DOCUMENT INFORMATION
Basic information: Format; Pages: 60; Size: 8.81 MB
Content
274 Chapter 7 • Sizing the Infrastructure for Windows 2000
www.syngress.com 71_BCNW2K_07 9/10/00 1:18 PM Page 274

Figure 7.10 Performance monitor for replication traffic.
Figure 7.11 Replication monitor.
Figure 7.12 Network monitor.

The problem with using the Network monitor lies in the fact that it captures every packet, and does not filter at the capture level according to the packet type. What you can do, however, is to set a port for RPC traffic by configuring the registry key at HKLM\System\CurrentControlSet\Services\NTDS\Parameters\TCP/IP Port. Once the port for this is set, you can start the Network monitor. Next you will need to force replication by opening the Active Directory Sites and Services console, then right-clicking on the NTDS Settings objects below each domain controller object and selecting “Replicate Now.” Once replication has completed, you can review the captured packets for those with the port number you configured. Those will represent the RPC traffic. If you have configured a site link to use SMTP traffic, you should also look for packets using port 25.

Server Placement

Which servers do you place into which sites? Do they have to be domain controllers? Do they have to be Global Catalog servers? Which sites need DNS servers or DHCP servers? Where do you put a RAS server for dial up? Where do you put a RAS server for VPN? What about a branch office with 30 users—do they need a domain controller or just a file and print server? Now server placement seems to be a dilemma—but it is one that is easily solved. First, there definitely will be an impact on your network traffic when you place servers in various sites. The availability of the Active Directory is directly affected by the placement of various types of servers as well.
Domain Controllers

When you start this exercise, you should already have a site topology plan for your network. This will be your starting point for determining the placement of domain controllers. In addition to the site topology plan, you should have your domain/DNS plan, and an understanding of the physical location of the end-users who will exist in each domain. This will allow you to determine which domains span which sites, and vice versa, as shown in Figure 7.13.

Figure 7.13 Domains and sites spanning each other. (The figure shows s4.root.com, s1.tree.com, s2.sub.tree.com and s3.tree.com placed across Site 1 and Site 2. Tree.com spans both Site 1 and Site 2. Site 1 spans tree.com and root.com. Site 2 spans tree.com and sub.tree.com.)

It is highly recommended that, for each domain existing within a site, you also place a domain controller for that domain. There are some exceptions to this recommendation—if you have a set of 10 users in a site for DOMAIN.COM, and you have 287 users in that same site belonging to ROOT.COM, then you will not need a DC for DOMAIN.COM in that site. However, if you have 100 users for DOMAIN.COM and 287 users for ROOT.COM, then you will probably want to include a DC from both domains.

Imagine if you have a large campus network with five domains in a single site. You would want to put five different DCs in that single site simply to support authentication traffic. As you can see, the more domains that exist in a site, the more separate servers you will need. And this is not counting whether you need separate Global Catalog, DNS, DHCP, or other servers running in those sites yet. Once you’ve decided which sites will receive at least one domain controller from the domains in your plan, you need to determine how many domain controllers total you will want for that domain.
This decision will be based partially on the number of sites that you deem require a domain controller, and partially on the size and power of the server hardware that will support the domain controllers. A single-processor Pentium PC with a 4GB hard drive will not support even a fifth as many users as a four-processor Pentium III server-class machine with a 40GB RAID array. But you don’t want to max out your server to start with either; you need to plan to leave room for growth. You will want to take into account whether your domain controller will provide other services such as DNS, DHCP, or file and print services, because these services will reduce the capacity of the domain controller to support the Active Directory services. So, there is no magic formula regarding the number of users a domain controller will support. But there is a way of figuring out how many your domain controller will support. The first thing to do is to look at some statistics such as those in Table 7.2, and estimate what size servers you will need for today and for the future. Note that these are averages, and that there may be some differences in the size of your Active Directory objects and replication traffic based on the number of attributes you fill out in each object, whether you include custom attributes, and whether these attributes are copied to the Global Catalog.
Table 7.2 Sizing Statistics

Component | Definition | Size
Security principal | User, Group, any object that can be granted rights to other objects | 3600 bytes
Nonsecurity principal | Organizational Unit, Organization, any object that is not granted rights to other objects | 1100 bytes
Attributes | Additional attributes added to support services on the network, such as DNS | 100 bytes per attribute
Intrasite replication of a single user | The average amount of replication traffic generated within a site when creating a new user account | 13,000 bytes
Intrasite replication of a single attribute change | The average amount of replication traffic generated within a site when changing a single attribute on an AD object | 4500 bytes
Intersite replication of a single user | The average amount of replication traffic generated between sites when creating a new user account | 11,000 bytes
Intersite replication of a single attribute | The average amount of replication traffic generated between sites when changing a single attribute | 4000 bytes

When you determine the size of your Active Directory storage needs, usually you can be assured that any standard hard drive will be able to house even the largest domain partitions. Use the following equation to estimate your storage needs:

(#Security Principals * 3600 bytes) + (#Non-security principals * 1100 bytes) = Active Directory Size

To ensure that you have enough space for growth, multiply this result by at least 200 percent or more, depending on your company’s growth over the last three years.

Active Directory Size * 200% = Minimum DC capacity required

If you have a domain with 200,000 users and 1000 organizational units, then you can safely estimate your AD database storage needs:

(200,000 * 3600) + (1000 * 1100) = 721,100,000 bytes = 687 MB
687 MB * 200% = 1374 MB = 1.2 GB

Table 7.2 shows that the size of the replication of new objects and changed attributes turns out to be more expensive than the incremental storage of that same data on a single DC hard disk. For example, if you have one DC storing all the objects in a single domain that is the only domain in its forest, then there is no replication traffic that will interrupt other network traffic on the wire. (However, you won’t have any redundancy in case that DC fails, so always make certain to have two DCs per domain.) If you have two domain controllers, then replication will occur once for each change on the Active Directory database. If you have three DCs, then replication will occur twice (from DC1 to DC2, then from DC2 to DC3) for each update on the Active Directory. The number of replications is simply the number of DCs minus one, as shown in Figure 7.14. Since hard drive storage is cheap and bandwidth has a lot of competition for its use by applications on the network, it is cheaper from a network traffic standpoint to maintain fewer DCs!

Figure 7.14 Active Directory replication between four DCs.

A DC’s processor utilization increases as the number of users increases in a domain. Several factors contribute to this phenomenon. The main issue is not replication or storage, but happens to be the number of users that log on simultaneously or query the network for resources at the same time. The differences in processor types that are supported by Windows 2000 are widely varied.
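The sizing formula and the replication rule above, worked as an added example (this is not code from the Syngress chapter); it uses the Table 7.2 averages as constants, reproduces the chapter's 200,000-user calculation, and assumes, for the intersite part, that each site link carrying a batch of updates moves every update once:

```python
# Added example, not code from the Syngress chapter: a sizing calculator built on
# the per-object and replication averages of Table 7.2 and on the chapter's rule
# that each update is replicated (number of DCs - 1) times within a site.

MIB = 1024 * 1024

# Per-object averages from Table 7.2, in bytes.
SECURITY_PRINCIPAL_BYTES = 3600      # user, group, any object that can be granted rights
NONSECURITY_PRINCIPAL_BYTES = 1100   # OU, organization, objects never granted rights
EXTRA_ATTRIBUTE_BYTES = 100          # each additional attribute, e.g. added for DNS

# Replication averages from Table 7.2, in bytes.
INTRASITE_NEW_USER_BYTES = 13_000
INTRASITE_ATTR_CHANGE_BYTES = 4_500
INTERSITE_NEW_USER_BYTES = 11_000
INTERSITE_ATTR_CHANGE_BYTES = 4_000


def ad_database_bytes(security_principals: int, nonsecurity_principals: int,
                      extra_attributes: int = 0) -> int:
    """Chapter formula: (#SP * 3600) + (#non-SP * 1100), plus 100 bytes per
    extra attribute (third row of Table 7.2; treating it as additive is an
    assumption of this example)."""
    return (security_principals * SECURITY_PRINCIPAL_BYTES
            + nonsecurity_principals * NONSECURITY_PRINCIPAL_BYTES
            + extra_attributes * EXTRA_ATTRIBUTE_BYTES)


def minimum_dc_capacity_mb(db_bytes: int, growth_factor: float = 2.0) -> int:
    """Apply the 'at least 200 percent' growth rule. Whole MB, truncated the way
    the chapter's worked example does (721,100,000 bytes -> 687 MB -> 1374 MB)."""
    return int(db_bytes // MIB * growth_factor)


def replication_bytes(new_users: int, attribute_changes: int, dcs_in_site: int,
                      intersite_links: int = 0) -> dict:
    """Estimate the replication traffic a batch of updates generates.

    Intrasite: each update crosses the wire once per DC beyond the first
    (two DCs -> once, three DCs -> twice, a four-DC ring -> three paths).
    Intersite: assumption for this example, each site link that must carry
    the batch moves every update once at the intersite rates.
    """
    hops = max(dcs_in_site - 1, 0)
    intra = hops * (new_users * INTRASITE_NEW_USER_BYTES
                    + attribute_changes * INTRASITE_ATTR_CHANGE_BYTES)
    inter = intersite_links * (new_users * INTERSITE_NEW_USER_BYTES
                               + attribute_changes * INTERSITE_ATTR_CHANGE_BYTES)
    return {"intrasite_bytes": intra, "intersite_bytes": inter,
            "total_bytes": intra + inter}


if __name__ == "__main__":
    # The chapter's worked example: 200,000 users and 1000 OUs.
    size = ad_database_bytes(200_000, 1_000)
    print(f"AD database: {size:,} bytes = {size // MIB} MB; "
          f"plan for {minimum_dc_capacity_mb(size)} MB")
    # Constructed scenario: 100 new users and 50 attribute changes replicated
    # among three DCs in one site and across two site links.
    print(replication_bytes(100, 50, dcs_in_site=3, intersite_links=2))
```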
Not only are the manufacturers and processor models variables, but the speed of the processor (MHz) and the supported bus speed of the motherboard (also in MHz, but different from the processor speed) are also variables—and these can make all the difference in how your processor performs. You will need to test your processor in a lab environment to determine its maximum simultaneous processing capabilities. You can test these capabilities using Performance monitor and simulation/benchmarking utilities. (You can find many simulation or benchmarking utilities on the Internet. One of the largest benchmarking software developers is ZDNet’s Benchmark Operation, whose Web site is www.zdnet.com/zdbop/.)

(Figure 7.14 legend: a full ring for replication traffic is achieved with 3 paths between the 4 DCs; the DCs shown include s4.root.com, s2.sub.tree.com and s3.tree.com.)

But just finding the maximum simultaneous capacity is not enough; you need to consider the likelihood of that maximum capacity. For example, if you have a processor that reaches 99 percent utilization with 1000 simultaneous logons, you will also want to consider how often 1000 users would log on simultaneously. If 1000 people were to arrive at work at the same time and log on, they would probably do so within the space of several minutes. If you give them five minutes, then you would be estimating that your server could support up to 5000 users in a network before it was maxed out. Again, the maximum capacity is not the beginning capacity for your network; you want to make certain to include enough room for growth. One way to do this is to add domain controllers to the domain. Another way to do this is to load up on the hardware for your domain controller.
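An added example (not the chapter's own code) that turns the logon-capacity rule of thumb above, and the DC placement procedure the chapter describes next (one DC per site, take the larger of site count and user-driven count, extra DCs to the busiest site, two DCs behind an untrustworthy WAN link), into a small planner; the growth factor and the site names are assumptions of this example:

```python
# Added example, not code from the Syngress chapter: a small planner for the
# chapter's two rules, (1) derive user capacity from a lab-measured logon peak,
# and (2) pick and place the domain controllers per site.
import math


def users_supported(max_simultaneous_logons: int, logon_window_minutes: float) -> int:
    """Chapter rule of thumb: if the DC saturates at N simultaneous logons and
    a morning's logons spread over W minutes, it supports about N * W users
    (1000 logons at 99% CPU, five-minute window -> 5000 users)."""
    return int(max_simultaneous_logons * logon_window_minutes)


def dcs_for_domain(total_users: int, users_per_dc: int, growth_factor: float = 2.0) -> int:
    """DCs needed for the user load. growth_factor is this example's assumption
    for 'leave room for growth'; 2.0 mirrors the chapter's 200% storage rule."""
    return max(1, math.ceil(total_users * growth_factor / users_per_dc))


def place_dcs(site_users: dict, dcs_needed_for_users: int,
              unreliable_wan_sites: frozenset = frozenset()) -> dict:
    """Chapter procedure for placing the DCs of one domain:
    1. every site in the plan gets one DC;
    2. compare the site count with the DCs needed for the users, keep the larger;
    3. any extra DCs go to the site with the most users to balance the workload;
    4. a site behind an untrustworthy WAN link keeps at least two DCs.
    """
    placement = {site: 1 for site in site_users}
    total = max(len(site_users), dcs_needed_for_users)
    extra = total - len(site_users)
    if extra > 0:
        busiest = max(site_users, key=site_users.get)
        placement[busiest] += extra
    for site in unreliable_wan_sites:
        if site in placement and placement[site] < 2:
            placement[site] = 2
    return placement


if __name__ == "__main__":
    capacity = users_supported(1000, 5)              # the chapter's lab figure
    # Constructed scenario matching the chapter's placement example: three sites.
    sites = {"Site A": 200, "Site B": 200, "Site C": 7000}
    needed = dcs_for_domain(sum(sites.values()), capacity, growth_factor=1.0)
    print("DCs for user load:", needed)
    print(place_dcs(sites, 5, unreliable_wan_sites=frozenset({"Site A"})))
```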
If you think that one processor will just about be sufficient to support your network, two processors will be better, and four will give that domain controller room for growth for quite a while. Once you specify how many DCs you need in each domain, compare that to how many domain controllers you will need to support your sites. From this comparison, select the number of DCs that is larger. For example, if you have three sites and intend to place a DC in each, and you have determined that only two DCs are needed to support the domain’s users, then you will need three DCs in total. What is nice about this situation is that you know exactly where each DC will be placed. However, if you have three sites and you need five DCs to support the domain, then you must determine where to place the other two DCs. Look at the number of users in each site. If two of the sites have 200 users each, and the third site has 7000 users, then the two other DCs should be placed in the site with 7000 users. This method will ensure that the workload is balanced for those DCs. Aside from balancing the workload, redundancy is another issue to consider when deciding the number of DCs per site. If a WAN link is untrustworthy (it fails often or is overutilized), you should ensure that the number of DCs in each site connected to that WAN link is at least two.

Global Catalog Servers

The Global Catalog is required to be available in each site if the Active Directory forest consists of more than one domain. The multidomain forest is an important factor. In a single-domain forest, there is no need for a Global Catalog since all resources will be available in the domain partition of the Active Directory. The Global Catalog is important for multidomain forests because:
■ It is used during the logon process to determine memberships of universal groups.
If unable to contact a GC server, logon is refused to ensure that the user has not been denied access to resources through a universal group membership.
■ It is used for queries of resources that exist outside of a user’s own domain.

If you have more than one domain, you will want to place at least one GC server in each site. This will probably not require any extra physical servers because a GC server is simply an enhanced domain controller, and will consume only a minor amount of storage and processing power. Although you will not need as many GC servers as you do DCs, wherever possible, you should try to ensure that workload is balanced among the GC servers in a site, and that redundant GC servers are placed in sites separated by untrustworthy WAN links.

DNS Servers

The Active Directory depends on DNS in order for
■ DCs to contact each other for replication
■ Users to contact DCs to log on to the network
■ Users to contact GCs to execute a query

Without DNS, there is no communication—users can’t log on, and the Active Directory cannot replicate updates. Because of DNS’s importance, you should ensure that at least one DNS server exists in each site, and two should exist in any site that is separated from other DNS servers by untrustworthy WAN links. You can install DNS services on the existing DCs in the forest. The DNS service will consume a minor amount of storage and processing power. It is recommended that you test the capacity of a DC with additional services loaded on it when you add DNS and the Global Catalog.

WINS Servers

Windows Internet Naming Service (WINS) is used to map NetBIOS names to IP addresses. WINS is not necessary to the working domain running in native mode.
You may not need to plan for WINS servers at all, but for those networks that do need to provide WINS services for downlevel clients, they should be placed in a centrally available network location. You should have at least two WINS servers on the internetwork for redundancy.

FSMOs

There are five Flexible Single Masters of Operations (FSMOs) that you need to consider for placement on the network:
■ RID master
■ PDC emulator
■ Domain naming master
■ Infrastructure master
■ Schema master

Relative ID (RID) Master

The RID master is a designated DC. It provides unique relative ID portions of the SID to other DCs. When those DCs assign SIDs to security principals (users, groups, or other objects that can be granted rights), the RID master ensures that the SID is unique. This is especially necessary when moving an object between domains. When placing the RID master, you need to consider which DC is most easily accessible by other DCs in the domain. If you have a hub-and-spoke formation in your network where there is one main site and the rest of your sites all connect to it, it is fairly simple to select a DC in that site. If, however, you have a more complex internetwork with several major sites, you should still select the site that is most central to all other DCs. In the case of a downed RID master, where the RID master is not recoverable, you will need to change the role to another DC on the internetwork. This means that you should select a DC to serve as the backup RID master. Remember that the RID master backup will not automatically happen by itself; you will need to change the role over manually:
1. Open the Active Directory Users and Computers console.
2. Right-click on the domain.
3. Select Connect to Domain Controller from the menu.
4. Select the DC which you are going to transfer the RID master role to.
5. Click OK.
6. Right-click on the domain.
7. Select Operations Master from the menu.
8. Click the Change button on the RID tab.
9. Click OK.

PDC Emulator

The PDC Emulator does more than act as a backward-compatible PDC in a mixed mode domain. It still exists in a native mode domain. Overall, the PDC emulator handles these important functions:
■ Mixed mode PDC authority over Windows NT BDCs
■ Native mode and mixed mode central repository for domain password changes
■ Native mode and mixed mode central authority for time synchronization

When the domain is in mixed mode, the PDC Emulator is the PDC for any Windows NT BDCs in the same domain. The PDC Emulator cannot exist in a domain that has a Windows NT PDC in it, which is why a migration plan must upgrade the Windows NT PDC first, when retaining the same domain. When the domain is in any mode, the PDC Emulator is contacted by each DC on which a password change has been made, and then stores that password change. If a user changes his or her password on one DC, and then attempts to authenticate to another DC that still holds the old password, the DC first contacts the PDC Emulator to check for a password change there. In this way, the user’s logon can be accepted. The PDC Emulator also takes on the role of the time authority for the domain. All other DCs will synchronize their clocks to the PDC Emulator, and then serve that time to the time clients in the domain. The PDC Emulator needs to be highly available to the entire domain, especially to DCs in its own domain. You will want to place that PDC Emulator in a location that is central to other DCs and is highly available to them. Because of the PDC Emulator’s critical nature for password changes, you will want to give that role to a DC that has fault tolerant hardware, such as a RAID array or cluster.
You will also need to designate a potential backup PDC Emulator in case the original DC holding that role fails. To change the role of a DC to a PDC Emulator, follow a nearly identical process as that of changing the RID master role:
1. Open the Active Directory Users and Computers console.
2. Right-click on the domain.
3. Select Connect to Domain Controller from the menu.
[...]

[...]
Site link | Cost | Replication interval | Schedule
Seattle-SanFran | 5 | 60 minutes | Available all hours
LA-SanFran | 1 | 30 minutes | Available all hours
Portland-SanFran | 5 | 60 minutes | Available all hours
Phoenix-SanFran | 5 | 60 minutes | Available all hours
AllSitesBridge | 16 | NA | Not configurable
Because of the multiple domains, there should be a Global Catalog server in each site. A Global Catalog will be installed on each DC for the westcoast.com domain. The PDC Emulator, [...]

[...] only a single domain, ABC Chemical Company does not need Global Catalog servers available to all the users. ABC will place a Global Catalog server at the main HQ and install it on the existing DC there. The RID Master FSMO will be installed on that DC, as well as the PDC Emulator and the Domain Naming master. However, the Infrastructure master and the Schema master will each be placed on the DCs at the East [...]

[...] counters. (Chapter 7, page 291, table of OSI layers and data to monitor: Layer 1 and Layer 2, Physical and Data Link; Layer 3, Network; Layer 4, Transport; Layer 5, Session; Layer 6 and Layer 7, Application and Presentation.) The Application and Presentation layers are often grouped together. The Presentation layer manages the format of data, inclusive of encryption and compression, and the Application layer provides the user interface to the network. To monitor at these layers, look at the server and redirector counters. [...]

[...] company, you will find that there is either no space allocated or, as in most cases, you are given a pre-existing space that was formerly slotted for janitorial storage. If possible, work with the facilities manager and make sure that there is adequate space available for your needs, and that the space is sufficiently resourced (power and cabling, as well as security). Here are some considerations for [...]

[...] for this parameter is between 0 and 0xFFFFFFFF. The default value is 2000 TCBs for servers with more than 64 MB RAM. You should increase this value only when you have a lot of available RAM because it will reduce the available RAM by setting aside a cache for more TCBs. Continued [...] MaxHashTableSize [...]

[...] wcacctg.com.) West Coast Accounting decides to install DNS on each DC, with Active Directory-integrated zones for each domain. In addition, West Coast needs to maintain WINS for backward compatibility for the remote workstations that end-users use to dial in to the network. West Coast Accounting places the WINS service on a member server that also serves as a RAS server. West Coast Accounting also installs [...]

[...] configuration partitions are rarely changed and do not cause much replication traffic. Each domain is a separate partition of the Active Directory. When a domain does not span a site, then less traffic crosses between the sites—only the Global Catalog, schema, and configuration would be transmitted. Part of preparing a Windows 2000 infrastructure is knowing where each server will be placed on the internetwork, [...]

[...] 306 Chapter 8 • Designing the Cisco Infrastructure (71_BCNW2K_08 9/10/00 1:08 PM Page 306)
For Managers: End-to-End Network Services for a Campus Environment
Some of the challenges associated with creating an end-to-end campus solution are protecting mission-critical programs and applications, security, manageability, high availability, support for multimedia (voice and video), and scalability. Keep these [...]

[...] default. The Domain Naming master ensures that the domain namespace is unique within a forest, and is used each time a domain is added or removed from the forest. The Domain Naming master must be installed on a Global Catalog server. When placing the Domain Naming master, you should select a DC within the root domain (although being a member of the root domain is not necessarily a requirement, it can [...]

[...] likely that 56 Kbps Frame Relay links can withstand all the traffic that would be generated from each of the various sites because the amount of traffic from any site into San Francisco would constitute about one-sixtieth of this (one-sixth of 300 users = 50 users * 10% = one-sixtieth). Because San Francisco and Los Angeles share several cases in California, they require updates to be more available to each [...]