This lab prepares you to design authentication for a Windows 2000 network by meeting the following objectives:
This lab looks at designing authentication for a Windows 2000 network that contains Windows 2000, Windows NT, Windows 98, and Windows for Workgroups clients. The network consists of multiple sites that are connected by dedicated WAN links.
Make sure you've completed reading the chapter material before starting the lab. For hints on how to design authentication security, pay close attention to the sections where the design decisions were applied throughout the chapter.
Contoso Ltd., an international magazine sales company, wants to ensure that the highest form of security is used for authentication on its corporate network. You have been asked to design the Windows 2000 network to ensure that security is maintained during the authentication process.
The network is configured into three native-mode domains, as shown in Figure 3.13.
Figure 3.13 The Contoso Ltd. domain structure
Contoso uses a centralized management approach for Windows 2000 operation masters. The PDC emulator role for each domain is maintained on a domain controller at the London location. This ensures that the forest-wide administrators in London have ready access to the operation masters.
In addition to the corporate offices in London, Seattle, and Lima, there's an East Coast office in Tampa. The Tampa office users authenticate with the seattle.contoso.tld domain. The WAN links between the offices are configured as shown in Figure 3.14.
Figure 3.14 WAN links for the Contoso Ltd. office
The network currently has network servers deployed as shown in the table below.
|Seattle||Three DCs for the seattle.contoso.tld domain are located at the Seattle office. One of the DCs is configured as a global catalog server for the Seattle site.|
|Tampa||There are no DCs at the Tampa office.|
|London||Two DCs for the contoso.tld, seattle.contoso.tld, lima.contoso.tld, and london.contoso.tld domains are at the London location. The PDC emulators for all four domains are at this location. Two DCs are configured as global catalog servers for the London site. Two DCs in the contoso.tld domain are configured as DNS servers. The DNS servers are authoritative for the contoso.tld domain and all subdomains.|
|Lima||Two DCs for the lima.contoso.tld domain are located at the Lima office.|
Within Contoso, each office has a mix of Windows 2000, Windows NT 4.0, and Windows 98 client computers. The Lima office also has 10 Windows for Workgroups 3.11 client computers deployed. Each office has fewer than 1000 users. The Windows NT 4.0 Workstation computers have Windows NT 4.0 Service Pack 3 applied, and the Windows 98 clients don't have any service packs applied.
In all cases, both the computer and user accounts are located in the domain defined for the site in order to reduce authentication over WAN links.
This exercise will look at the design of Windows 2000 client authentication. Each of the Contoso network's four sites has Windows 2000 client computers that will require secure access to the corporate network.
To ensure that authentication can take place for Windows 2000 clients, you must determine whether servers are placed on the network so that authentication can take place as desired. The answers to these questions can be found in the appendix.
The Contoso forest currently has four domains: contoso.tld, seattle.contoso.tld, lima.contoso.tld, and london.contoso.tld. This section looks at optimizing the trust relationships between the domains. The answers to these questions can be found in the appendix.
This exercise looks at the design issues that Contoso will face with the Windows 98, Windows NT 4.0, and Windows for Workgroups clients. The answers to these questions can be found in the appendix.