
Windows Server 2003 Best Practices for Enterprise Deployments, part 1


Simpo PDF Merge and Split Unregistered Version -
Windows® Server 2003: Best Practices for Enterprise Deployments
Tip&Tec / Windows Server 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x /
Blind Folio i
P:\010Comp\Tip&Tec\343-x\fm.vp
Wednesday, March 26, 2003 4:49:12 PM
Color profile: Generic CMYK printer profile
Composite Default screen
About the Authors
Danielle Ruest is a workflow architect and process consultant focused on people
and organizational issues for large IT deployment projects. During her 22-year
career, she has led change-management processes, developed and delivered
training, and managed communications programs during process-implementation
projects. Danielle is the co-author of numerous articles and presentations as well
as Preparing for .NET Enterprise Technologies, a book on mastering change in
the enterprise.
Nelson Ruest is an enterprise architect specializing in infrastructure design.
He is a Microsoft Certified Systems Engineer and Microsoft Certified Trainer.
The goal of his 22-year career has been to assist organizations in mastering the
technologies they depend upon. He is also a frequent guest speaker at Comdex
and other conferences in North America. Nelson is the co-author of numerous
articles as well as Preparing for .NET Enterprise Technologies.
Both work for Resolutions Enterprises, a Canadian consulting firm that provides services in the architectural and
project management fields.


About the Technical Editor
Stephane Asselin has been involved with information technology for the
past 11 years, with a majority of his time focused on hardware and networking
configurations. He has done infrastructure assessment and host hardening on
Microsoft technologies for five years. He is a Certified Information Systems
Security Professional (CISSP) and a Microsoft Certified Systems Engineer (MCSE).
More recently, he has been involved in supportability reviews for government
agencies to help them prepare for their Windows Server 2003 migration. He is
currently a senior technical account manager for Microsoft Corporation.
Windows® Server 2003: Best Practices for Enterprise Deployments
Danielle Ruest
Nelson Ruest
McGraw-Hill/Osborne
New York / Chicago / San Francisco
Lisbon / London / Madrid / Mexico City / Milan
New Delhi / San Juan / Seoul / Singapore / Sydney / Toronto
McGraw-Hill/Osborne
2100 Powell Street, Floor 10
Emeryville, California 94608
U.S.A.
To arrange bulk purchase discounts for sales promotions, premiums, or fund-raisers, please contact
McGraw-Hill/Osborne at the above address. For information on translations or book distributors outside the
U.S.A., please see the International Contact Information page immediately following the index of this book.
Windows® Server 2003: Best Practices for Enterprise Deployments
Copyright © 2003 by The McGraw-Hill Companies. All rights reserved. Printed in the United States of America.
Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed
in any form or by any means, or stored in a database or retrieval system, without the prior written permission
of publisher, with the exception that the program listings may be entered, stored, and executed in a computer
system, but they may not be reproduced for publication.
1234567890 CUS CUS 019876543
ISBN 0-07-222343-X
Publisher: Brandon A. Nordin
Vice President & Associate Publisher: Scott Rogers
Acquisitions Editor: Franny Kelly
Project Editor: Patty Mon
Acquisitions Coordinators: Emma Acker, Martin Przybyla
Technical Editor: Stephane Asselin
Copy Editor: Lunaea Weatherstone
Indexer: Karin Arrigoni
Computer Designers: Carie Abrew, Lucie Ericksen
Illustrators: Melinda Moore Lytle, Michael Mueller, Danielle Ruest, Lyssa Wald
Series Design: Roberta Steele
Cover Series Design: Jeff Weeks
This book was composed with Corel VENTURA™ Publisher.
Information has been obtained by McGraw-Hill/Osborne from sources believed to be reliable. However, because of the possibility of human
or mechanical error by our sources, McGraw-Hill/Osborne, or others, McGraw-Hill/Osborne does not guarantee the accuracy, adequacy, or
completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
If there is one thing we have learned in our 22 years of
experience, it is that even if technology is constantly changing,
one thing remains the same: we must always take the time to
master a technology before implementing it. But, even before that,
we must fully comprehend our needs. The best way to achieve
this is to work as a team. Including personnel from all areas of
the enterprise can only make a better product in the end.
Thus we dedicate this book to you, the reader, in hopes that
it will help you achieve this goal.
Contents at a Glance
Chapter 1 Planning for Windows Server 2003 . . . . . . . . . . . . . . . . . . . . 1
Chapter 2 Preparing for Massive Installations of Windows Server 2003 . . . . . . . 36
Chapter 3 Designing the Active Directory . . . . . . . . . . . . . . . . . . . . . . . 78
Chapter 4 Designing the Enterprise Network IP Infrastructure . . . . . . . . . . . . . 140
Chapter 5 Building the PC Organizational Unit Infrastructure . . . . . . . . . . . . . 198
Chapter 6 Preparing the User Organizational Unit Infrastructure . . . . . . . . . . . 244
Chapter 7 Designing the Network Services Infrastructure . . . . . . . . . . . . . . . 286
Chapter 8 Managing Enterprise Security . . . . . . . . . . . . . . . . . . . . . . . 348
Chapter 9 Creating a Resilient Infrastructure . . . . . . . . . . . . . . . . . . . . . 408
Chapter 10 Putting the Enterprise Network into Production . . . . . . . . . . . . . . 446
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Contents
Preface, xix
Acknowledgments, xxi
Introduction, xxiii
Chapter 1 Planning for Windows Server 2003 . . . . . . . . . . . . . . . . . . . . . . 1
Windows Server 2003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Building the Foundation of the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
The Server Lifecycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
The Service Lifecycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
A New Model for Server Construction and Management . . . . . . . . . . . . . . . . . . . . 8
The Benefits of the PASS Model . . . . . . . . . . . . . . . . . . . . . . . . . . 11
A Structured Approach: Using Standard Operating Procedures . . . . . . . . . . . . . . . . . 12
SOP Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Enterprise Network Architectures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Building on Windows 2000: The WS03 Model . . . . . . . . . . . . . . . . . . . . . . . . . 15
Product Activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
The Windows Server Enterprise Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Designing the Enterprise Network Architecture . . . . . . . . . . . . . . . . . . . . . . . . 19
The Architectural Design Process . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Performing a Situation Review and Needs Analysis . . . . . . . . . . . . . . . . . 22
The Changing Role of Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Consolidating Servers with Windows Server 2003 . . . . . . . . . . . . . . . . . 23
Using the PASS Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Migration Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Upgrade versus Clean Installation . . . . . . . . . . . . . . . . . . . . . . . . . 28
Using the Technological Lab as a Testing Ground . . . . . . . . . . . . . . . . . . 29
Moving On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Best Practice Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Chapter Roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Chapter 2 Preparing for Massive Installations of Windows Server 2003 . . . . . . 36
Choosing the Migration Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Choosing What to Migrate First . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Detailed Inventories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Security Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Licensing Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Installing and Configuring Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Preparing for Massive Installations . . . . . . . . . . . . . . . . . . . . . . . . 47
Using Installation Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
The Installation Preparation Checklist . . . . . . . . . . . . . . . . . . . . . . . 54
Documenting Server Installations . . . . . . . . . . . . . . . . . . . . . . . . . 54
The Post-Installation Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Massive Installation Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
The Initial Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Customizing Your Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Choosing the Massive Installation Method . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Scripting Upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Disk Imaging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Remote Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Putting the Server in Place . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Best Practice Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Chapter Roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Chapter 3 Designing the Active Directory . . . . . . . . . . . . . . . . . . . . . 78
Introducing Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
New Features for Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . 83
The Nature of Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Designing the Solution: Using the Active Directory Blueprint . . . . . . . . . . . . . . . . . . 87
AD Partitioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
AD Service Positioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Implementation Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Putting the Blueprint into Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Forest/Tree/Domain Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Forest Design Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Production Forest Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Domain Strategy Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Other Forest Domain Designs . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Forest Design Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Designing the Naming Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Naming Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Designing the Production Domain OU Structure . . . . . . . . . . . . . . . . . . . . . . . . 104

The OU Design Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
The PCs Object OU Structure Design . . . . . . . . . . . . . . . . . . . . . . . . 107
The Services Object OU Structure Design . . . . . . . . . . . . . . . . . . . . . . 107
The People Object OU Structure Design . . . . . . . . . . . . . . . . . . . . . . 108
Replicating the OU Structure to Other Domains . . . . . . . . . . . . . . . . . . 109
Production OU Design Best Practices . . . . . . . . . . . . . . . . . . . . . . . . 109
AD and Other Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Microsoft MetaDirectory Services . . . . . . . . . . . . . . . . . . . . . . . . . 113
Integrated Applications for NOS Directories . . . . . . . . . . . . . . . . . . . . 114
AD Integration Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Service Positioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Operation Masters Positioning . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Global Catalog Server Positioning . . . . . . . . . . . . . . . . . . . . . . . . . 118
Domain Controller Positioning . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
DNS Server Positioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Service Positioning Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . 120
Server Positioning Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Site Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Site Topology Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Creating Site Link Bridges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Best Practices for Site Topology Design . . . . . . . . . . . . . . . . . . . . . . . 130
T&T Corporation’s Site Topology Scenario . . . . . . . . . . . . . . . . . . . . . 130
Schema Modification Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

Schema Modification Strategy Best Practices . . . . . . . . . . . . . . . . . . . . 135
AD Implementation Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
The Ongoing AD Design Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Best Practice Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Chapter Roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Chapter 4 Designing the Enterprise Network IP Infrastructure . . . . . . . . . . . 140
TCP/IP in Windows Server 2003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
New IP Features in WS03 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Implementing a New Enterprise Network . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Preparing the Parallel Network . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Creating the Production Active Directory . . . . . . . . . . . . . . . . . . . . . . 152
Forest Staging Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Installing the First Server in a Forest . . . . . . . . . . . . . . . . . . . . . . . . 154
Creation of the Second DC in the Forest Root Domain . . . . . . . . . . . . . . . 167
Creation of the First DC in the Global Child Production Domain . . . . . . . . . . . 171
Creating the Second DC in the Global Child Production Domain . . . . . . . . . . . 173
Connecting the Enterprise Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Network Infrastructure Staging Activities . . . . . . . . . . . . . . . . . . . . . . 176
Server Installation and Configuration . . . . . . . . . . . . . . . . . . . . . . . 176
Configuring the First Network Infrastructure Server . . . . . . . . . . . . . . . . 177
Configuring the Second Network Infrastructure Server . . . . . . . . . . . . . . . 185
Moving Servers and Configuring Domain Replication . . . . . . . . . . . . . . . . 185
Upgrading Active Directory from Windows 2000 to WS03 . . . . . . . . . . . . . . . . . . . 189
The Upgrade Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Ongoing Forest Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Best Practice Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Chapter Roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Chapter 5 Building the PC Organizational Unit Infrastructure . . . . . . . . . . . . 198
Managing Objects with Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Group Policy Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Group Policy Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
GPO Inheritance (and Blocking) . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Policy Loopback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Policy Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Fast Logon Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Policy Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Designing a GPO Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
GPO Application and Processing Speed . . . . . . . . . . . . . . . . . . . . . . . 212
Creating an OU Design for PC Management Purposes . . . . . . . . . . . . . . . . . . . . . 214
Centralized PC Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Decentralized PC Administration . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Designing for Delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Delegation in Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Designing a Delegation Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Enterprise PC Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Software Installations with WS03 . . . . . . . . . . . . . . . . . . . . . . . . . 226
Enterprise Software Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Software Delivery in the Enterprise . . . . . . . . . . . . . . . . . . . . . . . . 229
Completing the OU Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Putting the PCs OU Infrastructure in Place . . . . . . . . . . . . . . . . . . . . . 235
Using the Group Policy Management Console . . . . . . . . . . . . . . . . . . . . . . . . . 239
Best Practice Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Chapter Roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

Chapter 6 Preparing the User Organizational Unit Infrastructure . . . . . . . . . . 244
Managing User Objects with Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . 245
The Active Directory User Object . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Using Template Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Massive User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Managing and Administering Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
WS03 Groups Types and Group Scopes . . . . . . . . . . . . . . . . . . . . . . . 258
Best Practices for Group Management/Creation . . . . . . . . . . . . . . . . . . 260
Creating an OU Design for User Management Purposes . . . . . . . . . . . . . . . . . . . . 266
The People OU Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
User-Related GPO Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Completing the People OU Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Putting the People OU Infrastructure in Place . . . . . . . . . . . . . . . . . . . 280
Best Practice Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Chapter Roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Chapter 7 Designing the Network Services Infrastructure . . . . . . . . . . . . . 286
Preparing File and Print Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Sharing Files and Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Expanding Disks for File Storage . . . . . . . . . . . . . . . . . . . . . . . . . 289
Disk Structure Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Creating the File Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Creating the Folder Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Enabling File Server Services . . . . . . . . . . . . . . . . . . . . . . . . . . . 298

Sharing Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Publishing Shares in Active Directory . . . . . . . . . . . . . . . . . . . . . . . 302
Finding a Share in AD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Managing Folder Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Distributed Link Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Working with the Distributed File System . . . . . . . . . . . . . . . . . . . . . 306
Sharing Printing Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
WS03 Printer Drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Integration with Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . 314
Managing Printer Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Internet Printing Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Establishing a Shared Printer Policy . . . . . . . . . . . . . . . . . . . . . . . . 317
Creating the Print Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Sharing Files and Printers for Non-Windows Clients . . . . . . . . . . . . . . . . . . . . . . 323
Macintosh Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
UNIX Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Preparing Application Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Sharing Applications: Commercial and Corporate . . . . . . . . . . . . . . . . . . 324
Preparing Terminal Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Sharing Applications: Terminal Services . . . . . . . . . . . . . . . . . . . . . . 329
Collaboration Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Additional Network Infrastructure Server Functions . . . . . . . . . . . . . . . . . . . . . . 337
Preparing Remote Installation Services Servers . . . . . . . . . . . . . . . . . . 337

Server System Requirements by Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Designing the Services OU Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Considerations for the Migration of Services to the Parallel Network . . . . . . . . . . . . . . 343
Best Practice Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Chapter Roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Chapter 8 Managing Enterprise Security . . . . . . . . . . . . . . . . . . . . . 348
Security Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Designing a Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
The Castle Defense System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
The Security Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
The Microsoft Security Operations Guide . . . . . . . . . . . . . . . . . . . . . . 356
Windows Server 2003 Security . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Applying the Castle Defense System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Level 1: Critical Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Level 2: Physical Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Level 3: Operating System Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
System Security Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Security Template Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Antivirus Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
General Active Directory Security . . . . . . . . . . . . . . . . . . . . . . . . . 375
File System Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Print System Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
.NET Framework Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380

Internet Information Server 6.0 . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Final Operating System Hardening Activities . . . . . . . . . . . . . . . . . . . . 386
Level 4: Information Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Smart Card Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Securing User Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Managing Trusts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Web Server Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
.NET Framework Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Access Audition and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Level 5: External Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Designing an Internal Public Key Infrastructure . . . . . . . . . . . . . . . . . . 400
Managing the Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Best Practice Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Chapter Roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Chapter 9 Creating a Resilient Infrastructure . . . . . . . . . . . . . . . . . . . 408
Planning for System Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Preparing for Potential Disasters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Using WS03 Clustering Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Network Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Multiple-Node Server Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Server Consolidation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Consolidation Through Server Baselining . . . . . . . . . . . . . . . . . . . . . . 426
Planning for System Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Recovery Planning for the Enterprise Network . . . . . . . . . . . . . . . . . . . 428
Data Protection Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Finalizing Your Resiliency Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Best Practice Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Chapter Roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Chapter 10 Putting the Enterprise Network into Production . . . . . . . . . . . . . 446
Migrating Data, Users, and PCs to the Parallel Network . . . . . . . . . . . . . . . . . . . . 447
Using the Active Directory Migration Tool . . . . . . . . . . . . . . . . . . . . . 450
Transferring Networked User Data . . . . . . . . . . . . . . . . . . . . . . . . . 454
Decommissioning the Legacy Network . . . . . . . . . . . . . . . . . . . . . . . 457
Revising the IT Role Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
New and Revised AD IT Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Designing the Services Administration Plan . . . . . . . . . . . . . . . . . . . . 460
WS03 Administrative Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Final Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Best Practice Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Chapter Roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Preface
Windows Server 2003 is a graphical environment. As such, many of its operations are wizard-
based. We recommend you use the wizard interface even though there may be command-line
equivalents, because a wizard enforces best practices and standard operating procedures
automatically. The wizard always uses the same steps and always provides the ability to
review your actions before they are implemented.
This does not mean that you need to dally on screens that only provide information. Read them
at least once and when you’re familiar with their content, move on to the screens where you need to
perform actions.
We cannot emphasize standard operating procedures enough. An enterprise network simply cannot
be built on ad hoc procedures. This is one of the reasons for this book. It provides best practices and
standard procedures for building an enterprise network with Windows Server 2003. We hope you find
it useful.
Comments can be sent to
Acknowledgments
We would like to thank all of the people who helped make this book a reality, especially
Stephane Asselin of Microsoft Premier Support, our technical reviewer. Thanks for all of
your constructive ideas. We would also like to thank Charles Gratton of Hewlett-Packard Canada for
giving so much of his personal time and dedication to let us test Windows Server 2003 on various
hardware configurations.
Thanks also to Microsoft’s development and marketing team for Windows Server 2003 for all of
their help in finding the right solution when issues arose. Specifically, we’d like to thank Jan Shanahan,
Jill Zoeller, Jenna Miller, Jackson Shaw, Kamal Janardhan, and B.J. Whalen.
Thanks to VMware Corporation for providing us with the software required to create our entire
technical laboratory. Thanks also to all of the other manufacturers that provided us with pre-release
software tools so that we could cover enterprise needs as much as possible. You’ll find yourselves
within the book.
Finally, thanks to McGraw-Hill/Osborne for all their patience and dedication in helping us make
this a better book. Franny, it was fun to be part of your team.
Introduction
Building an enterprise network is no small task. Worse, it seems you have to start over every
time the server operating system changes. This book provides a structured approach that lets
you create a brand new enterprise network that is built on the best features of Microsoft’s new operating
system (OS), Windows Server 2003. This network is built in a parallel environment that does not
affect your current production network. Then, when you’re ready to make the migration, it outlines
how to take security principals, documents, data, and applications and move them from your legacy
network to the new, parallel environment. This way, you can immediately begin to profit from the
best of this powerful OS.
To achieve this goal, the book is divided into ten chapters, each building on the concepts of the
previous chapters to finally cover all of the elements required to build your new network. The core
concept of this book is its focus on enterprise features—only those features that are relevant to an
enterprise environment. Microsoft used a similar approach when they decided to remove such features
as Universal Plug and Play and scanner drivers from the OS because they are not server features and
are not relevant in an enterprise. Similarly, this book discards the features that are not intended for
the enterprise from Windows Server 2003’s more than 400 new features and improvements.
Each chapter includes both discussion points and step-by-step implementations. Each chapter is
chock full of best practices, checklists, and processes. In addition, each chapter ends with a Chapter
Roadmap—a graphical illustration of the elements covered in the chapter, relevant figures, and tools
found on the companion Web site ( The chapters are
divided into the following topics:
• Chapter 1: Planning for Windows Server 2003 gives an overview of the processes you need
to prepare your migration to the new OS. It discusses the various elements you must have on
hand before you proceed.
• Chapter 2: Preparing for Massive Installations of Windows Server 2003 identifies the
four supported installation methods for Windows Server 2003 and helps you choose the most
appropriate massive installation method for your organization.
• Chapter 3: Designing the Active Directory reviews all of the requirements of an Active
Directory and outlines the steps required to build it. It uses different scenarios to help you
understand the most complex concepts of this powerful enterprise network feature.
• Chapter 4: Designing the Enterprise Network IP Infrastructure focuses on TCP/IP, the
core communication protocol of the enterprise network. Then it begins the parallel network
installation.
• Chapter 5: Building the PC Organizational Unit Infrastructure looks at the elements you
need to put in place to manage PCs with Active Directory. It begins the discussion on Group
Policy, a discussion that will not end until Chapter 8.
• Chapter 6: Preparing the User Organizational Unit Infrastructure examines how to
manage user objects through Active Directory. It includes an extensive discussion of the
use of groups within an enterprise network.
• Chapter 7: Designing the Network Services Infrastructure covers the services the network
is to deliver to users. It outlines how these services should be built and identifies how they
should be implemented.
• Chapter 8: Managing Enterprise Security focuses on one element and one element only:
security. It introduces a new system, the Castle Defense System, which can be used to simplify
security policy design and implementation.
• Chapter 9: Creating a Resilient Infrastructure is concentrated on making sure your services
are always available. As such, it covers both redundancy and disaster recovery.
• Chapter 10: Putting the Enterprise Network into Production tells you how to migrate users
from your legacy network to the new, parallel environment you created. In addition, it begins a
discussion of the new and revamped IT roles you will require now that you are running a
network through Active Directory.
Migrating to a new server OS is not a task that should be taken lightly. This is why you should
make sure your project team includes all of the right players. The team should comprise at least two
groups: the first works out the network architecture, and the second prepares the installation
procedures and performs the installation itself. The technical project team should include
architects, system administrators, installers, user representatives, support personnel, developers,
and project managers. Make sure you involve your current administrative and operational staff in
this project. This will help you carry forward the best of the existing network and help them learn
more about the new operating system they will soon be using.