If you have existing Windows NT 4.0 or Windows 2000 site-to-site connections, you must decide whether to upgrade your routers to Windows Server 2003 and migrate to the Windows Server 2003 Routing and Remote Access service, or whether to continue to support your current configuration. Before you install the Routing and Remote Access service on your demand-dial routers, you must decide how many routers you need, and you must make sure that the computers meet Windows Server 2003 requirements.
For more information about creating hardware and software inventories, see "Planning for Deployment" in Planning, Testing, and Piloting Deployment Projects of this kit. The flowchart in Figure 10.8 shows the tasks required when preparing to configure the router server.
Figure 10.8: Preparing for Server Configuration
If you have an existing site-to-site connection between remote offices using Windows NT 4.0-based or Windows 2000-based servers and plan to upgrade most of your network to Windows Server 2003, Windows Server 2003 can support your existing Routing and Remote Access or RRAS servers. Alternatively, you can take advantage of the new features in Windows Server 2003 by upgrading your demand-dial routers.
The following topics can help you decide whether to upgrade your demand-dial routers:
New features
Migrating router settings
In Windows NT Server 4.0, routing and remote access are separate services. In Windows 2000 Server and Windows Server 2003, these functions are combined in the single Routing and Remote Access service. Table 10.10 lists the new features introduced in Windows 2000 Server and in Windows Server 2003.
Windows Release | New Features |
---|---|
Windows 2000 Server |
|
Windows Server 2003 |
|
When you upgrade from Windows NT 4.0 or Windows 2000 to Windows Server 2003, you retain all IP-based routing configuration, including demand-dial, RIP, OSPF, and DHCP Relay Agent settings. However, Windows Server 2003 does not support the NetWare routing protocol Internetwork Packet Exchange (IPX). If you upgrade from Windows NT 4.0 to Windows Server 2003 and IPX settings are detected, Setup warns you that they will be lost and gives you the option to cancel the upgrade.
Table 10.11 provides capacity planning information that you can use to help determine how many demand-dial servers you need to deploy and how much data throughput your site-to-site connection can support.
Factor | Capacity |
---|---|
Number of connections | For two-way connections, one answering router supports 10 simultaneous calling router connections before performance begins to degrade. For one-way connections, one answering router supports 100 simultaneous calling router connections before performance begins to degrade. |
Data throughput | The amount of data throughput that a site-to-site connection can support depends, in part, on what resources the users are using on the network. Other factors that affect data throughput include:
|
The following information can help you plan how to set up your server before you deploy the remote site connection:
Meeting server requirements
Disabling unused services
Planning physical and administrative security
Table 10.12 lists the minimum hardware and software requirements for a demand-dial router.
Component | Requirement |
---|---|
Processor | Pentium 233 MHz processor (550 MHz recommended) |
Memory | 128 MB RAM (256 MB recommended) |
Hard drive | 4 GB hard drive |
LAN adapter | A network adapter connected to the intranet. The adapter must have a driver that displays the Designed for Windows logo. The server must have multiple network adapters or a single network adapter configured with multiple IP addresses. |
WAN adapter |
|
Software | The Windows Server 2003 operating system. Windows Server 2003 includes the Routing and Remote Access service, which you must enable. |
Before you deploy a dial-up or VPN router, install and configure the required hardware and the appropriate drivers, and test whether each one functions properly. To determine if the hardware in your organization is certified and compatible, see the Windows Catalog link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
Disabling services that you do not use on your demand-dial server has two advantages: it returns resources to the server that other components can use, and it reduces the attack surface of your back-end network by shutting off services that are potential entry points for attackers trying to break in through the router.
The following is a list of services that you might be able to disable on a server that you plan to use as a demand-dial router:
Distributed File System (DFS)
Distributed Transaction Coordinator
Fax Services
File Replication service (FRS)
Indexing Service
Internet Connection Sharing (ICS)
Intersite Messaging
Kerberos Key Distribution Center
License Logging Service
Print Spooler
Task Scheduler
Telnet
Windows Installer
Important: Do not disable the Remote Registry service. If you disable it, the demand-dial router cannot operate correctly.
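The following PowerShell script is an added example, not part of the Deployment Kit, that applies the list above on a router: it stops each listed service, sets its startup type to Disabled, and refuses to touch Remote Registry or the Routing and Remote Access service itself. The service short names are the editor's assumptions for Windows Server 2003 (confirm each with `sc query <name>` before use); Windows Server 2003 does not ship PowerShell, so install it first or translate each call to `sc.exe config <name> start= disabled`.

```powershell
# Added example (not from the Deployment Kit): disable the services listed above
# on a demand-dial router while protecting the services the router depends on.
# Service short names are assumptions for Windows Server 2003; verify with "sc query".
# Run on the router itself as a local administrator.

$ServicesToDisable = @{
    'Dfs'            = 'Distributed File System'
    'MSDTC'          = 'Distributed Transaction Coordinator'
    'Fax'            = 'Fax Services'
    'NtFrs'          = 'File Replication service'
    'cisvc'          = 'Indexing Service'
    'SharedAccess'   = 'Internet Connection Sharing'
    'IsmServ'        = 'Intersite Messaging'
    'kdc'            = 'Kerberos Key Distribution Center'
    'LicenseService' = 'License Logging Service'
    'Spooler'        = 'Print Spooler'
    'Schedule'       = 'Task Scheduler'
    'TlntSvr'        = 'Telnet'
    'MSIServer'      = 'Windows Installer'
}
# The list above assumes a dedicated router. If the computer is also a domain
# controller, kdc, IsmServ and NtFrs are required and must stay enabled.

# Services the router needs; never disabled even if added to the list above.
$Protected = @('RemoteRegistry', 'RemoteAccess')

function Disable-RouterService {
    param([string]$Name, [string]$DisplayName)

    if ($Protected -contains $Name) {
        Write-Warning "Refusing to disable protected service $Name ($DisplayName)"
        return
    }
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Host "$Name ($DisplayName) is not installed; skipping"
        return
    }
    if ($svc.Status -eq 'Running') {
        Stop-Service -Name $Name -Force -ErrorAction Stop
    }
    Set-Service -Name $Name -StartupType Disabled
    Write-Host "$Name ($DisplayName): stopped and set to Disabled"
}

foreach ($entry in $ServicesToDisable.GetEnumerator()) {
    Disable-RouterService -Name $entry.Key -DisplayName $entry.Value
}

# Verify: nothing in the list still starts automatically, and Remote Registry is intact.
$still = Get-WmiObject Win32_Service |
    Where-Object { $ServicesToDisable.ContainsKey($_.Name) -and $_.StartMode -ne 'Disabled' }
if ($still) { Write-Warning ('Still enabled: ' + ($still.Name -join ', ')) }

$rr = Get-WmiObject Win32_Service -Filter "Name='RemoteRegistry'"
Write-Host ('RemoteRegistry start mode: ' + $rr.StartMode + ', state: ' + $rr.State)
```

The final check matters: a service that was stopped but left set to Automatic comes back at the next reboot, so the verification reads the start mode from WMI rather than trusting the earlier calls.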
To prevent the intentional or unintentional modification of your router configuration, use the following guidelines to secure your routers:
Keep router computers physically secure from unauthorized users or intruders, for example, by placing them in a locked room.
Delegate administration rights and permissions for the Routing and Remote Access service to a limited number of individuals.
Assign administrator rights to an Active Directory group whose role is to administer remote site connections, and add only authorized users to that group. Changes to group membership then take effect on every router at once, whereas without a group you must administer each Administrator account separately on each Routing and Remote Access server.
On both the calling router and the answering router, rename the local Administrator account and use strong passwords for the account.
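The following PowerShell script is an added example, not part of the Deployment Kit, that carries out the last two guidelines on one router: it locates the built-in Administrator account by its well-known RID 500 (so it works even if the account was renamed before), sets a generated strong password, renames the account, and grants administration through a domain group instead of individual local accounts. The names `rtr-admin-local`, `CORP` and `RRAS-Site-Admins` are assumed values for illustration; run the script on both the calling router and the answering router.

```powershell
# Added example (not from the Deployment Kit): harden the built-in Administrator
# account on a demand-dial router and delegate administration to a domain group.
# $NewAdminName, $DomainName and $RouterAdminsGroup are assumed values.
# Run on each router (calling and answering) as a local administrator.

$NewAdminName      = 'rtr-admin-local'
$DomainName        = 'CORP'
$RouterAdminsGroup = 'RRAS-Site-Admins'   # AD group that administers remote site connections

# Find the built-in Administrator by RID 500 rather than by name.
$builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like 'S-1-5-21-*-500' }
if ($null -eq $builtin) { throw 'Built-in Administrator account not found' }

# Generate a strong password: 20 characters, at least 4 non-alphanumeric.
Add-Type -AssemblyName System.Web
$password = [System.Web.Security.Membership]::GeneratePassword(20, 4)

# Set the password through the WinNT ADSI provider, using the current account name.
$user = [ADSI]"WinNT://$env:COMPUTERNAME/$($builtin.Name),user"
$user.SetPassword($password)
$user.SetInfo()

# Rename the account (Win32_UserAccount.Rename returns 0 on success).
if ($builtin.Name -ne $NewAdminName) {
    $result = $builtin.Rename($NewAdminName)
    if ($result.ReturnValue -ne 0) { throw "Rename failed with code $($result.ReturnValue)" }
}

# Delegate: put the domain group into the local Administrators group so that
# membership is managed once in Active Directory, not per router.
$localAdmins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($localAdmins.psbase.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
if ($members -notcontains $RouterAdminsGroup) {
    $localAdmins.Add("WinNT://$DomainName/$RouterAdminsGroup,group")
}

Write-Host "Renamed RID-500 account to $NewAdminName on $env:COMPUTERNAME"
# The generated password is shown once; record it in your password vault immediately.
Write-Host "New password (store securely): $password"
```

Renaming the account does not change its SID, so anyone who enumerates RID 500 can still identify it; the rename only removes the obvious name from password-guessing attempts, which is why the strong password and the locked room remain the primary controls.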