MCSE: Windows® 2000 Network Infrastructure Design Study Guide
William Heldman
SYBEX®
San Francisco • London

Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com
Associate Publisher: Neil Edde
Acquisition and Developmental Editor: Jeff Kellum
Reviser: Quentin Docter
Editor: Sarah Lemaire
Production Editor: Molly Glover
Technical Editors: Dale Liu, Larry Passo
Book Designer: Bill Gibson
Graphic Illustrator: Tony Jonick
Electronic Publishing Specialist: Jill Niles
Proofreaders: Nanette Duffy, Emily Hsuan, Laurie O’Connell, Yariv Rabinovitch, Nancy Riddiough
Indexer: Lynzee Elze
CD Coordinator: Christine Detlefs
CD Technician: Kevin Ly
Cover Designer: Archer Design
Cover Photographer: Natural Selection

Copyright © 2002 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. The author(s) created reusable code in this publication expressly for reuse by readers. Sybex grants readers limited permission to reuse the code found in this publication or its accompanying CD-ROM so long as the author(s) are attributed in any application containing the reusable code and the code itself is never distributed, posted online by electronic transmission, sold, or commercially exploited as a stand-alone product. Aside from this specific exception concerning reusable code, no part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written permission of the publisher.

First edition copyright © 2000 SYBEX Inc.

Library of Congress Card Number: 2001096241
ISBN: 0-7821-2953-6

SYBEX and the SYBEX logo are trademarks of SYBEX Inc. in the USA and other countries. Screen reproductions produced with Collage Complete. Collage Complete is a trademark of Inner Media Inc. The CD interface was created using Macromedia Director, © 1994, 1997–1999 Macromedia Inc. For more information on Macromedia and Macromedia Director, visit http://www.macromedia.com. Internet screen shot(s) using Microsoft Internet Explorer version 5 reprinted by permission from Microsoft Corporation.
Microsoft Internet Explorer © 1996 Microsoft Corporation. All rights reserved. Microsoft, the Microsoft Internet Explorer logo, Windows, Windows NT, and the Windows logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. SYBEX is an independent entity from Microsoft Corporation, and not affiliated with Microsoft Corporation in any manner. This publication may be used in assisting students to prepare for a Microsoft Certified Professional Exam. Neither Microsoft Corporation, its designated review company, nor SYBEX warrants that use of this publication will ensure passing the relevant exam. Microsoft is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer. The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s). The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book. Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1
To Our Valued Readers:

When Sybex published the first editions of the four core Windows® 2000 MCSE Study Guides, Windows® 2000 had been out for only six months, and the MCSE exams had just been released. In writing the Study Guides, the authors brought to the table their experience with Windows® 2000 as well as insights gained from years of classroom teaching. With the official Microsoft exam objectives as their guides, the authors set out to write comprehensive, yet ultimately clear, concise, and practical courseware. And we believe they succeeded. Over the past year, however, our authors have learned many new things about how Windows® 2000 works and have received significant and useful feedback about how Microsoft is testing individuals on the vast array of topics encompassed by the four core exams. We at Sybex have also received a tremendous amount of invaluable feedback, both praise and criticism, regarding the four core Windows® 2000 Study Guides. The second edition that you hold in your hand is the product of the feedback that readers such as yourself have provided to us. So what “new and improved” material will you find in this new edition? We have confidence in the core instructional material in the books, so the authors have made only minor modifications to this content. They have, however, made the chapter review questions and bonus exam questions more challenging, to better reflect the type of questions you’ll encounter on the actual exams. We’ve also added Real World Scenarios throughout the book. This new feature allowed the authors to add critical context and perspective on Windows® 2000 technologies that wasn’t available when Microsoft first released the products. Finally, we’ve added Exam Essentials to the end of each chapter. These reemphasize those subject areas that are most important for success on the exams. We believe you’ll find this Study Guide to be an indispensable part of your exam prep program. As always, your feedback is important to us. Please send comments, questions, or suggestions to [email protected]. At Sybex we’re continually striving to meet and exceed the needs of individuals preparing for IT certification exams. Readers like you are critical to these efforts. Good luck in pursuit of your MCSE!

Neil Edde
Associate Publisher—Certification
Sybex, Inc.
1151 Marina Village Parkway, Alameda, CA 94501
Tel: 510/523-8233
Fax: 510/523-2373
http://www.sybex.com
Software License Agreement: Terms and Conditions

The media and/or any online materials accompanying this book that are available now or in the future contain programs and/or text files (the "Software") to be used in connection with the book. SYBEX hereby grants to you a license to use the Software, subject to the terms that follow. Your purchase, acceptance, or use of the Software will constitute your acceptance of such terms. The Software compilation is the property of SYBEX unless otherwise indicated and is protected by copyright to SYBEX or other copyright owner(s) as indicated in the media files (the "Owner(s)"). You are hereby granted a single-user license to use the Software for your personal, noncommercial use only. You may not reproduce, sell, distribute, publish, circulate, or commercially exploit the Software, or any portion thereof, without the written consent of SYBEX and the specific copyright owner(s) of any component software included on this media. In the event that the Software or components include specific license requirements or end-user agreements, statements of condition, disclaimers, limitations or warranties ("End-User License"), those End-User Licenses supersede the terms and conditions herein as to that particular Software component. Your purchase, acceptance, or use of the Software will constitute your acceptance of such End-User Licenses. By purchase, use or acceptance of the Software you further agree to comply with all export laws and regulations of the United States as such laws and regulations may exist from time to time.

Reusable Code in This Book

The authors created reusable code in this publication expressly for reuse by readers. Sybex grants readers permission to reuse for any purpose the code found in this publication or its accompanying CD-ROM so long as all three authors are attributed in any application containing the reusable code, and the code itself is never sold or commercially exploited as a stand-alone product.

Software Support

Components of the supplemental Software and any offers associated with them may be supported by the specific Owner(s) of that material but they are not supported by SYBEX. Information regarding any available support may be obtained from the Owner(s) using the information provided in the appropriate read.me files or listed elsewhere on the media. Should the manufacturer(s) or other Owner(s) cease to offer support or decline to honor any offer, SYBEX bears no responsibility. This notice concerning support for the Software is provided for your information only. SYBEX is not the agent or principal of the Owner(s), and SYBEX is in no way responsible for providing any support for the Software, nor is it liable or responsible for any support provided, or not provided, by the Owner(s).

Warranty

SYBEX warrants the enclosed media to be free of physical defects for a period of ninety (90) days after purchase. The Software is not available from SYBEX in any other form or media than that enclosed herein or posted to www.sybex.com. If you discover a defect in the media during this warranty period, you may obtain a replacement of identical format at no charge by sending the defective media, postage prepaid, with proof of purchase to: SYBEX Inc., Product Support Department, 1151 Marina Village Parkway, Alameda, CA 94501, Web: www.sybex.com. After the 90-day period, you can obtain replacement media of identical format by sending us the defective disk, proof of purchase, and a check or money order for $10, payable to SYBEX.

Disclaimer

SYBEX makes no warranty or representation, either expressed or implied, with respect to the Software or its contents, quality, performance, merchantability, or fitness for a particular purpose. In no event will SYBEX, its distributors, or dealers be liable to you or any other party for direct, indirect, special, incidental, consequential, or other damages arising out of the use of or inability to use the Software or its contents even if advised of the possibility of such damage. In the event that the Software includes an online update feature, SYBEX further disclaims any obligation to provide this feature for any specific duration other than the initial posting. The exclusion of implied warranties is not permitted by some states. Therefore, the above exclusion may not apply to you. This warranty provides you with specific legal rights; there may be other rights that you may have that vary from state to state. The pricing of the book with the Software by SYBEX reflects the allocation of risk and limitations on liability contained in this agreement of Terms and Conditions.

Shareware Distribution

This Software may contain various programs that are distributed as shareware. Copyright laws apply to both shareware and ordinary commercial software, and the copyright Owner(s) retains all rights. If you try a shareware program and continue using it, you are expected to register it. Individual programs differ on details of trial periods, registration, and payment. Please observe the requirements stated in appropriate files.

Copy Protection

The Software in whole or in part may or may not be copy-protected or encrypted. However, in all cases, reselling or redistributing these files without authorization is expressly forbidden except as specifically provided for by the Owner(s) therein.
To my ever-loving, always patient wife, Kim.

Bill Heldman
Acknowledgments
I’d like to thank God for giving me the ability to write and for creating the circumstances where I could find a publisher who would let me do so.

Bill Heldman
Kara, as always, thank you for being there through another project. We’ve been through a lot in the last few months, and it will only make us stronger. Abbie, your smiles and “dadas” warm my heart more than you can imagine. Doc and Sue, and Mike and Marsha, Kara and I can’t thank you enough for your support. Y’all are such cute grandparents! To the former geek side of the crew at Microcert: Scott, Rob, Joe, Troy, and Jill, you are all crazy. But it was great working with you. On the office side: Adrienne, Caroleigh, Tessa, Donnie, and Mike, you are all crazy too, but fortunately not in that geeky sorta trainer way. Thanks for making me smile when I needed it the most. Thanks to all my students (you know who you are) who made me think. And last but certainly not least, thank you David Lanz for providing endless hours of wonderful heavy mellow entertainment with your considerable talents.

Quentin Docter
The authors also wish to thank the excellent Sybex crew involved on this second edition: Neil Edde, Jeff Kellum, Sarah Lemaire, Molly Glover, Jill Niles, and Tony Jonick. Readers should know that the editorial staff at Sybex consists of very patient, extremely diligent, and hard-working souls who strive to make the books that get published the best quality computer books on the shelves. Special thanks to the technical editors, Dale Liu and Larry Passo, to the proofreaders, Nanette Duffy, Emily Hsuan, Laurie O’Connell, Yariv Rabinovitch, and Nancy Riddiough, and to the indexer, Lynnzee Elze.
Introduction
Microsoft’s Microsoft Certified Systems Engineer (MCSE) track for Windows 2000 is the premier certification for computer industry professionals. Covering the core technologies around which Microsoft’s future will be built, the MCSE Windows 2000 program is a powerful credential for career advancement. This book has been developed to give you the critical skills and knowledge you need to prepare for one of the core requirements of the new MCSE certification program: Designing a Microsoft Windows 2000 Network Infrastructure (Exam 70-221).
The Microsoft Certified Professional Program

Since the inception of its certification program, Microsoft has certified over one million people. As the computer network industry grows in both size and complexity, these numbers are sure to grow—and the need for proven ability will also increase. Companies rely on certifications to verify the skills of prospective employees and contractors. Microsoft has developed its Microsoft Certified Professional (MCP) program to give you credentials that verify your ability to work with Microsoft products effectively and professionally. Obtaining your MCP certification requires that you pass any one Microsoft certification exam. Several levels of certification are available based on specific suites of exams. Depending on your areas of interest or experience, you can obtain any of the following MCP credentials:

Microsoft Certified System Engineer (MCSE) This certification track is designed for network and systems administrators, network and systems analysts, and technical consultants who work with Microsoft Windows 2000 client and server software. You must take and pass seven exams to obtain your MCSE.
Since this book covers one of the MCSE Core Design exams, we will discuss the MCSE certification in detail in this Introduction.
Microsoft Certified Solution Developer (MCSD) This track is designed for software engineers and developers and technical consultants who primarily use Microsoft development tools. Currently, you can take exams on Visual Basic, Visual C++, and Visual FoxPro. You must take and pass four exams to obtain your MCSD. At the time this book was written, Microsoft was planning to release Visual Studio 7, but no dates had yet been set. You can expect the requirements for this track to change after its release.

Microsoft Certified Database Administrator (MCDBA) This track is designed for database administrators, developers, and analysts who work with Microsoft SQL Server. As of this printing, you can take exams on either SQL Server 7 or SQL Server 2000. You must take and pass four exams to achieve MCDBA status.

Microsoft Certified Trainer (MCT) The MCT track is designed for any IT professional who develops and teaches Microsoft-approved courses. To become an MCT, you must first obtain your MCSE, MCSD, or MCDBA; then you must take a class at one of the Certified Technical Training Centers. You will also be required to prove your instructional ability. You can do this in various ways: by taking a skills-building or train-the-trainer class; by achieving certification as a trainer from any of a number of vendors; or by becoming a Certified Technical Trainer through the Chauncey Group (www.chauncey.com/ctt.html). Last of all, you’ll need to complete an MCT application.
At the time this book was being written, Microsoft announced plans for its Windows XP and .NET certification, although exams had not yet been released. You must still take four core exams, but you will have eight exams to choose from. Microsoft also announced lower-level administration and developer certifications. For more information on the new requirements, go to http://www.microsoft.com/trainingandservices/default.asp?PageID=mcp&PageCall=requirements&SubSite=cert/mcse&AnnMenu=mcse, and for more information on the new certifications, go to http://www.microsoft.com/trainingandservices/default.asp?PageID=mcp&PageCall=newcerts&SubSite=articles.
Windows 2000

Over the next few years, companies around the world will deploy millions of copies of Windows 2000 as the central operating system for their mission-critical networks. This will generate an enormous need for qualified consultants and personnel who can design, deploy, and support Windows 2000 networks. Because Windows 2000 is such a vast product, its administrators must have a wealth of professional skills. As an example of Windows 2000’s complexity, consider that it has more than 35 million lines of code as compared with Windows NT 4’s 12 million! Much of this code is needed to support the wide range of functionality that Windows 2000 offers. The Windows 2000 line comprises several versions:

Windows 2000 Professional This is the client edition of Windows 2000, which is comparable to Windows NT Workstation 4 but also includes the best features of Windows 98, as well as many new features.

Windows 2000 Server/Windows 2000 Advanced Server A server edition of Windows 2000, this version is for small to mid-sized deployments. Advanced Server supports more memory and processors than Server does.

Windows 2000 Datacenter Server This is a server edition of Windows 2000 for large, wide-scale deployments and computer clusters. Datacenter Server supports the most memory and processors of the three versions.

Companies implementing the expansive Windows 2000 operating system want to be certain that you are the right person for the job being offered. The MCSE track is designed to help you prove that you are.
How Do You Become an MCSE?

Attaining MCSE certification has always been a challenge. In the past, students have been able to acquire detailed exam information—even most of the exam questions—from online “brain dumps” and third-party “cram” books or software products. For the new MCSE exams, this is simply not the case.
Microsoft has taken strong steps to protect the security and integrity of the new MCSE track. Now, prospective MCSEs must complete a course of study that develops detailed knowledge about a wide range of topics. It supplies them with the true skills needed, derived from working with Windows 2000 and related software products. The new MCSE program is heavily weighted toward hands-on skills and experience. Microsoft has stated that “nearly half of the core required exams’ content demands that the candidate have troubleshooting skills acquired through hands-on experience and working knowledge.” Fortunately, if you are willing to dedicate the time and effort to learn Windows 2000, you can prepare yourself well for the exams by using the proper tools. By working through this book, you can successfully meet the exam requirements. This book is part of a complete series of Sybex MCSE Study Guides, published by Sybex, Inc., that together cover the core Windows 2000 requirements as well as the new Design exams needed to complete your MCSE track. Study Guide titles include the following:
MCSE: Windows 2000 Professional Study Guide, Second Edition, by Lisa Donald with James Chellis (Sybex, 2001)
MCSE: Windows 2000 Server Study Guide, Second Edition, by Lisa Donald with James Chellis (Sybex, 2001)
MCSE: Windows 2000 Network Infrastructure Administration Study Guide, Second Edition, by Paul Robichaux with James Chellis (Sybex, 2001)
MCSE: Windows 2000 Directory Services Administration Study Guide, Second Edition, by Anil Desai with James Chellis (Sybex, 2001)
MCSE: Windows 2000 Directory Services Design Study Guide, Second Edition, by Robert King and Gary Govanus (Sybex, 2001)
MCSE: Windows 2000 Network Infrastructure Design Study Guide, Second Edition, by Bill Heldman (Sybex, 2002)
MCSE: Windows 2000 Network Security Design Study Guide, Second Edition, by Gary Govanus and Robert King (Sybex, 2002)
Exam Requirements

Candidates for MCSE certification in Windows 2000 must pass seven exams, including four core operating system exams, one design exam, and two electives, as described in the sections that follow.
For a more detailed description of the Microsoft certification programs, including a list of current and future MCSE electives, check Microsoft’s Training and Certification web site at www.microsoft.com/trainingandservices. While Microsoft does not require you to take these exams in any particular order, it is highly recommended that you take the Core exams first, starting with the Professional and Server exams first, followed by the Directory Services and Network Infrastructure Administration exams. A number of the case study questions assume you have a basic knowledge of the topics tested in those exams (see below for more information on case study questions).
This book is not designed to teach you all you need to know from the ground up for network infrastructure design. We assume you have a basic knowledge of Windows 2000 and have taken our advice and taken the Core exams first.
The Designing a Windows 2000 Network Infrastructure Exam

The Designing a Windows 2000 Network Infrastructure exam covers concepts and skills required for the support of Windows 2000 computers. It emphasizes the following areas of Windows 2000 support:
Standards and terminology
Planning
Implementation
Troubleshooting
This exam focuses on the business aspects and technical requirements for creating a functional Windows 2000 network infrastructure. It can be particular about how administrative tasks are performed in the operating system. It also focuses on fundamental concepts relating to Windows 2000’s operation. Careful study of this book, along with hands-on experience, will help you prepare for this exam.
Microsoft provides exam objectives to give you a very general overview of possible areas of coverage on the Microsoft exams. For your convenience, this Study Guide includes objective listings positioned within the text at points where specific Microsoft exam objectives are discussed. Keep in mind, however, that exam objectives are subject to change at any time without prior notice and at Microsoft’s sole discretion. Please visit Microsoft’s Training and Certification web site (www.microsoft.com/trainingandservices) for the most current listing of exam objectives.
Types of Exam Questions

In an effort to both refine the testing process and protect the quality of its certifications, Microsoft has focused its Windows 2000 exams on real experience and hands-on proficiency. There is a higher emphasis on your past working environments and responsibilities, and less emphasis on how well you can memorize. In fact, Microsoft says an MCSE candidate should have at least one year of hands-on experience.
Microsoft will accomplish its goal of protecting the exams’ integrity by regularly adding and removing exam questions, limiting the number of questions that any individual sees in a beta exam, limiting the number of questions delivered to an individual by using adaptive testing, and adding new exam elements.
Exam questions may be in a variety of formats. Depending on which exam you take, you’ll see multiple-choice questions, as well as select-and-place and prioritize-a-list questions. Simulations and case study–based formats are included, as well. You may also find yourself taking what’s called an adaptive format exam. Let’s take a look at the types of exam questions and examine the adaptive testing technique, so that you’ll be prepared for all of the possibilities.
For more information on the various exam question types, go to www.microsoft.com/trainingandservices/default.asp?PageID=mcp&PageCall=tesinn&SubSite=examinfo.
MULTIPLE-CHOICE QUESTIONS
Multiple-choice questions come in two main forms. One is a straightforward question followed by several possible answers, of which one or more is correct. The other type of multiple-choice question is more complex and is based on a specific scenario. The scenario may focus on a number of areas or objectives.

SELECT-AND-PLACE QUESTIONS
Select-and-place exam questions involve graphical elements that you must manipulate in order to successfully answer the question. For example, you might see a diagram of a computer network, as shown in the following graphic taken from the select-and-place demo downloaded from Microsoft’s web site.
A typical diagram will show computers and other components next to boxes that contain the text “Place here.” The labels for the boxes represent various computer roles on a network, such as a print server and a file server. Based on information given for each computer, you are asked to select each label and place it in the correct box. You need to place all of the labels correctly. No credit is given for the question if you correctly label only some of the boxes. In another select-and-place problem you might be asked to put a series of steps in order, by dragging items from boxes on the left to boxes on the right, and placing them in the correct order. One other type of question requires that you drag an item from the left and place it under an item in a column on the right.

SIMULATIONS
Simulations are the kinds of questions that most closely represent actual situations and test the skills you use while working with Microsoft software interfaces. These exam questions include a mock interface on which you are asked to perform certain actions according to a given scenario. The simulated interfaces look nearly identical to what you see in the actual product, as shown in this example:
Because of the number of possible errors that can be made on simulations, be sure to consider the following recommendations from Microsoft:
Do not change any simulation settings that don’t pertain to the solution directly.
When related information has not been provided, assume that the default settings are used.
Make sure that your entries are spelled correctly.
Close all the simulation application windows after completing the set of tasks in the simulation.
The best way to prepare for simulation questions is to spend time working with the graphical interface of the product on which you will be tested.

CASE STUDY–BASED QUESTIONS
Case study–based questions first appeared in the MCSD program. These questions present a scenario with a range of requirements. Based on the information provided, you answer a series of multiple-choice and select-and-place questions. The interface for case study–based questions has a number of tabs, each of which contains information about the scenario.
Expect to see case study–based questions on the Designing a Windows 2000 Network Infrastructure exam. I recommend that you become familiar with these types of questions prior to taking the exam. In addition, you should look at the case study questions on this book’s CD as well as any of the number of test simulation software programs out on the market. You can also download the case study demo from the test’s page on Microsoft’s web site.
ADAPTIVE EXAM FORMAT
Microsoft presents many of its exams in an adaptive format. This format is radically different from the conventional format previously used for Microsoft certification exams. Conventional tests are static, containing a fixed number of questions. Adaptive tests change depending on your answers to the questions presented. The number of questions presented in your adaptive test will depend on how long it takes the exam to ascertain your level of ability (according to the statistical measurements on which exam questions are ranked). To determine a test-taker’s level of ability, the exam presents questions in an increasing or decreasing order of difficulty.
Because of the structure of the Design exams, which are case study–based, they are not offered in an adaptive format.
Exam Question Development

Microsoft follows an exam-development process consisting of eight mandatory phases. The process takes an average of seven months and involves more than 150 specific steps. The MCP exam development consists of the following phases:

Phase 1: Job Analysis Phase 1 is an analysis of all the tasks that make up a specific job function, based on tasks performed by people who are currently performing that job function. This phase also identifies the knowledge, skills, and abilities that relate specifically to the performance area being certified.
Phase 2: Objective Domain Definition The results of the job analysis phase provide the framework used to develop objectives. Development of objectives involves translating the job-function tasks into a comprehensive package of specific and measurable knowledge, skills, and abilities. The resulting list of objectives—the objective domain—is the basis for the development of both the certification exams and the training materials.

Phase 3: Blueprint Survey The final objective domain is transformed into a blueprint survey in which contributors are asked to rate each objective. These contributors may be MCP candidates, appropriately skilled exam-development volunteers, or Microsoft employees. Based on the contributors’ input, the objectives are prioritized and weighted. The actual exam items are written according to the prioritized objectives. Contributors are queried about how they spend their time on the job. If a contributor doesn’t spend an adequate amount of time actually performing the specified job function, his or her data are eliminated from the analysis. The blueprint survey phase helps determine which objectives to measure, as well as the appropriate number and types of items to include on the exam.

Phase 4: Item Development A pool of items is developed to measure the blueprinted objective domain. The number and types of items to be written are based on the results of the blueprint survey.

Phase 5: Alpha Review and Item Revision During this phase, a panel of technical and job-function experts reviews each item for technical accuracy. The panel then answers each item and reaches a consensus on all technical issues. Once the items have been verified as being technically accurate, they are edited to ensure that they are expressed in the clearest language possible.

Phase 6: Beta Exam The reviewed and edited items are collected into beta exams. Based on the responses of all beta participants, Microsoft performs a statistical analysis to verify the validity of the exam items and to determine which items will be used in the certification exam. Once the analysis has been completed, the items are distributed into multiple parallel forms, or versions, of the final certification exam.
Phase 7: Item Selection and Cut-Score Setting
The results of the beta exams are analyzed to determine which items will be included in the certification exam. This determination is based on many factors, including item difficulty and relevance. During this phase, a panel of job-function experts determines the cut score (minimum passing score) for the exams. The cut score differs from exam to exam because it is based on an item-by-item determination of the percentage of candidates who answered the item correctly and who would be expected to answer the item correctly.

Phase 8: Live Exam
In the final phase, the exams are given to candidates. MCP exams are administered by Prometric and Virtual University Enterprises (VUE).
Tips for Taking the Network Infrastructure Design Exam

Here are some general tips for achieving success on your certification exam:
Arrive early at the exam center so that you can relax and review your study materials. During this final review, you can look over tables and lists of exam-related information.
Read the case studies carefully. Don’t be tempted to jump to an early conclusion. Make sure you know exactly what the scenario is.
Answer all questions. Remember that the adaptive format does not allow you to return to a question. Be very careful before entering your answer. Because your exam may be shortened by correct answers (and lengthened by incorrect answers), there is no advantage to rushing through questions.
On simulations, do not change settings that are not directly related to the question. Also, assume default settings if the question does not specify or imply which settings are used.
For questions you’re not sure about, use a process of elimination to get rid of the obviously incorrect answers first. This improves your odds of selecting the correct answer when you need to make an educated guess.
Exam Registration

You may take the Microsoft exams at any of more than 1,000 Authorized Prometric Testing Centers (APTCs) and VUE Testing Centers around the world. For the location of a testing center near you, call Prometric at 800-755-EXAM (755-3926), or call VUE at 888-837-8616. Outside the United States and Canada, contact your local Prometric or VUE registration center.
Find out the number of the exam you want to take, and then register with the Prometric or VUE registration center nearest to you. At this point, you will be asked for advance payment for the exam. The exams are $100 each, and you must take them within one year of payment. You can schedule exams up to six weeks in advance or as late as one working day prior to the date of the exam. You can cancel or reschedule your exam if you contact the center at least two working days prior to the exam. Same-day registration is available in some locations, subject to space availability. Where same-day registration is available, you must register a minimum of two hours before test time.
You may also register for your exams online at www.prometric.com or www.vue.com.
When you schedule the exam, you will be provided with instructions regarding appointment and cancellation procedures, ID requirements, and information about the testing center location. In addition, you will receive a registration and payment confirmation letter from Prometric or VUE. Microsoft requires certification candidates to accept the terms of a NonDisclosure Agreement before taking certification exams.
Is This Book for You?

If you want to acquire a solid foundation in the principles of Network Infrastructure Design, and your goal is to prepare for the exam by learning how to use and manage the new operating system, this book is for you. You’ll find clear explanations of the fundamental concepts you need to grasp, and plenty of help to achieve the high level of professional competency you need to succeed in your chosen field. If you want to become certified as an MCSE, this book is definitely for you. However, if you just want to attempt to pass the exam without really understanding Windows 2000, this Study Guide is not for you. It is written for people who want to acquire hands-on skills and in-depth knowledge of Windows 2000.
How to Use This Book

What makes a Sybex Study Guide the book of choice for over 100,000 MCSEs? We took into account not only what you need to know to pass the
exam, but also what you need to know to take what you’ve learned and apply it in the real world. Each book contains the following:

Objective-by-objective coverage of the topics you need to know
Each chapter lists the objectives covered in that chapter, followed by detailed discussion of each objective.

Assessment Test
Directly following this Introduction is an Assessment Test that you should take. It is designed to help you determine how much you already know about Windows 2000. Each question is tied to a topic discussed in the book. Using the results of the Assessment Test, you can identify those areas where you need to focus your study. Of course, we do recommend you read the entire book.

Exam Essentials
To highlight what you learn, you’ll find a list of Exam Essentials at the end of each chapter. The Exam Essentials section briefly highlights the topics that need your particular attention as you prepare for the exam.

Key Terms and Glossary
Throughout each chapter, you will be introduced to important terms and concepts that you’ll need to know for the exam. These terms appear in italic within the chapters, and a list of the Key Terms appears just after the Exam Essentials. At the end of the book, a detailed Glossary gives definitions for these terms, as well as for other terms you should know.

Review Questions, complete with detailed explanations
Each chapter is followed by a set of Review Questions that test what you learned in the chapter. The questions are written with the exam in mind, meaning that they are designed to have the same look and feel of what you’ll see on the exam. Following each chapter’s Review Questions, you will find a Case Study that draws from the topics discussed in the chapter. These Case Studies and their corresponding questions simulate what you will see on the exam.

Real World Scenarios
Because reading a book isn’t enough for you to learn how to apply these topics in your everyday duties, we have provided Real World Scenarios in special sidebars. These explain when and why a particular solution would make sense in a working environment that you’d actually encounter.

Interactive CD
Every Sybex Study Guide comes with a CD complete with additional questions, flashcards for use with a Palm device, and two complete electronic books. Details are in the following section.
What’s on the CD?

With this new member of our best-selling MCSE Study Guide series, we are including quite an array of training resources. The CD offers numerous simulations, bonus exams, and flashcards to help you study for the exam. We have also included the complete contents of the Study Guide in electronic form. The CD’s resources are described here:

The Sybex Ebook for Network Infrastructure Design
Many people like the convenience of being able to carry their whole study guide on a CD. They also like being able to search the text via computer to find specific information quickly and easily. For these reasons, the entire contents of this Study Guide are supplied on the CD, in PDF format. We’ve also included Adobe Acrobat Reader, which provides the interface for the PDF contents as well as the search capabilities.

The Sybex MCSE Edge Tests
The Edge Tests are a collection of both multiple-choice and case study questions that will help you prepare for your exam. There are four sets of questions:
- Two bonus exams designed to simulate the actual live exam.
- All the questions from the Study Guide, presented in a test engine for your review. You can review questions by chapter, by objective, or you can take a random test.
- The Assessment Test.

Here is a sample screen from the Sybex MCSE Edge Tests:
Sybex MCSE Flashcards for PCs and Palm Devices
The “flashcard” style of question offers an effective way to quickly and efficiently test your understanding of the fundamental concepts covered in the exam. The Sybex MCSE Flashcards set consists of more than 150 questions presented in a special engine developed specifically for this study guide series. Here’s what the Sybex MCSE Flashcards interface looks like:
Because of the high demand for a product that will run on Palm devices, we have also developed, in conjunction with Land-J Technologies, a version of the flashcard questions that you can take with you on your Palm OS PDA (including the PalmPilot and Handspring’s Visor).
How Do You Use This Book?

This book provides a solid foundation for the serious effort of preparing for the exam. To best benefit from this book, you may wish to use the following study method:

1. Take the Assessment Test to identify your weak areas.
2. Study each chapter carefully. Do your best to fully understand the information.
3. Read over the Real World Scenarios to improve your understanding of how to use what you learn in the book.
4. Study the Exam Essentials and Key Terms to make sure you are familiar with the areas you need to focus on.
5. Answer the review and case study questions at the end of each chapter. If you prefer to answer the questions in a timed and graded format, install the Edge Tests from the book’s CD and answer the chapter questions there instead of in the book.
6. Take note of the questions you did not understand, and study the corresponding sections of the book again.
7. Go back over the Exam Essentials and Key Terms.
8. Go through the Study Guide’s other training resources, which are included on the book’s CD. These include electronic flashcards, the electronic version of the chapter review questions (try taking them by objective), and the two bonus exams.

To learn all the material covered in this book, you will need to study regularly and with discipline. Try to set aside the same time every day to study, and select a comfortable and quiet place in which to do it. If you work hard, you will be surprised at how quickly you learn this material. Good luck!
Contacts and Resources

To find out more about Microsoft Education and Certification materials and programs, to register with Prometric or VUE, or to obtain other useful certification information and additional study resources, check the following resources:

Microsoft Training and Certification Home Page
www.microsoft.com/trainingandservices
This web site provides information about the MCP program and exams. You can also order the latest Microsoft Roadmap to Education and Certification.

Microsoft TechNet Technical Information Network
www.microsoft.com/technet
800-344-2121
Use this web site or phone number to contact support professionals and system administrators. Outside the United States and Canada, contact your local Microsoft subsidiary for information.
Palm Pilot Training Product Development: Land-J
www.land-j.com
407-359-2217
Land-J Technologies is a consulting and programming business currently specializing in application development for the 3Com PalmPilot Personal Digital Assistant. Land-J developed the Palm version of the flashcards, which is included on the CD that accompanies this Study Guide.

Prometric
www.prometric.com
800-755-3926
Contact Prometric to register to take an MCP exam at any of more than 800 Prometric Testing Centers around the world.

Virtual University Enterprises (VUE)
www.vue.com
888-837-8616
Contact the VUE registration center to register to take an MCP exam at one of the VUE Testing Centers.

MCP Magazine Online
www.mcpmag.com
Microsoft Certified Professional Magazine is a well-respected publication that focuses on Windows certification. This web site hosts chats and discussion forums, and tracks news related to the MCSE program. Some of the services cost a fee, but they are well worth it.

Windows 2000 Magazine
www.windows2000mag.com
You can subscribe to this magazine or read free articles at their web site. This study resource provides general information on Windows 2000.

Cramsession on Brainbuzz.com
cramsession.brainbuzz.com
Cramsession is an online community focusing on all IT certification programs. In addition to discussion boards and job locators, you can download one of a number of free cram sessions, which are nice supplements to any study approach you take.
Assessment Test

1. Which routing protocols can be configured with auto-static updating? Choose all correct answers.
A. RIP for IP
B. IGMP
C. RIP for IPX
D. SAP for IPX

2. Why is it important to understand how users access various servers and applications? Choose all reasons that apply.
A. Process improvement
B. Change management
C. Infrastructure issues
D. Server adequacy

3. Bob has set up NAT on his 100-node network, and things seem to be working fine. He has one problem, though: Some users cannot get out on the Internet. On top of that, every few days the problem seems to sporadically change to a different bunch of users, though one or two stragglers may stay behind. What could be the problem?
A. Bob has a second DHCP server on the network.
B. The machines are configured with static IP addresses.
C. There’s a problem with the LMHOSTS file.
D. DNS is not configured correctly.

4. You’re planning on using a VPN setup for your dial-up telecommuters to access your private network via their ISP and the Internet. You want to use L2TP. What encryption protocol should you use?
A. PGP
B. IPSec
C. DES
D. MPPE
5. What is the process of ensuring that you’ve documented changes that you’re going to make to production systems?
A. Process improvement
B. Change management
C. Change provisioning
D. Change implementation

6. Your company’s main headquarters is in Chicago, and you have two smaller locations, one in Omaha and one in Cheyenne. Both of the smaller locations are connected to you by fractional T1 lines, and there is a small workgroup server at each location. In thinking about this setup, where is the most likely single point of failure (SPOF) going to be?
A. Server at hub location
B. Server at headquarters location
C. Router
D. Frame relay connection

7. Name the components of a typical RADIUS installation. Choose all that apply.
A. Remote access client
B. RADIUS client
C. RADIUS server
D. Telephony circuits

8. Name two advantages of Windows 2000 Dfs.
A. You can maintain multiple instances of the Dfs database.
B. Domain-based roots can be replicated through AD.
C. Clients of various platforms can host Dfs links.
D. You can interlink one Dfs link to another.
9. Can a company’s growth be a risk to its success?
A. Yes
B. No

10. A new message has been added to the Windows 2000 DHCP message system. What is this message?
A. DHCPQUERY
B. DHCPAD
C. DHCPINFORM
D. DHCPROUTE

11. Choose three different types of users.
A. Power user
B. Dumb terminal
C. Internet
D. 3270 emulation user
E. Managerial/professional/executive
F. Network

12. You’ve installed a hardware RAID array controller card in one of your servers, and now you’re going to re-initialize the drives and put the operating system back on them. What sort of technique are you implementing?
A. Fault recovery
B. Fault management
C. Fault tolerance
D. Fault obliteration
13. Your company is going to hire external contractors to work on a big software development project. What is this technique called?
A. Outsourcing
B. Contractor negotiations
C. Software development life cycle (SDLC)
D. Code externalization

14. You don’t know very much about routers. You’re the network administrator for a small company that has grown to have two locations. You need to link these two locations, plus you’d like to set up an Internet connection for your users. You’re not sure you have the time or the money it takes to get into the whole internetworking thing, learning all about routers and how to set them up. Plus, your company’s on a tight budget. Is there an easier way to set up some routing, both internally and to the Internet, using Windows 2000 servers?
A. Yes, but it’s isolated to the Windows 2000 Advanced and Datacenter Server products.
B. Yes, and it’s easy to do across all the Windows 2000 server products.
C. No, there is no method.
D. No, routing is included only for Windows NT 4 backward compatibility.

15. Your management staff, from your boss on up the food chain to the CEO, seems to be very good about letting you do your job with little or no interference. What management style most represents your management?
A. Loose-bundle
B. Neutral
C. Autocratic
D. Laissez-faire
16. What is EAP?
A. A router access protocol
B. A network authentication method
C. A VPN protocol
D. A WAN protocol

17. Which authentication protocols can be used with two-way authentication in Windows 2000 demand-dial routing? Choose all correct answers.
A. MS-CHAP v2
B. MS-CHAP
C. EAP-TLS
D. CHAP

18. You have a robust SNA Server deployment and would now like to migrate to Windows 2000. Does SNA Server work with Active Directory (AD)?
A. Even the oldest version of SNA Server works with AD.
B. The SNA protocol is now built into Windows 2000 with no need for adjunct software.
C. Only Host Integration Server 2000 works with AD.
D. SNA Server doesn’t work with Windows 2000.

19. In DNS, what does the SRV resource record do?
A. Pinpoints specific servers
B. Designates the standard primary DNS server
C. Points to multiple servers performing similar TCP/IP services
D. Points to the Active Directory global master
20. Which component(s) might you assess as part of your infrastructure evaluation? Choose all that apply.
A. Switches
B. Telephony systems
C. Routers
D. Servers
E. Hubs
F. Cable plant

21. In pursuit of your Windows 2000 design finalization, you become interested in the various geographic locations of your technical people. What is the exam term given to the distribution of people across geographic locations?
A. Outsourcing
B. Centralization
C. Resource distribution
D. Decentralization

22. What is a screened subnet?
A. A subnet that targets specific IP addresses
B. A subnet that contains only certain groups of computers
C. A subnet that does not provide DNS services
D. A subnet beyond the corporate firewall

23. You work for a government contractor that wants telecommuting users working on sensitive documents to log on to the network using smart cards. What new Windows 2000 protocol could ostensibly help you accomplish this business rule?
A. OSPF
B. BAP
C. EAP
D. Dfs
24. You work for a company that has four Macintosh computers in the Publishing department. How can they be connected to your Windows 2000 network?
A. Use the Services for Macintosh (SFM).
B. Use the Macintosh File Control Protocol (MFCP).
C. Use the Gateway for Macintosh (GFM).
D. There is no connectivity for Macintosh in Windows 2000.

25. You have several non-WINS NetBIOS clients on a subnet. What can you do to make sure they are able to adequately resolve NetBIOS names? Select the best answer.
A. Place a WINS server on that subnet.
B. Install a WINS proxy agent on a computer in that subnet.
C. Install a WINS proxy agent on a computer in the subnet where the WINS servers reside.
D. Adjust the routers so they allow NetBIOS broadcasts over the router.

26. What indicators can you personally look at when assessing a company in your design of a new network? Choose all that apply.
A. Risk
B. Growth and growth strategies
C. Capital markets
D. Total cost of operations
E. Company priorities
F. Laws and regulations

27. A new setting in Windows 2000 DHCP server is the default router metric base. What does this setting do?
A. Provides the global default gateway
B. Allows you to type in multiple default gateways so the client can pick one at initialization and configuration time
C. Provides the path to the DHCP server in a non-routed (layer 3 switch) environment
D. Sets up a cost value for providing a low-cost, reliable router-hop count to the correct default gateway
28. Your company would like to set up a method for re-creating the mission-critical servers in the event of a catastrophe. What name do you give this methodology?
A. Disaster recovery
B. Disaster avoidance
C. Disaster amelioration
D. Disaster blotting

29. You’re installing an L2TP/IPSec VPN server in Sweden. What two strengths of encryption are you allowed to configure?
A. 40-bit
B. 56-bit
C. 128-bit
D. 40-bit DES
E. 56-bit DES
F. 3-DES

30. Suppose that you have a routed network of several hundred users, and you want to control the way that the users access the Internet. What feature should you use?
A. Internet Connection Sharing
B. Microsoft Proxy Server
C. Shared access
D. Network Address Translation

31. Help! You have so many UNC sharenames on the network, distributed over numerous servers, that your users are confused as to what to connect to. What Windows 2000 feature helps eliminate this problem?
A. RADIUS
B. Global catalog server
C. L2TP
D. Dfs
32. Mary is responsible for managing all of the backup operations. The backup system runs on two System V Unix computers that talk to a StorageTek tape silo. Both the Unix and NT networks, along with the Oracle, SQL Server, and Exchange databases, are backed up to this system using VERITAS software. Does the work that Mary performs apply to an enterprise-oriented or a workgroup-oriented situation?
A. Workgroup-oriented
B. Enterprise-oriented

33. You have several Windows 2000 WINS clients. How many WINS servers can they talk to?
A. 6
B. 12
C. 18
D. 24

34. Why would a remote access client use a VPN circuit to connect to a RADIUS client? Select all answers that apply.
A. Secure authentication and encryption of all data.
B. To come in through the Internet.
C. Because RADIUS clients only work with VPNs.
D. VPNs cannot be used with RADIUS clients.

35. How can you create fault tolerance in a Windows 2000 stand-alone Dfs root?
A. By creating a root interlink
B. By linking with a domain-based root
C. By setting up a root replica
D. By setting up a link replica
36. Joleen is a mainframe programmer who used to use a 3279 dumb terminal. Now she uses a PC. How does she do this?
A. FTP connection to the mainframe
B. Telnet session with the mainframe
C. 3270 emulation session with the mainframe
D. NFS session with the mainframe

37. Your company’s main headquarters is in Chicago and you have two smaller locations, one in Omaha and one in Cheyenne. Both of the smaller locations are connected to you by fractional T1 lines, and there is a small workgroup server at each location. What sort of company model do you have?
A. Frame/hub
B. Frame/spoke
C. Hub/spoke
D. Spoke/spoke

38. Would a not-for-profit organization have a board of directors?
A. Yes
B. No
Answers to Assessment Test

1. A, C, D. While IGMP is indeed a Windows 2000 routing protocol, it cannot be used with auto-static updating. RIP for IP, RIP for IPX, and SAP for IPX can be configured with this feature. See Chapter 16 for more information.

2. C, D. The two predominant things that user access patterns reveal to you are the health of the infrastructure at heavy load time and the preparedness of application, file, or print servers to handle user load. Both of these issues have to be addressed before your Windows 2000 rollout. See Chapter 3 for more information.

3. A. Most likely, the problem is that Bob has a second DHCP server on his network handing out IP addresses outside the 192.168.0.0/24 range that the NAT addressing component assigns by default, so those clients’ traffic is never translated. Which clients are affected changes as leases expire and are renewed from one server or the other. See Chapter 14 for more information.

4. B. You’ll have to use IPSec with L2TP. In Windows 2000, L2TP/IPSec authenticates the two tunnel endpoints with machine certificates, so plan on having a certificate authority issuing them before you implement your VPN servers. See Chapter 17 for more information.

5. B. Change management, a term that’s as old as the first computers, is not yet widely used in the PC network industry. But it should be, and Microsoft would like to see you get more involved with change management in order to provide a more secure change environment, one that everyone can be reasonably certain will work, and work well. See Chapter 2 for more information.

6. C. The most likely answer is the router, though the others are certainly areas you’d want to look at. See Chapter 1 for more information.

7. B, C, D. RADIUS setups require at least one RADIUS client and one RADIUS server, plus some form of telephony circuit, whether that circuit is POTS, ISDN, or X.25, for the remote access client to connect to. A remote access client is not a component of the RADIUS installation; it’s a user of the installation. Note that telephony circuits might not be needed at all between the RADIUS client and server if the installation includes a VPN to the Internet. But the remote access client would still probably connect using POTS (although DSL, cable modem, satellite, and ISDN are now also viable options). See Chapter 15 for more information.
8. B, D. Domain-based roots are replicated through AD and thus provide enterprise-wide visibility to the Dfs root structure. You can set up one Dfs link that points to a link on a different Dfs server. See Chapter 13 for more information.

9. A. Absolutely. Companies that grow too fast put themselves at risk simply because they cannot assimilate all of the new load in a timely manner. In today’s roller-coaster economy, this is a common problem. See Chapter 1 for more information.

10. C. The DHCPINFORM message is used by Windows 2000 DHCP servers to find out information about Active Directory authorization. See Chapter 10 for more information.

11. A, D, E. A, D, and E are the correct answers. A dumb terminal isn’t a user; it’s a piece of equipment. The Internet isn’t a user type, nor is a network. There are certainly many other user types, but these are three readily identifiable types of users. See Chapter 5 for more information.

12. C. Fault-tolerance strategies are those that try to anticipate where a failure might occur and prevent (or at least offset) it before it happens. With a hardware RAID array controller card, you’re probably going to set the drives up in either a mirror or a RAID 5 array. If one of the drives fails, the system will continue running until you have a chance to fix it. See Chapter 6 for more information.

13. A. Hiring outsiders to do a company’s work is called outsourcing. See Chapter 2 for more information.

14. B. While most networks already have a plethora of hardware-based routers, it is certainly within your power to set up a software router instead by using any of the Windows 2000 server products. RIP versions 1 and 2 and OSPF are natively supported in the Routing and Remote Access Service (RRAS), which is installed by default (you only have to enable and configure it), so it’s easy to get up and running quickly. See Chapter 8 for more information.

15. D. Laissez-faire managers typically don’t get involved in the day-to-day operations of their people. There’s a trust level there, one that’s earned, not necessarily deserved. The good part of a laissez-faire style is that you don’t have somebody breathing down your neck all the time. The bad part is that when you need management input, it may not be there exactly when you need it. See Chapter 2 for more information.
16. B. The Extensible Authentication Protocol (EAP) is a network authentication method: it extends PPP so that additional authentication methods can be plugged in, notably EAP-TLS for smart cards and certificates, and generic token cards. It can be used over VPNs, but that’s not its only purpose. See Chapter 8 for more information.

17. A, C. You can use MS-CHAP v2 or EAP-TLS as an authentication protocol that would be used by two routers shaking hands with one another. See Chapter 16 for more information.

18. C. You’ll have to use Host Integration Server 2000 (the new SNA Server, once code-named Babylon) for this task. See Chapter 9 for more information.

19. C. An SRV record maps a service and protocol (such as _ldap._tcp or _kerberos._tcp) to the one or more servers that provide it, with a priority, weight, and port for each. Active Directory clients use SRV records to locate domain controllers, global catalog servers, and Kerberos KDCs, which is why Windows 2000 DNS must support them. See Chapter 11 for more information.

20. A, B, C, E, F. Of the answers above, all but D qualify as infrastructure components. Some would argue (and probably have a good argument) that telephony systems belong in a category other than infrastructure. The servers are certainly in a category by themselves. See Chapter 4 for more information.

21. C. One of the 70-221 exam objectives is that you determine the company’s size and the user and resource distribution on the network. See Chapter 3 for more information.

22. D. A screened subnet is often used for web servers (and other services, such as public DNS) that live beyond the corporate firewall and must be reachable from the Internet. The general design for a screened subnet, also referred to as a DMZ, is the corporate network, then an inner firewall, then the web servers and their associated services, then an outer firewall facing the Internet, so that a compromised public server still cannot reach the internal network directly. See Chapter 11 for more information.

23. C. The Extensible Authentication Protocol (EAP) is what you want. With EAP-TLS, users can authenticate over remote access using a smart card. Whether your at-home users have smart card readers is another question, but if they do, you could certainly forge ahead with such a plan. See Chapter 7 for more information.
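An added worked example for the SRV record behaviour described in answer 19 (this code is not from the study guide; the zone lines, the domain example.test, and the host names are constructed for illustration): it parses zone-file style SRV records and orders the targets the way an RFC 2782 client does, lowest priority first and weighted random choice within a priority, which is how a Windows 2000 client ends up at one domain controller rather than another.

```python
"""Parse DNS SRV records and order their targets per RFC 2782.

Added example, not part of the study guide. The zone data below is
constructed for a hypothetical Active Directory domain (example.test);
the hosts do not exist.
"""
import random
import re
from dataclasses import dataclass

# Constructed sample zone lines (hypothetical domain, not real hosts).
# Field order: name TTL class SRV priority weight port target
SAMPLE_ZONE = """
_ldap._tcp.dc._msdcs.example.test.     600 IN SRV 0  100 389 dc1.example.test.
_ldap._tcp.dc._msdcs.example.test.     600 IN SRV 0  100 389 dc2.example.test.
_ldap._tcp.dc._msdcs.example.test.     600 IN SRV 10 0   389 dc-backup.example.test.
_kerberos._tcp.dc._msdcs.example.test. 600 IN SRV 0  100 88  dc1.example.test.
"""

SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


@dataclass(frozen=True)
class SrvRecord:
    name: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(zone_text: str) -> list[SrvRecord]:
    """Parse SRV lines; raise on anything that is not an SRV record."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_LINE.match(line)
        if m is None:
            raise ValueError(f"not an SRV record: {line!r}")
        records.append(SrvRecord(
            name=m["name"].lower(),
            ttl=int(m["ttl"]),
            priority=int(m["priority"]),
            weight=int(m["weight"]),
            port=int(m["port"]),
            target=m["target"].lower(),
        ))
    return records


def order_targets(records, service_name, rng=random):
    """Return (target, port) pairs in the order a client should try them.

    Every record of the lowest priority is tried before any record of the
    next priority. Within one priority the next record is chosen by the
    weighted random procedure in RFC 2782: zero-weight records are moved
    to the front, a random number in [0, sum of weights] is drawn, and the
    first record whose running sum reaches it is taken. A zero-weight
    record is therefore chosen only when the draw is 0 (or when every
    remaining record has weight 0).
    """
    wanted = service_name.lower()
    candidates = [r for r in records if r.name == wanted]
    ordered = []
    for priority in sorted({r.priority for r in candidates}):
        pool = [r for r in candidates if r.priority == priority]
        while pool:
            pool.sort(key=lambda r: r.weight != 0)  # zero weights first
            total = sum(r.weight for r in pool)
            draw = rng.randint(0, total)
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= draw:
                    chosen = rec
                    break
            ordered.append((chosen.target, chosen.port))
            pool.remove(chosen)
    return ordered


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_ZONE)
    for target, port in order_targets(recs, "_ldap._tcp.dc._msdcs.example.test."):
        print(f"try {target}:{port}")
```

In the sample data dc1 and dc2 share priority 0 and equal weight, so clients spread across them; dc-backup at priority 10 is tried only when both are unreachable. Keep that in mind when you design a site: a domain controller that answers SRV queries for a service is a domain controller clients will trust for it.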
24. A. The Services for Macintosh (SFM), a service native to Windows NT, has been ported to Windows 2000. See Chapter 9 for more information.

25. B. The quickest, easiest method is to simply install a WINS proxy agent on the subnet where the non-WINS clients are. This way you avoid the expense, time, and configuration hassle of setting up an additional WINS server, and yet the non-WINS clients can resolve NetBIOS names. See Chapter 12 for more information.

26. A, B, D, E, F. As a Windows 2000 network designer, you would not typically be interested in a company’s capital markets. See Chapter 1 for more information.

27. D. This is a bit tricky. When we talk about the path from one computer to another, we sometimes talk about it in terms of router hops: the number of routers that a packet has to cross in order to reach its destination. The default router metric base is the starting cost (the default being 1) that a Windows 2000 client assigns to the default gateway routes it receives from the DHCP server. When a client has more than one default gateway, it uses the route with the lowest cost, so setting the metric base lets you steer clients toward the nearest or most reliable gateway instead of one that is several router hops away. See Chapter 10 for more information.

28. A. Disaster recovery assumes that a catastrophic event has occurred and the network is not available. You figure out ways of making sure that all mission-critical servers and applications can be restored as quickly as possible. See Chapter 6 for more information.

29. D, E. When using IPSec with L2TP, DES is the encryption algorithm. You have two strength choices: 40-bit DES and 56-bit DES. In the U.S. and Canada, you can also use 3-DES. See Chapter 17 for more information.

30. B. Large networks require a Microsoft Proxy Server deployment, especially in a routed environment. While the books say that NAT will work with large quantities of users, the one prerequisite is that they must not be on a routed network. See Chapter 14 for more information.
31. D. The Distributed File System (Dfs) is used for setting up one server that links to different UNC shares across the network. Highly scalable, Dfs will be a major improvement in the way that users access UNC shares. See Chapter 7 for more information.
32. B. Mary’s work is more enterprise-oriented in nature than workgroup-oriented, though she may occasionally have to do a restoration that applies to a workgroup. See Chapter 4 for more information.
33. B. Old Windows 3.x, 9x, and NT clients can only talk to one or two WINS servers. Windows 2000 clients can talk to as many as 12. See Chapter 12 for more information.
34. A, B. The predominant reason you want to use a VPN, whether through the Internet or otherwise, is to obtain high security through advanced authentication and encryption. Tunneling through the Internet is certainly the most prevalent use of a VPN, but it’s not a requirement for setting one up. RADIUS clients will indeed work with VPNs, but they’re not limited to VPN circuits. See Chapter 15 for more information.
35. C. Create a second Dfs root on a different server. From the first Dfs server’s Distributed File System MMC window, right-click the root and select New Root Replica. Remember that you’ll have to manually replicate this stand-alone root—thus, fault tolerance is somewhat minimal, relying on your ability to regularly replicate. See Chapter 13 for more information.
36. C. Joleen uses some sort of 3270 emulation software that allows her to access the mainframe to do her work. See Chapter 5 for more information.
37. A. In thinking of a bicycle, the main part is the frame, which is connected to hubs or wheels. Your company’s central headquarters is the frame and the two remote locations are the hubs. If an office in, say, Billings were to connect to the Cheyenne office, which in turn were to connect to your central office, then you’d have a frame/hub/spoke setup. See Chapter 1 for more information.
38. A. The reason a board of directors exists is to accomplish a fiduciary duty—acting as the trustee of an organization’s funding. In the case of a not-for-profit organization, even though the organization doesn’t have a stock offering, it requires that a body act as a trustee for the people that donate money to it. A board of directors exists as an accountability factor. See Chapter 2 for more information.
Chapter 1
Analyzing Business Models and Strategies
MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Analyze the existing and planned business models.
    Analyze the company model and the geographical scope. Models include regional, national, international, subsidiary, and branch offices.
    Analyze company processes. Processes include information flow, communication flow, service and product life cycles, and decision-making.
Analyze factors that influence company strategies.
    Identify company priorities.
    Identify the projected growth and growth strategy.
    Identify relevant laws and regulations.
    Identify the company’s tolerance for risk.
    Identify the total cost of operations.
Windows 2000—its nuances, its changes from NT, its subtleties, and all of its associated add-on components (I speak here of Exchange 2000, SQL Server 2000, etc.)—is not what Windows used to be. You thought you knew all about the Windows network operating system. Now, suddenly, with Windows 2000, you really don’t. You might have assumed that all would be the same—that Microsoft wouldn’t change very much in its quest for an improved network operating system (NOS)—but the changes are vast, dynamic, and extremely time-consuming to learn. Presumably, you want to learn the changes, and that’s one of the reasons why you have this book in your hand now. Microsoft is requiring that you understand the ramifications of network design for your Windows 2000 design tests. No longer is it important to only know what the technology does, but you also need to understand where it’s most appropriately used. The good news is, if you understand the what part, the where is usually fairly logical as well. Of course, making the right design decisions doesn’t just depend on the technology—it depends on the company’s physical and geographic layout as well. With this in mind, let’s begin this book by examining business models and strategies.
Assessing Your Company
Before venturing into the deployment of Windows 2000 in your enterprise, you first need to take a hard look at your company and see what your company is about, in terms of its construction and how it conducts business. The exercise of digging in and examining a company’s model and processes isn’t just good for your Windows 2000 rollout and absolutely necessary to pass test 70-221; it’s also good for you. After going through such an exercise,
you’ll undoubtedly find that there were holes in your thinking about certain daily company processes. In some cases you’ll be able to help find a better way to make these processes happen. In other situations, you might find that your own knowledge has increased and you’ve learned something about the way that others have solved a business problem. Certainly in many situations, a business process will be just what you expected it to be, and you can go on to the next one. But the point of this exercise is that the more knowledge you accumulate about how your company does its business, the better the fit you can create between Windows 2000 and your company.
Microsoft wants all its MCSEs to be responsive to the needs of their businesses, and so has made these kinds of analytical skills a critical part of this exam.
Your first step is to analyze the company’s business model and its geographic scope. Understanding how the company is set up and where it calls home can assist you in your Windows 2000 design. In fact, critical design decisions will be based entirely on this information.
Please recognize that, at this stage, you would not even have ordered the equipment for your deployment yet. Right now you’re simply in information-gathering mode; you are not yet ready to size the gear or write a purchase order. The only equipment you need for the first few chapters of this book is a clipboard and a pen.
Overall Company Model
You begin by examining the company’s overall business model. What are the business models, and how will you recognize them as you start to drill in on this objective?
Microsoft Exam Objective
Analyze the existing and planned business models.
Analyze the company model and the geographical scope. Models include regional, national, international, subsidiary, and branch offices.
Let’s take a moment to outline the various company models and what they encompass:
Local
A local company is only in business within a city or a very localized surrounding area relative to a city. For example, suppose you work for a flower company that has retail stores in several suburban towns and cities close to its headquarters. None of the retail stores are out of state, and all are within a few miles of one another. This is an example of a local company.
Regional
A regional company operates in several widely geographically dispersed cities within a state or in several states or both. Suppose, for example, that you work for a company that operates a chain of restaurants localized within one large state, but with a presence in different cities within that state. This would be an example of a regional company. Another example would be an electrical utility that supplies power to customers in towns and cities in several different states; this kind of company can also be called regional.
National
A national company is one with a presence of some kind across its country of origin. In a U.S. example, this does not specifically imply that there is an office in every state or an office of great proportions, but it does imply that there is some presence in most states. The most common example is a company that requires a small office in each state to maintain a sales force local to that state. An office might comprise just a few people, but it would nonetheless be part of your company and make for interesting connectivity and computing planning. Most national companies have at least one headquarters office where the bulk of the corporate decision-making goes on.
International
A company that has offices all over the world is said to have an international presence. Again, these offices don’t necessarily have to be large to influence your evaluation and planning.
A company might have a distributed environment with a headquarters office in, say, Chicago, another large one in the U.K. (perhaps a “mini-HQ”), and several smaller offices staffed predominantly with salespeople and support personnel in many other countries. The small international offices would report their work to the U.K. office, which would subsequently report its progress to the central office in Chicago. Sounds charming, doesn’t it? Getting it to work well, that’s another story. This model undoubtedly carries with it the most complexity. You may have to deal with language and cultural barriers, tariffs, and political issues.
Just because a company has an international presence does not necessarily indicate that it also has offices all across its home country. A company that specializes in imports wouldn’t necessarily need a host of offices in its own country, but would require several strategically located international ones.
Subsidiary Offices
Some companies specialize in a certain venture and then find that they need something else to make their particular area of expertise more palatable to the public. So, rather than reinventing the wheel, they buy a company that’s already doing whatever they need done. Microsoft is a really great example of this. Although Microsoft has lots of developers feverishly working overtime on its software, that doesn’t mean Microsoft writes everything that it bundles on a CD. It also buys companies that have a certain software-writing expertise. A company that is purchased and yet retains its own identity is a subsidiary. If, for example, a nationally recognized dairy were to buy a farm machinery company, it’s very possible that—for financial, patent, and other reasons—the newly purchased company would retain its own name, possibly its original staff, its location and buildings, and so forth. The parent company would certainly dictate and make changes, but the subsidiary could go on doing business as it has been doing all along. Subsidiaries present unique challenges to network designers and IT people because typically you inherit a legacy group of administrators who are accustomed to doing things their way and who may not necessarily be amenable to reinventing their lives in order to fit their new parent’s mold.
Branch Offices
Some companies may maintain one central headquarters office but also have several branch offices that have some autonomy relative to HQ. Perhaps the most obvious examples are insurance companies. Since the insurance regulations are so different from state to state in the U.S., the central headquarters office may be forced to comply with certain regulations within one state that they don’t have to obey in another. Size also dictates the need for a branch office.
A bank that has substantial operations in one state may require a large investment in buildings and employees there, thus granting a certain autonomous status, of necessity, to the branch. That autonomy is, of course, relative to the stuffiness of headquarters. An interesting side effect of a branch office is that it may feed several satellite offices within a jurisdiction. For example, a nationally known beverage company may have one or two large canning and bottling facilities in a state that, in turn, supply many downstream wholesalers and retailers. To make the branch office model run smoothly, you need to concentrate on what it takes for each branch to be successful.
The Frame-Hub-Spoke Concept
Think of a bicycle. Your company’s main office is the bike’s frame. You couldn’t get anywhere without a frame to ride on, could you? The larger regional sites are like the hubs of the bicycle wheels. You can have multiple hubs, can’t you? But the hubs are attached to the bicycle, and they turn where the driver says they’ll turn. The smaller three-, four-, or five-person offices are called spokes. They’re a part of the hub, and there’s a layer between them and the bicycle frame. They’re not as intrinsically important as the hubs or the frame (one spoke can break on a bicycle and you can limp along for a while until you get it fixed), but they’re nonetheless part of the enterprise. Most environments have enormous computing power located at the headquarters office. The hubs typically have moderate equipment needs, but not to anywhere near the degree that headquarters has. The spokes often have very low hardware requirements and may not even have their own server. Users at spoke sites typically log on to servers located at the hubs and are connected to the hubs by somewhat thin WAN connections. Are there other network deployments apart from the frame-hub-spoke method? There are certainly differences in the methodology, but I think if you poke hard enough into figuring out your business design, you’ll see that it fits this basic layout. There may be several frames, for example. Some companies may have a main office but also have many, many other offices that handle enormous amounts of workload and are essentially autonomous. A setup like this would be a frame/frame (or frame/frame/frame) deployment. There are also hub/hub sites and spoke/spoke sites. Smaller companies that have specific goals for each site are representative of a hub/hub deployment. Autonomy is high, as is creativity, and there’s no need for the “my way or the highway” ethic.
Sites like this make it very difficult for network administrators because of the laissez-faire nature of the business model.
Spoke/spoke sites are essentially composed of small units attempting to garner some sense of connectibility. If you’re the owner of a small network consulting firm in Denver and you set up a small office in Salt Lake City, you want some method of getting files and e-mail to the remote office, but you’re not necessarily interested in calling every shot on every sale. You want to grant some autonomy and yet assure yourself of connectivity at the same time. Frame/spoke sites are those with one massive central HQ and tons of spokes that may or may not be connected to each other. Almost every conceivable combination of a frame, hubs, and spokes is possible. You probably have a frame-hub-spoke layout of some sort at your workplace. It’s easy to spot, easy to diagram. Get out your clipboard and see if you can diagram what your company looks like.
Geographical Boundaries and Scope
The geographical scope of a company really presents an interesting twist to the whole network design scenario. Suppose, for example, that you’ve drawn out your company’s model in Visio or on a piece of paper. What does it look like? How many cities, counties, states, regions, or countries does it traverse? What economic, geographic, facilitation, and political issues do you face with a given connection? Are you comfortable with, or even familiar with, the costs involved to set up communications between two sites? If you have a frame/hub/spoke setup, from what you know now was it correctly designed? Look at the ordinary accounting difficulties (for instance, one country charges a tariff for crossing boundaries while another does not) that your network presents. To a company of any size, costs are the one thing that must be managed. A company that can’t manage its costs will at some point be forced to, or it’ll go out of business. But there’s a fine line between managing costs and digging too far into productivity—reducing costs so much that people can’t effectively get their work done. Unfortunately, even though you may not have an accounting degree, as a network designer you’re the one faced with the charge of managing that dilemma.
As an MCSE candidate, you have to understand these issues if you want to pass the exam. For example, should you design your Active Directory (AD) deployment so that the organizational units (OUs) you set up—the individual spokes or hubs as you define them—comprise logical geographic separations, business separations, or some iteration of both?
The Windows 2000 model consists of forests, trees, and domains. Domains that share a contiguous namespace within a single Active Directory make up a tree. Several trees make up a forest. Now think of the frame-hub-spoke model. Your entire organization is a domain; the central headquarters would probably be an OU within the domain. Out of it would come various geographic locations that are close together, or have some business function in common; these would also be OUs. Each subdivision at each geographic location would be a child OU within its respective parent OU. So you can apply the frame-hub-spoke model to the Windows 2000 forest model fairly easily.
You can create multiple domains for one company, like you did in Windows NT if your network needed separation. However, with Windows 2000, Microsoft typically recommends keeping it simple and using one domain for your entire corporation.
Details about sites, domains, trees, forests, and OUs are tested in more detail on the Active Directory tests than on the Network Infrastructure Design exam. However, in designing a network and/or preparing for the design exam, you do need to be familiar with how and when to use the various containers.
Location Makes the Difference
How is your company physically structured? Where are its locations? How many people are at each facility? What do employees at those locations do? The answers to these questions can make all the difference in your network infrastructure planning. Consider, for example, a company with three physical locations within the same state. There is one central office and two branch offices. Personnel at the branch offices are required to submit weekly reports containing detailed sales figures. Is it critical for the branch offices to have a dedicated T1 line to headquarters? Probably not. However, if the employees need constant and updated access to information in your Oracle database located at headquarters, the story might be different. How many people are located at each branch? 5? 50? 500? The more the merrier, of course, but also the more you will likely need to pay for proper bandwidth. What about a single point of failure (SPOF)? If the connection dies, how much of an impact will it have on your business? The previous example is a simpler study than a large international corporation. First of all, you are likely to have many physical locations, some of them in countries outside of the United States. How are things going to be set up? Will the main IT office in the U.S. handle all major networking issues? Will there be a European hub and an American hub, each with spokes reporting to them? What about connectivity issues? Once again, how many people are at each location, and what do they do? How much traffic will need to go between locations? Is there enough bandwidth, or will there be a bottleneck? The larger your organization is, the more you need to worry about. So in your network design, you now have two additional things to think about. The first is an economic issue: How much is it going to cost to connect one location to another? As you’ve seen, the answer to this question depends a great deal on how your company is organized and on its geographic scope. The second point asks the same “how much?” question, albeit from the other end: Based on the users and the scope of the work they do, what’s the impact on the company if the connection goes down due to an SPOF or bottleneck? You won’t answer these questions by yourself; a host of people have to participate. Microsoft recognizes this point in the case studies on the exam by giving you the perspective of employees from all levels of a fictional enterprise. To determine the best solution, you’ll have to take all these perspectives into account.
Understanding Business Models
You just got hired at a company that has two large campuses, Campus A in the suburbs and Campus B within the city. The campuses are about 10 miles from one another, but because of the navigational problems of big-city driving, it takes about 30 minutes to drive from one location to another. The campuses are currently connected to one another by a T1 line provided by a regional phone company. At each place, there are about 500 users and an older Cisco 1000 router connected to a patch panel that has wiring to the servers and users. Your first day on the job, you realize that this is the classic local company model.
There are mid-level managers at both locations, some reporting only to one location, others with offices in both locations. Campus A houses the executives and, though there is moderate autonomy, the ultimate directional goals come from those executives. Just before your three-month review, management purchases eight small entrepreneurial organizations that they’d like to connect to. These small facilities are composed of only a few people each. Two locations are within 30 miles of the city, two others are in different cities within 100 miles of the main headquarters, and four others are in small towns in the same state. Your boss asks you to start thinking about some of the issues related to this proposed new setup. First off, you quickly figure out that your company has expanded to a regional model. With these new sites, there might be some problems with rooted-in autonomy; they have been running their own network for some time and may not be receptive to proposed changes to their network. This calls for serious communication by you—rapid and explicit relationship-building with these new stakeholders. You also quickly grasp the importance of the SPOFs that you’re likely to set up; you want to think long and hard about possibilities for reducing bottlenecks and providing fault tolerance and redundancy wherever possible. Your design goal involves high-speed data links provided by your phone company. The phone company will provide the routers, so you’ve been assured that they’ll be the latest and greatest that can be had. You get this agreement in writing. Redundant circuits are quite out of reason for these small groups, so you opt for a Remote Access Service (RAS) setup on the local servers, just in case. Finally, you put your foot down and insist on good quality server gear at these locations, over-engineered by 20%–50%. 
Having visited each location, you’re underwhelmed by the caliber of gear they’ve provided themselves, and you decide that you want to make their connectivity experience pleasurable and their impression of you quite professional. In some situations, you’ll need to visit all locations to see what the layout is. In others, you can simply discuss strategy with the local administrators. In either case, you need to understand what is currently in place and where the network needs to go in order to make a good design.
Examining Your Company’s Processes
Analyzing your company’s business model and geographic setup can lead to questions that worker bees—employees who don’t hold power positions— don’t often ask. What does my business do and how does it go about doing it? For example, why do we have a site in the Netherlands? Why is the engineering group based out of Detroit? Why do we have a sales team in Altoona? Who’s the network administrator in Kuala Lumpur?
Microsoft Exam Objective
Analyze the existing and planned business models.
Analyze company processes. Processes include information flow, communication flow, service and product life cycles, and decision-making.
Do you know why your company does what it does? Maybe you don’t agree with the decision-making that went into a particular decision, but somebody must have put some thought into why the company acted in a certain way or established a certain geographic presence. Even if it makes no sense to you why the network is the way it is, you always have to be objective and nonemotional. Remind yourself that no matter how lame, there must have been some thought and decision-making effort put into placing a given office and putting certain people to work at a given task. It’s not up to you to question the whys; it’s up to you to figure out the hows.
This is especially important relative to Windows 2000 deployments, because now it’s all about what your Active Directory design is like and how the forests, domains, sites, and OUs are set up.
I can hear you arguing that your company employs 30,000 people, you have offices all over the world, and you’re only responsible for one small part of its overall operation. You may well be only a small fish in a big pond, but you nevertheless have to communicate with other entities or agencies in your company. It’s critical that you know how your company functions relative to how other companies function.
Consider the following example: If the software developers need to use Linux computers and Unix servers, but you’re planning a Windows 2000 deployment and need to maintain regular file transfers with them, how will you do this? IT people get in trouble when they don’t know or don’t understand what it is that their business does. Integration, interoperation, and interchange are keys to the enterprise administrator/network designer’s world. Understanding business process is a worthwhile—no, paramount—investment of your time.
Understanding Your Company’s Information Flow
How does your company get information from one point to another? Do you use Lotus Notes and have developers who have created collaborative frameworks within Notes for information transfer? Do you use public folders on the Exchange servers? Do you have a mainframe? Is there an intranet? Who are the people that maintain these systems? Where do these systems live, what servers are they on, and what buildings are they in? Here’s the best question of all: Are there systems? Some companies do quite a bit of their information interplay with paper or word of mouth, not thinking that computer systems can accomplish the same goal. If your company wants to say something new—to go where no one has gone before—how does it accomplish that? How does your company get information from one point to another? That’s one of the elements you’re looking to discover when you do your network design and diagramming. Many companies have successful information-flow procedures. The question is, how did they get that way? Did it just happen by accident? Probably not. Successful information flow—getting the data into the company in a timely manner and getting it back out in a useful form—takes planning and training. How is the information input in your company? Do people have to fill out paper forms, and other workers key it in? There may be a way you could simplify the process by creating electronic forms. What about mobile workers? One solution may be to provide them with laptops and a cellular connection to the central network. For every networking difficulty there is a solution, and your job is to find it.
Understanding Your Company’s Communication Flow
How do people communicate with one another in your company? This question can actually be approached from two different perspectives, both equally important in terms of network design. Not only are we talking about intercompany communications such as e-mail, intranet, and virtual meetings, we’re also talking about the communications ethos that has been set up where you work. Let’s talk about the easier topic first—the hardware/software component—and then tackle the more abstract component.
How Companies Use Hardware and Software to Communicate
This is where you sit down and take a physical inventory of how your company handles its communications. For example, what’s your phone system like? Does one centralized set of Lucent Definity switches handle the core business or does every geographically separate site have its own system? Are you in the midst of trying to accomplish a voice over IP (VoIP) goal using software or routers? If you are, how’s it going? Moreover, are the majority of intra-company communications voice-based, or do you work for a more e-mail-centric company? As companies migrate more and more to network-based communications, e-mail has become the central method of communicating. Some people prefer e-mail. Others, especially salespeople, are lost without a phone, so it’s all relative. That’s the judgment call you have to make relative to your network design. Why is it so important that you understand your company’s physical communications component? Here’s one example that might serve as a launching point in your mind to bring about several other reasons. If your company is predominantly e-mail-centric, it is incumbent on you as a network designer to make sure that the e-mail system is protected and highly fault-tolerant. How will you design your Windows 2000 deployment in such a way as to make your e-mail systems more fault-tolerant, more readily available, and more intelligent in how they work? My guess is that you’ll go with Exchange 2000 because of its integration into the Windows 2000 Active Directory, but that’s your design decision to make. If your company cannot communicate with customers for any reason, you will lose significant amounts of revenue. That, in turn, does not reflect well on the IT department and staff.
How People Communicate
Much more nebulous in its nature is how people interact in their daily business dealings. Can you assess how managers communicate to their direct reports? Can you readily determine how the worker bees get their requests up to management? Once again, it’s not up to you to question why, but to understand how. Knowing how the chain of command (and information flow) works will allow you to create a better network design.
As a network designer, you need to understand how interpersonal communication at your company works before you start interrogating people about their technical and business needs. If you don’t adapt your approach to the company culture, then your message will never get across. Above all, be patient and forgiving with people. Not everybody knows what you know about computers and Windows 2000. If you’re in a stakeholders’ meeting where you’re trying to convince some computer-illiterate people to part with $500,000 for your upgrade, then you need to put yourself in their shoes and answer their questions (as best as you can) from a nontechnical, nonthreatening position. Instead of making them worry about throwing money away, show them how the money they spend is an investment and can increase company profits over the long term.
On the exam, you’ll be asked to design a solution based, in part, on the needs of various individuals within an organization. If you don’t take note of what each person tells you, you won’t create an effective solution and you won’t pass the test! Also be keenly aware of company pecking order. If the CEO tells you that automating the coffee machines is the most critical priority but the accountants want a database that works, it looks like it’s time to bring on the decaf.
While understanding your company’s communications culture is important, you also need to be keenly aware of what you are communicating. If you present your ideas aggressively and continually make demands, you are less likely to get your way. It’s a good idea to approach meetings with the decision-makers with a bit more diplomacy. You may have heard the phrase, “It’s not what you say, but how you say it.” This is especially true when dealing with people who have less knowledge about a subject (computer networking) than you do. As an example, in order to pull your Windows 2000 upgrade off, you’re going to have to convince a lot of people why the upgrade needs to happen. Prepare documents that lend credibility to your argument. Answer all of the questions that people pose to you. Prove your case, or you won’t get a nickel to venture forward into an unproven new technology. You’ve got to get rid of the noise and professionally introduce your recommendations. You know that you need to do the upgrade. The hard part is convincing others to see the same thing.
Understanding Product and Service Life Cycles Not that long ago, WordPerfect 5.1 for DOS was the premium word-processing product available. There were 10 tests to attain the WordPerfect 5.1 for DOS certification! And it was a pretty big deal at the time. There was a WordPerfect magazine. WordPerfect, at that time based out of Orem, Utah, was riding a high crest. Where is WordPerfect today? Well, it’s hidden in a perfectly good product, Corel Office, but it’s not nearly the power software player that it was back in the early 1990s. So what happened? The product life cycle caught up with WordPerfect, and I suspect that some poor management decisions were made relative to its continued growth and improvement. It’s as simple as that. Products ride a life cycle where they increase in popularity, hit their apex, and eventually fade out of sight. In today’s market, it seems that the pace is accelerated. New and improved versions of a product are always available, and the old products ride off into the sunset. Service life cycles consist of roughly the same concepts. The hardware works well for a while, but then eventually becomes outdated. Once it’s outdated, it will be supported for a while, but eventually the manufacturer will drop all support. Those 386 machines you have in the office have worked well (well, relatively), but what happens when some of the RAM goes bad? Are you going to be able to find any 30-pin SIMMs? The service life cycle applies not only to hardware, but to software. Microsoft recently dropped their Windows for Workgroups 3.11 test from the MCSE program. Why? The product has reached the end of its practical life cycle, and so the service life cycle should cease also. The service life cycle lasts only somewhat longer than the product life cycle. The most likely reason for this is that some people tenaciously hang onto a proven thing rather than upgrade to an unknown entity. Sometimes this is a good position to take, but most times it’s not. In any case, you have to consider both the product and service life cycles when performing your network design assessments and recommendations.
For example, if you drive out to your site in Hoboken and find that they’re on a shared-10MB hub that’s covered with an inch of dust, I’d advise you to jot it down as a target for replacement before Windows 2000 rolls out to this office. Ideally, you’ll be able to get replacement hardware that is not only current, but will last you well into the foreseeable future. But remember, you’ve got a budget to meet too.
Identifying the Decision-Making Processes This is probably the most complicated part of your network design segment to try to figure out: Who makes the decisions? Does the CIO listen to input that is generated from her managers (who, we can only hope, get their input from people like you) and then funnel it upstairs to the vice presidents? Or does the CEO read about a new product or software methodology in a business journal and order it implemented? Some companies have an “emerging technologies” department that’s charged with the research and recommendation of new technologies. Other companies use the “architect” concept—people who have tons of everyday experience in the industry and are now equipped to make corporate decisions regarding technical direction. Does money drive the majority of the decisions at your company? In your Windows 2000 network design and upgrade proposal, you need to highlight the dollars issue. Be prepared to tell the financial chieftains who can approve or deny the project how much it’s going to cost. This is after you wow them with obvious need and the benefits to be attained from going forward with this project. Why is it important for you to understand the decision-making process? Because you need to know the political climate in order to make good decisions. You need to know who makes what decisions, both technologically and financially. If you’re able to address their concerns, your project will run a lot smoother. Also be aware of decision-making timetables. At some companies, you can dream up a plan and roll it out in a few weeks. Other organizations are notoriously slow when it comes to making decisions. Have realistic expectations of when things will get done and save yourself a lot of stress.
Identifying Plans for the Future
Finally, let’s talk about a fascinating aspect of network design and upgrade recommendations: strategic planning. Technical people spend lots of time reading about the latest and greatest, but they seldom look out beyond today’s pages to see what lies beyond. Strategic thinking—getting out the crystal ball, tea leaves, and chicken bones in an effort to forecast what’s on the horizon—is not an easy thing, but it’s a necessary exercise to go through. Strategic thinking will affect you in two ways within your company:
What is your company planning for its future?
Where will the software and hardware that you’re recommending be in the future? Are you over- or under-engineering?
You may think that we’re asking you to be psychic and predict the future. Well, in a way, we are. It might not be as hard as you think, though. Oftentimes there are strong indicators about your company’s future. Layoffs or acquisitions are good opposing examples. It helps to keep a watchful eye on your company’s movements.
Strategically Planning in Heady Corporate Times You need to have a clear perception, if at all possible, of where your company is heading, what it’s about, where it has been, and where it doesn’t want to go. If you can’t get your arms around these notions, how can you adequately plan a Windows 2000 deployment? For example, suppose that you work for a high-tech company of just a few hundred employees. You’ve gone through your IPO, and money is (thankfully) not the object it was back when the firm was you, the CFO, and a developer or two. You and your cohorts feel that you’re on the verge of a breakthrough in the new software you’re releasing. The release of this new breakthrough software could generate a tremendous growth surge in your company. Why should this matter to you? Because when you were originally setting up your Windows 2000 network, you didn’t see the need for multiple domains in a forest. You had a domain with just a few hundred users, and everything was cool. Now, in strategically thinking about the impact of a sudden, large growth spurt in your company, you realize that any new acquisitions or additions to the current network user list might affect your network design. Windows 2000 can handle this impact much more handily than the old Windows NT 4 trust relationship paradigm; but nonetheless, it’s up to you to think about and plan for these eventualities in your network design.
Strategically Planning Your Software and Hardware Future What’s out there on the horizon? Where are you going to turn? They’re looking at you to make that decision. You’re the IT guru, you’re the one who knows this stuff—what’s the hot thing for the next 5, 10, even 20 years? There are two places you can go for these kinds of answers:
Read every technical journal you can get your hands on.
Talk with those in the industry who are driving technology’s future by going to shows, attending chat rooms, and asking people who work at the forefront companies.
The point is that you cannot simply turn in a 100-page document stipulating why your network should be upgraded to Windows 2000 today. You need to include information in there about what the future looks like and why it’s good for you to implement Windows 2000 now as a segue to the future. For example, you’ve been reading about Exchange 2000’s ability to use Active Directory. With the organization that you’re in, spanning multiple geographic boundaries, coupled with the problematic communications methods you currently use, you can see that this combination of Windows 2000 and Exchange 2000 provides a one-two punch for your network problems. But you can also see that this is not an easy deployment to accomplish; you see it as several steps. Now you need to strategically devise a method with which to first deploy Windows 2000, then Exchange 2000, all the while retaining current network connectivity without any computing loss to the users. You see this as a yearlong expedition into the future. Seeing the future and somehow integrating it into the present is the hardest part of developing a network design and upgrade document. If your stakeholders don’t ask you what the future of computing is and how your recommendations interface with that projected future, shame on them! But it’s still up to you to have that information ready and to bring it forward as part of the overall planning conversation.
Avoiding Communication Pitfalls “Jake the Brake” is his name, your CEO, that is. What a tough old son of a gun he is! Nothing gets by old Jake—there is no approval process that takes place without his input or acceptance. The problem is, the company has grown from the time when it was just him, his wife, and one or two friends working out of a crummy, old downtown office to the 8,000 employees he has nestled all over the world today. And you: You joined the company when it was several years into the gestation phase, when there were a few hundred employees. You’ve seen phenomenal growth at Widgets, Inc., haven’t you? You started out as their primary network administrator and, through attrition and experience, you now find yourself in the position of NT architect. This is a very good thing (especially in terms of salary), but it’s not so good because you’ve lost touch with the company’s overall networking makeup, especially in light of its phenomenal growth.
You run Exchange Server 5.5 for your e-mail system. All users use Exchange with Outlook as their client. You also have a highly evolved intranet and, in fact, have a full-time team of intranet developers on staff. The majority of your business processes are homegrown client/server applications running against Oracle databases. Near as you can tell, you’ve got a frame/hub/spoke model in place, with the central headquarters where you work being the frame, several geographically distant sites acting as hubs, and lots of small sales offices working as spokes. The NT administration team asks you to begin looking into Windows 2000 and come up with a deployment design document so that you can roll out Windows 2000 in the third quarter. You have to make some decisions fast. You begin by analyzing your company’s current communications processes. The more you think about it, the more you realize that you’re in a highly autocratic environment, where the orders will come from the top and when Jake says “jump!” everybody asks, “how high?” This merits a lot of investigation into exactly how the communications processes work so that you can effectively negotiate the yea/nay terrain. You realize that a strategic decision point would be to move users off of the Exchange 5.5 servers and onto Exchange 2000. But you also realize that there’s a long commitment to the design goal involved as you bring up the new server plan and begin to segue users from one scenario to another. This presents you with the next obstacle: What do you think is the best way to communicate this information? With only the barest of details in these few paragraphs, it still appears evident that you need to first formulate a solid, detailed plan on how you’re going to accomplish this goal; then meet with the stakeholders to make a presentation to them on the “problem” and your solution; and finally, after getting buy-in from them, approach Jake for final adoption say-so. 
The biggest problem here is that Jake, still in the small entrepreneurial frame of mind, might not see the big picture. Your communications should be set up such that he understands today’s large-scale environment and tomorrow’s even bigger base.
Assessing Company Strategies
Every company has a strategy. Some are good; others are not so good. The companies that are successful generally have good strategies. I know that sounds obvious, but have you ever taken the time to sit down and figure out what your company’s strategy for success is? Understanding your company’s plans, both long- and short-term, can be a trying process. Coming up with a good strategy is even more difficult. But whether you are guiding your company to the top of your industry or simply trying to figure out what your company is doing, there are some basic premises you should be aware of. They include establishing company priorities, looking toward growth, assessing risk, identifying relevant laws and regulations, and calculating total cost of ownership. Sounds like a lot to keep track of, doesn’t it? It is, but keeping abreast of company strategies is a strategy in its own right.
Identifying Company Priorities Every company has priorities, and they’re not universal, or even obvious. You need to seek out what your firm finds important. Why is it important to have a feel for your company’s priorities? Most companies are in the business to make money. But have you ever considered why and how a company got started? How did so-and-so ever get into the casket business, for example? Some companies are so big that it’s difficult to picture what goes on the minds of the corporate heads who live in the ivory towers. Maybe they don’t even have a grasp of the original priorities that the company was founded on, but the concern is the present. What is your company in business for today?
Microsoft Exam Objective
Analyze factors that influence company strategies.
Identify company priorities.
By identifying a company’s priorities and goals, you’ll be able to drill in on how computing technology will help the company to meet those goals. Then, as a matter of course, if you don’t have that computing technology in place, you’ll need to design it in and provide it. For example, suppose that you know one of your company’s priorities to be in-sourcing their call-center activities for their product’s technical support, thus getting away from expensive outsourcing. You might have very definite plans about call-routing scenarios and computing gear that meets those needs. Next question: Does this gear and software work with Windows 2000? That’s the concept behind knowing company priorities, then somehow translating them into IT priorities. People who work for government and not-for-profit organizations will have a much easier time identifying these priorities than corporate workers will. Nevertheless, the exercise is yours to accomplish, no matter who you work for.
Although it may seem like your company has no priorities, nearly every company does. Of course, a major motivator for many organizations is money. Profit indeed drives business. However, some companies have nobler or more obscure pursuits. For example, your company may be focused on improving environmental conditions, or your CEO may be overjoyed by making a schoolchild smile every day because of something his company did. It’s your responsibility to find out what your company’s priorities are and design the network with those goals in mind.
Let’s start with some ways that you can begin to identify your company’s priorities. There are lots of places where you can begin to look for clues as to what your company’s leaders are concerned with:
Does your company publish an annual report? Most publicly held companies produce an annual report and usually, somewhere near the front, you’ll find the company’s mission statement. If your company has an intranet or newsletter, you’ll probably also find the mission statement posted there.
Did you attend an orientation when you went to work for this company? If so, the presenters undoubtedly gave you a clue about what the company considers important somewhere along the line.
Do you have all-company meetings in which the CEO gets absolutely everybody together to discuss issues? If so, that’s very good! If you listen closely, you’ll probably hear some priorities coming out.
Are your company’s priorities clearly reflected in the communications that managers send down to their employees? If the company’s big enough, the answer is probably not, but it’s still important to see whether you can hear it in your manager’s communications to you.
What do people stress in team meetings? What consistently comes up as the most crucial part of any project? Often you get the clearest sense of what a company’s priorities are by listening to employees at the grassroots level—that’s where the burden of a company’s goals usually falls.
If you work for a not-for-profit organization, do you know the mission of your organization? Here, more than in any other organization, mission statements are important, highly utilized, and fundamental to the organization’s operation.
If you work for a government entity, do you know why the legislature spun that entity into motion? Or has the entity spun so far off of its orbit that the initial mission isn’t recognizable anymore?
Think about your company. What are your company’s actual priorities? Certainly making money is the obvious one, but what I mean here is, how does your company go about making money? Do your company’s leaders take the market into consideration when they make a decision? Are they fast-paced and quick to act, or are they stodgy about the decisions they make? Some companies have gotten into trouble when they stayed with the “tried and true,” only to find that the market was outpacing them; I think IBM is a good example of this kind of thinking. They started out with the PS/2 and its proprietary Micro Channel Architecture (MCA), thinking that since they were king of the hill, everybody would jump on the MCA bandwagon. And they stuck stubbornly by their guns, even while the clone makers were coming up with alternatives that didn’t have all the baggage associated with the PS/2. It took IBM a while to realize what was happening in the marketplace and make a change in its priorities. One thing, I think, is very clear. In the first decade of the 2000s, change is the operating word of the day, and companies and technical personnel that understand this are the ones that will succeed in the long term. Slow, stodgy companies that don’t get the new high-paced environment aren’t going to be able to hang on. When performing your analysis on the existing network and planning for the future, keep a careful list of everything people mention as possible upgrades. Obviously, some will be ridiculous and canned right away. For the ones that make sense, prioritize. The higher the priority, the greater the need to implement. If some of the lower priority items take a year or two to implement, that may be okay, depending on your company’s timetable.
The High-Tech Startup Company You work for a startup company, funded completely by venture capital and governmental research grants. The goal of the company is a cool one—to perfect the concept of using scanning tunneling microscopes (STMs) to place individual atoms on other atoms, thus customizing new atomic compounds. What could someone do with such technology? The two founders of the company, both fundamental-particle physicists, think that the sky’s the limit. Builders could forge new building materials that are stronger, lighter, and more malleable than any known presently. Biologists could perfect new organic compounds that might fight disease very efficiently. But physicists, as you might be aware, are stuck in the awesomeness of the universe and essentially have no practical sense about business. So the marketing guy’s frustrated because he can’t get the founders out of the clouds, the sales guys have nothing to sell yet, and the mission of the company is not really clear. But, for all of the problems with trying to put a product together with a technique, there’s incredible energy in this company. Everybody’s on the same page in terms of what the capability to synthesize new atomic compounds can do. The founders have published numerous articles, and there are always research fellows, pharmaceutical company brass, governmental types, and commercial alloy researchers walking through the door. It’s just that, well, you don’t feel like you connect with anything in the real world. It’s almost like you’re selling air. You’re selling a concept and you’re curious as to how much a concept is worth. How can you identify your priorities relative to this company’s priorities? Will you find it hard to support the technological needs of a company such as this if you don’t feel it’s going anywhere or that it’s just in the business of gaining grants and not really going forward with its research?
Assessing Company Growth and Growth Strategy Managers, especially entrepreneurial types, can sometimes be very cautious about a company’s growth and rightly so. Too much growth too soon can kill a company, or at the very least stifle its capabilities for years to come. Too little growth can keep a company from seizing opportunities that might propel it to a new, higher level. It takes skill and thought to make the right decisions that position a company’s future in such a way as to obtain a strategically planned kind of growth.
Microsoft Exam Objective
Analyze factors that influence company strategies.
Identify the projected growth and growth strategy.
Your Windows 2000 rollout has to include the planning and forethought that you bundle in as a result of taking a look at these prospects. For example, growth will have a definite impact on your design of the Active Directory (and its future growth), not to mention the adequate provision of services such as DNS and Dfs. Being able to look out into the future and determine how the company will grow allows you to plan for that kind of momentum. This kind of planning will most likely find its way into over-engineering infrastructures and computers that aren’t being used to their fullest potential today but will be tomorrow.
The Windows 2000 test will assess your ability to formulate valid judgments about a company’s growth and its growth strategy. But what kinds of factors are involved in company growth patterns? On the test, case studies will provide a lot of clues as to the expected growth of the company, and therefore your requirements for possible network expansion. In real life, the clues aren’t always so obvious.
Not very long ago, some computer enthusiasts in San Francisco were inventing a new computer technology—virtual reality (VR). You’d use computer code to design a building before it was ever built, then put on some gloves and a mask and go inside the computer for a virtual visit of the building. VR was touted in its day as a highly relevant science that would enormously assist engineers in their quest to build a better mousetrap without having to assemble tons of prototypes. To some degree, the techniques of VR have been assimilated and are truly being used in engineering applications, but to nothing like the radical degree that VR proponents would like to have seen. Suppose that you worked for a company that thought VR was going to be the biggest thing since the invention of the laser printer. They invested tons of time and money perfecting both the code that’s needed to generate VR images and the accoutrements that a person would need to wear to view the VR images in the computer. But then, VR never catches on, dies a big death, and the company went out of business. How could that company have capitalized on its product, its technique, and its future, and not gone out of business? Thinking about it another way, what’s the difference between a WordPerfect and a Microsoft Word? WordPerfect was an awesome product. Why is it now on its fourth or fifth owner and yet Word just keeps chugging along? In this case, it’s not the technology that’s dead, so what the heck happened? How about a company that has a highly mature product like an automobile? How do you take an ordinary thing like a car and turn it into an extraordinary thing that people will clamor for? Where is the company in the maturity life cycle of its product? What are the leaders at the company like? Often a leader who refuses to spend money on new projects kills the company with their practicality. “Nope, nope, nope. Gotta think about the bottom line!” Yes, but then there won’t be a bottom line if the product line doesn’t match what’s being released by the competition. Does the company stand on its laurels? “We’ve been Acme Insurance for 110 years! Solid, reliable, no-nonsense insurance you can trust.” Yeah, so can you advise me on mutual funds? Can you convert my term policy to a whole life account? What perks are you offering that your competition just offered me?
The business of doing business is a very interesting thing. Some people think of it as a game. You put the players here, make the strategic move there, force this battle over there, and so forth. Is your company playing the game? Are the leaders expert players? Are the decisions that are being made relevant to the rest of the competition? Is your company the one that aces out the competition all the time? Are you the idea guys? Are you sitting on a cash cow product and just raking in the bucks, not concentrating on the next step? What’s your company’s future? You have to consider all these factors as you design a network. If you fail to do so in real life, your design will suffer. If you fail to do so on the exam, your grade will suffer!
Truly, What Is the Best Fit? You begin to work a new job for a civil engineering firm, one that builds the cloverleafs and bridges and other highway elements that are needed for safe travel. The engineers, you begin to find, are a humorous bunch with a large intelligence quotient and tons of ideas. They’re easy to get along with. Until you try to mess around with their computer systems, that is. Then they get really riled. For example, some of their favorite software is based on VAX/VMS, ancient as the sands of the Gobi, and you really think they could better themselves by checking into something with a little more chutzpah. Your company uses Windows NT for the majority of its networking needs. You have a couple of Exchange Servers, the financials are kept in Oracle on some Unix boxes, your admin staff uses the standard office support tools, and, all in all, the whole place sails smoothly, except for this antiquated software that you can’t see any reason why the engineers keep. You begin to do some checking around. You’d like to implement a thorough Windows 2000 upgrade, and you’d really enjoy proposing a design that would include bringing the latest in engineering software to their desktops. You think you can make the case for things like a reduced cost of operations, because the engineers won’t have to work so hard to do what they do, payroll time will be reduced, and software resources will be consolidated. After your presentation, you find that the engineers are quite amenable to your suggestion. So much so that, instead of you, they appoint one of their gurus to go out and research the newest, latest, and greatest in the field. You’re disappointed to think that your growth plans still won’t include the engineers’ software. Why? Because the solution the guru found is based on, you guessed it, Linux. Now you have only one of two options on your hands. 
You can try to argue with the engineers that Linux is not the solution for your network (possibly even getting forceful with them in the process—something you’ll learn that engineers will never stand for), or you can submit to their desires.
What’s the call? How would you design this network? A couple of thoughts here might help you out. While your intentions are wonderful, realize that you already have Oracle sitting on Unix servers. It’s unlikely that you’ll convince people to move software they’re totally reliant on. I’m not convinced you’d want to make that move, not unless you’re a glutton for punishment. So Linux isn’t all that big a stretch for the environment anyway. Second, engineering apps are highly specialized. It’s quite possible that the best fit isn’t on an NT platform. You like Ford, another likes Chevy, still another likes Dodge. Which is best? That’s up to the person using the vehicle, isn’t it? Finally, note that Windows 2000’s tight Unix integration, while not a marriage made in heaven, doesn’t rule out the systems cohabiting. All is not lost—it’s merely integrated!
Assessing Risk

Risk is the business concept that you’re placing some critical aspect of your company, maybe even the whole company, into jeopardy by going forward with an idea you firmly believe in, one that you think will forge new ground for you and for your customers. Some companies are risk averse. Others are like tightrope walkers, willing to take that step out onto the taut line.
Microsoft Exam Objective
Analyze factors that influence company strategies.
Identify the company’s tolerance for risk.
The first thing a good manager should look at when pondering a company’s potential for growth is the risk-management aspect of it. How much can this company grow before it’s in a danger zone and you’ve gone too far with it? How little do you want it to grow? When should you stop growing the company so that it stays manageable? The answers to these questions are as far-reaching as the managers who are asking them.

Suppose that you’re an entrepreneurial restaurant manager. Business is good, customers are flocking to the door, and your reviews in the newspaper are sterling. Would you consider building another restaurant? Probably so. But how far, realistically, could you take such an operation by yourself? You probably wouldn’t grow your restaurant “chain” much larger than the point at which quality began to drop, because you couldn’t keep up with the demands of attending to each restaurant. But then, consider a restaurant chain like Denny’s or the Olive Garden. How do companies like those maintain the quality of their food while growing to thousands of restaurants in many different countries? The secret is in the planning for growth: planning for the capitalization of the growth, training the managers, and settling on one way that things are to be done. You have to have plenty of capital to pull off such a venture. It’s a risky thing and you have to plan for the inevitable failure of a restaurant or two. The entrepreneur doesn’t have that luxury. So there’s risk associated with both kinds of endeavors, but the risk for the ambitious entrepreneur is far greater than for the corporation that’s starting up its 1,000th restaurant.

In the IT world, the planning that’s needed is identifying risks and eliminating or at least reducing them. For example, it’s a risky thing for an IT shop to maintain its own external DNS, with all of the ramifications associated with installing and maintaining the service. The risk is that computers won’t resolve names correctly and users will take longer finding computers than they used to. The mitigation of the risk is to learn everything you can about DNS, apply what you’ve learned in a small setting such as a lab, then go forward with the rollout. You still won’t be home free (you’ll have some cuts and bruises to show for the risk you took), but the patient will indeed live.

Maybe it’s that way where you work. You want to roll out a Windows 2000 solution. You’ve got plenty of managerial backing, the financing is there, and you have people who can help you with the rollout, people who are anxious to get the experience. You’ll prepare a project plan and go slowly.
The risks are not that great because if you fail, you’ll only have failed in one tiny segment of your rollout. You can back it out and see what fix is needed. On the other hand, the administrator who works by himself with a handful of servers—the kind who troubleshoots user problems by day and only has the luxury of configuring Windows 2000 rollouts at night—is in much greater danger of failure.
How much risk you can take should always be at the front of your mind when planning any network change. Of course, everything should be backed up before you begin. But if your company can only handle zero downtime, your planning will take a different route than if you could bring the network down for a few hours during the middle of a day.
So risk assessment, both of how you think your company’s going to grow and of how risky your rollout is, plays a big part in how you’ll handle the design and deployment of your new Windows 2000 environment.
Targeting Laws and Regulations Affecting the Company

Today’s wild ride in the corporate world means that you never know what to expect regarding the laws and regulations that are set down before a company. Some of the world’s largest mergers have taken place just within the last couple of years. Consider, for example, the merger of Time Warner and America Online (and now EMI music in Britain). Here you have an absolutely enormous media conglomerate that owns everything from books to magazines to movies to TV studios (CNN included) and now to the Internet and the Beatles’ catalog of songs! Are they a monopoly? What about Microsoft? How is each going to be regulated by the government?
Microsoft Exam Objective
Analyze factors that influence company strategies.
Identify relevant laws and regulations.
As a network designer, you may feel that you’re far removed from these considerations, but you’re not. When you create a network design, you have to take into account how government regulations affect the way your company does business. Are there any trust-busting law enforcement agents looming on the horizon? What about environmental protection officials with emissions detectors? How about setting up networks in other countries, where the rules are different, the networking standards are far removed from your own, the security standards may or may not be enforced, and even the language set that you install on the computer is different from your own? There are lots of rules to learn and understand, especially in multinational enterprise environments. The bottom line is that companies have so many places to look for potential trouble spots as they grow that once they hit a certain size, it’s worth their while to keep a full-time cadre of legal experts on retainer just for the times when their opinions are needed, such as in a multinational environment.

Imagine, for example, being in the gas and oil business. You’re heavily regulated, both in the way that you run your company and in the manner that you deliver your products to market. On top of that, you always have the whims of OPEC on your mind. What will tomorrow’s oil be worth? Then there’s how potentially dangerous refineries can be and the constant oversight that occupational safety authorities maintain at such a facility. Top that all off with environmental concerns, with the difficulty of finding good people, and struggles with unions. So why does anyone go into the oil business? Because it’s profitable, that’s why. But what if you’re an upstart, entrepreneurial oil company, or is there such a thing today? How do you break into competition with players like Mobil, Shell, and Conoco? What if you head up Conoco and you see the recent megamerger between Mobil and Exxon forming the largest oil company on earth? Are you jealous? Is there a way that you could merge with another big oil company too and become even larger? Just how large is too large? What would the Justice Department, the SEC, the United Arab Emirates, and a host of others have to say about it? How long would it take your lawyers to talk to their lawyers to get the whole thing nailed together? What if you were slapped with a lawsuit? No! You can’t do that! This is the kind of thing that keeps CEOs up nights: worrying about how they’re going to pull off such a huge growth spurt.
Be careful to mind what your legal team says. Of course, they will have their priorities for the new network as well, but if something can’t be done for legal reasons, pay attention.
The Plethora of Laws and Regulations

There is hardly a business in the world today that isn’t regulated in some way. It seems like it’s almost a fourth law of physics: For every business endeavor, there’s an equal but opposite legal reaction. For example, take the recent Y2K brouhaha. There was actually talk of the lawyers making oodles of money because they would sue large corporations for not seeing to their duty of providing a computing environment free of capricious bugs. It was outrageous, but for all of its outrageousness, lots of people were totally serious. So, what kinds of legal ramifications can a company face in its decision-making efforts, especially relative to a Windows 2000 rollout? Let’s enumerate some. There’s no doubt that you can personally augment this list tenfold. But the point here is to get you thinking about what sorts of laws and regulations you might have to work with and how they might impact you in your efforts.
Medical Regulations Not only are clinics, hospitals, and doctors involved here, so are the medical equipment manufacturers and pharmaceutical companies. If patient information were to become public or if someone died because of a computer failure, there could be severe backlash.

Commerce Regulations Trucking and shipping companies are at the forefront of this category. What are the interstate shipping guidelines? If you ship internationally, what about tariffs? Are you going to try to ship to an embargoed nation? That could get ugly. Other issues like sales tax and Internet shopping also apply here.

Government Agencies This one almost doesn’t need explanation. What rules is your agency bound by? Are you doing your best to spend the taxpayer’s dollars in their best interests? Federal, state, and local governments all have different guidelines by which they operate. Be familiar with your boundaries.

Once again, consult your legal team. You are getting paid to make sure that the network is the best that it can be. They get paid to cover the legalities. Work together and most problems should be eliminated before they even happen.
The Government Contractor

Suppose that you work for a big company whose mission is to act as a contractor to the U.S. government. A lot of what the company does is highly classified. The most mission-critical component of your company is its ability to maintain its work according to the various layers of classification that are imposed on it by its government contracts. You currently use a variety of NOS platforms: Novell NetWare, Unix, and even some OS/2 Warp servers, plus, of course, Windows NT 4. Your management is considering consolidating everything onto one NOS, a big, tough, expensive, and gutsy move. The leading contender, of course, is Unix for the servers, Linux for the desktops. You’re asked, as one of the NT designers, what Windows 2000 would have to offer that Unix could not.
After nobody laughs at your line about how hard it would be to find Microsoft Office for Linux, you begin to talk about the security features that Windows 2000 integrates out of the box. Specifically, you mention Kerberos, the three-party authentication protocol (client, application server, and Key Distribution Center) that Active Directory uses for domain logons. Kerberos itself originated on Unix, so the selling point is not the protocol but the integration: every domain controller is a KDC, and a user authenticates once and can reach any resource in the plant without re-entering credentials. You talk about how AD can segment the rather large operation into meaningful entities, regardless of how small or large they need to be. Forests can be created, as can trees, domains, and organizational units, and rights can be assigned through universal groups, domain global groups, and domain local groups. You mention that the telecommuting factor, a strong one at this company, has been highly updated in terms of its security: the RAS servers can hand authentication off to a RADIUS server, and there is support for VPNs using PPTP and L2TP over IPSec. You also mention that Windows 2000 Professional workstations can be locked down further than before, since Windows Installer lets software be installed and repaired under administrative control rather than by the users themselves. All in all, there is little convincing evidence that would make a company migrate from Windows to a complete Unix environment and much more evidence to support the opposite move.
Identifying the Total Cost of Operations

The total cost of operations (TCO), the costs incurred by procuring, installing, and maintaining a specific system, is another factor in how a manager chooses to grow the business. There are many factors in the TCO question, many considerations and details to think about. For example, what if you make garden equipment and you’d like to begin offering motorized equipment that could be used for mowing lawns, trimming shrubs, mulching, and the like? You set up your new business branch and purchase the small engines that go inside lawnmowers and weed trimmers. You personally manufacture the chassis, frames, and so forth that are used in the devices. As time goes by and your new motorized tool division gains some steam, you begin to look at the books and realize how much it costs you to purchase the crates full of engines that you need for your business. What if you could find a company making small engines and merge with them? You could effectively cut down your TCO and grow the company at the same time!
Microsoft Exam Objective
Analyze factors that influence company strategies.
Identify the total cost of operations.
You may be more familiar with the term “Total Cost of Ownership” as TCO. Although Microsoft calls it operations, the concept is the same.
But what risks would there be in such an undertaking? Probably capitalizing the merger would be the single biggest problem: How are you going to pay for it? What kinds of other issues might you face in such a venture? What if you purchase a company with problems that are cleverly hidden, and you inherit a mess? Would you reduce your total cost of operations, or would you actually see an increase in the total cost? It’s highly possible that even though a company thinks they’re leveraging themselves in such a way as to make a huge dent in the marketplace, they actually make a mess of their company and wind up with less than they had to start with. This is what it’s like to take stock of the growth of a company and make sure that growth is managed well. As a network designer, your job will probably not be to make financial decisions, but it will be to understand financial decisions. Furthermore, it’s up to you to present a network design in the best possible financial light and then to objectively compare and confirm whether a decision to go forward with a design is the financially most amenable approach. You’ll have to detach your technological thinking and think about things purely in dollars and cents. You may or may not have a specified budget for your network upgrade. If not, consider yourself lucky! Other times, you may be given the ambiguous ultimatum to “make it work, but watch costs.” It’s then your job to, as they said, make it work. But at the same time, don’t go crazy with purchases. Sure, it would be nice to run fiber to everyone’s desktops, but is it worth it?
The Decentralization of the Windows Network

Probably the most fundamental accounting talk you should have with yourself, before you talk to the financial folks at your company, is how you’re going to set up your server farm. In fact, you’ll have to pay pretty close attention to where you’re going to place things. The day and age of having every single application running on one or two servers, even in small shops, is now officially over. As soon as you implement Windows 2000, you are no longer going to be able to run your entire shop on one box and meet network user performance or uptime requirements. It’s as simple as that.

You need to examine ways that you can decentralize the server software components of your network. What I mean by that is look at the jobs the various servers are involved in. If you run into a server that’s involved in several dissimilar duties (for example, the server is doing WINS and DHCP, is print serving, hosts an application or two, plus acts as a file server for some users), you’re going to want to split that duty out. Why? Your server simply won’t have the capacity for all the activity that’s going to be placed upon it by Windows 2000 and your users, and a box that does everything is also a single point of failure whose outage takes everything down with it. The centralized concept is not a good design point, and it’s one you must jettison as you go forward into your new upgrade design.

There’s one little exception: It’s fine to have one or two servers acting as domain controllers and hosting your DHCP/WINS/DNS environment. That’s all they do: validate users and keep TCP/IP happy. In a centralized fashion, this particular design will work fine. But once your centralization of your domain controllers is done, don’t go loading Exchange or SMS or any of the hundreds of other NT-based apps on them! A domain controller holds the directory database and every account’s password hashes, so every extra service you run on it is one more way for an attacker to get at them. Place applications on servers that are engineered and built specifically for hosting applications. File and print-sharing boxes have the heft needed for multiple simultaneous user accesses. And so on.

Figure 1.1 shows a small network design that goes from being highly centralized to highly decentralized. In this diagram, the old network only had two computers. Even in the Windows NT 4 environment and with a small shop of only 25 to 50 users, they were undoubtedly highly overworked computers.
You had tons of things happening on each computer: SQL, Exchange, file and print, plus the everyday, garden-variety user validation. In a Windows 2000 design, you won’t get away with this. For starters, the computers would have to be so large that this design wouldn’t be cost-effective. But more importantly, it’s just not a good design. The key to stability in the Windows environment is to not introduce numerous variables into any one system. The new server farm shows that you’ve had to purchase six more computers! (And probably beef up the two you already have.) But you’ve wisely decentralized your computing environment so that disparate computers are handling dissimilar apps. You’ve opted to put Navision, your Windows 2000– certified financials software, on a cluster so that it has higher fault tolerance than even one native Windows 2000 box can provide.
FIGURE 1.1 Decentralizing your server farm

Old server farm (two computers):
PDC: Exchange 5.5, SQL Server, DHCP, WINS, 6 printers
BDC: SMS 2, Navision, WINS, 12 printers, file sharing

New server farm (eight computers):
DC: DNS, DHCP, WINS, AD
DC: DNS, DHCP, WINS, AD
MS Apps: Exchange
SQL Server
SMS
Navision cluster: Navision, Navision
File & Print
File & Print
All of these design issues, of course, mean that you’re going to meet with the financial folks and ask for way more computing equipment so that you can accomplish your design. Do you have buy-in from the stakeholders and managers on going forward into Windows 2000? If so, you shouldn’t have a problem obtaining the funding for the new equipment. If you don’t have initial buy-in for the project or they won’t fund the new gear, my advice would be to not go into Windows 2000 until you can do so.
Breaking the Bank

You have a small network, you’re interested in going to Windows 2000, and you’ve come up with a solid design plan. The chief financial officer has told you that you cannot purchase the extra six computers you need; he doesn’t see the need for all those computers. But you can purchase three, provided you can get a good price for them. He has told you that you can spend $10,000 on your total computer hardware budget. You’ve looked at the existing domain controllers, and you know you’ll have to upgrade them from their current 64MB of RAM apiece to a minimum of 256MB. The disks look OK; there’s quite a bit of space on them and they’re both using hardware RAID controllers. You estimate that the new memory is going to cost you $2,100, so you’ve officially cut your budget down to $7,900. The computers you need to buy must be fairly sophisticated. They must have enough RAM in them to make the applications and the NOS happy. You’d like to have lots of disk space for your file and print servers, and you’d prefer to put everything on hardware RAID controllers for optimum speed, disk efficiency, and fault tolerance. There are now two design issues. The first is this: Can you redesign your server farm in such a way that you can adequately host the apps on three additional servers? The second question follows: Can you purchase the computing power you need with this limited budget?
Summary

You begin your Windows 2000 design journey by assessing your company’s model; types of models include local, regional, national, international, subsidiary, and branch. Identifying the model that your company fits will assist you in determining the Active Directory makeup of your new Windows 2000 framework. For example, should domains and organizational units be designed around geographic or business boundaries or both?

Next, you examine your company’s processes to determine the method in which communications are made and in which business decisions are implemented. This is a much more subtle perspective to try to assess, but it has the same kind of importance, in terms of your Windows 2000 deployment, as determining the model of your company. Strategic planning (making a best-guess decision about what your future network looks like) plays a critical part in your overall design as well. What are the company’s priorities? Asking this simple question can alert you to whether a new design is appropriate or not; if the company’s priorities are not IT-oriented, then what’s the point? But more appropriately, the company’s priorities will show you what your design should ultimately look like and will act as a guide for you as you formulate your Windows 2000 network.

Next, you identify your company’s growth and growth strategies. Will this company grow? If so, how much? Can you pinpoint the company’s growth strategy? Does your company intend to grow itself as large as possible, do its managers see themselves as not growing very much, or are they somewhere else along this spectrum? Windows 2000 networks are scalable and highly amenable to growth, but your network design still needs to take into account the potential for growth.

Make sure to think about the importance of relevant laws and regulations that your company has to take into consideration when going through a network design. Many companies have to obey strict rules in everything they do, and your design might have to take those rules under advisement.

Finally, consider your company’s total cost of operations. IT and commensurate operations account for a large percentage of a company’s investment in its future, so the money that is spent to upgrade the IT area must be wisely spent and provide the most bang for the buck. What kind of return on investment will your Windows 2000 network design provide?
Exam Essentials

Know what type of business model your company falls under. This is one of the first keys to understanding how to set up a new network depending on your business model. Smaller companies generally have fewer networking issues that you need to be aware of. If you are an international organization, the networking issues may be far-reaching and complex.

Understand the decision-making process at your company. Knowing who makes the decisions is critical. You need to listen to various managers at your company, and then decide what needs to be done first. Prioritize events for your future rollout. Know what kind of a time schedule you are working with.
Know what the company priorities are. Obviously, money is a good first choice. But in terms of the network, who wants what? Listen to everybody involved. Prioritize options based on the importance of the input.

Be able to predict the future. When listening to managers and executives, listen to what they say about the future of the company. Design the network so that it will be able to accommodate the expected growth.

Understand all relevant laws and regulations affecting your company. Invariably, if the laws or regulations affect the company, they will affect your network. How to design remote access, configure security, and set up remote locations are some of the things you’ll need to be concerned with.

Know how much risk your company can tolerate. If your network can’t handle any downtime, it’s best you don’t perform any risky procedures during business hours. Know what the expectations are for the upgrade. Carefully plan when, where, and how it will be performed before you begin any of the actual work.
Key Terms

Before you take the exam, be sure you are familiar with the following terms:

bottleneck
international
local
national
organizational units (OUs)
regional
risk
single point of failure (SPOF)
strategic planning
subsidiary
total cost of operations (TCO)
Review Questions

1. Your company has purchased another company that specializes in creating some hardware you need to bundle with your newest product. The other company will retain its original name and really not integrate into the framework of your company. What kind of model is this?
A. Branch office
B. Subsidiary
C. Wholly owned IPO
D. Spin-off

2. The company you work for has been involved for years in the business of writing tax return software for businesses. Now you hear a rumor that they’re talking about possibly getting out of that business and venturing into the e-commerce business of filing electronically on behalf of businesses. In other words, a business that had at one time used their software would now simply do all their updates online to your company and you would handle the filing. What areas do you think will produce problems, should this rumor prove to be true? Choose all that apply.
A. Priorities
B. Laws and regulations
C. Risk
D. Growth
E. Total cost of operations
3. You work for a state government agency. You have a dozen small locations with 10–30 users each, spread out across your state. They are unconnected, but new state legislation is going to require that you interconnect all locations in order to accomplish the business goal this legislation mandates. Specifically, you’ll require some method of transferring data back and forth between Windows 2000 servers at each site. What are the two steps that you should include in your business plan to accomplish the legislation goals?
A. Arrange for a high-speed data circuit leading from your central location to each of the outlying locations. The circuit should be as high-speed as you can afford, up to a full T1.
B. Provide training to your outlying users.
C. Set up Windows 2000 servers in each location, connecting all to the same domain.
D. Install an Exchange Server at each location.

4. You are an administrator for a technical consulting firm that specializes in marketing Asian, Indian, and Pakistani software developers to the U.S. and Europe. You have a main office in Sydney and two other offices, one in Beijing and the other in New Delhi. What is your company’s model?
A. Regional
B. National
C. International
D. Transoceanic

5. You work for a large pharmaceutical company. You’re considering a Windows 2000 rollout. What one item do you particularly need to have in mind relative to the design and commensurate rollout?
A. Priorities
B. Growth and growth strategies
C. Laws and regulations
D. Risk
E. Total cost of operations
6. You would like to go forward with a Windows 2000 rollout. The company you work for, an electronics engineering and design firm, is right in the middle of designing a revolutionary new product. Your managers are hesitant to allow the upgrade to go forward for the time being and want you to wait. What item is at the top of their mind regarding this suggested rollout?
A. Priorities
B. Growth and growth strategies
C. Laws and regulations
D. Risk
E. Total cost of operations

7. You’re a network design consultant who has been called in to render counsel and advice in the design of a new Windows 2000 network that a large restaurant supply company would like to implement. The company is thinking that updating their technology will help increase their efficiency and hence their bottom line. When you visit the company, though you’re no MBA, you can see lots of disarray in terms of how the company is organized, who reports to whom, and other subtle nuances that hint to you of a much larger problem than a technical one. While you don’t want to turn down the design and rollout job, you have some concerns that you want to bring to management. Around which item do these concerns revolve?
A. Priorities
B. Growth and growth strategies
C. Laws and regulations
D. Risk
E. Total cost of operations
8. Your CIO can see merit in your Windows 2000 upgrade suggestion. Now she wants to know how you would improve the current situation where you have only a few computers and the users are complaining about the slowness. What actions should you recommend? Choose all that apply.
A. Put enterprise apps onto one dedicated server per application.
B. Reduce the number of domain controllers and consolidate the TCP/IP portion of networking (WINS, DHCP, DNS) to the domain controllers.
C. Upgrade the tape backup software.
D. Purchase dedicated network-based RAS servers, taking the RAS job away from Windows.

9. Your company, a sporting goods manufacturer, desperately needs two separate improvements, but only has the funds for one. They need a new set of assembly-line devices to allow them to make their sporting goods equipment faster and cheaper. They also need to totally revisit their IT infrastructure, upgrade accordingly, and move to a Windows 2000 environment. The IT upgrade would allow them to complete the billing, invoicing, and materials-handling cycles on a much more timely basis. What would be your suggestion as to which one to do first?
A. Manufacturing equipment upgrade—impacts company’s bottom line.
B. Computing environment upgrade—impacts company’s bottom line.
C. Neither. Sounds like the company is close to bankruptcy.
D. Both, but use a phased approach that would allow you to handle both things at once, just more slowly than projected.
10. Your company started out as a “Ma and Pa” outfit with only a couple of employees 15 years ago. Today, the company has thousands of employees spread out over several countries, and it continues to grow at a startling rate. You’ve suggested that the company look at launching a Windows 2000 deployment and switching from their current Windows NT 4 implementation of 20 separate domains and hundreds of servers. In the context of what was discussed in this chapter, what might be one of your main concerns relative to this rollout?
A. Priorities
B. Growth and growth strategies
C. Laws and regulations
D. Risk
E. Total cost of operations
Answers to Review Questions

1. B. Subsidiaries are often the lifeblood of a company. Why reinvent the wheel when some other company out there is doing exactly what you need done? Perhaps they need a helping hand staying in business, while you need a hand making your business better.

2. A, B, C. Well, first of all, never ever give credence to the rumor mill until you hear the same thing from the horse’s mouth. But that being said, given the little bit that you know right now, it appears that there may be a priority issue. Why abandon a perfectly good cash cow? You’ll undoubtedly run into lots of legal issues with this prospective new angle, and there is definitely risk associated with anything related to e-commerce.

3. A, C. You’re not told that e-mail is a priority, so D, while a nice thing to have, doesn’t solve the business need. Also, though you will certainly need to train the users at some point, this objective does not solve the business need either. Answers A and C are the first bullet points that should go on your planning document.

4. C. The answer is C. But this is an interesting model because you’re really not doing anything in Sydney, or in greater Australia at all, are you? All of your work is focused in other countries. You’re truly international in your business makeup.

5. C. A heavily regulated industry like a pharmaceuticals firm has to consider the legal and regulatory impacts of any upgrades it makes to its computing environment.

6. D. They’re thinking that they should let sleeping dogs lie until the new product is ready and shipping. Then, when things have settled down, you might be able to reconsider the design and rollout. This is good advice—listen to it. While priorities are always on the minds of managers, hopefully you have their ear. If you say that you think Windows 2000 would be a go, and they sense that you have the personal bandwidth for such a project, then priorities might not be the leading fear. My sense is that risk probably brings more to this table than priorities.
7. A. It sounds like the company is going the wrong direction—thinking that technology will fix managerial problems. While the technological aspect of your job is wonderful and you’d like to go ahead, management needs to know that you spot other issues here. This is a highly risky consulting proposition because you’re being brought in as a technology consultant, not a management consultant. Nevertheless, it might be beneficial to point out that you see inefficiencies elsewhere in the business cycle that technology will not improve.

8. A, B. The top two answers are the best ones. Segmenting your heavily used enterprise apps onto dedicated servers will increase their performance and decrease the likelihood that they’ll crash (or interrupt other network processes if they do crash). Consolidating domain controller activity is a very good idea—one you can implement without benefit of Windows 2000, but one that will work with Windows 2000. Items C and D might be practical, but they have little relevance to the Windows 2000 upgrade apart from the question as to whether your old tape backup software will work with Windows 2000 or not. Dedicated hardware-based RAS servers are great things, but not really necessary in the Windows 2000 environment. Windows 2000 addresses many RAS-related issues.

9. A. See, it’s a question of priorities. The company can get along with the current computing environment. All right, so they work slowly, but at least they work. But the manufacturing thing, well, that’s the company’s bread and butter. If they can’t compete in terms of being able to manufacture the latest and greatest in fine sporting gear, they might as well go bankrupt because the competition will quickly overrun them.

10. B. Not so much growth as growth strategies. You already know the company’s capable of rapid growth. What you should really be concerned about is management’s viewpoint on continued growth. It’ll be tough for you to plan a network based on growth if you don’t know how the firm is going to grow.
CASE STUDY
The Billing Company
You should give yourself 10 minutes to review this case study, diagram as needed, and complete the questions for this testlet.
Background
You work for a company that performs billing and receiving of bill payments for other companies. Companies that don’t want to go to the added expense of billing and maintaining the payments of their own accounts, or who can’t really afford to set up such an operation at this particular juncture in their growth, will outsource the work to your company. Your company is responsible for the timely preparation and submission of bills to the clients of the companies that you represent and for processing the payments of those bills. You don’t handle the collections part for bills that aren’t paid on time—your client companies do that. You have a Windows NT 4 network that is working fine. Your company has 475 employees, the majority of whom work on remittance-processing machinery. The remittance-processing machines are hooked to the network so that regular reports and accountability functions can be run.

Current System
You have 10 Windows NT 4 servers connected to a standard 100Base-T Ethernet network. Everybody that is not a remittance-processing operator logs on to the Windows NT network. You run Exchange Server, a financials package, and some other applications, and you have a BRI ISDN web connection that’s hooked to a Proxy Server. The remittance-processing machines (your company calls them “the line”) can talk to the network but require no logon of their own. The supervisors who head up the remittance-processing personnel can log on to the equipment and maintain it as needed. They have the ability to run reports that provide system uptime and other status updates. It is critical that the remittance-processing devices be able to talk to the network at all times so that the supervisors have an idea of how much is being processed through the systems, thus giving everybody an idea of how on track the company is with that day’s processing cycle.
Envisioned System

Overview
You want to upgrade the entire network to Windows 2000, including bringing all of your users up to Windows 2000 Professional. There is no need to update the remittance-processing devices because they were updated last year at this time.

Your Supervisor
You’ve taken your project notes to your supervisor and presented your vision and goals to her. She says, “This is a fine idea. I’m all for it as long as you can control costs and assure us that the line can continue to talk to the network.”

Remittance-Processing Manager
“I really don’t care what you run on your network as long as these remittance-processing machines continue to run and process the bills. Downtime on this line means lost revenue to the company!”

Security
You are responsible for the security of your network. Your supervisor says, “From a security standpoint, I’m not concerned about a Windows 2000 upgrade. I just want to make sure that the line can continue to talk to the network.”

Availability

Overview
Your business is a standard 40-hour-a-week environment. Very little overtime is worked. Uptime is critical, though; the servers need to be up when the line is up.

Your Supervisor
“Remember that when the line is up, the servers need to be working. Can you provide me with a statement that tells me what benefits this upgrade will bring about for the network? For example, will this upgrade make the network run faster?”

Maintainability
One of the things you’re excited about with a Windows 2000 rollout is your ability to maintain copies of installed software on the network and then use a Group Policy Object (GPO) to download the apps to users, whereupon client software in the form of Windows Installer sees to it that the software is installed and correctly configured. Then, when a user breaks an app—which happens more frequently than you’d care to admit—it’s automatically repaired. You think this will help make your life much easier.
Performance

Overview
The 100Base-T infrastructure is well designed and runs fine. You have some concerns about servers. You’re wondering if maybe you should move the reporting app that the remittance-processing team uses from the server it’s currently on—actually nothing more than a desktop that had a server installed on it—to an actual dedicated server of its own.

Your Supervisor
“You don’t have to sell me on this idea. The desktop acting as a server situation isn’t a good one and keeps me up nights wondering when it’s going to crash. Thank goodness we haven’t had all that many problems with it.”

Remittance-Processing Manager
“I don’t mind if you upgrade the computer, especially since you’re telling me that it’ll improve the reporting performance. Be aware that you’ll have to replace it on a weekend, and you’ll have to guarantee that it’s operational by Monday!”
Questions

1. What is the business’s main concern?
   A. Money
   B. The line
   C. Their customers
   D. Timely billing processes
2. In the following chart, move tasks from the right column into the left column in the order that you should begin working on this project. (Note: These tasks are certainly not all-inclusive. In a real deployment you’d have many more tasks than this!)

   Tasks (unordered):
   Assess what brand and model of computer you will buy for the reporting server replacement.
   Prepare the business need documents for distribution to the managers.
   Obtain managerial buy-in.
   Prepare a presentation detailing the business need.
   Prepare the budget forecast.
   Meet with the stakeholders.
   Identify the Windows 2000 licensing costs.
   Prepare the overall project plan and identify the project phases, milestones, and resources.
   Arrange to test your Windows 2000 deployment in a lab with a spare remittance-processing device.
   Prepare the reporting server.
   Cut the reporting server from desktop to new server.

3. What’s the biggest risk associated with this project?
   A. Windows 2000 won’t work with the line.
   B. The reporting server won’t be any better than before.
   C. There’s a steep learning curve from Windows NT to Windows 2000.
   D. You don’t have enough time to get the project accomplished.
4. In your project planning, what will be your biggest priority to assure the project’s success?
   A. Assuring that the reporting server works as advertised.
   B. Assuring that the remittance-processing devices can continue to talk to the network.
   C. Making sure the servers have increased reliability.
   D. Assuring that Exchange stays up.

5. None of the people you talked to indicated that there were any laws or regulations involved that might hinder your work. Nevertheless, can you think of any laws or regulations that might be involved as you go about your Windows 2000 upgrade planning?
   A. Your company has a fiduciary responsibility for the companies they’re representing. Inaccurate billing representation could result in a lawsuit for your company.
   B. SEC regulations control companies such as yours.
   C. The Accounting and Finance Act of 1980 applies to your company.
   D. You could be held liable for all of your client company’s torts.

6. Looking at the following table, list the people or groups from the right column in the left column, in the order of their bearing on the success of this project (from most important to least).

   Person or Group (unordered):
   You
   Your supervisor
   Remittance-processing supervisors
   Remittance-processing managers
   Client companies
   CFO
   Remittance-processing users
   Reporting server users
CASE STUDY ANSWERS

1. B. If you haven’t gathered that the line is everything, you haven’t been listening! The line is everything; it’s the company’s money stream, the reason they have customers, and the reason for their existence. Take care of the line! Priorities, priorities!

2. See the following chart:

   Tasks (in order):
   1. Prepare the business need documents for distribution to the managers.
   2. Obtain managerial buy-in.
   3. Identify the Windows 2000 licensing costs.
   4. Prepare the budget forecast.
   5. Prepare a presentation explaining the business need.
   6. Meet with the stakeholders.
   7. Prepare the overall project plan and identify the project phases, milestones, and resources.
   8. Assess what brand and model of computer you will buy for the reporting server replacement.
   9. Arrange to test your Windows 2000 deployment in a lab with a spare remittance-processing device.
   10. Prepare the reporting server.
   11. Cut the reporting server from desktop to new server.

3. A. Without a doubt, the biggest risk in this project is the line. They’ve made it very clear that you must not hinder the operation of the line.

4. B. The most important piece of this puzzle, the one with the biggest priority associated with it, is the assurance that once you cut over to Windows 2000, the remittance-processing boxes will continue to talk to the network. The second-biggest priority will be to make sure that the reporting server can see what the line is doing and accurately report on its progress. The two are pretty close priorities, almost head to head.
5. A. You have no other information other than the fact that you know your company is acting on behalf of other companies and as such, you’re a representative of them. This implies that if something went wrong with your network design and billings were inaccurate, untimely, or in some other way incorrect, your company could be in a lot of trouble.

6. See the following chart:

   Person or Group (in order, most important to least):
   1. You
   2. Remittance-processing users
   3. Remittance-processing supervisors
   4. Your supervisor
   5. Reporting server users
   6. Remittance-processing managers
   7. CFO
   8. Client companies

Unfortunately, in this case you are by far the biggest factor on the success of this project. And, from the sounds of what you were told in the interviews, you have no breathing room in terms of making sure the network works with the line. Here is where the concept and the need for a lab environment can really pay big dividends. If you could thoroughly test your concepts in the lab before you deploy, you’d be able to sleep better. Unfortunately, it may not be possible to free up one of the big remittance-processing boxes just for some lab work. The next best thing is to take up a serious dialogue with the makers of the remittance-processing gear, alert them of your intentions, and see if you can get any feedback on how well this will work in a production setting.
Chapter 2
Analyzing Organizational and IT Management Structure

MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
   Analyze the existing and planned organizational structures. Considerations include management model; company organization; vendor, partner, and customer relationships; and acquisition plans.
   Analyze the structure of IT management. Considerations include type of administration, such as centralized or decentralized; funding model; outsourcing; decision-making process, and change-management process.
It’s vital that you understand the underpinnings of how management thinks, how decisions get made, and how they’re integrated into the society of your company so that you can plan a Windows 2000 deployment that’s appropriate for your environment and makes sense to your managers. It’s important to hear clearly what your managers are saying to you and then to take the time to neutralize any misunderstandings they have about this deployment and what it means to the company. Certain management entities can tack on provisos and a quid pro quo or two to your plan that may not make sense in the overall scheme of things. Some managers simply don’t have a feel for what you’re really talking about (though they’ll tell you that they do). Others are definitely on the same page as you are, but they may not have the power to help you get your mission accomplished. All in all, you’re faced with the delicate task of advising your leaders what the upgrade is all about, asking for what potentially could be a lot of money, and then assuring them that you have what it takes to get things installed and working.

Understanding company logistics is critical to network implementation success, but so is analyzing the structure of IT management. There are few companies whose bottom line is not seriously affected by the way the IT department is structured and goes about its business. Even from just the hardware standpoint alone, there are few other parts of a company’s makeup that require as much capitalization on such a regular basis. Add to that enterprise software purchases, including user licenses for all of the client software, and the salaries of the technical folks themselves, and you come up with a large sum of money devoted strictly to making IT work. Small wonder that senior managers and other non-IT people become annoyed when they don’t see an IT project deploy on time or, worse, when it finally does deploy but doesn’t work correctly.
With a Windows 2000 rollout, the stakeholders generally are the IT managers. They’re the ones with a vested interest in making sure the project goes forward smoothly and finishes on time and within budget. IT managers are the ones whose heads will roll if your deployment isn’t as secure or fast as you said it would be, or if it doesn’t provide the added benefits you described in your project plan. IT managers are the ones who’ll be watching the progress of the project, who’ll want regular status updates they can pass up the food chain, and who’ll require an accounting for the money you’re spending.

On top of it all, there’s a strategic aspect to your rollout. Most end users won’t notice much of a change once the network is running Windows 2000. But the people on the backside—the IT managers—will be monitoring every nuance. You need to know how IT managers think in order to properly understand how a Windows 2000 network will fit into their plans—their paradigm. This may be your project, but it’s their baby.

This chapter continues to focus on the organizational side of your network, but not necessarily on technological specifics. You should already have an understanding of your company as a whole and what motivates the company to go forward. This chapter digs deeper inside your organization to look at specific structures, including structure of the all-important IT management.
Understanding the Management Model
While the Microsoft test objectives don’t come right out and pinpoint the various management models you might experience in your career, you certainly don’t have to have an MBA to be able to spot the management models in place within any given company—just a few years’ experience under your belt will do. Let’s start by looking at the typical management hierarchy, from the top down, then segue into the management structures that get adopted as a result of various leadership styles.
Microsoft Exam Objective
Analyze the existing and planned organizational structures. Considerations include management model; company organization; vendor, partner, and customer relationships; and acquisition plans.
Management Hierarchy
You’ve probably been through this exercise on your own, but it’s always good to review your firm’s management structure based on somebody else’s definition, just to see if you arrive at the same conclusion. In the case of a Windows 2000 design and deployment, buy-in at all levels may be critical, so it’s important to take a hard look at your company’s hierarchy. Figure 2.1 shows an organizational chart that might look very much like the one at your company. Chances are, you can look at a chart like this and figure out where you fit in.

FIGURE 2.1 Typical corporate organizational chart (roles shown, top to bottom: Board of Directors, CEO, Chief General Counsel, President, Sr. Vice Presidents, Vice Presidents, Directors, Sr. Managers, Managers, Sr. Project Manager, Supervisors, Team Leader, Scientist, Technical Advisor, and “You?”)
Your company may be laid out very differently. Perhaps you work for a military organization, where you have a similar kind of organization, but you have different names for the various roles that are played. On the other hand, small companies have one or two people who assume several of these roles. It’s up to you to decide exactly how your company is laid out. Frequently, somebody has taken the time to come up with an organizational chart that explains clearly how the senior staff is arranged. The staff arrangement usually includes a person in charge of the entire company, a board of directors, various levels of management (depending on company size), and then the employees.
Company Leaders
Most companies operate with some sort of senior leader, be that a president, a chief executive officer (CEO), or someone who holds the combination of those two roles. In a privately held company, the president is the owner of the company, frequently the person who started the company in the first place. Often, as a company goes from privately to publicly held, the role shifts from president to CEO, but owners tend to retain some semblance of the old mixed in with the new. The CEO is usually looked at as the visionary—the captain of the organization—calling out the direction wherein land and good times lie.

The Board of Directors
Since a publicly held company is obligated to comply with a fiduciary duty—a responsibility to act as trustee of an organization’s funding on someone else’s behalf, in this case the shareholders’—often there’s a board of directors that oversees the company’s operations. A chairperson heads up the board; this is most often not the same person as the president, though I’ve heard of cases where this was so. The board is typically comprised of several stakeholders, often those with a heavy venture capital risk at stake, and various officers, including a secretary, a financial officer, a chief technical officer, and so forth.

Executive Management
Beneath this layer are the senior vice presidents and vice presidents. These individuals, the president, CEO, and board, together with an occasional benefactor chair or chief legal counsel, make up senior management. Executives can be tricky to figure out. Why? Because by the time a person gets to the rarefied air of executive management, he or she often has what the regular folks in the company perceive to be mixed goals. For example, a vice president of sales must be highly outspoken about the outstanding capabilities of their company’s newest products. Even if they don’t necessarily believe in a new product, they have to make sure the company sells lots of it.
Middle Management
Directors and managers make up middle management. Depending on the makeup of the company, they may or may not have input into the company’s direction—that is, they have different levels of power. There are many factors that govern the effectiveness of a mid-level manager. The visibility and importance of the department that’s being overseen, for example, can have a major influence on whether a project is given the go-ahead by executive management.

Regular Employees
Supervisors, team leaders, project managers, and “regular employees” round out the rest of the company. Most of these people are critical in the day-to-day business operations. However, they are quite a ways down on the scale of importance when viewed from the top of the company. From a networking perspective, this is going to be your largest group of users. They will have ideas for improving the network, just like senior management will. This is also going to be the group you will likely have the most contact with. Senior management will have one of “their people” call you to complain, whereas these employees will contact you directly. It’s important to take their considerations seriously, but also remember company priorities and company hierarchy.

Why Knowing the Senior Management Makeup Is So Important
There’s a reason why it’s good for you to take the time to diagram your senior management: because decision dissemination rolls downhill, not up. You might trickle information upward to your management—in fact, your input will be invaluable to the technical leads of your company—but senior managers control the purse strings and, in the final analysis, the expense that will be required for a Windows 2000 upgrade will merit senior management buy-in. If you want to get this deployment going, you and they need to be on the same page.
Perhaps senior management mandated the study and you’re simply complying. Or, more likely, you’ve got the vision, and you’re now trying to make the case for the upgrade. Maybe you were brought in as a hired consultant by management so that they have the official word on what should be done. In any event, it’s both crucial and wise for you to assess the management style that your senior management uses, because knowing how they operate is going to give you many clues about how you should operate. It’s important for you to know and understand how this food chain is set up, who the players are, what their management styles are like, and how you can best present your business case to them. On the exam, you’ll be asked to balance these various interests and read between the lines to get at the correct solution.
Analyzing the Organizational Structure

As important to your Windows 2000 design as the company’s management personnel is the organizational structure of the company. Identifying an organizational structure can be as full of hidden, esoteric nuances as identifying management styles, so take your time and really assess the situation carefully. There are two parts to figuring out a company’s organizational structure:
   How is the management organization laid out?
   How is the organization itself logically laid out?

Microsoft Exam Objective
Analyze the existing and planned organizational structures. Considerations include management model; company organization; vendor, partner, and customer relationships; and acquisition plans.

Organization of Management
The previous section talked about management organization in great detail, so you already have a feel for how to diagram such an organization. But it’s important to mention that your company’s management structure could be a bit tricky to figure out; things might not always be as they seem.

Here’s an example. Often the management of a group of people falls to a person who has absolutely no clue what the group does—especially, for some reason, in network administration. Very often in smaller companies, the network administration team reports to the financial officers, maybe because it’s thought that the administrators spend way too much money on computers. But if the manager of the network administration group isn’t savvy about computers, guess what? Communications become exceedingly more difficult and projects are that much harder to get approved and implemented.

Another common situation involves someone from a remote site, who from the outside appears not to have much power at all, but actually possesses a great deal of input on given projects. You create a huge project document, explaining to the nth degree how it will be accomplished, only to have this remote-site person swagger into a meeting one day and put the kibosh to the entire thing! (And smile while he’s doing it!) Your careful analysis of the organization of your management is all for naught because of a geographic oversight on your part.

I call these situations icebergs because, to you, the people involved appear to be inconsequential blips on the radar screen, when in reality they have the capability to rip a large hole right through your keel. An analysis of the management organization would have prevented the iceberg. You would have known that this person was out there, would be present in high-level meetings, and might have strong input.
The Organization’s Logical Layout
You now need to determine how the organization is logically laid out. In other words, you try to put together as best as you can the compilation of the management structure, where each manager is located, and what they’re responsible for. Then, as an added bonus, you begin to identify those situations where you have problems looming on the horizon.

Why is it important to find the potential problems? Well, maybe for you it’s not, especially if you’re involved in just a minor percentage of the company’s overall computing environment. Maybe your charge is only to upgrade the engineering division’s servers to Windows 2000, and you really don’t care about the sales department’s servers. OK then, no problem. But what if you’re designing a deployment that’s going to reach out and touch all servers? Or, more importantly, what if your deployment actually winds up affecting other departments in tacit ways you haven’t thought of yet? That’s where the icebergs come into play.
For example, suppose that you have a company that spans multiple geographic regions. You have administrators in each region—smart, capable people whose input you respect. You’ve talked with them about the Windows 2000 rollout, and everybody’s champing at the bit to move forward. But as you go forward and begin to meet with stakeholders and managers, you find quite a bit of friction in the form of one vice president of engineering in a region far away from you. Now you’ve got an iceberg; how do you steer around it? My suggestion is to first of all assure yourself that you have complete devotion to the project from the stakeholders and as far up the management chain as you need to go. Since this person’s a vice president, you might need to have some pretty big rudders to steer around this iceberg, in the form of executive management go-ahead. Next, you need to assess this executive’s credibility in the overall scheme of things (e.g., do others take this vice president’s complaints seriously?), and then you need to come up with your action plans. It’s not an easy task, but it’s one you need to anticipate and be prepared to deal with.
Identifying Potential Problems You’ve worked for a medium-sized service organization for years. There are about 2,500 employees spread out over a dozen states, each with a campus of about the same size, connected together by standard data network connectivity. The campuses all basically function the same in terms of their management structure and mission. In other words, executive management has its headquarters at one location, and then within each site there are managers who effectively do the same thing as managers in the other sites. You have, for example, a service department that handles the intake, repair, and redeployment of goods needing service. There is a service manager at each location, all earning essentially the same pay, all handling roughly the same amount of traffic each month, all with about the same number of employees. Windows 2000 will provide your company with enormous benefit in terms of
name server resolution problems you’d been having with old legacy systems
Active Directory (AD) deployment
Dfs implementation
virtual conferencing using LDAP and NetMeeting solutions
advanced applications that you intend to install
One of your goals, for example, is to jettison a fairly large legacy database using a well-known enterprise database software product and replace it with a Microsoft SQL Server solution. You’ve taken a hard look at the management of your company and, since you’ve been there so long, you feel you have a pretty good handle on the majority of people in the upper ranks, personality-wise. Since the management layout is logically so flat and, from all appearances, benign, you don’t think that you have any problems with this suggested database replacement. You have serious credibility with your management, the CIO looks to you for your suggestions and leadership capabilities, and you feel pretty confident. Ask yourself: Are there any potential problems? The key word in this scenario is legacy. Regardless of how wonderful something new seems, people do not like change. I have a friend who is, to this day, administering a 10-node coax 10Base-2 network with Windows 3.11 workstations, and he’s happy as a clam with the setup, as is his boss. In this scenario I think there is a definite problem waiting to surface, especially when it comes to discussing a change to a legacy database system that has worked well all these years. You might well find that more than one of the managers you think you know so well will surface and try to thwart your plans. Here’s how I would attempt to plan for such an event, though I have to tell you that sometimes you just give up on situations like this and learn to live with them. I’d really do my homework on why the database upgrade will help the company, how it will help them, and how much money it will save them. Be prepared with numbers that make good practical and economic sense. Don’t worry about trying to wow non-computer types. Try to put a TCO (total cost of operations) spin on the presentation. It’s good that you have credibility with your leadership; that’ll go far.
But now you need to put some practical business sense into why you’re suggesting this maneuver. If it turns out that you yourself really can’t see the reason, other than it looks like the really cool thing to do, you’ll never in a hundred years convince others that the change is necessary—especially the stakeholders who are working with the system and are more or less happy with it.
On the other hand, if the stakeholders have come to you and complained that the current database reeks of rotten eggs and that they’d really like you to come up with a replacement, then you have a different scenario.
Defining Your Vendor, Partner, and Customer Relationships
In business as in life, relationships are everything. Treat someone reasonably and you’ll likely get reasonable treatment back. Treat them harshly and they’ll likely return the favor. Some companies seem to understand this phenomenon, while others don’t seem to ever get it. But even if your company is neither hot nor cold regarding its relationships, you’ll probably find yourself in the middle of various alliances that you’ll have to treat with care if you hope to nurture and grow them. That’s what this section is about: the definition of and attention to your business relationships. Microsoft has seen fit to define three different kinds of relationships, though there may be others that you can readily define. Too, you may find that you are dealing with people who present a mix of types. The important action here is to define them so that you can begin to work positively with them.
Microsoft Exam Objective
Analyze the existing and planned organizational structures. Considerations include management model; company organization; vendor, partner, and customer relationships; and acquisition plans.
Vendor Relationships
Vendors are those who sell you the equipment, software, and services you need to get your job done. Some companies that manufacture products also act as the vendor for those products. It used to be that you had to go through a middle tier, a vendor of some kind, to purchase PCs. But recently some PC manufacturers such as Compaq and IBM have gone into the business of being vendors, along with continuing to have authorized channel resellers.
Other companies such as Dell and Gateway have basically been vendors from the get-go, and thus have driven the older legacy firms toward the same environment. PC manufacturers are a given. But what about software vendors? Can you go straight to, say, Oracle Corporation, to buy their latest and greatest software? You might be able to, especially if you’re a big enough client. But in the high-end enterprise software world, unlike the PC world, a middle tier comes into play frequently. This has to do with the ongoing support and maintenance assistance that some large software products require, and the hands-on intervention of an authorized vendor provides for quicker remediation and service than a large software firm can afford to provide. There seems to be a striation, of sorts, within this framework. For example, you can either choose to purchase your BackOffice software through an authorized dealer, or you can purchase it directly from Microsoft.
Partner Relationships
Partners are companies or individuals that are in the business of helping you do business. Microsoft is perhaps the best example of a company that thrives on partner relationships. They have thousands of Microsoft Certified Solutions Providers and Microsoft Certified Training and Education Centers all over the world that assist them with the massive job of training and providing programming support for Microsoft software. Microsoft uses not one, but two different partners to provide testing for the various Microsoft certification programs. Microsoft also maintains strong partner relationships with Intel and Compaq. Lots of people might say that the companies benefiting from these partner relationships are the partners and not Microsoft, but don’t you think that Microsoft would really have a hard time doing business if they didn’t have all this help at the ready? It’s a “you scratch my back, I’ll scratch yours” relationship, one that’s been in place for years. Can you analyze the kinds of partner relationships that your company might be involved with? Maybe in your IT area, perhaps in the financial, engineering, training, operations, or management offices? How about legal partnerships, where your firm doesn’t have a bunch of corporate lawyers but retains several lawyers for a rainy day? Some partnerships are obvious; others are quite subtle. But you need to clearly understand the partnerships in place at your company. Why? Because these partnerships may be the foundation that helps you in your quest to get a Windows 2000 network going. Many of your design requirements will deal with how to give these partners access to your resources.
Maybe you have partners who can help you figure out the little nuances of software that has to interface with Windows 2000. For example, suppose that you obtain most of your BackOffice software through a Microsoft Certified Partner (MCP). They might have lots of experience in working with Exchange deployments and can give you oodles of hands-on help and pointers on what to do and what not to do. All of these ideas and more are the reason that you need to pinpoint your partner relationships.
Customer Relationships
What’s the most important part of your business? Your customer. Can you identify who your customer really is? What sort of person or business represents the main type of customer your company usually works with? If you’re involved with a chain of bookstores, maybe your customer is the average person walking in off the street. If you’re a medical-supply manufacturing firm, perhaps your average customer is a hospital or a doctor’s office. It’s vital that you personally know and understand what or who your company’s customers are. Grocery stores have for several years now been obtaining demographic information about their customers. It’s no secret that the reason you have to obtain a discount card in order to reap the benefits of some markdowns is that the grocery is assimilating demographic information on what you purchase every time you go shop. Did you buy bread? What kind of bread was it? How many loaves? Your grocery store’s IT department could probably whip up a fairly quick ad hoc report that would provide a very detailed profile of your grocery shopping habits. That’s how important it is for companies to know who their customers are. So, think hard, who are your company’s customers? But even more important, who are your customers? That’s right, who would you say represents your personal customer within your company? If you’re a project manager, your customer probably consists of two groups: the stakeholders and the managers to whom you report. If you’re a network architect, then you have a slightly different set of customers: your managers and the team that will receive the application that you’re designing for deployment. If you’re a network administrator, your customers are the network users. It’s important to understand who your company’s customers are because it keeps you focused on why you’re doing what you’re doing. It’s important to understand your own customers because it keeps you focused on what they’re doing.
You need both to get this Windows 2000 deployment established correctly.
Planning for Future Acquisitions
Some company CEOs, especially those who head up small businesses, are interested in grooming the company to a state of health where it’s ready for an acquisition of some kind. The company has a product that’s unique, the engineering and marketing forces are in place, and the firm is moving strongly forward. It’s almost like dangling a worm in front of a school of catfish and wiggling the poor thing enough so that one of the fish takes the bait.
Microsoft Exam Objective
Analyze the existing and planned organizational structures. Considerations include management model; company organization; vendor, partner, and customer relationships; and acquisition plans.
There are many different reasons why your company may look to acquire a new business. Let’s look at a few of them here:
Acquiring a Needed Service or Item
Some companies are so huge that when they need something that fits into the profile that they’ve established for a given product or service, they often buy a company making that very something rather than make it themselves. For example, if you need a speaker to fit into the console of a new electronic device you are manufacturing, but you know nothing about making speakers, wouldn’t it be easier to simply buy a company that knows how to make speakers and then have them put speakers in your devices? Sounds like a stretch, but it’s done every day. It’s sure easier than trying to reinvent the wheel and make your own speakers. Plus, it might be cheaper than buying specially made speakers by the boxcar-full.
Acquiring a New Business Venture
Another reason for acquisition is that one company is doing something that another company looking to acquire wants to get into. If you’ve got a big communications company, for example, that specializes in magazines, books, movies, television, and radio, but you’re hungry to get into the Internet, what do you do? You look for an ISP of some success and size that’s available for acquisition. And, depending on the price, they’re all available for acquisition. It’s been said that everyone has his or her price.
Acquiring to Accumulate Market Share
Often a company is overwhelmed by its competition. A brutish little firm somehow manages to make a far better product than its oversized competitor. The bigger company’s solution to the problem? Simply buy the technology and get rid of the waifs! Other times a large company will buy a firm that has developed a part, device, service, or software solution that they desperately need. Cisco, for example, recently purchased a smallish Boulder firm that specialized in VPN software. Why? To assist with Cisco’s overall goal of providing a VPN presence to any company that desires one. Years ago, 3Com purchased a small company in Israel that was manufacturing ATM switch chassis. And so it goes. One thing any Windows 2000 deployment is going to require is the ability to see what you’ve already got, in terms of the overall computing environment, then to make plans for the transition from the ’90s Windows to the ’00s. If you can clearly see that your company is inevitably going to be acquired, maybe you’ll decide that it’s not necessary to go to Windows 2000. What if this was a big turnoff to companies that are courting you? On the other hand, if you work for a high-technology company, maybe already being up and running on Windows 2000 would be a big attraction to potential buyers. Microsoft wants you to put on your future-vision goggles (too bad they don’t come with your MCP package) and see if you can figure out where your company’s leaders are steering the ship—not to mention what life rafts, dinghies, barges, or battleships they’re going to be picking up along the way.
Planning Your Network’s Future Direction
A very large bank, family-owned yet publicly held, has gained in stature, favor, and notoriety to the point where it now employs 40,000 people and has branches spread out over many states in the U.S. The bank was so old that, in fact, it is one of few that was grandfathered in under a rule disallowing banks from participating as brokerages. So the officers of the bank have purchased several brokerages in order to be able to add to the current suite of product offerings. The bank has been able to successfully manage these smaller acquisitions and bring them into your native computing environment, with your help.
You’re the network architect for this bank. You have successfully engineered your environment to the point where all users’ workstations and all servers run entirely on Windows NT. You’re running Systems Management Server for your asset management, and you’re heavily invested in the full BackOffice suite of product offerings. In addition to the basic network computing environment, the bank also has a mainframe and plenty of mainframe developers who write CICS transactions that are used by bank personnel to track accounts. These personnel use 3270 emulation software on their NT workstations to perform mainframe transactions. You also have some large enterprise databases that run on SQL Server. Everything works very smoothly. You’re in the throes of planning your Windows 2000 upgrade, a massive project that’s going to require considerable time and expertise to accomplish. One day you find out that the officers of your bank have once again gone into acquisition mode and have purchased their nearest competitor: another huge bank, also with 40,000 employees! To your amazement, you also learn that this bank is entirely based on NetWare 4.x—not a stick of NT anywhere to be found. You have Exchange Servers; they use GroupWise. You use SMS 2; they use ZEN Works. They have huge Unix servers running Oracle databases; you use n-way Intel computers running SQL Server. Their physical plant is still on 10Base-T; you migrated to 100Base-T with a gig backbone last year. Your users all use Windows NT workstations; all of theirs are on Windows 9x. Negotiations begin between you and your team and their network architects. Your management has instructed you that the assimilation of your computing environment needs to be accomplished as quickly and easily as possible. Suddenly, you go from having a substantial Windows 2000 project plan on your hands to having to figure out how this whole new situation is going to happen. 
You have three options: You can go along with the flow and fully get into the NetWare way of life. You can “fight” the change (using diplomacy, business sensibility, and building the business case), but you probably won’t win. Or you can polish up your resume and get out of Dodge.
Analyzing IT Management Structure
By now you should be comfortable with how your company is structured and have a better understanding of your management’s thought processes. IT management needs to follow many of the same procedures as the rest of the company, but IT managers have specific issues they need to deal with as well.
Microsoft Exam Objective
Analyze the structure of IT management. Considerations include type of administration, such as centralized or decentralized; funding model; outsourcing; decision-making process; and change-management process.
IT managers have to be aware of new technical trends and products, be able to manage their technicians properly, and strive to make the company more profitable all at the same time. It’s certainly not an easy task. This exam objective and the following sections in this chapter home in on the issues that the IT manager needs to constantly be aware of:
How are you going to set up a logical management structure?
Where does the money come from, if anywhere?
Do we need outside help?
Can I delegate some decision-making?
How do we move from one product or configuration to another?
As you can tell, the IT manager has a lot to deal with already. Now you come along, looking to provide input about the best way to make the network work better by upgrading to Windows 2000. You already understand the company structure and company plans. Now you need to turn your attention to the people directly in charge of what you want to mess with: the network. Understanding their roles and concerns will allow you to create a better plan for their future. You can start off by figuring out how the network is currently managed—primarily from one central location or from many locations.
Identifying Centralized and Decentralized IT Structures
The first question you should ask is, “Is your IT organization centralized or decentralized, and how can you tell?”
Microsoft Exam Objective
Analyze the structure of IT management. Considerations include type of administration, such as centralized or decentralized; funding model; outsourcing; decision-making process; and change-management process.
Let’s first describe the two different categories of organizational makeup, and then see how you can design a well-thought-out Windows 2000 upgrade based on each. By the way, there’s a lot of gray between these two opposites. Figure 2.2 shows the way that I think about this scale.
FIGURE 2.2 Where does your firm weigh on the centralization scale?
[Figure: a scale running from a centralized IT environment at one end to a decentralized IT environment at the other. Your company probably fits somewhere in between the two extremes. Could be that one division of IT is centralized and another decentralized.]
It’s possible that one arm of your IT organization is decentralized while another is centralized; these organizations are very difficult to manage. But what exactly is meant by the terms centralized and decentralized, and how will you know a particular environment type when you recognize it? Continue on to get a sense of what to look for.
Centralized IT Structure
The best way to think about a centralized IT organization is to think about the phrase, “one group for the common good.” The centralized IT structure has
one important leader, typically a chief information officer (CIO), followed by several directors or senior managers who head up various areas, and then the leadership trickles down from there. If you have an autocratic CIO with a very firm grip on the direction of the IT organization, you’ll find that centralized environments can really do marvelous things. Two caveats accompany that statement, though. First, CIO visionaries must know what they’re talking about. Somehow business schools have begun teaching that the CIO of a company doesn’t have to be technological. No! This is wrong. That’s like saying that a hospital’s chief surgeon doesn’t have to be a physician. Yes, CIOs must be good businesspeople, but they must also know technology, understand it, and be able to converse with those who are wrestling with it. The second caveat is that CIOs cannot have such a dogmatic management style that there’s no room for others beneath them to breathe. The “my way or the highway” ethic doesn’t go very far with technical people who know and understand systems and who are trying to illustrate to the CIO the fine points of why something won’t work. It’s far better for the key leader to place some level of trust in the lieutenants that the work will get done—maybe not exactly the way she would have done it, but it’ll get done nevertheless. Centralized structures do not lend themselves to renegades or rogues, though it’s interesting that you’ll often find one of these people in a high management job within the organization, and somehow that person seems to find favor with the CIO. But for the most part, a centralized structure can be highly effective, much more so than a decentralized structure, as long as the leadership at the top is strong, organized, and effective at communicating the process and then insisting on accountability when it’s time to turn in the code.
Planning for a Windows 2000 rollout in a centralized organization means that you’ll have to present your plans to a cast of thousands. You’ll be faced with hundreds of questions; you’ll be told “no” by more people than you can shake a stick at. And yet, if you present a good solid business case, and the CIO is convinced that you’ve got something there in what you’ve said, you’re likely to get the green light.
Decentralized IT Structure
In a decentralized organization, there are different groups of people handling different computing scenarios and that are managed by different authorities. It’s possible that all groups report to the same CIO, but that’s about where the
similarities stop. From there, it’s any person’s guess as to what line of definition there is for a given computing environment. When setting up a decentralized environment, there are two different methods of accomplishing the goal: You can choose to decentralize across specialties or across geographic lines:
Decentralization Across Specialties
An IT shop that’s decentralized across specialties has managers who manage specific groups of people. For example, one group located in the downtown headquarters office building might be responsible for the Oracle DBA work, while another group in another part of town is responsible for the SQL Server DBA duties. The mainframe development team has one manager; the scheduling team, which handles the JCL that submits the jobs to the mainframe, has their own manager as well. The network administration team is broken into so many sections that it’s basically not a team. Your Macintosh administrators live on the marketing floor of headquarters; the NT administrators are segmented out by logical line of business (finance, HR, sales, etc.); and the internetworking people (those who handle the routers) are based at some small engineering office elsewhere in the city. There is a manager or supervisor responsible for each distinct group of people. Chances are that one group isn’t even aware of the other’s work and vice versa. Decentralization across specialties is a good thing when the company is so diverse in its computing needs that it just doesn’t physically make sense to maintain a centralized environment.
Decentralization Across Geographic Lines
There’s another reason to decentralize: the geographic location of one entity compared to another. For example, perhaps you work for a large company that has satellite offices in many states in the U.S. and in countries all over the world. You have one big mainframe environment based in a large U.S. city and several computing centers in other cities.
Here it would make sense to decentralize the environment into more manageable chunks. Decentralization has, at its core, one fundamental good point. Since decentralized units are broken up into such bite-sized entities, it makes them quite easy to manage. You don’t have to worry about a broad-based set of skills in your managers, because they only have to manage one distinct skill set. You don’t have to worry about broad-based training for your people, because they’re hired for only one or two skill sets. You can move more quickly and in much tighter fashion than you can in a centralized environment.
On the other hand, decentralization does have its down side. If you’re broken into little pieces and spread out across the land, your communications model has to change in order to be assured that everyone hears the message. In a centralized environment, you only have to have one message that’s heard by all. Another advantage of decentralization, though, is that you can proceed with the rollout in well-defined phases. Maybe corporate headquarters will upgrade one weekend, and each office will upgrade in subsequent weeks. If some part doesn’t go right, you will only negatively impact one area of your business instead of the whole thing.
Windows 2000 in a Decentralized Environment
You work for a fairly large company, about 10,000 employees. The company has all of the various computing platforms that accompany big-corporation IT environments: mainframe, Unix, client/server, NT, Mac, etc. You use Exchange server for your e-mail system. All of your users validate through NT servers, though many of them work off of a terminal emulation client to gain access to a Unix host. You have TCP/IP and SNA as your predominant network protocols. Your company is spread out over five geographic areas that are separated by hundreds of miles. The four remote locations are hooked to you by fast WAN links (several T1 frame relay circuits), and speed isn’t typically an issue across the WAN links. The network structure is solid, and there are no speed issues there either. The majority of the speed problems that you’ve run into have to do with badly written web or database code that slows down certain operations. There are NT administrators at each of the four remote sites, but they are junior-level administrators and do not report to your supervisor. They report to managers located at each of the remote sites. There is not much rhyme or reason to why certain managers were picked for the job. For example, at one of your remote sites, the two NT administrators you have there report to the controller, while at another site they report to the chief engineering officer!
The management structure is singularly top-down, and most of this has to do with your product offering. You have a very limited, discrete product line that appeals to only a certain category of clientele, so management can afford to make unilateral decisions in a fairly autocratic fashion without much challenge from the “rear guard” in each of the four remote sites. There’s a bit of cowboy blood at these sites. For the most part management is very hierarchical and strict. The exceptions to this are the IT departments, which are managed almost as if to say, “I don’t know about your team; I’m a part of the only IT team in the company.” You say one thing and another thing gets done, even though you’re a part of the central IT team and are supposed to be making up the rules. You’ve had lots of different problems as a result of this. There was the time you inherited several OS/2 servers that you had to scramble to find support for, and one or two non-standard databases that have surfaced from time to time. You’re bothered by the decentralized model. Why is management so rigorous about everything else they do, but so noncommittal about the lack of structure across their IT teams? You need to get everybody, all 15 NT administrators, on the same page and talking to each other in clear, precise terms. Your Windows 2000 rollout will not succeed if you don’t, especially at location 3, where you have a group of administrators who are very seriously looking at a complete Unix/Linux model and thinking about completely getting away from Windows. While you don’t think this would fly with management, clearly there are schisms that require senior management intervention to rectify. You approach your boss, tell her about the issues you face, and describe the problem this presents for going forward with any new server NOS rollouts.
She’s disheartened because she wants the project to go forward, is interested in Windows 2000, understands the viability of what it brings to the table in terms of increased networking capabilities, and wants to help out. She’s especially concerned about rogue elements that are trying to introduce unwarranted software that’s not a part of the corporate structure. She agrees with you that you need to escalate this up the chain of command. She gives you a plan: Get a dialogue going with the senior managers, make it very clear that there are serious IT issues and that centralization is in order, and present a centralization plan. Your centralization plan will be met with harsh political criticism and will take valuable time away from your rollout. But you’ve got to go forward. The decentralization is killing you!
Analyzing Funding Models
No matter where the money comes from, you need to know how much you have available. Obviously, non-profit organizations typically don’t have as much to spend as government agencies or privately held companies. But everyone still needs to expand their network at some point, even the low-margin entities. Even though it’s important to understand your business model and have an idea of what financial obstacles you will be facing, the issue with funding is clear: Do you have the money to perform the necessary upgrades? The three major funding models you need to be familiar with are:
government
private sector
not-for-profit
Government Funding
Unlike their private-sector counterparts, government IT departments are not distinct profit-center entities that can make major corporate decisions. A government takes in money from the people by collecting taxes. The government has a fiduciary duty to assure that the taxes are spent with the greatest benefit to the taxpayer in mind (never mind whether you think that fiduciary duty is really accomplished). Someone has to decide whether your IT department and your IT projects are worthy of spending hard-earned taxpayer dollars on them. If not, then you won’t get approval. That’s how government IT departments are funded. When talking about how an IT department gets funded and working within the confines of a government organization, we might literally be talking about the department getting funded from year to year. The legislature or other controlling body decides how much of a pot of money the IT unit is going to get each year. The legislature doesn’t decide this on a strictly arbitrary basis—they use the history of previous IT budgets, in comparison with the budget requested for the current fiscal year and advice from the controlling body, to make decisions about how best to fund the department. Here are some other issues you may face in government funding:
The Watchdog Committee
There may be some sort of a watchdog committee, person, or group that is responsible for reviewing the department’s planned projects, checking the project plans for completeness, accuracy, and need, and approving or disapproving accordingly. It’s possible that if you work for a government entity of some type and want to go forward
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com
76
Chapter 2
Analyzing Organizational and IT Management Structure
with a Windows 2000 rollout, you’ll be told, “No, you can’t do that,” because the overseeing body has called a moratorium on any new upgrades for a year after the upgrade’s release to the public. The body also might decide to reject your project plan because there’s no money for the project, or because they want to divert money to a more important project within a different agency or unit.

Outsourcing
For better or worse, some government entities are outsourcing lots of their IT, and this may affect whether you can upgrade to Windows 2000 because somebody else will decide whether to go forward with a rollout. As always, know who makes the decisions, and know whether they are in your organization or not.

Wrong Platform Choice
Losing your funding might come down to something as simple as the ultimate decision-maker on a department’s funding being biased toward one kind of computing environment over another. You are not allowed to go forward with your rollout because you’re not using that specific platform.

Annual Budget Cycle
In some cases, you’re allowed only enough money to get you through one year’s worth of activity. You cannot carry forward into next year a budget that you didn’t completely use this year. This kind of “annually retiring” budgeting has many frustrations associated with it, especially the inability to strategically plan anything that has a project implementation plan of more than one year with the certainty that funding will be available for subsequent years. While there are many clever workarounds to this situation, budget planners and IT personnel who work for entities with this sort of restriction are careful to make arrangements around it.

Vendor Problems
Often you have to submit a written proposal for the kind of equipment you’re looking for and then take bids from vendors who think they can match the items within your proposal. Then you must go with the lowest bidder. If, for example, you want Compaq gear throughout, but Compaq isn’t on the award list of vendors who can sell to you, then you must either go with a different vendor or write up a proposal in such a way that Compaq and only Compaq computers will work.
Private-Sector Funding

In the private sector, you don’t have the unique situation that you have in government, where somebody completely separate from you is making decisions about how you can spend your money or telling you what brands of equipment
you can and cannot buy. From that perspective, funding for IT shops in the private sector is much freer and allows for projects to be implemented more spontaneously. While this is generally the case, just because a company may have the money to fund your project doesn’t necessarily mean that they want to spend it. In the private sector, one of the main tasks is to prove that the network and your proposed upgrades are worth the investment. Oftentimes, profit centers have an easier time proving this compared to cost centers.

Cost Center vs. Profit Center
The first thing to establish is whether your IT department constitutes a cost center or a profit center. There is quite a bit of difference in the way that managers look at funding for a department, given the answer to this question. If your IT department helps to create software that your company is selling, then your contribution is intrinsic to the company’s success and you are involved in a profit center. You help make a profit for the company. On the other hand, if you are involved with an IT department whose mission is simply to keep things on the straight and narrow on a daily computing basis—meaning that the servers stay up, the databases stay fast, and so forth—then you probably are considered a cost center. You cost the company money to maintain, and you really don’t contribute much toward helping them earn a buck.

It should be obvious that if you’re working for a cost center, the chances are it’s going to be much harder for you to get new projects pushed through than if you work for a profit center. After all, working for a profit center means that all you have to do is go to your management and say, “We need thus-and-so to make this project succeed,” and you’ll probably get it. Companies usually help support products that turn a profit.
Not-for-Profit Funding

The not-for-profit organization is a tough one to design for. You have no money—or at least, you’re not likely to get approved for much money with which to upgrade computing equipment—and you shouldn’t be involved with a not-for-profit organization if you don’t expect those kinds of things. The goal of a not-for-profit is to provide some service that’s benevolent to mankind. While computers certainly are bought and networks are installed by not-for-profits, they are nowhere near the size or grand design of business networks. Funding for not-for-profits comes mostly from the contributors, the people who donate money and in-kind services to keep the organization going. Many times the “funding” is in the form of donations of older equipment that somebody else can no longer use but you can. A Windows 2000 rollout in an environment
like this is going to take lots of planning, careful consideration, and, most importantly, lots of time to see the project from start to completion.
Your Perceptions, Their Priorities

You took a network architect job with a mid-sized high-technology firm that’s involved in computer communications. The firm is quite progressive, and you feel like you’ve been riding a whirlwind the entire time you’ve been working for them. But you took the job because you wanted to learn more about computers and networking, and you felt that this company’s attitude toward all things high-tech was the right fit.

Windows 2000 is now out and, while you understand that you can’t just run out tomorrow and get the deployment going, you’d like to begin your project plan and really take your time in thinking about how the whole thing will come together. Right now you’ve got 15 domains, most of which have complete trusts, 5,000 users, and a geographic span that includes an office in every major city in the U.S., Canada, and most of Europe. It’s exciting and, you think, it’s pragmatic that you’d go to Windows 2000, if for nothing else than the Active Directory help.

Your cadre of senior IT managers, good, respectable people all, has met and looked at all the projects on their plate; there are boatloads of them! The managers feel that they can safely handle 10 highly important projects—hot potatoes, every one. On top of that, they’ve listed 15 other projects that have varying degrees of importance, but which will be included only after the first 10 projects are safely completed. Your problem is this: None of the projects include anything having to do with a Windows 2000 upgrade and rollout! In fact, the managers have added a little blurb that says, in essence, “Here are projects we’re not going to work on this year: Windows 2000.”

So the law’s been laid down. Now, the question is, what are you going to do about it? Can you find a challenge elsewhere in one of the other projects? No, not if your heart’s set on Windows 2000—there’s nothing quite as cool (or resume building) as a new NOS, is there? On top of that, the other projects don’t really apply to you; they’re developer kinds of things.
You don’t think money is the problem. The way this company spends money on IT, if a Windows 2000 rollout were the hot button for the year, no expense would be spared in obtaining it. So the question for you now is what you’re going to do. Should you try your best to make a solid business case for a rollout? Should you wait the year out and hope for a new decision next year? Or should you send out your resume and find a company that is going to do a Windows 2000 upgrade? All valid solutions, all requiring intense thought and objective decision-making.
Identifying Outsourcing Risks and Strategies

The word outsourcing became a business fad in the late 1980s and early 1990s because it promised great financial returns to companies that were heavily invested in the IT world and whose managers did not feel they were getting the biggest bang for the buck from their regular staff. They felt that by outsourcing IT functions, the overhead associated with maintaining and operating an IT department would go away and costs would be significantly reduced.
Microsoft Exam Objective
Analyze the structure of IT management. Considerations include type of administration, such as centralized or decentralized; funding model; outsourcing; decision-making process; and change-management process.
There were several problems with outsourcing, however, and though the problems were obvious to IT folks, they weren’t necessarily as obvious to managers thinking about going forward with outsourcing. Outsourcing itself is not a big deal, provided you know why you’re doing it and what you’re outsourcing. The problem came about when managers made a blanket statement that they were going to completely eliminate IT departments and let somebody else do the work, all in order to save costs. That’s the experiment that failed. I’d like to lay out here the kinds of problems that companies ran into, so that you have fodder you can use when discussing outsourcing ramifications with your managers.
Outsourcing Risks

First, let’s examine the risks associated with an outsourcing maneuver. Here are some arguments you can make if you disagree with a manager’s consideration to outsource:

Outsource entities can’t understand internal functionality. Companies that have spent thousands, hundreds of thousands, or millions of dollars developing internal software programs that are specifically customized for their business can’t expect outsource entities to come right in and understand the ramifications of the program. If it took you years to master the complexities of the custom program that your company is using, do you think some consultant can understand it in a few days or a week?

Companies don’t typically save money by outsourcing; they lose money. Outsourcing isn’t cheaper, it’s more expensive. Good networking people, those who actually understand networks and know what they’re doing, demand at a minimum $125 an hour. Just any old paper MCSE on the bench that the consulting company is trying to get placed will run $90–$100 per hour. Consultants are not cheap.

Consultants are good, but they’re not perfect. Consultants are often not much better at a task than you and your staff. Unless you pay the big-dollar freight for a very specific knowledge category—a highly specialized person who knows all about one specific subject—you’re wasting your time and money. The people you have on staff are as adequately prepared (or can quickly become that way) as the people you bring in.

Outsourcing doesn’t work if you use the consultants as the project managers. Perhaps the biggest mistake companies make is in outsourcing an entire huge project, then using some of the consultants as the project managers. First, the project managers are the ones who understand the project from stem to stern. That doesn’t describe, however, contractors who don’t completely understand how your business runs. And if the project managers are consultants, who has final authority and control? You? Nope, think again. Use your own staff as project managers or run the risk of having your project end up being an expensive joke.

Outsourcing has another drastic effect on companies: it causes “talent flight.” Once a company announces that it’s going to outsource, the good folks are generally gone in a hurry, on to newer and better ground.
Outsourcing Strategies

There are two situations where outsourcing may come in handy—two separate situations where you need to think about yourself and your company’s involvement:
Outsourcing a specific component of an IT project
Outsourcing a specific IT project
Outsourcing a Specific Component of an IT Project
There are times when outsourcing is the only safe, feasible way to go. Web programming is probably today’s best example. You want to come up with a killer web page but don’t have the technical expertise or the money to train someone to come up to speed on that expertise. So you outsource. In the Windows 2000 design world, you may very well find that some outsourcing is necessary for specific components of expertise that you require. DNS is a great example. Maybe you’ve never worked with DNS, and the highest form of name resolution work that you ever got into was the occasional WINS problem. Now you’re faced with DNS over a big AD deployment. How do you handle such a problem—design its components and make sure they run? Here is a place where outsourcing makes sense.

Outsourcing a Specific IT Project
When designing a Windows 2000 network, outsourcing a specific IT project is going to be an important consideration for you. Why? Because your company is going to bring in contractors who have a given objective in mind. They’re going to assess the current environment—probably not asking questions about the future environment—and then design a solution that fits today’s network. You need to make sure you work with the contractors, trying to figure out what they’re going to recommend, making sure the software solutions they’re recommending will play politely with Windows 2000, assuring that they pick gear that comes with compatible Windows 2000 device drivers, and so on. It’s a big challenge, one that’ll require a lot of extra legwork on your part. But if you don’t do that legwork, you can realistically expect your Windows 2000 upgrade to be killed indefinitely.
The Decision-Making Process

Decisions in your company are made through some process. The process could be as simple as “Oh, why the heck not?” or as complicated as thorough review
boards and diagnostics and tons of spreadsheet documentation to prove your point. Only you can know what the decision-making process is like for your company. But you need to ascertain this information and keep it in the back of your mind for the purposes of your Windows 2000 rollout.
Microsoft Exam Objective
Analyze the structure of IT management. Considerations include type of administration, such as centralized or decentralized; funding model; outsourcing; decision-making process; and change-management process.
For example, suppose that all major decisions involving the kind of money a Windows 2000 upgrade will entail require that you go through the CFO for final approval. He wants to see spreadsheets and vendor information and project timelines—all that good project management stuff you would naturally have assembled in the course of putting the project together in the first place. But of course, the CFO is an incredibly busy man, so once you turn in a complete project to your boss and she reviews it, passes it upward to the operations manager, and he approves it and sends it to the CFO, you might be looking at 90 days of wasted time before you even know whether you can go forward.

On the other hand, you might decide to phase the system in one server at a time and then upgrade the whole thing to a native Windows 2000 environment once the entire structure has been updated. This way you can do a piece at a time, avoid some of the pitfalls of submitting big project plans to managers, and maybe get things done more quickly. Not to mention that you get a better feel for what the product can do once it’s unleashed. Alternatively, it’s possible that you submit only part of the project plan at a time and work through it, then submit the next, work on it, and so forth.

It’s all relative to the kinds of decision-making techniques that are in use where you work. Can your operations manager sign off on smaller segments of projects so that you can get going early on and stage in the various components of the upgrade (e.g., this group of servers, that group of servers, etc.)? Should you prepare complete project plans, even for small stages of a deployment? (Yes.) How will decisions be made regarding your project?
The Change-Management Process

Finally, let’s discuss the change-management process. It’s a good thing that Microsoft has included this in the testing programs for Windows 2000. Mainframers have used change management for decades to make sure that changes are well documented and that there’s a backout methodology in place before a change is implemented. Well-implemented change-management techniques can all but guarantee a safer and more successful rollout of an application or project.
Microsoft Exam Objective
Analyze the structure of IT management. Considerations include type of administration, such as centralized or decentralized; funding model; outsourcing; decision-making process; and change-management process.
What does change management mean, anyway? It’s a simple concept, but one that’s terribly difficult to implement, simply because it requires so much rigor to stick with the program. Basically, what any change-management program requires is that when you want to make a change to a system, you document the change, going through a series of steps in your documentation procedure. Specifically, your change-management document should contain all of the information shown in the sample document in Figure 2.3.

Change-management documents are usually official documents that are signed off by managers. If the evidence that you’re sure the change won’t crater something is insufficient, managers will often either refuse to sign off on the change or they’ll require that you watch the change and implement backout procedures as soon as you see something wrong happening. The owner of the change-management document (the one making the change) is the one who must be with the system (or be immediately available) the entire time the change is being made.

Change management is something you should seriously consider as you go forward with your Windows 2000 upgrade. You start by making sure you test things in a lab environment. Does it work there? Yes. What did you observe when you implemented something in the lab? Can you be sure that will emulate itself in the production environment? How can you take back what you just did (back out)? Then, after making sure your ducks are in a row, having worked
through things in the lab, you file a change-management document stipulating what your intentions are, what’s going to happen, what people should observe happening, how you’re going to test the rollout, and what your backout policies are. Get it approved by all the stakeholders, set a time to deploy, and follow the letter of the document. That’s how change management works, and it works very well.

FIGURE 2.3 A sample change-management document
Summary
This chapter was all about how your company is made up. What’s the management model like? First, you need to look at how your company is constructed. Is there a board of directors? Do you have a CEO? Do you have a president? Who are the senior officers? Is it publicly held?

Next, you determine the company organization. There are two key components involved here: determining how your management is laid out, as you just accomplished using the techniques described in this chapter, and then figuring out the logical layout of your management. You must have a firm grip on who the players are so that you can present your case in a way that suits them. It’s not about wanting to accomplish a Windows 2000 rollout, but about how to communicate to others why it’s necessary and how you’re going to do it.

Next you analyze vendor, partner, and customer relationships that you or your company have built. They’re going to be critical in your endeavors as well. You must also understand whether your company is either in a position to be acquired or will be acquiring other companies as time goes on. This too has substantial importance in how your Windows 2000 project plan will be formulated.

Finally, this chapter pointed out some IT management structural issues. For example, upon close examination of your IT group’s makeup, would you say that you’re centralized in nature or decentralized? How is IT funded? Are you a profit center or a cost center? What about outsourcing? How does the decision-making process work in your company? For example, some companies are quick to make decisions at a departmental level, but then things get stalled when the decision needs to be made by a board or a high executive. Change management is the process of actively documenting all changes that are made to production systems, providing for testing of desired results, and stating backout procedures in the event the change isn’t successful. Good change management always calls for a thorough lab test before rolling into production.
Exam Essentials

Understand your company’s organizational and IT management structure. The big question really is: Are you centralized or decentralized? Each structure brings with it its own special requirements for planning a network upgrade.

Know what vendor, partner, and customer relationships your company has. These will undoubtedly affect your network design. At some point, you will likely rely on one of your vendors or partners for some technical help. You will also probably have to give vendors, partners, or customers some sort of access to your network, so you’ll need to design a dial-up or VPN type of solution.

Be aware of any acquisition plans. Specifically for the exam, you need to worry more about who you are going to purchase, not if your company will be purchased. If there are any acquisition plans on the horizon, make sure to design your network with expandability in mind.

Understand your funding. On the test, it’s not as important where the money is coming from, but is there money? Generally, you will be given a guideline as to what you can spend in general terms. You may be told to upgrade the network at any cost. You may also be told to spend as little as possible. The correct answers depend on the budget you are working with.

Know your company’s decision-making process. You will receive input from many people—from executives to mail room employees. Obviously, the main decisions are made by people in upper management. Generally, whatever the CEO says goes. However, input from the CFO and CIO will influence your decisions on how to proceed with the upgrade as well.

Know how your company manages change. Know what documents are required to enact changes on the network. Make sure someone is placed in charge of filling out the required paperwork.

Know when to outsource. There are a couple of good times to use outsourcing. One is for running new network cabling. Another is when the product that you need to implement requires extensive experience that you do not have.
Key Terms
Before you take the exam, be certain you are familiar with the following terms:
backout
decentralized
centralized
fiduciary
change management
outsourcing
cost center
profit center
Review Questions

1. You are the CIO of a multinational American import and shipping firm. Your company has offices in New Zealand, Hong Kong, and Los Angeles. There will be Windows 2000 administrators in all locations, but they will all report directly to you, and you have final say on all networking decisions. What sort of administrative model is this?
A. Laterally responsible
B. Centralized
C. Mobilized
D. Decentralized

2. Your company has merged with another company of roughly the same size and with the same operating philosophies in mind. You will double in size after this merger completes. As a network designer with a fresh Windows 2000 deployment about ready to come out, what are some of the considerations that you’ll have to bear in mind as you go through this merger? Choose all that apply.
A. Network operating systems in place in the other company
B. PC operating systems in use in the other company
C. Mid-frame and mainframe computing environment
D. Licensing ramifications
E. Budgeting structure of the new company

3. You are designing the Windows 2000 network infrastructure for a mid-sized health insurance company. The company maintains a database with current rates and all customer information at its headquarters. To expedite the insurance claims process, hospitals need to be able to update records electronically. In designing your network, who do you need to pay attention to in regards to access?
A. Customers
B. Vendors
C. Partners
D. Employees
4. You are planning on rolling out a Windows 2000 upgrade in one month. At the urging of your supervisor, you design a document that formalizes a process so that whenever anyone makes a change to a server, you can refer back to what was done. What is the name given to this process?
A. Risk aversion
B. Change formalization
C. Change management
D. Centralization of administration

5. You are the network administrator for a government agency. You want to implement a Windows 2000 rollout, but you have a problem. You can’t get the entire budget approved, at least for this year. What is the most likely reason?
A. Your agency has an all-time spending limit on computing equipment that you cannot go over.
B. There are laws and regulations affecting this rollout.
C. You can’t get the budget through committee if it’s too high.
D. You’re on an annual fiscal budget.

6. You are an up-and-coming network consultant. Recently, due to the nature of your excellent work and good reputation, you have acquired four potential contracts at the same time. You have done a quick analysis and determined that you can only handle one contract at this time. From what you know about financing network upgrades, which is the least likely project for you to accept?
A. Private-sector profit center
B. Private-sector cost center
C. Government
D. Not-for-profit
7. Your company has an IT department that handles the development of all new software for the company’s systems. Another department handles all server upgrades, and yet another department handles all internetworking (routers, switches, and so forth). What kind of administration model is this?
A. Decentralized
B. Centralized
C. Loose-bundle
D. Laissez-faire

8. You are redesigning the network for a regional department store chain. They are currently running a mix of NT 4.0 and NetWare 4.11 servers, and their inventory database is stored in Oracle. You have convinced them to upgrade to Windows 2000. In talking with the sales associates, you find that their main concerns are price checks and being able to see quickly if another store has merchandise they are out of. The sales managers want to pull daily sales reports based on the performance of each sales associate. The CEO of the company wants to make sure it’s secure, and if it crashes, that business can still continue. The CIO’s primary concern is redundancy of the sales database. List the considerations that are most important, the most urgent first, when performing this network upgrade.
A. Price and merchandise checks
B. Sales reports
C. Secure transactions and communications
D. Database fault tolerance
9. You work for a company that has offices in New Zealand, Hong Kong, and Los Angeles. You’re based in the L.A. office, and you have a team of three people. The administrators in the Hong Kong and New Zealand offices are separate from you and, though you all maintain the same Windows 2000 Active Directory, each group is responsible for unique domains. What administration model is this?
A. Complete trust
B. Decentralized
C. Master model
D. Centralized

10. Why would a Windows 2000 rollout in a government environment have a different look, feel, and context than one in a private company? Choose all correct answers.
A. Government bodies report to the people, either indirectly through an oversight body or directly.
B. Government bodies have much more money to spend.
C. Legislation may hinder the kind of technology you can use.
D. Budgetary time constraints are different than they are in private companies.
Answers to Review Questions

1. B. Seems like it should be a decentralized model, doesn’t it? After all, about two-thirds of the other administrators are hundreds of miles from you. But with today’s virtual technologies, not to mention the global features of Windows 2000, you actually have a centralized administrative environment.

2. A, B, C, D. Of all of the considerations, E is the least likely to be something you’ll have to worry about, though it may crop up. You’re certainly going to have to be concerned about the NOS that’s currently in place, as well as the PC operating system. You’ll have to know what kinds of intermediary environments are in place, and you’ll surely be interested in the licensing scenario.

3. C, D. While it may be beneficial for customers to be able to view their accounts, nothing of that sort was mentioned in the question. Certainly employees need access to the database, and partners—the hospitals in this case—need access as well.

4. C. You’re practicing good change-management techniques. Good for you!

5. D. While the other answers might be possible, the most likely answer is D. You’re on a budgetary cycle where the budget is an annual one and any money you have left over this year is forfeited. Then you get a whole new budget and set of money to deal with. In situations like this, you’re forced to break large projects up into chunks if you see that they’re going to go beyond the annual budget.

6. D. Although it may be the best one to choose for humanitarian reasons, not-for-profit organizations typically are cash-strapped. Of course, there are some exceptions, but this is generally the rule.

7. A. This is a decentralized model. Often models such as these create lots of trouble because entities don’t communicate very well with one another. In most cases, I’d recommend that units centralize when possible and where it makes sense.
8. C, D, B, A. Basically, this is just a question of pecking order. The CEO is at the top of the managerial food chain, followed by other major officers, like the CFO, CIO, COO, and others. Upper management, mid-management, and regular employees round out the food chain.

9. B. This scenario describes a decentralized structure. I’m not a big fan of a structure like this because there’s not much room for collaboration of the teams. Even if there’s a desire to intercommunicate, it’s difficult, and often networks will tend to go off in different directions than the original designers intended.

10. A, C, D. Though it sometimes may not seem like it, government bodies have a duty to the people. Government isn’t in existence for itself; it exists for the good of the people. It’s possible that the legislative body that gives a government body its direction will not allow a certain technological jump—or if it does, at the very least there will have to be some serious study done before rollout. Governments have a whole different budgetary cycle than private companies do, and an upgrade rollout of Windows 2000 will have to take that into consideration.
CASE STUDY
Chapter 2
Analyzing Organizational and IT Management Structure
The State Revenue Agency
Give yourself 10 minutes to review this case study, diagram it as needed, and complete the questions for this testlet.
Background
You work for a state agency that handles a wide variety of civilian needs such as driver’s licenses, motor vehicle registrations, income tax, and liquor licenses. Basically, anything that generates income for the state is within your agency’s jurisdiction. You have about 1,000 employees, and while you’ve got employees tucked away in little offices all over the state, the majority of your employees are based at two campuses that are just a few miles apart. The two campuses are separated predominantly by the kinds of business activities they’re involved with. One campus is essentially oriented toward taxation; the other campus is oriented toward licensing issues. The agency has one CIO, who has managers under her who work at both campuses. The CIO maintains an office at both campuses. You are the network manager for this agency, and you report directly to the operations manager of the taxation campus. You have several people under you who handle the day-to-day network activities of the taxation campus and some outlying offices. The other campus has its own set of network managers, somewhat autonomous in nature. Unfortunately, your CIO has made the statement that she wants all of the network managers to be involved in a self-directed work team, which you set up. You are the lead network manager for the entire group.
Current System
The licenses campus has a strong Windows NT network and an OS/2-based network made up of highly proprietary gear and software that talks to some county offices. The taxation campus is a straight Windows NT 4 network. Both networks and all outside offices use Exchange Server for e-mail. There is a mainframe involved as well, and several of the taxation and licensing systems exist as mainframe systems. Workers access these systems via 3270 terminal emulation software. There are about 25 servers in total. The network infrastructure is a switched 10Base-T network and, in terms of throughput, it’s quite healthy. WAN circuits are redundant and high speed. The kind of gear that you buy depends on which vendors are on the state award for that year and the brands of gear that they carry. You’ve been fortunate in that every year you’ve been able to purchase Tier 1 vendor equipment for your network. Your budget is an annually retiring budget, meaning that if you have money left over at the end of the year and you don’t spend it, you lose it and you run the risk of having your budget for next year cut.
Availability Overview
The agency is beholden to many different people and groups. The county offices and their respective county commissioners have a great deal of say when something goes wrong, not to mention the governor and the legislature. And how could you forget the oversight committee? The directors of each area of the agency are also powerful, though heavily computer illiterate. All want the system to be readily available 24×7.
CIO: “I want a dial-tone network. I want people to be surprised when they can’t log on—just like you’re surprised when you pick up the phone and you don’t hear a dial tone.”
Maintainability Overview
The caliber of worker that you have on the network team can be challenging. You have some people who are incredibly capable: self-starters, problem-solvers, and challengers. Others just want to be out of the office at 4:30, no matter what’s going on. The maintainability of a serious system such as the one you’re planning is going to require some thought and care.
CIO: “I think it’s to your benefit to try to set up some mini-training sessions for the self-directed work team (SDWT).”
Taxation Operations Manager: “There’s not a lot of money for training in the budget.”
Performance Overview
Your biggest concern is the OS/2 proprietary network. Somehow you’ve got to find a workaround to connecting with it. Today the Windows NT 4 network connects just fine, but you wonder about the Windows 2000 network. You’re wondering if there’s a potential upgrade path where you can get rid of the OS/2 segment and get everybody on flat Windows 2000.
Licenses Operations Manager: “Listen, this system works and works well. I have no intention of upgrading it unless you can give me a very good business reason for doing so.”
Taxation Operations Manager: “I think we really need to figure out a way that we can get the heck off of OS/2!”
CIO: “If at all possible, I’d like to see us have one and only one network operating system. Work with the SDWT to see if you can accomplish a compromise.”
Envisioned System and Funding Overview
You want to upgrade the entire network to Windows 2000. You will not bring the users up on Windows 2000 Professional until the next year or even the following year; they’ll stay on Windows 9x. There are no Windows 3.x or DOS workstations, though there are two OS/2 Warp workstations at the licensing campus. You design a two-year, two-segment rollout. Year 1 will affect the taxation and licenses campuses; Year 2 will upgrade the OS/2 components and outlying offices. The projected first-year segment of the rollout looks like it’ll cost around $500,000. The second year is just a bit less at $450,000. This price includes updating the servers (and workstations where needed), some new network infrastructure components, a consultant to help you with the OS/2 conversion, and the Windows 2000 software and licensing itself.
Taxation Operations Manager: “OK. Good. This is a lot of money. If it were anybody else but you, I’d say we’ve really got to think about it, but I think you can make this happen.”
CIO: “I’m going to have to get buy-in from all the directors of the various departments. I’ll need some time.”
CFO: “Cool!”
Questions
1. What is the administration model for the network?
A. Co-management
B. Decentralized
C. Complete trust
D. Centralized
2. Look at the following chart. Move the tasks from the right to the left column into the order that you should begin working on this project. (Note: These tasks are certainly not all-inclusive. In a real deployment you’d have many more tasks than this!)
Tasks:
Get buy-in from the self-directed work team on the project.
Prepare a detailed project plan for both years’ segments, identifying project phases, milestones, and resources.
Prepare both years’ budgets.
Meet with the directors to explain how the project is going to be rolled out.
Install systems.
Identify Windows 2000 licensing costs.
Assimilate the self-directed work team into a cohesive body.
Meet with county commissioners to determine their requirements and needs regarding replacing the OS/2 system.
Arrange to test your Windows 2000 deployment in a lab.
Purchase new gear.
3. What is the funding model in use at this agency?
A. Capitalized budget over several years
B. One-time project budget
C. Annual budget that expires every year
D. Budget that contains a depreciation clause
4. What outsourcing component are you going to use?
A. Retain a contractor to help set up the servers.
B. Retain a budgeting assistance contractor.
C. Retain a contractor to help with the OS/2 to Windows 2000 conversion and to find a replacement software package for the one currently in existence.
D. Retain a contractor for help with the project design.
5. The decentralization of these different network teams is not good for this project’s finalization. In the left column of the chart below, list the steps in the order you should act to assure that your decentralized environment behaves as a centralized one, in spite of your CIO’s insistence that you stay decentralized.
Steps:
Formulate a SDWT.
Make sure all computing entities are represented on the team (e.g., mainframe, internetworking, etc.).
Prepare regular reports to CIO on SDWT status.
Prepare regular reports to operations managers on SDWT status.
Set up leadership roles in SDWT.
Use SDWT to publish the project plans and budgets.
6. In terms of the decision-making process, who do you think are the most influential, in terms of their capacity to impact a design-go or a design-stop decision? List them in order in the left column, from the most influential on down.
Person or Group:
Taxation operations manager
Licenses operations manager
CIO
Directors
Oversight committee
Governor & Legislature
County commissioners
SDWT
CASE STUDY ANSWERS
Answers
1. B. You’ve got a classic decentralized model.
2. See the following chart:
Tasks, in order:
Assimilate the self-directed work team into a cohesive body.
Get buy-in from the self-directed work team on the project.
Prepare a detailed project plan for both years’ segments, identifying project phases, milestones, and resources.
Meet with the directors to explain how the project is going to be rolled out.
Identify Windows 2000 licensing costs.
Prepare both years’ budgets.
Arrange to test your Windows 2000 deployment in a lab.
Purchase new gear.
Install systems.
Meet with county commissioners to determine their requirements and needs regarding replacing the OS/2 system.
You wouldn’t meet with the county commissioners until Year 2 because you don’t have to worry about the second segment until then. However, it would be to your benefit to prepare the SDWT and the directors for the eventual replacement. This includes buy-in from the licenses operations manager, who is currently opposed to the idea. The directors are going to be concerned with costs and benefits, and if you meet with them before identifying licensing costs and preparing budgets, they are likely to nix the project.
3. C. You have an annual budget that expires every year. You don’t have enough money to meet the entire project’s expenses this year, especially in light of all the other projects the taxation operations manager has to fund, so you must break the project out into two years.
4. C. The biggest hurdle you’ve got to overcome is the one in which you face a disparate NOS situation. You’ve got the licenses operations manager telling you, “No, never,” on the one hand, and on the other hand, your CIO is saying she wants everything on one system. On top of that, you’re looking at proprietary software you may not be able to upgrade to Windows 2000. This could be a messy part of the project! A contractor who knows something about the software and can suggest replacements that will work with Windows 2000 is in order.
5. See the following chart:
Steps, in order:
Formulate a SDWT.
Make sure all computing entities are represented on the team (e.g., mainframe, internetworking, etc.).
Set up leadership roles in SDWT.
Use SDWT to publish the project plans and budgets.
Prepare regular reports to CIO on SDWT status.
Prepare regular reports to operations managers on SDWT status.
It’s not necessary to report your findings to the directors or to the oversight committee at this time. They need to see progress, and you certainly need to keep them informed, but it’s overkill at this point.
6. See the following chart:
Person or Group, from most influential on down:
County commissioners
Licenses operations manager
CIO
Taxation operations manager
SDWT
Directors
Oversight committee
Governor & Legislature
Chapter 3
Evaluating the Technical Environment
MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Evaluate the company’s existing and planned technical environment and goals.
Analyze company size and user and resource distribution.
Assess the available connectivity between the geographic location of work sites and remote sites.
Assess net available bandwidth and latency issues.
Analyze performance, availability, and scalability requirements of services.
Analyze data and system access patterns.
Analyze network roles and responsibilities.
Analyze security considerations.
Design a resource strategy.
Plan for the placement and management of resources.
Plan for growth.
Plan for decentralized resources or centralized resources.
So far, you have analyzed the company’s business model and its organizational structure. You’ve also examined factors that influence business strategies, and you’ve learned about the IT management structure. You can see how in these first two chapters the scope has been large (the company’s overall business model) and you’ve begun to drill down, one step at a time, examining the various components of a company’s business until you’ve now reached the internal structure of IT. This chapter takes this drilling down one more level and discusses the technical environment you’ll encounter at a company.
The “Plan for growth” subobjective under “Design a resource strategy” is covered in Chapter 5, “Analyzing Client Access Requirements.” Chapter 7, “Designing a Management and Implementation Strategy for Windows 2000 Networks,” contains more information on the centralization of resources.
It’s important to know the technical environment because now you’re beginning to learn about how you’re actually going to get your Windows 2000 rollout to happen. Understanding the nuances of how the technical environment is laid out will help you figure out a game plan for how to get a certain step accomplished. So far, we’ve talked a lot about geographically segmented sites and the uniqueness that you find when you try to do enterprise rollouts to sites such as these. This issue is all-important, one that most administrators will deal with. We’ve also briefly touched on the issue of decentralized vs. centralized organizations and this, too, carries importance in technical areas just as it did in management ones. Now let’s begin to dive into deeper fundamentals of issues that you’ll encounter as you ponder the technical environment.
Planning Company Resource Distribution and Management
When thinking about a nebulous exam topic like “company resource distribution and management,” you must first ask yourself what the phrase “company resource” means. Microsoft is pretty good about using the term “resource” in very esoteric ways, so you need to think about and define what resources are in a technical environment. Resources can be divided into six categories:
Servers and associated tie-in gear, such as RAID array controller cards, fax boards, CD-ROM towers, etc.
Routers and associated internetworking gear (CSU/DSUs, for example)
Network infrastructures, including cable plants, network closets containing the patch panels and switches and hubs, and the actual switches and hubs themselves
Telephony gear not used for internetworking (RAS devices, for example)
Printers and network printing gear (JetDirect cards, etc.), including scanners, plotters, and other miscellaneous peripheral gear used in day-to-day business activities
People
This list is certainly not all-inclusive. You may add other items to this list that I’m not even aware of. For example, if you work for an engineering company, you undoubtedly have tons of test gear sitting around that qualifies as company resources and may very well play into your Windows 2000 design. Suppose an expensive piece of electrical test gear uses a dedicated server, but you’re dismayed to find that the server cannot be upgraded to Windows 2000 because the company that made the test device wrote the associated server code to Windows NT 4 Server, not Windows 2000. Either they have no plans to upgrade the code to Windows 2000, or they plan to release it much later than you need it. This is part of why resources and associated resource distribution are so important. It’s not the whole reason, but it’s a big part of it.
Microsoft Exam Objective
Evaluate the company’s existing and planned technical environment and goals. Analyze company size and user and resource distribution.
Design a resource strategy. Plan for the placement and management of resources.
Let’s talk about these six categories one at a time in terms of how and why they’re resources, where they’re distributed, and how they’ll need to be accounted for in a Windows 2000 rollout. Plan to draw up a resources document to represent what you have and where it is.
Servers and Associated Gear
You need to document the location of every server within the scope of your Windows 2000 rollout, its function in life, and how it will play into your upgrade plans. Information that you glean about each server should include the following:
the current version of operating system (NT, Linux, NetWare, etc.) it’s running
the processor
memory
hard drives
fault-tolerance gear
brand of computer
network connectivity
drivers
peripherals
installed software
users working on it
If a box isn’t running NT (maybe it’s on Windows 3.x, 9x, or Linux), are you going to upgrade it to Windows 2000? It’s useful to have baseline information on each server before you roll out Windows 2000 so that once you upgrade, you can compare the outcome to its previous performance. Figure 3.1 shows what a sample first page of your resources document might look like, capturing this server survey. If the server is acting in an applications server capacity, it might be a good idea to include documentation about its major software components in addition to its physical components. For example, if the computer has software such as SMS, SNA Server, Exchange, Oracle, or SQL Server loaded on it, you’d want that on your list as well.
FIGURE 3.1 Servers and associated tie-in gear, documented in a sample resources document
[Figure: site diagram. Atlanta: A-PDC, A-BDC1, A-BDC2, A-APFS, fax card. Denver: D-PDC, D-BDC1, D-BDC2, D-APFS. Notes: A-PDC • HP LH4 • 256MB RAM • 3 9.6GB HD • NetRaid controller • 100Base-T … and so on]
Ask yourself about the mission-criticality of each server. When can you down it for upgrade? What impact will this have on users? What testing and backout plans will you need to formulate? Will peripherals continue to function for you in the Windows 2000 world?
Keep in mind that if you don’t go to a completely 100 percent Windows 2000 environment for your domain controllers, you cannot use the native mode, and you’ll have to work toward that goal. Your goal is native mode for your Active Directory (AD), and that means that all domain controllers have to be Windows 2000 servers. The biggest problem you’ll run into here will be finding Windows 2000 device drivers for the peripheral gear you’ve got hanging off of the servers or for RAID array adapters that are already in the box. You may wind up having to go to the vendor to get updated Windows 2000 drivers for these devices. The RAID cards aren’t super-critical because they run off of their own BIOS, but managing them with software (such as HP TopTools for HP servers) that worked in Windows NT 4 might not work in a Windows 2000 system.
When Windows 2000 first came out, the availability of drivers was a big issue. As with any other operating system, as Windows 2000 ages, more and more drivers will become available.
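As an added example (not from the book), the following Python script works through the server survey just described: it parses server records written in the bullet-separated note style of Figure 3.1 and reports which domain controllers still block native mode, which records are missing the baseline role or OS field, and which servers carry add-in gear (RAID adapters, fax cards) whose Windows 2000 drivers must be confirmed with the vendor. The `role=` and `os=` attributes, the sample records, and the driver-sensitive keyword list are assumptions constructed for this example.

```python
"""Windows 2000 upgrade-readiness checks over the server section of a resources document.

Added example, not from the book. Input records follow the bullet-separated note
style of Figure 3.1; the "role=" and "os=" attributes and all sample data are
constructed assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: Atlanta (A-) and Denver (D-) servers in the figure's style.
SAMPLE_NOTES = """\
A-PDC • role=PDC • os=Windows NT 4 SP6a • HP LH4 • 256MB RAM • 3 9.6GB HD • NetRaid controller • 100Base-T
A-BDC1 • role=BDC • os=Windows 2000 Server • HP LH3 • 256MB RAM • 100Base-T
A-BDC2 • role=BDC • os=Windows NT 4 SP6a • HP LH3 • 128MB RAM • 100Base-T • Fax card
A-APFS • role=member • os=Windows NT 4 SP5 • HP LH4 • 512MB RAM • NetRaid controller • 100Base-T • SQL Server
D-PDC • role=PDC • os=Windows NT 4 SP6a • Compaq Proliant 800 • 128MB RAM • 100Base-T
D-BDC1 • role=BDC • Compaq Proliant 800 • 64MB RAM • 100Base-T
D-APFS • role=member • os=Linux • Compaq Proliant 800 • 256MB RAM • 100Base-T
"""

DC_ROLES = {"PDC", "BDC", "DC"}
# Add-in gear whose Windows 2000 driver support has to be checked with the vendor.
# The keyword list is an assumption for this example, taken from the figure notes.
DRIVER_SENSITIVE = ("raid", "fax card", "digi")


@dataclass
class ServerRecord:
    name: str
    role: str = ""          # PDC, BDC, DC or member; empty if not documented
    os: str = ""            # operating system string; empty if not documented
    notes: List[str] = field(default_factory=list)  # remaining hardware/software notes


def parse_server_notes(text: str) -> List[ServerRecord]:
    """Split each non-empty line on the bullet separator into a ServerRecord."""
    servers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, *attrs = [part.strip() for part in line.split("•")]
        rec = ServerRecord(name=name)
        for attr in attrs:
            if attr.startswith("role="):
                rec.role = attr[len("role="):]
            elif attr.startswith("os="):
                rec.os = attr[len("os="):]
            else:
                rec.notes.append(attr)
        servers.append(rec)
    return servers


def native_mode_blockers(servers: List[ServerRecord]) -> List[str]:
    """Domain controllers not (yet) documented as Windows 2000.

    Native mode needs every DC on Windows 2000, so a DC with an undocumented OS
    counts as a blocker until the survey fills the field in.
    """
    return [s.name for s in servers
            if s.role in DC_ROLES and not s.os.startswith("Windows 2000")]


def incomplete_records(servers: List[ServerRecord]) -> List[str]:
    """Records missing the baseline role or OS field."""
    return [s.name for s in servers if not s.role or not s.os]


def driver_review(servers: List[ServerRecord]) -> Dict[str, List[str]]:
    """Servers carrying add-in gear that needs a Windows 2000 driver check."""
    review = {}
    for s in servers:
        hits = [n for n in s.notes
                if any(key in n.lower() for key in DRIVER_SENSITIVE)]
        if hits:
            review[s.name] = hits
    return review


def readiness_report(text: str) -> dict:
    """Run all three checks over a server section and return them by name."""
    servers = parse_server_notes(text)
    return {
        "native_mode_blockers": native_mode_blockers(servers),
        "incomplete_records": incomplete_records(servers),
        "driver_review": driver_review(servers),
    }


if __name__ == "__main__":
    for section, result in readiness_report(SAMPLE_NOTES).items():
        print(f"{section}: {result}")
```

Running the script over the constructed sample lists the three NT 4 domain controllers plus the undocumented D-BDC1 as native-mode blockers, so the survey itself has to be complete before the mixed-to-native decision can be made.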
Routers and Associated Internetworking Gear
The biggest challenges that Windows 2000 network planners are going to run into, in terms of working with in-place internetworking gear, fall into two categories:
Replacing older routing equipment with Windows 2000 routers
Using modern routers that are capable of hosting DNS and dynamic host configuration protocol (DHCP)
Figure 3.2 shows you what this part of a resources document might look like, illustrating where your routers are. You may opt to replace some of your older routing equipment with a Windows 2000 router (that’s precisely one of the topics covered in Chapter 16, “Planning a Routing and Remote Access Implementation”). Windows NT 4 server was capable of acting as a Routing Information Protocol (RIP) router pretty early on in its release period, and supported Open Shortest Path First (OSPF) later on in life. Windows 2000 routers support RIP, OSPF, AppleTalk routing, PPTP and Layer Two Tunneling Protocol over IP Security (L2TP over IPSec). For most networks, Windows 2000 Server functions as a perfectly capable router. However, in a huge environment where you have thousands of users, you’re going to want to get into the router business and purchase real hardware-based routers.
FIGURE 3.2 Routers and associated internetworking gear in a resources document
[Figure: Atlanta router and Denver router joined by the WAN. Notes: Atlanta • Cisco 2500, integrated CSU/DSU; Denver • Cisco 2500, integrated CSU/DSU; WAN • T1 frame relay, 1.544Mbps]
Today’s high-dollar, high-tech routers have the capability of doing DNS and DHCP at the router and switch level, thus relieving servers of this duty. My problem with this isn’t in the DHCP realm; it’s with DNS. Since Windows 2000 uses dynamic DNS—learning about new users as it goes, populating WINS, generating reverse address lookups—you’re going to want a strictly Windows 2000 DNS implementation. And since Windows 2000 DNS can also make use of the DHCP addresses that are sent to it by a Windows 2000 DHCP server (see Chapter 10, “Designing a DHCP Solution,” for more info), you’ll want to use Windows 2000 to host DHCP as well. Network designers should probably not plan for routers and switches to perform these functions unless a viable solution is already in place. Again, just as with your servers, you need to document the location, brand, size, and type of routing and internetworking equipment (including relevant firmware or software versions) that you have now and are planning for in the future.
Network Infrastructures
Another resource at your disposal, one that you may not think of as a resource, is your actual network infrastructure. Take a serious look at all network infrastructures on every campus. Diagram where the switch and hub closets are. What is the brand name of the patch panels? Do the closets contain switches, hubs, bridges, or some combination? What is the backbone between closets made of? Figure 3.3 shows how you might depict this in a resources document.
Identify the core closets and core switches, then identify your spanning switches. Brand names and model numbers of switches and hubs are necessary, including any updates that have been applied to the firmware. Document all add-on cards in the switches or hubs, and again, any firmware or software versions. Target replacement for aging devices. As long as you’re budgeting this rollout, you need to budget replacement of networking gear that won’t cooperate with Windows 2000.
FIGURE 3.3 The network infrastructures section of a resources document
[Figure: wiring closets. Atlanta: North, South. Denver: North, South, East. Notes: Atlanta North closet • Apex patch panel, 48 ports • CAT5 backbone with redundant cabling • 3 - 3Com 1000 switches, 3.05.01 firmware … and so on]
Got Cat3? It’s time to get the wiring people in to update any old Cat3 wiring to Cat5 throughout your network. That means backbone connections and closet-to-user connections. Remember that you’re thinking enterprise now. If you’re going to roll out Windows 2000, the rollout doesn’t just happen at the servers. Windows 2000 is going to use those network infrastructures to get its AD updates, logon validations, application serving, printing, and other functionality out the door. Your infrastructure’s quality is as important as that of the servers themselves.
Non-Internetworking Telephony Gear
You also need to clearly document telephony gear used in the network that will be affected by Windows 2000. I can think of two very specific categories, but you can probably come up with more:
RAS switches that are not servers
IVR servers
See Figure 3.4 for an example of how you draw up this gear in your resources document.
FIGURE 3.4 Telephony gear diagrammed in a resources document
[Figure: Atlanta: RAS switch and A-IVR attached to the Atlanta PBX. Denver: D-RAS with an 8-port Digi card. Notes: Atlanta RAS Switch • 3Com • 48 ports • Authentication software; A-IVR • Edify software • HP LH3 • 256MB RAM • 500MHz • 3 - 9.6GB drives • NetRaid; Denver D-RAS • 8-port Digi asynchronous card • U.S. Robotics Sportster 56K modems • Compaq Proliant 800 • 128MB RAM • 2 - 4.2GB disks … and so on]
Administrators often buy boxes that act as RAS devices. One such device from 3Com (a leader in this kind of technology) has an on-board Windows NT server, places for several 24-port modem cards, and a router designed for RAS! Suppose you own a box like this? How is that device going to operate in your Windows 2000 design? Also note that some older RAS switch devices had the capability of using an on-board database or, optionally, you could purchase authentication packages for them (including authentication for Windows NT 4). In other words, when you connect, either the RAS switch itself could authenticate you or it would offload authentication to the domain controllers (DCs) in the network. You need to figure out where all of these RAS devices are, what they have on them, what code level they’re at, whether they’re using authentication packages, and what your upgrade path is going to be, if any.
Windows 2000 Server natively supports multiple RAS authentication schemes as well, including RADIUS. This will be discussed more in Chapter 15, “Designing a Remote Access Solution.”
You probably use interactive voice response (IVR) technology almost every day. When you call a company and begin to cycle through a series of menus, you’ve contacted an IVR system. It’s big business and very important for many corporations because their bread and butter lies in how well they communicate with their customers. IVR systems are unique because they talk to the company’s PBX, but they typically run some form of server software as well—often Windows NT Server. Be sure to document where these IVR boxes are, what version of server software they’re running, what version of IVR code they have on board, and how they’re going to run in your deployment.
Printers and Network Printing Gear
If you have a large enterprise, documenting your printing resources could be a complicated task, but it is essential. Figure 3.5 illustrates the printers portion of a sample document. First, figure out what servers are acting as print hosts for your network-connected printers. This includes Microsoft and third-party print servers. Next, try to get a handle on where the printers are, what they are, and how they’re connecting. I don’t think you need to include personal printers that are attached to desktops, just network-attached printers. One good thing that will arise from this work is that you’ll identify old and ailing print server boxes or JetDirect cards that need to be updated. In addition, you should probably try to figure out what level of firmware your print boxes and cards are at so that you know which ones need updating. Cards and boxes that can’t be updated to the latest and greatest firmware, in my opinion, need to be replaced.
FIGURE 3.5 The printing section of the resources document
[Figure: Atlanta: A-PRT print server with three HPLJ-5SI printers and one HPLJ-8000. Denver: D-PRT print server with three HPLJ-8000 printers. Notes: Atlanta A-PRT • HP LC3 • 128MB RAM • 2 mirrored 4.5GB; A-PrintQ1 • HP 5SI • JetDirect firmware 5.06 … and so on]
Figure out whether your printers are using Line Print Daemon (LPD) via TCP/IP or Data Link Control (DLC) to talk to the servers. All of this information needs to be mapped out so that you know what printer talks to what print server using what LPD port and IP number. You also need to document the share names and the permissions associated with each printer share. There are a number of third-party programs available to help you document your network. Two of the most popular are HP’s OpenView and NetworkIT from Computer Associates.
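The printer mapping this section calls for, as an added example that is not from the book: a small Python model of the printing section in which each network-attached printer records its print server, protocol (LPD over TCP/IP or DLC), IP address and LPD queue, share name, documented permissions, and JetDirect firmware level. The checks then group printers by print server, write out the printer-to-server connection map, list the printers not on TCP/IP, flag cards below an assumed target firmware for update (or replacement when the card can no longer be updated), and list shares whose permissions nobody has written down yet. The sample printers, the target firmware level, and the field layout are constructed assumptions.

```python
"""Printing section of a resources document, with the checks the survey calls for.

Added example, not from the book. The printer records, the target JetDirect
firmware level and the field layout are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed target firmware level for this example; use the vendor's current level in practice.
TARGET_FIRMWARE = "5.06"


@dataclass(frozen=True)
class PrinterRecord:
    name: str
    model: str
    print_server: str
    protocol: str        # "LPD" (over TCP/IP) or "DLC"
    ip: str              # empty for DLC printers, which are not addressed by IP
    queue: str           # LPD queue / port name on the print server
    share: str
    permissions: str     # documented share permissions; empty if not yet written down
    firmware: str        # JetDirect firmware, e.g. "5.06"
    updatable: bool      # whether the vendor still ships firmware for this card or box


# Constructed sample, loosely following Figure 3.5 (Atlanta A-PRT, Denver D-PRT).
SAMPLE_PRINTERS = [
    PrinterRecord("A-PrintQ1", "HP 5SI", "A-PRT", "LPD", "10.1.1.21", "raw", "A-PrintQ1",
                  "Everyone: Print; Print Operators: Manage Documents", "5.06", True),
    PrinterRecord("A-PrintQ2", "HP 5SI", "A-PRT", "LPD", "10.1.1.22", "raw", "A-PrintQ2",
                  "", "4.03", True),
    PrinterRecord("A-PrintQ3", "HP 8000", "A-PRT", "DLC", "", "", "A-PrintQ3",
                  "Everyone: Print", "5.05", True),
    PrinterRecord("D-PrintQ1", "HP 8000", "D-PRT", "LPD", "10.2.1.21", "raw", "D-PrintQ1",
                  "", "3.10", False),
    PrinterRecord("D-PrintQ2", "HP 8000", "D-PRT", "LPD", "10.2.1.22", "raw", "D-PrintQ2",
                  "Everyone: Print", "5.06", True),
]


def firmware_tuple(version: str) -> Tuple[int, ...]:
    """'5.06' -> (5, 6), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def printers_by_server(printers: List[PrinterRecord]) -> Dict[str, List[str]]:
    """Which printers each print host serves."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for p in printers:
        grouped[p.print_server].append(p.name)
    return dict(grouped)


def connection_map(printers: List[PrinterRecord]) -> Dict[str, str]:
    """One line per printer: which server, which protocol, which IP and queue."""
    out = {}
    for p in printers:
        if p.protocol == "LPD":
            out[p.name] = f"{p.print_server} via LPD to {p.ip} queue {p.queue}"
        else:
            out[p.name] = f"{p.print_server} via {p.protocol} (no IP address)"
    return out


def non_tcpip_printers(printers: List[PrinterRecord]) -> List[str]:
    """Printers still reached over something other than LPD/TCP/IP."""
    return [p.name for p in printers if p.protocol != "LPD"]


def firmware_actions(printers: List[PrinterRecord]) -> Dict[str, str]:
    """'ok', 'update' (below target, updatable) or 'replace' (below target, not updatable)."""
    target = firmware_tuple(TARGET_FIRMWARE)
    actions = {}
    for p in printers:
        if firmware_tuple(p.firmware) >= target:
            actions[p.name] = "ok"
        else:
            actions[p.name] = "update" if p.updatable else "replace"
    return actions


def undocumented_permissions(printers: List[PrinterRecord]) -> List[str]:
    """Shares whose permissions are still missing from the document."""
    return [p.name for p in printers if not p.permissions.strip()]


if __name__ == "__main__":
    print(printers_by_server(SAMPLE_PRINTERS))
    for line in connection_map(SAMPLE_PRINTERS).values():
        print(line)
    print("not on TCP/IP:", non_tcpip_printers(SAMPLE_PRINTERS))
    print("firmware:", firmware_actions(SAMPLE_PRINTERS))
    print("permissions undocumented:", undocumented_permissions(SAMPLE_PRINTERS))
```

Comparing firmware as tuples of integers matters: as plain strings "4.03" sorts after "3.10" correctly, but "5.10" would sort before "5.06", which is exactly the kind of error that leaves an old card in service.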
People
Finally, you need to map out the personnel at each site, their level of responsibility, the applications they manage, and so forth, as illustrated in Figure 3.6. Include internetworking personnel, NT server admins, Unix admins, PC techs, and any others that will be affected. Anyone who may come in contact with this Windows 2000 upgrade—not as a user but as a participating technology owner—must be included in the list.
FIGURE 3.6 People—the final section of the resources document
[Figure: Atlanta: John, Maggie, Bill, Sue. Denver: Mary, Dean, Wilbur. Notes: Atlanta John • NT admin • MCSE • Exchange admin; Maggie • PC Tech; Sue • Telephony/IVR … and so on]
It’s up to you to communicate your Windows 2000 plans to the people targeted in this documentation and then keep them updated as you go along. It’s not difficult to whip up a quick little e-mail for the people who are routinely being hit by the changes so they know what progress you’ve made. Be prepared for detractors and arguments; Rome wasn’t built in a day, and it wasn’t built without a lot of wars!
Note that your resources document might take up many more than six pages or sections—it’s all relative to the size of your network. Resources documentation will likely be a large undertaking and will take a good chunk of time to complete. This is a good thing—the more you plan in the beginning, the fewer problems you will have in the end.
Generating a Sizable Resources Document
You work for a moderate-sized company (12,000 nodes). You’re charged with handling the entire Windows 2000 rollout in a decentralized environment spread out over several geographic locations. You need to build a resources document. Where do you start? You start by contacting the team lead for each location’s NT admin group. You make an appointment with this person and visit (preferably in person but maybe by phone), sharing with them your project charge, and you begin assessing names and technology components for their site. You make several return visits to each location, finding it necessary to physically go to each location to get a better feel for how the closets are laid out or what condition the components are in. You can begin putting faces with names and job functions as well, so this phase of the rollout has been very beneficial to you. You feel more like you’re working with a team than fighting disparate components of a large company.
Evaluating Centralized vs. Decentralized Resources
You have all of your resources pinpointed and written down. A good exercise, don't you think? Now ask yourself: Are your "people" resources centralized or decentralized?
Chapter 3
Evaluating the Technical Environment
Microsoft Exam Objective
Design a resource strategy.
Plan for decentralized resources or centralized resources.
Chapter 2, "Analyzing Organizational and IT Management Structure," talked about centralization vs. decentralization and its good and bad features. Now it's time to figure out whether your IT personnel structure qualifies as one or the other type. This may not be so easy. To illustrate, here are some examples, some "mini-case studies," to help you learn to determine whether you're looking at a centralized or decentralized IT team:

Geographically Dispersed IT Members
Susan works for a multinational training company based in San Francisco. She's not only a Microsoft Certified Trainer (MCT) who does some daytime training work, but she also maintains the company's widely diversified network. A staffing coordinator named Bob is responsible for Susan and her team members. Bob has other administrators in other cities, fulfilling about the same duties as Susan, but it's understood that Susan is the team lead over the other members. There's Jerry in the Seattle office, Norma in Atlanta, Brian in Fort Worth, and Allison in Toronto. Bob usually puts the onus of project coordination on Susan's plate, but occasionally he gives instructions to the other team members directly. This is particularly annoying to Susan when she's in the office, because she feels like she should be the one to distribute all work. So, what's the verdict? Centralized or decentralized? If your thoughts center on the geographically diverse aspect of the team makeup, rest assured that geography doesn't usually determine whether a team is decentralized. That's not always the case, but centralization vs. decentralization has more to do with management's attitudes (or an excess of managers with decision-making and budgetary power) than with the geographic location of the respective members. There are lots of development teams that are separated by entire continents who nonetheless get a lot of work done!
Bob's penchant for occasionally handing out work to the other members without alerting Susan might tempt you to think the team is decentralized, but my take on this scenario is that they're largely centralized.

Help Desk/PC Tech/NT Admins
Jeremy works for a medium-sized manufacturing business as a PC technician. Because the nature of the company is manufacturing, Jeremy is all over the place every day looking at computing equipment and repairing it as needed. He seldom reports to anyone, other than responding to an occasional e-mail from his boss, the technical support manager. Most of Jeremy's correspondence consists of keying entries into HEAT, a help desk/PC technician program that lets you build a knowledge base of the problems you've encountered. Jeremy almost never talks to the network team, only when they have a question about something he said in a HEAT ticket related to a network problem. The help-desk people seldom interact with either the PC technicians or the network team. They spend their days talking with users on the phone and, when they can't solve the problem over the phone, entering a HEAT ticket for the PC technicians to work on. The network team spends its days maintaining the servers, server apps (including HEAT), and network infrastructure, and they hardly ever talk to either the PC technicians or the help-desk personnel. The PC technicians and help-desk personnel report to the technical support manager; the network team reports to the operations manager, the same person who's responsible for a small team of software developers. Both managers report to the CIO. OK, now then. Is this group centralized or decentralized? With the little information presented here, the team looks largely decentralized. There doesn't seem to be much "ownership" of one another's jobs and daily activities; it feels like there's a lot of disinterest on the part of the other teams. This setup doesn't sound like a centralized environment, where everybody communicates through some common medium. The existence of HEAT might have misled you into thinking that the teams are actually centralized, but the only time HEAT acts as a centralizing factor is when it becomes a source of contention, pitting one group against another.
In my mind, a Windows 2000 rollout would have to first do something about this centralized/decentralized dichotomy before anyone could progress with the upgrade. One of the keys when looking for centralization vs. decentralization is the autonomy of the groups involved. If they are all reporting to and basically managed by the same entity, then they are usually considered centralized. If they have a great deal of autonomy, however, they are likely to be a decentralized organization.
The IT Support Personnel
Mercedes works for a large, geographically diverse company as an NT administration team lead in the central office. There are many locations, with anywhere from a couple of users to more than 1,000. The larger locations have a dedicated NT admin or two all their own. For locations with between 2 and 20 users and only one server (there are about 30 such places), the company has opted to have IT support personnel (ITSP) "own" several geographically close locations and travel among them. The ITSPs are sort of jacks-of-all-trades (in the sense that they can do a bit with an NT server, though they've had no training), but they're not fully qualified to administer every nuance of the servers, nor are they allowed to configure them. The ITSPs also handle updates to the phone system's user database, provide help-desk and PC technician support to their offices, and so forth. Mercedes reports to the manager of the Enterprise Server Group (ESG), but the ITSPs report to the manager of the Remote Location IT Group (RLIT). While Mercedes is free to contact the ITSPs and ask them to help her out with things that go on with field servers (for which she is ultimately responsible), she has gotten into trouble for this at times when one or another of the ITSPs did not like the way that she asked for assistance. On the other hand, when the ITSPs ask her for help, she occasionally gets a little perturbed because she doesn't feel like it's her job. As a contract Windows 2000 network designer, you've studied this organizational setup for a while now. You think you've come to the realization that this setup doesn't really fit the description of a centralized group, with one entity reporting to one manager and vice versa. However, it's also not a decentralized group, because the two groups depend on each other a little.
Although they occasionally tick each other off with some request, that little bit of evidence alone implies that they’re comfortable working with one another within the confines of a centralized environment. You decide to treat this setup as a hybrid centralized-decentralized environment requiring special care and handling at deployment time.
Assessing Network Connectivity
These days, the words “network” and “connectivity” can mean many things, and you’ll have to judge their meanings before you can assess the real world behind the words.
Microsoft Exam Objective
Evaluate the company’s existing and planned technical environment and goals. Assess the available connectivity between the geographic location of work sites and remote sites.
There are two things you need to keep in mind when assessing connectivity. First, know how the network is currently arranged. Is there just one central office, or are there branch offices that need connectivity to the main network? What about Internet access, or partner access? Second, understand what the future plans are for the network. Chapter 2 talked about planning for the future and assessing growth. This is where that assessment starts to pay off.
Assessing Current Connectivity
The phrase "network connectivity assessment" has three distinct connotations:
Assess how disparate networks connect to each other. How do offices in Chicago and Tokyo talk to each other, if at all?
Determine how telecommuters connect to the network. Do you have RAS servers, VPNs, high-speed telephony interfaces, or some other method of allowing contact with your network?
Determine how users connect to the network.
The first bullet item is a straightforward one to assess. A call to the WAN (internetworking) people will yield the appropriate information. They can usually tell you the type of WAN connection between buildings, the speed, the carrier that's providing the connectivity, and any special information you need. Assessing the WAN connectivity is vitally important for companies that have geographically separate entities connected to one another. Two questions come to mind when assessing WAN connections:
If the speed is too slow to support a Windows 2000 upgrade, can it be upgraded, and if so, to what speed?
If no connection is present, what’s the possibility of getting them connected soon?
You can always use RAS for interconnection in the Windows 2000 network, but a WAN connection is greatly preferred! The second bullet item is probably more difficult to assess, and the second half of this book talks in detail about telecommuters and their special needs. Microsoft has done tremendous work with Windows 2000 to provide enhanced connectivity for telecommuters. Major questions arise when considering RAS, such as whether they're using NT-based RAS or switch-based RAS, and if they're using switch-based RAS, what authentication package (if any) fronts it. If VPNs are in use, who is the company's ISP, and is the VPN a software solution or hardware (such as Cisco VPN switches)? What about allowing DSL or cable modems? Are telecommuters coming in through an ISP (implying that they're using a VPN) or natively, through the company's own dial-in equipment? Ditto for high-speed lines like ISDN. Finally, an assessment of how users connect to the network is important. First, find out what kinds of clients are connecting. There is a profusion of connectivity options. Users can connect from NetWare clients or from a Macintosh. The operating system makes a difference in the connection client: OS/2 has a client that looks (and acts) different from the Windows for Workgroups one, and the Windows 3.x and 9x clients even differ among themselves. Then there's the protocol issue: What protocol are clients connecting with, and for multiple protocols, which one is at the top of the binding order?
Assessing User Usage Patterns
It's not enough to know which user components are accessing the network. You also need to determine the times of day when users access the network most heavily and which applications or files garner the most access. This has practical application in determining how the infrastructure holds up when the network is at peak load. Knowing usage patterns also allows you to make scalability decisions about servers that are constantly being hit. You can use Windows 2000's System Monitor or Windows NT's Performance Monitor for a lot of the usage tracking you need, and several good third-party products can help you get more details. Your network manager can sniff the network and give you some idea of which packets are traversing the LAN at what times. Knowing usage patterns helps you strategically place the servers that will handle the most load and beef up infrastructure that is too weak to handle the user onslaught.
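The usage-pattern analysis described above, as an added example written for this edition (it is not a Microsoft tool and is not code from the original study guide): it takes a comma-separated log of the kind Performance Monitor exports, finds the peak reading of a counter in each clock hour, ranks the busiest hours, and reports the peak-to-average ratio that tells you whether hardware sized for the average will be swamped at the peak. The log below is constructed to mimic the PDH-CSV layout (a header row naming the counters, then one row per sample); the server name FS1, the counter values, and the times are invented.

```python
"""Finding peak usage hours in an exported System Monitor / Performance Monitor log.

Added example for this chapter; not part of the original text and not a
Microsoft tool.  The log below is constructed to mimic the comma-separated
layout Performance Monitor exports (a PDH-CSV header row, then one row per
sample); the server name FS1 and all figures are invented.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

FILES_OPEN = r"\\FS1\Server\Files Open"
BYTES_SEC = r"\\FS1\Server\Bytes Total/sec"

SAMPLE_LOG = r'''"(PDH-CSV 4.0) (Mountain Standard Time)(420)","\\FS1\Server\Files Open","\\FS1\Server\Bytes Total/sec"
"05/14/2001 07:00:00.000","41","120500"
"05/14/2001 07:30:00.000","55","190200"
"05/14/2001 08:00:00.000","140","880000"
"05/14/2001 08:30:00.000","310","2100500"
"05/14/2001 09:00:00.000","402","3900000"
"05/14/2001 09:30:00.000","390","3650000"
"05/14/2001 12:00:00.000","120","600000"
"05/14/2001 13:00:00.000","380","3400000"
"05/14/2001 14:00:00.000","310","2800000"
"05/14/2001 17:00:00.000","60","210000"
"05/14/2001 18:00:00.000","12","40000"
'''


def parse_perfmon_csv(text):
    """Return a list of (timestamp, {counter_name: value}) from PDH-CSV text."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    counters = header[1:]            # column 0 holds the timestamp
    samples = []
    for row in reader:
        if not row:
            continue
        ts = datetime.strptime(row[0], "%m/%d/%Y %H:%M:%S.%f")
        values = {}
        for name, raw in zip(counters, row[1:]):
            try:
                values[name] = float(raw)
            except ValueError:
                continue             # a blank cell means the sample was missed
        samples.append((ts, values))
    return samples


def hourly_peaks(samples, counter):
    """Highest reading of `counter` seen in each clock hour: {hour: peak}."""
    peaks = defaultdict(float)
    for ts, values in samples:
        if counter in values:
            peaks[ts.hour] = max(peaks[ts.hour], values[counter])
    return dict(peaks)


def busiest_hours(samples, counter, top=3):
    """The `top` hours with the highest peak, busiest first (ties by hour)."""
    peaks = hourly_peaks(samples, counter)
    return sorted(peaks.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


def quiet_hours(samples, counter, threshold):
    """Hours whose peak never exceeds `threshold`: candidates for backups
    and other maintenance windows."""
    return sorted(h for h, peak in hourly_peaks(samples, counter).items()
                  if peak <= threshold)


def peak_to_average(samples, counter):
    """Ratio of the single highest reading to the mean reading.  A large
    ratio means a server sized for the average load will be swamped at the peak."""
    readings = [v[counter] for _, v in samples if counter in v]
    return max(readings) / (sum(readings) / len(readings))


if __name__ == "__main__":
    samples = parse_perfmon_csv(SAMPLE_LOG)
    print("busiest hours:", busiest_hours(samples, FILES_OPEN))
    print("quiet hours (<=100 files open):", quiet_hours(samples, FILES_OPEN, 100))
    print("peak/average:", round(peak_to_average(samples, FILES_OPEN), 2))
```

Run it against a real export by reading the file into `parse_perfmon_csv` in place of `SAMPLE_LOG`; the same functions work for any counter in the header, so the bytes-per-second column can be ranked the same way.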
Planning for the Future
Back to the task of predicting the future. Once you have figured out current network patterns, including remote offices and user usage patterns, it's time to look at where your company is headed. If there are plans for expansion, you need to prepare for them in advance. Preparing ahead of time does a couple of good things for you. One, you look like a genius when management goes to expand and you're all ready for them. Two, you won't have to fight for more budget approvals when the expansion does come around, because you already have sufficient infrastructure in place. This will save you many headaches. There are a couple of common issues to look for when planning for the future. One of the easiest to deal with and control is expansion at your current location. This usually involves running some new cable, maybe adding a wiring closet, and hooking everything up right. More complex to forecast is the addition of external locations and/or providing network access to partners and vendors. When all else fails, ask management what they have in mind for the future and be ready for it. Even if they don't mention any specific plans, keep the network design flexible enough to accommodate vendor and partner access as necessary. If management indicates that partners or vendors will need access, find out exactly what they will need access to, so that the access you design can be limited to that. While it's hard to predict the future, it's not hard to find indicators of what might happen so that you're not taken by surprise when it does.
Assessing the Usage of Network Services
Determining how users access the network takes more than knowing how they connect to it. Here you must pause and take a long, hard look at how the network is used. What kinds of things are users doing when they connect?
Microsoft Exam Objective
Evaluate the company’s existing and planned technical environment and goals. Analyze data and system access patterns.
In many cases, you’ll find the network is utilized in a totally different way than you might have imagined. I can think of at least five separate categories of network utilization to which you should direct your attention:
E-mail/scheduling services
File server services
Print server services
Application server services
TCP/IP configuration services
E-mail/Scheduling Services
Users rely on the network for e-mail and calendar sharing. Generally, in a Windows NT environment there is at least one Exchange Server; Exchange clients inherit the right to use Schedule+, and Outlook users can opt to use Schedule+ or Outlook calendars. Calendars can be shared to schedule meetings, and users can actually view one another's free and busy times. Exchange services like public folders, custom forms, Outlook Web Access (OWA), and distribution lists are used less often than they could be. There are some cool uses for these services, and it's a shame when NT administrators fail to leverage the power of Exchange Server and Outlook. Exchange Server supports a variety of e-mail clients, making it an almost universally acceptable tool for the users on your network.
File Server Services
File serving is a huge part of any user's network utilization, even though the user may not realize that he or she is getting files from the network. Many organizations provide large RAID arrays with gigabytes of hard drive space that are made available to users so they can store all kinds of important documents, which are then subject to routine tape backups. A famous use for large-capacity network storage is the company-wide "shared" folder, where everybody in the company is allowed to drop files they'd like to share with other users. You have to stay on top of global directories like this, because the NTFS permissions can be a bear to maintain, especially in large, dynamic environments: a folder that everyone can write to tends to accumulate things nobody meant to share. On the other hand, logon scripts make it easy to connect large numbers of users to one share point, so shared folders are used frequently. The Offline Files feature of Windows 2000 IntelliMirror lets users work on network-based copies of their files and then take those copies with them when they disconnect from the network. When the user reconnects, IntelliMirror kicks in and synchronizes the files worked on in stand-alone mode with the files kept on the server.
Print Server Services
Print serving is another widely used feature. You set up one or two NT computers and then just map a bunch of printers, through either LPD or DLC connections. (Pick good, quality hardware that's more than adequately equipped for the job, please, especially when it comes to giving the box plenty of RAM.) Share the printers, apply appropriate permissions, set the printer settings you'd like, and allow users to map to the printers. The biggest wrinkle in this type of setup is Windows 9x users, who need a 9x-specific driver for the NT-shared printer they're trying to connect to; the server can hand that driver out only if you've added it to the share, as the following note explains. NT computers don't have this problem; they simply download the driver if they don't have it.
Windows NT and Windows 2000 can automatically provide print drivers to clients. There is no additional configuration (other than sharing the printer) needed if the client and server are the same operating system. However, if you have 9x clients, you’ll need to configure the server to provide those clients with their respective driver and supply the server with a copy of the right driver. If you are using a 16-bit operating system (Windows 3.x or DOS), you’ll need to install the printer drivers on each local machine.
From a maintenance standpoint, the biggest headache associated with printer shares is when a printer goes down and users have to temporarily point to a different network printer for their printing needs. If they haven’t already been set up for the additional shares, they might not understand how to accomplish this without a visit from a PC tech. You can fix this small problem before it pops up by simply adding a second standby share to the user’s printers folder.
Application Server Services
Users access the network for applications, all kinds of applications. They might be using applications you weren't even aware were loaded on the network. Some of the kinds of applications that can be used on a network can be described as follows:
Server-based applications such as SQL Server or Exchange Server, which typically require some kind of user interface or application.
Internet/intranet-based applications requiring only a browser for access to the application. This is called thin-client computing.
Terminal applications that need terminal emulation software, which then allows users to access a Windows Terminal Server or Citrix MetaFrame server. SNA Server also requires a client that acts as a front end to an NT computer, which in turn communicates with a mainframe host.
n-tier client/server applications that depend on some sort of user application, which talks to the NT computers that talk to a Unix or mainframe backend host, sometimes using middleware to do so.
Remote Bootstrap Protocol (BOOTP) devices that, upon bootup, broadcast a BOOTP request looking for a server that can supply the IP configuration and boot image (and therefore the applications) needed to participate on the network.
TCP/IP Configuration Services
You don't often think of DHCP, DNS, or WINS as applications, but they really are. The user boots up and sends out a DHCP request, a DHCP server answers because it's running the DHCP application, and the user is equipped with the proper TCP/IP configuration.
Analyzing Service Requirements
A solid Windows 2000 design requires analysis of the existing network and its associated server services, plus forward thinking about the growth of the network and the needs of users as time goes on.
Microsoft Exam Objective
Evaluate the company’s existing and planned technical environment and goals. Analyze performance, availability, and scalability requirements of services.
When we talk about server services, we're typically speaking not of applications running on the network (things like Exchange or SQL Server) but of OS-associated services that users use (sometimes unwittingly) on a daily basis: DHCP, DNS, WINS, RRAS, print and file services, and directory services such as AD. When you think of server services, think about users and their needs relative to these services. So with your network design in mind, concentrate on the quantity and location of the users in order to make good design decisions about the placement and requirements of the services. There are three characteristics of these services that you're required to study:
Performance
Availability
Scalability
Performance
There are three places where an administrator can drive off the road when considering service performance:
User count
Configuration
Under-engineered hardware
You may underestimate the number of users who will be utilizing a service. For example, suppose that you have only two WINS servers in a six-campus network. You anticipate that most users will cross the wire to obtain name services from one server that's faster than the other. But lo, your internetworking engineers have the routers set to forward differently than you had anticipated, and your weaker server is getting hit harder. Or, as another example, you might have one print server handling dozens of printers with hundreds of users printing to it. In cases like these, the hardware may not be under-engineered, but the number of users hitting it may make it appear to be. A poorly configured service can cause problems as well. For example, an inadequately configured DHCP scope, one that does not supply additional parameters such as the default gateway, DNS servers, or primary and secondary WINS servers, can really create havoc on a network: clients get an address but can't route off their subnet or resolve names. It's not enough to configure a scope; you must also configure either the server (global) options or the scope options that accompany it. Under-engineered hardware probably accounts for the majority of a network's woes when it comes to services. I understand that smaller networks need to consolidate their operations onto one or two computers, but why does that computer have to be a garage clone that the administrator built in his basement one evening? When buyers and technical managers who are on strict budgets look at cutting costs with server purchases, you have trouble. The server farm and its associated trappings are the bread and butter of a corporation's IT (second only to its people, of course). A file server that has hundreds or thousands of users hitting it for routine files must be engineered to handle the load. That may mean equipping it with super-fast SCSI hard drives on a RAID controller card and making sure it has adequate RAM. Probably the best way to measure server service performance in Windows 2000 is with System Monitor, formerly known as Performance Monitor (found in the Performance console in Administrative Tools). There you can set up object counters for just about any service that's installed on the computer. In fact, third-party software often includes performance object counters for its own services. There are counters for DNS, DHCP, WINS, and other services as well.
Availability
In Windows 2000 you can enhance server availability by a couple of methods. One is network load balancing and clustering, where redundant servers share the load; Chapter 7 describes clustering in more detail. But the more important, more useful technique, the key to providing availability of services, is to provide redundancy for the server services themselves. For example, Chapter 10 describes a DHCP concept called scope splitting. The idea is that you take a pool of IP addresses and split it, say 80 percent to one server and 20 percent to another. Each server is configured with the whole range but excludes the other server's share, so no address can ever be leased twice, and clients still get an address when one server is down. How does the telephone company provide 99.9999 percent dial-tone availability? Heavy-duty redundancy of their switch gear. Even the best-run computer networks only dream of having six 9s of uptime. Redundancy, however, will get you closer to that goal.
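The two DHCP points made above, the scope that is missing its options and the 80/20 scope split, as one added example written for this edition (it is not a Microsoft tool and is not code from the original study guide). The first part checks a scope, with server-wide options merged in the way Windows 2000 DHCP applies them, for the options a routed NT/2000 network cannot do without; the second carves a pool into two non-overlapping ranges and computes the exclusion each server needs so the two can never lease the same address. The scope data is constructed; the option numbers are the standard DHCP option codes; the server names DHCP-A and DHCP-B and the choice of which options count as "required" are assumptions.

```python
"""DHCP scope sanity checks and an 80/20 scope split.

Added example for this chapter, not a Microsoft tool or code from the
original text.  Scope data is constructed.  Option numbers are the standard
DHCP option codes; server names DHCP-A and DHCP-B are assumed.
"""
import ipaddress

# Options a client on a routed NT/2000 network cannot do without.  The option
# codes are real; treating exactly these four as "required" is a design choice.
REQUIRED_OPTIONS = {
    3: "router (default gateway)",
    6: "DNS servers",
    44: "WINS/NBNS servers",
    46: "NetBIOS node type",
}


def effective_options(server_options, scope):
    """Merge server-wide options with the scope's own; the scope wins on a
    conflict, which is how Windows 2000 DHCP resolves server vs. scope options."""
    merged = dict(server_options)
    merged.update(scope.get("options", {}))
    return merged


def missing_options(server_options, scope):
    """Names of required options the clients of this scope would not receive."""
    present = effective_options(server_options, scope)
    return [name for code, name in sorted(REQUIRED_OPTIONS.items())
            if code not in present]


def split_scope(first, last, primary_share=0.8):
    """Divide the pool first..last into two non-overlapping ranges, the first
    holding primary_share of the addresses (80 percent by default)."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    total = int(hi) - int(lo) + 1
    if total < 2:
        raise ValueError("pool too small to split")
    n_primary = max(1, min(total - 1, round(total * primary_share)))
    primary = (lo, lo + (n_primary - 1))
    secondary = (lo + n_primary, hi)
    return primary, secondary


def exclusion_for(pool, own):
    """Both servers are configured with the whole pool; each then excludes
    the other's share.  Return the range this server must exclude."""
    lo, hi = pool
    own_lo, own_hi = own
    if own_lo == lo:
        return (own_hi + 1, hi)
    return (lo, own_lo - 1)


def plan_split(first, last, primary_share=0.8):
    """Per-server plan: {server: {"leases": (a, b), "exclude": (c, d)}},
    every address as a dotted string ready to type into the DHCP console."""
    pool = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    primary, secondary = split_scope(first, last, primary_share)
    plan = {}
    for name, own in (("DHCP-A", primary), ("DHCP-B", secondary)):
        excl = exclusion_for(pool, own)
        plan[name] = {"leases": (str(own[0]), str(own[1])),
                      "exclude": (str(excl[0]), str(excl[1]))}
    return plan


def overlaps(plan):
    """True if the two servers could ever lease the same address."""
    (a_lo, a_hi), (b_lo, b_hi) = (
        tuple(ipaddress.IPv4Address(x) for x in plan[s]["leases"])
        for s in ("DHCP-A", "DHCP-B"))
    return not (a_hi < b_lo or b_hi < a_lo)


if __name__ == "__main__":
    # Constructed scope: DNS is set server-wide, but nobody set the gateway.
    server_opts = {6: ["10.1.1.5"]}
    scope = {"network": "10.1.1.0/24", "options": {44: ["10.1.1.6"], 46: 8}}
    print("missing:", missing_options(server_opts, scope))
    for server, cfg in plan_split("10.1.1.10", "10.1.1.254").items():
        print(server, cfg)
```

For the constructed pool 10.1.1.10 to 10.1.1.254 (245 addresses) the plan gives DHCP-A the leases 10.1.1.10 to 10.1.1.205 with 10.1.1.206 to 10.1.1.254 excluded, and DHCP-B the mirror image; the `overlaps` check is the one to run again any time someone edits a scope by hand.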
With all Windows 2000 services, look for ways to provide redundancy to enhance availability. Let's go back to the print server example. Suppose that you're happy with one computer doing all the print-server work for your network. That's fine. But what happens if that computer goes down? How do you provide print services to your network users while you fix the computer? The answer is failover: a second, equally configured computer that begins taking print requests in the stead of the failed one. (In Windows 2000 this is a job for the Cluster service rather than Network Load Balancing; the print spooler is a supported cluster resource, whereas Network Load Balancing is meant for stateless TCP/IP services such as Web servers.) Tough to set up? Not too much so; it requires a little thought and some testing, but it's doable. And it will save the day if your print server ever keels over.
Scalability
Scalability is a new catchphrase in the computer industry. Basically, how big a network or how many users can your device (or application) support? Of course, there are small-scale issues too, but most of the time the concentration is on growth. The concept behind scalability is really the notion of over-engineering. As usage of a computer increases, you need to be able to expand its hardware as necessary. Alternatively, scalability also includes providing more than one server for a service. Users coming across a slow WAN link from Atlanta to your office in Boston in order to hit a DNS server might benefit from a second DNS server placed at their office. Maybe when you first set up the Atlanta office there were only a handful of users there, so they were able to use the DNS server in Boston effectively. But now, with 100 users and that same slow WAN link, you have quite a different scenario. Scalability connotes that the savvy network designer is able to design in "just enough for the current network and a little bit more," and then provide avenues for scaling up as corporate hot spots build up. So, the bottom line is this: How can you adequately plan for the performance, availability, and scalability of your Windows 2000 service components? You need to observe and take notes of what you see. Use the event logs, System Monitor, and the command-line utilities at your disposal (things like PING and NETSTAT) to ascertain how quickly services react to your requests. As more and more users come online and begin to use a service, plan for more computers running the same service so that you can offload the current server a bit. Proactively scale up the hardware rather than reactively trying to add hardware to a sick computer. Use fault-tolerance measures, redundancy, network load balancing, and other features to make sure the services are available. And most importantly, think about these services, because they are the most heavily used components of your entire network!
Analyzing Network Management
You may think that network management is a straightforward consideration, but there are more parts to it than you might imagine. Network management can be broken into many different components, depending on how you define each area of the network. However, most networks have the same general set of items that need to be managed. They include the physical network, the logical network, and most importantly, the people that take care of the network. Let's learn about some different concepts around which network management revolves.
Microsoft Exam Objective
Evaluate the company’s existing and planned technical environment and goals.
Assess net available bandwidth and latency issues.
Analyze network roles and responsibilities.
Physical Network Management
The physical management of the network has to do with the people who sit and watch the status of the network infrastructure. In a switched virtual LAN (VLAN) environment on a large network, this activity can be a full-time job for one or more people. Using HP OpenView, CA Unicenter, or another network management system (NMS), network managers watch Simple Network Management Protocol (SNMP) traps for specific events on different pieces of network gear. They watch for TCP/IP events such as duplicate device names and IP addresses, and for devices that fail in their operation. The advent of smart switching and routing has led to a whole new breed of devices that can report their status to a centralized management station, where people who know what to watch for can make decisions that anticipate network behavior.
Another management technique is network sniffing, where somebody does an actual network protocol capture and thoroughly analyzes what's happening on the network. Windows 2000 Server comes with Network Monitor to help monitor network traffic. Realize, however, that the bundled Network Monitor is a stripped-down version; it can capture only data sent to or from the NIC in the machine running it. To get full packet-sniffing services (capturing all traffic on the segment), you'll need an additional product such as Network General's Sniffer or the full Network Monitor that ships with Microsoft's Systems Management Server (SMS). Network managers are typically internetworking experts who know their way thoroughly around OpenView or other network management software. Theirs is the thrilling job of watching SNMP agents send traps to the management station for complete monitoring. It's knockdown boring but highly critical, especially in a large environment. These people typically report to the network staff, not to the Windows 2000 staff. In smaller environments, the network manager may be the same person as the Windows 2000 admin. Internetwork managers also look at the overall latency of the network: the time a packet takes to travel the network from point A to point B, relative to the expected time. It's all about deltas (changes or differences in speed). The slower the packet is traveling, the more the internetwork managers wonder about incorrectly configured routers or VLANs, pointers to invalid VLANs, poor name resolution, cards or switches going bad, even bad wiring. Latency says, "The time here should theoretically be 0.05s per packet on a network in normal use. I'm really reading 0.08s per packet. The delta-T is 0.03s; where's the problem?" It's not normally your job as a network designer or server admin to worry about latency, but for the test and for your design, you should make yourself aware of it.
Latency is also frequently known as delay.
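The latency "delta" just described, turned into a small measurement script as an added example written for this edition (it is not code from the original study guide or from Microsoft): it parses ordinary ping output, reports loss, minimum, average, maximum and jitter, and compares the observed average against the expected per-packet latency to produce the delta-T the text talks about. The ping output below is constructed in the Windows ping format; the 50 ms baseline and the 10 ms tolerance are assumptions, chosen so the result matches the 0.05 s expected / 0.08 s observed / 0.03 s delta figures in the text.

```python
"""Turning raw ping output into the latency 'delta' the text describes.

Added example for this chapter; not part of the original text.  The ping
output below is constructed (Windows ping format).  The 50 ms baseline and the
10 ms tolerance used in the demo are assumptions.
"""
import re
import statistics

PING_OUTPUT = """\
Pinging 10.2.0.5 with 32 bytes of data:

Reply from 10.2.0.5: bytes=32 time=79ms TTL=126
Reply from 10.2.0.5: bytes=32 time=82ms TTL=126
Request timed out.
Reply from 10.2.0.5: bytes=32 time=76ms TTL=126
Reply from 10.2.0.5: bytes=32 time=85ms TTL=126
Reply from 10.2.0.5: bytes=32 time=80ms TTL=126
Reply from 10.2.0.5: bytes=32 time=78ms TTL=126
Request timed out.
Reply from 10.2.0.5: bytes=32 time=81ms TTL=126
Reply from 10.2.0.5: bytes=32 time=79ms TTL=126
"""

# Matches "time=79ms" and "time<1ms" (Windows) as well as "time=0.123 ms" (Unix ping).
_RTT = re.compile(r"time[=<]([\d.]+) ?ms")
_LOST = re.compile(r"Request timed out|Destination host unreachable", re.I)


def parse_ping(text):
    """One entry per probe: round-trip time in ms, or None for a lost probe."""
    probes = []
    for line in text.splitlines():
        m = _RTT.search(line)
        if m:
            probes.append(float(m.group(1)))
        elif _LOST.search(line):
            probes.append(None)
    return probes


def summarize(probes):
    """Loss and RTT statistics.  Jitter is the mean absolute change between
    consecutive replies, so a link that is slow but steady scores low."""
    rtts = [p for p in probes if p is not None]
    if not probes or not rtts:
        return {"sent": len(probes), "received": 0, "loss_pct": 100.0,
                "min_ms": None, "avg_ms": None, "max_ms": None, "jitter_ms": None}
    jitter = (statistics.mean(abs(a - b) for a, b in zip(rtts, rtts[1:]))
              if len(rtts) > 1 else 0.0)
    return {
        "sent": len(probes),
        "received": len(rtts),
        "loss_pct": 100.0 * (len(probes) - len(rtts)) / len(probes),
        "min_ms": min(rtts),
        "avg_ms": statistics.mean(rtts),
        "max_ms": max(rtts),
        "jitter_ms": jitter,
    }


def assess(text, expected_ms, tolerance_ms=10.0):
    """Compare the observed average against the expected per-packet latency
    and report the delta: 'expected 0.05 s, reading 0.08 s, delta 0.03 s'."""
    result = summarize(parse_ping(text))
    result["expected_ms"] = expected_ms
    if result["avg_ms"] is None:
        result["delta_ms"] = None
        result["investigate"] = True          # nothing came back at all
        return result
    result["delta_ms"] = result["avg_ms"] - expected_ms
    result["investigate"] = (result["delta_ms"] > tolerance_ms
                             or result["loss_pct"] > 0)
    return result


if __name__ == "__main__":
    for key, value in assess(PING_OUTPUT, expected_ms=50.0).items():
        print(f"{key:>13}: {value}")
```

Feed it the saved output of `ping -n 50 <host>` for a real reading; anything flagged `investigate` is the cue to hand the delta (and the loss figure, which is often the more telling number) to the internetworking team.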
Logical Network Management
Another internetworking bailiwick lies in the complicated and highly evolved world of logical network layout: the internal management of VLANs on switches and routers. You can significantly isolate portions of the network that do the most talking to each other, keeping them from other similar network environments, all through the magic of VLANs. Typically, especially in larger networks, the internetworking experts will manage the router and VLAN configurations; the Windows 2000 admin won't be involved.
Managerial Network Management
This is probably the most fascinating aspect of network management, simply because it revolves around how the people are arranged to accomplish solid network management, not how the switches and routers are configured. There are, as you might imagine, many ways that a manager can set up staff so that the network is competently managed. Let's bring one or two of these to the fore, to give you a flavor for what I'm talking about in terms of strategic layout of personnel to produce the most effective network management scenario:
The number one method is to separate internetworking (router/ switch) people, server people, applications people, PC techs, and helpdesk personnel all into different camps. This is a harsh methodology because one hand does not know what the other is doing.
I prefer to see more cooperation among these teams, but my experience has been that once you isolate the various elements of network management into these categories, you have specialists who never experience the other components of the network. The only exception to that rule, of course, is the help-desk person who wants to get off the help desk and do PC tech work, or the PC tech who wants to stop troubleshooting computers and move up to working on networks.
Application administrators are often absolutely married to one app. In large companies, specific people handle Exchange Server and all of its application nuances. The server admin configured the box, but the app admin manages the app on it.
Another method is to have the server administrators also function as server application admins. (This doesn’t include database administrators, who tend to just work large databases by virtue of the special problems associated with management of those resources.) The help-desk and PC tech people stay where they are, but the server and application administrators are one and the same. The person who configured the Exchange Server also installed the app on it and manages the mailboxes.
Another example is the person who runs the help desk, maintains the PCs, configures the servers, and installs and supports application software. Typically this is seen in very small (500 nodes or fewer) networks.
Finally, there is the unusual combination where the PC techs are the help-desk personnel and vice versa. Can’t figure the problem out over the phone? Personally visit the computer. Note that this person isn’t yet a full-fledged administrator, but is functioning in the dual role of help-desk person and PC tech.
When you think of your managerial network management setup, you probably come up with some sort of mixture of these methodologies, but at least you get a feel for what I’m trying to describe: the disparate nature of help-desk work; PC tech work; server, app, and database administration; and internetworking.
Systems Management Server 2 and its remote tools allow help-desk personnel to remotely access computers and potentially solve problems without having to send a PC technician out to the computer. This is a terrific boon to large, geographically separated environments.
Unbundling Network Management and Coordinating a Project Plan

You work for a medium-sized entertainment organization, about 2,500 users. You have help-desk personnel, PC technicians, internetworking gurus, server admins, and apps admins. There is also a database administrator (DBA) who handles both the SQL Server on NT and Oracle on Unix DBA chores. You are the server systems architect for the company. Your task is to figure out a way to upgrade the network to Windows 2000, including moving all workstations from a combination of Windows 9x and NT Workstation computers to Windows 2000 Professional.
You first must coordinate with the PC technicians to figure out which user machines need to be brought up to correct hardware compatibility list (HCL) standards for Windows 2000 Professional. You set up a project timeline for this to happen. You examine the servers in the same way, making sure that the server admins know which servers need to be beefed up or replaced, and you create a project timeline and budget that reflects the necessary hardware upgrades. You then work with the internetworking folks to make sure that the switches and routers are in OK status, and that the TCP/IP structure in place is solid. You coordinate with the app admins on a strategic plan to move toward Exchange 2000 and SQL 2000. You’d like to see SMS come in the door at some point, but you delay that until the following year after rollout of the new network structure. You coordinate your efforts with the DBA so they’re aware of your thoughts and can advise the most strategic movement toward keeping the database apps available. Some terminal apps need to be addressed because several users are using terminal sessions into the Unix boxes. Finally, you prepare a complete project plan to handle all of the various segments of this undertaking.
Analyzing Network Security Considerations
Network security has its own unique ramifications, some of which are completely beyond the scope of this book (security being a career unto itself) and others that you can manage in your project plans.
Microsoft Exam Objective
Evaluate the company’s existing and planned technical environment and goals. Analyze security considerations.
There are at least three considerations that you need to take into account when thinking about the security of the network in your rollout:
Protecting the network from those trying to get in
Protecting the network from employees who have the potential to compromise network security
Protecting the network from terminated employees who have the ability to harm the network
Protecting the Network from Outside Intruders

Firewalls and Proxy Servers protect networks from outside intruders, but they’re only as good as the people who program them and the network design. For example, suppose that your network team has designed a company web site that consists of several web servers sitting on the public side of the firewall (unprotected). Suppose you’ve allowed a hole to be poked through the firewall on a certain port so that transactions can take place between the web servers and database servers on the private side. This is a very common technique, but there’s a security flaw here—one that’s not trivial. If a hacker can come in from the outside and figure out the IP address of the web server he’s hitting, and if he can ascertain the port that the web server’s using, he has essentially all he needs to get inside the corporation and poke around a bit.

Don’t think it happens? There are some astonishingly good freeware programs available for downloading that can make life easy for port sniffers. A hacker will often come in from the outside, hit port 25 (the SMTP port) of your e-mail server, and use standard SMTP commands to send e-mail to whomever he desires. Sometimes it’s just a joke; sometimes it’s not funny at all. Suppose, for example, that somebody entered your system this way and e-mailed an assassination threat to your CEO. Whose door would the police knock on, yours or the hacker’s?

Another common attack is called the SYN attack. A SYN is a TCP/IP synchronization request sent by a user trying to contact one of your external servers, typically a web server. The idea here isn’t to hack into your private network, it’s to disrupt you.
If someone wrote a program that would send a SYN request to a server, then somehow mask their IP address and re-send the very same SYN, mask their IP again and re-send the SYN again, doing this thousands of times in a few seconds, they could theoretically overload a server that’s trying to acknowledge all of the SYNs. A second disruption attack is a simple ICMP attack (or ping for packet Internet groper), where you simply ping the box millions of times, the result of which is to bring the server to its knees. This was used on Microsoft a couple of years ago, and it did a good job of cratering their servers for a few hours.
Today, if you try to ping a Microsoft host, you won’t get a reply. Why? They’re trying to keep out ICMP attacks. The point I’m making here is not about what software to buy to protect yourself, but that you should be aware that there are many tricks in the kit bag of a hacker who really, really wants to get to your servers. Your Windows 2000 design is going to have to include some plan for people like this, whether it’s Windows 2000 Proxy Server or a Cisco PIX firewall or a combination of both. You must account for the security details in your design.
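The SYN-flood pattern just described, turned into defender-side detection logic, as an added example that is not from the book: it scans a constructed connection log for a burst of SYNs to one server where nearly every SYN carries a different source address. The log line format, the five-second window and the threshold of 50 are all assumptions made for the example.

```powershell
# Added example (not from the book). Assumed log format:
#   "<ISO-8601 time> <src-ip> -> <dst-ip>:<port> SYN"
# Each line is one inbound SYN that never completed the handshake.
function Find-SynFloodIndicators {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$WindowSeconds = 5,   # sliding window length (assumed value)
        [int]$Threshold     = 50   # SYNs to one target inside a window we call suspicious
    )
    $pattern = '^(?<ts>\S+)\s+(?<src>\S+)\s+->\s+(?<dst>\S+):(?<port>\d+)\s+SYN$'
    $events = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time   = [datetime]::Parse($Matches.ts, [cultureinfo]::InvariantCulture)
                Src    = $Matches.src
                Target = '{0}:{1}' -f $Matches.dst, $Matches.port
            }
        }
    }
    foreach ($group in ($events | Group-Object -Property Target)) {
        $syns = @($group.Group | Sort-Object -Property Time)
        # Two-pointer sliding window: $j is the oldest SYN still inside the
        # window that ends at $i; the peak is the busiest window for this target.
        $j = 0; $peak = 0; $peakStart = $syns[0].Time
        for ($i = 0; $i -lt $syns.Count; $i++) {
            while (($syns[$i].Time - $syns[$j].Time).TotalSeconds -gt $WindowSeconds) { $j++ }
            if (($i - $j + 1) -gt $peak) { $peak = $i - $j + 1; $peakStart = $syns[$j].Time }
        }
        $distinct = @($syns.Src | Sort-Object -Unique).Count
        [pscustomobject]@{
            Target          = $group.Name
            PeakSyns        = $peak
            WindowStart     = $peakStart
            DistinctSources = $distinct
            # A burst in which almost every SYN has its own source is the
            # forged-source signature from the text; a burst from a single
            # source looks more like a broken client.
            Suspicious      = ($peak -ge $Threshold)
        }
    }
}

# Constructed sample log: a little normal traffic plus an 80-SYN burst
# inside 2.4 seconds, each SYN from a different made-up address.
$constructedLog = @(
    '2002-03-01T10:00:00 198.51.100.7 -> 192.0.2.10:80 SYN'
    '2002-03-01T10:00:02 198.51.100.9 -> 192.0.2.10:80 SYN'
    '2002-03-01T10:00:05 198.51.100.7 -> 192.0.2.25:25 SYN'
)
$burstStart = [datetime]::Parse('2002-03-01T10:00:10', [cultureinfo]::InvariantCulture)
$constructedLog += @(1..80 | ForEach-Object {
    '{0} 203.0.113.{1} -> 192.0.2.10:80 SYN' -f `
        $burstStart.AddMilliseconds($_ * 30).ToString("yyyy-MM-dd'T'HH:mm:ss.fff"), $_
})

# 192.0.2.10:80 is reported with PeakSyns 80 and Suspicious True;
# 192.0.2.25:25 has a single SYN and is not.
Find-SynFloodIndicators -Lines $constructedLog | Format-Table -AutoSize
```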
Protecting the Network from Inside Intruders

There’s a second, potentially much more dangerous aspect of network security: the kind of damage a user can cause to a network. Some stunts that users pull are really just inconvenient; others are potentially catastrophic. Let me say here that when you consider a Windows 2000 rollout, you need to consider developers as users, not as network people and power users to boot. I’ll explain why in a moment; first I want to give you several illustrations of what to think about when contemplating this category of network security.

A shared drive on a massive RAID array is as common as tomato soup. Every network has a dumping ground where users place their common stuff for other users to be able to see. Two examples of this are Exchange public folders and regular disk shares that are mapped out as \\Server_name\Shared with the Everyone group having Change permissions. Here’s how your users drive you off into the weeds: If the rights on the Shared directory aren’t sufficiently examined, a user with Change permission to absolutely everything can simply drag and drop a critical folder somewhere else in the system with one click of a mouse button and not even know it happened! Then the users who need this share get ticked off looking for it, submit backup-restoration help-desk tickets, and send hate e-mails to you wanting to know how this happened. Not a good scenario.

Your developers, engineers, and power users present a whole different kind of threat. They’re usually smart enough not to drag an entire shared folder to a different spot on the RAID array. But that’s the problem—they’re smart. They can figure out workarounds for situations that you’re trying to guard against and really smash your nose into the sidewalk with them. One famous software developer muck-up is to write a bunch of code and then immediately place it onto a production box with no testing.
Seldom, if ever, does code work right out of the developer’s mind, so change-management procedures need to be implemented to prevent this kind of “development.”
The standard procedure is to have a developer work in a development (dev) environment that looks exactly like the production (prod) environment (barring, of course, space issues on dev boxes). When the developer thinks the code is satisfactorily safe to test, he moves it to a test environment that also looks exactly like the prod environment. Testing takes place with live test users, and when everybody’s satisfied that the code works and is bug-free, then it’s OKed to be rolled into prod. This is a long process, typically a couple of weeks. You don’t just roll code into a prod environment in a couple of hours. This dev → test → prod methodology has worked well for mainframes for decades; it’ll work well for you.
I’m talking here about production software, not things like logon scripts and little stuff that doesn’t take long to crank out. Big VBScript, Perl, and Rexx logon scripts need to go through the dev → test → prod routine just like everything else.
The thing to plan for, relative to a Windows 2000 rollout and internal user security, is to understand who has what rights today and to either mimic those rights on the new system or to crack down even further. I’m a huge believer in providing the fewest rights possible and tweaking up until it’s just enough, as opposed to giving the Everyone group full control. Mapping user rights is going to be a huge pain, especially on your Shared directory, but you need to manage those NTFS and share rights proactively during design time. This is one of the places where you can begin immediate implementation without waiting for rollout. Documenting all the users and groups is going to present you a large challenge.
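One way to do the proactive share and NTFS rights review called for here, and to catch the \\Server_name\Shared-with-Everyone/Change situation from the previous section, as an added example that is not from the book: a report of shares where Everyone or another broad group holds write-capable rights, plus a remediation that swaps Everyone/Change for a named group. It assumes the SmbShare module on a current Windows Server rather than the Windows 2000 tooling the text describes; the group name is a placeholder.

```powershell
# Added example (not from the book). Requires the SmbShare module and the
# built-in Get-Acl cmdlet; run as an administrator on the file server.
function Find-OverlyPermissiveShares {
    [CmdletBinding()]
    param(
        # Principals that should never hold Change/Modify/Full on a general share
        [string[]]$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                                       'BUILTIN\Users', 'NT AUTHORITY\ANONYMOUS LOGON'),
        [switch]$IncludeSpecial   # also inspect admin shares such as C$ and ADMIN$
    )
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Any of these NTFS bits lets a user move, delete or re-permission content,
    # which is exactly the "drag a critical folder somewhere else" scenario.
    $writeMask = $fsr::Write -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles `
                 -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership

    foreach ($share in (Get-SmbShare | Where-Object { $IncludeSpecial -or -not $_.Special })) {
        # Share-level permissions (the "Everyone: Change" layer)
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            if ($ace.AccessControlType -eq 'Allow' -and $ace.AccessRight -in 'Full', 'Change' -and
                $ace.AccountName -in $BroadPrincipals) {
                [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'Share'
                                   Principal = $ace.AccountName; Rights = "$($ace.AccessRight)" }
            }
        }
        # NTFS permissions on the share root (IPC$ and similar have no path)
        if (-not $share.Path -or -not (Test-Path -LiteralPath $share.Path)) { continue }
        foreach ($rule in (Get-Acl -LiteralPath $share.Path).Access) {
            if ($rule.AccessControlType -eq 'Allow' -and
                $rule.IdentityReference.Value -in $BroadPrincipals -and
                (([int]$rule.FileSystemRights -band [int]$writeMask) -ne 0)) {
                [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                                   Principal = $rule.IdentityReference.Value
                                   Rights = $rule.FileSystemRights.ToString() }
            }
        }
    }
}

# Remediation in the "fewest rights possible, then tweak up" spirit:
# everyone authenticated may read, one named group may change.
function Set-LeastPrivilegeShareAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][string]$ChangeGroup   # placeholder, e.g. 'DOMAIN\Shared-Editors'
    )
    if ($PSCmdlet.ShouldProcess($ShareName, "Replace Everyone/Change with $ChangeGroup/Change")) {
        # No-op if Everyone is not on the share ACL
        Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue
        Grant-SmbShareAccess  -Name $ShareName -AccountName 'NT AUTHORITY\Authenticated Users' -AccessRight Read -Force
        Grant-SmbShareAccess  -Name $ShareName -AccountName $ChangeGroup -AccessRight Change -Force
    }
}

# Report first; remediate one share at a time, previewing with -WhatIf.
Find-OverlyPermissiveShares | Format-Table -AutoSize
Set-LeastPrivilegeShareAccess -ShareName 'Shared' -ChangeGroup 'DOMAIN\Shared-Editors' -WhatIf
```

Share permissions and NTFS permissions are evaluated together, so a share that reports clean at one layer can still be wide open at the other; review both columns of the report before signing off a share.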
Protecting the Network from Terminated Employees

Terminated employees, especially network admins or developers and engineers with tons of rights, need to be observed very closely at termination time. Whether the user is being fired or is quitting, I don’t think it’s good to leave power-user accounts active for their last couple of weeks. You just don’t know what kind of mentality somebody might have, and Remote Access Service (RAS) is a great back door. A power user could be very disgruntled with the company and find a new job. Then, the Saturday before he takes the new job, he just tests his RAS account, and sure enough, it works! He maps to a server admin share, does a quick DEL *.*, and you’re in there for the next 14 hours doing a server and tape restoration.
A Windows 2000 designer should ask the security person who handles the terminations how they’re handled. If the answer is, “I don’t know, we eventually get around to it,” the designer should insist on disabling the account, and eventually deleting it. This disabling/deleting activity should happen on the day the person is terminated.
Several companies have an HR person watch the person being terminated to make sure they don’t log on to the network as they collect their stuff. At the same time, a network administrator is on User Manager for Domains, disabling the account. This stuff sounds like incredible overkill, but it could wind up killing your network if you don’t watch it.
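The same-day disable step described above, as an added example that is not from the book: it disables the account, closes the RAS back door the text warns about, strips group memberships, records the ticket, and then verifies the result. It uses the ActiveDirectory PowerShell module (RSAT) rather than the User Manager for Domains the text refers to; the OU path and ticket reference are placeholders.

```powershell
# Added example (not from the book). Requires the ActiveDirectory module
# and an account allowed to modify users in the domain.
function Test-AccountDisabled {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties Enabled, MemberOf, msNPAllowDialin
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        DialInAllowed  = [bool]$u.msNPAllowDialin
        GroupCount     = @($u.MemberOf).Count
        # All three must hold before the termination ticket is closed
        Ok             = (-not $u.Enabled) -and (-not $u.msNPAllowDialin) -and (@($u.MemberOf).Count -eq 0)
    }
}

function Disable-TerminatedAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$TicketId,   # HR / help-desk ticket reference (placeholder)
        [string]$DisabledOu = 'OU=Disabled Accounts,DC=example,DC=com'   # placeholder OU
    )
    $user  = Get-ADUser -Identity $SamAccountName -Properties Enabled, MemberOf, LastLogonDate
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm'

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable and strip access')) {
        # 1. Block interactive, network and RAS logons immediately
        Disable-ADAccount -Identity $user
        # 2. Scramble the password so a remembered credential is useless even
        #    if the account were re-enabled by mistake
        $random = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
        Set-ADAccountPassword -Identity $user -Reset `
            -NewPassword (ConvertTo-SecureString $random -AsPlainText -Force)
        # 3. Explicitly deny dial-in: the text calls RAS "a great back door"
        Set-ADUser -Identity $user -Replace @{ msNPAllowDialin = $false }
        # 4. Drop every group membership except the primary group
        foreach ($groupDn in $user.MemberOf) {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        }
        # 5. Record who, when and why on the object, then park it for later deletion
        Set-ADUser -Identity $user -Description "Disabled $stamp, ticket $TicketId, by $env:USERNAME, last logon $($user.LastLogonDate)"
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu
    }
    # Verification output: the help-desk ticket should not close until Ok is True
    Test-AccountDisabled -SamAccountName $SamAccountName
}

# Preview, then run for real once HR confirms the termination time
Disable-TerminatedAccount -SamAccountName 'jdoe' -TicketId 'HR-0000' -WhatIf
```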
Protecting the Network

You’re in the throes of a Windows 2000 design on your little 200-node network. You’re horrified to find out that your entire company has been sitting out on the Internet, all nice and exposed, without benefit of proxy or firewall for a year or better! You’ve got a standard Class C network number and registered domain with your ISP, and when you ping an internal host from home, you get a reply! You lose sleep at nights when you begin to realize that anyone who wanted to could simply come along and do their hacker thing. You’re shocked that you haven’t been hit by now.

It’s time to react. You don’t really have time to wait for the Windows 2000 deployment, do you? It’s serendipitous that you haven’t been hit yet, but it would be stupid to trust your luck even further. So you, knowing nothing about internetworking gear, negotiate with an internetworking consultant and get a hardware firewall put in place between you and the Internet. The only thing you allow into your company are SMTP requests on port 25. You allow all users access to the outside. To them, it looks just like before.

Now you can take some time and plan proxy-server integration behind the firewall. This way you can tighten up port-25 hacks and begin to filter user web requests. You really do need both the firewall and the proxy—one doesn’t do the job of the other—but you’ve bought yourself some time before going forward with the Windows 2000 rollout.
Summary
This chapter captured some meaty detail that you’ll need for your Windows 2000 design. It started by discussing the company’s size and resource distribution and pointed out that the term “resources” means more than just people; it also includes servers, routers, telephony, and printers and associated network peripherals. When talking about resources, we also defined the difference between centralized and decentralized resources. Planning your Windows 2000 network will require that you figure out which are which. Then we discussed how these resources are placed and how they’re managed— their connectivity. We talked about the various breakups of IT teams, decentralization and centralization of same, and how to manage those components. We also talked about network connectivity, determining speed factors, and making sure you understand the latencies between sites—why they exist and what’s being done about them. This kind of determination allows you to have a feel for the kind of performance you’re going to get out of the network and also for any scalability planning you might like to do. We talked about how users access the network, about the various network roles (not people; people can be replaced but the role stays the same). Finally, we discussed the various security considerations involved in making Windows 2000 decisions.
Exam Essentials

Know how company size and user and resource distribution affect your network design. Obviously, the larger your network is, the more you’ll have to worry about. If all of your users and resources are in one location, you will likely only have to deal with Internet connectivity, and possibly remote access. However, distributed environments often require expensive dedicated (and secure) connections.

Know what connectivity options are available for remote locations. It would be great to have a T-1 line between all locations in your company. The problem is that it gets expensive. You need to balance connectivity speed with your available budget.

Understand bandwidth and latency issues. Bandwidth and latency issues are more common when you are dealing with WAN connectivity than with LAN connectivity. Make sure you know how much available bandwidth you have, know what it’s being used for, and have a plan to speed up the network if latency gets too high.
Understand how various services impact your network. You need to know what services people are using, when they are using them, and how critical the services are. If the service in question is absolutely mission-critical, find a way to make it fault-tolerant or give it redundancy.

Know who is responsible for the network. This is closely related to the issue of centralized vs. decentralized administration. If there is only one IT group centrally located, everyone can be brought into the planning meetings. If everyone is dispersed, you may have issues with getting everyone on the same page for your upgrade.

Understand security issues. This is probably the most important consideration on your network. If vital resources are hacked, there could be severe repercussions. Once you start giving access to outside entities (vendors and partners) and access to remote locations, the scope of your security problems increases.
Key Terms
Before you take the exam, be certain you are familiar with the following terms:
Bootstrap Protocol (BootP)
Data Link Control (DLC)
ICMP attack
interactive voice response (IVR)
latency
Line Print Daemon (LPD)
Open Shortest Path First (OSPF)
Routing Information Protocol (RIP)
Simple Network Management Protocol (SNMP)
SYN attack
thin client
Review Questions

1. You are the e-mail administrator for a medium-sized network. Recently, some users have been calling to complain that interoffice e-mails seem to take forever to get delivered, but it didn’t used to be a problem. Checking the Exchange Server, you see no problems. You call up one of the techs responsible for network monitoring and ask her to investigate. She tells you that you’ve been experiencing a slow delta-T in throughput of network packets from point to point. What kind of potential problem does this indicate?
A. High latency
B. Saturated collision domains
C. Router saturation
D. Not enough VLANs

2. You are beginning to plan a Windows 2000 upgrade from your existing NT network. You have developed a project team and need to perform a current network analysis. What are some of the most important resources you’ll have to have your project team account for before starting your Windows 2000 rollout? Choose all that apply.
A. Servers
B. Mainframes
C. Telephony gear
D. Routers

3. Your database server just crashed. After five frantic hours of fixing the server, your boss storms into your office demanding that this not happen again. What two solutions can you present to him to lessen the risk of a recurring problem?
A. Install a RAID card
B. Install a tape backup unit
C. Use redundant servers
D. Cluster your servers
4. Because of recent publicized hackings, you decide it’s time to protect your network. It seems that every vendor thinks that they have the perfect hardware and software combo package to fit your needs. Which two features are you primarily looking for to put on your network to enhance security between your company and the Internet?
A. Proxy Server(s)
B. Layer 3 switches
C. Firewall
D. Virus scanner

5. Jenny and Joe are NT admins who work in the Honolulu office. Steve and Sherry work in the Brownsville, Texas, office. All four people report to the same manager. In plotting this layout of human resources for your upcoming Windows 2000 upgrade, what sort of resource allocation does this describe?
A. Decentralized
B. Centralized
C. Hybrid centralized/decentralized
D. Top-down

6. You have a spoke location in Phoenix that has no server. Users in the Phoenix office log on to a server in Denver over a 56K wire. When they print, they send their print request to the server in Denver and the job is sent back across the wire to the printer in Phoenix. What two unintentional design flaws does this network model describe?
A. Net available bandwidth
B. Latency
C. Resource distribution
D. Security
7. You are the network administrator for your company. The company is planning a complete Windows 2000 upgrade in the near future. To test some network operations, two Windows NT 4.0 machines have already been upgraded to Windows 2000 member servers in your domain. One of your assignments is to track server utilization to better determine which machines will need hardware upgrades during the final stages of the rollout. What should you use to assess your current test server’s performance?
A. Event Viewer log files
B. System Monitor
C. Ping times
D. Network Monitor

8. While examining your network, you find that the biggest periods of usage for your Oracle database are between 8:00 A.M. and 5:00 P.M. What useful piece of design information does this provide you with for your Windows 2000 upgrade?
A. System access patterns
B. Network roles
C. User access patterns
D. Management of resources

9. One of the major concerns that management has expressed over your current network is speed. Simply put, it crawls. It’s imperative that you find an adequate solution while performing the network upgrade to Windows 2000. What are the two primary components you need to assess for available bandwidth?
A. RAS servers
B. Internal LAN infrastructure
C. VPN connectivity
D. WAN links
10. You are planning a Windows 2000 upgrade for your network. One of the senior managers recalls a time when a previous network upgrade took place. The network engineer said that the hardware would be sufficient, but he turned out to be wrong when more users were added to the picture. It ended up costing the company more money in the long run, and the manager wants to avoid that situation again. What type of concern is this manager expressing?
A. Scalability
B. Offloading
C. Availability
D. Performance
Answers to Review Questions

1. A. Latency is the difference between what’s expected and what’s observed relative to packet speeds on the network. This is not something the normal Windows 2000 designer is involved with calculating; it’s the responsibility of the internetwork engineers. Latency can be addressed in a variety of ways, and it’s not a showstopper, but the Windows 2000 network designer needs to know it’s out there.

2. A, C, D. A, C, and D are good answers. You’re not likely to get involved with the mainframe from a resource perspective, although you might work with it in terms of using a host emulation software program. For the purposes of a Windows 2000 design, the best three answers are A, C, and D.

3. C, D. You can increase availability by providing redundant equipment or by implementing a cluster server. The tape backup is (hopefully) already in place. After all, you were able to salvage some data. RAID is a tempting choice, but remember that for all its glory, not every RAID solution provides fault tolerance.

4. A, C. Proxy servers and firewalls protect users from the big bad Internet (and vice versa). Item D is valid—you certainly want virus protection—but it doesn’t enhance security, it protects files.

5. C. From a managerial standpoint, everybody is centralized, but from a resource standpoint, these people are decentralized.

6. B, C. You’ve deliberately introduced latency into the system with such a setup. Validating to a spoke server is fine, but hauling print jobs up the wire to Denver for print preparation, and then dragging the job back down to Phoenix to the printer is a different story. You’ll need to address this problem.

7. B. System Monitor, the replacement for the old Windows NT 4.0 Performance Monitor, would be the tool of choice to see how a computer is behaving. You have wonderful granularity that you can apply with this tool—all based on the objects and their associated properties that you decide to count.
8. C. You’re assessing user access patterns. When users come to the office in the morning, they log on, pull up their e-mail, and so forth. So 8:00 A.M. and right after is a large user access period when systems are busy. The database will have pretty constant access for most of the working day. Closing time, around 5:00 P.M., when users are getting ready to log off for the day and are closing files and checking that e-mail one last time, is also a busy period.

9. B, D. You’ll be assessing the bandwidth of your internal infrastructure and your WAN links. Since there’s a connection with a private telephone company in the middle when users connect via RAS, you may have little say in their bandwidth. Ditto for VPN connectivity.

10. A. Scalability’s goal is to provide computing equipment and peripheral gear that is easily upgraded in order to accommodate an influx of new users utilizing the computer’s services.
The Large Corporate IT Environment
You should give yourself 10 minutes to review this case study, diagram as needed, and complete the questions for this testlet.
Background

You work for a large utility of about 5,000 employees that provides gas and electricity to a large midwestern city. The company is publicly held and has other locations besides the one that serves the city you live in and its surrounding community. The utility has subsidiaries that perform natural gas storage, appliance repair, and research into renewable energies; these subsidiaries don’t feel much need to be subservient to the parent company. Your task is to design and implement a Windows 2000 deployment.
Current System

The company’s IT unit is broken up into several distinct groups. A mainframe coding and maintenance organization has developers spread out over several different buildings; the thinking is that if the developers are placed where the users need them, their response times will be faster. A network group handles all of the building infrastructures but not the internetwork structure (WAN links and routers); this group, comprising six people, is centrally located. The internetworking group of three technical persons is based in the same building as the network team. The help-desk and PC technicians are scattered about the various buildings you have throughout the metro area. The help-desk ticket management product in use is HEAT. All the techs—network, internetwork, PC technicians, help-desk, or server admins—use this ticket system. All groups report to different managers, and the management of the various groups could potentially differ by geographic region. Some groups don’t know the people who are members of others; there is little dialogue between groups.

While you don’t have problems with things like multinational links, you do have lots of small buildings that house dissimilar parts of the utility, zoned by geographic designation. The company is broken out into four large segments (northwest, northeast, southeast, and southwest), following logical geographic separations in the contour of the city. Some large facilities in each of these segments house a few hundred users apiece. In addition, many smaller facilities run the gamut as far as user population. The majority of the users are on Windows 95 running on standard Pentium computers, hooked to the Ethernet network and logging onto Windows NT. Lots of users access the mainframe with a 3270 host emulation program.

The company has a wide variety of engineers spread out across the city and outlying areas. These engineers predominantly use Solaris workstations or Windows NT Workstation as their computing environment of choice. You have several Exchange Servers and have exploited them heavily with custom forms and public folders. There are pockets of customized and off-the-shelf apps running in various areas all over the company. As near as you can discern, there isn’t a lot of thought or attention paid to the apps scenario; there is no centralization of apps management or knowledge.

The technical environment is complicated and decentralized, one that will require pulling together widespread system resources and fixing the problem of lack of communications lines among the people resources. Your assessment is that the majority of your Windows 2000 rollout problems and issues will fall along these lines.
Envisioned System Overview

Your boss is the supervisor over the architect team. There are three people on the team: yourself as the network architect, an internetwork architect, and a server architect. You present your concerns and plans to your supervisor.

Your Supervisor “The plan looks good. I agree with you that we’ve got a problem on our hands with the decentralized atmosphere around here. I want you to work closely with the field office IT reps and the network and internetwork teams in coordinating this effort. Try to figure out what apps there are, so that we don’t kill them as we deploy. You’re the deployment manager as of today.”

Network Team Members “We’re completely behind the idea. As you know, we’ve recently upgraded the network to support 100Base-T to each desktop and gigabit on the backbone.”

Internetwork Team Members “From a bandwidth and latency standpoint, you have no issues. All WAN circuits, with the exception of the link to two of the control stations, are T1 frame relay. The control stations only need 128K since there is hardly ever anyone there.”

Server Admins “The Solaris boxes are doing DNS right now. We understand your need to go to Windows 2000 dynamic DNS, but that will take some coordination with the engineers because they have lots of field gear with static entries coded into it. As far as the apps go, we’ve put together some spreadsheets and Visio documents that may help you figure out what’s going on in specific areas, but nobody really has the full scoop on all of the apps.”

Performance Overview

Your biggest concern is the applications that the users use and their safe integration into the Windows 2000 environment.

Server Admins “The majority of the apps are well behaved and don’t require special Windows NT drivers. It’s probably a good idea to do some checking with the manufacturers of the apps, but we’re pretty confident that most apps will play nicely with Windows 2000.”

Questions

1. What are this deployment’s chief business problems? Choose two.
A. Decentralized environment
B. Apps
C. Geographic disparity
D. Lack of cooperation
CASE STUDY
148
Chapter 3
Evaluating the Technical Environment
2. In the following chart, group the tasks on the right into the deployment topics on the left, corresponding to the type of tasks you’ll need to go through to finalize deployment. Not all the suggested tasks will be used.

Deployment Categories:
Applications Issues
Name Resolution Issues
Mainframe Issues

Tasks:
In lab, test migration of app to Windows 2000 server.
Get rid of coaxial DLC connections to mainframe.
Identify Windows 2000 DNS servers.
Identify all apps.
Meet with engineers to discuss DNS migration.
Identify app servers.
Ask development team to check for problems with custom app migration to Windows 2000.
Confirm that the 3270 emulator is Windows 2000–compliant.
Identify app stakeholders.
Verify Windows 2000 conformity with app vendors.
Coordinate with Unix server admins to move DNS from Unix to NT, if possible.
Test dynamic DNS implementation in lab.
Identify whether 3270e is on the mainframe.
Set up a Unix box as a secondary zone.
Investigate what’s needed for WINS backward compatibility.
Upgrade Unix version of BIND if Windows 2000 DNS move not possible.
Identify app functionality.
3. What will be the biggest issue with the Windows 2000 rollout if not all of the apps can migrate?
A. You’ll have to stop the entire project until the problem is rectified.
B. Apps residing on non-DC boxes can continue to live there just fine and not hinder Windows 2000 native mode.
C. Apps must be upgraded.
D. Stick with standard non-native mode until all apps are replaced.

4. What will happen if you can’t move the network to dynamic DNS for some reason?
A. Nothing.
B. Big problems—AD needs to use dynamic DNS.
C. Try to use Unix as best as you can.
D. Don’t need DNS in the Windows 2000 environment anyway.
Answers
1. A, B. The foremost issue you face here is the decentralization issue and making sure everybody’s on the same page. After that, you’ve got to take a serious look at the apps.

2. See the following chart:

Deployment Steps
Applications Issues:
Identify all apps.
Verify Windows 2000 conformity with app vendors.
Identify app servers.
Identify app stakeholders.
Identify app functionality.
Ask development team to check for problems with custom app migration to Windows 2000.
In lab, test migration of app to Windows 2000 server.
Name Resolution Issues:
Meet with engineers to discuss DNS migration.
Identify Windows 2000 DNS servers.
Coordinate with Unix server admins to move DNS from Unix to NT, if possible.
Test dynamic DNS implementation in lab.
Investigate what’s needed for WINS backward compatibility.
Upgrade Unix version of BIND if Windows 2000 DNS move not possible.
Mainframe Issues:
Get rid of coaxial DLC connections to mainframe.
Identify whether 3270e is on the mainframe.
Confirm that the 3270 emulator is Windows 2000–compliant.

3. B. Apps that reside on non-DC computers can stay there and run in the Windows NT 4 environment just fine. You’re not going to hurt the global catalog by having Windows NT 4 boxes out in the world. That way, you can take your time and upgrade accordingly. Apps on DCs are not a good idea anyway, but also they’ll be a showstopper in terms of your rollout if they can’t get along with Windows 2000. Chapter: 3 Objective: 1

4. B. Windows 2000 domains require dynamic DNS in order to function. Dynamic DNS can be provided by Unix DNS servers or Windows 2000 DNS servers. Of course, Microsoft prefers that you use Windows 2000 DNS with Active Directory domains. Chapter: 3 Objective: 1
Chapter 4 Anticipating the Impact of Infrastructure Design

MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Analyze the impact of infrastructure design on the existing and planned technical environment.
Assess current applications.
Analyze network infrastructure, protocols, and hosts.
Evaluate network services.
Analyze TCP/IP infrastructure.
Assess current hardware.
Identify existing and planned upgrades and rollouts.
Analyze technical support structure.
Analyze existing and planned network and systems management.
Chapter 3, “Evaluating the Technical Environment,” went into detail about the technical environment, its makeup, the roles that make up the network’s operation, and how the network management team is spread out. This chapter goes a little further down that road and begins to discuss the nitty-gritty details of the enterprise. We start out by talking about the applications that are on the network (an important and often overlooked subject). We then look at the network services and the existing TCP/IP infrastructure. We also examine current hardware situations, with an eye toward what you need to do to fix weaknesses. You need to identify any planned rollouts or upgrades, analyze the support structure, and describe the layout of network and systems management facilities. This is another busy chapter, one that very much rides the coattails of the previous one, and one that’s highly important for Windows 2000 rollout considerations.
Defining Your Enterprise Network Applications
Let’s begin with a discussion of what applications are on your network and how you can sort them into distinct cubbyholes that match functional profiles.
Microsoft Exam Objective
Analyze the impact of infrastructure design on the existing and planned technical environment. Assess current applications.
There are two separate distinctions that need to be made here:
The application’s scope, whether it is enterprise or workgroup
Regardless of scope, whether the application is client/server or web-based
Enterprise vs. Workgroup Scope
Network applications can be split into two different varieties: enterprise and workgroup. This is a loose definition, but one that you can safely use in your network examinations. An enterprise application is one that is used daily by a lot of people. Exchange is an enterprise application, but that’s an obvious one. Another example is a front-end client that talks to an Oracle database. Often, organizations have customized an application that lives on the client’s desktop and maintains connectivity either with the enterprise databases or with middleware that, in turn, talks to the databases. The scope of these kinds of applications is usually large, and they’re generally enterprise-class applications, based on the application’s volume of use. Think of enterprise applications as applications that have a mission-critical status, that are being used by large numbers of people, and that are in use almost all of the time during working hours.

How about Internet Explorer (IE)? Is that an enterprise application? I’d say no; it only brings web pages back to the local user and doesn’t further the corporate good globally. An intranet application that lives on a web server and is used with IE is a different story. The number of users and daily volume of use could be vast.

A workgroup application lives on a server and serves a purpose specifically for one group of people. Financial applications are probably the most common of several good examples. Not everybody in the company needs to use server-based financial software—typically, only the accountants and payroll people. Nevertheless, the software is large and expensive, requires tons of training for the admins and end users, and needs a lot of care and feeding. Often a client-based GUI has to be installed and periodically upgraded.
I’ve seen financial software that bundles extra features into Excel; the accountants and finance people then work with spreadsheets, coupled with the added financial package features. Another good example is Visual SourceSafe (VSS) for developers. Few people in the company need VSS, but the software lives on a server and requires a lot of admin maintenance. How about engineering or statistical applications that supply important information to an entire group of engineers? Or legal software on CD that provides case information to lawyers? The list goes on, but the scope of these applications is not enterprise; they’re local in nature and shouldn’t be considered enterprise software.
“Enterprise” can be defined many different ways, not just by number or scope of users. Besides the “volume of use” or “corporate good” definitions here, you could decide that the difference between enterprise and workgroup applications is determined by whether the application serves the whole company (enterprise) or a specific subgroup of the company (workgroup). Mission-criticality could be your criterion for “enterpriseness.” Even Microsoft uses the term loosely!
Client/Server vs. Web-Based
A second distinction, independent of the scope of the application, is the way that the application is distributed across the environment. Do you have a client/server application or a web-based application? Let’s start by differentiating the various client/server iterations, so you can get a feel for how complicated an application’s distribution can be:

2-Tier Client/Server A 2-tier client/server application typically means that a client software piece is installed on several computers and this client component talks to the server. A database is usually involved. Exchange Server is a good example of 2-tier client/server. It includes a set of centralized databases (that are replicated to other servers, but that’s a different story) and clients such as an Exchange client, the Outlook client, or Outlook Web Access (OWA). Clients can be homegrown with tools such as PowerBuilder or Visual Basic, or they can come with the application (as in the case of Exchange Server). Figure 4.1 illustrates a typical 2-tier client/server model.

FIGURE 4.1 A 2-tier client/server model (Client, Server)
The client may have some serious client-side “brains” and help offload the server from part of its work. Maybe the client requests a rowset from a SQL server, then brings the result set back and performs some modeling on it. Other clients are only moderately smart, while some are completely stupid.
3-Tier Client/Server Suppose that you have a database living on a Unix server, and you want to get at it with your Windows NT Workstation client. How can you do that? A third piece called middleware is introduced into this client/server picture; middleware in a predominantly Windows environment usually resides on a Windows NT computer. The user makes a request to the middleware box, which in turn passes the request on to the Unix host, and then sends the result set back to the user. These three components make up a 3-tier client/server model, as illustrated in Figure 4.2.
In the Windows NT and Windows 2000 worlds, Gateway Services for NetWare is a great example of middleware. Conversely, Client Services for NetWare is simply a client, thus fitting into the 2-tier model.
You don’t always have a client talking to NT middleware that then talks to Unix. You might find hundreds of different variations on a theme, but the point is that there are three players in the application system. The client component that the user uses can be homegrown (with Visual Basic, PowerBuilder, Oracle tools, Delphi, and others) or a client that actually comes with the application.

FIGURE 4.2 A 3-tier client/server model (Client, Server 1 Middleware, Server 2 Database)

Three-tier client/server implies that there is some sort of preprocessing, if you will, going on at Server 1. The client requests a recordset from the database server. The request is passed to Server 1, where the middleware formulates a request and passes it to Server 2. Server 2 gets the appropriate result set, passes it back to Server 1, and Server 1 then in turn passes it to the client. There are bandwidth and coding concerns involved in 3-tier systems that can be more serious than with 2-tier ones.
n-Tier Client/Server The phrase n-tier client/server is given to systems, like the one shown in Figure 4.3, with much more complicated levels than standard 2-tier or 3-tier systems. Suppose an interactive voice response (IVR) system comprises a 24-port T1 telephony card, a database repository on an NT server, a Unix flat file that is periodically downloaded to the database, and a client component that communicates with the system. Here you have deeper “granularity” than a simple 2-tier or 3-tier system; in fact, you could theoretically have a system that goes many levels deep. This is why it’s called n-tier, because the design dictates how many tiers deep you go. Databases that replicate and consolidate with other databases might also qualify as n-tier systems. n-tier systems are highly complicated and require careful attention by server and application admins and DBAs.

FIGURE 4.3 An n-tier client/server model (Client, Server 1 Middleware, Server 2 Database, Server 3 Database, Server 4 Images database)

n-tier client/server computing has n levels of complexity associated with it. In this example, the client requests a recordset from the servers. Server 1 passes the request to Server 2 and Server 3, because the recordset requested is obtained from two different tables living in two separate databases on two different servers. Server 2 also has to provide an image, so it makes a request for the image from Server 4. The entire result set is then sent back to the client. This could potentially be quite a bandwidth- and processing-intensive scenario, as you might imagine.
Thin-Client/Server Thin-client computing is truly client/server computing, called “thin” because very little processing goes on at the client level and much processing takes place at the server. Thin clients access server applications via a web browser, the best example being access to an Exchange Server for e-mail. When you access an Exchange Server via OWA, you’re accessing a database and using a browser to read it. You’re not truly out on the Internet or even the intranet; you’re using the browser software’s limited skill for a different purpose. Terminal Services also employs thin-client technology. Relying on the power of the server is what a thin client is all about. A thin-client/ server system looks just like Figure 4.2, but instead of a GUI-based client you hit the application with a browser.
You can purchase thin-client computers, pizza-box-sized computers that don’t have a hard drive but do have RAM, a CPU, and the ability to boot the network via BootP (or, alternately, via PXE in the Windows 2000 world). These computers are touted as low cost, and users can’t corrupt them by installing files that shouldn’t be there.
Web-Based Web-based applications also rely on a browser, but their functionality rises entirely from coding paradigms that center on the Web, things like ASP, HTML, XML, Java, and VBScript. When you use a browser to access an intranet application that talks to a database, you’re using 3-tier client/server (because your browser requests a row from a database and the web application on the server carries out the request and brings back the result set), but you’re working in a strictly web-based environment.
Application Clients
When dealing with client/server applications, there are two questions that the Windows 2000 network designers need to keep in mind. The first question is: What client are the users using? Is it a homegrown application that was developed using software like Delphi, Visual Basic, or PowerBuilder, or was it developed with something else? Homegrown client components can be scary from a design perspective because you don’t know whether the client will continue to cooperate in the upgraded environment. If the programming staff in your client/server shop has developed some custom front ends, it’s a really good idea to test the client accessing the databases on a Windows 2000 server to make sure things will continue normally. I’d also test the client on a Windows 2000 Professional workstation, just to make sure that it can play in that sandbox as the time arrives to upgrade the user machines. With off-the-shelf client software, you have a little bit better opportunity to find out what sorts of compatibility issues you’ll run into. The company that wrote the software should be able to give you a good idea of the client component’s capability of working with Windows 2000, and I’d definitely check this out before the project went too far.

The second question is: Will the server software itself behave in the Windows 2000 environment? Some cases may be a slam dunk; others may be complicated. Suppose, for example, that you have some middleware that you need to use to talk to a Unix database. It works just fine on NT, but when you port it to Windows 2000 for testing, it breaks. What’s the deal? This could be a long, arduous, tricky road. What about Microsoft SQL Server 7? If you’re using it for your current databases, will you run into difficulties if you migrate the databases to a Windows 2000 box? Presumably you won’t, but it’s worth testing anyway.
BackOffice and Off-the-Shelf Server Applications
Some applications are designed to run in a heavy enterprise environment. All of the Microsoft BackOffice suite is, of course, built that way. But there are many other server software programs that reside on NT boxes and provide large user support for a specific function. It’s important to identify these applications and then check with the vendor to make sure they’re going to be able to keep up with the Windows 2000 environment. Test these applications before things get too far down the road just to make sure everything will work.

When working out your Windows 2000 design on paper, a big part of the activity that you’ll perform is describing all of the different applications that are installed on servers throughout your enterprise. You need to determine type and scope of each application, its use in the company, and whether it’s going to cooperate with Windows 2000. You’ll probably need to do some testing on the application in a Windows 2000 environment (something that might be much harder to set up than you first imagine) to make sure it’s going to be OK with the change.

One last component of this kind of thinking has to do with parallel processing. It’s practically—if not completely—impossible for you to have a small body of users hitting one production database that’s in the Windows 2000 environment and have another body hitting a copy of the same database in NT. You’re asking for trouble if you consider allowing parallel user processing and somehow consolidating the databases after they’ve gone home or even after you’ve finished a piecemeal upgrade. It’s a lot safer to extensively test the deployment first and then plan a cutover date when the old application or database is locked out from users and the new one goes live.
Evaluating the Current Network Environment
Chapter 3 talked a lot about evaluating your network, but now it’s time to do a finer analysis. If you’re not the internetworking and/or infrastructure keeper of the knowledge, that person’s going to have to be available when you begin this undertaking.
Microsoft Exam Objective
Analyze the impact of infrastructure design on the existing and planned technical environment.
Analyze network infrastructure, protocols, and hosts.
There are three separate issues you need to concern yourself with: infrastructure, protocols, and hosts.
Evaluating Your Infrastructure
The infrastructure is the way that the various buildings your company occupies are wired, the health of the various switch closets, the backbone that connects the switch closets, and the switches, hubs, and routers that build the switching matrix of each building. When designing Windows 2000 for your company, select a building for examination. Take a walk through the building, getting a feel for where the wiring closets are and how they’re wired. Are the patch panels old? What about the terminations into those patch panels? How about the connectivity between the switch closets? Is it fiber-optic or copper? Cat3 or Cat5? Are you running a totally switched environment—one where you have no hubs whatsoever in any part of the building—or do you still have some hubs you have to replace? Worse, are you still completely on hubs? How about your switch layout? Do you have one or two core switches that the closet switches hook into, or is everything running off of closet switches? Figure 4.4 shows three wiring closets, two of which are “user closets,” where users connect from their office to the switches in the closet. Data travels the backbone to the core switch and then to the servers.

FIGURE 4.4 A typical network infrastructure model (clients, patch panels, closet switches, fiber-optic backbone, core switch, server)
Closet Switches
Closet switches usually have a high number of ports. Users connect to the ports on the closet switches via a jumper cable that runs from the patch panel node corresponding to the user’s wall plate to a port on the closet switch. The closet switches have one (or more) cables that connect to special ports on the patch panel. The patch panels connect to one another via Ethernet or fiber-optic cable. You can have redundant runs of either. The core switch has one (or more) connections going into the patch panel as well. Servers often hook to a port on the core switch for higher speed. Cat5 wiring throughout is required for 100Base-T or 1000Base-T (gigabit) speeds. Fiber-optic cable is a much better choice for backbone connections. In gigabit backbone environments, servers can feasibly connect to the core switches via gigabit network cards.

Older networks that started out as Cat3 and have steadily gone through wiring upgrades to Cat5 are the ones you need to worry the most about, in terms of assuring yourself that the network is healthy and happy. For a client computer to obtain satisfactory 100Base-T service to the desktop, the following is required:
The connecting cable from the computer’s NIC to the wall jack has to be Cat5.
The wiring from the jack in the user’s office to the patch panel has to be Cat5.
The patch cable from the patch panel to the switch has to be Cat5.
All of the planets have to align. It’s scary to think about older buildings that have a bizarre mixture of dark coax, in-use Cat3, and some Cat5. The whole wiring plant has to be up on Cat5 for 100Base-T or Gigabit Ethernet. You can get switches to talk to each other via either Cat5 or fiber-optic cabling, but fiber-optic cabling is greatly preferred. You must have special cards in each of the switches to accept a fiber input (there are two different types of fiber connectors: type SC and type ST) and they’re more expensive, but when the company you hire runs the fiber, they add extra pairs within the cable so that you have a fallback in the event that the pair you’re on fails. That’s good fault tolerance, and it’s better than having a dark, spare Ethernet cable running through the ceiling. It’s very plug-and-play because your fiber-optic installer will terminate the other fiber pairs in the fiber patch panel, and picking up the entire network is as easy as swinging the connectors from the dead patch panel terminator to the spare on both sides of the house. Very cool from a fault-tolerance perspective. If you have switches that support multiple fiber connections, you could even run a redundant link across the backbone and protect yourself from any downtime whatsoever (provided both cables don’t fail at once).

Infrastructures can be complicated. You have to watch the connections at the patch panel terminators to make sure they’re professionally installed. You want to run plenum Cat5 through ceilings. Don’t run the wire parallel to any lights or up chases with phone lines (crosstalk occurs in both cases), only across lights. You should always outsource your fiber-optic cable installations, and I recommend that you outsource all cable installations. Your cable plant is your lifeblood, so have an expert build it. The switches you pick need to come from reputable vendors and should be periodically replaced with newer technology. Just like computers, your switch gear needs to be on a three-year replacement plan.

Why switches instead of hubs? Because hubs are dumb, passive devices that simply relay packets. They have no intelligence whatsoever. Switches have a CPU in them that manages the bandwidth, and they’re a godsend for networks. They’re an order of magnitude more expensive than hubs, but they’re worth every penny. Generally, you price switches by the port cost. You add up your users, servers, printers, and other peripherals, and that’s how many ports you need (called port density). You should buy enough switches to service your current needs as well as expansion. Just like servers, you don’t want to go with clone switches; go with tier 1 vendors (3Com, Intel, Cisco, etc.).

Routers are an entire science unto themselves. Would you like chassis-based or stand-alone? Do you need to do wire-speed routing (on a layer 3 card in a switch chassis), or are you happy with standard 10Base-T throughput? What vendor should you use? What WAN protocols does the thing need to know? What LAN protocols should it pass? The list goes on and on. Are you a CCNA or CCIE? No?
You might want to consider outsourcing your router purchase, configuration, and maintenance. Keep in mind that contractors offering router configuration services might not be much further ahead of the curve technically than you are, so shop around for somebody who has solid credentials.

While we’re on the subject of infrastructure hardware, I recommend that you consider hardware-based firewalls. The Cisco PIX firewall is a great example and is in use all over the world. Wire-speed firewalls give you the comfort of firmware-based protection, knowing that you won’t have a Dr. Watson or some other problem. Certainly, hardware breaks, but hardware firewalls are considerably harder to crack and faster than software firewalls.
Pay attention to your infrastructure (the cable plant, switches, routers, and patch panels), and it’ll take care of you. Go bottom dollar, and you’ll rue the day you put the cheap gear in production.
Evaluating Protocols Four major categories of protocols you will commonly deal with are as follows:
LAN protocols (used on the network itself)
WAN protocols (used by the routers and frame relay gear to get your packets to outlying destinations)
Communication protocols (used by modems)
Specialized protocols
By and large, you probably won’t mess around too much with the WAN protocols. Routers convert most LAN protocols into packets that the WAN can understand, so you don’t have many concerns there. One thing you will have to consider is networks with older protocols still hanging around. For example, suppose you had a Banyan VINES deployment at one time, and you’ve still got a couple of legacy VINES boxes being used by outlying employees. But you want to upgrade the router. Guess what? Either you will not be able to host the VINES protocol over the new router, or you’ll have to pay some hefty cash to have support for VINES included. And that includes VINES TCP/IP, a proprietary TCP/IP implementation that works only with VINES and that routers still don’t understand without add-on software. So you either stick with the old stodgy 10Base-T router, or you figure out a way to bag the VINES servers once and for all. It’s a tough call that network designers have to make and develop a project plan for.

But what about LAN protocols? Now that you’re in the thick of planning a Windows 2000 rollout, the best thing you can do is migrate toward a straight TCP/IP environment. Windows 2000 can deal with many legacy protocols, but they require drivers provided by the company requiring the protocol. VINES is one famous legacy example: Windows 2000 does not provide native support for VINES, but if VINES were to provide Windows 2000 support then you wouldn’t have a problem. The implication isn’t that Windows 2000 will only support a handful of protocols; it’s rather that a handful of protocols are the ones that occupy the vast majority of the computing world. Exotic protocols require third-party support. You might be able to hook up with your vendor for protocols that are specific to legacy applications or peripherals. But if the application can also use TCP/IP (and most can), then why complicate things? Of course, some legacy applications have to stay around—some forever. That’s life, but all in all, now is the time to jettison all unsupported protocols and go with a flat TCP/IP stack on your network. It’s up to you to ascertain which protocols are on the LAN side of the house and make plans to get rid of unsupported protocols. This may involve a server-to-server visit, just to find out what’s on each computer and thus what’s running on the LAN.
LAN Protocols NetBEUI is still supported, but is outdated. Sure, it was fast and required no configuration, but it wasn’t routable. IPX/SPX is also supported, for backward compatibility to legacy NetWare boxes. NetWare went straight TCP/IP a few years back, and they’ve never gone back to IPX. But there are scads of old NetWare 3.11 boxes still hanging around, running only IPX and with users needing to access them. You’ll use IPX/SPX in a legacy NetWare environment, but only long enough to convert the NetWare boxes to TCP/IP (or to Windows 2000). Windows 2000 supports the IPX/SPX protocol with the Microsoft implementation of IPX/SPX, a protocol called NWLink. An AppleTalk network integration is included for continued support of Macintosh clients. Both Intel-based and Apple clients can share files and printers using this feature.
Communication Protocols The Point-to-Point Tunneling Protocol (PPTP) is supported in Windows 2000. Its single purpose is to assist with the nailing up of virtual private networks (VPNs). PPTP has been around the Microsoft camp for several years now and works well, although its encryption (MPPE) is Microsoft’s own and its keys are derived from the user’s password, so weak passwords mean weak tunnels. A second VPN protocol, newer than PPTP, is the Layer 2 Tunneling Protocol (L2TP). It too is used for VPNs, but L2TP itself provides no encryption; in Windows 2000 it is paired with IPSec, an open standard, rather than with a vendor-specific scheme. Microsoft expects L2TP to wind up being the industry VPN standard. RADIUS is a different animal. It is not a tunneling protocol but an authentication, authorization, and accounting protocol. It is predominantly used when dial-up users connect to a third-party RAS server device, which hands their credentials off to a RADIUS server for validation, and ISPs also use it to authenticate tunneled network users. PPTP and L2TP use the tunneling method. What this means is that the user’s packets are wrapped inside IP packets as they fly along the Internet. At the place where they knock on the door of the network, the user is authenticated (a job RADIUS can do), the packets are unbundled, and the data is read.
Specialized Protocols Simple Network Management Protocol (SNMP) is still supported in Windows 2000. With this protocol, your network-monitoring software such as HP OpenView can poll network gear for information and receive the traps that equipment sends when something changes. Keep in mind that SNMP versions 1 and 2c authenticate with a community string that travels in cleartext, so an agent left at its default community name is an open book to anyone on the wire. The DLC protocol is also included for backward compatibility with DLC connections to shared printers (older HP JetDirect cards, for instance). There are other specialized protocols such as the infrared-device protocols IrDA-FIR and IrDA-SIR, but for the most part, the protocols in this section are the ones you’ll be using most often.
Evaluating Hosts The word “hosts” is a TCP/IP word. Whenever anyone says the word “host,” you generally think of “computer.” Technically, anything with an IP address is a host. However, host most often refers to a node (server, workstation, printer, etc.) on the network. That’s why the old Unix file that maps host names to IP addresses is called hosts; it lists the hosts on your network. Although the hosts file was great, it’s antiquated. You need to assess the kinds of hosts you have on the network. This is done by finding out what operating systems are loaded on your computers. Linux is growing steadily in popularity. Do you have Linux hosts operating in your environment? If you do, then they’re probably going to make LPR print calls to your shared NT printers. They’ll also probably mount NFS volumes (Unix’s way of sharing out files for access by others), and you’ll find that you can map to these NFS volumes and grab data, provided they’re set up accordingly. Linux hosts that use StarOffice and whose users don’t have a regular Windows 9x or NT box with which to run Office will probably run into file-sharing issues with others on the network that need to see their documents. Do you have Macintosh hosts? These users have very unique requirements, but Windows 2000 has provided accessibility (just as Windows NT did) so that your Mac users can access files and printers just like your Windows users do.
Microsoft does not provide any support for IBM’s OS/2. However, IBM is planning on releasing their Primary Logon Client 4.4 for Windows NT and Windows 2000 sometime in 2001. But even when this software product becomes available, it’s not likely to be tested. A better Microsoft answer would be to upgrade the OS/2 machines to Windows 2000 Professional.
Old-time mainframers call the mainframe itself “the host.” A mainframe is considered a host, just like any other computer on the network. How do your users currently connect to the mainframe? If they’re using some kind of 3270 or 5250 emulation software, be sure you check to make sure it’s going to live on in the Windows 2000 world. Since everything’s done through TCP/ IP these days, the issue isn’t nearly as complicated as it sounds. It’s just a matter of making sure the GUI works in the Windows 2000 world like it did in the NT or 9x world. What about other hosts that have proprietary protocols associated with them, such as the VINES hosts talked about earlier? Unless they can speak native, nonproprietary TCP/IP, the chances are the company that developed them will have to write software that makes them compatible with Windows 2000. And that’s always dicey, because you really don’t want other exotic protocols loaded on your systems—you want native TCP/IP and only TCP/IP. The astute Windows 2000 designer would take this opportunity to find replacements for those old software components that aren’t dancing at the same disco as Windows 2000.
The New Administrator’s Position You’ve been hired by a small startup company to administer their network. The company is a small software-development company that’s very high-tech. You’re expecting to see really great infrastructure when you arrive at your first day on the job, but you’re disappointed to find cables sticking out of the RJ-45 connectors, poorly terminated patch panels, old-fashioned hubs, and a variety of other problems throughout the office. The majority of the wiring is Cat3, with Cat5 between the two switch closets.
You’re told on your first day’s orientation that the company would like to migrate as quickly as possible to Windows 2000. You wonder how they’re getting any computing done at all on their seven Windows NT 4 servers, based upon the incredibly poor infrastructure! You meet with your boss, the CFO, and explain that the wiring plant is in incredibly decrepit shape. You want to replace all of the Cat3 wiring with Cat5. Next you want to add a fiber-optic run on the backbone but keep the existing Cat5 for backup purposes. You want to get rid of the hubs and purchase enough switches for all 100 users on the net, about five switches. (No core switches are needed.) This will bring the desktops up to 100Base-TX, with gigabit possible over the fiber backbone. Then, and only then, do you want to go forward with the Windows 2000 rollout, and that will only happen after you’ve assessed the servers, the network’s protocols, and all of the other pertinent discovery items. You tell the CFO the cost of the cable plant rewire is about $18,000, and the switches will cost around $10,000. Project total costs will be around $28,000–30,000 and will take about two weeks to complete. You can install the switches, but you’ll outsource the wiring updates.
Assessing Network Services
The purpose of this section is to talk about services, consisting of either software or hardware, that come to the aid of the network in order to formulate a stronger, better-functioning system. Let’s discuss some of the various network services categories.
Microsoft Exam Objective
Analyze the impact of infrastructure design on the existing and planned technical environment.
Evaluate network services.
Network Monitoring Network-monitoring services typically consist of network-monitoring software coupled with a computer that’s designated to handle only the influx of SNMP and remote network monitoring (RMON) traffic from the LAN. The combination of the network-monitoring software and hardware is called a network management system (NMS). Some companies have many NMS computers housed in one area, strictly for the purpose of monitoring their huge networks. Sound pretty dull? Oh yeah, like watching paint dry. Is it necessary? You bet it is. A room full of NMS computers in one location is called a network operations center (NOC). Network devices report their status to the NMS via SNMP: the NMS polls the devices for values, and the devices send traps when something happens. Management information bases (MIBs) loaded on the NMS describe what each reported value means, so the software can decode and present the freshly reported data. Because the NMS holds the community strings for every device it manages, it is a high-value target and belongs on a protected management segment. The most common NMS software around the world is HP OpenView or CA Unicenter TNG, though there are others.
Metrics Monitoring The concept of metrics focuses on determining how much uptime the servers have actually delivered. There are two methods of determining uptime, at opposite ends of the scale. You could opt to manually keep track of every time a server went down, how long it was down, and what the cause of the outage was. It would be easy to keep track of this kind of thing in a spreadsheet. Then, at the end of the month, you could tally up the amount of time that a server was down in, say, minutes and then calculate that downtime as a percentage of the whole month. For example, suppose that you had a server that went down for 15 minutes in the month of April. Since there are 30 days in April and 1,440 minutes per day, there were 43,200 minutes in that month. Take 15 / 43200 and you come up with roughly 0.00035. Now multiply by 100, and you get the downtime as a percent: 0.035. Subtract this number from 100 and you get 99.965 percent uptime, quite remarkable for a server!
Industry standards vary, but there are two benchmarks you’ll hear when people talk about uptime statistics: 4-nines means 99.99% uptime, and 5-nines means 99.999% uptime. You probably won't be able to achieve 5-nines uptime (though phone companies do) and probably not even 4-nines. More than likely, you'll be in the 99.8% to 99.9% range. At 99.99% uptime, you have about 53 minutes of downtime per year, and unless you define uptime to exclude planned maintenance, a single service-pack reboot eats a good part of that budget. Think about that number for a minute, and then decide whether you can realistically keep servers up for that kind of time. Purchasing high-quality equipment that’s on the Microsoft hardware compatibility list (HCL) and keeping only one application on a server are good ways to increase uptime, but it’s still difficult to hit even 3-nines.
The number of outages that occur on a specific server can be quite revealing information as well. If you know, for example, that a server was down four times in one month, you might find out that an application had been recently loaded on the server and that this was the cause for all the outages. What you’d do to correct that problem is another story, but at least you think you have a handle on what’s causing all the outages. A more elegant solution is software that handles metrics monitoring. NetIQ, BMC Patrol, and ManageX are all designed to give you excellent granularity in terms of watching critical servers and services, handling problems with them, and alerting you of the issues.
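Here is the spreadsheet method described above carried out in code, as an added example that is not from the book. It reads a constructed outage log (the four records are made up for the example), clips each outage to the month being reported so that an outage straddling midnight on the first is charged only for the minutes that actually fell inside the month, and reports per-server downtime, outage count and availability, along with the downtime budget that N nines buys you over a year.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log, one outage per line: server,start,end,cause (ISO-8601 local times).
# These records are made up for the example; yours would come from the tracking sheet.
OUTAGE_LOG = """\
FS01,2001-04-03T02:10,2001-04-03T02:25,unplanned reboot after driver install
FS01,2001-04-17T22:00,2001-04-17T22:40,monthly service pack
SQL01,2001-03-31T23:50,2001-04-01T00:20,RAID controller failover
SQL01,2001-04-09T14:05,2001-04-09T14:09,service hang
"""


@dataclass
class Outage:
    server: str
    start: datetime
    end: datetime
    cause: str


def parse_log(text: str) -> List[Outage]:
    outages = []
    for line in text.splitlines():
        if not line.strip():
            continue
        server, start, end, cause = line.split(",", 3)
        outages.append(Outage(server, datetime.fromisoformat(start),
                              datetime.fromisoformat(end), cause))
    return outages


def month_window(year: int, month: int) -> Tuple[datetime, datetime]:
    """[first instant of the month, first instant of the next month)."""
    start = datetime(year, month, 1)
    end = datetime(year + (month == 12), month % 12 + 1, 1)
    return start, end


def downtime_in_window(outage: Outage, w_start: datetime, w_end: datetime) -> timedelta:
    # Clip the outage to the window: only the minutes inside this month count.
    start = max(outage.start, w_start)
    end = min(outage.end, w_end)
    return max(end - start, timedelta(0))


def uptime_pct(down_minutes: float, total_minutes: float) -> float:
    """The book's arithmetic: downtime as a percentage, subtracted from 100."""
    return 100 - 100 * down_minutes / total_minutes


def availability(outages: List[Outage], year: int, month: int) -> Dict[str, dict]:
    """Per-server downtime minutes, outage count and availability for one month."""
    w_start, w_end = month_window(year, month)
    total_minutes = (w_end - w_start).total_seconds() / 60
    report: Dict[str, dict] = {}
    for o in outages:
        down = downtime_in_window(o, w_start, w_end)
        if down == timedelta(0):
            continue  # outage lies entirely outside the month
        entry = report.setdefault(o.server, {"down_minutes": 0.0, "outages": 0})
        entry["down_minutes"] += down.total_seconds() / 60
        entry["outages"] += 1
    for entry in report.values():
        entry["availability_pct"] = uptime_pct(entry["down_minutes"], total_minutes)
    return report


def downtime_budget_minutes(nines: int, days: int = 365) -> float:
    """Minutes of downtime allowed per period at N nines (4 -> 99.99%)."""
    return days * 24 * 60 * 10 ** -nines


if __name__ == "__main__":
    for server, stats in availability(parse_log(OUTAGE_LOG), 2001, 4).items():
        print(f"{server}: {stats['outages']} outages, {stats['down_minutes']:.0f} min down, "
              f"{stats['availability_pct']:.3f}% available")
    print(f"4-nines budget: {downtime_budget_minutes(4):.1f} minutes per year")
```

Run for April 2001 against the sample, FS01 shows 55 minutes down over two outages (about 99.87 percent), and SQL01 shows 24 minutes rather than 30, because ten of its RAID failover minutes belonged to March. The budget function returns the 53 minutes per year the text quotes for 4-nines.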
TCP/IP Services TCP/IP services include DHCP, WINS, LDAP, and DNS. The most interesting of these are DHCP and DNS. In legacy environments where DNS servers are already running and handling things nicely, you might have a really hard time convincing people that you think DNS should move to Windows 2000. However, Windows 2000 DNS does have some nice features, which are discussed later in this book. Lucent Technologies offers a replacement DNS/DHCP/WINS application called QIP, which lives on servers and takes the place of regular NT services. It shows the kind of thought that people have put into TCP/IP services. Some switch and router gear can host TCP/IP services. Again, it’s not feasible to let the switches do your DNS work: Active Directory depends on DNS that supports SRV records and, ideally, dynamic updates, and a DNS server that carries your domain needs to be a managed, secured server rather than a side job for a switch. Windows 2000 DNS gives you that, and with Active Directory-integrated zones it also lets you restrict dynamic updates to authenticated computers, so a stray host cannot overwrite the records your domain controllers depend on.
Security Monitoring Security monitoring, in my mind, has to do with the alerting that goes on with proxy and firewall servers. Recently, for example, there was a rash of attacks on web servers. These attacks are called SYN attacks (short for synchronization), after the SYN packet a host sends when it requests a connection to another host (typically a server). The server answers each SYN with a SYN-ACK and holds a half-open connection in its backlog, waiting for the final ACK that completes the handshake. If the hacker can barrage the server with enough bogus SYN requests, usually from spoofed source addresses so that the SYN-ACKs go nowhere and the handshakes never complete, the backlog fills up and the server starts refusing legitimate connections. A firewall product would be expected to alert the administrator that some sort of attack was transpiring. Moreover, good firewall software should have some method of ascertaining when it’s being hit by a SYN attack and dismantle the attack before it craters the network. On the server itself, a pile of connections sitting in the SYN_RECEIVED state from many unrelated addresses (visible with netstat -an) is the telltale sign.
Another famous type of attack, one that had basically the same effect on servers a few years ago, was the ICMP (or ping) attack. Here you simply ping the host over and over again, hundreds of thousands of times. The poor computer is so busy answering pings, and its link so saturated by them, that it cannot do anything else. Very clever, very easy, and terribly disruptive. The same kinds of security-checking features apply with the ICMP attacks as with SYN attacks. The firewall should be able to monitor for ICMP attacks and then proactively shut them down. Some companies don’t respond to a ping because of the potential for this kind of attack. Their ICMP-defense software simply keeps anyone from being able to ping the box in the first place. Be precise about what you block, though: dropping echo requests is one thing, but dropping all ICMP also discards the messages routers use to report unreachable destinations and fragmentation problems, and that breaks connectivity in ways that are hard to troubleshoot.
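As an added example (not from the book), here is what looking for both attacks from the server and firewall side comes down to in code. The netstat output and the firewall log lines are constructed for the example, and the firewall log format is hypothetical, so adjust the regular expression to whatever your product writes. The SYN check parses Windows netstat -an output and counts, per listening socket, how many connections are stuck in SYN_RECEIVED and from how many distinct addresses; a deep backlog spread across almost as many sources as connections is the signature of a spoofed flood. The ICMP check finds the peak number of echo requests any one source sent inside a one-second sliding window. The thresholds are illustrative starting points, not tuned values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed `netstat -an` output from a Windows web server under a spoofed SYN flood.
# The layout is Windows netstat's; the addresses and the flood are made up for the example.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        192.168.1.55:1093      ESTABLISHED
  TCP    192.168.1.10:139       192.168.1.23:1041      ESTABLISHED
  UDP    0.0.0.0:161            *:*
""" + "".join(
    f"  TCP    192.168.1.10:80        10.{i}.{(i * 7) % 256}.{(i * 13) % 256}:{1024 + i}   SYN_RECEIVED\n"
    for i in range(1, 61)   # 60 half-open connections from 60 different (spoofed) sources
)

NETSTAT_TCP = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def assess_syn_backlog(netstat_text: str, half_open_threshold: int = 50,
                       spoof_ratio: float = 0.8) -> Dict[str, dict]:
    """Per local socket: established vs half-open (SYN_RECEIVED) connections and the
    number of distinct remote addresses behind the half-open ones."""
    report: Dict[str, dict] = {}
    for line in netstat_text.splitlines():
        m = NETSTAT_TCP.match(line)
        if not m:
            continue  # header, UDP, or blank line
        local_ip, local_port, remote_ip, _remote_port, state = m.groups()
        entry = report.setdefault(f"{local_ip}:{local_port}",
                                  {"established": 0, "half_open": 0, "sources": set()})
        if state == "ESTABLISHED":
            entry["established"] += 1
        elif state == "SYN_RECEIVED":
            entry["half_open"] += 1
            entry["sources"].add(remote_ip)
    for entry in report.values():
        entry["distinct_sources"] = len(entry.pop("sources"))
        # Deep backlog AND nearly one source per connection: legitimate bursts reuse sources.
        entry["suspected_flood"] = (
            entry["half_open"] >= half_open_threshold
            and entry["distinct_sources"] >= spoof_ratio * entry["half_open"]
        )
    return report


# Constructed firewall log lines in a hypothetical "date time ICMP echo-request src -> dst"
# format. One source fires 250 echo requests within one second; a workstation pings normally.
ICMP_SAMPLE: List[str] = (
    ["2001-04-09 14:05:01 ICMP echo-request 203.0.113.9 -> 192.168.1.10"] * 250
    + [f"2001-04-09 14:05:0{s} ICMP echo-request 192.168.1.55 -> 192.168.1.10" for s in (1, 2, 3)]
)

ICMP_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ICMP echo-request (\S+) -> (\S+)$")


def peak_echo_rate(lines: List[str], window: timedelta = timedelta(seconds=1)) -> Dict[str, int]:
    """Highest count of echo requests any single source sent inside one sliding window."""
    by_src: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        m = ICMP_LINE.match(line.strip())
        if m:
            by_src[m.group(2)].append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    peaks: Dict[str, int] = {}
    for src, times in by_src.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] >= window:   # drop requests that fell out of the window
                lo += 1
            peak = max(peak, hi - lo + 1)
        peaks[src] = peak
    return peaks


def icmp_flood_sources(lines: List[str], per_second_threshold: int = 100) -> List[str]:
    """Sources whose peak one-second echo rate exceeds the (illustrative) threshold."""
    return sorted(src for src, peak in peak_echo_rate(lines).items() if peak > per_second_threshold)


if __name__ == "__main__":
    for sock, stats in assess_syn_backlog(NETSTAT_SAMPLE).items():
        if stats["suspected_flood"]:
            print(f"SYN flood suspected on {sock}: {stats['half_open']} half-open from "
                  f"{stats['distinct_sources']} sources")
    print("ICMP flood sources:", icmp_flood_sources(ICMP_SAMPLE))
```

Against the sample, port 80 shows one real connection and 60 half-open ones from 60 different addresses and is flagged, while the file-sharing socket on 139 is not; the ICMP check names 203.0.113.9 and leaves the workstation that pings once a second alone. In practice you would run the netstat check on a schedule and feed the firewall's own logs to the ICMP check, then tune the thresholds to what your servers see on a normal day.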
Fault-Tolerance Monitoring When you install tools like HP’s TopTools or Compaq’s equivalent, Insight Manager, one of the things you do is monitor the fault-tolerant gear that’s installed in the server. This is fault-tolerance monitoring. For example, HP’s brand of RAID array adapters, NetRAID, responds to faults by alerting the TopTools agents if there is a problem. SNMP could be said to be acting in a fault-tolerance monitoring capacity when it sends out a trap alerting the administrators that a redundant link (a special port on switches that allows you to set up a second, fallback link into them) has gone down. When this happens, of course, the switch represents a single point of failure (SPOF) and needs to be addressed quickly.
Web Monitoring A new kind of monitoring activity that administrators have to be cognizant of is monitoring the company’s web sites, both internal and external. With web sites you’re interested in a variety of things. You’d like to know how many people hit the site on a daily basis and where they “clicked through” to. You want a feel for the performance of your pages, how fast they load and how accurate they are, in terms of whether they generate script errors and so forth. You also would like to capture any visitor information that you can get. Most importantly, you need to keep the sites from being hacked and defaced. A baseline of file checksums, kept somewhere other than the web server itself, is the quickest way to tell a defacement from a legitimate content update. Some of the things that hackers do may sound like they’re pretty funny. As a not-so-good web site developer, I can tell you that there’s a heck of a lot of work that goes into developing even a cheesy little site, and it’s devastating to see somebody else tank all of your hard work.
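Detecting a defacement comes down to knowing what the content is supposed to look like. As an added example that is not from the book, the following takes a SHA-256 snapshot of every file under a web root and compares a later snapshot against it, reporting the files that were added, removed or modified. The demo builds a throwaway web root in a temporary directory (the pages are made up), takes the baseline, then simulates a defacement by rewriting the home page, dropping in a new file and deleting another.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Set


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large images do not land in memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(webroot: Path) -> Dict[str, str]:
    """Map every file under the web root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(webroot).as_posix(): hash_file(p)
        for p in sorted(webroot.rglob("*"))
        if p.is_file()
    }


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Files that appeared, disappeared, or whose content changed since the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": cur_paths - base_paths,
        "removed": base_paths - cur_paths,
        "modified": {p for p in base_paths & cur_paths if baseline[p] != current[p]},
    }


def demo() -> Dict[str, Set[str]]:
    """Build a constructed web root, baseline it, deface it, and report the difference."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        (root / "index.html").write_text("<html><body>Welcome to our site</body></html>")
        (root / "about.html").write_text("<html><body>About us</body></html>")
        (root / "images" / "logo.gif").write_bytes(b"GIF89a\x01\x00\x01\x00")
        baseline = snapshot(root)          # store this off the web server in real life

        # Simulated defacement: home page rewritten, a file dropped in, one page deleted.
        (root / "index.html").write_text("<html><body>0wned</body></html>")
        (root / "images" / "hacked.txt").write_text("we were here")
        (root / "about.html").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {sorted(paths)}")
```

Keep the baseline somewhere the web server cannot write to (a different host, or read-only media); an attacker who can rewrite index.html can also rewrite a baseline stored beside it. Compare content hashes rather than timestamps, since file modification times are trivial to set back, and refresh the baseline as a step in your content publishing procedure so that legitimate updates do not page you in the middle of the night.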
Assessing the TCP/IP Infrastructure
Assessing the TCP/IP infrastructure is probably one of the simpler tasks that you’ll be involved with in your Windows 2000 network design. You need to know where critical servers are and what their names and IP addresses are. You need to know the network IDs and subnet masks in use on the network. You need to know what the router, firewall, and proxy server IP addresses are.
Microsoft Exam Objective
Analyze the impact of infrastructure design on the existing and planned technical environment. Analyze TCP/IP infrastructure.
Here are the kinds of things you’ll be watching out for:
Critical servers are the DNS, DHCP, and WINS servers in the environment. Find out these servers’ names (both NetBIOS and FQDN) and IP addresses and where they’re located. While you’re locating this information, also identify the server scopes: where they are, what they’re composed of, and the various global or scope settings that are applied.
Identify all of the network IDs. Also find out what subnet masks are in use throughout the various parts of your network.
Obtain all of the critical connector server information such as router addresses (typically the network ID with a .1 address—e.g., 10.1.1.1). You’ll also want to know the NetBIOS and FQDN names and the IP addresses of the various proxy servers and firewalls on the network.
Obtain the IP addresses of the printers and the locations of their LPR, DLC, or HP ports.
List the IP addresses and NetBIOS and FQDN names of the servers.
If a BootP server is in use for thin-client workstations that have no hard drive and use BootP to boot off of the network, you need to identify the server names and IP addresses.
Identify any RAS servers, their names, and IP addresses. While identifying these boxes, it’d be a good idea to jot down the phone numbers that are associated with the servers. Treat that list as sensitive: a dial-in number is exactly what an outsider with a war dialer is hoping to find, so it belongs in the design documentation, not on a share everyone can read.
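Once you have gathered the names, addresses and masks called for in the list above, it pays to sanity-check them rather than just filing them. The following is an added example (not from the book) that works from a constructed inventory (the names and addresses are made up) using Python’s ipaddress module: it derives the network ID each host believes it is on from its own address and mask, then flags the classic discovery findings, a duplicate address, a router that is not at the conventional .1, and a host whose mask disagrees with its neighbors. Grouping hosts by the /24 they sit in for the mask comparison is a simplifying assumption made for the example.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Constructed inventory in the shape the checklist asks for: role, NetBIOS name, FQDN, and the
# IP address and mask as configured on each box. Names and addresses are made up for the example.
INVENTORY = [
    {"role": "router",  "name": "RTR1",   "fqdn": "rtr1.corp.example",   "ip": "10.1.1.1",   "mask": "255.255.255.0"},
    {"role": "dns",     "name": "DNS1",   "fqdn": "dns1.corp.example",   "ip": "10.1.1.10",  "mask": "255.255.255.0"},
    {"role": "dhcp",    "name": "DHCP1",  "fqdn": "dhcp1.corp.example",  "ip": "10.1.1.11",  "mask": "255.255.255.0"},
    {"role": "wins",    "name": "WINS1",  "fqdn": "wins1.corp.example",  "ip": "10.1.1.12",  "mask": "255.255.0.0"},    # mask disagrees
    {"role": "router",  "name": "RTR2",   "fqdn": "rtr2.corp.example",   "ip": "10.1.2.254", "mask": "255.255.255.0"},  # not at .1
    {"role": "proxy",   "name": "PROXY1", "fqdn": "proxy1.corp.example", "ip": "10.1.2.20",  "mask": "255.255.255.0"},
    {"role": "printer", "name": "HPLJ1",  "fqdn": "hplj1.corp.example",  "ip": "10.1.1.10",  "mask": "255.255.255.0"},  # duplicate of DNS1
]


def network_ids(inventory: List[dict]) -> Dict[str, List[str]]:
    """Group hosts by the network ID implied by their own address and mask."""
    nets: Dict[str, List[str]] = defaultdict(list)
    for h in inventory:
        iface = ipaddress.ip_interface(f"{h['ip']}/{h['mask']}")
        nets[str(iface.network)].append(h["name"])
    return dict(nets)


def find_problems(inventory: List[dict]) -> List[str]:
    """Duplicate addresses, routers off the .1 convention, and masks that disagree on a /24."""
    problems: List[str] = []
    by_ip: Dict[ipaddress.IPv4Address, List[str]] = defaultdict(list)
    masks_per_net: Dict[ipaddress.IPv4Network, set] = defaultdict(set)
    for h in inventory:
        iface = ipaddress.ip_interface(f"{h['ip']}/{h['mask']}")
        by_ip[iface.ip].append(h["name"])
        # Assumption for the example: hosts in the same /24 ought to agree on their mask.
        masks_per_net[ipaddress.ip_network(f"{iface.ip}/24", strict=False)].add(str(iface.netmask))
        if h["role"] == "router" and iface.ip != iface.network.network_address + 1:
            problems.append(f"{h['name']}: router at {iface.ip}, not the usual .1 of {iface.network}")
    for ip, names in by_ip.items():
        if len(names) > 1:
            problems.append(f"duplicate address {ip}: {', '.join(names)}")
    for net, masks in masks_per_net.items():
        if len(masks) > 1:
            problems.append(f"inconsistent masks on {net}: {', '.join(sorted(masks))}")
    return problems


if __name__ == "__main__":
    for net, names in network_ids(INVENTORY).items():
        print(f"{net}: {', '.join(names)}")
    for problem in find_problems(INVENTORY):
        print("PROBLEM:", problem)
```

Against the sample, WINS1 lands on 10.1.0.0/16 while its neighbors are on 10.1.1.0/24, which is exactly the kind of quiet misconfiguration that makes a box reachable from one side of the router and not the other; the duplicate address between the DNS server and a printer is the sort of thing that produces intermittent name-resolution failures nobody can reproduce. Feed the same structure the DHCP scopes you recorded and you can extend the checks to statically addressed hosts that sit inside a dynamic range.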
For more information on using TCP/IP, go to Chapter 8, “Designing TCP/IP into Your Network.”
Assessing Current Hardware
Depending on the size of your network (and whether or not you have Systems Management Server installed), you might have to spend several weeks getting information about the hardware on your network. You need to diagram several different categories of hardware in order to have a more complete understanding. In larger installations, a complete view might be impossible, but it’s at least possible to ascertain what servers are in the domain. Once you know that, the very least that you should do is to find out what hardware the servers have.
Microsoft Exam Objective
Analyze the impact of infrastructure design on the existing and planned technical environment.
Assess current hardware.
The point of this exercise is to find weak spots on the network that need to be addressed before you go forward with the design and deployment. In terms of budgets, if you’re going to ask for the money for the upgrade, also ask for the hardware upgrade dollars you’re going to need to support this new NOS. When assessing your current hardware, and future hardware needs, here are some areas to concentrate on: Servers are the most critical part. Figure out which servers are on the network. Identify the brand; write down how much RAM is in each, how many CPUs and their speed, the hard disks and their size and remaining space, and whether they have FAT or NTFS partitions. That last item matters for security as much as for the upgrade: a FAT partition has no file-level permissions and no auditing, so anything on it is wide open to anyone who can log on to the box. Plan to convert those partitions before the rollout (convert.exe does it in place, but only in one direction, FAT to NTFS). Note any special peripheral equipment on the box, such as hardware RAID controllers, DAT or DLT tape drives, fax cards, and so forth. Determine whether your servers fit the Windows 2000 hardware guidelines. It might be a good idea to arrange the servers by function, i.e., file, print, application, database, and web.
Identify networked printers by type, manufacturer, and model. If you can obtain the printer’s duty cycle, the number of pages it is rated for monthly, that’s a great piece of information to have on hand. If you know roughly how many pages are printed in a day and you know the printer’s duty cycle, you can very quickly tell whether a printer is overworked and ready for replacement. You should also jot down the amount of RAM the printer has, the driver it’s using, the amount and type (laser or ink) of any cartridges, whether it’s connected by an internal card or an external network box, and the card type (JetDirect, for instance). From the print server, you should also get the IP address and port that the printer is using. Don’t forget specialized printers such as plotters. Ascertain the type of switches and hubs you have on the network. You’re interested in the port density of each switch, the types of ports (fiber, Ethernet, etc.), the types of uplink cards, the brand name, model number, firmware revision level, and how you get into the switch or hub’s user interface to maintain it (telnet, web, etc.). Note that telnet and plain web management send the device password across the wire in cleartext, so record which devices are managed that way and from where; those interfaces should be reachable only from your management segment, and any device still wearing its factory default password goes on the fix-first list. Hubs connected to hubs connected to hubs should make you sit down and do a complete infrastructure redesign, then go into the Windows 2000 design. Document your routers. It is good to know the router’s WAN connectivity, overall throughput speed, model number, and manufacturer. The type of routing protocol it’s using would be good information to jot down as well. For years, Cisco used a proprietary routing protocol that other vendors’ routers, such as 3Com’s, could not speak. This kind of routing protocol information may come in handy at router update time or in the event you decide to do some Windows 2000 routing. Revisit your tape backup systems. Windows 2000 is a much bigger NOS than NT and requires much bigger tape-backup horsepower. Make sure your current backup strategy can handle it.
DLT is practically the only way to go for enterprise backups these days, and the Windows 2000 deployment presents an excellent opportunity for you to make sure backups are adequate for the new network paradigm. Evaluate your RAS servers. Stand-alone devices that provide telecommuting interfaces into your network, such as those made by Shiva, US Robotics, and 3Com, are also going to come into play on the new Windows 2000 network. Write down the model and manufacturer of the RAS server. If the server is using its own database to validate telecommuting users, say so; if it’s using NT authentication, then note that. Either way, find out how the password crosses the phone line: PAP sends it in cleartext, while CHAP and MS-CHAP use a challenge/response, and the remote access policies you design for Windows 2000 will have to accommodate whatever the existing clients can do. You need to know how many ports are on the server, what kinds of modems it is using, the relevant firmware revisions to the box, and the telephone numbers (and if they’re hooked to a hunt group), including toll-free numbers. List miscellaneous devices. There are all kinds of devices that come to mind. For instance, manufacturing lines, sometimes called packout lines, often have specialized computers on them that handle the flow of the line. Test gear, imaging equipment, network scanners, and other exotic peripherals should be listed, along with their manufacturer, model, and a description of what they do.
Identifying Existing and Planned Upgrades and Rollouts
It’s possible that you work for such a large operation you can’t possibly know all the things that are going on from an IT perspective. And yet, Windows 2000 is going to mandate that you somehow get a handle on at least the major undertakings. For example, suppose that you have a development group that’s planning to go forward with a huge computer telephony integration (CTI) application sometime in the next few months. They’ve spent several weeks looking for the ideal product/vendor mix that will provide the application zest and business fit that they’re looking for. Now all of a sudden, you’re going to saunter in and apply a NOS that their system may not work with. In the best case, you’ll be guilty of bad timing. In the worst case, if you try this with a business unit that has a high profile, you could see your upgrade project killed!
Microsoft Exam Objective
Analyze the impact of infrastructure design on the existing and planned technical environment.
Identify existing and planned upgrades and rollouts.
It is crucial that you identify any existing or planned upgrades or rollouts that might be affected by your Windows 2000 plans. Let’s identify the difference between an upgrade and a rollout:
Upgrade An upgrade is something that happens to an already extant system or device—an improvement over a like existing system. If you have 3Com switches in your closets and the network folks are going to go through and apply the latest rev of firmware, that’s an upgrade. If your database people are on Oracle 8 and they’re changing to Oracle 11, that’s an upgrade. An HP 5SI network printer that’s being replaced by an HP 8000 is an upgrade. Rollout Implementing a new hardware device, a new way of doing a business task, or a new software application, is a rollout. Suppose that for years your parts department simply wrote down the parts they worked with on a form. The forms were entered into a spreadsheet that somebody kept track of on a PC. But when too many people needed to see the results of that spreadsheet and there came to be too many parts people, a client/ server system was needed. So developers were brought in and the system was developed (VB over SQL Server, of course). When the developers were ready to go live with the new system, they were said to be in rollout stage. Whenever your company moves ahead with its network, you can categorize the progress as either an upgrade or a rollout. The biggest difference is, if the structure existed before, it’s an upgrade. If this is a new product, it’s a rollout. Perhaps a bigger issue than identifying upgrade vs. rollout is dealing with the network change. If your company has already told you that it plans on making a specific change to the network, like upgrading your DNS servers to Windows 2000, then it’s something you should be aware of and you can plan for. The harder part is planning for future upgrades and rollouts. It’s not likely that you can predict the future; otherwise you would be working as a psychic instead of in the computer field. However, when designing your network, keep in mind how aggressive the company has been historically in upgrading and expanding the network. 
This will give you a good indication of what to expect in the future. Past results do not guarantee future performance, but past results do give you valuable clues.
Analyzing the Technical Support Structure
After you’ve analyzed the equipment and code, it’s time to find out what people and procedures your company uses to maintain all that. Who is going to support all of this equipment and provide a place for developers to display their wares?
Microsoft Exam Objective
Analyze the impact of infrastructure design on the existing and planned technical environment.
Analyze technical support structure.
There are two ways to look at this exam objective, and it’s safe to examine both. You must ask yourself, as you prepare your Windows 2000 upgrade plans, what kind of technical support is in place for the administrators who are going to have to own the system, and for the users who are going to use it? These are two separate technical support domains and require two different assessments and answers.
Network Manager Support What technical support do you and your deployment managers require for the Windows 2000 rollout? Is today’s technical support environment adequate? In other words, how much support do you think you’ll need as you go forward with the rollout and begin to get people used to the new system? You’re undoubtedly going to encounter problems; how ready for those problems are you? How much technical support from Microsoft can you afford? Will you have contractors helping you, and will they agree to provide support for a limited time after deployment? If you’re bringing Windows 2000 into an environment that includes third-party applications, will the vendor support the application on Windows 2000? How much support can you expect? This may be the time to examine the possibility of replacing applications that you’re not happy with and that you know won’t work in the Windows 2000 arena. The answers to the questions in the preceding paragraph may or may not be easy to find. This is where it’s important for you to do some research. Again, it’s hard to predict the future, but past clues can play a large role in planning ahead. As an example, if your company traditionally requires a great deal of outside support, either from Microsoft or from other consultants, the chances are you will continue to do so. One solution would be to implement a new training regimen to go along with your upgrade.
End-User Support The second kind of technical support is the structure that your users expect. Do you have help-desk personnel in place, and if so, are they aware of the changes that are coming their way? Chances are good that if you deploy Windows 2000 correctly, the users won’t notice the change on the servers, but they’ll obviously notice Windows 2000 Professional. That’s what communicating the changes and training are all about: putting your users on a knowledge level where they can use the network the way they used it before the rollout. Considering that end users (as opposed to network personnel) constitute the majority of your employees, this could be a problem area. Many users will feel uncomfortable knowing that you are upgrading the network, whether it affects them much or not. There are a couple of keys to making the end users feel more relaxed when it comes to upgrading their network. First of all, conduct meetings to explain (in general terms) what is happening and provide a forum to answer all of their questions. If they need training to make their new network experience easier, then provide sessions for that as well. Most importantly, make sure your help-desk people are trained about potential new issues and are sensitive to the end users’ concerns.
Analyzing the Current Network Management
Finally, you need to figure out how the network is being managed today and how the Windows 2000 change is anticipated to affect the network managers.
Microsoft Exam Objective
Analyze the impact of infrastructure design on the existing and planned technical environment.
Analyze existing and planned network and systems management.
Depending on the size of your network, you’ll find that network managers fall into several different categories. It’s important to identify the various layers of network management that are involved at your location, who manages what, and the depth of each person’s knowledge when it comes to Windows networks and TCP/IP. A training chart is called for, one that has “Current” and “Windows 2000” as column headers. Write the network manager’s name, the type of management he or she is responsible for, and the level of knowledge currently possessed. Then you can write in the Windows 2000 column how much training is required for this person and how much involvement will probably happen on the new network. Let’s pinpoint some of the kinds of network management tasks that various people might be performing: Backup Managers These people are responsible only for the backup of the network. It’s possible that these are Unix people who happen to also back up the NT network, a very feasible paradigm. Internetwork (Data-Comm) Managers These people are responsible for the routers and WAN connections, though they may not be responsible for the infrastructure. There may be a logical separation of the two camps (internetwork and infrastructure). Infrastructure Managers These people manage the overall infrastructure of the network. They handle the cable plant, the wiring closets, the patch panels, and the hubs and switches. Applications Managers Someone is responsible for the enterprise applications on the network. Often they have one or, at most, two separate applications that they manage. There might be several different applications managers. A really great example of an application that requires specialized management is an IVR system. These people might not know much at all about how Windows NT functions, let alone Windows 2000, and you can rest assured that they probably don’t know much about servers. But the interconnection between the IVR software and telephony, now that’s something they’re keenly aware of. Print Managers In larger companies, believe it or not, there are people who do nothing but handle print queues all day long. If you’ve ever hassled with JetAdmin software over a new printer on the network, you’ll know how challenging this job can be. Database Administrators (DBAs) DBAs set up tables, create namespaces, write stored procedures, perform business analysis on new database systems, and so forth. They’re usually very skilled in terms of the database software and they can be wonderful resources for you.
Generally they have a good understanding of enterprise concepts. NOS Managers Some companies have people who strictly handle the setting up of servers and the installing of the NOS. These people would not be terribly application-aware, but chances are they would be highly aware of the changes coming their way in Windows 2000.
E-mail Managers E-mail systems can grow to be so large and ponderous that dedicated administrators are required. This part of network management would then be relegated to the e-mail managers.

Web Managers For both Internet and intranet sites, dedicated web administrators are sometimes required.

Telephony Systems Managers Telephony systems managers are the rare breed of individual who are responsible for the telephony systems and associated interfaces into the corporate network. Generally, telephony people either have an incredibly up-to-date knowledge of Windows NT, or they don’t know a thing about it. Windows NT 4 was highly CTI-aware, and Windows 2000 is even more so.

Security Managers These folks create and manage user accounts, groups, NTFS permissions, mainframe logons, Internet usage accounts, and so forth.

Software Management In addition to the activities that some of the previously listed human managers perform, you may have software management involved in your network as well. HP OpenView, CA Unicenter, and other management software products can help perform some of the tasks that human managers might be involved in. Systems that help manage the enterprise in this way are called enterprise management systems (EMS). EMS installations are complicated, typically requiring a dedicated person or two in order to manage them.

It’s perfectly reasonable, especially on smaller networks, for one person to occupy many roles. But on larger networks, you might have a “cast of thousands” who all work together for the good of the corporate network. It’s possible that one entity might not even know that another exists. Nevertheless, all of these various management components need to know and be aware of the ramifications of a Windows 2000 network that’s barreling their way.
Summary

This chapter’s goal was to discuss all the ramifications of the infrastructure design on the existing and planned technical environment—with emphasis on technical environment. What you’re really being asked to do here is to take a huge overall look at the network and make determinations about its present and its future. How will the Windows 2000 rollout be affected by the various components, and how will the components be affected by the rollout? A Windows 2000 designer must look at many things when making these kinds of determinations.

This chapter started out by looking at the enterprise applications on the network. You need to discern the difference between an enterprise application and a workgroup application. While both applications are important, the enterprise application obviously has more weight in decisions relative to a Windows 2000 rollout. There are different types of applications as well: client/server, web, and back-office applications are three of the major delineations that can be made.

Next, we discussed the evaluation of the current network environment. This topic includes describing the infrastructure, the protocols in use (Windows 2000–supported protocols are largely unchanged from Windows NT 4, with the exception of the addition of VPN protocols), and hosts. Hosts are nothing more than computers. In computerese, the word “hosts” is a TCP/IP term for any node on the network with an IP address.

We talked about assessing network services, identifying several that need to be looked at when considering a Windows 2000 rollout. Among them were network monitoring, metrics monitoring, various TCP/IP services such as DHCP and DNS, security monitoring, fault-tolerance monitoring, and web monitoring. All are important to the health and well-being of the network.

We then discussed the assessment of the current TCP/IP infrastructure. There are many details to examine here, chief of which is the placement of DNS. Unix-based DNS is no longer the best option in a Windows 2000 world. Some shops have brought in third-party DHCP managers that live on Windows NT servers—this too needs to be examined. The overall network ID, subnet mask, and VLAN characteristics are highly important to the design of the new network.

We also talked about assessing current network hardware: servers, printers, internetworking gear, infrastructure gear, specialized hardware, and RAS servers. You need to identify existing and planned rollouts and upgrades.

We talked about the technical support structure and its two facets: the user component and the network manager component. By far, the network managers will need the most technical support as you go forward with your rollout, but users need to also be aware of the many issues surrounding the rollout.

Finally, we discussed the very relevant topic of how your network is being managed today. Depending on the size of the network, it’s possible that you have a wide variety of manager types, and each network administration function may be performed by separate people, by one person, or by a group.
Exam Essentials

Know what your current network structure is like. You need to know what applications, services, and protocols your network is running.

Know what your TCP/IP infrastructure is. Your network may not even be running TCP/IP at the moment. However, you will need to run TCP/IP with Windows 2000. Know what services are running (DHCP, DNS, WINS) and what services you’ll need after the upgrade.

Know what your current hardware situation is. It’s important to take a hardware inventory. Once your inventory is complete, figure out what hardware is compatible with Windows 2000 and what hardware will need to be upgraded.

Understand your technical support structure. Know who is in charge of managing the network and who is in charge of dealing with end users. They will be critical players in your network upgrade.

Know what the existing and future plans for the network are. Document all existing expansion and upgrade plans for the network. Be aware of potential future upgrades and design the network so that it can easily accommodate future expansion as necessary.
Key Terms

Before you take the exam, be certain you are familiar with the following terms:

2-tier client/server
3-tier client/server
client/server
enterprise application
enterprise management systems (EMS)
host
Layer 2 Tunneling Protocol (L2TP)
network management system (NMS)
n-tier client/server
Point-to-Point Tunneling Protocol (PPTP)
RADIUS
rollout
Simple Network Management Protocol (SNMP)
thin-client
upgrade
workgroup application
Review Questions

1. Your network is running Windows NT 4.0, and you are planning an upgrade to Windows 2000. One of the primary concerns of IT management is a smooth transition for resolving names on the company intranet. Currently you have three Windows NT DNS servers, one primary and two secondary, in one zone. What should your recommended solution be for implementing DNS during the upgrade?
A. Keep the current NT DNS implementation.
B. Install Unix-based DNS servers with at least BIND version 4.9.6.
C. Install Windows 2000 DNS servers.
D. DNS is not required on a Windows 2000 intranetwork.

2. Your Windows NT 4.0 domain has three domain controllers and three member servers. A NetBIOS-based accounting application resides on one of the member servers. You are planning to upgrade all of your servers to Windows 2000 Server and all clients to Windows 2000 Professional. The vendor of the accounting application insists that the program should work fine on Windows 2000, but it has not been thoroughly tested. Based on this scenario, what should your two primary concerns be as the upgrade progresses?
A. Sufficient hardware in the servers to run Windows 2000
B. Application compatibility with Windows 2000
C. The availability of DNS services after the upgrade
D. The availability of WINS services after the upgrade
3. You are analyzing your current 200-node Windows NT 4.0 domain for a Windows 2000 upgrade. Every workstation on the network has a copy of Microsoft Office installed. Many users on your network use multiple applications in the Office suite, but some users simply use Excel, and others just use Word. When you perform the upgrade to Windows 2000, you are planning on keeping Office. Based on this scenario, what type of scope is this application suite said to have?
A. Workgroup
B. Enterprise
C. Domain
D. Local

4. Based on the preceding question, what category does the Office suite fall under?
A. Client/server
B. Web-based
C. Stand-alone
D. Mainframe

5. Users on your network access your Microsoft Exchange 5.5 Server through Outlook Web Access. Your boss complains that this 3-tier setup is too slow and cumbersome. When you upgrade your network to Windows 2000, one of your priorities is to ensure 2-tier e-mail architecture. How should you accomplish this?
A. Install Microsoft Outlook on each client machine.
B. Install Microsoft Internet Explorer on each client machine.
C. Install the Outlook Web Access direct connect patch from Microsoft’s website on each client machine.
D. Install the Lotus Notes connector on each client machine.
6. You are in charge of analyzing your company’s network infrastructure for an impending Windows 2000 upgrade. During your investigation, you notice that your entire building is wired with Cat3. You also have one 100MB hub acting as a central connectivity point, and four 10MB hubs connecting to all nodes on your network. What do you need to do before you proceed with your Windows 2000 upgrade while maintaining your budget? Choose all that apply.
A. Upgrade all cabling to at least Cat5.
B. Upgrade all cabling to fiber.
C. Replace all hubs with 100MB switches.
D. Replace the central hub with a router and replace all outlying hubs with 100MB switches.

7. You are in charge of cataloging all relevant hardware for your pending Windows 2000 upgrade. Management wants to see a report outlining the current hardware available and identifying which pieces of hardware will need to be upgraded. Which devices should you include in your inventory list? Choose all that apply.
A. Servers
B. Switches
C. RAS devices
D. Mainframes

8. You are the network administrator for a 200-node Windows NT 4.0 network. You are planning an upgrade to Windows 2000. Currently, all computers on the network run the TCP/IP, NWLink, and NetBEUI protocols. Management is interested in simplifying network administration and reducing network traffic caused by excessive broadcasting. What should you do to alleviate the current problems?
A. Deinstall all protocols except TCP/IP.
B. Deinstall all protocols except NWLink.
C. Deinstall all protocols except NetBEUI.
D. Continue to run all protocols and install DHCP.
9. On your Windows 2000 network, a computer sits in a tiny, unattended control room. This computer’s responsibility is to send back reconnaissance data on critical metering equipment. What is this computer considered to be in TCP/IP terms?
A. TCP reference
B. ICMP computer
C. Host
D. Layer 2 switch

10. Your company is planning to upgrade its existing 250-node Windows NT 4.0 domain to a Windows 2000 domain. Since you are a manufacturing firm, you have multiple software applications that deal with design and planning of future products. Some of your users perform light shared programming duties to automate mechanical processes. You also have a group of four users who use an Excel spreadsheet to keep track of comp time for the department. What sort of application is this said to be?
A. Workgroup
B. 2-tier client/server
C. 3-tier client/server
D. n-tier client/server
Answers to Review Questions

1. C. The best solution for a Windows 2000 network is Windows 2000-based DNS. It integrates tightly with Active Directory and supports all necessary features. If you do use a BIND DNS server, it should be at least version 8.1.2 or higher. Windows NT DNS is not recommended for a Windows 2000 network.

2. B, D. Based on the scenario, B and D are the right answers. Hardware was not mentioned. Even though this is always a concern, it was not presented in this case. Of course, a major issue is, will the application work? Also, since the application is using NetBIOS, you will need to rely on WINS, not DNS, to resolve names.

3. B. If everyone (or almost everyone) uses it, it’s enterprise. If it were only a few users based on task, then workgroup would be more appropriate.

4. C. Office is a stand-alone application.

5. A. Sometimes the simple answer is the right answer. Microsoft Outlook is a stable e-mail client that allows a direct connection to an Exchange (or other e-mail) Server.

6. A, C. If your network is still using Cat3, it’s time to move into the new millennium. Cat5 is serviceable and can handle Gigabit Ethernet. Fiber is wonderful but more expensive and not necessary for going to the desktop. There is no mention of excessive network traffic, which would necessitate a router to divide the network. However, the hubs need to go.

7. A, B, C. Although this list should be considerably longer, these three types of devices are the relevant choices among the four listed. Hopefully, you’ll be able to phase out your mainframe, but for purposes of a Windows 2000 upgrade, the mainframe is really peripheral.

8. A. It’s best to simplify your network and use only one protocol. TCP/IP is the best choice. DHCP is a useful service for assigning IP addresses, but doesn’t do much in the way of reducing network traffic.

9. C. Computers that participate on the TCP/IP network are called hosts.

10. A. This application qualifies as a workgroup application since it doesn’t involve very many people. It is certainly not client/server in any sense of the word.
The State Agency with the Complicated Technical Environment

You should give yourself 10 minutes to review this case study, diagram as needed, and complete the questions for this testlet.
Current System

You are the network manager for a large state agency. About 1,500 employees occupy one entire building adjacent to the capital. You are designing a Windows 2000 deployment and have reached the point where you’re ready to look at the technical environment.

The system in use is exceedingly complicated. For starters, you have about 150 users, on IBM 3279 dumb terminals, who are still using expensive coaxial SNA connections to the mainframe computer at the state’s computing center across town. Others are using 3270 emulation software and TCP/IP to connect to the host, a much cheaper solution. Several homegrown systems use old DOS FoxPro to access databases, then write the results that are entered to a flat file that’s uploaded to the mainframe via FTP. The systems were never designed to be used by as many users as they do today, and they’ve turned into a poor man’s client/server system. They break frequently, and you have to go in and rebuild the indexes. There are many printers hooked to the network using JetDirect cards and boxes.

You find, after a review of the infrastructure, that you’re on an old 10Base-T hub-based system; users are quite unhappy with the throughput. After reviewing the server “farm” (10 servers that are quite antiquated), you discover that serious work needs to be done to upgrade them. Several department heads are demanding that some form of telecommuting be put in, but nothing has been done along those lines yet. There is one router: an older Cisco 1000 that has a 10Base-T connection to the main computing center. All users have web access; there is no Proxy Server. The computing center handles the firewall process. You’re being barraged by department-head requests for some form of control over what users are allowed to surf to on the Internet. There is a request for an intranet.

There was an old VINES-to-NT conversion, but you still have two VINES boxes hanging around—you’re not sure what for even though you’ve been repeatedly told why.
The only good part about this entire network is that about a year ago a complete rewire of the cable plant was done and everybody is now up on Cat5 cabling throughout. The patch panels are wired together with Cat5 (there is no fiber). E-mail is another plus, having been recently converted to Exchange 5.5, but it’s very slow to use.
Problem Statement

Your mandate is twofold: Clean up the mess and get Windows 2000 installed (including a complete detachment from the VINES apron strings). The biggest problem here is that you’re just not sure where to begin. There are so many problems, so many specialized systems, so little technical help from others, that you’re just not sure you can even get everything done.
Envisioned System

Overview Your boss, the CIO for the agency, has told you that he wants a complete Windows 2000 upgrade. When you press him with the detail of what a mess you’ve found, he says that he’ll do whatever “pavement pounding” he needs to do to make sure things are caught up. You’re at once heartened by the promise to help raise the necessary resources, but you’re also not sure that the network is salvageable at this point. You have three people under you who can assist you, but they’re all junior people and not ready for the prime time that this project is going to involve.

CIO “I want to take this pathetic little network out of the Stone Age and put it into the rocket age. I’m a realist, and I’m aware that this might take some cash and contracting resources to get done. I’ll do whatever pavement pounding is needed. By that I mean visiting the other department heads to see what kind of budgetary resources they can scrounge up. You have one year to get everything accomplished; remember that we’re on a year-long fiscal cycle, so things have to get done in one year. If you need to bring in some contractors, I’m OK with that, but make sure you document what you need so we can prove it to the oversight watchdogs.”

Team Members “We’re excited!”

Data-Comm Technicians “Boy, oh boy, do you have your work cut out for you!”
State Computing Center Head “The state has provisioned a DS3 circuit that we want all agencies to utilize. We’re doing this because of the heavy mainframe traffic. We want to increase throughput and efficiency of our mainframe TCP/IP clients.”
Security

Security Personnel There are two people who handle all security: mainframe, network, and e-mail. They tell you, “We need to talk about naming standards to use as we roll forward into this new environment. When we were on VINES, everybody got to pick his or her own username, and that philosophy has found its way into the NT network. We want standards just like the mainframe has.”

Department Heads “Is there any way that you can keep our people out of certain websites? We have some people that want to surf into sites they shouldn’t be allowed to, and it has caused us some trouble in the past. What’s the policy?”

Availability

The system has to be up as often as possible. You’re striving for 4-nines uptime (99.99% up, or 52.5 minutes downtime per year, including maintenance windows). The CIO agrees with the department heads that you must get a handle on this ridiculous downtime situation: “I want dial-tone reliability. As soon as you’re done with deployment, I want metrics on this network.”

Maintainability

You know you can maintain the network just fine, but if you ever leave, the junior ranking of the rest of your team members leaves you wondering if they could handle a very complicated network. Their response is, “With the right training, we think we can handle it.”
Department Heads “It’s imperative that we not quit processing at any time! The taxpayer is our customer, and you can’t possibly understand how important it is that we continue to provide great service to them.”
Questions

1. What is this network’s biggest technological hurdle? Order the problems in the following chart from most important to fix to least important to fix.

Problem List
Old custom DOS FoxPro applications
Poor infrastructure
Poorly maintained server farm
Proprietary forms readers
Continued support of VINES servers
Old SNA mainframe connections
2. In the following chart, select tasks from the right column to form deployment-step trees on the left that you’ll need to go through to finalize deployment.

Deployment Steps
Infrastructure Upgrade
Server Farm
Old DOS FoxPro Applications
RAS Server
3279 Users
Proprietary Forms Reader System
Internet Use

Tasks
Change out all hubs to closet switches.
Procure contractors for FoxPro application conversion.
Identify server deficiencies.
Identify applications on servers.
Procure a DS3 to the state computing center.
Update router.
Convert FoxPro systems to client/server (VB over SQL Server).
Migrate coax users to 3270 emulation software over TCP/IP.
Coordinate linkup with state computing center’s mainframe.
Procure hardware for server upgrades or replacement.
Install Proxy Server.
Purchase a core switch for the computer room. The core switch has two cards with eight 100Base-T ports in it and a two-gigabit card (for linking to important servers and router).
Install SmartFilter and configure to keep users from certain locations.
Purchase 100Base-T switches with gigabit uplink cards for the closets.
Upgrade or replace servers.
Procure new router with DS3 WAN interface, redundant power supplies, gigabit LAN port, and updated firmware code.
Do nothing at this time. Investigate after rollout is done.
Logically separate applications by moving them to different servers as required, including dismantling of VINES servers.
Install fiber cable to all switch closets for backbone.
Perform a protocol analysis.
Procure a RAS server for telecommuting purposes.
Procure PCs for coax users.
3. Based on the description of the current environment, which protocols seem to be in use on the network? Choose all that apply.
A. TCP/IP
B. NetBEUI
C. VINES TCP/IP
D. DLC
E. SNA

4. Why is the DS3 requirement being laid down by the computing center?
A. For future growth purposes
B. Because of so many mainframe TCP/IP users
C. Because of the FoxPro applications
D. To connect to the SONET ring

5. What is the biggest technical support hurdle you have to overcome?
A. Learning how switches work
B. Continued support of FoxPro applications
C. Learning routing
D. Team needs lots of care and feeding to help support the new network
Answers

1. See the following chart:

Problem List
Poor infrastructure
Poorly maintained server farm
Continued support of VINES servers
Old custom DOS FoxPro applications
Old SNA mainframe connections
Proprietary forms readers

Your biggest problem is the infrastructure. It’s also going to be the most expensive problem. Then you have to look at the server farm, which would include getting rid of the VINES servers. You also have a problem with some DOS FoxPro applications that almost certainly need to be upgraded, since they’re being used in a client/server setting that FoxPro was not intended for. The SNA connections are expensive and need to be eliminated. Why are some users using coax anyway? Finally, you have the proprietary forms readers to contend with, and they might not be a problem anyway.

2. See the following chart:

Deployment Steps

Infrastructure Upgrade
Install fiber cable to all switch closets for backbone.
Procure a DS3 to the state computing center.
Procure new router with DS3 WAN interface, redundant power supplies, gigabit LAN port, and updated firmware code.
Purchase closet switches.
Purchase core switch.
Change out all closet hubs to switches.
Coordinate linkup with state computing center’s mainframe.

Server Farm
Perform a protocol analysis.
Identify server deficiencies.
Identify applications on servers.
Procure hardware for server upgrades or replacement.
Upgrade or replace servers.
Logically separate applications by moving them to different servers as required, including dismantling of VINES servers.

Old DOS FoxPro Applications
Procure contractors for FoxPro application conversion.
Convert FoxPro systems to client/server (VB over SQL Server).

RAS Server
Procure a RAS server for telecommuting purposes.

3279 Users
Procure PCs for coax users.
Migrate coax users to 3270 emulation software over TCP/IP.

Proprietary Forms Reader System
Do nothing at this time. Investigate after rollout is done.

Internet Use
Install proxy server.
Purchase SmartFilter and configure to keep users from certain locations.
3. A, C, D, E. We know that TCP/IP is in use because of the mainframe TCP/IP connection with the 3270 emulation software folks. Several printers use JetDirect cards, so there may be a possibility of DLC. There are 150 coax (3279) users in place, and that means only one thing: SNA. Finally, since VINES is in use along with TCP/IP, we can surmise that VINES TCP/IP is in use, though the native VINES protocol may be in use as well. Who’s to say until we do a thorough protocol review?

4. B. The main reason is because of so many mainframe TCP/IP connections. But other state connectivity will also benefit, and the pipe is certainly over-engineered and big enough for future projects. Internet connectivity will benefit as well. DS3 is 44 megabits per second, and it’s a huge pipe. The SONET ring thing would work out well if you went forward with an ATM deployment, but since you’re on a gigabit connection to the state, they’ll have to haul you across the SONET ring by converting your data to cells. You have no responsibility for this. The FoxPro applications don’t come into the picture, since they don’t leave the network.

5. D. Without a doubt, your biggest concern in terms of technical support will be your junior team members. They need lots of training, coaching, hand-holding, and encouragement to assimilate this new, totally revitalized network!
Chapter 5

Analyzing Client Access Requirements

MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:

Analyze the network requirements for client computer access.
Analyze end-user work needs.
Analyze end-user usage patterns.
Design a resource strategy.
Plan for growth.
You’re making progress on the design that you’re creating and now this book heads into the sections where you’ll learn about the raw details of Windows 2000 infrastructure. However, we must still discuss design for just a bit more. This chapter talks about the analysis of your end users: how they access the network and how they work on it when they get there. We’ll first talk about the needs and behaviors of the end user, and then we’ll talk about plans for the network’s growth in terms of the user count. Some networks grow startlingly fast; knowing that and planning for it are critical facts for the Windows 2000 designer. (The placement and centralization subobjectives under the objective “Design a resource strategy” are covered in Chapter 3, “Evaluating the Technical Environment,” and Chapter 7, “Designing a Management and Implementation Strategy for Windows 2000 Networks.”)
Determining the Needs and Behaviors of End Users

This section has two separate threads of thought. First, you need to identify specific needs of users, and then you need to ascertain what their behavior is. The goal of these analyses is to design systems, especially network additions, so that they benefit users.
Microsoft Exam Objective
Analyze the network requirements for client computer access.
Analyze end-user work needs.
Analyze end-user usage patterns.
For example, if you know that there are many Exchange Servers spread throughout the enterprise, all linked with connectors, then it might be to your benefit to create a bridgehead server that doesn’t host users, but hosts the connectors instead. This provides two advantages: If an administrator feels a reboot of the bridgehead server is necessary, he doesn’t affect any end users by booting it during the day. Also, with such a methodology, you create a more fault-tolerant environment for users because you take one potential trouble source out of the Exchange mailbox servers and move it elsewhere. You can accomplish this only if you choose to observe user behavior.
Analyzing End-User Habits

If you stand back and take a good look at why and how users access the network, you’ll probably find yourself putting users into different categories that describe their behavior. Let’s identify some of those classifications so you get a head start on determining how users access the network. Knowing user patterns helps you plan better implementations of future network rollouts.
Power Users

The power user is one who is potentially dangerous. This person knows enough about computers to be able to do tasks like erasing critical files, hacking the registry of the local machine, changing .ini files, and so forth. Power users are quite special to administrators. They’re the reason that Windows NT Workstation exists—to come up with a serious lockdown that keeps them out of harm’s way. Engineers typically fall into this category, though you’ll find power users in any department that accesses the network. It’s important to identify the power users because you can make educated decisions about how to address their needs and yet keep them out of trouble. Power users will often tell you that they need something far more powerful than they really do need, and it’s up to you to study their needs, accommodate them, but keep them from being able to do things they shouldn’t.

The good news about your power users is that most of them do know enough to get themselves out of trouble once they are in it. Whether that means undoing the changes that they made or reinstalling Windows, most of them can fix their own issues. This is a good thing if you do decide to give them some freedom on the network. However, most network administrators want to have more control over the network so they choose to lock everyone down. If you have power users that are continually messing up their system and leaning on you for help in fixing it, don’t hesitate to limit what they can do. That’s what group policies were created for.
3270 Emulation Software Users

These users don’t use their PC for a whole lot, maybe just the Web and e-mail. Typically they’re either mainframe programmers running 3270 emulation software to access the mainframe in order to do their programming, or they’re order-entry or billing users who use the mainframe to check records and edit data that’s already in the system. There are also operations people who schedule jobs to run, review job control language (JCL), and so forth, but they’re better categorized as mainframe programmers. Users who are on the mainframe most of the time normally don’t require the latest and greatest in computing machinery the way power users do. The biggest problem you’ll run into with these users is when the mainframe isn’t working well and they cannot access their host session. It’s not usually your problem to deal with, but nonetheless you might be called in to look at it.
Macintosh, Unix, Linux, and OS/2 Users

These users have special needs that you’ll have to handle on a case-by-case basis. For example, a Linux user might want to mount a Samba NFS share for people on the Windows 2000 network to look at. Or a Unix host might need to extract files from a Windows 2000 host using FTP. Linux users will also want to surf the Web, exchange e-mail, and create documents that are available for non-Linux users. Macintosh users have very specific computing needs. Macintoshes are commonly used on the network for graphics purposes. Graphics files get quite large, and Mac users typically like to save their large graphics files out to a RAID array on the Windows NT or Windows 2000 network. That’s a
perfectly fine use for them and one that you should sanction, because at that point the files are covered by your backups. Windows 2000 has addressed the Macintosh access issue and has made it easier for administrators to maintain. Mac users will also want to surf the Web and exchange e-mail and documents. Unix users access the Unix servers either via an emulation host on their PC or through a Unix workstation that sits next to their PC. The basic needs are the same, with the exception of Unix admins, who require the ability to modify server files. Of all the different user types, Unix users are probably the most proficient in the NT world and will eventually be in the Windows 2000 world as well. They’re also the most likely to resent using anything resembling Windows. Though you might not have many dealings with OS/2 users, they’re definitely out there, and the operating system is still quite common. Typically, OS/2 requires its own special software for anything that you might want it to do on the Windows 2000 network. OS/2 users are often power users choosing that operating system for very special reasons.
Even though users of these various operating systems become very attached to their particular platforms, your network administration will be much easier if you can eliminate some. The fewer operating systems that you have to deal with, the fewer compatibility issues you will have. Although it may be a fight, see if the users of alternate operating systems can perform their jobs on a Windows 2000 machine.
Managerial, Professional, and Executive Users

These users are usually accustomed to having things move quickly, and they expect you to take every bit of time you need in order to get their computing needs solved, even though the entire network may be burning down around you! It seems that the higher you go up the corporate ladder, the more demanding they get. That’s not exactly fair, because they’re usually quite nice about the way that they go about getting you to fix the problem, but they’re firm in that managerial kind of way. Although these users can be a pain to deal with, remember that they are in important positions of power within the company. It’s generally a good idea to attend to their needs. At the same time, most of these users are bright enough to understand that if their sound card isn’t working but the sales database is down, their sound card can wait.
“Regular” Users

These are the people who just want to log on and get a day’s work done. By far, this will be the largest group of users on your network. The “regular” user e-mails, probably surfs the Web, uses Microsoft Office, and possibly runs some specialized applications that pertain to his or her area of the company. For example, an accounting aide might use Navision financials while a manufacturing or engineering employee might use Agile. These users are relatively harmless. They don’t typically bring software in from home or the Web, although they can get into trouble with e-mail attachments that take up a lot of room or use a lot of CPU cycles. All users deserve a high-quality, ergonomic work environment (this component is probably not under your control) and a good quality computer. The monitor needs to be at eye level, not higher or lower. The higher you can adjust the resolution of the monitor, the better their vision will be at the end of the day. A resolution of 1280 × 1020 with 75Hz is very good and will be less straining on the eyes. A mouse needs to be lower than the user’s arm when the arm is held in a 90° crook. Nothing is more frustrating for users than trying to cope with inferior computing machinery, especially those users who must use the computer and the network all day long.
Analyzing End-User Behaviors

Have you ever really looked at the way that your users go about interacting with their computer? Try it some time when you’re visiting a PC for a trouble call. You’ll be fascinated to watch how people react to various windows, how they dutifully obey error boxes, and how they get lost so easily when the computer is telling them what to do. Especially watch their eyes and their head movements as they scan the monitor looking for information from the computer. You can easily spot the people who aren’t very comfortable with computers and those who have worked with them for years. Watching users is one way to analyze user behaviors. What sorts of programs do users have loading up in the morning when they log on? Is their logon time incredibly long? Do they have enough time to log on, go get their coffee, and come back before they’re finally logged in? Does the computer snap to life and instantly give them all of the things that they need to get their day started? If not, this isn’t necessarily indicative of a PC issue. It’s very
possible you also have a slow network—or, at the very least, so many users hitting the network all at once that bandwidth is completely gone. Try to spend some time just watching a variety of user types. See if you can glean any information about how ordinary users go about their computing lives. It’ll be informative and time well spent. You can also run performance monitoring on the main servers (applications servers such as Exchange, and file and print servers) to get information about the load at specific times. If you run performance-monitor scans periodically over the course of a few days, you’ll have good benchmarks as to how the network performs. On most networks, it’s safe to say that you can anticipate your heaviest loads in the morning hours when people first log on, then around midday when users log out and get ready to go to lunch, and then at the end of the day. Web-surfing volumes go up during lunch and during the afternoons. In organizations where you have two or three different shifts, you’ll observe some radically different access times, but at least you’ll know when your peak times occur. E-mail is another story. Most companies are fairly e-mail-centric now, so it’s a good bet that the server is in heavy use throughout the business day. However, it’s understandable that your main peak time for e-mail (when everybody has opened their e-mail and is reading the day’s news) would be the morning hours. You can get a good feel for e-mail traffic by watching the Exchange performance-monitor threads and by checking out the IMS queues. The biggest problem you can run into with e-mail—something that’ll affect everybody—is the person who decides to either send an extremely large attachment (80–100MB) to somebody, or to send an e-mail to 5,000 recipients all at once. You can really slow down an e-mail server quickly that way, but Exchange provides the capability of limiting the size of the files that can be received or sent.
Network managers might be able to sniff the network and give you some idea of usage patterns, though the information will mostly be about broadcasts and the amount of traffic going across the wire. Some metrics software such as NetIQ or ManageX might be helpful to you too, in your quest for user-behavior information.
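The load profiling described in this section can be done over any time-stamped record of logons and mail submissions, whatever tool collected it. As an added example (not code from the book), the script below parses a few constructed log lines, finds the busiest hours of the day for logons and logoffs, and flags mail submissions that would trip the kind of attachment-size and recipient-count limits the text says Exchange can enforce. The log format, the event names, and the two thresholds are assumptions made for this example, not Exchange defaults.

```python
"""Find peak load hours and oversized mail submissions from constructed log lines.

Added example for this chapter. The log lines are constructed by hand, not the
output of Performance Monitor, Exchange or any other real tool, and the two
thresholds are assumed policy values chosen for the example.
"""
from collections import Counter
from datetime import datetime

# Constructed events, one per line: "<ISO timestamp> <kind> key=value ..."
SAMPLE_LOG = """\
2001-10-01T08:02:11 LOGON user=jsmith host=WS101
2001-10-01T08:05:43 LOGON user=mlee host=WS117
2001-10-01T08:07:02 LOGON user=rkhan host=WS120
2001-10-01T08:31:55 MAIL from=jsmith recipients=3 attach_mb=0.4
2001-10-01T09:12:09 LOGON user=abrown host=WS130
2001-10-01T12:00:20 LOGOFF user=mlee host=WS117
2001-10-01T12:01:37 LOGOFF user=rkhan host=WS120
2001-10-01T12:04:15 LOGOFF user=jsmith host=WS101
2001-10-01T13:02:18 LOGON user=jsmith host=WS101
2001-10-01T13:20:44 MAIL from=abrown recipients=5200 attach_mb=0.1
2001-10-01T14:45:03 MAIL from=jsmith recipients=2 attach_mb=95.0
2001-10-01T17:02:30 LOGOFF user=abrown host=WS130
2001-10-01T17:05:12 LOGOFF user=jsmith host=WS101
"""

MAX_ATTACHMENT_MB = 20.0   # assumed policy: flag attachments larger than 20 MB
MAX_RECIPIENTS = 500       # assumed policy: flag mail to more than 500 recipients


def parse_events(text):
    """Turn the log text into a list of (timestamp, kind, fields) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, kind, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        events.append((datetime.fromisoformat(stamp), kind, fields))
    return events


def hourly_load(events, kind):
    """Count events of one kind per hour of day (Counter keyed by 0-23)."""
    return Counter(ts.hour for ts, k, _ in events if k == kind)


def peak_hours(events, kind, top=2):
    """Return the busiest hours for a kind, busiest first."""
    return [hour for hour, _ in hourly_load(events, kind).most_common(top)]


def mail_policy_violations(events):
    """Flag MAIL events whose attachment size or recipient count exceeds policy."""
    findings = []
    for ts, kind, f in events:
        if kind != "MAIL":
            continue
        size_mb = float(f["attach_mb"])
        rcpts = int(f["recipients"])
        reasons = []
        if size_mb > MAX_ATTACHMENT_MB:
            reasons.append(f"attachment {size_mb:.1f} MB > {MAX_ATTACHMENT_MB:.0f} MB")
        if rcpts > MAX_RECIPIENTS:
            reasons.append(f"{rcpts} recipients > {MAX_RECIPIENTS}")
        if reasons:
            findings.append((f["from"], ts.isoformat(), "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("Busiest logon hours:", peak_hours(evts, "LOGON"))
    print("Busiest logoff hours:", peak_hours(evts, "LOGOFF"))
    for sender, when, why in mail_policy_violations(evts):
        print(f"{when} {sender}: {why}")
```

Run over a few days of real records, the hourly counters give you the benchmark the text recommends, and the violation list tells you which senders are producing the traffic that slows the mail server for everyone.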
Maintaining Administrative Control on the Network

Your network has a large number of Windows NT Workstation users. When you open up Server Manager for Domains, then select Workstations view, you see all of the computers, but some are grayed out. When you double-click a grayed-out computer to bring up the Properties window, you’re told that the device cannot be found. Yet you’ve verified that the computers are online and out there in the network world. In fact, you’ve physically checked the computers to see if they really are powered up and connected to the network, even though a user may not be logged on. You wonder what the problem could be.

In your investigation, you determine that one of two things could be wrong. Either the Workstation and Server services are shut off at the desktop, or WINS doesn’t have an entry for this computer. But how is it that a third of your workstations show up offline? Upon rebooting a couple of the errant computers, they show back up online. You surmise that people have gotten the word around that if they don’t want you remotely managing their PC (by doing a Net Use to the C$ share), they can just turn off the Server service and, boom, you no longer have access to their computer!

You wonder how this will affect Windows 2000 Professional computers. The answer is, the same way. If users decide to stop a service and that service happens to prevent you from reaching their computer, nothing new in Windows 2000 Professional will prevent this. But the one good thing you have in both situations is the fact that you’re dealing with workstation-category software; you can begin to implement a little more serious lockdown that will keep the users out of Services and out of the Registry. If users interfere with your ability to administer their machines, whether locally or remotely, it’s time to lock them down.
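The scenario above names two reasons a workstation can show as grayed out: the Server service has been stopped on the desktop, or WINS has no entry for the name. As an added example (not from the book), the script below sorts a list of grayed-out workstations into those two buckets so you know which machines need the lockdown and which need a WINS fix. The host names, the WINS registration list and the service-query transcripts are all constructed; the transcripts mimic the layout printed by the Windows sc query command, which is an assumption about the tool you would use to collect them.

```python
"""Triage workstations that Server Manager shows as grayed out.

Added example; not the book's code. Every input below is constructed: the host
list, the WINS registrations, and the service-query transcripts, which imitate
the layout of `sc <host> query lanmanserver` output but were written by hand.
"""
import re

# Constructed: workstations whose icon is grayed out in Server Manager.
GRAYED_OUT = ["WS101", "WS117", "WS120", "WS130"]

# Constructed: NetBIOS names that currently have an entry in the WINS database.
WINS_REGISTERED = {"WS101", "WS117", "WS130"}

# Constructed transcripts of a remote query of the Server (lanmanserver) service.
SC_OUTPUT = {
    "WS101": """SERVICE_NAME: lanmanserver
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
""",
    "WS117": """SERVICE_NAME: lanmanserver
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
""",
    "WS120": """[SC] OpenSCManager FAILED 1722:
The RPC server is unavailable.
""",
    "WS130": """SERVICE_NAME: lanmanserver
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
""",
}

STATE_RE = re.compile(r"^\s*STATE\s*:\s*(\d+)\s+([A-Z_]+)", re.MULTILINE)
FAIL_RE = re.compile(r"^\[SC\] \w+ FAILED (\d+)", re.MULTILINE)


def service_state(transcript):
    """Return the service state word, or 'UNREACHABLE:<code>' if the query failed."""
    m = FAIL_RE.search(transcript)
    if m:
        return f"UNREACHABLE:{m.group(1)}"
    m = STATE_RE.search(transcript)
    if not m:
        raise ValueError("no STATE line in service query output")
    return m.group(2)


def diagnose(host):
    """Explain why one grayed-out workstation cannot be managed remotely."""
    state = service_state(SC_OUTPUT[host])
    if host not in WINS_REGISTERED:
        # Name resolution fails before any service is consulted.
        return "no WINS entry (name cannot be resolved; check the WINS client settings)"
    if state == "STOPPED":
        # The admin shares (C$ and friends) are served by this service.
        return "Server service stopped on the workstation (admin shares unavailable)"
    if state.startswith("UNREACHABLE"):
        return f"registered in WINS but the service query failed ({state})"
    return f"Server service {state}; look elsewhere (filtering, permissions, stale list)"


def diagnose_all(hosts):
    """Map every grayed-out host to its diagnosis."""
    return {h: diagnose(h) for h in hosts}


if __name__ == "__main__":
    for host, reason in diagnose_all(GRAYED_OUT).items():
        print(f"{host}: {reason}")
```

The script only tells you which machines fall into which bucket; the remediation the scenario calls for is the group-policy lockdown that keeps users out of Services and the Registry, applied to the hosts in the "service stopped" bucket.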
Analyzing Future Network Plans
Imagine that the company you currently work for is a very high-tech, high-speed company that is in constant growth mode. For example, you have about 15 spoke locations that have a single server at them. You anticipate that this year alone, that number will increase by 50! That’s a lot of servers. In an environment like that, it’s really tough to plan strategically for growth of any kind. You’re going so fast that you feel like a moving target—you have to react quickly, assess the situation in a short period of time, and make a solid judgment call with very little time to mull the whole thing over. Gone are the days of passive engineering!

But there’s a larger problem with this scenario, and one that is common throughout high-tech environments. Management has a hard time communicating what new things are on the horizon. So even though they might’ve talked about the upcoming changes among themselves, it’s very difficult for them to find the time to explain to those under them what the changes are all about. Most of management is so busy that when they do get the time to explain the changes that are coming, they can only do it in a quick all-department meeting where nobody has time to ask questions, and the managers themselves don’t have time to develop the ideas that they’re thinking about. It’s really a problem.
Microsoft Exam Objective
Design a resource strategy.
Plan for growth.
So, how do you make any kind of plan for a Windows 2000 upgrade that’s going to be involved in a high-growth environment? How do you assure yourself that as things progress, the new changes are added to your plans? Moreover, how do you assure yourself that your managers have given you complete information on what’s happening down the line?
Communicating in High-Growth Environments

In high-growth areas, it’s best that you take the initiative to stay informed. Let’s suppose that you’ve finalized and submitted a Windows 2000 project plan. Everybody likes the plan; it looks solid. Here’s what you have in mind: You’ll install Windows 2000 on the PDC, including Active Directory (AD). You’ll leave all other Windows NT 4 servers (BDCs and member servers) alone for now. Then you’ll upgrade the entire user community to Windows 2000 Professional—using Remote Installation Services (RIS), of course. Finally, you’ll upgrade the rest of the servers to Windows 2000 and switch the AD over to native mode. It’s a good plan, one that allows you to make sure the user body is up on Windows 2000 (and trained on its use) before you switch the rest of the network over.

So you set up an appointment with your management team and make your presentation to them. They like the plan and give you the go-ahead. Now’s your chance to present the management team with the news that you have a real need to know when changes to the user environment or network are coming your way. You might even create an Outlook e-form that helps minimize their effort, yet allows you to get the information you need. The concept is twofold: You understand that they’re busy people and can’t constantly communicate changes in the company, but you have a legitimate need to be kept abreast of the changes. So when the company plans to hire, train, and turn loose a new group of users in the next month or two, instead of cheap-and-easy Windows 95 computers that will work on any old box, you can prepare some hardware compatibility list (HCL)–compatible boxes (a necessity for Windows 2000 Professional) and give your users a real computer that you can really manage. The point here is communication. You have to ask what’s going on, you have to listen to what they’re telling you, and you have to be ready to react to the news.
One problem, at least for some companies, is managers who tell you that they’re indeed growing and planning on bringing new users online, but they won’t give you the resources to meet those new user needs. Or at the very least, they won’t give you the resources until the last possible moment in order to maximize the time the money stays in the company’s account and not in somebody else’s. How do you manage a situation such as this? You need to communicate back that your design requires HCL-compatible computers, that Windows 2000 Professional is the company’s new operating system, and list its benefits. Then you wait for their answer, which could go either way. If you explain the scenario in the right light, it’ll usually be met with the right attitude on their part.
Growing Networks with Limited Resources

The opposite end of the spectrum from the high-tech company that is moving at lightning speed is a company that’s sluggish to make technological decisions and very tight with a buck. Some of these organizations can’t help it—not-for-profit entities come to mind. There’s just nothing you can do if the money isn’t there to support the design. But networks like this need to grow anyway. Just because the organization is poor doesn’t mean that it can’t hire employees or bring on more volunteers. So, if the network is in growth mode and you’d like to bring it into the Windows 2000 arena, is this really possible in a sluggish, stingy organization? It’s possible, but you need to keep some things in mind before going to Windows 2000:
Windows 2000 requires a minimum of 2GB for the operating system partition of the server. If you can’t afford new disk space, even though you have the room to install Windows 2000 now, chances are you won’t have the room to grow it in any way—in the form of applications or added services.
Networks that struggle along with low-end computers that use “borrowed” software and that skimp along with the least they can get away with are not good candidates for a powerhouse operating system like Windows 2000. This deployment is going to take more money than the software will cost you—it’s going to take serious money in the form of infrastructure, server, and workstation upgrades. It’s a fact and knowing it up front helps you make your decision early on.
The HCL is even more critical than in earlier versions of Windows NT. Why? Because of Windows 2000’s plug-and-play features. The drivers portion of Windows 2000 itself is a huge chunk of code! Windows 2000 can find a lot of hardware. But throw in some older device that’s now exotic or defunct, and you have a plug-and-play problem. The computing device, equipped as it is, is what you need to measure against the HCL.
Need quality HCL information? Check out www.microsoft.com/windows2000/upgrade or www.microsoft.com/hcl.
The information in the preceding list presents a pretty gloomy picture for non-profit and other cash-strapped organizations with regards to upgrading to Windows 2000. This isn’t to say that these organizations can’t upgrade, but they need to be realistic. If money is tight and the network works as it is, it may not be in their best interest to pursue Windows 2000. That being said, for companies that are tight on money, the key to a successful Windows 2000 upgrade is still communication. You may not be able to purchase as extravagant hardware as you would have if money were plentiful. However, you may still be able to get serviceable machines to meet your needs. Communicate with the decision-makers and see where the network needs to go. If the decision is made and the resources are available to go to Windows 2000, make sure economy is practiced.
Planning for the Middle-of-the-Road Network

The final portion of this puzzle is the network that’s growing, that expects you to plan for its growth, but has moderate resources to give you as you go forward. It is possible to deploy a Windows 2000 network in this kind of situation, but you have to be patient and diligent. Your one-year plan may turn into a three-year plan. You install Windows 2000 on one or two domain controllers that are on the HCL and, as you get a little money, you upgrade another server and put Windows 2000 on it. When you visit a workstation to reinstall the operating system for a user, if the workstation’s on the HCL and can handle Windows 2000 Professional, you go ahead and install it. In other words, you roll out the deployment as you get the opportunity and financing to do so. Eventually, all users and servers are up on Windows 2000, and the time comes when you can convert AD from mixed mode to native mode. But that day isn’t in the here and now; it’s a long way down the road. If you can live with that principle, you can make this design happen.

The big caveat here is that you must communicate to management that this is your design intent and you don’t want to waver from it. You communicate to them that you’re looking for buy-in on their part, for joint ownership of the idea. They’ll like the idea because you’re taking your time, and you’re not breaking the bank as you go. You’ll like the idea because you can deploy Windows 2000, just not as quickly as you’d like to. Slower methodologies like this afford you the time to learn the ins and outs of the system—to really get comfortable with its nuances. By the time three or four years
have elapsed, you’ll be completely comfortable with how this operating system works and how it’s supposed to respond.
The Company That Doesn’t Think It Needs Windows 2000

You work for a small enterprise, about 500 users. There are a half-dozen servers that are big enough to handle a unified workflow methodology. Two of the servers do basic logon and TCP/IP functionality for the network; the others are application, file, and print servers. The servers are all running Windows NT Server 4, all equipped with Service Pack 5. The majority of your users are on either Windows 95 or 98; you, in fact, are the only user on Windows NT Workstation.

You really want to go forward with a Windows 2000 deployment. You think that Windows 2000 is more solid than Windows NT and that it has tons of new features to offer. You install Windows 2000 Server on a machine at home and play with it a bit. You get semi-comfortable with it, and you’d like to begin planning a deployment at work. You work up a design and present it to management. It’s met with a solid ho-hum. Some of the managers don’t like the idea of spending the money; others don’t like giving up Windows 95 and having to re-train on a new operating system (not to mention spending the money to upgrade their computers to run the new system). Others just simply don’t see the need for the upgrade. What do you do? Is there a way to make them see that this upgrade would be good for them?

Unfortunately, networks like these still exist all over the country. Some of them are running NetWare 3.11 on 10Base-2 (that’s right—coaxial cable with barrel connectors and terminators). Others are still running LanMan Server. Some are even still running Windows NT 3.1 or 3.51. You are stuck with a company that doesn’t have a technological vision, but probably does have a business vision. You’re going to have to face the notion that the managers are looking at what’s best for the company’s health, and this upgrade just does not make good economical or practical sense to them.
In cases like these, you need to find a way to present the upgrade in a way that will show the managers that the improved network will make the company money. If they still don’t go for it, it may be time to look for employment elsewhere.
Summary
Compared to the last few chapters, this one was nice and short. In this chapter we talked about analyzing end-user work needs. We identified several different categories of users and spent some time analyzing end-user behaviors. While watching users is a good way to identify patterns of usage, you can use more sophisticated techniques such as performance monitoring and network sniffing to gain greater insight into user behavior patterns. Neither of these techniques yields absolutely scientific results. Typically, internetworking experts will be able to help with network sniffs to obtain usage patterns. Finally, we talked about planning for growth and came up with three different scenarios in which you might find yourself trying to plan a Windows 2000 rollout. You might have the fortunate possibility of working with a company that is growing rapidly and can afford to throw lots of money at the project. You’ll be allocated everything you need to make it succeed. But there are very poor companies or organizations where you might find that it is truly difficult to roll out Windows 2000, simply because you don’t have the money for the needed infrastructure, even if the organization is on a growth spurt. And there is the middle-of-the-road company—one that wants you to watch your budget, but also to go forward with the rollout as best as you can. Of the three growth patterns, working for a poor entity is the hardest because you may be forced to completely jettison any Windows 2000 upgrade plans until things are much better.
Exam Essentials

Know how your users use the network. This involves watching the users to see what they do and monitoring the network to see when the busy times are.

Know how to plan for growth in an organization. The two keys are communication and money. Communication is critical so that you know where the company is headed. Along with that, it’s hard to upgrade a network if there is no money. Know what resources are available.
Key Terms
Before you take the exam, be certain you are familiar with the following terms:

hardware compatibility list (HCL)
power user
Remote Installation Services (RIS)
Review Questions

1. You are the network administrator for a small mail-order company. You have tried to talk your boss into upgrading to Windows 2000 with no success. Recently, your boss frustrated you with the question, “What are users doing on the network?” to which you didn’t have an adequate response. What’s one of the simplest ways to find an answer to this question?
A. Performance Monitor
B. Task Manager
C. HP OpenView
D. Observation

2. Rumors have been circulating at your company that expansion is on the horizon. Being the network administrator, you are concerned about what this means for your network. What’s the best way to plan for the potential growth of your network?
A. Regularly speak with management about their future plans for the company.
B. Get users off the mainframe.
C. Migrate the network to Windows 2000.
D. Observe users.

3. You are the network administrator for a company that is notoriously strict on its budget. Your boss informs you that some limited funds have become available, and you get to choose one upgrade to the computing environment. Which one would you choose for your users?
A. Hubs
B. Ergonomically comfortable work environment
C. Uninterruptible power supplies
D. Regular breaks
4. You recently completed a user survey on your network. You asked the users what they need to get their job done properly. Of the following, which two are the most legitimate user work needs?
A. Connectivity to e-mail systems
B. 21” monitor
C. Connection to the network
D. 800MHz processor

5. While in your office, your boss notices you observing the network. When asked to explain what you are doing, you reply that you are trying to see if you can figure out its heaviest use times. What does your boss know you are analyzing?
A. End-user work needs
B. End-user usage patterns
C. Growth characteristics
D. Network utilization

6. You are the network administrator for a company that has manufactured the same kind of candy for a hundred years. The manufacturing process doesn’t change much, nor do the quantities of candy that the company sells. How should you plan for growth?
A. There is no growth to plan for here.
B. Anticipate some company atrophy.
C. Grow the network at a moderate pace.
D. Plan for rapid growth.

7. You are the network administrator for a manufacturing plant that is in operation 24 hours a day. Recently, your boss has told you to monitor your end users in preparation for a Windows 2000 and network infrastructure upgrade. What will be the most fundamental assessment you’ll have to make about your end users?
A. Usage patterns
B. Work needs
C. Network connectivity
D. Growth plans
8. You are the network administrator for a development firm. Most of your workers are engineers who design high-tech components for the space industry. You have been instructed to make sure their needs are met. What work need are they most likely to have?
A. State-of-the-art PCs
B. UPS
C. Fluorescent lighting
D. RAID array

9. Because of recent network abuses, you need to tighten control of users on your network. What are some protections that you can place on user computers? Choose all that are correct.
A. DHCP leases
B. Virus scanner
C. Profiles
D. Windows Installer packages

10. Of the following companies or organizations, which one is the most likely to be subject to continuous aggressive growth?
A. Not-for-profit organization
B. High-tech start-up
C. Large publicly held corporation
D. Medium-sized publicly held corporation
Answers to Review Questions

1. D. Simple observation is probably one of the better techniques you can use for analyzing user patterns. Performance Monitor can help yield information about users attaching to resources, logons per second, and other such information. The Task Manager produces memory and CPU data and other information about servers and workstations. HP OpenView produces SNMP information and is helpful for tracking how the users and their usage patterns are impacting server performance.

2. A. Of all of these answers, A is the best choice.

3. B. While C is a great answer, B is the most significantly important one that will impact users’ work needs. D sounds good too, but that decision is probably out of your control.

4. A, C. Differentiating between needs to have and nice to have is a tough decision that administrators make about end-user support on a daily basis. Where needed, A and C are valid choices. Answer D probably falls within the “nice to have” category; most users could get along nicely with less.

5. B. You’re trying to assess end-user usage patterns.

6. C. Odds are that, even though the manufacturing part of the business is fairly uniform, the company has a sales data mart in place, tracking where, when, who, how, and why the candy is sold and how that varies from store to store and demographic to demographic. So, while you might be tempted to say there is no growth plan, the chances are they’ll actually grow at a moderate pace. You always want to keep your technology up to date.

7. A. User usage patterns will be a critical consideration to you with a network like this. Especially important will be considerations such as using the Windows Installer to provide packages to end users. If the network is always in use, which shift should be the one that gets the packages?
8. A. The other needs are nice, but engineers will most likely demand very high-tech PCs.

9. B, C, D. Virus scanners are a protective feature that keeps users safe. Profiles keep users from doing harm to themselves, as do Windows Installer packages.

10. D. Of all of these answers, B, C, and D are all highly possible. You might be tempted to select B, but it’s more likely that they’ll sustain a period of rapid growth and then even out until after the IPO. Large corporations don’t necessarily grow aggressively, but they do grow. Medium-sized corporations, especially highly successful ones, are the most likely sources of phenomenal growth.
The Large Shoe Retailer
You should give yourself 10 minutes to review this case study, diagram as needed, and complete the questions for this testlet.
Current System

You are the network manager for a large shoe retailer with stores all over the U.S., several in Canada and Mexico, and even some in Europe—about 1,300 stores in all. The company has made it clear to employees and shareholders that it’s poised for growth and will continue its European growth. In the spring, it plans to move into Asia. Each of the stores is equipped with point-of-sale (POS) terminals that use Windows CE and can use Ethernet to upload the day’s information to the servers at your headquarters office. Also, the back room of each store has a Windows 95 workstation that the manager can use to send e-mail, maintain corporate spreadsheets, and enter sales and ordering information into the proprietary client/server GUI that talks to the headquarters office SQL Servers. Because the company tries to be prudent in its enterprise connectivity, the speed of the connections from the retail stores to headquarters often isn’t all that impressive. Your charge is to update the network to Windows 2000 without hindering the POS terminals (which work fine). You are also supposed to consider whether to get rid of the client/server GUI and replace it with a terminal server connection to a very high-speed server at HQ (which would also run the GUI), minimizing the speed problems that managers experience at peak load times.
Problem Statement
Your biggest problem is that you’re not sure whether the terminal server component is necessary. Yes, it’s a pain in the neck to prepare new updated machines for periodic replacements for the managers, but on the other hand, you’re not convinced that the terminal server method is all that it’s cracked up to be either.
Envisioned System Overview
Your boss, the CIO, has told you that she would really like to see this terminal server thing work. But if it doesn’t seem plausible, the next best thing would be to adopt a plan for steadily migrating the manager PCs to Windows 2000 Professional, which would require a hardware upgrade on two-thirds of the computers.
CIO “We’ve looked at the usage patterns of our managers. In most cases, managers don’t sign in to the database system until well after closing, often right around midnight, and it just absolutely hammers the system. We get lots of complaints that managers think they could go home earlier if the network wasn’t so slow and if the GUI didn’t crawl along. We think the terminal server part of Windows 2000 will really help this part of it. Obviously we can’t control when managers find the time to be able to log on and work, but we can try to make things faster. But if I can avoid updating all those computers at once, I’d rather go that route. Changing out managers’ PCs is a very expensive proposition.”
Availability
The system has to be up around the clock. Managers have the ability to come in any time in order to enter the day’s work. You’ve had some fairly serious outages in the past, and managers aren’t happy about it because it means they have to make double the entries the following night.
Maintainability Overview
You have to admit that the maintainability of the terminal server component would provide fewer hassles for the NT admins. If they only had to change one GUI instead of thousands, life might be easier for them. On the other hand, you need the terminal server client anyway, so you’re not sure if there’s a difference there. You could use Windows Installer and group policy objects (GPOs) to download the GUI updates on a regular basis, so the jury’s still out on the terminal server component.
CIO “As you’re probably aware, the managers have, in times past, managed to delete the GUI, and we’ve had hassles getting a copy to them so they can work again. If you can make sure that the managers can’t shoot themselves in the foot this way, then I’d be amenable to looking at keeping the GUI and not going forward with the terminal server solution.”
Questions
1. What is the end user’s primary work need? In the following chart, order the work needs of the end users from highest priority to lowest.
Work Need
    Improved hours
    Faster WAN connectivity
    Better performing computers
    Ability to work during the daytime hours
    Round-the-clock support
    No loss of data
2. What would you say is the main usage pattern in this complicated network?
A. Round-the-clock usage
B. Between the hours of midnight and 3:00 a.m.
C. Between the hours of midnight and 8:00 a.m.
D. Between the hours of 6:00 p.m. and midnight
3. How would Windows 2000 terminal server services improve the WAN connection speed?
A. Less data travels across the network.
B. There’s more security for NT admins.
C. Only one GUI update is required when new GUIs are written.
D. Managers could keep PCs longer.
NT Admins “We’ve been downloading the GUI through logon scripts for years now. The process works fine. If you have a better method, we’ll take a look at it.”
4. How does this Windows 2000 rollout affect the company’s above-average growth plans? Choose as many reasons as apply.
A. The terminal server implementation would help facilitate growth.
B. Using Windows Installer to provide updated GUIs would help facilitate growth.
C. There is no effect on the company’s growth plans.
D. The terminal server implementation would adversely affect growth.
5. What is the biggest technical-support hurdle you have to overcome?
A. Testing and verifying that terminal server is a viable approach
B. Testing the installation of new GUIs via Windows Installer
C. Curbing slowness on the WAN as managers log on
D. Preventing hackers from getting into the system
Answers
1. See the following chart:
Work Need
    Faster WAN connectivity
    Improved hours
    Round-the-clock support
    No loss of data
    Better performing computers
    Ability to work during the daytime hours
While the answers are subjective, the main problem is the speed with which managers can file their order-entry work. Terminal servers might indirectly improve WAN connectivity because you’d be moving the network from 2-tier client/server to thin-client/server.
2. B. C looks like it might be a correct answer too, and indeed there might be some managers who are logging on after 3:00 a.m., but that’s probably because the network isn’t available until then because it’s so heavily in use. It’s probably safe to say that managers don’t want to stay that late. Answer B is the most predominant usage pattern.
3. A. Windows 2000 terminal server services provide the ability to run applications on a fast server and send the user the data, thus cutting down on the local PC’s processing. This would definitely trim down the WAN connection time per user because less data would have to cross the network and thus the managers could go offline sooner. The effect would be marked in terms of freeing up network bandwidth.
4. A, B. Any time you can automate processes and offload the time that it takes for technicians to visit PCs and install new software, you’ve augmented the network’s capability to grow. This would be true of either A or B. Which is more practical is up to you.
5. C. The problem is the slowness that managers experience when they log on for the night in order to fill out their order entries. Whatever method you use to solve the problem, that’s your biggest hurdle to overcome.
Chapter 6
Analyzing the Current Disaster Recovery Strategy
MICROSOFT EXAM OBJECTIVE COVERED IN THIS CHAPTER:
Analyze the existing disaster recovery strategy for client computers, servers, and the network.
It may seem amazing that there is only one test objective listed for this entire chapter. But this objective is so all-encompassing, so full of potential detail, that you must examine it thoroughly. On top of that, this particular objective is so vital to a network’s well-being that it deserves to stand on its own. You can see that the objective has three parts: client computers, servers, and the network. You’re asked to examine the existing disaster recovery strategy, but the purpose behind this is an eye toward improvement, especially as you venture forth into the Windows 2000 environment. How will Windows 2000 help you in your quest for more disaster-proof networks? Does this new operating system provide you with more tools than you currently have in your kit? Are you adequately prepared today for any kind of disaster recovery? If not, how do you get there? Furthermore, there is some room for examination of exactly what is meant by “disaster recovery,” so this chapter starts with a discussion of the difference between that and fault tolerance. They are two very different concepts. Once these two concepts are defined, this chapter will trace their application through your system. First, we’ll delve into the topic of fault tolerance and disaster recovery for client computers, and then examine the same for servers. We’ll wind up the chapter by going over the same concepts at the network level. From a practical standpoint, you are highly interested in making sure that the network is as fault tolerant as you can make it and that you have a solid disaster recovery plan in place should the worst-case scenario happen.
Defining Fault Tolerance and Disaster Recovery
The differences between fault tolerance and disaster recovery have been known in the mainframe, VAX, Unix, and AS/400 worlds for decades. The differences between the two are vital to you and your network. So before we go forward with a discussion of the components in your network and how you apply fault tolerance and disaster recovery techniques to them, we need to clarify the differences so you know what operational platform we’re on when we talk about the two.
Defining Fault Tolerance
Providing fault tolerance means assuring that a system is protected from some sort of catastrophic event, be it a disk failure, power outage, or other anomaly. Systems might need to be protected from several different kinds of failures or anomalies, so it’s possible that you’ll have to apply many different techniques in order to assure yourself that a given computer or system component is adequately covered. Fault tolerance is like an insurance policy that you give to yourself—making sure that, in the event of a failure of some kind, your computers and system components keep running until you can fix them. There are many different methodologies you can employ in fault-tolerance planning. We’ll discuss these methods throughout the chapter, and we’ll include fault-tolerance methodologies used by Windows 2000 to help you move toward your goal of a reliable, fault-tolerant network.
Redundancy
When possible, add redundant features to the servers and workstations that require it. Dual power supplies, for example, are an excellent idea in servers. In addition, you can often equip network components such as routers and switches with a redundant power supply (RPS). You run a second cable from the extra socket on the back of the switch or router to the RPS. Then, if the device’s power supply fails, the RPS takes over and alerts administrators that this has happened. An RPS itself has two power supplies. Of course, all of this redundant-power backup work does no good if your computer room isn’t hooked to a generator and the power goes out. Using multiple cooling fans in devices is another example of redundancy.
Redundant Array of Inexpensive Disks (RAID)
It should be fundamental network administration for server hard drives to be hooked to a RAID array controller card, and either a mirror (RAID 1) or RAID 5 array should be implemented on the disk set. Yes, purchasing a hardware RAID array controller card will add another $1,000 or so to the server bill, but it’s worth it. Not only will the fault tolerance of the server improve, but throughput will improve as well, due to the addition of the disk I/O management capabilities of the RAID array card. Some high-end servers have drive bays that are hooked to two different on-board SCSI (not RAID array) adapters. As a result, you can set up several drives on drive bay A, for example, and several on drive bay B (as illustrated in Figure 6.1). If the SCSI adapter goes on drive bay A, where is your fault tolerance? You need that RAID array controller card! If you purchase two RAID cards for such a high-end server, hook one to drive bay A and one to drive bay B; then you’d have fault tolerance.
FIGURE 6.1 Modifying a server with a RAID card. Upper diagram: the motherboard’s embedded SCSI A and SCSI B adapters, with SCSI A cabled to drive bay A and SCSI B cabled to drive bay B. Lower diagram: a RAID array card between the motherboard and both drive bays.
A high-end server typically includes two SCSI adapters embedded in the motherboard. A SCSI cable connects drive bay A and another connects drive bay B, as shown in the upper diagram in Figure 6.1. If SCSI adapter A on the motherboard fails, drive bay A goes down, but drive bay B could continue working. The problem here is, if the operating system is on drive bay A, it doesn’t matter whether drive bay B is working or not! Where’s the single point of failure (SPOF) in this picture? Actually, you have three: the motherboard and each embedded SCSI adapter. If a drive in any of the bays goes out, the data on it is lost. If you change this server by adding a two-channel hardware RAID array controller card (illustrated in the lower diagram in Figure 6.1), you can now hook drive bay A’s cable to the first channel on the card and drive bay B’s to the second channel. Then you can mirror the two drive bays and create different arrays within that mirror as you see fit. You gain two benefits from such a method. First, fault tolerance is drastically improved because the drives are mirrored. Second, disk I/O is managed more effectively. You still have two SPOFs: the motherboard and the RAID card. You could clear up the RAID card SPOF by simply adding one more RAID card. You won’t be able to get rid of the motherboard SPOF without clustering. The basic RAID configurations that you’ll be interested in are RAID 1 (mirroring) and RAID 5 (striping with parity). Often you might want to mirror the drive the operating system is installed on, so you implement a mirror. Both RAID 1 and RAID 5 are good, but you’re better off on a RAID 5 array because access is faster and it doesn’t burn as many hard drives.
Windows 2000 Server supports software RAID. While software RAID isn’t as fast or as foolproof as hardware RAID, it comes free with the operating system.
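To check the SPOF counts for the layouts in Figure 6.1 mechanically, here is an added Python model (not from the book) that treats each disk, adapter, RAID channel and the motherboard as a component and reports every single failure, and every fatal pair, that leaves a volume unreachable. It assumes one representative drive per bay and uses names such as bayA_disk and raid_1 that are ours, so the unmirrored layout also lists the two bare drives as SPOFs alongside the three the text names.

```python
"""SPOF enumeration for the server layouts in Figure 6.1 (added example, not
the book's own code).  A server holds volumes; each volume has one or more
copies, and a copy lives on a disk reached through one controller (an
embedded SCSI adapter or a RAID card channel).  Everything needs the
motherboard.  Component and volume names below are ours, not the book's."""
from dataclasses import dataclass
from itertools import combinations
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple

Failed = FrozenSet[str]
UpFn = Callable[[Failed], bool]


@dataclass(frozen=True)
class Copy:
    disk: str        # a drive in bay A or bay B
    controller: str  # the adapter or RAID channel it is cabled to


class Server:
    def __init__(self, name: str, volumes: Dict[str, List[Copy]]):
        self.name = name
        self.volumes = volumes

    def _id(self, part: str) -> str:
        return f"{self.name}.{part}"

    def components(self) -> FrozenSet[str]:
        parts = {self._id("motherboard")}
        for copies in self.volumes.values():
            for c in copies:
                parts.add(self._id(c.disk))
                parts.add(self._id(c.controller))
        return frozenset(parts)

    def up(self, failed: Failed) -> bool:
        """True while the motherboard works and every volume keeps at least
        one copy whose disk and controller both survived."""
        if self._id("motherboard") in failed:
            return False
        return all(
            any(self._id(c.disk) not in failed and self._id(c.controller) not in failed
                for c in copies)
            for copies in self.volumes.values())


def spofs(components: Iterable[str], up: UpFn) -> List[str]:
    """Components whose failure alone takes the system down."""
    return sorted(c for c in components if not up(frozenset([c])))


def fatal_pairs(components: Iterable[str], up: UpFn) -> List[Tuple[str, str]]:
    """Pairs that are fatal together although neither one is a SPOF
    (the 'two drives go bad at once' case)."""
    comps = sorted(components)
    singles = set(spofs(comps, up))
    return [p for p in combinations(comps, 2)
            if not (set(p) & singles) and not up(frozenset(p))]


def cluster(*nodes: Server) -> Tuple[FrozenSet[str], UpFn]:
    """Two boxes side by side: the service is up while any node is up."""
    comps = frozenset().union(*(n.components() for n in nodes))
    return comps, lambda failed: any(n.up(failed) for n in nodes)


# Upper diagram: two embedded SCSI adapters, nothing mirrored, OS in bay A.
EMBEDDED_SCSI = Server("srv", {
    "os":   [Copy("bayA_disk", "scsi_a")],
    "data": [Copy("bayB_disk", "scsi_b")],
})
# Lower diagram: one two-channel RAID card mirrors bay A against bay B.
MIRROR = [Copy("bayA_disk", "raid_1"), Copy("bayB_disk", "raid_1")]
ONE_RAID_CARD = Server("srv", {"os": MIRROR, "data": MIRROR})
# The text's next step: a second RAID card, one card per bay.
SPLIT_MIRROR = [Copy("bayA_disk", "raid_1"), Copy("bayB_disk", "raid_2")]
TWO_RAID_CARDS = Server("srv", {"os": SPLIT_MIRROR, "data": SPLIT_MIRROR})


if __name__ == "__main__":
    for srv in (EMBEDDED_SCSI, ONE_RAID_CARD, TWO_RAID_CARDS):
        print(spofs(srv.components(), srv.up))
    print(fatal_pairs(TWO_RAID_CARDS.components(), TWO_RAID_CARDS.up))
    comps, up = cluster(Server("n1", TWO_RAID_CARDS.volumes),
                        Server("n2", TWO_RAID_CARDS.volumes))
    print(spofs(comps, up))  # [] once the motherboard is no longer shared
```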
Clustering
The technique of clustering is old and proven in mini-computing environments. In PC networks, the methodology is much newer. Microsoft’s first foray into the world of clustering came about with Microsoft Cluster Server, which was only available on Windows NT 4 Enterprise. Clustering is an integrated component of Windows 2000 Advanced Server and Datacenter Server; you simply install, enable, and configure. It’s not available with Windows 2000 Professional or Windows 2000 Server.
The concept of clustering is that you have two identical computers standing side by side. They can talk to each other through a heartbeat cable that connects them. Clustered servers often follow one of two paradigms: Both cluster boxes talk to a single RAID array (such as in an EMC cabinet), or they’re both identically configured with the same applications. Clustering works best with file servers or with cluster-aware applications; it does not work well with devices that require special hardware additions where the systems are specifically addressed by applications. Clustering in Windows NT is something that didn’t garner a whole lot of usage. The jury’s still out on whether Windows 2000 clustering will catch on or not.
Power Conditioning and Power Protection
Power conditioning and power protection are related to your need to provide steady power flow to the servers. Power conditioning is making sure that the incoming power does not fluctuate too much because power spikes are not healthy for electronic equipment. Power protection is when you have a backup power source in case your building loses power. Implementing an uninterruptible power supply (UPS) is a good example of power conditioning and power protection.
Power Generation
Some companies go so far as to provide backup power generators for their server rooms so that even if there is a prolonged power outage, the servers can be gracefully downed instead of experiencing an abrupt shutdown.
Defining Disaster Recovery
Where fault tolerance means building in protection against emergencies, disaster recovery (DR) is making and testing a plan for the complete restoration of critical systems in the event that a catastrophe happens. Suppose, for example, that a huge flood hits your company. The server rooms are totally flooded out, as are the switch closets and the majority of the user workstations. The floodwaters are so high that essentially everything is under water. This may be good news to some users because they don’t have to go to work for a while, but to you it means chaos and disaster. How are you possibly going to replace all of those servers? More accurately, how are you going to replace the data that’s on them? That’s where DR comes in to play. It is not good enough to have a DR plan; it’s vital that you also periodically go through a DR test so your plan makes sense and includes recent changes. Of the two elements of physical network security, DR is by far the more esoteric to try to accomplish and, though probably never needed, will be the most important if that catastrophic day ever arrives.
Disaster recovery is also called fault recovery.
You can employ some interesting DR techniques. For example, you can create a sophisticated setup where you copy the data on your network, in real time, to another repository using a utility like Legato Octopus (www.legato.com). Real-time data mirroring, as this is called, allows for data to be copied from one server to another, preferably one that’s offsite, in order to protect that data. There are variations on this theme, but it’s a good (and expensive) DR strategy. Recovering from backups is another part of a good DR plan. Tape backup operators, the administrators who maintain the system, are charged with making sure that the backups are reliable and that they occur on a regular basis. The majority of corporate backup systems are not very reliable; backups are missed, and if managers only knew how poorly they were backed up, they wouldn’t sleep well at night. Yes, there are solid, reliable implementations of backup operations, but they’re reliable because they require meticulous care and maintenance and somebody (or lots of somebodies) makes sure they get it. As you might imagine, you cannot simply set up a backup system and then ignore it. These systems require a plan for backing up the servers and critical workstations on your network; this plan must be revisited frequently because your network changes almost constantly. Many tape backup systems require that you install a software agent on each computer.
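As an added example (not from the book) of the periodic check the text says backup systems need, here is a Python audit that reconciles a host inventory with backup-job log lines and reports hosts with no agent, hosts never or too long ago backed up, hosts whose jobs keep failing, and hosts that appear in the logs but not in the plan. The inventory, hostnames and log format are constructed for this example and are not any backup product’s real format.

```python
"""Backup-coverage audit for a DR review (added example, not the book's
code).  Reconciles a host inventory with nightly backup-job log lines and
reports the gaps the text warns about.  Hostnames, the inventory and the log
format are constructed for this example, not any backup product's format."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed inventory: hostname -> (role, backup agent installed?)
INVENTORY: Dict[str, Tuple[str, bool]] = {
    "hq-sql01":   ("SQL Server",        True),
    "hq-file01":  ("file server",       True),
    "hq-print01": ("print server",      True),
    "hq-dc01":    ("domain controller", True),
    "eng-ws17":   ("engineering ws",    False),  # critical data, no agent
}

# Constructed job log, one "date time host OK|FAILED [detail]" per line.
LOG = """\
2002-03-01 23:05 hq-sql01 OK
2002-03-01 23:40 hq-file01 OK
2002-03-01 23:55 hq-print01 OK
2002-03-02 23:06 hq-sql01 OK
2002-03-02 23:41 hq-file01 FAILED tape write error
2002-03-03 23:04 hq-sql01 OK
2002-03-03 23:42 hq-file01 FAILED tape write error
2002-03-03 23:50 hq-web02 OK
"""
REVIEW_TIME = datetime(2002, 3, 4, 8, 0)  # the morning after the last run

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (OK|FAILED)(?: (.*))?$")


@dataclass
class HostStatus:
    last_ok: Optional[datetime] = None
    consecutive_failures: int = 0


def parse_log(text: str) -> Dict[str, HostStatus]:
    """Fold the job log into per-host status; malformed lines are skipped."""
    status: Dict[str, HostStatus] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        st = status.setdefault(m.group(2), HostStatus())
        if m.group(3) == "OK":
            st.last_ok = when if st.last_ok is None else max(st.last_ok, when)
            st.consecutive_failures = 0
        else:
            st.consecutive_failures += 1
    return status


def audit(inventory: Dict[str, Tuple[str, bool]], status: Dict[str, HostStatus],
          now: datetime, max_age: timedelta = timedelta(days=1),
          fail_limit: int = 2) -> Dict[str, List[str]]:
    """Coverage gaps, each as a sorted host list:
    no_agent      in the plan but nothing can back it up
    never         has an agent but no successful job on record
    stale         last good backup older than max_age
    failing       at least fail_limit consecutive failed jobs
    unknown_host  in the log but not in the inventory (plan is out of date)"""
    kinds = ("no_agent", "never", "stale", "failing", "unknown_host")
    gaps: Dict[str, List[str]] = {k: [] for k in kinds}
    for host, (_role, has_agent) in inventory.items():
        if not has_agent:
            gaps["no_agent"].append(host)
            continue
        st = status.get(host)
        if st is None or st.last_ok is None:
            gaps["never"].append(host)
        elif now - st.last_ok > max_age:
            gaps["stale"].append(host)
        if st is not None and st.consecutive_failures >= fail_limit:
            gaps["failing"].append(host)
    gaps["unknown_host"] = [h for h in status if h not in inventory]
    return {k: sorted(v) for k, v in gaps.items()}


def run_audit() -> Dict[str, List[str]]:
    """Run the audit over the constructed inventory and log."""
    return audit(INVENTORY, parse_log(LOG), REVIEW_TIME)


if __name__ == "__main__":
    for kind, hosts in run_audit().items():
        if hosts:
            print(f"{kind:13s} {', '.join(hosts)}")
```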
Establishing Fault Tolerance and Disaster Recovery for Client Computers
Every day, users log on, pound away at the keyboard, and save files—some of them to the network, some of them to the client computer hard drive. How much company-critical data is on client computers, data that’s not being stored on backed-up file servers? If the entire network were to experience a flood like the one described in the previous section, how much of that client computer data is irreplaceable? We’re not talking about the user’s resume or that cooking shareware that he downloaded one day or the millions of joke e-mails that she saved in her PST file. We’re talking about the end-of-year report that Bob the controller was working on and failed to save to a file server before the weekend that the flood hit. How about the price sheet that the sales office spent an entire week working up and that, unfortunately, was saved to a client computer hard drive that wasn’t being backed up? You were flooded, and the price sheet is just a bunch of soggy bits now. Just before the flood, the engineers were prototyping a new technology they were getting ready to roll out to production. The schematics were still on Joanne’s hard drive and hadn’t yet been uploaded to the SQL Server repository. One of the developers had whipped up a neat little JavaScript applet that he was going to implement on the company’s web site on Monday. He hadn’t saved it to the network, though, and now he has to reinvent the code. What do you do with client computers that contain company-critical information? Yes, the users should have been saving critical data to the file servers. However, that’s not always the case, and you are the caretaker of the company’s data. It’s true that you can’t be everywhere all the time, knowing what everyone is saving, but it’s also true that you can make a protracted effort to assure yourself (and the company) that critical data like this is taken care of. So let’s see if we can put our heads together and come up with some ways to handle these situations so you’re protected next time.
Microsoft Exam Objective
Analyze the existing disaster recovery strategy for client computers, servers, and the network.
Step one will be to look at user behavior (using the information discussed in the previous chapter). Hopefully, you’ve examined your user behaviors, and you know who your power users are—the critical ones who save lots of important files to the local disk. You have to target these individuals first, making sure that you have some fault-tolerance methodologies in place for them.
Step two is to communicate strongly with your users. Make sure that all end users understand that company-critical data needs to be saved to file servers, not to the local, unprotected drive. You can do this in a variety of ways: periodic cautionary e-mails, one-on-one conversations, company meetings, training opportunities. The word needs to be put out repeatedly that users must save critical files to backed-up environments. Some users won’t understand what you’re talking about, so it’s always good for network managers to take the extra time to explain to naïve end users what is meant by saving the files to a network drive and then show them how to do it. Most users are usually anxious to be sure they help maintain a safe computing environment, but often they just don’t know how to help.
Implementing Fault Tolerance on Client Computers
What kinds of things can you do to the local end-user computer to make it more fault tolerant? Are there steps that you can take to make sure that crashes don’t occur as frequently, files are not lost, and data is backed up? Indeed, you can take several steps to minimize the danger to your end users.
Fault-Tolerant Workstations
Most end users don’t require fault-tolerant workstations, but some do, like your developers, engineers, legal people, accountants, marketing folks, and other power users like them. When I say “fault-tolerant workstation,” I don’t mean giving the user a personal tape backup unit hooked to their computer. I mean that you might consider a SCSI-based high-end workstation equipped with a RAID array card, with added multiple hard drives in a mirror or RAID 5 array. I do not pretend to advise you that all users should be so equipped, but your power users are worthy of such consideration.
IntelliMirror
Windows 2000 Professional workstations operating in Windows 2000 Server environments lend themselves very well to the IntelliMirror concept. The idea behind IntelliMirror is that while you’re hooked to a network, the system is keeping track of changes and synchronizing the local copy. If the network goes down or you take your laptop home, you have a local copy to work on. Then, when you get back to work, the files synchronize up to the server and you’re back to working on a network copy. The only problem with IntelliMirror is that it has the potential to be very bandwidth intensive, and networks that don’t already have excess bandwidth might find themselves burdened with the extra load.
Editing Work on Server-Based Home Directories
All users should be provided with a home directory on a server—a place where they can keep important work files. These home directories should be part of the nightly tape backup jobs. That way, if a user somehow deletes a file or it becomes corrupt, you can then restore the last good backup of that file back to the home directory. This technique has been in use for years. There are two problems associated with this technique. The first problem is that administrators may not provide adequate disk space for their users to keep all the files they want to save in their home directories. Windows 2000 provides quota management software that allows you to limit users’ disk space. Quotas are a good thing, but they can unnecessarily restrict users in some cases. Quotas are best for users who like to copy non-business files to the server, and wind up using space that’s better reserved for files necessary to the workplace. A second problem with the home directory technique is that users often don’t make use of the space. This is a training issue; make sure the users know what the home directory is for and how to use it properly.
Installer-Based Applications
Any applications installed using the Windows Installer will be a blessing for administrators. If, for some reason, the user decided to delete, say, Office 2000’s Winword.exe, the Installer can put the file back. The Installer is a Windows 2000 service, not an application-generation tool. You’ll need a way to generate .msi files that you can download to Windows 2000 users, and then the Installer will handle the rest.
Windows 2000 Server and Professional disks come with a light version of Winstall by Veritas, which creates MSI files (cd\valueadd\3rdParty\mgmt\winstle). For more functionality, you can buy the full version of this or other packaging software.
Policies and Group Policy Objects
Lots of network administrators have discovered the beauty of policies on Windows NT workstations. When a user logs on, they automatically launch a policy that locks them out of administrator-defined critical areas of the computer. In the Windows 2000 arena, you use group policy objects (GPOs). GPOs are policies that run in Active Directory and are easier to administer than the old Windows NT 4 policies.
Windows File Protection
Application installation programs are not allowed to write to the Winnt\System32 directory. By default, Windows File Protection will allow a temporary overwrite of a critical system .DLL file, but upon reboot, Windows restores the old .DLL file that was in the directory to begin with. Not only that, but applications that are trying to overwrite system files cause Windows 2000 to put up an error box telling you that this is happening and that it’s not going to be tolerated. This very cool feature helps keep application installation programs from crashing computers. What about the applications that actually require the .DLL file they’re trying to install and not the other version that’s already in the Winnt\System32 directory? Developers are granted the ability in Windows to put a tag file in the application installation’s directory and place the .DLL files there instead. This way, when the application is launched, it checks for the instance of the .DLL file in the application installation directory instead of in the system directory.
Implementing Disaster Recovery on Client Computers
Perhaps the biggest disaster recovery step you can take with client computers is a proactive one: Make sure that end users understand that critical business files need to be saved to file servers for safekeeping. Ask yourself this question when considering DR (on client computers or otherwise): “What parts of the system can I not recreate with standard techniques?” This question will help you identify absolutely critical parts of end-user systems that have no other replacement option. What is irreplaceable on these machines? The answer, of course, has to be data files. You can probably replace almost every other component of the system (drivers, the operating system, applications, etc.), but you cannot replace files that the user created. So your job is to coach users to understand that their files need to be saved to servers, not to the local machine. This might seem to contradict the earlier fault-tolerance discussions, but all the fault tolerance in the world still needs human effort. Even if your user has a RAID controller on her computer and three hard drives set up in a RAID 5 array, if two drives go bad on her computer, then you’re in trouble and the user is out of luck. IntelliMirror would come in handy in a situation like this, but you still need to have users keep files on server hard drives that are subject to regular tape backups. Another option—probably one you’d use for users who have to store highly sensitive or mission-critical data locally that must be privy to regular backups—is to install a backup agent on their PC, then regularly back them up over the network. This methodology often leads to turf wars and jealousy about who’s being backed up, but it is a viable option.
Packaging Applications
In the midst of your Windows 2000 design, you begin to realize that part of your fault-tolerance methodology will be to “push” software-installation packages to users instead of using the old manual method, where PC technicians visit the computers and run through a personal installation procedure. This kind of hands-on application installation takes time, costs lots of money, and is somewhat error-prone. Because you recently upgraded to a 1000Base-T environment, the network’s bandwidth can support the extra load that this packaging effort might create. You purchase a third-party repackage utility that can create .msi files and decide that all new packages will be packaged as Windows Installer files so that you can advertise them to your Windows 2000 Professional users. Which packages will get this treatment? Any software, registry keys, or files that you need to drop on the user’s hard drive and that the Installer can guarantee will be replaced if accidentally deleted.
This methodology, of course, requires Windows 2000 Professional workstations. It also requires that you understand how to package files using repackaging utilities (something that’s not hard to learn). As technology progresses, you should have an easier time with things like mass installations of software. Windows 2000 takes a major step toward that objective by providing Windows Installer. As .msi packages become more popular, this technology will do nothing but improve your network administration experiences.
Implementing fault tolerance and disaster recovery on workstations is certainly not a bad idea. However, it can quickly get expensive. For the most part, your users’ workstations are going to be fairly homogeneous. If one of them crashes, it’s easiest to repair the hardware (if necessary) and use a disk-imaging product to blow down a new copy of their operating system. If the users are storing their files on the network servers, the reinstallation process is quick and simple. The key for you is to get the users to store their files on the server, where you can back them up.
Establishing Fault Tolerance and Disaster Recovery for Servers
Now we come to a subject with much more depth: How do you provide fault tolerance and solid DR techniques to servers? With servers you’ll find that you cannot make unilateral decisions the way you can with workstations. You must examine each server separately, recording the software that is installed on the computer and then making decisions about the fault-tolerance and DR methodologies you’ll put in place for that server. While establishing fault tolerance and DR on client machines is a nicety, implementing it on servers is critical to the well-being of any network. Failure to employ proper fault-tolerant or DR solutions on network servers can cause the death of a company.
Chapter 6
Analyzing the Current Disaster Recovery Strategy
Implementing Fault Tolerance on Servers

You’re working with a print server that was a Windows NT 4 server in a previous life, but it has had a Windows 2000 Server upgrade. There are about 30 printers set up on the computer using LPR ports. (In Microsoft terminology, “printer” means the logical print queue you’ve set up on the server; “print device” is the actual physical printer itself.) There are no other exotic services running on the computer, nor are there any applications. This server is a print server and nothing more. Before you upgraded the computer, you checked the HCL for this product and found that it was fine. You did a quick check of the hardware that’s installed and found the box to be RAM-starved. So you purchased a second DIMM for the computer, boosted its RAM up a bit, and installed Windows 2000. The computer has two hard drives that are put together in a mirror using software RAID. Is there something wrong with this fault-tolerance picture? If anything, it’s the software RAID portion of the computer. Purchasing the RAM was a fine idea, but you also need to purchase a hardware RAID array controller card. The hardware RAID controller will give some added I/O performance, but more important, you’ll get increased comfort knowing that hardware is handling the mirror and not software. Generally, hardware RAID is more reliable than software RAID.

Besides the techniques discussed for client computers, there are extra things that you can do for servers. Two techniques that can really go a long way toward bringing fault tolerance to a high level in servers are redundancy and clustering. For example, in the print server mentioned earlier in this section, what else could you do beyond providing a hardware RAID card and setting up a mirror to make sure that the computer didn’t fail? Would dual processors help provide fault tolerance? Absolutely! While you would only gain marginal increases in performance (because Windows networking printing is predominantly a RAM thing), if the CPU died for any reason, you could remove the dead processor and get by with a single processor for a time. Now, is it worth it to go to the expense of purchasing a dual-processor computer for a print server? That’s a question you’re going to have to answer, but it’s obvious that a print server with 40 printers on it is busy and will be sorely missed if it’s out of service for any length of time at all. Would dual power supplies be useful in a print server? Again, it’s obvious that if one power supply failed, you’d save users a lot of grief if another could keep the computer running until you had a chance to down it (after hours, of course) and replace the power supply.
Hopefully these two examples have helped you think about the fault-tolerance advantages of something as simple as redundancy. The phone company has a very reliable system. It’s not that way because they purchase really good gear. It’s reliable because they have redundancy upon redundancy built into their systems. You most likely don’t need to emulate the reliability of phone systems. You probably don’t have the money for it, nor is it necessary. But just a little bit of redundancy applied judiciously to servers that are highly utilized will go a long way toward making your end users feel safe when they use the network.

Clustering is a more complicated and detailed task. Use clustering for a mission-critical file or applications server that you can’t afford to lose for any amount of time. Here’s the scenario: Users are on computer A and working happily along. Computer A goes down, for whatever reason; the cluster software sees the failure and immediately transfers operation to server B. This event is called a failover. Failover usually takes several minutes, so users will definitely see a small problem. It’s supposed to happen so fast that users don’t see anything unusual, but even if users see a temporary delay, clustering will save the day because inevitably the failed process does come back up and users can continue working. Windows 2000 Advanced Server and Datacenter Server support clustering.
Implementing Disaster Recovery on Servers

Almost all administrators know a lot about fault tolerance; the techniques have been taught for years now. But something that few admins talk about, something as important as fault tolerance, is the idea of coming up with a great DR plan. You want a plan so solid and so tested that, if the day ever comes when the network completely dies, you’re ready to bring everything up from the ashes. That’s the heart and soul of DR. The question’s an important one: What will I do if something catastrophic happens and I need to get this network running again with nothing but a handful of backup tapes? Of course, backups are absolutely important to a DR plan. They’re all you have at your disposal when your servers are sitting there smoking, with the water from the fire sprinklers still dripping off them. (Actually, most computer rooms should be equipped with halon fire protection, but the water picture really drives the point home.) That and a plan. But what if you’ve never actually practiced restoring things from tape? What if you’re not really sure that you can pull it off, that the SQL Server module you’ve been trusting all this time really isn’t working? What do you do now that your CIO is staring at you with that vacant, hungry stare on his face, hoping against all that is good that you can make the company’s data rise again?

The real key to DR is in the regular planning and execution of a DR plan. You design a DR plan, and then you test it to make sure it’s going to work. Here are some simple steps to take:

1. Write down the components that make up your server farms. Write down each server’s name, its critical configuration information, the applications and services running on it, and its hardware configuration. You need to know what was on the servers in order to recreate them.

2. Get your backup jobs running in a trustworthy fashion. If you have problems with the backup jobs, figure out why and fix the problem. Make sure that your backups are executing as planned, day in and day out. That’s a tall order and may require a dedicated person in larger enterprises. Backups require a regular calendar, documentation of the jobs that are set up on the system, and absolutely rigorous attention to maintenance and detail of the system. Make sure the tapes are routinely rotated offsite.

3. It would be wonderful if you had image CDs that you’d burned for each server and could use in a DR pinch to get servers quickly back up and running. The problem with image CDs is that you have to regularly update them so they’re current, and you must have an offsite copy of the image software, just in case you need it to create a boot disk to restore the image from.

4. Test your recovery theory. Set up a couple of restoration servers that closely mimic the real-world environment and practice restorations on those computers. (A restoration that’s directed to a different computer is called a redirection.) This step may require that you have users standing by ready to test the redirected application to make sure that it works okay. Schedule a restoration drill every quarter or so, just to make sure that you’re in top form.

5. Finally, write down the steps you’ll take if there ever is a disaster. Specify in detail exactly what you’ll do, how you’ll recreate the servers, where the tapes are, what applications need to be restored first, and how you’ll validate that things are working correctly.
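Steps 1 and 2 call for a server inventory and for proof that the backup jobs really succeed and that the tapes go offsite. The following Python script is an added example, not code from the book or from any backup product it mentions; it cross-checks a constructed server inventory against constructed backup-job log lines (the log format, server names and tape labels are assumptions) and reports every server that would leave a hole in a restore.

```python
"""Backup-job verification for a DR plan (added example, not from the book).

Every component in a restore depends on two things the plan above asks for:
an inventory of what each server runs, and evidence that its backup jobs
succeed day in and day out with the tapes rotated offsite. This script
checks one against the other. The log format, server names and tape labels
are assumptions made for this example.
"""
from datetime import datetime, timedelta

# Constructed inventory (step 1): server name -> what it runs.
INVENTORY = {
    "EXCH01": ["Exchange Server"],
    "SQL01": ["SQL Server"],
    "PRINT01": ["print spooler"],
    "FILE01": ["file shares"],
}

# Constructed backup-job log (assumed format, one run per line):
# <date> <time> <server> <job> <SUCCESS|FAILED> tape=<label> offsite=<yes|no>
BACKUP_LOG = """\
2002-03-01 22:05 EXCH01 full SUCCESS tape=EXC-0301 offsite=yes
2002-03-02 22:05 EXCH01 full SUCCESS tape=EXC-0302 offsite=yes
2002-03-03 22:05 EXCH01 full SUCCESS tape=EXC-0303 offsite=yes
2002-03-02 23:10 SQL01 full FAILED tape=SQL-0302 offsite=no
2002-03-03 23:10 SQL01 full FAILED tape=SQL-0303 offsite=no
2002-03-03 22:30 FILE01 full SUCCESS tape=FIL-0303 offsite=no
this line is garbage and must not count as a backup
"""


def parse_log(text):
    """Turn each well-formed log line into a dict; malformed lines are skipped."""
    runs = []
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) != 7 or not parts[5].startswith("tape=")
                or not parts[6].startswith("offsite=")):
            continue  # not evidence of a backup, so it must not count as one
        date, time, server, job, status, tape, offsite = parts
        runs.append({
            "when": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"),
            "server": server,
            "job": job,
            "ok": status == "SUCCESS",
            "tape": tape.split("=", 1)[1],
            "offsite": offsite.split("=", 1)[1] == "yes",
        })
    return runs


def check_backups(inventory, runs, now, max_age=timedelta(days=1)):
    """Map each inventoried server that has a problem to its list of problems.

    A server is a DR liability when it has no backup job at all, when every
    recorded run failed, when its last successful run is older than max_age,
    or when the tape holding that last good run has not been rotated offsite.
    """
    findings = {}
    for server in inventory:
        problems = []
        mine = [r for r in runs if r["server"] == server]
        good = [r for r in mine if r["ok"]]
        if not mine:
            problems.append("no backup job found")
        elif not good:
            problems.append("every recorded run failed")
        else:
            last = max(good, key=lambda r: r["when"])
            if now - last["when"] > max_age:
                problems.append(f"last good backup ({last['when']:%Y-%m-%d}) is stale")
            if not last["offsite"]:
                problems.append(f"tape {last['tape']} not offsite")
        if problems:
            findings[server] = problems
    return findings


def audit(now_text="2002-03-04 08:00"):
    """Run the check as of a constructed clock reading (the morning after the jobs)."""
    now = datetime.strptime(now_text, "%Y-%m-%d %H:%M")
    return check_backups(INVENTORY, parse_log(BACKUP_LOG), now)


if __name__ == "__main__":
    for server, problems in sorted(audit().items()):
        print(f"{server}: {'; '.join(problems)}")
```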
Some companies use third-party DR specialists to help them with all the details involved in a complete DR plan. But no matter how you do it, somebody needs to take charge of DR in your network. The more complicated the network becomes, the more you need a DR plan.
Retrofitting Windows NT 4 Servers to a Fault-Tolerant Windows 2000 Network

You’ve taken a serious look at every piece of your network: servers, infrastructure, applications, everything. You find that a couple of your more important servers are woefully lacking in fault tolerance. Specifically, you have an Exchange Server that you’re very worried about. It has SCSI drives in it, but they’re not on any kind of RAID array whatsoever. Furthermore, your print server is on a desktop PC—not even a server—and it has one single, solitary IDE drive in it!

Upgrading the Exchange box is going to be really ugly. First, you have to back the computer up to tape. Then you must install the RAID card, then format the drives using the RAID card’s utility. Next, you restore from tape. Sounds like it’s fairly easy, but there’s so much that can go wrong!

The print server’s a challenge as well. About 20 printers are set up on the server, and you have to do basically the same thing as with the Exchange Server—format and start over. How do you get the print queues moved over? That’s actually pretty simple; you copy over two registry entries and a directory. Should you handle this work before or after the Windows 2000 upgrade? There could be a hundred ways to do it, but it’s generally better for you to bring the servers up on HCL-compliant gear, then upgrade them to Windows 2000.

Even though it will take some work to make sure all of your computers have adequate fault-tolerance and disaster recovery methods in place, the effort will pay off in the long run. You may never need to use your disaster recovery strategy. But if you do, you will be beyond ecstatic that you created one.
Establishing Fault Tolerance and Disaster Recovery for the Network
Now that you have implemented fault tolerance and disaster recovery on your computers, it’s time to look at the rest of the network. We often think about what we would do if our servers were to crash, but we frequently ignore the fact that our connectivity could fall apart. If that were to happen, it doesn’t matter that your servers are still running smoothly. What good are they if no one can connect to them? Let’s now dive into the techniques you can use to provide fault tolerance and disaster recovery on the network and its infrastructure. The techniques are somewhat similar to what you would see for computers. Redundancy is the primary key to network fault tolerance, but there are other techniques that you can employ on the network that you wouldn’t employ on the servers.
Implementing Fault Tolerance on the Network

The key components for routers, switches, and hubs are redundant parts. Think for a minute about a switch sitting inside a switch closet like the one in Figure 6.2—one that’s connected to your core switch back in the main computer or network room. What’s the main SPOF that this switch is likely to experience?

FIGURE 6.2 A common switch closet layout (diagram labels: fiber-optic multi-mode (MM) cable to the server or network closet; MM uplink card; closet switches, 100Base-T; 100Base-T Cat5 cables to users)
Typically, you purchase uplink cards that match the type of cabling you have for the backbone. In the example illustrated in Figure 6.2, you’re running multi-mode fiber from one closet switch to the core switch in the server room. The core switch is usually a chassis-based cabinet that has multiple cards in it for different purposes. In this instance, you have at least one multi-mode card in the chassis so that it can accept multi-mode cables coming in from the closets. Beneath the main 100Base-T switch that has the uplink card in it, you have two other 100Base-T switches. You run a cable from the RJ45 port on each switch to the 100Base-T port on the uplink switch; the other ports go out to users. Everything on the switches comes in at 100Base-T speeds and, in this case, leaves the uplink port at gigabit headed for the chassis switch. The switches mix the incoming data, keep the collision domains down, and guarantee each user 100 megabits per second bandwidth. It’s a pretty cool setup. Note that some switches have regular cables that allow the switches to stack one on top of another, as shown in Figure 6.2. In either case, the result is the same—users talk to the switches at 100 megabits per second, and all data that is not destined for another user on the switch is uploaded to the core switch and possibly out to a router.

But the question remains: Where is the SPOF in this design? The uplink card definitely presents the biggest problem with this design. If the uplink card goes out, three switches and multiple users are worthless until you get things fixed. Perhaps there’s an Exchange or a SQL Server at the other end of the line; users won’t be able to hit it until you repair that uplink card.

Now, you know what the next question is: How do you add some fault tolerance to this network design? The fiber-optic cable has multiple pairs inside its sheath so that if one goes out, you can easily change pairs. The switches have multiple ports so that if one goes out, it might be possible to just move the cable over one port and be on your way. But that uplink card—there’s only one of them and that’s where your problem lies. The best fix for this design would be to purchase multiple uplink cards, perhaps even one for each switch (though that’s going overboard), and then have two fiber-optic runs going into the closet. That way, if one uplink card goes out, the other can pick up the slack and users won’t notice the outage. Figure 6.3 shows the new setup.
FIGURE 6.3 Adding a redundant uplink card to the switch layout (diagram labels: fiber-optic multi-mode (MM) cable to the server or network closet; MM uplink cards, with a second uplink card and cable; closet switches, 100Base-T; 100Base-T Cat5 cables to users)
Some patch panels provide multiple backbone ports that allow for redundant links to other closets. Switches often provide a redundant link capability that you can implement to provide extra fault tolerance.
The closet switches should also have some redundancy built into them. For example, it might be to your benefit to purchase a redundant or uninterruptible power supply for the closet switches. The core switch would raise even more potential fault-tolerance design issues. You’d want to have redundant cards in it, redundant power supplies, and possibly even redundant switch engines. Your goal with network gear is to look for SPOFs, spend the extra money to eradicate them, and assure yourself that the boxes you place in the network will remain up and functional. This isn’t always possible, of course, but with just a little extra money and some planning you can greatly decrease the amount of downtime your network users run into.
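To make the SPOF hunt in Figures 6.2 and 6.3 mechanical, here is an added Python example (not from the book): it models every component of the closet, cables and cards included, as a node, takes each one out of service in turn, and reports which single failure cuts a switch’s users off from the core switch. The component names, and the extra Cat5 link between the second and third closet switches in the Figure 6.3 model, are assumptions.

```python
"""Single-point-of-failure finder for a switch closet (added example, not from the book).

Each component (closet switch, uplink card, fiber run, Cat5 patch cable,
the core switch's MM card) is a node; a physical connection is an edge.
A node is a SPOF for a group of users when removing just that one node
leaves them with no path to the core switch. Component names are
assumptions made for this example.
"""
from collections import deque


def build_adjacency(links):
    """Undirected adjacency map built from (a, b) connection pairs."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable(adj, start, goal, removed=frozenset()):
    """Breadth-first search that treats every node in `removed` as failed."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append(nxt)
    return False


def single_points_of_failure(links, users, core):
    """Sorted list of components whose lone failure isolates `users` from `core`."""
    adj = build_adjacency(links)
    if not reachable(adj, users, core):
        raise ValueError(f"{users} cannot reach {core} even with everything up")
    return sorted(
        node for node in adj
        if node not in (users, core)
        and not reachable(adj, users, core, removed={node})
    )


# Figure 6.2 as drawn: one uplink card in sw1; sw2 and sw3 each cable into sw1.
CLOSET_FIG_6_2 = [
    ("users-sw2", "sw2"), ("users-sw3", "sw3"),
    ("sw2", "cat5-sw2-sw1"), ("cat5-sw2-sw1", "sw1"),
    ("sw3", "cat5-sw3-sw1"), ("cat5-sw3-sw1", "sw1"),
    ("sw1", "uplink-card-1"), ("uplink-card-1", "fiber-run-1"),
    ("fiber-run-1", "core-mm-card-1"), ("core-mm-card-1", "core-switch"),
]

# Figure 6.3: a second uplink card (placed in sw2) with its own fiber run and
# core MM card, plus an assumed redundant Cat5 link from sw3 to sw2 so the
# third switch can also use the new path.
CLOSET_FIG_6_3 = CLOSET_FIG_6_2 + [
    ("sw2", "uplink-card-2"), ("uplink-card-2", "fiber-run-2"),
    ("fiber-run-2", "core-mm-card-2"), ("core-mm-card-2", "core-switch"),
    ("sw3", "cat5-sw3-sw2"), ("cat5-sw3-sw2", "sw2"),
]


def eliminated_spofs(before, after, users, core):
    """(SPOFs the redesign removed, SPOFs that remain) for one group of users."""
    old = set(single_points_of_failure(before, users, core))
    new = set(single_points_of_failure(after, users, core))
    return sorted(old - new), sorted(new)


if __name__ == "__main__":
    for users in ("users-sw2", "users-sw3"):
        gone, left = eliminated_spofs(CLOSET_FIG_6_2, CLOSET_FIG_6_3, users, "core-switch")
        print(f"{users}: redundant uplink removed {gone}; still exposed to {left}")
```

What remains after the redesign is the closet switch the users plug into, which is exactly why the paragraph above also asks for redundancy in the closet switches themselves.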
Implementing Disaster Recovery on the Network

The DR rules you have in place for your network aren’t going to be nearly as important as the ones you use for your servers. Why? Because if your building gets caught in an earthquake, you can always purchase more servers and restore from images and backup tapes. But a destroyed network infrastructure isn’t something you can provide much DR readiness for. Your main concern with DR on networks and network infrastructures will be in the area of redundant links on your backbone (including WAN backbones, if necessary) and with your routers and hardware firewalls. When thinking about DR for your network in the event your company’s building completely collapses, ask yourself what part of the business needs to come up first, and what next, and next after that. In other words, if your company is completely web-oriented, after you get the basic cable plant back up, the chances are that your link to your ISP is the first thing you need to establish. That means that you need a router that’s preconfigured and acting as a cold standby, probably offsite. It also means the same thing for any firewalls you may have had in operation at crash time. These are expensive solutions, but how much is a day of your company’s downtime worth? With some companies, it could mean the corporation’s demise, not to mention your job. With other companies, getting the financial servers back up on a solid infrastructure will be the primary goal. But always, your primary DR question is: What needs to be brought back up if the company’s physical structure completely goes away?

It can’t be stressed enough that you need to practice, at least once a year, a mock DR run. You need to know what steps you’re going to take if the ultimate crash ever happens. Not that it will, but it’s better to be prepared for nothing than to be unprepared for something.
Implementing Chassis Switches with Redundant Switch Engines

Working with core switches can be really scary. With an average cost of anywhere between $50,000 and $250,000, you don’t want to mess around with these switches. That’s the way I felt when I configured a 3Com ATM CELLPlex switch (now called CoreBuilder). We purchased all the parts; they arrived in separate boxes, and I had to take an hour and put them together. Although it was easy, it was frightening too, because I knew I was working with delicate electronic equipment that would cost thousands of dollars to replace if I somehow goofed up.
We purchased redundant switch engines for this switch. They were narrow little things, each fitting into a half-height slot. I put them in the top two bays of the switch. The trick was that you left one switch engine unseated and sitting a half-inch out of the chassis when you first began configuring the switch. I configured the first switch engine, then plugged the second one in. In just a few seconds, I saw a steady flashing on switch engine two and I realized that the database on the top engine had downloaded itself to the second engine! How cool! They shared the same MAC and IP addresses. If the first engine failed for any reason, the second one would kick in right away, log the failure, and send traps to the network-monitoring system. The switch also had redundant power supplies, which I fed into an RPS for good measure. There were tons of cooling fans in the chassis, so a cooling failure wasn’t as big a concern. But I felt much safer knowing that the extra money we spent ($16,000) for that redundant switch engine was not going to waste! Every day that the engines didn’t have to transfer was a great day because the gear was working as it was supposed to. It was kind of like buying a fire extinguisher: You hoped you never had to use it, but you were sure glad it was there if you ever needed it. Good fault-tolerance design means sniffing out the SPOFs and then wiping them out as best you can.
Summary
Fault tolerance and disaster recovery (DR) are two big topics in any network environment. The larger the network gets, the more intensive your fault-tolerance and DR regimens have to be. Fault tolerance is making sure that devices will still operate even if a problem happens. Fault tolerance carries with it the ideas of redundancy, backups, clustering, power conditioning, RAID, and other techniques that can keep computers up and running. Disaster recovery is all about bringing the network back up after a failure has happened. This primarily involves backups and disk images.

With client computers, you’re first forced to get users accustomed to saving data to backed-up network drives and not their local drives. Next, you identify computers that are used by power users who really need local fault-tolerance methodologies. Users like these might wind up with a power workstation hooked up with a RAID array controller card and SCSI drives. Windows 2000 IntelliMirror will help both non-power and power users to keep copies of their work even if there is a network outage. Group policies will help you lock down computers where users have had a tendency to play in ways they shouldn’t.

Fault tolerance and DR on servers involves highly proactive measures: hardware RAID, UPS systems, power conditioning, backups, and clustering. DR on servers means maintaining a server image library and practicing a disaster simulation from time to time. Network fault tolerance amounts to redundancy in both the network gear and the backbone links that connect the closets together. DR on a network includes replacing the parts that were affected by a disaster.
Exam Essentials

Understand what fault tolerance is. Fault tolerance is the idea that even if you have a system failure of some sort, the machine will keep running. This is often implemented with RAID and other redundancy, clustering, and power solutions like a UPS.

Understand what disaster recovery is. Disaster recovery assumes that the problem has already taken place, and you need to get the network or computer back up and running. Typically, disaster recovery involves using tape backups or CD-based images.
Key Terms

Before you take the exam, be certain you are familiar with the following terms:

clustering
disaster recovery (DR)
failover
fault tolerance
real-time data mirroring
redirection
redundant power supply (RPS)
single point of failure (SPOF)
uninterruptible power supply (UPS)
uplink card
Windows File Protection
Review Questions

1. You are the SQL administrator for your network. Management wants to ensure that the database is protected. To employ fault tolerance, you hook two computers together and configure them to share the database. One can take over if the other fails. What type of fault tolerance is this?
A. RAID array
B. Power conditioning
C. Cluster
D. UPS

2. You recommend to your network staff to rotate backup tapes for your servers. Included in your backup plan, you want to store backup tapes offsite. Why did you recommend this?
A. Tapes that are offsite can’t be stolen as easily.
B. Tapes that are offsite can be used to restore computers in the event of a disaster.
C. Tapes that are offsite aren’t as likely to suffer from potential erasure.
D. You won’t be as prone to try to reuse a good tape if it’s offsite.

3. You have an engineer user who keeps private patent information on his local hard drive. He absolutely will not allow you to force him to keep the files on the server, insisting that there are lots of prying eyes on the network. How can you protect this person’s data without forcing him to save it to the network? Choose all that apply.
A. Purchase a workstation with a RAID controller, two SCSI drives, and local tape backup.
B. Talk to his manager.
C. Insist that he write the files to the network.
D. Use a tape backup agent to back up his personal workstation.
4. You have network switches in two closets. There are six or eight switches in each closet, with one uplink switch that is connected to the backbone. How can you apply fault tolerance to this setup? Choose all correct answers.
A. Redundant link
B. Multiple fiber backbones
C. Resilient links
D. RPS

5. You are a network administrator for your company. Management is concerned that Windows 2000 does not support advanced fault-tolerant features. They also do not want to spend the money for hardware RAID. What two fault-tolerant RAID levels does Windows 2000 support?
A. RAID 0
B. RAID 1
C. RAID 6
D. RAID 5

6. You are the network administrator for your company. Recently, a server crashed and critical data was lost. Fortunately, the company was able to survive, even through the loss of data. In order to prevent future data loss, you are instructed to implement an inexpensive disaster recovery plan. What is the single most important disaster recovery methodology that you can implement?
A. Redundancy
B. Tape backup system
C. UPS
D. RAID
7. One of your power users, an executive who travels a lot with his laptop, understands your plea for keeping his data on a backed-up network drive, but he also needs to take current copies of his work with him on the road. What Windows 2000 feature can help you (and him) answer this need?
A. Windows File Protection
B. Terminal Server
C. IntelliMirror
D. RADIUS

8. You are planning a Windows 2000 migration on your network. Your boss is concerned that Windows 2000 does not provide adequate workstation-based security on the network. She does not want users being able to mess up their machines, causing extra help-desk calls. What Windows networking feature allows you to keep users from changing the settings on their Windows 2000 Professional computers?
A. Profiles
B. Registry entry
C. Group policies
D. Windows Installer download

9. You are the network administrator at a medium-sized agricultural products company. You report to the manager of the Finance department. He just read about clustering servers and wants to know how you can implement it on your network. What do you tell him?
A. Clustering is included as a configurable service with all Windows 2000 server products.
B. Clustering is included as a configurable service with Windows 2000 Advanced Server and Datacenter Server.
C. Clustering is included as a configurable service only with Windows 2000 Datacenter Server.
D. Clustering is an add-on product that you must purchase separately from Windows 2000 Server, Advanced Server, or Datacenter Server.
10. Recently, you and one of your co-workers had a discussion about firewalls and fault tolerance. Neither of you was sure whether or not firewalls constitute a fault-tolerance solution. After some research, you come up with a few ideas on the subject. Your co-worker then asks you, “Is a firewall considered part of a fault-tolerance design?” Choose all correct answers.
A. Yes, because it keeps hackers out of the private network.
B. Yes, because it prevents servers from breaking.
C. No, because it’s used in the security arena, not fault tolerance.
D. No, because it requires that fault-tolerance measures be applied to the firewall as well.
Answers to Review Questions

1. C. Clustering is a sophisticated fault-tolerance technique where two computers share the same data or application. If the computer that’s currently involved in user activity goes down, the second computer sees the event and a failover occurs, allowing the second computer to take the place of the first.

2. B. A set of backup tapes that are stored offsite is an excellent disaster recovery measure. You’re assured that some sort of data is available for recovery in the event of a catastrophe. Of course, this all depends on the data that is on the tapes being usable.

3. A, C, D. All three are good answers, depending on the money you have to spend and on your personal attitude toward the whole situation. The user is probably right that there might be users with “inherited” permissions they shouldn’t have and who could potentially view his private information. But these kinds of issues are easily controlled with NTFS if time is devoted to the problem.

4. A, B. A redundant link is a second link to the backbone, as is a resilient link—the difference is more rhetorical than technical. A redundant power supply (RPS) is a good fault-tolerance methodology to implement as well, though it won’t help with the single uplink card.

5. B, D. RAID 0 is disk striping and isn’t fault tolerant. RAID 1 is mirroring and RAID 5 is striping with parity, so both are fault tolerant.

6. B. Answer A is good but it reflects fault tolerance, not disaster recovery. It’s critical that you have a backup system in place, that you back up your network data regularly, and that you check to make sure that the backups are correctly working. This is by far the most elemental and supreme fault-tolerance procedure that you can implement. Then, after you’re done with that, the others are great ideas as well!

7. C. The Windows 2000 IntelliMirror feature provides this function.
8. C. Use group policies to make sure users can’t get to certain critical parts of their Windows 2000 Professional computers.

9. B. Clustering is a service that’s available for you to install and configure with Windows 2000 Advanced Server and Datacenter Server.

10. C, D. Firewalls are security tools, not fault-tolerance tools. Even though you might think they’re security tools because they’re keeping hackers off of the network, they do in a fashion protect the integrity of the servers. Firewalls require their own fault tolerance to make sure they’re safely up and running at all times!
Case Study: Performing a DR Test
You should give yourself 10 minutes to review this case study, diagram as needed, and complete the questions for this testlet.
Current System

Your boss, the CIO, has mandated that you come up with a disaster recovery methodology that can be used in the event of a catastrophic event at your company. There is no current DR methodology in place. You will be the bellwether for such an implementation at your company. The current system covers two campuses connected by T1 frame relay. You have a central server room at each campus and about 15 different servers, 10 in one server room and 5 in the other. All switch closets in each building are served with resilient links over a fiber backbone. The switches connect to RPSs in each closet. Each server room has a large, room-size UPS and power conditioner that serves the entire room. There is no backup generator at either site. Your tape backup system is one that enjoys industry-wide acceptance. You had quite the time getting it configured and running at first, but now that the bugs are worked out, you don’t seem to have many problems with it. You have four DLT tape drives that are connected to a dedicated backup server. You must come up with a complete disaster recovery plan and make a formal presentation to the CIO and his managers.
Envisioned System

Overview

The tape backup software you use has an optional disaster recovery module that you can buy. You propose that the company purchase the DR module as an add-on to the current tape backup system. You tell the CIO that with this new module, you can burn an entire server image to tape and keep it offsite. If that tragic day ever comes, you simply have to procure another DLT drive and the backup software (a copy of which you propose keeping offsite); you can then have the computer back in business in a matter of hours. You also propose identifying all mission-critical servers and workstations that need to be privy to the DR process.
Security
A team of two individuals handles the network security for the company. They say, “It’s probably advisable to password-protect the tapes before they go offsite.”
Availability Overview
The CEO has told the CIO that she thinks the company would be able to get by with a week to rebuild in the event of a catastrophe. Any longer than that simply wouldn’t be tolerable in the volatile market the company plays in. CEO “Whatever system you come up with, you have to assure me that you can have us back up in one week’s time.”
Maintainability Overview
It’s important that you settle on a holding place for your offsite tapes so that they’re carefully watched and maintained. You’re considering a simple bank safe-deposit box to avoid the expense of a regular company that specializes in storing offsite tapes, but you’re not sure yet. CIO “If the safe-deposit box idea will work and you can keep up with the demand, that’s fine, but we have to be able to rely on the integrity of the tapes that are stored.” CEO “The cost for the specialty company is pretty steep, but I’ll defer to your judgment. If you think we need to use them, then we need to use them.”
Performance
You’re mostly concerned about the procurement of replacement servers in the event that a catastrophe takes out all of the servers. You’re not sure how to handle this situation. Suppose, for example, that you experience a disaster in which all servers are lost. You purchase upgraded computers as replacements, and you’re ready to reinstall the image onto the new computer. Will it work? The CIO’s comment is, “You’ll need to test this to make sure it works OK.”
CIO “The idea is a solid one. I want you to be sure that you set up regular tests of the system to make sure it works as advertised.”
Chapter 6
Analyzing the Current Disaster Recovery Strategy
Funding Overview
Money’s always tight in your company of 500 users. But the CEO has been very generous to you when it comes to spending IT dollars, and you know that if you need her to commit to a big purchase, she’ll go along with it as long as the backup requirements and project documents are there. CEO “Money is no object—as long as you stay under $100. Just kidding. Let’s see what kind of budget you come up with, and we’ll go forward from there.” CIO “I have other things in my budget that I need to buy as well, so go easy if you can.”
Questions
1. What are two problems with keeping the tapes in a safe-deposit box at a bank?
   A. Reliability of regular changeout of tapes.
   B. Tapes can potentially be in an electrically charged environment that might accidentally erase them.
   C. Banks can’t be trusted to keep data.
   D. Tapes are not readily accessible on weekends.
2. Look at the following chart. Reorder the tasks from the right column into the left column to make a task list in the order that you should begin working on this project. (Note: These tasks are certainly not all-inclusive. In a real deployment you’d have many more tasks than this!)
   Tasks (right column, to be reordered into the left column):
   Set up a safe-deposit box for offsite tape storage.
   Install DR agents on computers.
   Hire an outside company to help with offsite backup tape rotations.
   Obtain DR module for tape backup system.
   Prepare budget information for CEO and CIO.
   Make recommendations.
   Add DR rotation to the current backup calendar.
   Purchase a test computer that’s newer than the servers to test the DR module.
   Set up quarterly DR tests.
   Test the DR backup to tape of a server; restore to test server.
3. Why would quarterly testing be important in a DR program? Choose all reasons that apply.
   A. Annual testing is too long between tests.
   B. Quarterly testing helps you remember what to do if a disaster ever occurs.
   C. Quarterly testing helps you to figure out if the offsite vendor you’re using is too expensive.
   D. Quarterly testing allows you to periodically revisit the plan to make sure nothing’s changed or needs to be updated.
4. What other method, besides a DR module for tape backup software, could you use?
   A. Image software would allow you to take an image of each computer and burn to CD.
   B. Offsite service could obtain the backups for you.
   C. Copying the server’s files to another server’s hard drive.
   D. Creating a mirror, then breaking the mirror and keeping the second hard drive offsite.
Answers
1. A, D. The changeout of the tapes is relative to the system you set up. When you hire a company, they deliver the tapes to you and pick up the new tapes. Banks aren’t typically accessible for safe-deposit box access on weekends. B might well be an issue, you just never know.
2. See the following chart:
   Tasks (in order)
   Prepare budget information for CEO and CIO.
   Make recommendations.
   Obtain DR module for tape backup system.
   Purchase a test computer that’s newer than the servers to test the DR module.
   Test the DR backup to tape of a server; restore to test server.
   Install DR agents on computers.
   Add DR rotation to the current backup calendar.
   Set up quarterly DR tests.
   Hire an outside company to help with offsite backup tape rotations.
   Set up a safe-deposit box for offsite tape storage.
   You told the CEO and CIO that you’d keep costs down if you could, so you’re going to try the safe-deposit box method for awhile. If that doesn’t work, you can always try to procure the money and go with the service.
3. B, D. Remembering what to do is the hardest part of DR. Having quarterly or semi-annual tests allows you to freshen up your documentation and remember what you’re going to do during a DR session. It’s also good for forcing you to revisit the systems and make sure everything’s being taken into consideration as it needs to be.
4. A. In smaller shops, you could get away with purchasing disk-imaging software and using it to create images of each of the servers. The problem with this is that it’s time-intensive and you’ll need to regularly update the images. You could retain an offsite storage service to keep your tapes, but not to do backups for you. Copying the server’s files to another server’s hard drive isn’t good DR; what if the other server fails at the same time? The mirror idea is unique but fraught with problems, such as what to do if you get the hard drive back during a real disaster and find out that it too has failed.
Chapter 7
Designing a Management and Implementation Strategy for Windows 2000 Networks
MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Modify and design a network topology.
Design a strategy for monitoring and managing Windows 2000 network services. Services include global catalog, Lightweight Directory Access Protocol (LDAP) services, Certificate Services, DNS, DHCP, WINS, Routing and Remote Access, Proxy Server, and Dfs.
Design a load-balancing strategy.
Design network services that support application architecture.
Design a plan for the interaction of Windows 2000 network services such as WINS, DHCP, and DNS.
Design a resource strategy.
   Plan for the placement and management of resources.
   Plan for growth.
   Plan for decentralized resources or centralized resources.
The first sections of this book deal with the project management aspect of the Windows 2000 design exams. Microsoft has changed its testing paradigm quite a bit from Windows NT, so a thorough analysis of project management is required for learning to deploy Windows 2000. The previous chapters didn’t really get into the meat of the operating system itself, but that’s okay. The fact is that Microsoft is now insisting that MCSEs understand the ramifications of deploying huge software operating systems and applications. It’ll produce better MCSEs, and it should help Microsoft’s code run better. From here on out, this book moves into the actual Windows 2000 product itself, especially designing a Windows 2000 infrastructure. We’ll start by talking about the design and modification of a network topology; then we’ll shift into the technology that drives Windows 2000, predominantly TCP/IP and related services. This chapter also talks about load balancing and about designing network services that support application architecture. You’ll see how legacy clients and Windows 2000 clients interact with Windows 2000 services such as WINS, DHCP, and DNS. And finally, we’ll talk about developing a resource strategy, planning for the management of the resources on your network. (There is more information on the “Design a resource strategy” objective in Chapter 3, “Evaluating the Technical Environment,” and Chapter 5, “Analyzing Client Access Requirements.”) This is a busy chapter, so let’s get moving!
Understanding Windows 2000 Networking Services
Let’s start with a brief overview of Windows 2000 networking services. This book assumes that you’ve been through the basic Windows 2000 training, so we’re not going to spend a lot of time on Windows 2000 networking services. But it’s good to take a moment and refresh your thinking about what is meant by the phrase “Windows 2000 networking services.”
Supporting TCP/IP in Windows 2000
Windows 2000 works best on TCP/IP. Yes, some legacy protocols are given to you for the sake of keeping older clients or applications going, but TCP/IP is the protocol of choice in the Windows 2000 world. If you want to use Active Directory (AD), TCP/IP is required. But what does TCP/IP buy you? For starters, it’s your passport into the Internet world. Many companies are going headlong into Internet and intranet development in a big way. It’s amazing how much time and effort it takes to create a web site that runs efficiently and doesn’t interfere with internal day-to-day business. Part of this is attributable to the magic of TCP/IP, and part is attributable to the magic of routers and routing protocols. Nonetheless, TCP/IP is the protocol of the Internet, and Windows 2000 is very Internet-centric. TCP/IP also affords you vendor-independence. If you’re running TCP/IP, you can purchase gear from a wide variety of vendors and not have to worry about proprietary protocols that may not be supported in the future. TCP/IP is very scalable. It works on large networks (like the Internet) just as easily as it works on small networks with only a few hosts. Lots of networks that outgrow their Class B or Class C “official” network numbers simply purchase a firewall and install a Proxy Server, and use the reserved private TCP/IP network numbers internally, numbers that are never supposed to go out onto the Internet. The Class A 10.x.y.z network number with the default eight-bit subnet mask, for example, provides a network with the capability of over 16 million hosts! The only caveat is that the machines using these numbers can never natively go out onto the Internet. They must be behind a firewall, proxy, or other translator. The Internet Assigned Numbers Authority (IANA) has reserved three network addresses for private use:
10.0.0.0–10.255.255.255/8, which provides for 16,777,214 hosts.
172.16.0.0–172.31.255.255/12, which provides for 1,048,574 hosts.
192.168.0.0–192.168.255.255/16, which provides for 65,534 hosts.
There is one other private range of addresses that you need to be aware of: Automatic Private IP Addressing (APIPA). This IANA-assigned address range is reserved for clients to use on private, non-routed networks. If your computer is set to receive an IP address from a DHCP server but cannot contact one, your machine will get an automatic address in the 169.254.0.0–169.254.255.255/16 range. APIPA is supported by Windows 2000 (as well as by Windows 98 and Me), but not by Windows NT. TCP/IP, while eminently hackable, has undergone some security revisions that were subsequently brought into Windows 2000. For example, Internet Protocol Security (IPSec), which is discussed in Chapter 14, “Designing for Internet Connectivity,” uses machine-based data encryption and data authentication with TCP/IP. IPSec has been integrated into Windows 2000. In fact, part of the exam you’re studying for will test you on IPSec. Furthermore, Windows 2000 Proxy Server’s capabilities include the ability to filter out unwanted traffic based on various criteria. Proxy Server is a separately purchased add-on product. Network Address Translation (NAT), which is included with Windows 2000 RRAS, does IP filtering as well. For example, you can filter out specific TCP ports, UDP ports, or even different protocols in the TCP/IP protocol suite. And within Windows 2000, Internet Connection Sharing allows users in small offices to request an Internet site from the Connection Sharing server.
Both Connection Sharing and Proxy Server are technically NAT devices because they translate IP addresses that are “legal” for the Internet to addresses destined for internal users and vice versa. Addresses that have been run through a NAT are said to be NATted.
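The private and APIPA ranges above, worked through as an added example that is not from the book: a small Python classifier (standard library only, constructed sample addresses) that tells RFC 1918 private, APIPA, loopback and public addresses apart, flags which hosts can reach the Internet only through a NAT or proxy, lists the clients that fell back to APIPA (a sign that DHCP was unreachable), and derives the usable-host counts from the prefix lengths (RFC 1918 assigns the 172.16 range a /12 prefix, which is what the 1,048,574 figure corresponds to).

```python
# Added example (not from the book): classify IPv4 addresses the way the
# text above describes them and derive usable-host counts from prefix
# lengths. Standard library only; the sample addresses are constructed.
import ipaddress

# RFC 1918 private ranges and the APIPA range named in the text.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")


def usable_hosts(network: str) -> int:
    """Addresses in a prefix minus the network and broadcast addresses."""
    net = ipaddress.ip_network(network, strict=False)
    return net.num_addresses - 2


def classify(address: str) -> str:
    """Return 'private', 'apipa', 'loopback', or 'public' for one address."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return "loopback"
    if ip in APIPA_NET:
        return "apipa"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"


def needs_nat(address: str) -> bool:
    """True when the host could reach the Internet only through a NAT/proxy."""
    return classify(address) in ("private", "apipa")


def apipa_clients(hosts):
    """
    Given (hostname, address) pairs, return the hosts sitting on an APIPA
    address. Each one asked a DHCP server for a lease and never got an
    answer, so it can talk only to its own non-routed segment; a sudden
    batch of these usually means the DHCP server or the path to it is down.
    """
    return [host for host, addr in hosts if classify(addr) == "apipa"]


if __name__ == "__main__":
    # Constructed sample of addresses seen on a workstation segment.
    seen = [
        ("ws-101", "10.4.12.7"),
        ("ws-102", "169.254.31.5"),
        ("ws-103", "172.20.0.9"),
        ("ws-104", "172.32.0.1"),   # just past 172.31.255.255, so public
        ("ws-105", "192.168.77.2"),
    ]
    for host, addr in seen:
        print(f"{host:8} {addr:16} {classify(addr):9} nat_required={needs_nat(addr)}")
    print("APIPA (DHCP unreachable):", apipa_clients(seen))
    for net in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"):
        print(f"{net:16} usable hosts: {usable_hosts(net):,}")
```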
TCP/IP, combined with multiple routers, allows you to create redundant route paths to LAN segments. Remember how we talked about redundancy being the key to network fault tolerance? Redundant route paths can help bring about such an environment. Windows 2000 uses the same sorts of TCP/IP services that Windows NT 4 used: DNS, DHCP, and WINS. There have been improvements to the code, especially with respect to DNS, but the services are essentially the same as they were in the NT 4 days. The biggest difference is increased DNS functionality and less reliance on WINS.
Supporting Telecommuters
Do some of your users want you to set up a virtual private network (VPN) so they can use their DSL connection from home? That would be a godsend to thousands of users who don’t really need to show up at a physical workplace each day—if only they had a solid, high-speed connection to the network from home. Windows 2000 has greatly improved the telecommuting protocols that you can use. The Extensible Authentication Protocol (EAP) is a protocol designed for clients to authenticate with servers. This protocol is designed to be used with smart cards (which use Transport Layer Security [TLS]), biometric scanners such as fingerprint or retina readers, the MD5-CHAP algorithm, and token cards, which send a password to the system for you. Another new protocol in Windows 2000 RAS is Remote Authentication Dial-In User Service (RADIUS). The diversity of hardware and operating systems has led to people trying to find a vendor-independent authentication scheme. RADIUS can validate users from a variety of computing hosts and has two components: the client and the server. When Windows 2000 is configured as a RADIUS client, it accepts the logon from the dial-in user and forwards the request to a RADIUS server for validation. Windows 2000 can also be equipped as a RADIUS server by installing and running the Internet Authentication Service (IAS). Also new to the RAS protocol roster is the Layer 2 Tunneling Protocol (L2TP). Recall from your OSI model training that layer 2 is the Data-Link layer, typically the layer that switches operate at. L2TP is somewhat similar to PPTP in that it tunnels through an untrusted network. But L2TP doesn’t encrypt data like PPTP does. Instead, you use other encryption methodologies such as IPSec to provide the encryption. L2TP can be used in a virtual circuit with a variety of network protocols such as IP, ATM, frame relay, and X.25. PPTP can only be used on IP networks.
While L2TP supports layer 2 tunnel authentication, that isn’t used when IPSec is installed because IPSec handles the encryption and authentication. L2TP provides header compression, which gives you a little smaller header size (4 bytes instead of 6). Remember the Windows NT 4 PPP multilink protocol? The idea was that if you had several modems hooked to a computer running Windows NT Server, you could use multilink to trick Windows NT into thinking the separate lines were all one big chunk of bandwidth. You had to have multilink installed on both sides of the connection. Windows 2000 provides Bandwidth Allocation Protocol (BAP), which is similar to multilink but goes a step beyond by adding or dropping links as needed. BAP works in harmony with multilink; PPP multilink has to be installed before you can enable BAP. Remote access policies can then be set to drop a link if the usage falls below a certain level.
Windows 2000 Routing Protocols
Windows NT 3.51 and 4 support the Routing Information Protocol (RIP). This protocol is best suited for small to medium-sized networks because of the kind of routing it does. RIP is a distance vector routing protocol, meaning that each router advertises to its neighbor routers the networks it knows about, together with the distance (hop count) and direction (next hop) to each. These periodic announcements—every 30 seconds by default—can create lots of extra traffic on a large network and thus be unsuitable for such an environment. RIP was introduced in the Windows NT 3.51 and 4 worlds for connecting private networks with the Internet and dial-in clients and with different LAN topology types. RIP is still supported in Windows 2000 and can be used as the routing protocol on your network. Windows 2000 has also added a more sophisticated routing protocol, Open Shortest Path First (OSPF), to its suite. OSPF is a link-state routing protocol; it communicates its link status information to adjacent routers. In this way, a map of the entire network is built and paths can be calculated. OSPF and Cisco’s IGRP are probably the two most widely used routing protocols. Also included in the Windows 2000 suite are several routing augmentations that, while not truly routing protocols, are designed to assist with routing tasks on the network. Demand-dial routing, connection sharing, and multicasting—all topics in later chapters of this book—are additions to Windows 2000 routing protocols.
IP Security in the Windows 2000 Environment
A newer development in the IP world, IPSec, is included in Windows 2000 and provides valuable functionality. Most network implementations of TCP/IP allow clear, unencrypted text to flow across the network from one place to another. This may not be a big problem on a small network. However, on larger networks, where you have no idea who might be trying to watch packets, you need to assure your users that the data they send is encrypted and safe. IPSec is designed to do this. You can use it server to workstation (or vice versa), server to server, and you can run it on an intranet, extranet, or across the network.
Managing User Internet Access
Windows 2000 includes several new benefits in the Internet access arena, some of which are particularly relevant for smaller networks. Typically, hooking a small network of just a few users up to the Internet can be quite the challenge. A router and CSU/DSU might be overkill for a small office. On the other hand, it might be cost prohibitive for all the users in the office to access the Internet using a modem from each of their PCs. Microsoft’s Internet Connection Sharing (ICS) is a new Windows 2000 technology that allows you to create a server that users connect to. This server provides basic DHCP, WINS, and DNS services, and acts as a NAT device for the users, translating their internal address and port to external ones. Like Proxy Server, the connection-sharing method is also capable of filtering packets. ICS is a good solution for small numbers of users. For a larger group of users, you can employ NAT. NAT provides all the functionality of ICS, but does a better job of supporting larger numbers of users. However, if you have more than 100 or so users, you’ll need an even bigger solution. Windows 2000’s Routing and Remote Access Service (RRAS) provides routing and NAT capabilities for larger networks. Though not included with Windows 2000, Microsoft Proxy Server is a product that you should consider including with your deployment. You might think of NAT as “Proxy Server Lite,” useful only in non-routed, SOHO environments, whereas Proxy Server can work with thousands of users. Proxy Server serves many functions for the network. It restricts certain users from accessing the Internet; it also acts as a packet filter, preventing unauthorized packets from being allowed onto the internal network. Proxy Server’s biggest feature is that it caches Internet pages so that the speed of Internet access appears higher to users.
The things that we’ve just talked about, routing support, managing user Internet access, IPSec, and support for telecommuting users, are discussed in more detail later in this book. This overview lets you know what enhancements you can expect with Windows 2000.
Designing and Modifying a Network Topology
A topology can be defined as the way the network is wired up and the IEEE standard that it uses. But a more succinct way of putting it is that a topology is the set of rules that are made for physically connecting and then going about the business of computing on a given medium. The topology determines how the computers are going to connect to each other (the physical component) and the rules that are going to be used when they talk to each other (the logical component). When discussing network topologies, be keenly aware of the differences between physical and logical topologies. As an example, a token ring topology can be configured as a physical star (with a hub in the “center”) but it’s still a logical ring.
Microsoft Exam Objective
Modify and design a network topology.
Physical Components of a Topology
There are three types of physical topologies that are important to us:
bus
star
ring
Think of the bus topology much like a string of Christmas tree lights; the wire essentially runs in a straight line and has nodes off of it that connect to the PCs or servers on the network. The old 10Base-2 network scheme used a bus topology, starting with a string of coaxial cable. At a point where you wanted to attach a PC, you simply introduced a T connector. The T connector plugged into the NIC on the back of the user’s computer, as seen in Figure 7.1. Each end of the wire had a terminator, and one of the ends needed to be grounded. The problem with the bus topology was that if any one part of the bus went out, all users on the network were out as well, and finding the problem sometimes meant that you had to go from PC to PC trying to isolate the source of the difficulty.
FIGURE 7.1 A bus topology: PCs attach through T connectors to a run of coaxial cable, with terminators at each end.
In a star topology, each PC or server on the network connects to a central device such as a hub or a switch (preferably a switch). You can then hook these switches or hubs together to form a larger network. This is the standard formula for today’s Ethernet networks. The distinct advantage to a star topology is that any one computer (or port in the switch or hub) can fail and it won’t take down the entire network. Of course, if the hub or switch fails, that’s a different story. Figure 7.2 shows a typical star topology.
FIGURE 7.2 A star topology: workstations and a server each connect to a 100Base-T switch.
The ring topology enjoyed a real heyday in the late 1980s and early 1990s, until Ethernet star topologies took over. But, just when it appeared that the battle had totally been won, FDDI and ATM surfaced and recaptured the ring concept, this time on a wide area network basis. A ring merely consists of devices arranged in a ring with the cable passing in one side of each device’s network card and out the other. The network has a token (or sometimes two), hence the original name token ring network. The token circles around the network, in the receiving side of each NIC and out the transmit side (as illustrated in Figure 7.3), looking for a computer that has data to send. The only computer allowed to send data to another computer is the one that currently owns the token. When that computer relinquishes the token, it’s free for the next computer to grab if needed.
FIGURE 7.3 A ring topology: the token passes into the receive side of each PC’s or server’s NIC and out the transmit side.
Fault-tolerant implementations of ring topologies have two tokens counter-rotating on two different rings. If one ring breaks, the other ring is used as a fallback. This is quite common in Switched Optical Network (SONET) implementations where extremely reliable WAN connectivity is desired. The standard internal token ring network was capable of running at 4Mbps or 16Mbps; however, these days 100Mbps token ring network gear is available. Every physical topology has its advantages and disadvantages. It’s up to you to decide which topology is best for your network. Keep in mind that by far, the most common topology is the star. This is important because most hardware you purchase will easily work in a physical star environment, whereas other connectivity equipment (such as a FDDI NIC) may be harder to find and more expensive.
Logical Components of a Topology
The Institute of Electrical and Electronics Engineers (IEEE) heads up standards specifications for new networking technologies. The IEEE assigns numbers to identify the different logical topologies that can be used with a physical topology. These numbers are good to know (for cocktail parties and tests). For example, IEEE 802.5 defines the token ring topology; IEEE 802.3, 802.3u, 802.3x, and 802.3ab define Ethernet topologies, 10Base-T, 100Base-T, full-duplex Ethernet, and 1000Base-T, respectively. Note that logical topologies define more than just the speed of the network. They define characteristics like the type of switching that takes place (circuit, message, or packet), the media that they can run on, and the types of connections that can be made. The logical definition of a topology defines a set of rules about how a topology is implemented.
Think of logical topologies as rules for communication on the physical network.
Two major logical topologies you’ll encounter are Ethernet (IEEE 802.3) and token-passing ring (IEEE 802.5). Ethernet networks make up a considerable majority of all networks running today. The premise of Ethernet is based on Carrier Sense Multiple Access with Collision Detection (CSMA/CD). The CSMA/CD standard for communication works as follows: Your computer listens on the wire and if it doesn’t hear any traffic, it sends its message. Hopefully, the message gets to the destination. If another computer sends a message at the same time, however, there will be a packet collision on the wire. The sending computers will both detect the collision, wait a random number of milliseconds, and then resend. On a network with hundreds or thousands of machines on one segment, things can quickly get bogged down. It sounds inefficient, and indeed it may be, but it works. Generally, token ring speeds are not as fast as Ethernet speeds. However, token ring does have one considerable advantage: You are guaranteed time to talk. In Ethernet, if one card becomes chatty, it can monopolize the whole network. In token ring, you are going to get the token at some point, which means you can talk. Connection speeds are generally slower, but on busy networks, communication may be more reliable. In a token ring topology, there are no collisions. Now that you know what you’re looking at, the trick for you is to figure out what kind of network you’re involved with. Chances are very, very good that you have an Ethernet network, though some token ring implementations are still out there. You have two difficulties ahead of you in figuring out what the network topology is about. First, you need to determine the physical topology. Then you need to determine its logical topology—loosely associated with the speed at which the network is supposed to operate. There is one potential third challenge: figuring out whether the backbone of the network is faster than the user connections.
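The CSMA/CD and token-passing behavior just described, as an added example that is not part of the book: a slotted Python simulation of a shared Ethernet segment (listen, send, collide, random backoff that doubles after each collision) beside a token ring (one token, one turn per station), so you can see the collision fraction climb as stations are added while the ring stays collision-free with a bounded wait. Station counts, per-slot arrival probability and slot counts are constructed parameters, not measurements.

```python
# Added example (not from the book): a slotted simulation of the two access
# methods the text compares. CSMA/CD stations transmit whenever they have a
# frame and are not backing off; two or more transmitters in one slot is a
# collision, after which each picks a random backoff whose range doubles
# with every successive collision (binary exponential backoff). Token ring
# passes a token around the stations in turn, so frames never collide.
# All parameters below are constructed for illustration.
import random


def simulate_csma_cd(stations, load, slots, seed=1):
    """Return (delivered, collisions, idle) slot counts for a shared segment.

    load is the probability per slot that a station with nothing queued
    gets a new frame to send.
    """
    rng = random.Random(seed)
    waiting = [False] * stations      # station has a frame queued
    backoff = [0] * stations          # slots the station must stay quiet
    attempts = [0] * stations         # consecutive collisions for that frame
    delivered = collisions = idle = 0
    for _ in range(slots):
        for s in range(stations):
            if not waiting[s] and rng.random() < load:
                waiting[s] = True
        # "Listen on the wire": a station sends if it has a frame and has
        # finished its backoff. Every such station hears the same idle
        # wire, so they all transmit in the same slot.
        ready = [s for s in range(stations) if waiting[s] and backoff[s] == 0]
        for s in range(stations):
            if backoff[s] > 0:
                backoff[s] -= 1
        if not ready:
            idle += 1
        elif len(ready) == 1:
            delivered += 1
            waiting[ready[0]] = False
            attempts[ready[0]] = 0
        else:
            # Collision detected by every sender: each waits a random number
            # of slots, the range doubling with each successive collision.
            collisions += 1
            for s in ready:
                attempts[s] += 1
                backoff[s] = rng.randrange(2 ** min(attempts[s], 10))
    return delivered, collisions, idle


def simulate_token_ring(stations, load, slots, seed=1):
    """Return (delivered, collisions, max_wait) for a token-passing ring.

    The token visits one station per slot; the holder sends its queued frame
    (if any) and passes the token on. collisions is always 0, and max_wait,
    the longest any frame waited for the token, never exceeds stations - 1.
    """
    rng = random.Random(seed)
    queued_at = [None] * stations     # slot in which the queued frame arrived
    delivered = max_wait = 0
    holder = 0
    for t in range(slots):
        for s in range(stations):
            if queued_at[s] is None and rng.random() < load:
                queued_at[s] = t
        if queued_at[holder] is not None:
            max_wait = max(max_wait, t - queued_at[holder])
            queued_at[holder] = None
            delivered += 1
        holder = (holder + 1) % stations
    return delivered, 0, max_wait


def collision_fraction(stations, load, slots, seed=1):
    """Share of busy slots on a CSMA/CD segment that were lost to collisions."""
    delivered, collisions, _ = simulate_csma_cd(stations, load, slots, seed)
    busy = delivered + collisions
    return collisions / busy if busy else 0.0


if __name__ == "__main__":
    for n in (5, 50, 500):
        d, c, i = simulate_csma_cd(n, 0.02, 5000)
        print(f"CSMA/CD {n:4} stations: delivered={d} collisions={c} idle={i} "
              f"collision fraction={collision_fraction(n, 0.02, 5000):.2f}")
        d, c, w = simulate_token_ring(n, 0.02, 5000)
        print(f"Token   {n:4} stations: delivered={d} collisions={c} max wait={w}")
```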
Identifying Backbone and User Connections
Suppose that the building housing your network is fairly large. Maybe you have two or three different closets where you have network gear, hubs, or switches. Typically, these closets have a wiring rack with a patch panel and the network gear. The wires come in from one or more closets and attach to the patch panel. The wire running from closet to closet is called the backbone. Then you run jumper cables from the patch panel to the hubs or switches. The wiring that runs between closets could be fiber-optic wire, in which case you likely have a 100Base-T or 1000Base-T backbone. These speeds are 100 megabits per second (Mbps) and 1000 megabits per second, respectively (not megabytes, which would be MBps). As you might imagine, 100Base-T and 1000Base-T consist of fast collision domains. The IEEE has done some work toward trimming down the amount of collisions, but Ethernet is nonetheless still a collision-based networking environment. So you have this 100Base-T fiber-optic backbone. That means the packets are traveling at roughly 100Mbps, and you can expect fairly reasonable throughput, provided that you have ordinary users who don’t put a lot of traffic out onto the wire by generating large reports from a server, downloading huge graphics, and so forth. The next question is this: Are your users also connected at 100Base-T? If so, everybody’s data is moving at 100Mbps, trying to get onto a 100Mbps wire. It’s sort of like several cars going 60 miles per hour trying to merge onto a highway where all the other cars are also going 60, but nobody is yielding to anybody else. You’re bound to have a collision! So how do you solve this predicament? It might seem intuitive to you that the speed of the backbone should be much faster than the user connections. That’s the purpose of the uplink ports provided on the back of most switches.
Users connect at a certain speed, and the switch intelligently manages the incoming and outgoing bandwidth. The data going out through the uplink card onto the backbone can travel faster than the data coming into it from users, thus reducing one bottleneck. Uplink cards are somewhat expensive, as are switches, but the gain in throughput is phenomenal and well worth the investment dollars.
Just because you upgrade your network closets and backbone does not mean you’re guaranteed improved bandwidth from users or servers. You can still have a bottleneck at the user or server computer. There are several bottlenecks to consider: slow IDE or SCSI hard drives, slow processors, not enough RAM, and NICs that are set for a slow speed. You must remember that the entire path that the data travels has to be examined when you’re considering bandwidth improvements. Server NICs on 100Base-T or 1000Base-T networks should always be set at 100Base-T full duplex, as should the receiving switch port.
Dealing with Disparate Topologies
What happens if your building has several floors and some of the floors are still on 16Mb token ring while others have gone through a conversion to 100Base-T Ethernet? You’ve run a fiber-optic backbone up the wiring chase to all floors, and you have a termination in the patch panel at a central wiring closet on each floor. But how do you connect an Ethernet to a token ring network? You need a token-ring-to-Ethernet topology conversion bridge. This bridge is a device that hooks in between two disparate networks, allowing for the conversion of one topology to another. Now, in this example, you might have to purchase the bridge for each floor before you can officially hook them to the Ethernet segment of your LAN. But that’s a design issue, one that needs to be solved and planned out before you move forward. Or you might choose to convert each floor to Ethernet before you implement the rest of your network upgrades. It’s up to you, but a topology conversion bridge will help you get this done. AS/400 computers from IBM work on token ring networks as well as on Ethernet networks. There are tons of AS/400s in the world, so it’s remotely feasible that you’re facing the problem of token-ring-to-Ethernet topology conversion. Maybe it has been solved for you by a previous administrator or designer (in which case the technology might be outdated), but maybe not. Nevertheless, tools have been created for you. Use your favorite Internet search engine and enter the phrase “Token Ring to Ethernet”. You’ll get lots of hits for companies that specialize in token-ring-to-Ethernet conversion bridges. Problem solved.
Dealing with Old Topologies
Unless you have an office of fewer than five users, 10Base-2 coaxial networks are not going to cut it in the Windows 2000 world. You just won’t have enough bandwidth to feel like things are moving along quickly. You’ll have to resign yourself to upgrading the network cable plant and infrastructure to at least 10Base-T, and most likely to 100Base-T. Upgrading the cable plant and installing switches will mean money, and probably lots of it. That’s the commitment you’ll have to make if you’re going to go forward with Windows 2000 servers and workstations. Hub-based 10Base-T networks (called shared-10 networks because users are sharing 10 megabits of bandwidth) also need to be upgraded. Hubs were fine in the Novell NetWare 3.11 days when people were running WordPerfect 5.1 and Lotus for DOS and were using servers for files and printing. But today’s world is a large, complex client/server world that uses huge quantities of bandwidth. Your network needs to enter the switched world, where your backbone is faster than your client connections, where your servers (at the very least your big application servers) connect to high-speed ports on the switch, where routers are up-to-date, and where users have NICs that are capable of talking to the network at robust speeds. What good does it do you to install fast-processor computers on a user’s desktop and then have the user try to pull data off of a terribly slow network? For all but the smallest of networks, shared-10 networks have got to go before you enter the Windows 2000 world.
Supporting Macintoshes
Macintosh services are still supported in Windows 2000. You’ll have to load the AppleTalk protocol on the servers that Macs are going to talk to. But what about those old AppleTalk or TokenTalk networks? Do you have to convert them? No, because Windows 2000 treats the Macintosh as an independent entity, an individual client. Each Mac user logs on to the network just like each Windows 2000 Professional user, so you don’t need to have your Mac administrator dismantle the network; Mac users can connect just fine as they are.
Monitoring and Managing Windows 2000 Network Services
This section describes how to design a strategy for dealing with various Windows 2000 network services. Within this section, the operative word in network services is network. For example, how do you monitor and manage the global catalog? Or LDAP? You can see why it is important to monitor such services: if they crash, you need to know why they crashed and how to put things back to normal.
Microsoft Exam Objective
Design a strategy for monitoring and managing Windows 2000 network services. Services include global catalog, Lightweight Directory Access Protocol (LDAP) services, Certificate Services, DNS, DHCP, WINS, Routing and Remote Access, Proxy Server, and Dfs.
When talking about each of the Windows 2000 components in this section and their separate monitoring and managing needs, there are three things to keep in mind:
Events and Alert Notification You should know what service events are important enough that you need to be alerted right away. Windows 2000 includes System Monitor, which was called Performance Monitor in the NT 4 days. Use System Monitor and its alerting capabilities to provide specific machines with alerts that inform you of errant behavior. Alternatively, you might consider purchasing enterprise management system (EMS) software such as ManageX (an HP product found at www.hp.com) or NetIQ (found at www.netiq.com) to increase the number and detail of the alerts that you can receive.
Anticipating Design Changes Undoubtedly some systems will outgrow their initial design, or managers in your company will make a decision that changes the design somewhat. There are many conditions that might require a design change; that’s not hard to imagine. Anticipating how to react to a design change is more meaningful, and spotting the design change can be very difficult.
Verifying Design Compliance Is the design being used in the way that you planned and anticipated that it would be? If not, why not? Do you need to correct people on the method used (training), or do you need to manage changes to the design so it complies with its current use (redesign)?
Global Catalog
Perhaps when you begin your Windows 2000 deployment, you start out with a Windows 2000 domain controller (DC) in a single domain. After some time, study, and involvement with your one domain, you find a need for additional domains. You come up with two more domains in your Windows 2000 forest. For the sake of simplicity, let’s say that within each domain there is only one domain controller (keeping in mind that a one-DC domain is a bad idea; you should always have at least two DCs in each domain). The very first domain controller installed within your forest has the duty of being the global catalog (GC) server for the entire forest. A global catalog server is a domain controller that has a complete list of all the objects in an entire forest, but is only aware of a subset of the attributes of the objects outside its own domain. (All domain controllers are aware of all attributes for all objects within their own domain.) The advantage of this is that a user or application can search the entire forest for an object without knowing in which domain the object exists. The subset of attributes included in the global catalog are the attributes most often searched on for each type of object (name and address are included, for example, but not SID or GUID). A domain controller in each domain is responsible for keeping track of changes to the replicas in the Active Directory database. If you delete a user account, that’s a replica change that must be replicated to the global catalog. The domain controller that does the replication to the global catalog is said to have the function of infrastructure master. This server forwards replica changes to the global catalog. There is only one infrastructure master per domain.
The replicas that are stored from other domains are said to be partial replicas in that not all of the properties for every object are replicated and stored in the global catalog. You can adjust Windows 2000’s default settings for the kinds of replica information an infrastructure master can upload to the global catalog, but this is not recommended because it could seriously add to the bandwidth used on the network.
Unless you’re in a single domain controller environment, you should not have one domain controller serve as both the global catalog server and an infrastructure master. In this case, the infrastructure master will never receive updates (because the global catalog server is on the same box), so it won’t know about the latest and greatest changes to the objects in AD.
Multiple global catalogs are possible, depending on the size of your network, geographic complexity, and other contributing factors. While this is a great thing, it’s important to keep good design principles in mind and not just load up on global catalog servers. Recall that replication of AD object information is being performed on each global catalog server, so not only are you adding unneeded complexity to the system with excess global catalog servers, you’re also complicating any problems that arise. Like WINS servers, keep the global catalog servers to a minimum, one global catalog server in each site that doesn’t have guaranteed WAN connectivity.
Domain admins will always be able to log on to the network, even when the global catalog is not available. This is not necessarily true for regular users. If the global catalog isn’t available, they’ll probably only be able to log on to the local workstation.
You can access the location where you set the global catalog by going to the domain controller you want to configure and clicking Start > Programs > Administrative Tools > Active Directory Sites and Services > Sites > name of site > Servers > name of server. Figure 7.4 shows this screen. From there, find the NTDS Settings item and right-click it. Select Properties and you’ll find an NTDS Site Settings properties window where you can enable the global catalog. It’s as simple as checking a box.
FIGURE 7.4
Assigning the global catalog function to a domain controller
The following are the planning and design rules for domain controller and global catalog placement:
There should be at least one domain controller per site (or per physical location).
You can have multiple domain controllers per site.
Each site should have at least one domain controller configured as a global catalog server, especially when the sites are connected by slow links. This way, users will receive current forest information from a local domain controller.
You can adjust the replication of objects across slow links to happen during off-peak hours.
Having too many global catalog servers means too much replication and could potentially be a bottleneck for your network.
Adding replica attributes to the objects that are already being replicated can slow the network.
There are some issues that revolve around the Internet Authentication Service (IAS) and the global catalog. We’ll discuss these issues in Chapter 15, “Designing a Remote Access Solution.”
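The placement rules above, together with the earlier warning about co-locating the infrastructure master with a global catalog, can be turned into a design-compliance check of the kind the "Verifying Design Compliance" item asks for. The following is an added example, not code from the study guide or from Windows 2000; the site and domain controller data model, the finding codes, and the sample layout are all constructed assumptions.

```python
"""Check a proposed domain controller / global catalog layout against the placement rules.
Added example; the Site/DomainController model and the sample layout are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class DomainController:
    name: str
    domain: str
    global_catalog: bool = False
    infrastructure_master: bool = False


@dataclass
class Site:
    name: str
    slow_link: bool = False          # site reaches the rest of the forest only over a slow WAN link
    dcs: List[DomainController] = field(default_factory=list)


Finding = Tuple[str, str, str]       # (scope, code, explanation)


def check_placement(sites: List[Site]) -> List[Finding]:
    """Apply the rules: a DC in every site, a GC in every site (mandatory across slow links),
    no pile-up of GCs, and exactly one infrastructure master per domain that is not also a
    GC unless it is the only DC in the domain."""
    findings: List[Finding] = []
    for site in sites:
        if not site.dcs:
            findings.append((site.name, "NO_DC", "site has no domain controller"))
            continue
        gcs = [dc for dc in site.dcs if dc.global_catalog]
        if not gcs:
            code = "NO_GC_SLOW_LINK" if site.slow_link else "NO_GC"
            findings.append((site.name, code, "logons and forest-wide searches cross the WAN"))
        elif len(gcs) > 1:
            findings.append((site.name, "EXCESS_GC",
                             f"{len(gcs)} GCs each replicate the same partial forest copy"))

    per_domain: Dict[str, List[DomainController]] = {}
    for site in sites:
        for dc in site.dcs:
            per_domain.setdefault(dc.domain, []).append(dc)
    for domain, dcs in per_domain.items():
        masters = [dc for dc in dcs if dc.infrastructure_master]
        if len(masters) != 1:
            findings.append((domain, "IM_COUNT",
                             f"{len(masters)} infrastructure masters, expected exactly one"))
        for dc in masters:
            if dc.global_catalog and len(dcs) > 1:
                findings.append((domain, "IM_ON_GC",
                                 f"{dc.name} holds the infrastructure master role and the GC, "
                                 "so it never receives updates"))
    return findings


def finding_codes(findings: List[Finding]) -> List[str]:
    """Sorted codes only, convenient for comparing a layout against expectations."""
    return sorted(code for _, code, _ in findings)


def sample_layout() -> List[Site]:
    """Constructed layout: HQ doubles up on GCs and parks the infrastructure master on one
    of them, the branch has a DC but no GC behind a slow link, the warehouse has nothing."""
    return [
        Site("HQ", dcs=[DomainController("dc1", "corp", global_catalog=True),
                        DomainController("dc2", "corp", global_catalog=True,
                                         infrastructure_master=True)]),
        Site("Branch", slow_link=True, dcs=[DomainController("dc3", "corp")]),
        Site("Warehouse"),
    ]


if __name__ == "__main__":
    for scope, code, why in check_placement(sample_layout()):
        print(f"{scope:10} {code:16} {why}")
```

A layout that passes returns an empty list, so the check can be rerun whenever a site or domain controller is added and the output compared with the design as planned.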
When thinking about event notification, you can think of alerts that you might like to get when the global catalog has a problem. For example, it would be nice to know when a global catalog server goes down. It would also help to know if one GC server is receiving too many hits, which implies that you either need a second one at that site or you need to rearrange the network somehow. Then too, it could be just that people are trying to get used to the system and are performing frequent queries against it.
Lightweight Directory Access Protocol (LDAP)
Access to the global catalog and to the domain controllers running it is accomplished through the Lightweight Directory Access Protocol (LDAP version 3, RFC 2251). Active Directory clients need LDAP to access shared resources on the network. LDAP is an Internet Engineering Task Force (IETF) communications protocol that defines how directory clients access a directory service and how queries and sharing of directory data are performed. LDAP, which has been in use with Microsoft server products for several years now, is light, efficient, and preferred over other, more rotund, directory service protocols. Because LDAP is a universal standard, Active Directory can work with other directory systems via a programming interface that’s included with AD, called Active Directory Service Interfaces (ADSI). The directory is made up of objects and their attributes. LDAP uses a hierarchical structure, somewhat similar to what you may have seen in Exchange Server, to uniquely identify each object in the active directory. Object attributes can be inherited and populated by several different objects. Let’s consider an LDAP example. Suppose that you have a user named Ralph in the domain. Ralph has an LDAP common name: CN=Ralph. Since Ralph is a member of the Users container, he also has a container designator (using the same CN designation): CN=Users. Suppose that Ralph is affiliated with the Sales team that is located in the California domain, and the domain root is VeryBigCompany.com. Then, in addition to the common name and distinguished name, you also have an organizational unit (OU) and four domain components (DC): one each for the domain and the tree and two for the domain root. These are represented as DC=California and DC=VeryBigCompany,DC=com. Thus the entire distinguished name is CN=Ralph,CN=Users,OU=Sales,DC=California,DC=PaperProducts,DC=VeryBigCompany,DC=com.
A different way to represent this name is via a canonical name. Instead of using the distinguished name CN and DC delimiters, you simply put a slash in front of the various components. Also, you start with the domain root first, then proceed down the hierarchy. So the canonical equivalent of the distinguished name here would be VeryBigCompany.com/PaperProducts/California/Sales/Users/Ralph. Additionally, Ralph personally has what is referred to as a user principal name (UPN): his username followed by the @ sign and the company name (just as an e-mail address might appear). So Ralph’s UPN would be Ralph@VeryBigCompany.com. The UPN is automatically created by AD and isn’t something you need to worry about. Nor should you try appending an @ sign to his username in the hopes of helping create a UPN. The relative distinguished name is that part of the distinguished name that represents an attribute of an object. In the preceding example, Ralph is the relative distinguished name for the parent object Users. Figure 7.5 illustrates where Ralph might fall in a typical AD hierarchy. The cool thing about LDAP is that no name is duplicated anywhere. On top of that, users can see anybody in the catalog at a glance, providing access to what could literally be millions of objects grouped according to the logical layout of your network. There are two caveats to managing the AD database:
Don’t mess with the database schema. While the schema is extensible, it’s best to leave it alone and not modify it. Some applications might do that (Exchange 2000, for example, changes the schema), but you should not.
Plan, plan, plan the layout of your future Windows 2000 network, making sure you’ve designed the logical splits correctly. It’s not a bad idea to try to plan for any future changes the managers might want to incorporate that would subtly change the layout. If you could somehow anticipate those changes, you’d be light years ahead of where you need to be.
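The naming forms discussed above (distinguished name, relative distinguished name, canonical name, and UPN) are mechanical transformations of one another, which is easy to see when written as code. The following is an added example, not code from the study guide, Active Directory, or ADSI. It parses a distinguished name into its RDNs, honouring the backslash escape that LDAP (RFC 2253) uses for commas inside a value, and derives the other names from it. As an assumption it follows the convention in which every DC component belongs to the dotted DNS name, so for a child domain the domain appears in the dotted prefix rather than as a slash-separated segment; the UPN suffix defaults to that same dotted name unless another is supplied.

```python
"""Derive canonical name, RDN and UPN from an LDAP distinguished name.
Added example; the DN strings used for testing are constructed."""
from typing import List, Optional, Tuple

RDN = Tuple[str, str]   # (attribute type, value), e.g. ("CN", "Ralph")


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (type, value) pairs, leaf first.  A backslash escapes the next
    character, so 'CN=Smith\\, Ralph' is a single RDN whose value contains a comma."""
    pieces: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)          # literal character, whatever it is
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling escape")
    pieces.append("".join(buf))

    rdns: List[RDN] = []
    for piece in pieces:
        attr, sep, value = piece.partition("=")   # first '=' separates type from value
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {piece!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dns_domain(rdns: List[RDN]) -> str:
    """Join the DC components, in order, into a DNS domain name."""
    return ".".join(value for attr, value in rdns if attr == "DC")


def canonical_name(dn: str) -> str:
    """Domain root first, then the containers down to the object, slash separated."""
    rdns = parse_dn(dn)
    path = [value for attr, value in rdns if attr != "DC"]
    return dns_domain(rdns) + "/" + "/".join(reversed(path))


def relative_dn(dn: str) -> RDN:
    """The leftmost RDN names the object relative to its parent container."""
    return parse_dn(dn)[0]


def user_principal_name(dn: str, upn_suffix: Optional[str] = None) -> str:
    """username@suffix; the suffix is the DNS domain unless one is given explicitly."""
    rdns = parse_dn(dn)
    attr, value = rdns[0]
    if attr != "CN":
        raise ValueError("UPN requires a CN leaf object")
    return f"{value}@{upn_suffix or dns_domain(rdns)}"


if __name__ == "__main__":
    dn = "CN=Ralph,CN=Users,DC=VeryBigCompany,DC=com"
    print(canonical_name(dn), relative_dn(dn), user_principal_name(dn))
```

Parsing with the escape rule matters for names such as "Smith, Ralph", which AD stores with the comma escaped; splitting the DN on every comma would turn that one object into two bogus components.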
FIGURE 7.5
The AD hierarchy of Ralph’s network
[Figure: Forest = VeryBigCompany.com, containing two trees and their domains; the Paper Production and California domains; OU=IT and OU=Sales under California; User = Ralph]
Certificate Services
There are two authentication services in Windows 2000, Internet Authentication Services (IAS) and Certificate Services. IAS is used for dial-in users, and is described in Chapter 15, “Designing a Remote Access Solution.” Certificate Services is a software service used for the authentication of entities that are requesting access to the network. Certificate Services can work with secure e-mail, digital signatures, web-based authentication, and smart-card authentication.
Windows 2000 Certificate Services uses public key encryption as its method for guaranteeing the reliability of the entity that is requesting authentication. When you use Certificate Services, you create a certification authority (CA). The CA is responsible for vouching for the authenticity of the entity requesting to get onto the network. The CA receives certificate requests, verifies that the one presenting the certificate is the one entitled to use it (via the matching of the public and private keys), revokes certificates, and maintains published lists of revoked certificates (a certificate revocation list or CRL). The CA acts as the holder of the public keys. When a user wishes to request a certificate, she uses either a web browser or a certificate Microsoft Management Console (MMC) snap-in to connect to the CA and request a certificate. A cryptographic service provider (CSP) software component running on her computer generates a public key and a private key. The private key stays at the computer, the public key is forwarded to the CA and, if the criteria for granting a certificate are met, she gets the certificate. If there are criteria set up to expire her certificate at some time (such as when a contractor will finish working for the company), her certificate is put on a CRL upon expiration and she no longer has access to the network. Certificates and groupings of CA servers (called a CA hierarchy) can be used in place of a username and password to gain access to the network, as in the case of users gaining access with a smart card. In large enterprises, you couldn’t get away with just one CA server (nor would it be practical from a security standpoint!), so you must include several CA servers in your design. While the reasons for using a CA server are valid, there are many things to think about when considering Certificate Services. First, does your company do work so top secret and important that it’s paramount that you keep track of who’s getting on?
If so, then Certificate Services is for you. But what if you’re on an ordinary workaday network where that kind of security isn’t needed? Then you need to ask yourself whether it’s possible that somebody from the Internet, or a contractor, or another partner relationship of some kind could conceivably get on the network and do some damage. If so, it’s still worth your time to consider Certificate Services, because with a public and a private key (and the certificate), you’re validating that the resource requesting to get onto the network is actually that resource, not somebody spoofing as that resource. Another important consideration is that of protecting the security of the CA servers. Since they contain keys that could potentially be valuable to those who surreptitiously gain access to them, it’s critical that CA servers be strongly secured. What happens if the computer augurs in and you lose the keys? How will you restore them? Fault tolerance becomes extremely important when discussing CA servers. Third-party certificate providers (such as VeriSign) can be used in place of Windows 2000 Certificate Services. Is it worth the money, time, and effort of putting a separate CA entity in place? If the certificates you need will be Internet-based, then you need to go with an Internet-based CA. And finally, it’s paramount that the designers and administrators of Certificate Services in Windows 2000 networks completely understand how public key encryption (PK) works and, more important, how Windows 2000 uses PK and certificates.
Name Resolution Services
One of the more popular questions being asked by administrators everywhere is: What happens to WINS with Windows 2000? The question requires a dual answer. If you’re migrating a legacy Windows NT 4 network over to Windows 2000, then WINS is available and there is backward compatibility with other WINS servers. You can maintain some legacy nameserving while performing your cutover. If, on the other hand, you’re starting from scratch, you can use DNS and don’t need WINS at all. Windows 2000 is designed to work primarily with DNS and not WINS. Native Windows 2000 environments don’t need WINS to function. The Windows 2000 WINS interface (see Figure 7.6) looks remarkably different from the old NT 4 interface, but functions about the same.
FIGURE 7.6
The Windows 2000 WINS interface
Like the NT 4 environment, you can establish WINS load balancing by implementing push/pull partners with other WINS servers. You can also scavenge the database, create static mappings, and import LMHosts just as you could with the old WINS.
WINS retains the old ability to use WINS Proxy agents (agents that garner a NetBIOS name resolution from a WINS server for a non-Windows host). New to Windows 2000 WINS is the ability to use IP packet forwarding to service a name request from a WINS server across a router, thus avoiding a broadcast that the router would not forward. WINS services can now be secured across public lines either by IPSec or by VPN. Also, Windows 2000 WINS can be put on a cluster server for redundancy and fault tolerance. Windows 2000 WINS supports a burst mode capability. WINS uses this when a large influx of registrations happens. At such times, the WINS server sends an ACK with a time to live (TTL). The client must then re-register after the time expires. The theory is that by the time the client re-registers, the burst is over and the server won’t be so bogged down. The TTL is increased five minutes for each additional 100 registrations, starting at 500; that is, if the server receives 500 simultaneous registration requests, burst mode kicks in and the registration TTL is five minutes. If there are 600 requests, the TTL is set for 10 minutes instead, and so on. WINS strategies include the judicious placement of WINS servers, creating pull partners across slow WAN links, and setting up push/pull times after hours for slow links. It’s important to use an alerting method to notify you when WINS has stopped working, for whatever reason. You also want to know when replication times are taking longer than expected and if the number of queries or times to resolve queries have gone up. All of these imply a heavily loaded WINS system that needs to be dealt with. DNS looks similar to the way it looked in Windows NT 4 except that, like WINS, it too uses the MMC interface. Figure 7.7 shows what the DNS screen looks like with the three computers on my mini-network: 2000guy, NT-MAN, and Barney.
FIGURE 7.7
The Windows 2000 DNS screen
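The burst-mode TTL schedule and the WINS alerting conditions described above (service stopped, slow replication, rising query counts or resolution times) are both simple enough to express as code. The following is an added example, not code from the study guide or from Windows 2000. The TTL function implements exactly the schedule the text gives (5 minutes at 500 queued registrations, 5 more for every further 100); the log format, the thresholds, and the sample lines are constructed assumptions, since Windows 2000 WINS does not log in this form, and a real deployment would feed System Monitor counters or EMS events into the same rules.

```python
"""WINS burst-mode TTL schedule and alert rules over constructed log lines.
Added example; the log format and thresholds are assumptions, not Windows 2000 output."""
from typing import Dict, List, Optional, Tuple

BURST_THRESHOLD = 500      # simultaneous registrations that switch burst mode on
BURST_BASE_TTL_MIN = 5     # TTL returned in the first burst-mode ACK, in minutes
BURST_STEP = 100           # every further 100 registrations add another 5 minutes


def burst_mode_ttl_minutes(queued_registrations: int) -> Optional[int]:
    """TTL handed back in the burst-mode ACK, or None when burst mode is not active."""
    if queued_registrations < BURST_THRESHOLD:
        return None
    extra_steps = (queued_registrations - BURST_THRESHOLD) // BURST_STEP
    return BURST_BASE_TTL_MIN * (1 + extra_steps)


# Constructed sample log, one event per line: timestamp, host, event kind, key=value fields.
SAMPLE_LOG = """\
2002-03-01 02:00:12 wins1 REPL partner=wins2 status=ok duration_s=42
2002-03-01 02:05:00 wins1 QUERY count=900 avg_ms=3
2002-03-01 02:15:04 wins1 QUERY count=1800 avg_ms=4
2002-03-01 02:30:01 wins1 REPL partner=wins2 status=ok duration_s=910
2002-03-01 02:45:00 wins1 SERVICE status=stopped
"""


def parse_line(line: str) -> Dict[str, str]:
    """Turn one log line into a dict of its fields."""
    date, time, host, kind, *fields = line.split()
    rec = {"ts": f"{date} {time}", "host": host, "kind": kind}
    for item in fields:
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


Alert = Tuple[str, str, str]   # (timestamp, code, detail)


def wins_alerts(log: str, repl_max_s: int = 600, query_baseline: int = 1000,
                latency_baseline_ms: float = 10.0, factor: float = 1.5) -> List[Alert]:
    """Raise an alert when WINS stops, replication fails or overruns repl_max_s, or the
    query count / average resolution time climbs above factor times its baseline."""
    alerts: List[Alert] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["kind"] == "SERVICE" and rec.get("status") == "stopped":
            alerts.append((rec["ts"], "WINS_STOPPED", f"{rec['host']} reported the service stopped"))
        elif rec["kind"] == "REPL":
            duration = int(rec["duration_s"])
            if rec.get("status") != "ok":
                alerts.append((rec["ts"], "REPL_FAILED", f"replication with {rec['partner']} failed"))
            elif duration > repl_max_s:
                alerts.append((rec["ts"], "REPL_SLOW",
                               f"replication with {rec['partner']} took {duration}s (limit {repl_max_s}s)"))
        elif rec["kind"] == "QUERY":
            count = int(rec["count"])
            avg_ms = float(rec["avg_ms"])
            if count > query_baseline * factor or avg_ms > latency_baseline_ms * factor:
                alerts.append((rec["ts"], "QUERY_LOAD",
                               f"{count} queries, {avg_ms} ms average (baseline {query_baseline}, {latency_baseline_ms} ms)"))
    return alerts


if __name__ == "__main__":
    for n in (400, 500, 600, 700):
        print(n, "registrations ->", burst_mode_ttl_minutes(n), "minute TTL")
    for ts, code, detail in wins_alerts(SAMPLE_LOG):
        print(ts, code, detail)
```

The baselines are the important knobs: set them from a quiet period, then widen the factor if normal daily variation trips the query-load rule too often.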
Several new or enhanced features of Windows 2000 DNS make it more valuable:
DNS in Windows 2000 has a load-balancing feature, where you can group several computers together that have a common name but different IP addresses under one DNS entry. When a DNS request comes in for that name, the DNS service can answer the request either via a pre-prioritized list or in round-robin fashion. You’d use this primarily with web or cluster servers that were load-balancing off one another.
Recursive forward lookups allow a DNS server to forward requests for computer records it does not have, using other WINS or DNS servers to satisfy a client’s name lookup request.
Multiple Windows 2000 DNS servers can be configured to redundantly support one DNS database (for fault tolerance) or to contain separate parts of the database.
Secure zone transfers of encrypted DNS data can be sent over public lines using IPSec or VPN technology.
Incremental zone transfers consisting of just the updated parts of the DNS database can take place. These reduce the bandwidth used by DNS servers replicating with one another.
DHCP and WINS can be used by DNS for name lookups.
If you like, you can run DNS on Windows clustering for full redundancy and fault tolerance.
Windows 2000 supports SRV records.
Windows 2000 DNS supports dynamic DNS.
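Two items in the list above, answering a multi-address name in round-robin or prioritized order and sending only the changed records in an incremental zone transfer, are worth seeing in working form. The following is an added example, not code from the study guide or from the Windows 2000 DNS service: a small in-memory zone that keeps a change history keyed by serial number, serves queries either way, and decides for a secondary whether an incremental transfer (IXFR) is possible or a full copy (AXFR) is needed because the secondary's serial is outside the history it still holds. The zone name, addresses, and the transfer return shapes are constructed assumptions.

```python
"""Round-robin answers and incremental zone transfer for a toy DNS zone.
Added example; the zone data and the transfer message shapes are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

Change = Tuple[int, str, str, str]          # (serial, "add" | "del", host, address)
Records = Dict[str, List[str]]              # host -> addresses, in configured (priority) order


@dataclass
class Zone:
    name: str
    serial: int                              # SOA serial, bumped on every change
    records: Records = field(default_factory=dict)
    history: List[Change] = field(default_factory=list)   # change log the primary keeps for IXFR
    rr_pos: Dict[str, int] = field(default_factory=dict)  # per-name round-robin cursor

    def add(self, host: str, addr: str) -> None:
        self.serial += 1
        self.records.setdefault(host, []).append(addr)
        self.history.append((self.serial, "add", host, addr))

    def delete(self, host: str, addr: str) -> None:
        self.serial += 1
        self.records[host].remove(addr)
        if not self.records[host]:
            del self.records[host]
        self.history.append((self.serial, "del", host, addr))

    def answer(self, host: str, round_robin: bool = True) -> List[str]:
        """All addresses for host; round-robin rotates the start point on each query,
        otherwise the configured order doubles as the priority list."""
        addrs = self.records.get(host, [])
        if not addrs or not round_robin:
            return list(addrs)
        start = self.rr_pos.get(host, 0) % len(addrs)
        self.rr_pos[host] = start + 1
        return addrs[start:] + addrs[:start]

    def zone_transfer(self, secondary_serial: int) -> Tuple[str, Union[List[Change], Records]]:
        """What the primary sends a secondary that last synced at secondary_serial."""
        if secondary_serial == self.serial:
            return ("none", [])
        oldest_servable = self.history[0][0] - 1 if self.history else self.serial
        if secondary_serial > self.serial or secondary_serial < oldest_servable:
            # serial ahead of ours (reset?) or older than our history: full copy
            return ("axfr", {h: list(a) for h, a in self.records.items()})
        return ("ixfr", [c for c in self.history if c[0] > secondary_serial])


def apply_transfer(kind: str, payload: Union[List[Change], Records], records: Records) -> Records:
    """Secondary side: replace everything on AXFR, replay the change list on IXFR."""
    if kind == "axfr":
        return {h: list(a) for h, a in payload.items()}
    out = {h: list(a) for h, a in records.items()}
    for _serial, op, host, addr in payload:
        if op == "add":
            out.setdefault(host, []).append(addr)
        else:
            out[host].remove(addr)
            if not out[host]:
                del out[host]
    return out


if __name__ == "__main__":
    zone = Zone("verybigcompany.com", serial=100)
    for addr in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        zone.add("www", addr)
    print([zone.answer("www") for _ in range(3)])
    print(zone.zone_transfer(101))
```

The history is what makes IXFR possible; a primary that prunes it has to fall back to a full transfer for any secondary older than what it kept, which is the bandwidth cost the feature exists to avoid.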
Deciding how to implement DNS in the Windows 2000 site is going to be your hardest job. Chances are, unless you’re starting with a brand new installation of Windows 2000, you’ll have to pick up some legacy DNS implementation, probably based on Unix. If the BIND version of the Unix servers isn’t up to date (supporting SRV records and dynamic updates), then you may need to cut the entire DNS operation over to Windows 2000. Why? Because dynamic DNS makes your life so much easier by getting rid of the necessity of manually entering all different sorts of DNS records. If you’ve ever maintained static DNS and reverse lookup tables, you know what a monstrously great achievement this new dynamic DNS thing is.
Windows 2000 DNS can reference the Active Directory and get what it needs from there. Unix hosts still have to be manually entered (they’re not a part of AD), but your job is made much simpler. You can make use of the security and speed of zone transfers and use all of the cool AD reference functions of Windows 2000 DNS. But getting your Unix admins to part with their DNS is going to be tough; you have a political fight ahead of you. There are several good reasons for going forward with an AD-integrated zone DNS design, though:
It’s much more difficult for rogue DNS servers to impersonate others in an AD environment.
The DNS replication follows that of the AD replication.
You can perform automatic, secure, dynamic DNS updates.
There is no single point of failure in the design; because the DNS zone is a part of AD, the failure of one DNS computer would not compromise the others.
An AD-based DNS server appears to others as a primary DNS.
A second issue is the actual DNS design. You have two basic models you can draw on:
You’d use a hierarchical model in a large site with many remote locations. You set up your first DNS box as the primary zone to house all of the records for the site. Then you set up other DNS servers with secondary zones in the other areas, making them secondary to the primary zone back at HQ. As the secondary zones replicate their data upward to the primary zone, the primary zone contains a complete listing of all computers on the network, and the secondary zones only have information pertaining to their parts of the network. One potential drawback to this design is that you almost certainly must have a DNS administrator on site at each of the secondary locations.
You could opt for a flat design with one or two DNS servers that share the DNS database. Use this design for smaller networks with fewer users, or where the name-resolution services might take place anywhere on the network and not be so geographically separated.
Managing the DNS environment is going to require some serious planning. There are several questions you have to ask yourself. For starters, how will you be notified if a DNS server goes down? Some sort of alerting methodology, such as an EMS like ManageX, NetIQ, or HP OpenView, might help you with this. You also need to figure out whether the current DNS structure can handle the number of requests coming in. As the system grows and requests start to labor it, you need to put extra systems into place to help balance out the load. Heavy load also affects the amount of time it takes to replicate the database to other computers.
Internet and Remote Access Services
The management of Remote Access Service (RAS) has gotten very sophisticated in recent years. Not only is the list of network protocols that you might have to support much longer, but you’re also faced with new technologies. RADIUS and VPN technologies are among the new concepts that are being used more and more widely in today’s networks. Planning for and managing these RAS and Internet services is an important design component of Windows 2000 networks. Your first consideration, one that your users will be asking of you, is whether you’re going to institute conventional dial-in RAS or go with a VPN solution. With conventional dial-in, you provide a bank of modems (and possibly a toll-free number or two) that users can dial to get into the system. Conventional network protocols and authentication methods are available for dial-in users, and if added security is needed, you can institute a call-back methodology where the user must enter their phone number and then have the system call them back. This kind of RAS is widely in use today under Windows NT 4 and it works well. Standard telecommuting type users can benefit from a regular RAS installation. But there are questions. Can you afford to purchase the modems and pay for the additional monthly cost of the phone lines? If so, how many lines do you think you’ll need? Should you purchase a RAS server device that can use RADIUS or some other method, or should you just go with a set of modems that are connected to a RAS server? With VPN connections, a user dials his or her ISP (through whatever kind of connection he or she is paying for) and then tunnels into your network over the Internet via a secure VPN protocol. With this method you have a lot more planning to do. You need a high-speed connection with an ISP that supports this kind of thing.
Then you need to determine whether you want to try to accomplish this kind of telecommuting connectivity with hardware or with Windows 2000 software. If you select a hardware option, you’ll wind up purchasing special VPN switches and routers that can handle the interaction with the client.
Windows 2000 supports NWLink, TCP/IP, NetBEUI, and AppleTalk as its network protocols. It accepts a variety of authentication protocols, among them the standard MS-CHAP that has been in use for many years plus an encrypted version specifically made for Windows 2000, MS-CHAP v2. EAP-TLS is an authentication protocol used for smart-card support. SPAP is an authentication method used for Shiva LAN Rovers, and PAP will work for clients who are dialing in and have no other authentication capability. RADIUS (covered in Chapter 15) allows authentication with a non-Windows 2000 methodology. You also have a choice of encryption methods such as Microsoft Point-to-Point Encryption (MPPE) for PPP or PPTP protocols. IPSec (discussed in Chapter 14) is used in conjunction with L2TP for VPN connections. Internet connections fall into three categories:
Keeping users inside and not letting them out onto the Internet
Acting as an ISP
Being a “poor man’s ISP” for employees who RAS in and use the Internet
If you have additional Internet security requirements, Proxy Server will allow you to keep users who should only be using your intranet off of the Internet. Network Load Balancing will help keep Web servers functional. Group policy objects will allow you to control who gets to do what. Event notification in RAS is easy through System Monitor. There are specific counters geared toward this function (RAS Port and RAS Total). With web servers, you also have index service counters and event log notifications.
Distributed File System
Distributed File System (Dfs) has been in use for many years in the Windows NT 4 environment and has now found a permanent home in Windows 2000. Its idea is this: Instead of having users memorize tons of different shares spread across many servers, why not have one server host a program that links to the appropriate server and share when the user requests it? For example, suppose you have a server called Fred and a share on it called Files. The UNC to get to this share is \\Fred\Files. Suppose you have another server called Wilma and it has a share on it called Shared. That UNC would then be \\Wilma\Shared. How many of these specific UNCs does a user have to memorize before they’re completely confused? It depends on the user, but the more share points you create, the greater the chance of confusion.
So, it’s more convenient to appoint one server as the Dfs host server and have links on it pointing to the various shares out on the network. Suppose your host server was named Dino. Now your users would point to \\Dino\Files and \\Dino\Shared for their directories, but Dfs would link them to the appropriate servers and shares. This feature spells one-stop shopping for the users, but more complicated maintenance for you. You can highly scale Dfs, creating multiple Dfs root volumes, which then replicate with one another. Since the data is published in AD, it’s available immediately after replication for all users enterprise-wide. Any one path is limited to 260 characters (a Windows 2000 limitation), the only Dfs link limitation that you’d run into. As far as managing this service, the pre-installation design of Dfs is probably the most important step you can take. Where will you place your Dfs servers, and what are the shares that they’ll link to? This is all done in a common DNS namespace so that management is easy, but it takes time to set up. Event notification would lie more within the third-party EMS realm than within the System Monitor environment, because you’ll want to specifically filter for Dfs event-log problems.
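The link model just described, as an added example that is not code from this book or from Microsoft’s Dfs service: a toy resolver for a root hosted on Dino that refers \\Dino\Files to \\Fred\Files and \\Dino\Shared to \\Wilma\Shared, keeps the rest of the requested path, falls back to a second replica when the first server is down, and enforces the 260-character path limit. The second replica (Betty) and the set of "available" servers are constructed for the example.

```python
"""Toy resolver for the Dfs link model described above.

Added example, not code from the Sybex text or from Microsoft's Dfs service.
The host server Dino publishes links; a client asking for \\Dino\Files gets a
referral to the real share \\Fred\Files and keeps the rest of its path. Link
names, server names and the "available servers" set are constructed here.
"""
from typing import Dict, Iterable, List, Optional

MAX_PATH = 260   # Windows 2000 path-length limit the text mentions


class DfsRoot:
    def __init__(self, host_server: str) -> None:
        self.prefix = "\\\\" + host_server + "\\"        # e.g. \\Dino\
        self.links: Dict[str, List[str]] = {}          # link name -> target UNCs

    def add_link(self, name: str, *targets: str) -> None:
        """A link may have several targets (replicas); order gives preference."""
        self.links[name.lower()] = list(targets)

    def resolve(self, unc: str, available: Optional[Iterable[str]] = None) -> str:
        """Translate a path under the Dfs root into a path on a real server.

        available: names of servers currently reachable (None = assume all up).
        Raises KeyError for an unknown link, ConnectionError if no replica is
        up, and ValueError if the resolved path exceeds MAX_PATH.
        """
        path = unc.replace("/", "\\")
        if not path.lower().startswith(self.prefix.lower()):
            raise ValueError(f"{unc} is not under the Dfs root {self.prefix}")
        # First component after the root is the link name; the rest is kept as-is.
        link, _, tail = path[len(self.prefix):].partition("\\")
        targets = self.links.get(link.lower())
        if targets is None:
            raise KeyError(f"no Dfs link named {link}")
        up = None if available is None else {s.lower() for s in available}
        for target in targets:
            server = target.split("\\")[2]             # \\server\share -> server
            if up is not None and server.lower() not in up:
                continue                               # replica is down, try the next
            resolved = target + ("\\" + tail if tail else "")
            if len(resolved) > MAX_PATH:
                raise ValueError(f"resolved path is {len(resolved)} chars, over {MAX_PATH}")
            return resolved
        raise ConnectionError(f"no target of link {link} is available")


def build_sample_root() -> DfsRoot:
    """The namespace from the text plus a constructed second replica for Shared."""
    root = DfsRoot("Dino")
    root.add_link("Files", r"\\Fred\Files")
    root.add_link("Shared", r"\\Wilma\Shared", r"\\Betty\Shared")   # Betty is constructed
    return root


if __name__ == "__main__":
    root = build_sample_root()
    print(root.resolve(r"\\Dino\Files\reports\q1.xls"))                     # \\Fred\Files\reports\q1.xls
    print(root.resolve(r"\\Dino\Shared\docs", available=["Fred", "Betty"]))  # \\Betty\Shared\docs
```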
Network Load Balancing
Clustering has gone through several iterations at Microsoft. In the early stages of Microsoft clustering (the WolfPack days—a code name for a product that ultimately wound up being called Microsoft Cluster Server), the product was a separate add-on of NT Enterprise Server. Then, somewhere along the line, its name was changed to Windows Load Balancing (WLB), and today in Windows 2000 it is called Network Load Balancing. You’ll still find traces of the old Windows Load Balancing terminology; in fact, the executable is still called wlbs.exe. That said, in the rest of this book, references to cluster, Windows Load Balancing (WLB), or Network Load Balancing (NLB), all refer to the same thing. There are two types of clustering:
NLB, which provides scalability and availability for IP-based services (such as web services, for example)
Server clusters, which provide high availability for applications through a failover mechanism
Microsoft Exam Objective
Design a load-balancing strategy.
You use clustering for high availability, strongly fault-tolerant situations where you cannot afford for an application or service to go away for any length of time at all. You set up the application, then set up server clustering so that if the computer that the application is on fails, a failover occurs and the entire operation is transferred to another computer. If everything goes right, users should not see even a blip on their screens. Alternatively, you can set up NLB so that every server computer in the cluster runs a copy of the application simultaneously. Clusters are not suited to just any application on the network. They are especially suited for things like web sites, where you don’t have a lot of data being transferred into a system by users. If you do have a SQL Server that gets information posted to it through a web site, and you have multiple web sites on a cluster, then all web sites can post to the same web server. But the SQL Server itself is a stand-alone unit, or makes use of SQL Server replication; it does not work well in a clustered environment. Every computer in the cluster is called a node. You have to look for applications that are cluster-aware, meaning that they’ll work on a cluster—for example, some of the BackOffice products such as Exchange 2000. The Windows 2000 services—WINS, DHCP, DNS, and others—while not cluster-aware, can still work in a cluster server environment. Keep in mind that if an application requires specialized hardware or customized configurations, then for each clustered server you must duplicate that hardware or configuration component. For example, if you decide to cluster an enterprise fax system, and your first fax server has a 24-port T1 fax card in it, then each computer will have to have that same T1 fax card as well. You can’t failover to a new computer and expect it to use hardware or configurations on a dead computer! 
That is why, even though Windows 2000 VPNs are cluster-aware, you must make sure you duplicate the hardware and settings required on each computer so that failover can occur. Nodes that operate simultaneously with one another in a cluster are said to be members of an active/active cluster. Nodes that are active and fail over to inactive nodes are members of an active/passive cluster. After failover in an active/passive cluster, once the problem is repaired, the application can go through a failback to put it back on the primary node.
Please keep in mind that when a node in a cluster fails, subsequently causing a failover, the failover might take anywhere between a few seconds to a few minutes, depending on the type of server gear the cluster is configured on and various other components.
There are two ways to describe client interaction with NLB, both referring to the state that the client is in when an interaction takes place. (In fact, you’ll often see this referred to as a stateful connection.) The first is an interclient state, where multiple clients are working on a system and updates are synchronized. SQL Server is good at interclient state connections. The second means of client interaction is an intraclient state, where a client is by itself but may be hitting several different connections. A famous example is when a customer buys something from a web site and uses the shopping cart metaphor. Here the client may be hitting several simultaneous sites, but there is only one client state going on. NLB is good with intraclient states but should never be used with interclient states. You install NLB from Local Area Network properties, just as you would any other network driver component. It installs over TCP/IP and no other protocol and will work on FDDI or Ethernet network segments. You have two choices for NLB installation: unicast mode or multicast mode. Multicast mode is preferred because it’s more efficient. If you’re going to use unicast mode, you must have two NICs in the cluster computer: One is used by the client in accessing the cluster computer and the other is used by the cluster computer talking to the rest of the cluster. Multicast mode doesn’t require two NICs, but it modifies the MAC address on the NIC so that it shows up as a multicast NIC. Some NICs do not allow these kinds of modifications; if yours doesn’t, you’ll have to replace the NIC with one that does. Configuration is very straightforward; Figures 7.8 and 7.9 show the initial configuration screens. (Get there by right-clicking My Network Places and choosing Properties, then right-clicking Local Area Network Connection and choosing Properties, and checking the Network Load Balancing option.) You enter the IP address and subnet mask, then fill in a few boxes, including the Multicast Support check box.
The Initial Cluster State check box allows you to make the cluster active right away and at each reboot; if it’s unchecked, you must manage the cluster through the command line. You can apply a password that allows you to connect remotely to the cluster server.
FIGURE 7.8
NLB cluster parameters
FIGURE 7.9
NLB host parameters
Port rules, as shown in Figure 7.10, allow you to configure the way that cluster traffic is handled per port. When you configure a port, you’re said to have set up a filtering rule.
FIGURE 7.10
NLB port rules
You can use the cluster administrator program, installed on every Windows 2000 or Windows NT 4 SP3 node in the cluster. Alternatively, you can use the cluster administrator from a separate computer to manage the entire cluster. To see a list of commands used in clustering, open a command prompt and type cluster /?. You can use clustering with two different design scenarios. You can choose to use two or more nodes that are hooked to a common shared storage device such as a RAID tower, or each node in the cluster can have its own disk array. Intuitively, failover on a node that has its own array takes longer than failover on a node that is hooked to a shared storage array.
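The port rules and the intraclient/interclient distinction above, as an added example (not code from this book or from Microsoft): a simplified model in which every host sees every packet to the cluster address and decides on its own whether it owns it. The rule modes and affinity settings follow NLB’s terms, but the bucket function is a hand-computable stand-in for Microsoft’s real hashing, and the three hosts, ports, and client addresses are constructed.

```python
"""Simplified model of NLB port rules and per-packet filtering.

Added example; this is not code from the Sybex text or from Microsoft. In NLB
every host in the cluster sees every packet sent to the cluster IP address and
decides on its own, using the shared rule set and a deterministic function of
the packet, whether it owns that packet. Exactly one host accepts a packet;
the rest silently drop it. Microsoft's real hashing is not described in the
text, so a toy bucket function stands in for it here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PortRule:
    """One filtering rule covering the destination ports start..end."""
    start: int
    end: int
    mode: str                  # "multiple" (load-balanced), "single" (one host) or "disabled"
    affinity: str = "single"   # for "multiple": "single" keys on client IP, "none" on IP+port


@dataclass(frozen=True)
class Host:
    name: str
    priority: int          # unique per host; 1 is the highest priority (the default host)


def bucket(client_ip: str, client_port: Optional[int], n: int) -> int:
    """Toy stand-in for NLB's hash (an assumption, not the real algorithm). Every
    host evaluates it identically, so they all agree on the owner."""
    parts = [int(octet) for octet in client_ip.split(".")]
    if client_port is not None:
        parts.append(client_port)
    return sum(parts) % n


class NlbCluster:
    def __init__(self, hosts: List[Host], rules: List[PortRule]) -> None:
        # Hosts ordered by priority; index 0 is the default host.
        self.hosts = sorted(hosts, key=lambda h: h.priority)
        self.rules = rules

    def rule_for(self, dst_port: int) -> Optional[PortRule]:
        for rule in self.rules:
            if rule.start <= dst_port <= rule.end:
                return rule
        return None

    def owner(self, client_ip: str, client_port: int, dst_port: int) -> Optional[str]:
        """Name of the host that accepts this packet, or None if it is dropped."""
        rule = self.rule_for(dst_port)
        if rule is None:
            return self.hosts[0].name           # not covered by any rule: default host
        if rule.mode == "disabled":
            return None                         # filtered out on every host
        if rule.mode == "single":
            return self.hosts[0].name           # highest-priority host takes it all
        key_port = None if rule.affinity == "single" else client_port
        return self.hosts[bucket(client_ip, key_port, len(self.hosts))].name

    def fail_host(self, name: str) -> None:
        """Host leaves the cluster; the survivors converge on a new distribution."""
        self.hosts = [h for h in self.hosts if h.name != name]


def session_hosts(cluster: NlbCluster, client_ip: str, client_ports: List[int],
                  dst_port: int = 80) -> List[Optional[str]]:
    """Which host serves each connection of one client's session (intraclient state)."""
    return [cluster.owner(client_ip, p, dst_port) for p in client_ports]


def node_local_counters(cluster: NlbCluster,
                        updates: List[Tuple[str, int]]) -> Dict[str, int]:
    """Each node keeps its own in-memory counter. Updates from many clients land
    on different nodes and the counters are never reconciled, which is the
    interclient-state case the text says NLB must not be used for."""
    counters = {h.name: 0 for h in cluster.hosts}
    for client_ip, client_port in updates:
        host = cluster.owner(client_ip, client_port, 80)
        if host is not None:
            counters[host] += 1
    return counters


# Constructed sample cluster: three nodes, web on 80 balanced with client
# affinity, 443 pinned to one host, FTP control port blocked.
HOSTS = [Host("A", 1), Host("B", 2), Host("C", 3)]
RULES_STICKY = [PortRule(80, 80, "multiple", "single"),
                PortRule(443, 443, "single"),
                PortRule(21, 21, "disabled")]
RULES_NO_AFFINITY = [PortRule(80, 80, "multiple", "none")]

if __name__ == "__main__":
    sticky = NlbCluster(HOSTS, RULES_STICKY)
    loose = NlbCluster(HOSTS, RULES_NO_AFFINITY)
    ports = [40000, 40001, 40002]
    print("affinity single:", session_hosts(sticky, "10.1.2.3", ports))  # all on B
    print("affinity none:  ", session_hosts(loose, "10.1.2.3", ports))   # spread across hosts
    print(node_local_counters(sticky, [("10.1.2.3", 1), ("10.1.2.4", 1),
                                       ("10.1.2.5", 1), ("10.1.2.6", 1)]))
    sticky.fail_host("B")
    print("after B fails:", session_hosts(sticky, "10.1.2.3", ports))    # moved to A
```

With affinity set to none, one shopper’s connections are spread over several nodes, so a cart kept in a node’s memory is lost between requests; with single affinity the client sticks to one node until that node fails and the survivors redistribute the clients.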
Supporting Application Architectures
As with almost everything else you’ve learned relative to a Windows 2000 deployment, there are two things to consider when thinking about how to support application architectures: legacy applications and new Windows 2000 applications. But before we dive into those two things, we need to define what the term architecture might imply.
Microsoft Exam Objective
Design network services that support application architecture.
Some companies have employees that are the architects for the enterprise. That means they’re given a charge by management to find out what software and hardware can meet a company goal. You may have Windows, Unix, network, and Oracle DBA architects. Suppose that one of the mandates is that the architects have to find out what the best high-level (H.323) videoconferencing system is and then make a determination about what software and hardware is required to make the system active and viable. Network changes might need to be wrought. New computers might need to be brought in, or training might have to take place so that the stakeholders, the owners of the new system, understand how it works. Likely, several components would be involved in bringing this new system online, not just one. That’s what the framers of the Windows 2000 infrastructure test are getting at when they put up a test objective like “Design network services that support application architecture.” You need to look at the whole picture to figure out how best to support a given application. Some applications are fairly non-intrusive, meaning that they live on one box, they’re used by a handful of users, and they don’t get in the way of the enterprise, so to speak. Others are massive, requiring many hours of planning, conversation, and engineering to make sure they work correctly.
Designing Network Services to Support Legacy Applications
This is most likely going to be the biggest problem for you and your stakeholders, and the one that will slow down your Windows 2000 deployment. Suppose that you have an application that’s used daily by hundreds of users. The application runs just fine on a Windows NT 4 server computer, though it has taken you a bit of fiddling to make sure it works correctly. You’ve gone through a couple of service pack installations and special registry hacks, but the application has proven to be non-error-prone and a dynamic tool for your enterprise. You can’t live without it. But now you want to introduce Windows 2000 to the network. What sort of reaction do you think the owners of the legacy app will have when you tell them about your plans? They’ll at least want you to set up a test environment and rigorously test the application on the new operating system before you even consider putting Windows 2000 into production. This is a good design practice when moving to the Windows 2000 network anyway. Back to the architecture drawing board. First, you have to find out whether the company that wrote the application even supports it on Windows 2000. If your in-house developers wrote it, you need to find out from them whether it has been developed transparent to the operating system, and if the code will operate on Windows 2000. There is a much higher chance that you’ll have to delay your complete Windows 2000 deployment if you have legacy apps that are complicated and used by lots of users. First, stakeholders are reluctant to migrate to a new operating system just because it’s the cool thing to have, especially when the old operating system works just fine. Second, there are millions of trails that you must go down when you’re figuring out how big applications work, and it’ll take some time to get all of the workarounds and special new methods in place before you can proceed. Moral of this story? In shops with legacy apps that are complicated to convert, plan on spending extra time re-architecting the app so it’ll work with Windows 2000 or maintaining legacy Windows NT 4 servers for the app. Now what does it mean to “Design network services to support applications”? Looking at the previous section that explained some of the network services, and thinking about enterprise applications you have in place today, can you think of network services in Windows 2000 that might give you a hard time? I can think of several, but one specific one that I have in mind is an application that needs to check the Windows NT 4 SAM for a user list.
RAS server authentication software and enterprise fax software might both need to do this, right? But if you’re on Windows 2000 AD, how does this app check a user list? Answer: It doesn’t. This is the kind of thinking that you have to go through when considering legacy apps participating in a Windows 2000 network.
Designing Network Services to Support New Applications
Supporting new applications is much easier because you’re starting with a known infrastructure framework—the applications have to run on Windows 2000. Exchange 2000, for example, is designed to run with the AD and, if you architect the computer it’s going to live on correctly, it shouldn’t give you any problems. But imagine the huge training investment companies will have to make so that developers understand how AD works and how it’s different from the old NT 4 SAM. What Kerberos is all about. How certificate services work. What role LDAP plays in a Windows 2000 environment. For independent, non-Microsoft developers, it’s going to be a big paradigm shift. Some apps might port just fine; others will need to be completely rewritten. Being aware of the core network services that Windows 2000 provides helps you know whether a new application will play nicely with the new operating system. Be very cautious of vendors who maintain that their code will live just fine on a Windows 2000 box when you can read the software package’s label and clearly see that it was written for Windows NT 4. Thoroughly test this kind of code in a lab environment before putting it into production.
The Call-Routing Application
Cisco Corporation recently purchased a company called GeoTel. This company writes call-routing software. The idea behind call routing is this: In companies that have large customer service centers with thousands of people on the phones answering customer queries, you must have some intelligence built into the call router so that the system knows when a queue is empty and can route a call to it. Conceptually, if you can make intelligent decisions and get calls to customer service people faster, hold times won’t be as long and neither will hangups, the bane of the customer service industry. GeoTel runs on Windows NT 4 server computers (SP5) against a SQL Server (6.5 SP2) database. These are high-end (Tier 1), multiple-processor computers with lots of RAM. Many computers are involved in a typical call-router design, plus lots of specialized telephony circuits and cards. When you purchase a GeoTel system, a great deal of the expense goes toward hiring contract system engineers from Cisco who know how to set up the GeoTel system and make it work. These people live with you for months while the project is kicked off, tuned, and made to run.
What do you think? Do you think you could get Cisco and GeoTel to allow you to go in with a set of Windows 2000 computers instead? When we asked them about SQL 7, we were told that we’d have to wait for the next revision of GeoTel (version 5) before we could go to that version of SQL Server. Chances are likely that you won’t be able to get GeoTel on Windows 2000 servers until version 6 or better. But that’s the idea behind these apps—you have to check them out and ask those kinds of questions. Then, if the answer from the vendor is no, you must come up with some sort of legacy contingency plan. Failure to ask the important questions can lead to a miserable Windows 2000 migration experience.
Planning for the Interaction of Windows 2000 Networking Services
The previous section leads us to the final section of this long chapter. How do you plan for the interaction of the new Windows 2000 networking services? How will AD work with the old Windows NT 4 SAM, for example?
Microsoft Exam Objective
Design a plan for the interaction of Windows 2000 network services such as WINS, DHCP, and DNS.
Questions like these are great because they force you to probe deep into applications that you have running on your enterprise—applications you may have never considered before. Once you understand an enterprise application’s functionality, especially if it’s integrated with other systems (which is frequently the case), you can make some great design decisions about how to upgrade or migrate the application to make it work better. Plus, you’re on the ball when it comes to deciding whether an upgrade of the software is necessary. Some applications don’t ever need to be upgraded (at least not according to standard software product life cycles); other applications need routine upgrade. Understanding an enterprise app helps you understand its context on your network, which in turn helps you make good Windows 2000 deployment decisions.
Backward Compatibility with NT 4 Networks and Name-Resolution Services
NT 4 networks work just fine with Windows 2000. You can do one of two things when it comes to deciding what to do with legacy NT 4 networks: Set up a trust relationship or make the NT 4 box join the new domain. With member servers, the latter option might be the best; with PDCs and BDCs, you’ll need the trust relationship. Here’s how it works. Bring up your new Windows 2000 domain and configure it as you did in your initial Windows 2000 design. Set up AD. Now simply go into Active Directory Domains and Trusts for the domain you’re interested in participating with, right-click the domain you’re interested in, and select Properties. A window similar to the one in Figure 7.11 will show up; in this figure you can see that a trust relationship is set up with an existing Windows NT 4 domain called FREELANCE. Windows 2000 DHCP servers must be authorized for AD. Windows NT 4 DHCP servers don’t have this kind of capability, but you can monitor their scopes from within the Windows 2000 DHCP program. Figure 7.12 shows that a Windows NT 4 computer called nt-man has been added to the list of DHCP servers that is being monitored from the Windows 2000 server. Figures 7.12 and 7.13 show the differences in the properties you can adjust for the two servers. The top server, 2000guy, is the Windows 2000 DHCP server; nt-man on the bottom is the Windows NT 4 server.
FIGURE 7.11
Setting up a Windows NT 4 trust relationship with a Windows 2000 server
FIGURE 7.12
Windows 2000 DHCP server adjustable properties
FIGURE 7.13
Windows NT 4 DHCP server adjustable properties
The same is true of WINS servers. There is some added functionality in Windows 2000 WINS, namely the burst mode feature we spoke of earlier, but getting NT 4 and 2000 WINS servers to talk to each other is quite easy. They can act as replication partners with one another and can be manipulated from the same Windows 2000 WINS interface (found in Control Panel under Administrative Tools). Figure 7.14 shows the 2000 server (2000guy) and NT 4 server (nt-man) in the Windows 2000 WINS interface. Notice that push/pull replication is turned on between the two servers.
FIGURE 7.14
Viewing Windows 2000 and Windows NT 4 WINS servers from the Windows 2000 WINS interface
The Windows 2000 DNS interface will not work with the old Windows NT 4 DNS. If you’re in an environment where Unix sources do DNS, the BIND version may need to be reviewed in order to support dynamic DNS. A primary zone running dynamic DNS can, however, talk to a secondary zone that isn’t doing dynamic DNS. Thus your Windows 2000 dynamic DNS servers can talk to non-dynamic-DNS-compliant BIND servers, though some re-architecting of the DNS environment may be needed. But I’d advise that if your Windows NT 4 boxes were originally doing DNS, you should either move DNS to Windows 2000 or upgrade the DNS server boxes to Windows 2000 almost before any other boxes are done. That way you can take advantage of the new DNS. While Active Directory is the new critical component of Windows 2000, DNS is the critical component for Active Directory.
Pure Windows 2000 Networks and Name Resolution Service Interaction
Running name resolution services, WINS, and DNS in a pure Windows 2000 environment is easy to set up. But you can run into problems if you decide to implement some of the fault-tolerance or security features, such as encrypted zone transfer (via IPSec), for example, in the new DNS.
The wisest design scenario is to bring up your new name server services, get them running, and monitor them for incongruities or weaknesses. Then, when you’re sure you have things nailed, go forward with the security measures that you’d like to implement. Especially with Windows 2000, it’s best to phase in name services solutions.
Designing a Resource Strategy
You arrive at the end of this chapter, having thought and talked an awful lot about various network resources: WINS, DHCP, DNS, AD global catalog servers, LDAP, RAS, and Internet services, among others. Does your design plot out the various things you need to know about the resources involved in making these things happen?
Planning for Placement and Management of Resources
Microsoft Exam Objective
Design a resource strategy. Plan for the placement and management of resources.
Here are some examples of questions to think about in designing a resource strategy to adequately handle the new network:
Are the computers you intend to use for the new purpose on the Windows 2000 HCL, and are they able to adequately handle the task?
Do you have enough displacement of computers? In other words, if your enterprise covers large geographic distances, do you have redundant computers to handle things like name server services and AD? You can handle the replication issues over slow links later on at deployment time, but you need to make sure you have the enterprise covered in terms of componentry at all hot spots.
Will geographically separated sites run RAS? If so, will their RAS servers be local to them or to you? If local to you, will you have a toll-free number?
What about the web servers? Are they on a DMZ? Is there firewall protection for them? Will they participate in Windows 2000 (thinking that perhaps because they’re in a separate domain they might not need to, if there’s a fear about moving to the new operating system)? What is the firewall protection like? If users need to use the intranet, where and how will they access it?
Will you have to support legacy applications and be backward compatible with Windows NT 4 servers for a time? If so, do you know how long? What about name server services—can you bring them up on Windows 2000 right away, or do you have to use legacy name server support for a time?
Which sites will have global catalog servers? WINS servers? DNS servers?
Will you use dynamic DNS and the various security methodologies that are supported in the new DNS?
How will you monitor events and provide alerting for yourself and other administrators when a component has a problem? Will you strictly try to use System Monitor? Will you try to implement a third-party EMS?
How will you handle design changes, both pre- and post-deployment? Do you think you can spot trouble spots before they become big flameouts? If so, what will your design-compliance strategy be?
All of these questions and possibly more come into play when you begin to consider the placement of network services resources on a Windows 2000 network. Making sure that the TCP/IP design works and is solid will go a long way toward helping you get the answers you need to the preceding questions. Trying to figure out something that you think is a network services problem, when in fact you have a TCP/IP issue, will not be a happy time in your deployment life. Weak WAN circuits need to somehow be dealt with. The Microsoft literature mentions ways that you can work around weak links, and that’s fine; sometimes you might have to. Companies are not often in the habit of upgrading WAN links just because you say they need to be upgraded— they’re expensive! But a Windows 2000 design, with all of this network services activity taking place across many different servers in different locations, might require that you take another look at the WAN connectivity and spruce it up before you go forward with the rollout.
The people resources required to manage these various network services servers might present another problem to you. For example, you know that you’re probably going to have to place a second DNS box out in your Johannesburg, South Africa location. But you don’t have any skilled Windows NT or Windows 2000 administrators there who can help troubleshoot the computer if it has a problem. You have some junior people there whom you could work with over the phone, but they’re 10 hours away from you in Kentucky, and you’ll be working in the middle of the night!
Remote Administration Possibilities for Johannesburg
In addition to connecting to the Johannesburg DNS server using the DNS MMC snap-in, there are three other methods you could use to work on the problem described in the previous paragraph. The first would be to install SMS 2 and use Remote Tools to remote into the South Africa computer. This works well over marginally slow links and you’ll have no problems with it, but SMS has a big learning curve if you haven’t used it before. Second, consider a freeware product available through AT&T called VNC (Virtual Network Computing). This handy product installs on servers and runs as a service. You then dial in to the network, open your browser, type in http://computer_name:5800 (connecting to the computer you want to connect to on port 5800), supply a password, and you have remote control. The URL for the VNC software is www.uk.research.att.com/vnc. Third, you could consider a Windows Terminal Server (WTS) computer local to the network where you want to run the admin software. You’d dial in to the network you wanted to administer, bring up the WTS client software, and away you go. The point is, don’t let potential administrative difficulties stop you from performing a good network design. If the remote site needs a DNS server, then it had better get a DNS server. Microsoft and other companies have good products available to make remote administration an easier task.
Planning for Growth
Not only do you have to plan for the initial placement of resources, you must also plan for the growth of various locations.
Microsoft Exam Objective
Design a resource strategy.
Plan for growth.
Certain locations are probably going to be more prone to growth than others. If you can somehow figure out what those locations might be ahead of time, you can allocate additional resources to those locations in anticipation of that growth.
Planning for Decentralized or Centralized Resources
Decentralized resources that are geographically far away from one another present a unique challenge. You might have administrator problems (either by virtue of not having any administrators in the remote location or not being sure of who the administrator is), and you might have connectivity issues with slow or nonexistent WAN circuits. You can use Windows 2000 dial-up connections to provide RAS connectivity between locations. The more subjective problem might be pinpointing and solving the administrator issues.
Microsoft Exam Objective
Design a resource strategy.
Plan for decentralized resources or centralized resources.
Centralized resources are easier to plan and manage, but unless you have great WAN connections to outside locations, users will become frustrated with the slowness associated with trying to use the resources. A decentralized model is hard to administer but easier on users, while the opposite is true with a centralized model. This, of course, has everything to do with the speed of the connecting WAN circuits (if any). Windows Terminal Server is a great workaround to some of the problems associated with a centralized methodology, because users dial in with their own computers and run the applications they need from centralized servers. You might encounter other issues, such as the placement of DHCP and DNS servers. Slow WAN circuits, lack of administrative resources, and the need for redundancy and backups might force you to design in added servers at other locations. Then the question becomes: Who’s going to manage these new resources? In a centralized environment, you would handle that chore. In a decentralized environment, somebody else might have to.
Summary
There was a lot of information to cover in this chapter! Our thoughts and goals are still on the modification and design of the various components of a Windows 2000 network; specifically, this chapter drilled in on Windows 2000 networking services.
The chapter started with a quick overview of Windows 2000 networking services. TCP/IP is the major protocol in Windows 2000; AppleTalk, NetBEUI, and NWLink are still supported for RAS, but the big protocol is TCP/IP. It has to be, because Active Directory depends on it (and on DNS), not to mention that there is so much web integration that we could not get along without it. RAS components are greatly enhanced with the addition of protocols such as L2TP, EAP, and BAP, and RADIUS is also supported in Windows 2000.
Next up were the two routing protocols included with Windows 2000. The legacy routing protocol that started in the Windows NT 4 Server world is the Routing Information Protocol (RIP), and it is included in Windows 2000. The more interesting inclusion (which was also supported by NT 4 RRAS) is the link-state standard Open Shortest Path First (OSPF). Does this mean that smaller shops can forgo the purchase of an expensive dedicated router? Maybe.
This chapter also talked about a new Windows 2000 Internet feature, Internet Connection Sharing. Internet Connection Sharing provides very basic name server services and acts as a Network Address Translation (NAT) device, translating internal IP addresses to those used on the public Internet and vice versa.
Another objective was to talk about network topology. We started by defining what is meant by a network topology and defined the star, ring, and bus topologies. But a topology is more than its physical description; it also has a logical description as set down by the IEEE. IEEE 802.3, for example, describes the Ethernet standard. In talking about topologies and their support (especially when considering a new Windows 2000 deployment), we discussed the cable plant and how important it is, especially its backbone. We also discussed dealing with older topologies and with disparate topologies (such as token ring and Ethernet).
The chapter then presented a discussion of designing a strategy for monitoring and managing various network services. The services we were specifically interested in were the AD global catalog, LDAP, Certificate Services, name-resolution services, Internet and RAS services, and Dfs. All of these services have three criteria that need watching: events and alert notification, anticipating design changes, and verifying design compliance.
Next we discussed the support of application architectures. We defined architecture as the sum total of the hardware, infrastructure, software, and management resources needed to make an application come to fruition and work well on a daily basis. We also discussed how to support legacy apps and what to think about with new apps.
The chapter covered name server services, how legacy Windows NT 4 networks integrate with new Windows 2000 networks, and some ideas about managing new Windows 2000 name server services. Finally, we talked about a resource strategy and presented a list of important questions to ask when considering the inclusion of various Windows 2000 networking services in a network.
Exam Essentials
Understand the implications of network topology design. The most common network topology you will run across is the star. It is flexible and easy to work with. However, you may need to work with a bus or a ring topology, and you need to know the performance traits of each.
Know how to monitor various network services. Microsoft's best built-in tool for monitoring these services is Windows 2000's System Monitor. It provides a variety of counters for monitoring hardware as well as network services.
Understand load balancing. In the Windows 2000 world, load balancing generally means using Network Load Balancing (NLB) or some form of active clustering. The key to load balancing is to provide identical services from multiple machines. This is powerful in heavily utilized environments, such as popular web sites. Clustering is also handy because it provides fault tolerance as well.
Understand WINS, DHCP, and DNS. WINS was a critical service in Windows NT, but it is no longer required in a pure Windows 2000 network. It is still supported and can provide useful NetBIOS name resolution for legacy clients and applications. DHCP is incredibly convenient for managing IP addresses and providing client-side TCP/IP configuration. DNS is critical to the operation of Active Directory; not enough can be said about DNS.
Understand growth potential for your company. We have discussed this before, but you really need to be able to handle company growth from your network's perspective. At the same time, you can't go overboard and purchase extraneous hardware that you will likely never need.
Understand centralized versus decentralized resources. Centralized resources, as the name implies, means that all resources are in one location. While this is convenient from a management perspective, users in remote locations can and will complain about slow access. Decentralized resources are common in dispersed organizations and are harder to manage as a whole.
Know where to place domain controllers and global catalog servers. You should have at least one domain controller and global catalog server at each physical location of your network. If you have only one physical location, you should still have at least two domain controllers for fault tolerance.
Chapter 7
Designing a Management and Implementation Strategy for Windows 2000 Networks
Key Terms
Before you take the exam, be certain you are familiar with the following terms:
active/active cluster
active/passive cluster
Automatic Private IP Addressing (APIPA)
backbone
bus topology
CA hierarchy
canonical name
Certificate Services
certification authority (CA)
common name
Dfs host server
Dfs root volumes
distance vector routing protocol
Distributed File System (Dfs)
domain controllers (DC)
Extensible Authentication Protocol (EAP)
failback
filtering rule
global catalog (GC) server
infrastructure master
interclient state
Internet Assigned Numbers Authority (IANA)
Internet Authentication Services (IAS)
Internet Protocol Security (IPSec)
intraclient state
Layer 2 Tunneling Protocol (L2TP)
link-state routing protocol
Network Address Translation (NAT)
Network Load Balancing (NLB)
node
Open Shortest Path First (OSPF)
organizational unit (OU)
partial replicas
relative distinguished name
Remote Authentication Dial-In User Service (RADIUS)
ring topology
Routing Information Protocol (RIP)
star topology
TCP/IP
token-ring-to-Ethernet topology conversion bridge
topology
user principal name (UPN)
Review Questions
1. You are the network administrator for a multinational marketing firm. Recently, you deployed Windows 2000 company wide. Your three-domain Windows 2000 deployment has one domain controller in each domain. You use the default settings for global catalog servers. What function will the other domain controllers serve, in terms of updating the global catalog?
A. Infrastructure master
B. Intranet master
C. Extranet master
D. Partial replica
2. Recently, your web server has experienced very heavy loads. Analysis indicates that the heavy load is projected to continue, and your one web server will not adequately handle the load. Your boss asks you to explain a topic he just heard about called clustering. More specifically, he wants to know what the structure of the cluster will be like. You know that there are two different methods of implementing a two-computer cluster. What are they (choose two answers)?
A. Shared storage
B. Separate storage
C. Shared network cards
D. Separate network cards
3. You are upgrading your Windows NT 4 network to Windows 2000. Currently, you are running DNS off of your NT boxes. You decide to upgrade your DNS to Windows 2000 as well. On top of that, once your domain is installed, you are going to implement Active Directory-integrated (ADI) zones. What feature of ADI zones might have influenced you to use them instead of standard primary zones?
A. Public key encryption
B. Dynamic DNS
C. Secure Dynamic Updates
D. Recursive forward lookup
4. You have a group of four servers running the same applications on your Windows 2000 network. The servers each have separate IP addresses but a common logical name. What method does DNS use for forwarding requests to such an application server setup, either with round-robin name resolution or by prioritized list?
A. Cluster load balancing
B. Server clustering
C. DNS load balancing
D. Recursive forward lookup
5. You are running a Windows 2000 network that spans three physical locations: Boston, New York, and Philadelphia. Your headquarters are in Boston. Users in the remote offices complain of slow access speed to resources located in the home office and are also concerned about the WAN connection reliability. Your boss suggests that you upgrade your WAN connection to SONET, and she asks you if you know anything about it. First of all, what type of topology does SONET use?
A. Bus
B. Star
C. Modified star
D. Ring
6. You are the network administrator for your company. Currently, you are setting up a secure intranet for users on the network. It will contain public information, such as phone lists and company-wide memos. Users will also be able to access an electronic time clock and access their 401(k) information from their machines. Of course, security is a concern. You decide to implement certificates. Management wants to make sure that no one will be able to hack the security and that users will only be able to access their own information. You are to give a presentation on the benefits of using a certificate authority (CA). What cryptographic methodology does this service use?
A. PGP
B. Symmetric key encryption
C. PKI
D. MS-CHAP
7. You are the network administrator for your company. You have two offices, one in Denver and one in Houston. Management wants to create a secure VPN connection between the two offices to facilitate transfer of information between locations. It is suggested that you use the most current VPN protocols that Windows 2000 provides and avoid using the proprietary PPTP. When you set up the VPN, which protocol will be used to secure the information traveling across the link?
A. PPP
B. L2TP
C. MS-CHAPv2
D. IPSec
8. You are the de facto administrator for a small accounting firm. Your network has about eight users. You want to set them up on the Internet. What Windows 2000 component should you use to handle name resolution and NAT services for you so you don't need multiple computers for the job?
A. Proxy server
B. Internet Connection Sharing
C. Internet Authentication Services
D. CA hierarchy
9. You are the network administrator for an import firm. Your company has offices in New Zealand, Hong Kong, and Los Angeles; you're based in the L.A. office. The offices are connected together by slow WAN links. You are being asked to design an upgrade solution so your company can move to Windows 2000. What critical concept should your resource strategy focus on?
A. Decentralized resources
B. Centralized resources
C. Connection-sharing resources
D. DCOM object resources
10. You are in the process of upgrading your Windows NT 4 network to Windows 2000. Your boss is concerned about the availability of critical network services after the upgrade is complete. What are three details you should keep in mind when planning your network services in your new Windows 2000 network (choose three)?
A. Events and alert notification
B. Log file settings
C. Redundancy of servers
D. Anticipating design changes
E. Verifying design compliance
F. Legacy network backward compatibility
Answers to Review Questions
1. A. A domain controller that is not designated as a global catalog server automatically takes on the role of infrastructure master; there is only one infrastructure master per domain. It checks its domain's references to objects in other domains against a global catalog server and replicates any corrections to the other domain controllers in its domain.
2. A, B. If you set up a RAID tower that both servers connect to, you can then set up a cluster that includes the two computers. When the primary server fails, only the server operation is failed over to the other computer. In a separate-storage environment, you have two computers, each with its own RAID storage. When the first computer fails, all of the information on its RAID storage has to be transferred as well in order for the data to be picked up by the other computer. Much more time is used up in failover with this second method.
3. C. Secure Dynamic Updates are only available if you use Active Directory-integrated zones. Public key encryption is used to authenticate parties and is most commonly encountered in web security. Dynamic DNS is supported by Windows 2000 DNS in any zone type; you do not need ADI zones for DDNS.
4. B. You're using a process called server clustering.
5. D. Synchronous Optical Network (SONET) uses a ring topology.
6. C. A CA is the trust anchor of a public key infrastructure (PKI), in which each party holds an asymmetric key pair: a public key and a private key. While no security is "unhackable," public key cryptography is quite secure if implemented properly. PGP (Pretty Good Privacy) is a separate, publicly available encryption program, and symmetric key encryption relies on a single shared secret rather than on certificates.
7. D. While L2TP sets up the tunnel, L2TP by itself provides no encryption. IPSec is the protocol that secures the information traveling across the link.
8. B. Internet Connection Sharing acts as a NAT device and provides elementary name server services for small networks.
9. A. Slow WAN links mean only one thing: distributed resources. That may open up a whole can of administrative worms, but good planning in advance can alleviate many potential problems.
10. A, D, E. The other answers certainly are good details to keep in mind, but what to watch out for as you plan your Windows 2000 network services environment should focus on how the system will alert you to a problem, the contingency plans you'll have for growth, and the way that the design gets deployed and is complied with after deployment. The last item, design compliance, may present the most difficult challenges.
Case Study: The Multinational Winery
You should give yourself 10 minutes to review this case study, diagram as needed, and complete the questions for this testlet.
Background
You work for one of the largest wineries in the world, Old Vines Wine. Old Vines has vineyards in California, Washington, Italy, France, Germany, and Argentina. In addition, the winery has wine preparation facilities in Napa Valley, California, Sonoma, California, and southern France. The vineyards have an average of five employees each, only two or three of whom use computers. Each of the wineries has about 100 employees, most of whom use computers. All computers running anything other than Windows 2000 Professional will be upgraded (or if too old, replaced and then upgraded). You had an old Invisinet network in one winery, but management has opted to scrap any old legacy network and go forward with a new network that can connect their holdings together. Your charge as a contract network architect is to create a new network that will allow, at a minimum, for the three wineries to interconnect, and ideally for the vineyards to have the capability of connecting as well. The current system consists of an old 10Base-2 Invisinet system that you're going to scrap. You'll rip out the old coaxial cable and replace it with Cat5 Ethernet cable.
Problem Statement
The main problem is that you'll only have one administrator working for Old Vines in their main Napa Valley office. She cannot possibly handle the network administration for the entire enterprise. A second problem is that you need to suggest to the winery some enterprise application that will allow them to track inventory and financials.
Envisioned System Overview
You've taken your proposal to the CEO of the winery. You suggest a series of servers installed at the Napa, Sonoma, and southern France offices, with RAS interconnection for the vineyards. You'll run Terminal Services in the southern France office for the European vineyards that need to connect and work on the financials software. You'll also have a WTS box in the Napa office for the remainder of the vineyards. The users that are WAN-interconnected will be able to connect to the financials and inventorying package over the WAN. You'll use, of course, Windows 2000 for your operating system. You present this plan to your manager.
CEO: "I have no idea what you're talking about. But you came highly recommended and I trust your judgment."
Manager: "Looks like a good plan. I'm a little concerned about the WTS thing. Do you think it might be better to put a server at each vineyard?"
Funding
The design will be expensive, especially the Napa–southern France frame relay connection. Your design includes top-quality, HCL-compatible, known good hardware for the servers. You design in several fault-tolerance measures.
CEO: "I'm not so much interested in how much you spend as how well you design the network. Unlike a fine wine, I'm sure networks don't get better with age. I'd rather spend a little more now to make sure it's upgradable and enhanceable in the future."
Security
You'll set up AD and have the Napa office be the global catalog server. You'll train the administrator in Napa how to add users.
Administrator: "Is this setup going to be secure so that people from the outside cannot get in and look at our data?"
Availability
Because of the worldwide aspect of this deployment, you need the servers available 24×7.
CEO: "Don't forget that our people in Germany are eight hours ahead of us! This system needs to be available for them."
Maintainability Overview
The administrator has read a little bit about Windows 2000, and she's somewhat intimidated by its size and complexity. She wants to be able to assure her boss that she can maintain any problems that occur.
CEO: "Make sure you train her on what you know."
Administrator: "I'll take some classes. Will you be available on a call-out basis if we need you?"
Performance Overview
Your biggest concerns are the European RAS circuits. You know nothing about European telephony, and you're not certain how reliable they are. You'll recommend to Old Vines that they purchase as fast a WAN circuit as they can afford between their various locations, and you're comfortable with that. But you're not sure whether to forge ahead with the RAS/WTS solution or to consider a dedicated server at each site with a WAN connection to each.
CEO: "Whatever you decide, if it's reasonable, we'll do it. I want to be sure that my people can communicate with one another and use the applications."
Administrator: "I really think we should consider dedicated circuits to each location. I know it's more servers to maintain, but I'd feel more comfortable."
Questions
1. Which way should you go with the deployment: RAS, or dedicated servers connected by WAN circuits?
A. RAS
B. WAN
2. Look at the following chart. From the task list, create a tree that includes the tasks you'll undertake for setting up the winery servers and the vineyard RAS connections.
Task Categories:
Name Server Tasks
Telecommuting Tasks
Windows 2000 Tasks
Tasks:
Install and configure DNS.
Configure and enable RRAS.
Purchase, configure, and install servers and RAS hardware.
Provision European telephony circuits for RAS server.
Provision American telephony circuits for RAS server.
Install Windows 2000.
Install and configure WINS.
Assign global catalog.
Configure Terminal Server.
Procure and install inventory and financials application.
Install and configure AD.
Train RAS users.
3. Where should the global catalog server(s) be located?
A. Napa
B. Sonoma
C. Southern France
D. All three
E. Napa and southern France
4. OK, so you don't like either the RAS or the WAN design. Would a VPN solution be a good alternative for setting up your vineyard users? Use the following chart to order the steps you'd take in setting up a VPN for the vineyards.
Steps (unordered):
Meet with users at each vineyard; determine a viable ISP for each.
Configure user computers for VPN connectivity.
Provision a corporate ISP for the Napa office.
Test connectivity.
Install and configure L2TP and IPSec on servers.
5. If you go forward with the VPN approach that you outlined in question 4, could you use the VPN for secure DNS zone transfers? There may be more than one correct answer.
A. Yes, you could, but you'd have a more difficult time setting it up.
B. Yes, you could, but you'd need connectivity with the winery offices.
C. No, you could not do this because you have no DNS server.
D. No, there's really no point in doing this.
Case Study Answers
1. A. With only two or three users at each vineyard, it's not worth your while to put a dedicated server out in the field. You're better off installing RAS on the main servers and having users dial in and use WTS. Yes, there's a training component there, but if you put a dedicated server in each location, your poor administrator might have a very difficult time troubleshooting them when and if they break!
2. See the following chart:
Name Server Tasks
    Install and configure DNS.
Telecommuting Tasks
    Provision European telephony circuits for RAS server.
    Provision American telephony circuits for RAS server.
    Purchase, configure, and install servers and RAS hardware.
    Configure and enable RRAS.
    Train RAS users.
Windows 2000 Tasks
    Install Windows 2000.
    Install and configure AD.
    Configure Terminal Server.
You don't use "Install and configure WINS." Why not? You're starting from a Windows 2000 baseline and don't need WINS (though if you had legacy apps requiring WINS you may find yourself needing it). Also notice that the step to "Configure and enable RRAS" didn't include the "Install" piece. Why? Because RRAS comes installed with Windows 2000; only configuration is necessary.
3. E. With quality WAN circuits, you shouldn't need a global catalog server in Sonoma. However, it would benefit you to have a global catalog server in both your European and Napa offices.
4. See the following chart:
Step 1: Provision a corporate ISP for the Napa office.
Step 2: Meet with users at each vineyard; determine a viable ISP for each.
Step 3: Install and configure L2TP and IPSec on servers.
Step 4: Configure user computers for VPN connectivity.
Step 5: Test connectivity.
5. C, D. First, you have no DNS servers at the vineyards, so there's no point in trying to do secure zone transfers over VPN circuits to users. So, there's no point in thinking about this. Use your WAN circuits for DNS zone transfers.
Chapter 8
Designing TCP/IP into Your Network
Microsoft Exam Objectives Covered in This Chapter:
Design a TCP/IP networking strategy.
Analyze IP subnet requirements.
Design a TCP/IP addressing and implementation plan.
Measure and optimize a TCP/IP infrastructure design.
Integrate software routing into existing networks.
Integrate TCP/IP with existing WAN requirements.

TCP/IP is literally the king of the Windows 2000 world. In the Windows NT certification track, the TCP/IP exam was an elective. You could actually become an MCSE without (theoretically) knowing anything about TCP/IP. In today's world, with the importance of the Internet and other TCP/IP-related services, it seems naïve to think you could be a computer expert but know nothing of this protocol suite. Do you have a pretty thorough understanding of TCP/IP? It's good if you do, because you're going to need it. If you don't, then it's about time you get very familiar with it. This chapter is about TCP/IP: coming up with good subnet designs, knowing how your infrastructure looks, and how your network should logically be segmented. This chapter gives a brief overview of the advantages you'll have with Windows 2000 TCP/IP; then we'll segue into the good stuff and talk about practical applications of what you've learned. Once you have learned the theory behind the protocol, it's much easier to understand and implement. But make no mistake: Properly implementing TCP/IP takes practice.
The Advantages of Windows 2000 TCP/IP
Microsoft has made it obvious that TCP/IP is required for the full operation of Windows 2000. In order to create a domain, you need a DNS server. DNS is a direct product of TCP/IP architecture. There are also compelling reasons to use the network services for TCP/IP that are provided with Windows 2000. Here are some features of Windows 2000 and its TCP/IP support that may influence your decision to use the operating system and the protocol:
One of the biggest changes is the introduction (beginning with Windows 98) of Automatic Private IP Addressing (APIPA, pronounced "uh-peep-uh"). APIPA is somewhat similar to DHCP in that an IP address is assigned automatically. The difference is that APIPA kicks in only when no DHCP server answers the client's request. No configuration information apart from the IP address and subnet mask is supplied (no default gateway, no DNS servers), so this is essentially a poor man's DHCP, but it will do in a pinch. Note that APIPA uses only the 169.254.0.0/16 block (169.254.0.1 through 169.254.255.254 with a mask of 255.255.0.0) and no other addresses. The range itself cannot be changed; the most you can do is turn APIPA off for an adapter by setting the IPAutoconfigurationEnabled registry value to 0 for that adapter.
APIPA allows computers that cannot reach a DHCP server to still acquire an IP address and, in theory, communicate on the network. Keep in mind, though, that their addresses will be in the 169.254.0.0/16 range, while the rest of your network is in whatever range you assigned. So even though the APIPA-assigned computers have addresses, those addresses will likely let them talk only to other APIPA hosts on the same segment, and a client that silently falls back to APIPA looks "up" while being cut off from every domain service.
The handy thing about APIPA is that it always uses the same address range. If a client complains about a connection problem, a quick ipconfig showing a 169.254.x.y address tells you immediately that, for whatever reason, the client could not contact a DHCP server; a DHCP server outage, a broken DHCP relay on the client's segment, or an exhausted scope are the usual culprits.
Windows 2000 supports TCP/IP filtering on a per-host basis. The filter is a permit list for inbound traffic: you specify which TCP ports, UDP ports, and IP protocol numbers the computer will accept, and everything else arriving at the host is dropped. For example, a web server can be set to accept inbound TCP on port 80 only. Two caveats: the Enable TCP/IP Filtering check box turns the feature on for all adapters at once (the permitted-port lists are then set per adapter), and it does nothing to restrict outbound connections, so it is not a substitute for a firewall.
Windows 2000 also supports encryption of TCP/IP traffic: IPSec protects traffic at the IP layer between any two IPSec-capable hosts, and Microsoft Point-to-Point Encryption (MPPE) protects PPP dial-up and PPTP VPN links.
Windows 2000 supports large TCP windows. The TCP window is the amount of data a sender may put on the wire before it must stop and wait for an acknowledgment; the larger the window, the less time the sender spends waiting, which matters most on high-bandwidth, high-latency links such as a fast WAN circuit. The classic TCP header limits the window to 64KB; Windows 2000 supports the window scaling option (RFC 1323), which allows windows well beyond that, so it can keep a fat pipe full.
Another feature that wasn't part of NT 4 is TCP Selective Acknowledgment (TCP SACK, RFC 2018). With plain cumulative acknowledgments, the receiver can tell the sender only how far the unbroken stream of data reaches, so a single lost segment can force the sender to resend everything after it. With SACK, the receiver reports exactly which blocks it did get, and the sender resends only the missing ones. This saves a great deal of retransmission time on lossy links.
Windows 2000 supports ICMP Router Discovery (RFC 1256). A host that has no default gateway entry can learn one by listening for (or soliciting) router advertisements, and a Windows 2000 RRAS server can send those advertisements to its dial-in clients. Although you'll normally hand out a default gateway with your RRAS DHCP addresses, in the event you don't, router discovery fills in the missing information for Windows 2000 computers coming in over a RAS line. Bear in mind that router advertisements are not authenticated: any machine on the same segment can advertise itself as a router and pull traffic through itself. On LAN-connected servers, configure the default gateway explicitly rather than relying on discovery.
You can disable NetBIOS over TCP/IP on an interface; this is especially relevant for proxy servers and firewall hosts. It is a security feature because it keeps the NetBIOS name, datagram, and session services (UDP 137, UDP 138, and TCP 139) from listening on the external interface of an edge server that does internal/external Network Address Translation (NAT). Note that Windows 2000 can also carry SMB directly over TCP port 445 without NetBIOS, so disabling NetBIOS over TCP/IP does not by itself close file sharing to the outside; block that port at the edge as well.
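The following is an added example, not code from the book, that puts numbers behind the large-window and SACK items above. It models the window as the bound on throughput (one window per round trip) and contrasts how much data has to be resent after a loss with cumulative acknowledgments only versus with SACK. The link speed, round-trip time, segment size, and loss pattern are constructed for illustration; the cumulative-ACK recovery is a simplified go-back-N model.

```python
"""Added example (not from the book): why larger TCP windows and SACK matter.

Constructed figures only; nothing here touches the network.
"""

MAX_UNSCALED_WINDOW = 65535   # largest value the 16-bit TCP window field holds
MAX_SHIFT = 14                # RFC 1323 caps the window-scale shift at 14


def max_throughput_bytes_per_sec(window_bytes, rtt_ms):
    """Upper bound on throughput: at most one window per round trip."""
    return window_bytes * 1000 / rtt_ms


def window_needed(bandwidth_bits_per_sec, rtt_ms):
    """Bandwidth-delay product: bytes that must be in flight to keep the
    link full. Integer arithmetic, rounded up."""
    return (bandwidth_bits_per_sec * rtt_ms + 7999) // 8000


def scale_shift_needed(window_bytes):
    """Smallest RFC 1323 window-scale shift able to advertise window_bytes.
    0 means the classic 16-bit field is enough; None means no legal shift
    (0..14) reaches it."""
    for shift in range(MAX_SHIFT + 1):
        if (MAX_UNSCALED_WINDOW << shift) >= window_bytes:
            return shift
    return None


def retransmit_bytes_cumulative_ack(total_segments, lost, segment_size):
    """Simplified go-back-N model of recovery with cumulative ACKs only: the
    receiver can acknowledge only up to the first hole, so the sender resends
    from the first lost segment to the end of what it had in flight."""
    if not lost:
        return 0
    first_hole = min(lost)
    return (total_segments - first_hole + 1) * segment_size


def retransmit_bytes_sack(lost, segment_size):
    """With SACK the receiver reports the blocks it holds, so only the holes
    are resent."""
    return len(lost) * segment_size


def demo():
    """Constructed scenario: a 10 Mbit/s WAN circuit with a 100 ms RTT, ten
    1460-byte segments in flight, segments 3 and 7 lost."""
    rtt_ms = 100
    link_bps = 10_000_000
    segments, lost, mss = 10, {3, 7}, 1460
    bdp = window_needed(link_bps, rtt_ms)
    return {
        "classic_window_max_bytes_per_sec": max_throughput_bytes_per_sec(
            MAX_UNSCALED_WINDOW, rtt_ms),
        "bytes_in_flight_to_fill_link": bdp,
        "scale_shift": scale_shift_needed(bdp),
        "resend_without_sack": retransmit_bytes_cumulative_ack(
            segments, lost, mss),
        "resend_with_sack": retransmit_bytes_sack(lost, mss),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the constructed 10 Mbit/s, 100 ms link, a classic 64KB window caps a single connection at about 655KB/s, roughly half the circuit; filling it needs 125,000 bytes in flight, which takes a window-scale shift of 1. Losing two of ten segments costs eight segments of retransmission under the go-back-N model but only two with SACK.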
So there’s a lot that’s new in the Windows 2000 TCP/IP world and a lot that’s old—or at least old hat to people who have been around TCP/IP for a while. Whether you are experienced or new to the protocol, be sure to review the upcoming sections and make sure that your TCP/IP skills, especially in the area of subnetting, are everything they’re cracked up to be. You’ll be tested extensively on your ability to analyze a subnetting situation and make a comprehensive recommendation. Now that we’ve reviewed some neat stuff new to Windows 2000 TCP/IP, let’s see if we can put it to practical use.
Analyzing IP Subnets
What exactly is a subnet anyway? It seems that you can have awfully large subnets, even though the subnet masks that you work with sometimes only allow a few hosts. How does this whole subnetting thing work, and why is it so confusing?
Microsoft Exam Objective
Design a TCP/IP networking strategy.
Analyze IP subnet requirements.
Design a TCP/IP addressing and implementation plan.
Measure and optimize a TCP/IP infrastructure design.
Well, first let’s start off by saying that the concept of TCP/IP subnets is pure genius. The framers of TCP/IP were brilliant mathematicians and logicians to figure this whole thing out. Perhaps the reason it’s confusing to many people is that they’re not used to dealing with binary math, which is what subnetting is based on. You would think that binary math would be easier than the base 10 system; after all, there are only two numbers to deal with, 0 and 1. Most of us are just not used to dealing with this number system, so we represent these binary numbers in decimal to make it easier for us to remember. If you understand how the binary math works, understanding how it works in decimal is infinitely easier. Let’s begin.
Subnetting Principles
To use TCP/IP, you must understand its various address classes; Table 8.1 lays out the various network numbers in each class. Class A ranges from 1.x.y.z to 126.x.y.z (127 is reserved for loopback diagnostic testing and will never be given out). There is also a private reserved range, 10.x.y.z, that will never be allowed on the Internet and that you can use in your private network. The standard Class A subnet mask is 255.0.0.0. Obtaining a Class A network number from an ISP or Internet authority would provide your company with more than 16 million unique TCP/IP addresses! The problem is, there are no Class A addresses left that will work on the public Internet. So, if you need the kind of granularity that a Class A network address provides, nowadays you’re forced to use the 10.x.y.z number, which grants you the same 16 million+ IP numbers and heavyweight subnetting capabilities that you’d have with public addresses. You can dole these out as private IP numbers any way you like, as long as they never see the light of the Internet day.
TABLE 8.1
Available Network Numbers by TCP/IP Class

| Class | Public | Private | Default Subnet Mask |
|---|---|---|---|
| A | 1.x.y.z–126.x.y.z | 10.x.y.z | 255.0.0.0 |
| B | 128.x.y.z–191.x.y.z | 172.16.0.0–172.31.0.0 (169.254.0.0 reserved for APIPA) | 255.255.0.0 |
Chapter 8
Designing TCP/IP into Your Network
TABLE 8.1
Available Network Numbers by TCP/IP Class (continued)

| Class | Public | Private | Default Subnet Mask |
|---|---|---|---|
| C | 192.x.y.z–223.x.y.z | 192.168.0.0–192.168.255.0 | 255.255.255.0 |
Class B ranges from 128.x.y.z to 191.x.y.z. You can use 172.16.0.0–172.31.0.0 as your private Class B range because it too will never be allowed out on the Internet. A single Class B network number provides you with 65,534 IP addresses. If you choose to use the entire private range (172.16 through 172.31, along with a standard Class B subnet mask), you’ll have more than 1 million numbers.
Remember the special Class B network number, 169.254.0.0, used for APIPA. Test questions will undoubtedly try to sneak this network number in on you.
Third is Class C, ranging from 192.x.y.z to 223.x.y.z. Each Class C network number provides you with 254 addresses that you can use for printers, servers, users, and other devices on your network. If you choose to use the entire private suite of Class C numbers (along with a Class C subnet mask), you’ll have 65,534 numbers at your disposal. Now the question is: What size is your company, and what size do you think it will grow to be? Do you work for a company of, say, 5,000 client computers? If you were to somehow obtain a regular Class B network number (from either your ISP or an Internet authority), you could use 65,000+ numbers. But you might tell me that you’ll never live to see the day that your company grows beyond 6,000 clients, let alone 65,000! You don’t need all those numbers—they’ll go to waste. On the other hand, at 254 numbers per Class C address, you’d need about 20 of those standard Class C network numbers to give you enough IP addresses to work with for all your users, printers, routers, switches, and other gear. They’re expensive to obtain and keep, plus they’re not widely available anymore due to the rush of people getting on the Internet these days. So, there’s got to be a better way, and there is. All you really need to put your company on the Internet is to obtain four solitary Class C addresses (not an entire range of addresses such as 192.105.33.z, but a few addresses, for example 192.105.33.23, .24, .25, and .26) from your ISP. Your ISP’s router uses these as pointers for any requests that are destined for your company. You have a router that has one of the external IP addresses you’ve been given. The router points to a firewall, which has the second address, and the firewall points to a Proxy Server with the third address. The firewall keeps out unwanted hacker traffic. The Proxy Server can filter both incoming and outgoing traffic. Figure 8.1 shows what this setup looks like.
FIGURE 8.1
A conventional TCP/IP connection from an ISP to a business
Figure 8.1 labels, in order from the public part of the network to the private part: Outsider; ISP; ISP’s router; Your router (ISP-supplied Class C number); Your firewall (ISP-supplied Class C number); Your Proxy Server (one NIC has an ISP-supplied Class C number and one has an internal number); Your users. Public IP addresses are used up to the Proxy Server, and private IP addresses behind it; the Proxy Server is where your network separates from public to private and vice versa. A request destined for you comes in to your ISP, whose DNS server has an entry that points to your router for any requests that pertain to you.
Note that the router typically has an Ethernet cable coming out of it going into a hub or a switch. All requests for your network are programmed on the router to go straight through to the firewall. The firewall may or may not have two network cards in it (depending on whether it’s a hardware firewall), but it in turn points to your Proxy Server. Your Proxy Server is dual-homed, with one NIC on the private network and one on the public network. The Proxy Server acts as a NAT device that can take your internal IP numbers (never ever to be put out on the Internet) and make the requests look as though they came from a public IP number. Your users are protected because none of the internal IP numbers are revealed. The private part of the network stays private, and the public goes on being public. This whole setup, depending on how many NICs you’ll have in the various public devices, requires three or four IP numbers from an ISP, making it much cheaper and easier to manage than obtaining several valid Class C network ranges. You just don’t need them. Well, you have this setup working; now what about your inside users? It’s simple, really. Just pick one of the private TCP/IP network number ranges (probably the Class B range, in this company’s case) and begin to use them instead of public IP addresses. The Proxy Server and firewall will handle the security and address translation for the users, so you have that covered—but then it really gets interesting in terms of subnetting. Let’s say, just for simplicity’s sake, that you have only one geographic location and no WAN connections to other locations that you have to worry about. You have this huge private network number, 172.16.0.0–172.31.0.0, which gets you 1,048,576 IP addresses you can use any way you like. There are several ways that you can disperse these numbers in order to logically segment the users. For example, suppose that your accounting department would get one block of numbers, your sales people another, and so on, as in Table 8.2.
TABLE 8.2
Sample IP Segments

| Group | Network Number |
|---|---|
| Servers/Printers | 172.16.1.z |
| Marketing | 172.17.1.z |
| Sales | 172.17.2.z–172.17.4.z |
| IT | 172.17.5.z–172.17.6.z |
| Accounting | 172.18.1.z–172.18.2.z |
| Assembly/Manufacturing | 172.19.1.z–172.19.4.z |
You’re assuming in this example that the subnet mask is 255.255.0.0 for all users, making it a nice, flat TCP/IP implementation. You’re also assuming that you have a router serving as an intermediary between these networks. (Without a router, none of the networks could communicate with one another.) In this example, you’ve allocated 254 IP addresses for servers and printers, another 254 for your marketing folks, about 750 for the sales people, about 500 for the IT people, and so on. It doesn’t take much to extrapolate how you’d fit the rest of your company into this design. You’ve done some rudimentary subnetting. If you were to add a second network on the other side of a WAN connection, your drawing wouldn’t differ much from Figure 8.1. You’d have to add a second router (all WAN connections require two routers, one on each side), but you’d probably divvy up the network numbers in much the same way as in Table 8.2. Figure 8.2 shows what this network might look like; here you can see that users in Network B have to pass through two routers to Network A, then through the Proxy Server and the firewall if they need to get out onto the Internet. That sounds like a lot of traveling, but if the WAN connections are OK, it’s really no big deal. Thousands of networks are set up exactly like this.
FIGURE 8.2
Adding a second network to the system
Figure 8.2 labels: Outsider; ISP; ISP’s router; Your router; Firewall (public IP address); Private part of network (private IP address); Your Proxy Server; Your users, Network A; Your users, Network B. The public part of the network runs from the ISP to the firewall; the private part begins at the Proxy Server.
The problem with either of these setups is that they’re too flat. Everybody’s on one big, flat network. There’s a lot of broadcasting going on, and though most internetworking specialists don’t allow routers to forward broadcasts, there’s still a lot going on within either network. So what do you do about this? Or do you actually need to do anything about it? You probably do need to attend to this situation, trying to reduce the number of broadcasts. You can do this by using subnet masks to logically segment your network in a more granular fashion. Suppose that you’re going to use the same Class B private network numbers, but you’re going to apply some unique subnet masks. You settle on 172.20.y.z as the network number of choice. If you choose not to apply the 255.255.0.0 subnet mask and instead opt to apply 255.255.240.0, you’ll only be allowed a range of 16 network numbers with your starting point number. Table 8.3 illustrates what your network addresses and available IP address ranges would look like with the preceding setup.
TABLE 8.3
Customized 172.20.y.z Network

| Network Address | IP Address Range |
|---|---|
| 172.20.0.0 | 172.20.0.1–172.20.15.254 |
| 172.20.16.0 | 172.20.16.1–172.20.31.254 |
| 172.20.32.0 | 172.20.32.1–172.20.47.254 |
| 172.20.48.0 | 172.20.48.1–172.20.63.254 |
| 172.20.64.0 | 172.20.64.1–172.20.79.254 |
| 172.20.224.0 | 172.20.224.1–172.20.239.254 |
You could put Network A in the first network range and Network B in the second. You’ve logically segmented your users into categorical groups: subnets. When broadcasting goes on within a subnet, it doesn’t leave that subnet. Because routers don’t forward broadcasts by default, you’re effectively keeping the network traffic within a specific group isolated from another group. You could apply even more granularity than this—putting servers and printers in the 172.20.0.1–172.20.15.254 subnet, marketing in the 172.20.16.1–172.20.31.254 subnet, and so on, effectively isolating individual groups from one another’s broadcast traffic. This is provided, of course, that you’re using the 255.255.240.0 subnet mask. You have a problem with all this special subnetting, though. DHCP is broadcast-based. If you have a DHCP server on the 172.20.16.0 subnet and a marketing person trying to get a DHCP lease from the 172.20.32.0 subnet, it won’t happen! The 255.255.240.0 subnet mask keeps the marketing folks from broadcasting to the servers. How can you counteract this? You resolve this with a DHCP relay agent computer on each subnet that needs to participate in DHCP.
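The subnet breakdown in Table 8.3 and the broadcast-scope problem just described, worked as an added example that is not from the book: it uses Python’s standard ipaddress module to list the subnets a mask carves out of a classful network and to test whether two hosts share a subnet (and so a broadcast domain). The network and mask are the chapter’s values; the two host addresses and the function names are constructed for this example.

```python
import ipaddress

# Added example (not from the book). Function names are my own.

def default_prefix(address):
    """Classful default prefix length from the first octet (Class A /8,
    Class B /16, Class C /24); the chapter notes the class, and hence the
    default mask, is always determined by the first octet."""
    first = int(str(address).split(".")[0])
    if 1 <= first <= 126:
        return 8
    if 128 <= first <= 191:
        return 16
    if 192 <= first <= 223:
        return 24
    raise ValueError(f"{address} is not a Class A, B or C address")

def mask_to_prefix(mask):
    """Dotted mask to prefix length, e.g. 255.255.240.0 -> 20."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen

def subnet_table(network, mask):
    """Subnet the classful network containing `network` with `mask` and return
    one (network address, first usable host, last usable host) row per subnet,
    the same layout as Table 8.3."""
    prefix = mask_to_prefix(mask)
    classful = ipaddress.IPv4Network(
        f"{network}/{default_prefix(network)}", strict=False)
    if prefix <= classful.prefixlen:
        raise ValueError("mask must be longer than the class default to subnet")
    rows = []
    for sub in classful.subnets(new_prefix=prefix):
        first = sub.network_address + 1      # .0 is the network address
        last = sub.broadcast_address - 1     # .255 (for /20, x.15.255) is broadcast
        rows.append((str(sub.network_address), str(first), str(last)))
    return rows

def same_broadcast_domain(host_a, host_b, mask):
    """True when both hosts fall in the same subnet under `mask`, i.e. a
    broadcast such as a DHCP lease request from one reaches the other without
    a router or DHCP relay agent in between."""
    net_a = ipaddress.IPv4Interface(f"{host_a}/{mask}").network
    net_b = ipaddress.IPv4Interface(f"{host_b}/{mask}").network
    return net_a == net_b

if __name__ == "__main__":
    # Reproduce Table 8.3: 172.20.0.0 carved up with 255.255.240.0.
    for net, first, last in subnet_table("172.20.0.0", "255.255.240.0"):
        print(f"{net:<14} {first}–{last}")
    # Constructed hosts: a DHCP server on 172.20.16.0 and a marketing PC on 172.20.32.0.
    print(same_broadcast_domain("172.20.16.10", "172.20.32.10", "255.255.240.0"))  # False
    print(same_broadcast_domain("172.20.16.10", "172.20.32.10", "255.255.0.0"))    # True
```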
Alternatively, you simply set up a private Class A network, using a separate number for each physical network and a 255.255.0.0 mask. This would also effectively isolate each network from the other. It’s easier to set up and much neater to implement.
Advanced Subnetting
In the early days of TCP/IP, a router wouldn’t support an unusual subnet mask like 255.255.240.0. You had to go with standard flat masks. But then came along the advent of Classless Inter-Domain Routing (CIDR) and Variable Length Subnet Masks (VLSM) for routers. Single subnet mask networks are called class-based networks. In a class-based network, you can only run one subnet mask on the network, as in the example in the previous section.
RFCs 1518, 1519, and 1878 provide more information on CIDR (pronounced just like the autumn drink—cider) and VLSM.
But suppose you want to use the 255.255.240.0 subnet mask on one network and 255.255.192.0 on the other? Older routing protocols cannot support multiple subnet masks. The Routing Information Protocol (RIP) version 1 is an example of an older routing protocol that can’t support multiple subnet masks and hence wouldn’t be useful in today’s complex IP environment. Routers that support CIDR or VLSM—those running RIP version 2, Border Gateway Protocol (BGP), or Open Shortest Path First (OSPF)—allow you to run multiple subnet masks on a network. Why would this be useful? Well, to see that, you need to take a look at what I call the “subnet mask ruler,” illustrated in Figure 8.3.
FIGURE 8.3
The subnet mask ruler
Figure 8.3 shows a mask written out as 255.0.0.0 and drawn as a ruler, labeled “More hosts” at the left end and “More subnets” at the right end.
You can see that there is some sort of TCP/IP axiom at work in this illustration. If your network were to use the 10.x.y.z reserved network number (the one that’s not allowed out to the Internet), you’d have a wide variety of choices for subnet masks. The farther to the left of the ruler you go, the more hosts you add; the farther to the right, the more subnets you create. Suppose that, as in Figure 8.2, you have a couple of networks connected by a WAN circuit. Let’s now further assume that 4,300 of your 5,000 users are in Network A and the remaining 700 users are in Network B. Looking at the subnet mask ruler, you can see that if you choose a subnet mask using fewer bits (subnetted on the first or second octets), something like 255.255.0.0, you’ll get more hosts per network. But if you want more subnets, you should use a subnet mask that’s farther to the right of the ruler (subnetted on the second or third octet) and generate more subnets. Use lots of subnets where you need to distinguish between various entities, and lots of hosts where you don’t particularly care about geographic or business class segmentation and where you’re more interested in keeping everybody within the same TCP/IP pool.
Keep in mind that your subnet mask does not determine your network class. The class of address is always determined by the first octet of your IP address. The class also tells you what the default mask is.
Designing a TCP/IP Implementation
When we talk about TCP/IP implementations, generally we’re talking about something more than a flat little network with a few hundred hosts. In a situation like that, you can simply use one or two of the reserved Class C network numbers with a vanilla Class C subnet mask. But what about a more complicated site, something on the order of the site in Figure 8.2, only maybe with one or two more networks connected to it? Take a look at Figure 8.4 to see an example.
FIGURE 8.4
Networking four geographic regions
Figure 8.4 labels: ISP; Site A, 2,000 users; Site B, 500 users; Site C, 750 users; Site D, 1,750 users.
Figure 8.4 shows four sites separated by routers. The router at Network A has three ports and accepts input from Networks B, C, and D; the other networks each have a single port router that connects to Network A. Note the number of hosts (here, users) on each network. Network A also has a Proxy Server, a firewall, and a link to the company’s ISP. Now suppose that you’re going to use the reserved Class A 10.x.y.z network for your users. What is the best way to apply subnetting so that your users are logically segmented and yet able to effectively work? Let’s start by making things fairly easy. Let’s select 10.1.y.z for Network A, 10.2.y.z for Network B, 10.3.y.z for Network C, and 10.4.y.z for Network D. You could plan on having a DHCP server in each location, but that may become cost prohibitive, so for this illustration, let’s plan on only having one DHCP server, in Network A. That means that you’ll have to install the DHCP relay agent on a computer in each of the other three networks and, if you decide to break the networks up any further, one for each segment. The largest network is Network A with 2,000 users. You could opt to use the 255.255.0.0 subnet mask and have enough IP addresses to handle all of Network A. That mask will give you 254 networks to play with, and each network will support 65,534 hosts. Those numbers should be sufficient. In order to support those 2,000 users, you could use a mask up to 255.255.248.0, which would allow for 8,192 networks with 2,046 hosts each. The problem with this mask is you don’t have a lot of room for growth on your 2,000-user network.
As you can see from this example, the Class A private addressing should provide you with ample room for designing in the required number of networks and hosts for your network. You could also use the Class B private addressing. In the preceding example, you need to support 2,000 hosts, which means a mask of 255.255.248.0. In the case of Class B 172.16.0.0 networks though, that mask would only give you 32 distinct network addresses to use. For most networks, 32 subnets should be plenty, but Class B certainly does not give you the flexibility that Class A does.
Question: In either case, would you have to have a DHCP relay agent on the segment that doesn’t have a DHCP server? No! Why? Because all eight segments (in the case of the former example) or both segments (in the case of the latter example) are in the same network behind a router. They’re not traversing routers; that’s the key. You need to have a DHCP relay agent whenever a network is behind a router and the DHCP server is on the other side of the WAN.
You should plan your subnets with growth in mind. Restructuring your network’s logical address structure is going to be painful even in the best-case scenarios. Plan ahead, and plan for more subnets and more hosts per subnet than you currently need. That breathing room may save you large amounts of stress in the long run.
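The sizing arithmetic behind the subnet mask ruler and the Figure 8.4 design (2,000 hosts, a 255.255.248.0 mask, 8,192 subnets in 10.0.0.0 versus 32 in 172.16.0.0), as an added example that is not part of the book: it picks the longest mask that still fits a host count, reports the subnets-versus-hosts trade-off for a block, and shows the growth headroom the chapter warns about. It goes beyond the chapter’s single case by working for any classful block and host count; the function names are my own.

```python
import ipaddress

# Added example (not from the book). Subnet counts are 2**n, as CIDR/VLSM routers
# count them; the older classful convention subtracts the all-zeros and all-ones
# subnets, which is why the chapter says "254" where a /16 out of 10.0.0.0 gives 256 here.

def prefix_for_hosts(hosts_needed):
    """Longest prefix (most subnets) whose host portion still holds `hosts_needed`
    usable addresses; the network and broadcast addresses are excluded."""
    if hosts_needed < 1:
        raise ValueError("need at least one host")
    host_bits = 2  # /30 is the smallest subnet with usable host addresses
    while (2 ** host_bits) - 2 < hosts_needed:
        host_bits += 1
    if host_bits > 24:
        raise ValueError("more hosts than a single Class A network can hold")
    return 32 - host_bits

def prefix_to_mask(prefix):
    """Dotted-decimal mask for a prefix length, e.g. 21 -> 255.255.248.0."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)

def subnet_plan(classful_block, hosts_needed):
    """For a classful private block ('10.0.0.0/8', '172.16.0.0/16', ...) whose
    largest segment must hold `hosts_needed` hosts, return the mask to apply,
    how many subnets it yields inside the block, hosts per subnet, and the
    growth headroom left in the largest segment."""
    block = ipaddress.IPv4Network(classful_block)
    prefix = prefix_for_hosts(hosts_needed)
    if prefix < block.prefixlen:
        raise ValueError(f"{hosts_needed} hosts do not fit in {classful_block}")
    hosts = (2 ** (32 - prefix)) - 2
    return {
        "mask": prefix_to_mask(prefix),
        "prefix": prefix,
        "subnets": 2 ** (prefix - block.prefixlen),
        "hosts_per_subnet": hosts,
        "headroom": hosts - hosts_needed,
    }

def ruler(classful_block):
    """The chapter's subnet mask ruler for one block: every mask from the class
    default down to /30 as (mask, subnets, hosts per subnet). Each step down the
    list trades hosts per subnet for more subnets."""
    block = ipaddress.IPv4Network(classful_block)
    return [(prefix_to_mask(p), 2 ** (p - block.prefixlen), (2 ** (32 - p)) - 2)
            for p in range(block.prefixlen, 31)]

if __name__ == "__main__":
    # The Figure 8.4 case: 2,000 users on the largest site, Class A versus Class B private space.
    for block in ("10.0.0.0/8", "172.16.0.0/16"):
        print(block, subnet_plan(block, 2000))
    for mask, subnets, hosts in ruler("172.16.0.0/16")[:6]:
        print(f"{mask:<16} {subnets:>6} subnets  {hosts:>6} hosts each")
```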
Designing Remote Subnets
Remote subnets are somewhat different to design than regular LAN/WAN-based networks. There are three categories of remote subnets to worry about:
Point-to-Point and Multi-Point Connections
Standard 56K and fractional T1 or full T1 frame relay connections each require their own dedicated subnet. Each router connecting the points must, of course, have its own static IP address. These circuits cannot be seen on public networks.
X.25 Networks
X.25 networks, which use packet-switching and multiple points, only require one subnet.
Virtual Private Network Connections
VPN connections are not entirely “private,” although of course one side of the connection is definitely private. The other side is very public, typically being connected to an ISP.
Quality of Service Circuits
Windows 2000 supports quality of service (QoS). This long-time bastion of ATM networks has finally been implemented in a Windows environment. What is QoS? It’s a networking standard made up of a couple of different services, a protocol, and a tuning mechanism. You have the QoS Admission Control Service (QoS ACS), a service that manages subnet bandwidth resources in order to maximize QoS throughput to a server. Subnet Bandwidth Management (SBM) is a service that manages segment bandwidth. There is also a special protocol, the Resource Reservation Protocol (RSVP), that is used by senders and receivers to set up a QoS circuit. Note that you must have RSVP-aware routers in order to use this protocol (and hence to use QoS). Finally, Traffic Control is a set of two services:
The Packet Classifier, which manages which packets are destined for the QoS queue and which are not
The Packet Scheduler, which sends the packets out to the QoS queue
Installing QoS is easy. Navigate to Control Panel > Add/Remove Programs > Add/Remove Windows Components > Components > Networking Services and click the Details button. Select QoS Admission Control Service, then click OK. Finally, click Finish. Configure as needed. Don’t use QoS unless you need to and you have the routers that can support this feature. Network services such as desktop videoconferencing, streaming video, and VoIP might be able to make use of QoS circuits.
Choosing Software Routing
This section is about an amazing Windows 2000 capability. Were you aware that Windows 2000 can be a router? If you are in an environment where you can’t afford a router, or you don’t want to mess with the overhead that comes with routers (things like paying for the time and expertise of an internetworking expert to set up your routing), you can easily install Windows 2000 RRAS on a computer with a couple of NICs in it and you’ll have yourself a router. And it will work just fine.
Microsoft Exam Objective
Design a TCP/IP networking strategy.
Integrate software routing into existing networks.
Pay attention to the differences between a routing protocol and a routed protocol. Routing protocols are the ones that actually handle the routing, like Routing Information Protocol (RIP) and OSPF. Routed protocols are regular network protocols that can pass through a router, like TCP/IP and IPX/SPX.
RRAS can be used for more than setting up VPN connections to the network. A VPN connection, of course, is one where you as a potential telecommuter connect with your ISP and then use a secure tunnel to log on to your corporate network so you can work remotely. Using the older VPN protocol, the Point-to-Point Tunneling Protocol (PPTP), or the newer L2TP, you can set up a VPN using RRAS. You can use RRAS to set up several different kinds of routers using different routing protocols:
Routing Information Protocol (RIP) is very old and has been in wide use for 20 years. It’s simplistic and meant for only the most basic of networks. Windows 2000 supports both versions 1 and 2. RIP for IP and RIP for IPX are both supported in Windows 2000 RRAS.
Border Gateway Protocol (BGP) was designed for use within autonomous systems, which are (according to RFC 2328) a “group of routers exchanging routing information via a common routing protocol.” Although Microsoft does not natively support BGP, third-party vendors can create RRAS-compatible products that use the BGP protocol.
A much more efficient protocol than RIP, Open Shortest Path First (OSPF) was designed by the Internet Engineering Task Force (IETF) for the purpose of routing over the Internet. This is one of the two most widely used routing protocols around today, the other one being Cisco’s proprietary Interior Gateway Routing Protocol (IGRP). IGRP isn’t supported by RRAS, but according to the Windows 2000 help files, because RRAS is extensible, “other vendors can create additional IP routing protocols such as” IGRP and BGP.
Use Internet Group Management Protocol (IGMP) when you need to do some multicasting, as in setting up NetMeeting connections or Windows Media Viewer applications. IGMP is designed strictly for use with multicasting applications.
Service Advertisement Protocol (SAP) is used on IPX-based networks.
Network Address Translation (NAT) hides internal addresses from external networks by translating internal addresses to public external ones.
But with all these choices, you’re probably going to only need to use either RIP or OSPF, depending on the size of your network. RIP generally is best used in smaller networks because it’s a point-to-point routing protocol. RIP knows about its neighbors but doesn’t know anything else beyond that. OSPF, on the other hand, has the ability to “learn” about other routers that are not next-door neighbors to itself, making it more dynamic and useful in larger networks. Generally, OSPF is also more efficient and consumes less bandwidth for its own overhead. This is because when updating neighboring routers, OSPF routers just notify neighbors about changes, whereas RIP-based routers broadcast their entire table every 30 seconds.
Routing Methods
Windows 2000 has many improvements over Windows NT when it comes to routing. We discussed some of these improvements earlier in this chapter, like new protocol support. Windows 2000 also supports a variety of routing methods. There are four kinds of routing methods at your disposal with RRAS:
Static Routing
Within this method, you actually specify the routes to the other routers on the network. This works fine for routers and routes that aren’t updated very frequently, but it wouldn’t be at all useful in large, dynamic networks.
Auto-Static Routing
This rather bizarre feature is available to you in RIP for IP, RIP for IPX, and SAP for IPX. You set up your routers to perform a periodic request for an update to their route tables. You’d do this if you were using expensive dial-up lines that were connecting the two routers. This, too, would be useful for smaller networks or home offices. These types of clients are usually grouped together under the phrase small office/home office (SOHO).
Dynamic Routing
Routers that use dynamic routing have algorithms that detect changes to the network environment and update themselves. This is handy for times when the link arbitrarily goes down for some reason, for additions or deletions to the network, and so on. Dynamic routing is useful for larger networks.
Demand-Dial Routing
When the links are expensive and you would rather have the routers dial up the connection on the other side only when needed, it’s better to use demand-dial routing. Small offices can use this kind of connection for times when they want to send e-mail or connect to the Internet.
Routing Protocols
When you work with RRAS, you work with both the supported network protocols and the protocols that are used to connect to RRAS (called access protocols). Of course, you know that network protocols are used for computers to communicate with each other. When you are using remote access, however, you need an additional protocol (the access protocol) to talk to the RRAS server itself. Once you are connected to the RRAS server, your network protocol is encapsulated within the access protocol. The RRAS-supported network protocols are TCP/IP, IPX/SPX, NetBEUI, and AppleTalk. While you might want to support IPX if you had a legacy NetWare network that dial-in users needed in order to hit NetWare servers, you probably don’t want to use this protocol in native Windows 2000 or Windows NT environments. Ditto for AppleTalk, a protocol you’d only use for your Macintosh users. NetBEUI is a protocol that needs to go away, so I’m not convinced you’d want to support it either. For dial-in clients, you’d probably want to use TCP/IP. Fortunately, RRAS supports DHCP, so when you set it up, you can give it a range of IP addresses that your dial-in users can use. RRAS is installed automatically with the normal installation of Windows 2000 Server, but in a disabled state. You may need to install a modem, a multi-port serial adapter, a WAN connection, or some other external connection before you are ready for RRAS to work. When you get ready to configure RRAS, simply open Control Panel > Administrative Tools > Routing and Remote Access and the initial RRAS screen appears. Select the server you want to configure, click the Action button, and select Configure and Enable Routing and Remote Access. A wizard appears to walk you through the configuration of RRAS for the type of activity you’d like to do, as illustrated in Figures 8.5 and 8.6.
Note that you can opt to configure this server as an Internet connection server, a RAS server, a VPN server, or a network router, or you can simply turn the service on and come back to enable it later.
FIGURE 8.5
The opening RRAS configuration wizard screen
FIGURE 8.6
Configuration options within the RRAS configuration wizard
If you want to configure this server as a router, select the network router option shown in Figure 8.6. A list of network protocols that are currently installed on this box is displayed; if you require a protocol that isn’t on the list, you can add it at this time. Next, you’re asked whether you’d like to configure demand-dial connections for connecting with remote networks (see Figure 8.7). Note that you can opt to configure demand-dial connections later. Finally, the Finish box appears. Note that at this point you’ll want to install and configure the appropriate routing protocols on each interface. FIGURE 8.7
Choosing whether to set up demand-dial connections
After finishing the initial setup, the next RRAS screen looks like Figure 8.8. After right-clicking one of the objects, you can now enter static routes, configure remote access policies, and perform other RRAS functions. FIGURE 8.8
The finished RRAS screen, ready for configuration
Supported RRAS access protocols are the industry standards, Point-to-Point Protocol (PPP) and Serial Line Internet Protocol (SLIP), and several others:
Point-to-Point Protocol (PPP) is actually a suite of protocols that provide services such as encapsulation of the data, compression, multilinking of two or more WAN links, and other features.
Point-to-Point Tunneling Protocol (PPTP) is also a set of protocols designed to allow telecommuters to access their local networks via an encapsulated secure Internet connection with a local ISP (a VPN circuit).
Layer 2 Tunneling Protocol (L2TP), used in conjunction with IPSec (covered in more detail in Chapter 17, “Planning a Virtual Private Network (VPN) Implementation”), is designed more for dial-up connections than site-to-site connections. L2TP has wide, standardized acceptance among vendors.
Serial Line Internet Protocol (SLIP) is an older encapsulation protocol included for backward compatibility with older systems. It provides no password-authentication security, and as such is only supported as a client-side protocol in Windows 2000.
In addition to knowing the supported network protocols and access protocols, it’s important to know what authentication methods RRAS supports (see Figure 8.9). You arrive at these methods through the Security tab of the Properties for the server in question. RRAS servers authenticate remote systems using these methods, in the preferred order Microsoft would like to see you use authentication methods:
Extensible Authentication Protocol (EAP) allows for authentication by smart cards, certificates, one-time passwords, and token cards. Click EAP Methods for the details on the various authentication methods in use with EAP. EAP-Message Digest 5 (MD5) CHAP works much like CHAP but sends the challenges and responses as EAP messages. EAP-Transport Level Security (TLS) is the most secure of the authentication methods and is required for smart cards. EAP also allows the client and server to negotiate security arrangements.
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) v2. This and its older version, MS-CHAP, expect to see a valid Windows 2000 username and password. Both are selected by default. All three (MS-CHAP v2, MS-CHAP, and CHAP) use an encrypted password.
MS-CHAP, the other default, is for backward compatibility with older NT systems.
Encrypted authentication (CHAP).
Shiva Password Authentication Protocol (SPAP), used with Shiva RAS systems.
Unencrypted password, Password Authentication Protocol (PAP).
No authentication required.
FIGURE 8.9
The supported Windows 2000 authentication methods
It’s never a good idea to allow people to dial in without requiring authentication. That’s a security breach waiting to happen.
You can view the authentication methods by going to the RRAS screen, right-clicking the server you want to configure, choosing Properties > Security, and then clicking the Authentication Methods button.
Once everything is installed, you can view and modify your RRAS settings at any time. Simply open the Routing and Remote Access program from Start > Programs > Administrative Tools (or alternately from Control Panel > Administrative Tools). Find the server you want to modify, right-click it, and select Properties.
General Tab
Illustrated in Figure 8.10, the General tab shows you how an RRAS server is currently configured. The server can act as a router or a RAS server or both. If you’ve chosen for a server to act as a router, then you can choose whether the router will do only LAN routing or will also act as a demand-dial router. Recall that demand-dial routing simply means that when a router needs a connection refreshment or when a host is connecting to an outside source, the router dials the number needed to connect to another router. This cuts down on the costs of circuit connectivity. However, it’s safe to say that, with the exception of SOHOs or smaller networks, you probably won’t be using Windows 2000 as a router. FIGURE 8.10
The General tab of the RRAS configuration window
Security Tab
The Security tab (Figure 8.11) is where you select the authentication method you’d like to use, the authentication provider (there is also a RADIUS choice here), and the type of accounting you’d like to do.
FIGURE 8.11 The Security tab of the RRAS configuration window
IP Tab
The IP tab of the RRAS Properties window (Figure 8.12) allows you to enable IP routing. You can tell the system that IP can be used for both incoming RAS and demand-dial connections, and you’re given a choice of using DHCP for your IP pool or typing in a pool of static addresses.
FIGURE 8.12 The IP tab of the RRAS configuration window
AppleTalk Tab
If you have Macintosh computers that need to dial in and connect to the network (and you have the AppleTalk protocol loaded on the server), the AppleTalk tab (Figure 8.13) is where you enable those clients. By default, the Enable AppleTalk Remote Access check box is enabled.
FIGURE 8.13 The AppleTalk tab of the RRAS configuration window
PPP Tab
The PPP tab (Figure 8.14) is where you configure the types of PPP connections you’ll use or that you’re going to allow. Check Multilink Connections to allow several like circuits to be bundled into one connection, so that the system sees more bandwidth than any single link provides; the connection is an aggregate of several links. Bandwidth Allocation Protocol (BAP) and the Bandwidth Allocation Control Protocol (BACP) are used for more effective management of multilink bandwidth. Prior to BAP, you had a large pool of bandwidth and no way to manage it when a link dropped off or a new one was added. Link Control Protocol (LCP) is used to establish a PPP connection with another entity. Here you’re enabling the extensions to PPP, not PPP itself. You can apply software compression in addition to NCP by selecting the Software Compression check box. By default, all of these check boxes are enabled.
FIGURE 8.14 The PPP tab of the RRAS configuration window
Not included in this configuration box is the other strong arm of the PPP suite, the Network Control Protocol (NCP). While LCPs handle the connectivity with a PPP receiver, NCP sets up the network parameters such as encapsulation and compression.
Internet Connection Sharing
A new, invaluable feature in Windows 2000 is Internet Connection Sharing (ICS). This will turn out to be an extremely handy utility for SOHOs. With ICS enabled, you can set up a Windows 2000 server so that all machines connecting to that server can go out to the Internet through it. This way, you can share one inexpensive ISP connection among several computers. This feature is ideal for SOHOs that have two or three computers that need to get to the Internet, but don’t want to pay for several connections.
The obvious drawback is that when the connection is being shared, throughput is going to be much slower than if you were using it by yourself. ICS is easy to set up. From the Network and Dial-Up Connections window, simply right-click the dial-up connection you have configured and select Properties; then select the Sharing tab. Check Enable Internet Connection Sharing for This Connection and you’re all done. Next, set up your ISP phonebook connection so that it dials on demand and then, when anyone connected to the network requests a web page, the ICS connection handles the rest. ICS would handily run within the context of NAT or Proxy Server. Watch out, dentist offices, hair salons, three-person tax preparation offices, and all the rest of you SOHO types! ICS is going to make your life much easier. It’s a quick, easy, and cheap way to set up an Internet connection for multiple users, and just pay for one.
Event Logging Tab
The Event Logging tab (shown in Figure 8.15) is where you select how much logging you’d like the system to do. Here, too, you can turn on PPP logging. You’d use PPP logging for troubleshooting connections you were having a problem with.
FIGURE 8.15 The Event Logging tab of the RRAS configuration window
Integrating TCP/IP into Existing WAN Environments
Depending on the size, legacy environments are very likely to have many installed routers and some full-time internetworking experts to handle the routing. Windows 2000 routing fits very well into SOHO environments and smaller offices that cannot afford a router (although, to be fair, today’s routers with embedded CSU/DSUs can cost less than $2,000). A possible SOHO scenario would be one with a remote location that you’ve always wanted to connect to the rest of your network. You set up a Windows 2000 server for the users in this location and make it a Windows 2000 router, in addition to the other server duties that it performs. Then you connect it with the other routers in your community, providing server services for these users and a connection to the rest of the network.
Microsoft Exam Objective
Design a TCP/IP networking strategy.
Integrate TCP/IP with existing WAN requirements.
Microsoft has done a wonderful job of including backward compatibility for legacy systems, including the (probably unnecessary) inclusion of SLIP as an access protocol. PPP is the universal standard, so there will not likely be too much need to support SLIP clients, though undoubtedly some installations out there will need to make use of this. Note that RIP version 1 is the default routing protocol installation; if you want to use the enhanced capabilities of RIP version 2, you’ll have to add it to the list. OSPF is in wide use, so it’s wonderful that Windows 2000 includes it. Probably the biggest legacy compatibility issue you’ll run into will be with your authentication protocols. I’ve fiddled with these things for hours in the Windows NT 4 environment, and I’ve often found that whether the RAS client was a Windows client or not, MS-CHAP authentication was difficult to establish; I had to backpedal into clear-text authentication. With the new client software such as Dial-Up Networking (DUN) 1.3, maybe those problems have gone away. At any rate, MS-CHAP and MS-CHAP v2 are the automatically enabled authentication methods. I recommend that you do lots of testing with the various flavors of clients that you’ll have connecting to you (and that you’ll be connecting to in a routing environment) to make sure that these methods will work. If you’re nailing up any VPN circuits, suffice it to say that additional testing will be required for the advanced authentication methods used with those circuits.
Summary
This chapter talked about subnets and subnetting, how Windows 2000 does routing, and how it might incorporate into legacy networks.
When you set up subnets, it’s important to figure out how many hosts you’re going to have per subnet, then set up your IP addressing and subnet masking accordingly. It used to be that you could request a Class A, B, or C network address from an Internet authority and use that on your network. Today you’re better off just using the reserved IP numbers for your network and then relying on a Proxy Server and firewall to provide IP address translation with the Internet community. This saves you money and gives you millions of IP numbers to work with.
The subnet mask is critical to your TCP/IP subnet design. The farther to the left of the mask you go, the more hosts you add; the farther to the right you go, the more subnets. Variable-length subnet masks (VLSMs) give you the ability to customize the number of subnets and hosts you have on a network, but you must have routers that support VLSM or CIDR (most of today’s routers do). Good subnet design means there are ample numbers for all hosts on the network and that you plan for growth.
Software routing is a very viable alternative with Windows 2000 computers. Windows 2000 supports RIP v1, OSPF, and BGP, and presumably there will be third-party support for IGRP and other routing protocols at some point in the future. You can use software routing to set up an internal network of routers that communicate with one another, or you can set some routers to also communicate with the Internet. You also have the ability to set up demand-dial routing, where a distant router isn’t dialed until a connection is actually required. Supported routed protocols include TCP/IP, AppleTalk, and IPX. Microsoft has provided backward compatibility with most of the things you might be using in your Windows NT 4 network, things like MS-CHAP and RIP version 1 support.
Chances are that you probably won’t implement software routing in a legacy environment because hardware routing is in place already, though there may be some opportunity to leverage software routing in those remote locations that don’t merit the full WAN complement of a router and server.
Exam Essentials
Understand TCP/IP subnetting. Unfortunately, this is not an essential that can be summed up in one small succinct paragraph. It’s important that before you take this exam, you know how to subnet. This involves knowing the default subnet masks, as well as being able to create custom subnet masks for various networking scenarios.
Know how many additional networks a custom subnet mask allows. The way to figure it out is to take the number of additional bits used in the mask (n) and take 2 to that power (2^n). For example, if you have a mask of 255.240.0.0, you have used an additional four bits beyond the Class A default. Therefore, you would have 16 (2^4) network addresses.
Based on a custom subnet mask, know how many hosts you can support per network. This is a continuation of subnetting, which is a critical skill for this exam. To calculate the number of hosts per network, figure out how many bits are not masked. In the preceding example, 255.240.0.0, 20 bits are not masked. The formula to use is 2^n – 2. Therefore, in that example, you could have 1,048,574 (2^20 – 2) hosts per network.
Know how to implement Windows 2000 as a software router. Windows 2000 comes with the Routing and Remote Access Service (RRAS), which provides router functionality. It is built in, but disabled by default. At the very least, you need two network connections to be a router.
Know which routing protocols are supported by Windows 2000. Windows 2000 supports RIP (versions 1 and 2) and the OSPF routing protocols.
Know the RRAS authentication methods. Authentication choices include EAP, MS-CHAP v2, MS-CHAP, CHAP, SPAP, PAP, and unauthenticated access.
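The two rules above (2^n subnets for n borrowed bits, 2^n – 2 hosts for n unmasked bits) are mechanical enough to check in code. This Python module is an added example, not from the book: it applies the book's formulas to any dotted-decimal mask and class, and also works the problem backwards, picking the mask that yields a required number of subnets while leaving the most host bits, as in the six-buildings-plus-two scenario in the review questions. The class table and function names are this example's own.

```python
import ipaddress

# Classful default prefix lengths that the book's subnetting rules start from.
CLASS_DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}


def mask_to_prefix(mask: str) -> int:
    """Count the mask bits of a dotted-decimal mask, e.g. 255.240.0.0 -> 12.
    ipaddress rejects non-contiguous masks such as 255.0.255.0 (a ValueError)."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def prefix_to_mask(prefix: int) -> str:
    """Inverse of mask_to_prefix, e.g. 11 -> 255.224.0.0."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def subnet_counts(mask: str, net_class: str) -> tuple[int, int, int]:
    """Apply the study guide's rules to a custom mask on a classful network.
    Returns (borrowed_bits, subnets, hosts_per_subnet) where
    subnets = 2**borrowed_bits and hosts = 2**host_bits - 2 (the network and
    broadcast addresses removed). A mask shorter than the class default is rejected."""
    default = CLASS_DEFAULT_PREFIX[net_class.upper()]
    prefix = mask_to_prefix(mask)
    if prefix < default:
        raise ValueError(f"{mask} is shorter than the Class {net_class} default /{default}")
    borrowed = prefix - default
    host_bits = 32 - prefix
    hosts = max(2 ** host_bits - 2, 0)  # /31 and /32 leave no usable host addresses
    return borrowed, 2 ** borrowed, hosts


def mask_for_subnets(required_subnets: int, net_class: str) -> str:
    """Work the problem backwards: borrow the fewest bits that give at least
    required_subnets subnets, which leaves the largest possible host count."""
    if required_subnets < 1:
        raise ValueError("need at least one subnet")
    default = CLASS_DEFAULT_PREFIX[net_class.upper()]
    borrowed = 0
    while 2 ** borrowed < required_subnets:
        borrowed += 1
    prefix = default + borrowed
    if prefix > 30:
        raise ValueError("not enough bits left for usable host addresses")
    return prefix_to_mask(prefix)


def design_report(required_subnets: int, net_class: str) -> dict:
    """Combine both directions: choose a mask, then report what it yields."""
    mask = mask_for_subnets(required_subnets, net_class)
    borrowed, subnets, hosts = subnet_counts(mask, net_class)
    return {"mask": mask, "borrowed_bits": borrowed,
            "subnets": subnets, "hosts_per_subnet": hosts}


if __name__ == "__main__":
    # The book's worked example: 255.240.0.0 on a Class A network.
    print(subnet_counts("255.240.0.0", "A"))   # (4, 16, 1048574)
    # Six buildings today, two more planned: eight subnets on the reserved Class A.
    print(design_report(8, "A"))                # mask 255.224.0.0, 2097150 hosts each
```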
Key Terms
Before you take the exam, be certain you are familiar with the following terms:
access protocols
Automatic Private IP Addressing (APIPA)
Border Gateway Protocol (BGP)
class-based networks
Classless Inter-Domain Routing (CIDR)
Interior Gateway Routing Protocol (IGRP)
Link Control Protocol (LCP)
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) v2
Network Address Translation (NAT)
Network Control Protocol (NCP)
Open Shortest Path First (OSPF)
Password Authentication Protocol (PAP)
Point-to-Point Protocol (PPP)
private reserved range
quality of service (QoS)
Resource Reservation Protocol (RSVP)
Routing Information Protocol (RIP)
Routing and Remote Access Service (RRAS)
Serial Line Internet Protocol (SLIP)
Service Advertisement Protocol (SAP)
Shiva
Shiva Password Authentication Protocol (SPAP)
small office/home office (SOHO)
subnet
TCP Selective Acknowledgment (TCP SACK)
TCP windows
Variable-length subnet masks (VLSM)
Review Questions
1. You are the network administrator for your company. Your boss instructs you to implement a router at the lowest possible cost for the company. When you suggest installing Windows 2000 routers, she asks which routing protocols the operating system supports. Which two routing protocols are installed by default with Windows 2000 RRAS?
A. IGMP
B. RIP
C. IGRP
D. OSPF
2. You are the network administrator for a medium-sized insurance firm. All employees will get their TCP/IP configuration from a DHCP server that you have installed. There is only one subnet on your network. Late one afternoon, three users contact you stating that they cannot contact the server. When you tell one of them to run an ipconfig, they report an IP address of 169.254.221.16. What could be the problem?
A. The DHCP server assigned the wrong default gateway to the client computer.
B. The DHCP server assigned the wrong DNS server address to the client computer.
C. The client computer cannot contact the DHCP server.
D. You need to install a DHCP relay agent on the subnet.
3. You have decided to subnet your company’s network. Currently, there are six buildings at your organization’s location. Future company plans call for the potential addition of two more buildings if necessary. You decide to use the reserved Class A network address in your new network. What subnet mask will give you the required number of subnets while providing for the largest number of clients possible?
A. 255.255.248.0
B. 255.255.224.0
C. 255.248.0.0
D. 255.224.0.0
4. You are the network administrator for your company. You have decided to subnet your network, and your company is going to use an old router that was donated from your parent company. You're going to use the reserved Class A network address in your new network. You wind up using a unique subnet mask, 255.224.0.0, but users at one location cannot communicate with users in another. What could be the problem?
A. The routers don’t support VLSM.
B. The routers don’t support IGRP.
C. The routers don’t support BGP.
D. The routers don’t support EAP.
5. You are in the process of restructuring your TCP/IP infrastructure. In order to save your company money, you decide to use private IP addressing instead of the public system currently in place. While management is excited about the possibility of lower costs, they are concerned that private IP addressing will limit the company’s Internet capabilities. What other benefits, besides cost, does using private IP addressing provide your company? Choose all that apply.
A. Security—external networks cannot “see” internal clients
B. Lack of availability of valid IP network numbers
C. Scalability
D. Can’t use Proxy Servers without using reserved network addresses
6. You are in the process of implementing a Windows 2000 router on your two-subnet network. Your boss wants to make sure that communication through the router, which will also be attached to the Internet, is secure. He suggests using the EAP protocol for the router. What comment might you have about his proposed solution to your routing situation?
A. EAP is a good choice because it provides optimum security.
B. EAP is a good choice because it is used for smart cards.
C. EAP is one of the default routing protocols and is widely supported.
D. EAP should not be used because it is not a routing protocol.
7. You are setting up a RAS server for your company’s traveling sales force. They need to be able to dial in to receive product information and their e-mail. Management has decided to use the PAP protocol because it’s designed to require a password from the user. You suggest MS-CHAP, but management is unsure. What reason should you give for using MS-CHAP instead of the PAP protocol?
A. With PAP, the username is clear text; the password is encrypted.
B. With PAP, the password is clear text; the username is encrypted.
C. With PAP, both the username and password are encrypted, but they are not validated against a Windows 2000 list of valid users.
D. With PAP, both the username and password are clear text.
8. You are the infrastructure engineer for your company. Recently, your company decided to upgrade from Windows NT 3.51 to Windows 2000. In the process, they decided to redesign the IP infrastructure, which has been haphazardly thrown together. When planning your subnetting strategy, which two things are you most concerned about?
A. An ample number of subnet masks
B. An ample number of network numbers
C. An ample number of host IP addresses
D. An ample number of proxy servers
9. You have a DHCP server on one side of your two-sided network that’s connected by routers that don’t forward broadcasts. You want all users on both sides of the network to automatically receive an IP address from the DHCP server. Therefore, you install a DHCP proxy agent on a Windows 2000 computer on the network that doesn’t have the DHCP server. What type of protocol is this agent functioning as?
A. Authentication method
B. Routing protocol
C. Network protocol
D. WAN (access) protocol
10. You are the network administrator for a company of 20 users. You want to give your users access to the Internet, and you want your Windows 2000 server to act as a router in the connection to your ISP as well. You also want to be able to choose the IP address range for internal clients. What RRAS feature will you use?
A. NAT
B. ICS
C. Proxy Server
D. Demand-dial routing
Answers to Review Questions
1. B, D. Windows 2000 provides support for IGMP, but it is not loaded by default. RIP (version 1) and OSPF are the two default protocols. You’ll have to get third-party support for IGRP.
2. C. The address that the client received is an APIPA address. Therefore, it is assumed that the client computer cannot contact the DHCP server. If it is only one person, it may be their NIC or cable. If multiple people are having the problem, it could be a hub, or possibly a problem with the DHCP server.
3. D. The class A default subnet mask is 255.0.0.0, so you need to expand it from there. The mask of 255.240.0.0 gives you an additional 16 networks to work with and allows for the most possible client addresses. Technically, the mask of 255.224.0.0 is an even better fit, but that is not one of your available answers.
4. A. Routers need to support variable-length subnet masks (VLSM) in order for “unusual” subnet masks like this one to be valid across the network.
5. A, B, C. By using the reserved network numbers, you gain security and scalability. It’s true that there probably aren’t many Class A or Class B addresses left, though you might be able to pick up a few Class C addresses. But why go through the headaches and expense when you can just as easily set up a reserved network number for your internal network and then use a Proxy Server and firewall for access to the Internet? This is becoming more and more common on networks today.
6. D. EAP isn’t a routing protocol. It’s an authentication protocol for a variety of purposes, most notably for smart-card access.
7. D. The only thing that’s remotely secure about the PAP method is that you’re required to supply a password. But everything is in clear text, and a sniffer could easily pick up and allow you to read both.
8. B, C. First of all, you need to make sure that every device on your network has an available IP address. Also, you need to make sure there are enough networks available to properly divide your network as necessary. For both networks and hosts, you need to make sure to account for future growth as well.
9. B. Microsoft thinks of the DHCP relay agent as a routing protocol. To see this, go into the RRAS window. Highlight the General tab, right-click and select New Routing Protocol; there it is.
10. A. The NAT provides both routing and internal client Internet access capabilities. It acts as sort of a poor man’s Proxy Server and router all in one. You install the NAT as a routing protocol within RRAS. ICS is used strictly for sharing of an Internet connection, and ICS automatically uses the 192.168.y.z addressing scheme. Demand-dial routing is for router-to-router dial-up connectivity in order to cut costs.
The New Network Subnet Design
You should give yourself 10 minutes to review this case study, diagram as needed, and complete the questions for this testlet.
Background
You’ve been hired as the network architect for a new Internet startup company. It’s a fairly large company even though it hasn’t made a nickel yet. Although nobody has started to work yet, there are plans for about 700 users spread out over three campuses. Since good Internet developers are so hard to find, the company has had to resort to hiring people who insist on telecommuting, so providing a VPN connection for these people is very important. You don’t know anything about routers and have no internetworking background. Your biggest challenge is going to be setting up a routed network without having to resort to outsourced consulting help, for which no funding is authorized.
Envisioned System Overview
The envisioned system includes a campus in La Jolla, California, one in Boulder, Colorado, and one in Philadelphia. You’ll use a common carrier to provision the WAN circuits. You’ll select an international carrier that also acts as an ISP so that your Internet connectivity will be incorporated with your telephony and WAN circuits. You’ll need to provide some VPNs for telecommuters from places such as Delhi, Vancouver, Miami, and Charlotte, North Carolina. You develop an initial circuit plan with a 256K fractional T1 circuit between the Boulder and La Jolla offices and a 128K fractional T1 circuit between the Boulder and Charlotte offices. You also obtain 10 Class C IP addresses from your ISP. Boulder will be the headquarters office. All servers are from a tier 1 vendor, and all will be running Windows 2000 server. All users will be running Windows 2000 Professional. Your intent is to use the reserved network addresses for your internal clients.
Security Overview
Security is of great importance in this environment. You have a hot new Internet service that you’re going to roll out, and you don’t want scurrilous spies stealing things like new ideas or designs!
CEO “This company is founded on ideas. It’s important that you carefully manage the security of the network at all times.”
Operations Manager “Our international developers who will be coming in through the VPN aren’t allowed to use anything stronger than 40-bit security. Nevertheless, I want to make sure that all people connecting to this network are valid. We don’t want outsiders managing to hack in.”
Availability
Availability is important because of the telecommuting developers. Since some of the developers are internationally based, it’s important that the network be consistently up and running. The operations manager reminds you, “Some of the developers are going to be working while the rest of us are in bed. For example, the woman who’s going to be doing some of our web page development is in Delhi. It’s important that the network be up at all times.”
Performance Overview
Your biggest concerns are the VPN circuits. Should you put in a DSL connection, ISDN, or some other connection? And what about the developers who will be connecting over slow ISPs? You decide that while there’s little you can do about them, you can certainly make sure that the network is well designed and functional.
Operations Manager “Every component of this design must be well thought out. For example, if we’re going to grow as fast as I think we’re going to, the IP design will have to be large enough to accommodate everybody.”
CEO “It’s important that we get going as quickly as possible. I want to use state-of-the-art equipment and software. In the same breath, I need to tell you that whatever you do is funded at this time by venture capitalists, so we have to carefully watch our dollars!”
Questions
1. In terms of anticipated growth, what reserved network address would work the best, based on the number of users you have at each campus?
A. Class A: 10.x.y.z
B. Class B: 172.16.y.z–172.31.y.z
C. Class B: 169.254.y.z
D. Class C: 192.168.0.z–192.168.255.z
2. What will you use for routers?
A. Purchase some routers and hope to figure out how they work by reading the manuals.
B. Hire a consultant to install and configure the routers.
C. Use a Windows 2000 server at each campus for routing.
D. Routers are not needed since the carrier provisioned the frame relay connections.
3. Are the carrier-provisioned frame relay circuits between the campuses necessary?
A. No
B. Yes
C. Maybe
4. You need to set up the VPN circuits. In the following table, reorder the tasks from the right column into the left column in the logical order that they should take place to configure a VPN.
Task Order          Tasks
                    Install VPN software on client computers.
                    Configure IPSec.
                    Configure an IP tunnel.
                    Configure RRAS.
5. What routing protocols should be used for your routing connections? Choose all that apply.
A. OSPF
B. RIP version 1
C. RIP version 2
D. EAP
Answers
1. B. The Class A address will work fine and it’s easy to manage, but in terms of size, the Class B address (172.16.y.z–172.31.y.z) is adjustable by subnet mask and probably makes the most sense. The Class B address in option C is reserved for APIPA. You’d need too many separate Class C networks with option D.
2. C. The business rules stipulate that you’re not allowed to use consultants. And we’ve already said that you don’t know anything about routing. The best bet here would be to set up three Windows 2000 servers, one each in La Jolla, Boulder, and Charlotte. Since RRAS and OSPF are already installed on all servers by default, it’s a simple thing to enable the routers and statically point them at each other: La Jolla to Boulder, Boulder to Charlotte, and so forth. The Boulder server would have to have three frame relay interface cards in it: one for the route to La Jolla, one for the route to Charlotte, and one for the route to the ISP. The other two would only need one frame relay interface card apiece. This does not necessarily imply that these are the only servers on the network. Indeed, it would be foolish to have one server doing routing and all of the other functions of the network such as e-mail, file and print services, and application serving. But in this example, we’re only talking about the routing servers.
3. A. With Windows 2000–based routers, you could simply set up a demand-dial connection (that is, a regular phone line) with the other routers in the network. You won’t get the performance you need, but the option is definitely there.
4. See the following table:
Task Order
Configure an IP tunnel.
Configure IPSec.
Configure RRAS.
Install VPN software on client computers.
First, configure an IP tunnel, then set up IPSec. RRAS is not enabled or configured, so you have to do that step. Finally, you’re ready to install VPN software (such as DUN 1.3 on Windows 9x clients), and you’re done. Note that you don’t need extra extravagances such as VPN switch gear or notification to your ISP that you’re doing VPN. Windows 2000 makes it super simple.
5. A, C. While B is a valid answer and is installed with RRAS, it is more primitive than RIP version 2. Both versions of RIP are static address–based, which works fine in smaller networks but wouldn’t work well in a large network. EAP is only used for things like smart cards, one-time password logons, and so forth.
Chapter 9
Building a Multi-Protocol Strategy
MICROSOFT EXAM OBJECTIVE COVERED IN THIS CHAPTER:
Design a multi-protocol strategy. Protocols include IPX/SPX and SNA.
It may be hard to imagine, but not all networks use TCP/IP. This chapter talks about systems that use protocols other than the standard TCP/IP. Many networks need to communicate with other platforms and other systems; Windows 2000’s ability to cooperate in this process will be important. Interoperation was critical for Windows NT as well, and many of the techniques that were developed in NT have been enhanced and brought forward in Windows 2000. This chapter describes three different platforms that require support: Novell NetWare, Apple Macintosh, and Unix-based systems. We’ll also talk briefly about support for SNA Server.
NetWare Systems
Novell NetWare was a huge presence in the late 1980s and early 1990s, until Windows NT got a foothold in the industry. Microsoft has cut considerably into Novell’s market share, but NetWare still enjoys a solid following. In today’s networks, many legacy NetWare 3.11 and 3.12 servers are still running in corporations all over the world, and there’s a good deal of NetWare 4.x and 5.x as well. NetWare servers are highly reliable file and print servers, though from an applications standpoint some may argue that they lack the functionality that Windows NT and Windows 2000 servers provide. Because of NetWare’s popularity, Windows 2000 support for NetWare systems is crucial. There are two types of NetWare security models: the older Bindery mode and the new NetWare Directory Services (NDS) system. You’ll find NDS running on NetWare 4.x and 5.x systems, while Bindery-mode systems are primarily NetWare 3.x and some 4.x systems.
The Bindery structure was very similar in functionality to Windows NT’s flat domain model. NDS may look familiar to you because of your Active Directory (AD) knowledge. AD is based, in part, on Novell’s NDS code.
It is vital that Windows 2000 supports both types of security models, and it does. Moreover, it’s important that you understand what implementation of NetWare server you are dealing with when you get ready to set up your connectivity options with the server.
Microsoft Exam Objective
Design a multi-protocol strategy. Protocols include IPX/SPX and SNA.
Early installations of NetWare used a protocol called Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX), although NetWare 5.0 incorporated TCP/IP as its default protocol. Microsoft wrote an IPX/SPX protocol implementation called NWLink in order to provide connectivity with NetWare servers running the IPX/SPX protocol. This protocol is available in Windows 2000 as an add-on protocol, but you should convert any old NetWare IPX/SPX installations over to TCP/IP instead. When installing NWLink, you need to supply two pieces of information: the network number (available through the administrative interfaces) and the frame type. Windows 2000 can be configured to auto-detect the frame type, which is recommended.
If you set your computer to auto-detect the frame type, it will detect only one. Therefore, if your network is running multiple frame types (which happens occasionally with multiple NetWare versions), you’ll need to manually configure the frame types on your Windows machines.
NetWare clients use a protocol called NetWare Core Protocol (NCP) to request services from NetWare servers; NCP runs over IPX/SPX and, on NetWare 5, over TCP/IP. Windows clients, on the other hand, have traditionally used Server Message Block (SMB) to communicate with servers, and Windows 2000 clients speak the Common Internet File System (CIFS) dialect, an enhanced version of SMB. Since the Microsoft and Novell ways of doing things are not compatible, we must account for the discrepancy when we try to make Windows 2000 computers talk to NetWare servers or have clients obtain data from either server. There are three critical services in Windows 2000 that provide Microsoft/Novell communication:
Gateway Service for NetWare (GSNW) Installed on a server, this service allows Windows-based clients to access NetWare resources through one Windows 2000 machine, known as the gateway server.
Client Service for NetWare (CSNW) This component is installed on Windows 2000 Professional computers and acts as a NetWare client.
File and Print Services for NetWare (FPNW) This is an optional purchase for Windows 2000. Running FPNW allows your machine to act as a NetWare server.
All three of these services require that the NWLink protocol be installed on the computer they're running on. If NWLink isn't installed at the time the service is installed, Windows 2000 goes ahead and installs it with the service. Even though NetWare 5 uses TCP/IP as its default protocol, NWLink is installed every time you install CSNW or GSNW: CSNW and GSNW only talk NCP over IPX, not over NetWare 5's TCP/IP transport, so a NetWare 5 server that you want Windows gateways or clients to reach must keep IPX bound as well.
Gateway Service for NetWare Microsoft's Gateway Service for NetWare (GSNW) provides an access point to your NetWare server for Microsoft clients. Once installed on a Windows 2000 server, GSNW acts as a gateway for your Microsoft-based clients: Windows 9x, NT, and 2000 machines can all access NetWare-based resources through one central share point without running any NetWare client software themselves. Here are the steps you take to configure GSNW:
1. Set up a group on the NetWare server called NTGATEWAY. (The name NTGATEWAY cannot be changed; it is a hard-wired name that Windows 2000 looks for.)
2. Create a NetWare user with the appropriate rights to the NetWare resources you want users to access, and make that user a member of the NTGATEWAY group. Give this account only the rights the gateway actually needs, because every Windows user who goes through the gateway inherits them.
3. On the Windows 2000 server, enable the gateway in the GSNW applet using that account's credentials, and create shares on the Windows 2000 server that point to the NetWare resources you want people to be able to access.
Access control then happens in two places. NetWare sees a single account, the gateway account, so its trustee rights set the ceiling; the share permissions you put on the gateway's Windows shares decide which Windows users get what beneath that ceiling. NetWare-side auditing can only ever record the gateway account, never the individual Windows user.
There are two disadvantages to using GSNW:
Everyone who accesses NetWare resources does so from the same NetWare user account. Therefore, you can't realistically give the accountants and engineers different rights on the NetWare side unless you create multiple gateways, which means a lot more work for yourself.
There can be a problem with speed. You may have 50, 100, or more users accessing NetWare resources through one central point, which can definitely cause a bottleneck. Because of the speed issue, GSNW is best for limited-access situations.
With GSNW, users never actually hit the NetWare server. Your clients access the GSNW server's shares, which map to NetWare resources, and the GSNW server is responsible for retrieving the information.
Of course, if there weren't advantages to the product, you'd never use it. The advantages of GSNW are:
Centralization of resource access. Everyone can go to one central point to locate NetWare resources.
Licensing. By making a GSNW connection to the NetWare server, you make one connection, and then you can have as many users as you want hitting the gateway server and, through it, NetWare resources. Since the NetWare server sees only one connection, the argument goes, you need only one NetWare license even if hundreds of users go through it. Whether that holds is a question for your NetWare license agreement, not for the software; confirm it before you count on the savings.
You install GSNW through the Local Area Connection Properties window: click Install, choose Client, and then select Gateway (and Client) Services for NetWare.
Client Service for NetWare For Windows 2000 Professional users who need frequent access to NetWare servers, install CSNW on their local machines. CSNW allows the user to log in directly to the NetWare server, meaning that you as the administrator can customize NetWare access for all users on your network. Of course, since the users are logging in to a NetWare server, they need to have user accounts on that server (as well as appropriate licensing). However, creating NetWare user accounts is a subject for another book.
By default, Windows 2000 computers have Client for Microsoft Networks installed. This service allows the machine to participate as a client to a Microsoft server; CSNW allows it to be a client to a NetWare server as well. When the client is installed on the Windows 2000 computer, go to Control Panel > CSNW and configure the client in much the same way that you configured the GSNW client, by entering the preferred server or the default tree and context. The user is then prompted, at next logon, for the information needed to access the NetWare server.
If your NetWare server is running in Bindery mode, you need to provide a preferred server name, username, and password. If the NetWare server is running NDS, you need to provide the default tree and context, as well as a username and password.
File and Print Services for NetWare This optional, separately purchased component fools NetWare clients into thinking they’re connecting to a NetWare 3.12 server. The client can then interact with the Windows 2000 server as though it is a NetWare server. Keep in mind that NetWare 3.12 servers are Bindery servers, not NDS. This generally doesn’t matter to client computers, but it may crop up in troubleshooting calls with clients. The main thing to watch out for is that clients are set to log in to a preferred server, not a default tree and context.
Microsoft Directory Synchronization Services Microsoft provides a service called Microsoft Directory Synchronization Services (MSDSS), part of the separately purchased Services for NetWare add-on. MSDSS synchronizes user and group objects between Active Directory and NDS (in either direction, or two-way) and from Active Directory to a Bindery server (one-way), so you can manage accounts from Active Directory while NetWare administrators continue to manage the NDS trees independently. After installing the NetWare components, MSDSS can be added and managed through the Microsoft Management Console (MMC). Because it manages two different directory services from the same console, it is sometimes described as a metadirectory service. Remember that the server running MSDSS holds credentials with write access to both directories, so treat it with the same care as a domain controller.
Macintosh Systems
In every company, it seems that at least a handful of people require Macintosh computers. These people are typically in the graphic art areas of the company, such as marketing departments or publishing areas; Macs are fine computers for work such as this. But for the network administrator or designer who has to support thousands of PCs and servers, supporting Macintoshes can produce headaches. For example, when graphic artists create files, they’re usually quite large. Since you suggest that all users save important files to servers (so that the administrators can back them up), and Mac users are people too, you need to find disk space for their gigantic files. Of course, before the Mac clients can store files on a Windows 2000 server, you need to be able to make the two systems talk to each other.
Microsoft Exam Objective
Design a multi-protocol strategy. Protocols include IPX/SPX and SNA.
Macintosh computers are designed, out of the box, to work on a network, but the network they were originally designed for is a proprietary one called LocalTalk. Macintoshes natively use the AppleTalk protocol suite; LocalTalk is just its original physical medium, and Apple later defined EtherTalk and TokenTalk to carry AppleTalk over Ethernet and Token Ring respectively. Macintosh computers can dial in to Windows 2000 RRAS servers using the AppleTalk Control Protocol (ATCP), the PPP network control protocol that negotiates AppleTalk over a PPP link. With ATCP, a remote user can access web pages over TCP/IP, print to an AppleTalk printer, and connect to an AppleTalk server, either through TCP/IP or AppleTalk, all over the same PPP dial-up connection. While it's possible for you to run Windows 2000 on a native LocalTalk network, you probably don't want to do this. Instead, you have to find a way for the Macintosh machines to communicate with the machines on the Windows 2000 network.
This is done with an Ethernet adapter for the Macintosh computer, which most Macs have built in. Macs plug into a switch or hub in a switch closet, just like any other computer on the network. But how will you support your Mac users when they begin looking for a file server to store their files on? Your Windows 2000 computers won’t recognize Macintosh computers until you prepare them to do so. It’s easy to install the Services for Macintosh (SFM), which installs the AppleTalk protocol if it’s not already on the system; do this through the Network and Dial-Up Connections window by editing the properties of the Local Area Connection.
Most Macintosh machines can support the standard TCP/IP protocol, which means you can avoid AppleTalk altogether. However, for purposes of this test, you need AppleTalk and SFM to support Macintosh clients.
AppleTalk Zones If you have several groups of Macintoshes, you may want to enable AppleTalk routing and then set up AppleTalk zones. A zone is a logical grouping of AppleTalk networks that shows up as a single name in the Macintosh user's Chooser; the network range behind it is the part that corresponds to a TCP/IP subnet. You seed a network by supplying a network range (each network number in the range provides up to 253 node addresses, so size the range in multiples of 253 nodes) and a zone name; the zone then becomes visible in the Chooser. Configure AppleTalk routing and seeding under Administrative Tools > Routing and Remote Access.
Enabling Macintosh RAS Usage Enabling Macintosh users for Remote Access Service (RAS) usage is straightforward. After you’ve installed and enabled the AppleTalk Protocol, go to the RRAS Properties window and enable AppleTalk Remote Access. Macintosh users use ATCP to access RAS servers. ATCP works hand in hand with PPP to negotiate a connection for the Mac user. RFC 1378 has more information on how ATCP is implemented.
Macintosh User Authentication Methods After you’ve installed the SFM, you’ll notice a new volume called UAM. UAM stands for User Authentication Module. Installing File Services for Macintosh automatically creates a UAM volume that’s available to Macintosh users.
When Macintosh users log on, they open the Chooser, click the AppleShare icon, and select the zone that you configured previously. Macintosh users can log on in one of three ways:
Guest The Guest account allows users without credentials to log on, but with limited privileges. Leave guest access disabled unless you actually want anonymous access to the volume.
Apple clear-text authentication The user enters a valid username and password, which are both passed across the wire as clear text, where anyone on the segment with a sniffer can read them. Note that Windows 2000 doesn't support Apple's built-in Random Number Exchange scheme.
Microsoft UAM authentication Windows 2000 provides a more secure authentication method for Macintosh users through its own UAM, which does not send the password across the wire in clear text. If a Macintosh client is running AppleShare Client 3.8 or later, or Mac OS 8.5 or later, the newer Microsoft UAM version 5 is used; otherwise the older Microsoft UAM version 1 is used. Both UAM versions ship with Windows 2000, and Macintosh users install them by running the Microsoft UAM Installer from the UAM volume.
Installing File Services for Macintosh is a different operation from installing the AppleTalk protocol. Open the Control Panel and double-click the Add/Remove Programs applet. Click the Add/Remove Windows Components icon on the left side of the screen shown in Figure 9.1.
FIGURE 9.1 The Add/Remove Programs window
Once in Add/Remove Windows Components, click the Other Network File and Print Services item, and then click the Details button. In the next window (illustrated in Figure 9.2), check File Services for Macintosh and click OK.
FIGURE 9.2 Adding File Services for Macintosh
Using the Computer Management Program You will no longer use File Manager or Explorer to view or modify File Services for Macintosh. Instead, you'll use a Windows 2000 program called Computer Management. It's easy to get to: choose Start > Programs > Administrative Tools > Computer Management. Highlight the Shares node, and you'll see the Microsoft UAM volume in the Details pane on the right side of the window illustrated in Figure 9.3. Highlight the UAM volume and click Properties to open its properties sheet, which has two tabs, General and Security (shown in Figure 9.4 and Figure 9.5, respectively). On the General tab you can set a volume password that Macintosh users must supply before they can mount the volume; on the Security tab you set NTFS permissions on the underlying folder. The volume password is a convenience, not a substitute for permissions: the NTFS permissions decide what each authenticated Mac user can actually read or change.
FIGURE 9.3 Viewing the File Services for Macintosh UAM volume
FIGURE 9.4 General properties of the Macintosh UAM volume
FIGURE 9.5 Security properties of the Macintosh UAM volume
You can use the Computer Management program to adjust the Macintosh file server's settings. Right-click the Shared Folders node and select Configure File Server for Macintosh to access the three Properties tabs shown in Figures 9.6, 9.7, and 9.8. Unless you have some highly specialized implementation, you'll probably use this program to
Set up a logon message for Macintosh users logging on to the system (using the Configuration tab)
Select an authentication method (using the Configuration tab); this is where you turn off clear-text logons once every Mac has the Microsoft UAM installed
Send a message to all logged-on Macintosh clients (using the Sessions tab)
FIGURE 9.6 Configuration properties of File Server for Macintosh
FIGURE 9.7 File Association properties of File Server for Macintosh
FIGURE 9.8 Sessions properties of File Server for Macintosh
You can create additional Macintosh shares by using the Computer Management program. In Computer Management, highlight the Shared Folders node, right-click the Shares icon in the right pane, and select New File Share. A Create Shared Folder wizard appears and you then browse to the folder that you’d like to share. Type a share name and description and apply a Macintosh name for the share. The wizard will also prompt you to apply the appropriate permissions to the share.
When using SFM, you cannot nest shares. For example, if you create a share at the root of the SFM volume, you cannot create an additional share in an individual folder within that root.
Unix Systems
The Unix world has used TCP/IP for decades, so you can at least be assured that your Unix boxes and your Windows 2000 domain are speaking the same networking language. However, Unix computers share files with the Network File System (NFS) instead of SMB or CIFS, so you once again need a translation mechanism to allow the two to communicate. Fortunately, lots of third-party work has been done along this line. Samba, an open-source implementation of SMB/CIFS for Unix (historically available at samba.anu.edu.au/samba), lets a Unix computer act as a file and print server that NT and Windows 2000 clients can connect to exactly as they would a Windows server. Other companies, such as Hummingbird, manufacture NFS software for Windows servers so that a Windows server can export an NFS volume that Unix users can post their files to. One point to get right early: Windows 2000 clients send only encrypted (challenge/response) passwords by default, so a Samba server must be configured for encrypted passwords or Windows 2000 users will not be able to log on to it at all.
Microsoft's own Services for Unix add-on includes a full NFS client (and an NFS server).
Printing Unix computers can print to Windows 2000 printers and vice versa. It's a two-part process. First, you install Print Services for Unix using Control Panel > Add/Remove Programs; this adds the LPD service (TCP port 515, RFC 1179) so that Unix clients can submit jobs to the Windows 2000 server with lpr, and it adds the LPR port type so the server can send jobs to Unix print servers. Then you configure a printer with an LPR port: click Start > Settings > Printers, double-click the Add Printer icon to call up the wizard, define the printer as Local, create a new LPR port, and supply the IP address (or host name) of the LPD server and the name of its queue. Windows-based clients can print to Unix LPD print servers as long as the Windows client has LPR installed. Keep in mind that LPD has almost no access control of its own: the daemon checks that the client's source port is privileged (721 through 731), and many implementations consult a host allow-list, but there is no user authentication, so anyone who can reach port 515 can submit jobs. Restrict the port to the subnets that need it. The three major components of Unix-based TCP/IP printing are
Line Printer Daemon (LPD), which is the print server service
Line Printer Remote (LPR), which is used by the client to send print jobs to the LPD server
Line Printer Queue (LPQ), which is used to check the queue and is a diagnostic utility
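To make the LPR-to-LPD exchange concrete, here is an added Python example (not from the book) that builds the bytes an lpr client sends for one job and parses them the way an LPD daemon does, following RFC 1179. It runs entirely in memory with a constructed job (the host name unixhost, user alice, queue lp, and the file contents are all made up), so you can inspect each message and the daemon's acknowledgement without a printer. The queue-name check in the receiver is the one hardening step a practitioner would add: the queue name is used by real daemons as a spool directory or printcap key, so it must be a plain token.

```python
"""Minimal RFC 1179 (LPR/LPD) print-job exchange, modelled offline.

lpr_job() builds exactly the byte strings a Unix lpr client writes to an
LPD server (TCP port 515) for one job, and LpdReceiver consumes them the
way the daemon does. No sockets are opened: the two halves are run back to
back in memory so the protocol can be inspected step by step.
"""
import re

ACK = b"\x00"          # daemon's positive acknowledgement
NAK = b"\x01"          # anything non-zero is a rejection
QUEUE_NAME_RE = re.compile(rb"^[A-Za-z0-9_.-]{1,64}$")
FILE_CMD_RE = re.compile(rb"^([\x02\x03])(\d+) ([A-Za-z0-9_.-]+)\n$")


def job_filename(prefix, job_number, host):
    """RFC 1179 file names: cfA<nnn><host> for control, dfA<nnn><host> for data."""
    return f"{prefix}A{job_number:03d}{host}".encode()


def build_control_file(host, user, job_name, data_name, source_name):
    """Control file: one command letter per line (RFC 1179 section 7)."""
    lines = [
        b"H" + host.encode(),         # H: originating host
        b"P" + user.encode(),         # P: submitting user
        b"J" + job_name.encode(),     # J: job name for the banner page
        b"l" + data_name,             # l: print data file as-is, no filtering
        b"U" + data_name,             # U: unlink data file when the job is done
        b"N" + source_name.encode(),  # N: name of the original source file
    ]
    return b"\n".join(lines) + b"\n"


def lpr_job(queue, host, user, job_number, source_name, data):
    """Return the ordered client->server messages for one print job.

    The client writes each element, then waits for a one-byte ACK. A real
    client also binds a source port in 721-731 (RFC 1179 section 3.1);
    that privileged port, plus a host allow-list on many daemons, is all
    the access control LPD has.
    """
    cf_name = job_filename("cf", job_number, host)
    df_name = job_filename("df", job_number, host)
    control = build_control_file(host, user, source_name, df_name, source_name)
    return [
        b"\x02" + queue.encode() + b"\n",           # 02: receive a printer job
        b"\x02%d %s\n" % (len(control), cf_name),   # 02: receive control file
        control + ACK,                              # file bytes, then end marker
        b"\x03%d %s\n" % (len(data), df_name),      # 03: receive data file
        data + ACK,
    ]


class LpdReceiver:
    """Daemon side: parses one client message per feed() call."""

    def __init__(self):
        self.queue = None
        self.files = {}        # file name -> contents
        self._pending = None   # (size, name) while a file body is expected

    def feed(self, message):
        """Handle one client message and return the daemon's reply byte."""
        if self._pending is not None:
            size, name = self._pending
            self._pending = None
            # Body must be exactly the announced length plus the end marker.
            if len(message) != size + 1 or message[-1:] != ACK:
                return NAK
            self.files[name] = message[:-1]
            return ACK
        if self.queue is None:
            if message[:1] != b"\x02" or not message.endswith(b"\n"):
                return NAK
            name = message[1:-1]
            # The queue name is used by daemons as a spool directory or
            # printcap key, so refuse anything that is not a plain token.
            if not QUEUE_NAME_RE.match(name):
                return NAK
            self.queue = name.decode()
            return ACK
        m = FILE_CMD_RE.match(message)
        if not m:
            return NAK
        self._pending = (int(m.group(2)), m.group(3))
        return ACK


def parse_control_file(control):
    """Return {command letter: operand} for a received control file."""
    return {line[:1].decode(): line[1:] for line in control.split(b"\n") if line}


def run_exchange(messages):
    """Feed every client message to a fresh daemon; return (replies, daemon)."""
    daemon = LpdReceiver()
    return [daemon.feed(m) for m in messages], daemon


if __name__ == "__main__":
    # Constructed sample job: user alice on host unixhost prints report.txt.
    msgs = lpr_job("lp", "unixhost", "alice", 7, "report.txt", b"hello, printer\n")
    replies, daemon = run_exchange(msgs)
    print("queue:", daemon.queue, "replies:", replies)
    print(parse_control_file(daemon.files[b"cfA007unixhost"]))
```

Nothing in the exchange identifies the user beyond the P line the client wrote itself, which is why the privileged source port and a host allow-list are the only controls the protocol gives you.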
File Sharing Unix users sometimes need to pull files off of Windows servers and vice versa. For example, consider an enterprise fax system. When you send faxes, sometimes they come from work orders that are generated from an Oracle database system residing on a Unix box. It's an interesting paradigm, if you think about it. A worker sitting at a Windows 9x computer enters an order that posts to an Oracle database. The database spits out a text file that "prints" to an LPD port on an NT fax server, where the order is faxed out. It sounds like a complex system, and it is. But the point is, it works.
Telnet Telnet, while ubiquitous in the Unix world, has nowhere near the same following in the Windows world. Windows 2000 installs a Telnet server but does not start it automatically. Be precise about what "secure" means here: the Windows 2000 Telnet server can authenticate clients with NTLM, so the password need not cross the network in clear text, but everything after logon, every command and its output, travels unencrypted, exactly as with any other Telnet session. Start the service only where you need it, and prefer NTLM authentication over plain password logon. To connect, open a command prompt and type telnet computer_name. If you know the IP address of your Telnet server, you can also type telnet IP_address.
Remote Execute Windows 2000 does not come with a remote execute tool by default. However, you can obtain a Remote Execute executable (REXEC) from the Windows 2000 Server Resource Kit. Be aware that the rexec protocol sends the username and password in clear text, so treat it like Telnet: acceptable on a trusted segment, a credential leak anywhere else.
Remote Access Services The Internet browser has revolutionized RAS for Unix users. Now they can dial in to Windows servers, open a browser, and retrieve their Exchange Server e-mail. As long as a browser is available and the applications that Unix users need to run on Windows servers are web-enabled, there is no longer a cross-platform issue. Perhaps the most important job that an administrator in a platform-disparate shop faces is the interaction between Unix servers and Windows servers. Fortunately, third-party vendors and the advent of Windows 2000 have made this cross-platform work much easier. Windows 2000 now has native (and improved over NT) support for TCP/IP, and many vendors are creating products to ease management differences between platforms.
SNA Support
The Systems Network Architecture (SNA) protocol suite, introduced by IBM in the early 1970s, was originally used to connect terminals and applications to mainframes running MVS (Multiple Virtual Storage). Since then, SNA has been extended to the AS/400 and to OS/2 servers. While many mainframes now also accept TCP/IP connections (3270 terminal sessions carried over Telnet as TN3270E), lots of companies are still running native SNA. Since it's important to be able to fetch data from these systems over SNA, there had to be some sort of methodology for this. Microsoft's SNA Server has been around for years. It's a highly technical and specialized software component that doesn't exactly occupy top drawer in the minds of most MCSE candidates, but there's still a huge demand for people who are "SNA Server-aware," and it's a very good product to know about. It's important for you to understand one jargon phrase that might confuse you if you hear it used the wrong way. In TCP/IP terms, a host is any computer on the Internet (or on a TCP/IP network anywhere in your company); for example, any Windows 98 machine on your network that has an IP address is said to be "a host." But when talking about a mainframe, people often call it "the host." It's important that you can differentiate between a TCP/IP host and "the host." Generally, the context of your conversation will let you differentiate. Microsoft has been working feverishly in the background to prepare a brand new SNA server that is both Windows 2000 and Windows NT 4 compliant. Code-named Babylon, this new version of SNA Server, now called Host Integration Server 2000, is ready for prime time. Visit Microsoft's SNA Server web site at www.microsoft.com/sna.
Third-Party Protocols
Software developers have written literally hundreds of protocols so that computers, devices, programs, and people can communicate. Most of the protocols are highly proprietary, and you'll never see them. Nevertheless, if you're running a program that requires a strange protocol, one that's not in the usual administrator dialog, you need it to make your application run correctly.
One such protocol that comes to mind is the one that used to run on Banyan VINES servers, the VINES protocol. Microsoft doesn’t provide native support for this in Windows 2000, so if you had to integrate your Windows 2000 servers with VINES, you’d have to try going to Banyan to see if you could get some support for the protocol there. The story with non-standardized protocols that are somewhat proprietary or specialized is this: Microsoft depends on the vendor of that protocol to supply updates to Windows 2000. Expect native support for TCP/IP, IPX, and AppleTalk; don’t expect support for exotic protocols that aren’t in use much.
Summary
This chapter has been about foreign-protocol integration into Windows 2000 servers. Two important computer systems that use protocols foreign to Windows are Novell NetWare and Apple Macintosh. In the older NetWare days, the only standard protocol was IPX/SPX. Microsoft, ever vigilant about maintaining interoperability support with NetWare servers, developed its own version of the IPX/SPX protocol, NWLink. NWLink is included with Windows 2000 for compatibility with legacy NetWare systems. You have three additional services that you can use with Windows 2000 for interoperability with NetWare:
Gateway Service for NetWare (GSNW), a pipe that allows for a connection with either a bindery or NDS NetWare server
Client Service for NetWare (CSNW), a client component for Windows 2000 Professional computers, allowing them to connect to NetWare servers running in either bindery or NDS mode
File and Print Services for NetWare (FPNW), a separately purchased option that allows Windows 2000 servers to emulate NetWare 3.12 servers
Macintosh computers use the AppleTalk protocol. You can install Services for Macintosh (SFM) on a Windows 2000 server; doing so automatically installs the AppleTalk protocol as well. With AppleTalk routing enabled in Routing and Remote Access, you can seed an AppleTalk network and zone, giving Mac users a zone to connect to from the Chooser. Mac users have the choice of guest access, Apple clear-text authentication, or Microsoft UAM authentication; only the last keeps the password off the wire. Mac users can dial in to Windows 2000 RRAS servers using the AppleTalk Control Protocol (ATCP) over PPP.
Samba is Unix software that lets Windows users put files on Unix servers; NFS is the Unix file-sharing system, and Windows 2000 supports it through the Services for Unix add-on, which includes a full NFS client. You can set up LPR ports for Windows 2000 users to print to Unix printers, and Print Services for Unix provides the LPD service that lets Unix users print to Windows 2000 printers. Since TCP/IP is the standard Unix protocol, Unix interoperability will be the easiest (and most in demand) of all of the Windows 2000 cross-platform needs. Microsoft has written a brand new SNA server implementation called Host Integration Server 2000. This software speaks the SNA protocols for interoperation with MVS mainframes, AS/400 systems, and OS/2 servers. Other specialized protocols, such as Banyan VINES, require third-party support.
Exam Essentials
Know how to make Microsoft operating systems work with Novell networks. The most important factor is to use the right protocol. Until NetWare 5, Novell's default protocol was IPX/SPX, implemented in Windows NT and Windows 2000 as NWLink. If you want Microsoft clients to be able to access NetWare resources, you'll also need an appropriate client, such as CSNW or GSNW.
Understand Macintosh connectivity. Macintosh machines have built-in network adapters, so that part is easy. Most current Macintoshes also support TCP/IP, which makes life easy. In some cases, you'll need to install the AppleTalk protocol, which is part of Services for Macintosh in Windows 2000. You can also create Macintosh-accessible volumes on Windows 2000 servers for Mac users to store files on.
Know some aspects of Unix connectivity. Fortunately, Unix and TCP/IP have been married to each other for quite some time. Getting Windows-based computers to use Unix-based services like DNS simply requires correct IP configuration on both machines. Unix printing uses the LPR, LPD, and LPQ utilities. Other Unix-based utilities will not be tested heavily. If they are mentioned on the test and you are unfamiliar with them, don't stress; just remember your TCP/IP connectivity basics and you'll be able to answer the question.
Key Terms
Since they are foreign to the Microsoft world, the NetWare, Unix, and Macintosh scenes provide a new set of terms to remember. Probably the most exotic set of terms will come from the mainframe terminology associated with SNA Server (now called Host Integration Server 2000).
3270
AppleShare
AppleTalk
AppleTalk Control Protocol (ATCP)
AppleTalk zone
Chooser
Common Internet File System (CIFS)
EtherTalk
gateway server
host
Host Integration Server 2000
Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)
LocalTalk
Microsoft Directory Synchronization Services (MSDSS)
NetWare Core Protocol (NCP)
Network File System (NFS)
Samba
seed
Server Message Block (SMB)
Services for Macintosh (SFM)
Systems Network Architecture (SNA)
Telnet
TokenTalk
User Authentication Module (UAM)
Review Questions
1. You are the network administrator for your company. Recently, 20 Macintosh computers were added to your network to assist the graphic artists. You are attempting to integrate them into your existing Windows 2000 network. You begin to populate your Macintosh zone with node numbers. What is this technique called?
A. Populating a zone
B. Seeding a zone
C. Perpetuating a zone
D. Creating a zone
2. You have recently added 20 Macintosh clients to your Windows 2000-based network. Management has heard that Macintosh computers use different security mechanisms than Windows and is concerned that the Macintosh clients will compromise your network security. What is the most secure authentication method that the Macintosh machines can use once you get everything set up?
A. Guest
B. MS-CHAP
C. AppleTalk Authentication
D. Microsoft User Authentication Module (UAM)
3. Your network is a mixture of Unix servers and Windows 2000 servers. Most of your clients run Windows 98, but about a dozen of your engineering machines run Windows 2000 Professional. You'd like to set up a volume on a Unix server where Windows users can place files for collaboration on projects. These files need to be managed by the Unix administrators. What software will you need for this?
A. NFS
B. File sharing for Unix
C. Samba
D. Interix
4. You are the network administrator for your company. You have several NetWare 4.11 servers that are running file and print services. All of your client machines have recently been upgraded from Windows 98 to Windows 2000 Professional. You also have four Windows 2000 Server machines, two of which act as domain controllers. What do you need to install in order to allow your clients to use the NetWare servers yet maintain individual security? Select the best answer.
A. Client Service for NetWare
B. Gateway Service for NetWare
C. File and Print Services for NetWare
D. Latest client downloaded from the Novell site
5. You are running a Windows 2000 network for a startup advertising company. One of the owners came from a network that ran Novell NetWare, and the owner swears by the product. To placate the owner, you are going to install a NetWare 5 server to act as a file server for your artists. One of your other network administrators is concerned because running a NetWare server requires additional protocols, which creates excess network traffic. What do you tell the network administrator?
A. TCP/IP is the default protocol with NetWare 5.
B. RPC is the default protocol with NetWare 5 and has little overhead.
C. IPX/SPX has virtually no overhead so it's not a big deal.
D. Extensible NetWare Protocol (ENP) is the default protocol with NetWare 5 and has little overhead.
6. You are the network administrator for your company. Some of your home users need to dial in to your network to check their e-mail, and occasionally they work from home. About half of these home users have Macintosh computers. In order to support Macintosh dial-up connections, which two protocols can your RAS server support?
A. ATCP
B. AppleTalk
C. TCP/IP
D. PPP
7. You are the administrator of your Windows 2000 domain. You also have one NetWare server that acts as a file server for the engineering department. Your network has a mix of clients, including Windows 95, Windows 98, and Windows 2000 Professional. The engineering department is the only department that accesses the NetWare server, and the server is primarily used for storage of collaborative project files. What should you implement on your network to continue to allow the engineers to access the required files on the NetWare server?
A. GSNW
B. CSNW
C. FPNW
D. NWLink
8. By installing Print Services for Unix, which three services and utilities are installed?
A. PRN
B. LPR
C. LPQ
D. LPD
9. You have just been hired to administer the network for a local marketing firm. They have just started to implement a Windows 2000 domain, and the previous network administrator quit. You have a legacy Token Ring network, and there are several Macintosh computers hooked to this network that you did not set up. What topology are they likely using?
A. LocalTalk
B. EtherTalk
C. TokenTalk
D. AppleTalk
10. You are the network administrator for your company. You have a mixture of Windows 2000 servers and Unix servers, as well as Windows 2000 Professional clients and Unix-based clients. You want the Unix users to be able to print to Windows 2000 printers. What do you have to install for them to do this?
A. Print Services for Unix
B. LPD
C. LPR
D. NFS
Answers to Review Questions
1. B. To populate a zone with node numbers is to seed a zone.
2. D. Microsoft’s User Authentication Method (UAM) is the most secure method of authenticating in the Windows 2000 system.
3. C. Samba, a freeware third-party application, is required for mounting an SMB volume on Unix servers that can be seen by Windows users.
4. A. Answers A and D will get the job done, but since this is a Microsoft test, you want to go with the best Microsoft answer. Since all clients are running Windows 2000 Professional, you can install CSNW on each of them, and then let the users log on to the NetWare server as well as the Windows 2000 domain. GSNW doesn’t work because you need to maintain individual security. As a side note, if you want to run NetWare administration tools (like NWAdmin) from your Windows 2000 Pro machine, you must get the Novell client from Novell’s web site; CSNW will not work with NWAdmin.
5. A. NetWare 5 is completely TCP/IP-oriented. This is useful because you should already be running the protocol if you have Active Directory.
6. A, D. The protocol that Macintosh users use to access RAS is the AppleTalk Control Protocol (ATCP), but ATCP works through a PPP link to get the user connected.
7. A. If all engineering computers were running Windows 2000 Professional or Windows NT Workstation, you could install CSNW on each machine and have it work. However, since you have a mix of clients, it’s best in this case to implement GSNW on one of your Windows 2000 servers.
8. B, C, D. Print Services for Unix installs LPR (Line printer), LPD (Line Print Daemon), and LPQ (Line Print Queue).
9. C. While LocalTalk is the default for Macintoshes (they’re prepared to do networking right out of the box using LocalTalk), in a Token Ring environment it’s highly probable that whoever set up the network set up TokenTalk for these users.
10. A. Installing Print Services for Unix will allow them to print to your Windows 2000 printer. Remember that you will also need to create an LPR port on the Windows 2000 print server.
CASE STUDY
The Multi-Platform Network
You should give yourself 10 minutes to review this case study, diagram as needed, and complete the questions for this testlet.
Background
You’re the network administrator for a small network of about 500 users. This network has been around a while, and it started out on Novell NetWare 3.11. Your predecessor was hired several years earlier as a NetWare administrator and left the job about a year ago, leaving the network in the middle of a NetWare-to-Windows NT conversion. You were hired for your NT knowledge, not necessarily for your NetWare expertise (which is fairly minimal), and you’ve been assigned to convert the network. Windows 2000 is now out, so your conversion will not only include finishing up the NetWare conversion, but also converting all Windows NT computers to Windows 2000.
Current System
The current system consists of three NetWare 4.x file and print servers. You have five Windows NT servers in one domain, one of which is running Exchange Server 5.5. The PDC runs WINS and DHCP, and a BDC shares those responsibilities. The rest of the servers are either running applications or performing file and print duties. Two of the file servers that you intend to use are not nearly up to date enough to handle Windows 2000 and the extended duties that they’d inherit from the NetWare servers going away, so you have to do something about that problem. The applications you run are certified for Windows NT 4 and are specific to your company’s line of business. You’ve checked with the vendors of these software applications, and you don’t think you have anything to worry about by migrating to Windows 2000. You also have about six Macintosh users who work in the desktop publishing unit of your company. You have no Unix equipment, but the company does keep most of its important databases on an AS/400; a couple dozen people use host emulation software running over SNA Server to access these databases.
Envisioned System
Overview
You need to maintain connectivity with the files and printers on the NetWare servers until such time as your conversion is complete. Users need to be able to access these servers up to the bitter end. Also, you’re sure you have way too many protocols running on this network and would like to get rid of one or two, if possible. The envisioned system has five Windows 2000 servers and all users running Windows 2000 Professional. You’ll continue to run Exchange Server 5.5 for the time being. You want to simply power down and re-deploy the old NetWare servers because they’re on such marginal equipment by today’s standards that they wouldn’t even make good desktops. You want to take this opportunity to upgrade the servers that need to be improved and to consolidate your file and print services so that they’re more centralized, not so spread out across many servers. You discuss the plan with your boss, the IT manager.
IT Manager “Looks like a pretty good plan. We need to be sure that we provide connectivity for the users who still need files from the NetWare boxes as long as they’re around. Make sure you coordinate with the AS/400 administrators so that host users don’t lose their connectivity. By the way, I like the increased security of Windows 2000. Is there a way that we can identify which Mac users are logged on?”
AS/400 Administrator “It took us a long time to get SNA Server tweaked and working correctly. I don’t care what you do with the network as long as you don’t break the work we’ve done in getting our users communicating with the host!”
Availability
Overview
The company is a basic 8-to-5 corporation with very few people working after regular hours. The NetWare servers have been reliable with remarkable uptime statistics. The NT boxes have not fared so well, but you believe that’s because of all the different applications that have been loaded on them over the years.
IT Manager “I’d like to see much more reliability out of the Windows 2000 servers. NetWare doesn’t work very well as an application server, but it’s sure reliable for file and print services!”
Maintainability
Overview
Standardization and trimming down to only one NOS is a big plus. Care needs to be taken to make sure that you don’t run into any gotchas as you get ready to take your old NetWare network down and replace it with Windows 2000 servers.
IT Manager “It’ll be great to not have to figure out when we have to update an NLM and when we need to start a service! Keeping up with multiple NOSs is a pain.”
Performance
One of your concerns is the Windows 2000 GUI, which brings a lot of added freight to haul in terms of server load. NetWare servers run fast and economically. You want to make sure that you visit each server, ascertain whether it’s on the Windows 2000 HCL, and then make a determination as to its ability to play well in the Windows 2000 sandbox, in terms of performance.
Questions
1. Using the following chart, order the steps that you’ll have to take to provide continuous support for your Macintosh computers as you go through your migration.
Step
Uninstall SFM from NT servers.
Prepare Mac clients with pointer to new zone.
Seed new SFM zone.
Install SFM on Windows 2000 server.
Install AppleTalk protocol on Windows 2000 server.
Copy files from old UAM volume to new one.
2. What two things are you required to set up on the NetWare server before you install GSNW?
A. IPX Network number.
B. Update CLIB.NLM.
C. Create an NTGATEWAY group.
D. Create a user that has rights to the directories you’re sharing.
3. What will you recommend for the SNA Server component of this upgrade?
A. Immediately purchase Host Integration Server 2000 as a replacement.
B. Keep the legacy installation, initiate a study on migrating to Host Integration Server 2000.
C. Keep the legacy installation as long as possible.
D. Migrate the AS/400 to TCP/IP and forget SNA.
4. What two pieces of information will you need when validating through CSNW with a NetWare NDS server?
A. Default gateway
B. Context
C. Network number
D. Tree
CASE STUDY ANSWERS
Answers
1. See the following table:
Step
Install SFM on Windows 2000 server.
Seed new SFM zone.
Prepare Mac clients with pointer to new zone.
Copy files from old UAM volume to new one.
Uninstall SFM from NT servers.
Note that you don’t have to install the AppleTalk protocol because it’s installed automatically when you install SFM on the new server. Your last step will be to uninstall SFM from the old server.
2. C, D. You have to create an NTGATEWAY group, then create a user who is a member of this group and who has rights to the directories you’re going to share out in GSNW.
3. B. A isn’t correct, though it sounds like it might be. Migrating to any new program requires testing and project management. In this, you’ll have to work carefully through issues right alongside the AS/400 manager. Production systems should not migrate to new code until you’re sure the new code works and has a bit of a track record that you can be comfortable with.
4. B, D. The context and tree of your login are required.
Chapter 10
Designing a DHCP Solution
MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Design a DHCP strategy.
Integrate DHCP into a routed environment.
Integrate DHCP with Windows 2000.
Design a DHCP service for remote locations.
Measure and optimize a DHCP infrastructure design.
What once was merely a proposed addition to the original concepts behind the design of TCP/IP, Dynamic Host Configuration Protocol (DHCP) is now a must-have in most networks. DHCP allows you to set up a range of IP addresses, called a scope, and supply an IP address and other configuration items that are necessary for clients to have—things like router info, DNS, and WINS pointers. Then, during the boot process, the TCP/IP software goes in search of a DHCP server and obtains an IP address and all of the add-on information that was applied. Why is DHCP so valuable? Because if you didn’t have DHCP, you’d have to go to each PC on your network and enter a static IP address, plus all of the associated default gateway, DNS, and WINS information. On top of that, when anything changed (such as a new WINS server), you’d have to go back around and update that information. DHCP is the singular TCP/IP service that makes network administrators’ lives drastically easier. This chapter describes how to come up with a good DHCP design, the additions that come with Windows 2000 DHCP, and how DHCP should be set up in a routed environment.
Introduction to DHCP
You’ve probably had training in DHCP already, either through your NT experience, Windows 2000 classes, or third-party books like this one. Therefore, a complete explanation from the ground up on DHCP is probably not necessary. However, since DHCP is a critical service that’s heavily tested, we will touch on some issues that are important to you as you consider the DHCP objectives outlined for the test.
DHCP Is a Message-Based System
Chances are you might not think about DHCP in this way, but it’s truly a client/server system. When you install the TCP/IP protocol on a Windows client computer, the client component is smart enough to know how to go looking for a DHCP server and obtain its IP address, unless you configure it statically. The client broadcasts, looking for a DHCP server that can fulfill its needs; this step is called DHCPDISCOVER. DHCP is a message-based system that involves the sending of messages back and forth between the client and the server, and DHCPDISCOVER is only one of several transactional messages that might take place. When a DHCP server answers the client’s request, it offers the client an IP address (and associated configuration information); this step is called DHCPOFFER. If the DHCP server’s scope is all used up and it can’t supply the client with an IP address, it will send a DHCPNAK (NAK is an abbreviation for “negative acknowledgement”) instead of an offer. Multiple DHCP servers may acknowledge the client and offer an address. The DHCP client accepts the first offer that it receives.
To remember the DHCP lease order, remember the acronym DORA. DORA stands for Discover, Offer, Request, Acknowledgement.
Once the client has accepted an offered IP address, the DHCP server sends a DHCPACK back to the client so that the client knows the server has acknowledged it. A couple of special DHCP messages are sent when certain circumstances occur:
DHCPREQUEST is used by client computers to request or renew a lease. It is used to request a lease from one DHCP server when two or more have offered a lease, to renew an already-owned lease at system startup, or to extend a currently held lease. DHCPREQUEST does this every time the client reboots after already being assigned a nonreserved address.
DHCPRELEASE is used by client computers to release a currently held IP address.
Changes to Windows 2000 DHCP
Some subtle changes have been made to DHCP in Windows 2000. If you’re coming from an NT 4 environment, it’s important for you to understand the updates that have been made.
Manual Allocation of IP Addresses
In the Windows NT 4 world, if you had a diskless workstation (sometimes called a NetPC), you had to install the BootP protocol on one or more of the NT boxes in order to answer BootP requests. Recall that BootP, a predecessor to DHCP, is a method whereby client computers request an IP address. BootP does not provide for renewal of the IP address at regular intervals the way DHCP does. Instead, the NT 4 administrator has to enter the IP data for his BootP machines on the server. This way, each requesting computer can obtain a unique IP address and associated configuration information.
DHCP Integrated into DNS
Since Windows 2000 is very DNS-oriented, DHCP was modified so that it now notifies DNS of its registered clients. This feature is enormously handy for non-Windows 2000 computers participating in DHCP. Prior to Windows 2000, if you had a Windows 95 computer that was participating in DHCP and you had DNS running, you’d have to manually enter the DNS information for that client. Today, if your DHCP server is so configured (the feature doesn’t automatically turn itself on—you have to enable and configure it), when a non-Windows 2000 client receives an IP lease from the DHCP server, a DNS record is created as well. This is a revolutionary feature that’s going to put to rest the common argument, “We can’t use DHCP because we’ve got DNS.” Now the two can interoperate just fine.
DHCP Integrated into RRAS
Suppose that you set up a Routing and Remote Access Services (RRAS) server with several modems and phone lines. You want to give your telecommuters automatic IP address information. DHCP and RRAS are now integrated in such a way that the RRAS server merely requests a block of IP addresses and is given 11 addresses, one for itself and 10 for clients! Then, if all 10 IP addresses are given out by the RRAS server, it merely requests another block of 10 addresses so it can handle additional RAS clients. In the NT 4 world, you would’ve had to configure a range of addresses for the RAS server to use. In the Windows 2000 world, you don’t have to go through this step.
You’ll need to take an important extra step, however. If you install the DHCP relay agent service on your RRAS servers, your telecommuting clients are given the full cadre of configuration information that you set up when you configured your DHCP server. But if you don’t install the DHCP relay agent, your telecommuting users will only get the IP address and subnet mask as provided by DHCP. I recommend that you use the DHCP relay agent configuration so that your clients are equipped with the full name resolution information they need to work.
DHCP Integrated into Active Directory
What if another administrator sets up a test DHCP server on the network, configures it with a scope of bogus addresses, and activates it? Clients on your network won’t know the difference between the fake DHCP server and the real one. They might get the wrong configuration, and there would be many connectivity problems. To combat this problem, Microsoft has set the Windows 2000 DHCP server service up so that it has to be authorized within Active Directory (AD) in order to work. The purpose of this is to keep rogue DHCP servers off the network. The caveat here is that if you’ve installed DHCP server and you think your job is done, it’s not! You have to then authorize in AD each DHCP server you set up.
DHCP Server has to be installed on at least one Windows 2000 server (either domain controller or member) in order for DHCP to work in AD.
The SMS 2 Network Monitor program has a monitor object that can watch for rogue DHCP servers coming on line on the network.
If you know the IP address of a rogue DHCP server on your network, you can find out its NetBIOS name by using the nbtstat command. From a command prompt, run nbtstat against that IP address, and the command will return the server’s name.
Support for Multicast
One of your charges is to set up a training web server, where users from various geographic locations within your company can download a training class that consists of heavy multimedia content. Some of these programs are set up to use IP multicasting as opposed to the much more bandwidth-intensive model of IP broadcasting. In other words, the program knows that it’s sending data only to a list of requesting stations, and therefore it’s not broadcasting to every station on the network. It’s multicasting, but the targets it is sending the data to are known. The new Windows 2000 DHCP server service provides support for the Multicast Address Dynamic Client Allocation Protocol (MADCAP). MADCAP allows multicast clients to join multicast groups and is an independent service of DHCP. Some special IP ranges are used by this service:
239.253.0.0–239.253.255.255
239.254.0.0–239.254.255.255
239.255.0.0–239.255.255.255
In the throes of a Windows 2000 design, determining the needs of the various departments in the corporation for this kind of technology will greatly assist you in the planning, placement, and configuration of your DHCP services.
RFC 2132 Support
RFC 2132 provides for so-called vendor-specific options. Microsoft has provided support for RFC 2132 in Windows 2000 DHCP. These are the features that RFC 2132 brings to Windows 2000 DHCP server service:
The ability to disable NetBIOS over TCP/IP (NetBT). While you can’t do this on your Windows 9x and 3.x clients, you can with your Windows 2000 clients. If your network is running all Windows 2000 machines, and you don’t have any applications that depend on NetBIOS (and not many do), disable this interface. Doing so will reduce the amount of network traffic. However, be aware that if you disable this interface, the Windows 2000 machines will have a difficult, if not impossible, time trying to communicate with NT or 9x boxes.
The ability to force clients to release their DHCP lease on shutdown. This is very “BootP-like” and is handy for regular automatic cleanup and maintenance of the DHCP database. It’s especially valuable for dispensing with leases held by telecommuters.
Supplying clients with a default router metric base. You supply a number (in hexadecimal) that represents the optimal router hop count to get to default gateways. This provides a method for calculating the fastest, most reliable, least expensive route to DHCP servers. Values are 1–9,999 (the default is 1).
To apply these attributes, simply click Start > Programs > Computer Management. When the Computer Management screen comes up, navigate to Services and Applications. Open DHCP; right-click Server Options and highlight Properties. The window shown in Figure 10.1 appears. Note that in this figure, you’re looking at the Router Metric Base setting, and all of the configuration options are listed in the Available Options drop-down menu as well.
FIGURE 10.1 Setting the router metric within the Server Options for DHCP servers
Cluster Server Support
When DHCP goes down or runs out of available addresses to give out as leases, it creates havoc all over the network. It’s important to come up with some kind of fault-tolerance mechanism to cover these potential problems. Windows 2000 DHCP will work with a cluster server in order to provide failover fault tolerance for the DHCP scopes. But the caveat is that it works with Windows 2000 Advanced or Datacenter Servers only, not with regular Windows 2000 Server. Providing fault tolerance on DHCP servers is described in more detail later in this chapter.
Enhanced Security
Windows 2000 provides enhanced security. Not just any administrator can go in and manage the DHCP scopes. They have to be made a member of the DHCP Administrators local group (created at DHCP installation time) in order to have this privilege. Note that a person must be a member of the Enterprise Admins group in order to authorize DHCP servers, but only a member of DHCP Admins to make changes to DHCP settings.
Superscopes
A superscope is a grouping of scopes that support multiple logical IP subnets on the same physical subnet. Suppose you know that a given network segment will have a large number of users added to it. Several disparate subnets are currently free that you could use for these new users. Simply create several scopes—one for each of the unused logical subnets—then create a superscope that includes all of these scopes and apply your scope and global attributes to the physical subnet being used.
Other Changes
The default lease expiration time in Windows NT 4 was three days; in Windows 2000, it’s eight days. If you’re an NT 4 administrator considering a Windows 2000 upgrade, this information is important to know. Also, it’s important to understand that BootP is supported with Windows 2000 DHCP server, but the pool of addresses that BootP clients use must be separately configured from the standard DHCP database. This is good news for administrators who have RFC 951–compliant BootP hosts on their network.
Methods of Allocating IP Addresses
Windows 2000 DHCP has many more options for allocating IP addresses than Windows NT did. They are as follows:
Manually allocating an IP address range. You use manual allocation for your BootP clients by designating a pool of addresses designed specifically for your BootP clients. Note that even though you manually configure the pool, once you’ve done so, BootP clients compliant with RFC 951 can obtain IP configuration information from the DHCP server and reclaim the address at each new boot. You have to enter the range of addresses and configuration information that’s going to be used by BootP stations; this information is subsequently stored on the DHCP server.
Automatically allocating a range. Automatic allocation happens when you enter a static pool that’s going to be used by servers. Just as with manual allocation, you enter a range of addresses and configuration information for use by the servers. (Note that the servers might already possess this information, and you’re merely moving the information from a statically entered address to a Windows 2000 DHCP address that never expires.)
Allocating dynamically. The standard DHCP method—the one that you’re accustomed to if you’ve used NT 4 DHCP—is called dynamic allocation. Client computers use the DHCP message system to retrieve dynamic IP addresses and configuration information.
APIPA and DHCP
You’re an administrator for a medium-sized network. You’ve already installed Windows 2000 Professional on the majority of your client computers, and now you’re ready to get the new Windows 2000 DHCP server services going. When you bring up your new DHCP server, you start getting calls from your help-desk support people saying that clients on one particular subnet aren’t acting correctly. They can’t connect to resources. But when your help-desk staff has the client run IPconfig, it appears that they have a valid IP address. What is going on? If for some reason you improperly configured DHCP, Windows 2000 tries to compensate automatically. What happened was, since the clients were not able to connect to the DHCP server, Automatic Private IP Addressing (APIPA) kicked in and gave the clients an IP address. It didn’t seem to matter that the address it gave the clients was part of the reserved APIPA address range; the client got an IP address!
If you don’t properly plan or implement your DHCP design, it’s very possible that APIPA could sneak up and misconfigure your network clients. You might not even know this had happened for a while, until clients start calling up with connectivity issues. It’s no longer important just to run an IPconfig and make sure that there is an address. Check to make sure the address isn’t part of the 169.254.y.z range.
You can turn off this automatic client-configuration feature by adding a new value to the DHCP client’s registry. Bring up the registry editor with the REGEDT32 command. Navigate to HKEY_Local_Machine\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\network_adapter. Add the Reg_DWORD value IPAutoConfigurationEnabled and set it to 0. In a machine with multiple NICs, this value can be added to ...\Tcpip\Parameters to disable it on all NICs.
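The 169.254.y.z check described above, as an added example that is not from the book: it parses a constructed ipconfig /all listing (the adapter names and addresses are made up; the field layout is the Windows one) and flags DHCP-enabled adapters whose address fell into the APIPA range, which means that client never reached a DHCP server.

```python
"""Flag adapters that fell back to APIPA (169.254.0.0/16) in `ipconfig /all` output."""
import ipaddress
import re

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample of Windows 2000 `ipconfig /all` output (not captured from a real host).
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Description . . . . . . . . : Constructed NIC 1
        DHCP Enabled. . . . . . . . : Yes
        IP Address. . . . . . . . . : 169.254.17.42
        Subnet Mask . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . :

Ethernet adapter Local Area Connection 2:

        Description . . . . . . . . : Constructed NIC 2
        DHCP Enabled. . . . . . . . : Yes
        IP Address. . . . . . . . . : 10.2.14.7
        Subnet Mask . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . : 10.2.0.1
"""

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")       # "Ethernet adapter <name>:"
FIELD_RE = re.compile(r"^\s+([A-Za-z ]+?)[ .]*: ?(.*)$")  # "<label> . . . : <value>"


def parse_ipconfig(text):
    """Return {adapter name: {field label: value}} from ipconfig /all text."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            adapters[current][m.group(1).strip()] = m.group(2).strip()
    return adapters


def is_apipa(address):
    """True when the address lies in the reserved APIPA range 169.254.0.0/16."""
    try:
        return ipaddress.ip_address(address) in APIPA_NET
    except ValueError:  # blank or malformed field: not an APIPA address
        return False


def apipa_adapters(text):
    """Names of DHCP-enabled adapters holding a 169.254.y.z address: DHCP failed for them."""
    flagged = []
    for name, fields in parse_ipconfig(text).items():
        if fields.get("DHCP Enabled") == "Yes" and is_apipa(fields.get("IP Address", "")):
            flagged.append(name)
    return flagged
```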
Interoperability with Routers
In networks with WAN links going across routers, you might run into some difficulties when designing your DHCP implementation.
Microsoft Exam Objective
Design a DHCP strategy.
Integrate DHCP into a routed environment.
Both DHCP and BootP have the ability to operate across routers, but the majority of the world’s routers have this capability turned off. Remember that DHCP and BootP are broadcast-based, message-oriented protocols. Suppose that you have a bunch of computers on a subnet in a remote office, all of whose leases expire at the same time. That kind of broadcast traffic could quickly saturate a router and create a lot of trouble on the network. Though the problem might be short-lived, internetworking experts are not going to be inclined to support the forwarding of DHCP or BootP requests because of this potential for problems. Internetworking experts have enough problems as it is!
Routers aren’t the only devices that could create problems for you in terms of not passing DHCP or BootP requests. International Standards Organization (ISO) Layer 2 switches have the capability to rule out these requests as well. If you’re not the infrastructure/internetworking person for the network, you need to set up a meeting with that person or persons and find out if these situations could exist.
So what do you do with a router that doesn’t pass DHCP and BootP requests? You have two choices: You can either set up multiple DHCP servers, or you can install the DHCP relay agent on Windows 2000 computers in each subnet. Either way will work, and there are pros and cons to both.
Designing and Placing Servers
Knowing that you have this routing issue—that is, that you’re generally not allowed to route DHCP or BootP requests—how can you handle this situation? You have two choices at your disposal, and the decision that you make will revolve around issues of money, connectivity, and configuration. In fact, this is describing a much larger design issue, that of adequate DHCP server placement. Look at Figure 10.2. In this figure, you see a location that consists of four geographically separated campuses connected by a 128K frame relay circuit. Note that you’ve used the reserved Class A network with a 16-bit subnet mask to effectively segment the subnets within each campus.
FIGURE 10.2 A simple network layout configured with DHCP
Site A (HQ): 10.1.0.0, 255.255.0.0, 1,500 users
Site B: 10.2.0.0, 255.255.0.0, 1,200 users
Site C: 10.3.0.0, 255.255.0.0, 1,750 users
Site D: 10.4.0.0, 255.255.0.0, 1,300 users
128K frame relay circuits
410
Chapter 10
Designing a DHCP Solution
Now that you have your locations set up, you want to begin doing some DHCP service within the network. This is a large network, with 5,750 users and an equal distribution of users across the campuses. So if the routers were configured to pass DHCP requests, then even though a well-equipped single DHCP server could handle the load, it may not be realistic to have all of the DHCP requests coming across relatively slow wires to a single point. Never mind the lack of fault tolerance; that will be covered a little later. For now, just look at the issue of thousands of users crossing routers to obtain or renew their IP lease. That sets up a problematic amount of router traffic, something that you may not want and the reason that this capability is normally turned off on the routers.
Microsoft Exam Objective
Design a DHCP strategy.
Design a DHCP service for remote locations.
There are two ways to counter this difficulty: You can set up more than one DHCP server and do some scope-splitting for fault tolerance, or you can set up a DHCP relay agent. Let’s examine both methods to see the pros and cons.
Multiple DHCP Servers and Scope-Splitting In large networks, it might not be a bad idea to provide a localized DHCP server at each location. You could handle this in a couple of different ways. For example, working from Figure 10.2, couldn’t you place a DHCP server at each location and simply make the scope the appropriate subnet for each campus, as shown in Figure 10.3? In Campus A, for example, your scope would be 10.1.0.0–10.1.255.255 with a subnet mask of 255.255.0.0. In Campus B, your scope would be 10.2.0.0-10.2.255.255 with the same subnet mask, and so on. This effectively rules out the possibility of one subnet running out of leases to give out (though with the Class A design you won’t run into that problem anyway). It also provides faster lease renewal times for clients on the subnet because they don’t have to go across a slow wire to get the new lease. Multiple subnets and DHCP servers are good ideas in a big environment, especially one with slow WAN links.
FIGURE 10.3 Multiple DHCP servers in a network
Site A (HQ): 10.1.0.0, 255.255.0.0, 1,500 users, DHCP server
Site B: 10.2.0.0, 255.255.0.0, 1,200 users, DHCP server
Site C: 10.3.0.0, 255.255.0.0, 1,750 users, DHCP server
Site D: 10.4.0.0, 255.255.0.0, 1,300 users, DHCP server
128K frame relay circuits
The downside is that using multiple DHCP servers presents an administrative hassle, not so much because of the management of the scopes (DHCP is surprisingly hands off in terms of its day-to-day administration—it’s very much a set-it-and-forget-it service) but because if the computer crashes, you have to send someone out to work on it (or rely on somebody there). With a localized DHCP server, you only have one problem to worry about. Alternatively, if money was an issue or you didn’t want to populate the world with DHCP servers, you could also place only two servers in your location—one at Campus A, for example, and one at Campus D. Then you’d split up the scopes so that one DHCP server handled half of the subnets (10.1.0.0–10.2.255.255) and another one handled the other half (10.3.0.0– 10.4.255.255). That could work very efficiently. If you think about it, that strategy might not work after all. Why not? Well, it’s not stipulated in Figure 10.3, but it’s very possible that the internetworking folks don’t allow DHCP and BootP requests to go across the routers. Campuses B and C would be shut out from DHCP in a case like that, wouldn’t they? They’d diligently send out DHCPDISCOVER messages, but they’d never get an answer back. So instead, if they were Windows 2000 clients, they’d resort to APIPA, and if they weren’t, they’d be totally out of luck as far as IP addresses are concerned.
DHCP Relay Agents If you need to avoid placing so many DHCP servers, due to cost or manageability, you can install the DHCP relay agent instead. In the prior sample network with four campuses, you would install the DHCP relay agent (part of Routing and Remote Access) on a Windows 2000 Server computer in Campus B and another in Campus C, and point each at its DHCP server (Campus B at the Campus A server, Campus C at the Campus D server). The relay agent itself has no scope; instead, the DHCP server it points to must hold a scope for the remote subnet (the Campus A server needs a 10.2.0.0/16 scope in addition to its own 10.1.0.0/16 scope) so that Campus B clients still receive addresses that are valid on their own wire. Figure 10.4 illustrates this setup.
FIGURE 10.4 Two DHCP servers and two DHCP relay agent computers in a network
Site A (HQ): 10.1.0.0, mask 255.255.0.0, 1,500 users, DHCP server
Site B: 10.2.0.0, mask 255.255.0.0, 1,200 users, DHCP relay agent
Site C: 10.3.0.0, mask 255.255.0.0, 1,750 users, DHCP relay agent
Site D: 10.4.0.0, mask 255.255.0.0, 1,300 users, DHCP server
The sites are linked by 128K frame relay circuits.
The DHCP relay agent isn't a full-blown DHCP server, but it does have to be configured with the address of the DHCP server (or servers) it forwards to. Its job is to take a client's broadcast DHCPDISCOVER or DHCPREQUEST, stamp its own address on the client's subnet into the packet's gateway address (giaddr) field, and forward the packet as a unicast across the router to the DHCP server. The server uses giaddr to pick the scope that matches the client's subnet and unicasts its reply back to the relay agent, which then delivers it to the client. Relay agents can point at one DHCP server or several; with several, every request is forwarded to each of them. The Windows 2000 relay agent also offers two throttles per interface: a hop-count threshold that discards requests that have already crossed too many relays, and a boot threshold, a delay in seconds before forwarding, so that a DHCP server on the local subnet (if there is one) gets the chance to answer first and the WAN is used only as a fallback.
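As an added example (this is not code from the book), the following Python models the exchange just described: a client's DHCPDISCOVER built on the RFC 2131 header layout, a relay agent stamping giaddr and bumping the hop count before forwarding, and the Campus A server choosing a scope from giaddr. The addresses, MAC addresses and the tiny three-address pools are made up to match the four-campus figure; the Campus C case shows what happens when a relay points at a server that has no scope for the client's subnet.

```python
import ipaddress
import struct

# BOOTP/DHCP fixed header (RFC 2131, section 2): op, htype, hlen, hops, xid,
# secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16 bytes). 44 bytes.
HEADER = "!BBBBIHH4s4s4s4s16s"
MAGIC = b"\x63\x82\x53\x63"   # cookie that opens the DHCP options field
ZERO4 = b"\x00" * 4
DISCOVER = 1                  # option 53 message type


def build_discover(mac: bytes, xid: int) -> bytes:
    """Client side: a broadcast DHCPDISCOVER carries giaddr 0.0.0.0, hops 0."""
    fixed = struct.pack(HEADER, 1, 1, 6, 0, xid, 0, 0x8000,
                        ZERO4, ZERO4, ZERO4, ZERO4, mac.ljust(16, b"\x00"))
    options = MAGIC + bytes([53, 1, DISCOVER]) + b"\xff"   # type + end
    return fixed + b"\x00" * 192 + options   # sname(64) + file(128) unused


def relay(packet: bytes, agent_ip: str) -> bytes:
    """Relay agent (or RFC 1542 router) behaviour before the unicast to the
    server: bump the hop count and, if giaddr is still empty, write the
    agent's own address on the client's subnet into it. Nothing else in the
    packet changes, and the agent needs no scope of its own."""
    fields = list(struct.unpack(HEADER, packet[:44]))
    fields[3] += 1                       # hops
    if fields[10] == ZERO4:              # giaddr not yet set by an earlier relay
        fields[10] = ipaddress.IPv4Address(agent_ip).packed
    return struct.pack(HEADER, *fields) + packet[44:]


def giaddr_of(packet: bytes) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(struct.unpack(HEADER, packet[:44])[10])


def hops_of(packet: bytes) -> int:
    return struct.unpack(HEADER, packet[:44])[3]


class DhcpServer:
    """One scope (a small hypothetical pool) per subnet the server serves."""

    def __init__(self, local_subnet: str, pools: dict):
        self.local = ipaddress.ip_network(local_subnet)
        self.pools = {ipaddress.ip_network(net): [ipaddress.IPv4Address(a) for a in addrs]
                      for net, addrs in pools.items()}

    def select_scope(self, packet: bytes):
        """RFC 2131 4.3.1: a relayed request is matched on giaddr; a direct
        broadcast is matched on the subnet of the receiving interface."""
        giaddr = giaddr_of(packet)
        for net in self.pools:
            if (net == self.local) if int(giaddr) == 0 else (giaddr in net):
                return net
        return None

    def offer(self, packet: bytes):
        """The yiaddr the server would put in its DHCPOFFER, or None when it
        has no scope for that subnet or the scope is empty (a server with
        nothing to offer stays silent; it does not send a DHCPNAK)."""
        net = self.select_scope(packet)
        if net is None or not self.pools[net]:
            return None
        return str(self.pools[net].pop(0))


def campus_demo() -> dict:
    """Campus A's server holds scopes for A (local) and B (reached through a
    relay agent at 10.2.0.1) but none for C, whose relay points here by mistake."""
    server_a = DhcpServer("10.1.0.0/16", {
        "10.1.0.0/16": [f"10.1.1.{i}" for i in range(10, 13)],
        "10.2.0.0/16": [f"10.2.1.{i}" for i in range(10, 13)],
    })
    local = build_discover(bytes.fromhex("001122334455"), 0x1001)
    from_b = relay(build_discover(bytes.fromhex("001122334466"), 0x1002), "10.2.0.1")
    from_c = relay(build_discover(bytes.fromhex("001122334477"), 0x1003), "10.3.0.1")
    return {
        "local": server_a.offer(local),         # from the 10.1.0.0/16 scope
        "campus_b": server_a.offer(from_b),     # from the 10.2.0.0/16 scope
        "campus_c": server_a.offer(from_c),     # None: no scope for 10.3.0.0/16
        "hops_b": hops_of(from_b),
        "giaddr_b": str(giaddr_of(from_b)),
    }


if __name__ == "__main__":
    print(campus_demo())
```

Run it and the Campus B client gets a 10.2.x.x address even though the server lives on 10.1.0.0/16, while the Campus C client gets nothing at all: the server has no scope matching giaddr 10.3.0.1, so it never answers and that client ends up on APIPA. Note also that a second relay in the path does not overwrite giaddr; only the hop count grows.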
Handling Multiple Class C Addresses You work for a company that fortuitously purchased several Class C network numbers from the InterNIC several years ago. Your company has now grown beyond the proportions of one, or even two, Class C addresses. You're still in the same building you were always in, and you have no further geographic segmentation, but you've added a ton of users. Now you're considering a Windows 2000 upgrade. What one Windows 2000 DHCP feature will really augment DHCP for you? Superscopes, of course. A superscope is an administrative grouping of several scopes, intended for exactly this case: more than one logical IP network on a single physical segment (a multinet), where the routers carry a secondary address for each network. When you get ready to implement your Windows 2000 rollout, you create a scope for each Class C network you own, add the reservations you need for devices with fixed addresses, and group the scopes into one superscope. How do superscopes work? As clients draw leases, the server fills up the first network number, then moves on to the second, and so on; address selection is linear through the member scopes. This is a fabulous way to combine lots of Class C network numbers into one valid pool of IP addresses. It does leave one security issue for later: these are registered, globally routable addresses, so any host using one is reachable from the Internet unless your perimeter filters inbound traffic to it.
DHCP Server Security
Microsoft has done lots of work with regard to DHCP security in Windows 2000. Doubtless you'll be asked numerous questions on the test relative to these new features. Of course, it's not only important to know these features for the test; they are good facts for your real-world implementation as well.
Microsoft Exam Objective
Design a DHCP strategy.
Integrate DHCP with Windows 2000.
Specialized DHCP Groups Installing the DHCP Server service on Windows 2000 creates two special local groups. The first, DHCP Administrators, exists specifically to allow only certain individuals to administer the DHCP scopes, so you can name the administrators who are responsible for managing scopes without handing them the local Administrators group; you wouldn't want an inexperienced administrator rummaging through the configuration blindly. The second group, DHCP Users, is for accounts that need only read access to the DHCP configuration, such as your junior administrators or help-desk staff. They can read all about how the scopes are set up, but they can't change them. But there's more. Remember the set of DHCP messages spelled out earlier in this chapter? The Windows 2000 DHCP server makes new use of one of them: DHCPINFORM. In RFC 2131 it is the message a client that already has an address sends to ask for configuration options; Windows 2000 DHCP servers also use it to look for other DHCP servers, and for an Active Directory domain, on the network. You'll have special need for this message, and you'll understand why in just a few more sentences.
Active Directory and DHCP Integration Working with AD presents some new challenges with DHCP. We've already said that Windows 2000 DHCP servers must be authorized in AD to be considered valid DHCP servers. This prevents a rogue Windows 2000 DHCP server from coming online and handing out invalid addresses to users. The list of authorized servers is stored in the forest's Configuration container (under CN=NetServices,CN=Services,CN=Configuration; this book refers to it as the DHCPServer object), so it is replicated to every domain controller in the forest, and any server you authorize shows up there. Authorizing a server requires Enterprise Admins membership by default, which is a good thing: it keeps the decision about who may run DHCP out of the hands of ordinary administrators.
If you're planning to use the authorization security technique, you need to plan on upgrading your DHCP servers to Windows 2000. Once upgraded, you can authorize the DHCP servers in AD. Other versions of DHCP, like Windows NT 4, don't care one way or the other about authorization in AD, and they keep servicing clients whether or not you would approve of them.
There's a little more to this story, though, and you'll make mistakes if you don't understand what's required. These two very special rules need to be followed when setting up Windows 2000 DHCP:
Rule 1: The very first DHCP server you set up must be on a Windows 2000 DC or member server. At least one of the DHCP servers must be able to communicate with AD so it can read the list of authorized DHCP servers. A Windows 2000 DHCP server on a stand-alone (workgroup) server cannot read that list; instead it broadcasts DHCPINFORM when it starts, and if the replies show a directory-enabled domain or an authorized server on the segment, it refuses to service clients. Don't read this rule as permission to keep NT 4 DHCP servers on the network: they cannot participate in AD, they ignore the DHCPINFORM-based detection, and authorization can neither approve nor stop them.
Rule 2: The DHCP relay agent must pass the DHCPINFORM message through to the DHCP server on the other side of the router, since that message is how Windows 2000 DHCP servers and clients locate the directory. Microsoft's position is therefore that all relay agent computers must be Windows 2000-based.
Both of these rules apply whether you're in mixed or native mode. It should be apparent that Microsoft designed authorization on the assumption that a Windows 2000 network runs only Windows 2000 DHCP servers. Third-party implementations of DHCP (on routers or switches), Unix DHCP, NetWare DHCP, and other forms of DHCP cannot communicate through the Active Directory Service Interfaces (ADSI), so they cannot query the list of authorized servers and cannot be authorized. Be clear about what that means for security: authorization only disables unauthorized Windows 2000 DHCP servers. A rogue Unix, NetWare, or router DHCP server keeps answering DHCPDISCOVER broadcasts regardless, and the first offer a client hears is the one it takes, so keeping such servers off your segments remains a job for network controls and monitoring rather than for Active Directory. This will undoubtedly present some unusual design challenges for people as they work out conversion scenarios.
High-Availability Scenarios Unlike WINS, which can have a replication partner, a DHCP server has no built-in backup server. If a DHCP server crashes, clients that reach their renewal time cannot renew: they keep using their current address until the lease expires and then lose it. There are two workarounds for this unpleasant situation: one that works only partially (each server carries only part of the address space) and one that works well but requires a lot of extra hardware and configuration.
Splitting Scopes Splitting scopes requires that you have at least two DHCP servers running in your environment. For example, suppose that you have a large single location of 2,500 users. You could set up two DHCP servers in this single environment. You then have the choice of setting up two different scopes, one for each server, or setting up a single scope and splitting it. To split a scope, you define the same scope on both servers and use exclusion ranges so that each server hands out a different part of it. Let's say you decide to use 172.20.y.z with a subnet mask of 255.255.0.0. You go to the first DHCP server, create the 172.20.0.0 scope, and exclude everything except 172.20.1.0–172.20.7.255, so that the first server distributes only the first half of the range. Then you go to the second DHCP server, create the same scope, and exclude everything except 172.20.8.0–172.20.15.255. Both servers now recognize the subnet and answer for it, but no address can ever be offered by both. If the first DHCP server goes down, the second DHCP server picks up the slack. Clients that were renewing with the first server keep their addresses until their leases expire (they retry by broadcast at 87.5% of the lease), and on their next DHCPDISCOVER they receive an address from the second server's pool. That's OK, because they can continue to work.
One thing to remember is that clients broadcast to receive IP addresses from DHCP. That means that the first server to answer the broadcast is the one that winds up giving the user their IP address. So in the scenario described in the preceding paragraph, your users are just as likely to have an IP address from the second server as they are from the first server. It’s all a matter of the health of the servers and the amount of work that they’re doing at the time they get the IP address request from a client. If they can’t answer as fast as the other server can, the client will get the second server’s response to the request.
Whenever setting up multiple scopes, never create scopes that have overlapping address ranges.
What happens if the first server's scope is completely used up and there are zero available IP addresses? It simply does not answer the DHCPDISCOVER; a server with nothing to offer stays silent rather than sending a DHCPNAK (a DHCPNAK is what a server sends in reply to a DHCPREQUEST for an address that is not valid on the client's subnet, for example after the client has moved). The second server replies with an offer, and the client takes that address. The tactic of splitting scopes also works across WAN links, as long as the routers forward DHCP/BootP broadcasts (RFC 1542) or there is a DHCP relay agent on the remote subnet to forward requests to the distant server. In situations like these, Microsoft recommends against a full 50/50 split. Use an 80/20 split instead: the server on the local subnet distributes 80% of that subnet's addresses and the server across the WAN holds the remaining 20% as a reserve. The goal is to whittle down the number of requests that cross a slow WAN link while still having addresses available if the local server dies.
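The address arithmetic behind both designs, as an added example that is not code from the book: the superscope of several Class C networks from the sidebar above, drained in order and refusing (silently, with no offer) once empty, and a single scope split between two servers with complementary exclusion ranges, including the 80/20 variant. The network numbers are taken from the RFC 5737 documentation ranges and 192.168.1.0/24, and the excluded block for routers and servers is a made-up assumption.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

StrRange = Tuple[str, str]   # inclusive first/last address as dotted strings


def split_scope(net: str, share_a: float) -> Dict[str, dict]:
    """Split-scope design: both servers define the SAME scope so that each
    recognizes the subnet, and each excludes the part the other hands out.
    share_a is the fraction server A distributes (0.8 for the 80/20 rule)."""
    network = ipaddress.ip_network(net)
    first = network.network_address + 1         # skip the network address
    last = network.broadcast_address - 1        # skip the broadcast address
    total = int(last) - int(first) + 1
    cut = first + round(total * share_a) - 1    # last address server A gives out
    return {
        "scope": str(network),
        "server_a": {"distributes": (str(first), str(cut)),
                     "excludes": (str(cut + 1), str(last))},
        "server_b": {"distributes": (str(cut + 1), str(last)),
                     "excludes": (str(first), str(cut))},
    }


def overlapping(ranges: Iterable[StrRange]) -> bool:
    """True if any two ranges share an address (the rule: never overlap)."""
    ordered = sorted((ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
                     for lo, hi in ranges)
    return any(a[1] >= b[0] for a, b in zip(ordered, ordered[1:]))


class Superscope:
    """Several scopes grouped under one name. Addresses are handed out from
    the first member until it is empty, then from the next (the linear
    behaviour described in the sidebar); excluded addresses never enter the
    pool, which is how fixed addresses for routers and servers stay safe."""

    def __init__(self, members: List[str], exclusions: Iterable[StrRange] = ()):
        excl = [(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
                for lo, hi in exclusions]
        self.free: List[ipaddress.IPv4Address] = []
        for member in members:
            for host in ipaddress.ip_network(member).hosts():
                if not any(lo <= host <= hi for lo, hi in excl):
                    self.free.append(host)
        self.leases: Dict[str, ipaddress.IPv4Address] = {}

    def lease(self, mac: str) -> Optional[str]:
        """Next free address for this client, or None when the pool is empty
        (in which case a real server sends no DHCPOFFER at all)."""
        if mac in self.leases:
            return str(self.leases[mac])
        if not self.free:
            return None
        self.leases[mac] = self.free.pop(0)
        return str(self.leases[mac])


def demo() -> dict:
    # Two former InterNIC Class C blocks joined in one superscope; the numbers
    # come from the RFC 5737 documentation ranges and are not real allocations.
    ss = Superscope(["192.0.2.0/24", "198.51.100.0/24"],
                    exclusions=[("192.0.2.1", "192.0.2.9")])  # router and servers
    first = ss.lease("00-00-00-00-00-01")
    for i in range(2, 246):                   # 244 more clients drain 192.0.2.0/24
        ss.lease(f"00-00-00-00-00-{i:02x}")
    rollover = ss.lease("00-00-00-00-01-00")  # first client served from member two
    for i in range(len(ss.free)):             # everyone else: pool now empty
        ss.lease(f"00-00-00-00-02-{i:02x}")
    exhausted = ss.lease("00-00-00-00-03-00")

    split = split_scope("192.168.1.0/24", 0.8)
    halves = [split["server_a"]["distributes"], split["server_b"]["distributes"]]
    return {"first": first, "rollover": rollover, "exhausted": exhausted,
            "split": split, "overlap_ok": not overlapping(halves)}


if __name__ == "__main__":
    print(demo())
```

The exclusion ranges are the important output: on each server you create the full scope and then add the other server's portion as an exclusion, so the two servers agree on the subnet but can never offer the same address. Running overlapping() over the ranges you intend to configure is a cheap check to make before activating the scopes.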
Cluster Server The concept behind the Windows 2000 Cluster service (available in Windows 2000 Advanced Server and Datacenter Server) is fairly straightforward: you provide two servers that are both dedicated to a single server role, so that if the first server goes away for any reason, the second server detects the fault and performs a failover. Users aren't supposed to see even a flicker when the failover occurs; they keep working. You can set up a cluster in many ways, but all the methods are fairly hardware-intensive. For example, in most cluster implementations the nodes exchange a "heartbeat" over a dedicated private network connection between them (typically a separate NIC in each node), so that the surviving node can detect that the active node has stopped and trigger a failover. This is the stuff of Fibre Channel adapters and dedicated cluster gear. The Windows 2000 Cluster service itself requires the nodes to share a storage bus (SCSI or Fibre Channel) holding the quorum disk, which makes the shared array the single point of failure (SPOF) unless the array is itself redundant; some third-party clustering products instead give each node its own disk array and mirror between them. Your DHCP server will work on a cluster; in Windows 2000 the DHCP Server service is cluster-aware and runs as a cluster resource. But you're probably not going to set up a cluster simply for DHCP. More likely, you'll set up a cluster for other critical applications on the network (they have to be cluster-aware or they won't fail over correctly) and then decide to add DHCP as well. DHCP isn't a heavily intensive process, so designing it into your cluster isn't a problem, as long as you are careful to over-engineer the box with enough CPU, disk, and RAM to handle everything expected of it. Then, of course, with a cluster you duplicate the scenario with a second box configured exactly the same way. This is a very expensive proposition, and one that's going to take extra design time and decision-making on your part. The point is, you probably won't want to design a cluster just for DHCP.
Optimizing and Tuning DHCP
There are three different methods for optimizing and tuning your DHCP configuration. The first has to do with tuning a single DHCP server. The other two have to do with steps that you can take across your entire DHCP implementation.
Microsoft Exam Objective
Design a DHCP strategy.
Measure and optimize a DHCP infrastructure design.
Single-Server Optimization A single DHCP server can handle thousands of DHCP lease requests. You can measure its response time with a "poor man's measure": go to a client computer with a stopwatch. On Windows 9x or 3.x computers, bring up WINIPCFG by clicking Start > Run and typing WINIPCFG /ALL; on Windows NT and 2000 computers, open a command prompt instead. In the WINIPCFG screen, click Release All; the IP address goes away. Now get ready to start your stopwatch and see how fast the IP address gets renewed. Ready? Click Renew All. The elapsed time is the time it takes your client computer to obtain a new lease from the DHCP server. Generally, this goes very fast, and you won't have problems with lease renewal. On NT or 2000 computers, do the same thing by entering IPCONFIG /RELEASE and then IPCONFIG /RENEW. Note that this works only for NT and 2000 computers that are DHCP clients, not for ones with statically assigned IP addresses. Slow response from a DHCP server might be the server's problem or it might be the network's problem. Since DHCP is message-based and the messages are tiny, unless the network is absolutely saturated it is unlikely to be the slow part of this process. DHCP servers involved with other activities, such as Exchange, SQL Server, or file or print serving, can drastically slow down the response time when giving out a lease to a client. Here are some ideas you can use to spruce up your DHCP server's capabilities:
Offload any other activities from your DHCP server other than providing DHCP.
In multiple-subnet environments, multi-home your DHCP server by installing two or more network interface cards (NICs) and pointing each to a different subnet.
Since Windows 2000 DHCP is multithreaded, it can use multiple CPUs. Add a second CPU to your DHCP server.
Change out those old 7,200rpm SCSI hard drives for 10,000rpm drives running on a hardware RAID adapter.
If you have a gigabit backbone, add a gigabit-rated NIC to the DHCP server and put it on the backbone.
Steps like these will greatly increase the efficiency and throughput of your DHCP computer.
You can use Systems Management Server's Network Monitor 2 to monitor DHCP traffic across your network. The DHCP server itself also exposes a DHCP Server performance object in System Monitor (counters such as Active Queue Length and Milliseconds per packet (Avg.)), which gives you a far better picture of server-side delay than a stopwatch does.
Lease Length Perhaps the biggest facet of DHCP that administrators neglect to think about when designing DHCP deployments is the lease duration. Some time should be spent on deciding what the scope should be and its associated reservation(s). But what about that eight-day lease? DHCP clients don't wait for their leases to expire before renegotiating. A client tries to renew with its original server at 50% of the lease (T1); if that fails, it broadcasts a renewal request to any server at 87.5% (T2); only if the lease actually expires does it drop the address and start over with DHCPDISCOVER. So by default, at day four, clients try to renew their leases. Short leases made sense when addresses were scarce or clients moved between subnets frequently. Today, with private address space (RFC 1918) you can carve out huge pools for your scopes and worry much less about running out, so one of the best tuning steps you can take with DHCP is to set long lease durations for your clients: less renewal traffic, and fewer clients left stranded if a server is briefly unavailable. The trade-off is that long leases make changes to scope options (a new default gateway or DNS server, say) slow to reach clients, and an address stays tied to a machine long after it has left. The one time you will want very short lease durations is when you have more clients than available IP addresses. Since many of today's networks use private addressing, this shouldn't be an issue, but it might be anyway. Suppose that you have 300 clients but only 254 addresses (a standard Class C network). Not all of your clients are online at once, since you run multiple shifts. When clients power off, they do not release their leases. Therefore, they may be off, but according to the DHCP server they are still holding their addresses until the leases expire. Shorter lease durations would indeed increase network traffic, but they would also keep you from running out of available IP addresses in this case.
Windows 2000 machines can be configured to release their leases automatically at shutdown, but pre-Windows 2000 clients do not possess this ability.
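To make the multiple-shift case concrete, here is an added example (not from the book): a small hour-by-hour model of 300 clients sharing 254 addresses across two shifts. The clients behave like the pre-Windows 2000 clients just described, renewing at 50% of the lease while powered on and never releasing at shutdown, while the server frees an address only when its lease expires. The shift hours, client counts and lease lengths are made-up parameters; change them to match your own site.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Client:
    online: range             # hours of the day this client is powered on
    addr: Optional[int] = None
    acquired: int = -1        # hour the current lease was granted or renewed
    expires: int = -1         # hour at which the server reclaims the address


def simulate(lease_hours: int, pool_size: int = 254, days: int = 7,
             shift_a: range = range(0, 8), shift_b: range = range(9, 17),
             per_shift: int = 150) -> Dict[str, int]:
    """Count lease requests that could not be satisfied and the peak number
    of addresses held at once, for one lease duration (assumed parameters)."""
    clients = ([Client(shift_a) for _ in range(per_shift)] +
               [Client(shift_b) for _ in range(per_shift)])
    free = list(range(pool_size))       # addresses are just pool slots here
    failed = 0
    peak = 0
    for hour in range(days * 24):
        # 1. server side: reclaim every lease that has run out
        for c in clients:
            if c.addr is not None and c.expires <= hour:
                free.append(c.addr)
                c.addr = None
        # 2. client side: everyone powered on this hour
        for c in clients:
            if (hour % 24) not in c.online:
                continue                # switched off: lease keeps ticking
            if c.addr is None:                            # DHCPDISCOVER
                if not free:
                    failed += 1                           # nobody offers
                    continue
                c.addr = free.pop(0)
                c.acquired, c.expires = hour, hour + lease_hours
            elif hour - c.acquired >= lease_hours / 2:    # T1: renew
                c.acquired, c.expires = hour, hour + lease_hours
        peak = max(peak, pool_size - len(free))
    return {"lease_hours": lease_hours, "peak_held": peak,
            "failed_requests": failed}


def compare(lease_options=(2, 4, 8, 24, 192)) -> list:
    """Run the same week with several lease lengths (192h is the 8-day default)."""
    return [simulate(h) for h in lease_options]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

With the eight-day default the first shift's leases never expire during the week, so 46 second-shift clients fail every hour they are online; with a four-hour lease the overlap shrinks to the single changeover hour; with a two-hour lease the first shift's addresses have all been reclaimed before the second shift boots and nothing fails. Shorter leases buy that at the cost of a renewal every hour from every powered-on client.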
Setting Up Multiple DHCP Servers By setting up more than one DHCP server, you do two things:
You offload each of your servers from having to work so much.
You keep DHCP traffic from crossing slow WAN links.
DHCP isn't necessarily a heavily computing-intensive operation, so if you decide to put a dedicated DHCP server out in each of your remote locations, you don't need to go overboard with the hardware (unless, of course, you have 10,000 clients at a single location!). But it's still recommended that DHCP live on a computer all by itself, dedicated to the process. You could also have WINS occupy the same server (while in transition from a Windows 9x/NT network to a native Windows 2000 network), but that's about it. In a setting with more than one DHCP server, it's important to provide an ample supply of IP addresses in each scope so that no one is in danger of a lease expiring without being able to get a new one.
Summary
This chapter discussed some interesting topics relative to Windows 2000 DHCP. If you've used Windows NT 4 DHCP, you might be surprised (in a good way) at the additions that have been made to this extremely useful protocol. DHCP provides IP address information to clients as they come onto the network. It is a message-based system wherein the client broadcasts a request for an IP address at startup, and any DHCP server capable of responding replies with a DHCPOFFER. The client accepts the first offer it hears by broadcasting a DHCPREQUEST for that address; the other servers see the request and withdraw their offers. DHCP's predecessor was BootP, a protocol that doesn't have as many features as DHCP. DHCP clients have a lease on their IP address (the default being eight days for Windows 2000 vs. three days for Windows NT 4). Unless configured to do so, DHCP clients do not give up their lease (called releasing the lease) at shutdown. BootP has no lease or release mechanism at all; a BootP client keeps its address indefinitely unless the server reclaims it. BootP is useful for diskless workstations (so-called NetPCs) that need to boot from the network; DHCP can be used for almost any device capable of sending DHCP messages. For example, today's printers and CD towers are also capable of grabbing a DHCP lease, something to watch for! Both DHCP and BootP are supported in Windows 2000 DHCP Server. In Windows NT 4 Server, you had to install and configure the BootP service. Windows NT 4 SP2 DHCP servers provided some support for BootP clients, but they required more configuration than Windows 2000 DHCP servers. Windows 2000 DHCP provides some exciting new features. It supports a new multicast protocol, MADCAP, with a special IP range for multicast devices. You also now have the ability to provide a range of static IP addresses that DHCP can manage for devices that require a static address, such as servers. One problem to watch for: if a Windows 2000 client cannot obtain a DHCP lease, it uses APIPA and configures itself with a 169.254.x.y address, which falls outside the range you have set up in DHCP and cannot reach anything beyond its own segment. Some new client configuration options have been added as well. A default router metric base can be configured for clients so that a cost, in terms of router hops, can be allocated for finding default gateways across routers. This feature is used for calculating the fastest, most reliable, and least expensive router. You can configure clients so that their DHCP lease is released at shutdown. You have the ability to disable NetBIOS over TCP/IP (NetBT) for DHCP clients. You would only disable it in a complete Windows 2000-based environment, because Windows 2000 computers are the only Windows-based computers that can function without NetBIOS. DHCP and BootP are typically not allowed to cross routers because of their broadcast nature; whether they are forwarded is a configuration choice made by whoever configures the router. For that reason, in your Windows 2000 DHCP design, you'll have to make some arrangement for users on the other side of a router to obtain an IP lease from a DHCP server. There are two different methods for doing this. The first, most expensive, method is to provide a DHCP server on every subnet. The second method involves setting up a DHCP relay agent on a Windows 2000 computer on the subnet that does not have a DHCP server. (You cannot set up a DHCP server and a relay agent on the same computer because they both listen on UDP port 67.) The DHCP relay agent takes a DHCP request from a client computer and passes it as a unicast across the router to the DHCP server on the other side, marking the packet with its own address so the server can pick the right scope. The DHCP server responds with an IP address, sending it back to the DHCP relay agent, which in turn passes the address to the client. This process introduces some latency, and you should be aware that slow WAN links can create poor DHCP lease-renewal performance.
In situations like this, you're better off providing a DHCP server at each location. DHCP relay agents can point to more than one DHCP server in their configuration. You can increase a DHCP server's availability by setting up an additional DHCP server and splitting the scope. Single DHCP servers can be optimized by multi-homing them and providing faster disks, more CPUs, and more memory. You can provide fault tolerance for DHCP servers either by splitting the scope or by putting them on a cluster. Windows 2000 DHCP servers must be authorized in Active Directory (the DHCPServer object) before they will hand out leases. The practical consequence is that every DHCP server in a Windows 2000 environment should be Windows 2000-based, because only Windows 2000 servers participate in authorization: at least one Windows 2000 DHCP server must be a domain member so it can read the list of authorized servers, and stand-alone Windows 2000 DHCP servers use DHCPINFORM to discover that directory before they will service clients. Authorization cannot stop NT 4 or third-party DHCP servers; those have to be kept off the network by other means.
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com
422
Chapter 10
Designing a DHCP Solution
Exam Essentials
Know how to integrate DHCP into a Windows 2000 environment. Windows 2000 DHCP has many features new to the service. Microsoft recommends using Windows 2000 DHCP on Windows 2000 networks. One of the primary reasons is that Windows 2000 DHCP can be part of Active Directory. You must authorize your Windows 2000 DHCP servers in AD before they can give out addresses.
Understand how routing affects DHCP. DHCP requests are broadcast messages. Since broadcasts do not pass through most routers by default, you'll need to implement a solution like DHCP relay agents or employ an RFC 1542-compliant router.
Know how to design DHCP for remote locations. Remote locations on a network and routers are common companions. Once again, the problem of DHCP getting through the router exists. You have a few choices:
You can use DHCP relay agents on remote subnets.
You can place DHCP servers at each location.
You can implement RFC 1542-compliant routers that forward BootP/DHCP broadcasts and so let DHCP packets through the router.
Know how to optimize DHCP for your network. Perhaps the simplest way to optimize DHCP is to ensure that DHCP is the only major service running on that server. Although DHCP is not incredibly resource-intensive, other services may be, and they can slow down DHCP response time. In addition, monitor your DHCP server to see if it’s too busy. If it is, you may want to add a second processor to the machine or implement a multiple-server solution.
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com
Key Terms
There are many terms that are unique to DHCP server language. Before you take the exam, be certain you are familiar with the following terms:
automatic allocation
default router metric base
DHCP relay agent
DHCPACK
DHCPDISCOVER
DHCPINFORM
DHCPNAK
DHCPOFFER
DHCPRELEASE
DHCPREQUEST
DHCPServer object
dynamic allocation
Dynamic Host Configuration Protocol (DHCP)
IPconfig
manual allocation
multicast
Multicast Address Dynamic Client Allocation Protocol (MADCAP)
NetBT
NetPC
router hop
superscope
unicast
WINIPCFG
Review Questions
1. You are the network administrator for a Windows 2000 domain running in native mode. You have three domain controllers, one of which you recently installed DHCP on. You activate your scope on the weekend, figuring that when workers come in on Monday, they can boot up their systems and receive IP addresses automatically. Monday morning, you receive calls from users stating that they cannot access any network services. You have them run IPconfig, and they report that they do have an address. What could be the problem?
A. You must enumerate the DHCP server in Active Directory.
B. You must declare the DHCP server in Active Directory.
C. You must authorize the DHCP server in Active Directory.
D. You must populate the DHCP server scope with valid IP addresses first.
2. You've been given a requirement to set up some training servers that will have computer-based training (CBT) software on them that streams multimedia content over the intranet to students who request it. What DHCP protocol will the DHCP servers need to be configured with to use a correct delivery method?
A. MADCAP
B. MS-CHAP
C. Unicast
D. ADCAST
3. You are the DHCP administrator for your network. Recently, you were assigned to upgrade all of your DHCP servers from Windows NT 4 to Windows 2000. Among the features you decide to implement are superscopes. Your manager asks you what a superscope is. What do you tell them?
A. A superscope is a collection of many subnets combined into one scope.
B. A superscope is a collection of many scopes combined into one scope.
C. A superscope is a collection of many DHCP servers' scopes combined into one scope.
D. A superscope is a collection of Windows NT 4 and Windows 2000 servers' scopes combined into one scope.
4. You are the network administrator for your company. You have a network that is made up of two campuses separated by a geographic distance. There are two Cisco 1000 routers connecting the WAN circuit. Clients currently use statically entered addresses, but to decrease network administration you decide to implement DHCP. However, when you set up your Windows 2000 DHCP server, clients in the other campus can't seem to negotiate a new IP lease. Clients at your campus report no problems. What could be the problem?
A. You need to add the new DHCP server to the LMHOSTS file on each client machine.
B. Clients must be Windows 2000 Professional workstations to participate in Windows 2000 DHCP.
C. The routers are not configured to pass DHCP or BootP requests.
D. The DHCP server must be authorized in Active Directory.
5. Which benefits can Windows 2000 Professional workstations partake of with Windows 2000 DHCP? (Choose two.)
A. Obtain an IP address from a Unix Samba server.
B. Disable NetBIOS over TCP/IP (NetBT).
C. Obtain automatic logon information.
D. Release DHCP lease on shutdown.
6. You are the network administrator for your company. You have a Windows 2000 domain with two domain controllers. The domain is running in mixed mode. Your network also has WINS, DNS, RRAS, and DHCP servers. After booting up all of your servers, you notice that 11 addresses are taken that you had not anticipated. What is responsible for this?
A. The domain controllers
B. RRAS
C. WINS
D. DNS
7. You are a network administrator for a large insurance firm. Your network has three locations connected by routers. Two of the locations have Windows 2000 DHCP servers in them, but the third location does not. In order to facilitate DHCP in the third location, you install the DHCP relay agent on one of your DHCP servers, but users at the third location still cannot obtain an IP lease from the server. What could be the problem or problems? (Choose all that apply.)
A. You cannot have the DHCP relay agent and DHCP server on the same server.
B. Routers are not configured to pass DHCP or BootP requests.
C. DHCP server or DHCP relay agent isn't installed on the correct side of the router.
D. Routers won't forward UDP broadcasts.
8. You are the network administrator for your company. Recently, you upgraded your DHCP from Windows NT 4 to Windows 2000. Management is concerned that if the DHCP server crashes, communication problems may result on the network. What fault-tolerance methods can you apply to a Windows 2000 DHCP server? (Choose all that apply.)
A. Multi-home it.
B. Put it on a cluster server.
C. Split the scope with a second DHCP server.
D. Back up its databases.
9. You have just installed two DHCP servers on your Windows 2000 network. Both servers are stand-alone servers running Windows 2000 Server. You are trying to authorize both of your Windows 2000 DHCP servers but you can't seem to figure out how to make this happen. What's the most likely cause of the problem?
A. Neither DHCP server is participating in Active Directory.
B. Neither DHCP server is a domain controller.
C. Neither DHCP server is in the correct AD TCP/IP boundary.
D. Neither DHCP server is running TCP/IP.
10. You are the IT manager for your company. You have instructed Sarah, one of your domain administrators, to modify a Windows 2000 DHCP scope, but for some reason she isn't allowed to. What could be the problem?
A. She's not a member of the DHCP Users local group.
B. She's not a member of the Schema Admins global group.
C. Her group policy object does not allow her to manipulate DHCP scopes.
D. She's not a member of the DHCP Administrators local group.
Answers to Review Questions
1. C. In order to prevent rogue DHCP servers from giving out IP addresses to clients, you must authorize all DHCP servers in Active Directory. Until the server is authorized it does not respond, so the address your users see is an APIPA (169.254.x.y) address rather than one from your scope, which is why nothing on the network is reachable.
2. A. The Multicast Address Dynamic Client Allocation Protocol (MADCAP) is used by DHCP servers configured to provide multicast support. Remember that MADCAP uses a special set of subnets, 239.253.0.0–239.255.255.255, for this work.
3. B. A feature of Windows 2000 DHCP server is the concept of the superscope. Using this technique, you combine many scopes into one.
4. C. Routers generally are configured not to pass DHCP or BootP broadcast requests, but some routers can be configured to do so if they are RFC 1542-compliant. D may be tempting, but if clients on the local subnet are getting leases, then the DHCP server is authorized.
5. B, D. New to Windows-based DHCP are the options to disable NetBIOS over TCP/IP (NetBT) and to release a held DHCP lease on computer shutdown. B benefits you because you get rid of the overhead of NetBIOS and go to native TCP/IP, but only Windows 2000 Professional workstations can participate in this process. D is useful for keeping the DHCP database clear of leases held by machines that are switched off.
6. B. The RRAS server is given 11 addresses: 10 for clients and 1 for itself. As clients use up the addresses, the DHCP server will supply 10 more at a time.
7. A, B, C. First, you cannot have both the DHCP server service and the DHCP relay agent service installed on the same server; both listen on UDP port 67, so they conflict. Second, the routers are probably configured not to pass DHCP and BootP requests across them. Finally, in order to facilitate DHCP at the third location, you need to install either a DHCP server or the DHCP relay agent on that side of the router, not the other! Note that the DHCP relay agent forwards by unicast and doesn't require broadcast forwarding to be configured on the routers.
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com
8. B, C. Backups are not considered to be fault-tolerance measures; they’re disaster-recovery steps. Multi-homing a DHCP server will allow you to address more subnets, but doesn’t have anything to do with fault tolerance. B and C are correct.
9. A. In order for the DHCP servers to be authorized, at least one of them must be a domain controller or server that’s participating in the Active Directory process for the network.
10. D. Even though she’s a member of the Domain Admins group (which you know because the question told you so), she still cannot control DHCP scopes until she’s made a member of the DHCP Administrators group.
CASE STUDY
Building a New DHCP Infrastructure from an Old One
You should give yourself 10 minutes to review this case study, diagram as needed, and complete the questions for this testlet.
Background
You work for VeryLargeNetworks.com, a business-to-business (B2B) web integration company that specializes in helping businesses work with one another through web site connections. The company is about a year old, large, and growing larger, thanks to the phenomenal growth of the B2B business. The company has facilities in Chicago, New York, Miami, and Denver, with a new location being planned in Los Angeles very soon. (The Los Angeles office will not be very big at startup—only about a dozen users—but the anticipation is that it’ll grow to roughly the size of the others over time: 200–300 users.) The headquarters office is in Denver, and the other locations are connected to it by T1 frame relay. You have several Windows NT 4 servers at each location, some of which are involved with core business application, print, and file serving, others of which are performing web activities. Currently, there is only one DHCP server; the rest of the locations are using a DHCP relay agent server. You’re using the reserved 10.x.y.z network number. You have about 200 users in Chicago, 250 in New York, 200 in Miami, and 300 in Denver.
Problem Statement
Your boss, the chief technology officer (CTO), has told you that he wants to convert the network to Windows 2000 as soon as possible. There are some huge benefits to be gained from Windows 2000 Server in a web environment, and this is seen as a solid business decision, based on the kind of work the company is involved with. You’re told that you’ll also need to figure out an IP address allocation system for the Los Angeles office and to come up with a reliable, fault-tolerant allocation system for the users on the network. Users cannot, under any circumstances, experience outages due to not being able to obtain an IP lease. Servers, printers, routers, and associated LAN gear will continue to use static IP addresses.
Envisioned System
You design a system that uses a DHCP server at each location, including the Los Angeles location. The CTO isn’t happy and wants you to come up with other recommendations, saying, “While it’s important that we spend the money, we need to spend to acquire good resources to handle our B2B infrastructure. I just can’t justify spending the $8,000 it’s going to take to provide a DHCP server in L.A.”
Security Overview
Because of the competitive nature of the B2B business, security is of great importance in this environment.
CTO: “I want you to make sure that no other servers can participate in the DHCP process.”
Security Admins: “We’ll need to be able to modify DHCP administrative rights as necessary. This should be an ongoing administrative task that we handle.”
Internetwork Team: “We’re sorry, but we do not allow DHCP or BootP requests across the routers.”
Availability
Availability is important because of the nature of the business. Since it’s not known when a user might come in, whether at night or on a weekend, plus the fact that the locations cross time zones, the DHCP servers (more accurately, the DHCP scopes) need to be reliably available at all times. The CTO tells you, “The system needs to have 24×7×365 availability.”
Performance Overview
Since your design calls for mostly local DHCP hosting, you expect that the relatively small WAN circuit sizes won’t impact the business.
CTO: “Keep in mind that we only have T1 frame relay circuits between our locations. I have the internetwork team working on beefing up those circuits, but that upgrade won’t happen for a few months. In the meantime, anything we do cannot put a strain on circuits that are already heavily loaded.”
Questions
1. Which two design alternatives would work the best in this situation at the Los Angeles location?
A. Set up a DHCP relay agent for now; provide a DHCP server later.
B. Set up a DHCP server immediately.
C. Set up a DHCP relay agent immediately; do not plan for a DHCP server later.
D. No need for either a DHCP relay agent or a DHCP server at this location.
2. In order to accomplish a good fault-tolerance model, consider using the splitting scopes method so that any one DHCP server going down doesn’t affect any users. While this might mean that users have to come across the WAN link to renew their lease, at least they won’t experience a denial because of unavailability. In the following diagram, connect each location to another location that will devote a scope to backup IP addresses for it.
[Diagram: Los Angeles, Denver, Chicago, New York, and Miami, to be joined with “Backed up by” connections.]
3. Can you disable NetBT?
A. Yes
B. No
C. Not enough information to make this determination
4. Would a cluster server environment provide additional fault tolerance in this scenario?
A. No
B. Yes
C. Maybe
5. In order to provide greater security for the setup, you want to use AD for your DHCP installation. Which location or locations should contain a member server? Choose all that apply.
A. Chicago
B. Denver
C. Los Angeles
D. Miami
E. New York
6. How do you set it up so that the Security Team can administer the scopes?
A. The Security Team doesn’t need to administer the scopes.
B. Add the Security Team group to the DHCP Administrators group.
C. Add the Security Team group to the DHCP Users group.
D. Add each Security Team member’s account to the DHCP Administrator’s group one at a time.
CASE STUDY ANSWERS
Answers
1. A, B. Potentially, the most cost-effective method would be to set up a DHCP relay agent for now, then provide a full-blown DHCP server later if needed. Since the other WAN circuits are T1 frame relay circuits, you have no reason to believe that the Los Angeles circuit will be anything less, and a dozen or so initial users won’t kill a wire like that by requesting DHCP addresses from a host in another campus. On the other hand, since you know that the location will eventually have 200–300 users and the time frame for that is relatively quick, there might be ample justification for providing a DHCP server right away. The only problem with this justification is that you might be tempted to put other applications or services on it as well, just because it is so lightly loaded. While this server could easily host WINS or something like that, putting SQL Server on a box that is lightly loaded today but will be far more loaded later isn’t wise. On top of that, if you put a DHCP server out on your network and the only thing it does is DHCP serving, you don’t need a powerhouse computer, so you save some money. There are many considerations relative to this question.
2. [Diagram: Los Angeles, Chicago, Denver, New York, and Miami joined by “Backed up by” connections; the pairing is explained in the text that follows.]
Thus, you design your scope so that 80% of the IP addresses are used by the local net, and the other 20% are fallback for the remote users. Chicago and New York have two scopes, and each devotes 20% of its addresses to the other. In Denver, since you have not one but two fault-tolerance servers, you have to split up your Denver scopes more finely (which means you’ll have to have a much larger scope than the other locations). The good side of this arrangement is that only one of the locations, either Miami or Los Angeles, needs to provide the 20% backup. You could opt for both Miami and Los Angeles to provide 20%, giving Denver double coverage, or—since Los Angeles is newer and less populated (for now)—you could simply set it up as the fault-tolerance location for Denver. Now, why two scopes? Well, let’s suppose for a minute that Denver’s scope is 10.1.0.0 and Los Angeles’ is 10.2.0.0. You don’t want Denver to get 10.2.0.0 addresses, so you create a scope for Denver and a scope for Los Angeles on the Denver server. Then you do the same thing on the Los Angeles server. When you set up the DHCP relay agent, you point it to the Denver server.
3. C. Since the disabling of NetBT is only the stuff of Windows 2000 computers and you’re not told what the client computers are in the text, you can only say that you don’t have enough information to make that determination.
4. B. The answer is a definitive yes. Of course, you could set up cluster servers at each location for the purpose of providing a DHCP failover. But the cost would be enormous, the added advantage would be small, and the decision just does not make practical sense.
What’s the deal with the 80/20 rule anyway? Well, you can anticipate that in a network with mature DHCP usage (i.e., people have been using DHCP for a long time), you won’t have everyone coming to the trough for an IP address renewal all at once; users go away on vacation and shut their machines down, or a machine is out of commission for a day or two. In any case, sooner or later the renewals get spread out. So it’s safe to imagine that only 20% of your users might renew their lease at any one time.
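As an added worked example (my code, not the book’s), here is the 80/20 split scope method from answer 2 and the sidebar above carried through for the five case-study sites. The case study gives only the reserved 10.x.y.z range, so the /16 prefix per site and the pairing of who backs up whom are assumptions; the pairing follows the answer’s reasoning that Chicago and New York cover each other and that Los Angeles covers Denver.

```python
import ipaddress

# Constructed sample: one /16 of the reserved 10.x.y.z space per case-study
# site. The site names are from the case study; the prefixes are assumptions.
LOCATIONS = {
    "Denver": "10.1.0.0/16",
    "Los Angeles": "10.2.0.0/16",
    "Chicago": "10.3.0.0/16",
    "New York": "10.4.0.0/16",
    "Miami": "10.5.0.0/16",
}

# Assumed pairing: Chicago and New York back each other up, Los Angeles backs
# up Denver, and Denver hosts the fallback scopes for Los Angeles and Miami.
BACKED_UP_BY = {
    "Denver": "Los Angeles",
    "Los Angeles": "Denver",
    "Chicago": "New York",
    "New York": "Chicago",
    "Miami": "Denver",
}


def split_scope(cidr, local_percent=80):
    """Split a subnet's usable addresses into a local slice and a fallback slice.

    Returns ((local_first, local_last), (backup_first, backup_last)). The
    network and broadcast addresses are never leased, so they are skipped.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    first = net.network_address + 1
    last = net.broadcast_address - 1
    usable = int(last) - int(first) + 1
    local_count = usable * local_percent // 100
    if not 0 < local_count < usable:
        raise ValueError("percentage leaves one side of the split empty")
    local = (first, first + local_count - 1)
    backup = (first + local_count, last)
    return local, backup


def plan_8020(locations, backed_up_by, local_percent=80):
    """Build the scope list each DHCP server must carry.

    Every subnet is defined on two servers with the same scope; the exclusion
    range is what keeps the two from leasing the same address. The local
    server excludes the fallback slice, the backup server excludes the local
    slice.
    """
    plan = {name: [] for name in locations}
    for site, cidr in locations.items():
        local, backup = split_scope(cidr, local_percent)
        plan[site].append(
            {"scope": cidr, "serves": site, "hands_out": local, "excludes": backup})
        plan[backed_up_by[site]].append(
            {"scope": cidr, "serves": site, "hands_out": backup, "excludes": local})
    return plan


def no_overlap(plan):
    """True when, for every scope, the ranges the servers lease are disjoint."""
    seen = {}
    for scopes in plan.values():
        for s in scopes:
            lo, hi = (int(a) for a in s["hands_out"])
            for other_lo, other_hi in seen.get(s["scope"], []):
                if lo <= other_hi and other_lo <= hi:
                    return False
            seen.setdefault(s["scope"], []).append((lo, hi))
    return True


def describe(plan):
    """Render the plan the way it would be entered into each DHCP console."""
    lines = []
    for server, scopes in plan.items():
        lines.append(f"{server} DHCP server:")
        for s in scopes:
            lines.append(f"  scope {s['scope']} (for {s['serves']}): "
                         f"leases {s['hands_out'][0]}-{s['hands_out'][1]}, "
                         f"excludes {s['excludes'][0]}-{s['excludes'][1]}")
    return "\n".join(lines)


if __name__ == "__main__":
    plan = plan_8020(LOCATIONS, BACKED_UP_BY)
    print(describe(plan))
    print("disjoint:", no_overlap(plan))
```

The point the code makes concrete is that both servers define the same scope and only the exclusion ranges differ; no_overlap is the check to run before deploying, because two servers leasing the same address is exactly the failure the split exists to avoid.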
5. A, C, D, E. You’re not told what the domain layout is, but it doesn’t really matter all that much because of the nature of AD. What you do know is that there must be at least one DC or member server participating in AD. Since Denver is the HQ, you should assume that the Denver server is the likely candidate for this duty. The other servers do not necessarily have to participate in AD in order to be authorized. But all Windows 2000 DHCP servers must be authorized. If they’re not, their service is shut down.
6. A. Since the Security Team doesn’t need to administer the scopes, they don’t need to be added to either one of the special DHCP groups. All they need to do is add DHCP administrators to those groups, which does not require DHCP administrative rights. On the other hand, when you’re set to give DHCP administrative privileges to other administrators, you’ll ask the Security Team to add that person’s account to the DHCP Administrators group. You can add groups to the DHCP Administrators group—there is no need to add one account at a time.
Chapter 11
Planning a DNS Implementation
MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Design name resolution services.
Create an integrated DNS design.
Create a secure DNS design.
Create a highly available DNS design.
Measure and optimize a DNS infrastructure design.
Design a DNS deployment strategy.
Domain Name Service (DNS) has been around for quite some time. It plays a critical role in name resolution on the Internet, as well as on networks based around Unix. For all of its popularity, however, Microsoft has been a bit slow to totally embrace the DNS standard. While Windows NT supported DNS, Microsoft steadfastly held to its own name resolution service, WINS. In the Windows NT world, WINS had some advantages over DNS, most notably that it was a dynamic service and DNS was not.
With the introduction of Windows 2000, Microsoft succumbed to a major change in philosophy. No longer was WINS going to be the primary name resolution method. Active Directory (AD) was to require the services of DNS. Along the same line, since DNS was going to be the primary name resolution service, enhancements needed to be made. And they were. In a Windows 2000 network, the computer name is based on a fully qualified domain name (FQDN), and DNS is referenced heavily.
If you’re fairly new to DNS, now’s the time to really get a good solid overview of what it’s about. This book assumes that you’ve gone through some DNS training and that you know the basics of DNS. Also, the Windows 2000 Resource Kit has an excellent chapter on the inner workings of DNS. If you’re not new to DNS, you may still have some things to learn. Windows 2000 DNS has added new features over its NT counterpart that you need to know about.
More exam subobjectives are listed under “Design name resolution services” than just what you see here. The remaining objectives are covered in Chapter 12, “Designing a WINS Implementation.”
Understanding DNS
DNS is an Internet and intranet standard because it works seamlessly with TCP/IP. The purpose of DNS, like WINS, is to resolve names to IP addresses and vice versa. WINS resolves NetBIOS names to IP addresses; DNS resolves FQDNs or host names to IP addresses.
DNS uses the concept of a zone for its IP address mapping. A zone, also called a namespace (not to be confused with an Active Directory namespace), is a collection of records that have been entered into a DNS database. A zone can contain a partial domain, a complete domain, or a combination of domains. Each host in a zone has an IP address plus a host name that describes the host’s identity. The basic difference between DNS and WINS (besides the fact that WINS resolves NetBIOS names and DNS resolves TCP/IP host names) is that FQDNs include a hierarchical name that pinpoints the host right down to the organizational unit (OU) and host name. Computer_name.company_name.com is the format of an FQDN. You’re probably familiar with this if you’ve entered host and domain names in the DNS dialog of a Windows 9x or NT computer.
In DNS there are two major types of zones you will typically deal with: a forward lookup zone and a reverse lookup zone. Suppose you’re performing a ping test. In a forward lookup, you pass the name of the host you’re looking for and get back the host’s IP address. For example, suppose you want to ping a host named mycomputer in the domain mycompany.com. You’d type the command ping mycomputer.mycompany.com. That’s a forward lookup. Reverse lookups are built from PTR (pointer) records and a special table (named in-addr.arpa) in the DNS database; they allow you to use the NSLOOKUP command to find an FQDN if you know the IP address.
In the old days of DNS, you had to manually enter both the forward lookup table and the reverse lookup table in order for the system to work correctly. Today, Windows 2000 populates most of this information into the database automatically.
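The forward and reverse lookups just described, as an added example in Python (my code, not from the book). It shows how the in-addr.arpa name for a PTR query is formed from an IP address, which reverse zone holds it, and why deriving the reverse table from the forward table keeps the two from drifting apart. The mycompany.com host names follow the text; the addresses are constructed sample data.

```python
import ipaddress


def split_fqdn(fqdn):
    """Split an FQDN such as mycomputer.mycompany.com into (host, domain)."""
    labels = fqdn.rstrip(".").split(".")
    if len(labels) < 2 or any(label == "" for label in labels):
        raise ValueError(f"not a fully qualified domain name: {fqdn!r}")
    return labels[0].lower(), ".".join(labels[1:]).lower()


def reverse_pointer_name(ip):
    """Name a PTR query uses: the octets reversed, under in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def reverse_zone_for(cidr):
    """Name of the reverse lookup zone holding the PTRs for a /8, /16 or /24."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("only octet-aligned reverse zones are handled here")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa"


def build_zones(domain, a_records):
    """Derive the reverse table from the forward table so the two cannot drift.

    a_records maps host name -> IPv4 address (constructed sample input).
    Returns (forward, reverse): FQDN -> IP and PTR name -> FQDN.
    """
    forward, reverse = {}, {}
    for host, ip in a_records.items():
        fqdn = f"{host}.{domain}".lower()
        forward[fqdn] = str(ipaddress.IPv4Address(ip))
        reverse[reverse_pointer_name(ip)] = fqdn
    return forward, reverse


def lookup(forward, reverse, query):
    """Forward lookup when given a name, reverse lookup when given an address."""
    try:
        return reverse.get(reverse_pointer_name(query))
    except ipaddress.AddressValueError:
        return forward.get(query.rstrip(".").lower())


def mismatched_pairs(forward, reverse):
    """Names whose PTR does not point back at them (a common misconfiguration)."""
    return [fqdn for fqdn, ip in forward.items()
            if reverse.get(reverse_pointer_name(ip)) != fqdn]


# Constructed sample data for mycompany.com (the addresses are assumptions).
SAMPLE_A_RECORDS = {"mycomputer": "10.1.2.3", "printserver": "10.1.2.40"}

if __name__ == "__main__":
    fwd, rev = build_zones("mycompany.com", SAMPLE_A_RECORDS)
    print(lookup(fwd, rev, "mycomputer.mycompany.com"))  # forward lookup
    print(lookup(fwd, rev, "10.1.2.3"))                  # reverse lookup
    print(reverse_zone_for("10.1.0.0/16"))
```

mismatched_pairs is the hygiene check worth running against a hand-maintained reverse zone: a PTR that names a different host than the A record it should mirror is the usual symptom of the manual double entry the text describes.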
Since Windows 2000 DNS is compliant with TCP/IP RFCs, it is computer platform–independent and thus very suitable for Internet and intranet work. Windows 2000 contains updates that reflect the attention that Microsoft paid to the recent RFCs on DNS. Windows 2000 DNS has many new features that add versatility. For example, a Windows 2000 computer can automatically report its DNS information (IP address and FQDN) to DNS servers instead of the administrator having to enter the data, as they would with older versions of DNS. Also, as in Windows NT 4 DNS servers, the reverse lookup table is automatically created when the forward lookup zone is created. Windows 2000 DNS also supports incremental zone transfers. Instead of having to fully copy the DNS zone databases to secondary DNS servers as earlier DNS versions had to, incremental zone transfers simply replicate new zone information. Support for the SRV resource record, somewhat analogous to the MX record, allows a single DNS record to list multiple servers that offer similar TCP/IP services. SRV records are important in a Windows 2000 environment because they are pointers to the servers that provide crucial networking services such as Active Directory (for the LDAP service), Kerberos, the global catalog, and others. Other new record types include the AAAA record, similar to an A record but used for IPv6 IP addresses. The WINS and WINS-R records are provided for WINS lookups, and the ATMA record is included for the ability to reference ATM addresses. Windows 2000 DNS is a highly robust service that is compliant with Berkeley Internet Name Domain (BIND) versions up to and including 8.2.2.
Key Sub-Zones
Key sub-zones are required for the support of AD. These sub-zones are automatically created and populated when you run DCPROMO to promote a Windows 2000 Server to a domain controller and you choose to install DNS. The SRV records for the following sub-zones need to be included:
_msdcs.ADDomainName.suffix
_sites.ADDomainName.suffix
_tcp.ADDomainName.suffix
_udp.ADDomainName.suffix
Windows 2000 Dynamic DNS (DDNS) can be integrated into Active Directory and can allow DHCP, domain controllers, DNS servers, and client computers to update it automatically.
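An added example (my code, not the book’s) covering both the SRV record discussion above and the key sub-zone list: it parses SRV records in zone-file form, checks which of the four AD sub-zones a record lives under, and orders the listed servers the way an RFC 2782 client does (lowest priority first, weighted random within a priority). The example.com records, their targets and ports are constructed sample data.

```python
import random
from collections import defaultdict

# The four AD sub-zones the text lists; used to sanity-check where a record lives.
AD_SUBZONES = ("_msdcs", "_sites", "_tcp", "_udp")

# Constructed sample records in zone-file order:
# owner TTL IN SRV priority weight port target
SAMPLE_SRV = """\
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc2.example.com.
_ldap._tcp.example.com. 600 IN SRV 10 0 389 dc-backup.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
"""


def parse_srv(text):
    """Parse SRV lines into {owner name: [record dicts]} (trailing dots dropped)."""
    records = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 8 or parts[2:4] != ["IN", "SRV"]:
            raise ValueError(f"not an SRV record: {line!r}")
        priority, weight, port = (int(x) for x in parts[4:7])
        records[parts[0].rstrip(".").lower()].append({
            "ttl": int(parts[1]), "priority": priority, "weight": weight,
            "port": port, "target": parts[7].rstrip(".").lower()})
    return dict(records)


def service_name(service, proto, domain):
    """Owner name a client queries, e.g. _ldap._tcp.example.com."""
    return f"_{service}._{proto}.{domain}".rstrip(".").lower()


def subzone_of(owner, domain):
    """Which of the AD sub-zones an owner name falls under, or None."""
    owner = owner.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    for sub in AD_SUBZONES:
        if owner == f"{sub}.{domain}" or owner.endswith(f".{sub}.{domain}"):
            return sub
    return None


def order_targets(records, rng=None):
    """RFC 2782 client selection: lowest priority first; within one priority a
    weighted random order, so equal-weight servers share the load."""
    rng = rng or random.Random(0)
    by_priority = defaultdict(list)
    for rec in records:
        by_priority[rec["priority"]].append(rec)
    ordered = []
    for prio in sorted(by_priority):
        group = list(by_priority[prio])
        while group:
            total = sum(r["weight"] for r in group)
            pick = rng.randint(0, total)
            running, chosen = 0, group[0]
            for rec in group:
                running += rec["weight"]
                if running >= pick:
                    chosen = rec
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


if __name__ == "__main__":
    srv = parse_srv(SAMPLE_SRV)
    name = service_name("ldap", "tcp", "example.com")
    for rec in order_targets(srv[name]):
        print(rec["target"], rec["port"], "priority", rec["priority"])
    print(subzone_of(name, "example.com"))
```

The ordering matters for availability design: the priority-10 server is only ever tried after every priority-0 server has failed, so a domain controller you intend as a fallback must be published with a higher priority number, not merely added to the list.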
Some new and terrific features of Windows 2000 DNS include
The ability to scavenge old DNS records from the database and to age them out.
A monitor tool in the Windows 2000 DNS interface so you can test your zone configurations.
Negative caching. The DNS server remembers host names that are invalid so as not to waste time searching for them.
And speaking of the Windows 2000 Resource Kit, a utility called DNSCMD is available that provides you a nice command-line utility for the purpose of configuring DNS servers.
If you are providing your own public DNS, you are required to provide two DNS servers for redundancy.
Creating an Integrated DNS Design
Up until now, the majority of DNS servers in large enterprises ran on Unix computers. However, Windows 2000 DNS has enough functionality that it’s possible that many administrators will want to move their main DNS server services to their Windows 2000 servers. There are many advantages to this, the most obvious of which is the integration with AD. Wherever your AD database winds up getting replicated to, your DNS records will be there as well. This means you no longer have to cross slow WAN links for DNS services as you might’ve had to do before. AD-integrated (ADI) DNS also means that you have the ability to provide secure control over which client computers can update the DNS database for that zone. Furthermore, you no longer have a single point of failure (SPOF) in your primary zone database. Since the DNS database is replicated to all AD servers, each DC has an active copy of the DNS database, one that you can edit at will.
Microsoft Exam Objective
Design name resolution services.
Create an integrated DNS design.
But there’s more to it than that, especially if you have Windows 2000 clients throughout your enterprise. You save yourself tons of work by not having to maintain a manually edited DNS database. Any non-Windows 2000 clients might require that you create a manual entry in the DNS system for them, depending on whether you’ve enabled your Windows 2000 DHCP servers to automatically update DNS at lease-renewal time. To enable that, click Start > Programs > Administrative Tools > DHCP, right-click the DHCP server you’re interested in configuring, and select Properties. Click the DNS tab (shown in Figure 11.1) and check the Enable Updates for DNS Clients That Do Not Support Dynamic Update option. (Clients that do not support dynamic update would be any non-Windows 2000 clients.) This change requires that dynamic updating be turned on.
Microsoft often refers to non-Windows 2000 clients as downlevel clients.
FIGURE 11.1
Updating a DHCP server
It’s a fairly safe bet that your migration to Windows 2000 is going to take a long time in a large, disparate environment. Therefore, a pragmatic design alternative would be to make a Windows 2000 server running DNS a secondary server to the Unix BIND servers in the network. (Unix BIND servers must be running, at a minimum, BIND 4.9.6, and the preferred BIND version is 8.2.2.) Recall from your previous DNS studies that secondary servers obtain read-only copies of the DNS databases, and they know they’re supposed to pull down a new copy by comparing their serial number to the primary server’s serial number. If their serial number is less than the primary server’s serial number, they know an update has occurred and they copy the primary’s database. This is not an incremental download as other Windows 2000 DNS servers would obtain (i.e., only the changes that have been made are downloaded), but it would provide a method for you to maintain your Unix DNS servers until such time as you’re ready to switch over to Windows 2000.
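The serial-number check a secondary performs, as an added example (my code, not the book’s). It parses the SOA records of a primary and a secondary and decides whether a transfer is due. The comparison uses RFC 1982 serial arithmetic rather than a plain integer compare, because a 32-bit serial that wraps around to 0 must still count as newer than 4294967295; a naive compare is included only to show where it fails. The mycompany.com SOA lines and their serial numbers are constructed sample data.

```python
SERIAL_MASK = 0xFFFFFFFF
HALF = 1 << 31

# Constructed sample SOA records (names and serials are assumptions):
# zone TTL IN SOA mname rname serial refresh retry expire minimum
PRIMARY_SOA = ("mycompany.com. 3600 IN SOA ns1.mycompany.com. hostmaster.mycompany.com. "
               "2002010302 3600 600 604800 3600")
SECONDARY_SOA = ("mycompany.com. 3600 IN SOA ns1.mycompany.com. hostmaster.mycompany.com. "
                 "2002010301 3600 600 604800 3600")


def parse_soa(line):
    """Parse one SOA record in zone-file order into a dict."""
    parts = line.split()
    if len(parts) != 11 or parts[2:4] != ["IN", "SOA"]:
        raise ValueError(f"not an SOA record: {line!r}")
    serial, refresh, retry, expire, minimum = (int(x) for x in parts[6:11])
    return {"zone": parts[0].rstrip(".").lower(), "mname": parts[4],
            "serial": serial, "refresh": refresh, "retry": retry,
            "expire": expire, "minimum": minimum}


def serial_gt(a, b):
    """RFC 1982: is serial a newer than serial b, allowing for 32-bit wraparound."""
    a &= SERIAL_MASK
    b &= SERIAL_MASK
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def naive_gt(a, b):
    """Plain integer comparison, shown only to expose the wraparound failure."""
    return a > b


def bump_serial(current):
    """Increment a serial, wrapping at 2**32 as the on-the-wire field does."""
    return (current + 1) & SERIAL_MASK


def secondary_decision(secondary_soa, primary_soa):
    """What a secondary does after its refresh-interval SOA query of the primary."""
    if secondary_soa["zone"] != primary_soa["zone"]:
        raise ValueError("SOA records are for different zones")
    if serial_gt(primary_soa["serial"], secondary_soa["serial"]):
        return "transfer"
    return "up_to_date"


if __name__ == "__main__":
    print(secondary_decision(parse_soa(SECONDARY_SOA), parse_soa(PRIMARY_SOA)))
    wrapped = bump_serial(SERIAL_MASK)
    print("rfc1982:", serial_gt(wrapped, SERIAL_MASK),
          "naive:", naive_gt(wrapped, SERIAL_MASK))
```

Whether the resulting transfer is a full copy or an incremental one is decided separately by the two servers’ capabilities, as the text notes; the serial check only decides that a transfer is needed.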
A Windows 2000 DNS server can host several different types of zones: AD-integrated, primary, or secondary. In the case of an AD-integrated zone—one that replicates its DNS information to other DCs—that zone can also act as a primary zone to other non-integrated zones being hosted on non-Windows 2000 servers. This is how a design (albeit a complex design) that included Unix BIND, Windows NT, and Windows 2000 servers could interoperate with one another.
To create a new Windows 2000 AD-integrated DNS zone, click Start > Programs > Administrative Tools > DNS. Right-click the DNS server you’re interested in adding to and select New Zone. The DNS New Zone Wizard appears, shown in Figure 11.2, that will guide you through creating an AD-integrated, a standard primary zone, or a standard secondary zone. You don’t have to have Unix servers to be facing the need to work with a combination of older DNS servers and new AD-integrated servers. Windows NT 4 DNS servers cannot integrate with AD, but they can participate as a secondary zone to a Windows 2000 DNS server. So your plans for older NT DNS boxes would be identical to the Unix computers: Make your primary DNS servers the AD-integrated ones and your NT servers the secondary. Windows 2000 DNS AD-integrated servers can work in mixed-mode environments and can act as primary servers to Windows NT 4 secondaries.
When setting up Windows 2000 AD-integrated zones, at least one of the DNS servers must be a Windows 2000 DC.
FIGURE 11.2
Adding an Active Directory-integrated zone using the DNS New Zone Wizard
Creating a Secure DNS Design
Windows 2000 DNS permits fine distinctions of who is allowed to manage the DNS database.
Microsoft Exam Objective
Design name resolution services.
Create a secure DNS design.
In the Administrative Tools > DNS window, right-click the server whose properties you want to view and select Properties. Select the Security tab and you’ll see a window similar to the one in Figure 11.3.
FIGURE 11.3
Viewing the Security properties for a given DNS server
Certain groups are automatically given administrative authority over the DNS servers, among them Domain Admins, Enterprise Admins, DNS Admins, and the Administrators group. The Administrators group lacks Full Control and Delete All Child Objects rights, but retains great control over the DNS databases. You can opt for more security by tightening up on the rights that some of the groups have, but be careful not to take rights away from the DNS Admins group.
The DNS Admins group, by default, is empty. If you’re going to use it to tighten the security and control over who can maintain your Windows 2000 DNS implementation, be sure you add the appropriate users to this group.
Furthermore, you can click the Advanced button from within this Properties window and configure properties such as Permissions, Auditing, and Owner. The Permissions tab (Figure 11.4) lists the users and groups who have permissions to the object that’s being viewed at the time. The Auditing tab (Figure 11.5) lists the users or groups who are being audited. The Owner tab (Figure 11.6) lists the users or groups who own the object.
FIGURE 11.4
The Permissions tab of the Advanced Control Settings window of the DNS Properties box
FIGURE 11.5
The Auditing tab of the Advanced Control Settings window of the DNS Properties box
FIGURE 11.6
The Owner tab of the Advanced Control Settings window of the DNS Properties box
The main decision you’ll have to make when setting up security for DNS is who you want to be able to administer the DNS database. There’s not a lot of manual entry to be done to the database, especially if you’ve set DHCP to forward client information to DNS. But realize that there are several places where you can add permissions. You can set the permissions in the screen shown in Figure 11.4. Using this method allows you to apply permissions to a user, to a group, or to a computer. You can also use the DNS program in Administrative Tools to update permissions for an entire zone or for a single entry. You can manage permissions on a zone and its individual records only if the zone is AD-integrated.
A second important decision is whether to allow dynamic updates to the DNS database. If you’ve enabled dynamic update of DNS, then Windows 2000 clients can update the DNS database, as can DHCP. You’ll find that you need to make very few specific entries in the DNS databases. If you’re going to use AD-integrated DNS, you have to install DNS on at least one Windows 2000 DC, and you must purposely set the dynamic updating of the database to Yes. To do this, navigate to the zone you’re interested in updating, right-click it, and select Properties. Under the General tab, set the Allow Dynamic Updates option to Yes.
In order to use secure dynamic updates, you must be using an AD-integrated zone. A standard primary zone will allow you to perform dynamic updates, just not secure ones.
Do not set up DHCP and DNS on the same computer if using the Only Secure Updates option. This could cause a security compromise if DHCP is updating DNS on behalf of the clients.
Secure Zone Transfers
You can set up your DNS zones so they only transfer information to DNS servers that you designate. There are a few different options for this. To view them, navigate to the zone that you’re interested in working with, right-click it, and select Properties. Click the Zone Transfers tab, illustrated in Figure 11.7. You can choose to transfer to any server in the domain (probably not a great idea for security reasons); you can choose to transfer to servers that are entered in the Name Servers list found on the Name Servers tab of this same Properties sheet. Alternatively, you can set it up so that zones are transferred to only those servers that you list. Note that you can click the Notify button to notify secondary servers of a zone change. Again, the secondary servers you can choose to notify of zone updates can be entered in the Name Servers section of the Properties sheet, or you can enter specific IP addresses for DNS servers. When setting up zone transfers across the Internet, use either a VPN or IPSec to encrypt and secure the traffic.
A screened subnet is one that lies between two firewalls—the private network is on one side of a firewall, the screened subnet is in the middle, and the public (Internet) network is on the other side of the second firewall (see Figure 11.8 for an illustration of this configuration). You’ll encounter this kind of situation if you have a set of web servers out in a demilitarized zone (DMZ), a semi-public, semi-private zone where web servers can reside to provide web services to Internet viewers but prevent access to internal networks. In a DMZ, you need more public access than your private network allows. In a case such as this, you would configure the outside firewall (Firewall B) to allow incoming DNS queries from the Internet. You’d configure DNS replication from the private network to go only one way, from inside to the DMZ, and you’d not allow any DNS queries past Firewall A.
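The three zone-transfer choices above, modelled as a policy and run over a few constructed transfer-log lines, as an added example (my code, not the book’s). The mode names, the ZoneTransferPolicy class and the log line format are all my own assumptions; they are not Windows 2000 settings or a real DNS log format. The point is to show the “any server” setting beside the restricted ones and to give a defender a way to flag transfer requests that a tighter policy would have refused.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class ZoneTransferPolicy:
    """One zone's transfer setting (assumed model of the Zone Transfers tab)."""
    mode: str                                  # "any", "name_servers" or "listed"
    name_servers: list = field(default_factory=list)   # IPs from the Name Servers tab
    listed: list = field(default_factory=list)         # IPs entered explicitly

    def allowed_set(self):
        """Set of permitted requester addresses, or None for 'any'."""
        if self.mode == "any":
            return None
        if self.mode == "name_servers":
            return {ipaddress.ip_address(x) for x in self.name_servers}
        if self.mode == "listed":
            return {ipaddress.ip_address(x) for x in self.listed}
        raise ValueError(f"unknown mode {self.mode!r}")

    def allows(self, requester):
        allowed = self.allowed_set()
        return True if allowed is None else ipaddress.ip_address(requester) in allowed

    def warnings(self):
        """Design-review notes on the setting itself."""
        notes = []
        if self.mode == "any":
            notes.append("zone contents are readable by any host that can reach port 53")
        if self.mode == "listed" and not self.listed:
            notes.append("'listed' with an empty list refuses every transfer "
                         "(right for a leaf secondary, wrong for a primary)")
        return notes


# Constructed sample log lines in a made-up format; not a real DNS log.
SAMPLE_LOG = """\
2002-01-03 09:12:01 AXFR example.com from 10.0.0.5
2002-01-03 09:13:44 AXFR example.com from 192.0.2.77
2002-01-03 09:20:10 AXFR example.com from 203.0.113.9
"""
LOG_RE = re.compile(r"^(\S+ \S+) AXFR (\S+) from (\S+)$")


def audit_transfers(policy, log_text):
    """Split logged transfer requests into (allowed, denied) under a policy."""
    allowed, denied = [], []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        when, zone, requester = match.groups()
        bucket = allowed if policy.allows(requester) else denied
        bucket.append((when, zone, requester))
    return allowed, denied


if __name__ == "__main__":
    # Weak setting beside the screened-subnet arrangement from the text:
    # the internal primary transfers only to the DMZ secondary (assumed
    # address 10.0.0.5), and the DMZ secondary transfers to nobody.
    weak = ZoneTransferPolicy("any")
    internal_primary = ZoneTransferPolicy("listed", listed=["10.0.0.5"])
    dmz_secondary = ZoneTransferPolicy("listed", listed=[])
    for name, policy in [("weak", weak), ("internal primary", internal_primary),
                         ("dmz secondary", dmz_secondary)]:
        allowed, denied = audit_transfers(policy, SAMPLE_LOG)
        print(name, "allowed", len(allowed), "denied", len(denied), policy.warnings())
```

Running the same log through the weak and the restricted policies is the quickest way to see what the “any server” option gives away: every request succeeds, including the ones from addresses that are not name servers for the zone.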
FIGURE 11.7
Setting up zone transfers
Some of today’s firewall products allow for only one firewall on a screened subnet. Traffic bound for the screened subnet is routed differently than traffic bound for the private network.
FIGURE 11.8
Zone transfers in a screened subnet (diagram labels: Private network, Firewall A, Screened subnet, Firewall B, Public network)
Screened subnets should contain only secondary DNS data, never primary data. Active Directory integration allows you to apply additional security to the zone transfers between the internal and the screened subnet. Encryption can be provided with a VPN or IPSec. Since a secondary DNS server contains a replica of its primary, your DMZ secondary would contain references to internal computers, something you may not want. An optional, more secure configuration might be to create a primary DNS zone on your DNS server in the DMZ, thus assuring yourself that the DMZ DNS server doesn’t contain records that reference internal computers.
If you have publicly available DNS servers, never include private computer information in the public DNS database. This could be a major security breach.
Redundancy of DNS Servers
In the old days of DNS, when you had to statically enter all of the records into the DNS database, redundancy was highly important. In a case like that, you set up a primary DNS server and then had at least one, if not more, secondary DNS servers throughout your enterprise.
Microsoft Exam Objective
Design name resolution services.
Create a highly available DNS design.
Active Directory integration creates an environment where you don’t have as much to worry about in terms of DNS availability (because DNS information is integrated into the directory). But what happens if a WAN circuit goes down for an extended time? You’ll not only have problems getting AD replicated to outlying locations, but your DNS will falter as well. For this reason, it’s crucial that you target the weak points in your infrastructure that may require a second DNS server and then set up servers at those points. You have two choices for the way in which you set these up: You can create AD-integrated zones between these servers, or you can set up a primary/secondary zone replication scheme. Microsoft often recommends placing at least one DNS server at every location. In locations where you have slow or troublesome WAN links, a second DNS server is a great idea. But for locations where the WAN link is robust and not overcrowded, this solution may be overkill.
Delegated Domains
A second redundancy technique—one that might work well for you—is the concept of delegated domains. Here’s how the concept works. Suppose that you’re an administrator for a company, LargeCompany, with a couple of different locations; let’s call them LocationA and LocationB just to be clever. LocationA is pretty large and might very well merit its own domain: LocationA.LargeCompany.com. Ditto for LocationB: LocationB.LargeCompany.com. What you can do is set up two DNS servers: one at LocationA, one at LocationB. LocationA will have as its primary zone LocationA.LargeCompany.com, while LocationB will have as its primary zone LocationB.LargeCompany.com. LocationA will have an NS and an A record for LocationB; LocationB will have an NS and an A record for LocationA. In a case like this, you’ve delegated the domain for LocationA to the DNS server at LocationA and vice versa for LocationB.
Users at LocationA requesting name server services for a host in LocationB will reference LocationB’s DNS, which then points them to LocationA for the final lookup. Note that this kind of DNS setup doesn’t have anything to do with Active Directory, though each of these DNS servers could very well forward their incremental zone updates to an AD-integrated server.
Suppose that what you’re striving for isn’t necessarily a delegated domain situation, but a redundancy environment where you provide a modicum of fault tolerance without having to go to AD-integrated zones. What you can do in a situation like this is set up two DNS servers: one at LocationA and one at LocationB. LocationA will have as its primary zone LocationA.LargeCompany.com, while LocationB will have as its primary zone LocationB.LargeCompany.com. Then, each server will have the opposite server as its secondary zone. In a case like this, you’ve delegated the domain for LocationA to the DNS server at LocationA and vice versa for LocationB.
You have redundancy built into the mix because each location replicates its data to the other location, but you don’t kill your WAN circuits, because the primary zone lives in the location that it’s serving.
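The two LocationA/LocationB layouts just described, as an added example that is not from the book: a toy resolver that follows the NS-plus-A referral in the delegation-only layout, answers locally when each server also holds the other’s zone as a secondary, and shows what happens when the WAN (and so the remote server) is unreachable. The server names, addresses and the resolver itself are constructed.

```python
"""Delegation-only versus mutual-secondary layouts for LocationA/LocationB.

Added example, not from the book. Each DnsServer serves the zones it holds
(its own primary plus any secondary copy) and keeps, for the other location,
the NS-plus-A pair the text describes, modelled here as a delegation hint.
Only A lookups are simulated; names, addresses and the resolver are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Records = Dict[Tuple[str, str], str]        # (owner name, RR type) -> rdata


@dataclass
class DnsServer:
    name: str
    address: str
    zones: Dict[str, Records] = field(default_factory=dict)   # zone -> data held
    # zone -> (NS host name, glue A address), the "NS and A record" for the other site
    delegations: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def query(self, qname: str) -> Tuple[str, Optional[str]]:
        """Answer from a zone we hold, refer via NS/A glue, or refuse."""
        for zone, records in self.zones.items():
            if qname == zone or qname.endswith("." + zone):
                if (qname, "A") in records:
                    return "answer", records[(qname, "A")]
                return "nxdomain", None
        for zone, (_ns_host, ns_addr) in self.delegations.items():
            if qname.endswith("." + zone):
                return "referral", ns_addr
        return "refused", None


def resolve(qname: str, start: DnsServer, reachable: Dict[str, DnsServer],
            max_hops: int = 3) -> Tuple[Optional[str], int]:
    """Follow referrals from `start`; return (address or None, WAN hops taken).

    `reachable` maps server address -> server; a referral to an address that
    is not in it models a WAN circuit that is down.
    """
    server, hops = start, 0
    while True:
        status, data = server.query(qname)
        if status == "answer":
            return data, hops
        if status != "referral" or hops >= max_hops:
            return None, hops
        hops += 1
        next_server = reachable.get(data)
        if next_server is None:          # referral target is across a dead WAN link
            return None, hops
        server = next_server


ZONE_A = "locationa.largecompany.com"
ZONE_B = "locationb.largecompany.com"
NS_A_ADDR, NS_B_ADDR = "10.1.0.53", "10.2.0.53"   # constructed addresses


def build_network(mutual_secondaries: bool) -> Dict[str, DnsServer]:
    """Two servers, one per location; optionally each also holds the other's zone."""
    zone_a: Records = {("ns." + ZONE_A, "A"): NS_A_ADDR, ("fs1." + ZONE_A, "A"): "10.1.0.20"}
    zone_b: Records = {("ns." + ZONE_B, "A"): NS_B_ADDR, ("crm." + ZONE_B, "A"): "10.2.0.30"}
    ns_a = DnsServer("ns.locationa", NS_A_ADDR, {ZONE_A: zone_a},
                     {ZONE_B: ("ns." + ZONE_B, NS_B_ADDR)})
    ns_b = DnsServer("ns.locationb", NS_B_ADDR, {ZONE_B: zone_b},
                     {ZONE_A: ("ns." + ZONE_A, NS_A_ADDR)})
    if mutual_secondaries:
        # Secondary copies, as a completed zone transfer would leave them.
        ns_a.zones[ZONE_B] = dict(zone_b)
        ns_b.zones[ZONE_A] = dict(zone_a)
    return {s.address: s for s in (ns_a, ns_b)}


def lookup_from_a(qname: str, mutual_secondaries: bool, wan_up: bool) -> Tuple[Optional[str], int]:
    """A client at LocationA asks its local server; a WAN outage hides ns_b."""
    net = build_network(mutual_secondaries)
    reachable = net if wan_up else {NS_A_ADDR: net[NS_A_ADDR]}
    return resolve(qname, net[NS_A_ADDR], reachable)


if __name__ == "__main__":
    host = "crm." + ZONE_B
    for secondaries in (False, True):
        for wan in (True, False):
            ip, hops = lookup_from_a(host, secondaries, wan)
            print(f"secondaries={secondaries!s:5} wan_up={wan!s:5} -> {ip} after {hops} WAN hop(s)")
```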
Designing a DNS Implementation
Now it’s time to take a look at the various circumstances you might run into as you finalize your Windows 2000 DNS design. One important component to keep in mind, one that’s often overlooked, is the capacity for growth in a given design. In the DNS sense, not only do you need to keep an eye on today, but you also need to think about tomorrow.
Microsoft Exam Objective
Design name resolution services.
Measure and optimize a DNS infrastructure design.
Design a DNS deployment strategy.
Selecting the Correct DNS Infrastructure for Your Network
Several critical components need to be examined when considering the correct DNS infrastructure for your design. Perhaps the key question you’ll have to ask yourself is whether it’s desirable to replace the BIND (Unix) DNS servers running in your Windows 2000 environment. This decision will drive everything else in your project. If it’s not acceptable for Windows 2000 to do the DNS work, that’s no big deal. The BIND servers will be the primary DNS servers and your Windows 2000 DNS boxes will be the secondary DNS servers. Note that the BIND servers must support SRV records (BIND 4.9.6) and should support dynamic updates (BIND 8.1.2). On the other hand, some functions aren’t supported in BIND and/or in Windows NT 4 DNS that are supported in Windows 2000 DNS—functions like forwarding to WINS for name resolution and DHCP dynamically updating DNS—so you might want to consider a completely Windows 2000–based set of DNS servers. Table 11.1 shows some common BIND versions and the updated support they provide.
TABLE 11.1  Key BIND Version Features

BIND Version      Supplies
4.9.6 or later    Support for SRV records
8.1.2 or later    Support for dynamically updated DNS zone database
8.2.1 or later    Support for incremental zone updates
8.2.2             Additional DNS features like negative caching
The main point here is that you’ll have to assess your legacy DNS environment, make sure you talk with the people who are running the current DNS implementation, and come up with a design that everyone likes.
DNS in a Routed Environment
You have two potential issues here. The first issue we’ve already discussed: slow WAN links. The solution for that is a DNS server at each location. The second issue is Internet users being able to get into your DNS servers and update records that they find. How would they be able to do that? If a DNS server is a standard primary server and it is out on the DMZ (the administrator’s term for the screened subnet described earlier in this chapter), then it might be possible for someone to hack in and update or change the DNS tables, which would subsequently replicate to the secondary servers. You fight this problem by keeping your primary DNS server in the private network, replicating only certain zones to the secondary DNS server in the DMZ. Since secondary DNS servers have read-only databases, they can’t be as easily hacked.
In either of these cases, the router is going to pass the name lookup request to a DNS server. If the local DNS server doesn’t know the information requested, the name resolution request is passed to the DNS forwarder (if one has been provided), a DNS server typically out on your ISP’s network that then takes a stab at the lookup. If the information is unknown there, the request is passed upward to a higher-level DNS server, and so on. If no DNS forwarder exists, the name lookup stops at the root DNS server in your network.
Routers are typically configured to pass all DNS requests and clients are usually configured with the network’s valid DNS IP addresses.
Zone-Replication Security
You can handle zone-replication security in several ways. Perhaps the greatest risk when transferring zone information is when you’re passing it across the Internet from one of your DNS servers to another. Microsoft recommends that you set up a VPN when sending data of this sort over the Internet and that you encrypt the data either through IPSec or VPN technology. On zone replications that take place inside the internal network, the best and easiest way to secure the replication is to set up AD-integrated zones. This data is encrypted as it’s passed along and is highly secure.
High-Availability Scenarios
You have several options for providing highly available DNS servers. The easiest method is to provide lots of redundancy in your DNS design. This technique requires that you sit down and think hard about your delegated domains, how you’re going to split things out among several DNS servers. A second question is whether you provide a backup DNS server at each location. You can see how you can get into some expensive scenarios when you begin to dedicate computers strictly to managing DNS.
Since DNS servers are referenced quite often by computers performing name lookup tasks, you shouldn’t be stingy with the hardware configuration of the computers. You’ll want to provide ample CPU power, plenty of RAM, and enough disk space to make sure that as the network grows, so can the DNS database on the computer. A 100Base-T full-duplex network link would be extremely helpful as well.
For really important locations that require very fault-tolerant installations, consider a cluster server for your DNS installations. When implementing a cluster server, your setup and installation times increase, your administrative tasks become much more complex (due to the complex nature of clustering), and costs soar. But in a server outage, that failover will pay for itself the very first time it’s needed. It’s not often that corporations will need or want to use cluster server for their DNS environments, but it is an option. Windows 2000 DNS server is not cluster-aware, but it will work in a cluster server setting. You won’t be able to justify cluster server for DNS strictly
for DNS’ sake. You’ll probably want to have other cluster-aware apps that can make good use of a cluster—such as Exchange 2000—to justify such an implementation.
Optimization and Tuning of DNS
The most basic technique you can use for testing how well DNS is doing is to open a command prompt, get your stopwatch out, and ping an FQDN to see what kinds of response times you’re getting out of the system. You’ll also want to time reverse name lookups with NSLOOKUP so you have a feel for how fast the DNS box can respond to those kinds of queries as well. The question then becomes, what’s acceptable to you? This is a purely subjective call, but one that will be driven by users complaining about the slowness of the network. You can also use System Monitor to evaluate the performance of your DNS servers. A DNS object and several DNS-related counters are provided with System Monitor as soon as you install DNS on a Windows 2000 computer.
In a setting where the network is really fast but users are complaining about slow DNS response times, take a look at the DNS server itself to make sure it’s capable of performing well in the environment it’s expected to work in. Also check to see whether the LMHOSTS or HOSTS files aren’t being referenced before DNS gets a chance to answer.
You can set Windows 2000 DNS Servers up for fast replication, which should provide you with better performance. Make sure that the overall network infrastructure can handle what’s being asked of it. Routers with 10Mbps uplink ports cannot possibly perform well in 100Base-T networks that deliver the data faster than they can take it in. These are all common-sense techniques, but they’re often overlooked. Finally, to speed up DNS requests across slow WAN links, consider setting up a DNS server to act strictly as a caching-only server. Caching-only DNS servers do not host any zones of their own, but cache all lookup requests forwarded to DNS servers that do have valid zones. If the requested entry is in the cache, the cache responds before the request is sent across the wire to be resolved. If the DNS information doesn’t change very frequently or if you have slow or saturated WAN links, this is the ticket for speeding up those name resolution requests.
Backward Compatibility Issues
Certain important benefits of Windows 2000 DNS are not supported in older versions of BIND. For example, the SRV resource record wasn’t supported until BIND version 4.9.6 or later. Support for dynamically updated BIND databases wasn’t provided until BIND version 8.1.2. Incremental zone updates weren’t provided until BIND 8.2.1. A visit with your Unix DNS administrator is in order so that you determine exactly where you are in terms of BIND versions.
Windows NT 4 DNS servers don’t support dynamic DNS updates, period, so in terms of backward compatibility with them, make sure that they’re always a secondary to your Windows 2000 primary DNS server.
Neither BIND nor Windows NT 4 DNS servers support Unicode character sets, only ANSI. This could be a problem with foreign-language DNS implementations that use characters not found in the ANSI character set. If the chances are that you’ll encounter such sets, you’ll have to set your Windows 2000 DNS servers for RFC-compliance (ANSI) and avoid the Unicode issue.
Some vendors supply non-RFC–compliant resource records in DNS. For example, suppose that a manufacturer of a voice card for fax systems decides to include a record such as DSP in the DNS database. This is not a recognized record type. In BIND and Windows NT 4 implementations, zone replication would cease. But, in Windows 2000 DNS, you can instruct the DNS server to simply ignore strange resource records such as this.
If you’re using BIND DNS servers and you decide to set up WINS forward lookup zones, your BIND servers will choke on the WINS and WINS-R records. The decision to use WINS as a forward lookup zone with Windows 2000 or Windows NT 4 DNS automatically indicates that BIND DNS drops out of the picture.
Summary
Domain Name Service (DNS) provides an IP address when it is given an FQDN. Windows 2000 DNS server has many improved features over Windows NT 4 DNS. For example, you can choose three different types of DNS zones when setting up a DNS server in a Windows 2000 environment: standard primary zone, standard secondary zone, and Active Directory-integrated zone. Standard primary and standard secondary zones are compatible with BIND or Windows NT 4 servers.
Windows 2000 DNS supports new record types such as the SRV record (actually not a new type but new to Windows DNS), the WINS and WINS-R records, the AAAA record, and the ATMA record. Since BIND servers can’t deal with records they don’t understand (replication stops when these are encountered), make sure you don’t have those kinds of compatibility issues before forging ahead. You can prevent records that are not supported by BIND-based secondaries from being transferred to them by choosing the Do Not Replicate This Record option when setting up the WINS properties for a zone.
Windows 2000 DNS supports incremental (partial) zone transfers, which Windows NT 4 does not, so if you have a design that includes backward compatibility with old NT 4 DNS, you’ll have to work with full zone replication. Neither BIND servers earlier than version 4.9.6 nor NT DNS servers support fast replication. The good news is that you can support a legacy environment and have a Windows 2000 AD-integrated DNS server. AD-integrated servers must be on at least one domain controller, and you must configure that server so it uses an AD-integrated zone.
With Windows 2000 DNS, you gain several important features. DHCP can automatically update DNS (this feature is configurable by administrators), and DNS can forward unresolved queries to WINS for further resolution work. Windows 2000 Professional computers can automatically register their information with DNS, while non-Windows 2000 computers require Windows 2000 DHCP to do so.
Windows 2000 supports redundancy of DNS servers and clustering, though DNS is not a cluster-aware application. Microsoft recommends that you place a DNS server at each remote location. You can provide secondary servers as well for backup and redundancy. Delegated domains are DNS servers that are authoritative for a given sub-domain; in other words, the primary DNS server contains an NS and an A record that points to the sub-domain DNS server.
Using this technique, you can set up a DNS server to host one domain and a second DNS server to host another domain, then have the two domains use each other as secondaries for their zone information. This is a clever way of providing redundancy and segmentation. A screened subnet, sometimes called a DMZ, is one that lives between two firewalls, typically used for web servers that the Internet public will access. A DMZ DNS server should not be set up as a primary server because the data will be write-accessible by people from the outside. Instead, make it a secondary server so its data is read-only. You can set up caching-only DNS servers so that resolution requests are cached, speeding up name resolution requests
across slow WAN links. Alternatively, to prevent outsiders from seeing private network DNS records, simply make your DMZ DNS server a primary for its own zone.
Exam Essentials
Know how to integrate DNS with Active Directory. Windows 2000 DNS allows for the creation of AD-integrated (ADI) zones. If you use ADI zones, DNS replication is secured along with regular AD replication. ADI zones also work as a multiple-master system, eliminating the single point of failure.
Know how to integrate Windows 2000 DNS with other DNS implementations and Active Directory. If you are running a Windows 2000 domain, Windows 2000 DNS is the best solution. However, BIND versions 4.9.6 and newer can be used, although BIND versions 8.1.2 and newer are strongly recommended. Windows NT DNS cannot support Active Directory, but it can be a secondary DNS server to a Windows 2000 primary DNS server.
Know how to secure your DNS implementation. The most important group for delegating administrative control to DNS servers is the DNS Admins group. By default, the group has no members.
Understand DNS and fault tolerance. DNS should never have a catastrophic failure on your network. Always install at least two DNS servers. If need be, you can install a primary server and a secondary server, or you can use AD-integrated zones. An expensive solution would be to put DNS on clustered servers.
Know how to optimize the DNS service. Windows 2000 has some built-in features to help you optimize DNS. One is the scavenging of stale resource records. Old, unused records can be removed automatically. Another incredibly handy DNS tool is the NSLOOKUP utility.
Know how to design a DNS deployment strategy. For a Windows 2000 network, Windows 2000 DNS is the best choice. Windows NT DNS servers cannot act as the primary server for a Windows 2000 domain because they do not support SRV record types. If you are running a BIND DNS server, you need to have at least version 4.9.6, but it’s recommended to go with at least version 8.1.2.
Key Terms
DNS has several important terms that you should be familiar with. Before you take the exam, be certain you are familiar with the following terms:
AAAA
ATMA
Berkeley Internet Name Domain (BIND)
delegated domains
demilitarized zone (DMZ)
DNSCMD
forward lookup
forward lookup zone
namespace
negative caching
NSLOOKUP
resource record
reverse lookup
reverse lookup zone
screened subnet
SRV
standard primary zone
standard secondary zone
Unicode
WINS
WINS-R
zone
Review Questions
1. You are the network administrator for your company. Even though you have just upgraded your network to Windows 2000, corporate management has mandated that DNS services must continue to be hosted on BIND servers. The BIND DNS servers cannot be decommissioned. How do you implement this strategy? Select two answers.
A. Install a Windows 2000 DNS server as a secondary server to your BIND server.
B. Install a Windows 2000 AD-integrated zone.
C. Configure your BIND 4.9.4 server as a primary server for your Active Directory domain.
D. Make sure that your version of BIND is compatible with Windows 2000, and make the server a secondary server to your Windows 2000 DNS server.
2. You have just installed Windows 2000 DNS and configured an AD-integrated zone. You are now populating static entries in the database, and a co-worker asks you what the WINS records are for. For what purpose would you use the WINS and WINS-R resource records?
A. For WINS integration
B. To offload name resolution to the network’s WINS servers
C. For WINS integration into BIND DNS
D. So Windows 2000 WINS servers act as the DNS servers for the network
3. You have a single namespace on your BIND DNS server; the domain is called mycompany.com. Your company has recently purchased an engineering firm that’s going to act as the R&D wing of your corporation. In an effort to move toward Windows 2000 DNS integration with the BIND servers, you’re instructed to set up a private namespace called engineering.mycompany.com. How would you handle this situation with Windows 2000 DNS?
A. Install a Windows 2000 AD-integrated DNS server and set up a zone strictly for the engineers.
B. Get rid of all BIND servers and upgrade to Windows 2000 DNS for your name-serving needs.
C. Set up a Windows 2000 DNS server that acts as a delegated domain server for the engineering group.
D. This cannot be done.
4. You are the DNS administrator for an ISP that requires a very fault-tolerant DNS implementation so that its customers will never go without name resolution services. What method would be the most cost-effective to apply when using Windows 2000 DNS?
A. Configure the DNS server so it’s on two different switch ports.
B. Configure at least one additional standard primary DNS server with a duplicate zone.
C. Configure the DNS services on a cluster server.
D. Use AD-integrated zones with your Windows 2000 DNS servers.
5. You are the DNS administrator for your company. Recently, clients have been complaining about slow Internet access times. Running Network Monitor reveals no network bottlenecks. You suspect that it may be the DNS server. How can you measure the performance of your DNS server? Choose all that apply.
A. System Monitor
B. DNSCMD
C. NSLOOKUP
D. PING
6. You are in the process of upgrading your network to Windows 2000. Currently, all servers have been upgraded, and DNS is running in an AD-integrated zone. Half of your client machines are running versions of Windows other than Windows 2000 Professional. Regarding dynamic updates and DNS, which statement about your current configuration is true?
A. DHCP updates the DNS database with both an A and a PTR record.
B. Windows 2000 DNS clients update the DNS database with both an A and a PTR record.
C. The DHCP update is unsecure.
D. The Windows 2000 update is unsecure.
7. Your enterprise network consists of two locations: Chicago and Houston. At the corporate headquarters, located in Chicago, a Windows 2000 DNS server provides name resolution to client computers in both Chicago and Houston. Users in Houston are complaining that Internet access is very slow. Users in Chicago report no delays. Management has authorized you to fix the problem. However, no additional network traffic can be created by your solution. What should you do?
A. Install a master server in Houston. Have the Chicago DNS server report to the Houston DNS server.
B. Install a caching-only server in Houston as a part of the current DNS domain.
C. Install a secondary name server in Houston as part of the current DNS domain.
D. Install a second primary name server in Houston as part of the current DNS domain.
8. You are configuring a Windows 2000 DNS server on your company’s network. The network consists of one Windows NT domain. You already have DNS installed on a Windows NT Server computer on the Windows NT domain. You want to use dynamic updates on the DNS database, but company management will not allow you to upgrade or decommission the Windows NT DNS server. All DNS information must be synchronized between the DNS servers. What three actions should you take?
A. Create a standard primary zone on the Windows 2000 DNS server and import the existing zone file.
B. Create a standard secondary zone on the Windows 2000 DNS server.
C. Delete and recreate the primary zone on the Windows NT DNS server.
D. Delete the existing zone and create a new secondary zone on the Windows NT DNS server.
E. Configure the primary zone on the Windows NT DNS server as the master zone for the secondary zone on the Windows 2000 DNS server.
F. Configure the secondary zone on the Windows NT DNS server to use the Windows 2000 standard primary zone as its master zone.
9. You are the network administrator for a small legal firm. The company is in the process of upgrading its Windows NT 4.0 network to Windows 2000. One of the concerns that the company has is the security of information on the network, due to client confidentiality. What is the single best method for creating a secure DNS environment?
A. Set up password protection on all DNS databases.
B. Set up Windows 2000 AD-integrated DNS for the entire network.
C. Require BIND servers to log on to Windows 2000 servers.
D. Disable Windows NT 4 DNS servers.
10. You are the network manager for your company. One of your administrators, Sarah, who is a member of the Domain Administrators group, is trying to modify a Windows 2000 DNS server zone, but for some reason she isn’t allowed to. What could be the problem?
A. She’s not a member of the DNS Admins group.
B. She’s not a member of the Schema Admins global group.
C. Her group policy object does not allow her to manipulate DNS zones.
D. The Domain Administrators group has been removed from the security permissions for DNS.
Answers to Review Questions
1. B, D. Thankfully, Windows 2000 DNS servers can interoperate with legacy BIND servers. So although the corporate direction is to continue with BIND DNS, you can supply AD integration with DNS by simply installing a Windows 2000 AD-integrated DNS server and making it a primary for the BIND servers.
2. A. Once a Windows 2000 server has been converted to a domain controller and DNS has been installed on it (which happens automatically when using the wizard associated with DCPROMO), you can configure DNS so it forwards name resolution requests that it cannot resolve to the network’s WINS computers. The WINS record is the forward lookup record for the WINS servers; the WINS-R record is the reverse lookup record.
3. C. On the Windows 2000 DNS server, set up a zone called engineering.mycompany.com. On the BIND server, set up NS and A records pointing to the Windows 2000 box as the authority for this subdomain. Queries sent to the BIND server for mycompany.com will be answered by the BIND server. Queries for engineering.mycompany.com will be forwarded to the Windows 2000 machine.
4. D. Since all DCs will subsequently have a copy of the zone data, you’ll provide inherent fault tolerance.
5. A, C, D. There are several System Monitor counters you can use for evaluating the performance of your DNS servers. PING and NSLOOKUP are useful utilities for timing the response of DNS servers. Ping an FQDN and see how long it takes to respond. Do the same with a reverse lookup using NSLOOKUP. The DNSCMD utility is found in the Windows 2000 Resource Kit and is used for configuring new DNS servers.
6. B. If a Windows 2000–based DNS client updates the DNS database, both an A and a PTR record are supplied, whereas DHCP only supplies a PTR record.
7. B. Caching-only servers provide name resolution to clients, with no extra network traffic. Caching-only servers do not perform zone transfers, whereas secondary servers need to get zone information from a master DNS server, causing additional network traffic.
8. A, D, F. Because Windows NT’s implementation of DNS does not support dynamic updates, you must use the Windows 2000 DNS server as the primary DNS server for the zone. You can do so by creating a new zone on the Windows 2000 server and importing the existing zone from the Windows NT DNS server, thus avoiding the headache of recreating all zone files. Once it is imported, delete the NT server’s zone file and recreate it as a secondary zone of the Windows 2000 DNS server. Management’s mandate that the Windows NT server not be decommissioned would still be met.
9. B. The best and most secure method you can use is to set up Windows 2000 AD-integrated DNS service on your network. You’ll gain faster replication times across the network because of AD’s ability to replicate the zone data, the database will be far less hackable because it’s not text-based, and DHCP servers will require permissions to update the database.
10. D. By default, the Domain Administrators group is allowed to administer DNS. But if somebody removes that group by modifying the security properties of a DNS server, she could lose her ability to manage the DNS zones. That may be a good or a bad thing, depending on your DNS design.
Integrating Windows 2000 DNS into a Legacy Environment
You should give yourself 10 minutes to review this case study, diagram as needed, and complete the questions for this testlet.
Background
You’ve been hired as a consultant to work for a medium-sized business, Acme Shoelaces; their motto is “We have our competitors all tied up.” Acme is converting its network from a combination of Windows NT, NetWare, and Unix to Windows 2000. Your job is to design this entire integration project. You’re now on the DNS design component of this project.
Current System
Overview
The company is situated in a single city but has two locations, one that houses the actual manufacturing plant and the other for the corporate offices. The Unix servers provide the manufacturing and financials for the company, but you’ve come up with a Windows 2000–based solution that’ll provide both environments on Windows 2000, allowing you to get off the Unix servers. NetWare, which was providing simple file and print services, will be dismantled first, leaving you with Unix for a time. The goal is to get to native Windows 2000 throughout the company.
Problem Statement
The Unix administrators want to retain DNS on their BIND 4.9.6 servers.
Envisioned System
Overview
You report directly to the CIO of the company. The plan you create is to set up a Windows 2000 DNS server at both locations, make them secondary to the BIND servers for the interim period that you’re involved with converting off of Unix to Windows 2000 for the financials and manufacturing side, and then migrate to an AD-integrated DNS plan.
CIO “I like the idea very much. Go forward and implement.”
Unix Admins “What’s wrong with the legacy system?”
Security
Overview
Security will be somewhat limited until you migrate to AD-integrated DNS.
CIO “The Unix admins will be phased out as we go forward with this project. I need you to make very sure that the new system is secure from potential disgruntled admin intervention.”
Security Admins “What modifications will have to be made for us to be able to say who is allowed to administer DNS?”
Unix Admins “No, you cannot be given root access to the servers!”
Availability
DNS resolution has never been an issue with the legacy BIND servers. They run just fine. The CIO asks, “Will Windows 2000 AD-integrated DNS be as reliable as the Unix DNS servers have been?”
Maintainability
You inform the CIO of the capability of DHCP interacting with Windows 2000 DNS so that it’s more dynamic, plus you talk about the capability of forwarding unresolved names to WINS. She thinks this is fantastic, saying, “The less intervention we have to do, the better. Will WINS be going away when we cut over to Windows 2000?”
Performance
The two sites are connected by a 256K frame relay WAN link; you’ve had this link evaluated and it’s highly underutilized. You don’t think that the link will take a performance hit by adding DNS. The CIO’s response is, “If you need to upgrade the circuit speed, now is the time!”
Questions
1. What’s the first step that needs to be taken in this DNS upgrade project?
A. Set up a Windows 2000 DNS server on one of the Windows 2000 DCs.
B. Upgrade the BIND servers to 8.2.2.
C. Dismantle Windows NT 4 DNS.
D. Detail on paper how the current zone structure is set up.
2. What can you do to make sure that the Unix admins are not allowed to administer the Windows 2000 DNS servers and are still allowed to administer the Windows NT 4 DNS boxes?
A. Take the Unix admins out of the Domain Admins group (if they’re a member).
B. Remove Domain Admins from the list of valid administrators in the Windows 2000 DNS settings.
C. Unix admins shouldn’t have NT or 2000 admin privileges.
D. Set the NTFS permissions on the Windows 2000 DNS databases so they restrict the Unix admins from modifying them.
3. Is there any advantage to getting off the old DNS servers and onto the Windows 2000 servers?
A. Yes
B. No
C. Maybe
4. Would a cluster server environment provide additional fault tolerance in this scenario?
A. No
B. Yes
C. Maybe
5. Looking at the following chart, choose tasks from the right column and place them in the left column in the order they should be deployed so that you come up with a completed DNS installation.
Tasks (left column, to be filled in)
Tasks (right column):
Point the DHCP scope’s DNS properties to the new servers.
Create Windows 2000 DNS zones to act as a secondary to BIND servers.
Disable Windows NT 4 DNS services on all NT 4 DNS servers.
Set up permissions on Windows 2000 secondary DNS Servers.
Change Windows 2000 secondary DNS zones to AD-integrated.
Dismantle BIND servers.
Update BIND version on legacy Unix servers.
Await completion of Windows 2000 upgrade.
Obtain a schema of current zone layout.
6. Will WINS be required once the network is completely cut over to Windows 2000? A. Yes, WINS will always be required. B. No, WINS will not be required. C. We don’t have enough information to make a determination.
Answers
1. D. In an integration situation such as this, the first thing you need to do is examine the DNS databases and see how the zones are currently configured. Then you might have to make decisions about the namespaces, especially if you’re going to support some clients on Windows 2000 DNS and some on the BIND servers. The second step will be to upgrade the version of BIND on the Unix boxes so they can interact with Windows 2000.
2. B. The quickest and easiest method is to simply remove the Domain Admins group from the list of users qualified to administer the Windows 2000 DNS database. This keeps the Unix admins from being able to administer the new DNS servers but continues to allow them the capability to administer the NT 4 DNS servers. Of course, since they’re domain admins, there’s not much keeping them from granting themselves this right again whenever they like.
3. C. Dynamic DNS means that servers (DHCP, DC, and DNS) and client computers have the ability to update resource records in DNS databases automatically. And while BIND 8.1.2 DNS can support dynamic updates, maybe it’s better to move DNS to Windows 2000. The AD-integration component is wonderfully helpful because you have built-in fault tolerance due to AD’s inherent replication to all DCs. Nevertheless, neither of these reasons give you the clout you need to go in and demand that the company immediately dismantle its BIND DNS and go forward with Windows 2000. More realistically, your Windows 2000 DNS servers will probably play some hybrid role in the overall DNS environment. Delegated domains—designating your Windows 2000 servers to act as DNS servers for a subdomain—will most likely be the solution.
4. A. The company is not in the kind of situation where immediate name resolution services are required and would crater the business if they went away for a brief time. You’re going to install a second DNS box on the other side of the WAN link so you have redundancy built in; a cluster server isn’t needed and would waste the company’s money.
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com
Integrating Windows 2000 DNS into a Legacy Environment
471
5. See the following chart:
Tasks (in deployment order):
Obtain a schema of current zone layout.
Update BIND version on legacy Unix servers.
Create Windows 2000 DNS zones to act as a secondary to BIND servers.
Set up permissions on Windows 2000 secondary DNS servers.
Point the DHCP scope’s DNS properties to the new servers.
Disable Windows NT 4 DNS services on all NT 4 DNS servers.
Await completion of Windows 2000 upgrade.
Change Windows 2000 secondary DNS zones to AD-integrated.
Dismantle BIND servers.
6. C. You’re told that the servers will all be migrated to Windows 2000. You’re not told whether the users will be brought up on Windows 2000 Professional workstations or not. Thus you don’t know if WINS will be able to go away or not. In a truly native Windows 2000 environment, there is no need for WINS because it is used for the purposes of NetBIOS name resolution, and in native Windows 2000 networks you’re using DNS instead.
Chapter 12
Designing a WINS Implementation
MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Design name resolution services.
Create a WINS design.
Create a secure WINS design.
Measure and optimize a WINS infrastructure design.
Design a WINS deployment strategy.
The purpose for using Windows Internet Name Server (WINS) on a network is to resolve NetBIOS names to IP addresses. Note that in contrast, DNS resolves host names to IP addresses. In the Microsoft world, your computer’s host name and NetBIOS name are often (and by default) the same. The major difference comes when you deal with non-Microsoft networks. DNS is an industry standard, whereas WINS is Microsoft-only. There are some very explicit guidelines for WINS, and not much has changed with the Windows 2000 implementation of WINS over Windows NT 4. If you’re careful to follow some basic instructions, WINS can be an extremely reliable tool for your network. The exam objective “Design name resolution services” includes more subobjectives than the ones listed here. The remaining objectives are discussed in Chapter 11, “Planning a DNS Implementation.”
Creating a WINS Design
If you started a network from scratch with new applications and Windows 2000 Professional workstations for the users and Windows 2000 servers for your server farm, you’d never have to use WINS on the network. It’s when you have legacy applications requiring NetBIOS name resolution, or legacy Windows computers on the network (and Windows NT servers), that WINS must be involved. If you’re working in that kind of environment and you’re planning a Windows 2000 upgrade, you’ve almost undoubtedly got a WINS server or two.
Microsoft Exam Objective
Design name resolution services. Create a WINS design.
The whole purpose of WINS is to resolve NetBIOS names to IP addresses by sending unicast messages across routers. In other words, WINS is designed to work around the fact that broadcasts don’t cross routers, just as DNS does. So on a small network where you don’t have any routers to cross, you may not need WINS at all. However, on larger networks, WINS can be a bandwidth saver. WINS clients will send a message directly to the WINS server asking it to resolve the NetBIOS name instead of broadcasting for a resolution. Any time you can cut down on broadcasts on your network, it’s a good thing. WINS servers provide two major benefits on a network:
They resolve NetBIOS names to IP addresses. While resolving names, WINS servers help reduce network broadcast traffic.
WINS servers on a network can easily handle name registrations and name resolution requests for 10,000 client computers.
When you design WINS servers, there are several concepts you need to be familiar with. They are described in the following sections.
Pushing and Pulling If you have multiple WINS servers on a network, you should synchronize their databases with each other. To do this, you set up what is called a push/pull partner relationship. If the first server sends its contents to the second, that’s called a push. If the first server obtains the contents of the second server on its own, it’s called a pull. You can (and should) set up WINS servers so they update one another’s database regularly. WINS servers can be push partners, pull partners, or push/pull partners. Pushes are triggered by a certain number of database updates, and pulls are triggered by a time interval. If your WINS servers have a slow WAN link between them, Microsoft recommends making them pull partners only.
WINS Proxy Agents Some (non-Microsoft) NetBIOS clients are not able to work with WINS servers, but they need to be able to perform NetBIOS name resolution. A good example of such a client is a CD tower that uses NetBIOS but is not a WINS participant. Since the tower cannot use WINS, it resorts to broadcasting to resolve names. But what happens if the client in question is on the other side of a router? In such a case, you’d have to set up a WINS proxy agent that would resolve names on behalf of this client. The WINS proxy agent intercepts the broadcast and forwards the request to the WINS server for resolution. WINS proxy agents are very similar in theory to DHCP relay agents.
Multicast WINS Server Discovery Windows 2000 computers have the capability to discover new WINS server partners via multicast on 224.0.1.24. The default time delay between multicasts is two hours.
Name Resolution Order WINS uses the concept of a node type. Node types are hexadecimal numbers that you enter in DHCP scopes (or in a client’s registry if it doesn’t use DHCP) and that tell the WINS client the order of name resolution to use. The default type, node type H or hybrid node, checks a WINS server first, then broadcasts for the name, and then checks the local LMHOSTS file (discussed in the next section). Other node types are
M (mixed): M-node is the opposite of hybrid node in that it broadcasts first and then tries the WINS server.
P (peer): P-node clients only try the WINS server (no broadcasting).
B (broadcast): B-node clients broadcast only.
Here is the default order for NetBIOS name resolution, which you should commit to memory:
H-Node Search Order
NetBIOS cache on client computer
WINS
Broadcast
LMHOSTS file
Hosts file
DNS
A helpful mnemonic device to remember the order is “Can We Buy Large Hard Drives” (or, alternately, “Cows With Big Lips Have Drool”).
Note that a client computer trying to resolve a computer name first checks its cache to see if the name is listed there. You can check the current listings in your cache, plus obtain the time to live for cache entries, by simply going to a command prompt and entering the command NBTSTAT -c | more. If the cache can’t resolve the request, WINS is checked next. If WINS can’t resolve it (which should not be the case very often), a broadcast is made for this host. If you’re broadcasting for a host, generally you’re going to find it unless it’s offline or unavailable in some other way. If broadcasts don’t work, the client checks the local LMHOSTS file, then the Hosts file (if it exists—Hosts files are used for FQDN-to-IP address resolution and aren’t often used in the Windows world), then finally DNS. By the time you get to DNS, it’s highly unlikely you’ll find this host because you’ve already attempted a broadcast for it. Since the Hosts file and DNS were designed for host names and you are dealing with NetBIOS names, chances are that if you get through the LMHOSTS file with no resolution, you are out of luck.
LMHOSTS File In the \Windows directory of Windows 3.x or 9x computers and the %systemroot%\System32\Drivers\Etc directory of NT computers, you’ll find a file called LMHOSTS. The file is very easy to use: Each line includes the IP address of a computer that the client may need to connect to, a tab, and then the computer’s NetBIOS name. You can include keywords such as
#PRE, which loads the entry into memory for dynamic cache allocation
#DOM, which designates that computer as a domain controller
#INCLUDE, which references a global LMHOSTS file on a remote machine.
The LMHOSTS file is easy to set up but difficult to maintain, especially if you have many users referencing it or you have a dynamic IP environment (like when using DHCP). The most effective way to use LMHOSTS is to have one master LMHOSTS file on a shared directory on a server—one with sufficient rights so that all computers can access it. Then, in the logon script for the clients, you simply download a copy of LMHOSTS at logon. You can put some logic in to do some date checking on the client’s LMHOSTS file compared to the server file, but that’s not usually necessary since these are mostly tiny files. Optionally, you can use the #INCLUDE keyword to reference the server file from the client’s file.
Instructions for using LMHOSTS can be read by directly editing the file. You edit LMHOSTS.SAM and then rename it to LMHOSTS (with no extension) on most clients. Note that LMHOSTS is similar to Hosts—where the Hosts file is used for host names, the LMHOSTS file is used for NetBIOS names.
You can install the WINS Server service on Windows 2000 domain controllers, member servers, or stand-alone servers. These WINS servers are backward compatible with any Windows NT 4 WINS servers you currently have in your network, and they can act as push/pull partners with Windows 2000 servers.
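As an added example (not code from the book), the following Python models the two mechanisms described above, the node-type search orders and the LMHOSTS file format: it parses a constructed LMHOSTS file, preloads the #PRE entries into the client’s name cache, records #DOM and follows #INCLUDE, and then walks the H/M/P/B search order against stand-in WINS, broadcast, Hosts and DNS tables. All names, addresses and the include share are made up for the example, and caching of successful answers is an assumption.

```python
"""Toy NetBIOS resolver: LMHOSTS parsing plus node-type search order.
Added illustration, not code from the book; all data below is constructed,
and WINS, broadcast, Hosts and DNS are dictionaries, not network calls."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Search order per node type, as the chapter describes each type:
# H-node is the default, P-node never broadcasts, B-node never asks WINS.
SEARCH_ORDER: Dict[str, List[str]] = {
    "H": ["cache", "wins", "broadcast", "lmhosts", "hosts", "dns"],
    "M": ["cache", "broadcast", "wins", "lmhosts", "hosts", "dns"],
    "P": ["cache", "wins"],
    "B": ["cache", "broadcast"],
}


@dataclass
class LmhostsEntry:
    name: str
    ip: str
    preload: bool = False          # #PRE: loaded into the name cache at startup
    domain: Optional[str] = None   # #DOM:<domain>: host is a domain controller


def parse_lmhosts(text: str, includes: Optional[Dict[str, str]] = None,
                  depth: int = 0) -> List[LmhostsEntry]:
    """Parse '<ip><tab><NetBIOS name> [#PRE] [#DOM:<domain>]' lines. `includes`
    maps the path on an #INCLUDE line to that file's text (a stand-in for the
    master LMHOSTS on a server share). Any other text after '#' is a comment."""
    includes = includes or {}
    entries: List[LmhostsEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("#INCLUDE"):
            parts = line.split(None, 1)
            if len(parts) == 2 and depth < 4:          # cap nested includes
                entries.extend(parse_lmhosts(includes.get(parts[1].strip(), ""),
                                             includes, depth + 1))
            continue
        if line.startswith("#"):
            continue                                   # whole-line comment
        tokens = line.split()
        if len(tokens) < 2:
            continue                                   # malformed line, skip
        entry = LmhostsEntry(name=tokens[1].upper(), ip=tokens[0])
        for tok in tokens[2:]:
            if tok.upper() == "#PRE":
                entry.preload = True
            elif tok.upper().startswith("#DOM:"):
                entry.domain = tok[5:]
            elif tok.startswith("#"):
                break                                  # trailing comment
        entries.append(entry)
    return entries


class NetbiosResolver:
    """Walks the node type's search order and records the steps consulted."""

    def __init__(self, node_type: str, lmhosts: List[LmhostsEntry],
                 wins: Dict[str, str], broadcast: Dict[str, str],
                 hosts: Dict[str, str], dns: Dict[str, str]) -> None:
        self.order = SEARCH_ORDER[node_type]
        # #PRE entries start out in the cache (what NBTSTAT -c would list).
        self.cache = {e.name: e.ip for e in lmhosts if e.preload}
        self.tables = {"lmhosts": {e.name: e.ip for e in lmhosts}, "wins": wins,
                       "broadcast": broadcast, "hosts": hosts, "dns": dns}

    def resolve(self, name: str) -> Tuple[Optional[str], List[str]]:
        """Return (ip or None, steps tried in order)."""
        name, tried = name.upper(), []
        for step in self.order:
            tried.append(step)
            table = self.cache if step == "cache" else self.tables[step]
            ip = table.get(name)
            if ip is not None:
                self.cache[name] = ip   # assumption: answers are cached for reuse
                return ip, tried
        return None, tried


# Constructed sample data (not from the book).
SAMPLE_LMHOSTS = """\
# LMHOSTS for a client on the 10.1.1.0/24 segment
10.1.1.5\tFILESRV01\t#PRE
10.1.1.10\tPDC01\t#PRE #DOM:CORP    # domain controller
10.1.2.20\tPRINTSRV                 # not preloaded
#INCLUDE \\\\FILESRV01\\public\\lmhosts
"""
SAMPLE_INCLUDES = {r"\\FILESRV01\public\lmhosts": "10.1.3.30\tCDTOWER01\n"}


def make_resolver(node_type: str) -> NetbiosResolver:
    """Resolver over the sample data; WINS and the broadcast segment each know one extra name."""
    return NetbiosResolver(node_type, parse_lmhosts(SAMPLE_LMHOSTS, SAMPLE_INCLUDES),
                           wins={"WINSONLY": "10.1.9.9"},
                           broadcast={"LOCALBOX": "10.1.1.77"}, hosts={}, dns={})
```

Comparing the `tried` lists for the same name under H, M, P and B shows why the chapter tells you to leave DHCP clients at H-node: only H and M ever reach LMHOSTS, and only H asks WINS before it broadcasts.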
Creating a Secure WINS Design
You can secure WINS servers in much the same way that you secure DNS servers. If you have WINS traffic crossing the Internet, remember that the data is ASCII text and fully readable—probably not a good thing to have going out over a public network. You can get around this problem by setting up a VPN between your sites or by using IPSec to encrypt the data and then send it out. Tunneling the data via VPN or IPSec makes it much more secure.
Microsoft Exam Objective
Design name resolution services.
Create a secure WINS design.
In a screened subnet design, where you want Internet clients to be able to reference names registered with corporate WINS servers, consider making the WINS server in the screened subnet a pull partner with the corporate WINS server on the other side of the firewall, as illustrated in Figure 12.1.
FIGURE 12.1 WINS servers on a screened subnet (diagram: Internet, firewall, screened subnet (DMZ) containing a web server and a WINS server, firewall, private network containing a WINS server)
You’ll need to open TCP ports 137 and 139 and UDP ports 137 and 138 in order to facilitate any WINS traffic between firewalls.
WINS servers can be put on a cluster for fault-tolerance purposes.
Tuning and Optimizing WINS
Microsoft provides several features for tuning and optimizing WINS deployments. While in Windows 2000 WINS isn’t the primary name resolution service that it once was in the Windows genre, it is still required for backward compatibility. Therefore, there is still a need to make sure that adequate performance-tuning techniques are available for administrators who need to use this system.
Microsoft Exam Objective
Design name resolution services.
Measure and optimize a WINS infrastructure design.
Server Optimization Techniques One of the biggest changes from NT to Windows 2000 is that WINS is now multiprocessor-aware. This means that you can either purchase a dual-processor system for each of your WINS server computers or, if possible, you can upgrade your current WINS servers to dual-CPU. Dual-CPU computers running symmetric multiprocessing (SMP)-aware applications can improve the performance and throughput of your servers. If you have multiple hundreds or thousands of users hitting your WINS servers daily, consider upgrading the servers to dual-CPU boxes. Four processors may be overkill, but two-way computers can really improve performance.
WINS is a memory-intensive service. It’s safe to say that RAM on a WINS server is more important than processor speed. Monitor your WINS server to see how much memory is consistently available. If it’s low or you have excessive paging, definitely add more RAM. There is no such thing as too much RAM in a Windows 2000 server.
If your WINS box is old, then you’ve probably got some old SCSI drives running at 7,500rpm. You can do your system a big favor by replacing them with 10,000rpm SCSI drives. If you don’t have SCSI, now is a good time to upgrade your WINS servers with appropriate technology. Servers don’t work very well with IDE drives; IDE is a standard made for desktop computers, not servers.
If your network infrastructure can support it, set the network card to 100Base-T full duplex. Make sure the switch port is set for 100-Full as well. Don’t trust auto-negotiation of these ports! Verify with your own two eyes that the switch port and the NIC port are set at 100-Full. If your NIC doesn’t support 100-Full but your network infrastructure does, upgrade the NIC and get it to 100-Full. If your infrastructure doesn’t support it, you need to go back a few chapters and get the network infrastructure fixed first.
Windows 2000 WINS servers support a new concept called burst-mode name registration. Suppose that you have a few thousand users who log on Monday morning, and they all need to reference some computers from the WINS server. The WINS server gets really backed up and can’t handle the load. Burst-mode name registration has the WINS server count how many requests the WINS server component is getting and, when the number exceeds 500, sets the time to live (TTL) for the clients making and caching the request to 5 minutes. For every 100 client registration requests over 500, the TTL has 5 minutes added to it. For example, for 600 clients the TTL is 10 minutes; for 700 clients the TTL is 15 minutes. This is a smart way to make sure that bursting doesn’t slow down the WINS server again very soon. (Burst handling is available in NT 4 WINS with current service packs.)
Supply enough servers for the network to support all of its users without going overboard on the number of WINS servers you have installed. Too many WINS servers can create as many problems as not enough WINS servers. For fault-tolerance purposes, figure out where your WAN SPOFs are and place a WINS server at each location. For instance, if you have three locations separated by three routers, for fault tolerance you’ll need three WINS servers. That way, if one of the WAN links crashes, users can fall back on the local WINS server—not to mention that users will consult their local WINS server for name resolution before they ever cross the network.
Another way to optimize servers is to take advantage of persistent connections for push partners. This cuts down on network traffic by cutting out the session-creation traffic on each push replication event.
Client Optimization Techniques There is one crucial thing you can do in order to increase the client’s performance. When a client registers with a WINS server, WINS waits a certain time (which is configurable); if a computer name doesn’t renew its WINS entry within that time, the entry is tombstoned. Tombstoning allows the entry to live for a little longer, but it’s practically, officially dead and will be removed from the database very soon. If the client renews before the renewal time, the WINS server retains the client information in the database. In Windows NT 4 WINS and Windows 2000 servers, the renewal interval is six days. Figures 12.2 and 12.3 illustrate what this screen looks like when editing a WINS server’s properties in Windows NT 4 and Windows 2000 respectively. It’s important for you to understand that WINS clients act just like DHCP clients: At 50 percent of the renewal period, the WINS client contacts the WINS server and reregisters its name. This, as you might imagine, creates network activity. If you extend this renewal period, you’ll do your network a favor by not hammering it so often with WINS renewals, although Microsoft estimates that only about one percent of the traffic on a typical network is taken up by WINS. Lengthening this renewal period will likely not produce noticeable results unless you’re on an already overloaded network, in which case you need to review your infrastructure.
FIGURE 12.2
The Windows NT 4 Renewal Interval setting
FIGURE 12.3
The Windows 2000 Renew Interval setting
You can also provide multiple WINS servers for redundancy. Suppose that WINS server A is down when the client renews. WINS server B will pick up the renewal request and register the client’s name in WINS. Then, when WINS server A comes back online and a push/pull happens, WINS server A will also know about the client computer. Check the DHCP scope settings on your DHCP server to make sure the node type for NBNS (NetBIOS Name Server, another name for WINS) is set to 0x8, h-node. If it’s set to some other value, change it back. You want your clients referencing WINS first, broadcasts second, LMHOSTS last. If need be, make sure clients have an updated LMHOSTS file on their local machines.
Windows 2000 clients can reference up to 12 WINS servers, whereas older Windows 3.x, 9x, and NT computers could only use two.
Measuring WINS Server Name Resolution Performance When WINS is installed on a computer, a System Monitor object is added, and there are several counters that you can use to measure the performance of your WINS servers. This is probably the best and most factual way of determining how busy your WINS boxes are. Both Windows NT 4 and Windows 2000 have this feature. You can also do a quick test simply by measuring ping times. Ping a NetBIOS name and time how long it takes to return the reply. The <10ms figure that a typical ping returns is usually fine; if your ping time is too long, it might indicate a problem. Long ping times imply either name resolution issues (busy WINS server or not enough hardware), or you need to upgrade your infrastructure. A second important thing to monitor is the convergence time. The WINS convergence time is the time it takes for a new entry in one WINS server to replicate to a second WINS server. Type an entry for a bogus server into the first WINS server. See how long it takes to replicate this info to the second WINS server. This is the convergence time. If it’s too long, adjust down the amount of time between database replications.
Designing a WINS Implementation
WINS implementations are fairly straightforward, even in a setting where you’ve already got some NT 4 WINS servers and you’re going to add some Windows 2000 WINS servers.
Microsoft Exam Objective
Design name resolution services.
Design a WINS deployment strategy.
First, determine the number of clients you have to support. Also determine whether that number is expected to grow appreciably. If it’s not, and you currently have some Windows NT 4 servers that are running WINS, upgrade them to Windows 2000, being careful to check their performance after they’ve been upgraded. (You may need to add some hardware to a server that was marginally acceptable under Windows NT 4 but isn’t working very well under Windows 2000.) If you expect a surge in client growth, now’s the time to add more WINS servers. Always evaluate the placement of the WINS servers—the current ones in a legacy situation or where you’re going to place your new servers if you’re building a new deployment. Remember that if Windows 3.x, 9x, and NT clients can’t resolve a NetBIOS name, they aren’t going to work very well, so make sure you have redundancy and ample coverage. The most difficult challenge with this is going to be making sure that your push/pull partners are planned out well and that the length of time between replications is sufficient to keep all of the servers up to date with current data, but not so frequent as to burden the network. Generally speaking, if you have a large body of clients on a remote network connected by a known slow WAN link, put a WINS server out there. Networks that don’t experience voluminous server expansion can also get by with a local LMHOSTS file on each client as a backup instead of a remote WINS server.
You’ll have to take into account time-zone differences between your locations and adjust your replication times accordingly.
In a DMZ environment, if you opt to put a WINS server out with the web servers (you’d only do this for applications that required it), make sure that this server is a pull partner, not a push partner, with other WINS servers on the private network. Non-WINS NetBIOS clients can make use of a WINS proxy agent on the same subnet for name server services. The WINS proxy agent sends a name resolution request to a valid WINS server and then returns the results back to the client. On Windows 2000 servers, adjust the WINS server properties and turn on Database Consistency checking so that it runs regularly. The default is once a day.
Whither WINS? Sammy is an NT administrator who’s now in the throes of designing a new Windows 2000 rollout. He has three WINS servers on a network of three large campuses (one per campus network), separated by high-quality frame relay circuits and nice new routers. The two remote WINS servers are push/pull partners with the central WINS server at Sammy’s headquarters office. The servers are running on old Dell desktop computers, and while their performance isn’t exactly stunning, users don’t complain very often. But Sammy’s puzzled. He’s been reading that Windows 2000 doesn’t need WINS, that Microsoft wants to reduce the size of the data crossing the network by slimming down the NetBIOS traffic, especially NetBT. Nevertheless, here he is with three WINS servers, and he knows that it’s going to take a remarkable amount of time to convert all the users to Windows 2000 Professional workstations so they don’t need WINS. He’s not sure how to get this task done. He starts by deciding that the WINS servers are going to be around for at least another year while he goes through the motions of rolling out the new Windows 2000 deployment. But he’s not sure whether to leave these servers all running Windows NT 4 and cope with their slowness, or upgrade them to new computers, install Windows 2000 Server with WINS, and reap the benefits of updated hardware and longer renewal times.
Then it occurs to him: He can increase the memory in the current WINS servers and add a better, faster NIC. He can even update the processor on a couple of the servers. After all, these boxes are dedicated to WINS. There’s nothing stopping him from extending the client renewal time out beyond the six-day limit, especially since his network isn’t expanding. So Sammy makes a decision. He’s going to keep his legacy Windows NT 4 WINS servers, spruce them up a bit, and bide his time with them until he gets all clients weaned off of Windows NT 4 and onto Windows 2000. Then he’s going to remove the WINS servers from the network and donate them to a school.
Summary
WINS resolves NetBIOS names to IP addresses. WINS is not a required service for the Windows 2000 operating system but it comes with Windows 2000 Server because there are still a great number of clients on many networks that require WINS services.
If you already have WINS, figure out if the WINS server is (literally) up to speed with the current network. Run a System Monitor session to see if they’re bogged down anywhere. If need be, add a CPU, a high-speed disk, and RAM to servers that require upgrades. Or replace the box altogether, keeping in mind that Windows 2000 WINS servers are SMP-aware.
Assess how many users you have on the network and where they’re placed. Determine if you have adequate NetBIOS name resolution coverage in every location. Place a WINS server in locations where you think one’s needed, but don’t go overboard; you can easily get too much of a good thing. Examine the push/pull relationship of the various servers to make sure that the setup is correct. Examine whether you can increase the renewal times to cut down on network traffic. Be sure to plan for time zones when figuring out the database replication schedules, tuning until all servers routinely have a fresh database copy and the databases in remote locations aren’t so old that clients can’t resolve names quickly. Leave clients set at H-node for optimum efficiency—H-node clients use WINS first, and then broadcast for name resolutions.
For locations that require complete fault tolerance, consider putting your WINS server service on a cluster—Windows 2000 WINS Server will work on a clustered server. Consider placing the local LMHOSTS file on NetBIOS clients as a fallback in case a WINS server fails. Note that this might be a highly acceptable workaround to placing a full-blown WINS server in a remote location, and you can handle the whole thing with logon scripts. WINS proxy agents allow non-WINS clients to obtain a name resolution from a WINS server. Windows 2000 WINS computers support burst-mode name registration, meaning that they automatically take care of setting different TTLs on name registration requests that they hand out so that all of the computers don’t come back to the WINS server at the same time the next time they need to make a request. Once your network is completely Windows 2000–based, you can pull the WINS servers off of the network and reduce your administrative burden. Don’t forget that Windows 2000 DNS can be configured to forward unresolved names to WINS for further resolution attempts.
Exam Essentials
Know when to use WINS. WINS is needed on your network when you have downlevel clients (pre-Windows 2000) or an application that uses the NetBIOS naming convention.
Know when to not use WINS. If your network will be running all Windows 2000-based computers and you have no applications that require NetBIOS naming, you do not need WINS. In cases like these, you can also reduce network traffic by disabling the NetBIOS interface on your Windows 2000 computers.
Know how to secure WINS. WINS servers are capable of replicating with each other as push/pull partners. If this replication traffic is traversing public networks, you may want to use a VPN and/or IPSec.
Understand WINS monitoring and optimization. System Monitor is the primary tool used for WINS monitoring. When WINS is installed, a WINS object and several counters are added to System Monitor. WINS is somewhat processor-intensive, but RAM is more important for its proper operation.
Know how to deploy WINS properly. Two WINS servers can easily handle 10,000 client computers. However, if you have remote locations, it’s a good idea to have a WINS server at each physical location. If you are using multiple WINS servers, configure them as push, pull, or push/pull replication partners to ensure database consistency.
Key Terms
There aren’t a lot of terms associated with WINS, and you’ve probably encountered them in your earlier NT 4 or Windows 2000 studies, but they’re included here to refresh your memory. Before you take the exam, be certain you are familiar with these terms:
burst-mode name registration
convergence time
hybrid node (H-node)
LMHOSTS
node type
push/pull partner
Windows Internet Name Service (WINS)
WINS proxy agent
Review Questions

1. You are the network administrator for your company. When you begin to install Windows 2000 WINS, your boss asks you about the new burst-mode feature that they heard about. What does the burst-mode feature in the Windows 2000 WINS server service do?
A. Keeps WINS servers from being inundated with name registration requests.
B. Forwards multiple name resolution requests to other WINS servers.
C. Forwards name resolution requests to DNS servers.
D. Shuts down broadcast storms on the network.

2. You are planning a WINS implementation for your company’s Windows NT and Windows 2000 network. There will be two WINS servers installed on your network. Your network has 750 client machines, which all run some form of Windows. What type of replication, if any, should you set up for your WINS servers?
A. Push partners only
B. Pull partners only
C. Push/pull partners
D. No replication is required between the servers.

3. You are the network administrator for your company. You have 350 client machines and five servers. There is a mixture of Windows NT Workstation and Windows 2000 Professional clients on your network. Your one WINS server seems to occasionally take a long time to respond to client requests. What are some ways that you can improve the performance of your WINS server? Choose all that apply.
A. Add a second processor.
B. Add a redundant WINS server.
C. Upgrade to faster disks.
D. Add RAM.
4. You are the network administrator for your company. You have only one WINS server on your network of two campuses. The campuses are separated by a slow WAN link and routers. How does WINS work across this link so that clients on the opposite side of the network from the WINS server are able to resolve names?
A. The router needs to have a helper address configured.
B. The WINS protocol can tunnel within TCP/IP so it can get across routers.
C. The WINS clients know the address of the WINS server, which allows them to send direct messages through the router.
D. You must have a WINS proxy agent on that side of the network, and your clients aren’t aware of it.

5. You have recently been hired as a network administrator for a medium-sized insurance firm. One of your first tasks is to monitor the WINS server because people often complain that locating network resources is slow. What can you use to look at WINS performance? Choose all that apply.
A. System Monitor
B. PING
C. Convergence times
D. WINSADMIN

6. You are the network administrator for your company, which has an office in Houston and an office in Chicago. Recently, your WINS server crashed. Users were not able to locate Windows NT–based resources, and production nearly came to a halt. To prevent this from happening again, you need to make the WINS servers fault tolerant so that clients are always able to perform name resolution lookups. Select the best two methods.
A. Put the WINS database on a RAID 5 array.
B. Put a redundant WINS server on each remote segment of your network.
C. Set the database replication times so they’re very quick.
D. Put your WINS server service on a cluster server.
7. Your network consists of two Windows NT Server computers, three Windows 2000 Servers, and 200 client computers, all running various versions of Windows. Network bandwidth is at a premium, and management is worried that WINS is causing excess network traffic. What’s a good way to cut down on the amount of network traffic that clients create when using WINS services?
A. Put a WINS server on each remote segment of the network.
B. Enable the forwarding of unresolved requests from DNS to WINS.
C. Set the client renewal time longer than the six-day default.
D. Install a local LMHOSTS file on each client.

8. You are the administrator for your network. You have recently set up two WINS servers, but you haven’t configured them as replication partners. You have heard that WINS servers can multicast to find other WINS servers on the network. How often does automatic partner discovery take place in Windows 2000 WINS servers?
A. Every two hours
B. Every four hours
C. Every six hours
D. Every eight hours

9. You have a WINS server in Tokyo and one in New York. You have no permanent WAN connectivity between the two locations. How can you connect the two WINS servers together in a secure fashion? Choose all correct answers.
A. Over a VPN
B. By using dial-up networking
C. By using RADIUS
D. Through a secure connection using IPSec
10. You are upgrading your Windows NT domain to Windows 2000. Currently, you have two Windows NT WINS servers running. One of your objectives is to assess the viability of Windows NT WINS servers in a Windows 2000 domain. Can you have Windows NT 4 WINS servers working with Windows 2000 WINS servers?
A. No, that’s not possible due to the enhanced features of Windows 2000 WINS.
B. No, you can’t because of the increased default renewal times of Windows 2000 WINS servers.
C. Yes, but you’ll have to carefully watch convergence times to make sure things are operating correctly.
D. Of course you can, but you’ll want to make sure the settings are identical and the push/pull partners are correct.
Answers to Review Questions

1. A. If a Windows 2000 WINS server gets hit with more than 500 simultaneous name registration requests, it kicks into burst mode. This doesn’t help the initial problem, but it prevents it from happening again because the WINS server gives different clients different TTL times, so they don’t all expire at once and go looking for a refreshed name resolution all at the same time.

2. C. If your WINS servers are connected with a high-speed connection, it’s best to set them up as push/pull partners. This configuration ensures the best database congruity. If you have a slow WAN link connecting your WINS servers, make them pull partners only so you can control the times at which they replicate with each other.

3. A, C, D. Windows 2000 WINS servers support multiple processors. RAM is always a good component for WINS, as are fast hard drives.

4. C. WINS clients are configured with the address of a WINS server, which means they ask the server directly. WINS is not a broadcast-based service like DHCP.

5. A, B, C. There are several System Monitor counters you can use for evaluating the performance of your WINS servers. PING is a useful utility for timing the response of your WINS servers: ping a NetBIOS name and see how long it takes to respond. You can time how long it takes a new entry in WINS to be replicated to a second WINS server; this is the convergence time. Adjust the database replication period according to whether you need replications to happen sooner or later.

6. B, D. By placing a WINS server on each remote segment of your network, you maximize the probability that clients will be able to resolve names even if the WAN circuit goes down. You have to pay attention to your push/pull partner relationships so that you’re sure that a remote WINS server is getting an updated database. You can also place your WINS server service on a cluster server, making it capable of failing over in the event of a failure. Answer A sounds like a good answer, but it doesn’t help clients on the other side of a WAN circuit, who are left unprotected if the circuit goes out.
7. C. The most important thing to remember with WINS clients is that they renew their name registration at 50 percent of the time they’ve been given for renewal (the so-called half-life). That means that if you have the renewal period set for six days, clients will try to re-register with WINS in three days, which could potentially slow the network. Extend that period much further so you trim down on the amount of network activity going over the wire.

8. A. Windows 2000 WINS servers will go out and attempt to find other WINS servers every two hours. Remember that this is done with multicast (in multicast group 224.0.1.24) and that routers don’t typically forward multicast requests. So for all intents and purposes, the WINS server will never find remote WINS servers to share their data with.

9. A, D. You can secure WINS database replications over a VPN or an IPSec connection. Tokyo can use a cheap connection to its ISP and you to yours, thus saving money, using the Internet’s backbone and making sure the data’s secure all at the same time.

10. D. Windows NT 4 WINS and Windows 2000 WINS will cooperate nicely together. Just make sure you look at client renewal and database replication times. You can manage all of your WINS servers from a Windows 2000 WINS interface, but you cannot manage Windows 2000 WINS servers from the old Windows NT 4 WINS Administrator tool.
Case Study: Integrating Windows 2000 WINS into a Legacy Environment

You should give yourself 10 minutes to review this case study, diagram as needed, and complete the questions for this testlet.
Current System

You’re the system administrator for a network of 500 users. Your supervisor, the chief information officer (CIO), has assigned you to upgrade the network to Windows 2000 servers and workstations. Your network is spread out over three buildings in a warehouse park. The buildings are very close together and are connected by fiber-optic cables from building to building in a triangular fashion so that if any one cable goes bad, you have a redundant path. We’ll call the buildings Building A, Building B, and Building C. The user base is split roughly in thirds, with about 200 users in Building A, 150 users in Building B, and another 150 users in Building C. Most of the users are on Windows NT Workstation 4 with SP5 applied. The majority of your servers are in a nice server room in Building A. There you have a PDC, a BDC, some applications servers, and a server that is running WINS and acting as a print server for the entire network. The other two buildings have no servers.
Envisioned System

Your current problem is to come up with a fault-tolerant WINS design. You’ve had problems with the WINS server before, or more appropriately, with name resolution. During those times when users couldn’t access a resource because their client software couldn’t resolve a name, you sometimes wound up having to delete the old WINS database and rebuild it anew. You’re not happy with the current fault tolerance of the system, and you’d get more sleep knowing that the system won’t go down as often. Also, you aren’t sure that the WINS server should be hosting print services as well, since you have about 20 printers.
Availability

You’ve come to realize that the availability of name resolution services is one of the most important products you can provide on your network. The CIO tells you, “Name resolution issues have killed us in the past, and I want to put them to an end!”

Maintainability

Overview: While you’re not ecstatic about maintaining more systems, the redundancy that a second WINS server provides is very appealing to you.

CFO: “You know what? If it takes a second or even a third server to do what you think needs to be done to avoid the problems we’ve had in the past, then I’m OK with it.”

Performance

Overview: The fiber-optic connections between the buildings terminate into some uplink cards on switches. You have no routers. The speed is very good, and you have no complaints. You wonder about the added load of a redundant WINS server.

CFO: “I’d rather not have to update the connections between our buildings.”

Funding

Funding is not an issue, within reason. Your boss, the CFO, says, “We’ve talked about the previous Windows 2000 design, and I like what you’ve come up with so far. Is there a way that you can use a couple of desktop computers for this new service you want to install?”
Questions

1. What’s the first step that needs to be taken in this WINS upgrade project?
A. Install Windows 2000 on the first WINS server and make it a Windows 2000 DC.
B. Prepare a server that acts as a dedicated WINS server and move WINS off of the print server.
C. Purchase a second WINS server computer.
D. Install NT 4 and WINS on a desktop computer.

2. Do you require a second WINS server?
A. No, because you can put a WINS proxy agent on computers in each of the other two buildings.
B. No, because a second WINS server in a small network like this would be overkill.
C. You could go either way on a decision like this.
D. Yes, because you don’t currently have any backup or fault tolerance for your WINS environment.

3. Suppose that you continue to have some speed problems with WINS name resolution requests. Where should you begin to look for ways you can optimize the system? Choose all that apply.
A. Add RAM to the old WINS server.
B. Add a CPU to the old WINS server.
C. Update the disk on the old WINS server to a faster one.
D. Install a second WINS server in Building B.
4. Would a cluster server environment work in this case-study scenario for additional fault tolerance?
A. No
B. Yes
C. Maybe

5. Looking at the following chart, choose tasks from the right column and place them in order in the left column so that you come up with a completed WINS installation.

Task Order: (fill in)

Tasks:
Run System Monitor on the old WINS server to identify its performance characteristics.
Install Windows 2000 on the old WINS server and make it a domain controller.
Purchase a second WINS server.
Move the print server services off the old WINS server to a new Windows 2000 member server.
Explain to your boss why desktop computers should not be used as servers.
Set up a push/pull relationship between the two new WINS servers.
Install Windows 2000 on the second WINS server and make it a member server.

6. Is the six-day WINS client renewal period sufficient for this design?
A. Yes, it’s acceptable.
B. No, it should be lengthened.
C. No, it should be shortened.
Answers

1. B. You already suspect that your current WINS server is overloaded by hosting print services as well. WINS service for a 500-node network isn’t going to take a killer computer. Buy another server and offload the print services, which will benefit from the augmented CPU speed, additional RAM, and offloading of the WINS service.

2. D. The second WINS server is absolutely mandatory, even in this small network. You know that you’ve had problems previously with only one WINS server, and it should be obvious to you that you need to add some level of fault tolerance to the current system. It’s amazing how a small thing such as name resolution can create so many user problems! Install a second WINS server in the computer room and set it up as a push/pull partner with the old WINS server.

3. A, B, C. WINS servers, like any other server, are basic in their I/O needs. Typical scenarios that you’ll find, especially in older servers, include a RAM-starved situation. A distant second is an overtaxed CPU. Higher-speed disks will definitely make a difference, but not nearly as much as an adequate amount of RAM for the task the server is trying to perform.

4. B. Yes, but the solution would be a case of complete overkill. Adding a redundant WINS server will provide plenty of fault tolerance for this smaller environment.
5. See the following chart:

Task Order
Step 1: Explain to your boss why desktop computers should not be used as servers.
Step 2: Run System Monitor on the old WINS server to identify its performance characteristics.
Step 3: Move the print server services off the old WINS server to a new Windows 2000 member server.
Step 4: Purchase a second WINS server.
Step 5: Install Windows 2000 on the old WINS server and make it a domain controller.
Step 6: Install Windows 2000 on the second WINS server and make it a member server.
Step 7: Set up a push/pull relationship between the two new WINS servers.

Probably the most important problem here is to make sure your boss understands why desktop computers aren’t good choices for servers! He’s telling you that he wants to calm his irate user base down and then asking you if you can use inexpensive desktops. You need to sit him down and explain how this whole thing works.

6. B. This is a small enough network in which you can anticipate marginal changes, which implies that a six-day client renewal period is entirely too short. You can adjust this number way out there, say 30 days, so that you don’t have to clog the network with unnecessary client renewals.
Chapter 13
Building a Distributed File System Strategy

MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Design a Distributed File System (Dfs) strategy.
Design the placement of a Dfs root.
Design a Dfs root replica strategy.
Distributed File System (Dfs) was introduced by Microsoft back in the Windows NT 4 days as an optional add-on component. Dfs allows you to set up one place where users can map a network drive, fooling the users into thinking that one server is supporting all of the shares on the entire network. But behind the scenes, Windows 2000 is redirecting the client to the actual server and share that hold the requested data. You can think of Dfs as a share of shares. Dfs saves user confusion, creates a centralized network share environment for you to manage and, in general, is designed to make things easier for you and your users. A good analogy for understanding Dfs is that of a web site. All the information you need is located on that one site. However, the information you are actually accessing may be on any number of servers. The physical number of servers is unimportant to you, but being able to find the information you want is definitely important. As with any service designed to simplify, if it’s not implemented well it won’t make your life easier; it’ll make it harder. As simple as Dfs sounds, it still takes planning and a pragmatic methodology.
You’re probably wondering why the acronym Dfs isn’t in all caps. This is because another file system product is already out with the acronym DFS. DFS is written by Transarc, a wholly owned subsidiary of IBM. Since the acronym was taken, Microsoft had to resort to using two lowercase letters in the acronym instead of all capitals.
Before diving into the intricacies of Dfs, it’s important to point out a couple of subtleties that will potentially make a difference in your design decision about whether to deploy Dfs:
Windows 2000 comes with a little utility called DFSCMD that allows you to script Dfs commands for ease of administration.
Certain Windows 9x clients are not Dfs-aware without the benefit of a downloadable and installable client. Windows 98 clients come with the capacity to see stand-alone Dfs (described later in this chapter) only; you’ll need to download an updated client to see domain-based Dfs. Windows NT 4 clients, post-SP3, are similar. If your shop is predominantly old Windows 95 or pre-Windows 98 SE, you’ll have to upgrade your clients in order for them to see Dfs. Table 13.1 shows what Windows 2000 Help has to say about platform compatibility for Dfs clients and roots.

TABLE 13.1
Platform Compatibility for Dfs Clients and Roots

Platform | Host Dfs Client | Host Dfs Root
DOS, Windows 3.x, Windows for Workgroups, and NetWare servers | No | No
Windows 95 | Yes, download client for Dfs 4.x and 5 | No
Windows 98 | Yes, Dfs 4.x and 5 (stand-alone) client included; download client for Dfs 5 (domain-based) | No
Windows NT 4 and Service Pack 3 | Yes, Dfs 4.x and 5 (stand-alone) client included | Yes, stand-alone server only
Windows 2000 | Dfs 5 client included | Yes, stand-alone and domain-based server or domain controller
Dfs Structure
Dfs is a straightforward feature to implement in your network, and it’s going to make your life much easier in terms of having to manage disparate shares. You personally (and your co-administrators) still have to know the physical location of the various files, the share names, and how the permissions are set up. But when you point to these shares in Dfs, users think that the server to which they’re pointing is the one that’s doling the files out to them. Here are some of the advantages of Dfs:
You can move the files to a different physical share and not affect the user.
You can replicate the files to another share so that you have a backup for load balancing.
You can take the sharepoint offline while you work on it (moving the share to a different location).
You can manage files much more effectively.
Share management is easier because you won’t be disrupting user access when working on a server hosting some shares.
Microsoft Exam Objective
Design a Distributed File System (Dfs) strategy.
Design the placement of a Dfs root.
Creating the Dfs Root

The first thing you do when you set up Dfs is create a new Dfs root. The Dfs root is nothing more than a starting point for the share you’re going to point to, called a link. Dfs is automatically installed with Windows 2000 Server (all three levels: Server, Advanced, and Datacenter), and it’s ready for you to start setting things up. First, you click Start ➢ Programs ➢ Administrative Tools ➢ Distributed File System; the Dfs MMC comes up. Right-click the Distributed File System icon and select New Dfs Root (or optionally, click Action ➢ New Dfs Root). A New Dfs Root Wizard appears to help you create the root. At this point you must decide whether you want a stand-alone root or a domain-based root. A stand-alone root is put on the computer that you specify; a domain-based root is put into Active Directory (AD) and is automatically replicated to all domain controllers participating in AD. Stand-alone roots do not participate in AD replication, but there are some other load-balancing methods you can employ that are discussed in the section “Setting Up Replicas” later in this chapter. The second screen of the New Dfs Root Wizard, illustrated in Figure 13.1, explains the choice between the two types of roots.

FIGURE 13.1 Deciding between a stand-alone or a domain-based root
For a stand-alone root, you next browse to the server where you’re going to place the root; this server must be Windows 2000 or above.
You’re only allowed one root (of either kind) per server.
The next step is either to select an existing share that you want to have act as the root or to specify a new share. If you specify a new share and the folder has not yet been created, Windows 2000 will create the folder for you. Figure 13.2 illustrates this screen. In this example, the share is called CorpFiles. When you click Next, you’re allowed to add a comment to the share. If you designate an existing share, the permissions remain as they were for the original share. If you define a new share, the folder is automatically shared out with Everyone having Full Control permissions—probably something you’ll want to go back and change later on. It’s not a stretch of the imagination to assume that you’ll have one Dfs root for a certain group of people, a different Dfs root for another group, and so on. Just remember that a server can only host one Dfs root.
The steps for creating a domain-based root are similar. You right-click the Distributed File System icon and select New Dfs Root, but this time you select the Create a Domain Dfs Root radio button, shown in Figure 13.1. Next, select the domain to host this root. If there are domains other than yours, all trusting domains will be listed, so you can select the one you want to host the root. The rest of the steps are exactly the same as the steps for creating a stand-alone root.

FIGURE 13.2 Choosing an existing share or creating a new one
Creating Links

At first you might think that the one-root limit is a pretty severe restriction. But within that one root, you can have many pointers to shares on the network.
Some of Microsoft’s literature refers to a junction, meaning the place where a link is created from a root.
The assumption is that you already have directories out there that you’re going to want to link to this new Dfs root. Suppose, for example, that you have a group of accountants who have shares spread out all over the network that you want to link into one Dfs root. You create the root on a Windows 2000 server. (You’ll probably opt to create it as a domain-based root so that it uses AD replication.) Now you want to link up those shares so that when users map to \\Computer_Name\ShareName, they see the share they previously saw by mapping to a completely different server. They also see other shares that used to have a separate drive letter mapped, and another and another. This is where the really big payoff comes in with Dfs: It is incredibly useful for users. They only have to go to one place for the folders and files they use on a daily basis. Look at Table 13.2 for an example of how you might opt to leverage a Dfs root and many links.

TABLE 13.2 An Example of How Dfs Maps to Corporate Shares

UNC Name | Maps To | Description
\\CorpServer\Corp | \\CorpServer\Corp | This is the Dfs root.
\\CorpServer\Corp\Intranet | \\WebServ\WWWroot | This mapping points users to the intranet home drive.
\\CorpServer\Corp\Financials | \\OracleNT\Finance | The finance team can use this share.
\\CorpServer\Corp\ArtWork | \\Marketing\ArtWork | Drawings created by the marketing team are kept here.
\\CorpServer\Corp\IT | \\ITServ\Files | This provides mapping to the IT admins’ important information.
Once you’ve created a root, simply right-click it and select New Dfs Link from the resulting menu. Enter a meaningful name for the link (remembering that this is going to show up as a folder name that the user will see when mapping to the Dfs root). Next, browse the network and select the share you’d like to point to, and enter an optional comment, as illustrated in Figure 13.3. Note that the client cache timeout defaults to 1,800 seconds (30 minutes); this number specifies how long a client will stay pointed to a network location for a particular Dfs link.
FIGURE 13.3 Setting up a new link
In addition to the regular shares you’ve created, you can also pick administrative shares (C$, D$, etc.) for your links. Use some discretion in selecting administrative shares as links in Dfs roots: a link to C$ exposes the whole volume, not just a folder, to anyone who can reach the share.
Note that if you select a link that’s not on a Windows 2000 NTFS server, the links will not be subject to automatic replication. Only those links that are on Windows 2000 servers with NTFS partitions will be replicated.
The current maximum number of links per root that can be created is 1,000.
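The Table 13.2 namespace built with the DFSCMD utility mentioned earlier instead of clicking through the MMC. This is an added example, not the book’s own script; it assumes the root \\CorpServer\Corp has already been created (DFSCMD cannot create roots), that the target shares exist with their share and NTFS permissions already set, and that FinBackup is a hypothetical server holding a copy of the Finance share.

```batch
@echo off
rem Added example: build the Dfs links from Table 13.2 with DFSCMD.
rem Assumes the root \\CorpServer\Corp already exists and that each
rem target share is already permissioned; Dfs does not manage ACLs.
setlocal

set DFSROOT=\\CorpServer\Corp

rem One /MAP per row of Table 13.2: link path under the root, the
rem target share, and an optional comment shown in the Dfs console.
dfscmd /map %DFSROOT%\Intranet   \\WebServ\WWWroot   "Intranet home drive"
if errorlevel 1 goto :fail
dfscmd /map %DFSROOT%\Financials \\OracleNT\Finance  "Finance team share"
if errorlevel 1 goto :fail
dfscmd /map %DFSROOT%\ArtWork    \\Marketing\ArtWork "Marketing drawings"
if errorlevel 1 goto :fail
dfscmd /map %DFSROOT%\IT         \\ITServ\Files      "IT admin files"
if errorlevel 1 goto :fail

rem Domain-based Dfs only: give the heavily used Financials link a
rem second target (a link replica). FinBackup is a hypothetical server.
dfscmd /add %DFSROOT%\Financials \\FinBackup\Finance
if errorlevel 1 goto :fail

rem /VIEW /FULL lists every link with its targets and comments so the
rem result can be checked against the table. /VIEW /BATCH writes a
rem re-runnable script, which is a cheap backup of the namespace layout.
dfscmd /view %DFSROOT% /full
dfscmd /view %DFSROOT% /batch > CorpDfs-rebuild.cmd
echo Namespace built; rebuild script saved as CorpDfs-rebuild.cmd
endlocal
exit /b 0

:fail
echo DFSCMD failed (error %errorlevel%); check the target share and rerun.
endlocal
exit /b 1
```

Run it from an account with Dfs administration rights; if any target share is unreachable the script stops at that link rather than leaving a half-built namespace unreported.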
Setting Up Replicas

Replicas provide a way for you to duplicate your Dfs shared data across different servers. This provides both redundancy and fault tolerance for your shares.

Root Replicas

Suppose you want to set up an additional root on a different server that you’ll use to point to exactly the same links as your original root. In other words, you’ll be configuring some redundancy into the system so that if one server goes down that’s hosting an important root, you have another to fall back on. Note that users would have to map to the new server name, but the share name would be the same. This second root is called a root replica. You create a root replica by right-clicking the newly created primary root and then selecting New Root Replica from the resulting menu. When you’ve created the root replica, right-click the root again and select Replication Policy so you can adjust the replication settings, which are discussed in detail in the section “Replicating Dfs” later in this chapter. Root replicas can only be set up in domain-based Dfs.
Link Replicas

Suppose that you want to load-balance a heavily hit share. You can set up a duplicate folder and files on a separate server (even in a different location) and then create a link replica to that folder. You do this by right-clicking the link you want to duplicate and then selecting New Replica from the resulting menu. If both folders are on Windows 2000 server NTFS partitions, automatic replication will keep the folders identical to one another. Again, you’ll want to adjust their replication policy to your liking. Link replicas can only be set up in domain-based Dfs. Pay attention to the sharepoints that you have set up. Dfs does not manage access control lists (ACLs) because of the complexity this would bring to the system. Instead, Dfs relies on share and NTFS permissions for ACLs. This means that if a user can connect to the underlying share directly with the Net Use command and do some damage, the same damage can be done through your Dfs links and link replicas. It’s up to you to manage these permissions before you set up Dfs.
Inter-Dfs Links

An interesting alternative to the conventional Dfs methodologies discussed so far is the idea of inter-Dfs linking. In this scenario, you first set up your root and Dfs link on one server. Then, you go to another server and set up a root and link, but the second link points to the first server’s Dfs link. You’ve created a share pointing to a share pointing to a share. This might be a good methodology for getting at files that are hosted by a different entity within a corporation but that are needed by a user group that you support. There would, of course, be some latency in this scenario, because the user requesting the connection to the share would have to go to three different sources before they could get files.
The Company-Wide “Shared” Folder

You’re a Windows consultant with a broad base of experience. You’ve traveled far and wide, and everywhere you’ve gone you’ve run into a common phenomenon: the shared folder. For some reason, some corporate people working on networks seem to think that they need a central repository on a server for all of their e-junk so that their friend across the hall can look at the files—even when that friend is in a totally different department. Unfortunately, this shared folder—known variously as “global,” “corp,” etc.—winds up being the network’s trash can. It contains everything: downloaded web bitmaps (often distasteful), hard drive backups of user computers, highly important files that have no business being shared, and all manner of other debris. The idea is good, but in reality, company-wide shares end up in all manner of disarray. It’s as though the law of entropy has a special love for the virtual world; shares just get totally out of hand. After a few months of being at a site, you get an irate call from a manager. She tells you that someone has been into highly private files on her S drive. You investigate the logon scripts to see where her S drive points and, sure enough, it points to the Shared folder. You grimace at the acid that immediately flows into your stomach and go out to take a look at this folder’s permissions. You find that the share permissions for this folder (and its files) are set to Everyone with Full Control. You’re quite surprised that the folder wasn’t created on a FAT partition on top of everything else. Anyone with some spare time on their hands could open up Network Neighborhood, browse to the Shared folder, see a juicy subfolder such as Sales Commissions, and just have a great afternoon opening up file after file, getting confidential corporate dirt. So the question is: How are you going to fix this problem?
Conveniently, you have a Windows 2000 Server running in the domain, as part of your Windows 2000 upgrade (the project you were originally hired to work on), and you go to work, explaining to the manager what you’re about to do. You create a stand-alone root on the Windows 2000 computer and modify the share’s permissions so that only Domain Admins and the group that’s supposed to be viewing these files are allowed into it.
You kick everyone off the Shared folder for a bit and set the NTFS permissions on that folder and all folders below it to Domain Admins, Full Control, removing the permissions of every other principal. You copy the contents of this folder to a different place on the network, preferably a server with an NTFS partition (Windows NT 4 or Windows 2000). Because you copy rather than move, the files take on the NTFS permissions of the destination folder instead of carrying their old ones with them (a move within the same volume would keep the old ACLs). You adjust the NTFS permissions on the new folder (and, through inheritance, on everything you copied into it) so that they’re identical to the share permissions you just set up for the Dfs root. You share out this folder with a hidden share name (one ending in $) and with the same permissions you gave the root folder and the NTFS partition. The $ only keeps the share out of browse lists; it is the share and NTFS permissions that actually keep people out. You then set up a link to this new folder. Note that the link target can be on a Windows NT 4 server or workstation or even a Windows 98 computer, because Dfs only refers clients to the share and enforces nothing itself. Windows 98 doesn’t support NTFS, so there are no file-level permissions there at all and it would be a bad place for the share in the first place, but stranger things have happened. Finally, you set up the logon scripts so that a new drive letter is mapped for this group, pointing to the newly created Dfs root. You advise the manager that at next logon, people will be able to work securely from the new location. When you’re sure all is working as planned and you’ve tested thoroughly, both as a member of the group and as someone who isn’t, you go back and erase the folder from the Shared directory, then go on about your business. Other administrators might have to repeat this as needed until all important files are cleaned off of the Shared folder.
Incidentally, a really great add-on component to this might be to investigate implementing quotas on these newly groomed shares so that they don’t get out of hand like the old Shared folder did.
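Here is the cleanup just described written as a script, using the command-line tools that ship with Windows 2000 (cacls.exe, xcopy.exe, net.exe and dfscmd.exe). It is an added example, not a script from the book. The domain CORP, the root server DFS1 with an already-created stand-alone root \\DFS1\Public, the file server FS1, the CORP\Sales group and the paths are all assumptions, and the share-permission step assumes rmtshare.exe from the Windows 2000 Resource Kit, because net share on Windows 2000 creates every share as Everyone: Full Control and has no switch to change that.

```batch
@echo off
REM Added example: move "Sales Commissions" out of the wide-open Shared
REM folder into a locked-down hidden share published through a Dfs link.
REM Assumed names: domain CORP, stand-alone root \\DFS1\Public (created
REM beforehand in the Distributed File System MMC; dfscmd cannot create
REM roots), file server FS1, group CORP\Sales.
setlocal

set SRC=D:\Shared\Sales Commissions
set DST=E:\Data\SalesCommissions
set SHARE=SalesComm$
set LINK=\\DFS1\Public\SalesCommissions

REM 1. Lock the old folder down first so nobody reads it while you work.
REM    cacls without /E REPLACES the ACL; /T walks the whole subtree.
REM    "echo y|" answers the "Are you sure (Y/N)?" prompt.
echo y| cacls "%SRC%" /T /G "CORP\Domain Admins":F

REM 2. Create the destination on an NTFS volume and set its ACL, then copy.
REM    xcopy without /O does not carry ACLs across, so everything copied in
REM    inherits this ACL and nothing of Everyone:Full Control survives.
mkdir "%DST%"
echo y| cacls "%DST%" /T /G "CORP\Domain Admins":F "CORP\Sales":C
xcopy "%SRC%" "%DST%" /E /I /H /K /Q

REM 3. Share it under a hidden ($) name. The $ only hides it from browsing;
REM    access control is the share ACL plus the NTFS ACL, nothing else.
net share %SHARE%="%DST%" /REMARK:"Sales commissions (Dfs target)"
REM    Windows 2000 net share leaves Everyone:Full Control on a new share.
REM    rmtshare.exe (Resource Kit, assumed installed) tightens it to match
REM    the NTFS ACL above; the MMC share properties do the same by hand.
rmtshare \\FS1\%SHARE% /GRANT "CORP\Domain Admins":F /GRANT "CORP\Sales":C /REMOVE Everyone

REM 4. Publish the share as a link under the Dfs root and list the tree.
dfscmd /map %LINK% \\FS1\%SHARE% "Sales commissions"
dfscmd /view \\DFS1\Public /full

REM 5. Line for the Sales group's logon script (not run here): users map
REM    the Dfs root, not the server, so the target can move later.
REM    net use S: \\DFS1\Public /persistent:no

echo Test as a Sales user AND as a non-member before deleting "%SRC%".
endlocal
```

Run it as a member of Domain Admins on FS1; the dfscmd calls talk to DFS1 over the network. The order matters for the security goal: the old tree is closed off before any copying starts, and the destination ACL is in place before the files land in it, so there is no window in which the commissions are readable by Everyone at the new location.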
Replicating Dfs
Replication of Dfs objects takes several forms, depending on whether you’re talking about the root or a link (a shared folder) under the root. You can replicate both, but each has its own requirements that must be met before replication can take place.
Microsoft Exam Objective
Design a Distributed File System (Dfs) strategy.
Design a Dfs root replica strategy.
Replicating the Root

You already know that a domain-based root’s configuration is stored in Active Directory and replicated with it, so the root can be made available to all users on the network; that part happens automatically and needs no configuration by an administrator. Replicating the root’s contents is a separate, optional step that you do configure: you set up a root replica on a different Windows 2000 server running NTFS, and then, in the Replication Policy window of the Distributed File System MMC, enable replication between the two.

With stand-alone Dfs roots, only manual replication is available: there is no root replica to create, and FRS never gets involved, so any second copy is one you keep current yourself.

Note that the requirements for automatic replication are that both roots reside on an NTFS partition of a Windows 2000 server. You can set up both from the same MMC console. When you’re done setting up the roots, right-click the first one and select Replication Policy to set up the replication. The root that contains the information to be replicated to the other root is called the initial master; once you set this initial master, you cannot reverse the order. The replication itself is done by the File Replication Service (FRS), the same Windows 2000 service that replicates SYSVOL between domain controllers. By turning replication on and off in the Replication Policy window, you control whether FRS automatically replicates the contents of the master root to the secondary root; if replication is turned off, you maintain the copy from root to root by hand. FRS replicates, by default, every 15 minutes. FRS is sometimes described as hidden from both users and administrators. It isn’t, exactly: the service itself is listed in the Services console, but its Dfs configuration is purposely tucked away. You can view it by opening Active Directory Users and Computers, choosing View > Advanced Features, expanding the System container, then File Replication Service, and finally Dfs Volumes. This object is not created or populated until you’ve enabled replication for a domain-based root replica or link replica; stand-alone roots never appear there, because FRS does not replicate them.
Replicating the Links

Replicating the links you set up beneath a root works about the same as replicating a root, except that you set the replication policy as you create the replicated link. The link that receives the contents of the original link is called a link replica, described earlier in this chapter. To create a link replica, open the Distributed File System MMC console, highlight the link you’d like to replicate, right-click, and select New Replica from the shortcut menu. The Add a New Replica window appears, as shown in Figure 13.4.

Figure 13.4: Setting up a link replica

Note that you configure replication for a link replica as you create it, and you have one of two choices: manual or automatic. Automatic replication uses the same FRS as root replication, with the same 15-minute period between replications, and carries the same requirements (a Windows 2000 server, an NTFS partition, and a domain-based root). A link replica is a second copy of the data that clients may be referred to, so its share and NTFS permissions must match the first target’s. Dfs does not copy permissions for you: once FRS is replicating, it carries the NTFS permissions along with the files, but share permissions are never replicated, and a client sent to the replica is governed by that target’s permissions alone.
Write-Intensive Volumes

Sharepoint volumes that get a lot of use, in other words that are heavily written to, present an unusual problem with Dfs. FRS resolves conflicting changes with an algorithm called Last Writer Wins: when the same file is changed on two replicas between replication cycles, the later write is the version that is replicated and shown to everyone, and the other change is silently discarded. On a heavily written volume that can be a big problem, because a client’s referral may send it to either replica. The workaround is to let users write to only one target, make the other target read-only, and replicate from the writable target to it. Because FRS carries NTFS permissions along with the files, you cannot make the second target read-only with NTFS permissions (they would be overwritten to match the master); make it read-only with share permissions instead, which FRS never touches. Users then have only one volume they can write to, but you still have fault tolerance for that volume: if the writable target fails, the second target holds a copy that you can open up and point users at. (Remember that stand-alone roots can only be manually replicated.)
Dfs-Aware Backup Software

Not all enterprise tape backup software is Dfs-aware. Ask the vendor of your backup software whether it can see Dfs trees. Most tape backup software that’s Windows 2000–compliant should work fine with Dfs, but double-check with the vendor to make sure. Keep in mind that even if you can’t back up a Dfs tree, you really haven’t lost anything other than simplicity: the tree itself is only a set of pointers to shares, and you can still back up the actual folders where the sharepoints reside.
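The link-replica, write-intensive and backup points above, scripted with dfscmd.exe: adding a second target to an existing link, making that target read-only at the share level so that Last Writer Wins has nothing to resolve, and capturing the namespace in a form that recreates it when the backup product cannot see the tree. This is an added example, not from the book. The domain-based root \\CORP\Public, the Policies link, the Policies$ shares on FS1 and FS2, the CORP\Staff group and the export path are assumptions, and the read-only step assumes rmtshare.exe from the Windows 2000 Resource Kit. Turning FRS replication on is still done in the Replication Policy window; dfscmd only adds, lists and removes targets.

```batch
@echo off
REM Added example: second target for a link, read-only replica, and an
REM export of the namespace that can rebuild it. All names are assumptions:
REM domain-based root \\CORP\Public, link Policies, shares Policies$ on
REM FS1 (the writable master) and FS2 (the read-only replica).
setlocal
set ROOT=\\CORP\Public
set LINK=%ROOT%\Policies
set EXPORT=C:\Admin\dfs-namespace.cmd

REM 1. The replica share must already exist on an NTFS volume on FS2 with
REM    the same NTFS ACL as FS1 (FRS will overwrite it to match the master
REM    once replication is on). Add it as a second target of the link.
dfscmd /add %LINK% \\FS2\Policies$

REM 2. Make the replica read-only in the one place FRS never touches: the
REM    share ACL. A client referred to FS2 can read but never write, so no
REM    conflicting writes can reach Last Writer Wins.
REM    (rmtshare.exe, Windows 2000 Resource Kit, assumed installed)
rmtshare \\FS2\Policies$ /GRANT "CORP\Domain Admins":F /GRANT "CORP\Staff":R /REMOVE Everyone

REM 3. List every link with all of its targets; Policies should show both.
dfscmd /view %ROOT% /full

REM 4. Export the namespace as dfscmd commands. /batchrestore writes each
REM    line with /restore, the form meant for recreating links from a saved
REM    definition. This file plus ordinary backups of the target folders
REM    covers everything a non-Dfs-aware backup product leaves out.
if not exist C:\Admin mkdir C:\Admin
dfscmd /view %ROOT% /batchrestore > "%EXPORT%"
type "%EXPORT%"

REM To retire the replica later:  dfscmd /remove %LINK% \\FS2\Policies$
endlocal
```

The read-only restriction lives on the share rather than in NTFS because FRS replicates NTFS permissions along with the files; the share ACL is the only permission that can legitimately differ between two targets of the same link. Keep the exported file with the rest of the server documentation: run against a freshly created root, it recreates every link and target.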
Summary

Dfs is quite simple to understand, set up, and maintain. The goal with Dfs is to provide a uniform sharepoint where users can map to shares without realizing that the shares are actually on different servers elsewhere in the network. Dfs simplifies users’ lives and, while you might at first think that designing a Dfs implementation increases your work, the opposite is true: Dfs helps you with your administrative chores. For example, suppose that you want to take down a server for maintenance, typically an after-hours task because users are hitting it during the day. With Dfs link replicas, you simply change the point of origin for the files, users don’t notice the difference, and you can go on about your work. Users never have to change program shortcuts even though you change the source file location.

There are two basic units of work involved with Dfs: a root and a link. You begin by creating a new root. The root doesn’t have to be on the server you’re running the console on; you can create roots on any Windows 2000 server. While you can create roots on FAT partitions, you’re better off creating them on NTFS partitions, mostly because only NTFS can participate in replication. A root is the folder that’s going to contain a pointer to a share somewhere on the network, called a link. There are two kinds of roots: stand-alone and domain-based. Stand-alone roots are created on a Windows 2000 server; domain-based roots are contained in and replicated by Active Directory. Next, you create a link within the root. The link points to the share that you want to present to the users. If you want redundancy with this link, you set up a link replica. By setting up link replicas, the contents of the link are copied to a second server, adding fault tolerance and load-balancing to the link you just created.
You use the Distributed File System MMC to manage both your roots and your links. Root replication can be managed by the Replication Policy window of the Distributed File System MMC. The root that contains the data to be replicated is called the initial master. Link replication is managed when you set up a link replica and determine whether you want to manually replicate or have the File Replication Service (FRS) replicate for you every 15 minutes.
Exam Essentials

Know where to place your Dfs root. The Dfs root needs to be placed on a server that has a good connection and is not overloaded with too many other services. The root server will direct traffic: users will attempt to hit the share, and Dfs will refer them to where it’s physically located.

Understand Dfs replication. Domain-based Dfs roots are the best choice for replication. Also, keep in mind that a Windows 2000 Dfs server can host only one root. Because of this, if a server already has a root, that server cannot hold a replica of another root.
Key Terms

Dfs has a handful of unique terms associated with it. Before you take the exam, be certain you are familiar with these terms:

Dfs root
domain root
File Replication Service (FRS)
initial master
link
link replica
root replica
stand-alone root
Review Questions

1. You are the Windows 2000 administrator for your company. The current share model employed by your organization is becoming cumbersome for the users. You decide to implement Dfs. What two types of Dfs roots can you create in your native-mode Windows 2000 domain?
A. Active Directory–enabled
B. Interlink
C. Stand-alone
D. Domain-based

2. You are the network administrator for your company. One of your department managers, Jane, would like to set up a root on her Windows 2000 Professional workstation for her employees to access. However, she can’t seem to find the Distributed File System administrator console under Programs > Administrative Tools. What could be the problem?
A. Dfs has not yet been installed as a service on her workstation.
B. Windows 2000 Professional workstations cannot act as a Dfs root.
C. Jane is not a member of the local Administrators on her computer.
D. Jane’s Windows 2000 Professional installation is on a FAT partition.

3. What service is responsible for the replication of Dfs information?
A. Dfs-Configuration
B. AdminSDHolder
C. File Manager
D. File Replication Service

4. You have set up a domain-based Dfs root. For fault-tolerance purposes, you’ve also set up a replica. By default, how often do Dfs replications occur?
A. Every 15 minutes
B. Every 30 minutes
C. Every hour
D. Every 4 hours

5. You are the network administrator for your company. You are in the process of setting up a Dfs solution on your network. How can you set up two locations for the same Dfs?
A. Create a link replica.
B. Create a root replica.
C. Create an interlink.
D. Set up replication between links.

6. Bob is trying to set up a link replica on a server in his domain that contains the exact same data as his original Dfs link, but for some reason the link replica operation isn’t working. What could be the problem? Choose all that apply.
A. The second server is a Windows NT 4 server.
B. The second server is in a different domain in the forest.
C. The second server doesn’t have any NTFS partitions.
D. The FRS service isn’t installed on the second server.

7. You are the infrastructure manager for your network. You have already implemented Dfs to ease the administration of shared resources. You have two roots set up as root replicas. Right now, the replication is going the wrong way, from server A to server B. You’d like to switch these roles. How do you do this?
A. Delete the roots and recreate them, this time in reverse order.
B. From the Replication Policy Properties in Dfs, use the Set Master option.
C. From the Replication Policy Properties in FRS, use the Set Master option.
D. This cannot be done.

8. You want to script some automatic Dfs link creations for a new Windows 2000 server. What utility will you use for this?
A. Dfsadmin.exe
B. Dfsadmin.msc
C. Dfsutil.bat
D. Dfscmd.exe

9. You are the network administrator for your company. You are in the process of planning a Dfs implementation. Your manager is interested in advantages of using Dfs over the traditional share model. Select two network administration advantages you would obtain by configuring Windows 2000 Dfs.
A. Sets up a tree that includes multiple folders across many servers and, using conventional server backup software, backs up the tree.
B. Sets up a tree that includes multiple folders across many servers and, using conventional server virus scan software, scans the tree.
C. Sets up a tree that includes multiple folders across many servers and allows Unix access to only this tree.
D. Sets up a tree that includes multiple folders across many servers and, using Gateway Services for NetWare, allows access to this tree for NetWare users.

10. You are the network administrator for your company. Your network has four Windows 2000 servers, one of which is configured as a Dfs root. The domain is running in native mode. On your network, client computers run either Windows 98 or Windows 2000 Professional. Renee is a Windows 98 user trying to access a Dfs share, but she cannot. What could be the problem?
A. Renee’s operating system installation is a Windows 98 pre-Dfs copy. She’ll need a Windows 98 client installation.
B. Only Windows 2000 computers can participate in Windows 2000 Dfs.
C. She does not have the necessary permissions to access the share.
D. She is in the incorrect domain.
Answers to Review Questions

1. C, D. A stand-alone root is hosted on the local Dfs server. A domain-based root is part of AD and is replicated throughout the network using the standard AD replication schedule.

2. B. Windows 2000 Professional workstations cannot host a Dfs root; only servers can (Professional includes only the Dfs client). Answer A isn’t true because Dfs is automatically installed. Answer C is nullified by Answer B, and Answer D just isn’t true.

3. D. The File Replication Service (FRS) is used for replicating the AD SYSVOL as well as Dfs information. You can view FRS’s Dfs configuration in Active Directory Users and Computers by turning on View > Advanced Features and expanding the System container.

4. A. Dfs replication happens through the File Replication Service (FRS), also responsible for handling the replication of the AD SYSVOL. The default schedule is every 15 minutes. The schedule for these replications can be changed; the time duration between replications cannot.

5. A. Link replicas are redundant locations for the same share data. In other words, you have a share on server A that contains some files and a share on server B that contains the same files. You can set up a link replica in Dfs that points to the second sharepoint and use this as a redundancy and load-balancing link. Keep in mind that this technique is generally best when the data doesn’t change. The best option is not to put frequently written-to data on Dfs link replicas.

6. A, C. Link replicas require two things: Windows 2000 Server and NTFS partitions. Don’t have one or the other? Then you’re not going to get link replicas installed on the designated server. You can set up replicas on FAT partitions, but you can’t set up automatic replication to a FAT partition.

7. D. Once you’ve set up a master for replication, the Initial Master button goes away and you cannot reverse the order.

8. D. A utility that comes with Windows 2000 Server, called DFSCMD, allows you to script Dfs operations.

9. A, B. Two convenient uses for Windows 2000–based Dfs include the ability to set up large trees, then back them up or run a virus scan on them. Unix has no Dfs client, so it can’t use Dfs. Answer D has the GSNW roles reversed.

10. A. Certain versions of Windows 9x were not Dfs-aware and required the download and installation of a Dfs client. Most newer versions are Dfs-aware and will work transparently with the Dfs server.
Case Study: Problems with Shares and Share Names

You should give yourself 10 minutes to review this case study, diagram as needed, and complete the questions for this testlet.
Background You’re a system administrator for a medium-sized network of 1,500 users. You’ve already gone through a successful Windows 2000 installation, and everything is working OK. There is one nagging problem you’d like to deal with that you’ve postponed up to now: the number of calls that your helpdesk people get from users who don’t understand about shares and share names. The help desk has to field calls regarding how to map to new shares and how to recreate those shares that a user accidentally deletes. It’s difficult to talk over the phone with people who have no real sense of computing about how to navigate to the Explorer and map a network drive. The whole concept, for some reason, seems completely incomprehensible to many users. On top of all that, your network has a legacy that goes back far enough to have generated numerous shares of high criticality to various departments within your organization. Your help-desk people are just about completely fed up with the whole thing. You’ve got to figure out a way to help your help-desk people and your users find an easier way to map shares.
Current System You have 15 servers, all of which run Windows 2000 Server and were upgraded to Windows 2000 from Windows NT 4. You are running Exchange on one server, SMS 2 and SQL Server 7 on another, and various applications on three others. One server is dedicated to printing, and two servers are dedicated to WINS and DNS. That leaves seven servers that were used for file and print and shares in their previous lives and are now available as test servers. You want to take two of these servers and turn them into Dfs servers. Before updating your servers, you went through each server and updated the hardware as needed. All of the servers are a tier 1 name brand, all have hardware RAID array controller cards, and all have adequate CPU, RAM, and disk space.
The majority of your clients are Windows 9x, though you have a smattering of Windows NT Workstation and Windows 2000 Professional users.
Envisioned System Overview

You envision that two of your Windows 2000 Servers will be dedicated to the Dfs process in a domain-based root. Each of these servers has its operating system installed on a 4GB OS partition with a separate data partition of 205GB (twelve 19GB hard drives in a RAID 5 array managed by a hardware RAID array controller card). You will make a map of the shares that are important to each group and then control the shares with a Dfs link and NTFS permissions. You’ll provide redundancy by creating link replicas on the opposite server, and you’ll have a domain-based root for your basic root structure. In addition, in order to clean up shares that have gone through years of accumulating data, you’ll run one backup groom job that will copy to tape and then delete any files that haven’t been used in the last year, and you’ll manually get rid of any miscellaneous files that shouldn’t be on the servers. You present this plan to your boss, the operations manager, and she gives you input on the project.

Operations Manager: “The only thing I’m concerned about is that you’ll manually delete any files you don’t think belong on the servers. Is there a way to validate who owns the files that you suggest we delete and why they’re out there?”

Help Desk: “A one-stop-shopping approach to all of the shares we have out there would be very helpful! How soon can you have it done?”
Security Overview

Security is one of the reasons you want to go forward with this project. People who shouldn’t have access to some folders do, and they have been able to get in and look at information that doesn’t pertain to their area of business within the company. You can’t do anything to control people with too much time on their hands, but you can control who’s allowed into certain folders, and that’s one of the goals of this current project. You meet with the security team to let them know about your plans.

Security Team: “We like the idea, but our plates are full just running the day-to-day business. We’ll try to help you find folders that are owned by people who are no longer with the company, but you have to handle the rest yourself.”

Availability Overview

Some people work on weekends and nights, so availability is also an important objective of this project. You’re thinking that Dfs replicas will help solve this problem, but it won’t be a complete solution because of the replication scheme used by Windows 2000. For those folders that are not put on link replicas, you still feel that, with ordinary backups and the new RAID controller cards on these servers, you have plenty of fault tolerance.

Operations Manager: “Understanding the Last Writer Wins algorithm as you’ve explained it to me, we need to be careful about what links are replicated.”

Maintainability Overview

You believe that Dfs will be a godsend for the network. You try to imagine some scenarios where there may be a problem. Overall, the system will be far easier for help-desk personnel to assist users with troubleshooting problems than before. On second thought, the shares are now well known by users and everybody knows where they’re at until they’re deleted. New users have a hard time navigating at first. You hear users talking about “going to the S drive,” meaning that they clearly don’t understand that they have a place where resources are stored and the logical drive letter could easily change, leaving them completely without the ability to understand where their data went. You conference with several of the managers for different business units to explain the concept to them and get input.

Business Unit Managers: “We would be amenable to the idea, as long as you keep it simple for us and try to keep the same drive letters that we currently have when we log on. You’ve explained to us that we’ll gain a drive letter that will point to our departmental piece of the server; we’ll get that information to our people.”

Performance Overview

Performance would be a worry if you were pointing to shares across a WAN link. Since you’re all in the same building and you’re only using two servers for Dfs, this should not be an issue. Besides that, providing Dfs redundancy on two servers (for some folders; remember that not all folders participate well in link replication because of the Last Writer Wins algorithm) will provide a modicum of load-balancing.

Operations Manager: “Ask the network guy to make sure that the infrastructure can handle the load.”
Questions

1. Which SPOF will have the most impact on this project?
A. Single RAID array controller in each server
B. Single NIC in each server
C. Single link for shares that are frequently written to
D. Single CPU in servers

2. Will Dfs be useful in a two-server scenario such as this? Isn’t it just as easy to set users up to one sharepoint or another on either server? Choose some arguments you would put forth to explain why these questions are valid but misinformed. (Select all that apply.)
A. Dfs link and root replicas provide fault tolerance and load-balancing that are not available otherwise.
B. You can tie in to other sharepoints that might be created elsewhere in the network as well.
C. Taking one server offline for service will be much easier with this new methodology.
D. Maintenance of this new setup will be harder than with the previous system.

3. Once you get the new setup running, you find that your current backup software won’t back up the Dfs tree. What could be the problem?
A. You need to span multiple tapes because of its size.
B. You need a Dfs backup agent on the servers.
C. The backup software needs to be Dfs-aware.
D. The volume size is too large for the software; there are problems enumerating all the files.

4. In this case-study scenario, wouldn’t a cluster server environment work better for additional fault tolerance than a Dfs solution?
A. No, because you’re also interested in providing one-stop shopping for sharepoints and in cleaning up the Global directory.
B. No, because Dfs isn’t cluster-aware.
C. Yes, it would, but it would be hard to manage.
D. Yes, but it would be much more expensive.

5. Looking at the following chart, choose tasks from the right column and place them in the left column so that you come up with a completed Dfs installation.

Task Categories:
Testing
Implementing
Fault Tolerance

Tasks:
Test Win9x clients to make sure they can access Dfs shares; add client component to non-Dfs-compliant computers.
Set up a Dfs domain-based root; establish replication.
Modify the logon scripts to point to new departmental drive.
Analyze the files and folders that have not been touched in the last year, determine their usefulness, and archive them to tape as needed.
Check to make sure replication is working.
Analyze existing shares, making sure you know what their names, group memberships, and permissions are.
Analyze the files and folders that don’t have an owner, determine their usefulness, and archive them to tape as needed.
Make sure the Dfs system is running properly by checking access to shares from some user computers.
Set up link replicas.
Run tape-backup groom job.

6. What are the two things that this Dfs project will not accomplish for you?
A. Fault tolerance for a domain-based root
B. Compression of files and folders
C. Management of ACLs
D. Quota management
Case Study Answers

1. C. Answers A, B, and D, while potentially worrisome, are not even within radar range of the problem that might be created with a single sharepoint for your heavily written-to shares. But you can’t take the chance of having users write to duplicate shares and then hope that Windows 2000 FRS will get all updates posted correctly. Remember that the Last Writer Wins algorithm used by FRS means that the last person to write something to a file is the winner. Here’s the workaround for this major SPOF: Set up a read-only hidden share that FRS can replicate to, read-only by share permission, since FRS replicates NTFS permissions along with the files. Users won’t be able to see it, but it will be there in case the first share has a problem.

2. A, B, C. Using Dfs will provide fault tolerance and load-balancing. You can definitely tie in all the sharepoints on the network, and you’ll undoubtedly find this useful for yourself and the rest of the admin team that needs network-wide access to certain files (Internet Explorer setup comes to mind). Taking a server offline is a tad more difficult and requires some extra planning because of some of the write-intensive volumes, but it’s still something that can be made easier with Dfs. Maintenance will not be harder, provided you do your homework and design the shares correctly.

3. C. The main problem you might run into with your enterprise backup software is that it isn’t Dfs-aware. Check with the vendor of the software to see if it can hang in there with the Dfs environment. If your backup software is Windows 2000–certified, then it’s probably good to go.

4. D. Clustering is certainly an option, and you’re highly interested in providing a fault-tolerant Dfs approach. But clustering your Dfs solution isn’t really necessary, and it’s expensive. Maybe rather than just using link replicas, you’d be better off putting the two servers you’re intending to dedicate to Dfs onto a cluster. You’d want to investigate other critical software components of your network to see whether they could share the cluster as well, and that would probably cause you to investigate whether you had enough hardware (including shared storage, typically Fibre Channel, and a private heartbeat network between the two Dfs servers). But clustering is definitely an option.
5. See the following chart:

Testing:
Test Win9x clients to make sure they can access Dfs shares; add client component to non-Dfs-compliant computers.
Make sure the Dfs system is running properly by checking access to shares from some user computers.
Check to make sure replication is working.

Implementing:
Analyze the files and folders that have not been touched in the last year, determine their usefulness, and archive them to tape as needed.
Analyze the files and folders that don’t have an owner, determine their usefulness, and archive them to tape as needed.
Run tape-backup groom job.
Analyze existing shares, making sure you know what their names, group memberships, and permissions are.
Set up a Dfs domain-based root; establish replication.
Modify the logon scripts to point to new departmental drive.

Fault Tolerance:
Set up link replicas.

If you have Windows 9x clients that have earlier versions of the operating system, you’ll need to download and apply a Dfs client to these workstations. That has to happen first before you can go forward with your Dfs project. Hopefully, users are up on Windows 98 SE, which provides seamless Dfs integration.
6. C, D. Remember that access control lists (ACLs) are handled by share and NTFS permissions, not by Dfs. The designers of Dfs did not think it was prudent to have Dfs manage ACLs, and with good reason: Dfs only refers a client to a sharepoint, and a user can bypass the namespace entirely by connecting straight to \\server\share, so a permission enforced only in Dfs would be a security hole rather than a control. You’ll have to use NTFS and share permissions to manage this problem. Also, the case study didn’t stipulate that quota management should be turned on. It’s possible to use quota management with Dfs, but remember that NTFS quotas are enforced per user per volume on the target server, not per Dfs link, so a user’s usage across every share on that volume counts against a single quota. This could present quota management issues if you don’t plan carefully.
Chapter 14
Designing for Internet Connectivity

Microsoft Exam Objective Covered in This Chapter: Design an Internet and extranet access solution. Components of the solution could include proxy server, firewall, routing and remote access, Network Address Translation (NAT), connection sharing, web server, or mail server.
Windows 2000 was designed to fit many different needs, from conventional networking to remote access to full-bodied web services. The Windows 2000 developers wanted you to be able to use this operating system to improve your business. Whether you’re involved with a conventional business or a far-out high-tech company, Windows 2000 has something for you. Microsoft has been concentrating its efforts on the Internet for several years now. With the popularity of the Internet, Microsoft’s aggressive positioning seems to be a good move. When discussing Internet functionality, it seems that as soon as one plateau has been reached, a new use or feature springs up. Microsoft has been there to try to help facilitate those jumps.
This chapter is about taking advantage of your Windows 2000 server in an Internet and extranet environment. We’ll talk about Internet and extranet access solutions in this chapter, and the various components of these solutions, like Proxy Server, firewalls, IP routing, NAT, and others.
Before we progress further, let’s clear up the meaning of a fairly innocuous term: extranet. An extranet generally means a corporate presence that allows outside users to connect to the internal private network in a secure fashion in order to provide information to the company or to gather information from it. This access can include a company’s intranet, its applications and file servers, or any of a myriad of other computing environments. The emphasis of an extranet is on its privacy (so that not just anyone can gain access to the private network) and the security required to make it so.
Two examples might help you understand the extranet concept. If you’ve worked with Exchange Server before, you might know that it allows users to read their e-mail via a web page. This service is called Outlook Web Access (OWA) and is a real bonus for dial-up users.
However, OWA can also be leveraged for extranet use by providing a web server on the DMZ that can talk to the Exchange Server. The Federal Express site, www.fedex.com,
allows users to hit their site, enter a tracking code, and find out the status of a package that they’ve sent. Both of these examples represent a wonderful use of extranet technology. This chapter isn’t intended to be an elementary primer on Internet connectivity; it’s assumed that you have some background in these topics. This chapter focuses on how Windows 2000 provides tools that help facilitate the kinds of services that you used to have to obtain through third-party sources.
Designing a Proxy Server Implementation
Microsoft Proxy Server 2 is not included with Windows 2000, but it is part of the Microsoft Back Office Suite. It is a separate add-on product that you’ll need to buy, but its importance in large networks that connect to the Internet is very high. If you do not currently have a Proxy Server implementation and you’re a Microsoft shop, I recommend investigating the features that Proxy Server 2 can provide to enhance your control over your network.
Microsoft Exam Objective
Design an Internet and extranet access solution. Components of the solution could include proxy server, firewall, routing and remote access, Network Address Translation (NAT), connection sharing, web server, or mail server.
Proxy Server allows you to connect your private network to the Internet. The Proxy Server acts as an Internet go-between for your users. When a network user with a private IP address points their browser to an Internet site, Proxy Server goes to the URL, retrieves the page, and returns it back to the user. The Proxy Server has two network interfaces: one that points to your ISP (which we’ll call the “public network”) and one that points to your private network. So the Proxy Server is acting as a larger scale network address translator (NAT). But it’s more than that. A proxy allows you to ban certain incoming protocols. We talked in Chapter 3, “Evaluating the Technical Environment,” about the infamous ICMP attack that Microsoft experienced a couple of years ago. You could filter ICMP (ping) requests coming to your server using Proxy
Server. When an outside host tried to ping your proxy box, they’d get no answer. If a ping can’t get through your proxy, neither can bad ICMP packets.
You can also add what are called custom filters, known as Internet Server API (ISAPI) filters. Secure Computing’s SmartFilter bundles itself into Proxy Server as an ISAPI filter; SmartFilter allows you to control which users are allowed out onto the Internet and what kind of content they’ll be allowed to surf. You can turn off the ability to browse sex, gambling, sports, illegal activities, hate speech, and other kinds of web sites using this product. SmartFilter works through a custom ISAPI filter that the company wrote specifically to work with Proxy Server. You can restrict who’s allowed onto the Internet on a user-by-user or resource-by-resource basis.
Proxy Server works in routed and non-routed environments because it basically acts as a router when connecting to the Internet. Proxy Server works well with third-party hardware firewalls, such as Cisco PIX, or with software firewalls. Proxy Server 2 is fully Windows 2000–compliant and can be used in conjunction with IPSec, demand dialing, VPNs, and Active Directory (AD) user authentication. Proxy Server supports a few proxy protocols: Web Proxy, Winsock, and SOCKS.
One of Proxy Server’s biggest features is that it caches web page requests so that, over slow ISP connections, web access appears much faster than it actually is. You can configure the cache to your liking. You can configure and deploy a Proxy Server client component to users, allowing you finer control in categorizing users. You can use the Internet Explorer Administration Kit (IEAK) to customize and deploy a Proxy Server ASP page that provides users with the settings they need to access the Internet through the Proxy Server. Finally, Proxy Server has the unique capability of being set up in a proxy array.
A proxy array is a group of Proxy Servers that collectively forward their requests to a main Proxy Server that interfaces with the Internet. If your network has several geographically separated locations but only one ISP connection, you can set up a Proxy Server at each location (for URL caching), which in turn talks to the main Proxy Server that has the linkage with the Internet. Figure 14.1 illustrates this setup. In this figure, Chicago and Atlanta have Proxy Servers that talk to the main Proxy Server in Denver, which in turn does all of the communicating with the Internet. This design, of course, implies that:
You correctly size the computers so that they are compatible with the number of users you anticipate on each (the biggest of the three would be the Denver box).
The WAN circuits are robust enough to handle the load.
You’ve correctly configured all three boxes to talk to each other.
FIGURE 14.1 An example of a Proxy Server array (figure: Proxy Servers in Chicago and Atlanta forward to the Denver Proxy Server, which connects to the Internet)
You need to consider several things when designing a Microsoft Proxy Server implementation:
Correct sizing of Proxy Server(s)
Whether the Proxy Server will be in the DMZ or on the edge of the network
What type of firewall the Proxy Server will interface with and any integration constraints you might face
WAN circuitry and its characteristics
Who will be allowed to use Proxy Server and who will not
Whether you’ll integrate third-party software with Proxy Server for more robust web monitoring and reporting capabilities (highly recommended)
You should not use Proxy Server without benefit of a firewall, even though Microsoft says that Proxy Server can act as a suitable firewall. Microsoft has finally released an enterprise Internet firewall product called Internet Security and Acceleration (ISA) Server 2000. You can read more about this new product at www.microsoft.com/isaserver.
Pick up a good third-party book on Microsoft Proxy Server. It is an application unto itself and merits some additional time and study so that you’re comfortable with it.
The recommended book, of course, is MCSE: Proxy Server 2 Study Guide by Erik Rozell and Todd Lammle. While shopping at your favorite Internet book site, also look for IIS 4 and Proxy Server 2 24seven by Stigler and Linsenbardt.
Designing Firewalls
The Microsoft test objective mentions firewalls, but within that one tiny little word lies a vast specialty in the realm of computerdom. Many fine vendors sell good-quality firewall products, both hardware- and software-based.
Microsoft Exam Objective
Design an Internet and extranet access solution. Components of the solution could include proxy server, firewall, routing and remote access, Network Address Translation (NAT), connection sharing, web server, or mail server.
A firewall allows you to explicitly restrict IP addresses, protocols, and ports from entering (or exiting) your network. You can nail down access as tightly as you wish, restricting all but a handful of IP addresses, or you can open the doors wide. Most companies allow firewalls to pass outgoing SMTP (Internet e-mail) traffic to the public network, but that’s about it. Some companies prevent incoming ICMP (ping) requests from hitting the network, as well as denial of service (DoS) traffic, the anomaly recently generated by a 15-year-old hacker in Canada and directed against some of the busiest servers on earth. While the literature for Microsoft Proxy Server says that it is a firewall (due to its ability to restrict incoming and outgoing traffic), in larger enterprises, Proxy Server alone might not provide the level of control that you require. If you do not possess a highly technical background in firewalls and the art of security, you may want to outsource this need to a reliable security consultant. You should place Proxy Server ahead of your private network but behind a firewall.
BindView Corporation’s HackerShield 2 allows administrators to get a thorough, yet easy-to-read, picture of the security holes in their network. Their web site is at www.bindview.com.
Exchange Servers behind a Proxy Server
If you’re putting up a Proxy Server installation, generally you’ll be putting it at the edge of your network, the place where the network connects to the Internet. But back in the private network, you probably have at least one if not many Exchange Servers. You’ll be very surprised as soon as you enable Proxy Server and find that Internet e-mail no longer flows into the network as it once did!
You have to do some special workarounds when you have Exchange Servers sitting behind a Proxy Server box. First, you have to install the Microsoft Proxy Server client on the Exchange Server. You also have to place a couple of INI files in certain directories on the Exchange Server. Then you reboot the Exchange computer. Once this work is done, you’ll see, by observing the Winsock Proxy properties, that the Exchange Server has connected to the Proxy Server and can receive Internet e-mail once again.
You can test this whole thing while you’re configuring it by creating a new Hotmail account (or other Internet-based e-mail account) and testing the e-mail transactions between your Outlook inbox and your Hotmail account. Since Proxy Server is presumably passing web traffic and you can use your browser, you can go to Hotmail.com to check incoming messages and to send outgoing ones.
One thing to keep an eye on is whether you have packet filtering enabled; disabling packet filtering may relieve connectivity problems between your Exchange Servers and the Internet. Proxy Server is designed to limit access to certain ports or web sites, and to limit who can do what through your Internet connection. Most of the time, if your planning is good, you will have very few problems. However, incorrect configurations (or simple oversights) can keep your network from working the way you’d like it to.
Implementing Internet Connection Sharing and Network Address Translation
It used to be that small networks had a big problem getting connected to the Internet. If you had, say, a dentist’s office with three or four clerical personnel, you probably wouldn’t get very far trying to convince the dentist to purchase an expensive router, a high-speed connection to the Internet, and a server (or servers) to handle all of the processing. It wasn’t until a few years ago that this setup was even possible in a small office. If users wanted Internet access, they would set up a modem on their PC, obtain separate ISP accounts for each person desiring a connection, and then separately dial out to the Internet. Not only is this method expensive, it’s tough to troubleshoot and inconvenient for the client.
Microsoft Exam Objective
Design an Internet and extranet access solution. Components of the solution could include proxy server, firewall, routing and remote access, Network Address Translation (NAT), connection sharing, web server, or mail server.
With Windows 2000 Network Address Translation (NAT), all of that has changed. By setting up a Windows 2000 server and enabling NAT, users on a private network can connect to the Internet, the server provides DNS name resolution for them, and it acts like DHCP in the sense that it gives IP addresses to client computers. NAT is a multifunction service for smaller networks; it’s not intended for large enterprises that need the robustness of Proxy Server and other Windows 2000 features. NAT is useful for
Connecting private networks to public ones
Connecting disparate types of network segments such as Ethernet to ISDN
Creating a screened subnet (a DMZ) for your web servers
NAT needs to use the reserved private IP address ranges internally (see Chapter 8, “Designing TCP/IP into Your Network,” for a review of the ranges), and cannot use public IP numbers for the internal network. If you can’t use this kind of setup, you’ll have to go with Microsoft Proxy Server instead. NAT simply serves as an address-translation protocol; it allows private users onto the Internet by converting private addresses into public ones. There are many limitations to NAT, mostly in the types of protocols that it is not allowed to pass. Among the restrictions are:
No Simple Network Management Protocol (SNMP).
No Lightweight Directory Access Protocol (LDAP).
No Component Object Model (COM) or Distributed Component Object Model (DCOM). (Both of these are used extensively by third-party applications such as quota management software and others. COM and DCOM are the Microsoft-based heart and soul of client/server applications.)
No Kerberos v. 5. (Kerberos v. 5 is used by Active Directory (AD), which means that you can’t use NAT to replicate AD.)
No Microsoft Remote Procedure Call (RPC). (Unfortunately, Exchange versions earlier than Exchange 2000 heavily use RPC. On top of that, lots of the MMC consoles use RPC to communicate in a client/server environment.)
The new Microsoft IP Security protocol (IPSec) cannot be used over NAT.
The bad news is that Automatic Private IP Addressing (APIPA) for Windows 2000 and Windows 98 computers cannot be used to talk to NAT because APIPA uses 169.254.0.1–169.254.255.254, whereas NAT uses other reserved private addresses. NAT acts as a “mini-DHCP” server for clients, handing out addresses within its range. Windows 98 or 2000 users who get an APIPA-assigned IP address will not be able to get onto the network. Figure 14.2 illustrates the basic concept behind NAT, how it connects two dissimilar networks together.
FIGURE 14.2 An example of a NAT server (figure: a private Ethernet network, e.g., 192.168.0.0, connects through the NAT server over DSL to the public network (the Internet) or a VPN connection; example address 192.168.10.30 going into NAT on the private side, 167.26.30.33 coming out of NAT on the public side)
Using an RRAS Demand-Dial Interface
Using Routing and Remote Access Service (RRAS) to get to the Internet is a fruitful endeavor, especially on smaller networks that don’t have the luxury of a fast, dedicated Internet connection. As you might imagine, Internet connectivity scenarios can get highly complicated with determining redundancy characteristics, planning for disaster recovery, and so much more. But with some networks the most important objective is simply to get connected in the first place. Windows 2000 RRAS, covered in depth in Chapter 15, “Designing a Remote Access Solution,” provides many ways that an administrator or designer can use telephony solutions to connect the network’s users to the Internet.
Microsoft Exam Objective
Design an Internet and extranet access solution. Components of the solution could include proxy server, firewall, routing and remote access, Network Address Translation (NAT), connection sharing, web server, or mail server.
One of the design elements that you’ll need to pay attention to is whether to use a demand-dial connection on the public side of your NAT. Suppose that you’re dealing with a small company that currently has users who dial in to their respective ISPs using the telephone lines on their desks. You want to set up an inexpensive high-speed link to an ISP, then provide connectivity to your users. NAT is perfect for this because it can use multiple interfaces on the public side. But suppose you’re charged for each minute that you’re connected with the ISP, as is the case with an ISDN line. If you were connected 24×7, this could cost far more than your use justifies. So you set up a demand-dial connection through RRAS. Then, when users access NAT, the connection is dialed and they can do their work. Demand-dial is also useful when you need to pass connection information over the wire—for example, when you set up a VPN connection that requires authentication.
Connections that are full-time, such as DSL or asynchronous, are called persistent connections. NAT can use persistent connections as well. In your NAT server configuration, the internal server NIC might have an IP address of 192.168.0.1, and the external connector would be some kind of dial-up connection that contained the various information needed for connectivity to your ISP’s source (or for another network in the case of a VPN).
NAT Security
NAT security is generally good, although you can augment it by setting up RRAS IP filters that restrict incoming or outgoing IP address ranges by protocol (e.g., FTP). You can also set up IP address pools. Use a pool when you want to allow Internet or VPN users to be able to access resources on the private network, as you might in a business-partner relationship.
The IP address pool methodology has some basic rules. For starters, you must provide, in your pool, the private-network IP addresses of servers that NAT is allowed to connect users to; it’s not a carte-blanche deal where those in the pool can access any private-network resource they’d like to. Next, you have to realize that all IP ports are allowed access to the private network. You can do some port restricting if you’d like to narrow down what’s allowed to pass through to the private network. Realize that the NAT computer is doing all of this work and could potentially be both a bottleneck and a single point of failure (SPOF) if it’s not designed well.
You can use VPNs to restrict private-network access by user. Note that since IPSec isn’t allowed through NAT, you can’t use L2TP for your VPN connection; you must rely instead on PPTP and PPP connections. This adds security to the NAT configuration because users connecting to NAT are required to authenticate and their data is encrypted as it crosses the wire.
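The translation behaviour and the restrictions described in this section and the previous one, worked as an added example (not the book’s code, nor Microsoft’s RRAS implementation): a small Python model of a NAT server that rewrites outbound private addresses, lets back in only replies to existing sessions or traffic for statically published servers, and refuses APIPA sources and port-less IPSec (ESP/AH) packets. The topology is constructed: private side 192.168.0.0/16 behind public address 167.26.30.33 as in Figure 14.2, a published Exchange Server at 192.168.0.10, and remote hosts taken from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field

# Reserved private ranges that NAT may use internally (see Chapter 8) and the
# APIPA range, which NAT does not serve.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")
# IPSec carriers: no port field for NAT to rewrite, so they cannot cross NAT.
NO_PORT_PROTOCOLS = {"esp", "ah"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "esp" or "ah"
    sport: int = 0
    dport: int = 0


@dataclass
class NatServer:
    private_net: ipaddress.IPv4Network
    public_ip: str
    # Static inbound entries (the chapter's "address pool" idea), modelled here
    # as (proto, public port) -> (private server, port); an assumption of this
    # example, not the RRAS console's own representation.
    inbound_map: dict = field(default_factory=dict)
    outbound_sessions: dict = field(default_factory=dict)
    inbound_sessions: dict = field(default_factory=dict)
    next_port: int = 1025

    def __post_init__(self):
        # NAT cannot use public numbers on the inside.
        if not any(self.private_net.subnet_of(r) for r in PRIVATE_RANGES):
            raise ValueError("internal network must be a reserved private range")

    def outbound(self, pkt):
        """Private -> public. Returns (translated packet or None, reason)."""
        src = ipaddress.ip_address(pkt.src)
        if src in APIPA:
            return None, "APIPA source: client never got a NAT-range address"
        if src not in self.private_net:
            return None, "source outside the NAT's private range"
        if pkt.proto in NO_PORT_PROTOCOLS:
            return None, f"{pkt.proto}: no port to translate, IPSec cannot cross NAT"
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        pub_port = self.outbound_sessions.get(key)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.outbound_sessions[key] = pub_port
            # Reverse entry so that only replies to this session get back in.
            self.inbound_sessions[(pkt.proto, pub_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pkt.dst, pkt.proto, pub_port, pkt.dport), "translated"

    def inbound(self, pkt):
        """Public -> private. Returns (translated packet or None, reason)."""
        if pkt.dst != self.public_ip:
            return None, "not addressed to the NAT's public interface"
        if pkt.proto in NO_PORT_PROTOCOLS:
            return None, f"{pkt.proto}: no port to translate, IPSec cannot cross NAT"
        reply = self.inbound_sessions.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if reply:
            priv_ip, priv_port = reply
            return Packet(pkt.src, priv_ip, pkt.proto, pkt.sport, priv_port), "reply to an existing session"
        static = self.inbound_map.get((pkt.proto, pkt.dport))
        if static:
            priv_ip, priv_port = static
            return Packet(pkt.src, priv_ip, pkt.proto, pkt.sport, priv_port), "static entry for a published server"
        return None, "unsolicited inbound traffic: no translation, dropped"


def demo():
    """Run the chapter's cases through a constructed NAT (see the lead-in)."""
    nat = NatServer(ipaddress.ip_network("192.168.0.0/16"), "167.26.30.33",
                    inbound_map={("tcp", 25): ("192.168.0.10", 25)})
    results = {}
    # A private client browsing the web: translated on the way out, reply mapped back.
    web_out = nat.outbound(Packet("192.168.10.30", "198.51.100.7", "tcp", 3305, 80))
    results["web_out"] = web_out
    results["web_back"] = nat.inbound(Packet("198.51.100.7", "167.26.30.33", "tcp", 80, web_out[0].sport))
    # A client that fell back to an APIPA address never gets out.
    results["apipa"] = nat.outbound(Packet("169.254.4.9", "198.51.100.7", "tcp", 4000, 80))
    # ESP has no ports, which is why an L2TP/IPSec VPN cannot be carried through NAT.
    results["esp"] = nat.outbound(Packet("192.168.10.30", "198.51.100.7", "esp"))
    # Inbound SMTP reaches the published Exchange Server; an unsolicited probe
    # of port 80 finds no translation and is dropped.
    results["mail_in"] = nat.inbound(Packet("203.0.113.5", "167.26.30.33", "tcp", 40000, 25))
    results["probe"] = nat.inbound(Packet("203.0.113.5", "167.26.30.33", "tcp", 40001, 80))
    return results
```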
Internet Connection Sharing
NAT provides a one-server solution that users can go to for their IP address, name resolution, connectivity to the Internet, and basic firewall services. But what about small offices that don’t need all that firepower? Is there a way that they can perform basic NAT services without the full-blown features of NAT? Sure: Internet Connection Sharing (ICS). You still have to provide a Windows 2000 computer (Windows 2000 Professional machines can use NAT, too) in order to enable this feature, but it’s much less intense than the services used by NAT. In fact, from the most sophisticated method to the least you’d have:
Proxy Server (which does not provide its own name resolution or DHCP services)
NAT (which uses DHCP and DNS proxy)
ICS (which also uses DHCP and DNS proxy)
Microsoft Exam Objective
Design an Internet and extranet access solution. Components of the solution could include proxy server, firewall, routing and remote access, Network Address Translation (NAT), connection sharing, web server, or mail server.
You enable Internet Connection Sharing by setting up a Windows 2000 Server computer that has a network card that can talk to the private network and a modem (or similar connectivity device) that can talk to the public network. Don’t install DHCP or DNS at this time! When the server is ready, go into Network and Dial-Up Connections by right-clicking My Network Places and selecting Properties from the shortcut menu. (Optionally, you can click Start > Control Panel > Network and Dial-Up Connections.) Create a new dial-up to your ISP, then right-click it and select Properties. Navigate to the Sharing tab and check Enable Internet Connection Sharing for This Connection. You can also enable on-demand dialing by simply checking the box for this feature (this is recommended).
You’ll probably want to verify that the network adapter settings for the private network are the correct settings needed for ICS.
Once this feature is enabled, ICS assigns the address 192.168.0.1 to the internal NIC and hands out addresses from 192.168.0.2 through 192.168.0.254 (subnet mask /24) to client computers. The ICS server functions as DHCP and DNS for its client computers. Note that you cannot have computers on your internal network that are configured with a static IP address. All addresses, other than the Internet Connection Sharing server itself, must obtain their IP information from DHCP. To configure the client, simply open Internet Explorer or another browser that supports Proxy Servers and type the private address of the Internet connection server into the area provided for the Proxy Server address. You’ll use port 80 for this connectivity. That’s all there is to it.
Using Connection Sharing to Share Applications and Services
Suppose that you use ICS for a VPN that talks to another network, and you’d like to set up application sharing on a server in that remote network so that you can use the application from your home office.
Before proceeding with this discussion, note that there are two other kinds of dial-up connections you can create:
A VPN dial-up connection means that you’re setting up a VPN with another network somewhere, one that’s equally equipped to receive VPN calls. Use a VPN when you want a secure, encrypted tunnel from one point to another, typically server to server, or when you want to allow users to connect to your private network using a secure tunnel through the Internet.
A dial-in connection is much more simplistic. It merely allows a user to connect to and work on your network using a conventional modem. You can add authentication and encryption to dial-in connections, but the security that a VPN provides, not to mention leveraging the ISP’s bandwidth as opposed to yours or your users’, is very useful.
You can construct either of these dial-up connection types for application sharing as follows. Start by setting up the VPN connection and verifying that the Enable Internet Connection Sharing for This Connection check box is selected in the Sharing tab of the connection’s Properties sheet; then click Settings. Go to the Applications tab and select Add. You’ll be prompted for the name of the application and the remote server’s port number. The latter setting is tricky: You first must know the port number (either TCP or UDP) that this application uses. The port number tells you whether the application uses TCP/IP ports; if it doesn’t, the application can’t work with ICS. It would be wise to ascertain this information prior to setting up application sharing.
You can set up ICS dial-up connections in such a way that users can dial into your network and run applications. In this case, instead of a VPN dial-up connection, you set up an incoming connection. Then you modify its properties by navigating to the Sharing > Settings > Applications tab, adding a name for the service you want to share out and, in the Service port number box, entering the port number of the application on your local network that you’re going to share with users dialing into your network. This, of course, implies that you have an application that actually uses a TCP/IP port number and that it’s okay that the application resides on a box using DHCP (if the computer you’re pointing to isn’t the ICS computer). Note that you can only use ICS for incoming connections on a stand-alone server. If the server is a member of a domain, you will be prompted to use RRAS for this instead.
Designing a Web Server Access Solution
We’ve talked a lot about getting users onto the Internet through various means: Proxy Server, NAT, or ICS. All of these techniques imply that you have a server running at your site. Furthermore, this server must be connected with the outside world, whether via a conventional hardware router or a software router. Since Proxy Server, NAT, and ICS can use a dial-up connection as the public half of their network connectivity, smaller networks may not need to own a router to get Internet connectivity.
Microsoft Exam Objective
Design an Internet and extranet access solution. Components of the solution could include proxy server, firewall, routing and remote access, Network Address Translation (NAT), connection sharing, web server, or mail server.
But what about the idea of a company creating its own web servers and then putting them out on the Internet? Is there a way that Windows 2000 Server can help? Proxy Server 2 can be configured to allow users coming in from the Internet to hit an internal web server. This technique, called reverse hosting, might not be desirable for larger enterprises that have dozens of web servers to maintain. The concept of users coming inside a corporate network to view web documents might strike fear into the hearts of security administrators, but the possibility certainly exists. Figure 14.3 shows what this scenario might look like; it’s a fairly easy configuration to set up and one that would work well. Note that the figure shows a hardware router and firewall, but you could just as easily configure a Windows 2000 computer to act as a router and an additional server loaded with firewall software. This would be the software equivalent of an ordinarily hardware-based solution. But what about the corporation that doesn’t want anything to do with users coming inside the corporate network? The corporate managers want to keep users out of their internal workings—put them on the fringe of the network where they can view web pages but where they can’t create too much trouble if they do manage to hack in to one of the servers. It’s a reasonable and a very common request. A screened subnet, also known as a demilitarized zone (DMZ), is called for in such a circumstance. A lot more configuration has to go on in such a situation. For example, what protocols should be allowed from
the DMZ into the internal network? Obviously, the Hypertext Transfer Protocol (HTTP) normally used for web pages is probably off limits, but what about SMTP for Internet e-mail? You probably would allow SMTP traffic in, because people on your internal network need e-mail. If you were being spammed by somebody, you could turn that off at the Exchange Server.
FIGURE 14.3 Setting up a web server inside the corporate network behind a Proxy Server (figure: a user surfing the web reaches, via the Internet, a router and a firewall, then the Proxy Server at the corporate office)
There are more questions with a DMZ. How about DNS or WINS? We talked about this in Chapter 11, “Planning a DNS Implementation,” and Chapter 12, “Designing a WINS Implementation,” but basically you want to configure a one-way pull scenario in the DMZ so that users can’t modify WINS or DNS entries in the DMZ.
Databases should reside on a server inside the network, but still be able to communicate with the DMZ. Database servers should never live outside the network on the DMZ. Keep your database servers inside the corporate network where they’re nice and safe, and then poke a hole in the firewall that allows the web servers sitting out on the DMZ to talk to the database servers on the inside. Figure 14.4 illustrates this DMZ scenario.
Designing a corporate web presence with a DMZ indicates that low-power services such as NAT and ICS would not be advisable, unless, of course, you’re working with a small SOHO presence and experimenting with the setup. There are other considerations with a DMZ as well. For example, what about Network Load Balancing (NLB), a feature incorporated in Windows 2000 and available for Windows NT 4? You want fault tolerance and load-balancing on your web servers so that when one is being hit exceptionally hard, another can
help ease the load. You might want to consider more formal products such as Site Server and Commerce Server as well, not to mention the whole plethora of web development products that have come out lately to help the Windows web administrative professional deploy a web presence.
FIGURE 14.4 Setting up a web server outside the corporate network on the DMZ (screened subnet) (figure: the Internet, a router, and a firewall sit in front of a DMZ holding five web servers; a second firewall and the Proxy Server separate the DMZ from the corporate network, where two database servers reside)
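The “what should be allowed from the DMZ into the internal network?” questions above, worked as an added example (not the book’s code, nor any firewall product’s configuration language): a first-match packet-filter evaluator that encodes the chapter’s screened-subnet policy, blocking inbound ping, allowing HTTP only to the DMZ web servers, allowing SMTP in to the internal Exchange Server, poking one hole from the DMZ web servers to the inside database server, letting only the Proxy Server browse out, and denying everything else. The zone addresses, host addresses, and database port are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the three zones of Figure 14.4 (an assumption of
# this example; the chapter gives no addresses for the DMZ design).
DMZ = ipaddress.ip_network("192.0.2.0/24")        # screened subnet
INTERNAL = ipaddress.ip_network("192.168.0.0/16")  # corporate network
PROXY_SERVER = "192.168.0.2"    # Proxy Server, behind the firewall
MAIL_SERVER = "192.168.0.10"    # Exchange Server, kept inside
DB_SERVER = "192.168.0.20"      # database server, never on the DMZ
DB_PORT = 1433                  # assumed SQL Server port; the chapter names none


def zone_of(ip):
    """Classify an address as 'dmz', 'internal' or 'internet'."""
    addr = ipaddress.ip_address(ip)
    if addr in DMZ:
        return "dmz"
    if addr in INTERNAL:
        return "internal"
    return "internet"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "any"
    src_zone: str
    dst_zone: str
    src_host: Optional[str] = None   # None: any host in src_zone
    dst_host: Optional[str] = None   # None: any host in dst_zone
    dport: Optional[int] = None      # None: any port

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("any", proto)
                and zone_of(src) == self.src_zone
                and zone_of(dst) == self.dst_zone
                and self.src_host in (None, src)
                and self.dst_host in (None, dst)
                and self.dport in (None, dport))


# First match wins, so the specific database hole must precede the broad
# DMZ -> internal deny.
POLICY = [
    Rule("no inbound ping to DMZ", "deny", "icmp", "internet", "dmz"),
    Rule("no inbound ping to inside", "deny", "icmp", "internet", "internal"),
    Rule("public web servers", "allow", "tcp", "internet", "dmz", dport=80),
    Rule("inbound SMTP to Exchange", "allow", "tcp", "internet", "internal",
         dst_host=MAIL_SERVER, dport=25),
    Rule("web servers to database", "allow", "tcp", "dmz", "internal",
         dst_host=DB_SERVER, dport=DB_PORT),
    Rule("DMZ may not reach inside", "deny", "any", "dmz", "internal"),
    Rule("outbound SMTP from Exchange", "allow", "tcp", "internal", "internet",
         src_host=MAIL_SERVER, dport=25),
    Rule("Proxy Server browses out", "allow", "tcp", "internal", "internet",
         src_host=PROXY_SERVER, dport=80),
]


def evaluate(proto, src, dst, dport=None, policy=POLICY):
    """Return (action, rule name) for a flow; anything unmatched is denied."""
    for rule in policy:
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule.name
    return "deny", "implicit deny"


def demo():
    """Sample flows (constructed; 203.0.113.5 stands in for an Internet host)."""
    return {
        "ping_dmz": evaluate("icmp", "203.0.113.5", "192.0.2.10"),
        "web_dmz": evaluate("tcp", "203.0.113.5", "192.0.2.10", 80),
        "smtp_in": evaluate("tcp", "203.0.113.5", MAIL_SERVER, 25),
        "db_from_internet": evaluate("tcp", "203.0.113.5", DB_SERVER, DB_PORT),
        "db_from_dmz": evaluate("tcp", "192.0.2.10", DB_SERVER, DB_PORT),
        "dmz_to_workstation": evaluate("tcp", "192.0.2.10", "192.168.0.50", 80),
        "proxy_out": evaluate("tcp", PROXY_SERVER, "203.0.113.5", 80),
        "workstation_out": evaluate("tcp", "192.168.0.50", "203.0.113.5", 80),
    }
```

The last two flows show why the Proxy Server belongs behind the firewall: only its address is permitted out on port 80, so a workstation that bypasses the proxy is denied.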
Designing a Mail Server Access Solution
E-mail servers are not something that you would normally put out on a DMZ. For starters, they usually have large databases on them and, because of that, they are awfully tempting for hackers. Putting databases out on a DMZ is a bad idea. Besides database hackability, most corporate networks keep e-mail servers inside because they allow SMTP traffic through their firewalls and into the e-mail servers. After all, the internal users need to receive e-mail from outside sources. No telling how many users might be disappointed if they didn’t get their daily ration of e-mail jokes, right?
Microsoft Exam Objective
Design an Internet and extranet access solution. Components of the solution could include proxy server, firewall, routing and remote access, Network Address Translation (NAT), connection sharing, web server, or mail server.
You can configure Exchange Servers to allow them to be friendlier with users coming in from the Internet. We already mentioned workarounds for getting internal Exchange Servers to talk to Proxy Server. This setup works very well, and it gives you the kind of control you want over your users’ Internet destinations, but keeps your Exchange Servers internal to the business. Figure 14.5 illustrates this setup. It is quite possible, using Windows 2000 VPN or dial-in connections, to allow off-site users to access your internal mail servers. You might consider doing this with a business partner entity that needs to use those servers (for things like setting up calendar appointments or running custom forms).
FIGURE 14.5 Setting up an Exchange Server inside the corporate network but behind a Proxy Server (screened subnet)
[Diagram: a regular user on the Internet reaches the Proxy Server, which passes SMTP (port 25) and Web Proxy traffic to the Exchange Server inside the network]
Exchange Server behind a Proxy Server
You’re messing around with this concept of putting some INI files on the Exchange Server, installing the Microsoft Proxy Server client and thus getting your Exchange Server to talk to the Proxy Server and vice versa. You have Proxy Server installed, but it is not behind a firewall because you don’t think you need a firewall.
You’re having problems—you can’t seem to get the connectivity between Exchange Server and Proxy Server to work. So you call Microsoft. You get an amiable young man (in this case) on the line to help you solve the problem. You’re amazed to find that the tech support rep from Microsoft is able to launch a freeware port sniffer that he downloaded from the Internet and scan the ports of your Proxy Server just as nice as you please! He can tell which ports are active and which ones aren’t receiving any data—which is how he helps you diagnose the nature of the problem. Remember? It was the fact that you had packet filtering turned on. You’re amazed at how quickly he was able to get to your computers, scan to see what you have, and launch an SMTP session to port 25. He could’ve sent a bogus e-mail to anyone he wanted to simply by attacking your e-mail server, but he was there to see if he could help you diagnose the problem. You make a note to check into a firewall product that will allow SMTP packets to pass into your Proxy/Exchange Servers but won’t allow hackers to commandeer the port the way he did tonight.
Summary
This chapter has been about Internet and extranet access. We talked about Microsoft Proxy Server, which acts as a proxy between your users on the private network and the Internet. You can control who is allowed out to which web sites and when. You can set up custom ISAPI filters. You can filter out certain packets such as ICMP. You can buy third-party products such as SmartFilter, SurfWatch, and ProxyReporter that bundle with Proxy Server to provide added security and control to your deployment. Exchange Servers sitting behind a Proxy Server require special configuration to make them able to continue to receive Internet e-mail. NAT (Network Address Translation) is a Windows 2000 protocol that allows you to set up a connection to the Internet through a Windows 2000 Server so that users inside the network hit NAT, and NAT handles the connectivity to the Internet. The NAT translates your users’ private IP addresses to ones that are usable on the public Internet. With NAT you get both a DNS and DHCP proxy, allowing users to do regular name resolution and to obtain a valid private IP address. You can use any form of dial-up connection
you like to get your users to the Internet: ISDN, DSL, asynchronous, or others. When setting up your dial-up connection, you have a choice of going with a demand-dial approach, where the system calls when requested to, or a persistent connection that’s live 24×7. You’d choose a demand-dial connection when you’re being charged by the minute, as in the case of ISDN. A DSL connection would be a persistent connection and is a good choice for small businesses and home offices. The Internet Connection Sharing (ICS) dial-up component is useful for very small networks. It too provides basic DNS and DHCP. ICS cannot be used with the quantity of users that NAT can. You can share applications with the outside world using ICS, or you can set up a VPN to a remote network and use application sharing to run an application on that network. ICS is also limited to using the 192.168.0.z private addressing scheme internally, and all internal clients must get their IP address from the ICS server. When you’d like people to be able to surf to your web servers, you have two choices: place the servers inside the corporate network behind a Proxy Server and firewall, or place them on the DMZ. (You actually have a third option—you could have an ISP host your web site—but that’s a different story.) Setting up a DMZ requires that you pay very close attention to the holes you’re poking in the firewall to allow access in and out. The configuration work is doubled, because you also want to make sure that the Proxy Server is adequately configured as well. In addition to all that, you have to make sure that the databases you use in your e-commerce solutions are consulted, not hacked.
Exam Essentials
Know what Proxy Servers are used for. Proxy Servers have a variety of functions. Their primary purpose is to block users from getting to certain web sites or to block certain people from getting into your network. Proxy Servers can also perform port-filtering and web-auditing services.
Understand the difference between a Proxy Server and a firewall. Firewalls are true security devices that allow for rigid port-filtering and access-blocking schemes. Specific services that are provided by Proxy Servers and/or firewalls depend on the proxy or firewall vendor.
Know how to provide Internet access for small groups of users. If you have a very small office, then Internet Connection Sharing (ICS) is an
inexpensive solution. For networks that are slightly larger, Network Address Translation (NAT) is a good option.
Know how Internet Connection Sharing works. The ICS server needs two interfaces: an internal (LAN) and external (WAN or Internet). The internal NIC will have an IP address of 192.168.0.1/24, and the external connection will have a publicly available IP address (usually provided by an ISP). The ICS server will function as the default gateway, DHCP, and DNS server for clients on the LAN. Clients on the LAN side must be configured to use DHCP, and they will have an address in the 192.168.0.2/24–192.168.0.254/24 range.
Know how Network Address Translation works. NAT allows for more flexibility than does ICS. With NAT, you can have separate DHCP and DNS servers if you choose. Also, the internal addresses are not limited to just the 192.168.y.z range, and internal clients may be statically configured. However, internal addresses must be private addresses.
Know the limitations of using NAT. Many protocols cannot go through the NAT server (these protocols cannot be “NAT-ted”). They include SMTP, LDAP, Kerberos, and IPSec.
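An added example, not from the book or from Microsoft, that turns the ICS and NAT addressing facts above into a check an administrator can run against captured `ipconfig` output. It parses the adapter sections of Windows 2000 `ipconfig` output (the sample below is constructed, as are the adapter names), classifies each client address against the ICS plan the book describes (server 192.168.0.1/24, clients 192.168.0.2 through 192.168.0.254, ICS server as default gateway), flags the 169.254.x.y Automatic Private IP Addressing fallback that review question 7 in this chapter turns on, and audits a NAT inside-address plan against the RFC 1918 private ranges that NAT requires.

```python
"""Added example: checking ICS client configuration and a NAT address plan.

The ICS figures (server 192.168.0.1/24, clients 192.168.0.2-192.168.0.254,
server as default gateway) and the NAT rule that inside addresses must be
private follow the chapter; the ipconfig sample and adapter names are
constructed for this example.
"""
import re
from ipaddress import ip_address, ip_network

ICS_SUBNET = ip_network("192.168.0.0/24")
ICS_SERVER = ip_address("192.168.0.1")
APIPA = ip_network("169.254.0.0/16")   # Windows self-assigned range when no DHCP reply arrives
RFC1918 = (ip_network("10.0.0.0/8"),
           ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16"))

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
FIELD_RE = re.compile(r"^\s+(IP Address|Default Gateway)[ .]*:\s*(\S*)\s*$")


def parse_ipconfig(text):
    """Return {adapter name: {"ip": ..., "gateway": ...}} from ipconfig output."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {"ip": "", "gateway": ""}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key = "ip" if m.group(1) == "IP Address" else "gateway"
            adapters[current][key] = m.group(2)
    return adapters


def diagnose_ics_client(ip, gateway):
    """Classify one client against the ICS addressing plan."""
    addr = ip_address(ip)
    if addr in APIPA:
        return "no-dhcp-lease"         # the ICS server never handed out an address
    if addr == ICS_SERVER:
        return "ics-server-address"    # a client holding the server's own address
    if addr not in ICS_SUBNET or addr in (ICS_SUBNET.network_address,
                                         ICS_SUBNET.broadcast_address):
        return "outside-ics-range"     # static or foreign address; ICS clients must use its DHCP
    if gateway != str(ICS_SERVER):
        return "wrong-gateway"         # traffic will never reach the ICS server
    return "ok"


def diagnose_all(text):
    """Diagnose every adapter in an ipconfig capture that reports an address."""
    return {name: diagnose_ics_client(a["ip"], a["gateway"])
            for name, a in parse_ipconfig(text).items() if a["ip"]}


def nat_inside_violations(addresses):
    """NAT needs private inside addresses: return the ones that are not RFC 1918."""
    return [a for a in addresses if not any(ip_address(a) in n for n in RFC1918)]


# Constructed capture: one adapter fell back to APIPA, one is a healthy ICS client.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 169.254.18.221
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Lab Connection:

        IP Address. . . . . . . . . . . . : 192.168.0.77
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
"""

if __name__ == "__main__":
    for name, verdict in diagnose_all(SAMPLE_IPCONFIG).items():
        print(f"{name}: {verdict}")
    print("NAT plan offenders:",
          nat_inside_violations(["10.4.2.9", "203.0.113.5", "172.20.1.1"]))
```

A 169.254.x.y address is the first thing to look for: it means the client asked for a lease and nobody answered, which on an ICS network points at the ICS server rather than at some separate DHCP server, since ICS does not allow one.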
Key Terms
A lot of these connectivity terms may be familiar to you, so there aren’t a lot of new terms in this chapter. Here are the new ones. Be certain you are familiar with them for the exam.
demilitarized zone (DMZ)
denial of service (DoS)
extranet
Hypertext Transfer Protocol (HTTP)
Internet Connection Sharing (ICS)
Internet Service API (ISAPI)
Network Address Translation (NAT)
persistent connections
proxy array
reverse hosting
screened subnet
SOCKS
Web Proxy
Winsock
Review Questions
1. You are an independent networking consultant specializing in small office environments. A law firm you’re working for wants to save costs on Internet connectivity. They want all five employees to be able to access the Internet through one modem connection. You decide to implement Internet Connection Sharing as the most cost-effective solution. What IP range does ICS use for its DHCP proxy service?
A. 192.168.0.1–192.168.0.254
B. 192.168.0.1–192.168.48.254
C. 192.168.0.1–192.168.126.254
D. 192.168.0.1–192.168.255.254
2. You are setting up Internet Connection Sharing for a small law firm. The partners in the firm are interested to know what types of connections are supported by ICS. What dial-up options are you provided with when setting up Internet Connection Sharing? Choose all that apply.
A. Demand-dial
B. Dial-up
C. VPN
D. Dial-in
3. You are the security analyst for your company. You’ve configured an external firewall, and you’ve set up Microsoft Proxy Server 2.0 behind the firewall. Your network is a Windows 2000 domain running in native mode, and you have one Exchange 2000 Server. When configuring Exchange Servers behind a Proxy Server, what two things do you need to do to the Exchange Server?
A. Install the MSProxy connector.
B. Add two INI files.
C. Stop and start the MTA.
D. Install the Microsoft Proxy Agent software.
4. Your network has three separate locations, but only one Internet connection to your ISP. Although you have tried to get management to pay for independent connections at all locations, they mandate that all Internet traffic must pass through a central point for auditing purposes. Your company has a zero-tolerance Internet access policy regarding pornographic or hate materials. You want to provide your users with fast Internet access while maintaining control over usage of the Internet connection. What feature would work well in a situation such as this?
A. Internet Connection Sharing
B. NAT
C. Commercial firewall
D. Proxy array
5. You are the network manager for your company. One of your LAN administrators, Sarah, is trying to set up an Internet Connection Sharing VPN connection, but she’s having trouble getting it to work. Pick two possible things to look for.
A. She’s trying to set up the VPN using L2TP and IPSec.
B. She’s trying to set up the VPN using PPTP.
C. She’s using invalid credentials in the VPN setup.
D. She’s using too strong of an authentication protocol when setting up the VPN.
6. You are the security administrator for a large marketing firm. In order to facilitate proper web access for your users, you have deployed Microsoft Proxy Server 2.0 on your network. You have heard that Microsoft Proxy Server supports the use of third-party add-ons for enhanced reporting, filtering, and monitoring capabilities. What methodology are vendors required to use in order to bundle in with Proxy Server?
A. Winsock Proxy
B. SOCKS
C. ISAPI
D. Web Proxy
7. You are the network consultant for a small, independent insurance organization. To provide Internet access, you have installed Internet Connection Sharing on one of the machines. The ICS machine has a persistent DSL connection to the Internet. The 10 users in the office have accessed the Internet many times, and they like the configuration. However, one day you get a call from a user who cannot access the Internet or the company’s server. When the user runs IPconfig, they report an IP address of 169.254.18.221. What could be the problem?
A. The user is not getting an IP address from the DHCP server.
B. The user is not getting an IP address from the ICS server.
C. The user is not getting an IP address from the DNS server.
D. The pool of available IP addresses for clients has been exhausted.
E. The client has a statically assigned IP address.
F. There is not enough information provided to accurately assess the situation.
8. You are the network administrator for your company. Recently, you have deployed a NAT server for Internet access. Users are complaining that Internet access is unacceptably slow. What are two ways that you can enhance the performance of a NAT server?
A. Add a second NAT server for redundancy.
B. Make sure the Internet connections are persistent connections.
C. Add a router to the public side.
D. Provide multiple Internet connections.
9. You are the network administrator for your company. For secure Internet access, you have deployed a hardware firewall and router. You have employed port-filtering on the firewall. Now, you’re considering adding Microsoft Proxy server to the mix. Why would a Proxy Server be useful on the corporate (private) side of a DMZ if there is a router and firewall on the public side?
A. To keep hackers from coming into the network
B. To restrict and control Internet usage from users on the private side
C. To maintain a list of everyone who hits the web servers
D. To provide packet-filtering services
10. You are the network manager for your company. One of your administrators, Ricardo, is finalizing a Proxy Server installation. However, users are not getting IP addresses from the server. What could be the problem?
A. Proxy Server doesn’t do DHCP server work.
B. The DHCP Server service has been stopped.
C. The DHCP scope isn’t correctly configured.
D. The Proxy Server’s private NIC isn’t in the correct subnet.
Answers to Review Questions
1. A. A is the correct answer for a Class C subnet mask.
2. B, C, D. You have the ability to create a dial-up, VPN, or dial-in connection. Then, when you’ve created the connection, you also have the ability to tell the system whether it’s a persistent or a demand-dial connection.
3. B, D. You first copy the INI files (found on the Proxy Server CD or at the Microsoft web site) to certain places on the Exchange Server. Then you install the Proxy Server client agent software and reboot the Exchange Server. When this is all done, you should be talking to the Proxy Server through the Winsock Proxy service.
4. D. A Proxy Server array—a set of Proxy Server computers that trickle their Internet requests upward to the main Proxy Server that’s connected to the Internet—would be a practical approach to this problem. You’d set up a Proxy Server at each of the outlying locations, then have them send their Internet requests to the main Proxy Server. In this way, the outlying Proxy Servers would cache the URL requests that users made and make a faster surfing experience for users.
5. A, C. The most likely candidates that will give Sarah trouble with a configuration like this are: trying to use IPSec, which Internet Connection Sharing does not support, and using invalid credentials when setting up her VPN. ICS supports PPTP, so that’s probably not the difficulty, which is why B is wrong. While D could be possible, it’s not likely, especially with Windows 98 or newer clients. See Chapter 15 for more details on authentication.
6. C. ISAPI filters are custom filters that third-party vendors create to work with Proxy Server. The other three choices are protocols that Proxy Server works with.
7. B. Although answer A is tempting, remember that when using ICS, the ICS server is the DHCP server. There can be no separate DHCP server on the network. Answer E may be tempting as well. However, since the IP address that the client is reporting is within the APIPA range, answer B makes the most sense.
8. B, D. The best things you can do to enhance NAT performance, besides dedicating a computer specifically to NAT, are to make sure that the Internet connections are persistent rather than demand-dial and to provide multiple Internet connections if possible. At some point, though, you’ll reach a place where the network has grown to full-blown router, firewall, Proxy Server size.
9. B. While you could very easily provide packet-filtering services using Proxy Server, you’ll probably have the firewall configured for that kind of activity long before anything gets to the Proxy Server. You want the Proxy Server in place so you have control over your private-network users and their usage of the Internet.
10. A. Microsoft Proxy Server doesn’t do DHCP work like NAT and ICS do. You’ll have to have a separate DHCP server for that kind of work. In addition, it’s not a good idea to run DHCP server on the same server as Proxy Server. Proxy Server stays very busy in the course of a workday when many users are surfing to web sites they need for business-related purposes.
CASE STUDY
The Smallish Multinational Network
You should give yourself 10 minutes to review this case study, diagram as needed, and complete the questions for this testlet.
Current and Envisioned System
You’re a system administrator for a small network of about 300 users, split evenly in three separate geographic regions: London, Denver, and Montreal. Up to now, the three entities could not communicate with one another because you hadn’t yet been allowed to set up interconnectivity among the three locations. Everything has been done by phone and fax. Now it’s obvious that e-mail and other network services would be very useful to this growing company. How do you use Windows 2000 to set up inexpensive interconnectivity between the three locations? You think it would be best to provision a high-speed DSL connection to an ISP local to each location. Then you’ll use Windows 2000 servers to use NAT and a VPN connection that connects the locations together.
Security
Any time you run data across the Internet, security needs to be a factor. You want to use L2TP and IPSec for your VPN configuration. You don’t think you need to implement any RRAS IP filtering at this time since you’re using VPNs for this work.
Availability
You’ve decided that demand-dial just won’t work for the number of users who will be using the system at any one time.
Maintainability
Because of the multinational aspect of this setup, you need to be able to rely on administrators in the other locations to help maintain the linkages should there be a problem.
Funding
Expensive routers and high-end technology are not feasible for this project.
Questions
1. Is the technology that’s going to be used for the project feasible?
A. Yes, this solution will work fine and is appropriate.
B. Yes, but there are better solutions that cost about the same.
C. No, because of the complexity of the setup.
D. No, because a router’s not being used.
2. Will any reconfiguration of the current user base be necessary?
A. No, nothing on the user side needs reconfiguring.
B. There’s not enough information in this case study to decide.
C. Yes, because NAT uses a special IP range of addresses.
D. Yes, because the existing DHCP servers will have to be eliminated.
3. What security problem exists with the proposed project?
A. Encryption of data over the VPNs is not mentioned as a necessity.
B. RRAS IP filtering should be enabled for ICMP and FTP traffic.
C. L2TP and IPSec are not allowed in NAT configurations.
D. Too many administrators have control over the network.
4. You can’t provision a DSL line for the London office (too far away from the central office), but you can easily obtain a 128K ISDN line. Will this work in the proposed solution?
A. No, it will not. All data circuits must use the same technology.
B. No, because you’ll need a special ISDN adapter in your other NAT servers.
C. Yes, it will work just fine—slower than you desired, but fine nonetheless.
D. There’s not enough information in the case study.
5. Connect each location to the network element(s) you know it will need.
[Diagram exercise: locations London, Montreal, and Denver; network elements RRAS, DC, Proxy Server, NAT, and Internet (via ISP); connection types ISDN, DSL, L2TP, PPTP, Dial-In, On Site]
6. What will this NAT project not accomplish for you?
A. Users will be able to get to the Internet.
B. Users will be able to send e-mail to one another.
C. Users will be able to transfer files to one another.
D. The network can be expanded as locations are added.
Answers
1. A. The number of users is approaching the high-water mark for a solution like NAT. But, figuring in cost effectiveness, the ability of NAT to work with VPNs and the fact that you don’t have to buy extra networking gear make this a good solution.
2. B. You’re not told what current IP ranges are in use on the network, nor are you told whether there are DHCP servers currently running. Both of these determinations would have to be made and addressed before you could go forward with the project. Remember that there can be no other DHCP servers on the network (because of the potential of using an invalid range) and that the IP range for NAT is very specific.
3. C. The fact that you’re using a VPN automatically implies that the data will be encrypted. There’s no need to do any IP filtering because you’re tunneling through the Internet, not going over it. One administrator per location isn’t overkill. Also, you cannot use IPSec over L2TP with NAT; although NAT supports VPNs, it does not support this particular implementation of a VPN.
4. C. NAT doesn’t care about the endpoint connectors. As long as you can set up a VPN circuit off of your Windows 2000 computers on each side and validate with accurate credentials, the system will work.
5. [Answer diagram: Montreal, Denver, and London each connect On Site over DSL to the Internet (via ISP); the RRAS/NAT server, Proxy Server, and DC are the network elements shown.] The most serious limitation of this design, and one that you might overlook until you dig into it, is the fact that NAT doesn’t support configuration of the DHCP scope. You’re stuck with the numbers provided. Note that it’s probably important for you to verify for sure that you can obtain an ISP and a high-speed DSL connection to each location before you move forward with the rest of the project.
6. A. Since you’re simply talking to each of the locations via VPN, there is no room to get out to the Internet. This setup is all network-to-network and includes no room for Internet activity, which may be a fine objective of the stakeholders who mandated the system.
Chapter 15
Designing a Remote Access Solution
MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Design an implementation strategy for dial-up remote access.
Design a remote access solution that uses Routing and Remote Access.
Integrate authentication with Remote Authentication Dial-In User Service (RADIUS).
Even though there have been many enhancements to Windows 2000, its functionality is quite similar to NT 4’s. You still have users, groups, and domains, and WINS, DHCP, and DNS. All that stuff hasn’t changed; it has just grown larger and more detailed. Routing and Remote Access Service (RRAS) happens to be the exception to this consistency. Sure, Windows NT 4 did have Remote Access Services (RAS), and in its later development stages you could implement a kind of RRAS, but it was nothing like this tool that you have with Windows 2000. The majority of changes that were made coming from Windows NT 4 focus on Active Directory (AD) and RRAS. There’s a lot to know about RRAS, a lot that’s been made simpler, and a lot that leverages the Internet. So this is an important chapter, one that has a lot of detail to it. In the future, you are likely to see Microsoft literature that emphasizes how to leverage RRAS as a way of connecting networks together—doing it cheaply, securely, and efficiently.
Designing an RRAS Implementation
When you design an RRAS implementation, you begin by asking yourself a very basic question: What is my goal for this RRAS solution? You have three choices when answering this question:
You’re designing this implementation for a server-to-server connection.
You’re designing this implementation for a telecommuting usage, where people dial into the system to access resources (more colloquially known as Remote Access Services (RAS)—users are said to be “RASing” or dialing in to your system when they gain access to corporate resources via phone lines).
You’re setting up a demand-dial connection so that internal users can access the Internet.
All three of these needs are adequately addressed by RRAS.
Microsoft Exam Objective
Design an implementation strategy for dial-up remote access.
Design a remote access solution that uses Routing and Remote Access.
Integrate authentication with Remote Authentication Dial-In User Service (RADIUS).
Once you know whether you’re talking about a server-to-server, telecommuting, or demand-dial solution, then you can figure out what sort of connectivity to provision, what method(s) of authentication you’ll use, what security you’ll apply, and whether you’ll go with a straight RAS-based solution or with a virtual private network (VPN).
Choosing the Correct Type of Remote Access Provision
When you request a data or phone circuit from a carrier, you’re said to be provisioning that circuit. Provisioning a circuit often lies within the realm of a corporate administrator’s work, though large enterprises have dedicated areas that handle the provisioning and setup of data and telephony circuits. Today’s telephony carriers have a plethora of options they can offer to provide just the speed and number of concurrent connections you need for a given RRAS design. Suppose that you require a simple dial-in solution where users RAS in to your servers through conventional phone lines. Suppose that your design calls for 24 total connections; that’s one T1 telephony circuit. So if your company maintains its own PBX gear, maybe your next approach would be to request from the telephony department a dedicated T1 line so that you have a total of 24 phone lines for your RRAS solution. Or, optionally, you can provision a dedicated T1 from your carrier and use the circuits that way. In either case, the identification of 24 phone lines precipitates the decision about what sort of provisioning you require.
Note that once you receive this T1 circuit at the place where the phone company delivers it, called the demarcation point (d-mark), it’s up to you to figure out how to transport it to your servers. In a corporate network where you have a telephony group that can run their own T1s to private PBXs, it’s possible they might just throw you what looks like an Ethernet cable. In any case, you’ll have to find a way to get the T1 split out and into the server, whether an onboard device in your server can divide a T1 into 24 logical channels or you have 24 individual phone lines given to you. Provisioning a circuit brings the circuit to your door; it doesn’t tell you how to use it.
Suppose that you want users to be able to use their home cable modem, DSL, or ISDN high-speed connections to the Internet to access corporate servers through a VPN. Does this mean that you’ll have to provide cable, DSL, and ISDN services so that you can support each of the three different kinds of users? It does not. What it really means is that you have a high-speed connection to your corporate ISP (one that can grow because VPNs will place some load on the system), and that you set up a VPN that these users can come in through. You’ll probably need to help configure the users so that their machines are able to successfully connect to your corporate VPN. The point here is, you do not need to provision each different kind of line. RRAS supports conventional asynchronous (regular telephone line) circuits, ISDN (Basic Rate Interface [BRI], not Primary Rate Interface [PRI]), and X.25, either through a packet assembler/disassembler (PAD) or via a direct connection. With telecommuting users and demand-dial setups, you have these three choices and no others. Your provisioning options are going to revolve around one of these three choices for RAS or demand-dial (nonVPN) connections. Figure 15.1 shows what each of these connections might look like. Note that at the corporate interface or d-mark, you might not have an ISDN adapter; you may have a different kind of ISDN device. The same is true for X.25. But an X.25 user trying to connect to you via a PAD expects to see an X.25 connection on your side.
A telephone company is often called a public switched telephone network (PSTN). Another term you might hear used for the phone company is a carrier. A regular telephone line, such as the one in your house, is called a plain old telephone service (POTS) line and is synonymous with the technical phrase asynchronous line.
FIGURE 15.1 The three flavors of Windows 2000 RRAS
[Diagram: an X.25 user connects through an X.25 PAD and the carrier’s X.25 cloud to an X.25 connection; an ISDN user connects through an ISDN modem to an ISDN connection; a standard phone line user connects through an analog modem to your modem(s); all three terminate on your network]
VPN telecommuters and VPN server-to-server connections allow you to figure out how you’re going to get from point A to point B. For example, suppose you have a Digital Services-3 (DS3—runs at 44Mbps) connection to your ISP. You have a server in Sydney with the same kind of ISP connection. Your provisioning is already done. You have circuitry to the Internet and so does the Sydney office. What you do now is set up the VPN circuits, a task that assumes the provisioning part is concluded. Figure 15.2 shows a diagram where you can see how the VPN setup works. You select a method to connect your corporate presence to the Internet via an ISP. The telecommuting user also has some sort of connection to his or her ISP. You set up some additional Windows 2000 software so that a VPN is created and the user can tunnel into the network using the Internet as the backbone. Figure 15.3 illustrates a situation where, instead of a user on the other end of the line, you’re connecting to another network—perhaps one that’s within your company but separated by a geographic distance (as in the Sydney example). You could also be connecting to a network that’s not part of your corporation, perhaps as in a business partner relationship of some kind.
Chapter 17, “Planning a Virtual Private Network (VPN) Implementation,” talks in more detail about VPNs.
FIGURE 15.2 Standard VPN setups, with a user on one end of the connection
[Diagram: a corporate user telecommuting in connects to the user’s ISP; the Internet joins that ISP to the corporate ISP, which reaches your network over an ISDN connection, T-1, T-3, DS-3, OC3, OC12, etc., with modem(s) at the corporate router]
FIGURE 15.3 Standard VPN setups, with another network on one end of the connection
[Diagram: a second network behind Corporate ISP2 reaches the Internet; Corporate ISP1 connects the Internet to your network over an ISDN connection, T-1, T-3, DS-3, OC3, OC12, etc., with modem(s) at the corporate router]
The second corporate network shown in Figure 15.3 connecting to the first network could be your own SOHO network. You can easily set up a Windows 2000 Server computer at your house, connect it to the Internet with DSL, cable modem, or ISDN, and then set up a VPN at your corporate HQ so that you can access the corporate network and remotely troubleshoot problems from home. This is a common use of VPNs by corporate administrators, one that works well.
The single most important design question you can ask yourself, from a provisioning perspective, is: How many users do you think will be on the system once it’s made ready? A second question is: How large do you think the system will grow? The provisioning you do depends on the anticipated initial load and the projected future load of the system. If you think you can add on at any time, then future load doesn’t play nearly as important a role. But if you think you need a partial T1 of 16 or 17 circuits, it might make sense to go ahead and order a full T1 in anticipation of future growth of the system. You save yourself the trouble of ordering a fractional T1, and you have some room to grow.
Remote Access in a Routed Environment When users telecommute in to your network, will they have access to the entire network, including any locations that you have connected by WAN links, or will they only be connecting to the local network and no other? In a routed environment, if a user connects to or requests resources from a segment other than the one the RAS server sits on, the data must travel from that remote segment through the RAS server’s interface and out to the user. While the user may have fairly decent throughput (56K, for example), the fact that the resources were requested from a remote segment may have an impact on the total I/O the user realizes; it may also have an aggregate effect on the total throughput of the RAS interface, possibly making other users wait longer while a resource is requested. You can restrict the places a user can go in one of three ways:
By allowing access to only those resources that are on the remote access server. You have to set this option individually on each server you configure, and the option applies to all users connecting to the server (both of which could present problems).
By controlling access to other subnets through router configurations that prohibit the user from going any farther than the local subnet.
By defining static routes to subnets that the user is permitted to go to.
Routed Networks The key to this kind of situation is to put the RRAS servers on the segment where the most activity is likely. Suppose you have two campuses connected by moderate-speed WAN links and separated by hundreds of miles. You may be able to provision cheaper connections through one of the campuses, but if that campus isn’t the one that users will be going to for most of their resources, then it’s the wrong choice for the RRAS location. It’s great that you’re getting a deal on phone lines at the remote location, but your users will pay for it because of the slowed speed of crossing the WAN link to access common resources.
Switched, Non-Routed Networks In a flat, non-routed network where you’re only using switches, place the RRAS servers on the same switch as the other servers where users are likely to try to access resources. This prevents the switch from having to send data to other switches, keeping the design localized to some extent. The more you can keep the activity within the switch fabric of the switch that the majority of the servers are tied to, the faster your remote users will be able to access resources.
Placing RRAS Servers in the DMZ There may be a time when you’d want to position an RRAS server in the DMZ, or a screened subnet. You might want to do this so that telecommuting clients are authenticated by a firewall or by some kind of filtering instead of simply relying on the RRAS security to handle authentication. Another reason you might do this is if the RRAS server also has public files on it. Furthermore, you might choose to go this route if the resources that clients need are on the screened subnet, not on private subnets. In any of these circumstances, consider placing your RRAS server in the DMZ, not in the private network.
The RRAS User Aggregate Effect The aggregate effect of multiple RAS users dialing in can surface in a few different ways, one of which was already mentioned. Suppose that you have a 10MBps Ethernet network—that is, the backbone is running at 10 megabytes, as are the servers and client computers. Now suppose that you have 100 accounting users who need to RAS in to access a corporate accounting package. These users RAS in daily and access the package for the majority of the day, each of them connecting at 56Kbps. The network runs terribly slowly, and you’re wondering why. You consult with your internetworking expert, who runs a sniffer trace, and you find that each RAS connection uses about 30Kbps of the total pipe. When you calculate your aggregate bandwidth: 100 users × 30Kbps = 3000Kbps, that could be a fairly significant chunk (about 30%) of the total bandwidth available for the entire network. The user’s interface can handle the throughput at the connected speed, as can the RAS interfaces, but the network bogs down because so many users are drawing on common resources over a slow backbone. Infrastructure is everything. Ethernet is a terribly inefficient topology to begin with; there’s no sense in hampering it any more.
Security Scenarios One argument that managers will put forward for not implementing an RRAS solution (apart from the fear that telecommuters aren’t really doing their job when working from home) is that RRAS servers might not be very secure. After all, isn’t it possible that some 15-year-old hacker could obtain some freeware phone-dialing software and start dialing around until he hit a RAS server? Then, if he happened to hit your RAS box, isn’t it entirely feasible that he’d simply whip out his freeware account-breaking software and run it until he got access to the network? Then who knows what kind of chaos he could create once he was inside and had the administrator username and password? As illogical as this argument might seem, there are managers who think this way. So you have to be prepared with arguments that stipulate what kind of security is available when setting up and using RRAS and what sorts of “holes” the creation of an RRAS server might make in your network.
Protocol Choices Windows 2000 RRAS supports four different network protocols:
TCP/IP
NWLink (IPX/SPX)
NetBEUI
AppleTalk
The protocols you’ll pick for your RRAS implementation are determined by the clients that will be dialing in and the resources they’ll be connecting to. For example, if you have Macintosh users dialing in, they will likely use AppleTalk to connect to the RAS system (although Macintoshes can use TCP/IP as well). Since any of these protocols can be enabled by the administrator, part of your RRAS security design should include determining which protocols may run on the system and which ones should not be allowed because they’re not needed. NetBEUI, while fast, isn’t necessary in today’s networks and should be immediately struck. If you don’t have NetWare servers to worry about connecting to, don’t use NWLink. Try to get your protocol list down to the bare minimum needed for users to connect.
A product for the Macintosh, called Dave, allows Macintosh computers to log in to Windows NT servers and act as NetBIOS clients, eliminating the need to run the AppleTalk protocol and having to install SFM on servers. Dave would be a boon to administrators who have Macs that need to RAS in and connect to corporate resources because you could get one (chatty) protocol out of the telecommuting picture.
Authentication Protocols Far more important than your protocol choice is the method that you use for the authentication of users—how the client and the server are going to agree on a user’s credentials when that user is requesting access to the network. Several different authentication methods are supported in Windows 2000 RRAS, as shown in the following list from most secure to least secure:
Extensible Authentication Protocol-Transport Level Security (EAP-TLS). A certificate-based security environment that would be predominantly used by smart card–enabled computers accessing resources via RRAS.
Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAP v2). Same methodology as MS-CHAP (next bullet), but with enhancements such as two-way authentication. Also, MS-CHAP v2 introduced some changes to the way that the cryptographic key is analyzed, and MS-CHAP v2 no longer accepts LanMan-encoded password changes.
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). Works on PPP, PPTP, or L2TP connections. A server running MS-CHAP sends the requestor (RAS user) a session identifier and an arbitrary challenge string. The requestor enters their username and password and sends back the username, password, encrypted challenge string, and session ID. The server checks everything and, if it’s valid, allows the user on.
Challenge Handshake Authentication Protocol (CHAP). Similar to MS-CHAP but supports non-Microsoft remote access clients; disabled by default.
Shiva Password Authentication Protocol (SPAP). Used with Shiva LAN Rover remote access servers. Windows 2000 computers connecting to Shiva LAN Rovers use SPAP.
Password Authentication Protocol (PAP). This protocol examines only plain-text passwords and is only slightly more secure than no authentication method at all.
Unauthenticated access. You don’t ask for, nor do you receive, user validation credentials.
As you configure an RRAS protocol, you also configure authentication choices. Given the seriousness of providing a user with the capability of dialing into corporate servers, it’s not a good idea to use PAP or unauthenticated access. You should start with MS-CHAP v2 (provided RRAS is running on Windows 2000 computers—version 2 isn’t supported in Windows NT 4 until SP4) and then, if needed, work your way down. If your network is using smart card technology, then EAP is your only choice.
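The contrast between PAP and the challenge/response methods in the list above, as an added example that is not from the book: it models PAP and generic CHAP (RFC 1994, an MD5 over identifier, secret and challenge, rather than MS-CHAP’s NT-hash variant) in Python, with a constructed user name and secret, and shows that a CHAP response captured on the wire neither reveals the secret nor satisfies a fresh challenge.

```python
"""PAP versus CHAP (RFC 1994) between a dial-in client and a RAS server.

Added example, not from the book: the user name and shared secret below are
constructed sample data, and the server-side store is a plain dict.
"""
import hashlib
import hmac
import os

# Constructed credential store on the authenticating server (user -> secret).
CREDENTIALS = {"alice": "correct horse battery staple"}


def pap_request(user, password):
    """PAP: the client's request carries the password itself in the clear."""
    return {"user": user, "password": password}


def pap_server_check(request):
    secret = CREDENTIALS.get(request["user"])
    return secret is not None and hmac.compare_digest(secret, request["password"])


def chap_response(identifier, secret, challenge):
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class ChapServer:
    """Authenticator side: hands out a fresh challenge, then checks the response."""

    def __init__(self):
        self._next_id = 0
        self._outstanding = {}  # identifier -> challenge still awaiting a response

    def challenge(self):
        self._next_id = (self._next_id + 1) % 256
        chal = os.urandom(16)  # unpredictable, so a response cannot be precomputed
        self._outstanding[self._next_id] = chal
        return self._next_id, chal

    def verify(self, identifier, user, response):
        chal = self._outstanding.pop(identifier, None)  # each challenge is single-use
        secret = CREDENTIALS.get(user)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, chal), response)


def chap_client_respond(identifier, challenge, user, secret):
    """Client side: prove knowledge of the secret without transmitting it."""
    return {"id": identifier, "user": user,
            "response": chap_response(identifier, secret, challenge)}


def demo():
    """Run both exchanges and report what a capture of the link would have seen."""
    results = {}
    secret = CREDENTIALS["alice"]

    # PAP: the request itself contains the password, so the wire exposes it.
    req = pap_request("alice", secret)
    results["pap_ok"] = pap_server_check(req)
    results["password_on_wire"] = req["password"] == secret

    # CHAP: only a 16-byte digest crosses the wire; the secret never does.
    server = ChapServer()
    ident, chal = server.challenge()
    resp = chap_client_respond(ident, chal, "alice", secret)
    results["chap_ok"] = server.verify(resp["id"], resp["user"], resp["response"])
    results["secret_on_wire"] = secret.encode() in resp["response"]

    # Replaying the captured digest against a new challenge fails, as does
    # replaying it against the already-consumed identifier.
    ident2, _ = server.challenge()
    results["replay_ok"] = (server.verify(ident2, "alice", resp["response"])
                            or server.verify(ident, "alice", resp["response"]))

    # A client that does not know the secret cannot build a valid response.
    ident3, chal3 = server.challenge()
    bad = chap_client_respond(ident3, chal3, "alice", "wrong secret")
    results["wrong_secret_ok"] = server.verify(bad["id"], bad["user"], bad["response"])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```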
Encryption Choices You have two encryption choices at your disposal with RRAS (and RADIUS): Microsoft Point-to-Point Encryption (MPPE) or L2TP over IPSec.
MPPE uses RSA’s RC4 stream cipher and works with either PPP or PPTP. You can set it for 40-bit or 128-bit in the U.S. and Canada or for just 40-bit in international locations. MPPE works with all of the authentication protocols except unauthenticated access, and with MS-CHAP, MS-CHAP v2, and EAP-TLS, you can force encryption. If the client refuses encryption, it’s dropped! Remember that MPPE is Microsoft proprietary. L2TP is used in VPN setups with IPSec. L2TP works with CHAP, MS-CHAP, MS-CHAP v2, and EAP-TLS. Because L2TP uses certificates, a public CA (certification authority) server must be present for it to work. There’s more information on L2TP in Chapter 17.
Server Integration RRAS also integrates nicely with third-party remote access servers, such as a Shiva LAN Rover. You would, of course, use SPAP for your authentication protocol when contacting a Shiva product. RRAS integrates with NetWare Connect, Unix-based SLIP or PPP, and any other PPP-based RAS servers that might be out in network-land. Keep in mind that other communications servers might have much less stringent authentication paradigms than what Windows 2000 provides, and you might wind up easing up on the security model if you need to integrate with other RAS boxes. In such a case, maybe it would be time to revisit the RAS scenario to see whether a Windows 2000 solution wouldn’t be a suitable replacement for old, outdated methods.
Serial Line Internet Protocol (SLIP) is an old precursor to PPP. It’s not as secure, fast, or robust as PPP, and it’s not used much anymore. Because of SLIP’s lack of security, Windows 2000 can only use it as a client, not as a server.
Active Directory Integration Perhaps the most secure thing you can do for an RRAS implementation is to integrate it into AD native mode. With AD in native mode, you can set up remote access policies that strictly control who is allowed to connect to the network, in whatever method you use (dial-in, VPN, etc.). With AD set to native mode, you not only have the centralized administrative capabilities of the MMC, but you also have the ability to control permissions through remote access policies.
In either native mode or mixed mode, you can still control individual access to the RRAS servers through domain group policies.
Whether working with policies or not, you still have some control over the permissions that you grant to users. For example, there’s nothing stopping you, regardless of mode, from setting NTFS permissions for various resources that you either want or do not want RAS users to have access to. You can also set, through the RAS permissions themselves, whether users are allowed access to resources only on the connected RAS server, or to the entire network’s resources. The domain must be in native mode for you to be able to control access through remote access policies. You also have the option of setting the time of day when access is allowed. Remote access policies are described in more detail later in this chapter.
High-Availability Scenarios As with all things that pertain to networks and servers, the key to high availability is redundancy and fault tolerance. A good rule of thumb for equipping servers is to correctly size your computers for the anticipated load you think they’ll undergo, then add 25% for a fudge factor. Be sure to design dedicated RRAS servers that have plenty of RAM and CPU. (Disk space isn’t so important in a telecommuting server, unless, of course, you’re planning on allowing users to access files or applications from the local server drives.) The redundancy idea takes on a whole new perspective when you begin to think about the correct sizing and fault tolerance of RRAS servers. For example, if you don’t already own an RRAS server, think about how users might use one were you to put it in place on the network. At first, maybe only a handful of users would begin to use the service (chief among them, developers and administrators). But it wouldn’t take too long before others who need after-hours or sick-day access to the network would follow as well. In a high-tech corporate environment of 1,000 users, you could probably expect about 10% of them would take the opportunity to telecommute, and in a not-so-technical setting it’s safe to say that 5% might do it. What does that mean in terms of available modems (or alternative circuits)? Should you install 50 modems for a 1,000-user non-technical shop? That may not be too far off of the mark, especially if your network is growing. But don’t hook all 50 modems up to one server! Remembering the SPOF and fault-tolerance characteristics of servers, it’s better to dedicate at least two different servers to these processes, providing redundancy and load-balancing. You can easily hook up 25 modems with a couple of multiport serial adapter cards such as those made by Digi International, or with a modem cage that contains several multiple-modem cards. It’s important to keep in mind that users definitely have the ability to wreck your infrastructure’s bandwidth, depending on the kinds of file access that they’re requesting. The speed of the infrastructure backbone is going to make a serious impact on how you set up your RAS servers. If you have a 10Base-T (10MBps) backbone, you won’t be able to host nearly as many RAS users as you would if you had a 100Base-T or 1000Base-T backbone—for strictly numeric reasons. Suppose each user was able to attain a 56Kbps connection to the RRAS servers. This means that you could reasonably provide service to 175 users or so (given a 10Base-T network). Why? Well, divide 10,000,000 / 56,000 and you come up with about 178 concurrent 56Kbps connections. But you have other traffic going over the wire, even late at night—backups, Exchange Servers chatting with one another, etc. So let’s drop this theoretical maximum to 150 concurrent users. There are indeed other factors, such as the fact that you’ll never truly realize a full 10,000,000 bits per second out of a network; it’ll be more like 8,000,000. Furthermore, your users will never experience true 56Kbps throughput due to error correction, waiting for other LAN processes, user authentication, encryption, and so forth, but you get the idea. Load calculation, balancing, and anticipation will go a long way in reducing downtime on your telecommuting installation.
You shouldn’t rely on RAS to offer applications to users over slow telephony circuits. Terminal Server is much better for this kind of work. Users will still connect to the terminal server via RAS, but the applications will run from the terminal server and provide much higher throughput for remote users.
It may be prudent to look into remote access servers that function as dedicated hardware devices and that help manage the load and take some of the impact off of the network. The Shiva products have been around a long time, and 3Com corporation has its new Total Control Module (TCM) with HiPer ARC router, an all-in-one box that acts as an NT computer, router, and RAS server. These devices can help manage your network traffic, provide telecommuters a modicum of reliability, and relieve other servers from some of the work. Both of these companies also have products that support RADIUS, but it may take some time for them to be completely integrated with the Windows 2000 environment. The TCM requires a full five days of training; it’s a fairly complicated unit to learn to operate and maintain.
Optimization and Tuning of Remote Access There are some things that you can do to help optimize and tune your remote access servers. Matching up HCL-compliant hardware to your telecommuting servers will go a long way toward providing more foolproof operation. Also, it’s beneficial to you to dedicate computers to the remote access process and not use them in other network processes. Making sure the servers that you configure the services on are themselves HCL-compliant and are well engineered from a hardware perspective will go a long way toward troublefree operation at deployment time. It’s good to create remote access servers that do not participate in the user validation process. In other words, don’t make your RRAS servers the same machines as domain controllers validating regular LAN users. Servers that have to validate users must spend part of their time doing something they don’t need to be doing. You can tune the servers by setting their primary task mode for background operation instead of for foreground operation. You can also make sure that you’ve nullified any IRQ conflicts you might have; that you have the operating system installed on one partition and the data and applications on another; and that the modems or telephony gear you’re using is Windows 2000– compatible, has the latest and greatest software drivers, and has been correctly optimized for your operation. In some cases, modems may need tuning or even BIOS upgrades. On older models, you might wind up having to fiddle around with the dip switches on them to get them just right. Cables running to the modems should be new and high quality. If you’re not sure of the telephony circuits coming into the building, provision new ones on new copper if possible or have a T1 run into the building instead. Keep in mind that telecommunication outfits schedule their work far in advance; you won’t see the crew for a few weeks. Be patient. 
If you go forward with commercial remote access server hardware, make sure that it’s Windows 2000–compatible, including, if possible, Windows 2000 RADIUS compatibility—you want to get away from the device performing RADIUS if you can let Windows 2000 do it instead. You’ll want to get some training on these devices so you know how they perform, how to tweak them, and how to integrate them into your network. Match up the vendor, if possible, to the brand of switch gear and routers that you have. While this isn’t always a hard and fast rule, often the mismatching of vendor hardware can create problems in its own right. By supplying a DHCP relay agent service on the RAS computer, you allow users to receive the full extent of DHCP-supplied configuration information. Without the relay agent, the users get only the IP address and subnet mask that the DHCP server gives out, plus the WINS and DNS entries that were configured for the RAS server. Windows 2000 RAS servers obtain IP leases from the DHCP server in blocks of 10 (actually, it would be 11 if the RAS server were requesting a lease for itself). When a user is done using an IP address, it is released for use by the next user. If all of the IP addresses are used up, the RAS server requests another block of 10.
Integrating Remote Access into a Windows 2000 Environment Windows NT 4 RAS servers will integrate into a Windows 2000 network. Keep in mind that, until they’re converted to Windows 2000, they can’t use AD remote access policies, a shortcoming that you’ll want to rectify in order to get increased security granularity. Upgrading Windows NT 4 RAS servers isn’t quite as easy as it sounds because you not only have the current server configuration to worry about (making sure it can handle the increased requirements of Windows 2000), but you must also make sure that the current communications gear is compatible with Windows 2000 as well. This could be a big challenge. An ISDN internal adapter that has worked well for many years in your Windows NT 4 computer might not even be recognized in Windows 2000! The last thing you want to do is break a working server just because you’re trying to upgrade the NOS. Before integrating RAS into your Windows 2000 environment, design time is the opportune moment to figure out:
Whether to migrate to VPNs
Whether you need dial-up connectivity with other networks
Whether to allow high-speed circuits such as DSL or ISDN into your network
Whether current applications and file connections need addressing
There is a lot of work to do on the upgrade of existing RAS circuits into new Windows 2000 lines. Maybe now is the time to install that hardware VPN you’ve been thinking about for the last year or so. Or perhaps you’ll choose to get rid of the ISDN line you’ve been working with in favor of a much faster DSL circuit to your ISP. You might choose to integrate some terminal services for application serving, independent of your conventional RAS services. And you might even decide to augment your current RAS offerings with more servers, faster modems, improved connectivity, high-speed offerings to remote users with non-asynchronous connections, and more secure credentials checking. You might even entertain the thought of using smart cards and EAP-TLS for access from laptops that you check out and send home with certain users.
Designing a RADIUS Implementation
Remote Authentication Dial-In User Service (RADIUS) is not a new feature in the RAS world, but it is a new feature to Microsoft’s RRAS implementation. RADIUS is designed to provide a centralized authentication and accounting service for RAS servers on your network.
Microsoft Exam Objective
Design an implementation strategy for dial-up remote access.
Design a remote access solution that uses Routing and Remote Access.
Integrate authentication with Remote Authentication Dial-In User Service (RADIUS).
RADIUS is a client/server protocol that insists on a RADIUS client connecting to a RADIUS server in order to provide remote access services. In the Windows 2000 world, the RADIUS client isn’t actually the RAS client; it’s the RAS server. And the RADIUS server isn’t the RAS server; it’s a server running the Internet Authentication Service (IAS) service. Table 15.1 shows the layout for a typical RADIUS arrangement.
TABLE 15.1 The RADIUS Client/Server Model

RADIUS    Server Type    OS/Platform
Client    RRAS Server    Multiple platforms supported
Server    IAS Server     Windows 2000 Server
The basic concept here is that you have one server doing the remote access functions—answering the modems, connecting the users—and a second one actually authenticating the users. There are a variety of uses for such a setup:
You’ve outsourced your remote access services, but you want to authenticate users from within your location.
You have a remote access server on the DMZ, but you want to authenticate from within the private network.
Your servers are separated by geographic distances.
The client and server components need to be on different platforms and different operating system architectures.
You want to encrypt your RAS connections at authentication time using either IPSec or MPPE tunnels.
You have multiple RAS servers, but you want all authentication to be handled from a centralized server.
You’ll find that RADIUS usually makes sense for corporate entities that are getting into the business of being ISPs, whether that means hosting extranet sites for corporate users or becoming a full-blown ISP. Regular corporations with a telecommuting need and no heavy-duty Internet activities might not need to go down this road.
Assessing Correct Remote Access Client Needs in a RADIUS Environment Think about the Level3 example. You’re an NSP that’s supposed to provide connectivity to a huge variety of users. What kinds of clients might you expect? Well, you’ll certainly have operating system issues; you’ll want to accommodate customers with Macintosh, Linux, Windows 3x, 9x, NT, or 2000, and possibly even OS/2. There are even stranger operating systems out there that somebody might try to connect with—BeOS or even NeXT, for example. These disparate operating system types can mean at least one big problem for you: protocols. Some users will have the IPX/SPX protocol because they’re connecting from a NetWare network. Others will use TCP/IP, and you can imagine the various protocol “mixes” that you might encounter, such as AppleTalk over TCP/IP. You might want to run the AppleTalk protocol so that you can dial in to a location and remotely administer some Macintosh clients. Supported RADIUS protocols are TCP/IP, IPX/SPX, and AppleTalk. Some of these clients are primitive; others are quite sophisticated. For example, Macintosh clients don’t know anything about the new Windows 2000 MPPE protocol. Older clients might be able to use DES instead. And that brings up the whole issue of authentication. Some users can only authenticate with a clear-text password, others can use CHAP, others MS-CHAP. It’s a big, variety-filled world.
The Reason for NSPs Have you ever wondered how an ISP can have at least one point of presence (POP) in virtually every city in the country? Do they actually fly someone out to each city, rent some office space, and nail up a modem or two that users can connect to when they dial in to the ISP? No, they use a network service provider (NSP). Level3 is an NSP. They provide phone lines to people like America Online. When AOL was getting going, AOL requested a million phone lines from Level3. Lines were installed in 25 cities in about 90 days to get the project done. Level3 is primarily a company that supplies networking infrastructure to ISPs that don’t have the money, time, or resources to put up a national infrastructure. In a case such as this, perhaps Level3 would provide RAS services to a client (which is basically what they’re doing when you dial into a local ISP), and then use RADIUS to pass the authentication that’s necessary to log the user on back to the ISP itself. This way, Level3 is out of the authentication business and the ISP is out of the telephony/infrastructure business. That’s one of the purposes of RADIUS.
Users will want to connect with DSL, ISDN, cable modems, multilink modems, or POTS lines. Some might even want to get in with their broadband Palm VIIs or the equivalent. So, aside from all of the various hardware concerns that an NSP would have, it also has to be concerned about all these clients and their associated needs. Windows 2000 RRAS servers can be authenticated by Active Directory remote access policies in Windows 2000 or even by Windows NT 4 domains. RADIUS provides detailed logging of remote access client activity, including whether the user succeeded or failed in the logon, how long the user was on, and times when the RADIUS server could not validate the client. Windows 2000 RADIUS can integrate with RRAS to supply demand-dial scenarios, and IP filters can be configured to weed out unwanted traffic.
RADIUS is an Internet standard (RFCs 2138 and 2139), so a non-Windows computer, such as a Unix computer or a remote access server device equipped with RADIUS, could work with Windows 2000 RADIUS.
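As an added example that is not from the book, the following Python models the Access-Request/Access-Accept exchange of RFC 2138 between the RRAS server (the RADIUS client) and an IAS-style RADIUS server: the User-Password attribute is hidden with the shared secret and the Request Authenticator, and the Response Authenticator is what the client must check before it trusts an Accept. The shared secret, user database and NAS address are constructed sample values.

```python
"""RFC 2138 RADIUS Access-Request/Access-Accept exchange, modelled in Python.
Added example, not from the book: the RADIUS client is the RRAS server, the
server stands in for IAS, and secret, user database and NAS address are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
SHARED_SECRET = b"example-shared-secret"  # constructed; configured on both sides
USER_DB = {b"alice": b"s3cret-pw"}        # constructed; what IAS would look up

def encode_attrs(attrs):
    """Attributes are Type(1) Length(1, header included) Value triples."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        atype, alen = struct.unpack("!BB", data[i:i + 2])
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2138 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous output block), seeded by the Request Authenticator."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_packet(code, identifier, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body

def parse_packet(packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad packet length")
    return code, identifier, packet[4:20], decode_attrs(packet[20:])

def response_authenticator(code, identifier, attrs_bytes, request_auth, secret):
    """RFC 2138 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()

def client_access_request(identifier, user, password, nas_ip, secret):
    """RRAS (RADIUS client) side: build the Access-Request for a dial-in user."""
    request_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, user),
             (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
             (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return request_auth, build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)

def server_handle(packet, secret):
    """IAS side: recover the password, check it, answer Accept or Reject."""
    code, identifier, request_auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields = dict(attrs)
    password = unhide_password(fields.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = USER_DB.get(fields.get(ATTR_USER_NAME))
    ok = expected is not None and hmac.compare_digest(expected, password)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply, identifier, b"", request_auth, secret)
    return build_packet(reply, identifier, auth, [])

def client_check_reply(reply, request_auth, identifier, secret):
    """Reply code, or None if the reply is not bound to our request by our secret."""
    code, rid, resp_auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, rid, encode_attrs(attrs), request_auth, secret)
    if rid != identifier or not hmac.compare_digest(expected, resp_auth):
        return None
    return code

def exchange(user, password, client_secret=SHARED_SECRET, server_secret=SHARED_SECRET):
    """Full round trip; mismatched secrets show why the authenticator check matters."""
    request_auth, req = client_access_request(7, user, password, "192.0.2.10", client_secret)
    return client_check_reply(server_handle(req, server_secret), request_auth, 7, client_secret)
```

With mismatched secrets the reply fails the authenticator check and is discarded, which is why the secret entered for each RADIUS client must match the one configured on the IAS server.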
Good RADIUS designs will include the following information:
Identity of the connecting remote access clients
Location of the RADIUS clients and servers
Protocols necessary to support in this environment
Authentication schemes supported
Encryption technique
Whether remote access clients will be using a VPN or dial-in connection
The domain that RADIUS will be using to authenticate users—whether you’ll be connecting to a Windows 2000 native mode, mixed mode, Windows NT 4 domain, or domain accessible through a trust relationship (note that domains are called realms in RADIUS dialect)
The number of ports (dial-in or VPN) available for the system
Any restrictions that were set up in the remote access policies
User accounts that will be granted permissions
RADIUS in a Heterogeneous Environment RADIUS goes beyond supporting standard dial-in connections; it has the capability to allow both VPN and dial-in to provide access to the corporate network. There are various ways that you can use a RADIUS methodology. For example, look at Figure 15.4, which illustrates a standard situation where RAS users want to connect to the corporate network via an ISP.
FIGURE 15.4 A basic RADIUS scenario
[Figure: three groups of RAS clients dial in to the ISP; the ISP’s RADIUS server (the client) forwards across the Internet to the corporate RADIUS server on the corporate network]
Three computers act as RAS clients wanting to connect to your corporate network. Perhaps these clients are quite a distance from your corporate location, many states or even countries away. Your firm negotiates a RADIUS connection with the ISP in that area. This RADIUS server is actually a RADIUS client to the Windows 2000 system. Then you set up a RADIUS server at your location and get the connections set such that, when these users connect to the ISP, they’re connected by the RADIUS client, then validation work is passed to your RADIUS server, and finally they’re logged on. In a scenario like this, you can use a VPN connection between the RADIUS client and server or a demand-dial connection (if the RADIUS client supports it).
584
Chapter 15
Designing a Remote Access Solution
Also, you can specify the kind of authentication that you’ll support and the protocols that the users will have to connect with. Now, this configuration seems to violate one basic tenet of RADIUS: You want your RADIUS servers close to the Active Directory servers or NT domain for quick validation. But a VPN (or very fast ISP backbone) would certainly still precipitate fast authentication. It’s interesting here to think about the platforms that could connect. For example, you don’t care if a user wants to connect with an iMac as long as they are a) able to connect using TCP/IP and b) running Dave in order to access NetBIOS shares. As long as they have the credentials necessary to log on, it’s up to the users to find the means to work with the data they need. It’s up to you to make sure the connectivity is in place and that proper security precautions are being taken. A second use for RADIUS technology might be the joining of two different firms together temporarily for the sharing of some work on a project. Let’s say, for example, that you work with the lead American engineer for a huge dam project in China, and that your Chinese counterparts want to be able to share documents with you as the work progresses. Since it’s a long plane flight to China—especially just to drop off some documents—and since most documents today are digital anyway, you could easily set up a RADIUS connection that would satisfy the need. Figure 15.5 illustrates what this layout might look like.
FIGURE 15.5 A possible international RADIUS scenario (diagram: a LAN client on the Chinese network sits behind a corporate RADIUS client, which connects by dial-up VPN to the corporate RADIUS server and a LAN client on the American network)
Figure 15.5 assumes a Windows 2000 server on each network because you’re going to want to use dial-up connections, probably demand-dial. But that doesn’t mean it can’t be done, and between VPN technology, RRAS, and RADIUS, you can indeed make this happen. The VPN tunnel could be composed of either PPTP (including Windows NT 4 PPTP) or L2TP with IPSec. A suitable alternative (on either or both sides of the connection) to this scenario, given hardware or connectivity constraints, would be to outsource the VPN connection and the RADIUS server to an ISP. More complicated, yes, but still certainly doable. What is the one design feature that stands out when you consider these two suggested designs? If you’re saying words like “bandwidth” or “data rate,” you’re right on target! A RADIUS designer should take into consideration the persistence of the RADIUS connections (whether they stay up all the time, time out after a given period of inactivity, or are based strictly on a demand-dial scenario) and the bandwidth that will be required to transfer the requests between the RADIUS client and the RADIUS server. If a remote access client is going to try running an application upon connecting through a set of RADIUS servers, can the network throughput support it? A more basic question is, can a user be authenticated within a reasonable period of time? The persistence question is about saving money; the bandwidth question is about conserving WAN resources.
RADIUS Security Scenarios
A serious security issue exists when discussing RADIUS designs. Instead of having just one server people dial in to, you now have that server and another server that is basically accessible to the world. You have to think about this security before you go charging into the boss’ office with this great new product suggestion.
Remote Access Client Connections
First, think about the connection that the remote access client will use when connecting to the RADIUS client box. What kind of security should be involved there? Suppose, for example, that you’re setting up a solution like the one back in Figure 15.4, but the RADIUS client computer you’re connecting to is a Unix computer, not a Windows 2000 computer. What kind of security will the remote access client have? Chances are the ISP has provided a username and password for this client to authenticate with, so you have the security concerns somewhat covered. It would be great if the Unix computer at least supported CHAP as an authentication method so that you knew for sure the user connecting was really the user who should connect. You might want to think about enabling the strongest authentication possible within non-Windows RADIUS client systems. Such clients also raise an encryption question: Can this host encrypt logons and data from users who request a RADIUS connection? In a Windows 2000 RADIUS environment, these questions are answered for you. For starters, when the Windows 9x, NT, or 2000 remote access client connects to a RADIUS client by PPP (dial-in) or PPTP (VPN), it has the choice of running MPPE or IPSec. MPPE is a strong, new encryption protocol that allows you to set whether you want a 40-bit key (for faster, not as secure performance) or a 128-bit key (slower throughput, much higher security). Remote access clients connecting to Windows 2000 RADIUS clients must be authenticated using MS-CHAP, MS-CHAP v2, or EAP-TLS in order to use MPPE. Consider enabling the strongest authentication possible, MS-CHAP v2, so that you’re sure the user is who he says he is. IPSec uses certificates to validate who a user is and then encrypts the data. IPSec is used with L2TP VPN tunneling. Then there is the concept of a RADIUS secret. The secret is made up of the RADIUS client’s password, combined with a 16-byte random number that is passed through a Message Digest 5 (MD5) hash to produce a 16-byte encryption value. This value is kept with the password that was used by the remote user. You should always use secrets with your RADIUS implementation because they work both with user password encryption and with client-to-server mutual authentication. The ideal RADIUS scenario is a Windows 2000 Professional workstation connecting to a RADIUS client running Windows 2000 Server, which then talks to a Windows 2000 Server RADIUS server, with secrets enabled throughout. Then if the client dials in via PPP, MPPE is being used, secrets are in place, and the data is secure and encrypted through the entire path.
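What the text describes as the secret combined with a 16-byte random number and hashed with MD5 is, in RFC 2865 terms, the hiding of the User-Password attribute: the shared secret is concatenated with the 16-byte Request Authenticator the RADIUS client sends in each Access-Request, run through MD5, and the 16-byte result is XORed with the password. The server’s Access-Accept or Access-Reject carries an MD5 Response Authenticator computed over the reply and the same secret, which is the client-to-server mutual authentication the text refers to. The following Python block is an added example written for this page, not code from the book or from Windows 2000 IAS; the secret, password and authenticator values in it are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample values for this example. A real deployment configures one long,
# random secret identically on the RADIUS client and the RADIUS server.
SHARED_SECRET = b"constructed-example-shared-secret"
SAMPLE_REQUEST_AUTHENTICATOR = bytes(range(16))   # fixed here so the results are reproducible


def new_request_authenticator() -> bytes:
    """A real client puts 16 unpredictable random bytes in every Access-Request."""
    return os.urandom(16)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then XOR each
    16-byte chunk with MD5(secret + request_auth) for the first chunk and with
    MD5(secret + previous_hidden_chunk) for each later chunk."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))
        hidden += chunk
        prev = chunk
    return bytes(hidden)


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The server's side of the same operation. Trailing NUL padding is stripped,
    which is why an RFC 2865 password cannot itself end in a NUL byte."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    clear = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(chunk, b))
        prev = chunk
    return bytes(clear).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    where Length counts the 20-byte header plus the attributes."""
    length = 20 + len(attributes)
    header = bytes([code, identifier]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def reply_is_authentic(code: int, identifier: int, request_auth: bytes,
                       attributes: bytes, secret: bytes, received: bytes) -> bool:
    """Client-side check of a reply: only a server holding the same secret can produce a
    matching Response Authenticator, so a reply from anyone else is rejected here."""
    expected = response_authenticator(code, identifier, request_auth, attributes, secret)
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    ra = new_request_authenticator()
    hidden = hide_password(b"correct horse battery", SHARED_SECRET, ra)
    print("hidden User-Password:", hidden.hex())
    print("recovered by server:", unhide_password(hidden, SHARED_SECRET, ra))
    # Access-Accept is code 2; identifier 7 and no attributes for the sample reply.
    good = response_authenticator(2, 7, ra, b"", SHARED_SECRET)
    mismatched = response_authenticator(2, 7, ra, b"", b"mismatched-secret")
    print("reply from server with the same secret accepted:",
          reply_is_authentic(2, 7, ra, b"", SHARED_SECRET, good))
    print("reply from server with a mismatched secret accepted:",
          reply_is_authentic(2, 7, ra, b"", SHARED_SECRET, mismatched))
```

The design point this makes concrete is that nothing but the secret and the unpredictability of the Request Authenticator stands between the RADIUS client-to-server link and the user’s password, which is why the chapter says to always use secrets and to carry that link over a VPN tunnel when it crosses public wires. The mismatched-secret case is also the most common misconfiguration you will see in IAS logs: the reply is computed correctly by both sides, but with different secrets, and the check fails.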
RADIUS Client to RADIUS Server Connection
Next, you have a connection between two computers, going across the Internet or public wires. How can you make sure that the data gets from point A to B, from RADIUS client to server, and back without some hacker grabbing the data and using it for evil? RADIUS supports three different methods of encrypting and protecting data: PPTP (MPPE), IPSec over L2TP, and certificates.
Government restrictions might make it difficult for you to provide anything other than unencrypted data. Some governments don’t go along with some of the security standards in use elsewhere, and you won’t be able to encrypt the data.
RADIUS Server to Private Network Server Connection
What about that idea of a partner relationship, where you have an engineer from one company dropping documents onto a server in the private domain of your corporate network? In other words, this engineer has ridden a highly secure line from a Windows 2000 Professional workstation through the RADIUS client to the RADIUS server and is now authenticated to your domain. But what control do you have once the user is inside the private network? Now it’s not so much a question of their data being protected as your data being protected from them! Isn’t that a security issue as well? You can control things with NTFS permissions and by restricting the usage to only the RRAS servers through dial-up properties. But this issue potentially creates a serious security hole that you’ll have to make sure is plugged before you finalize the solution. You don’t want engineers dropping off their documents, then probing around other servers to see what they can see!
Remote Access Policies
Probably the most important tools you have available are the remote access policies that you implement in Windows 2000. By setting up robust remote access policies, choosing specific dial-up properties, and specifying that remote access clients be matched up with remote access policies on the RADIUS server (not the client), you can specify how much or how little the user can do on the network. You can control the time of day and day of the week that the user is allowed in. You can specify certain characteristics that pertain to a remote user, things like the phone number and the IP address. A remote access policy will not govern NTFS or share permissions, so proceed cautiously throughout the entire design, making sure that any potential holes are plugged.
Including RADIUS in your remote access planning provides for the centralization of the remote access policies. Without RADIUS, remote access policies are kept locally, not centrally.
You can visit the currently installed remote access policies by going to a Windows 2000 domain controller and clicking Start  Programs  Administrative Tools  Routing and Remote Access. Once inside the RRAS properties window, double-click the Remote Access Policies container to see the policies in place, as illustrated in Figure 15.6. In new installations, there is only one default remote access policy. Right-click it to view the policy’s properties, as illustrated in Figure 15.7.
FIGURE 15.6 The Remote Access Policies window
FIGURE 15.7 The default Remote Access Policy properties sheet
By clicking the Edit Profile button, a window appears that allows you great control over remote access sessions. The Dial-In Constraints tab, illustrated in Figure 15.8, provides you with the ability to disconnect users after a certain idle time, to restrict the days and times they’re allowed on, and, most importantly, to restrict certain connect types from being allowed in. For example, you can restrict faxes from trying to connect to your RAS system. Note that you can have multiple policies defined for each RRAS server. When a client tries to connect to the server, the policies are parsed in order until a firm deny or firm allow is present or until there are no more policies to parse.
FIGURE 15.8 Editing the constraints on your dial-in users
The IP tab allows you to define how the remote access client is going to get its IP address and what kind of IP filtering is going to happen. The Multilink tab allows you to detect multilink clients and either allow or disallow them. Multilink, as you may recall, is an NT (and now 2000) service that allows an NT computer to use multiple modems to create additional bandwidth. The Authentication tab is where you select the kinds of authentication you’re going to allow for this policy. The Encryption tab allows you to select the kinds of encryption you’ll allow over this Windows 2000 RRAS server. By default, all four—No Encryption, Basic, Strong, and Strongest—are checked, meaning that your Macintosh users can get in easily as long as they match certain authentication criteria. Finally, the Advanced tab allows you to specify additional connection attributes that the RRAS server can use. There’s a whole bevy of preconfigured connection attributes at your disposal.
The default authentication protocols are MS-CHAP v2 and MS-CHAP.
Once you’ve written your remote access policies, simply go to Active Directory Users and Computers, double-click a user, click the Dial-In tab, and select the Control Access through Remote Access Policy option.
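Taken together, the policy-order rule, the profile tabs and the account’s Dial-In setting form a small decision procedure. The Python block below is an added example for this page, a hypothetical model of that procedure and not Microsoft’s code: it walks an ordered list of policies, lets the first one whose conditions match decide together with the account’s Allow/Deny/Control-through-policy setting, then applies the profile’s Dial-In Constraints, Authentication and Encryption settings, choosing the strongest authentication method both sides allow in the order the chapter’s Exam Essentials give. The policy names, users, groups and times are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Optional, Tuple

# Authentication methods ordered strongest first, as the chapter's Exam Essentials list them.
AUTH_ORDER = ["EAP-TLS", "MS-CHAP v2", "MS-CHAP", "CHAP", "SPAP", "PAP", "Unauthenticated"]
# The four boxes on the profile's Encryption tab, all checked by default.
ALL_ENCRYPTION = frozenset({"No Encryption", "Basic", "Strong", "Strongest"})


@dataclass(frozen=True)
class Request:
    """One connection attempt as the RRAS/IAS server sees it (constructed sample data)."""
    user: str
    groups: FrozenSet[str]
    conn_type: str                 # "dial-in", "VPN", "fax", ...
    when: datetime
    offered_auth: FrozenSet[str]   # methods the client is able to use
    encryption: str                # level the client negotiated


@dataclass(frozen=True)
class Policy:
    """A remote access policy: conditions plus the profile from the Edit Profile tabs.
    This is a hypothetical model of the dialog, not the server's own data structure."""
    name: str
    grant: bool                                       # Grant/Deny remote access permission
    groups: Optional[FrozenSet[str]] = None           # condition: member of any listed group
    conn_types: Optional[FrozenSet[str]] = None       # Dial-In Constraints: allowed connect types
    weekdays: Optional[FrozenSet[int]] = None         # Dial-In Constraints: 0=Mon .. 6=Sun
    hours: Optional[Tuple[int, int]] = None           # Dial-In Constraints: start hour, end hour (excl.)
    allowed_auth: FrozenSet[str] = frozenset({"MS-CHAP v2", "MS-CHAP"})   # Authentication tab default
    allowed_encryption: FrozenSet[str] = ALL_ENCRYPTION                   # Encryption tab default


def matches(policy: Policy, req: Request) -> bool:
    """All of a policy's conditions must hold; an unset condition matches anything."""
    if policy.groups is not None and not (policy.groups & req.groups):
        return False
    if policy.conn_types is not None and req.conn_type not in policy.conn_types:
        return False
    if policy.weekdays is not None and req.when.weekday() not in policy.weekdays:
        return False
    if policy.hours is not None and not (policy.hours[0] <= req.when.hour < policy.hours[1]):
        return False
    return True


def evaluate(policies, req: Request, dial_in: str):
    """Walk the policies in order; the first whose conditions match decides, combined with the
    account's Dial-In tab setting: "allow", "deny" or "policy" (Control Access through Remote
    Access Policy). Returns (decision, reason, negotiated authentication method)."""
    for policy in policies:
        if not matches(policy, req):
            continue
        if dial_in == "deny":
            return ("deny", "account dial-in permission is Deny access", None)
        if dial_in == "policy" and not policy.grant:
            return ("deny", f"policy '{policy.name}' denies access", None)
        # Profile constraints: pick the strongest method both the policy and the client allow.
        common = [m for m in AUTH_ORDER if m in policy.allowed_auth and m in req.offered_auth]
        if not common:
            return ("deny", f"no authentication method in common under '{policy.name}'", None)
        if req.encryption not in policy.allowed_encryption:
            return ("deny", f"encryption level '{req.encryption}' not allowed by '{policy.name}'", None)
        return ("allow", policy.name, common[0])
    return ("deny", "no remote access policy matched", None)


# Constructed sample configuration. Order matters: the telecommuter policy is evaluated first;
# the second entry models the single default policy a new installation starts with.
POLICIES = [
    Policy(name="Telecommuters - VPN, business hours", grant=True,
           groups=frozenset({"Telecommuters"}), conn_types=frozenset({"VPN"}),
           weekdays=frozenset(range(5)), hours=(7, 19),
           allowed_auth=frozenset({"EAP-TLS", "MS-CHAP v2"}),
           allowed_encryption=frozenset({"Strong", "Strongest"})),
    Policy(name="Allow access if dial-in permission is enabled", grant=False),
]
ACCOUNT_DIAL_IN = {"alice": "policy", "bob": "allow", "mallory": "deny"}   # Dial-In tab per user
SAMPLE_TUESDAY = datetime(2002, 6, 11, 10, 30)   # a Tuesday morning (constructed)
SAMPLE_SUNDAY = datetime(2002, 6, 9, 10, 30)     # the Sunday before it (constructed)


def decide(user, groups, conn_type, when, offered_auth, encryption):
    req = Request(user, frozenset(groups), conn_type, when, frozenset(offered_auth), encryption)
    return evaluate(POLICIES, req, ACCOUNT_DIAL_IN.get(user, "deny"))


if __name__ == "__main__":
    print(decide("alice", {"Telecommuters"}, "VPN", SAMPLE_TUESDAY, {"MS-CHAP v2", "MS-CHAP"}, "Strong"))
    print(decide("alice", {"Telecommuters"}, "VPN", SAMPLE_SUNDAY, {"MS-CHAP v2"}, "Strong"))
    print(decide("alice", {"Telecommuters"}, "VPN", SAMPLE_TUESDAY, {"PAP"}, "Strong"))
    print(decide("bob", {"Sales"}, "dial-in", SAMPLE_TUESDAY, {"MS-CHAP"}, "No Encryption"))
    print(decide("mallory", {"Telecommuters"}, "VPN", SAMPLE_TUESDAY, {"EAP-TLS"}, "Strongest"))
```

Running it shows why policy order and the default policy matter: a telecommuter connecting on a Sunday falls through to the default policy, which denies unless the account itself says Allow access, and a client that can only offer PAP is rejected even though its account and policy would otherwise admit it. NTFS and share permissions are, as the chapter says, outside this evaluation entirely.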
RADIUS Servers Inside Screened Subnets (DMZs)
Suppose you want to customize your setup just a bit further by putting the RADIUS server on the DMZ rather than inside your corporate private network. What does that mean in terms of added steps? First, RADIUS clients cannot and should not be placed within the DMZ. Your RADIUS server, on the other hand, being inside the DMZ means that you’ll want to connect the RADIUS server to the RADIUS client with a VPN tunnel. L2TP with IPSec is a good choice if you’re dealing with Windows 2000 computers—for the most security. You now have this piece covered. Next, you (actually, your internetworking experts) either poke a hole in the firewall to allow connectivity between the RADIUS server and the internal network or set up a VPN between the RADIUS server and the internal network. The RADIUS server would be a member server, not a domain controller, so when authentication is requested from a remote access client traveling through this pipe, it would be forwarded to an internal domain controller, validated, and then sent back to the RADIUS server and hence back to the client. This model is very secure because you don’t expose user accounts or remote access policies to the outside world and everything is done through VPN tunnels, making them encrypted and highly authenticated.
High Availability Scenarios
You can take several steps to build fault tolerance and redundancy into your RADIUS configuration. You start with the standard redundancy technique: Provide two or more duplicate servers for each phase of the RADIUS design.
This means you’ll have two or more RADIUS clients and two or more RADIUS servers, both comparably equipped. It goes without saying that these computers should have their configurations on RAID5 arrays for maximum fault tolerance. You can implement Cluster Server with such a setup so that if one computer fails (i.e., the motherboard dies or two or more drives fail), the whole system will failover to the other computer. If your goal isn’t to make sure the entire RADIUS scenario is Windows 2000– based, you might consider outsourcing your VPN tunnels to a carrier. In that case, you’ll want to know what sorts of authentication and encryption techniques are being used and what guarantees you’ll be provided by the carrier. Also, investigate how well a carrier’s VPN solution will cooperate with your Windows 2000 network. Carrier-based VPNs will provide redundancy and fault tolerance, but will they be able to provide the kind of security you’re looking for?
Optimization and Tuning of RADIUS
When you consider the optimization and tuning of RADIUS installations, you need to think about three different regions of your network. First, consider your RADIUS client and server environment. If you have a large number of remote access clients trying to access the RADIUS clients, you’re likely to have a bottleneck. The cure for this is obvious: hook up more RADIUS clients. It could also be that the number of RADIUS client servers is adequate for the number of remote access clients, but the client servers themselves are weak and under-engineered. You can cure this problem by either beefing up the hardware or replacing the servers with higher performance computers. Second, you can also tune RADIUS clients by adding additional modems. If a remote access client gets a busy signal half of the time it tries to connect, you need more phone lines. Obtain a set of phone numbers from your telephony folks and have them make this set of numbers a hunt group—that is, clients dial one number but can be connected to any one of the numbers in the group. Next, set up a multiport serial adapter with some intelligence built in and hook up your modems to this adapter, then hook the phone lines to the modems. You now have an interface directly connected to your computer that handles the modems and offloads the computer’s processor from having to do this work. A hunt group is handy because your users only have to remember one number and any of the modems in the hunt group can answer.
Third, you can add additional RADIUS servers for improved authentication. Or, optionally, you can upgrade the hardware or replace a RADIUS server if it is adequately addressing the needs of the RADIUS clients, but just not doing it quickly enough. Note that there’s little you can do about remote clients trying to access the system, but you’ll be driven crazy trying to troubleshoot their problems. For example, hotels are notorious for bad telephone connections to RAS servers. But if your traveling salespeople can’t connect to you, they are likely going to blame your RADIUS setup. It’s a very difficult problem to fix. Make sure that remote access clients are up on the latest and greatest version of Dial-Up Networking (DUN) and that they have the modem and DUN settings optimally configured. Some shops actually publish papers on how to correctly set up a RAS (or RADIUS in this case) connection for remote users to be able to successfully connect.
Windows 95 with the DUN 1.3 Performance and Security upgrade can use MS-CHAP v2 only as a VPN connection into Windows 2000 servers, not as a dial-in client.
Integrating RADIUS into a Windows 2000 Environment
Coming into a Windows 2000 environment with a legacy RADIUS installation might take some thought and work to accomplish. For example, 3Com Total Control Modules (TCM) support RADIUS. In fact, a TCM box is basically an NT 4 computer with one or many modem modules and a HiPer ARC router module added as well. The RADIUS service runs within the NT services on the TCM box and is stoppable. How well this device will integrate with your Windows 2000 RADIUS installation remains to be seen. The point is, if you have this problem, you’ll have to investigate and get it settled in your mind—get a design down on paper—before proceeding into the RADIUS deployment. Good designers play with a test version of a VPN using RADIUS, getting it up, running, and tweaked; then, once a certain comfort level has been reached with the VPN, they go forward and build the RADIUS installation. This can be a fairly complex setup, so make sure you know what you are doing. Remote access clients using older operating systems should not have too many problems connecting to a RADIUS client unless there’s a configuration issue on your part. If a remote access client has been connecting with older RAS systems, the implication is that the client software is OK and doesn’t need to be checked; a new problem must be something on your side.
Summary
This chapter has been about Routing and Remote Access Services (RRAS). The chapter was divided into two halves: configuring RRAS itself and configuring a subspecialty of RRAS called RADIUS. RRAS allows users on conventional telephony circuits, such as asynchronous telephone (POTS) lines, BRI ISDN, X.25 PAD, or direct-dial circuits, to call and connect to a server you have running the correct RRAS services. RRAS allows you three types of connectivity:
Server-to-server
Dial-in, where you’re allowing users to phone in to your server
Demand-dial, where a few users are sharing a single phone line (as in a SOHO environment)
In each of these settings, you have the choice of configuring a regular dial-type connection or a VPN. You start by provisioning the circuits you’re going to need for your RRAS setup. If you need phone lines, you can provision individual lines, or you can obtain T1 lines, which contain 24 phone channels. T1 circuits require special gear for the servers. If you’re using BRI ISDN, it follows that you’ll have to have either an ISDN router, a circuit card, or a modem for ISDN connectivity. The same is true for X.25. Your carrier provides these circuits, although some larger installations might have full-time telephony groups that handle this provisioning for you instead of the telephone company. Next, you configure the servers that are going to act as RRAS servers. You must also select the type of authentication you’re going to require of users trying to connect to you, the protocols you’ll allow, and the type of encryption that you might offer for added security. Supported authentication types include EAP-TLS, MS-CHAP v2, MS-CHAP, CHAP, SPAP, and PAP. An authentication method simply describes how the RAS server is going to make sure that you are who you say you are before you connect. You can enable encryption, which is supported by MS-CHAP, MS-CHAP v2, and EAP-TLS, but isn’t enabled by default. Authentication and encryption methods (or rather, the lack thereof) don’t imply that anyone who wants to can dial in to the network. They must still have a user account on the network you’re connecting to, and they have to validate through the servers. RRAS supports four different protocols: IPX/SPX (in the form of NWLink), TCP/IP, NetBEUI, and AppleTalk. Macintosh users might be better off connecting with TCP/IP and using a third-party product called Dave to emulate NetBIOS. Remote Access Dial-In User Service (RADIUS) is a “new/old” technology. It’s new to Windows, but old to the remote access business. The basic concept is that the connection component is separate from the authentication component. There are usually three (or more) computers involved in a RADIUS setup: the remote access client (the one actually dialing into the system), the RADIUS client (the server that’s handling the client connection), and the RADIUS server (the server that’s authenticating the client). There are lots of good reasons to have a RADIUS setup; the most common reason is geographic separation of the user base and the servers. RADIUS uses the same protocols, authentication techniques, and encryption as regular RRAS does. You can leverage the security of RADIUS services by using VPNs instead of conventional RAS circuits, in which case the data is encrypted and the tunnel is secure. User passwords are encrypted using RADIUS secrets, a combination of the user’s password and a 16-bit random number that has been run through the MD5 digest to create a uniquely encrypted password. Tuning and optimization of RRAS or RADIUS servers typically involves adding more phone lines, upgrading server gear, or replacing the servers altogether with servers that have updated performance characteristics.
Exam Essentials
Understand how Routing and Remote Access Service (RRAS) works. Users will dial in to servers set up with the RRAS service and be able to access network resources that they have permissions to. There are a variety of RRAS options, including deciding who can dial in and what network protocols, authentication protocols, and security protocols will be used.
Know how RRAS integrates with RADIUS. RADIUS is implemented as part of Microsoft’s Internet Authentication Service (IAS) product. RADIUS provides a centralized base for accounting and authorization if you have multiple RRAS servers.
Know the RRAS authentication methods. In order from most secure to least, the RRAS authentication methods are EAP, MS-CHAP v2, MS-CHAP, CHAP, SPAP, PAP, and unauthenticated access.
Know which operating systems can use which authentication methods. Windows 2000 can use all RRAS authentication methods. However, downlevel Microsoft clients are not able to use anything more secure than MS-CHAP. Non-Microsoft clients will most likely have to use CHAP, SPAP, or PAP. Since EAP is an industry standard, some non-Microsoft implementations do support it. For test purposes, if the non-Microsoft client can support EAP, you will be made aware of the capability.
Key Terms
The computer/telephony business is a fascinating one, with its own huge set of acronyms and terms to learn. Here are but a few that you’ll hear as you work with this fascinating line of computer technology. Be certain you are familiar with these terms for the exam:
aggregate bandwidth
Basic Rate Interface (BRI)
carrier
d-mark
Dial-Up Networking (DUN)
Microsoft Point-to-Point Encryption (MPPE)
plain old telephone service (POTS)
provisioning
public switched telephone network (PSTN)
screened subnet
Review Questions
1. You are the network administrator for your company. Your newest project is to set up remote access for the company’s traveling sales force. The members of the sales force are all equipped with laptops that have modems and smart-card readers. Security is a major concern for the company’s management, so you need to implement the most stringent security measures available on the RRAS server. Which is the most secure authentication method available for RRAS?
A. MS-CHAP v2
B. L2TP
C. MPPE
D. EAP-TLS
E. SPAP
2. You are the remote access administrator for your company. Recently, network performance has been sluggish, and the network managers have asked you to investigate how much bandwidth is being consumed by remote users. You are going to look for aggregate bandwidth. What should you look for? Choose all that apply.
A. The total of all connected computers’ uploads
B. The total of all connected computers’ downloads
C. The total of all connected computers’ broadcasts
D. The total of all connected computers’ times to authenticate
3. You are the remote access administrator for your company. To increase security over your remote users, you decide to implement remote access policies. For what types of remote access installations can you create remote access policies?
A. Native-mode AD only
B. Native-mode and mixed-mode AD only
C. Native-mode AD, mixed-mode AD, and Windows NT 4
D. Native-mode AD, mixed-mode AD, Windows NT 4, and NetWare 4.x or higher
4. You are the network administrator for a local insurance firm. The associates often work from home in order to save costs on business space. The users would like to be able to connect to the network at a higher transmission rate than what is currently available. When would you possibly be required to supply more than one phone line per remote access client?
A. When a remote access client has multiple locations it might dial from
B. When a remote access client has two different types of phone service (e.g., ISDN and POTS)
C. When a remote access client needs to connect to two different networks
D. When a remote access client is trying to use multilink
5. You are the network administrator for a small training firm. Your network is a Windows 2000 domain running in native mode. You have two domain controllers running an Active Directory-integrated DNS zone, a DHCP server, and an RRAS server. You have purposely engineered your DHCP scope to have ample addresses for all clients on the network. When RRAS obtains a block of IP addresses from a DHCP server for use with dial-in clients, how many does it obtain?
A. 5
B. 10
C. 15
D. 20
6. You are a network administrator for a local advertising firm. They want to ensure that all data is encrypted when users dial in to the network from remote locations. You decide to use MPPE as the security protocol. Why might you choose MPPE as your encryption method?
A. No other encryption method exists.
B. You’re using “no authentication” as your authentication choice.
C. There are Macintosh computers connecting to the network.
D. There is no CA server available.
7. You are the remote access administrator for a regional supply company. You have two locations separated by three counties. You currently have one RRAS server running and clients from both locations dialing in to it. Clients dialing in from the other location use a toll-free number to access your RRAS server. What’s the best way to provide fault tolerance to this scenario?
A. Provide a second RRAS server in the other location.
B. Set up a second RRAS server in the original location.
C. Increase the number of phone lines in the RRAS server.
D. Add a second toll-free number.
8. You are the remote access administrator for your company. One of your users, Irma, is trying to connect to your RRAS server using a Windows 95 DUN 1.3 client. Everything in her DUN settings seems to be OK, but she still cannot connect. Your server settings appear to be fine, with MPPE encryption, MS-CHAP v2 authentication, and TCP/IP as your protocol. You’ve confirmed that Irma is a valid dial-in user in your Windows 2000 mixed-mode environment. What could be the problem?
A. Irma needs to upgrade to DUN 1.4 for Windows 2000 server support.
B. MS-CHAP v2 cannot be used by Windows 95 clients in dial-in mode.
C. Windows 95 clients cannot use MPPE.
D. Irma’s computer is set for NetBEUI, not TCP/IP.
9. You are the remote access administrator for your company. You have been using Windows NT 4 RAS for some time and are now upgrading to Windows 2000 RRAS. As part of your upgrade, you are installing a RADIUS server. What benefits will you derive from installing the RADIUS server? Choose all that apply.
A. Provides a single source of authentication and encryption.
B. Allows you to view all remote access success or failure logs and administer remote access policies from one single point.
C. Adds a second layer of security because it integrates with AD.
D. Prevents users from authenticating to another domain.
10. You are the remote access administrator for a regional department store chain. The owners have decided to allow administrative and support users to telecommute. It has been delegated to you to control the users’ access and secure the remote access for those users. What are some of the things that you can manage with remote access policies? Select four answers.
A. Domain the user is a member of
B. Time of day and days of the week the user is allowed to connect
C. Group the user belongs to
D. Type of connection being requested (dial-in or VPN)
E. Servers the user is allowed to connect to
F. Logon script the user is going to run
G. Authentication and encryption protocols the user is going to use
Answers to Review Questions
1. D. EAP-TLS is the most secure method, and it’s designed to work with smart cards. If you don’t have a smart card, you can’t use EAP-TLS at this time. MS-CHAP v2 is also highly secure, but not as secure as EAP. L2TP is a tunneling protocol, not an authentication method, and MPPE is an encryption protocol.
2. A, B. While aggregate bandwidth may not be a formal term, it’s certainly a useful one to remember. The concept you’re interested in is how much bandwidth remote access users are using by either uploading or downloading information to or from the network. It can have a serious impact on performance, especially on under-engineered infrastructures.
3. B. Remote access policies are a part of Windows 2000 Routing and Remote Access Service (RRAS) and can be used in native-mode and mixed-mode environments. Windows 2000 RRAS policies can also be implemented on a RADIUS server. If you have multiple RRAS servers, it’s convenient to use remote access policies with RADIUS because you can use a single MMC to monitor and adjust all policies on all RRAS servers. In large networks, this is a useful feature to have at your disposal. Windows NT RAS servers cannot use Windows 2000 remote access policies.
4. D. Multilink is a Windows NT 4 and 2000 feature that allows you to take several phone lines and call out over them so that they appear as one big piece of bandwidth. Windows 2000 RRAS supports multilink clients, but this implies that the client is going to use more phone lines than regular clients and that you’ll have to provide for that kind of capacity.
5. B. The RRAS server obtains an initial block of 10 numbers from the DHCP server. When they’re all used up, it obtains 10 more. The good news is that when a client relinquishes its IP address, it returns to the RRAS “stock.”
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com
Answers to Review Questions
601
6. D. L2TP, the other encryption protocol choice, works only with
VPNs and requires a certification authority (CA) server to be available. Thus, if you want to enable encryption without a CA server, MPPE is your only choice. 7. A. Adding a second RRAS server in the other location does two
things for you: It provides a fault-tolerant methodology for your dialup clients, and it allows you to curtail some of the usage of the toll-free line. These numbers are expensive because you’re picking up the freight for users that use them. That being said, a good fault-tolerance feature with twin RRAS servers would be to have a toll-free number for each server in case one was down. 8. B. When using MS-CHAP v2 as the authentication protocol, users
with Windows 95 and the DUN 1.3 Security and Performance upgrade cannot access Windows 2000 servers in dial-in mode; they can only access Windows 2000 servers via a VPN. 9. A, B. RADIUS is the only way you can centralize the management of
all of your remote access policies and be able to view the success or failure logs for your various dial-in clients. It also provides a centralized authentication source if you are using multiple RRAS servers. 10. B, C, D, G. Remote access policies provide a great deal of granularity
in the control you have over remote access users. You can control the time of day and the days of the week that they connect, the group to which they belong, the type of connection they’ll use, and the authentication and encryption protocols they’re to use when they dial in.
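Answers 3 and 9 lean on RADIUS to centralize policy and logging, so the link between an RRAS server (the RADIUS client) and the RADIUS server is worth understanding at packet level. The following is an added example, not code from the book or from Windows, that builds the two parts of a RADIUS exchange that depend on the shared secret: the User-Password hiding in an Access-Request and the Response Authenticator on the reply (RFC 2865 sections 3 and 5.2). The user name, password, shared secret and the allowed-credentials table are constructed for the example.

```python
import hashlib
import os
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_PORT_TYPE = 61


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block), the first block keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: regenerate the same keystream, then strip the zero padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # NAS-Port-Type 5 = Virtual, i.e. a VPN port on the RRAS server (constructed choice)
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", 5)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attrs(packet: bytes) -> dict:
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_reply(code: int, request: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)   # no reply attributes in this example
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    expected = hashlib.md5(reply[:4] + request[4:20] + secret).digest()
    return reply[1] == request[1] and reply[4:20] == expected


def radius_exchange(username: bytes, password: bytes, client_secret: bytes, server_secret: bytes, allowed: set) -> tuple:
    """RRAS (RADIUS client) sends an Access-Request; the RADIUS server answers.
    Returns (password as the server recovered it, client trusts the reply, reply code)."""
    req_auth = os.urandom(16)                     # must be unpredictable: it keys the hiding
    request = build_access_request(7, username, password, client_secret, req_auth)
    seen = reveal_password(parse_attrs(request)[ATTR_USER_PASSWORD], server_secret, req_auth)
    code = ACCESS_ACCEPT if (parse_attrs(request)[ATTR_USER_NAME], seen) in allowed else ACCESS_REJECT
    reply = build_reply(code, request, server_secret)
    return seen, verify_reply(reply, request, client_secret), code


# Constructed sample data
ALLOWED = {(b"jdoe", b"correct horse")}
SECRET = b"s3cr3t-shared-with-denver"

if __name__ == "__main__":
    print(radius_exchange(b"jdoe", b"correct horse", SECRET, SECRET, ALLOWED))   # accept
    print(radius_exchange(b"jdoe", b"correct horse", SECRET, b"wrong", ALLOWED)) # garbage password, reject, unverifiable reply
```

The point for the design: everything protecting that request is MD5 keyed on the shared secret plus a 16-byte random Request Authenticator, and the Response Authenticator is all the RRAS server has to trust an Access-Accept. A guessable secret or a sniffable RRAS-to-RADIUS path exposes every dial-in password, which is a good reason to keep that traffic on a protected path, as the case study does by tunneling its remote RADIUS clients over VPN.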
Implementing RRAS and RADIUS in a New Network
You should give yourself 10 minutes to review this case study, diagram as needed, and complete the questions for this testlet.
Background Overview
You’ve been hired as a consultant and project manager to work for a large securities business: Crosby, Stills, Nash, Young, Pierce, Sacco, and Vanzetti (their motto being “Where the only bad stock is a Woodstock”). CSNYPSV is migrating its users from an older Novell NetWare 4.x and NT 4 shop to Windows 2000 native mode. All of the server and enterprise application conversion work is done, and users are now logging into the new network—things are working just fine. But one of the things that CSNYPSV has wanted and never had is a rock’n’roll RAS system. You’re the one who’s been hired to design and implement this new system. You’re starting from scratch with no previous environment to maintain or upgrade. The person you’re reporting to, the CIO, has some very definite ideas in mind.
CIO “We’ve gotten a clear indication from our sales and marketing people that we need a dynamic, 24×7 dial-in presence in every one of our major locations. I’ll provide you with a table of those locations where we need a presence.”
Current System Overview
The company has many offices all over the globe. The following table lists the locations where you’ve been asked to get a dial-up system working:
Domestic Locations
Detroit: 300 users
Sacramento: 200 users
Chicago: 200 users
Washington D.C.: 100 users
Atlanta: 100 users
Baltimore: 50 users
New York: 250 users
Los Angeles: 250 users
Seattle: 100 users
Denver: 450 users
Dallas: 150 users
Miami: 50 users
Las Vegas: 50 users
Philadelphia: 150 users
Boston: 200 users

International Locations
Toronto: 200 users
Winnipeg: 50 users
Ottawa: 50 users
London: 150 users
Singapore: 50 users
Madrid: 50 users
Johannesburg: 100 users
Tokyo: 150 users
Munich: 100 users
Moscow: 50 users
Rio de Janeiro: 150 users
Sydney: 150 users

There will be more to follow. You ask the CIO about the telephony presence that the company has in each of these locations.
CIO “We have a telephony department that handles all of our telephone and other special carrier-based circuits. We install and maintain our own automatic call-answering devices (ACDs), PBXs, and IVR and computer-telephony integration (CTI) gear, so I think that our manager of telephony can give you a pretty good idea about what you need to do.”
Manager of Telephony “As a general rule, you’ll find that the Internet and ISPs are not as high-growth in Europe as they are here in America because every local call is a tariff call there. On the other hand, we find that Europe is a very good place to provide ISDN services; ditto for Asia. Europeans have been familiar with ISDN for a long time now, and we can provision ISDN circuits right away. Our methodology has been to provide a key telephone system in each of the remote offices to the HQ here in Denver. We provision as many trunk lines as we need at a given location, then put up either an ACD or a key system. Our users seem to be happy. We don’t currently support ADSL, but we’re planning on doing some of that kind of support in the very near future. Because we’re a large customer with our carrier, we can pretty much provision a circuit for you within 90 days lead time.”
The WAN circuits are all high quality—a minimum of 128K to each location, most with far more, and an average committed information rate of about 70% of the circuit’s width. All locations are connected and all locations can talk to each other. The e-mail system is an Exchange system with several different locations set up in it. There are two of what the telephony people call “Internet points of presence” with this company, one in the Denver HQ and one in the Tokyo office. (What they mean by “Internet points of presence” is that these locations are where the company has a connection to an ISP.) The company lives and breathes by the Internet, and they have redundant ISPs for the purpose of maintaining the company’s web presence at all times. Web servers are kept in a corporate DMZ with Proxy Servers and PIX firewalls.
Problem Statement
The biggest problem you face is the correct placement of RRAS servers versus RADIUS clients and servers. Because of the diverse telephony mixture involved with this network, you’re going to have to come up with a combination of services in order to adequately serve the clientele. For example, this company uses an enterprise fax system that allows salespersons to call a number and download faxes they’ve received to their local mailbox. The company has a robust e-mail system that users would like to be able to use after hours and offsite. There are a variety of uses that this company has in mind for remote telecommuters.
Envisioned System Overview
You envision a system where users have a local number they can call for remote access to the network and a toll-free number they can call if the local number isn’t available for some reason. The clients, all Windows 98 or later, will use a standard DUN client to access the RRAS and RADIUS systems. You will implement the MS-CHAP v2 authentication protocol, with MPPE encrypting the dial-in sessions and L2TP over IPSec protecting the VPN sessions.
Wherever you have an office of 50 or fewer users or where a cheap connection to an ISP is available, you’ll use a RADIUS implementation with VPN tunneling back to the main RADIUS server location in Denver. With offices of more than 50 users, you may use a local RRAS server instead.
CIO “I like the split at 50 users or less. That methodology would apply to many of our smaller, multinational offices.”
Security Overview
Since this is a securities firm that is closely watched by the SEC, it is paramount that security be absolutely the topmost priority when implementing this configuration.
CIO “I cannot stress enough to you how important the data is that will be coming over these wires. We would not have done this implementation prior to Windows 2000, just because the security wasn’t robust enough for us at the time. One thing I am worried about is the lack of 56- or 128-bit encryption for our multinational sites.”
Security Admins “We will institute a checklist that a user has to fill out and have authorized by his or her manager before we’ll authorize any remote access. What guarantees can you make to us that we will not be hacked into?”
Availability
Because of the international nature of this system, it must be available 24×7×365. Your CIO emphasizes, “The first time that a trader in Munich—one with a huge lead to give us—tries to RAS in and cannot connect will be your last day here and a day that I’ll spend getting screamed at by the boss!”
Maintainability
Ideally, the Denver admins should be the first line of administrative defense with the system, but local admins should also understand and be able to maintain the system.
Performance
Performance isn’t as big an issue because of the high-quality WAN circuits. The CIO says, “If you need to upgrade the circuit speed, now is the time!”
Funding
The first thing you were required to do when you were retained for this position was to come up with a complete funding picture. Senior management has already bought off (no pun intended) on the funding proposal. The CIO tells you, “The funding’s approved, but if you run into any snafus where you need more than what you’ve projected, let me know as quickly as possible.”
Questions
1. You start with a few of the cities, as shown in the following graphic. Place equipment “on site” as needed, then connect the appropriate RADIUS and RRAS links according to the envisioned system.
[Graphic: sites Las Vegas, Denver (Internet POP), Dallas, Toronto, London, Tokyo (Internet POP), and Singapore; equipment to place: Proxy Server, RADIUS server, RRAS server; connection types: Dial-In, On Site, RRAS, VPN with RADIUS]
2. Which authentication protocol or protocols will you use in this implementation?
A. MS-CHAP
B. MS-CHAP v2
C. CHAP
D. EAP-TLS
3. What will be your encryption protocol or protocols? Choose all that apply.
A. MD5
B. MPPE
C. L2TP
D. PPP
4. How many servers are required for RRAS and for RADIUS, not counting any redundancy?
A. 9 RADIUS clients, 1 RADIUS server, and 17 RRAS servers
B. 9 RRAS servers, 1 RADIUS client, and 17 RADIUS servers
C. 9 RADIUS servers, 1 RADIUS client, and 17 RRAS servers
D. 26 RRAS servers
5. Looking at the following chart, choose tasks as needed from the right column and place them in the left column so that you come up with a completed RRAS/RADIUS installation.
Task Categories: RADIUS; RRAS
Tasks: Set up RRAS servers in each location. Provision telephony circuits. Purchase telephony gear for servers. Set up RADIUS server(s) in each location. Set up users for dial-in access. Set up RADIUS client(s) in each location. Establish application and file permissions. Test.
6. What one thing will be required in addition to the RADIUS clients and servers?
A. WINS server
B. DNS server
C. Active Directory
D. Certificate server
Answers
1. [Completed graphic: Las Vegas and Singapore connect by VPN with RADIUS; London, Toronto, Dallas, and Tokyo are On Site RRAS locations with RRAS links to Denver; Denver holds the RADIUS server and the Proxy Server at its Internet POP, and Tokyo is the other Internet POP]
You’re told that any locations with 50 or fewer users connect via VPN. The rest of the locations connect via RRAS directly to Denver. Note that Tokyo, although an Internet POP for the company, doesn’t get involved in the VPN work.
2. B. You’re told that all computers are Windows 98 or better. Therefore MS-CHAP v2 is the best and most secure choice for your implementation.
3. B, C. VPNs will use L2TP with IPSec; regular RRAS users will use MPPE. MD5 is a hashing algorithm (CHAP uses it for its challenge-response), not an encryption protocol, and PPP is the link-layer protocol that the authentication and encryption run on top of.
4. A. The case study said that all locations of 50 or fewer users, and any locations with cheap Internet connections, would use a VPN and RADIUS. Since you know that Tokyo is an ISP hub, you have a total of 9 RADIUS client locations. You can get by (disregarding redundancy) with 1 RADIUS server, and the rest will be RRAS servers.
5. See the following chart:
RADIUS: Provision telephony circuits. Purchase telephony gear for servers. Set up RADIUS server(s) in each location. Set up RADIUS client(s) in each location. Set up users for dial-in access. Establish application and file permissions. Test.
RRAS: Provision telephony circuits. Purchase telephony gear for servers. Set up RRAS servers in each location. Set up users for dial-in access. Establish application and file permissions. Test.
Clearly, there’s a lot more homework to do than this, but the high points of the project are delineated here.
6. D. Because you’re following good Microsoft recommendations, you’re including VPNs with all of your RADIUS clients. L2TP using IPSec requires a CA server to be available for the creation and maintenance of the certificates.
Chapter 16
Planning a Routing and Remote Access Implementation
MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Design a Routing and Remote Access routing solution to connect locations.
Design a demand-dial routing strategy.
In Windows 2000, Microsoft is placing a lot of emphasis on Routing and Remote Access Service (RRAS) and its new capabilities. Remote access has been around, even in the Microsoft camp, for quite some time. However, it seems that the economy is gravitating toward a greater reliance on telecommuting and traveling workers. Taking that into consideration, it makes sense that Microsoft decided to enhance RRAS features for Windows 2000. Consequently, it’s a heavier subject for testing as well. Designing a demand-dial strategy is a test objective unto itself, one that this chapter will address thoroughly.
Using Demand-Dial Routing
You work for a small company, one that can’t afford robust WAN connections. You have two locations but no routers connecting the locations. Frame relay is out of your price range, not to mention a dedicated T1. Because of where your office is located, you can’t even get DSL. You can’t afford the routers or router consultant fees for that matter. But now you need to connect the two offices together. What do you do? This is the problem that demand-dial routing sets out to solve. The concept behind demand-dial routing is that you use Windows 2000 servers to act as routers and set up a dial-up or VPN connection between them. Whenever one of the routers sees packets whose destination is reached through the demand-dial interface (in the simplest setup, any destination not on the local network), it dials up the other router and passes the packets across. There are two ways that you can leverage demand-dial routing:
Create connectivity by having two Windows 2000 routers dial one another.
Increase fault tolerance for your current routing scenarios.
Reduced Corporate Leased Line Expenses
Demand-dial routing can help cut corporate leased line (frame relay, X.25, or ISDN circuits) expenses. Suppose, for example, you have a 256Kbps frame relay connection between Boston and Chicago. You’re probably paying several hundred dollars a month for that connection—not to mention the time it took to set up the connection, the router configurations involved, and the maintenance and upkeep cost of retaining an internetworking specialist who can work on the routers when there’s a problem. In a large corporate environment, these arrangements may be no big deal, and if a router fails, you can often go right to a supply cabinet and get a spare. But in a small company, such a setup is costly and troublesome, and it’s unlikely that you’ll have an unused router sitting around.
Known Secured Connections
In a demand-dial routing configuration, you can also set up login usernames and passwords that the two sides must negotiate in order to talk to one another—authentication. You can require encryption on the link, too, so that you know the data crossing the wire is protected from anyone listening along the way.
Secure Internet Connections
Demand-dial routing especially makes sense when you want to connect two of your networks over the Internet but you want to make sure you’re doing it in a highly secure fashion. Using a VPN allows you to use L2TP and IPSec for heightened security and encryption over the Internet. You’re able to leverage the backbone of the Internet to transport data from one router to another. This means that you could have a location in, say, Tokyo, and one in the United States. Under conventional routing practices, the intercontinental transport costs of a leased line could be enormous. But if you and the Tokyo location have high-speed, good-quality connections to ISPs, you can get a demand-dial routing setup going and save some money too.
There are two interesting points to consider when thinking about security for either over-the-Internet (VPN) or dial-up connections. The first is whether to use authentication (you should) and if so, what kind. With some ISPs, you may have no choice other than a PAP connection, which is only a little better than no authentication at all. The password is transmitted in clear text, and anyone with a packet sniffer on the path could grab it. You can also use CHAP or MS-CHAP for more secure authentication. But you’ll have a problem when routers authenticate if you don’t pick the right authentication methodology. Since authentication says, “Who are you and what proof do you have that you are whom you say?” it would be nice to have routers perform two-way authentication when one router calls another. This technique, called mutual authentication, means that each router proves its identity to the other before any traffic flows. But with PAP, CHAP, and MS-CHAP, you only have one-way authentication. Your router calls up and says, “Hi! I’m so-and-so from such-and-such. Let me in!” but it never bothers to say “And, by the way, who are you?” so a rogue router that answers the call can accept it and receive your traffic. Fortunately for you, EAP-TLS and MS-CHAP v2 both support two-way authentication, so you have much stronger security with these two protocols. EAP-TLS requires the presence of a Public Key Infrastructure (PKI): the calling router authenticates with a user certificate, and the answering router authenticates with its machine certificate. If you don’t want to go to the trouble of setting up PKI to handle this scenario, EAP-TLS is not an option for you.
Your second security consideration is whether to encrypt the data. Using a VPN with IPSec and L2TP automatically encrypts the data for you, so you don’t have a problem. But what about a demand-dial connection over a plain dial-up link? You still have the ability to set encryption (MPPE over the PPP link). You can set it for
No encryption
Optional encryption, where the router being called validates you even though it can’t encrypt
Encryption required, where you insist that the data be encrypted—this is the natural choice for Windows 2000 routers talking to one another
Be aware that extra processing cycles will be chewed up by the computers encrypting and decrypting data.
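The one-way versus two-way distinction is easier to see in an exchange. Here is an added example, not code from the book, that models a calling router authenticating to an answering router both ways. It keeps the shape of MS-CHAP v2 (authenticator challenge, peer challenge, response, and an authenticator response that the caller checks) but stands in HMAC-SHA256 for MS-CHAP v2’s MD4/DES/SHA-1 construction, so it demonstrates the protocol flow rather than the real algorithm. The router names, the shared demand-dial secret and the rogue answerer are constructed for the example.

```python
import hashlib
import hmac
import os


def response(secret: bytes, *parts: bytes) -> bytes:
    """Stand-in for the MS-CHAP v2 response computation (HMAC-SHA256, not DES/MD4)."""
    return hmac.new(secret, b"".join(parts), hashlib.sha256).digest()


class Router:
    def __init__(self, name: str, secret: bytes):
        self.name = name.encode()
        self.secret = secret          # credential of the demand-dial account, known to both ends


class RogueAnswerer(Router):
    """Answers the phone (or the VPN port) but does not hold the real secret."""

    def __init__(self, name: str):
        super().__init__(name, b"i-do-not-know-it")


def _answerer_checks_caller(answerer: Router, resp: bytes, *challenge_parts: bytes) -> bool:
    if isinstance(answerer, RogueAnswerer):
        return True               # a rogue answerer simply accepts whoever calls
    return hmac.compare_digest(resp, response(answerer.secret, *challenge_parts))


def one_way_call(caller: Router, answerer: Router) -> dict:
    """CHAP / MS-CHAP v1 shape: only the caller proves anything."""
    challenge = os.urandom(16)                       # issued by the answerer
    resp = response(caller.secret, challenge, caller.name)
    accepted = _answerer_checks_caller(answerer, resp, challenge, caller.name)
    # the caller has nothing it can check about who answered
    return {"answerer_accepted_caller": accepted,
            "caller_verified_answerer": None,
            "caller_connects": accepted}


def two_way_call(caller: Router, answerer: Router) -> dict:
    """MS-CHAP v2 shape: the caller contributes a peer challenge and expects an
    authenticator response that only a holder of the secret can produce."""
    auth_challenge = os.urandom(16)                  # from the answerer
    peer_challenge = os.urandom(16)                  # from the caller
    resp = response(caller.secret, auth_challenge, peer_challenge, caller.name)
    accepted = _answerer_checks_caller(answerer, resp, auth_challenge, peer_challenge, caller.name)
    # now the answerer must prove itself: its reply is bound to the caller's challenge
    auth_resp = response(answerer.secret, b"S=", resp, peer_challenge)
    expected = response(caller.secret, b"S=", resp, peer_challenge)
    verified = hmac.compare_digest(auth_resp, expected)
    return {"answerer_accepted_caller": accepted,
            "caller_verified_answerer": verified,
            "caller_connects": accepted and verified}


# Constructed routers sharing one demand-dial secret, plus an impostor using the real name
SECRET = b"demand-dial-account-password"
BOSTON = Router("boston-rtr", SECRET)
CHICAGO = Router("chicago-rtr", SECRET)
IMPOSTOR = RogueAnswerer("chicago-rtr")

if __name__ == "__main__":
    print("one-way, rogue answerer:", one_way_call(BOSTON, IMPOSTOR)["caller_connects"])   # True: Boston is fooled
    print("two-way, rogue answerer:", two_way_call(BOSTON, IMPOSTOR)["caller_connects"])   # False: Boston hangs up
    print("two-way, real answerer: ", two_way_call(BOSTON, CHICAGO)["caller_connects"])    # True
```

The first line of output is the failure mode the text describes: with one-way authentication the impostor never has to prove anything, so a demand-dial router that is tricked into calling the wrong number (or whose VPN endpoint address is spoofed) will happily send its site-to-site traffic to it. With the two-way exchange the caller disconnects before forwarding a single packet.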
Fault Tolerance for WAN Links
What would happen if your WAN links crashed? Certain configurations of Systems Management Server (SMS) 2 freak out because they can’t find their primary site server. WINS has major problems if the client is trying to access a WINS server across a broken WAN link. If you have only one domain controller (DC) for a given set of users and that DC happens to be on the wrong side of the broken WAN circuit, the side that the users aren’t on, the users can no longer be validated. Some of these issues may not apply to your network, but others probably do. This list is certainly not exhaustive, either. The point is, broken WAN links can cause major problems for your network.
Suppose you work for a hospital or other company that has a mission-critical operation. You cannot afford to have WAN links out of operation for any duration, no matter how short. So you set up some Windows 2000 routers and a demand-dial connection. If the WAN circuit between two points goes out, your Windows 2000 routers will kick in and users will still be able to connect. It won’t be the fastest connection in the world, but at least users can get their data across the wire. Something is better than nothing.
Some applications can’t deal with the small bandwidth and timeouts that a dial-up connection might present.
The Across-the-Wire Applications Users
You work for a company that has many geographically separated locations connected by WAN links of various speeds. One of the WAN links has been particularly troublesome for you (more accurately, for your internetworking department) because the link occasionally just drops out for no good reason. Your internetworking people have checked this problem over and over again and can’t find anything wrong. The telephone company that provisioned this circuit has checked it and finds nothing out of the ordinary. But still, users occasionally lose the connection between your location and theirs. Unfortunately, the users are running an application that is only available on your side of the wire. In fact, they’re using the application off of a specialized Unix server, so it’s not even possible to emulate the application on their side of the wire so that they can keep working if this dropout happens again. Their work completely revolves around the ability to connect to this application. If they can’t connect, things get ugly fast. This scenario is a perfect use for a backup set of Windows 2000 routers equipped with demand-dial functionality. Since phone lines are cheap and reliable and you’ll only use this circuit when the other one is down, you’ll be able to work around this very troublesome link-dropout problem.
Designing a Demand-Dial Routing Implementation
While setting up demand-dial routing is pretty straightforward, you have to watch for several potential problem areas as you go through the installation.
Microsoft Exam Objective
Design a Routing and Remote Access routing solution to connect locations.
Design a demand-dial routing strategy.
The most important point to make is that your Windows 2000 routers shouldn’t be doing other things in addition to being routers. Having a Windows 2000 router providing multiple other services would be like installing Exchange on your Cisco router. Not a good idea. Let the routers do their job independently of any additional software you might be tempted to add. Perhaps you’re the administrator of a small business network. You can’t afford extra servers, or extra copies of Windows 2000. How are you supposed to set up Windows 2000 routers without Windows 2000 servers, let alone dedicated Windows 2000 servers? There is no easy answer to this, but if you need the solution, you need to find the money to make it work. If that means that you use a desktop for your router and you install a 120-day evaluation to see whether a proof of concept works before you buy, well then, that’s what you do. But you’re going to have to find a way to accomplish this. One thing that is perfectly viable is to buy one server that handles NAT, DHCP, WINS, DNS, and routing all in one box. This computer must be adequately equipped to handle this kind of load; remember that routing is I/O-intensive and that you’ll need extra RAM and CPU power for these activities (though not a lot of disk). You do not want to put services like file or print services or applications on routing servers.
Placement of these services on a software router is really only viable if the router is firmly inside your network. Since there are often good reasons to place such boxes on the edge of your network, or perhaps in a DMZ, be careful about the placement of these services.
Installing Demand-Dial Routing Hardware
A second important point is to install the Windows 2000 software on good computers amply equipped with enough CPU, disk, and RAM to handle the job. You’re asking the computer to handle routing requests through its NICs, to run the RIP or OSPF protocols, and to periodically review the routing tables for routes to destinations other than the local network. This is not super-heavy stuff, but you don’t want it running on the bosses’ old 286, either. You’ll need an HCL-rated computer that exceeds the minimum requirements for Windows 2000 Server. Since routing is CPU- and RAM-intensive, it’s to your benefit to boost the RAM up a bit. If, for example, you find that Windows 2000 runs well on 128MB of RAM (the minimum supported), load up the system with 256MB for routing and Windows 2000. The computers are going to either need modems in order to dial out or a digital solution like ISDN, DSL, or a high-speed cable connection. Windows 2000 will probably detect any communications devices you have installed in each computer and install the drivers automatically. New or exotic devices might need to have a driver supplied by the device vendor in order for Windows 2000 to work with them. You’ll also have a NIC in each router so that it can talk to the private network. You should install RIP or OSPF on the routers. RIP is intended for smaller networks, and OSPF is intended for larger, more complex networks.
Installing and Configuring Demand-Dial Routing
RRAS is pre-installed and ready to configure with any Windows 2000 Server installation. Install the server software on the router as a member server. Once you’re sure the server is up and running correctly, click Start ➢ Programs ➢ Administrative Tools ➢ Routing and Remote Access to open the RRAS window. Configure and enable RRAS, then right-click the Ports object and select Properties to open the Ports Properties window. Now highlight the modem or ISDN device and click the Configure button. A window appears like the one in Figure 16.1. If the Demand-Dial Routing Connections (Inbound and Outbound) check box isn’t selected, check it. Note that you can also check the Remote Access Connections (Inbound Only) box in order to facilitate dial-in to this device as well. With a VPN connection where you’re connecting to the Internet to get to the other router, you only need a one-way connection. If the two routers are connecting with one another directly, then you’ll need to enable remote access connections.
FIGURE 16.1 Configuring demand-dial routing
While in the RRAS window, you can navigate to the Routing Interfaces object, highlight the demand-dial interface, and right-click it to get a shortcut menu similar to the one illustrated in Figure 16.2. You can set the connection credentials, add IP filtering, and adjust the hours that the system is allowed to dial out. Clicking Properties brings up the Demand-Dial Properties window. Under its General tab, you can configure the modem’s settings and add the phone number. (If the connection is a VPN connection, no modem information is seen; instead, the General tab contains only the address of the remote router.) Under the Options tab, you can set the idle time allowed before disconnect or set a persistent connection, and you can modify the number of redial attempts and the time between redials. You can also set a callback number or set up an X.25 connection from within this window. The Security tab is where you stipulate what kind of validation you’re going to use (secured or unsecured), advanced security settings, and (for non-VPN setups) whether to use a script. The Networking tab allows you to set up networking properties for this connection.
FIGURE 16.2 Setting the properties of a demand-dial interface
Updating Routing Tables in a Demand-Dial Routing Environment
Next, you need to add static routes to the routing tables for each of your routers. In order to accomplish this, the demand-dial part of your router must have a default static route with the IP address of 0.0.0.0 and subnet mask of 0.0.0.0. You can validate that this has been created by navigating to the Routing and Remote Access window, clicking the IP Routing object, then clicking the Static Routes object, as illustrated in Figure 16.3. Here, a demand-dial interface called DDGuy has been created, and it does indeed already have the static route created and ready to go. This should be the case with your demand-dial interface as well, though you can certainly add the static route manually if it’s not already present.
FIGURE 16.3 Checking to see whether the default static route has been created
You can see the entire routing table for your server by right-clicking Static Routes and choosing Show IP Routing Table. Another option is to type route print from a command prompt. However, route print reports only the routes the TCP/IP stack currently holds; the static routes that RRAS associates with a demand-dial interface that isn’t connected may not be listed there, so don’t conclude from that output that the route is missing. The RRAS snap-in’s view of the IP routing table is the reliable one to check.
Adding an additional route is easy. Just right-click the Static Routes window and select New Static Route from the shortcut menu. Enter the new route. Why would you add a static route to your demand-dial routing table? If, for example, you have a third router on a DMZ that’s part of the network that you’re connecting to, clients on this side of the router need a second static route for the DMZ’s subnet in your demand-dial routing table in order to reach it.
Suppose that you type static routes into your demand-dial routing table on a periodic basis, and you want to update the other routers in the route table with the new entries. It may sound weird, but there are people out there who can make use of this technology. You can accomplish this feat with something called auto-static updates and a Windows 2000 command called netsh (for net shell). Here’s the command text that connects a demand-dial interface called DDGuy, requests the RIP for IP routes from the router on the other end and stores them as static routes, then drops the line:
    netsh interface set interface name=DDGuy connect=CONNECTED
    netsh routing ip update name=DDGuy
    netsh interface set interface name=DDGuy connect=DISCONNECTED
The middle line is the auto-static update itself (netsh routing ip update); the first and last lines bring the link up for it and take it down again. You can put these three lines in a batch file and run it as often as you like, or save the netsh commands (without the leading netsh word, since netsh reads them as its own commands) in a file with the extension .scp and execute it with netsh -f scriptname.scp. If you want this kind of updating to happen on a regular basis, you just use the good old Command Scheduler, called AT, to run the script on a regular basis. You can alternately set auto-static updates through the RIP properties screen, as illustrated in Figure 16.4. You get to the RIP properties screen by going to Routing and Remote Access, clicking RIP, right-clicking the demand-dial interface, then clicking Properties.
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com
FIGURE 16.4 Configuring auto-static updating through a RIP demand-dial interface’s properties sheet
Auto-static updating will only work for RIP for IP, RIP for IPX, and SAP for IPX routing implementations.
The purpose of static routing is to provide alternate routes for addresses that cannot be reached locally. The router has no local route for the address, so it dials up the other router and passes the traffic along to the network that does.
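As an added example (not code from the book or from Windows 2000 RRAS), here is the routing decision just described modeled in Python: static routes are matched by longest prefix, and when the best match is the RRAS-style 0.0.0.0 / 0.0.0.0 default route on the demand-dial interface DDGuy (the page’s example name) and the link is down, the router dials before forwarding. The addresses, the LAN interface name and the remote DMZ route are constructed for illustration.

```python
"""Added example, not part of the Sybex text: a small model of a Windows 2000
demand-dial router's forwarding decision. Static routes are looked up by
longest prefix; a destination with no local route falls through to the
0.0.0.0/0.0.0.0 default route that RRAS binds to the demand-dial interface,
which brings the link up before the traffic is passed along.
All addresses and route entries are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class StaticRoute:
    destination: str   # network address as RRAS shows it, e.g. "192.168.2.0"
    netmask: str       # dotted mask as RRAS shows it, e.g. "255.255.255.0"
    gateway: str       # next hop
    interface: str     # interface the packet leaves on
    metric: int = 1

    @property
    def network(self) -> ipaddress.IPv4Network:
        # RRAS keeps destination and mask as separate columns; combine them.
        return ipaddress.IPv4Network(f"{self.destination}/{self.netmask}")


@dataclass
class DemandDialRouter:
    routes: list = field(default_factory=list)
    demand_dial_interfaces: set = field(default_factory=set)
    connected: set = field(default_factory=set)   # demand-dial links currently up
    dial_log: list = field(default_factory=list)  # (interface, destination) per dial

    def add_static_route(self, destination, netmask, gateway, interface, metric=1):
        self.routes.append(StaticRoute(destination, netmask, gateway, interface, metric))

    def lookup(self, dest: str):
        """Longest-prefix match; lowest metric wins a tie; None if nothing matches."""
        addr = ipaddress.IPv4Address(dest)
        matches = [r for r in self.routes if addr in r.network]
        if not matches:
            return None
        return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))

    def forward(self, dest: str):
        """Return (interface, gateway) used for dest, dialing the link if needed."""
        route = self.lookup(dest)
        if route is None:
            return None
        if route.interface in self.demand_dial_interfaces and route.interface not in self.connected:
            # No LAN route covers this address: bring up the demand-dial
            # connection to the opposing router, then pass the traffic along.
            self.connected.add(route.interface)
            self.dial_log.append((route.interface, dest))
        return route.interface, route.gateway


def build_example_router() -> DemandDialRouter:
    """Constructed layout: a local LAN, a second local subnet behind a LAN
    router, and the demand-dial interface DDGuy reaching the remote office,
    whose DMZ sits behind a third router and so needs its own static route."""
    r = DemandDialRouter(demand_dial_interfaces={"DDGuy"})
    r.add_static_route("192.168.1.0", "255.255.255.0", "0.0.0.0", "LAN")
    r.add_static_route("172.16.0.0", "255.255.0.0", "192.168.1.254", "LAN")
    # The default route RRAS creates for a demand-dial interface: 0.0.0.0 / 0.0.0.0
    r.add_static_route("0.0.0.0", "0.0.0.0", "192.168.2.1", "DDGuy")
    # The second static route for the remote DMZ behind the third router.
    r.add_static_route("10.50.0.0", "255.255.0.0", "192.168.2.254", "DDGuy")
    return r


if __name__ == "__main__":
    router = build_example_router()
    for dest in ("192.168.1.25", "172.16.9.9", "10.50.3.7", "192.168.2.40"):
        print(dest, "->", router.forward(dest))
    print("dials made:", router.dial_log)
```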
Demand-Dial Routing Considerations
Demand-dial routing implicitly means that you’ll only periodically be connecting to the opposing router(s). But it’s possible to set up a demand-dial connection that’s persistent. An example of this might be a connection where you dial another Windows 2000 router and keep the connection open 24×7. This probably means that the other router is within the same area code and prefix as the first router; otherwise, the connect charges could get expensive.
Establishing a persistent connection does buy you the ability to set up dynamic routing, wherein all routers update each other’s routes, freeing you from the pain of auto-static updating. Note that auto-static updating is only useful for very small networks. In a network with hundreds of users spread across many campuses, auto-static updating—which isn’t automatic unless you make it so using the Command Scheduler—can turn into a maintenance chore. Don’t use Windows 2000 routers doing demand-dialing in large networks except as a redundant backup to your normal routing methodology.
You can use remote access policies to strengthen the way your demand-dial connection works. For example, you can restrict anything but Windows 2000 computers from using the demand-dial connection. You can specify the authentication and encryption to be used with the connection. You can also set up the times and days when the connection is allowed to work, and you can specify the idle timeout to be used by the connection.
Logging
There’s one last point to make here, one that’s not discussed frequently in the new Microsoft training materials or in the testing: Be aware that all of these activities—NAT, DHCP, WINS, DNS, routing, and RRAS—are logged in the normal Event Viewer. Troubleshooting starts with the Event Viewer logs.
Summary
In this chapter, you learned about demand-dial routing. You use this technique to connect two or more Windows 2000 routers anywhere you do not have WAN circuits from one campus to another, or where you want to supply a backup route in case your conventional WAN circuits fail. You set up the routers using RIP, OSPF, or IGMP and a telephony connection of some kind; alternatively, you can set up a VPN through the Internet. You then configure a demand-dial connection to use the telephony circuit to dial the opposing router. You can configure conventional authentication and encryption protocols to make sure the connection is secure. You can set the times and days that the connection will be used.
If you’re using RIP for IP, RIP for IPX, or SAP for IPX, you can set up auto-static updating. You enter static routes, then send out a command that updates all of the routers listed in your static route table. You can automate this command with the AT command scheduler in Windows 2000 or by using the netsh -f scriptname command. With persistent connections that dial in and stay dialed in, you can optionally set up dynamic routing. Remote access policies help provide a security structure for your demand-dial routers that will prevent others from tampering with them or trying to hack into them. You should set up demand-dial routers as servers dedicated to the remote access process; be sure the routers are not involved with other applications. Also make sure that the servers are equipped properly so as not to be a bottleneck to the network; this means you’ll want to provide fast Ethernet NICs on the network side, good-quality telephony circuits on the routing side, and plenty of CPU and RAM for the task.
Exam Essentials
Know when to use demand-dial routing. Demand-dial routing is good for networks that do not need a persistent connection to another network (or to the Internet) and cannot afford the permanent link. Demand-dial is also good as a backup routing method in case your normal router fails.
Key Terms
Most of the important RRAS terms are covered in other chapters, with the exception of these few. Be certain you’re familiar with these terms for the exam:
auto-static updates
netsh
mutual authentication
Public Key Infrastructure (PKI)
Review Questions
1. You are the infrastructure manager for your company’s network. You are in the process of designing a backup routing solution in case your primary routers fail. What are the acceptable telephony connections you can use with demand-dial routing? Choose all that apply.
A. ADSL
B. X.25
C. Asynchronous telephone lines
D. ISDN
2. You have just configured a Windows 2000 Server machine to act as a demand-dial router. What is the default static route address and subnet mask that’s set up with a demand-dial routing interface?
A. IP address: 0.0.0.0, subnet mask: 255.255.255.0
B. IP address: 1.1.1.1, subnet mask: 255.255.255.255
C. IP address: 0.0.0.0, subnet mask: 0.0.0.0
D. IP address: 1.1.1.1, subnet mask: 1.1.1.1
3. You are the remote access administrator for your company. You have just installed a demand-dial router for a remote office that only needs to connect to the main office occasionally. You ship the router to the remote location, and the local administrator sets it up. While reading through documentation, they notice the netsh command. Not being familiar with the command, they ask you about it. When do you need to use the netsh utility with demand-dial routing?
A. To set up multiple routers
B. To set up manual route entries
C. To set up dynamic route entries
D. To set up auto-static updating of route entries
4. You are the network administrator for a small subsidiary marketing firm. The users in the firm travel extensively and need to be able to dial in to the company network when they’re away. Also, the office needs to be able to connect to the main office to upload sales figures once a week. This connection needs to be secure. In order to increase security, you decide to use remote access policies for remote users as well as a dial-up routing solution. What are two reasons that you may have chosen to use policies?
A. To enforce auto-static updating
B. To enforce encryption
C. To enforce selection of a backup circuit in case the existing line is down
D. To supply the correct credentials for dial-up connections requiring authentication
5. You are the remote access administrator for your company. You have a main office located in Seattle, with branch offices in Portland and Boise. To keep costs down, the branch offices do not have a persistent connection to the Internet. Users in the branch offices occasionally need to access resources on the corporate network. You want to make sure that the data sent between offices is encrypted. What two kinds of encryption options do you have with demand-dial routing connections? Choose two.
A. MPPE
B. IPSec
C. Require Encryption
D. Optional Encryption
6. You are the network administrator for your company. You have two networks, both of which have fewer than 20 users. The networks are separated by a large geographic distance. What is the best routing mechanism by which to connect these two networks?
A. Conventional inexpensive routers with a low-speed WAN circuit
B. Persistent demand-dial connection using RIP
C. Demand-dial connection using RIP
D. VPN circuit using PPTP
7. You are the remote access administrator for your company. Your company has a central office located in Chicago and a branch office located in Madison, Wisconsin. The Chicago office has 450 users and a persistent connection to the Internet. The Madison office has 35 users, and management has determined that they do not need a permanent connection to the Internet. To facilitate their access needs, you decide to design a demand-dial routing solution. In this case, what will be the biggest risk associated with demand-dial routing?
A. Potential for saturation of the routers if an inordinate number of users try to use them.
B. Windows 2000 computers doing the routing aren’t reliable.
C. Windows 2000 computers doing the routing aren’t secure.
D. Difficulty of setting up and maintaining the routers.
8. You are setting up a demand-dial routing solution for a company you are contracting for. They want to know which protocols are supported by Windows 2000 demand-dial routing. What do you tell them? Choose all that apply.
A. TCP/IP
B. AppleTalk
C. IPX
D. NetBEUI
E. DLC
9. You are the network analyst for a major Minneapolis-based research and development firm. One of your job responsibilities is to present new Windows 2000 technologies to the board of directors. Your boss believes that these presentations will help educate the directors on new technologies, making it easier to get budget approval for new projects. What two reasons for using demand-dial routing would you give to the board?
A. It’s used when routers and WAN circuits are expensive or unavailable.
B. It’s required when networking two Windows 2000 networks together.
C. It’s used as a backup to conventional router and WAN circuits.
D. It’s used when you need to route NetBEUI packets.
10. You are the network manager for your company. One of your administrators, Jennifer, wants to set up demand-dial routing. She has installed a modem in the new router. What are the next two steps she needs to take to set up the router?
A. Create a new demand-dial interface
B. Add a routing protocol
C. Enable routing through RRAS
D. Set up the phone book entry through dial-up networking
Answers to Review Questions
1. A, B, C, D. While the connections that are generally stipulated for demand-dial routing are asynchronous telephone lines and ISDN, you can indeed use demand-dial routing with X.25 circuits or ADSL as well. In the case of ADSL, you’ll likely be using a VPN circuit connecting you to your ISP, and the opposing router will be configured the same way.
2. C. The default static route address that’s assigned to your demand-dial interface is an IP address of all zeros and a subnet mask of all zeros. This allows the demand-dial interface to be the default gateway for the network.
3. D. You use netsh in combination with AT to automate the updating of static route entries in Windows 2000 routers. You don’t have to use AT, but this facilitates regular updating of the entries.
4. B, D. You can use remote access policies to enforce encryption of the circuit and to supply credentials for dial-up connections that might require them. Auto-static updating is handled elsewhere in the RRAS configuration window, and you have no choice of a backup circuit with demand-dial routing.
5. C, D. The encryption we speak of with demand-dial routing doesn’t use conventional RRAS encryption choices such as MPPE or IPSec. Instead, you’re offered the choices of No Encryption, Optional Encryption, and Require Encryption. If you connect to a host that doesn’t understand Windows encryption, you might need to set Optional Encryption. If you’re connecting with another Windows 2000 router, you can opt for Require Encryption.
6. D. Of all the choices, probably the best would be a VPN circuit using PPTP. Even though you may be restricted (for budget reasons) to using asynchronous telephone lines, you can set up a PPTP VPN, possibly using encryption and authentication, and save yourself money. Yes, you’ll have to go through a bit more pain to set things up, but you’ll have an inexpensive and secure technology in place when done. Answer B isn’t feasible because you’re told that you have a large geographic distance between the two, implying that you’re crossing area codes. A good second-place candidate would be answer C. Answer A isn’t feasible because of the potential costs incurred by the expense of the routers and the WAN circuits. Actually, that may not be a completely true statement. If you can obtain inexpensive routers with integrated CSU/DSUs and you can provision an inexpensive, albeit low-speed WAN circuit, you can come up with an inexpensive routing solution. But you still have the overhead of having to be the expert who maintains the routers and having to troubleshoot WAN circuits in the event that they go down.
7. A. If you set up Windows 2000 routers using HCL-compliant hardware and you try your best to devote the computer to the routing operation, you shouldn’t run into reliability issues. As far as security goes, you have very robust security choices with demand-dial routing. Yes, you’ll have some difficulty in setting up the routers, especially if you don’t understand the technology, but Windows 2000 does the majority of it for you. Your biggest problems will occur when you try to point too many users at a Windows 2000 router. You run the risk of saturating the routers when too many users and too much data try to cross this wire.
8. A, C. You can route TCP/IP and IPX; you cannot route AppleTalk (unless you’ve configured AppleTalk as a multiprotocol router) or NetBEUI. NetBEUI has always been a non-routable protocol, one of its major shortcomings. DLC is also non-routable.
9. A, C. NetBEUI isn’t routable no matter what routing method you use. You can certainly use conventional routers and WAN circuits to connect two Windows 2000 computers together. A and C are the right choices.
10. A, C. She’d want to first enable routing through RRAS, then create a new demand-dial interface.
CASE STUDY
Bridging the Dentists’ Offices
You should give yourself 10 minutes to review this case study, diagram as needed, and complete the questions for this testlet.
Background
You work as a SOHO consultant—your specialty is helping the smaller guy get his business networked and on the Web. It’s a living, and it beats shoe sales. You’ve been hired by a pair of endodontists who have developed their practice into a very lucrative multi-shop business. They have four offices in town, basically one in each quadrant of the city: northeast, southeast, northwest, and southwest. The northwest office is the central office. They’d like you to get them networked, and they’re especially interested in getting the networks hooked together so that the clerical staff in one office can contact the staff in the others and so forth.
Problem Statement
Overview There is no current system. All staff use stand-alone PCs and sneakernet for their connectivity. There are six to ten users at each office, most of whom are sporadic users; only three users are on a PC full-time. All offices are in the same city so, even though you have different area codes, all calls between the offices are local and could be made persistent if need be. You’re torn as to whether to set up VPN tunneling through their ISP and use it for the routers (with a separate line for dial-up Internet access) or to stick with a standard asynchronous dial-up connection. You’re also not sure whether to fix them up with an ADSL connection to their ISP or to stay with the tried and true POTS. Your goal is to not have to spend loads of your time supporting this system once it goes in place.
Performance The doctors want adequate performance, but they don’t need state-of-the-art speed. As one of them asks you, “This isn’t going to be bleeding edge, is it?”
Dentists “Will the staff be able to surf the Web with this system? Also, we don’t want to rack up hundreds of dollars in additional phone bills each month, so try to keep the telephone charges down.”
Envisioned System
The system you envision will consist of two Windows 2000 servers at each location connected to a small office 100Base-T hub. One of the servers will run Exchange, carry the special dentist office software, and act as a file and print server. This server will be loaded up on disk space due to the anticipated heavy number of files the staff will put on it. The other server will act as a DHCP, Proxy Server, NAT, WINS, and router server. Both servers will be quality dual-processor computers with plenty of RAM. Unfortunately, they won’t be Tier 1 computers, but you’ve found a reliable vendor who can supply computers that have worked well for you in the past and they’re Windows 2000–certified. Clients will connect to the hub and thence to the servers. You envision that you’ll use demand-dial routing so that when clerical or patient staff in one office need to send files or e-mails to the other office, the servers will automatically dial the opposing router. You’ll have two modems in each central-office server, one that dials the ISP you’ve provisioned for the offices, the other to dial the other routers. You envision that the system will have one connection to the Internet at the northwest office and that clients who need web access from the other offices will be able to request it through the routers.
The dentists say, “You’ve done a good job keeping costs down on these server systems. How fast can you have them up and running? Can we get onto the Internet once you’re done? Do you know how to create web pages?”
Security
Overview You discuss the security ramifications of a VPN vs. a standard POTS line with the dentists. From your perspective, nobody is interested in trying to grab information about a guy’s molars off of the Internet, so a VPN might be overkill in terms of security. On the other hand, they are medical records.
Dentists “We’re just sending the files between offices, right? And you said that even if we opt for the telephone dial-up between routers, you can set up some security. Let’s think about this a little more.”
Availability and Maintainability
Regular office hours, plus every other Saturday, is the only time this system needs to be available. However, you’ll provide a dial-up connection for the dentists to the main office so they can connect to patient records and to their ISP from home. The dentists want to know, “Can we disconnect our AOL accounts?” Ideally, you want to be able to RAS in to fix most problems. You have a Windows 2000 server at home so that you can teleconnect to ailing servers. Your goal is to reduce the number of physical visits (especially to the dentist) once you get the office up and running on the new network.
Funding
Overview All funding is highly scrutinized by the dentists. They drive Mercedes convertibles to work each day, but they made their money by being frugal.
Dentists “We want a good quality system—we don’t need a Lexus—but we want people to be happy and we need the Internet connection.”
Questions
1. Connect the locations shown as indicated in your planned system.
[Diagram to complete. Locations: Dentists’ homes, Northwest (central) office, Your home, Southeast office, ISP. Connection types: DSL, ISDN, POTS/PPTP, POTS/RAS, POTS/RIP.]
2. How many regular POTS phone lines will the northwest office need running into the router server?
A. 1
B. 2
C. 3
D. 4
E. 5
3. What will be your authentication protocol or protocols? Select all that apply.
A. CHAP
B. MS-CHAP
C. MS-CHAP v2
D. PAP
E. Unknown
4. Should you use persistent or dial-up connections between the inter-office routers?
A. Depends
B. Persistent
C. Dial-up
5. What is the biggest SPOF in this design?
A. Central office router
B. Outer office routers
C. DSL connection to the Web
D. Single DHCP and WINS point
6. What’s the one critical piece that’s missing here and isn’t mentioned in the envisioned system?
A. Firewall
B. Virus scanner(s)
C. Exchange connectors
D. Certificate server
Answers
1. [Completed diagram; labels as recovered from the figure, in order: Dentists’ homes, POTS/RAS, Your home, POTS/RAS, Northwest (central) office, DSL, ISP, POTS/RIP, POTS/RAS, Southeast office.] Obtain the DSL circuit for the ISP connection. Connect the other offices to the main office with routers over asynchronous lines.
2. E. Three routers, three separate phone lines. You wouldn’t dare take the chance of having all three routers trying to call one phone line, would you? An intelligent multiport serial adapter is just the trick for such a setup. Ah, but there’s a hitch. The DSL circuit would require an additional DSL adapter and phone line, for a total of four regular POTS lines (DSL uses conventional copper phone lines). Ah, but there’s one more hitch, isn’t there? You said that you want to be able to dial into the network at any time (as do your dentists), so you’d better supply at least one additional RAS line strictly for that purpose.
3. C, E. You can safely use MS-CHAP v2 for the inter-office routers. You’re not told what the ISP connection will be, so you can’t make a judgement on its authentication requirements at this time.
4. B. You might be tempted to answer “depends” because you might be thinking, “Well, that’s an additional phone line that somebody could use when it’s not busy.” But that would be faulty reasoning. You want to dedicate the router connections to being router connections and nothing else. Since the lines are all in the city and not using any long-distance connections, you’re safe to nail up persistent connections between the routers. The speed and connectivity will be much better this way. Remember that if you’re hitting the Web from a remote location on a demand-dial routing setup, it’s highly possible that your page will time out before the routers can sync up and get the connection made for you.
5. A. If the central office router crashes, it’s all over. Nobody from the other offices can talk to the central office, e-mail can’t go through, nor can anyone hit the Web. If an outer office router goes down, you have one office out but the others can continue to work. The web connection may or may not be important yet—seeing as how you haven’t had time to write that web page yet. The single DHCP and WINS point isn’t going to be a showstopper as long as you set up long expiration times on the DHCP leases. You might consider having each remote DC be a WINS server, but personally I think that’s overkill.
6. B. Proxy Server will make an adequate firewall for this tiny little network. The Exchange Servers are all part of an office, so there’s no connector required. A certificate server isn’t in the picture. But a virus scanner—now that’s an important piece of software to have on this network, especially with all the surfing it sounds like the dentists are going to do. And, frankly, I’m ashamed of you for not mentioning it in the envisioned system document.
Chapter 17
Planning a Virtual Private Network (VPN) Implementation
MICROSOFT EXAM OBJECTIVE COVERED IN THIS CHAPTER: Design a virtual private network (VPN) strategy.
One last chapter—and it’s about one of the most important features of Windows 2000 that you’ll use: a virtual private network (VPN). With this tool you can take advantage of the broad backbone of the Internet to gain access to corporate networks that are separated far from one another. You can set up telecommuters who already have high-speed connections to the Internet so that they can access the corporate network in a secure manner. Previous chapters already talked in some detail about VPNs; this chapter finishes off the discussion. Of course, this isn’t a full-length treatise on VPNs; there are many books and other resources out there for the interested reader.
Using a VPN
The biggest question you should ask yourself when considering a VPN is, “Will I be putting my users and their data at risk if I allow VPNs into my network?” It’s a security question. After all, we’re talking here about you setting up a connection that links your network and your telecommuters, or your network and another network, over the Internet, where millions of people can potentially get at the data that’s crossing the wire. We’ll cover security later in this chapter; for now it’s enough to say that if you correctly configure authentication and encryption on your VPN circuits, you have as much security as you’d have over RAS circuits, even though RAS circuits aren’t quite as easily hacked. You can do all the same authentication and encryption as you would with RAS. So what are the reasons that you’d offer to a stakeholder about why you need VPNs? Here are some uses you might have for VPN connections:
Home telecommuters with high-speed lines (ISDN, DSL, cable modem, etc.) need access to your corporate network and intranet. There are a variety of reasons for this need, among them employee leaves, night and weekend access, and the high cost of office space.
Business partners need access to corporate files.
Two company networks with no connectivity need to connect to one another.
People need access to your network while traveling to places where the network doesn’t reach (overseas, for instance).
Use a VPN when you feel that the risk is low enough to substantiate implementing it. If you are working on the next high-tech, top-secret laser spy device for the CIA, you might not want to consider a VPN (even though with strong encryption and authentication, VPNs are pretty hack-proof). But for the average corporate network, you’ll be surprised at how easily you can get a VPN set up and how secure a VPN really is.
VPNs use IP tunneling to accomplish their goal, as illustrated in Figure 17.1. The idea of tunneling is that you use the TCP/IP transport mechanism to carry the data across the Internet, but you tunnel your data inside TCP/IP packets. It’s like transporting a car inside a truck: the truck is the transport mechanism and the car is the data. In a VPN, if you’ve correctly set up authentication, you know where the data came from and where it’s headed. Joe, the truck driver, knows he came from point A, he knows point B is expecting him, and he has some identification that proves it to point B’s guards. If you’ve correctly set up encryption, you’ve scrambled the data so it’s not readable by outside parties. Encryption is a second level of defense: the Volkswagen inside the truck is disguised as a refrigerator, making no sense to the viewer who is hoping to see a car, not an appliance.
FIGURE 17.1 A possible VPN setup
[Diagram: a telecommuter using an Internet connection reaches the corporate network through an ISP, the Internet, and a VPN server. Data is encapsulated in IP packets; the authentication method is negotiated ahead of time; encryption may be used to secure transmitted data.]
Secure Connectivity over Public Networks
When sending data across the Internet using a VPN, you have a choice of two different connection methods: Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP). In addition to these two connectivity selections, you also have a choice of authentication methods and the type of encryption that you’ll use with the VPN. In the United States, you can attain very good encryption levels, up to triple-DES (3-DES).
Reduced Leased Line Costs
Some networks don’t even connect to one another because the cost of setting up a WAN link between the locations is prohibitive. But if you have an office in London and one in New York, how do you connect the two if not with a WAN link? VPNs provide you a way to connect two locations in a much less expensive fashion than if you use WAN circuits.
Administration of Remote Networks
VPNs allow administrators to obtain high-speed Internet circuits and connect to their local network for administrative purposes. They’re just another user on the network at the point where they connect to it using VPN, albeit an administrative user. The only difference between a VPN admin and a conventional network admin is the fact that the VPN admin may not have the full complement of DHCP settings available in house. This, of course, depends on whether you’re using a DHCP relay agent on the RRAS server.
If you connect to the network through a VPN over asynchronous lines, you’ll get very slow performance and throughput, especially if you have encryption turned on. VPNs are designed to be used with high-speed circuits such as DSL, cable modems, or even multilink.
Privacy for Clients Connecting via Public Networks
Imagine the possibility. You’re at a hotel in Chicago and you want to connect back to your e-mail server in Denver. So you fire up the laptop, dial into your ISP’s toll-free number, and connect using PPTP. From there, you connect to your local network and grab your e-mail, safely and securely, all while using the Internet as your backbone. Clients connecting over public networks can be configured to use several different encryption protocols so that you’re assured the data is secure. In addition, the network administrator has the ability to require the user connecting to the network to authenticate with the connecting server. How hackable is this system? If you rigorously set up standards and monitor their implementation, you’ll find that hacking will be nearly impossible.
Designing a VPN Implementation
So how does one go about designing a solid VPN implementation? This section discusses some interesting techniques for making sure that the deployment is well thought out, well implemented, and maintainable yet secure.
Microsoft Exam Objective
Design a virtual private network (VPN) strategy.
VPNs in a Routed Environment
Two major questions come up when thinking about VPNs in a routed environment. The first question should be: What network resources will you allow your VPN users to access? Should you let them access the entire network, or should you restrict them to the computer they’ve connected to? You can configure RRAS connections—the very same connections that are used for VPN—so as to prevent connecting users from utilizing any more than what is on the connected computer. When would this be pragmatic? Perhaps for a business partner with people who need to connect to your network to receive files, you’d keep the files local to the RRAS server.
A second, much more interesting question is: Will you put the VPN server in the DMZ or bring it into the corporate network? You gain some security benefits by putting a VPN server on the DMZ. Users can’t get inside the private network, and you save yourself the hassle of wondering whether a hacker is trying to surf around and look at private stuff he doesn’t (or shouldn’t) have access to. Here’s a neat trick to this kind of implementation: You put the VPN server on the DMZ, then connect the VPN server to your inside network with IPSec. The data that’s needed is fetched for an authorized user, but the user never gets inside the network. Figure 17.2 illustrates this concept.
FIGURE 17.2 A VPN inside the DMZ
[Diagram: a telecommuter using an Internet connection reaches VPN server B inside the DMZ through an ISP and the Internet; VPN server A sits on the private corporate network. Data is encapsulated in IP packets; the authentication method is negotiated ahead of time; encryption may be used to secure transmitted data.]
Users with valid IP addresses (handed out by the RRAS servers) are just like any other users on the network. They can get anywhere they need to and map any shares, provided the appropriate permissions are in place. This reach includes every segment on the network that a router connects to. But suppose you don't want these users going wherever they like: everything a user needs is on the segment he or she is connected to, and you don't want that user crossing a router into another segment. How would you fix such a problem? The simplest method is to configure the routers so that they do not pass traffic from the RRAS clients' IP addresses, which means those addresses must be a range you can identify, such as a dedicated static address pool rather than the same DHCP scope the workstations draw from. A second method is to configure a Proxy Server on each network segment and disallow the VPN clients' addresses there. In either case, the goal is the same: keeping a VPN user out of segments he or she should not be allowed into.
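The router filter described above, as an added example that is not part of the book: a first-match packet filter of the kind you would configure on the router between the RRAS server's segment and the rest of the network, plus the check that makes such a filter possible at all, namely that the VPN address pool is distinguishable from the workstations' addresses. All addressing here is hypothetical (ordinary LAN hosts in 10.1.23.0/25, a dedicated RRAS static pool 10.1.23.128/25 on the same segment, and a back-end segment 10.1.40.0/24 behind the router).

```python
"""Added example, not from the book: a first-match packet filter of the kind you
would configure on the router between the RRAS server's segment and the rest of
the network, so that VPN clients are confined to the segment they connected to.

All addressing is hypothetical: ordinary LAN hosts use 10.1.23.0/25, the RRAS
server hands VPN clients addresses from a dedicated static pool 10.1.23.128/25 on
the same segment, and 10.1.40.0/24 is a back-end segment behind the router.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
WHOLE_SEGMENT = ipaddress.ip_network("10.1.23.0/24")   # hypothetical: the RRAS server's segment
LAN_HOSTS = ipaddress.ip_network("10.1.23.0/25")       # hypothetical: regular workstations
VPN_POOL = ipaddress.ip_network("10.1.23.128/25")      # hypothetical: RRAS static address pool
BACKEND = ipaddress.ip_network("10.1.40.0/24")         # hypothetical: segment behind the router


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# Inbound filter on the router interface facing the RRAS segment. First match wins,
# so the deny for the VPN pool has to come before the permit for the segment.
ROUTER_FILTER = [
    Rule("deny", VPN_POOL, ANY),
    Rule("permit", WHOLE_SEGMENT, ANY),
]


def evaluate(rules, src, dst, default="deny"):
    """Return the action of the first rule matching the flow, or the implicit default."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action
    return default


def pool_is_filterable(pool, lan_hosts):
    """A router can only single out VPN clients by address if their pool does not
    overlap the addresses ordinary LAN hosts use. Handing VPN clients addresses
    from the same DHCP scope as the workstations makes this filter impossible."""
    return not pool.overlaps(lan_hosts)


if __name__ == "__main__":
    flows = [
        ("10.1.23.200", "10.1.40.10"),   # VPN client trying to cross the router
        ("10.1.23.10", "10.1.40.10"),    # workstation on the same segment
    ]
    for src, dst in flows:
        print(f"{src} -> {dst}: {evaluate(ROUTER_FILTER, src, dst)}")
    print("dedicated pool filterable:", pool_is_filterable(VPN_POOL, LAN_HOSTS))
    print("DHCP-scope pool filterable:", pool_is_filterable(WHOLE_SEGMENT, LAN_HOSTS))
```

The design point the code makes explicit is the second function: a router ACL keyed on source address only works if the RRAS server's clients come from a range that no workstation uses, so decide on the address pool before you write the filter.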
VPN Servers and Internet Connectivity

VPN servers have a unique job. A conventional router keeps up a constant two-way dialogue with its neighbor(s). A VPN server that serves telecommuters, rather than acting as a network-to-network router, simply sits on its Internet connection and waits for clients to come to it. (VPN servers that do nothing more than demand-dial routing with another Windows 2000 VPN server do have two-way conversations.) For this section's purposes, we're considering a VPN server connected to the Internet to provide connectivity to telecommuting users.

Imagine the irony here. You have brand new Windows 2000 servers capable of advanced authentication and encryption protocols, but your ISP is running a version of Unix that can't handle MS-CHAP v2. Whether that matters depends on where the tunnel terminates. If the telecommuter's own client builds the tunnel to your server (the usual arrangement), the ISP only carries already-encrypted packets: its PPP authentication protects nothing more than the dial-up link itself, and your server's MS-CHAP v2 and MPPE or IPSec settings apply end to end. If instead the ISP's equipment terminates the tunnel for you, or you rely on a hardware VPN device at the ISP's site, then the authentication (MS-CHAP v2 or not) and encryption (MPPE, triple-DES) that the ISP supports bound the security of the whole design, and you have a design problem: should you press the ISP to come up to compliance, or change ISPs? What good are high-security servers if the weak link is a low-security ISP?

A second ISP question follows closely behind the authentication issue: Can your ISP host various high-speed telephony connections? For example, is the ISP equipped to support DSL or ISDN connections, or even faster ones such as T1 or T3? If your intent is to provide VPN services to people who have high-speed connections to the Internet, then your connection had better be high-speed as well. It stands to reason that if two users connect to you at 128K DSL but your pipe to the Internet is only 128K, somebody is going to suffer. What matters is not the kind of circuit you have to your ISP but how much bandwidth you can offer the people who connect to you over the VPN.
Understanding and Implementing VPN Security

When setting up VPNs, you have to make three decisions:
Will you use the Point-to-Point Tunneling Protocol (PPTP), or will you use the newer Layer 2 Tunneling Protocol (L2TP)?
What type of authentication will you use to validate that the party trying to connect is indeed who they say they are?
What type of encryption will you use to scramble the data that’s being tunneled?
PPTP vs. L2TP

Both PPTP and L2TP tunnel PPP frames inside IP to get the data from one place to the other. The practical difference lies in whether you're prepared to use certificates to validate the connecting party. In Windows 2000, L2TP is protected by IPSec, and the IPSec peers authenticate each other with computer certificates, so to use L2TP you'll need a certificate authority (CA) server to issue certificates and check their validity. Windows 2000 Server can act as a certificate server (setting that up is beyond the scope of this book).

It's important to note that if a NAT device, such as a Proxy Server, sits between the endpoints, your choice between L2TP with IPSec and PPTP is constrained. IPSec's integrity check covers the protected payload, including the UDP header that carries L2TP, so when a NAT device rewrites addresses or ports the check fails at the far end and the packet is discarded; in addition, the IPSec header carries no port numbers for the NAT device to use when translating several clients at once. (Later IPSec NAT traversal extensions address this, but Windows 2000 shipped without them.) If your design relies on address translation between the VPN endpoints (such as a web server in a translated address range asking for internal database information), you may be in trouble if you choose a VPN using L2TP and IPSec. PPTP does not have this issue, because NAT devices that understand its GRE tunnel (Windows 2000 NAT among them) can translate it, but it also doesn't have the enhanced security that L2TP with IPSec does.
Picking an Authentication Method

Next, you pick the type of authentication you want to use. You might remember that the safest forms of authentication are EAP, MS-CHAP v2, MS-CHAP, and CHAP, in that order. There are also Shiva PAP (SPAP), PAP, and no authentication at all to pick from. If you know that the servers on both sides of the VPN connection are Windows 2000 based, then MS-CHAP v2 is the way to go. Start by selecting the strongest authentication protocol, then go down only if you must, and treat each step down as a conscious decision rather than something the far end negotiated for you. (Note that even though EAP is technically the most secure, it is not yet very common.) Do not, under any circumstances, select “no authentication.” That's just like saying, “Please, Hackerperson, come in here and do some corporate espionage. See what you can steal.”
Picking an Encryption Method

If you're using PPTP, you can use the Microsoft Point-to-Point Encryption (MPPE) protocol. It works with MS-CHAP, MS-CHAP v2, and EAP-TLS, because those are the methods that produce the keying material MPPE needs; with CHAP, SPAP or PAP there is no MPPE key. Use it when you don't have a certificate server to support IPSec. You can use 40-bit or 128-bit encryption in the United States and Canada, and 40-bit elsewhere in the world. Keep two things in mind: the stronger the encryption, the more CPU cycles the server spends on encryption and decryption and the slower the transmission; and because MPPE's keys with MS-CHAP and MS-CHAP v2 are derived from the user's password exchange, a weak or guessable password weakens the encryption along with the authentication.
If you're using L2TP, go ahead and use IPSec. Realize that you'll need at least one certificate server to issue the computer certificates the IPSec peers use to authenticate each other. IPSec can use 40-bit or 56-bit Data Encryption Standard (DES) or triple-DES (3-DES) in the United States and Canada, or 40-bit and 56-bit DES in other countries. Where you are allowed to, prefer triple-DES: single DES's 56-bit key has already been recovered by brute force in public demonstrations.
You can get more information on DES by visiting the cryptographic arm of the National Institute of Standards and Technology (NIST) web site at http:// csrc.nist.gov/cryptval/des.htm.
Understand that L2TP does not provide encryption; that’s what IPSec is for. However, PPTP uses MPPE encryption by default.
The difference between the two encryption methods is that MPPE is keyed from user authentication (making sure that the users are who they say they are), while IPSec authenticates the machine (this computer is guaranteed to be the computer it says it is) and then the PPP layer inside the L2TP tunnel authenticates the user as well. IPSec is more difficult to set up, but more secure.
Keep in mind, as you may see a test question on this subject, that one side of a VPN doesn’t necessarily have to be the same server platform as the other. It’s quite possible that a RADIUS client and server might be in use, in which case the RADIUS client might very well be a Unix server, not Windows 2000. You may connect to a hardware VPN resource at your ISP’s site while you run Windows 2000 for your side of the VPN. These disparate platform VPN setups may require that your method of authentication be severely downgraded from the standard MS-CHAP v2—a subtle yet important point.
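The "pick the strongest method, step down only if you must" rule above, and the downgrade that a non-Windows peer can force, as an added example that is not part of the book: a selection routine that takes the strongest PPP authentication method two endpoints have in common and refuses to go below a configured floor instead of silently accepting whatever the far end offers. The strength ordering is the chapter's ranking; the peer capability sets are constructed for the example and do not describe any particular product.

```python
"""Added example, not from the book: choosing the strongest PPP authentication method
two VPN endpoints have in common, and refusing to fall below a policy floor instead of
silently accepting the downgrade that a non-Windows peer can force. The strength order
is the chapter's ranking; the peer capability sets are constructed for the example and
do not describe any particular product."""

# Strongest first, as the chapter ranks them. "none" is listed only so it can be refused.
STRENGTH_ORDER = ["EAP-TLS", "MS-CHAP v2", "MS-CHAP", "CHAP", "SPAP", "PAP", "none"]
RANK = {name: i for i, name in enumerate(STRENGTH_ORDER)}   # lower rank = stronger

# What our Windows 2000 RRAS server is configured to allow (hypothetical policy).
SERVER_ALLOWED = ["EAP-TLS", "MS-CHAP v2", "MS-CHAP", "CHAP"]

# Constructed peers: a Windows 2000 client without certificates, a legacy Unix RADIUS
# client that knows only CHAP and PAP, and a box offering no authentication at all.
WIN2000_PEER = ["MS-CHAP v2", "MS-CHAP", "CHAP", "PAP"]
LEGACY_UNIX_PEER = ["CHAP", "PAP"]
OPEN_PEER = ["none"]


def negotiate(server_allowed, peer_offered, floor="MS-CHAP v2"):
    """Return the strongest method both sides support, or None if the best common method
    is weaker than the floor. "none" is never returned, whatever the floor says."""
    common = set(server_allowed) & set(peer_offered)
    common.discard("none")
    if not common:
        return None
    best = min(common, key=lambda m: RANK[m])
    if RANK[best] > RANK[floor]:
        return None        # a downgrade below policy: refuse rather than connect weakly
    return best


def downgrade_from(server_allowed, chosen):
    """List the methods the server could have used but the peer forced it below.
    Worth logging, so a partner link that is weaker than your standard is visible."""
    if chosen is None:
        return []
    return [m for m in server_allowed if RANK[m] < RANK[chosen]]


if __name__ == "__main__":
    for label, peer in [("Windows 2000", WIN2000_PEER), ("legacy Unix", LEGACY_UNIX_PEER),
                        ("no-auth box", OPEN_PEER)]:
        chosen = negotiate(SERVER_ALLOWED, peer)
        print(f"{label:12s} -> {chosen}  (skipped: {downgrade_from(SERVER_ALLOWED, chosen)})")
    # Lowering the floor for a partner connection is an explicit decision, not an accident.
    print("legacy Unix with floor CHAP ->",
          negotiate(SERVER_ALLOWED, LEGACY_UNIX_PEER, floor="CHAP"))
```

The floor is the part a real RRAS policy gives you for free when you clear the check boxes for the weak methods; what the example adds is making the refusal and the reason for it explicit, so that "we had to drop to CHAP for this partner" is a recorded decision rather than a surprise in the audit log.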
It’s a good idea to have a chart that outlines which authentication methods can be used by which platforms so that you’re ready for any confusing authentication questions you may see on the test. Table 17.1 can help you remember the characteristics of various authentication protocols.
TABLE 17.1 Authentication Protocols

Protocol | Description | Typical Uses
EAP-MD5 CHAP | Uses the same challenge/response as CHAP but carries it in EAP messages; password based | Testing EAP interoperability; not a smart card method
EAP-TLS | Mutual authentication with certificates and TLS key exchange; very strong | Smart cards and other certificate-based clients
CHAP | Standard MD5 challenge/response protocol; on Windows it requires the account password to be stored with reversible encryption | Supported by many platforms, including Windows NT and 2000
MS-CHAP | First version of Microsoft CHAP; challenge/response based on the hashed password | All Windows NT and 2000 platforms
MS-CHAP v2 | Stronger challenge/response with mutual authentication; supplies MPPE keys | Windows 2000, and Windows NT with SP4
SPAP | Shiva Password Authentication Protocol; reversibly encrypted password | Shiva remote access clients and servers
PAP | Password sent in clear text | Supported by most platforms
No Authentication | No username or password required | Supported by practically all platforms
Assuring VPN Availability

There are several methods you can use to provide enhanced availability to your VPN setups. Let's start with an unusual but clever method.
Round-Robin DNS Entries and VPNs

Many DNS servers let you enter more than one address record for a single host name. When the name is queried, the server returns all of the addresses but rotates their order on each answer, and most clients simply use the first address they are given, so successive clients are steered to successive servers; when the rotation reaches the end of the list it starts over at the first address. This round-robin DNS feature lets you set up more than one VPN server under the same DNS name, each with its own IP address. When a user requests a VPN connection, the first server replies. A second user gets the second server, and usage then moves to the third server (or back to the first if there are only two).

Suppose that one VPN server has more power and can handle more simultaneous users than a second server. In this case, list the stronger server's address two or more times under the same DNS name, followed by the second server's address. Each listed address is handed out in succession, so six users in a row would be directed as in the following list:

User Number | FQDN | IP Address
User 1 | [email protected] | 10.1.23.4
User 2 | [email protected] | 10.1.23.4
User 3 | [email protected] | 10.1.23.4
User 4 | [email protected] | 10.1.23.4
User 5 | [email protected] | 10.1.23.5
User 6 | [email protected] | 10.1.23.5

Using multiple, identical DNS entries for the 10.1.23.4 server sends more lookups there. Keep in mind that caching resolvers between your DNS server and the clients hand out whatever order they cached, so the real-world split is rougher than the table suggests.
It's important to keep in mind that this is not a failover method. DNS has no idea whether a server is up: if the first VPN server in this list (10.1.23.4) crashes, the first four users are still handed its address and won't get connected, while the last two will. You can't use this technique for fault tolerance.
Putting VPN Servers on a Cluster Server

You can put VPN services on a cluster server. If a VPN server dies, a failover happens and users can still get in. Failover is automatic, but the tunnels that were open on the failed node are lost, so connected users have to reconnect, and users who try to connect while the failover is in progress will see a timeout error. This method is fault tolerant, unlike the round-robin DNS method. But, and this is a huge consideration, the CPU, RAM, and disk resources needed to support multiple VPN servers in a failover capacity are immense, much larger than a DNS round-robin setup requires. Engineer your hardware for these servers wisely.
Using RADIUS to Centralize Your Operation

Don't forget that a RADIUS server lets you administer many different VPN servers centrally: the remote access policies live in one place, and the success/failure audits for every server are logged to one location, giving you a single view of how your VPN servers are behaving in terms of telecommuting connectivity. RADIUS is more intellectually difficult to set up in the beginning, but you gain centralized administration. There is no fault tolerance or high-availability feature attached to administering your VPNs from a RADIUS server; if anything, the RADIUS server becomes a dependency of every VPN server that authenticates through it, so plan its availability too.
Optimizing and Tuning VPN Performance

There are several ways to optimize your VPN server setup. Again, the DNS round-robin solution comes to your aid.
Round-Robin DNS Entries and VPNs

This time you have two VPN servers that you'd like to balance. Create a DNS name for each one, and in each name's round-robin list put that server's address first and the opposite VPN server's address second. This kind of DNS entry creates a rough form of load balancing: you alternate between VPN servers, but DNS isn't smart enough to check how busy either server is. It's like having two administrators who work for you: you assign the first task to the first admin, the second to the second, the third back to the first, and so on, regardless of how busy (or not busy) each is. Here is what the round-robin entries might look like for four users, the first two querying one name and the next two the other:

User Number | FQDN | IP Address
User 1 | [email protected] | 10.1.23.4
User 2 | [email protected] | 10.1.23.5
User 3 | [email protected] | 10.1.23.5
User 4 | [email protected] | 10.1.23.4

When the first user requests a connection to a specific VPN name, DNS is queried and the user is pointed to the first server. The second user is pointed to the second server, and so on, in round-robin fashion. Do the reverse for the opposite VPN server's name.
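The round-robin behaviour this section and the availability section above rely on, as an added example that is not part of the book: a small simulation of a DNS server that rotates its answer set, run against the weighted list from the first table (four entries for 10.1.23.4, two for 10.1.23.5), against the same list with one server down (to show that the rotation is load distribution, not failover), and against the two-name arrangement from the second table. The names under example.test are constructed; the addresses are the book's.

```python
"""Added example, not from the book: a simulation of the DNS round-robin behaviour the
chapter relies on. It shows how duplicate A records weight one VPN server more heavily,
that the rotation ignores whether a server is up (distribution, not failover), and the
two-name trick of listing each server first under its own name. Names under
example.test are constructed; the addresses are the book's 10.1.23.4 and 10.1.23.5."""
from collections import Counter, deque

# Zone data in zone-file order, as the book's tables lay it out.
WEIGHTED_ZONE = {
    "vpn.example.test": ["10.1.23.4"] * 4 + ["10.1.23.5"] * 2,
}
TWO_NAME_ZONE = {
    "vpn1.example.test": ["10.1.23.4", "10.1.23.5"],
    "vpn2.example.test": ["10.1.23.5", "10.1.23.4"],
}


class RoundRobinDNS:
    """A server that returns the whole record set and rotates it by one after each answer."""

    def __init__(self, zone):
        self.records = {name: deque(addrs) for name, addrs in zone.items()}

    def resolve(self, name):
        rrset = self.records[name]
        answer = list(rrset)
        rrset.rotate(-1)          # move the first record to the end for the next query
        return answer


def connect_attempts(dns, name, count, live_servers=None):
    """Simulate `count` clients that each take the first address in the answer.
    Returns (address, succeeded) per client; live_servers=None means every server is up."""
    results = []
    for _ in range(count):
        addr = dns.resolve(name)[0]
        up = live_servers is None or addr in live_servers
        results.append((addr, up))
    return results


def distribution(results):
    """How many clients each address received."""
    return Counter(addr for addr, _ in results)


def failed_connections(results):
    """Clients that were handed the address of a dead server: DNS never noticed."""
    return sum(1 for _, up in results if not up)


if __name__ == "__main__":
    dns = RoundRobinDNS(WEIGHTED_ZONE)
    print("weighted:", dict(distribution(connect_attempts(dns, "vpn.example.test", 6))))
    dns = RoundRobinDNS(WEIGHTED_ZONE)
    res = connect_attempts(dns, "vpn.example.test", 6, live_servers={"10.1.23.5"})
    print("10.1.23.4 down: %d of 6 attempts fail" % failed_connections(res))
    dns = RoundRobinDNS(TWO_NAME_ZONE)
    for name in ("vpn1.example.test", "vpn1.example.test",
                 "vpn2.example.test", "vpn2.example.test"):
        print(name, "->", dns.resolve(name)[0])
```

Two things the simulation leaves out are exactly the things that make real round-robin rougher than the tables: caching resolvers between your server and the clients replay whatever order they cached, and some clients sort or shuffle the answer rather than taking the first record.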
Hardware Issues

As you might suspect, VPNs are hardware-intensive and there are many ways that you can beef up your VPN servers' performance:
Always dedicate a server to each VPN installation that you decide to have. Do not put Exchange Server, SQL Server, or any other applications on this computer. This computer should be dedicated to being a VPN server.
Make sure the VPN server has enough hardware. If needed, add RAM, upgrade or add a second CPU, and make the disk subsystem SCSI and Ultra as well, if possible. If your network infrastructure supports it, make sure the NIC in the computer is running at 100Base-T full duplex.
Speaking of networks, what do you suppose is the single biggest potential bottleneck in a VPN scenario? A safe guess would be the WAN circuit connecting your VPN server with your ISP or with the other network's VPN server. The network card runs at 100Base-T, the CPU is fast, the hard drive is fast, and then you pump data out onto a 56K WAN circuit. You can significantly improve network-to-network performance simply by boosting the throughput (and committed information rate, or CIR) of your WAN circuits. Remember that anything above the CIR you negotiated is discard-eligible: if a more important paying customer needs the bandwidth and he's not over his CIR, your packets get discarded and his go through. So a 512K pipe with only a 128K CIR isn't a very good thing, even though you might think you're getting a great deal in terms of monthly costs.

Telcos that provision WAN circuits have a tendency to overprovision, meaning that they take on more clients than the bandwidth of their infrastructure can support. They're playing a numbers game, assuming that not all circuits will be fully loaded at all times. If they are, the telco applies the discard-eligible rule and jettisons the packets that are above a company's CIR. This doesn't mean that your data never gets through, but the discard is silent: the sending side only finds out when its transport protocol (TCP, for example) notices missing acknowledgments and retransmits the data, which slows down the transmission.
VPNs in a Windows 2000 Environment

VPNs interoperate with the Windows 2000 network in much the same way as a regular RRAS dial-up connection:

DHCP The VPN server obtains a block of 10 addresses for VPN clients and one for itself from the DHCP server. As more users come online, the VPN server requests another block of 10. Just as with RRAS, if a DHCP relay agent is not installed on the VPN server, clients receive whatever WINS and DNS settings the VPN server itself uses.

WINS Clients that connect over a VPN circuit to a Windows 2000 network and receive IP configuration information automatically register themselves with WINS.

DNS DNS is not updated simply because a VPN client comes online. However, the integration of DHCP with DNS allows for automatic updating of the DNS database.

Active Directory Integration Remote access permission is tied to Active Directory accounts. In a native-mode domain you can set each account's dial-in property to Control access through Remote Access Policy, so that the remote access policies, rather than a per-user allow or deny, decide who gets in; AD replicates those account settings throughout the forest. The policies themselves are stored on each RRAS server, or on an IAS (RADIUS) server when you want them administered centrally for all of your VPN servers. The domain must be in native mode for the policy-controlled setting to be available.
Summary
If you think of VPNs as a subset of RRAS, you'll be on the right track. The idea is that you set up a dedicated server running RRAS and configured for a VPN. This server talks to another server, which is either at an ISP or at another network that you'd like to connect to. A user can either telecommute in by dialing in to an ISP and then tunneling through the Internet to connect to your network, or your network can connect to another network by using VPN servers. What do you get with a VPN? You get the ability to use someone else's large bandwidth infrastructure (namely your ISP's) and securely connect to a private Windows 2000 network. Disparate VPN servers can connect with one another as long as a mutually agreed authentication method is used.

You need to be concerned with three things when setting up a VPN. The first is your VPN protocol choice, either PPTP or L2TP. Using L2TP with IPSec is more modern and provides greater security, but it also requires a certificate server for the computer certificates IPSec uses. Next, you pick an authentication method. Typically, Windows 2000 Server-to-Windows 2000 Server VPNs use MS-CHAP v2 for the most security. But the opposite-side VPN server might not be a Windows 2000 Server, and you're left with MS-CHAP, CHAP, PAP, SPAP, EAP-TLS, or no authentication at all. Finally, you pick an encryption method: MPPE for PPTP or IPSec for L2TP. MPPE provides 40-bit or 128-bit encryption; L2TP with IPSec provides 40-bit DES, 56-bit DES, or triple-DES. Remember that the 40-bit and 56-bit versions are used internationally, while the higher security methods are used in the United States and Canada.

VPNs, like RRAS servers, benefit from dedicated servers and high-end gear such as advanced CPUs, lots of RAM, fast disk, and hardware RAID. You'll also be interested in your network infrastructure's speed and your WAN connections to provide optimum performance. You can put VPNs on a cluster server. An interesting twist with VPN technology is to use DNS's round-robin characteristics to load-balance the way that users connect to the VPN servers.
Exam Essentials

Know which connection protocols you can use with VPNs. Microsoft supports both the PPTP and L2TP tunneling protocols.

Understand how to secure information across a VPN. If you are using PPTP, the MPPE protocol is built in for data encryption. If you are using L2TP, you must also use IPSec if you want to encrypt data.

Know when to use PPTP versus L2TP. There are some critical differences between the protocols. PPTP has a built-in encryption protocol and is best supported on Microsoft platforms (it originated with Microsoft, though it is published as RFC 2637). PPTP also works through a NAT server. L2TP is an industry standard, but it requires IPSec for encryption, and L2TP with IPSec does not work through a NAT server without NAT traversal extensions that Windows 2000 did not ship with.
Key Terms
We've covered most of the terms used in this chapter elsewhere; here are the exceptions. Be certain you're familiar with these terms for the exam:

Data Encryption Standard (DES)
overprovisioning
National Institute of Standards and Technology (NIST)
round-robin DNS
Review Questions

1. You are the connectivity manager for your company. Recently, you have deployed two VPN servers. You want to load-balance the VPN servers so that neither one is more loaded than the other. What technique should you use?
A. Round-robin DNS, alternating IP entries, same FQDN
B. Round-robin DNS, alternating IP entries, different FQDN
C. Round-robin DNS, same IP entries, different FQDN
D. Round-robin DNS, same IP entries, same FQDN

2. You are the network administrator for an international marketing firm. You have deployed nearly a dozen RRAS servers and three VPN servers for partner access to your network. You have also decided to use Microsoft's IAS RADIUS service. What feature would a RADIUS server provide to your VPN installation?
A. Centralized management of IP addresses for all VPN servers and clients
B. Centralized management of all VPN servers
C. Centralized management of remote access policies
D. Centralized management of authentication and encryption protocols

3. You are the remote connectivity administrator for your network. Because of your customer base, you have a variety of clients dialing in to your network. At your corporate office you are using a Windows 2000 VPN server, but your clients have to connect to a Unix-based VPN server through a certain ISP. What will you have to set up in order to authenticate users through this non-Windows 2000 medium?
A. VPN router
B. RADIUS server
C. Firewall
D. Shiva server
4. You are the connectivity consultant for a regional telephone company. Your internal network has a screened subnet for securing the web server and a DNS server. You want to put your VPN server outside the firewall on the corporate DMZ. What is the safest method of connecting to the internal corporate network from this VPN?
A. Use Secure Sockets Layer (SSL) web pages.
B. Use a NIC on each side of the network dedicated strictly to the two servers.
C. Set up a second VPN server inside the network.
D. There is no safe method to accomplish this task.

5. You are the network administrator for your company. You have decided to set up a VPN server so users can securely connect to the local network when working abroad or from home. You want to make the network accessible to the users when they make a normal dial-up Internet connection through their ISP. What components do you need to set up an L2TP- and IPSec-based VPN? Choose all necessary elements.
A. VPN server on your network side
B. NAT server
C. VPN connection on the ISP side
D. CA server
E. Installation of RRAS on the VPN servers

6. You are the connection consultant for a local manufacturing business. They are interested in setting up a VPN so that their suppliers can obtain secure network access. You are trying to convince them to use L2TP and IPSec. Why is an L2TP-, IPSec-based VPN a better choice than a PPTP-, MPPE-based VPN? Choose the best answer.
A. PPTP- and MPPE-based VPNs are user-oriented.
B. Encryption strength is much stronger.
C. L2TP- and IPSec-based VPNs are machine-oriented.
D. Technology works better with Windows 2000.
7. You are the security and connectivity analyst for your company. To secure resources for those who dial in, you have decided to implement a remote access policy. What three things can you control through the editing of a remote access policy?
A. IP packet filtering
B. Levels of encryption
C. Which users can and cannot use the service
D. Authentication settings

8. You are the network manager for a large banking services provider. One of your job responsibilities is to present new technologies to the board of directors. Your manager hopes that their increased awareness of technical products will make the approval process for future projects easier. Tomorrow you are going to give a presentation on the benefits of VPNs. Select the best two reasons for your company to use a VPN setup.
A. VPNs are good for securely connecting two switch closets together.
B. VPNs are good for securely connecting two networks together, such as partner companies.
C. VPNs allow users to securely connect to the private network over the Internet.
D. VPNs are good for securely connecting two ISPs together.

9. You are the security analyst for your company. Recently, the connectivity expert set up a VPN server on your company's DMZ. It is now your job to make sure that all required security is in place. What is the best way to keep users who access your VPN server from getting inside your corporate network?
A. Place all resources needed on the VPN server.
B. Set up a Proxy Server between the corporate network and the VPN server.
C. Set up a firewall between the VPN server and the corporate network.
D. Set up a VPN server inside the corporate network that talks to the outside VPN server.
10. You are setting up a VPN for your company. Since you want users to be able to access the network by dialing in to their ISP, you will be setting up your VPN through your company's ISP. What is the biggest potential bottleneck in a VPN scenario where your network is connecting to an ISP VPN?
A. Insufficient ISP backbone
B. Inadequate computing power on either side
C. Inadequate connection speed with the ISP
D. Disparate VPN operating systems
Answers to Review Questions

1. A. When you're attempting to load-balance two VPN servers, you set up a round-robin DNS entry that has different IP entries under the same FQDN. The first client looks up [email protected] and gets the first IP address. The second client looks up [email protected] too, but this time round-robin DNS kicks in, the second IP address is returned first, and the client is pointed to the other VPN server.

2. C. Implementing a RADIUS server to augment your VPN deployment allows you to centrally manage all remote access policies, which include the authentication and encryption methods required of all VPN servers in the network.

3. B. Remember from Chapter 15, “Designing a Remote Access Solution,” that you use RADIUS to authenticate your users when they connect through a foreign system.

4. C. The safest method is to set up a second VPN server inside the corporate network and have the two talk to each other. You get the benefit of authentication and encryption of the data between the two servers in such a scenario.

5. A, C, D. Installing RRAS on the VPN servers isn't necessary because it's already installed on Windows 2000 servers. You probably don't care how your ISP gets a VPN going for you, as long as you understand which authentication and encryption protocols it can support. You do need a VPN server on your side, a VPN connection on the ISP side, and a certification authority (CA) server. You need the CA server because the IPSec protection that Windows 2000 applies to L2TP authenticates the endpoints with computer certificates. NAT isn't a required component, and L2TP/IPSec traffic wouldn't pass through a NAT device in any case.

6. C. An L2TP- and IPSec-based installation authenticates the connecting machine at the IPSec layer, with its certificate, before the user is authenticated inside the tunnel. Because the machine is validated as well as the user, you're much more assured that the connecting entity is who it claims to be.
7. A, B, D. You actually control user access through each user's or group's permissions. IP packet filtering, encryption levels, and authentication are all set through remote access policies.

8. B, C. Answer A, while possible, is impractical, as is answer D. Answers B and C cover the two real uses: connecting networks that are not directly part of your own, such as a business partner's, and giving individual users secure access over the Internet.

9. A. The best way to keep prying eyes out of corporate networks is to not give them a chance to gain access in the first place. You do this by placing the resources needed by people accessing the VPN server right on the VPN server and not allowing users inside the corporate network.

10. C. The connection to the ISP is the most likely bottleneck in the system. Make sure you have a high-speed ISP connection if you anticipate a lot of traffic.
CASE STUDY: The Admins' Software VPN
You should give yourself 10 minutes to review this case study, diagram as needed, and complete the questions for this testlet.
Current System Overview

You're the lead NT admin for a large corporation of about 2,500 users. You have five junior admins who report to you and help you manage the enterprise. You're pretty new to the job and just beginning to see places where you can make significant changes. All of your admins work a rotating call-out schedule, and the company provides a cell phone and laptop that the person on call can take home in order to be able to dial in to the RAS system when it's necessary to work on the systems from home. One of the things that you've noticed is that the RAS connections are slow and unreliable. The current RAS system is made up of a dozen 56K modems that are hooked up with one hunt number. Called-out admins are expected to be able to RAS in, connect to the servers with their Windows NT Workstation laptop, and do their administrative thing. Connecting is hit or miss, depending on the number of regular users who happen to be trying to connect at the same time. There is no dedicated circuit for the admins to call in to. There is no toll-free number either, making it difficult to RAS in when an admin is out of town and needs to connect to the e-mail system. The company does possess a double T1 connection to their ISP, which uses Unix servers and PAP authentication. (Recall that this type of authentication is clear text and only slightly better than no authentication at all.) Encryption is not in use with this connection.

Admin Team: “You know, if management expects us to stay in contact 24×7, the least they could do is supply the necessary means to do so!”

Admins Manager: “We do provide the necessary means. We provide you with a cell phone and a laptop that you can dial in with. We even pay for your second line!”
Problem Statement

The thing that has the admins most upset is that each of them has either a DSL or a cable modem connection to their favorite ISP. Admins 2 through 5 have DSL connections; you (Admin 1) and Admin 6 have cable modems. So the bandwidth at the client side is there, but the company doesn't seem to be willing to talk about providing anything other than the standard RAS system for the admins. You'd like to persuade them that you could easily and efficiently set up a VPN so that your admins coming in from home could access and administer the network at much higher speeds.
Envisioned System

You check with each of your admins’ ISPs and find that each one can support a VPN connection. None of the six ISPs charge for the additional VPN connection. You envision setting up a Windows 2000 server that supplies the corporate side of the VPN connection and then checking with each admin’s ISP to make sure they’re aware that you’re going to use VPN connectivity through them. (Not that this step matters, but it sure doesn’t hurt to check.) You envision each admin simply connecting to his or her ISP using their respective connections and then tunneling into your Windows 2000 VPN server at the edge of the corporate network. This way, you don’t really care about what kind of authentication the ISP requires since you know you’ve established a secure tunnel to the corporate server.
Security

CHAP authentication isn’t as desirable as the MS-CHAP v2 you can get with native Windows 2000. But since the user is authenticated with his or her ISP’s username and password, and after that, the tunnel is set up and the tunneling authentication is encrypted, you’re fairly sure that things are secure enough. You like the idea that there is only one server at the corporate network side that will be involved with this process. Admin 6’s ISP can support Windows 2000 authentication; the rest can only support CHAP or less.
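To make the difference between the authentication methods concrete, here is an added Python illustration (not code from the study guide) of what PAP and CHAP actually put on the wire. The peer name, the shared secret and the authenticator’s secret store are constructed for the example. PAP sends the password as-is; CHAP (RFC 1994) sends only an MD5 digest over a one-time challenge, so a captured response cannot be replayed, but the authenticator has to keep the secret in recoverable form to recompute the digest. That, and the fact that MS-CHAP v2 also authenticates the server to the client, is why MS-CHAP v2 is the better choice wherever the ISP supports it.

```python
import hashlib
import hmac
import os
from typing import Dict

# Constructed credentials for the illustration; nothing here comes from the study guide.
SHARED_SECRET = b"example-password"


def pap_authenticate_request(peer_id: str, password: str) -> bytes:
    """PAP (RFC 1334) Authenticate-Request payload: the peer ID and the password
    travel as-is, so anyone who can capture the link reads the password."""
    return peer_id.encode() + b":" + password.encode()


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge).
    The secret itself never goes on the wire; only this 16-byte digest does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of CHAP. Design consequence: to recompute the digest the
    authenticator must keep each peer's secret in recoverable form."""

    def __init__(self, secrets_db: Dict[str, bytes]) -> None:
        self._secrets = secrets_db
        self._pending: Dict[int, bytes] = {}   # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        chal = os.urandom(16)                  # fresh, unpredictable per attempt
        self._pending[identifier] = chal
        return chal

    def verify(self, identifier: int, peer_name: str, response: bytes) -> bool:
        chal = self._pending.pop(identifier, None)   # a challenge is usable exactly once
        secret = self._secrets.get(peer_name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


def demo() -> Dict[str, bool]:
    """Run one PAP request and two CHAP exchanges (one genuine, one replayed) and
    report what an observer on the link learns from each."""
    auth = ChapAuthenticator({"admin1": SHARED_SECRET})

    # Genuine exchange: authenticator challenges, peer answers with the keyed digest.
    chal1 = auth.challenge(1)
    resp1 = chap_response(1, SHARED_SECRET, chal1)
    genuine_ok = auth.verify(1, "admin1", resp1)

    # Replay: an eavesdropper re-sends resp1 against the next challenge.
    auth.challenge(2)
    replay_ok = auth.verify(2, "admin1", resp1)

    pap_wire = pap_authenticate_request("admin1", SHARED_SECRET.decode())
    return {
        "pap_exposes_password": SHARED_SECRET in pap_wire,
        "chap_exposes_password": SHARED_SECRET in resp1,
        "chap_genuine_accepted": genuine_ok,
        "chap_replay_accepted": replay_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The `verify` method discards the challenge on first use and uses a constant-time comparison; both are the details a reviewer would look for in any challenge/response implementation.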
Availability Overview

The predominant availability need you have is a unique one— the systems always need to be available after hours, on weekends, and during holidays, when you’re most likely to need to use them.

ISPs: “We can guarantee 24×7×365 connectivity.”
The idea of only one server being involved at your work location is highly appealing to you: one server, one place that things can go wrong. Your admins aren’t so sure, saying, “Maybe we need a second server as a fallback.”
Performance

The performance issue is what you’re hoping to solve. You’re worried that the authentication overhead, coupled with busy Internet backbones (due to the time of night that you’ll generally be accessing the corporate network through the VPN), might reduce the overall throughput.
Questions

1. For each participant shown, make connections for the encryption and authentication methods used to get an ISP, and from there into the corporate server.

[Diagram: Admin 1 (you) and ISP 1 on one side, Admin 6 and ISP 6 on the other, with the Corporate VPN server between them. Authentication or encryption methods to choose from: CHAP, IPSec, L2TP, MPPE, MS CHAP v2, PAP, PPTP, Shiva.]
2. How many VPN servers are involved?
A. 1
B. 3
C. 5
D. 7
E. 9

3. What will the admins not be able to do, from an administrative perspective, that they might be able to do while at work?
A. Administer corporate applications
B. Telnet into infrastructure gear
C. Modify server properties
D. Install software
E. Nothing

4. How do you assess the security risk of five of the admins having to connect by CHAP?
A. Scary
B. Moderate
C. Mild
D. No risk

5. What is the biggest SPOF in this design?
A. Single corporate ISP
B. Single corporate VPN server
C. Admin ISP connections
D. Admin authentication failure

6. What method(s) can you use to improve the SPOF? Choose all that apply.
A. Round-robin DNS entries and a second VPN server.
B. Put VPN on a cluster server.
C. Provide two T1 cards in VPN server.
D. Backup RAS access in case the VPN fails.
Answers

1. [Answer diagram, reconstructed from its labels: Admin 1 (you) authenticates to ISP 1 with CHAP; Admin 6 authenticates to ISP 6 with MS CHAP v2; from each ISP an L2TP tunnel protected by IPSec runs to the Corporate VPN server, where both admins authenticate with MS CHAP v2.]
CHAP is an ISP limitation, and you can’t apply any encryption to it. Moreover, you depend on the various ISPs’ capability to authenticate each admin who is trying to connect. But since you’re only using CHAP to connect to the ISP and then setting up a secure L2TP/IPSec tunnel with the corporate VPN server, you don’t really need to care too much about how secure the admins’ connections are with the ISPs.

2. A. Only one VPN server is needed. The admin connects to the VPN and then tunnels through to the corporate server.
3. E. Provided that some care is taken before the admins leave work for the day, there is nothing they cannot do from home. The admins are the same as an Ethernet client connected to the network at the point where they use a VPN to connect. In order to install software, some preparation has to be made—mounting the application CDs in a CD-ROM player before going home, for instance. But apart from that, there’s nothing an admin can’t do. To reboot an NT server from home, the NT Resource Kit utility Shutgui.exe is excellent for timing reboots of servers and very useful for remote admin work. Those of you with SMS servers can use Remote Tools to send a reboot to a computer.

4. C. There is mild risk associated with something like CHAP. The authentication is encrypted, so you don’t have to worry about usernames or passwords being hacked into.

5. B. You only have one VPN server at the corporate side, and it’s one that you’ve had to haphazardly piece together at that. If the server goes down, everyone is down.

6. A, B, D. You could set up a second VPN server and then round-robin the DNS entries. You could put the VPN server on a cluster server, or your admins could always fall back on conventional RAS access in the event of a VPN server breakdown. Putting two T1 cards in the VPN server provides T1 redundancy and nothing more.
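Answer 6A leans on round-robin DNS, so as an added example (not from the study guide) here is a small Python simulation of what that actually buys you. The DNS name, the two server addresses and the two client strategies are constructed for the illustration. Round-robin DNS rotates the answer but knows nothing about which server is up; the failover comes from the client trying the next address in the answer when the first one does not respond.

```python
from typing import Callable, List, Optional, Set

# Constructed addresses for two corporate VPN servers behind one DNS name
# (not from the study guide).
VPN_NAME = "vpn.example.com"
VPN_RECORDS = ["203.0.113.10", "203.0.113.11"]


def round_robin_answer(records: List[str], query_number: int) -> List[str]:
    """Model what a round-robin DNS server returns: every A record for the name,
    rotated by one position per query, so successive clients start on different servers."""
    k = query_number % len(records)
    return records[k:] + records[:k]


def naive_connect(answer: List[str], reachable: Callable[[str], bool]) -> Optional[str]:
    """A client that only ever tries the first address it was handed."""
    return answer[0] if reachable(answer[0]) else None


def connect_with_fallback(answer: List[str], reachable: Callable[[str], bool]) -> Optional[str]:
    """A client that walks the whole answer and uses the first server that responds."""
    for ip in answer:
        if reachable(ip):
            return ip
    return None


def simulate(clients: int, down: Set[str],
             connect: Callable[[List[str], Callable[[str], bool]], Optional[str]]) -> int:
    """Count how many of `clients` successive connection attempts succeed when the
    servers in `down` are unreachable, using the given client strategy."""
    def reachable(ip: str) -> bool:
        return ip not in down

    successes = 0
    for n in range(clients):
        if connect(round_robin_answer(VPN_RECORDS, n), reachable) is not None:
            successes += 1
    return successes


if __name__ == "__main__":
    one_down = {VPN_RECORDS[1]}
    print("naive, one server down:   ", simulate(10, one_down, naive_connect), "of 10")
    print("fallback, one server down:", simulate(10, one_down, connect_with_fallback), "of 10")
```

With one of the two servers down, the naive client fails on every other attempt, which is the case for pairing round-robin DNS with a cluster (option B) or a RAS fallback (option D) rather than relying on DNS alone.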
Glossary
Numbers

2-tier client/server A system with a fat client (one that runs a lot of the application code) coupled to a server. A good example is the Exchange Server system talking to an Outlook client.

3270 A class of terminals that were used to communicate with IBM mainframes. When we speak today of 3270, it’s usually within the context of software that emulates the old 3270 terminals, thus the phrase “3270 terminal emulation.” You would use 3270 terminal emulation software on your PC in order to communicate with a mainframe—perhaps to open a TSO/ISPF or CICS session. There is also a special version of FTP, called TN3270, written to emulate 3270. Today, many mainframes are equipped to use TN3270.

3-tier client/server A system that consists of three different computers running three separate processes. The computers can be of different platforms. The first is the client computer, which is used to communicate with the application. The second computer, the middle tier, is the component that does the processing. The third computer, the database tier, is the place where the databases are housed. In a 3-tier client/server system, we always speak in the context of retrieving data from or putting data back into databases. A classic example of 3-tier is a browser that is used to connect to a web server in order to make an online purchase. The item being purchased is debited from the inventory database, and the information about the person ordering the item is recorded in yet another database.

A

AAAA A DNS record specifically designed for IP version 6 (IPv6) hosts.

access control entry (ACE) A record used by the operating system to determine resource access. Each access control list (ACL) has one or more ACEs that list the permissions that have been granted or denied to the users and groups listed in the ACL.

access control list (ACL) A database used by the operating system to determine resource access. Each object (such as a folder, network share, or printer) in Windows 2000 has an ACL. The ACL lists the security identifiers (SIDs) contained by objects. Only those identified in the list as having the appropriate permission can activate the services of that object.

access protocols Elements of network communication that provide communications rules between two computers. Typically referred to specifically when using remote access.

access token An object containing the security identifier (SID) of a running process. A process that is started by another process inherits the starting process’s access token. The access token is checked against each object’s access control list (ACL) to determine whether or not appropriate permissions should be granted to perform any requested service. Users are granted an access token when their username and password are validated.

ACE See access control entry.

ACL See access control list.
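The three entries above (ACE, ACL, access token) describe one evaluation rule, and it is easier to see in code. This is an added Python model, not code from the study guide or from Windows; the SIDs, the share ACL and the permission bits are constructed for the example. It walks the ACL in order, skips ACEs whose SID is not in the token, lets an explicit deny win as long as deny ACEs are listed first, and treats rights no ACE mentions as denied.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Permission bits for this toy object. Real Windows access masks are 32-bit, but the
# evaluation rule below is the same.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
FULL = READ | WRITE | EXECUTE


@dataclass(frozen=True)
class ACE:
    sid: str        # security identifier the entry applies to (user or group)
    allow: bool     # True = access-allowed ACE, False = access-denied ACE
    mask: int       # permissions this entry grants or denies


@dataclass(frozen=True)
class AccessToken:
    sids: FrozenSet[str]   # the user's SID plus the SIDs of every group it belongs to


def access_check(acl: List[ACE], token: AccessToken, desired: int) -> bool:
    """Walk the ACEs in order and stop at the first decisive one. A deny ACE that
    overlaps any still-undecided requested right fails the check; allow ACEs
    accumulate until every requested right has been granted."""
    remaining = desired
    for ace in acl:
        if ace.sid not in token.sids:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0   # rights no ACE covered are implicitly denied


# Constructed SIDs and a constructed ACL for a file share (not from the study guide).
SID_ADMINS = "S-1-5-32-544"
SID_DOMAIN_USERS = "S-1-5-21-EXAMPLE-513"
SID_CONTRACTORS = "S-1-5-21-EXAMPLE-1101"

SHARE_ACL = [
    ACE(SID_CONTRACTORS, allow=False, mask=WRITE),     # explicit denies come first
    ACE(SID_ADMINS, allow=True, mask=FULL),
    ACE(SID_DOMAIN_USERS, allow=True, mask=READ | WRITE),
]

# The same entries with an allow ahead of the deny: ordering changes the outcome.
MISORDERED_ACL = [SHARE_ACL[2], SHARE_ACL[0], SHARE_ACL[1]]


def can(acl: List[ACE], sids: Iterable[str], desired: int) -> bool:
    """Convenience wrapper: build a token from the SIDs and run the check."""
    return access_check(acl, AccessToken(frozenset(sids)), desired)


if __name__ == "__main__":
    contractor = {SID_DOMAIN_USERS, SID_CONTRACTORS}
    print("contractor read :", can(SHARE_ACL, contractor, READ))
    print("contractor write:", can(SHARE_ACL, contractor, WRITE))
    print("misordered write:", can(MISORDERED_ACL, contractor, WRITE))
```

The `MISORDERED_ACL` case is the practical check: a contractor who is also a domain user gets write access as soon as the domain-users allow ACE precedes the contractors deny ACE, which is why tools that edit ACLs keep denies ahead of allows.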
active/active cluster A cluster in which all cluster partners are actively involved with client traffic. Failovers in an active/active cluster are much quicker than in active/passive clusters. In active/active clusters, each active node in the cluster is busy doing something (such as file and print services)—one node isn’t simply waiting for the other to failover.

Active Directory (AD) A directory service available with the Windows 2000 Server platform. Active Directory stores information in a central database and allows users to have a single user account (called a domain user account or Active Directory user account) for the network.

active/passive cluster A cluster in which only one partner is actively involved with client traffic. Failovers in an active/passive cluster occur much more slowly than in active/active clusters.

AD See Active Directory.

aggregate bandwidth The sum total of the bandwidth that users accumulate when they dial into an RRAS system. Suppose, for example, that you have 12 56K modems hooked up to your RRAS server. If five users dial in simultaneously and manage to connect at the full 56K, they’re taking up 280K of bandwidth on the network.

APIPA See Automatic Private IP Addressing.

AppleShare A communication protocol for Apple computers that allows Apple clients to communicate with servers, including Windows 2000 servers, on a network.

AppleTalk The networking protocol built into every Macintosh computer.
AppleTalk Control Protocol (ATCP) Used over PPP connections to move AppleTalk packets.

AppleTalk zone A grouping of Macintosh computers, similar to a Windows workgroup. You can seed a zone with the number of network numbers you want in the range times the maximum number of nodes (253) per network address. (If you had fewer than 253 Macintoshes, you could seed the zone with one network number times the 253 maximum nodes.) Windows 2000 servers equipped with AppleTalk have the ability to seed a Macintosh zone.

Asynchronous Transfer Mode (ATM) WAN and backbone networking topology that allows for simultaneous voice, video, and data connections. ATM packets are called cells, and each cell is exactly 53 bytes long.

ATCP See AppleTalk Control Protocol.

ATM See Asynchronous Transfer Mode.

ATMA A DNS record new to Windows 2000, one that specifies an Asynchronous Transfer Mode device.

authentication The process required to log on to a computer locally or remotely. Authentication requires a valid username and a password that exists in the local accounts database. An access token will be created if the information presented matches the account in the database.

automatic allocation The process of automatically providing TCP/IP configuration information: the IP address, default gateway, primary and secondary WINS servers, DNS servers, domain name, and so forth.
Automatic Private IP Addressing (APIPA) A method for clients to automatically obtain IP configuration information without requiring manual entries or using a DHCP server. APIPA uses a reserved range of IP addresses and is used by both the Windows 2000 and Windows 98 operating systems.

auto-static updates When a RIP for IP or RIP for IPX router is configured with auto-static updates, the router sends a request to its neighbors and inherits their routes. The beautiful part of auto-static routing is that the routes are saved in the routing table instead of being entered only for the session; thus, they are present even upon restart of the router. Manually entered routes are flushed at restart.
B

backbone A high-bandwidth connection used to connect network segments together.

backout plan The proposed sequence of steps to undo a change. A backout plan is required in case the project does not go as planned.

BACP See Bandwidth Allocation Control Protocol.

Bandwidth Allocation Control Protocol (BACP) The protocol used by Windows 2000 RRAS to control and manage bandwidth for multilink connections.

Bandwidth Allocation Protocol (BAP) The protocol used by Windows 2000 RRAS to control and manage bandwidth for multilink connections.

BAP See Bandwidth Allocation Protocol.

Basic Rate Interface (BRI) An Integrated Services Digital Network (ISDN) phone configuration in which two Bearer (B) channels can carry up to 64K of voice or data each and one Data (D) channel carries synchronization and call-control information.

Berkeley Internet Name Domain (or Daemon) (BIND) The original DNS implementation used to resolve host names to IP addresses, thus replacing the need for static hosts tables.

BGP See Border Gateway Protocol.

BIND See Berkeley Internet Name Domain.

BootP See Bootstrap Protocol.

Bootstrap Protocol (BootP) A TCP/IP protocol that allows a computer to boot up and find a server that can equip it with its IP configuration.

Border Gateway Protocol (BGP) An Internet routing protocol that allows groups of routers in autonomous systems to share routing information.

bottleneck A system resource that is inefficient compared with the rest of the computer system as a whole. The bottleneck can cause the rest of the system to run slowly.

BRI See Basic Rate Interface.
burst-mode name recognition A mode that a WINS server can be configured with, so that when hit with large numbers of simultaneous client registrations, the server provides clients with a short time to live (TTL), forcing clients to re-register when the server isn’t as busy. When there are more than 500 client registration attempts at any one time, WINS kicks into burst mode and sets client TTLs to 5 minutes. For every 100 client registration attempts above 500,
the TTL has another 5 minutes added to it; if 600 clients try to register simultaneously (if a new call center was powered up all at once, for instance), TTLs would be set for 10 minutes. This is new to Windows 2000 WINS.

bus topology A networking model in which all computers are connected in a serial fashion. The main cable, often called the backbone, runs along the length of the network. All computers are connected to the backbone by a drop cable. Both ends of the backbone must be terminated, and one end must be grounded.
C

CA See Certification Authority.

CA hierarchy The certification authority structure where there is a parent (or root) CA and subordinate CAs. The root CA is taken offline for security purposes, and the subordinate CAs issue certificates.

canonical name The name of a network object in the form defined by the rules of the directory. In Active Directory, the canonical name is in the form domain/container/sub-container/object common name. So, the canonical name of the user bsmith in the OU called sales in the domain called BigCompany.com is BigCompany.com/sales/bsmith.

carrier A telephone company that delivers signals for your WAN or phone connections. Also, a baseline signal on a network or phone cable.

centralized A style of group that reports to a central administrative authority. Centralization does not necessarily imply that direct reports to a leader are close geographically.

Certificate Services The service provided by Windows 2000 Server that issues unique digital codes (called certificates) to individual users or computers to verify their identity.

Certification authority (CA) The host responsible for providing certificates to other computers or users.

Challenge Handshake Authentication Protocol (CHAP) The industry-standard remote access authentication protocol supported by Windows 2000. CHAP is less secure than MS-CHAP or EAP.

change management The process of describing a change to a system, explaining what the change affects, how the system will be affected, how long the change will take, what the ramifications are of going through the change, what the ramifications are of not going through the change, and the backout procedure.

CHAP See Challenge Handshake Authentication Protocol.

Chooser The Macintosh service where users select and connect to networks and devices, such as drives, shares, and printers.

CIDR See Classless Inter-Domain Routing.

CIFS See Common Internet File System.

class-based networks A specification that defines the length of the network address and length of node (or host) address as part of the overall IP address. As an example, a Class A address uses 8 bits for the network portion of the address and 24 bits for the node portion of the address.
Classless Inter-Domain Routing (CIDR) A new method of IP addressing that replaces the old Class A, B, and C scheme. A single IP designation can be used to refer to several IP addresses. With CIDR you specify an IP address that has a slash followed by an ending number, as in this example: 168.124.0.0/12. This ending slash and number is called the IP prefix, and represents the number of bits used to describe the network address. A CIDR address such as the one described earlier in this paragraph covers the equivalent of more than 1 million addresses, since there are 20 bits available for hosts (12 are used to describe the network). It’s immediately obvious that routers that can use CIDR can benefit enormously because their routing tables don’t have to be large and cumbersome. Hashing through routing tables looking for a specific number is made much simpler with this new scheme.

client A computer on a network that subscribes to the services provided by a server.

client/server A computing and network architecture that relies on servers and clients. Servers handle applications, files, print sharing, and other large tasks. Clients use servers. In a client/server environment, the client may be a fat client, meaning that it offloads some of the work from the server, or a thin client, meaning that it does no work at all. Clients can vary anywhere in between the spectrum from thin to fat based on the way that the developers created the system.

cluster Two or more computers set up to perform the same service in support of each other for fault-tolerance or load-balancing purposes.

Common Internet File System (CIFS) The protocol that Windows 2000 clients use to make requests of Microsoft-based servers.
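The arithmetic behind the CIDR entry is worth working through once. This is an added Python example, not code from the study guide; it uses the entry’s own 168.124.0.0/12 and two constructed /13 prefixes. It derives the mask and host count from the prefix length, tests whether an address falls inside the prefix, and shows the aggregation step that shrinks a router’s table (two adjacent prefixes of the same length collapse into one prefix a bit shorter). It also surfaces a check practitioners routinely do: 168.124.0.0 has host bits set under a /12 mask, so the network that prefix really names is 168.112.0.0/12.

```python
from typing import Dict, Optional, Union


def _to_int(dotted: str) -> int:
    """Dotted quad -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def _to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def _mask(prefix: int) -> int:
    """Network mask for a prefix length: the top `prefix` bits set."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def parse_cidr(cidr: str) -> Dict[str, Union[str, int, bool]]:
    """Split 'a.b.c.d/n' into network address, mask and host-bit count. The network
    address is the written address with its host bits cleared; if the written address
    had host bits set, 'as_written_is_network' is False."""
    addr_str, prefix_str = cidr.split("/")
    addr, prefix = _to_int(addr_str), int(prefix_str)
    mask = _mask(prefix)
    network = addr & mask
    host_bits = 32 - prefix
    return {
        "network": _to_dotted(network),
        "mask": _to_dotted(mask),
        "prefix": prefix,
        "host_bits": host_bits,
        "total_addresses": 1 << host_bits,
        "as_written_is_network": addr == network,
    }


def contains(cidr: str, ip: str) -> bool:
    """True when ip lies inside the prefix: same network bits, any host bits."""
    addr_str, prefix_str = cidr.split("/")
    mask = _mask(int(prefix_str))
    return (_to_int(addr_str) & mask) == (_to_int(ip) & mask)


def aggregate_pair(a: str, b: str) -> Optional[str]:
    """Combine two equal-length prefixes that differ only in their last network bit
    into the single prefix one bit shorter that covers both. This is the step that
    lets a CIDR router advertise one route instead of two."""
    (a_str, a_pre), (b_str, b_pre) = a.split("/"), b.split("/")
    if a_pre != b_pre or int(a_pre) == 0:
        return None
    prefix = int(a_pre)
    mask = _mask(prefix)
    net_a, net_b = _to_int(a_str) & mask, _to_int(b_str) & mask
    if net_a ^ net_b != 1 << (32 - prefix):   # must differ in exactly the last network bit
        return None
    return f"{_to_dotted(net_a & _mask(prefix - 1))}/{prefix - 1}"


if __name__ == "__main__":
    print(parse_cidr("168.124.0.0/12"))
    print(aggregate_pair("168.112.0.0/13", "168.120.0.0/13"))   # constructed prefixes
```

`parse_cidr` is what a lenient tool does when handed a prefix with host bits set; a strict tool would reject the input instead, and either behaviour is preferable to silently routing on the address as written.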
common name The name by which a network object is commonly known.

computer name A NetBIOS name used to uniquely identify a computer on the network. A computer name can be from 1 to 15 characters in length.

convergence time After a router failure, the time it takes for a group of routers to update their routing tables and to be in agreement with one another.

cost center A group within an organization whose overhead is greater than its direct profitability. The opposite of a cost center is a profit center—a group within the organization that makes money for the company. Today’s IT structure can be fragmented along cost/profit centers. Web servers, for example, make money, so it’s important for them to be up and running all the time. Thus, the IT department handling the web site could possibly be considered a profit center. E-mail servers, on the other hand, might not have anything to do with generating profits, so the admins for those computers are considered a cost center. (If a company makes money directly from the e-mail that it receives, then e-mail is a profit center.)

D

Data Encryption Standard (DES) A 40-, 56-, or 128-bit encryption standard developed by the National Institute of Standards and Technology (NIST) and commonly used in the United States and Canada.

Data Link Control (DLC) An older network protocol used predominantly by Hewlett-Packard printers. Occasionally, DLC is also used to connect to IBM mainframes.
DC See domain controller.

decentralized A style of group, with a common mission, that reports to more than one leader. For example, suppose that a Windows 2000 administration group is spread out over several geographic areas, each of which has its own supervisor who, in return, reports to the general manager for that location. This group could be said to be decentralized since it has no central leader.

default gateway A TCP/IP configuration option that specifies which interface to use to reach the destination network if the local network contains routers. The default gateway is used when the routing table for the host does not have a route for the destination network.

default router metric base The “cost” in terms of router hops, or another metric that you decide upon, to get to destination networks; can be assigned by the Windows 2000 DHCP service. By setting this as a default, all metrics start with this number unless you specify otherwise. If this value isn’t used, a default of 1 is assumed.

delegated domain A domain for which authority has been delegated to another DNS server. For example, suppose that your company is widgets.com. You have authority for the root domain—everything beneath widgets.com. But now you want to delegate some authority for a domain that is geographically separate from you and would be better served by a DNS server local to that location, for example, remote.widgets.com. The remote.widgets.com subdomain would have an NS record in your database pointing to the authoritative DNS server for the subdomain, but it would not list any other records for that domain. Instead, the DNS zone for remote.widgets.com would have the listings needed for the subdomain (including a matching set of NS records for the domain).

delegated zones A zone consists of a partial domain, a whole domain, or multiple domains. Delegated zones are those managed by a group that is subordinate to the root.

demand-dial routing A routing solution implemented with Windows 2000 Routing and Remote Access Services (RRAS). In demand-dial routing, there is no permanent connection to a WAN or the Internet. However, when someone needs external access (demand), a dial-up routing connection is made.

demilitarized zone (DMZ) A network that a company maintains between the company’s private network and the Internet. Typically, DMZ networks contain web servers and computers that help support the web environment (such as Proxy Servers or firewalls). Also called a screened subnet.

denial of service (DoS) An attack characterized by hackers flooding a network with as much garbage as they can in order to prevent people from getting to it. The famous ICMP (ping) attacks of a few years ago are a good example.

DES See Data Encryption Standard.

Dfs See Distributed File System.

Dfs host server The Windows 2000 server that manages the Dfs root.

Dfs root The root container that contains the links to shares and files in a Dfs system.

DHCP See Dynamic Host Configuration Protocol.
DHCP relay agent A routing protocol that forwards, in unicast, DHCP requests from a network that has no DHCP server to a network that does.

DHCP server A server configured to provide DHCP clients with all of their IP configuration information automatically.

DHCPACK A positive acknowledgement by a DHCP server to a client requesting an IP lease. The DHCP server initiates the DHCPACK message.

DHCPDISCOVER When a client initially comes onto the network and needs an IP lease, it sends a broadcast looking for a DHCP server. The message it sends is called a DHCPDISCOVER message. In a DHCP relay agent environment, the relay agent intercepts this broadcast and forwards the request to the DHCP server(s) it is configured to talk to.

DHCPINFORM A DHCP packet containing requests for additional configuration information (WINS servers, DNS server addresses, default gateway, etc.) comes in the form of DHCPINFORM messages from the DHCP client. Also used by Windows 2000 DHCP servers to get information about the directory services used in the network, to determine whether or not the server is authorized in Active Directory.

DHCPNAK A DHCP packet containing a message to the client that the server cannot fulfill its request for an IP lease.

DHCPOFFER After a DHCP client requests an IP lease, a DHCP server offers an IP address. The message sent by the DHCP server is called a DHCPOFFER.

DHCPRELEASE If a client is gracefully shut down (as opposed to a system crash), a DHCPRELEASE message can be sent to the DHCP server to release the IP address. Usually when the client restarts, it sends a message to the DHCP server requesting the IP lease that it originally had using the DHCPREQUEST message.

DHCPREQUEST A DHCPREQUEST message is initiated by the client after the DHCPDISCOVER and DHCPOFFER packets are sent and received. The request is based on the information in the DHCPOFFER packet in the case of a new lease, or on the current configuration of the client in the case of a renewal. A message containing the client’s MAC address is sent by the client to both the 255.255.255.255 broadcast address and the MAC-level broadcast address in hopes of contacting a DHCP server for an IP lease. In a DHCP relay agent environment, the relay agent will intercept this broadcast and forward the request to the DHCP server(s) it is configured to talk to.

DHCPServer object The object within the Active Directory database that lists all authorized DHCP servers within the directory.

Dial-Up Networking (DUN) A service that allows remote users to dial into the network or the Internet (such as through a telephone or an ISDN connection).

disaster recovery (DR) The process of restoring a network to the condition it was in prior to some sort of disaster, whether natural or caused by humans.

distance vector routing protocol A routing protocol that bases its decisions on how to route packets on distance alone. Distance vector
routing protocols always take the shortest number of hops to the destination. Routing Information Protocol (RIP) is a distance vector routing protocol.

Distributed File System (Dfs) A utility in Windows 2000 Server that allows you to collect shares from all over the network and make them appear to be located on one central machine.

d-mark The physical location at which a carrier provides a requested telephony circuit. Short for demarcation point.

DMZ See demilitarized zone.

DNS See Domain Name Service.

DNS server A server that uses DNS to resolve domain or host names to IP addresses.

DNSCMD A Windows 2000 command-line utility that allows you to configure DNS servers.

domain In Microsoft networks, an arrangement of client and server computers referenced by a specific name that shares a single security permissions database. On the Internet, a domain is a named collection of hosts and subdomains, registered with a unique name by the InterNIC.

domain component Used in Active Directory distinguished names to indicate an identifier for a part of the object’s domain. In the example /O=Internet/DC=ORG/DC=Charity/CN=Users/CN=BillyBob, the domain components are ORG and Charity.

domain controller (DC) The Windows 2000 server that contains a copy of the Windows 2000 Active Directory database. In order to have a domain, you must have at least one domain controller.

domain name The textual identifier of a specific Internet host. Domain names are in the form of server organization type (www.microsoft.com) and are resolved to Internet addresses by DNS servers.

domain name server An Internet host dedicated to the function of translating fully qualified domain names into IP addresses.

Domain Name Service (DNS) The TCP/IP network service that translates textual Internet network addresses into numerical Internet network addresses.

domain root The topmost part of an organization’s hierarchy. MyCompany.COM might be the domain root, while Sales.MyCompany.COM and Accounting.MyCompany.COM would be subdomains subordinate to the root domain.

DoS See denial of service.

DR See disaster recovery.

DUN See Dial-Up Networking.

dynamic allocation When IP addresses are automatically handed out by a DHCP server, we say that we are using dynamic allocation. The “dynamic” part of the phrase implies that there is some changeability in the way that the protocol interacts with a client. For example, suppose that a client shuts down and releases its IP address, then another client comes along and takes the IP address that belonged to the original client. The DHCP server should be able to compensate for this anomaly by providing the client a new IP address once it starts up again.
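The DHCP message entries above (DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK, DHCPRELEASE, DHCPINFORM) and the scenario in the dynamic allocation entry fit together as one state machine, shown here as an added Python example that is not code from the study guide. Messages are plain dicts rather than RFC 2131 packets, the field names chaddr and yiaddr mirror the packet fields, and the address pool, MAC addresses and options are constructed. The client side reproduces the restart case: it first asks for the lease it used to have, gets a DHCPNAK because another client took that address after the release, and falls back to the full four-message exchange.

```python
from typing import Dict, List, Optional, Tuple

Message = Dict[str, str]


def _ip_key(ip: str) -> Tuple[int, ...]:
    """Sort key so the lowest free address is offered first."""
    return tuple(int(o) for o in ip.split("."))


class DhcpServer:
    """Minimal DHCP server over the glossary's message types (constructed model)."""

    def __init__(self, pool: List[str], options: Dict[str, str]) -> None:
        self.free = set(pool)              # addresses neither offered nor leased
        self.offers: Dict[str, str] = {}   # chaddr -> address offered, awaiting DHCPREQUEST
        self.leases: Dict[str, str] = {}   # chaddr -> address acknowledged
        self.options = options             # router, DNS servers, ... (what DHCPINFORM asks for)

    def handle(self, msg: Message) -> Optional[Message]:
        kind, mac = msg["type"], msg["chaddr"]
        if kind == "DHCPDISCOVER":
            ip = self.leases.get(mac) or self.offers.get(mac)
            if ip is None:
                if not self.free:
                    return None            # pool exhausted: the client keeps broadcasting
                ip = min(self.free, key=_ip_key)
                self.free.remove(ip)
                self.offers[mac] = ip
            return {"type": "DHCPOFFER", "chaddr": mac, "yiaddr": ip, **self.options}
        if kind == "DHCPREQUEST":
            wanted = msg["requested_ip"]
            if self.offers.get(mac) == wanted or self.leases.get(mac) == wanted:
                self.offers.pop(mac, None)
            elif wanted in self.free:      # restart asking for an old lease that is still unused
                self.free.remove(wanted)
            else:                          # held by another client, or never offered to this one
                return {"type": "DHCPNAK", "chaddr": mac}
            self.leases[mac] = wanted
            return {"type": "DHCPACK", "chaddr": mac, "yiaddr": wanted, **self.options}
        if kind == "DHCPRELEASE":
            ip = self.leases.pop(mac, None)
            if ip is not None:
                self.free.add(ip)
            return None                    # a release is never answered
        if kind == "DHCPINFORM":
            return {"type": "DHCPACK", "chaddr": mac, **self.options}   # options only, no address
        raise ValueError(f"unknown message type {kind}")


def client_boot(server: DhcpServer, mac: str, previous_ip: Optional[str] = None
                ) -> Tuple[Optional[str], List[Message]]:
    """Client side. A restarting client first requests the lease it had; on DHCPNAK
    it falls back to DISCOVER/OFFER/REQUEST/ACK. Returns the acquired address and
    the ordered transcript of both sides' messages."""
    transcript: List[Message] = []

    def send(msg: Message) -> Optional[Message]:
        transcript.append(msg)
        reply = server.handle(msg)
        if reply is not None:
            transcript.append(reply)
        return reply

    if previous_ip is not None:
        reply = send({"type": "DHCPREQUEST", "chaddr": mac, "requested_ip": previous_ip})
        if reply is not None and reply["type"] == "DHCPACK":
            return reply["yiaddr"], transcript
    offer = send({"type": "DHCPDISCOVER", "chaddr": mac})
    if offer is None:
        return None, transcript
    ack = send({"type": "DHCPREQUEST", "chaddr": mac, "requested_ip": offer["yiaddr"]})
    if ack is not None and ack["type"] == "DHCPACK":
        return ack["yiaddr"], transcript
    return None, transcript


if __name__ == "__main__":
    srv = DhcpServer(["192.168.1.10", "192.168.1.11"], {"router": "192.168.1.1"})
    client_boot(srv, "aa")                                  # A leases .10
    srv.handle({"type": "DHCPRELEASE", "chaddr": "aa"})      # A shuts down cleanly
    client_boot(srv, "bb")                                  # B takes .10
    ip, log = client_boot(srv, "aa", previous_ip="192.168.1.10")
    print(ip, [m["type"] for m in log])
```

The DHCPNAK branch is the part that matters for a design review: a server that lacks it (or a client that ignores it) leaves two hosts believing they own the same address.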
Dynamic Host Configuration Protocol (DHCP) A method of automatically assigning IP addresses to client computers on a network.

dynamic routing A routing solution in which the routing tables for all routers are automatically discovered. Dynamic routing is a function of an inter-routing protocol such as RIP or OSPF.

E

EAP See Extensible Authentication Protocol.

EFS See Encrypting File System.

EMS See enterprise management systems.

Encrypting File System (EFS) The Windows 2000 technology used to store encrypted files on NTFS partitions. Encrypted files add an extra layer of security to the file system.

encryption The process of translating data into code that is not easily accessible to increase security. Once data has been encrypted, a user must have a password or key to decrypt the data.

enterprise application An application that is used by the majority of users on a network.

enterprise management systems (EMS) Programs that allow for advanced network management and monitoring such as remote control, remote auditing, and packet capturing. Examples are HP’s Open View and Microsoft’s Systems Management Server (SMS).

EtherTalk A medium that the AppleTalk protocol can use to communicate over Ethernet networks.

Exchange Server Microsoft’s implementation of an e-mail server.

Extensible Authentication Protocol (EAP) The most secure remote access authentication protocol currently supported by Microsoft Windows 2000. Used with smart card authentication.

extranet An intranet that is accessible by outsiders. It typically includes some kind of authentication to verify that the person trying to access the network is actually who they say they are.

F

failback Once a server is fixed after a failover, a failback operation can occur to make the failed server the active server in the cluster again.

failover In a cluster server environment, when a computer fails and the backup computer takes its place, a failover is said to have occurred. Conversely, when the computer is fixed and back online, a failback occurs.

fault tolerance Any method that prevents system failure by tolerating single faults, usually through hardware redundancy.

fiduciary Involving a confidence or trust held for another; typically used to describe the responsibility held by company officials who act in a special relation on behalf of others. “Fiduciary” responsibility is normally used in the context of corporate monies or stocks.

File Replication Service (FRS) The service used by Windows 2000 to create exact replicas of certain files from one machine to another. Replaces LAN Manager Replication (LMRepl), which was used by Windows NT.
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com
Glossary
filtering rule A logical rule that you impose in Windows 2000 routing or NAT, whereby you restrict certain protocols from being allowed into a network or out from a network. The most common filter is to bar incoming ICMP (ping) packets.
firewall A firewall is designed to protect your network from outside attacks, while still allowing users to access Internet resources. Firewalls are usually hardware devices.
forest A Windows 2000 network consisting of multiple domain trees that do not share a contiguous namespace.
forward lookup The resolution of a known host name or FQDN to an IP address.
forward lookup zone A zone that allows you to look up an IP address when a host name (FQDN) is known.
FQDN See fully qualified domain name.
fully qualified domain name (FQDN) A name used to represent individual hosts on the Internet. An FQDN consists of three parts: a host name, a second-level domain name, and a top-level domain name. Examples of FQDNs are www.microsoft.com and www.purdue.edu.
G
gateway server A server that provides access to an otherwise unavailable resource. An example is Microsoft's Gateway Service for NetWare, which allows Microsoft clients to access NetWare resources.
global catalog server A computer that houses a copy of the global catalog, the Active Directory index that contains at least a partial replica of every object in a Windows 2000 forest.
H
hardware compatibility list (HCL) A list of all of the hardware devices supported by Windows 2000. Hardware on the HCL has been tested and verified as being compatible with Windows 2000.
HCL See hardware compatibility list.
host A computer on a network, whether server or workstation. The term could loosely extend to printers, routers, or other devices—anything with an IP address—but is typically confined to computers.
Host Integration Server 2000 The new term for Microsoft SNA Server.
hunt group A grouped set of different telephone numbers that appear to be a single number to outside callers.
HTTP See Hypertext Transfer Protocol.
hybrid node (H-node) A name resolution method wherein the client first queries the listed name servers it has been given, then broadcasts, then checks an LMHOSTS file.
Hypertext Transfer Protocol (HTTP) An Internet protocol that transfers HTML documents over the Internet and responds to context changes that happen when a user clicks a hyperlink.
I
IANA See Internet Assigned Numbers Authority.
IAS See Internet Authentication Services.
ICMP See Internet Control Message Protocol.
ICMP attack Hacker attack that attempts to disrupt or crash a server by flooding it with bad Internet Control Message Protocol (ICMP) packets.
ICS See Internet Connection Sharing.
IGRP See Interior Gateway Routing Protocol.
IIS See Internet Information Services.
infrastructure master A domain server role that assures object consistency across the domain.
initial master The File Replication Service server that is initially responsible for replicating files and folders to other servers.
interactive voice response (IVR) Telephony systems that provide a series of voice messages that guide a caller through menu selections; for example, "Press 1 for Sales, or press 2 for Marketing."
interclient state A Network Load Balancing term, used when talking about the synchronization status of updates of transactional systems after a client connection has taken place. For example, suppose that you have an e-commerce site where a client surfs in on the Internet and buys something. The act of updating the transactions in the various databases affected by the purchase transaction constitutes an interclient state.
international A company that has offices and does business in countries that are foreign to its home headquarters.
Internet Assigned Numbers Authority (IANA) The organization that assigns and tracks protocol numbers, object identifiers (OIDs), and other numbers related to the TCP/IP protocol.
Internet Authentication Services (IAS) The Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server.
Internet connection sharing (ICS) A Windows 2000 feature that allows a small network to be connected to the Internet through a single connection. The computer that dials into the Internet provides Network Address Translation, addressing, and name resolution services for all of the computers on the network. Through Internet connection sharing, the other computers on the network can access Internet resources and use Internet applications, such as Internet Explorer and Outlook Express.
Internet Control Message Protocol (ICMP) A member of the IP suite of protocols. It provides for error, control, and informational messages. The ping command makes use of ICMP in determining whether a certain TCP/IP connection is present.
Interior Gateway Routing Protocol (IGRP) A protocol that allows multiple routing gateways to coordinate with each other.
Internet Protocol (IP) The Network layer protocol upon which the Internet is based. IP provides a simple connectionless packet exchange.
Internet Service API (ISAPI) An application programming interface (API) written by Microsoft so that programmers can write code for Internet Information Services. Some companies specializing in augmenting the use of Microsoft Proxy Server have developed ISAPI filters that help Proxy Server filter out unwanted traffic.
Internet service provider (ISP) A company that provides dial-up connections to the Internet.
Internetworking Packet Exchange/Sequenced Packet Exchange (IPX/SPX) A routable networking protocol created by Novell, used for communication between NetWare servers and clients. IPX/SPX uses datagrams for connectionless communications.
intraclient state A Network Load Balancing term involving the state of a client through a transaction. When a client is held throughout the transaction, as in an Internet e-commerce shopping cart transaction, the client is taken from connection to connection.
intranet A privately owned network based on the TCP/IP protocol suite.
IP See Internet Protocol.
IP address A four-byte number that uniquely identifies a computer on an IP internetwork. InterNIC assigns the first bytes of Internet IP addresses and administers them in hierarchies. Huge organizations like the government or top-level ISPs have Class A addresses, large organizations and most ISPs have Class B addresses, and small companies have Class C addresses. In a Class A address, InterNIC assigns the first byte, and the owning organization assigns the remaining three bytes. In a Class B address, InterNIC or the higher-level ISP assigns the first two bytes, and the organization assigns the remaining two bytes. In a Class C address, InterNIC or the higher-level ISP assigns the first three bytes, and the organization assigns the remaining byte. Organizations not attached to the Internet are free to assign IP addresses as they please.
IPC See interprocess communications.
IPconfig A command used to display the computer's IP configuration.
IPSec Short for IP Security. IPSec provides encryption within the IP protocol for use when data must be secured as it travels from one place to another.
IPX/SPX See Internetworking Packet Exchange/Sequenced Packet Exchange.
ISAPI See Internet Service API.
ISP See Internet service provider.
IVR See interactive voice response.
K
Kerberos The default authentication protocol used by Windows 2000 domain controllers. It is currently on version 5, which is written as Kerberos v5.
L
L2TP See Layer 2 Tunneling Protocol.
Layer 2 Tunneling Protocol (L2TP) An extension of the PPP protocol, enabling the implementation of VPNs, either through ISPs or private networks. The protocol is a combination of the best of Microsoft's PPTP and Cisco's Layer 2 Forwarding.
latency There are two definitions for latency. The first definition is how much time a computer component spends waiting on another component to finish what it's doing and honor a request. The second definition is the amount of time that a packet takes to get from one point to another across a network.
LCP See Link Control Protocol.
LDAP See Lightweight Directory Access Protocol.
Lightweight Directory Access Protocol (LDAP) A protocol used in Windows 2000 to query the global catalog servers when a user is looking for a specific object in Active Directory.
Line Print Daemon (LPD) A printer service that runs on Unix computers. Microsoft Print Services for Unix also includes an LPD service.
link In Dfs, a connector from the Dfs system to a file, directory, or share.
Link Control Protocol (LCP) The protocol that negotiates the PPP and link parameters, configuring the Data-Link layer of a PPP connection.
link replica A copy of a Dfs link on a different computer. The idea is to create redundancy within the Dfs system, either to increase the fault tolerance of the share or to facilitate the need to take down a share for maintenance.
link-state routing protocol A routing protocol that bases its routing decisions on three items: hops, ticks, and cost. Hops are the number of routers the packet must go through to reach its destination. Ticks are a unit of time, 1/18th of a second. Cost is a variable configured by the router's administrator. OSPF is an example of a link-state routing protocol.
LMHOSTS A static table of NetBIOS names to IP address mappings.
load balancing Load balancing is the act of distributing processes that would normally run on one machine or processor over multiple machines or processors.
local In MCSE terms, the model of a company that only does business within a city or small region.
LocalTalk The cabling scheme used to connect Macintosh computer systems in a network.
LPD See Line Print Daemon.
M
MADCAP See Multicast Address Dynamic Client Access Protocol.
manual allocation Configuring each computer's TCP/IP settings without benefit of any automatic or labor-saving technology.
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) The MS-CHAP version 1 and 2 protocols are a takeoff of the original Challenge Handshake Authentication Protocol (CHAP) as outlined in RFC 1994. The idea is that you connect to a remote access server, and you're sent a challenge string. In answering the challenge string, you enter your username and password. The password is used to create a one-way hash using the Message Digest 5 (MD5) encryption scheme. In CHAP, the password is plain text. In MS-CHAP, the password is encrypted using MD4. In MS-CHAP v2, the entire mechanism is much stronger and allows for two-way authentication.
Microsoft Directory Synchronization Services (MSDSS) A service that provides administrators with a way to synchronize Novell NetWare NDS directories or binderies with the Windows 2000 Active Directory.
Microsoft Point-to-Point Encryption (MPPE) A protocol that uses 40-, 56-, or 128-bit encryption keys using the Rivest-Shamir-Adleman (RSA) RC4 stream cipher; useful for all PPP connections except L2TP. It can be used only with EAP-TLS or MS-CHAP v2.
MPPE See Microsoft Point-to-Point Encryption.
MS-CHAP See Microsoft Challenge Handshake Authentication Protocol.
MSDSS See Microsoft Directory Synchronization Services.
multicast Transmitting data to a select group of recipients. Used primarily in video or audio streaming, stock ticker programs, etc.
Multicast Address Dynamic Client Access Protocol (MADCAP) The protocol that provides support for DHCP IP configuration of multicast clients.
mutual authentication The process of one host verifying the identity of another and vice versa. "I understand that you need to see my credentials, but please don't be offended if I ask to see yours as well."
N
namespace Within Windows 2000, the term namespace has two different connotations. In the Microsoft Management Console (MMC), when viewing the context tree and looking at the items or resources found therein, you're looking at a namespace (which would include any Active Directory objects—simply because they're viewed with the MMC as well). Alternatively, any hierarchical structure viewed within DNS is also said to be a namespace.
Narrator A Windows 2000 utility used to read aloud on-screen text, dialog boxes, menus, and buttons. This utility requires some type of sound output device.
NAT See Network Address Translation.
national In MCSE terms, the model of a company that does business in multiple areas of its home country.
National Institute of Standards and Technology (NIST) An office of the U.S. Commerce Department that works with industry to develop and apply technology, measurements, and standards.
NCP See NetWare Core Protocol.
negative caching A situation in which a negative response from a DNS server for the IP address of a host is cached. The purpose of the caching is to speed up the query on other DNS client computers.
NetBIOS (Network Basic Input/Output System) There are two definitions of NetBIOS. One definition says NetBIOS is the name for the computer on a Microsoft network. A second definition says NetBIOS is an interface that programs can be designed to use to identify other computers (naming structure) on the network. The alternative interface is called Sockets, which uses host names instead of NetBIOS names.
NetBIOS Extended User Interface See NetBEUI.
NetBEUI (NetBIOS Extended User Interface) A small, quick, non-routable protocol developed in the mid-1980s by the IBM Corporation. This protocol is rarely supported outside of Microsoft networks.
NetBT NetBIOS packets encapsulated within TCP/IP.
NetPC A computer that has no peripherals and is designed to be small, light, and inexpensive. Typically used for low-cost, thin-client computing environments.
netsh A new feature in Windows 2000, a command-line scripting tool for developing configuration scripts for services such as WINS, DHCP, and RRAS.
NET USE A command-line utility used to map network drives.
NetWare A popular network operating system developed by Novell in the early 1980s. NetWare is a cooperative, multitasking, highly optimized, dedicated-server network operating system that has client support for most major operating systems. Recent versions of NetWare include graphical client tools for management from client stations. At one time, NetWare accounted for more than 70 percent of the network operating system market.
NetWare Core Protocol (NCP) The protocol used by NetWare clients to make requests of NetWare servers.
Network Address Translation (NAT) The process of hiding an entire network behind a single IP address. This process helps reduce IP address space shortages and hides the internal network-addressing scheme from external hackers.
Network Basic Input/Output System See NetBIOS.
Network File System (NFS) An open design for Unix systems that allows all users of a network to access files on a server, regardless of their platform.
Network Load Balancing (NLB) A service that allows you to combine two or more Windows 2000 Advanced Servers into a cluster for fault-tolerance or performance-improvement purposes.
network management system (NMS) A system that allows you to monitor the network for errors and provides alerting if an error takes place.
NFS See Network File System.
NIST See National Institute of Standards and Technology.
NLB See Network Load Balancing.
NMS See network management system.
node Often used interchangeably with the term host on a network, it refers to any device that has an IP address.
node type One of four different name resolution paradigms that a client uses when attempting to resolve computer names to IP addresses on a network. The most common node type is 0x8, more commonly called hybrid node. With hybrid node, the client first checks any primary or secondary WINS servers for the name referenced, then broadcasts for it, and then checks LMHOSTS.
NSLOOKUP A command used to query DNS servers with a fully qualified domain name (FQDN) in order to find an IP address, or to query with an IP address to find the FQDN of a host.
n-tier client/server A client/server environment that contains multiple server and/or client layers. An example might be an e-commerce site where the client is someone using a browser, and several servers are needed (web, database, firewall, etc.) to handle the transactions.
NWLINK IPX/SPX/NetBIOS Compatible Transport Microsoft's implementation of the Novell IPX/SPX protocol stack.
O
Open Shortest Path First (OSPF) A routing protocol developed using the link-state algorithm.
organizational unit (OU) Used in Active Directory, the container that denotes the organization to which individuals or groups belong. Used to ease administration of AD objects and as a unit to which group policy can be deployed.
OSPF See Open Shortest Path First.
OU See organizational unit.
outsourcing The process of permanently contracting an entity to perform work that was once performed by a company employee, or retaining someone to help you accomplish a specific one-time task (such as a coding project).
overprovision To allow more users to join a network than its bandwidth can support, projecting that not all users will be online at once. Unfortunately, some ISPs play this game, and the customer loses for it.
P
packet A smaller segmentation of an entire message being sent across a network. The terms "packet" and "frame" are typically used interchangeably. However, packets are formed at the Network layer of the OSI model, and frames are formed at the Data-Link layer of the OSI model.
PAP See Password Authentication Protocol.
partial replicas A database that contains only a subset of the records found in a full copy of the original database. Used in Active Directory work.
Password Authentication Protocol (PAP) A plain-text authentication scheme. An early precursor to CHAP and its Microsoft iterations.
persistent connection A connection that is kept continually up during the operation of computing devices and is restored after the restart of those devices.
PKI See Public Key Infrastructure.
plain old telephone service (POTS) An analog telephone line.
Point-to-Point Protocol (PPP) A connection protocol that connects remote computers to networks.
Point-to-Point Tunneling Protocol (PPTP) A protocol invented by Microsoft and several other partners in a collective effort known as the PPTP Forum. PPTP is designed to facilitate the setting up of a virtual private connection with a client coming over the Internet to a private network. The data is tunneled inside TCP/IP packets.
POTS See plain old telephone service.
power user A computer operator who has a firm grasp of computing technology and can easily and quickly assimilate the tasks that need to be done in order to effect a computing endeavor. Power users are often given more control over a computer than they might need, sometimes resulting in problems.
PPP See Point-to-Point Protocol.
PPTP See Point-to-Point Tunneling Protocol.
private reserved range A range of IP addresses that are not routed on the Internet.
profit center A division or department that generates revenue for a company. Compare to cost center.
protocol An established rule of communication adhered to by the parties operating under it. Protocols provide a context in which to interpret communicated information. Computer protocols are rules used by communicating devices and software services to format data in a way that all participants understand.
provisioning The act of setting up a telephony or data circuit with a carrier.
proxy array A group of Microsoft Proxy Server computers that are configured hierarchically to provide load balancing for each other.
Proxy Server A Microsoft add-on product for Windows 2000 Server that provides Internet security for inbound and outbound connections. Proxy Server allows for port filtering and auditing of Web access.
PSTN See public switched telephone network.
Public Key Infrastructure (PKI) A system that uses certificates and certification authorities that can vouch for the authenticity of a client accessing an Internet or network resource.
public switched telephone network (PSTN) Two phrases give away the low-level nature of a PSTN: copper wire and analog circuits. A PSTN is simply the collection of analog-based telephone circuits that are being carried by the hundreds of telephone providers on earth.
push/pull partner The term given to the act of one WINS server sending (pushing) the changes to its database to another, while taking (pulling) the database changes from the other to itself. Also called push/pull replication partner.
Q
QoS See quality of service.
quality of service (QoS) A circuit with a guaranteed throughput and availability that is higher than normal data. Primarily used in ATM networks for voice and video circuits.
R
RADIUS See Remote Authentication Dial-In User Service.
RAS See Remote Access Service.
RDN See relative distinguished name.
real-time data mirroring A process in which data is duplicated from one server to another as it is written to the original server. Real-time data mirroring is a form of fault tolerance.
redirection Restoring data that was backed up from one computer onto a different computer.
redundant power supply (RPS) A device that fits into a rack along with your switches or hubs, providing redundancy, such that if a device's power supply gives out, the RPS takes over. Typically, you purchase RPS units that match the switch or router gear that you're purchasing.
regional In MCSE terms, the model of a company that operates in its own city and several geographic regions nearby. The term regional might mean operating in several key cities in adjoining states, or simply in the suburbs of a city, depending on the size of the company and of the city.
relative distinguished name (RDN) The name of an object within its current level in the directory. For a user DC=COM/DC=MyCompany/CN=Users/CN=jim.smith, jim.smith would be the user's RDN.
Remote Access Service (RAS) A service that allows network connections to be established over a modem connection, an Integrated Services Digital Network (ISDN) connection, or a null-modem cable. The computer initiating the connection is called the RAS client; the answering computer is called the RAS server.
Remote Authentication Dial-In User Service (RADIUS) An authentication protocol based on remote access clients passing credentials to a RADIUS client, which then queries a RADIUS server to authenticate the user. An advantage to RADIUS is that it is supported across a wide variety of platforms. Windows 2000 servers can act as both RADIUS clients and RADIUS servers. In addition to providing authentication services, RADIUS provides accounting services, allowing for the centralization of record keeping about users accessing the network through remote access methods.
remote installation The installation of Windows 2000 Professional performed remotely through Remote Installation Services (RIS).
Remote Installation Services (RIS) A Windows 2000 technology that allows the remote installation of Windows 2000 Professional. An RIS server installs Windows 2000 Professional on RIS clients. The RIS server can be configured with a CD-based image or a Remote Installation Preparation (RIPrep) image.
resource record A description of the type of host listed in a DNS database. There are many different resource records that can be used to describe different types of hosts.
Resource Reservation Protocol (RSVP) A protocol that allows hosts to prioritize certain quality of service streams, providing dedicated throughput for packets that require special treatment.
reverse hosting A technique in which a Proxy Server is set up to allow Internet-based users to access a web server on a local network segment.
reverse lookup The process of retrieving a name from a DNS server when given an IP address.
reverse lookup zone A DNS database that is responsible for maintaining records for reverse lookups.
RIP See Routing Information Protocol.
ring topology In networking, when all computers on the segment are physically connected in a ring.
RIS See Remote Installation Services.
risk In the business sense, that portion of a project or system that may be prone to failure, to extra costs, to unpredictability, to hazard, or to other unknown complications. Risk-takers in business often reap big rewards, but they also often have projects fail because they underestimated the size of the risk.
rollout The deployment of a project.
root replica A Dfs term used to denote a root Dfs volume that has been replicated by Active Directory to another Windows 2000 server.
round-robin DNS The ability of DNS to have more than one IP address for a given FQDN. The entries are gone through first one, then the next, and so on down the list, then back to the first—hence the round-robin name.
router A Network layer device that moves packets between networks. Routers provide internetwork connectivity.
router hop Each router that is crossed as a packet moves from a source to a destination. We sometimes talk about how many "router hops away" a resource is.
Routing and Remote Access Services (RRAS) The Windows 2000 service that facilitates various remote access services (such as demand-dial and RAS) and routing services (such as RIP, OSPF, and others).
Routing Information Protocol (RIP) A small, lightweight protocol that allows for routing between small- to medium-sized networks. Limited to routes no more than 15 routers away.
RPS See redundant power supply.
RRAS See Routing and Remote Access Services.
RSVP See Resource Reservation Protocol.
S
Samba The brand name of a software product that uses Server Message Blocks (SMBs) to allow Windows computers to share files and directories with Unix computers. If you want to share files and directories from a Unix computer, you mount an NFS volume. If you want to share Windows files and directories with Unix clients, you use Samba.
SAP See Service Advertisement Protocol.
screened subnet Microsoft's term for a demilitarized zone.
seed Typically used with Macintosh zones, the concept is that you broadcast out network addresses for Macintosh computers to use. The process is called "seeding a zone." You use Windows 2000 routers configured with AppleTalk to seed Macintosh zones.
Serial Line Internet Protocol (SLIP) An older predecessor to the PPP protocol. SLIP is a connection protocol that gets clients hooked to remote networks or the Internet.
Server Message Block (SMB) A protocol that pre-Windows 2000–based Windows clients use to make requests of the server.
service A process dedicated to implementing a specific function for another process. Most Windows 2000 components are services used by user-level applications.
Service Advertisement Protocol (SAP) A NetWare protocol that is used to announce the services and addresses of NetWare servers hooked to the network.
Services for Macintosh (SFM) A Windows 2000 utility that provides for interoperability with Macintosh computers. Installing SFM automatically installs the AppleTalk protocol.
SFM See Services for Macintosh.
Shiva A company that produces remote access products. Shiva remote access products use their own unique authentication protocol, Shiva Password Authentication Protocol.
Shiva Password Authentication Protocol (SPAP) A proprietary version of Password Authentication Protocol that is used by Shiva equipment.
Simple Network Management Protocol (SNMP) A set of protocols that was designed to facilitate the managing of network equipment. SNMP is used with enterprise management systems to collect data and analyze network problems.
single point of failure (SPOF) The place at which a device, system, program, or other computing entity has only one point of support and thus will completely shut down upon failure.
SLIP See Serial Line Internet Protocol.
small office/home office (SOHO) A very small office, which could have a small network as well. The standard SOHO office has a little hub or switch, a few computers, a shared printer, and maybe some other peripheral devices such as a scanner or CD writer. Dentist's offices, hairdresser salons, home offices—there are many examples of SOHOs.
SMB See Server Message Block.
SNA See Systems Network Architecture.
SNMP See Simple Network Management Protocol.
SOCKS A protocol that can be used with Proxy Servers.
SOHO See small office/home office.
SPAP See Shiva Password Authentication Protocol.
SPOF See single point of failure.
SRV A type of resource record new to Windows 2000 DNS. The SRV resource record specifies which computers provide which kind of TCP/IP services on the network. Used to find out which servers are providing LDAP, Kerberos, and global catalog services, for example.
stand-alone root A Dfs root that isn't using Active Directory as its replication methodology.
standard primary zone The zone that is authoritative for the organization and handles the root domain structure.
standard secondary zone A redundant partner to a standard primary DNS zone, one that receives replicated updates to its database as the standard primary DNS zone is updated.
star topology The most common physical network topology, the star's main feature is that all computers are connected through a central device, usually a hub or a switch. Many stars can be connected together, and often they're on larger networks.
static routing A routing method in which all routes in the router's table must be entered manually. Static routers do not communicate with other routers.
strategic planning The ability to think and plan long-term—looking down the road several years and asking, "Where should this network be then?"
subnet The term subnet literally means a "sub (or part) network." Subnets have different network addresses in the IP world, and are separated by routers.
subnet mask A number mathematically applied to IP addresses to determine which IP addresses are a part of the same subnetwork as the computer applying the subnet mask. Used to determine if the destination computer is on the same network as the sending computer.
subsidiary A part of a company that's involved in an activity distinct from its parent company.
superscope Multiple DHCP scopes combined into one administrative unit. Superscopes are convenient for managing multiple subnets that have been combined onto one network.
SYN attack The act of a hacker sending thousands of Synchronize requests to a server, flooding the server so badly that the network cannot send or receive packets.
Systems Network Architecture (SNA) Developed by IBM in 1974 as a network protocol that could be used with IBM mainframes. SNA was enhanced so that it could also be used to work connecting peer-to-peer networks. Today, working with SNA typically involves retrieving database data from mainframe systems in order to be processed by network servers.
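The IP address, subnet mask, subnet and private reserved range entries describe a single mechanism: the four-byte address, the classful split of who assigns which bytes, and the mask that decides whether a destination is on the sending host's subnetwork or must go through a router. The following is an added example, not code from the book; the RFC 1918 private ranges are my assumption, since the glossary names the concept but does not list the ranges.

```python
"""Classful IPv4 addresses and the subnet-mask test, as the glossary describes them."""


def parse_ipv4(text: str) -> int:
    """Turn dotted-decimal text into the four-byte integer the glossary speaks of.
    Rejects anything that is not exactly four octets in the range 0-255."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not a four-byte dotted address: {text!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError(f"bad octet in {text!r}")
        value = (value << 8) | int(part)
    return value


def to_dotted(value: int) -> str:
    """Inverse of parse_ipv4: four-byte integer back to dotted-decimal text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(addr: int) -> str:
    """Classful category by first byte: A (0-127), B (128-191), C (192-223).
    D (multicast) and E (reserved) are included for completeness; the glossary
    only lists A, B and C because those are the ones handed to organizations."""
    first = addr >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def classful_mask(cls: str) -> int:
    """The assignment split from the 'IP address' entry: InterNIC (or the ISP)
    assigns 1, 2 or 3 bytes for Class A, B, C; the organization owns the rest."""
    return {"A": 0xFF000000, "B": 0xFFFF0000, "C": 0xFFFFFF00}[cls]


def same_subnet(a: str, b: str, mask: str) -> bool:
    """The subnet-mask test: the mask is applied (bitwise AND) to both
    addresses, and the hosts share a subnetwork when the results match."""
    m = parse_ipv4(mask)
    return (parse_ipv4(a) & m) == (parse_ipv4(b) & m)


def needs_router(src: str, dst: str, mask: str) -> bool:
    """A sending host's decision (see 'subnet'): deliver directly on the local
    segment if the destination shares its subnet, otherwise hand it to a router."""
    return not same_subnet(src, dst, mask)


# Private reserved ranges as (network, mask) pairs.
# Assumption: taken from RFC 1918, which the glossary does not cite.
PRIVATE_RANGES = (
    ("10.0.0.0", "255.0.0.0"),
    ("172.16.0.0", "255.240.0.0"),
    ("192.168.0.0", "255.255.0.0"),
)


def is_private(addr: str) -> bool:
    """True when the address falls in a range that is not routed on the Internet,
    i.e. one that must sit behind NAT to reach outside hosts."""
    return any(same_subnet(addr, net, mask) for net, mask in PRIVATE_RANGES)


if __name__ == "__main__":
    # Constructed sample hosts, not addresses from the book.
    for host in ("10.4.7.22", "172.31.9.1", "192.168.1.10", "198.51.100.7"):
        cls = address_class(parse_ipv4(host))
        print(host, "class", cls, "default mask", to_dotted(classful_mask(cls)),
              "private" if is_private(host) else "public")
    print("192.168.1.10 -> 192.168.2.10 via router:",
          needs_router("192.168.1.10", "192.168.2.10", "255.255.255.0"))
```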
T
TCO See total cost of operations.
TCP See Transmission Control Protocol.
TCP/IP See Transmission Control Protocol/Internet Protocol.
TCP SACK See TCP Selective Acknowledgement.
TCP Selective Acknowledgement (TCP SACK) A wonderful enhancement to TCP/IP, this concept requires a bit of thought before you can internalize it. When TCP packets are sent across the wire, if one is missing or out of order, a retransmit is requested. If the packet is not retransmitted in a very brief time window, the packet and all subsequent packets must be retransmitted. TCP Selective Acknowledgement allows for the retransmission of only those packets that are actually missing.
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com
Glossary
TCP windows The receiving computer’s buffer size when participating on a TCP/IP– based network. When the TCP window is full, the receiver tells the sender to stop transmitting packets. Telnet A terminal emulation program for TCP/IP that allows you to connect to a server and execute commands on it as though you were actually sitting at its console. thin client A client that holds very little responsibility for the processing involved in a client/server application. Browsers make great thin clients.
687
Transmission Control Protocol (TCP) A Transport layer protocol that implements guaranteed packet delivery using the IP protocol. Transmission Control Protocol/Internet Protocol (TCP/IP) A suite of industry-standard protocols upon which the global Internet is based. TCP/IP is a general term that can refer either to the TCP and IP protocols used together or to the complete set of Internet protocols. TCP/IP is the default protocol for Windows 2000. tree A Windows 2000 network comprised of multiple domains that share a contiguous namespace.
time to live (TTL) A TTL is a number attached to a packet when the packet is sent out. Every time the packet passes through a router, and at certain time intervals, the TTL is decremented by one. If the TTL ever reaches zero, the packet is discarded.
TTL
TokenTalk An AppleTalk media type for use with token ring networks.
unicast Packets that are sent from a source to a single destination are said to be sent in unicast.
token-ring-to-Ethernet topology conversion bridge A hardware device (bridge) that converts packets from a token ring network to an Ethernet network. This function is also supported by routers.
Unicode A 16-bit standard that represents characters as integers, capable of representing 65,000 unique characters. Because of this huge number of possible character values (compared to only 128 in ASCII), almost all the characters from all the languages in the world can be represented with a single character set.
topology The physical layout and design of the network. total cost of operations (TCO) The total cost of performing a certain function on the network. For example, TCO would answer the question, “What is the cost, in dollars per thousand e-mails sent, to maintain an Exchange Server?”
See time to live.
U UAM
See User Authentication Module.
uninterruptible power supply (UPS) An emergency power source that can provide a limited amount of power to a computer in the event of a power outage. upgrade A method for installing Windows 2000 that preserves existing settings and preferences when converting to the newer operating system.
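The TCP Selective Acknowledgement entry above contrasts two recovery behaviours: without SACK the sender must resend everything from the first gap onward, with SACK only the segments that are actually missing. The following added example (not code from the study guide) works that contrast through on a small constructed scenario. It models segments as consecutive integers numbered from 1 and loss as a set of segment numbers, both simplifying assumptions; the receiver computes the cumulative ACK plus the SACK blocks it would advertise, and the sender derives its retransmission set from each.

```python
"""Go-back-N versus selective retransmission, as the TCP SACK entry describes.

Added example, not from the Sybex study guide. Segments are modelled as
consecutive integers numbered from 1 rather than as byte sequence numbers,
and loss is given as a set; both are simplifying assumptions.
"""


def receiver_state(sent, lost):
    """What the receiver can tell the sender.

    Returns (cum_ack, sack_blocks): cum_ack is the highest segment such that
    it and everything before it arrived (0 means nothing yet); sack_blocks are
    the contiguous runs of received segments above cum_ack, which is exactly
    what the SACK option carries and a plain cumulative ACK cannot express.
    """
    sent = sorted(sent)
    cum_ack = 0
    for seg in sent:
        if seg in lost:
            break
        cum_ack = seg
    blocks = []
    for seg in sent:
        if seg <= cum_ack or seg in lost:
            continue
        if blocks and seg == blocks[-1][1] + 1:
            blocks[-1] = (blocks[-1][0], seg)   # extend the current run
        else:
            blocks.append((seg, seg))           # start a new run
    return cum_ack, blocks


def retransmit_set(sent, cum_ack, sack_blocks=None):
    """Segments the sender must resend.

    Without SACK (sack_blocks is None) the sender only knows that everything
    past cum_ack is unacknowledged, so it resends all of it. With SACK it skips
    the segments the receiver reported as already held.
    """
    unacked = [seg for seg in sorted(sent) if seg > cum_ack]
    if sack_blocks is None:
        return unacked
    return [seg for seg in unacked
            if not any(lo <= seg <= hi for lo, hi in sack_blocks)]


def compare(sent, lost):
    """(segments resent without SACK, segments resent with SACK) for one loss pattern."""
    cum_ack, blocks = receiver_state(sent, lost)
    return retransmit_set(sent, cum_ack), retransmit_set(sent, cum_ack, blocks)


if __name__ == "__main__":
    # Constructed scenario: ten segments in flight, segments 3 and 7 lost.
    without, with_sack = compare(range(1, 11), {3, 7})
    print("without SACK:", without)    # everything from the first gap onward
    print("with SACK:   ", with_sack)  # only the two missing segments
```

With segments 1 to 10 in flight and 3 and 7 lost, the receiver's cumulative ACK stops at 2 while its SACK blocks report (4, 6) and (8, 10); the sender resends eight segments without SACK and two with it.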
uplink card
The part of a switch or hub that connects the device to the backbone of the network.

UPN
See user principal name.

UPS
See uninterruptible power supply.

User Authentication Module (UAM)
A built-in Macintosh module that allows Macintosh computers to log on to servers. Microsoft provides its own UAM for Macintosh clients.

user principal name (UPN)
A user logon name coupled with the @ sign and the domain that the user is associated with in the forest. Jim.Bob@sales.mycompany.com is an example of a UPN.

V

VAX
A Digital Equipment Corporation (DEC) minicomputer, still in use and still for sale, though now called servers instead of minicomputers.

Variable Length Subnet Masking (VLSM)
When TCP/IP was in its fledgling stages, all IP addresses were based on class. There were three classes: A, B, and C. Based on the address class, the computer had a set (or default) subnet mask. The mask was 8 bits for Class A networks, 16 bits for Class B networks, and 24 bits for Class C networks. VLSM allows for customization beyond the standard address classes and subnet masks, allowing administrators to configure their IP networks in an almost infinite number of ways. Note that routers must support VLSM (which most of today’s routers do) in order for you to be able to use VLSM in a routed network.

VINES
A network server product produced by the Banyan Corporation, which is now known as epresence.

virtual LAN (VLAN)
A group of computers that behave as though they were connected together on the same LAN, even though they may be separated into different subnets. VLANs are created using software and managed through software interfaces, though routers can work with VLANs.

virtual private network (VPN)
A private network that uses links across private or public networks (such as the Internet). When data is sent over the remote link, it is encapsulated, encrypted, and requires authentication services.

VLSM
See Variable Length Subnet Masking.

VPN
See virtual private network.
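Two entries in this glossary turn on the same arithmetic: the subnet mask entry (a mask is applied to both addresses to decide whether the destination is local) and the VLSM entry (the classful defaults of /8, /16 and /24 can be replaced by whatever prefix each subnet actually needs). The following added example, not code from the study guide, shows both with Python's standard ipaddress module: the classful default for an address, the same-subnet test, and a small best-fit VLSM allocator that carves one block into subnets sized for each host count. The sample block and host counts are constructed, and the allocator is one straightforward approach rather than a description of how any particular router or planning tool does it.

```python
"""Subnet masks and VLSM worked through with Python's ipaddress module.

Added example, not from the Sybex study guide. The sample addresses and host
counts are constructed; the allocation routine is one straightforward
best-fit approach, not a description of how any particular router does it.
"""
import ipaddress


def classful_prefix(ip):
    """Default mask length implied by the address class, as the VLSM entry
    describes: Class A /8, Class B /16, Class C /24. None for Class D/E."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    return None


def same_subnet(ip_a, ip_b, mask):
    """Apply the mask to both addresses (bitwise AND); equal network parts mean
    the destination is local, otherwise the packet goes to the default gateway."""
    # Building a network from the dotted mask also rejects a non-contiguous mask.
    prefix = ipaddress.IPv4Network(("0.0.0.0", mask)).prefixlen
    net_a = ipaddress.IPv4Network((ip_a, prefix), strict=False)
    net_b = ipaddress.IPv4Network((ip_b, prefix), strict=False)
    return net_a == net_b


def vlsm_allocate(block, host_counts):
    """Carve one block into subnets sized for each host count (VLSM).

    Each subnet gets the smallest prefix that holds hosts + 2 addresses (network
    and broadcast). Largest requests are placed first, each into the smallest
    free piece that fits. Returns (plan, leftovers): plan is a list of
    (hosts, IPv4Network) in allocation order, leftovers the unused space.
    """
    pool = [ipaddress.IPv4Network(block)]
    plan = []
    for hosts in sorted(host_counts, reverse=True):
        prefix = 32 - (hosts + 1).bit_length()   # smallest power of two >= hosts + 2
        fits = [n for n in pool if n.prefixlen <= prefix]
        if not fits:
            raise ValueError(f"no free space for a subnet of {hosts} hosts")
        chosen = max(fits, key=lambda n: n.prefixlen)   # best fit: smallest adequate piece
        pool.remove(chosen)
        if chosen.prefixlen == prefix:
            subnet = chosen
        else:
            subnet = next(chosen.subnets(new_prefix=prefix))
            pool.extend(chosen.address_exclude(subnet))  # hand back what is left of the piece
        plan.append((hosts, subnet))
    return plan, sorted(pool, key=lambda n: n.network_address)


if __name__ == "__main__":
    # Constructed scenario: a Class C block (default /24) split for four
    # departments needing 100, 50, 20 and 2 hosts.
    print("classful default for 192.168.10.5: /%d" % classful_prefix("192.168.10.5"))
    print("same /24 subnet?", same_subnet("192.168.10.5", "192.168.10.130", "255.255.255.0"))
    print("same /25 subnet?", same_subnet("192.168.10.5", "192.168.10.130", "255.255.255.128"))
    plan, leftovers = vlsm_allocate("192.168.10.0/24", [20, 100, 2, 50])
    for hosts, net in plan:
        print(f"{hosts:>4} hosts -> {net}  ({net.num_addresses - 2} usable)")
    print("unused:", [str(n) for n in leftovers])
```

The same two hosts that share a subnet under the classful /24 mask land in different subnets once a /25 mask is applied, which is exactly the decision the subnet mask entry describes. The allocator places the four requests at 192.168.10.0/25, .128/26, .192/27 and .224/30 and leaves three unused pieces; under classful rules the same four networks would have consumed four whole Class C blocks.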
W

Web Proxy
A Microsoft Proxy Server proxy protocol.

Windows File Protection (WFP)
A feature new to Windows 2000, the idea being that .sys, .dll, .ocx, .ttf, .fon, and .exe files installed in the Windows kernel directories (%systemroot%, %systemroot%\System32) cannot be overwritten. WFP writes an event to the event log upon detecting an attempt to overwrite a file in the kernel directories with one that does not have the same signature as the file already present. Even though the file is copied to the kernel directories, it is replaced by the original file, as obtained either from the DLLCache directory or from the original Windows 2000 CD. If Windows 2000 cannot find the file in either location, the administrator is prompted for a location of the file.

Windows Internet Name Service (WINS)
A network service for Microsoft networks that provides Windows computers with Internet numbers for specified NetBIOS computer names, facilitating browsing and intercommunication over TCP/IP networks.

WINIPCFG
A Windows 9x utility that allows administrators or users of computers to determine the computer’s current IP configuration.

WINS
See Windows Internet Name Service.

WINS proxy agent
A Windows 2000 component that relays broadcast NetBIOS name resolution requests in unicast mode across a router to a WINS server for name resolution services.

WINS server
The server that runs WINS and is used to resolve NetBIOS names to IP addresses.

Winsock
An abbreviation for Windows Sockets; an application programming interface (API) that was written so that developers could write TCP/IP interface code for Windows programs.

WINS-R
A resource record new to Windows 2000. This is a WINS reverse lookup record. This record says, “Check WINS for an address, then do a reverse lookup on it to retrieve its FQDN.”

workgroup
In Microsoft networks, a collection of related computers, such as those used in a department, that do not require the uniform security and coordination of a domain. Workgroups are characterized by decentralized management, as opposed to the centralized management that domains use.

workgroup application
An application that is used by a small number of users on the network. An example would be an accounting application that only accountants need access to. Contrast with enterprise application.

Z

zone(s)
A DNS term for a group of records that share a namespace. A zone can contain a few records, a domain, or multiple domains, as long as the namespace for each host is common.