Chapter 3 Network and Directory Services


8/3/2019 Chapter 3 Network and Directory Services (1/46)

Microsoft Solutions for Small & Medium Business: Medium IT Solution Series

Medium Business Solution for Core Infrastructure: Plan, Build, Deploy, and Operate

Chapter 3 Network and Directory Services

Version 1.0

Abstract

This chapter provides guidance that can be used to plan, build, deploy, and operate reliable and secure network and directory services. The chapter provides guidance on configuring the DNS and WINS name resolution services, automating IP address allocation and managing the IP configuration of client computers using DHCP, and providing a consistent way to name, describe, locate, access, manage, and secure information using the Active Directory directory service. The services covered in this chapter form the basis of a robust network infrastructure that provides the foundation for other services.


Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results of the use of this document remains with the user.

Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2005 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Outlook, Windows, Windows 2000, Windows NT and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA


Table of Contents

Introduction 1
  Scope 2
  Prerequisites 2
Envision 3
  Usage Scenarios 3
  Initial State Environment 3
  End State Environment 4
  Benefits 4
Plan 5
  Network Services Deployment Design 6
    Choices 7
    Considerations 7
    Recommendations 8
  DNS Namespace Design 9
    Registering a Public Domain Name 9
    Choosing the Internal DNS Namespace 9
    Deploying the Public DNS Namespace 10
  IP Addressing Convention 10
  Software Recommendations 14
  Infrastructure Server Configuration 15
    Operating System 15
    Active Directory and DNS 16
    Dynamic Host Configuration Protocol 16
      Configuring Redundancy 17
      Configuring Static IP Addresses 18
    Windows Internet Name Service (WINS) 20
    Group Policy 20
  Hardware Recommendations 20
    Processor and Random Access Memory (RAM) 21
    Storage Configuration 21
    Recommendations 22
  Bill of Materials 23
Build 24
  Gathering Information for Initial Configuration 24
  Configuring External DNS Records 25
  Configuring the Hardware and Operating System 26
  Performing Initial Security Audit 27
  Installing and Configuring Active Directory 27
  Installing and Configuring DNS 29
  Configure the Windows Time Service 31
  Installing and Configuring DHCP 31
  Installing and Configuring WINS 33
  Installing and Configuring the Certification Authority 34
  Installing Internet Authentication Service 35
  Configuring Group Policy Objects 35
  Performing Final Security Configuration Validation 36
Deploy 37
  Testing the Services 37
    Network Configuration Testing 37
    Active Directory Testing 37
    DHCP Testing 37
    DNS Testing 38
    Redundancy Testing 38
  Backing Up System and Verifying the Backup 38
  Releasing the System to Users 38
Operate 39
  Remote Management 39
    In-band Management 39
    Out-of-band Management 39
  Patch Management 39
Summary 40
References 41


Introduction

Network and directory services provide the foundation for running all other services in the medium IT environment. Solid and reliable IP address management, name resolution, authentication, and authorization help prevent systemic problems in other services, problems that would otherwise have a broad impact on user experience.

This chapter provides guidance on designing and deploying services that enable other services and network devices, such as computers and printers, to find, authenticate, and communicate with each other. The services covered in this chapter form the basis of a robust network infrastructure that provides the foundation required for offering a wide variety of services. These services include:

Core network services: The core network services include:
  Domain Name System (DNS): Resolves DNS names to IP addresses.
  Dynamic Host Configuration Protocol (DHCP): Automatically configures network settings on clients and facilitates management of IP addresses and network configuration of clients.
  Windows Internet Name Service (WINS): Resolves NetBIOS names to IP addresses.

Directory services: Authenticate users and computers that try to access resources. The Medium Business Solution for Core Infrastructure uses the Active Directory directory service, which can also be used to centralize and simplify the management of network resources.

Certificate services: Provide customizable services for creating and managing the public key certificates used by software security systems that employ public key technologies. Strictly, a certification authority (CA) is the trusted organization that operates a PKI, but in practice the term CA usually refers to the computer that runs the certificate software.

Remote Authentication Dial-in User Service (RADIUS): RADIUS is an Internet Engineering Task Force (IETF) standard. In the Medium Business Solution for Core Infrastructure, the Windows Server 2003 Internet Authentication Service (IAS) is used as the RADIUS server. It performs centralized connection authentication, authorization, and accounting for network access through wireless and virtual private network (VPN) connections.

A key difference between the Small IT Solution and the Medium Business Solution for Core Infrastructure is that the latter provides more reliable network and directory services by implementing service redundancy.

    Medium Business Solution for Core Infrastructure Chapter 3 Network and Directory Services 3-1


Envision

This section describes the usage scenarios for and the benefits of implementing the network services in the medium IT environment. It describes the possible initial state environments in which the guidance can be implemented and the expected end state of the environment.

Usage Scenarios

This chapter provides guidance that can be used for:
  Enabling centralized management of IP addresses.
  Enabling automatic IP configuration of clients.
  Providing name resolution services for clients.
  Authenticating and authorizing access to data and services on the network.
  Providing a directory service to centrally manage the resources in the IT environment.
  Enabling central management of security policies in the environment.

Initial State Environment

Medium businesses may already have network and directory services deployed. The types of deployments that may exist include:
  Server-based environment with no centralized logons.
  Microsoft Windows NT 4.0- and Windows 2000-based environment.
  Linux- or Novell-based environment.

Deploying the Medium Business Solution for Core Infrastructure enables organizations to eliminate many problems that are common to these scenarios, such as:
  Unreliable and inconsistent network services.
  Security concerns around unauthenticated users.
  Multiple logons required to access different services and resources.
  High operations cost for basic network and directory services.
  Poorly designed directory structure.
  Decentralized structure, which requires excessive effort for making changes and additions to the environment.
  Lack of vendor support for outdated technology, poor vendor support from less established companies, or cross-vendor support issues where multiple non-homogeneous technologies are deployed.
  Lack of support for devices and applications that are used in old or non-homogeneous environments.


End State Environment

The end state environment for network services will consist of:
  Two Microsoft Windows Server 2003-based servers providing redundant network and directory services.
  A single Active Directory domain and forest infrastructure.
  A domain-level Group Policy, applied to enforce domain-wide security requirements.

Benefits

The network and directory services recommended in the Medium Business Solution for Core Infrastructure provide the following benefits:

Reliable infrastructure: The network and directory services are implemented on redundant servers for better reliability.

Centralized resource management: Active Directory is used to provide a centralized database of all users, computers, and other objects on the network. It helps organize the resources in an IT environment based on the structure of the organization.

Security: Active Directory is used to provide the security and authentication mechanism, which offers protected and controlled access to resources.

Single sign on: Active Directory is used to enable single sign on, which essentially means that users need to provide their credentials only once. They need not provide credentials each time they try to access a resource on the network, and the same set of credentials is used for accessing all resources.

Well-defined and enforced security policies: Group Policy is used to define and enforce domain-wide security policies in the medium IT environment. GPOs linked at the domain level apply to every user and computer in the domain; their settings override the local policy of each machine and, when the GPO is marked Enforced, cannot be overridden by GPOs linked to organizational units beneath it.


Plan

This section provides guidance on designing the network and directory services for the medium IT environment, choosing the right server hardware for hosting the services, and determining the prerequisites for building the services.

The network and directory services implemented in the medium IT environment should:
  Meet the reliability, scalability, and security requirements.
  Be cost-effective to implement and maintain.
  Enable resolution of DNS and NetBIOS names to IP addresses.
  Automatically perform network configuration of devices that connect to the LAN.
  Centrally store information about network resources in an organized manner, which makes it easier for users to locate them.
  Provide user and computer authentication.
  Restrict access to resources to only authorized users, computers, and services.
  Facilitate application and enforcement of security policies.
  Provide the support required to issue, manage, and maintain PKI certificates.
  Provide RADIUS authentication services.

The following figure represents the medium IT infrastructure and highlights the servers that provide the network and directory services.


[Network architecture drawing for the Microsoft Solutions for Small & Medium Business, Medium IT Solution (50-250 PCs). Main office LAN: Primary Infrastructure Server (Active Directory, DNS, DHCP, WINS, Certificate Service, SUS); Secondary Infrastructure Server (Active Directory, DNS, DHCP, WINS, Exchange); Database Server (Microsoft SQL Server); Application Server (Microsoft and partner LOB applications); Collaboration Server (IIS, Windows SharePoint Services); Terminal Server (Microsoft Terminal Server); Firewall Server (ISA Server, VPN Server); Network-attached Storage Device (Windows Storage Server 2003); Tape Library; Wireless Access Point; printers and scanners; directly attached printer; desktop computers. An Internet Router connects the main office to the Internet, remote users, home users, business partners, laptop computers, PDAs and Pocket PCs, and smartphones. Branch office LAN: Firewall and VPN Router; desktop computers.

Legend: If the optional File Server is not implemented, File Services will be hosted on the Primary Infrastructure Server. Also, the Backup drive (Tape Library) will be attached to the Primary Infrastructure Server.]

Figure 1. Medium IT Infrastructure

This section covers the following:
  Network services deployment design
  DNS namespace design
  IP addressing convention
  Software recommendations
  Infrastructure server configuration
  Hardware recommendations
  Bill of materials

Network Services Deployment Design

When implementing network and directory services in a medium IT environment, it is important to create a design that balances the need for reliability with the need to keep costs low. In the medium IT environment, a decision must be made regarding how to deploy network and directory services in the manner that best achieves these goals.


Choices

In the Medium Business Solution for Core Infrastructure, the following deployment designs were considered for the network and directory services:

Single server: A single infrastructure server hosts the network and directory services.

Clustered servers: Two infrastructure servers are deployed in a clustered configuration.

Redundant servers: Two redundant infrastructure servers are deployed, both providing the same network and directory services. The network and directory services either have built-in mechanisms for providing redundancy across multiple servers, or are deployed in such a way that similar redundancy is achieved.

The following table presents the advantages and disadvantages of these choices.

Single server
  Advantages: Inexpensive: deployment and management costs are low. Easy to deploy: this configuration is easy to deploy.
  Disadvantages: Less reliable: if the server fails, downtime is inevitable.

Clustered servers
  Advantages: Redundancy and automatic failover (see Considerations, below).
  Disadvantages: More expensive: requires one additional server and Windows Server 2003, Enterprise Edition on both servers. Complex configuration: configuration, operation, and troubleshooting of this configuration are difficult.

Redundant servers
  Advantages: Cost: deployment and management costs are in between the other two options. Easy to deploy: this configuration is easier to deploy than the clustered server option.
  Disadvantages: Management: two servers need to be managed.

Table 1. Network and Directory Services Deployment Choices

Considerations

The network and directory services are critical for the proper functioning of the medium IT environment. Using only a single infrastructure server minimizes costs, but it does not provide failover capabilities. Failure of the infrastructure server can cripple the entire medium IT environment. In addition, if the failure is caused by the server hardware, additional delays are often introduced while waiting for spare parts or replacement hardware.

Deploying a cluster of servers offers redundancy and automatic failover capabilities. However, clustering requires Windows Server 2003, Enterprise Edition on both infrastructure servers, which is more expensive than Windows Server 2003, Standard Edition. In addition, configuring, operating and troubleshooting server clusters is complicated, and is generally recommended only for larger organizations.

Deploying two redundant infrastructure servers in a non-clustered configuration is easy to configure. The Windows server-based network services and Active Directory are designed to run across multiple servers, which eliminates the single point of failure.

Recommendations

The Medium Business Solution for Core Infrastructure recommends deploying two redundant servers, called the primary infrastructure server and the secondary infrastructure server. Under normal conditions, the primary infrastructure server provides most of the network services because the majority of client requests are first directed to this server. Only when the primary server fails to respond in a timely manner are most requests directed to the secondary infrastructure server. The following table presents the services hosted on the primary and secondary infrastructure servers.

Active Directory
  Primary infrastructure server: Holds all of the operations master roles (also known as flexible single master operations or FSMO). Is the first server in the forest and domain, and is a global catalog server.
  Secondary infrastructure server: Holds no operations master roles. Is a global catalog server.

DNS
  Primary infrastructure server: Is configured as the primary DNS server on all clients.
  Secondary infrastructure server: Is configured as the secondary DNS server on all clients. Clients query this server only if the primary infrastructure server fails to respond in a timely manner.

DHCP
  Primary infrastructure server: Configured with a scope to cover over 250 clients, in addition to servers and other devices that require a reserved address. Configured with scope options that designate the preferred and secondary DNS and WINS servers, default gateway, and proxy server information.
  Secondary infrastructure server: Same scope definition and scope options as the primary infrastructure server. This server shares the DHCP client request load with the primary infrastructure server. (Two DHCP servers that are not clustered do not share a lease database, so they must not hand out addresses from the same part of the scope; each server excludes the range that the other one leases from, as covered under Configuring Redundancy.)

WINS
  Primary infrastructure server: Configured as the preferred WINS server, which resolves NetBIOS names to IP addresses.
  Secondary infrastructure server: Configured as the secondary WINS server.

Additional services
  Primary infrastructure server: Optionally, this server may be configured to host services that are less resource-intensive, such as: Certification Authority (CA), Internet Authentication Service (IAS), Software Update Services (SUS), file services, print services.
  Secondary infrastructure server: The server provides most network services only when the primary infrastructure server fails. Because this server is under less or no load at most times, it can be used to host services such as messaging that require a lot of server resources.

Table 2. Services Hosted on the Primary and Secondary Infrastructure Servers

Lucerne Publishing opted to implement both the primary and the secondary servers after the introduction of a swing server in the environment. For more information on the implementation of a swing server, refer to the Medium Business Guide for Pilot Deployment and Mitigation. Following the successful implementation of both the primary infrastructure server and the secondary infrastructure server, Lucerne Publishing retired their old servers.

DNS Namespace Design

Designing the DNS namespace involves the following tasks:
  Registering a public domain name.
  Choosing the internal DNS namespace.
  Deploying the public DNS namespace.

Registering a Public Domain Name

Two of the many organizations that are used for registering domain names offer their services through their Web sites, available at the following URLs:

http://www.networksolutions.com
http://www.register.com

These Web sites have useful domain name management tools to register and manage DNS name records. Each site can provide you with specific instructions and assistance with DNS record configuration. Lucerne Publishing already owned the domain name lucernepublishing.com, so they did not need to register an additional name.

Choosing the Internal DNS Namespace

In the Medium Business Solution for Core Infrastructure, the following choices were considered for the internal DNS namespace:

Same as the public DNS namespace: The public DNS namespace is registered with the ISP, such as BusinessName.com, and is used to publish resources, such as the company's public Web site, on the Internet. In this option the internal DNS namespace is the same as the external DNS namespace, that is, BusinessName.com.

Separated DNS namespace: In this option, a sub-domain of the public DNS namespace, such as corp.BusinessName.com, is used as the internal DNS namespace of the environment.

Using a separated DNS namespace can offer some security advantages. However, it also makes the environment more complex and is typically suitable for large environments with dedicated IT staff. A single internal and external DNS namespace offers ease of configuration and simplicity.

To maintain simplicity in the environment, the Medium Business Solution for Core Infrastructure recommends using a single DNS namespace for both internal and external DNS naming. There is no need or real advantage of using separate internal and external DNS namespaces in a medium IT environment. One consequence of the single namespace has to be planned for: the internal DNS servers are authoritative for BusinessName.com, so internal clients never consult the public zone held at the ISP. Any public host that internal clients must reach by name, such as www.BusinessName.com, must therefore also be created as a record in the internal zone. Conversely, the internal zone, which contains the Active Directory SRV records and the domain controller names, must never be transferred to or published on the public DNS server.

Lucerne Publishing saw no need whatsoever to add complexity to their environment by introducing multiple DNS namespaces. They opted to just use the name lucernepublishing.com for both the internal and external DNS namespaces.

Deploying the Public DNS Namespace

The registered domain name points to a DNS server that is authoritative for the DNS namespace. The organization needs to decide whether to use a public DNS server, owned by an ISP, as the authoritative DNS server or to host its own DNS server that is authoritative for the DNS namespace.

The Medium Business Solution for Core Infrastructure recommends using an ISP-owned public DNS server as the authoritative DNS server for the organization's DNS namespace, because ISP DNS servers provide better availability. To host your DNS namespace on the DNS server of an ISP, you need to buy the service from an ISP. DNS hosting services can typically be bought from the DNS registrar or from the ISP that is providing the Internet connection, and are often included as part of a package when registering a domain or hosting a public Web site.

The domain name, such as BusinessName.com, registered with the domain registrar needs to point to the authoritative DNS server of the domain. The authoritative DNS server maintains all the DNS records, such as www.BusinessName.com and remote.BusinessName.com, for the DNS namespace. The DNS records on the authoritative DNS server need to be maintained by the organization. Because in the medium IT environment the authoritative DNS server is owned by an ISP, the ISP needs to provide some mechanism to enable the IT generalist to manage these records. In most cases, ISPs provide a Web-based utility and logon credentials to the organization when it buys the DNS hosting service. These credentials control every public record for the domain, including the mail and remote-access hosts, so they should be held only by named administrators and protected like any other privileged account.

To enable access to services using the Internet, the organization needs to update, or add, DNS records on the public DNS server of the ISP. For more information, refer to the Configuring External DNS Records subsection of the Build section in this chapter.

    IP Addressing Convention

    All IP addresses are either public or private. These are defined as follows:

    Public: Public IP addresses are assigned by Internet service providers (ISPs) and are unique across the Internet.

    Private: Private IP addresses can be used on an internal network by anyone, without permission. Typically, private IP addresses are in the following ranges: 10.x.x.x, 169.254.x.x, 172.16.x.x, and 192.168.x.x.

    The following table provides the advantages and the disadvantages of both these types of IP addresses.

    Choice: Public
      Advantages: Allows a device to communicate with other devices on the Internet.
      Disadvantages: Expensive. Limited availability. Security risk.

    Choice: Private
      Advantages: Increases security because computers on the Internet cannot directly access this device. Reduces cost because you do not need to pay the ISP for additional public IP addresses.
      Disadvantages: Network Address Translation (NAT) is required for hosts to connect to the Internet. A VPN or proxy is required for external computers to connect to internal hosts. Connecting two private networks through a VPN can result in multiple devices with the same IP addresses.

    Table 3. Public Addresses versus Private Addresses

    IP addresses can be allocated to devices either by manually assigning static IP addresses to each device or dynamically by using DHCP.

    The Medium Business Solution for Core Infrastructure recommends the following for IP addresses:

    Use the private IP address range 10.x.x.x for the LAN at both the main office and the branch office. More specifically, consider the following:
      Use the 10.0.0.0/16 subnet at the main office.
      Use the 10.1.0.0/24 subnet for the first branch office. For additional branch offices, use the 10.n.0.0/24 subnet, where n is equal to 2 for the second branch office and increments by one for each additional branch office.

    Use public IP addresses on the external interface of the firewall at the main office and the multipurpose router at the branch office.

    Within these subnets, the addresses are further classified as shown in the following table. Examples are provided only for the first branch office.

    IP Address (or Range)      Subnet Mask      Location        Used For
    10.0.0.1 to 10.0.0.20      255.255.0.0      Main office     Servers.
    10.0.0.21 to 10.0.0.40     255.255.0.0      Main office     Remote management cards. (To get the card address for a server, add 20 to the last octet of the IP address of the server.)
    10.0.0.41 to 10.0.0.255    255.255.0.0      Main office     All other network devices that require static IP addresses (for example, printers, scanners, IP cameras, and switches).
    10.0.1.x                   255.255.0.0      Main office     Assigned by the primary infrastructure server to DHCP clients at the main office.
    10.0.2.x                   255.255.0.0      Main office     Assigned by the secondary infrastructure server to DHCP clients at the main office.
    10.1.0.1                   255.255.255.0    Branch office   Internal interface of the multipurpose router at the branch office.
    10.1.0.2 to 10.1.0.10      255.255.255.0    Branch office   All other network devices that require static IP addresses (for example, printers and scanners).
    10.1.0.11 to 10.1.0.254    255.255.255.0    Branch office   For DHCP clients at the branch office.

    Table 4. IP Addressing Recommendations
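    The address plan in Table 4, as an added example (not code from the guide): a small Python lookup built on the standard ipaddress module that maps an address to its Table 4 role, derives a remote management card address with the "add 20 to the last octet" rule, names the 10.n.0.0/24 subnet for branch office n, and checks that the rows of the plan lie inside their subnets and do not overlap. The role labels and function names are this example's own.

```python
"""Address-plan lookup for the addressing scheme in Table 4.

Added example, not code from the guide. The ranges below are copied from
Table 4; the role labels and function names are this example's own.
"""
import ipaddress

MAIN_OFFICE = ipaddress.ip_network("10.0.0.0/16")     # main office subnet
BRANCH_OFFICE = ipaddress.ip_network("10.1.0.0/24")   # first branch office subnet

# (first address, last address, subnet, role) for each row of Table 4.
PLAN = [
    ("10.0.0.1",  "10.0.0.20",  MAIN_OFFICE,   "main: server (static)"),
    ("10.0.0.21", "10.0.0.40",  MAIN_OFFICE,   "main: remote management card"),
    ("10.0.0.41", "10.0.0.255", MAIN_OFFICE,   "main: other static device"),
    ("10.0.1.0",  "10.0.1.255", MAIN_OFFICE,   "main: DHCP client (primary server scope)"),
    ("10.0.2.0",  "10.0.2.255", MAIN_OFFICE,   "main: DHCP client (secondary server scope)"),
    ("10.1.0.1",  "10.1.0.1",   BRANCH_OFFICE, "branch: router internal interface"),
    ("10.1.0.2",  "10.1.0.10",  BRANCH_OFFICE, "branch: other static device"),
    ("10.1.0.11", "10.1.0.254", BRANCH_OFFICE, "branch: DHCP client"),
]


def _bounds(row):
    first, last, _, _ = row
    return ipaddress.ip_address(first), ipaddress.ip_address(last)


def classify(addr: str) -> str:
    """Return the Table 4 role of an address, or why it has none."""
    ip = ipaddress.ip_address(addr)
    for row in PLAN:
        lo, hi = _bounds(row)
        if lo <= ip <= hi:
            return row[3]
    if ip in MAIN_OFFICE or ip in BRANCH_OFFICE:
        return "unassigned"          # inside an office subnet but in no Table 4 row
    return "outside plan"


def management_card_address(server_ip: str) -> str:
    """Table 4 rule: the card address is the server address plus 20 in the last octet."""
    if classify(server_ip) != "main: server (static)":
        raise ValueError(f"{server_ip} is not in the server range 10.0.0.1 to 10.0.0.20")
    return str(ipaddress.ip_address(server_ip) + 20)


def branch_subnet(n: int) -> str:
    """Branch office n (1-based) uses 10.n.0.0/24 under the guide's convention."""
    if not 1 <= n <= 254:
        raise ValueError("branch office number must be between 1 and 254")
    return str(ipaddress.ip_network(f"10.{n}.0.0/24"))


def plan_is_consistent() -> bool:
    """Check that every row lies inside its subnet and that no two rows overlap."""
    bounds = [(_bounds(row), row[2]) for row in PLAN]
    for (lo, hi), net in bounds:
        if lo > hi or lo not in net or hi not in net:
            return False
    ordered = sorted(b for b, _ in bounds)
    return all(prev_hi < lo for (_, prev_hi), (lo, _) in zip(ordered, ordered[1:]))


if __name__ == "__main__":
    for a in ("10.0.0.2", "10.0.0.22", "10.0.1.77", "10.1.0.1", "10.0.5.9", "192.168.1.1"):
        print(f"{a:<14} {classify(a)}")
    print("card for 10.0.0.2:", management_card_address("10.0.0.2"))
    print("plan consistent:", plan_is_consistent())
```

    The same lookup can be extended with one more row per branch office as they are added; plan_is_consistent then catches a new row that collides with an existing range before the addresses are handed out.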

    Configure the public IP address, subnet mask, and default gateway provided by the ISP on the external interface of the firewall server at the main office.

    DHCP should be used to assign all IP addresses on the medium IT network, both static and dynamic, with the exception of the following three servers:

    Primary and secondary infrastructure servers: These servers run the DNS service, which requires that a static IP address be assigned on the computer.

    Internet Security and Acceleration (ISA) Server: This server is directly connected to the Internet. Therefore, this server requires a gateway to be configured that is different from that of all other servers. Because the medium IT environment assigns options, including the default gateway, as part of the DHCP implementation, this server must be excluded from using DHCP.

    Use DHCP options to assign clients values for the following:
      Primary and secondary DNS servers
      Primary and secondary WINS servers
      Default gateway
      Domain suffix
      Web Proxy Auto Discovery Protocol (WPAD)

    The external interface of the multipurpose branch office router should be configured with the IP configuration provided by the ISP. The multipurpose branch office router should also be configured as a DHCP server and should use the IP address range provided in the previous table. For more information on configuring the router, refer to the documentation provided by the manufacturer.

    Use the following DHCP options for the branch office:

    DNS servers: Most multipurpose routers that have DHCP capability allow configuring up to three entries for DNS servers and two entries for WINS servers. At least one internal DNS server and one external DNS server should be configured on the DHCP service on the branch office router. This is necessary so that the router is able to resolve host names for both internal and external hosts. It should also be ensured that the internal DNS servers are specified before the external DNS server in the list of servers, so that the router resolves host names using the internal DNS server first. If the internal DNS server is unable to resolve the name, the router will try to resolve the name using the external DNS server. If the order is reversed, the router sends requests to the public DNS server to resolve internal names, which is not recommended: those queries disclose internal host names to a server outside the organization.

    Use the following values for the DNS server IP configuration:
      First DNS server: IP address of the internal primary DNS server.
      Second DNS server: IP address of the internal secondary DNS server.
      Third DNS server: IP address of the public DNS server given by the ISP that provides the Internet connection to the branch office.

    WINS servers: Use the IP addresses of the internal primary and secondary WINS servers.

    Default gateway: Use the IP address of the internal interface of the branch office router.
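    A check for the DNS server order just described, as an added example that is not from the guide: a Python model in which the router tries its configured servers in order and moves on when one cannot resolve the name, which is the behaviour the text describes (a real resolver typically moves on only when a server does not answer at all, so this is the guide's model rather than a protocol simulation). Server addresses, zone names and records are constructed sample data; the 10.0.0.x addresses follow Table 4, and 198.51.100.x and 203.0.113.x are documentation ranges. The function names are this example's own.

```python
"""Branch office router DNS server order.

Added example, not code from the guide. Models the behaviour the guide
describes: the router tries its DNS servers in the configured order and moves
on when a server cannot resolve the name. All addresses and records below are
constructed sample data, not real infrastructure.
"""
from dataclasses import dataclass, field

INTERNAL_ZONE = "lucernepublishing.com"   # the single namespace the guide recommends


@dataclass
class DnsServer:
    address: str
    internal: bool          # True for the infrastructure servers, False for the ISP server
    records: dict = field(default_factory=dict)

    def lookup(self, name: str):
        return self.records.get(name.lower())


# Constructed sample servers (10.0.0.x per Table 4, the rest documentation ranges).
PRIMARY = DnsServer("10.0.0.2", True, {
    "mocor1.lucernepublishing.com": "10.0.0.2",
    "mocor2.lucernepublishing.com": "10.0.0.3",
    "www.lucernepublishing.com": "203.0.113.10",
})
SECONDARY = DnsServer("10.0.0.3", True, dict(PRIMARY.records))
ISP = DnsServer("198.51.100.53", False, {
    "www.lucernepublishing.com": "203.0.113.10",   # public record only
    "www.example.com": "203.0.113.20",
})


def resolve(name: str, servers):
    """Try servers in order; return (answer or None, addresses of the servers queried)."""
    queried = []
    for server in servers:
        queried.append(server.address)
        answer = server.lookup(name)
        if answer is not None:
            return answer, queried
    return None, queried


def internal_name_leaked(name: str, servers) -> bool:
    """True if resolving a name in the internal zone sent a query to an external server."""
    if not name.lower().endswith("." + INTERNAL_ZONE):
        return False
    _, queried = resolve(name, servers)
    external = {s.address for s in servers if not s.internal}
    return any(addr in external for addr in queried)


def check_server_order(servers):
    """Apply the guide's rules for the branch router's DNS server list."""
    problems = []
    if not any(s.internal for s in servers):
        problems.append("no internal DNS server configured")
    if all(s.internal for s in servers):
        problems.append("no external DNS server configured")
    if len(servers) > 3:
        problems.append("more than three DNS server entries")   # the guide's router limit
    first_external = next((i for i, s in enumerate(servers) if not s.internal), None)
    last_internal = max((i for i, s in enumerate(servers) if s.internal), default=None)
    if first_external is not None and last_internal is not None and first_external < last_internal:
        problems.append("external DNS server listed before an internal one")
    return problems


if __name__ == "__main__":
    good, bad = [PRIMARY, SECONDARY, ISP], [ISP, PRIMARY, SECONDARY]
    print("recommended order:", check_server_order(good) or "ok")
    print("reversed order:   ", check_server_order(bad))
    print("mocor1 leaked?", internal_name_leaked("mocor1.lucernepublishing.com", bad))
```

    check_server_order flags the reversed list, and internal_name_leaked shows the consequence: with the ISP server first, every query for a lucernepublishing.com name goes to it. Even with the correct order, a name that the internal servers do not hold falls through to the public server in this model, so a name missing from the internal zone still reaches the ISP.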

    Lucerne Publishing followed the Medium Business Solution for Core Infrastructure recommendations. The following table provides some examples of the IP addresses used by Lucerne Publishing.

    Device Type                                                 Name                 IP Address
    Firewall server (external interface)                        MOISA                Public address from ISP
    Firewall server (internal interface)                        MOISA                10.0.0.1
    Primary infrastructure server                               MOCOR1               10.0.0.2
    Secondary infrastructure server                             MOCOR2               10.0.0.3
    Collaboration server                                        MOXRNT               10.0.0.4
    Directly attached hardware (such as printers and scanners)  LJ4KACCT, SCANRSLS   10.0.0.41 to 10.0.0.255
    Remote management cards                                     -                    10.0.0.20 + server IP address
    Client devices                                              FIN302, SAL201       10.0.1.0 to 10.0.2.254

    Table 5. Example of IP Addresses Used by Lucerne Publishing

    Note: When configuring the IP parameters of the primary and secondary infrastructure servers and the firewall server with static IP addresses, configure all the DHCP options that are configured for DHCP client devices. Both infrastructure servers should have their primary DNS and WINS servers configured with their own IP addresses and should have their secondary DNS and WINS servers configured with the IP address of the other infrastructure server. The default gateway for both these servers should be 10.0.0.1 (the IP address of the firewall server). On the firewall server, the primary DNS and WINS servers should be set to the IP address of the primary infrastructure server and the secondary DNS and WINS servers should be set to the IP address of the secondary infrastructure server; the gateway should be left blank.

    Software Recommendations

    The network services (DNS, DHCP, and WINS) and Active Directory are built into the Windows Server 2003 operating system. Therefore, no additional software is required for deploying the network and directory services in the medium IT environment. The only decision that needs to be made is choosing between Windows Server 2003, Standard Edition and Windows Server 2003, Enterprise Edition.

    Windows Server 2003, Enterprise Edition supports additional features compared to Windows Server 2003, Standard Edition. These features include:

    Clustering: A cluster is a group of independent computers, called nodes, that work together to run a common set of applications and provide high availability. If one node in the cluster fails, the application can be failed over to the next node.

    Remote storage: Remote storage uses criteria that you specify to automatically copy less-used files to removable media. If hard-disk space drops below the specified levels, remote storage removes the cached file content from the disk. If the file is needed later, the content is automatically recalled from storage.

    Support for up to eight processors (compared to the support for up to four processors in Windows Server 2003, Standard Edition): The Windows Server 2003 family supports single or multiple central processing units (CPUs) that conform to the symmetric multiprocessing (SMP) standard. Using SMP, the operating system can run threads on any available processor, which makes it possible for applications to use multiple processors when additional processing power is required to increase the capability of a system.

    64-bit support for Intel Itanium-based computers: Support for 64-bit processing delivers far higher scalability than 32-bit file servers by providing a greatly enlarged virtual address space and paged pool area, the ability to handle increased numbers of users and connections, and increased hardware reliability through predictive error checking and notification of failures.

    Hot add memory: Hot add memory allows ranges of memory to be added to a computer and made available to the operating system and applications as part of the normal memory pool. This does not require restarting the computer and involves no downtime.

    The Medium Business Solution for Core Infrastructure recommends using Windows Server 2003, Standard Edition for the infrastructure servers. This is because none of the additional features provided by Windows Server 2003, Enterprise Edition will be used in the medium IT environment. In addition, Windows Server 2003, Standard Edition costs less than Windows Server 2003, Enterprise Edition.

    Lucerne Publishing opted to install Windows Server 2003, Standard Edition. There were no factors present in the environment of Lucerne Publishing that required any of the features of Windows Server 2003, Enterprise Edition that are listed in this section.

    Infrastructure Server Configuration

    This section provides guidance on configuring the infrastructure servers, which includes the operating system, the network services, and Active Directory. It covers configuration of the following:
      Operating system
      Active Directory and DNS
      DHCP
      WINS
      Group Policy

    Operating System

    The following choices need to be made during the installation of the operating system:

    IP configuration: The DNS service hosted on the infrastructure servers requires that the infrastructure servers be configured with static IP addresses. The IP addresses should be configured as per the guidelines provided in Chapter 2, Physical Network Design, of this solution.

    The following table lists the IP configurations recommended for the infrastructure servers in the Medium Business Solution for Core Infrastructure.

    Parameter               Primary Infrastructure Server    Secondary Infrastructure Server
    IP Address              Static IP address (10.0.0.2)     Static IP address (10.0.0.3)
    Default Gateway         10.0.0.1                         10.0.0.1
    Preferred DNS Server    10.0.0.2                         10.0.0.2
    Secondary DNS Server    10.0.0.3
    Preferred WINS Server   10.0.0.2                         10.0.0.3
    Secondary WINS Server   10.0.0.3                         10.0.0.2

    Table 6. Recommended IP Configuration for the Infrastructure Servers

    Licensing: When installing the base operating system on the infrastructure servers, you must choose a client licensing mode. The Medium Business Solution for Core Infrastructure recommends the Per Device or Per User licensing mode. This is the most economical choice because client workstations in the medium IT environment consume services from a number of different servers in the environment on a regular basis.

    Server naming: The servers must be assigned a host name and a NetBIOS name. The names used for the servers should be in accordance with the naming convention guidelines of the Medium Business Solution for Core Infrastructure documented in Chapter 1, Core Infrastructure Design Overview, of this solution.

    As per the Medium Business Solution for Core Infrastructure naming convention, Lucerne Publishing named their primary infrastructure server MOCOR1 and their secondary infrastructure server MOCOR2.

    Active Directory and DNS

    Active Directory is the directory service for Windows Server 2003, Standard Edition. It stores information about objects on the network and makes it easy for administrators and users to find and use this information. The Active Directory service uses a structured data store as the basis for a logical and hierarchical organization of directory information.

    In the medium IT environment, DNS is installed on both infrastructure servers. All clients are then configured to send all queries to the primary infrastructure server. DNS requests go to the secondary infrastructure server only if the primary server is unavailable or does not respond.

    DNS is automatically installed on the primary infrastructure server. The installation of DNS is integrated with the installation of Active Directory on that server. After completing the Active Directory installation wizard on the primary server, both DNS and Active Directory are installed and configured.

    The installation of DNS on the second server is done manually after Active Directory is installed. Both DNS servers are set up as Active Directory-integrated DNS servers, which means that the DNS information is stored in Active Directory.

    Dynamic Host Configuration Protocol

    DHCP dramatically reduces the management overhead associated with IP address management. DHCP dynamically manages the allocation of IP addresses and the IP configuration of network devices that are configured as DHCP clients. DHCP clients require less manual configuration and are easy to support. However, static IP address configuration is required for servers, such as the servers running DNS, DHCP, Active Directory, and other services. This is because many services require a static IP address before installation, or because the servers need variances from the standard scope options assigned by DHCP.

    Configuring Redundancy

    In the medium IT environment, the DHCP service needs to be hosted on both infrastructure servers to provide redundancy. This section provides guidance on implementing the DHCP service across the two servers.

    There are several ways in which two DHCP servers can be configured to provide redundant services in the medium IT environment. These include:

    Extraordinarily long lease time: The DHCP servers are configured to provide an extraordinarily long lease time (such as one to two weeks or longer). This configuration may help minimize client connectivity issues if a DHCP server fails. This happens because the clients keep the IP address leased to them for the duration of the lease if they are unable to contact the DHCP server. If all clients have obtained their IP configuration by the time the DHCP server fails, the environment will continue to operate normally provided the DHCP server comes back online prior to expiration of the lease. If the server is not restored prior to lease expiration, client computers will lose connectivity if the computers are restarted or when new computers are added to the network while the DHCP server is down. Therefore, only partial reliability is achieved.

    Standby DHCP server: A standby DHCP server is activated only in case the primary infrastructure server fails. If the primary infrastructure server fails, the secondary infrastructure server can be immediately activated, resulting in no or very limited downtime for the clients. However, the problem with this configuration is that the activation of the backup DHCP server must be done manually because the failover is not automatic.

    Non-overlapping scopes: Two DHCP servers are configured with non-overlapping scopes. In this configuration, each scope should have enough IP addresses to serve the entire environment in the event of a server failure. If one server fails, the other server should have enough IP addresses available to service all client requests. This option overcomes the weaknesses of the other options because there is no service degradation during a server failure, and the failover is automatic.

    Choice: Extraordinarily long lease time
      Advantages: Low cost: Requires only a single DHCP server.
      Disadvantages: Availability: Services are limited or only partially available during an outage. Reboots and addition of new machines during the outage will not get proper connectivity for the machines.

    Choice: Standby DHCP server
      Advantages: Centralization: Keeps the entire DHCP deployment on a single server.
      Disadvantages: No automatic failover: An administrator must detect the failure of the main server and manually activate the second server.

    Choice: Non-overlapping scopes
      Advantages: Automatic failover: This configuration has automatic failover. Full service: There is no degradation in service experienced by the clients during a service outage on one of the servers.
      Disadvantages: Additional cost: Requires at least two servers to implement.

    Table 7. DHCP Redundancy Configuration Choices

    The Medium Business Solution for Core Infrastructure recommends implementing two non-overlapping scopes, one each on the primary and secondary servers.

    It is important to ensure that the scope configured on each server has enough IP addresses to serve the entire environment in the event of a server failure. The medium IT environment may have up to 250 clients, so each scope should be able to provide at least 250 IP addresses.

    Lucerne Publishing implemented DHCP on the primary infrastructure server in conjunction with the old DHCP server. Once the scope was active on the primary infrastructure server, they were able to turn off the portion of the scope on the former PDC. Lucerne Publishing then set up the non-overlapping portion of the scope on the secondary infrastructure server.
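    Sizing the two scopes, as an added example that is not from the guide: a Python check, built on the standard ipaddress module, that computes how many addresses each scope can actually lease once exclusions are taken out, confirms that each scope on its own covers the 250 clients this section allows for, and confirms that the two scopes do not overlap. Scope boundaries follow the 10.0.1.x and 10.0.2.x ranges in Table 4; the function names are this example's own.

```python
"""Non-overlapping DHCP scope check for the two infrastructure servers.

Added example, not code from the guide. Scope boundaries follow Table 4
(10.0.1.x on the primary server, 10.0.2.x on the secondary, both inside
10.0.0.0/16); the 250-client figure is the guide's own upper bound.
"""
import ipaddress

REQUIRED_CLIENTS = 250   # the guide's upper bound for the medium IT environment


def scope(network: str, first: str, last: str, exclusions=()):
    """Describe a DHCP scope: an address range inside a subnet plus excluded sub-ranges."""
    net = ipaddress.ip_network(network)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo not in net or hi not in net or lo > hi:
        raise ValueError(f"range {first}-{last} is not a valid range inside {network}")
    excl = [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in exclusions]
    return {"network": net, "first": lo, "last": hi, "exclusions": excl}


def usable_addresses(s) -> int:
    """Addresses the scope can lease: the range size minus excluded addresses inside it."""
    total = int(s["last"]) - int(s["first"]) + 1
    for a, b in s["exclusions"]:
        lo, hi = max(a, s["first"]), min(b, s["last"])
        if lo <= hi:
            total -= int(hi) - int(lo) + 1
    return total


def overlaps(a, b) -> bool:
    return a["first"] <= b["last"] and b["first"] <= a["last"]


def label(s) -> str:
    return f"{s['first']}-{s['last']}"


def check_redundancy(scopes, required=REQUIRED_CLIENTS):
    """Each scope must be able to serve the whole environment alone, and none may overlap."""
    problems = []
    for s in scopes:
        n = usable_addresses(s)
        if n < required:
            problems.append(f"scope {label(s)} has {n} usable addresses; {required} required")
    for i, a in enumerate(scopes):
        for b in scopes[i + 1:]:
            if overlaps(a, b):
                problems.append(f"scopes {label(a)} and {label(b)} overlap")
    return problems


# Scopes as laid out in Table 4.
PRIMARY_SCOPE = scope("10.0.0.0/16", "10.0.1.1", "10.0.1.254")
SECONDARY_SCOPE = scope("10.0.0.0/16", "10.0.2.1", "10.0.2.254")

if __name__ == "__main__":
    print("Table 4 scopes:", check_redundancy([PRIMARY_SCOPE, SECONDARY_SCOPE]) or "ok")
    short = scope("10.0.0.0/16", "10.0.2.1", "10.0.2.200")
    print("undersized secondary:", check_redundancy([PRIMARY_SCOPE, short]))
```

    A scope that nominally spans 254 addresses can still fall below the 250 threshold once a few addresses are excluded for other uses, which is why the check counts usable addresses rather than the range size.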

    Configuring Static IP Addresses

    There are two ways to assign static IP addresses to network devices. These are:

    Manual configuration: Manually configuring the network parameters of each device that requires a static IP address.

    DHCP reservations: In DHCP, reserve the IP address for the device that requires the static IP address. The device is identified by its media access control (MAC) address, and is always assigned the reserved IP address by the DHCP servers.

    The following table presents the advantages and disadvantages of these choices.

    Choice: Manual configuration
      Advantages:
        No advance information gathering: There is no need to gather all of the MAC addresses ahead of time.
        No administration overhead: Configuration can be performed by anyone because it does not require access to the infrastructure servers.
        Single configuration: Each device only has to be set up once.
      Disadvantages:
        Disorganized: It is easy to lose track of the devices that are configured with a static IP address.
        IP conflicts: It is possible to accidentally configure more than one device with the same IP address.
        Complex: The method of configuring each device is different. There is no standardization across devices, so each individual device must be figured out.
        Difficult to change: If there is ever a change required in an environment, such as a new address or scope option, each device will have to be visited and manually reconfigured.

    Choice: DHCP reservations
      Advantages:
        Standard configuration: The steps to configure network parameters may differ in different devices from different manufacturers. Using reservations only requires enabling the device for DHCP.
        Apply uniform settings: Enables configuring uniform options (such as gateway and WINS server) on all devices requiring static addresses.
        Directory of addresses: The list of reservations provides a convenient directory of all network devices that are in use.
        Simplicity: DHCP reservations simplify making changes to IP configuration, such as a change in DNS server or gateway.
      Disadvantages:
        Cumbersome: You need to gather the MAC address of all devices requiring a static IP address, and manually enter the network addresses and configure reservations on both DHCP servers.
        Human error: MAC addresses are long, complex strings, and there are chances of typing errors while entering the values into the servers.
        Additional overhead: Changes in the MAC address require updates to reservations on both infrastructure servers.

    Table 8. Static IP Address Configuration Choices

    The Medium Business Solution for Core Infrastructure recommends using DHCP reservations to assign static IP addresses to devices such as servers, printers, network devices, and scanners. This facilitates management of the IP configuration on these devices. In addition, DHCP reservations provide centralized documentation of all static IP addresses that are in use. The list of reservations can be used as a troubleshooting tool because it shows whether the address lease for a device is active or inactive. This can be useful in determining whether a problematic device is communicating properly with the DHCP servers. In addition, it enables making changes to the IP configuration from the DHCP server itself.

    Lucerne Publishing decided to use DHCP reservations for all devices, even though there were a large number of hardware devices in the environment and using DHCP reservations required the IT staff to gather the MAC addresses of all of the devices and manually enter them in DHCP. The IT staff of Lucerne Publishing decided to put in the initial effort because once this task was complete, they found the centralized database of all devices invaluable. They also realized that this was the last time they would ever have to perform this task, because any future IP address changes would be easy to accomplish.

    However, the following servers are exceptions, and the IP configuration on these servers needs to be done manually and not through DHCP reservations:

    Primary and secondary infrastructure servers: The DNS service hosted on these servers requires them to be manually configured with static IP addresses.

    Firewall server: The firewall server will not have the same default gateway as the rest of the servers.
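    The two error-prone steps in Table 8, gathering MAC addresses and entering them on both servers, as an added example that is not from the guide: Python helpers that normalize a MAC address from the different formats devices print it in, report invalid or duplicate MAC and IP entries in a reservation list, and diff the reservation lists of the two infrastructure servers so that a typo on one of them is caught before a device gets the wrong address. Device names follow Table 5; the MAC addresses and reservation lists are constructed sample data, and the function names are this example's own.

```python
"""DHCP reservation hygiene checks.

Added example, not code from the guide. Device names follow Table 5; the MAC
addresses and the reservation lists below are constructed sample data, and the
function names are this example's own.
"""
import ipaddress
import re

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw: str) -> str:
    """Accept 00-1A-2B-3C-4D-5E, 00:1a:2b:3c:4d:5e, 001a.2b3c.4d5e or 001A2B3C4D5E;
    return the canonical lower-case, hyphen-separated form."""
    digits = re.sub(r"[-:.\s]", "", raw.strip().lower())
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"invalid MAC address: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_reservations(reservations, network: str):
    """reservations: iterable of (device name, MAC, IP). Returns a list of problems."""
    net = ipaddress.ip_network(network)
    problems, by_ip, by_mac = [], {}, {}
    for name, mac, ip in reservations:
        try:
            mac = normalize_mac(mac)
        except ValueError as err:
            problems.append(f"{name}: {err}")
            continue
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"{name}: {ip} is outside {network}")
        if addr in by_ip:
            problems.append(f"duplicate IP {ip}: {by_ip[addr]} and {name}")
        if mac in by_mac:
            problems.append(f"duplicate MAC {mac}: {by_mac[mac]} and {name}")
        by_ip.setdefault(addr, name)
        by_mac.setdefault(mac, name)
    return problems


def diff_servers(primary, secondary):
    """Reservations must match on both infrastructure servers.
    Returns (MACs only on primary, MACs only on secondary, MACs whose IP differs)."""
    def index(rs):
        return {normalize_mac(m): ipaddress.ip_address(ip) for _, m, ip in rs}
    a, b = index(primary), index(secondary)
    only_a = sorted(a.keys() - b.keys())
    only_b = sorted(b.keys() - a.keys())
    mismatched = sorted(m for m in a.keys() & b.keys() if a[m] != b[m])
    return only_a, only_b, mismatched


# Constructed sample data: device names from Table 5, addresses from the
# static ranges in Table 4, MAC addresses made up for this example.
PRIMARY_RESERVATIONS = [
    ("LJ4KACCT", "00-1A-2B-3C-4D-5E", "10.0.0.41"),
    ("SCANRSLS", "00:1a:2b:3c:4d:5f", "10.0.0.42"),
    ("MOXRNT",   "001a.2b3c.4d60",    "10.0.0.4"),
]
SECONDARY_RESERVATIONS = [
    ("LJ4KACCT", "00-1A-2B-3C-4D-5E", "10.0.0.41"),
    ("SCANRSLS", "00-1A-2B-3C-4D-5F", "10.0.0.43"),   # typo: wrong last octet
]

if __name__ == "__main__":
    print("primary list:", check_reservations(PRIMARY_RESERVATIONS, "10.0.0.0/16") or "ok")
    print("primary vs secondary:", diff_servers(PRIMARY_RESERVATIONS, SECONDARY_RESERVATIONS))
```

    Normalizing the MAC before comparison matters because the same card is routinely written three different ways (by the device label, by the switch, and by the DHCP console), and a duplicate that differs only in case or separators would otherwise slip through.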


    Windows Internet Name Service (WINS)

    WINS is the Microsoft implementation of the NetBIOS name resolution service. WINS resolves NetBIOS names of devices to their IP addresses. This helps cut down on broadcast traffic because when a device has the NetBIOS name of another device and wants the IP address of that device, it can query the WINS server rather than sending out a broadcast on the network.

    It is important in the medium IT environment to have redundant WINS servers because WINS is a critical service and needs to be reliable. Hosting WINS on multiple servers requires designing a replication topology that will keep all WINS servers synchronized without creating excessive network traffic.

    The Medium Business Solution for Core Infrastructure recommends configuring the primary and secondary infrastructure servers as WINS replication partners.

    Lucerne Publishing began by setting up their new infrastructure servers as replication partners with the existing WINS servers in the environment. This allowed the WINS database to be automatically replicated to the new servers. As the original WINS servers were retired, they were removed from the replica set on the new servers.

    Group Policy

    GPOs can be used in a domain environment to automatically apply configuration to client devices, servers, and the user environment. There is a minimum set of Group Policy settings that should be applied, even if you do not plan to implement any other Group Policy settings in your environment. This minimum set of Group Policy settings is used to apply basic security settings at the domain level.

    The Medium Business Solution for Core Infrastructure provides a core domain-level GPO as part of the core infrastructure. Because this GPO is applied at the domain level, organizational units are not required. It is strongly recommended to implement this GPO.

    Lucerne Publishing found that the implementation of the core domain-level GPO provided with the Medium Business Solution for Core Infrastructure was the perfect answer to automatically enforce the stronger security requirements that the IT department had been looking to implement for some time.

    For more information on Active Directory, organizational units, Group Policy, and additional GPOs for the medium IT environment, refer to the Medium Business Solution for Management and Security using Active Directory Group Policy.

    Hardware Recommendations

    When choosing hardware for the infrastructure servers, the critical factors to be considered are:
      Processor and random access memory (RAM).
      Storage configuration.

    Processor and Random Access Memory (RAM)

    When selecting processors for the infrastructure servers, consider the tasks that the servers will perform when the environment is fully built. In the medium IT environment, it is not expected that the basic network services will place a significant burden on the processors.

    Among all the additional services that are recommended to be hosted on the infrastructure servers, only the messaging service requires more processing power. Therefore, a faster processor should be used on the secondary infrastructure server if messaging services are hosted on it.

    In many cases, the guidelines for selecting RAM very closely follow the guidelines for selecting the processor. For the basic infrastructure services and for providing additional services such as file and print services, a large amount of RAM is not required. However, for messaging services, additional RAM can improve performance.

    Storage Configuration

    Direct-attached storage (DAS) is used on the infrastructure servers for storing the system files and data. For general considerations and guidelines on choosing direct-attached storage, refer to the Guidelines for Choosing DAS Storage section in Appendix I of this solution.

    When configuring RAID on the infrastructure servers, consider the following options:
      Configure all drives as a single partition on a RAID 5 array.
      Configure all drives as multiple partitions on a RAID 5 array.
      Configure a system partition on a RAID 1 array and a data partition on a RAID 5 array.

    Configuring all drives as a single partition on a RAID 5 array offers the advantage of simplicity. This configuration also avoids issues that may occur later where one partition becomes full while other partitions have a lot of free space. However, this configuration does not remain viable when partitions become very large, because performance suffers. In addition, with large partitions, certain features in the operating system no longer work. For example, you cannot use the built-in Windows backup utility to back up a partition to a file that is on the same partition.

    Configuring all drives as multiple partitions on a RAID 5 array avoids some of the performance-related issues of very large partitions. However, it creates additional issues, such as having to choose the partitions onto which services and data should be deployed. When the partitions become full, there is no easy way to move these services to a different location.

    Configuring the system partition on a RAID 1 array and the data partition on a separate RAID 5 array eliminates all the issues that are present in the two other options discussed. In this configuration, the RAID 1 system partition uses only two disks and is a smaller partition. Only the operating system and other system files, such as patches and service packs, are placed on this drive. The RAID 5 partition is used for applications and data and is only required if the server hosts any of the following services:
      File service
      Messaging service
      Collaboration service

    Recommendations

    The Medium Business Solution for Core Infrastructure recommends configuring a system partition on a RAID 1 array.

    In addition, configure a utility partition. Most manufacturers provide a means to set up a utility partition on the disk that is designed to hold system and hardware utilities that can be used to aid configuration and troubleshooting of the hardware. Ensure that these utilities are set up according to the instructions provided by the manufacturer.

    The following hardware is recommended for the infrastructure servers in the medium IT environment:
      Intel Xeon-based processor of at least 2.4 GHz.
      1 GB of RAM.
      SCSI RAID controller.
      Two SCSI hard drives with the following configuration:
        Minimum 10,000 RPM (15,000 RPM recommended).
        18 GB or greater in capacity.
      10/100/1000-Mbps Ethernet card.
      Remote management card.
      Redundant power supply.

    3-22 Medium IT Solution Series

  • 8/3/2019 Chapter 3 Network and Directory Services

    28/46

    Note: If you plan to deploy the file, print, messaging, or collaboration services on the infrastructure servers, you will require an additional RAID 5 array for the data partition. For information on the additional hardware requirements for these services, refer to the following documents:
    - Chapter 5, File Services of this solution.
    - Medium Business Solution for Messaging Services.
    - Medium Business Solution for Collaboration Services.
    - Medium Business Solution for Print Services.

    Lucerne Publishing performed a hardware inventory on their primary domain controller (PDC) and backup domain controllers (BDCs) and determined that their existing hardware was insufficient to run Windows Server 2003. Having budgeted for new hardware, Lucerne Publishing purchased new servers meeting the above configuration recommendations. Lucerne Publishing also realized that they planned to use their secondary infrastructure server for hosting messaging services. As a result, when they purchased this server, they also incorporated the guidelines in the Medium Business Solution for Messaging Services, and configured the server with 2-GB RAM (because messaging is a critical application for them), and six 15,000 RPM SCSI drives: two 18-GB drives in a RAID 1 array for the operating system, and three 18-GB drives in a RAID 5 array (resulting in approximately 36 GB of usable space) for Exchange and the messaging databases. The sixth drive was used as a hot spare in case any of the drives failed.

    Bill of Materials

    The following table presents the bill of materials required to build the network and directory services in the medium IT environment.

    Description                            Quantity           Approximate Price (as of December 2004)
    Domain name                            For one year       $10-$35
    Windows Server 2003, Standard Edition  2                  $999 each (includes 5 client access licenses)
    Server Hardware                        2                  $3,000-$5,000 each
    Client Licenses                        Number of clients  $199 for each pack of five

    Table 9. Bill of Materials


    DNS domain name: The DNS domain name should be the same as the primary publicly registered domain name, that is, BusinessName.com.

    Public domain name: If the organization does not already own a public domain name, a public domain name will need to be selected and purchased from a domain name registrar. For an example, refer to the following URL: http://www.bcentral.com/products/wh/dnr.asp
    Lucerne Publishing already owned the domain name lucernepublishing.com, and elected to use that.

    MAC addresses: There should be a list with the names and MAC addresses of all of the network devices in the environment, including:
    - Routers, switches, firewalls, access points, or other network devices (excluding servers or network-attached storage devices).
    - Printers.
    - Scanners.
    - Video cameras.

    Note: Follow the manufacturer's instructions for each device in the environment to obtain the MAC or hardware address. Also note that each device must be configured to obtain the IP configuration through DHCP (on some devices this is referred to as "automatic configuration" or "obtain settings automatically"). Follow the manufacturer's instructions to configure the device to get IP configuration automatically from a DHCP server.

    Downloads: From a computer that is already securely connected to the Internet, download the Group Policy Management Console installation file from the following URL and save it to a CD disk or a USB drive:

    http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

    Configuring External DNS Records

    To access various services provided by the internal servers over the Internet using the domain name of the organization, the DNS names of these services must be updated on the public DNS servers of the ISP. The following table lists DNS records that should be updated on the DNS server for a medium business.

    Fully Qualified Domain Name (FQDN)  Record Type  Service             IP Address (or CNAME target)
    remote.BusinessName.com             A            Terminal Services   Static IP address used on the firewall server.
    mail.BusinessName.com               CNAME        Outlook Web Access  remote.BusinessName.com
    extranet.BusinessName.com           CNAME        Extranet            remote.BusinessName.com


    Secondary WINS server: 10.0.0.2

    2. Install the Windows Support Tools on both servers. To install the Windows Support Tools, browse to the \support\tools directory on the installation CD. Right-click the suptools.msi file and click Install.

    The support tools might get updated in a service pack, so you may needto use the support tools that come with the latest service pack.

    Note: The Windows Server 2003 installation CD will be required several times throughout the remainder of this chapter. It is a good idea to keep the CD in an easily accessible location.

    Performing Initial Security Audit

    After initial configuration of the two infrastructure servers, perform a security audit on both computers in the environment before continuing with the configuration of other services. This will ensure that your baseline installation is secure and was done properly. To perform the security audit, complete the following steps:

    1. Begin by installing any updates available for the server and the installed software.

    2. After all servers in the environment have been configured, it is important to run the Microsoft Baseline Security Analyzer (MBSA) tool against all computers in the environment.

    For more information on downloading, installing, and running MBSA, refer to Appendix I of this solution.

    Installing and Configuring Active Directory

    Active Directory needs to be installed on both the infrastructure servers (SMBDC and SMBEX). Installing and configuring Active Directory involves the following tasks:

    1. Make SMBDC a domain controller.
    2. Raise the domain functional level of the domain created to Windows Server 2003.
    3. Make SMBEX a domain controller.
    4. Make SMBEX a global catalog server.
    5. Create a long, complex password for the administrative account.

    Make SMBDC a domain controller by performing the following steps:

    1. Run the dcpromo command on SMBDC to start the Active Directory Installation Wizard.
    2. Complete the wizard by performing the following:
       a. Click the Domain controller for a new domain option.
       b. Click the Domain in a new forest option.


       c. Type the DNS name gathered in the "Gathering Information for Initial Configuration" section in the Full DNS name for new domain text box. For example, lucernepublishing.com.
       d. Type the earlier DNS name without suffix in the Domain NetBIOS name text box. If the DNS name without suffix is longer than 15 characters, type an abbreviation with at most 15 characters. In the case of Lucerne Publishing, they chose to use the NetBIOS name Lucerne, because lucernepublishing is longer than 15 characters.
       e. If the server is configured with a single partition, accept the default locations for Database and Log Folders. If there is a separate system and data partition configured, change the drive letter to the drive letter of the data partition.
       f. If the server is configured with a single partition, accept the default location for the SYSVOL folder. If there is a separate system and data partition configured, change the drive letter to the drive letter of the data partition.
       g. Click Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server.
       h. Click Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems.
       i. Ensure that the password you supply for Directory Service Restore Mode is secure and documented in a safe location.
       j. After completing the wizard, click the Restart Now button.

    Raise the domain functional level of the domain created to Windows Server 2003 by performing the following steps:

    1. Open the Active Directory Users and Computers Microsoft Management Console (MMC).
    2. Right-click the domain name and click Raise Domain Functional Level.
    3. On the Raise Domain Functional Level screen, select Windows Server 2003 from the Select an available domain functional level drop-down list, then click the Raise button.
    4. Click OK on any warning messages that display.

    Make SMBEX a domain controller by performing the following steps:

    1. Run the dcpromo command on SMBEX to start the Active Directory Installation Wizard.
    2. Complete the wizard by performing the following:
       a. Select the Additional domain controller for an existing domain option.
       b. Type the administrator credentials for the domain.
       c. Type the domain name (for example, BusinessName.com).
       d. Type the password for Directory Services Restore Mode, which is the same password as that provided on SMBDC.
       e. After completing the wizard, click the Restart Now button.

    Make SMBEX a global catalog server by performing the following steps:


    1. Open the Active Directory Sites and Services MMC.
    2. Expand Sites, Default-First-Site-Name, Servers, and SMBEX.
    3. Right-click NTDS Settings and click Properties.
    4. Select the Global Catalog check box and click OK.
    5. Close the MMC.

    Create a long, complex password for the administrative account. The administrator account name is well known and therefore it is best practice to use a long, complex password for this account. Perform the following steps to change the password:

    1. Log on to a domain controller using the administrator credentials.
    2. Open the Active Directory Users and Computers MMC.
    3. Expand the domain name, and click the Users folder.
    4. Right-click the administrator account and click Reset Password.
    5. Type a new password in the New Password and Confirm Password text boxes. Use the following guidelines for selecting a complex password:
       - Use a phrase, rather than using a single word.
       - Use all four classes of characters: capital letters, lowercase letters, numbers, and symbols.
       - Ensure that the password is at least 15 characters in length.
       - Do not use any part of the user name.
       - Do not use symbols or numbers only at the beginning or end of the password; use them throughout.
       - Do not use any word that can be found in a dictionary or any proper nouns as part of your password.
       - The most secure password is a random string of characters consisting of the four classes of characters mentioned previously.
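As an added example, not from the original solution guide, the following Python function applies the guidelines above to a candidate administrator password and reports which ones it violates. The word list and the sample passwords are constructed stand-ins for illustration; a real check would load a full dictionary.

```python
"""Evaluate a candidate password against the chapter's complexity
guidelines. Each violated guideline yields a short code (added example)."""
import re
from typing import List, Sequence

# Constructed stand-in for a real dictionary; a production check would
# load a complete word list instead of this handful of words.
DICTIONARY_WORDS: Sequence[str] = ("password", "admin", "lucerne",
                                   "publishing", "summer")


def password_findings(password: str, user_name: str,
                      dictionary: Sequence[str] = DICTIONARY_WORDS) -> List[str]:
    """Return the guideline codes the password violates (empty list = passes)."""
    findings: List[str] = []
    lowered = password.lower()

    # Guideline: at least 15 characters.
    if len(password) < 15:
        findings.append("too_short")

    # Guideline: all four character classes (upper, lower, digit, symbol).
    if not any(c.isupper() for c in password):
        findings.append("missing_uppercase")
    if not any(c.islower() for c in password):
        findings.append("missing_lowercase")
    if not any(c.isdigit() for c in password):
        findings.append("missing_digit")
    if not any(not c.isalnum() for c in password):
        findings.append("missing_symbol")

    # Guideline: numbers and symbols throughout, not only at the ends.
    # Strip non-letters from both ends; if nothing non-alphabetic is left
    # in the middle, every digit/symbol sat at an edge.
    i, j = 0, len(password)
    while i < j and not password[i].isalpha():
        i += 1
    while j > i and not password[j - 1].isalpha():
        j -= 1
    core = password[i:j]
    has_non_letter = any(not c.isalpha() for c in password)
    if has_non_letter and core and all(c.isalpha() for c in core):
        findings.append("edges_only")

    # Guideline: no part of the user name (pieces of 3+ characters).
    for part in re.split(r"[^A-Za-z0-9]+", user_name.lower()):
        if len(part) >= 3 and part in lowered:
            findings.append("user_name_part")
            break

    # Guideline: no dictionary word anywhere in the password.
    if any(word in lowered for word in dictionary):
        findings.append("dictionary_word")

    return findings


if __name__ == "__main__":
    # Constructed sample passwords checked against the well-known account name.
    for candidate in ("Administrator2024!", "Vial-17 Moss+Quartz3"):
        print(repr(candidate), "->",
              password_findings(candidate, "administrator") or "passes")
```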

    Installing and Configuring DNS

    DNS gets installed automatically on the first server in the new domain, SMBDC. DNS must be installed and configured manually on SMBEX, which involves the following tasks:

    1. Install DNS on SMBEX.
    2. Perform a manual replication of Active Directory to ensure that the DNS information is transferred to SMBEX.
    3. Configure forwarders on both the DNS servers.
    4. Configure reverse lookup zones on the DNS servers.
    5. Configure each zone created in DNS with the e-mail address of the responsible person for the zone.

    Install DNS on SMBEX by performing the following steps:

    1. Open Add or Remove Programs and click Add/Remove Windows Components.


    2. In the Windows Component Wizard, highlight Networking Services (do not select the check box) and click Details.
    3. In the Networking Services dialog box, select the DNS check box.
    4. Click Next to begin the installation.
    5. If prompted, insert the Windows Server 2003 CD.

    Perform a manual replication of Active Directory by performing the following steps on either server:

    1. Open the Active Directory Sites and Services MMC on SMBDC.
    2. Navigate to Site Name (default is Default-First-Site-Name), Servers, SMBDC, and NTDS Settings.
    3. Right-click the automatically generated connection and click Replicate Now.
    4. Open the DNS Management console and verify that all of the zones created on SMBDC now show on SMBEX too.
    5. Once DNS is installed and operational, change the DNS server in the IP configuration of SMBEX to point to 10.0.0.3 (its own IP address). Configure the secondary DNS server to point to 10.0.0.2.

    Configure forwarders on both the DNS servers by performing the following steps:

    1. On each DNS server, right-click the server name in the DNS Management console and click Properties.
    2. Click the Forwarders tab.
    3. Enter the IP addresses of at least two public DNS servers in the order provided by your ISP (as per the information gathered in the "Gathering Information for Initial Configuration" section earlier in this chapter).

    Configure reverse lookup zones on both DNS servers by performing the following steps:

    1. With the DNS Management Console still open, expand the <server name>, right-click Reverse Lookup Zone, and click New Zone.
    2. Complete the New Zone wizard by specifying the following settings:
       - On the Zone Type page, choose the following options:
         - Primary zone
         - Store zone in Active Directory
       - On the Active Directory Zone Replication Scope page, choose: To all DNS servers in the Active Directory forest <BusinessName.com>
       - On the Reverse Lookup Zone Name page, enter the following network ID: 10.0
       - On the Dynamic Update page, choose the following option: Allow only secure dynamic updates (recommended for Active Directory)

    Configure the responsible person for each zone created in DNS by performing the following steps on either server.


    1. Click the zone name in the DNS Management console.
    2. Right-click the zone and click Properties.
    3. Click the Start of Authority (SOA) tab.
    4. Enter the e-mail address of the administrative account, substituting a "." for the "@" symbol (for example, administrator.BusinessName.com).

    Configure the Windows Time Service

    Configure the Windows Time Service on SMBDC by performing the following steps:

    1. Open a command prompt window.
    2. Type w32tm /config /manualpeerlist:"time.windows.com tock.usno.navy.mil" /syncfromflags:manual and press ENTER. The quotation marks are required because the peer list contains a space. "The command completed successfully" should be displayed.
    3. Type w32tm /config /update and press ENTER. "The command completed successfully" should be displayed.

    Installing and Configuring DHCP

    Installing and configuring DHCP involves the following tasks:

    1. Install the DHCP service.
    2. Authorize the DHCP servers.
    3. Create a new scope on SMBDC.
    4. Create a new scope on SMBEX.
    5. Configure reservations for network devices requiring static IP addresses.
    6. Enable dynamic updates.
    7. Enable server-side conflict detection on both servers.

    Install the DHCP service by performing the following steps on both the infrastructure servers:

    1. Open Add or Remove Programs in Control Panel and click Add/Remove Windows Components.
    2. In the Windows Component Wizard, highlight Networking Services (do not select the check box) and click Details.
    3. In the Networking Services dialog box, select the DHCP check box.
    4. Click OK and complete the wizard.

    Authorize the new servers by performing the following steps:

    1. Open the DHCP console under the Administrative Tools folder.
    2. Click the server name in the DHCP console.
    3. Right-click the server name and click Authorize.

    Create a new scope on SMBDC by performing the following steps:

    1. Right-click the server name and click New Scope to start the New Scope Wizard.
    2. Enter the following information while running the wizard:


       a. On the Scope Name page, enter the name of the scope (for example, you can use the same name as the name of the server, that is, SMBDC).
       b. On the IP Address Range page, enter the following information:
          - Start IP Address: 10.0.0.1
          - End IP Address: 10.0.2.254
          - Length: 16 bits
       c. On the Add Exclusions page, add the following exclusions:
          - 10.0.0.1 to 10.0.0.255
          - 10.0.2.0 to 10.0.2.254
          On the Lease Duration page, accept the default 8-day lease duration.
       d. On the Configure DHCP Options page, select Yes, I want to configure these options now.
       e. On the Router (Default Gateway) page, add the default gateway address (10.0.0.1).
       f. On the Domain Name and DNS Servers page, add the parent domain (for example, BusinessName.com), and configure SMBDC (10.0.0.2) as the primary DNS and SMBEX (10.0.0.3) as the secondary DNS.
       g. On the WINS Servers page, add SMBDC (10.0.0.2) as the primary WINS server and SMBEX (10.0.0.3) as the secondary WINS server.
       h. On the Activate Scope page, click Yes, I want to activate this scope now.

    Create a new scope on SMBEX by performing the steps in the previous task, but with the following exceptions:

    - Name of the scope: SMBEX
    - Use the following exclusions:
      - 10.0.0.1 to 10.0.0.255
      - 10.0.1.0 to 10.0.1.255
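The two scopes share one address range but exclude different blocks, so each server hands out a distinct pool of addresses. The following Python check, added here and not part of the original guide, computes each server's effective pool (range minus exclusions), confirms the two pools do not overlap, and confirms that the gateway and both infrastructure servers can never be leased to a client; all addresses are the chapter's own.

```python
"""Verify the chapter's split-scope DHCP plan: per-server lease pools,
pool overlap, and protection of statically addressed infrastructure."""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

IPRange = Tuple[str, str]  # inclusive (start, end), dotted-quad strings

# Values from this chapter: the same range on both servers, each with
# exclusions that leave it a different 10.0.x.0 block to lease from.
SCOPE_RANGE: IPRange = ("10.0.0.1", "10.0.2.254")
SCOPE_EXCLUSIONS: Dict[str, List[IPRange]] = {
    "SMBDC": [("10.0.0.1", "10.0.0.255"), ("10.0.2.0", "10.0.2.254")],
    "SMBEX": [("10.0.0.1", "10.0.0.255"), ("10.0.1.0", "10.0.1.255")],
}
# Statically addressed infrastructure that a lease must never collide with.
INFRASTRUCTURE: Dict[str, str] = {
    "default gateway": "10.0.0.1",
    "SMBDC (DNS/WINS)": "10.0.0.2",
    "SMBEX (DNS/WINS)": "10.0.0.3",
}


def expand_range(r: IPRange) -> Set[int]:
    """Every address in an inclusive range, as a set of integers."""
    start, end = (int(ipaddress.IPv4Address(a)) for a in r)
    if start > end:
        raise ValueError(f"range {r} is reversed")
    return set(range(start, end + 1))


def lease_pool(scope_range: IPRange, exclusions: Iterable[IPRange]) -> Set[int]:
    """Addresses a server can actually lease: the range minus its exclusions."""
    pool = expand_range(scope_range)
    for ex in exclusions:
        pool -= expand_range(ex)
    return pool


def summarize(pool: Set[int]) -> Tuple[str, str, int]:
    """(lowest address, highest address, size) of a pool in dotted-quad form."""
    if not pool:
        return ("", "", 0)
    return (str(ipaddress.IPv4Address(min(pool))),
            str(ipaddress.IPv4Address(max(pool))), len(pool))


def check_split_scope() -> Dict[str, object]:
    """Evaluate the plan and return the findings as plain data."""
    pools = {name: lease_pool(SCOPE_RANGE, exc)
             for name, exc in SCOPE_EXCLUSIONS.items()}
    overlap = pools["SMBDC"] & pools["SMBEX"]
    # Any infrastructure address that lands in some pool could be leased
    # out, producing an address conflict with the gateway or a server.
    leased_infra = [
        label for label, addr in INFRASTRUCTURE.items()
        if any(int(ipaddress.IPv4Address(addr)) in p for p in pools.values())
    ]
    return {
        "pools": {name: summarize(p) for name, p in pools.items()},
        "overlap": len(overlap),
        "infrastructure_in_pool": leased_infra,
    }


if __name__ == "__main__":
    result = check_split_scope()
    for name, (low, high, count) in result["pools"].items():
        print(f"{name}: {low} - {high} ({count} addresses)")
    print("overlapping addresses:", result["overlap"])
    print("infrastructure addresses a client could receive:",
          result["infrastructure_in_pool"] or "none")
```

Drop one exclusion from a server's list and rerun the check to see the overlap count jump, which is the conflict that server-side conflict detection (configured later in this section) would otherwise have to catch at lease time.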

    Configure reservations on both servers by performing the following steps:

    1. Right-click Reservations and click New Reservation.
    2. Fill in the host name for name, IP address, MAC, and a meaningful description (for example, HPLJ1500NP for an HP LaserJet 1500 network printer). Use the MAC addresses gathered in the "Gathering Information for Initial Configuration" section earlier in this chapter.
    3. Repeat the process for each network device (for example, routers, scanners, cameras, and switches) in the environment.

    Enable dynamic updates on both servers by performing the following steps:

    1. Right-click the server name and click Properties.
    2. Click the DNS tab.
    3. Select all the following three check boxes on the DNS tab:
       - Enable DNS dynamic updates according to the settings below


       - Discard A and PTR records when lease is deleted
       - Dynamically update DNS A and PTR records for DHCP clients that do not request updates (for example, clients running Windows NT 4.0)

    Enable server-side conflict detection on both servers by performing the following steps:

    1. Right-click the server name and click Properties.
    2. Click the Advanced tab.
    3. Set the Conflict Detection Attempts value to 2.

    Installing and Configuring WINS

    Installing and configuring WINS involves the following tasks:

    1. Install the WINS service on both servers.
    2. Configure the WINS servers as replication partners.
    3. Enable WINS forward and reverse lookup on both servers.

    Install the WINS service by performing the following steps on both the infrastructure servers (SMBDC and SMBEX):

    1. Open Add or Remove Programs and click Add/Remove Windows Components.
    2. In the Windows Component Wizard, highlight Networking Services (do not select the check box) and click Details.
    3. Select the Windows Internet Name Service (WINS) check box.
    4. Click OK and complete the wizard.
    5. If prompted, insert the Windows Server 2003 CD.

    Configure the WINS servers as replication partners by performing the following steps on both servers:

    1. Open the WINS console under the Administrative Tools folder.
    2. Expand the server name.
    3. Right-click Replication Partners and click New Replication Partner.
    4. Enter the IP address of the other server.

    Enable WINS forward and reverse lookup by performing the following steps:

    1. On SMBDC, open the DNS console under the Administrative Tools folder.
    2. Expand the server name and then Forward Lookup Zones.
    3. Click to select the zone name (that is, BusinessName.com) of each forward lookup zone.
    4. Right-click the selected zone name and click Properties.
    5. Click the WINS tab.
    6. Select Use WINS forward lookup.
    7. Enter the address of both the WINS servers (10.0.0.2 and 10.0.0.3).


    8. On SMBDC in the DNS Management console, expand the server name and then Reverse Lookup Zones.
    9. Click to select the reverse lookup zone name.
    10. Right-click the zone name (that is, 10.0.x.x Subnet) of each reverse lookup zone and click Properties.
    11. Click the WINS-R tab.
    12. Select Use WINS-R lookup.
    13. Enter the domain name to append to the returned name (for example, BusinessName.com) and close the Properties page.

    Installing and Configuring the Certification Authority

    Install and configure CA on SMBDC by performing the following steps:

    1. Open Add or Remove Programs and click Add/Remove Windows Components.
    2. In the Windows Components Wizard dialog, select the Certificate Services check box. A message box displays a message that the computer cannot be renamed and that the computer cannot be added to or removed from a domain after certificate services are installed. Click Yes.
    3. Highlight Application Server (do not select the check box) and click Details.
    4. Select the Internet Information Services (IIS) check box and click OK.
    5. Click Next.
    6. On the CA Type page, select the Enterprise root CA option.
    7. On the CA Identifying Information page, enter the following information:
       - In the Common name for this CA field, enter the common name of the CA, for example MyBusinessName CA.
       - In the Validity period field, specify 10 years as the validity period for the root CA and click the Next button.
       - Accept the default storage locations for the certificate database and the certificate database log.
    8. Click the Next button.
    9. Click Yes on the warning about installing Active Server Pages (ASPs).
    10. Click Finish.
    11. Verify that you can get to the Web enrollment page by opening Internet Explorer and navigating to http://localhost/certsrv.

    Ensure that Session State is enabled for successful CA enrollment through the certsrv Web site:

    1. Open Internet Information Services Manager from Administrative Tools.


    2. Expand <servername> and then Web Sites. Then, right-click Default Web Site and click Properties.
    3. Click the Home Directory tab, and then under Application Settings, click Configuration.
    4. On the Application Configuration page, click the Options tab, and then ensure the Enable Session State check box is checked; if not, click to select it.
    5. Click OK on all screens and close IIS Manager.
    6. Restart IIS by typing iisreset at a command prompt.

    Installing Internet Authentication Service

    Install IAS on SMBDC by performing the following steps:

    1. Open Add or Remove Programs and click Add/Remove Windows Components.
    2. In the Windows Component Wizard, highlight Networking Services (do not select the check box) and click Details.
    3. In the Networking Services dialog box, select the Internet Authentication Service check box, click OK, and then click Next.
    4. When prompted, insert the Windows Server 2003 CD.
    5. After IAS is installed, click Finish, and then click Close.
    6. Open a command prompt and run the netsh ras add registeredserver command.

    The last step ensures that the IAS server is placed in the RAS and IAS Servers security group in Active Directory. This ensures that IAS servers have the appropriate permissions to read the remote access properties of user and computer accounts.

    Configuring Group Policy Objects

    The Medium Business Soluti