
Document: Module 3: Integrating Windows 2000 Datacenter Server








Contents
Overview
Identifying Domain Roles
Identifying Active Directory Considerations
Identifying Application and Service Requirements
Managing Servers Running Datacenter Server
Identifying Tools for Interoperating with Other Operating Systems
Configuration Check Tool
Demonstration: Configuration Check Tool
Winsock Direct for SANs
Review

Module 3: Integrating Windows 2000 Datacenter Server



Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, BackOffice, FrontPage, Outlook, PowerPoint, Visual Studio,
Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of
Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective
owners.

Program Manager: Don Thompson
Product Manager: Greg Bulette
Instructional Designers: April Andrien, Kelley Umphrey
Subject Matter Experts: Conrad Cahill (Entirenet), Jack Creasey
Classroom Automation: Lorrin Smith-Bates
Graphic Designer: Andrea Heuston (Artitudes Layout & Design)
Editing Manager: Lynette Skinner
Editor: Lori Kane
Copy Editor: Gwen Bloomsburg (S&T Consulting)
Production Manager: Miracle Davis
Build Manager: Julie Challenger

Print Production: Lori Walker (S & T Consulting)
CD Production: Eric Wagoner
Test Manager: Eric R. Myers
Test Lead: Robertson Lee (Volt)
Creative Director: David Mahlmann
Media Program Manager: Scott Daniels
Media Producer: Dean Connolly
Lead Production Artist: Scott Serna
Localization Manager: Rick Terek
Operations Coordinator: John Williams
Manufacturing Support: Laura King; Kathy Hershey
Lead Product Manager, Release Management: Bo Galford
Lead Technology Manager: Sid Benavente
Lead Product Manager: Ken Rosen
Group Manager, Courseware Infrastructure: David Bramble
Group Product Manager, Content Development: Julie Truax
Director, Training & Certification Courseware Development: Dean Murray
General Manager: Robert Stewart



Module 3: Integrating Windows 2000 Datacenter Server iii


Instructor Notes
This module provides students with the knowledge to identify issues and
situations that may occur when integrating a data center and Microsoft®
Windows® 2000 Datacenter Server into a computing environment. For students
to be successful, they must be aware of the special considerations and
requirements that apply to planning, server installation, and hardware
verification.
After completing this module, students will be able to configure and manage
Windows 2000 Datacenter Server, including:
• Identifying planning considerations for making Datacenter Server the
  domain controller.
• Identifying Microsoft Active Directory directory service considerations
  and requirements prior to installation of Datacenter Server.
• Identifying application and service considerations and requirements prior to
  installation of Datacenter Server.
• Identifying management services considerations and requirements prior to
  installation of Datacenter Server.
• Identifying tools for interoperating with other operating systems.
• Running the Windows 2000 Datacenter Server Configuration Check tool.
• Identifying the benefits of Winsock Direct for system area networks
  (SANs).

Materials and Preparation
This section provides the materials and preparation tasks that you need to teach
this module.
Required Materials
To teach this module, you need the following materials:
• Microsoft PowerPoint® file 2089a_03.ppt
• Module 3, “Integrating Windows 2000 Datacenter Server”

Preparation Tasks
To prepare for this module, you should:
• Read all of the materials for this module.
• Complete the demonstration.

Presentation: 60 Minutes


Module Strategy
Use the following strategy to present this module:
• Identifying Domain Roles
  This topic discusses the roles of Datacenter Server as a domain controller or
  a member server. It covers operations masters, multimaster replication of
  directory data on a SAN, large global catalogs, and protecting the forest
  root. In addition, there is a discussion on justifying directory services on
  Datacenter Server and another discussion justifying Datacenter Server as a
  member server.
• Identifying Active Directory Considerations
  Prior to installing Datacenter Server, students need to determine how to
  integrate the data center with their Active Directory directory service
  structures. This topic covers containers, groups, and Group Policy object
  association.
• Identifying Application and Service Requirements
  Prior to installing Datacenter Server, the students need to consider how
  various applications and services will interact with and depend on
  Datacenter Server. This topic covers considerations and requirements for
  line-of-business applications, cluster-aware applications, supported
  Microsoft products, Microsoft SQL Server 2000, and Microsoft
  Exchange 2000 Server.
• Managing Servers Running Datacenter Server
  Prior to installing Datacenter Server, the students need to identify how to
  efficiently manage the servers within a data center environment. This topic
  discusses Terminal Services and Windows Management Instrumentation.
• Identifying Tools for Interoperating with Other Operating Systems
  This topic covers Microsoft Windows Services for UNIX and Microsoft
  Host Integration Server 2000. Interoperability is an important factor when
  placing Datacenter Server in existing data centers.
• Configuration Check Tool
  This topic introduces the Configuration Check tool. The students will learn
  the major functions of the tool and how they can use it to manage a data
  center server.
• Demonstration: Configuration Check Tool
  This is a very simple demo that shows the use of the Configuration Check
  tool. You might want to create additional files to compare against the
  Datacenter Server.
• Winsock Direct for SANs
  This topic is a brief introduction to Winsock Direct for SANs. If the student
  is an administrator in a SAN, they will need to identify this feature of
  Windows 2000 Datacenter Server, because it allows existing applications to
  become transparently SAN-enabled.




Overview
• Identifying Domain Roles
• Identifying Active Directory Considerations
• Identifying Application and Service Requirements
• Managing Servers Running Datacenter Server
• Identifying Tools for Interoperating with Other Operating Systems
• Configuration Check Tool
• Winsock Direct for SANs

*****************************ILLEGAL FOR NON-TRAINER USE*****************************
Before you install Microsoft® Windows® 2000 Datacenter Server, you must
decide whether to configure it as a domain controller or as a member server.
You also need to consider how to design and implement Microsoft
Active Directory, the directory service for Microsoft Windows 2000 Server.
Applications and services that are installed in the data center can have
dependencies or requirements that need to be evaluated if they are configured
for a four-node cluster, critical line-of-business applications, or applications
certified to run on Datacenter Server. As the data center administrator, you can
use several tools or management features in Datacenter Server to
efficiently manage the data center.
This module identifies issues and situations that may occur when you integrate
a data center and Windows 2000 Datacenter Server into your computing
environment. After completing this module, you will be able to configure and
manage Datacenter Server, including:
• Identifying planning considerations for making Datacenter Server the
  domain controller or member server.
• Identifying Active Directory directory service considerations and
  requirements prior to installation of Datacenter Server.
• Identifying application and service considerations and requirements prior to
  installation of Datacenter Server.
• Identifying management services considerations and requirements prior to
  installation of Datacenter Server.
• Identifying tools for interoperating with other operating systems.
• Running the Windows 2000 Datacenter Server Configuration Check tool.
• Identifying the benefits of Winsock Direct for system area networks
  (SANs).
Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about the integration of Windows 2000
Datacenter Server.
Explain the purpose of this module.




Identifying Domain Roles
• Configuring Windows 2000 Datacenter Server as a Domain Controller
• Configuring Windows 2000 Datacenter Server as a Member Server


Windows 2000 Datacenter Server can be either a domain controller or a
member server. Before installing Datacenter Server, you must think about its
role in the data center and identify its role in the domain. Depending on the
applications and services that will be located on Datacenter Server, you may
need to configure Datacenter Server as a domain controller.
An important planning issue is determining where to locate domain controllers
and global catalog servers for your enterprise. This is because after
Active Directory is installed and configured, the majority of Active Directory
traffic is related to Active Directory clients querying Active Directory for
information. Directory replication traffic is usually a less important
consideration, unless the organization is in a state of constant change. Placing a
domain controller at each geographical site optimizes queries but can increase
replication traffic. Nevertheless, placing a domain controller at a site that has
users in that domain is usually the best solution.
It is not recommended that Datacenter Server be installed in a workgroup (not a
member of a domain) because services such as four-node clustering require
domain accounts to function.
Topic Objective: To identify planning considerations and requirements for making
Datacenter Server the domain controller.
Lead-in: Windows 2000 Datacenter Server can be either a domain controller or
a member server.



Configuring Datacenter Server as a Domain Controller
• Install Domain Controller on Datacenter Server to:
  - Protect the forest root
  - Protect operations masters
  - Support large global catalogs
• Datacenter Server as Domain Controller Would Be Justified for:
  - Operations masters and critical services
  - Directory-aware applications
  - Domain accounts for four-node clusters

A server running Windows 2000 Datacenter Server in a domain can have one of
two roles: domain controller or member server. Domain controllers contain
matching copies of the user accounts and other Active Directory data in a given
domain. Multiple domain controllers provide better support for users than just
one domain controller. Multiple domain controllers provide automatic backup
for user accounts and other Active Directory data, and they work together to
support domain controller functions. You would configure Windows 2000
Datacenter Server as a domain controller to:
• Protect the forest root.
• Protect single operation masters.
• Support very large Active Directory schemas.
• Support applications that must be installed on a domain controller.
• Provide high performance with large global catalogs.


Features of Datacenter Server, such as Winsock Direct and Enterprise Memory
Architecture (EMA), are designed to meet the demands of specialized domain
controllers in your computing environment. The increased reliability of
Datacenter Server makes it an ideal system to protect operations masters as well
as the forest root. The expanded EMA support of Datacenter Server can
increase performance in the largest Active Directory implementations. Winsock
Direct provides high bandwidth, low latency communication for super-fast
directory replication within SANs.
Topic Objective: To configure Windows 2000 Datacenter Server as a
domain controller.
Lead-in: Servers running Windows 2000 Datacenter Server in a domain can have
one of two roles: domain controller or member server.


Protecting the Forest Root
The forest root is the domain controller that you promote first. The most
important server in any Active Directory implementation is the forest root. The
forest root is the location of the root domain. It cannot be renamed or removed.
It is the location of the schema master and the domain-naming master. If the
forest root becomes unavailable, your entire Active Directory service structure
ceases to function. If the forest root is permanently unavailable, your forest is
gone and must be rebuilt from scratch. The best place to put the forest root is on
the server in your organization that is the most stable and most reliable.
Datacenter Server is the most appropriate host for the forest root in your
organization.
Protecting Operations Masters
Because Datacenter Server is the most reliable server in the forest, it is the
logical home for the schema and domain-naming masters. In the
Active Directory directory service, there are certain operations that are single
master, which means that they are not permitted to occur in different places in
the network at the same time. These operations, called operations masters, must
be protected and controlled.
Large Global Catalogs
Any Active Directory implementation loads as much of the global catalog into
main memory as possible. This speeds any Active Directory directory service
operations but, depending on available resources, can impede local services on
the domain controller. With up to 64 gigabytes (GB) of memory by using EMA,
Datacenter Server supports fast and large Active Directory structures. Locating
directory services is a decision you may need to make. There are some
considerations that will help you make the best choice for your organization’s
needs.
If the domain tree is large, you should not place a global catalog server at each
site because this can create a large amount of replication traffic. You should place
global catalog servers only at large regional sites. Remember that replication of
modifications made to your Active Directory might take some time to
propagate throughout your enterprise. For example, if you create a new user
account object, it might be a few minutes before the user can actually log on to
the network using the account.
Justification to Locate Directory Services on
Datacenter Server
In some cases it is best to have directory services hosted on your
Datacenter Server. It is recommended that you put directory services on
Datacenter Server computers if you must:
• Protect operations masters or other critical services.
• Provide directory services to a directory-aware application.
• Support a server cluster or a number of server clusters.


A Windows-based environment needs a domain controller to service
server clusters. A Windows Clustering server cluster requires access to a
domain controller or it fails. So, if you have clustered critical services on
Datacenter Server, you must have a domain controller accessible by the cluster
to protect cluster services. If the cluster service account cannot authenticate to a
domain controller, the service fails and the server cluster fails with it.


Configuring Datacenter Server as a Member Server
• Make Datacenter Server a Member Server When:
  - You need the highest performance
  - You have reliable directory services local to your data center

A member server is a computer that is running Windows 2000
Datacenter Server and is a member of a domain and not a domain controller.
Member servers belong to a domain but do not contain a copy of the
Active Directory data. Because it is not a domain controller, a member server
does not handle the account logon process, does not participate in
Active Directory replication, and does not store domain security policy
information.
If you are seeking the highest performance from the Datacenter Server
platform, do not host Active Directory services on a member server. If you have
reliable directory services local to your data center, those services may prove
sufficient to your needs.
Topic Objective: To configure Windows 2000 Datacenter Server as a
member server.
Lead-in: A member server is a computer that is running Windows 2000
Datacenter Server and is a member server of a domain and not a domain controller.




Identifying Active Directory Considerations
• Planning DNS Services in the Data Center
• Active Directory Directory Service Containers
• Securing Access to Datacenter Server by Using Groups
• Group Policy Object Association

Typical multi-application configurations running on Windows 2000
Datacenter Server can include directory-aware applications. Directory-aware
applications can extend the Active Directory schema to include information
critical to the operation of the applications. For example, Active Directory is the
directory service used for Microsoft Exchange 2000 Server and is therefore
critical to the operation of Exchange within an enterprise.
Windows 2000 Active Directory directory service is integrated with and
dependent on the Domain Name System (DNS) as a means of locating services.
DNS is critical to the functioning of Active Directory. When designing a data
center that uses servers running Windows 2000 Datacenter Server, you must
consider the design and implementation of Active Directory to maximize the
performance of the data center. Design decisions on the configuration of DNS,
domain controllers, forest root, and global catalog are critical to provide the
required level of reliability and redundancy for the applications being hosted.
Topic Objective: To describe the considerations for integrating Active Directory
within a Datacenter Server environment.
Lead-in: Typical multi-application configurations on Windows 2000
Datacenter Server can include directory-aware applications.


Planning DNS Services in the Data Center
[Slide diagram labels: Datacenter.microsoft.com, Datacenter]
• DNS Roles:
  - Primary
  - Secondary
  - Integrated
  - Caching only
• Active Directory Integration improves:
  - Redundancy
  - reduces zone transfers

Active Directory uses DNS as its name location service, so the availability of
DNS within the data center can impact both performance and reliability of
services and applications. Active Directory uses DNS to resolve domain names
into Internet Protocol (IP) addresses, and it can also use non-DNS naming
conventions to locate objects in the directory. These other naming conventions
include:
• The Lightweight Directory Access Protocol (LDAP) naming convention of
  distinguished names and relative distinguished names. This includes LDAP
  Uniform Resource Locators (URLs).
• User principal names for identifying users and groups.
• Security Accounts Manager (SAM) account names for user accounts.
• Universal Naming Convention (UNC) paths for shared network resources.

If the server in the data center is a domain controller, DNS is running locally
and is integrated with Active Directory, but running additional services can
limit performance on the data center server. If the data center server is a
member server, name resolution can be impacted by network speed and
availability. You should ensure that high-speed communication is provided
between the data center servers and the DNS name server.
A name server can function in one of four roles in the DNS:
• Caching-only name server, which does not contain any zone information
• Master name server, which can provide zone information to secondary name
  servers
• Primary name server, which contains the master copy of the zone file for the
  zones it has authority over
• Secondary name server, which obtains its zone files using a zone transfer
  from a master name server

Topic Objective: To describe how Active Directory uses DNS in a data center.
Lead-in: Active Directory uses DNS as its name location service, so the
availability of DNS within the data center can impact both performance
and reliability of services and applications.


When using Berkeley Internet Name Domain (BIND) based name servers, you
must ensure that redundant primary name servers exist to improve the DNS
reliability. Where DNS traffic within the data center is high, you can implement
multiple caching-only servers to distribute the DNS query load without
incurring zone transfer traffic.
Windows 2000 gives you the option of integrating DNS with Active Directory.
This results in zone data being stored in Active Directory and eliminates the
need to manually configure zone transfers between primary and secondary DNS
servers. This integration provides:
• A more efficient mechanism for zone transfers through the domain
  replication process of Active Directory.
• Additional fault tolerance for the DNS information because all
  Active Directory integrated zones are primary zones and therefore contain a
  copy of the zone data.

Consider integrating your DNS zone information into Active Directory because
this stores the DNS zone information in the distributed Active Directory. This
facilitates and simplifies updates of zone information through replication
between domain controllers and improves the reliability of the DNS service.
Creating a data center domain with multiple domain controllers can improve the
performance of Active Directory queries and the DNS queries while providing
service redundancy.


Active Directory Directory Service Containers
[Slide diagram: Site 1 through Site 4, Domain and OU containers, with Datacenter Server shown in a site, in a domain, and in an organizational unit.]

Windows 2000 Active Directory provides both administrative and user level
access control for information in Active Directory. The Active Directory
structure or hierarchy permits control to be applied at the following levels:
• Forest
• Domain
• Organizational unit
• Site

Forest
An Active Directory forest is a set of one or more domain trees that are
connected by transitive trusts and that share a common schema, configuration,
and global catalog. Each domain tree in the forest defines a non-contiguous
namespace from the forest root. A forest enables a single enterprise to support
multiple namespaces (entities) but still enables the namespaces to be part of the
same Active Directory.
If your enterprise depends on applications such as Exchange 2000, a single
forest is recommended, in which transitive trusts simplify the authentication
requirements. Although a single forest simplifies the Active Directory design
for an enterprise, there can be a requirement to have a unique schema for
computers in a data center. If your data center design includes the requirement
for a unique schema, multiple forests are required, and trusts must be
established to allow authentication for resource access.
The first domain built defines the starting point for the forest and takes on the
special designation as the forest root. The forest root domain is significant in
that you cannot rename or remove the forest root domain after you create it.
Because of the special nature of the forest root, this domain must be protected
and replicated to ensure the domain's availability and recoverability. It is
recommended that the forest root be installed on Datacenter Server to ensure
the highest possible reliability.
Topic Objective: To describe how to plan the DNS services in a data center.
Lead-in: Windows 2000 Active Directory provides both administrative and user
level access control for information in Active Directory.


Domain
A domain is a container within Active Directory that partitions replication,
partitions the DNS namespace, provides secure boundaries, and provides Group
Policy scopes. Multiple domains can be combined into a domain tree, and
multiple domain trees can be combined within a single forest. Domains
represent logical partitions within Active Directory for both security and
directory replication. Administrative rights are limited to domain boundaries.
By placing the data center servers in their own domain, you can effectively
separate the control of rights and permissions, but there is overhead associated
with replication traffic in enterprise domains. You may also need to control the
scope of replication because of geographical concerns, such as when your data
center is in a remote location. In this type of scenario, a separate domain may be
required to provide adequate control of replication traffic.
Organizational Unit
An organizational unit is a container within the Active Directory directory
service that provides partitions for administration and receptacles for policy.
Organizational units enable the most granular delegation of administrative
tasks. Users, computers, and other Active Directory objects can be collected
within an organizational unit, when the administration of that organizational
unit is delegated to the proper administrator.
In the data center, it is very important that only certain people have
administrative authority. One of the ways you can ensure that administrative
authority is delegated to the proper people is by organizing the computers,
users, and other important data center objects within a single organizational
unit.
Group Policy can be applied at the organizational unit level, and it is
recommended that all data center servers be placed in a single organizational
unit with a single Group Policy object providing security definitions for the data
center computers.
Site
A site is one or more well-connected TCP/IP subnets. Sites contain only server
objects and configuration objects. They define replication topology for domain
controllers and can control the association of Group Policy. Because a site is
simply a logical collection of objects that exist in physical locations, it can span
domains and organizational units.
Replication between domain controllers in different sites is performed on a
schedule so network bandwidth during peak hours can be conserved and
managed. In the data center, there may be multiple networks providing good
connectivity that can be defined by a site. Within a site, updates trigger
replication between domain controllers, which reduces latency, and replication
between domain controllers is not compressed, reducing the CPU load for
replication traffic.
If the data center servers use SAN-based Winsock Direct to provide intrasite
communication, performance can be improved over what is available with
Ethernet-based networks.


Securing Access to Datacenter Server by Using Groups
• Domain Local Groups
• Global Groups
• Universal Groups

To achieve efficient and secure management of your data center, you need to
understand the three types of security groups in the Active Directory directory
service. The three types of groups include:
• Domain local groups. May contain users from any domain but can be used
  only in the domain in which they are created. Therefore, domain local
  groups are well suited to limiting the scope of their usage while allowing
  membership from any domain.
• Global groups. Contain users from only the local domain but may be used
  anywhere. Use global groups if the membership of a group is intended to be
  limited to a single domain but access to global resources is required.
• Universal groups. May contain users from any domain and are used to
  assign access rights to resources.

In the data center, the most common group used for administration is the global
group so that a traditional administrative structure can be maintained in which
higher-level administrators have access to lower domains. This can be
problematic if you try to restrict users with administrative access to the data
center. With careful planning and management, you can partition the groups so
that the data center remains secure. In situations where the data center is in its
own domain, domain local groups provide an ideal way to add necessary users
while restricting their authority to the data center.
You should always delegate administrative control at the level of organizational
units, not at the level of individual objects. This allows you to better manage
access to Active Directory because organizational units are used to organize
objects in the domain tree. For example, you can delegate authority to those
who are responsible for creating users, groups, computers, and other objects
that commonly change in an enterprise.
You should always assign permissions to groups instead of to individual users.
Groups can be nested within one another and, together with inheritance of
permissions, they organize the administration of Active Directory.
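
The following is an added example, not part of the original courseware: it audits a constructed delegation plan against the two scope rules stated above (global groups hold members only from their own domain; domain local groups can be used only in the domain where they were created) and lists which accounts gain access to a data center resource through each granted group. The domains CORP and DC, all group and user names, and the function names are assumptions; nesting restrictions beyond those two rules are not checked.

```python
from dataclasses import dataclass, field

DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "domain local", "global", "universal"


@dataclass
class Group:
    name: str
    domain: str   # domain in which the group was created
    scope: str
    members: list = field(default_factory=list)  # "DOMAIN\\user" strings or Group objects


def walk(group, seen=None):
    """Yield the group and every group nested inside it, once each."""
    seen = set() if seen is None else seen
    if id(group) in seen:
        return
    seen.add(id(group))
    yield group
    for member in group.members:
        if isinstance(member, Group):
            yield from walk(member, seen)


def audit_acl(resource_domain, acl):
    """Check the groups granted rights on a resource in `resource_domain`.

    Returns (findings, access), where access maps each user account to the
    sorted list of granted groups through which it reaches the resource.
    """
    findings, access = [], {}
    for entry in acl:
        if entry.scope == DOMAIN_LOCAL and entry.domain != resource_domain:
            findings.append(
                f"{entry.domain}\\{entry.name}: domain local group used outside its domain")
            continue  # the grant is invalid, so it confers no access
        for group in walk(entry):
            for member in group.members:
                if isinstance(member, Group):
                    continue  # nested groups are expanded by walk()
                user_domain = member.split("\\", 1)[0]
                if group.scope == GLOBAL and user_domain != group.domain:
                    findings.append(
                        f"{group.domain}\\{group.name}: global group has member "
                        f"{member} from another domain")
                    continue
                access.setdefault(member, set()).add(entry.name)
    return findings, {user: sorted(groups) for user, groups in sorted(access.items())}


def constructed_plan():
    """Constructed sample: parent domain CORP, data center domain DC."""
    infra = Group("Infra Admins", "CORP", GLOBAL,
                  ["CORP\\alice", "CORP\\bob", "CORP\\carol"])
    leads = Group("Datacenter Leads", "CORP", UNIVERSAL,
                  ["CORP\\alice", "DC\\heidi"])
    dc_admins = Group("Datacenter Admins", "DC", DOMAIN_LOCAL,
                      ["DC\\dave", leads])
    helpdesk = Group("Local Helpdesk", "CORP", DOMAIN_LOCAL, ["CORP\\frank"])
    ops = Group("Ops", "DC", GLOBAL, ["DC\\gina", "CORP\\erin"])
    return infra, dc_admins, helpdesk, ops


if __name__ == "__main__":
    infra, dc_admins, helpdesk, ops = constructed_plan()
    plans = {
        "global group from the parent domain": [infra, dc_admins],
        "domain local group only": [dc_admins],
        "plan that breaks the scope rules": [helpdesk, ops],
    }
    for label, acl in plans.items():
        findings, access = audit_acl("DC", acl)
        print(label)
        for user, via in access.items():
            print(f"  {user} via {', '.join(via)}")
        for finding in findings:
            print(f"  FINDING: {finding}")
```

Granting the parent domain's global group brings every one of its members into the data center, while the domain local group admits only the accounts placed in it or in the group nested inside it.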
Topic Objective: To describe the types of groups in Active Directory.
Lead-in: To achieve efficient and secure management of your data center, you
need to understand the three types of security groups in the
Active Directory directory service.


Group Policy Object Association
[Slide diagram, two panels. Blocking Group Policy Objects: Group Policy Object on the Domain with No Override = FALSE, Organizational Unit with Block Inheritance = TRUE, result: No Group Policy Associated. Forced Group Policy Object Inheritance: Group Policy Object on the Domain with No Override = TRUE, Organizational Unit with Block Inheritance = TRUE, result: Group Policy Associated.]


Group policies are applied to users when they log on and to computers when
they boot up. Group policies can be assigned to domains, sites, or
organizational units. If multiple policies apply to a user or computer and they
do not conflict, they are applied in a cumulative fashion. Users are subject to
group policies that apply to them as users and to group policies that apply to the
computer at which they log on.
Group Policy gives administrators granular ability to manage and control users,
computers, and other directory objects at the container level. Specifically,
within the data center, Group Policy provides administrators with the ability to
control security settings at the level of sites, domains, and organizational units.
Depending on your Active Directory structure within the data center, you need
to associate Group Policy with different containers in the directory and, if
required, block inheritance to stop permissions flowing.
Group policies are typically used to simultaneously configure the desktop
working environments of a group of users or computers, but they have many
other uses as well. Group policies can be used to:
• Assign scripts for startup, shutdown, logon, and logoff events.
• Manage applications, for example, by configuring policies to allow users to
install applications published in Active Directory or to automatically install
or upgrade applications on their computers.
• Manage security, for example, to control users' access to files and folders,
control user logon rights, and configure account lockout restrictions.
• Manage software, for example, to configure user profiles such as desktop
settings, Start menu, and other common settings.
• Redirect folders from the Documents and Settings folder on a user's local
computer to a share on the network.

Topic Objective: To describe the effects of Group Policy objects on a
Datacenter Server installation.
Lead-in: Group policies are applied to users when they log on and to computers
when they boot up.


Group Policy Object
A Group Policy object is a collection of settings that affect a given user or
computer regardless of physical location. Because only the logical location of
the user or computer is important, it is extremely important to be aware of your
directory structure. Group Policy is defined by three different behaviors that
help you understand its effects on the data center environment:
• Accumulation is the description of Group Policy effects. These effects
associate, in sequential order, to all containers in which the Group Policy
effects exist.
• Filtering is the process of allowing or denying Group Policy to associate
depending on the membership of a user or a computer in a group.
• Inheritance is the process by which a Group Policy object associated with a
container also associates with children of that container.

If you understand these behaviors, you can predict what Group Policy objects
associate with the containers that define the logical location of the data center.
Best Practices
You must ensure that the data center containers are located in such a way that
detrimental Group Policy objects do not associate with them. To accomplish the
kind of Group Policy isolation necessary to ensure that detrimental Group
Policy objects are kept out of the data center, use filtering to set an initial
barrier to Group Policy object association.
By default, all Group Policy objects are inherited from parent to child
containers. On a per-container basis, you can block policy inheritance on
containers connected with the data center. However, you must make sure that
there is a responsible process governing Group Policy association, because
Block Policy inheritance can be overridden if No Override is enabled on Group
Policy objects.
The inheritance of a Group Policy object never extends beyond the domain in
which it was created, so inheritance is influenced only by either forcing
containers to accept and associate a policy or by blocking policy inheritance at
the container level.
If you use a site to define the data center, you must remember that sites act like
parents of domains for the purpose of policy. This means that any Group Policy
object that you define within the site may affect only a portion of a domain or
organizational unit. For a site that spans multiple domains, the site’s actual
Group Policy object is only stored in one of the domains.
You must also think about the effects of group policy accumulation when
planning for the data center. Group Policy associated with a container is
processed in a specific order, both within the hosting container, as well as
within those containers to which it is inherited. Accumulation can take the form
of true accumulation or aggregation. In other words, some policy actions might
be duplicated, whereas others may legitimately occur more than once.
Because Group Policy acts as an editor for Active Directory, caution must be
used at all times when creating Group Policy objects so that irrevocable
problems and detrimental results do not occur.
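The following model is an added example, not part of the original course material: it resolves which Group Policy objects reach a data center organizational unit when filtering, Block Policy inheritance and No Override interact as described above. The container names, GPO names and the `DC-Operators` group are hypothetical, and filtering is simplified to "an empty group set means no filter".

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Gpo:
    name: str
    # Filtering: groups allowed to apply this GPO (empty set = no filter).
    apply_groups: frozenset = frozenset()

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # (Gpo, no_override) pairs
    block_inheritance: bool = False

def effective_gpos(chain, member_of):
    """Return GPO names in the order applied (the last one wins conflicts).

    chain runs parent to child: site, domain, then organizational units.
    """
    normal, forced = [], []
    for container in chain:
        if container.block_inheritance:
            # Blocking drops what was inherited so far, except
            # links that carry No Override.
            normal = []
        for gpo, no_override in container.links:
            if gpo.apply_groups and not (gpo.apply_groups & member_of):
                continue  # filtered out by group membership
            (forced if no_override else normal).append(gpo.name)
    # No Override links apply last; the highest container wins.
    return normal + forced[::-1]

def sample_chain(block_at_ou):
    """Constructed directory layout; every name here is hypothetical."""
    site = Container("DC-Site", [(Gpo("Site Proxy"), False)])
    domain = Container("corp.example", [
        (Gpo("Desktop Lockdown"), False),
        (Gpo("Corp Baseline"), True),          # No Override = TRUE
    ])
    ou = Container("Datacenter", [
        (Gpo("Datacenter Hardening"), False),
        (Gpo("Operator Audit", frozenset({"DC-Operators"})), False),
    ], block_inheritance=block_at_ou)
    return [site, domain, ou]

if __name__ == "__main__":
    operator = frozenset({"DC-Operators"})
    print(effective_gpos(sample_chain(True), operator))
    print(effective_gpos(sample_chain(True), frozenset()))
    print(effective_gpos(sample_chain(False), operator))
```

With blocking enabled on the data center unit, the site and domain GPOs without No Override are kept out, while the domain GPO linked with No Override still arrives and is applied last.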
Identifying Application and Service Requirements
• Applications on a Four-Node Cluster
• Line-of-Business Applications
• Microsoft Supported Products
• Exchange 2000 Server
• SQL Server 2000

Critical enterprise applications and services can depend on complex interactions
between a number of individual services and applications. It is important to
consider the dependencies of applications and services installed on
Datacenter Server, such as line-of-business applications, cluster-aware
applications, and supported Microsoft products, such as Microsoft
SQL Server 2000 and Exchange 2000 Server.
Topic Objective: To identify application and service considerations prior to
installing Datacenter Server.
Lead-in: Critical enterprise applications and services can depend on complex
interactions between a number of individual services and applications.


Applications on a Four-Node Cluster
• A cluster-aware application can:
  • Run on a cluster node
  • Be managed as a cluster resource
  • React to cluster events
• To configure an application for failover by using the generic cluster
resource:
  • Application must use an IP-based protocol
  • Application must be able to specify where the application data is stored
  • Client applications that connect to the server application must retry
  and recover from temporary network failures

When applications are configured to run on a two-node cluster, hardware
resources must be sized considering only active/passive and active/active
configurations. When installing applications on a four-node cluster you can
consider configurations up to active/active/active/passive for the participating
nodes. The ability to configure active/active/active/passive permits significant
improvement in hardware efficiency, because only one node out of four needs
to be a passive resource.
To take full advantage of the services provided by the cluster service,
applications must be cluster-aware and use the cluster application programming
interface (API). A cluster-aware application can run on a cluster node, can be
managed as a cluster resource, and can react to cluster events.
Any application that fits certain basic requirements can be configured to use
server clustering failover mechanisms even though the application is not
cluster-aware. These requirements include:
• The application must use an IP-based protocol.
• The application must be able to specify where the application data is stored.
• Client applications that connect to the server application must retry and
recover from temporary network failures.

Applications that fulfill these three requirements but are not cluster-aware may
still be configured to fail over by using the Generic Service resource or the
Generic Application resource. You can define the services and dependent
services that can be made to fail over in case of a node failure.
Topic Objective: To discuss cluster-aware applications.
Lead-in: When applications are configured to run on a two-node cluster,
hardware resources must be sized considering only active/passive and
active/active configurations.


Line-of-Business Applications
1. Identify mission-critical applications that you would move to the data center.
2. Verify application requirements for kernel mode drivers, memory
requirements, CPU requirements, and cluster support.
3. Obtain approval from management to move the application to the data center.
4. Test applications offline, including dependencies.
5. Document the application for ongoing maintenance.
6. Install applications and any necessary dependent drivers and services in
your data center.

Line-of-business applications are the broadest category of applications. They
cover messaging, human resources, databases, and many other types of
applications. All these kinds of applications are critical to businesses, so you
must make a thorough examination of the specific situation before you decide
what must be included on the Datacenter Server platform.
The following procedure helps you to decide which applications must be on the
Datacenter Server platform:
1. Identify mission-critical applications you would move to the data center.
2. Verify application requirements for kernel mode drivers, memory
requirements, CPU requirements, and four-node clusters.
3. Obtain approval from management to move the application to the data
center.
4. Test the application offline, including any dependencies.
5. Document the application for ongoing maintenance.
6. Install the applications and any necessary dependent drivers and services in
your data center.

Some applications are dependent on access to Active Directory directory
service. Directory-aware applications can have improved performance when
installed on a data center server that is a domain controller, because network
data transfer is not required when accessing Active Directory. When directory
services must be accessed over the network, performance can be limited by the
network access method. For example, Winsock Direct allows faster
communications within a data center.
Topic Objective: To identify line-of-business application considerations prior
to installing Datacenter Server.
Lead-in: Line-of-business applications are the broadest category of
applications.


Microsoft Supported Products

Microsoft product or service       Server cluster nodes supported   Processors supported   Memory supported (GB)
SQL Server 2000                    4                                32                     64
SQL Server 7.0 SP2                 2                                8                      4
Exchange Server 5.5 SP3            2                                8                      4
Exchange 2000 SP1                  4                                32                     64
Internet Information Service 5.0   4                                32                     64
SNA Server 4.0 SP3                 Cluster-unaware                  8                      4
Host Integration Server 2000       Cluster-unaware                  8                      4
Windows Services for UNIX 2.0      No cluster support               32                     64

Applications must be certified to run on Windows 2000 Datacenter Server. The
certification program ensures that kernel mode drivers, application installation,
and resource management are designed correctly for the data center. The first
product to be certified for Windows 2000 Datacenter Server is SQL Server
2000. Microsoft is working to certify the following Microsoft products on
Datacenter Server:
• Application Center 2000
• Commerce Server 4.0
• Office 2000, including Outlook®
• Site Server 3.0 Commerce Edition
• Systems Management Server 2.0

Microsoft will provide support for the following Microsoft applications and
services on Windows 2000 Datacenter Server:
• SQL Server version 7.0 with Service Pack 2.
• Exchange Server 5.5 with Service Pack 3. The post-Service Pack 3 supported
fix in Q247255 XADM is recommended.
• Exchange 2000 Server with Service Pack 1.
• Internet Information Services 5.0.
• SNA Server 4.0 with Service Pack 3. This does not take advantage of cluster
events. The services provided by SNA Server do not require more than eight
processors.
• Host Integration Server 2000. This does not take advantage of cluster
events. The services provided by Host Integration Server do not require
more than eight processors.
• Windows Services for UNIX 2.0.

Topic Objective: To identify Microsoft supported product considerations prior
to installing Datacenter Server.
Lead-in: Applications must be certified to run Windows 2000 Datacenter Server.



Exchange 2000 Server
• Supports Exchange 2000 Server with Service Pack 1
• Requires access to an Active Directory directory service domain controller
• Requires SMTP and NNTP

Windows 2000 Datacenter Server supports Microsoft Exchange 2000 Server
with the release of Exchange 2000 Server Service Pack 1.
Exchange 2000 Server is an Active Directory-aware messaging application. It
combines the Active Directory services with Exchange messaging services so
you have a single point of management. However, Exchange 2000 Server
requires access to an Active Directory domain controller. This domain
controller can be located either on Datacenter Server running Exchange or local
to the Exchange server.
Exchange 2000 Server requires services external to the Exchange product.
Specifically, Exchange 2000 Server requires both Simple Mail Transfer
Protocol (SMTP) and Network News Transfer Protocol (NNTP) services.
If you cluster Exchange 2000 Server on Datacenter Server, you must be aware
of the following specific issues:
• Exchange 2000 Server supports only four databases per server. In a failover
situation, especially with a four-node cluster, you can have too many
databases fail over to the same node.
• Datacenter Server supports only 22 drive letters. You are limited in the
number of Exchange databases you can host because each database should
be located on its own logical drive.
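The check below is an added planning example, not part of the original course material: it tests a cluster layout against the two limits just listed by simulating node failures and counting the databases each surviving node would host. The node names, database names and the failover preference lists are constructed assumptions; the limits are the figures stated on this page.

```python
from itertools import combinations

MAX_DB_PER_SERVER = 4    # per-server database limit as stated on this page
MAX_DRIVE_LETTERS = 22   # drive-letter limit as stated on this page

def check_failover_plan(placement, failover_order, max_failed=1):
    """Return a list of problems; an empty list means the plan fits.

    placement: node -> databases it hosts while every node is up.
    failover_order: node -> takeover nodes in order of preference
    (both structures are assumptions of this example).
    """
    problems = []
    total = sum(len(dbs) for dbs in placement.values())
    # Assumption: one logical drive per database, visible cluster-wide.
    if total > MAX_DRIVE_LETTERS:
        problems.append(f"{total} databases exceed {MAX_DRIVE_LETTERS} drive letters")
    nodes = sorted(placement)
    for k in range(max_failed + 1):
        for failed in combinations(nodes, k):
            load = {n: len(placement[n]) for n in nodes if n not in failed}
            for dead in failed:
                target = next((n for n in failover_order[dead] if n not in failed), None)
                if target is None:
                    if placement[dead]:
                        problems.append(f"{dead} has no surviving failover target")
                    continue
                load[target] += len(placement[dead])
            for node, count in sorted(load.items()):
                if count > MAX_DB_PER_SERVER:
                    label = "+".join(failed) or "no failure"
                    problems.append(f"{label}: {node} would host {count} databases")
    return problems

# Constructed sample: active/active/active/passive, three databases per active node.
PLACEMENT = {
    "N1": ["db1", "db2", "db3"],
    "N2": ["db4", "db5", "db6"],
    "N3": ["db7", "db8", "db9"],
    "N4": [],
}
FAILOVER_ORDER = {
    "N1": ["N4", "N2", "N3"],
    "N2": ["N4", "N3", "N1"],
    "N3": ["N4", "N1", "N2"],
    "N4": ["N1", "N2", "N3"],
}

if __name__ == "__main__":
    for failures in (1, 2):
        found = check_failover_plan(PLACEMENT, FAILOVER_ORDER, max_failed=failures)
        print(failures, "failed node(s):", found or "plan fits")
```

The sample layout survives any single node failure, but every two-node failure leaves one node hosting six databases, which is the overload the first bullet warns about.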


Topic Objective: To identify Exchange 2000 Server considerations prior to
installing Datacenter Server.
Lead-in: Windows 2000 Datacenter Server supports Microsoft Exchange 2000
Server with the release of Exchange 2000 Server Service Pack 1.


SQL Server 2000
• Supports the AWE API for addressing 64 GB of main memory
• Supports four-node clustering
• Supports 32-way SMP
• For maximum performance, run on dedicated server clusters

SQL Server 2000 was built to achieve maximum performance on
Windows 2000 Datacenter Server. SQL Server 2000 uses all of the enhanced
capabilities of Datacenter Server to ensure the highest possible performance.
For example, SQL Server 2000 supports the Address Windowing Extensions
(AWE) API with full support for 64 GB of main memory. It supports four-node
active clustering and 32-way symmetric multiprocessing (SMP) for maximum
performance.
To achieve the highest and most efficient performance, SQL Server 2000
should run on dedicated, clustered servers. By running a partitioned SQL
database across all four nodes of a Datacenter Server cluster, you can achieve
greater performance levels than those previously known on the Windows
platform.
Topic Objective: To identify SQL Server 2000 considerations prior to
installing Datacenter Server.
Lead-in: SQL Server 2000 was built to achieve maximum performance on
Windows 2000 Datacenter Server.


Managing Servers Running Datacenter Server
[Slide diagram: a Datacenter Server managed through Terminal Services,
Windows Management Instrumentation (WMI), and Process Control. The WMI portion
shows a management application (WMI consumer), the CIM Object Manager (CIMOM,
WinMgmt), the CIM repository, and providers.]

Efficient management of the servers within a data center environment is
important for continued operation and availability. Datacenter Server provides
the following management features:
• Terminal Services in remote administration mode
• Enterprise tools using Windows Management Instrumentation
• Process Control tool for managing multiple processes and process groups on
a single server

Terminal Services
Terminal Services remote administration gives system administrators a
powerful method of remotely administering Datacenter Server from any client
device over a local area network (LAN), wide area network (WAN), or dial-up
connection. Terminal Services is a multisession environment that provides
remote access to Windows 2000 Datacenter Server. Windows 2000 Terminal
Services client software supports 16-bit and 32-bit Windows-based clients.
Enabling remote administration mode leaves server performance and
application compatibility unaffected and allows up to two concurrent remote
sessions. Terminal Services supports all snap-ins for Microsoft Management
Console (MMC).
Windows Management Instrumentation
In complex enterprise configurations, the development of management tools
can provide more flexible administration of computer systems. For
organizations that are willing to develop tools to support their management
requirements, Microsoft provides Windows Management Instrumentation,
which provides information on any services and applications with a Windows
Management Instrumentation provider. Management applications can then use
this information to create solutions that reduce the maintenance and life cycle
costs of managing an enterprise network and applications.
Topic Objective: To describe the management tools used to manage servers in
the data center environment.
Lead-in: Efficient management of the servers within a data center environment
is important for continuing operation and availability.
