DOCUMENT INFORMATION
Basic information
Number of pages: 53
Size: 1.98 MB
Content
Tip&Tec / Windows Server 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x / Chapter 4: Designing the Enterprise Network IP Infrastructure
P:\010Comp\Tip&Tec\343-x\ch04.vp Tuesday, March 25, 2003 4:06:24 PM

4. Now, add a replication partner. This partner is the second server you will prepare afterwards. Right-click on Replication Partners and select New Replication Partner. Type in the name of the other server. If it isn’t available, you will get another dialog box stating the server name cannot be validated. If so, type in the server’s IP address and click OK.

5. Right-click on Replication Partners to set replication Properties. Make sure the option to Replicate only with partners is set under the General tab, then move to the Push Replication tab. Select all the options on this tab. This will turn on real-time replication.

6. Configure Pull Replication settings on the appropriate tab, and then turn on the Enable automatic partner configuration option in the Advanced tab. WINS uses multicasting to provide configuration parameters to its replication partners. This ensures consistent configurations.

7. Click OK to close the dialog box.

That’s it; your first Network Infrastructure Server configuration is complete.

NOTE More information on WINS is available at http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/evaluate/featfunc/nt5wins.asp and in the TechNet articles Q185786 and Q239950.

Configuring the Second Network Infrastructure Server

The configuration of the second Network Infrastructure Server is the same as the first, but in reverse. You need to install and configure both DHCP and WINS. Create all of the DHCP scopes in the DHCP server, make sure that these scopes are the reverse of the 80/20 configuration you performed on the first server, activate all scopes, and authorize the DHCP server. Don’t forget to set DHCP server credentials to ensure secure DNS updates. When you are finished with DHCP, configure WINS properties and create the WINS replication partner. Now that the first server exists, you should not face any error messages during this configuration. Refer to the server configuration worksheets for complete server configuration steps.

WINS Connectivity and DNS Settings

Depending on your migration strategy, you may need to temporarily configure your Windows Server 2003 WINS servers to share information with the legacy network you are replacing. If this is the case, create only one-way replication partnerships: from the WS03 network to the legacy network. You do not want your new WINS databases to fill up with objects that have nothing to do with your new network. In addition, DNS can be linked to WINS for additional name resolution support. If you have done your homework and have convinced the organization to move to a complete Windows 2000, XP, or WS03 network, this connection should not be necessary. Even though most Microsoft networks still require NetBIOS name resolution to some degree, failures of DNS name resolution, especially failures that could be solved with WINS, should be very rare.

Moving Servers and Configuring Domain Replication

Now that all your servers are ready, you can move them to a new physical site. When you move DCs to another site, you need to ensure that Active Directory replication operates properly. For this, you need to work with the Active Directory Sites and Services console. Chances are that you’ll also have to modify some of the properties of the DCs and Network Infrastructure Server you move.
As you know, it is preferable not to modify a DC’s IP address. Thus, your staging center would ideally include a router that supports the assignment of multiple subnets. In this way, you can actually give the appropriate addresses to these two DCs right from the start (as well as the DHCP/WINS server). Then, when you move them, you won’t need to change addresses. However, if you need to do so, it isn’t the end of the world. Just make sure that everything continues to operate properly once you’ve changed addresses.

Now that you have DCs located in a different physical location, you need to configure domain replication. The activities you need to perform include the following:

1. Create a new site and enable Universal Group Membership Caching.
2. Add subnet(s) to the site.
3. Create a Site Link for the site.
4. Create a backup Site Link for this site.
5. Modify properties for each Site Link.
6. Install or move DCs into the site.
7. Select the licensing computer for the site.

As you can see, the first five steps are preparatory steps. It is only when you reach the sixth step, placing the DC in the site, that replication actually begins. To configure replication, you will require the site topology report from the site topology planning exercise you performed during your Active Directory design exercise. An example of the contents of this report can be found in Table 3-9 in Chapter 3. You can configure site replication before moving the DCs physically into the site location, but if you do so, the Knowledge Consistency Checker (KCC) service will generate errors within the Directory Service portion of the Event Log. It is best to move the servers first, and then configure replication. Replication configuration is done through the Sites and Services console.

1. Open Active Directory Sites and Services.
2. Right-click on Sites and select New Site from the context menu.
3. Name the site and select the transport mechanism, in this case IP.
4. Click OK to close the dialog box and create the site.
5. View the Properties for the site and check Enable Universal Group Membership Caching. Click OK to close the dialog box.
6. Add a subnet to the site by right-clicking on Subnets and selecting New Subnet from the context menu.
7. Type in the IP address and the subnet mask to use. Select the site to associate to this subnet. Click OK to create the subnet.
8. Now you want to create the site link for this site. A site link always includes at least two sites. Move to Inter-site Transports and right-click on the IP transport. Select New Site Link from the context menu.
9. Name the site link and identify the two sites in the link. Click OK to create the site link.
10. Repeat the procedure to create the backup site link.
11. As you can see, WS03 automatically assigns a cost and a replication interval to each site link. The default cost is 100 (a value that is appropriate for T1 links). The default replication interval is 180 minutes. If your physical link is a T1, you don’t need to change the site link cost for your main replication link. If not, see Table 3-8 for the recommended values for site link costs. As you’ll remember, you don’t want to modify either the site replication interval or the site link schedule, in order to let the KCC perform its work in optimal fashion.
12. However, you will want to add a description for the main site link you just created. To do so, right-click on the site link and select Properties. Type in the description and change the site link cost if you need to do so. Click OK when done.
13. Type in a description and change the site cost for the backup link as well.
14. Now you need to move the DCs into the new site. Move to the Default-First-Site-Name and right-click on the server you want to move. Select Move from the context menu.
15. Select the destination site and click OK.
16. The final step is to identify the licensing server for the new site. Click the site name and double-click on Licensing Site Settings in the right pane. Click Change to locate a server. Type in the first part of the server name and click Locate. Click OK to use this server as the licensing server. You should use your forest root domain DC as the licensing server in this case. Click OK to close the License Site Settings dialog box.

Your replication is now configured.

Two activities remain: designating a Global Catalog server in the new site and enabling the site for Global Catalog caching. The first is a function of the NTDS settings for the server you want to use as a GC and the second is a function of the NTDS settings for the site itself.

1. Expand the site information in the left pane until you see the server names in the site. Select the server you want to make a GC, in this case, the forest root domain server.
2. Double-click on NTDS Settings in the right pane.
3. Select the Global Catalog Server checkbox and click OK.
4. To enable the site for GC caching, select the site name in the left pane. In the right pane, double-click on NTDS Site Settings.
5. Select the Enable Universal Group Membership Caching checkbox. Click OK to close the dialog box. Perform this for each site you create.

QUICK TIP You might consider configuring Printer Location Tracking at this time since it is done in this console and must be prepared on DCs. To do so, proceed to the section “Integration with Active Directory” in Chapter 7 and review the steps required to configure this option.

You’re all done. Now you need to verify that replication works properly. To test inter-site replication, perform some AD modifications in the AD Users and Computers console and test them from the remote DC. You can use Terminal Services in Administrative mode to do so. Also verify the Directory Service portion of the Event Log to make sure there are no errors.

CAUTION Your parallel network is now ready for prime time. The remaining chapters will show you how to populate this network and ensure its resiliency. Before moving on, though, be sure that you fully test every part of this network. It is the basis of your new enterprise network infrastructure. You want to ensure that everything is running smoothly. It is not too late at this stage to start over and repeat the Parallel Network Creation Process. It will be too late once you have begun populating this network.
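The site-topology procedure above is given as console clicks. As an added example that is not from the book, the same configuration expressed for the ActiveDirectory PowerShell module (RSAT, Windows Server 2012 or later, so it postdates WS03): it creates the site with Universal Group Membership Caching enabled, adds the subnet, creates the main and backup IP site links at the default 180-minute interval, moves the DC, turns it into a Global Catalog by setting the options bit the GUI checkbox sets, and finishes with the replication checks the text asks for. Site names, the subnet, the DC name and the backup-link cost of 200 are constructed placeholders; the WS03 licensing-site step has no cmdlet in this module and is left out.

```powershell
# Added example, not from the book: the AD Sites and Services steps above as
# ActiveDirectory-module PowerShell (RSAT, Windows Server 2012 or later).
# Needs Enterprise Admin rights. Every name and address below is a constructed placeholder.
Import-Module ActiveDirectory

$HubSite    = 'Default-First-Site-Name'    # site the DC is being moved out of
$NewSite    = 'Branch-Site'                # placeholder
$Subnet     = '10.20.0.0/16'               # placeholder, CIDR form
$DcName     = 'DC03'                       # placeholder: the forest root domain DC
$MainLink   = "$HubSite-$NewSite"
$BackupLink = "$HubSite-$NewSite-Backup"

# 1. Create the site and enable Universal Group Membership Caching on its NTDS Site Settings.
New-ADReplicationSite -Name $NewSite -UniversalGroupCachingEnabled $true

# 2. Associate the subnet with the site so DCs and clients in it are located correctly.
New-ADReplicationSubnet -Name $Subnet -Site $NewSite

# 3./4. Main and backup IP site links. Cost 100 is the default (suited to a T1); the
#       backup link gets a higher cost (200 here, an assumption) so the KCC prefers the
#       main link. The 180-minute interval and the schedule stay at their defaults.
New-ADReplicationSiteLink -Name $MainLink   -SitesIncluded $HubSite, $NewSite -Cost 100 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name $BackupLink -SitesIncluded $HubSite, $NewSite -Cost 200 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP

# 5. Descriptions on both links, as the procedure asks.
Set-ADReplicationSiteLink -Identity $MainLink   -Description 'Main replication link, T1'
Set-ADReplicationSiteLink -Identity $BackupLink -Description 'Backup replication link'

# 6. Move the DC into the new site. Do this after the server is physically in place;
#    otherwise the KCC logs errors in the Directory Service event log.
Move-ADDirectoryServer -Identity $DcName -Site $NewSite

# Make the moved DC a Global Catalog. The GUI checkbox sets bit 0 of the 'options'
# attribute on the server's NTDS Settings object; do the same here.
$ntdsDn  = (Get-ADDomainController -Identity $DcName).NTDSSettingsObjectDN
$options = [int](Get-ADObject -Identity $ntdsDn -Properties options).options
Set-ADObject -Identity $ntdsDn -Replace @{ options = ($options -bor 1) }

# Verification, the step the text ends with: partner status, recorded failures, and
# Directory Service log entries of warning level or worse on the moved DC.
repadmin /replsummary
Get-ADReplicationPartnerMetadata -Target $DcName |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
Get-ADReplicationFailure -Target $DcName
Get-WinEvent -ComputerName $DcName -LogName 'Directory Service' -MaxEvents 200 |
    Where-Object { $_.Level -in 1, 2, 3 } |    # critical, error, warning
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

Run it from an administrative session on a member with RSAT installed after the DC has been racked at the new site; an empty result from Get-ADReplicationFailure and a clean Directory Service log are the same signal the text has you look for in the console.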
Upgrading Active Directory from Windows 2000 to WS03

Upgrading to a native WS03 forest from Windows 2000 is a much less complex process than migrating from Windows NT to Windows Server 2003. The advantage of having a Windows 2000 network is that everything is already in place. You may not need to plan for a new or parallel IP infrastructure. You may not need to perform an AD design, though it is necessary to review the design in light of new WS03 features. Even though this review might indicate a forest restructure, it is a task that is much less complex than creating an entirely new WS03 forest.

CAUTION Only perform a Windows 2000 upgrade to Windows Server 2003 if you performed a clean installation of Windows 2000 when you migrated from Windows NT. If you performed an upgrade from NT to Windows 2000, this might be the right time to review your needs and use the parallel network to move to a native WS03 enterprise network. Even if you feel you are ready for the upgrade, make sure you review the information presented previously in this chapter to enable new WS03 features in your forest.

Upgrading a production network to Windows Server 2003 is a major undertaking that will affect the entire network. This is why you should proceed with care. It is especially at this stage that you discover the usefulness of the testing and staging processes outlined in Chapter 1. Make sure you thoroughly test your upgrade procedure before you proceed.

The Upgrade Process

The recommended steps for an upgrade from Windows 2000 to WS03 are detailed in the forest staging activities checklist illustrated in Figure 4-7. It is divided into four stages: preparing for the upgrade, performing the upgrade, post-upgrade tasks, and ongoing forest management. Several subtasks are derived from each stage. Make sure everything is tested and documented before proceeding in your production network.

[Figure 4-7 Windows 2000 Upgrade Checklist]

Preparing for the Upgrade

The first thing to do to prepare for the upgrade is to perform a forest consistency check. This activity basically involves a review of the choices that were made when planning your Windows 2000 Active Directory. Are they still valid in light of what you have learned from Active Directory and new Windows Server 2003 features? Don’t make light of this step. There’s never a better time than an infrastructure project to implement structural changes. Since you will be performing a systemwide upgrade, you may as well take the time to check how things are running and see if there are any possible improvements you could make.

The second step is to run Windows Server 2003 Setup with the /checkupgradeonly switch to verify compatibility of every domain controller. This process was outlined in Chapter 2. Retrieve all of the output files and check the status of each of the domain controllers.
Three steps need to be performed before you can move on to the WS03 upgrade:

• Performing an Active Directory Preparation for the forest
• Performing an Active Directory Preparation for every domain
• In addition, if you used a Server Kernel concept as described in Chapter 2 and you installed the Windows 2000 Administration Tools on every DC, you will need to remove them before proceeding.

This should bring your DCs to WS03-compatible levels. One last thing to check is free space. Depending on the size of your directory, you will require a minimum of 1.5 GB of free space on each DC to perform the upgrade.

Next, prepare an upgrade task list. This list should detail, step by step, every activity you need to perform to upgrade your Active Directory from Windows 2000 to Windows Server 2003. Set it up as a checklist and check off each item as you proceed with your upgrade. This list should include all of the steps identified in Figure 4-7.

The last step for preparation is to obtain the schema modification authorization. Since you are using Windows 2000, you have taken the time to put a schema change management committee in place. You should get its authorization to perform both a forest and a domain preparation. This authorization should include a time window outlining when the upgrade will be possible.

Upgrading to WS03

You’re ready to proceed. Remember, test and retest in a laboratory first. Preparing the forest means moving to the Schema Operations Master and executing the adprep /forestprep command. The adprep executable can be found in the I386 folder of the WS03 CDs. Ensure that you are using the proper version of WS03 (refer to Table 1-2 in Chapter 1 for upgrade paths) and execute the following command:

D:\i386>adprep /forestprep

where D represents your CD/DVD drive letter. Once you consent to the upgrade by typing C and pressing ENTER, this will launch the forest preparation process. In fact, this process consists of importing a number of different commands to extend the forest’s schema. This process is fairly quick, but by default, it doesn’t give you a lot of feedback while executing. Have patience. Don’t stop it in the middle because it seems to be hung.

Once the preparation is complete, you need to wait until the changes have been replicated to the entire forest. If you performed a forest replication latency calculation during your migration to Windows 2000, you will know exactly how long you need to wait, because replication latency is the longest possible time of completion for a forest replication process.

Once the forest change is complete, you can perform the domain preparation on each domain of the forest. This command needs to be performed on the Infrastructure Master for each domain. Execute the following command:

D:\i386>adprep /domainprep

where D represents your CD/DVD drive letter. If you only want to test the upgrade process for both the forest and the domain, add the /analyze switch to either command. As before, you need to wait for domain replication to complete.

Now you can upgrade each DC to WS03. It is always wise to perform another upgrade compatibility check to ensure that everything is okay. Then proceed with the Windows Server 2003 installation. WS03 will automatically propose an upgrade. The upgrade process is very simple. No answers need to be given during the upgrade, unless you need to provide special mass storage drivers. The entire process can be automated as outlined in Chapter 2.
Simply create a network share to store the installation source files, share it, and use scripts to perform the DC preparation, the domain preparation, and the Windows Server 2003 upgrade. These scripts can all be executed automatically through Terminal Services Administrative mode.

Post-Upgrade Tasks

Once all DCs have been upgraded, you can migrate your forest to native WS03 mode. But before you do so, you need to verify that every domain in the forest supports native WS03 compatibility. Windows Server 2003 offers two native modes: domain and forest. The native domain mode requires that all services in the domain be compatible with WS03. The forest mode requires every domain in the forest to run compatible applications. Native domains cannot have either Windows NT or Windows 2000 DCs in them, and native forests can only have WS03 DCs.

To migrate your domains and forest to WS03 native mode, first make sure that they meet all of the prerequisite conditions, and then use the following procedure:

1. Open the Active Directory Domains and Trusts console.
2. Right-click on the Console Root.
3. From the context menu, select Raise domain functional level.
4. Click Raise. Agree to all the warning messages.
5. Wait for domain replication to occur. If the forest has more than one domain, raise the functional level of each domain in turn.
6. Once all domains are raised to WS03 functionality, return to the Active Directory Domains and Trusts console.
7. Right-click on the Console Root.
8. From the context menu, select Raise forest functional level.
9. Click Raise. Agree to all the warning messages.
10. You will need to wait for replication to occur to all DCs within the forest before using WS03 native forest functions.

Other operations you might consider at this stage are updating forest server roles and performing a DNS strategy review. If you decide to modify DC roles, you’ll find that operations are much the same as they were in Windows 2000. There are great new functionalities such as drag and drop editing within AD MMC consoles that make life a lot easier with AD. Operations you might perform at this stage are:

• Modify DC role (Add/Remove Global Catalog service)
• Modify DC role (Enable Universal Group Membership Caching)
• Modify Operations Master roles

DNS should be on every DC, and if it isn’t, you should add it. It doesn’t generate a lot of overhead and it makes DC location a lot easier. Next, you can create or modify application partitions to hold DNS data. The DNS Wizard will automatically create these partitions for you. These can be forest-wide or domain-centric. The advantage of application partitions in this case is that you no longer need to create secondary DNS zones anywhere in your network. The DNS infrastructure process is outlined in a previous section titled “DNS Configuration Finalization” for the first server in the parallel network.

Your final migration tasks should cover a review of Active Directory replication. Make sure that all replication works properly. This should include replication within a site and replication between sites. You may need to create or modify AD sites or modify your replication rules to match WS03 best practices.

You may also be interested in restructuring domains. If you find that your original Windows 2000 forest and domain structure does not meet all your needs, you can restructure domains. WS03 offers several tools for this step.
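The adprep placement described above (forest preparation on the Schema Master, domain preparation on each domain’s Infrastructure Master) and the raise procedure are given for the command line and the console. As an added example that is not from the book, the same logic in ActiveDirectory-module PowerShell (RSAT, Windows Server 2012 or later, so it postdates WS03): it reports where each adprep command must be run, refuses to raise a domain that still holds Windows NT or Windows 2000 DCs, raises each domain and polls every DC in it until the new level has replicated, and only then raises the forest. The function names, the poll interval and the timeout are constructed; the adprep commands themselves are still typed on the role holders as the text describes.

```powershell
# Added example, not from the book: pre-flight checks and the functional-level raise as
# ActiveDirectory-module PowerShell (RSAT, Windows Server 2012 or later), run as an
# Enterprise Admin. Target levels follow the text (WS03); poll interval and timeout
# are constructed defaults. Function names are this example's own.
Import-Module ActiveDirectory

# adprep runs on specific role holders: /forestprep on the Schema Master, /domainprep
# on each domain's Infrastructure Master. Report which servers those are.
function Get-AdprepTarget {
    $forest = Get-ADForest
    [pscustomobject]@{ Scope = 'forest'; Command = 'adprep /forestprep'; RunOn = $forest.SchemaMaster }
    foreach ($domain in $forest.Domains) {
        [pscustomobject]@{ Scope   = $domain
                           Command = 'adprep /domainprep'
                           RunOn   = (Get-ADDomain -Identity $domain).InfrastructureMaster }
    }
}

# A native WS03 domain cannot contain Windows NT or Windows 2000 DCs. Returns the DCs
# that would block the raise; no output means the domain is eligible.
function Get-LegacyDomainController {
    param([Parameter(Mandatory)][string]$Domain)
    Get-ADDomainController -Filter * -Server $Domain |
        Where-Object { $_.OperatingSystem -match 'Windows 2000|Windows NT' } |
        Select-Object HostName, OperatingSystem, Site
}

# Raise one domain, then poll every DC in it until all report the new level. This is
# the "wait for domain replication to occur" step made observable instead of guessed.
function Update-DomainFunctionalLevel {
    param([Parameter(Mandatory)][string]$Domain,
          [string]$TargetMode = 'Windows2003Domain',   # ADDomainMode enum value
          [int]$PollSeconds = 300,                     # constructed default
          [int]$TimeoutMinutes = 180)                  # constructed default
    if (Get-LegacyDomainController -Domain $Domain) {
        throw "$Domain still has Windows NT/2000 DCs; not raising its functional level."
    }
    Set-ADDomainMode -Identity $Domain -DomainMode $TargetMode -Confirm:$false
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $pending = Get-ADDomainController -Filter * -Server $Domain |
            Where-Object { (Get-ADDomain -Server $_.HostName).DomainMode -ne $TargetMode }
        if (-not $pending) { return "$Domain reports $TargetMode on every DC" }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for $Domain; still pending: $($pending.HostName -join ', ')"
}

# Every domain first, then the forest, in the order the procedure gives.
function Update-ForestFunctionalLevel {
    param([string]$TargetMode = 'Windows2003Forest')   # ADForestMode enum value
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) { Update-DomainFunctionalLevel -Domain $domain }
    Set-ADForestMode -Identity $forest -ForestMode $TargetMode -Confirm:$false
    (Get-ADForest).ForestMode
}

# Show where adprep has to be run before anything is raised.
Get-AdprepTarget | Format-Table -AutoSize
```

The legacy-DC check is the part worth keeping even where the rest is done by hand: a raise that fails half-way because a forgotten Windows 2000 DC is still in a remote site is exactly the condition the text warns about, and the check surfaces it before any change is made.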
The movetree command allows you to move computers and users from

[...]

... computers.

NOTE To make the most of your parallel network, make sure you deploy only Windows 2000 or Windows XP PCs, and Windows 2000 or 2003 servers. Ideally, you will deploy only Windows XP and Windows Server 2003 in your new infrastructure. This will ensure that you make the most of this new network and provide the best return on investment because every WS03 feature will be available on your network...

... implementation outlined through the Enterprise Network Architecture Blueprint in Chapter 1’s Figure 1-5.

Best Practice Summary

This chapter recommends the following best practices:
• Use a parallel network to implement the new enterprise network (unless you already have Windows 2000 and it qualifies for an upgrade)
• Test the implementation process in a laboratory
• Prepare documentation before proceeding with the...

... all parallel network servers with an up-to-date Server Kernel (see Chapter 2)
• Each server should meet the server sizing requirements
• If you do not use an automated kernel installation, be sure you perform all steps required for a reference computer
• Each server should have stringent quality control after staging
• For DCs, pay special attention to hardware conflict resolution before proceeding with...

... operation is the implementation of forest trusts. Now that you have WS03 forests, you can decide to implement global forest trusts. These will link multiple forests together. Beware, though! You can easily find the same difficulties in forest trusts that you found in Windows NT domains. Forests are designed to protect schemas. Unless there are significant requirements for forest trust implementations, you...

... for a maximum amount of time—600 seconds by default—in case the script hangs while running. After the scripts are run, the computer will allow logons and display the logon splash. Everything from steps 4 to 10 is reapplied during user logon. Windows XP uses an asynchronous policy application process, while Windows Server 2003 and Windows 2000 use a synchronous process. This means that for servers and Windows...

... monitoring policy that should be applied only to systems that run Windows Server 2003, Enterprise Edition. To do so, you can create the following filter:

Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows Server 2003 Enterprise Edition"

Then you can apply this filter to the Group Policy object you create for the monitoring policy. Another example is when you need to apply...

... according to the time zone (see Table 4-1) for time synchronization
• If the alert management system is to work, install SNMP on all servers and computers (if required). Secure the SNMP service.
• Verify every aspect of the server’s configuration before moving on to configure another server
• If you ever need to do so, transfer the Schema Master with care
• For better performance, create a special disk on DCs...

... such as Windows Components, System, Network, and Printers. Yes. Windows Components. Yes. Controls settings such as NetMeeting (for the remote desktop), Internet Explorer, Task Scheduler, Terminal Services, Windows Installer, Windows Messenger, and Windows Update. Several settings are of use here. Terminal Services determines how the TS session is established between the local and the remote systems. Windows...

... to have more than 50,000 users in the production domain
• Create an application data partition before you create the child domain DNS zone partition
• It is recommended to create both domain and forest-wide application partitions for the production domain DNS data because users from most every other domain will require access to intranet resources
• DHCP servers should have high-performance hard disks...

... Default Domain Controller Policy

Chapter 5: Building the PC Organizational Unit Infrastructure

A specific default domain policy is applied to every domain in an enterprise Windows Server 2003 network. In the example used in Chapters 3 and 4, the T&T enterprise network will have several default...