Test 1 Prep.docx

21 Pages

Ryerson University
Information Technology Management
ITM 315
Frank Prychidny

Windows Server 2003, Standard Edition
- For the everyday needs of small to large businesses, or as a departmental server in large environments
- File and print services
- Secure Internet connectivity
- Centralized management of network resources
- Supports up to 4 processors in the server (symmetric multiprocessing)
- Logical upgrade from Windows 2000 Server

Windows Server 2003, Enterprise Edition
- For high-end applications requiring better performance, reliability and availability, e.g. hosting large-scale accounting, manufacturing or inventory systems
- Supports up to 8 processors
- Supports clustering, i.e. linking 2 to 8 servers so they appear to function as one (increases access to server resources)
- An evaluation copy is included with your text
- Enterprise Edition is installed on ITM315 (our server)

Windows Server 2003, Datacenter Edition

Windows Server 2003, Web Edition
- A new product optimized to be a dedicated Web server
- A lower-cost version of Windows Server 2003 meant to compete with Linux in the market for utility servers
- Offers the easy manageability and performance of Windows without the complexity of Linux
- Intended for small to large companies/departments that develop and deploy Web sites (Web server farms)
- Optimized to run Microsoft Internet Information Services (IIS) 6.0
- Takes advantage of the .NET Framework tools and XML Web services
- Supports up to 2 processors

Also: Windows Small Business Server 2003 (not covered in your text)

Windows Server 2003 Features (all editions)
- Centralized administration and management of resources
  - Active Directory allows users, computers, printers, applications, policies and data to be centrally organized and made accessible to users
  - Objects are grouped for easier management into organizational units, domains, trees, forests and sites
  - Web Edition is the only edition that cannot host Active Directory
- Security
  - File and folder permissions
  - Security policies
  - Encryption of data
  - Event auditing
- Scalability and compatibility
  - e.g. Standard Edition can support from 1 to 15,000 user connections and can be scaled to dual-processor computers
  - All editions can coexist with other network operating systems (Novell, UNIX, IBM, etc.) and with many client operating systems (UNIX, Linux, Macintosh, etc.)
- Reliability
  - The OS kernel (the core programs and code of the OS) runs in privileged mode to protect it from problems created by malfunctioning programs/processes, preventing system crashes
- Distributability
  - Supports applications written to distribute functions among multiple computers, i.e. client-server applications
- Fault tolerance and recovery
  - RAID, backup, etc.

Network Security Models
- Two different security models are used in Windows environments: workgroup and domain
- Workgroup
  - A workgroup is a logical group of computers
  - Characterized by a decentralized security and administration model
  - Authentication is provided by a local account database, the Security Accounts Manager (SAM): the local security and account database on a Windows Server 2003 standalone or member server
  - Workgroups should only be used in networks with 10 or fewer client systems, although 20 systems are not uncommon
  - A server is not required, but a Windows Server 2003 system can still be made a part of a workgroup (e.g. for storage)
  - Limitations:
    - Users need unique accounts on each workstation
    - Users manage their own accounts (security issues)
    - Not very scalable
- Domain
  - A domain is a logical grouping of network resources
  - Characterized by centralized authentication and administration
  - Authentication is provided through centralized Active Directory
  - The Active Directory database can be physically distributed across domain controllers
  - Requires at least one system configured as a domain controller
  - Recommended for environments that consist of 10 or more workstations
- Member server: a Windows Server 2003 system that has a computer account in a domain but is not configured as a domain controller
  - Used by all 4 editions
  - Used for a variety of functions, including file, print and application services

What is a Directory Service?
- A container or database for network resources called objects (physical or logical resources)
- Sample objects: computers, printers, user accounts, user groups, shared folders
- Makes it easier to locate and manage network resources
- The directory service in Windows Server 2003 is called Active Directory

Windows Server 2003 Active Directory
- Active Directory provides the following services:
  - Central point for storing and managing network objects
  - Central point for administration of objects and resources
  - Logon and authentication services
  - Delegation of administration
- Stored on domain controllers in the network
- Changes made to any copy of Active Directory are replicated across all domain controllers
  - Multimaster replication
  - Fault tolerance for domain controller failure
- Uses Domain Name Service (DNS) conventions for network resources

Server Roles in Windows Server 2003
- Domain controller: a Windows Server 2003 system explicitly configured to store a copy of the Active Directory database and to service user authentication requests or queries about domain objects
  - Explicitly configured to store a copy of Active Directory
  - Services user authentication requests
  - Services queries about domain objects
  - May be a dedicated server, but is not required to be
- Member server
  - Has an account in a domain
  - Is not configured as a domain controller (i.e. holds no copy of Active Directory)
  - Cannot authenticate users
  - Typically used for file, print, application and host network services

Directory Services and Standards
- X.500 and the Directory Access Protocol (DAP): X.500 is an Internet Standards Organization specification that defines how global directories should be structured
- Lightweight Directory Access Protocol (LDAP): has become the standard directory protocol used on the Internet; an access protocol that defines how users can access or update directory service objects
- Novell Directory Services (NDS)
  - Used for Novell networks
  - Complies with the X.500 standard
- Active Directory
  - Integral to Windows 2000 and Windows Server 2003-based networks
  - Complies with the LDAP standard

Active Directory Schema
- The schema defines the set of possible objects for the entire Active Directory structure
- Only one schema exists for a given Active Directory, replicated across domain controllers
- Two main definitions:
  - Object classes
  - Attributes
- Objects are searchable by attributes

Active Directory Logical Structure and Components
- Active Directory comprises components that enable the design and administration of a network structure that is:
  - Logical
  - Hierarchical
- Components include:
  - Domains and organizational units
  - Trees and forests
  - A global catalog

Domains and Organizational Units
- Domain
  - The basic organizational structure of the Windows Server 2003 networking model
  - Has a DNS name
  - Active Directory is replicated across its domain controllers
- Organizational unit (OU)
  - A logical container used to organize domain objects
  - Makes it easy to locate and manage objects
  - Allows you to apply Group Policy settings
  - Allows delegation of administrative control

Standard Models for OU Structure
- Organization-based (for an organization with a strong divisional structure; each department has its own administrator)
- Location-based (each location has different admin requirements; distributed administration)
- Function- or object-based (small organization where functions span departments)
- Hybrid: location, then organization
- Hybrid: organization, then location

Objectives of OU Design
- Use OUs to enhance the manageability and security of network resources
- Top-level OU design should be based on a relatively static aspect of the organization, e.g. location or object type
- OU design should be consistent across all domains in the network
- OUs are more flexible than domains

Trust Relationships
- Allow objects in one domain (the trusted domain) to access resources in another (the trusting domain)
- One domain allows another domain to authenticate its users
- Windows Server 2003 supports 6 types of trust relationships
- Two-way transitive trust: a security relationship between domains in the same domain tree in which one domain grants every other domain in the tree access to its resources and, in turn, that domain can access the other domains' resources

Single Domain Model: Advantages
- No need to plan trust relationships with other domains
- Easy to support a strong, centralized IT staff
- User and group planning is simpler
- Implementation of Group Policy is simpler
- A single domain can hold 1 million+ objects
- Rely on OUs to organize objects in the domain and delegate administrative control
- Simpler = lower total cost of ownership
- User authentication is simpler and faster within a single domain, regardless of where the user is located
- Simpler to modify when needed, for example if the company is reorganized: it is far easier to create new OUs and move objects to them than to do the same with domains

Reasons for Using Separate Domains
- To facilitate decentralized administration of network resources
- Different namespaces for different locations
- To reduce the amount of replication traffic across slow WAN links more than you can by dividing a domain into multiple sites
- User account requirements that vary among locations (e.g. password complexity) can only be handled by separate domains
- International legal and language needs
- Massive organizations can be broken down

Forest root domain: the first domain created within Active Directory
Forest: a collection of Active Directory trees that do not necessarily share a contiguous DNS naming convention but do share a common global catalog and schema
Global catalog: an index of the objects and attributes used throughout the Active Directory structure; it contains a partial replica of every Windows Server 2003 domain within Active Directory, enabling users to find any object in the directory

Characteristics of a Tree
- It is sometimes necessary to create multiple domains within an organization, e.g.:
  - Company divisions administered on a geographic basis
  - Different password policies required
  - Too many objects for one domain
  - To optimize replication performance
- The first Active Directory domain is the forest root domain
- A tree consists of member domains in a contiguous namespace
- Member domains compose a hierarchy with automatic two-way transitive trust relationships
- Member domains use the same schema, ensuring that object classes and attributes are consistent
- Member domains use the same global catalog

Global Catalog
- An index and partial replica of the most frequently used objects and attributes across all domains
- Facilitates finding resources and logging in across multiple domains
- The first DC in the forest root domain automatically becomes the global catalog server
- Replicated to any server in the forest configured to be a global catalog server
- One global catalog server per site is recommended to improve authentication performance

Characteristics of a Forest
- A grouping of trees
- Domains in each tree are contiguously named
- Trees have disjointed names
- Each top-level domain in a forest shares a two-way transitive trust
- Trees share the same schema and global catalog
- The only time it makes sense to use a forest is when two companies merge and want to maintain their separate identities (and DNS namespaces)

Physical Network Structure
- The physical structure is fairly simple compared to the logical structure
- The components of the physical network structure are domain controllers and sites
- Domain controllers
  - A server running Windows Server 2003 that has Active Directory services installed
  - Holds a complete replica of that domain's directory partition (a master copy)
  - Locally resolves queries for objects in its domain and refers queries about information it does not hold to DCs in other domains
  - Manages changes to directory information and replicates those changes to other DCs
- Sites
  - Physical structure, distinct from the logical structure
  - It is important to consider the effect of Active Directory replication traffic and authentication requests on physical resources
  - A site is a group of domain controllers that exists on one or more IP subnets connected by a fast, reliable network connection (fast = at least 1 Mbps)
  - Within a site, replication happens automatically
  - A site link is a configurable object that represents a connection between sites; it is required to allow replication between sites
  - Sites are configured to enable clients to access the closest DC

Geographical Design Considerations
- Identify the various physical locations of the company's departments and divisions
- Your design goal is to reduce network traffic across WAN links
- Does this mean you need to create separate domains for each geographic area?
- You can use one domain for the entire organization, then:
  - Use sites to distinguish geographic boundaries for the purpose of controlling network traffic, and
  - Use OUs to distinguish geographic boundaries for the purpose of administration

Active Directory Guidelines
- Keep the Active Directory implementation as simple as possible
- Implement the least number of domains possible (a single domain unless there is a reason not to)
- Use OUs to reflect the organizational structure (instead of using less flexible domains for this purpose)
- Create only the number of OUs that are necessary (and no more than 10 levels deep)
- Use domains for natural security boundaries
- Implement trees and forests only as necessary
  - Use trees for domains that have a contiguous namespace
  - Use forests for multiple trees that have disjointed namespaces between them (e.g. a merger of companies)
- Use sites where there are multiple IP subnets and geographic locations, to control network traffic

Function of the Root Domain
- You can leave this domain nearly empty, with only built-in accounts such as the Enterprise Admins group, or you can choose to populate it with OUs, security principals and other objects
- In a small company, the root domain is likely all that is needed
- In a multi-domain environment, the advantages of leaving the root domain sparsely populated are:
  - It replicates faster (because it is smaller) and provides an additional measure of fault tolerance, so the "brainstem" is always replicated and protected in the event of a disaster at lower levels
  - Tighter control over domain administration in the lower-level domains: only the administrator and a small group of forest-wide administrators are located in the root and reign supreme
  - Isolated from changes to company structure
- In a multi-domain environment, the disadvantages of leaving the root domain sparsely populated are:
  - An additional level in the domain hierarchy adds complexity
  - Cost of additional domain controllers
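The tree and forest structure described under Trust Relationships, Characteristics of a Tree and Characteristics of a Forest (and the trees/forests guideline above), worked through as an added Python example that is not part of the course notes: domains are grouped into trees by contiguous DNS namespace, and the chain of two-way transitive trusts between any two domains is derived. The forest, its domain names and the function names are all constructed for this example.

```python
"""Group Active Directory domains into trees by contiguous DNS namespace and derive
the transitive-trust path between two domains. Added example for these notes, not
course or Microsoft code; the forest below is constructed."""

FOREST = [  # constructed sample: one forest holding two trees with disjoint namespaces
    "example.com", "corp.example.com", "sales.corp.example.com", "eu.example.com",
    "contoso.com", "research.contoso.com",
]


def build_forest(domains):
    """Return ({tree_root: [domains in that tree]}, {domain: parent domain or None}).

    A domain is the child of the domain whose DNS name it extends by exactly one label
    (contiguous namespace); a domain with no such parent in the forest is a tree root,
    so the trees end up with disjointed names, as the forest characteristics say.
    """
    names = set(domains)
    parents = {}
    for d in domains:
        parent = d.split(".", 1)[1] if "." in d else ""
        parents[d] = parent if parent in names else None
    trees = {}
    for d in domains:
        root = d
        while parents[root]:
            root = parents[root]
        trees.setdefault(root, []).append(d)
    return trees, parents


def trust_path(src, dst, parents):
    """Domains traversed by the two-way transitive trusts that let src reach dst.

    Parent-child trusts link a tree; tree roots are linked by a tree-root trust. The
    path climbs from src to the lowest shared ancestor (or to src's tree root and
    across to dst's tree root when the trees differ) and then descends to dst.
    """
    up = _chain_to_root(src, parents)
    down = _chain_to_root(dst, parents)
    if up[-1] == down[-1]:  # same tree: meet at the lowest common ancestor
        common = next(d for d in up if d in down)
        return up[: up.index(common)] + down[down.index(common)::-1]
    return up + down[::-1]  # different trees: cross the tree-root trust


def _chain_to_root(domain, parents):
    chain = [domain]
    while parents[chain[-1]]:
        chain.append(parents[chain[-1]])
    return chain
```

Every domain in a forest is reachable this way because all the trusts involved are two-way and transitive; a one-way or non-transitive trust type would need an explicit edge in the model.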
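The site model from the Physical Network Structure and Geographical Design sections (sites spanning IP subnets, clients directed to the closest DC, one global catalog server per site), as an added Python example that is not part of the course notes: a client IP is matched to its site through the subnet table and the domain controllers it should use are selected. The sites, subnets, DC names and function names are constructed for this example.

```python
"""Map a client IP to its Active Directory site through the subnet-to-site table and
pick the domain controllers it should use, as the DC locator does. Added example for
these notes, not course or Microsoft code; sites, subnets and DCs are constructed."""
import ipaddress

SUBNET_TO_SITE = {  # constructed: a site may span several subnets, and subnets may nest
    "10.1.0.0/16": "Toronto",
    "10.1.200.0/24": "Toronto-Lab",   # more specific than 10.1.0.0/16, so it wins
    "10.2.0.0/16": "Vancouver",
    "192.168.50.0/24": "Vancouver",
}
SITE_DCS = {  # constructed: (DC name, is a global catalog server) per site
    "Toronto": [("DC1", True), ("DC2", False)],
    "Toronto-Lab": [("DC3", False)],   # no GC here: cross-domain logons must leave the site
    "Vancouver": [("DC4", True)],
}


def site_for_ip(ip, subnets=SUBNET_TO_SITE):
    """Longest-prefix match of the client address against the subnet table; None if unmapped."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def closest_dcs(ip, need_gc=False, subnets=SUBNET_TO_SITE, dcs=SITE_DCS):
    """DCs the client should be directed to: those in its own site, restricted to global
    catalog servers when need_gc is set (a logon that must search across domains).
    Falls back to DCs in any site, which means the authentication traffic crosses the WAN."""
    site = site_for_ip(ip, subnets)
    in_site = dcs.get(site, []) if site else []
    chosen = [name for name, is_gc in in_site if is_gc or not need_gc]
    if chosen:
        return chosen
    return [name for members in dcs.values() for name, is_gc in members if is_gc or not need_gc]


def unmapped_clients(ips, subnets=SUBNET_TO_SITE):
    """Client addresses outside every configured subnet: these clients get no site
    affinity and may end up authenticating against a distant DC."""
    return [ip for ip in ips if site_for_ip(ip, subnets) is None]
```

Running unmapped_clients over a sample of client addresses is a quick check that the subnet table actually covers the physical network, which the design goal of reducing WAN traffic depends on.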