DCs perform Windows 2000 authentication. A key part of your security design is ensuring that Windows 2000 DCs are readily available to clients when they require DC services. This lesson looks at server placement issues that affect authentication.
After this lesson, you will be able to
Estimated lesson time: 45 minutes
When you're planning server placement for authentication services, the only servers to consider are those that play a part in the authentication process. These include
DNS servers act as the locator service in a Windows 2000 network. To ensure that DNS services are available on all portions of the network, you must use a DNS server that contains zone information for all domains located at each remote site. In other words, you want to make sure that each site has a locally accessible DNS server. This ensures that if the network link goes down, DNS services are still available. Of course, the DNS server must also be hosting the zone data for the domains located at that site.
In addition, you must ensure that the _msdcs.forestrootdomain zone is also available at all remote sites because the following information is stored within this zone:
If the DNS service can't be contacted, the Windows 2000–based client computers won't be able to find the nearest KDC for authentication. The user at the Windows 2000–based computer will use cached credentials if he has successfully authenticated before. Otherwise, the logon attempt will fail.
WARNING
If there are clients on the network that aren't Windows 2000–based, or if there are down-level clients with the DSClient software installed, you probably need to deploy WINS for NetBIOS name resolution. Make sure that a locally accessible WINS server is at each remote site and that WINS replication is correctly configured so that clients can authenticate with remote DCs if necessary.
When designing your Windows 2000 network for authentication, you must configure the DNS service to provide the following:
Market Florist's current network design doesn't have sufficient DNS coverage should WAN links be unavailable. To prevent the loss of DNS access in the event of a WAN link failure, you should add the following components to the Market Florist network, as shown in Figure 3.11.
Figure 3.11 The recommended DNS configuration for Market Florist
DCs host the KDC service for Windows 2000. When a user authenticates with the network, she attempts to authenticate with a local DC. If a local DC is unavailable, the site link costs are checked to determine which is the closest site to the current site, based on the lowest cost.
To ensure that clients authenticate locally, place at least two DCs at each remote site. If there are no client computers or users at a remote site for a specific domain, there's no reason to deploy a DC for that domain at that remote site. Remember that if the WAN link goes down, users are restricted to logging on to the network with cached credentials. This can result in users accessing the network with group memberships that have changed since the last successful logon attempt.
Each of Market Florist's four sites has at least two DCs. Their presence ensures that all authentications for the local domain won't occur over the WAN. By installing the DSClient software on all Windows 95 and Windows NT 4.0 clients, Market Florist also ensures that all password changes can be made to local DCs, rather than to the PDC emulator for the domain.
Global catalog servers are contacted during the following authentication scenarios:
NOTE
In two cases a global catalog server isn't required for authentication purposes. The first is when the forest has only a single domain. Because there's only a single domain, all universal group memberships can be determined by querying the domain itself. The second is when a domain is in mixed mode. Universal security groups don't exist in a mixed mode domain, so there's no need to enumerate universal security groups.
To ensure that global catalog servers are available for authentication purposes, consider the following when placing global catalog servers:
NOTE
To configure a DC as a global catalog server, you must use the Active Directory Sites And Services console. By editing the properties of the NTDS Settings object for a DC, you can enable the Global Catalog check box.
Market Florist's current network design has no local global catalog servers at the Winnipeg and Monterrey sites. At least one DC at each of the sites should be configured as a global catalog server to ensure that global catalog access isn't taking place over the WAN. If the WAN link became unavailable, all Windows 2000 clients would be authenticated using cached credentials.
In addition, the local DNS servers at each site should have a replica of the _msdcs.marketflorist.tld domain to ensure that authenticating clients can find a local global catalog server.
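As an added example that is not part of the lesson, the following Python models the placement rules described above for DNS zones, DC count and global catalog presence, and computes the lowest-cost fallback site the way the lesson describes for a client whose local site lacks a service. The site names and the marketflorist.tld forest come from the lesson; the DC counts, zone lists, child-domain placeholder names and site-link costs are constructed assumptions.

```python
import heapq

# Constructed inventory for the Market Florist scenario: site and forest names come
# from the lesson; DC counts, zones, child-domain names and link costs are assumptions.
MSDCS = "_msdcs.marketflorist.tld"  # holds the GC and KDC SRV records clients need
SITES = {  # site: (local domain, GC present?, DC count, DNS zones held locally)
    "Seattle": ("marketflorist.tld", True, 2, {"marketflorist.tld", MSDCS}),
    "San Francisco": ("marketflorist.tld", True, 2, {"marketflorist.tld"}),
    "Winnipeg": ("winnipeg-domain.example", False, 2, {"winnipeg-domain.example"}),
    "Monterrey": ("monterrey-domain.example", False, 2, {"monterrey-domain.example"}),
}
LINKS = [  # site links with costs (assumed); lower cost means "closer"
    ("Seattle", "San Francisco", 100), ("Seattle", "Winnipeg", 200),
    ("Seattle", "Monterrey", 300), ("San Francisco", "Monterrey", 250),
]

def site_findings(site):
    """Apply the lesson's placement rules to one site and return what is missing."""
    domain, has_gc, dc_count, zones = SITES[site]
    findings = []
    if dc_count < 2:
        findings.append(f"fewer than two DCs for {domain}")
    if domain not in zones:
        findings.append(f"no local DNS replica of {domain}")
    if MSDCS not in zones:  # without it, clients cannot locate a KDC or GC when the WAN is down
        findings.append(f"no local DNS replica of {MSDCS}")
    if not has_gc:
        findings.append("no local global catalog server")
    return findings

def closest_site_with(start, wanted):
    """Lowest-cost site (Dijkstra over LINKS) where wanted(site) holds, as a model of
    the fallback the lesson describes when the local site lacks a service."""
    adj = {}
    for a, b, cost in LINKS:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    best, heap = {start: 0}, [(0, start)]
    while heap:
        cost, site = heapq.heappop(heap)
        if cost > best[site]:
            continue
        if site != start and wanted(site):
            return site, cost
        for nxt, c in adj.get(site, []):
            if cost + c < best.get(nxt, float("inf")):
                best[nxt] = cost + c
                heapq.heappush(heap, (cost + c, nxt))
    return None, None

def has_gc(site):
    return SITES[site][1]
```

With the constructed data, Winnipeg and Monterrey report the missing _msdcs replica and missing global catalog server, and their global catalog lookups fall back to Seattle and San Francisco respectively across the WAN.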
Windows NT 4.0, Windows 95, and Windows 98 clients connect to the PDC emulator for password changes, and Windows 95 and Windows 98 clients will connect to the PDC emulator for system policy application by default. If the DSClient software isn't installed on all Windows 95, Windows 98, and Windows NT client workstations, these clients will continue to depend on the PDC emulator for domain browse master functions, password changes, and system policy application.
To reduce the dependency on the PDC emulator, you can take the following actions:
The Market Florist network must ensure the quick deployment of the DSClient software to the client computers. The location that will benefit most from the DSClient software is the San Francisco site, because the PDC emulator for the marketflorist.tld domain is located at the Seattle site, and without the DSClient software all Windows 95 and Windows NT 4.0 clients in San Francisco will perform password changes across the WAN link to Seattle.
This isn't as much of an issue at the Monterrey and Winnipeg locations, because the PDC emulator for those domains will be located on the local network.
Server placement is the key design point for authentication services in a Windows 2000 network. Your design must include the placement of DNS servers, domain controllers, global catalog servers, and the PDC emulator to ensure that authentication requests are handled in a timely manner. If the services can't be contacted, it can result in logons with cached credentials and, in the worst case, failed logons.
Make sure that your network design includes the necessary services at each large site on the network. There will be cases where a site is too small to require localized network services, but make sure that your business and technical objectives allow for the risk of WAN-based authentication.