Lesson 5: Planning Server Placement for Authentication

DCs perform Windows 2000 authentication. A key part of your security design is ensuring that Windows 2000 DCs are readily available to clients when they require DC services. This lesson looks at server placement issues that affect authentication.

After this lesson, you will be able to

  • Design the optimal placement of Windows 2000 servers for authentication performance and reliability

Estimated lesson time: 45 minutes

Determining Server Placement for Authentication

When you're planning server placement for authentication services, the only servers to consider are those that play a part in the authentication process. These include

  • DNS servers
  • DCs
  • Global catalog servers
  • The PDC emulator

Planning DNS Server Placement

DNS servers act as the locator service in a Windows 2000 network. To ensure that DNS services are available on all portions of the network, each remote site needs a locally accessible DNS server that hosts the zone information for the domains located at that site. This ensures that if the network link goes down, DNS services are still available. Of course, the DNS server must actually be hosting the zone data for the domains located at that site; a local server that only forwards queries across the WAN doesn't help.

In addition, you must ensure that the _msdcs.forestrootdomain zone is also available at all remote sites because the following information is stored within this zone:

  • All global catalog servers in the forest. DNS doesn't store the global catalog server SRV resource records on a per-domain basis. They're all stored in the forest root domain, because a global catalog server serves the whole forest; what matters when locating one is which site it's in, not which domain it belongs to.
  • The Globally Unique Identifier (GUID) representation of each domain. In future versions of Windows 2000, it will be possible to rename domains. If the domain name is renamed, the GUID host record can be referenced to find the renamed domain.
  • The GUID representation of each DC. DCs find replication partners based on the DC's GUID, not on the DC's DNS fully qualified domain name.

If the DNS service can't be contacted, the Windows 2000–based client computers won't be able to find the nearest KDC for authentication. The user at the Windows 2000–based computer will use cached credentials if he has successfully authenticated before. Otherwise, the logon attempt will fail.

If there are clients on the network that aren't Windows 2000–based, or if there are down-level clients with the DSClient software installed, you probably need to deploy WINS for NetBIOS name resolution. Make sure that a locally accessible WINS server is at each remote site and that WINS replication is correctly configured so that clients can authenticate with remote DCs if necessary.

Making the Decision

When designing your Windows 2000 network for authentication, you must configure the DNS service to provide the following:

  • A DNS server should be located at each remote site to ensure DNS lookup capabilities for all clients if the WAN link to a central site is down.
  • Each domain must have at least two DNS servers to provide fault tolerance in the event of server or WAN link failure.
  • The DNS service at each site must contain zone information for all domains that must be accessed at that site. If clients can authenticate with two different domains at a site, DNS services should have replicas of the zones for those two domains hosted at a local DNS server.
  • All global catalog resource records are stored in the forest root domain. Each DNS server in a forest should have a replica of the _msdcs.forestrootdomain zone to ensure that the local DNS server can resolve global catalog (_gc) resource records.

Applying the Decision

Market Florist's current network design doesn't have sufficient DNS coverage should WAN links be unavailable. To prevent the loss of DNS access in the event of a WAN link failure, you should add the following components to the Market Florist network, as shown in Figure 3.11.


Figure 3.11 The recommended DNS configuration for Market Florist

  • The DNS servers at the Seattle site should configure the _msdcs.marketflorist.tld domain as a separate Active Directory–integrated zone to allow the zone to be replicated to child domains for the purpose of locating global catalog servers.
  • A DC at the San Francisco site should be configured as a DNS server. By using Active Directory–integrated zones, the DNS server would have a full replica of the forest root domain. For fault tolerance, the second DC can also be configured as a DNS server.
  • A second DC in the ca.marketflorist.tld domain should be configured as a DNS server to provide fault tolerance of the ca.marketflorist.tld domain.
  • The two DNS servers at the Winnipeg site should be configured as secondaries of the _msdcs.marketflorist.tld domain.
  • The second DC in the mx.marketflorist.tld domain should be configured as a DNS server to provide fault tolerance of the mx.marketflorist.tld domain.
  • The two DNS servers at the Monterrey site should be configured as secondaries of the _msdcs.marketflorist.tld domain.
  • All Windows 95, Windows NT, and Windows 2000 clients should be configured to use the two DNS servers at their site as their primary and secondary DNS servers. This can be configured either locally at each client computer or by using DHCP to assign the correct DNS IP addresses based on IP address scope.

Planning DC Placement

DCs host the KDC service for Windows 2000. When a user authenticates with the network, she attempts to authenticate with a local DC. If a local DC is unavailable, the site link costs are checked to determine which is the closest site to the current site, based on the lowest cost.

Making the Decision

To ensure that clients authenticate locally, place at least two DCs at each remote site. If there are no client computers or users at a remote site for a specific domain, there's no reason to deploy a DC for that domain at that remote site. Remember that if the WAN link goes down, users are restricted to logging on to the network with cached credentials. This can result in users accessing the network with group memberships that have changed since the last successful logon attempt.

Applying the Decision

Each of Market Florist's four sites has at least two DCs. Their presence ensures that authentications for the local domain won't occur over the WAN. By installing the DSClient software on all Windows 95 and Windows NT 4.0 clients, Market Florist also ensures that all password changes can be made at local DCs, rather than at the PDC emulator for the domain.

Planning Global Catalog Server Placement

Global catalog servers are contacted during the following authentication scenarios:

  • When the domain is in native mode, the authenticating DC contacts a global catalog server to determine if the authenticating user is a member of any universal groups. If a global catalog server can't be contacted, the user must be authenticated with cached credentials. The reason is that there might be explicit deny permission assignments for universal groups that the user is a member of.

    In two cases a global catalog server isn't required for authentication purposes. The first is when the forest has only a single domain. Because there's only a single domain, all universal group memberships can be determined by querying the domain itself. The second is when a domain is in mixed mode. Universal security groups don't exist in a mixed mode domain, so there's no need to enumerate universal security groups.

  • When a user logs on at a Windows 2000–based computer using a User Principal Name (UPN), the global catalog is referenced to determine the account that's associated with the UPN. If a global catalog server is unavailable, the user will fail the authentication.

Making the Decision

To ensure that global catalog servers are available for authentication purposes, consider the following when placing global catalog servers:

  • Locate at least one global catalog server at each site. This ensures that clients will be able to contact a local global catalog server if the WAN link is unavailable. There's no additional WAN replication cost if additional global catalog servers are placed at the remote site. At each site one global catalog server will be nominated as the bridgehead server for global catalog replication. There won't be extra intersite replication related to the global catalog server.

    To configure a DC as a global catalog server you must use the Active Directory Sites And Services console. By editing the properties for the NTDS Settings for a DC, you can enable the Global Catalog check box.

  • Ensure that the _msdcs.forestrootdomain DNS domain is available at all remote sites on a local DNS server. This ensures that the SRV resource records associated with global catalog servers are available when the WAN link isn't. You can implement the _msdcs.forestrootdomain DNS domain as an Active Directory–integrated zone in the forest root domain and as a secondary DNS zone in all other domains in the forest.
  • Even in a single-domain environment, you must designate global catalog servers. Any LDAP queries against the entire forest will be sent to a global catalog server listening on TCP port 3268. TCP port 3268 is only available on a DC when it's configured as a global catalog server.
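As an added check (not from the training kit) that the DNS placement decisions earlier in this lesson and the global catalog placement decisions above actually hold, the following PowerShell script asks a site's local DNS server for the site-specific KDC and DC locator records of each domain authenticated at that site and for the global catalog records under _msdcs of the forest root, then tests TCP port 3268 on every listed global catalog server. The site names, the domain-to-site plan and the DNS server address are assumptions, and the script needs a Windows 8 / Windows Server 2012 or later host, where Resolve-DnsName and Test-NetConnection exist.

```powershell
# Added verification script (not from the training kit). Run from a Windows 8 /
# Server 2012 or later host, where Resolve-DnsName and Test-NetConnection exist.
# It queries the site-specific SRV records a client in each site looks for first
# and confirms that a local global catalog answers on TCP 3268.
$Forest    = 'marketflorist.tld'
$DnsServer = '192.0.2.10'   # ASSUMED address of the DNS server local to the site
# Constructed placement plan: which domains authenticate users at which site
$Plan = @{
    'Seattle'      = @('marketflorist.tld')
    'SanFrancisco' = @('marketflorist.tld')
    'Winnipeg'     = @('ca.marketflorist.tld')
    'Monterrey'    = @('mx.marketflorist.tld')
}

function Get-SrvRecord([string]$Name) {
    # NXDOMAIN or an unreachable DNS server both mean "no local record"
    try {
        Resolve-DnsName -Name $Name -Type SRV -Server $DnsServer -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' }
    } catch { @() }
}

function New-Finding($Site, $Domain, $Role, $Name, $Records, [bool]$Ok) {
    [pscustomobject]@{ Site = $Site; Domain = $Domain; Role = $Role
                       Count = @($Records).Count; Ok = $Ok; Record = $Name }
}

$Findings = @(foreach ($Site in $Plan.Keys) {
    foreach ($Domain in $Plan[$Site]) {
        # KDC and DC locator records are registered per domain, per site;
        # the lesson calls for two DCs per site, hence Count -ge 2
        foreach ($Pair in @(@('KDC', "_kerberos._tcp.$Site._sites.$Domain"),
                            @('DC',  "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"))) {
            $R = @(Get-SrvRecord $Pair[1])
            New-Finding $Site $Domain $Pair[0] $Pair[1] $R ($R.Count -ge 2)
        }
    }
    # Global catalog records live under _msdcs of the forest root, not under the
    # site's own domain, so the local DNS server must hold a copy of that zone
    $GcName = "_ldap._tcp.$Site._sites.gc._msdcs.$Forest"
    $Gc     = @(Get-SrvRecord $GcName)
    $PortOk = @(foreach ($Rec in $Gc) {
        (Test-NetConnection -ComputerName $Rec.NameTarget -Port 3268 -WarningAction SilentlyContinue).TcpTestSucceeded })
    $AllUp  = ($Gc.Count -ge 1) -and (@($PortOk | Where-Object { $_ -eq $true }).Count -eq $Gc.Count)
    New-Finding $Site $Forest 'GC' $GcName $Gc $AllUp
})
$Findings | Sort-Object Site, Role | Format-Table Site, Domain, Role, Count, Ok, Record -AutoSize
```

A site whose KDC or DC rows show a Count below 2, or whose GC row shows Ok as False, is one where users fall back to cached credentials as soon as the WAN link drops.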

Applying the Decision

Market Florist's current network design has no local global catalog servers at the Winnipeg and Monterrey sites. At least one DC at each of the sites should be configured as a global catalog server to ensure that global catalog access isn't taking place over the WAN. If the WAN link became unavailable, all Windows 2000 clients would be authenticated using cached credentials.

In addition, the local DNS servers at each site should have a replica of the _msdcs.marketflorist.tld domain to ensure that authenticating clients can find a local global catalog server.

Planning PDC Emulator Placement

Windows NT 4.0, Windows 95, and Windows 98 clients connect to the PDC emulator for password changes, and Windows 95 and Windows 98 clients will connect to the PDC emulator for system policy application by default. If the DSClient software isn't installed on all Windows 95, Windows 98, and Windows NT client workstations, these clients will continue to depend on the PDC emulator for domain browse master functions, password changes, and system policy application.

Making the Decision

To reduce the dependency on the PDC emulator, you can take the following actions:

  • Install the DSClient software so that Windows NT 4.0, Windows 95, and Windows 98 clients aren't as dependent on the PDC emulator for password changes. With the DSClient software loaded, down-level clients can change their passwords at any available DC.
  • Ensure that system policy is configured to load balance the application of Group Policy as discussed earlier in this chapter. This ensures that system policy is applied from the authenticating DC, not the PDC emulator.
  • Upgrade all Windows NT 4.0 BDCs to Windows 2000 DCs as soon as possible. Windows 2000 DCs use multimaster replication instead of depending on the PDC emulator for all Active Directory database changes.
  • If the DSClient software isn't deployed, ensure that the PDC emulator is on a central portion of the network that's easily accessible from all remote sites.

Applying the Decision

The Market Florist network must ensure the quick deployment of the DSClient software to the client computers. The location that will benefit most from the DSClient software is the San Francisco site, because the PDC emulator for the marketflorist.tld domain is located at the Seattle site, and without the DSClient software installed all Windows 95 and Windows NT 4.0 clients in San Francisco will perform password changes across the WAN link to Seattle.

This isn't as much of an issue at the Monterrey and Winnipeg locations, because the PDC emulator for those domains will be located on the local network.

Lesson Summary

Server placement is the key design point for authentication services in a Windows 2000 network. Your design must include the placement of DNS servers, domain controllers, global catalog servers, and the PDC emulator to ensure that authentication requests are handled in a timely manner. If the services can't be contacted, it can result in logons with cached credentials and, in the worst case, failed logons.

Make sure that your network design includes the necessary services at each large site on the network. There will be cases where a site is too small to require localized network services, but make sure that your business and technical objectives allow for the risk of WAN-based authentication.

Microsoft Corporation - MCSE Training Kit (Exam 70-220. Designing Microsoft Windows 2000 Network Security)
ISBN: 0735611343
Year: 2001
Pages: 172
