Saturday, 22 February 2014

Document: Module 3: Integrating Windows 2000 Datacenter Server pptx

Module 3: Integrating Windows 2000 Datacenter Server


Overview
• Identifying Domain Roles
• Identifying Active Directory Considerations
• Identifying Application and Service Requirements
• Managing Servers Running Datacenter Server
• Identifying Tools for Interoperating with Other Operating Systems
• Configuration Check Tool
• Winsock Direct for SANs

*****************************ILLEGAL FOR NON-TRAINER USE*****************************
Before you install Microsoft® Windows® 2000 Datacenter Server, you must
decide whether to configure it as a domain controller or as a member server.
You also need to consider how to design and implement Microsoft
Active Directory, the directory service for Microsoft Windows 2000 Server.
Applications and services that are installed in the data center can have
dependencies or requirements that need to be evaluated if they are configured
for a four-node cluster, critical line-of-business applications, or applications
certified to run on Datacenter Server. As the data center administrator, you can
use several tools and management features in Datacenter Server to manage the
data center efficiently.
This module identifies issues and situations that may occur when you integrate
a data center and Windows 2000 Datacenter Server into your computing
environment. After completing this module, you will be able to configure and
manage Datacenter Server, including:
• Identifying planning considerations for making Datacenter Server the
  domain controller or member server.
• Identifying Active Directory directory service considerations and
  requirements prior to installation of Datacenter Server.
• Identifying application and service considerations and requirements prior to
  installation of Datacenter Server.
• Identifying management services considerations and requirements prior to
  installation of Datacenter Server.
• Identifying tools for interoperating with other operating systems.
• Running the Windows 2000 Datacenter Server Configuration Check tool.
• Identifying the benefits of Winsock Direct for system area networks
  (SANs).
Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about the integration of Windows 2000
Datacenter Server.
Explain the purpose of this module.

Identifying Domain Roles
• Configuring Windows 2000 Datacenter Server as a Domain Controller
• Configuring Windows 2000 Datacenter Server as a Member Server

Windows 2000 Datacenter Server can be either a domain controller or a
member server. Before installing Datacenter Server, you must think about its
role in the data center and identify its role in the domain. Depending on the
applications and services that will be located on Datacenter Server, you may
need to configure Datacenter Server as a domain controller.
An important planning issue is determining where to locate domain controllers
and global catalog servers for your enterprise. This is because after
Active Directory is installed and configured, the majority of Active Directory
traffic is related to Active Directory clients querying Active Directory for
information. Directory replication traffic is usually a less important
consideration, unless the organization is in a state of constant change. Placing a
domain controller at each geographical site optimizes queries but can increase
replication traffic. Nevertheless, placing a domain controller at a site that has
users in that domain is usually the best solution.
It is not recommended that Datacenter Server be installed in a workgroup (not a
member of a domain) because services such as four-node clustering require
domain accounts to function.
Topic Objective: To identify planning considerations and requirements for
making Datacenter Server the domain controller.
Lead-in: Windows 2000 Datacenter Server can be either a domain controller or
a member server.


Configuring Datacenter Server as a Domain Controller
• Install Domain Controller on Datacenter Server to:
  • Protect the forest root
  • Protect operations masters
  • Support large global catalogs
• Datacenter Server as Domain Controller Would Be Justified for:
  • Operations masters and critical services
  • Directory-aware applications
  • Domain accounts for four-node clusters

A server running Windows 2000 Datacenter Server in a domain can have one of
two roles: domain controller or member server. Domain controllers contain
matching copies of the user accounts and other Active Directory data in a given
domain. Multiple domain controllers provide better support for users than just
one domain controller. Multiple domain controllers provide automatic backup
for user accounts and other Active Directory data, and they work together to
support domain controller functions. You would configure Windows 2000
Datacenter Server as a domain controller to:
• Protect the forest root.
• Protect single operation masters.
• Support very large Active Directory schemas.
• Support applications that must be installed on a domain controller.
• Provide high performance with large global catalogs.

Features of Datacenter Server, such as Winsock Direct and Enterprise Memory
Architecture (EMA), are designed to meet the demands of specialized domain
controllers in your computing environment. The increased reliability of
Datacenter Server makes it an ideal system to protect operations masters as well
as the forest root. The expanded EMA support of Datacenter Server can
increase performance in the largest Active Directory implementations. Winsock
Direct provides high bandwidth, low latency communication for super-fast
directory replication within SANs.
Topic Objective: To configure Windows 2000 Datacenter Server as a domain
controller.
Lead-in: Servers running Windows 2000 Datacenter Server in a domain can have
one of two roles: domain controller or member server.


Protecting the Forest Root
The forest root is the domain controller that you promote first. The most
important server in any Active Directory implementation is the forest root. The
forest root is the location of the root domain. It cannot be renamed or removed.
It is the location of the schema master and the domain-naming master. If the
forest root becomes unavailable, your entire Active Directory service structure
ceases to function. If the forest root is permanently unavailable, your forest is
gone and must be rebuilt from scratch. The best place to put the forest root is on
the server in your organization that is the most stable and most reliable.
Datacenter Server is the most appropriate host for the forest root in your
organization.
Protecting Operations Masters
Because Datacenter Server is the most reliable server in the forest, it is the
logical home for the schema and domain-naming masters. In the
Active Directory directory service, there are certain operations that are single
master, which means that they are not permitted to occur in different places in
the network at the same time. These operations, called operations masters, must
be protected and controlled.
Large Global Catalogs
Any Active Directory implementation loads as much of the global catalog into
main memory as possible. This speeds any Active Directory directory service
operations but, depending on available resources, can impede local services on
the domain controller. With up to 64 gigabytes (GB) of memory by using EMA,
Datacenter Server supports fast and large Active Directory structures. Locating
directory services is a decision you may need to make. There are some
considerations that will help you make the best choice for your organization’s
needs.
If the domain tree is large, you should not place a global catalog server at each
site because this can create a large amount of replication traffic. You should place
global catalog servers only at large regional sites. Remember that replication of
modifications made to your Active Directory might take some time to
propagate throughout your enterprise. For example, if you create a new user
account object, it might be a few minutes before the user can actually log on to
the network using the account.
Justification to Locate Directory Services on Datacenter Server
In some cases it is best to have directory services hosted on your
Datacenter Server. It is recommended that you put directory services on
Datacenter Server computers if you must:
• Protect operations masters or other critical services.
• Provide directory services to a directory-aware application.
• Support a server cluster or a number of server clusters.


A Windows-based environment needs a domain controller to service server
clusters. A Windows Clustering server cluster requires access to a
domain controller or it fails. So, if you have clustered critical services on
Datacenter Server, you must have a domain controller accessible by the cluster
to protect cluster services. If the cluster service account cannot authenticate to a
domain controller, the service fails and the server cluster fails with it.


Configuring Datacenter Server as a Member Server
• Make Datacenter Server a Member Server When:
  • You need the highest performance
  • You have reliable directory services local to your data center

A member server is a computer that is running Windows 2000
Datacenter Server and is a member of a domain and not a domain controller.
Member servers belong to a domain but do not contain a copy of the
Active Directory data. Because it is not a domain controller, a member server
does not handle the account logon process, does not participate in
Active Directory replication, and does not store domain security policy
information.
If you are seeking the highest performance from the Datacenter Server
platform, configure it as a member server and do not host Active Directory
services on it. If you have reliable directory services local to your data
center, those services may prove sufficient for your needs.
Topic Objective: To configure Windows 2000 Datacenter Server as a member
server.
Lead-in: A member server is a computer that is running Windows 2000
Datacenter Server and is a member server of a domain and not a domain
controller.

Identifying Active Directory Considerations
• Planning DNS Services in the Data Center
• Active Directory Directory Service Containers
• Securing Access to Datacenter Server by Using Groups
• Group Policy Object Association

Typical multi-application configurations running on Windows 2000
Datacenter Server can include directory-aware applications. Directory-aware
applications can extend the Active Directory schema to include information
critical to the operation of the applications. For example, Active Directory is the
directory service used for Microsoft Exchange 2000 Server and is therefore
critical to the operation of Exchange within an enterprise.
Windows 2000 Active Directory directory service is integrated with and
dependent on the Domain Name System (DNS) as a means of locating services.
DNS is critical to the functioning of Active Directory. When designing a data
center that uses servers running Windows 2000 Datacenter Server, you must
consider the design and implementation of Active Directory to maximize the
performance of the data center. Design decisions on the configuration of DNS,
domain controllers, forest root, and global catalog are critical to provide the
required level of reliability and redundancy for the applications being hosted.
Topic Objective: To describe the considerations for integrating
Active Directory within a Datacenter Server environment.
Lead-in: Typical multi-application configurations on Windows 2000
Datacenter Server can include directory-aware applications.


Planning DNS Services in the Data Center
[Slide diagram labels: Datacenter.microsoft.com, Datacenter]
• DNS Roles:
  • Primary
  • Secondary
  • Integrated
  • Caching only
• Active Directory Integration improves:
  • Redundancy
  • Reduces zone transfers

Active Directory uses DNS as its name location service, so the availability of
DNS within the data center can impact both performance and reliability of
services and applications. Active Directory uses DNS to resolve domain names
into Internet Protocol (IP) addresses, and it can also use non-DNS naming
conventions to locate objects in the directory. These other naming conventions
include:
• The Lightweight Directory Access Protocol (LDAP) naming convention of
  distinguished names and relative distinguished names. This includes LDAP
  Uniform Resource Locators (URLs).
• User principal names for identifying users and groups.
• Security Accounts Manager (SAM) account names for user accounts.
• Universal Naming Convention (UNC) paths for shared network resources.

If the server in the data center is a domain controller, DNS is running locally
and is integrated with Active Directory, but running additional services can
limit performance on the data center server. If the data center server is a
member server, name resolution can be impacted by network speed and
availability. You should ensure that high-speed communication is provided
between the data center servers and the DNS name server.
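
The naming conventions listed above all lead back to a domain whose controllers are located through DNS. As an added example (not part of the original module), this Python code classifies a name into one of those conventions and, where the name carries a DNS domain, derives the `_ldap._tcp.dc._msdcs` SRV name that must resolve from the data center servers; the account and host names are constructed, and treating a UPN suffix as a DNS domain is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote

def split_dn(dn):
    """Split a distinguished name into RDNs, honouring backslash escapes."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped char, e.g. "\," in a CN
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":                         # unescaped comma ends an RDN
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return rdns

def dn_to_dns_domain(dn):
    """Join the DC= components of a DN into a DNS domain name (None if absent)."""
    labels = [r.split("=", 1)[1] for r in split_dn(dn) if r.upper().startswith("DC=")]
    return ".".join(labels).lower() or None

def classify(name):
    """Return (convention, dns_domain) for one name; dns_domain may be None."""
    if name.lower().startswith(("ldap://", "ldaps://")):
        return ("ldap-url", dn_to_dns_domain(unquote(urlsplit(name).path.lstrip("/"))))
    if name.startswith("\\\\"):
        return ("unc", None)      # names a server and share, not a domain
    if re.fullmatch(r"[^\\/@=,]+\\[^\\/@=,]+", name):
        return ("sam", None)      # DOMAIN\user: NetBIOS name, needs a lookup to map
    if re.search(r"(^|,)\s*(cn|ou|dc)=", name, re.I):
        return ("dn", dn_to_dns_domain(name))
    if re.fullmatch(r"[^@\s]+@[^@\s]+", name):
        return ("upn", name.rsplit("@", 1)[1].lower())  # suffix is a candidate only
    return ("unknown", None)

def dc_locator_srv(dns_domain):
    """SRV owner name clients query to find a domain controller for the domain."""
    return f"_ldap._tcp.dc._msdcs.{dns_domain}"

# Constructed sample names (hypothetical accounts and hosts, not from the module).
SAMPLES = [
    "CN=Smith\\, Jo,OU=Admins,DC=Datacenter,DC=microsoft,DC=com",
    "ldap://dc1.datacenter.microsoft.com/CN=Node1,OU=Clusters,DC=datacenter,DC=microsoft,DC=com",
    "clusteradmin@datacenter.microsoft.com",
    "DATACENTER\\clusteradmin",
    "\\\\dc1\\sysvol",
]

if __name__ == "__main__":
    for s in SAMPLES:
        kind, domain = classify(s)
        print(f"{kind:9} {domain and dc_locator_srv(domain)}  <- {s}")
```

SAM and UNC names yield no DNS domain, so services configured with them depend on an extra name lookup before a domain controller can be found.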
A name server can function in one of four roles in the DNS:
• Caching-only name server, which does not contain any zone information
• Master name server, which can provide zone information to secondary name
  servers
• Primary name server, which contains the master copy of the zone file for the
  zones it has authority over
• Secondary name server, which obtains its zone files using a zone transfer
  from a master name server

Topic Objective: To describe how Active Directory uses DNS in a data center.
Lead-in: Active Directory uses DNS as its name location service, so the
availability of DNS within the data center can impact both performance and
reliability of services and applications.


When using Berkeley Internet Name Domain (BIND) based name servers, you
must ensure that redundant primary name servers exist to improve the DNS
reliability. Where DNS traffic within the data center is high, you can implement
multiple caching-only servers to distribute the DNS query load without
incurring zone transfer traffic.
Windows 2000 gives you the option of integrating DNS with Active Directory.
This results in zone data being stored in Active Directory and eliminates the
need to manually configure zone transfers between primary and secondary DNS
servers. This integration provides:
• A more efficient mechanism for zone transfers through the domain
  replication process of Active Directory.
• Additional fault tolerance for the DNS information because all
  Active Directory integrated zones are primary zones and therefore contain a
  copy of the zone data.

Consider integrating your DNS zone information into Active Directory because
this stores the DNS zone information in the distributed Active Directory. This
facilitates and simplifies updates of zone information through replication
between domain controllers and improves the reliability of the DNS service.
Creating a data center domain with multiple domain controllers can improve the
performance of Active Directory queries and the DNS queries while providing
service redundancy.


Active Directory Directory Service Containers
[Slide diagram: Datacenter Server in a site (Site 1 to Site 4), Datacenter
Server in a domain, and Datacenter Server in an organizational unit (OU)]

Windows 2000 Active Directory provides both administrative and user level
access control for information in Active Directory. The Active Directory
structure or hierarchy permits control to be applied at the following levels:
• Forest
• Domain
• Organizational unit
• Site

Forest
An Active Directory forest is a set of one or more domain trees that are
connected by transitive trusts and that share a common schema, configuration,
and global catalog. Each domain tree in the forest defines a non-contiguous
namespace from the forest root. A forest enables a single enterprise to support
multiple namespaces (entities) but still enables the namespaces to be part of the
same Active Directory.
If your enterprise depends on applications such as Exchange 2000, a single
forest is recommended, in which transitive trusts simplify the authentication
requirements. Although a single forest simplifies the Active Directory design
for an enterprise, there can be a requirement to have a unique schema for
computers in a data center. If your data center design includes the requirement
for a unique schema, multiple forests are required, and trusts must be
established to allow authentication for resource access.
The first domain built defines the starting point for the forest and takes on the
special designation as the forest root. The forest root domain is significant in
that you cannot rename or remove the forest root domain after you create it.
Because of the special nature of the forest root, this domain must be protected
and replicated to ensure the domain's availability and recoverability. It is
recommended that the forest root be installed on Datacenter Server to ensure
the highest possible reliability.
Topic Objective: To describe how to plan the DNS services in a data center.
Lead-in: Windows 2000 Active Directory provides both administrative and user
level access control for information in Active Directory.
