Microsoft DNS - This is a very different animal in Windows 2000/3 compared to
NT4, not because of the way it does anything but because of what it is used
for. Microsoft NT4 and Windows 95/98 use WINS - the Windows Internet Naming
Service (rather confusingly named) - to locate each other over interconnected
LANs. The system basically works with DHCP, the Dynamic Host Configuration
Protocol, which assigns an IP address to your network interface card, supplies
the default gateway, DNS server and WINS server, and also registers you with
WINS at the same time. One WINS server then replicates with another on another
LAN, so hosts can look up your workstation from their own LAN and communication
can be successfully routed between machines. DNS at this stage was simply for
looking up domains on the Internet, and had a 'Reverse WINS Lookup' feature for
tracking down workstations from the DNS server. Microsoft DNS on Windows 2000
has the option of being entirely dynamic. It can be configured to live in
Active Directory, has built-in reverse lookup and, just as WINS is, can be
updated from the DHCP server negotiation - better!
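Because a dynamic zone accepts record updates from the network, the setting that matters most on a Windows DNS server is whether those updates must be authenticated. The following PowerShell is an added example, not code from the original article: it uses the DnsServer module to report each primary zone's AD-integration and dynamic-update setting, flags zones that accept unauthenticated updates, and shows a reverse (PTR) lookup. The zone names it acts on come from the server; the address in the reverse lookup is a placeholder.

```powershell
# Added example, not from the original article. Run on a Windows DNS server with
# the DnsServer module (RSAT DNS tools). The address used below is a placeholder.
Import-Module DnsServer

function Get-ZoneUpdatePolicy {
    # Primary zones only: secondary and stub zones never accept dynamic updates themselves
    Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Primary' } |
        Select-Object ZoneName, IsDsIntegrated, IsReverseLookupZone, DynamicUpdate
}

function Find-InsecureUpdateZones {
    # 'NonsecureAndSecure' lets any host that can reach the server overwrite a record;
    # 'Secure' (only possible for AD-integrated zones) requires the updater to
    # authenticate, which is what DHCP/client registration into AD relies on.
    Get-ZoneUpdatePolicy | Where-Object { $_.DynamicUpdate -eq 'NonsecureAndSecure' }
}

function Set-ZoneSecureUpdatesOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ZoneName)
    $zone = Get-DnsServerZone -Name $ZoneName
    if (-not $zone.IsDsIntegrated) {
        throw "$ZoneName is not AD-integrated; 'Secure' dynamic update is not available for it"
    }
    if ($PSCmdlet.ShouldProcess($ZoneName, 'Set DynamicUpdate = Secure')) {
        Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure
    }
}

# Report every primary zone, then show (without applying, because of -WhatIf) what
# tightening the unauthenticated ones would do
Get-ZoneUpdatePolicy | Format-Table -AutoSize
Find-InsecureUpdateZones | ForEach-Object { Set-ZoneSecureUpdatesOnly -ZoneName $_.ZoneName -WhatIf }

# Reverse lookup: which name is registered for an address (placeholder address)
Resolve-DnsName -Name '192.168.1.10' -Type PTR -ErrorAction SilentlyContinue
```

Drop `-WhatIf` once the report looks right; a zone that is not AD-integrated has to be converted to AD-integrated before `Secure` can be selected, which the function refuses rather than silently leaving the zone open.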
TCP/IP - The Transport Control Protocol / Internet Protocol. This is just
moving from its fourth to its sixth incarnation at present and it is a
complicated protocol. It is routable in more ways than you can wave an
Ethernet cable at, and with version 6 supports IPSec as standard. It is the
basis of nearly all inter-communication of computers today; whether we are
talking about Macintosh, Netware, Linux or Windows, they are most likely using
TCP/IP to speak with their cohorts. Microsoft have favored it for some time,
whilst Netware moved over at version 5. Macintosh jumped on the wagon (as
opposed to leading the way as they normally do) and began dropping AppleTalk
with the arrival of OSX. Although TCP/IP is referred to as a single protocol
it is not. It is a standard set of amalgamated systems and the resultant
protocol lives in layer 3 of the standard model. As with all other
communications protocols, TCP/IP is composed of layers:
- The Internet Protocol (IP) - is responsible for moving packets of data from
one node to another. IP forwards each packet based on a four-byte destination
address (the IP address). The Internet authorities assign ranges of numbers to
different organizations. The organizations assign groups of their numbers to
departments. IP operates on gateway machines that move data from department
to organization to region and then around the world. Each computer using the
Internet can do so because at some level it is using an IP address. Typically
in most networks nowadays your LAN may have only one 'real' IP address, at
your router or firewall, and your computer may use a 192.168.x.x or 10.1.x.x
address. These are reserved address sets for computers in internal LANs and
are assigned to no one. This is made possible by NAT and PAT, which stand for
Network Address Translation and Port Address Translation, performed by your
router or firewall so as to redirect any traffic your machine requested back
to you.
- The Transport Control Protocol (TCP) - is responsible for verifying the
correct delivery of data from client to server. Data can be lost in the
intermediate network. TCP adds support to detect errors or lost data and to
trigger retransmission until the data is correctly and completely received.
TCP makes TCP/IP a very robust system and allows different sections of the
Internet to fall over and reroute data constantly and seamlessly.
- Port Numbers - 'Sockets' is the name given to packages of subroutines that
provide access to TCP/IP on most systems. A socket is a combination of a port
number and an IP address and therefore uniquely identifies a network process
on any individual network. There are many standardized port numbers, such as
80 for HTTP and 25 for SMTP. A port number is basically a feature of a packet,
just like the routing header. It is a property that, instead of deciding where
the packet is going, like the IP address, decides what it will do when it gets
there and, most likely, whether it will be allowed to get there or not.
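The two ideas in this list that a firewall administrator leans on daily are the private address ranges (which tell you whether a destination is inside the LAN) and the port number (which tells you what service is being asked for and whether to let it through). The PowerShell below is an added example, not code from the original article; it implements the private-range test for the 10.x.x.x and 192.168.x.x ranges the text names plus 172.16-31.x.x, the third range in the same reserved set, and combines address and port into a socket decision. The allow-list and the sample flows are constructed for illustration.

```powershell
# Added example, not from the original article. Pure PowerShell, runs offline.
# The allow-list and the sample flows are constructed for illustration.

function Test-PrivateIPv4 {
    # True for the reserved internal ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    if ($b[0] -eq 10) { return $true }
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $true }
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $true }
    return $false
}

# Well-known ports named in the text plus two more, and a hypothetical border-firewall allow-list
$WellKnownPorts = @{ 80 = 'HTTP'; 25 = 'SMTP'; 53 = 'DNS'; 443 = 'HTTPS' }
$AllowedInboundPorts = @(80, 443)

function Get-SocketDecision {
    # IP address + port = socket: the address says where, the port says what and whether it gets in
    param(
        [Parameter(Mandatory)][string]$DestinationAddress,
        [Parameter(Mandatory)][int]$DestinationPort
    )
    $service = if ($WellKnownPorts.ContainsKey($DestinationPort)) { $WellKnownPorts[$DestinationPort] } else { 'unregistered' }
    [pscustomobject]@{
        Socket        = "${DestinationAddress}:${DestinationPort}"
        Service       = $service
        PrivateTarget = Test-PrivateIPv4 -Address $DestinationAddress
        Permitted     = $AllowedInboundPorts -contains $DestinationPort
    }
}

# Constructed sample flows (203.0.113.0/24 is a documentation range, not a real network)
$flows = @(
    @{ Address = '192.168.1.10'; Port = 80   },
    @{ Address = '10.1.4.22';    Port = 25   },
    @{ Address = '203.0.113.5';  Port = 443  },
    @{ Address = '172.20.0.1';   Port = 3389 }
)
$flows | ForEach-Object { Get-SocketDecision -DestinationAddress $_.Address -DestinationPort $_.Port } |
    Format-Table -AutoSize
```

The private-range test is deliberately byte-based rather than string-based so that an address such as 10.1.4.22 and one such as 100.1.4.22 are never confused by a prefix match.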
Microsoft Active Directory - Don't be put off by the way this is continuously
described by Microsoft as all sorts of different things. The simple nuts and
bolts of it are most easily described as follows. AD is a secured and
replicated set of files shared around the domain or domains that allows all of
the clients and servers to share and use information. For those of us familiar
with the nuts and bolts of a Windows PC, it's like a replicated registry that
is shared around the Domain Controllers. It sits in different files, just like
the registry does, and it can be edited with a straightforward tool, just like
the registry. It relies on five central roles for a forest to function. (A
Forest is a collection of Domain Trees - yes, I know, very clever etc.) The
replicated information that is shared to non-DC clients is stored in the
SYSVOL share on a DC, and there will be a folder inside for each domain storing
policies, scripts and other information. The old Netlogon share is now inside
the shared SYSVOL directory but is still shared as Netlogon for backwards
compatibility. The database of all DC-only AD information is kept inside
%systemroot%\SYSVOL - note that the SYSVOL folder shared to clients is inside
the first SYSVOL directory, i.e. at %systemroot%\SYSVOL\SYSVOL. The database
itself and the log files are by default kept in %systemroot%\WINDOWS\NTDS, but
the location can be specified when installing Active Directory on a server.
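Because the shared SYSVOL tree carries the policies and scripts that every client executes, it is worth confirming on a DC both where these files actually live and who is allowed to write there. The PowerShell below is an added example, not code from the original article: it reads the SYSVOL and NETLOGON share paths, the database and log locations recorded when AD was installed (the NTDS service registry key), the per-domain folders inside the shared SYSVOL, and the identities with write access to it. It assumes it is run locally on a domain controller with administrative rights and that the Get-SmbShare cmdlet is available (Windows Server 2012 or later).

```powershell
# Added example, not from the original article. Run locally on a domain controller
# with administrative rights (Get-SmbShare needs Windows Server 2012 or later).

function Get-DcStorageLayout {
    $shares = Get-SmbShare -Name 'SYSVOL', 'NETLOGON' -ErrorAction Stop
    # Paths chosen at AD installation time are recorded under the NTDS service key
    $ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $sysvolRoot = ($shares | Where-Object Name -eq 'SYSVOL').Path   # normally %systemroot%\SYSVOL\sysvol

    [pscustomobject]@{
        SysvolSharePath   = $sysvolRoot
        NetlogonSharePath = ($shares | Where-Object Name -eq 'NETLOGON').Path
        DatabaseFile      = $ntds.'DSA Database file'          # the ntds.dit file
        LogDirectory      = $ntds.'Database log files path'
        # one folder per domain under the shared SYSVOL, holding policies and scripts
        DomainFolders     = (Get-ChildItem -Directory -Path $sysvolRoot).Name
    }
}

function Get-SysvolWriters {
    # Anything written here runs on every client, so list who is allowed to write
    param([string]$Path = (Get-SmbShare -Name 'SYSVOL').Path)
    $write = [int][System.Security.AccessControl.FileSystemRights]::Write
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $write) -ne 0) } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

Get-DcStorageLayout
Get-SysvolWriters | Format-Table -AutoSize
```

On a healthy DC the writers list is short (SYSTEM, Administrators, and the domain's own administrative groups); any other identity with write access to the shared SYSVOL deserves an explanation.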
FSMO Roles - Flexible Single Master Operations (pronounced by all the guys on
the Microsoft websites as 'Fuszmo'). So there you are: after all of the fuss
Microsoft made about Windows 2000/3 no longer requiring a PDC or BDC, it turns
out that there are five different sorts of the darn things.
PDC Emulator - All WinNT fans know what this guy is bound to do. He emulates
the old PDC for backwards compatibility. He also creates group policy objects
and synchronizes the w32time service.
RID Master - Hands out the Global Unique Identifiers to each Domain
Controller. Each object in Active Directory must have one to be indexed in the
registry-like list. The RID Master hands out different sets to each DC for
labelling all of the objects created on it.
Infrastructure Master - This guy is the Ambassador. He monitors everything to
do with memberships of trusts and other domains. He checks that you are
allowed into the country by having a good look at your passport - well, you
know the way things are these days.
Domain Naming Master - This ol' gal is the only central repository for child
domain names. There is only one in an attempt to prevent duplicate domain
names. Just as well; duplicate computer names are bad enough!
Schema Master - This fellow is responsible for changes to the Schema of Active
Directory. In other words, he is the man who alters the way in which data is
stored inside any type of object. If you want to add a field to the standard
computer object then you've got to ask him.
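Since each of the five roles lives on exactly one DC (two of them once per forest, three once per domain), the first thing to know in any domain is which machine holds which. The PowerShell below is an added example, not code from the original article: it lists the role holders with the ActiveDirectory module and then applies the long-standing Microsoft placement rule for the Infrastructure Master, which should not sit on a Global Catalog unless every DC in the domain is one. It assumes the ActiveDirectory module (RSAT) and a reachable DC.

```powershell
# Added example, not from the original article. Needs the ActiveDirectory module
# (RSAT) and a reachable domain controller.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    # Two roles exist once per forest, three exist once per domain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster        # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster  # forest-wide
        PDCEmulator          = $dom.PDCEmulator            # per domain
        RIDMaster            = $dom.RIDMaster              # per domain
        InfrastructureMaster = $dom.InfrastructureMaster   # per domain
    }
}

function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom = Get-ADDomain -Identity $Domain
    $dcs = Get-ADDomainController -Filter * -Server $Domain
    $im  = $dcs | Where-Object HostName -eq $dom.InfrastructureMaster
    $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    # Microsoft's guidance: the Infrastructure Master should not run on a Global Catalog
    # unless every DC in the domain is a GC (then there are no stale cross-domain
    # references left for it to update, and the placement does not matter).
    [pscustomobject]@{
        InfrastructureMaster = $dom.InfrastructureMaster
        HolderIsGC           = [bool]$im.IsGlobalCatalog
        AllDcsAreGC          = $allGc
        PlacementOk          = (-not $im.IsGlobalCatalog) -or $allGc
    }
}

Get-FsmoRoleHolders | Format-List
Test-InfrastructureMasterPlacement | Format-List
```

`PlacementOk` coming back false is the one FSMO configuration that silently corrupts group membership displays across domains rather than failing loudly, which is why it is the check worth automating.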
OK, so there we have it. It is worth remembering that Active Directory is
dependent not only on all of the FSMO roles but also on TCP/IP and Microsoft
DNS, because without either there is no transport to or from Active Directory.
So, based on these observations, we will start with a few pointers. When you
are building or designing your new Windows Active Directory you will want to
minimize network traffic and administration and to optimize ease of use. This
may seem a confusing and daunting task, but let us get things in perspective.
Active Directory goes a long way to doing this itself and the design does not
have to be completed before you begin your upgrades/installs. If it is not a
huge network - i.e. fewer than 10 sites and 20 Domain Controllers - you are
not going to notice a huge impact on how you do things anyhow, unless there
are a lot of different bandwidth connections. Windows 2000/3 Active Directory
is based on replication, and it can cause networking problems and bottlenecks
when it gets itself confused and is using all of the available bandwidth, but
these services can be stopped if they are bringing things to a halt whilst you
work out what is going on.
Active Directory does do some funny things just because of the order in which
it is created, so make sure you design your upgrade path from the center of
your network, where the most bandwidth lies, moving out gradually toward the
more remote, slower sites. But all of this is scare-mongering as much as
anything else. If you are just upgrading or designing a single LAN network
then the most important part is to choose the correct specification of servers
and make sure you have checked with manufacturers and software designers that
the upgrade paths have been tested and are supported. (This still doesn't
guarantee anything, so if you can, test it on a dummy example.) The worst kind
of Microsoft designers are those who come to the job with all of the AD
knowledge in the world but have neglected to think about where the servers
will be plugged in. Try to effect a policy of security and robustness in where
the servers are and how they are looked after, as well as in how Windows is
configured. Many server compromises are at source; remember that.
Some services work better together than others. The Domain Controllers should
be DNS servers: there is no point having a domain controller if it has no
access to DNS, and running DNS on it avoids the risk of losing communications
while adding and removing Domain Controllers, which can lead to catastrophic
results. If there is a DNS server on board then you always at least have a
single copy of what is happening in the domain, and it can be replicated once
network communications have been restored. If there is only one DC in a site
then it should be set as a Global Catalog; a Global Catalog keeps a copy of
every object in the forest, and if a site needs information on part of the
forest it must be able to retrieve it without running home to mumma down a
slow connection. Sometimes replication to more remote sites must be scheduled
for when the office is out of use, to conserve bandwidth, but replication can
always be halted if a connection is beginning to feel the strain. Sites are
important and define the replication characteristics of Active Directory. A
site boundary should indicate where there is a connection to the main LAN
over a lower bandwidth; just because you need a separate Windows 2003 site
doesn't mean a separate Exchange site - Exchange is another animal when it
comes to designing site boundaries.
A dedicated Domain Controller is always a good idea: a server that can deal
with the FSMO roles, which need not be distributed over different servers
unless your domain exceeds 2000 clients. The FSMO roles are a difficult point
because they are single entities for an entire domain. With enough changes
being made to the domain the workload can become such that you will have to
redistribute the roles to multiple servers; the naming role and the schema
and operations masters are a good place to start. As a rule, if you are
including Microsoft Exchange, the Domain Controllers should have the Active
Directory Connector for Microsoft Exchange installed, and a DC is also a good
machine to have in charge of your antivirus and DHCP. WINS should be phased
out once all clients and servers have been moved over to 2000/3 or XP, and
your network performance and reliability should start to increase as duplicate
WINS entries and the need to replicate the WINS servers become things of the
past.
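Two of the placement rules above are easy to verify mechanically: every DC should be running the DNS Server service, and a site whose only DC is not a Global Catalog will be making every forest-wide lookup over the slow link. The PowerShell below is an added example, not code from the original article. `Get-SitePlacementReport` collects the live data (it assumes the ActiveDirectory module and remote service access from Windows PowerShell 5.1, where `Get-Service -ComputerName` is available); `Get-PlacementWarnings` is pure logic and is exercised here on a constructed sample, with the host and site names being invented.

```powershell
# Added example, not from the original article.

function Get-SitePlacementReport {
    # Live collection for DCs of the current domain; needs the ActiveDirectory module
    Import-Module ActiveDirectory
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Get-Service -ComputerName exists in Windows PowerShell 5.1 (not in PowerShell 7)
        $dnsRunning = $false
        try { $dnsRunning = (Get-Service -ComputerName $dc.HostName -Name DNS -ErrorAction Stop).Status -eq 'Running' } catch { }
        [pscustomobject]@{
            HostName        = $dc.HostName
            Site            = $dc.Site
            IsGlobalCatalog = $dc.IsGlobalCatalog
            DnsRunning      = $dnsRunning
        }
    }
}

function Get-PlacementWarnings {
    # Applies the two rules from the text to a report (live or constructed)
    param([Parameter(Mandatory)][object[]]$Report)
    $warnings = New-Object System.Collections.Generic.List[string]
    foreach ($site in ($Report | Group-Object -Property Site)) {
        $gcCount = @($site.Group | Where-Object IsGlobalCatalog).Count
        if ($site.Count -eq 1 -and $gcCount -eq 0) {
            $warnings.Add("Site '$($site.Name)': its only DC ($($site.Group[0].HostName)) is not a Global Catalog")
        }
    }
    foreach ($dc in ($Report | Where-Object { -not $_.DnsRunning })) {
        $warnings.Add("$($dc.HostName): DNS Server service is not running")
    }
    return $warnings
}

# Constructed sample standing in for Get-SitePlacementReport output (names are invented)
$sample = @(
    [pscustomobject]@{ HostName = 'dc1.example.local'; Site = 'HeadOffice'; IsGlobalCatalog = $true;  DnsRunning = $true  },
    [pscustomobject]@{ HostName = 'dc2.example.local'; Site = 'HeadOffice'; IsGlobalCatalog = $false; DnsRunning = $true  },
    [pscustomobject]@{ HostName = 'dc3.example.local'; Site = 'Branch';     IsGlobalCatalog = $false; DnsRunning = $false }
)
Get-PlacementWarnings -Report $sample
# Against a live domain: Get-PlacementWarnings -Report (Get-SitePlacementReport)
```

The constructed sample yields two warnings, both for dc3 in the Branch site; dc2 in HeadOffice is not flagged because another GC exists in that site.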
Always change the logon name for the Administrator account to something
difficult to guess, as a lot of the scripts that people run trying to
compromise security rely on password lists, which presupposes the
Administrator account login name.
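The rename is simple to script, and the script is also the place to record the one caveat that matters: the built-in Administrator keeps its SID (always ending in RID 500) whatever it is called, so the new name is camouflage against guessing scripts and not a substitute for a strong password and monitoring of that account. The PowerShell below is an added example, not code from the original article; it locates the account by SID rather than by name, reports its state, and renames both the logon name and the object. It assumes the ActiveDirectory module and Domain Admin rights, and the new name is a placeholder.

```powershell
# Added example, not from the original article. Needs the ActiveDirectory module and
# Domain Admin rights. The new account name below is a placeholder.
Import-Module ActiveDirectory

function Get-BuiltinAdministrator {
    # Find the account by its SID (domain SID + RID 500) so the lookup still works
    # after a rename, when searching by the name 'Administrator' would find nothing
    $domainSid = (Get-ADDomain).DomainSID.Value
    Get-ADUser -Identity "$domainSid-500" -Properties Enabled, LastLogonDate, PasswordLastSet
}

function Rename-BuiltinAdministrator {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$NewName)
    $admin = Get-BuiltinAdministrator
    if ($PSCmdlet.ShouldProcess($admin.DistinguishedName, "rename to $NewName")) {
        # Both the logon name (sAMAccountName) and the object's name (cn) change;
        # the SID does not, so the rename hides the name but not the account
        Set-ADUser -Identity $admin -SamAccountName $NewName
        Rename-ADObject -Identity $admin -NewName $NewName
    }
}

Get-BuiltinAdministrator | Format-List SamAccountName, Enabled, LastLogonDate, PasswordLastSet
Rename-BuiltinAdministrator -NewName 'placeholder-admin-name' -WhatIf   # drop -WhatIf to apply
```

Running `Get-BuiltinAdministrator` on its own after the rename is the quickest way to confirm the change took and to review when the account last logged on.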