering Information for Initial Configuration" section earlier in this chapter).

Configure reverse lookup zones on both DNS servers by performing the following steps:
1. With the DNS Management console still open, expand the <server name>, right-click Reverse Lookup Zones, and click New Zone.
2. Complete the New Zone Wizard by specifying the following settings:
   - On the Zone Type page, choose Primary zone and select Store zone in Active Directory.
   - On the Active Directory Zone Replication Scope page, choose To all DNS servers in the Active Directory forest <BusinessName.com>.
   - On the Reverse Lookup Zone Name page, enter the following network ID: 10.0
   - On the Dynamic Update page, choose Allow only secure dynamic updates (recommended for Active Directory).

Configure the responsible person for each zone created in DNS by performing the following steps on either server:
1. Click the zone name in the DNS Management console.
2. Right-click the zone and click Properties.
3. Click the Start of Authority (SOA) tab.
4. Enter the e-mail address of the administrative account, substituting a "." for the "@" symbol (for example, administrator.BusinessName.com).

Configuring the Windows Time Service

Configure the Windows Time Service on SMBDC by performing the following steps:
1. Open a command prompt window.
2. Type w32tm /config /manualpeerlist:"time.windows.com tock.usno.navy.mil" /syncfromflags:manual and press ENTER (the quotation marks are required because the peer list contains a space). "The command completed successfully." should be displayed.
3. Type w32tm /config /update and press ENTER. "The command completed successfully." should be displayed.

Installing and Configuring DHCP

Installing and configuring DHCP involves the following tasks:
1. Install the DHCP service.
2. Authorize the DHCP servers.
3. Create a new scope on SMBDC.
4. Create a new scope on SMBEX.
5. Configure reservations for network devices requiring static IP addresses.
6. Enable dynamic updates.
7. Enable server-side conflict detection on both servers.

Install the DHCP service by performing the following steps on both the infrastructure servers:
1. Open Add or Remove Programs in Control Panel and click Add/Remove Windows Components.
2. In the Windows Components Wizard, highlight Networking Services (do not select the check box) and click Details.
3. In the Networking Services dialog box, select the DHCP check box.
4. Click OK and complete the wizard.

Authorize the new servers by performing the following steps:
1. Open the DHCP console under the Administrative Tools folder.
2. Click the server name in the DHCP console.
3. Right-click the server name and click Authorize.

Create a new scope on SMBDC by performing the following steps:
1. Right-click the server name and click New Scope to start the New Scope Wizard.
2. Enter the following information while running the wizard:
   a. On the Scope Name page, enter the name of the scope (for example, you can use the same name as the name of the server, that is, SMBDC).
   b. On the IP Address Range page, enter the following information:
      Start IP address: 10.0.0.1
      End IP address: 10.0.2.254
      Length: 16 bits
   c. On the Add Exclusions page, add the following exclusions:
      10.0.0.1 to 10.0.0.255
      10.0.2.0 to 10.0.2.254
      On the Lease Duration page, accept the default 8-day lease duration.
   d. On the Configure DHCP Options page, select Yes, I want to configure these options now.
   e. On the Router (Default Gateway) page, add the default gateway address (10.0.0.1).
   f. On the Domain Name and DNS Servers page, add the parent domain (for example, BusinessName.com), and configure SMBDC (10.0.0.2) as the primary DNS server and SMBEX (10.0.0.3) as the secondary DNS server.
   g. On the WINS Servers page, add SMBDC (10.0.0.2) as the primary WINS server and SMBEX (10.0.0.3) as the secondary WINS server.
   h. On the Activate Scope page, click Yes, I want to activate this scope now.

Create a new scope on SMBEX by performing the steps in the previous task, but with the following exceptions:
   Name of the scope: SMBEX
   Use the following exclusions:
      10.0.0.1 to 10.0.0.255
      10.0.1.0 to 10.0.1.255

Configure reservations on both servers by performing the following steps:
1. Right-click Reservations and click New Reservation.
2. Fill in the host name for the name, the IP address, the MAC address, and a meaningful description (for example, HPLJ1500NP for an HP LaserJet 1500 network printer). Use the MAC addresses gathered in the "Gathering Information for Initial Configuration" section earlier in this chapter.
3. Repeat the process for each network device (for example, routers, scanners, cameras, and switches) in the environment.

Enable dynamic updates on both servers by performing the following steps:
1. Right-click the server name and click Properties.
2. Click the DNS tab.
3. Select all of the following three check boxes on the DNS tab:
   - Enable DNS dynamic updates according to the settings below
   - Discard A and PTR records when lease is deleted
   - Dynamically update DNS A and PTR records for DHCP clients that do not request updates (for example, clients running Windows NT 4.0)

Enable server-side conflict detection on both servers by performing the following steps:
1. Right-click the server name and click Properties.
2. Click the Advanced tab.
3. Set the Conflict Detection Attempts value to 2.
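The two scopes above share one address range and rely on complementary exclusions so that SMBDC hands out 10.0.1.x and SMBEX hands out 10.0.2.x. The following Python script is an added example (not a tool from the guide) that models both scopes as data, computes the pool each server can actually lease, and flags the three mistakes that silently break this split-scope design: overlapping pools, a static infrastructure address left leasable, and reservations that differ between the two servers. The scope values come from the steps above; the reservation MAC address is constructed.

```python
"""Offline consistency check for the two-server split-scope DHCP design
(constructed model of the SMBDC and SMBEX scopes above; not a tool from the guide)."""
from ipaddress import IPv4Address

# Constructed model of the scopes as the wizard steps above configure them.
SCOPES = {
    "SMBDC": {
        "start": "10.0.0.1", "end": "10.0.2.254",
        "exclusions": [("10.0.0.1", "10.0.0.255"), ("10.0.2.0", "10.0.2.254")],
        "reservations": {"00-11-22-33-44-55": "10.0.0.20"},  # e.g. HPLJ1500NP (constructed MAC)
    },
    "SMBEX": {
        "start": "10.0.0.1", "end": "10.0.2.254",
        "exclusions": [("10.0.0.1", "10.0.0.255"), ("10.0.1.0", "10.0.1.255")],
        "reservations": {"00-11-22-33-44-55": "10.0.0.20"},
    },
}

# Statically addressed hosts from the build steps; DHCP must never hand these out.
STATIC_HOSTS = {"gateway": "10.0.0.1", "SMBDC": "10.0.0.2", "SMBEX": "10.0.0.3"}


def addr_range(start, end):
    """Inclusive range of addresses as a set of integers."""
    s, e = int(IPv4Address(start)), int(IPv4Address(end))
    if s > e:
        raise ValueError(f"range start {start} is after its end {end}")
    return set(range(s, e + 1))


def effective_pool(scope):
    """Addresses a server will actually lease: the scope range minus every exclusion."""
    pool = addr_range(scope["start"], scope["end"])
    for ex_start, ex_end in scope["exclusions"]:
        pool -= addr_range(ex_start, ex_end)
    return pool


def pool_summary(scope):
    """(first, last, count) of the leasable pool, with addresses as dotted strings."""
    pool = effective_pool(scope)
    return str(IPv4Address(min(pool))), str(IPv4Address(max(pool))), len(pool)


def check_design(scopes, static_hosts):
    """Return a list of findings; an empty list means the split scope is consistent."""
    findings = []
    pools = {name: effective_pool(s) for name, s in scopes.items()}
    names = list(scopes)

    # 1. The two servers must never be able to lease the same address: Windows
    #    Server 2003 DHCP servers do not share lease state with each other.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            overlap = pools[a] & pools[b]
            if overlap:
                findings.append(f"{a} and {b} can both lease {len(overlap)} address(es), "
                                f"starting at {IPv4Address(min(overlap))}")

    # 2. Static infrastructure addresses must fall inside an exclusion on every server.
    for host, ip in static_hosts.items():
        for name in names:
            if int(IPv4Address(ip)) in pools[name]:
                findings.append(f"{name} could lease {ip}, which is statically assigned to {host}")

    # 3. Reservations must be identical on both servers, or a device's address
    #    depends on which server answers first after a failover.
    all_macs = set().union(*(s["reservations"] for s in scopes.values()))
    for mac in sorted(all_macs):
        ips = {s["reservations"].get(mac) for s in scopes.values()}
        if len(ips) != 1:
            findings.append(f"reservation for {mac} differs across servers: {sorted(map(str, ips))}")
        for name, s in scopes.items():
            ip = s["reservations"].get(mac)
            if ip and int(IPv4Address(ip)) not in addr_range(s["start"], s["end"]):
                findings.append(f"{name}: reservation {ip} lies outside the scope range")
    return findings


if __name__ == "__main__":
    for name, scope in SCOPES.items():
        first, last, count = pool_summary(scope)
        print(f"{name}: leases {first} - {last} ({count} addresses)")
    for finding in check_design(SCOPES, STATIC_HOSTS) or ["no findings: the split scope is consistent"]:
        print(finding)
```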

Installing and Configuring WINS

Installing and configuring WINS involves the following tasks:
1. Install the WINS service on both servers.
2. Configure the WINS servers as replication partners.
3. Enable WINS forward and reverse lookup on both servers.

Install the WINS service by performing the following steps on both the infrastructure servers (SMBDC and SMBEX):
1. Open Add or Remove Programs and click Add/Remove Windows Components.
2. In the Windows Components Wizard, highlight Networking Services (do not select the check box) and click Details.
3. Select the Windows Internet Name Service (WINS) check box.
4. Click OK and complete the wizard.
5. If prompted, insert the Windows Server 2003 CD.

Configure the WINS servers as replication partners by performing the following steps on both servers:
1. Open the WINS console under the Administrative Tools folder.
2. Expand the server name.
3. Right-click Replication Partners and click New Replication Partner.
4. Enter the IP address of the other server.

Enable WINS forward and reverse lookup by performing the following steps:
1. On SMBDC, open the DNS console under the Administrative Tools folder.
2. Expand the server name and then Forward Lookup Zones.
3. Click to select the zone name (that is, BusinessName.com) of each forward lookup zone.
4. Right-click the selected zone name and click Properties.
5. Click the WINS tab.
6. Select Use WINS forward lookup.
7. Enter the addresses of both WINS servers (10.0.0.2 and 10.0.0.3).
8. On SMBDC in the DNS Management console, expand the server name and then Reverse Lookup Zones.
9. Click to select the reverse lookup zone name.
10. Right-click the zone name (that is, 10.0.x.x Subnet) of each reverse lookup zone and click Properties.
11. Click the WINS-R tab.
12. Select Use WINS-R lookup.
13. Enter the domain name to append to the returned name (for example, BusinessName.com) and close the Properties page.

Installing and Configuring the Certification Authority

Install and configure the CA on SMBDC by performing the following steps:
1. Open Add or Remove Programs and click Add/Remove Windows Components.
2. In the Windows Components Wizard dialog box, select the Certificate Services check box. A message box warns that the computer cannot be renamed and cannot be added to or removed from a domain after Certificate Services is installed. Click Yes.
3. Highlight Application Server (do not select the check box) and click Details.
4. Select the Internet Information Services (IIS) check box and click OK.
5. Click Next.
6. On the CA Type page, select the Enterprise root CA option.
7. On the CA Identifying Information page, enter the following information:
   - In the Common name for this CA field, enter the common name of the CA, for example, MyBusinessName CA.
   - In the Validity period field, specify 10 years as the validity period for the root CA and click the Next button.
   - Accept the default storage locations for the certificate database and the certificate database log.
8. Click the Next button.
9. Click Yes on the warning about installing Active Server Pages (ASP).
10. Click Finish.
11. Verify that you can get to the Web enrollment page by opening Internet Explorer and navigating to http://localhost/certsrv.

Ensure that Session State is enabled for successful CA enrollment through the certsrv Web site:
1. Open Internet Information Services (IIS) Manager from Administrative Tools.
2. Expand <servername> and then Web Sites. Then, right-click Default Web Site and click Properties.
3. Click the Home Directory tab, and then under Application Settings, click Configuration.
4. On the Application Configuration page, click the Options tab, and then ensure that the Enable Session State check box is selected; if not, click to select it.
5. Click OK on all screens and close IIS Manager.
6. Restart IIS by typing iisreset at a command prompt.

Installing Internet Authentication Service

Install IAS on SMBDC by performing the following steps:
1. Open Add or Remove Programs and click Add/Remove Windows Components.
2. In the Windows Components Wizard, highlight Networking Services (do not select the check box) and click Details.
3. In the Networking Services dialog box, select the Internet Authentication Service check box, click OK, and then click Next.
4. When prompted, insert the Windows Server 2003 CD.
5. After IAS is installed, click Finish, and then click Close.
6. Open a command prompt and run the netsh ras add registeredserver command.
The last step ensures that the IAS server is placed in the RAS and IAS Servers security group in Active Directory. This ensures that IAS servers have the appropriate permissions to read the remote access properties of user and computer accounts.

Configuring Group Policy Objects

The Medium Business Solution for Core Infrastructure provides a core GPO as part of the core network services. This GPO is applied at the domain level; therefore, organizational units are not required. Applying the GPO involves the following tasks:
1. Install the Group Policy Management Console.
2. Unlink and rename the default domain GPO.
3. Import the GPO into the environment.
4. Link the new GPO to the appropriate location.

Install the Group Policy Management Console on SMBDC by performing the following steps:
1. Install the Group Policy Management Console from the CD disk or the USB drive to which it was downloaded as per the "Gathering Information for Initial Configuration" section.
2. Save and unzip the coreGPO.zip file distributed with the Medium Business Solution for Core Infrastructure.

Note: You need to download and install either the Medium Business Solution for Core Infrastructure or the entire Medium IT Solution Series. The coreGPO.zip file is located in the Medium Business Solution for Core Infrastructure v1.0 folder.

Unlink and rename the Default Domain Policy by performing the following steps:
1. Open GPMC by clicking the shortcut under Administrative Tools.
2. Expand Forest, Domains, BusinessName.com.
3. Right-click Default Domain Policy and click Delete, and then click OK.
4. Expand Forest, Domains, BusinessName.com, Group Policy Objects.
5. Right-click Default Domain Policy and click Rename.
6. Rename the policy to Original Default Domain Policy.

Import the GPO into the environment by performing the following steps:
1. Open GPMC and expand Forest, Domains, BusinessName.com.
2. Right-click Group Policy Objects and click New.
3. Name the policy Default Domain Policy.
4. Right-click the policy and click Import Settings.
5. Run the Import Settings Wizard using the default values. On the Backup Location page, specify the backup folder where the core GPO distributed with the Medium Business Solution for Core Infrastructure was saved, and select the Default Domain Policy GPO backup.

Link the new policy to the appropriate location by performing the following steps:
1. In the GPMC, expand Forest, Domains, BusinessName.com.
2. Right-click the domain object, BusinessName.com, and click Link an Existing GPO.
3. Select the Default Domain Policy and click OK.

Performing Final Security Configuration Validation


After completing the configuration of the two infrastructure servers, it is important to once again complete a full security audit on both the servers to ensure that they are completely secured. Begin by checking for any updates available for the server and installed software. Install any updates that are available. Run the MBSA tool against the first domain controller (SMBDC). For more information on running this tool, refer to the Medium Business Solution for Patch Management.


Deploy
This section provides guidance on deploying the network services solution. Deploying involves the following:
- Testing the services.
- Backing up the system and verifying the backup.
- Releasing the system to users.

Testing the Services


This section provides the tests that should be performed to verify the configuration of the network and directory services. These tests should be performed after the servers are moved into the production network, but before they are placed into service.

Network Configuration Testing


On both the infrastructure servers, perform the following steps to test the network configuration:
1. Use the ipconfig utility on the server to ensure that the network parameters are configured properly.
2. Use the ping command to check the network connectivity with other systems on the network. Ping the systems by name to ensure that DNS is working correctly.
3. Use the nslookup command for DNS name resolution of local and Internet systems.

Active Directory Testing


Perform the following steps to test Active Directory:
1. Join a client computer to the new domain. Verify that the computer account is created in Active Directory.
2. Verify that it is possible to log on to a client computer with domain user privileges.

DHCP Testing
Perform the following steps to test DHCP:
1. Check the IP configuration of a hardware device, such as a printer. Ensure that the correct IP information was received from the reservation on the DHCP servers.
2. Turn on a client computer and ensure that it receives proper IP information from DHCP.

DNS Testing
Perform the following steps to test DNS:
1. From each server, ping the other server by name, and ensure that the name resolves to the proper IP address.
2. Turn on a new client computer and ensure that a proper A resource record is created in the DNS console for the workstation.

Redundancy Testing
Perform the following steps to test for redundancy:
1. Shut down the primary infrastructure server and perform all the tests mentioned earlier in this section to ensure proper operation of the core infrastructure services.
2. Once all the tests are performed, turn on the primary infrastructure server.
3. Shut down the secondary infrastructure server and perform all the tests mentioned earlier in this section to ensure proper operation of the core infrastructure services.

Backing Up System and Verifying the Backup


It is strongly recommended to perform a full backup of both the servers, including the system state information, before releasing the system to users. In addition, verify that the backup does not have any problems. This way, if a server fails for any reason, the backup can be used to bring the system back to its original state. Use dedicated tapes for this backup and retain them; do not use these tapes as part of the normal rotation schedule.

Releasing the System to Users


After completing testing and backup, the system can be released to users for regular use. It may be necessary for the administrator to carry out some of the domain migration steps, including migrating any existing workstations before the system is ready for use. These steps are discussed in the Medium Business Guide for Pilot Deployment and Migration.


Operate
This section provides guidance on managing and supporting the network services solution. Operating involves the following:
- Remote management
- Patch management
- Other support

Remote Management
Two options are available for remote management that allow the administrator or service provider to access the server remotely and provide support. These options are:
- In-band management
- Out-of-band (OOB) management

In-band Management
In-band management on the infrastructure servers in the medium IT environment is provided through Remote Desktop for Administration. When Remote Desktop for Administration is enabled, administrators can remotely connect to a server using Remote Desktop Connection and perform any function that can be performed from the console. This allows many routine tasks to be handled without ever having to physically visit each server.

Out-of-band Management
Out-of-band (OOB) management for the medium IT environment is provided through remote management cards installed and configured on the infrastructure servers.

Patch Management
The Medium Business Solution for Patch Management recommends using Software Update Services (SUS) version 1.0 with Service Pack 1. SUS is a Microsoft solution for patch management, which can provide a centralized distribution point for the updates to be applied on workstations and servers. SUS can be used to provide security updates and critical hotfixes to the medium IT environment. For more information on SUS, refer to the following URL: http://www.microsoft.com/windowsserversystem/sus/default.mspx


Summary
This chapter provided prescriptive guidance on designing, configuring, and deploying the first two infrastructure servers in a medium IT environment. The chapter provided step-by-step instructions on setting up the first two infrastructure servers, configuring a domain, configuring critical services in the environment, and providing redundancy for critical services.


References
This section provides references to important supplementary information and other background material relevant to the contents of this chapter. These references include:
- Windows Server 2003 Active Directory home page, available at the following URL: http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx
- TechNet White Paper "Active Directory Benefits for Smaller Enterprises", available at the following URL: http://www.microsoft.com/WindowsServer2003/techinfo/overview/adsmallbiz.mspx
- Windows Server 2003 DHCP service home page, available at the following URL: http://www.microsoft.com/windowsserver2003/technologies/dhcp/default.mspx
- Windows Server 2003 Internet Authentication Service, available at the following URL: http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx
- For support information on Windows Server 2003, refer to the following URL: http://www.microsoft.com/windowsserver2003/community/default.mspx
