Exam 70-219 - Designing a Microsoft® Windows® 2000 Directory Services Infrastructure
Analyzing Business Requirements
It is important to identify the business model in place for a
number of reasons. Key among them is the fact that similar
businesses often have similar needs and requirements. Knowing the
geographic scope can help define the infrastructure employed by the
IT department. The geographic models and scopes can be summarized
as:
| Model | Comment |
| --- | --- |
| Regional | When implementing technologies within companies restricted to regional boundaries, you can often pay less attention to such things as international translations than you would with other models. |
| National | Of a grander scale than regional, but you can still often overlook many factors such as international regulations. |
| International | Attention must be paid to translations, regulations, and laws, and representatives from all countries should be involved in IT decision-making processes. |
| Subsidiary | When working with a subsidiary of a larger conglomerate, make certain that the solution generated will be acceptable to the parent company. |
| Branch office | You must go to lengths to verify that solutions implemented here work with the technologies employed throughout the rest of the company. |
During the design phase, it is important to ask such questions
as:
- Who is in charge of each department?
- Who manages user accounts (are central policies used)?
- Who manages resource accounts?
- How is administration divided?
- Who must sign off on purchases and policies?
All processes employed by the company should be documented and
diagrammed. Of key importance are company processes related to:
| Process | Comment |
| --- | --- |
| Information flow | This typically follows the organization chart, but can differ with geographic breaks. |
| Communication flow | It differs from information flow in that it often lacks formal structure and comes about as a result of communication with others (customers, vendors, etc.). |
| Service/Product lifecycles | Consider the lifespan of the product: this differs for each product. A computer book may be expected to last 12 months, while a weekly magazine has a lifespan of only 1/52nd of that. |
| Decision-making | This can follow the organizational chart, or be completely dispersed if the company practices empowerment. |
It is important to analyze existing and planned organizational
structures when deciding business requirements. These categories can
break down into the following key areas:
- Management model - determine if you are dealing with a
family-owned, privately held business, or a public company with a
CEO and Board of Directors. In the latter, operation and ownership
become separate, and can be driven by the need for profit and
quick solutions versus long-term planning. Different risk models
can be associated with different management models.
- Company organization - some organizations are divided by
products (transmissions in one division, four-wheel-drive axles in
another, etc.), while other organizations divide operations and
responsibilities purely on geographic terms.
- Vendor/partner/customer relationships - know the contact
points and whether web presence is offered on an Internet,
intranet, and/or extranet basis.
- Acquisition plans - is the company you are designing a
solution for actively seeking acquisitions (meaning you must plan
for future growth), or are they a likely acquisition target?
Factors that can influence company strategies are many. For the
exam, you should know the following five:
- Company priorities - never assume these are constant. They can
change with management teams, market shifts, etc.
- Projected growth and growth strategy - how is expansion
accomplished (acquisition, divestiture, franchises, and so on)?
- Relevant laws and regulations - these are always subject to
change, and must be watched carefully. Is the company in a
high-profile position (such as house arrest) to be greatly
affected by new legislation? Do they work with encryption,
spamming, or other areas popular with lawmakers? Are there local
laws, or international laws, that can affect the organization?
- Company's tolerance for risk - how does the company weigh risk
against profit: vulnerability against value? Do they employ basic
security devices on sites, such as firewalls, SSL (Secure Sockets
Layer), and such? Do they employ physical security at the facility
such as card readers, badges, and the like? Do they insist new
employees receive training, or are they turned loose for
on-the-job training in all instances?
- Total cost of operations - what is the value of the company's
data; of the IT staff's budget; of having server access 24 hours a
day versus 8, etc.? Microsoft uses seven categories to group
budgeted costs: hardware and software costs, management costs,
development costs, support costs, communication costs, end-user
costs, and downtime costs.
The structure of IT management should weigh heavily in the
analysis of business requirements. Factors that help understand the
management structure are shown in the following table:
| IT Factors | Comment |
| --- | --- |
| Administration type | This can be centralized or decentralized. A classic example of the former would be a segment of government such as HUD or OSHA: all administrators are stationed in Washington, D.C., while branch offices exist throughout the United States, and whenever a branch office needs administration, such as installing new software, it is done remotely (often through SMS). With a decentralized model, one or more administrators are stationed at each branch office to handle the needs of that office. Hybrid administration has most of the functions performed at a central location, but one or more key contact people are on site to handle lesser responsibilities. |
| Funding model | Funding can be crucial in implementing technologies. If the IT department is run as a profit center, the departments it administers are charged for services provided: this can be useful in acquiring new software and distributing the cost among the many departments that can benefit from it. If the IT department is run as a cost center (a fixed cost that appears as a liability on the balance sheet), it can be more difficult to gain approval to spend additional dollars beyond those already allotted for a set time period. |
| Outsourcing | Outsourcing is often used because certain needs must be met that cannot be handled internally. These can include the need for IT professionals in a tight labor market, the need for occasional service at branch offices, international/temporary needs, and so on. While outsourcing is a good way to solve such issues, it can present problems down the road when you cannot find the group who implemented a solution because they have moved on, and the solution now has problems. |
| Decision-making process | Does the Chief Technology Officer need to approve all expenditures, or can they be signed off at a lower level? Does the CTO need to approve all solutions, or does he/she make certain that a solution one department generates is adopted by other departments? Is there autonomy within the divisions, or do they work together to contribute to decisions that affect all? |
| Change management | Is there a structure in place or not? When changes occur, what procedure is followed? If there is no procedure, chaos can result; if there is too much procedure, no change will ever occur. |
Analyzing Technical Requirements
When evaluating the company's technical environment, always
factor in the existing as well as the planned environment, and
differences between the two. Be sure to look at the following
factors:
| Technical Factors | Comment |
| --- | --- |
| Company size | The geographic scope as well as the owner or organization responsible for the company. |
| User and resource distribution | Where are the users, and how are they serviced (DNS, WINS, DHCP, etc.)? How do they reach the resources (servers, printers, and such) they need (hubs, switches, routers, bridges, modems, proxy servers...)? |
| Connectivity between sites | What bandwidth is employed? Are there leased lines, or dial-up connections (with or without multilink; see KB# QB235610)? What are the topologies employed (star versus mesh)? |
| Performance requirements | Are users connecting only for authentication, or for the entire session (such as with Terminal Server)? Find out the peak utilization, the type of circuits used, the requirements of applications, and so on. During this analysis, it is important to identify any bottlenecks and create a baseline from which to judge future modifications. |
| Access patterns | Are all the resources centralized, or are they dispersed? When users need to access a resource, is it within their LAN 80% of the time, or only 20% (meaning they access the WAN 80% of the time)? Do users go through firewalls, and/or do they use encryption? If they do use encryption, is it for the password, the data, or both? Authentication can be accomplished through the following protocols, which may be used in conjunction with one another (KB# Q227815): CHAP (Challenge Handshake Authentication Protocol), one step above PAP in that it does not use clear-text passwords; EAP (Extensible Authentication Protocol), where the client and the server negotiate the method that will be used, in much the same way that networking protocols are determined, with possible choices including one-time passwords, username/password combinations, or access tokens; MS-CHAP (Microsoft Challenge Handshake Authentication Protocol), which requires the client to be using a Microsoft operating system (version 2), or a small handful of other compatible OSes (version 1); PAP (Password Authentication Protocol), which uses a plain-text password authentication method and should only be used if the clients you support cannot handle encryption; SPAP (Shiva Password Authentication Protocol), a shade above PAP, present for backward compatibility and not favored for new installations. |
| Network roles and responsibilities | Roles can be defined as administrative, or associated with a user, a service, or other. Administrative roles are those predefined by the operating system with additional responsibilities above a user; examples include Administrator, Backup Operator, and Server Operator. User roles simply have the right to log on and use network resources. Service roles run as services, without user interaction, in the operating system. Other roles include being an application, a group, or an owner. |
| Security considerations | What are the needs of the organization, and what operating systems does the organization support? Can everything standardize upon TCP/IP (which offers the ability to use numerous security features like IPSec and filters), or must NetBEUI (insecure) be used, along with NWLink (the IPX/SPX-compatible transport; KB# Q203051) and other protocols? Is it possible to use Kerberos, RADIUS, and EFS (Encrypting File System)? Must all solutions work with third-party tools? The most effective means of implementing security with Windows 2000 clients is through the use of Group Policies. |
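The PAP-versus-CHAP distinction drawn under "Access patterns" is easiest to see on the wire. The following is an added example, not code from the original cram sheet: it models a PAP Authenticate-Request and a full RFC 1994 CHAP round trip (challenge, MD5 response, verification) so you can check which exchange exposes the shared secret and whether a captured response can be replayed. The shared secret and the fixed challenge in the test are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample secret shared between the dial-up client and the access server.
SHARED_SECRET = b"correct horse battery staple"


def pap_request(username: str, password: bytes) -> bytes:
    """Model the payload of a PAP Authenticate-Request.

    PAP (RFC 1334) carries the password itself, so anyone who can read the
    link reads the credential. This is why the page restricts PAP to clients
    that cannot handle anything better.
    """
    return username.encode("ascii") + b"\x00" + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(secret: bytes, challenge: Optional[bytes] = None) -> dict:
    """Walk one CHAP round trip and return what each side sent."""
    challenge = challenge if challenge is not None else os.urandom(16)
    identifier = 0x01
    # Server -> client: Challenge packet (identifier, random challenge value).
    # Client -> server: Response packet (identifier, MD5 digest, name).
    response = chap_response(identifier, secret, challenge)
    # Server -> client: Success or Failure, depending on the verification.
    return {
        "challenge": challenge,
        "response": response,
        "accepted": chap_verify(identifier, secret, challenge, response),
    }


def secret_on_wire(payload: bytes, secret: bytes) -> bool:
    """True if the shared secret appears verbatim in what crossed the link."""
    return secret in payload


def replay_rejected(secret: bytes) -> bool:
    """A captured CHAP response is useless against a fresh random challenge."""
    first = chap_exchange(secret)
    fresh_challenge = os.urandom(16)
    return not chap_verify(0x01, secret, fresh_challenge, first["response"])


if __name__ == "__main__":
    print("PAP exposes secret:", secret_on_wire(pap_request("alice", SHARED_SECRET), SHARED_SECRET))
    outcome = chap_exchange(SHARED_SECRET)
    print("CHAP accepted:", outcome["accepted"], "secret visible:", secret_on_wire(outcome["response"], SHARED_SECRET))
    print("CHAP replay rejected:", replay_rejected(SHARED_SECRET))
```

One design caveat worth keeping in mind when reading the exchange: because the server must recompute MD5 over the secret itself, plain CHAP obliges the access server to store the password in a reversible form. MS-CHAP avoids that by deriving the response from the stored NT hash instead, which is one reason the page lists it separately.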
Speeds employed on WANs differ by technology. The most common
technologies (analog, ISDN, DSL, and cable modems, plus T1/E1 and
T3/E3 leased lines) and their associated speeds are:
| Technology | Comment |
| --- | --- |
| Analog | Traditional modem; requires a single phone line for a connection and is limited in speed to around 57,600bps. |
| ISDN | Integrated Services Digital Network; requires two phone lines, and can reach a speed around 128,000bps. |
| DSL | Digital Subscriber Line; uses existing (copper) phone lines, and is available only in certain areas. You must be within a short distance of a switching station, and speeds can reach 9Mbps. |
| Cable | Works over the coaxial cable from the cable TV company; speed is reduced as the number of users grows, but is approximately 2Mbps. |
| T1/E1 | A T1 is a dedicated line that operates across 24 channels at 1.544Mbps. E1 is the European counterpart: it uses 32 channels and can run at 2.048Mbps. |
| T3/E3 | A T3 is a dedicated line of 672 channels (E3 is the European counterpart) able to run at speeds of 43Mbps. |
When deciding to implement Active Directory on an existing or
planned network, it is important to detail the possible impact of
doing so. The impact should be calculated in terms of:
- Existing systems and applications - for example, current DNS
servers will need to support SRV records
- Existing and planned upgrades and rollouts - identify those
that are in the works and calculate any impact AD could have on
them
- Technical support structure - know what is there now (internal
versus external), and make certain they will understand any
changes before they happen. Verify that there is a budget for any
training that needs to be done and that all relevant
decision-makers are in agreement on the need to support the
existing support staff
- Existing and planned network and systems management - this
should be viewed in terms of the security policy, any and all
network tools used for management, monitoring, and analysis
- Client needs - not only their work needs, but also their
support requirements.
Designing a Directory Service Architecture
Active Directory is a naming scheme that follows the path Forest,
Tree(s), Domains (see Active
Directory Architecture). A forest can consist of a single
domain, or multiple domains (therefore, by definition, a single
domain can also be a tree). A tree is a contiguous namespace,
meaning the child has the parent as part of its name. Each tree has
its own identity within the forest.
A domain is an administrative as well as security boundary since
administrative privileges do not extend past domain boundaries. The
simplest network is one with one domain. Reasons for creating
additional domains would include:
- To isolate replication traffic
- To retain existing NT domain structures
- To support decentralized administration
- To support international boundaries
- To support more than one domain policy
Domains contain objects, or Organizational Units (OUs). An OU is
a container for organizing objects within a domain into logical
sub-groupings. Reasons for creating OUs include:
Active Directory names are equivalent to DNS names and use the
SRV records of DNS to store information about services and thus
create "dynamic DNS". The first division of DNS is into domains. The
InterNIC (Internet Network Information Center) controls top-level
domains, which are summarized in the following table:
| Name | Type of Organization |
| --- | --- |
| Com | Commercial organizations |
| Edu | Educational institutions |
| Org | Non-profit organizations |
| Net | Networks (the backbone of the Internet) |
| Gov | Non-military government organizations |
| Mil | Military government organizations |
| Num | Phone numbers |
| Arpa | Reverse DNS |
| Xx | Two-letter country code, such as "ca" for Canada, "uk" for United Kingdom, etc. |
To refer to a host in a domain, you use a fully qualified domain
name (FQDN). The Relative Distinguished Name is the host name of the
computer, while the User Principal Name consists of a user logon
name and a domain name identifying the domain in which the user
account is located.
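The page says twice that Active Directory depends on DNS SRV records (existing DNS servers must support them, and AD uses them to store service locations), but never shows what a client does with one. As an added example, not code from the original page, the following parses SRV records from zone-file text and selects a domain controller the way an SRV-aware client does: lowest priority first, weighted random choice within a priority level, and failover to the next level only when every server in the current one is unreachable. The zone text and host names are constructed samples; the `_ldap._tcp.dc._msdcs.<domain>` owner name is the one Windows 2000 domain controllers actually register under.

```python
import random
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is preferred (RFC 2782)
    weight: int     # relative share among records of equal priority
    port: int
    target: str     # host name of the server offering the service


def dc_locator_name(domain: str) -> str:
    """Owner name under which Windows 2000 DCs register their LDAP service records."""
    return "_ldap._tcp.dc._msdcs." + domain.strip(".") + "."


def parse_srv_zone(zone_text: str) -> Dict[str, List[SrvRecord]]:
    """Parse 'name [ttl] [IN] SRV priority weight port target' zone-file lines."""
    records: Dict[str, List[SrvRecord]] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if "SRV" not in fields:
            continue
        i = fields.index("SRV")
        name = fields[0].lower()
        priority, weight, port = (int(x) for x in fields[i + 1:i + 4])
        target = fields[i + 4].lower()
        records.setdefault(name, []).append(SrvRecord(priority, weight, port, target))
    return records


def select_target(records: Iterable[SrvRecord],
                  unreachable: Set[str] = frozenset(),
                  rng: Optional[random.Random] = None) -> Optional[SrvRecord]:
    """Pick one server as a simplified RFC 2782 client would.

    Lowest priority wins; within a level the choice is random in proportion to
    weight (a weight-0 record is used only when no weighted sibling is left).
    Servers already found unreachable are skipped, so the next priority level
    is consulted only once a whole level is exhausted.
    """
    rng = rng or random.Random()
    live = [r for r in records if r.target not in unreachable]
    if not live:
        return None
    best = min(r.priority for r in live)
    level = [r for r in live if r.priority == best]
    total = sum(r.weight for r in level)
    if total == 0:
        return rng.choice(level)
    pick = rng.random() * total
    running = 0.0
    for r in level:
        running += r.weight
        if pick < running:
            return r
    return level[-1]


def locate_dc(zone_text: str, domain: str, unreachable: Set[str] = frozenset()) -> Optional[str]:
    """Resolve the DC-locator name for a domain and return the chosen DC's host name."""
    records = parse_srv_zone(zone_text).get(dc_locator_name(domain), [])
    chosen = select_target(records, unreachable)
    return chosen.target if chosen else None


# Constructed sample zone fragment (not from any real DNS server).
SAMPLE_ZONE = """
; two DCs at the preferred priority, one standby at a worse priority
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 0 389 dc2.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 10 100 389 dc3.example.com.
"""

if __name__ == "__main__":
    print("preferred DC:", locate_dc(SAMPLE_ZONE, "example.com"))
    print("with dc1 down:", locate_dc(SAMPLE_ZONE, "example.com", {"dc1.example.com."}))
```

The failover behaviour is the design point for service placement: a DC registered at a worse priority is never used while any preferred DC answers, so priority and weight values must be planned per site rather than left at defaults if you want traffic to stay local.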
Windows 2000 uses a multi-master replication model, and the
primary unit of replication is the domain. When domain controllers
need to replicate, they examine the values of their Update Sequence
Number (USN) for each object, and only replicate the attributes
whose objects contain differing USNs. A site (comprised of one or
more physical subnets) is a way to create replication boundaries
within the Active Directory. Working at the physical layer, a site
can consist of multiple domains, and domains can operate in multiple
sites.
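To make the USN mechanism concrete, here is an added example (not code from the original page) of a toy multi-master replication cycle: each domain controller stamps every attribute it writes with its own Update Sequence Number, a pulling partner remembers the highest USN it has already received from each source, and only attributes whose local USN exceeds that watermark cross the wire. It is a deliberate simplification of the real mechanism (Active Directory also keeps an up-to-dateness vector and resolves conflicts with timestamps and originating-DSA identifiers, neither of which is modelled here); the DC names and the user object are constructed samples.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Attribute:
    value: str
    local_usn: int   # USN this DC assigned when it last wrote the attribute
    version: int     # bumped only by originating writes; used to detect echoes


class DomainController:
    """Toy DC holding one naming context; replication is pull-based, as in AD."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.highest_usn = 0
        self.objects: Dict[str, Dict[str, Attribute]] = {}
        # Per-partner high-watermark: the partner's USN up to which we have already pulled.
        self.high_watermark: Dict[str, int] = {}

    def _next_usn(self) -> int:
        self.highest_usn += 1
        return self.highest_usn

    def write(self, dn: str, attr: str, value: str) -> int:
        """Originating write: new version and a fresh local USN. Returns the USN used."""
        obj = self.objects.setdefault(dn, {})
        prev = obj.get(attr)
        version = prev.version + 1 if prev else 1
        obj[attr] = Attribute(value, self._next_usn(), version)
        return obj[attr].local_usn

    def changes_since(self, usn: int) -> List[Tuple[str, str, Attribute]]:
        """Source side: only attributes whose local USN exceeds the requester's watermark."""
        out = [(dn, name, a)
               for dn, attrs in self.objects.items()
               for name, a in attrs.items()
               if a.local_usn > usn]
        return sorted(out, key=lambda t: t[2].local_usn)

    def pull_from(self, source: "DomainController") -> int:
        """Destination side of one replication cycle; returns attributes applied."""
        watermark = self.high_watermark.get(source.name, 0)
        applied = 0
        for dn, name, incoming in source.changes_since(watermark):
            mine = self.objects.setdefault(dn, {}).get(name)
            # Apply only strictly newer versions: an attribute that originated here
            # and is now offered back carries the same version and is skipped.
            if mine is None or incoming.version > mine.version:
                self.objects[dn][name] = Attribute(incoming.value, self._next_usn(), incoming.version)
                applied += 1
            watermark = max(watermark, incoming.local_usn)
        self.high_watermark[source.name] = watermark
        return applied

    def get(self, dn: str, attr: str) -> str:
        return self.objects[dn][attr].value


def demo() -> Tuple[int, int, int, int]:
    """Run a short scenario and return how many attributes each pull carried."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    user = "CN=Alice,OU=Sales,DC=example,DC=com"   # constructed sample object
    dc1.write(user, "telephoneNumber", "555-0100")
    dc1.write(user, "title", "Analyst")
    first = dc2.pull_from(dc1)     # both attributes are new to DC2
    second = dc2.pull_from(dc1)    # nothing changed on DC1 since the watermark
    dc1.write(user, "title", "Senior Analyst")
    third = dc2.pull_from(dc1)     # only the changed attribute crosses the wire
    echo = dc1.pull_from(dc2)      # DC2's copies carry versions DC1 already holds
    return first, second, third, echo


if __name__ == "__main__":
    print("attributes replicated per pull (first, second, third, echo):", demo())
```

The per-partner watermark is what keeps a site with many domain controllers from re-sending the whole directory on every cycle, and the version check is what stops a change from bouncing between partners indefinitely; both are worth keeping in mind when reading replication traffic figures produced by REPLMON or REPAdmin.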
The purpose of the Knowledge Consistency Checker (KCC) is to
generate a replication topology for both intra-site and inter-site
replication. Within a site, replication traffic is done via Remote
Procedure Calls over IP, while between sites it is done through
either RPC or SMTP (see "How to Optimize Active Directory
Replication in a Large Network", KB# Q244368)
Site link bridges are used to connect sites together and model
the routing behavior of a network.
There is only one schema per Windows 2000 forest, and it is
maintained forest-wide by virtue of being stored on every domain
controller. Throughout the forest, though, there is only one
write-able copy of the schema – held by the Schema Operations
Master. Modifying the schema is an irreversible operation, thus
schema modification is disabled by default on all domain controllers
and only members of the Schema Admins group can make changes.
The schema container holds all the definitions required to view
the objects in the directory, and each is identified by a globally
unique number known as the Object Identifier (OID). You can view
Schema contents using the Active Directory Schema MMC snap-in, or
the ADSIedit MMC utility.
Designing Service Locations
There are five Operations Master roles:
- Domain Naming Master - allows additions and removals of
domains in the forest
- *Infrastructure Master - updates group-to-user references when
changes occur
- *PDC Emulator - used with older clients
- *RID Master - Relative ID Master - issues IDs to domain
controllers as needed
- Schema Master - controls all updates to the schema
Operations Master placement (see KB# Q223346)
is crucial to load balancing and fault tolerance. It is also
important to convert domain controllers to native mode (no Windows
NT 4.0 domain controllers) to enhance Active Directory performance.
The three roles identified by an asterisk are limited to only one
controller within the forest, while the other two can have duplicates.
Global Catalog Servers (see KB#
Q232517) should be placed in locations to reduce traffic and
help with load balancing and fault tolerance, as well. The first
Global Catalog Server is created automatically with the first domain
controller within the forest. Active Directory Sites and Services -
an MMC snap-in (see Step-by-Step
Guide to Active Directory Sites and Services) - allows you to
change the role of the GCS to another domain controller. In areas
where bandwidth is at a premium, a GCS can be configured to only
receive updates after hours. For speed reasons, a GCS should be
created at each site.
Domain controllers should be created for fault tolerance and
functionality, as needed. It is recommended that the infrastructure
master be placed on a domain controller that is not the global
catalog server to even the load and separate the burden of each
role.
DNS servers can be running Windows 2000, or other operating
systems, provided they accept SRV records. When you install Active
Directory, you must identify a DNS server. If you cannot do so, the
Active Directory Installation Wizard will prompt you to convert the
existing machine into a DNS server as well.
Active Directory is created to be scalable and to interoperate with
other name services (see Active Directory Interoperability and
Metadirectory Overview).
Tools to Know
| Tool | Purpose |
| --- | --- |
| Active Directory Migration Tool (see Active Directory Migration Tool Overview) | Migrate from Windows NT 4.0 to Windows 2000 with Active Directory |
| ADSIedit | View the Active Directory schema |
| Movetree | Move objects within a forest |
| NTDSUTIL.EXE (see KB# Q255504) | Perform many Active Directory administration tasks |
| REPAdmin (see KB# Q229896) | Work with replication between partners |
| REPLMON (see KB# Q232072) | Show the replication topology |
Additionally, a complete list of relevant terms can be found in
the Active
Directory Glossary.