Exam 70-219 - Designing a Microsoft® Windows®
2000 Directory Services
Infrastructure
Analyzing Business Requirements
It is important
to identify the business model in place for a number of
reasons. Key among them is the fact that similar businesses
often have similar needs and requirements. Knowing the
geographic scope can help define the infrastructure employed
by the IT department. The geographic models and scopes can be
summarized as
Model
|
Comment
|
Regional
|
When implementing technologies that are within
companies restricted to regional boundaries, you can
often pay less attention to such things as international
translations than you would with different models.
|
National
|
Of a grander scale than regional, you can still
often overlook many factors such as international
regulations
|
International
|
Importance must be paid to translations,
regulations, laws, and representatives from all
countries should be involved in IT decision-making
processes
|
Subsidiary
|
When working with a subsidiary of a larger
conglomerate, make certain that approval for the
solution generated will be acceptable to the parent
company
|
Branch office
|
You must go to lengths to verify that solutions
implemented here work with technologies employed
throughout the rest of the company
|
During the design phase, it is important to ask
such questions as
-
Who is in charge of each department?
-
Who manages user accounts (are central polices used)?
-
Who manages resource accounts?
-
How is administration divided?
-
Who must sign-off on purchases and policies?
All processes employed by the company should be
documented and diagrammed. Of key importance are company
processes related to
Process
|
Comment
|
Information flow
|
This typically follows the organization chart,
but can differ with geographic breaks
|
Communication flow
|
It differs from information in that it often
lacks formal structure and comes about as a result of
communication with others (customers, vendors, etc.)
|
Service/Product lifecycles
|
Consider the lifespan of the product: this
differs for each product. A computer book may be
expected to last 12 months, while a weekly magazine has
a lifespan on only 1/52nd of that.
|
Decision-making
|
This can follow the organizational chart, or be
completely dispersed if the company practices
empowerment.
|
It is important to analyze existing and planned
organizational structures when deciding business requirements.
These categories can break down into the following key areas
-
Management model - determine if you are dealing with a
family-owned, privately held business, or a public company
with a CEO and Board of Directors. In the latter, operation
and ownership become separate, and can be driven by the need
for profit and quick solutions versus long-term planning.
Different risk models can be associated with different
management models.
-
Company organization - some organizations are divided by
products (transmissions in one division, four-wheel-drive
axles in another, etc.), while other organizations divide
operations and responsibilities purely on geographic terms.
-
Vendor/partner/customer relationships - know the contact
points and whether web presence is offered on an Internet,
intranet, and/or extranet basis.
-
Acquisition plans - is the company you are designing a
solution for actively seeking acquisitions (meaning you must
plan for future growth), or are they a likely acquisition
target?
Factors that can influence company strategies
are many. For the exam, you should know the following five
-
Company priorities - never assume these are constant.
They can change with management teams, market shifts, etc.
-
Projected growth and growth strategy - how is expansion
accomplished (acquisition, divestiture, franchises, and so
on)
-
Relevant laws and regulations - these are always subject
to change, and must be watched carefully. Is the company in
a high-profile position (such as house arrest) to be greatly
affected by new legislation? Do they work with encryption,
spamming, or other areas popular with lawmakers? Are there
local laws, or international laws, that can affect the
organization?
-
Company's tolerance for risk - how does the company
weigh risk against profit: vulnerability against value? Do
they employ basic security devices on sites, such as
firewalls, SSL (Secure Sockets Layer), and such? Do they
employ physical security at the facility such as card
readers, badges, and the like? Do they insist new employees
receive training, or are they turned loose for on-the-job
training in all instances?
-
Total cots of operations - what is the value of the
company's data; of the IT staff's budget; of having server
access 24 hours a day versus 8, etc.? Microsoft uses seven
categories to group budgeted costs: Hardware and software
costs, Management costs, Development costs, Support costs,
Communication costs, End-user costs, and Downtime
costs.
The structure of IT management should weigh
heavily in the analysis of business requirements. Factors that
help understand the management structure are shown in the
following table
IT Factors
|
Comment
|
Administration type
|
This can be centralized or decentralized. A
classic example of the former would be a segment of
government such as HUD or OSHA. All administrators are
stationed in Washington, D.C., while branch offices
exist throughout the United States. Whenever a branch
office needs administration, such as installing new
software, it is done remotely (often through SMS). With
a decentralized model, an administrator(s) is stationed
at each branch office to handle the needs at that
office.
Hybrid
administration has most of the functions performed at a
central location, but one or more key contact people are
on site for handling lesser responsibilities.
|
Funding model
|
Funding can be crucial in implementing
technologies. If the IT department is run as a profit
center, then departments they administer are charged for
services provided: this can be useful in acquiring new
software and distributing the cost among many
departments who can benefit from it. If the IT
department is run as a cost center - a fixed cost that
appears as a liability on the business sheets, then it
can be more difficult to gain approval to spend
additional dollars beyond those already allotted for a
set time period.
|
Outsourcing
|
Outsourcing is often used because certain needs
must be met that cannot be done internally. These can
include the need for IT professionals in a tight labor
market, the need for occasional service at branch
offices, international/temporary needs, and so on. While
outsourcing is a good way to solve such issues, it can
present problems down the road when you cannot find the
group who implemented a solution because they have moved
on, and the solution now has problems.
|
Decision-making process
|
Does the Chief Technology Officer need to approve
all expenditures, or can they be signed-off on at a
lower level. Does the CTO need to approve all solutions,
or does he/she make certain that the solution one
department generates is adopted by other departments? Is
there autonomy within the divisions, or do they work
together to contribute to decisions that affect all?
|
Change management
|
Is there a structure in place or not? When
changes occur, what is the procedure followed? If there
is no procedure, chaos can result. If there is too much
of a procedure, no change will ever occur.
|
Analyzing Technical Requirements
When evaluating the company's technical
environment, always factor in the existing as well as the
planned environment, and differences between the two. Be sure
to look at the following factors
Technical Factors
|
Comment
|
Company size
|
The geographic scope as well as the owner or
organization responsible for the company
|
User and resource distribution
|
Where are the users - how are the serviced (DNS, WINS, DHCP, etc.)? How do they reach the
resources (servers, printers, and such) they need (hubs,
switches, routers, bridges, modems, proxy servers...)
|
Connectivity between sites
|
What bandwidth is employed? Are there leased
lines, or dial-up connections (with or without multilink
see KB# QB235610))?
What are the
topologies employed (Star versus Mesh)?
|
Performance requirements
|
Are users connecting only for authentication, or
for the entire session (such as with Terminal Server).
Find out the peak utilization, the type of circuits
used, requirements of applications, and so on.
During this
analysis, it is important to identify any bottlenecks
and create a baseline from which to judge future
modifications.
|
Access patterns
|
Are all the resources centralized, or are they
disbursed? When users need to access a resource, is it
within their LAN 80% of the time, or only 20% (meaning
they access the WAN 80% of the time)?
Do users go
through firewalls, and/or do they use encryption. If
they do use encryption, is it for the password, the data
or both?
Authentication can be accomplished through the
use of the following, which may be used in conjunction
with one another (KB #Q227815)
-
CHAP - Challenge Handshake Authentication Protocol
- one-step above PAP in that it does not use
clear-text passwords
-
EAP- Extensible Authentication Protocol - the
client and the server negotiate the protocol that will
be used, in much the same way that networking
protocols are determined. Possible choices include
one-time passwords, username/password combinations, or
access tokens.
-
MS-CHAP - Microsoft Challenge Handshake
Authentication Protocol - requires the client to be
using a Microsoft operating system (version 2), or a
small handful of other compatible OSes (version 1)
-
PAP - Password Authentication Protocol - uses a
plain-text password authentication method and should
only be used if the clients you support cannot handle
encryption
-
SPAP - Shiva Password Authentication Protocol - a
shade above PAP, it is there for
backward-compatibility and is not favored for new
installations |
Network roles and responsibilities
|
Roles can be defined as administrative, or
associated with a user, a service or other.
Administrative roles are those predefined by the
operating system with additional responsibilities above
a user. Examples include:
-
Administrator
-
Backup operator
-
Server operator
User roles simply have the right to logon and use
the network resources. Service roles run as services,
without user interaction, in the operating system. Other
roles include being an application, a group, or owner.
|
Security Considerations
|
What are the needs of the organization, and what
operating systems does the organization support? Can
everything standardize upon TCP/IP (which offers the
ability to use numerous security features like IPSec and filters), or must NetBEUI
(insecure) be used, along with NWLink (IPX/SPX-compatible transport - (KB# Q203051) and other protocols)?
Is it
possible to use Kerberos, RADIUS, and EFS (Encrypting File System)? Must all
solutions work with third-party tools?
The most
effective means of implementing security with Windows
2000 clients is through the use of Group Policies.
|
Speeds employed on WANs differ by technologies.
The most common technologies, and their associated speeds,
are:
Analog
|
Traditional modem – requires a single phone line
for a connection and is limited in speed to around
57,600bps
|
ISDN
|
Integrated Services Digital Network, requires two
phone lines, and can reach a speed around 128,000bps
|
DSL
|
Digital Subscriber Line, uses existing phone
lines (copper), and is available only in certain areas.
You must be within a short distance of a switching
station, and speeds can reach 9Mbps
|
Cable
|
Works with the coaxial from the cable TV company
and speeds is reduced with the number of users, but is
approximately 2Mbps
|
T1/E1
|
a T1 is a dedicated line that operates across 24
channels at 1.544Mbps. E1 is the European counterpart:
it uses 32 channels and can run at 2.048Mbps
|
T3/E3
|
A T3 is a dedicated line of 672 channels (E3 is
the European counterpart) able to run at speeds of
43Mbps
|
When deciding to implement Active Directory of
an existing or planned network, it is important to detail the
possible impact of so doing. The impact should be calculated
in terms of
-
Existing systems and applications - for example, current
DNS servers will need to support SRV records
-
Existing and planned upgrades and rollouts - identify
those that are in the works and calculate any impact AD
could have on them
-
Technical Support structure - know what is there now
(internal versus external), and make certain they will
understand any changes that will happened before they
happen. Verify that there is a budget for any training that
needs to be done and that all relevant decision-makers are
in agreement on the need to support the existing support
staff
-
Existing and planned network and systems management -
this should be viewed in terms of the security policy, any
and all network tools used for management, monitoring, and
analysis
-
Client needs - not only their work needs, but also their
support requirements.
Designing a Directory Service
Architecture
Active Directory is a naming scheme that follows
the path Forest, Tree(s), Domains (see Active Directory Architecture). A forest can
consist of a single domain, or multiple domains (therefore, by
definition, a single domain can also be a tree). A tree is a
contiguous namespace, meaning the child has the parent as part
of its name. Each tree has its own identity within the forest.
A domain is an administrative as well as
security boundary since administrative privileges do not
extend past domain boundaries. The simplest network is one
with one domain. Reasons for creating additional domains would
include
-
To isolate replication traffic
-
To retain existing NT domain structures
-
To support decentralized administration
-
To support international boundaries
-
To support more than one domain policy
Domains contain objects, or Organizational Units
(OUs). An OU is a container for organizing objects within a
domain into logical sub-groupings. Reasons for creating OUs
include
Active Directory names are equivalent to DNS
names and use the SRV records of DNS to store information
about services and thus create "dynamic DNS". The first
division of DNS is into domains. The InterNIC (Internet
Network Information Center) controls top-level domains, which
are summarized in the following table
Name
|
Type of Organization
|
Com
|
Commercial organizations
|
Edu
|
Educational institutions
|
Org
|
Non-profit organizations
|
Net
|
Networks (the backbone of the Internet)
|
Gov
|
Non-military government organizations
|
Mil
|
Military government organizations
|
Num
|
Phone numbers
|
Arpa
|
Reverse DNS
|
Xx
|
Two-letter country code, such a "ca" for Canada,
"uk" for United Kingdom, etc.
|
To refer to a host in a domain, you use a fully
qualified domain name (FQDN). The Relative Distinguished Name
is the host name of the computer, while the User Principal
Name consists of a user logon name and a domain name
identifying the domain in which the user account is located.
Windows 2000 uses a multi-master replication
model, and the primary unit of replication is the domain. When
domain controllers need to replicate, they examine the values
of their Update Sequence Number (USN) for each object, and
only replicate the attributes whose objects contain differing
USN’s. A site (comprised of one or more physical subnets) is a
way to create replication boundaries within the Active
Directory. Working at the physical layer, a site can consist
of multiple domains, and domains can operate in multiple
sites.
The purpose of the Knowledge Consistency Checker
(KCC) is to generate a replication topology for both
intra-site and inter-site replication. Within a site,
replication traffic is done via Remote Procedure Calls over
IP, while between sites it is done through either RPC or SMTP
(see "How to Optimize Active Directory Replication in a
Large Network", KB# Q244368)
Site link bridges are used to connect sites
together and model the routing behavior of a network.
There is only one schema per Windows 2000
forest, and it is maintained forest-wide by virtue of being
stored on every domain controller. Throughout the forest,
though, there is only one write-able copy of the schema – held
by the Schema Operations Master. Modifying the schema is an
irreversible operation, thus schema modification is disabled
by default on all domain controllers and only members of the
Schema Admins group can make changes.
The schema container holds all the definitions
required to view the objects in the directory, and each is
identified by a globally unique number known as the Object
Identifier (OID). You can view Schema contents using the
Active Directory Schema MMC snap-in, or the ADSIedit MMC
utility.
Designing Service Locations
There are five Operations Master roles
-
*Domain Naming Master - allows additions and removals of
domains in the forest
-
Infrastructure Master - updates group-to-user references
when changes occur
-
PDC Emulator - used with older clients
-
RID Master - Relative ID Master - issues IDs to domain
controllers as needed
-
*Schema Master - controls all updates to the
schema
Operations Master placement (see KB# Q223346) is crucial to load balancing and
fault tolerance. It is also important to convert domain
controllers to native mode (non-Windows NT 4.0) enhance Active
Directory Performance. The two roles identified by an asterisk
are limited to only one controller within the forest, while
the other three are per domain roles.
Global Catalog Servers (see KB# Q232517) should be placed in locations to
reduce traffic and help with load balancing and fault
tolerance, as well. The first Global Catalog Server is created
automatically with the first domain controller within the
forest. Active Directory Sites and Services - an MMC snap-in
(see Step-by-Step Guide to Active Directory Sites and
Services) - allows you to change the role of the GCS to
another domain controller. In areas where bandwidth is at a
premium, a GCS can be configured to only receive updates after
hours. For speed reasons, a GCS should be created at each
site.
Domain controllers should be created for fault
tolerance and functionality, as needed. It is recommended that
the infrastructure master be placed on a domain controller
that is not the global catalog server to even the load and
separate the burden of each role.
DNS servers can be running Windows 2000, or
other operating systems, provided they accept SRV records.
When you install Active Directory, you must identify a DNS
server. If you cannot do so, the Active Directory Installation
Wizard will prompt you to convert the existing machine into a
DNS server as well.
Active Directory is created to be scalable and
interoperate with other name services (see Active Directory Interoperblity and
Metadirectory Overview).
Tools to Know
Active Directory Migration Tool (see Active Directory Migration Tool
Overview)
|
Migrate from Windows NT 4.0 to Windows 2000 with
Active Directory
|
ADSIedit
|
view the Active Directory Schema
|
Movetree
|
move objects within a forest
|
NTDSUTIL.EXE (see KB# Q255504)
|
perform many Active Directory administration
tasks
|
REPAdmin (see KB# Q229896)
|
work with replication between partners
|
REPLMON (see KB# Q232072)
|
show the replication topology
|
|