Defining the Windows 2003 Infrastructure | Windows Server 2003 on Proliants. Deployment Techniques and Management Tools for System Administrators

< Day Day Up >

If you are currently in a Windows NT domain structure, this section can be used as a precursor to the AD design. In conducting assessments for Windows NT environments, I often used this section to give the customer a preview of how its environment will fit into AD, and to educate the customer about known best practices. With experience in doing migrations, and after completing the review of the environment, what needs to be done to complete the migration becomes fairly clear. Doing a thorough job here makes it easy to complete the recommendations section later in the assessment document.

If you have a Windows 2000 forest structure, this will be an opportunity to determine whether changes should be made. Sometimes, just getting all stakeholders together and taking a step back to analyze the infrastructure will create a list of problems and headaches that should be addressed. With many companies relying on the benefit of three or four years of experience running Windows 2000, and with the evolution of knowledge that accompanies that experience, this assessment provides a chance to make changes to correct those problems and employ best practices.

Structure of AD

Your design of the AD structure is dependent upon the DNS structure, domain structure, and to some extent, naming standards. Your assessment then, must include an accurate description of the current DNS infrastructure so that the Windows 2003 DNS requirements are integrated as seamlessly as possible. The existing domain structure ”whether it be Windows NT or Windows 2000 ”must be accurately defined during the assessment, including a description of infrastructure problems. This will help your AD design team design the new domain structure to address those problems.

DNS Structure

Having previously assessed and defined the existing DNS structure and reviewing the role of DNS in the Windows 2003 environment, I usually do a brief analysis of how the customer's DNS structure will support the needs of the Windows 2003 forest. The following points will help you in that analysis:

DNS must support dynamic updates and Service Locator (SRV) resource records. Although technically dynamic updates are not required, it would be an administrative nightmare to keep DNS updated without them. Think of updating the CName records that map the GUID to the FQDN for a large number of DCs.
Is the External DNS namespace different from the Internal? Although AD will work with either configuration, a single namespace presents challenges that must be resolved.
Are there non-Windows clients or a non-Windows environment, such as UNIX, Linux, or OpenVMS, that requires DNS and for which DNS already exists in the environment? You need to determine how the Windows 2003 DNS structure will fit in (most likely via a delegation from the existing DNSs).
How is the connection to the Internet made? This might be via an ISP or perhaps you have name servers registered on the Internet. This will affect how the Windows DNSs configure forwarding to permit the Windows clients to get access to the Internet. (Answers to the previous two points will help form the forwarding strategy.)

note

AD does not require access to the Internet. Configuring forwarders to permit this access is for convenience of the users only. Note that Windows Server 2003 Help and Support and event messages contain links to Microsoft articles to assist in problem resolution, so connection to the Internet does have value.
Are there any Windows-based DNSs in the environment (that is, in the Windows NT structure)? If there are, the new Windows 2003 DNS structure will need to be merged to the existing structure.

It is critical to do a thorough analysis of the existing DNS structure and how the new Windows Server 2003 structure will fit into it. AD depends heavily on a proper implementation of DNS. See Chapter 6 for more information on DNS implementation.

Windows 2003 Domain Structure

The content of this section depends upon whether the existing domain structure is Windows NT or Windows 2000. If you are migrating from Windows NT, you can take this opportunity to identify key Windows 2003 domain components such as single versus multiple forest structure, single versus multiple domain structure, and naming conventions. In the case of an existing Windows 2000 structure, this section could be used to list the pros and cons of these domain and forest options. You could then do a brief analysis, not giving a recommendation of the domain structure you might recommend at this point, but rather presenting how the company's infrastructure might look. Figures 4.3 and 4.4 show how I presented this to one customer, explaining the options of creating separate domain trees versus a single tree with child domains off of a single parent (root). This gave us the opportunity in a design review to explore both options and determine which made more sense for the customer's situation. Although this initial design might change after designing the OU structure, analyzing security implementation, and determining how the administration model will be configured, this at least gives you a starting point. The logical design will be covered in Chapter 5, "Active Directory Logical Design."

Figure 4.3. Creating multiple domain trees allows use of a disjoint namespace, where each tree will have a unique namespace, independent of the others.

Figure 4.4. Another option for the namespace is a parent-child relationship between the domains. In this case, they share a single namespace.

note

It is important to realize at this point that this is still the assessment ”not the design stage. Recommendations should not be given at this point even though you might feel that you know the domain or forest structure that should be used.

Naming Standards

This section should include two parts : Current Standards and Considerations. If the current environment is Windows NT, there will likely be significant changes; for example, the elimination of names with special characters that are incompatible with DNS, such as "." and "-". Although Microsoft's DNS allows Unicode characters , it's best not to include them for compatibility with other flavors of DNS. In addition, Windows NT domains were often implemented by many different entities within an enterprise without following company-wide standards for names and configuration. Many Windows 2000 and 2003 environments tend to include site codes, domain codes, and so on into the name to reflect where the server is in the topology.

If the environment is already Windows 2000, you might want to examine the current structure to determine whether the standards have been followed and whether changes to the environment or topology require a different naming scheme. Although this isn't the place for recommendations, it is the place for education, so note any concerns or problems with the current scheme and provide some examples or alternatives to be considered . In the recommendations section, you can formally make a recommendation of a particular scheme or specific changes.

Windows 2003 Network Services

Of course, network services are important in providing the AD data and services to users. These network services include subnetting, DHCP, WINS, DNS, and remote access as you might expect, but also includes the Distributed File System (DFS). The following list includes tasks that should be included in the assessment:

TCP/IP : Any changes in the subnet scheme should be made prior to the migration to Windows 2003. This could be the addition of new subnets or concatenation of existing ones, or changing the focus of the subnets. This will put the network on firm footing, preventing changing network addressing after the migration and adding to problems you might have that are caused by the migration. In other words, it reduces the potential problems to solve after the migration takes place.

Technical Advantage

A logical subnet scheme is critical to Windows 2003 as well as Windows 2000 due to the "client awareness" feature, which allows clients to find resources (DCs, GCs, DFS replica targets, and so on) in the client's site preferentially. Mapping a single subnet across multiple sites impacts this feature, causing clients to be authenticated by unexpected DCs.

With the introduction of AD Partitions in Windows 2003, this is even more important if you plan to take advantage of these nondomain partitions and their site awareness characteristics.

DHCP : The DHCP scopes might need to be configured as required for the new Windows 2003 structure, including new scopes (or changes to existing scopes), lease times, DNS configuration, and so on prior to the migration. Part of the assessment might be to determine scope utilization. This section can be used to identify those weaknesses that should be considered for changes.
DNS : The DNS structure should be designed and in place prior to creating the new Windows 2003 domain structure. In Windows 2000, it was critical to configure DNS prior to building the forest. Windows 2003 DCPromo does an excellent job of configuring DNS, including delegation of the important root _msdcs zone, as described in Chapter 6. If you are migrating from Windows 2000, although DNS is in place, take note of new DNS features such as stub zones, conditional forwarding, and application partitions. Summarize these new features, noted in Chapter 6, that you feel should be examined during the design for a more efficient DNS structure.

tip

Microsoft, as of this writing, has created an excellent DNS resource called DNS Center at http://www.microsoft.com/DNS . The DNS Center contains Webcast recordings, whitepapers, KB articles, Best Practice papers, and even some training documents. Whether you are unfamiliar with Windows DNS requirements and functionality or are a veteran looking for best practices, this is a great resource.
WINS : If you have Windows NT, you need to keep WINS for backward compatibility for Windows NT machines. With Windows 2000 to 2003 migration, you can elect to eliminate WINS altogether. But remember that downlevel clients and some applications relying on special records stored in WINS might prevent you from proceeding with this strategy anytime soon. Note that even though HP is operating in a Native Windows 2003 environment, we still use WINS.

Application Validation

Your applications ”third-party or custom in-house developed ”must be validated in the new environment. Even if the applications have been working in a Windows 2000 environment, they should be tested and validated with Windows 2003. It's amazing how many DOS-based client-server applications are still hanging around that depend on Windows NT servers or even Backup Domain Controllers (BDCs). Of particular interest are those that interact with Windows NT or perhaps the Windows 2000 AD.

Consider the following points in evaluating application compatibility:

Apps leveraging Windows NT 4.0 domain for Authentication or account lookup can leverage anonymous user access to DCs to access domain data.
Apps running on Windows NT 4.0 DCs. If migrating, need to be reinstalled on other machines, because DCs cannot be migrated . If upgrading, you need to ensure compatibility with Windows Server 2003.
Apps leveraging Windows 2000 AD need to check schema-compatibility prior to upgrading to Windows Server 2003 AD schema.

Make sure you test these applications as thoroughly as possible to avoid any surprises when the users access them during the migration.

You should run a pilot program, described in Chapter 6, to test applications in an environment with actual users and "live" data to certify each application.

User Working Environment

This section of your assessment should review the user environment ”the client workstations ”and how the current configuration will work in the new Windows 2003 structure. Most companies have a regular client upgrade program, purchasing new workstations every three to four years. In this case, the clients will likely have the newest OS (Windows XP at the writing of this book) and be able to take advantage of new features in the Windows 2003 domain. These features include security, remote connections, Encrypted File System (EFS), new Group Policy features in XP and 2003, SmartCard support, and additional hardware support.

The client features can significantly affect the ROI and Total Cost of Ownership (TCO) figures. Improving security, reducing support costs, and providing users with better remote connection support can be translated into direct cost savings. Laboring with Windows 9x clients might be cheaper in that you don't have to buy XP licenses, but limited support for new devices, archaic troubleshooting tools, and problematic site awareness causing them to ignore the local DC, can eat up that savings in additional support costs for your IT staff.

warning

The basic security in 2003 does not, by default, allow Windows 9x clients and pre-Windows NT 4 SP4 clients to log on. See Microsoft KB 811497, "Error Message when Windows 95 or Windows NT 4.0 Client Logs On to Windows Server 2003 Domain," for information on how to change this behavior

The following security improvements have changed the behavior of Windows 2003 Server DCs compared to Windows 2000 and Windows NT:

Server Message Block (SMB) signing and secure-channel encryption is enforced, as well as DC access policies
Adjustments are needed for Windows NT 4.0 pre-SP4 and Windows 9x clients (Microsoft KB 811497) to permit domain logon. However, Windows NT 4.0 SP4 and higher, Windows 2000, and Windows XP clients work without adjustments. Windows 9x and Windows NT 4.0 pre-SP4 clients or servers don't support SMB and secure channel signing by default.

note

Either install The Active Directory Client Extension (DS) client pack on Windows 95 clients and update Windows NT 4.0 clients to SP4, or adjust the default DC policies, disabling enforcement of SMB and secure channel signing.

note

The AD DSclient package is located on the Microsoft Web site and permits Windows NT workstation and Windows 9x clients to authenticate to a Windows 2000 or 2003 DC rather than the PDC Emulator. See Microsoft KB 288358, "How to install the Active Directory client extension," for more information including download details.

Use this section to review potential savings in the user environment as well as how new technology can improve productivity.

Security

As noted in the "Security" section in Chapter 1, security is of critical importance in any environment. In this section of the assessment report, note the security features in Windows 2003 compared to Windows 2000 and Windows NT. A comparison chart such as that shown in Table 4.7 can be used to point out that security design is not only important, but that Windows 2003 features give the company a lot of power and flexibility in securing the enterprise ”much more so than Windows NT and even better than Windows 2000.

Table 4.7. Security Feature Comparison Table

Feature	Windows 2003	Windows 2000	Windows NT
Authentication and Authorization	Kerberos authentication and authorization (fully MIT Kerberos compatible); very secure.	Kerberos authentication and authorization (not completely MIT Kerberos v5 compatible); very secure.	NTLM ”Not secure, very inefficient (no Kerberos session ticket type mechanism).
Single Sign-On (SSO)	Credential Manager for SSO (note that this is a feature of Windows XP client).	No SSSO.	No SSO.
Time Protocol	NTP (accurate within milliseconds ).	SNTP and W32TM time service (accurate within several seconds).	SNTP ”Not accurate, but doesn't need to be because there is no Kerberos.
VPN Protocol	IPSec, L2TP (improved, can be passed through a NAT server).	IPSec, L2TP ”IPSec won't go through a NAT server.	Point to Point Tunneling Protocol (PPTP) ” insecure .
VPN Features	Improved, more robust connection manager.	Connection Manager.	Limited, poor security.
Routing and Remote Access Service (RRAS)	Integrates RRAS firewall with NAT.	No firewall.	No firewall.
SmartCard Support	Increased support, such as when using the `runas` command to utilize a more privileged account.	Supported.	No built-in support.
IPSec Monitoring	IPSec snap-in that provides detailed IPSec policy configuration and active security state ( replaces the ipsecmon .exe monitor in Windows 2000).	Used ipsecmon.exe ”limited and cumber-some.	None.
IPSec Features	1. Network Load Balancing (NLB) group of servers to provide highly available IPSec-based VPN services. 2. IPSec has added the stronger 128-bit equivalency Internet Key Exchange (IKE) key. that provides a 3072-bit Diffie-Hellman key generation.	Introduced in Windows 2000, but had limited features such as not supporting NAT.	None
Wireless LAN Security	IAS/RADIUS server has been enhanced to allow authentication and authorization of users and computers connecting to Wireless and Ethernet LANs (IEEE 802.1X).	Limited.	None.
Encrypted File System (EFS)	1. Use of master key based on user's credentials to protect EFS private key. Master key is decrypted and re-encrypted with a successful password change. If the password is forced via hacker tools, the master key is not decrypted, protecting the EFS private key. 2. Solves forgotten password with password reset disk, backup of EFS private key and certificate, and EFS Recovery agents . Note: This is a client-side feature for local computer accounts rather than a domain environment where users authenticate to AD and use certificates stored in AD. 3. Can share encrypted files between multiple "trusted" users via certificates. 4. Supports Web Folders using WebDAV protocol (extension to HTTP 1.0). More secure than EFS. 5. Offline files preserve EFS attributes.	1. Standalone version vulnerable to hackers who reset account passwords. 2. User forgets password and files can't be decrypted. 3. Can't share EFS files. 4. EFS files on file servers are not secure (transferred across network in cleartext), and server has access to local profile (user's private key) to decrypt them. 5. No EFS encryption for offline folders or Client Side Caching (CSC) database.	Not available.
Software Restriction Policies (via Group Policy)	Available ”Protects against Trojan Horse programs, but has limitations (good start, though).	Not available.	Not available.
Internet Connection Firewall (Personal Firewall)	Available on Windows XP, 2003 Server for LAN, dialup, and VPN connections.	Not available.	Not available.

Business Advantage

The security feature comparison table, Table 4.7, can be leveraged in calculating cost savings. Comparing the damage that hackers can create when exploiting remote access connections with the protection provided by a more robust IPSec in Windows 2003 could show significant savings. Improved patching tools, such as the System Update Service, can reduce administration overhead and ensure a more secure environment in keeping computers up-to-date on security patches.

There are many good whitepapers and books that can provide details on all of these features. An excellent book for your reference is Jan de Clercq's Windows 2003 Security Infrastructures (Digital Press, 2004).

Management and Administration

The way that Windows 2003 management and administration affect current practices and organizations depends on whether the current infrastructure is Windows NT or Windows 2000.

Windows NT administration models were largely driven by OS constraints. For example, due to the lack of granular delegation of authority in Windows NT, we were forced to grant full domain Administrator privileges to Administrators who had limited roles. In addition, due to the limit of the number of objects that could exist in a Windows NT domain, the inability to delegate administration authority to any entity other than a domain, and other limitations of Windows NT, large enterprises were forced to create many domains, which inflated the number of Administrators required to manage this structure. Before Compaq migrated to Windows 2000 from its Windows NT multiple master domain model, they had 13 master user domains and more than 1,700 resource domains. Compaq had staff whose full-time jobs were validating and maintaining Windows NT trusts. In addition to creating domains to satisfy the delegation of authority, some domains were used simply to improve browsing performance. In the Hewlett-Packard Windows NT model, prior to the Compaq merger, there were 8 master user domains and about 800 resource domains.

In Windows 2000, with granular administrative functions you can delegate responsibility for a small group of users, groups, and computers, or Group Policy management, for example, to a single Administrator without giving him or her the "keys to the kingdom." With the scalability of Windows 2000 and consolidation of domains, the need for domain-level Administrators is greatly reduced. Compaq (now HP) reduced their environment from more than 1,700 domains to 4. Consider the impact on administration that reduction had. And, with transitive trusts, that Administrator taking care of all the trusts can be used somewhere else where he or she can be more productive.

You should be aware that there is not a dramatic change in the Windows 2003 administration model if you are migrating from Windows 2000. One area of increased complexity is Group Policy. There are approximately 200 new Group Policy settings in Windows 2003 compared to Windows 2000. Windows NT had about 79 System Policies, which are the equivalent of Group Policies in Windows NT. If you have an Administrator who is responsible for Group Policy administration, he or she should become familiar with the policy settings and analyze whether they are going to impact your environment and whether you should take advantage of them. Microsoft has made an obvious effort to implement features and bug fixes through Group Policy and it is growing. Windows XP included its own set of policies that can be uploaded to the Windows 2000 DC and managed from there. You might consider identifying a Group Policy Administrator to keep track of these important settings.

During the assessment, you should review the existing management and administration structure and note how Windows 2003 will impact this structure. One of the biggest impacts will be migrating from Windows NT to Windows 2003 and the reduction of domains. This will reduce the number of domain Administrators needed and will change the role of the ones who are retained as OU Admins. Again, making a chart and listing the current administrative assignments as well as the assignments needed for 2003 will easily show which changes need to be made. Don't forget training for these new Admins ”whether they are Windows NT Admins or Windows 2000 veterans , Windows 2003 will require training.

Other management and administration areas to be included in the assessment are

Administration model : Define whether the centralized or distributed administration model is being used and whether there is need for change. This will affect how you deploy software, manage Group Policy, and to some extent, how the OU structure is designed.
Tools : In addition to the snap-ins that Microsoft provides out of the box, there are some very powerful tools that you should explore. This is especially true if you have a large environment, and you intend to do some sort of AD health monitoring. Although the snap-ins will help to a degree, they won't monitor the AD for you. Some excellent management and monitoring tools are now available:
- Microsoft's MOM (Microsoft Operation Management) tool is free and a better alternative to the snap-ins. For more information on MOM, see Chapter 10, "System Administration," and the following Microsoft Web sites:
  
  Download: http://www.microsoft.com/technet/prodtechnol/mom/downloads
  
  Resource Kit: http://www.microsoft.com/mom/downloads/reskit/default.asp
- Microsoft's new Group Policy Management Console (GPMC) is a free download from Microsoft's Web site at http://www.microsoft.com/gp . This powerful tool lets you mange all the policies for all domains and OUs in the enterprise in a single console (snap-in). GPMC is described in Chapter 5.
- HP's OpenView Operations for Windows (OVOW) offers AD management, including an excellent 3D graphical tool called the Active Directory Topology Viewer (ADTV) that will make diagnosing difficult replication problems easy. The ADTV is described in Chapter 5, and more information on OVOW is available at http://www.openview.hp.com/products/ovowin/index.html .
- Other third-party companies, such as NetIQ ( http://www.netiq.com ), Quest Software ( http://www.quest.com ), BindView ( http://www.bindview.com ), Aelita Software ( http://www.aelita.com ), and NetPRO, ( http://www.netpro.com ), offer suites of very sophisticated tools for monitoring and managing AD as well.

As part of the assessment, you should review these tools and choose one or two to evaluate in the pilot. Take some time to find one that will fulfill the needs of your environment at a cost you can afford. This can result in cost savings by reducing administration time and "cost to solution" by solving problems when they occur. Regardless, ensure that some form of a management and monitoring system is put in place as the robust fault-tolerant nature of Windows 2003 might let problems go unnoticed until it is too late.

Growth

Planning for growth is important. Analyze the company's growth plans ”note the possibility for future acquisitions of other companies or business units, the stability of the organizational model (affects how the AD will be designed), known changes to the infrastructure, and current bottlenecks and limitations.

< Day Day Up >