DOCUMENT INFORMATION
Basic information
Number of pages: 68
Size: 438.01 KB
Content
Implementing the Windows 2000 Servers • Appendix 517

4. Select a site link (you can change this later, if you need to).
5. Click OK.
6. Right-click on Subnets.
7. Select New Subnet.
8. Type the IP subnet address and subnet mask.
9. Click OK.

When you have multiple sites, you need to create site links, site link bridges, and connection objects to enable them to transfer information. To create the site link:

1. In the Active Directory Sites and Services console, navigate below the Sites container to the Inter-Site Transports.
2. There are two transports listed—IP and SMTP. Right-click on the transport you will use. Most often, you will only use IP.
3. Select New Site Link from the pop-up menu.
4. In the New Site Link dialog, select the sites that will participate in this site link and type the name of the site, as shown in Figure A.16. You must place at least two sites in each site link.
5. Click OK.

Figure A.16 New site link.

www.syngress.com 93_sbcran_appndx 10/16/00 12:43 PM Page 517

An administrator may wish to force replication to make recent changes synchronize throughout the forest. To do this, the administrator can use the Active Directory Sites and Services console to access the Replicate Now option, shown in Figure A.17. Replication is forced by right-clicking the connection object below the NTDS Site Settings of the server that you want to have synchronized.

Connection Object Management

Even though you have created site links, your DCs will need to have connection objects in order to synchronize updates across the site link. Think of a site link like a road for traffic, but without any cars. The connection objects are like the cars that carry traffic across the road. It is easy to ignore connection object management because objects are generated automatically by the Knowledge Consistency Checker (KCC) within any particular site. They are not generated automatically across sites.
Be careful when you move servers from one site to another! If you move a server from one site to another, the connection objects that were created by the KCC will move with it and never be changed thereafter. These connection objects may not be desirable if you want to manage traffic over that site link with bridgehead servers or by reducing the number of intersite connections. If you are creating bridgehead servers, you will need to check each server in each site to ensure that there are no connection objects created between nonbridgehead servers in the different sites. You will also need to make sure that there is only one connection object in the bridgehead server’s NTDS Settings object pointing from the other site’s bridgehead server. NTDS stands for NT Directory Service. Each domain controller has an NTDS Settings object.

For IT Professionals

Figure A.17 Replicate Now.

Installing and Configuring Windows 2000 Components

Once the Active Directory is installed on the Domain Controllers, your work is still not done. You will need to install or configure other Windows 2000 services such as the Domain Name System, Remote Access Services, and Terminal Services.

Configuring DNS

To start configuring DNS, you will want to start the DNS Manager, located in the Administrative Tools menu.

1. In the DNS Manager, shown in Figure A.18, select the server that will be configured for DNS.
2. Click the Action menu.
3. Select Configure the server.
4. The Configure DNS Server wizard will start. Click Next at the Welcome dialog.
5. Select whether the server is the first DNS server on the network or not. Click Next.
6. Create a Forward Lookup Zone. This is the domain name of the zone that the server will manage.
7. Select whether this zone is Active Directory Integrated, Standard Primary, or Secondary. If the server is not a DC, you will see that the first option, Active Directory Integrated, is grayed out. Click Next.
8. State the domain name for the zone and click Next.
9. You are then prompted to create a reverse lookup zone. For DNS experts, this is an In.Addr.Arpa zone, which can look up an IP address and find the domain name—the reverse of a standard zone. It is not necessary to create a reverse lookup zone for Windows 2000 Active Directory to function correctly.
10. The Configure DNS Server wizard completes with a summary page. Click Finish.

Figure A.18 DNS Manager.

Configuring the Distributed File System

The Distributed file system (Dfs) can be configured in two ways—as an Active Directory stored system, or as a standalone system. To create the Dfs root, start the Distributed file system console from the Administrative Tools menu. When you start the configuration wizard, you will be prompted for the type of system. To store the Dfs topology in the Active Directory, select the Create a Domain Dfs Root option. You will be prompted for the domain that will host Dfs, the server to host Dfs, a shared folder for the Dfs root, and a name for the Dfs root. The summary page of the wizard is shown in Figure A.19.

Figure A.19 Dfs Configuration wizard.

Dfs creates a full mesh topology between all the replicas. Each new replica and every other member of the replica set will share a link. This can create a lot of traffic on the network. To optimize Dfs, you can delete the connections that you don’t really need in the Active Directory Users and Computers console. Otherwise, Dfs is managed in the Distributed file system console shown in Figure A.20.
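The two conditions in the Connection Object Management sidebar above (no intersite connection objects between nonbridgehead servers, and exactly one connection object on a bridgehead pointing from the other site's bridgehead) can be checked mechanically. The following Python script is an added example, not code from the book: it parses connection-object distinguished names as they appear in the Configuration partition and reports violations over a constructed sample. The DN layout it relies on (CN=<connection>,CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...), the sample servers and the site names are assumptions; no live directory is queried.

```python
import re

# DN of a connection object below a DC's NTDS Settings object (assumed layout):
#   CN=<conn>,CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
DN_RE = re.compile(r"^(?:CN=[^,]+,)?CN=NTDS Settings,CN=(?P<server>[^,]+),"
                   r"CN=Servers,CN=(?P<site>[^,]+),CN=Sites,", re.IGNORECASE)

def server_and_site(dn):
    """Parse (server, site) out of an NTDS Settings or connection-object DN."""
    m = DN_RE.match(dn)
    if not m:
        raise ValueError("not an NTDS Settings/connection DN: " + dn)
    return m.group("server"), m.group("site")

def audit_connections(connections, bridgeheads):
    """connections: (connection DN, fromServer DN) pairs; bridgeheads: {site: server}.
    Returns findings for intersite connections that break the sidebar's rules;
    intrasite connections are skipped because the KCC maintains those itself."""
    findings, inbound = [], {}
    for conn_dn, from_dn in connections:
        dst_server, dst_site = server_and_site(conn_dn)
        src_server, src_site = server_and_site(from_dn)
        if dst_site.lower() == src_site.lower():
            continue
        # Rule 1: intersite connections only between the two sites' bridgeheads.
        if dst_server != bridgeheads.get(dst_site) or src_server != bridgeheads.get(src_site):
            findings.append(("non-bridgehead", src_server, src_site, dst_server, dst_site))
            continue
        key = (dst_server, dst_site, src_site)
        inbound[key] = inbound.get(key, 0) + 1
    # Rule 2: exactly one inbound connection object per remote bridgehead.
    findings += [("duplicate-inbound",) + k + (n,) for k, n in inbound.items() if n > 1]
    return findings

# Constructed sample directory (not real data): sites HQ and Branch, one bridgehead each.
SUFFIX = "CN=Sites,CN=Configuration,DC=example,DC=test"
def ntds(server, site):
    return f"CN=NTDS Settings,CN={server},CN=Servers,CN={site},{SUFFIX}"
SAMPLE = [
    ("CN=c1," + ntds("DC1", "HQ"), ntds("DC2", "HQ")),      # intrasite, KCC-managed
    ("CN=c2," + ntds("DC1", "HQ"), ntds("DC3", "Branch")),  # bridgehead to bridgehead
    ("CN=c3," + ntds("DC3", "Branch"), ntds("DC1", "HQ")),  # reverse direction
    ("CN=c4," + ntds("DC3", "Branch"), ntds("DC2", "HQ")),  # DC2 is not HQ's bridgehead
    ("CN=c5," + ntds("DC1", "HQ"), ntds("DC3", "Branch")),  # second inbound from Branch
]
BRIDGEHEADS = {"HQ": "DC1", "Branch": "DC3"}
if __name__ == "__main__":
    for finding in audit_connections(SAMPLE, BRIDGEHEADS):
        print(finding)
```

The same audit applies after moving a server between sites, which is when the sidebar says stale KCC-generated objects appear.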
Figure A.20 Dfs MMC.

Public Key Infrastructure

The Public Key Infrastructure (PKI) is an authentication method based on digital certificates and certification authority (CA) servers. Windows 2000 provides CA services natively. Once you install a server with CA services, you will not be able to change the role of the server, or the domain to which it belongs. The implementation process of PKI is:

1. Install one or more root CAs in the top-level domains of each Windows 2000 domain tree in the forest. The root CA is placed at the top of a CA hierarchy and is self-signed. It should be configured to issue only subordinate CA certificates. When you install the CA server, you will not be able to rename the server or change its domain membership (whether it is a DC or member server, or which domain it belongs to). You are given four choices for installing the server at the CA services installation, depicted in Figure A.21.
2. Install subordinate CA servers in the child domains to implement certificate policy. Subordinate CAs are issued their certificates from the root CA. These CA servers request a certificate from the root CA. When you install a CA on a subdomain, then the Enterprise Root CA option is grayed out.
3. Configure the CA servers to issue certificates for users. Issuing CA servers should be configured to issue appropriate certificates such as user certificates or session certificates.
4. Configure certificate revocation lists.
5. Configure Group Policy.
6. Configure certificate renewal and enrollment.
7. Issue certificates.

Figure A.21 Creating a CA server.

To create a CA on a Windows 2000 server:

1. Open the Control Panel.
2. Double-click Add/Remove Programs.
3. Select Add/Remove Windows Components.
4. Add Certificate Services.
5. Install an enterprise root CA.
6. You can optionally select Advanced options to specify whether the server is going to be a Cryptographic Service Provider (CSP)—which is responsible for creating and destroying keys and performing cryptographic operations. You can also change the hash algorithm, which detects modifications in message data. You can choose to use existing public and private keys, and set the key length. When you complete your selections, click Next.
7. Type the name of the CA server and its detailed information and click Next.
8. Specify the Validity Duration for the server. This value states when the CA expires, so carefully consider how long this server will remain in service. Click Next.
9. State the location for the CA database and log files and shared folder. Click Next.
10. If you have IIS running, you will be prompted to stop it. Click OK.

The CA server is managed using the Certification Authority console that is found in the Administrative Tools menu and shown in Figure A.22.

Figure A.22 Certificates management.

PKI policies can be established through Group Policy. These policies are located in the Computer Configuration group policy under Windows Settings\Security Settings\Public Key Policies. This group policy section is illustrated in Figure A.23.

Figure A.23 PKI group policies.

Internet Information Services

Internet Information Services (IIS) is installed by default on every Windows 2000 server, but must be installed as an option on Windows 2000 Professional workstations. To add IIS to a machine that does not have it, use the Add/Remove Programs icon in the Control Panel. When it is used to serve files to the Web, IIS can create a tremendous load on a server.
You can optimize IIS by selecting one of the application protection options for IIS processing of your directory:

■ High (Isolated) means that the application runs in a separate process.
■ Medium (Pooled) means that many applications share the same process, thus improving reliability (the default option).
■ Low (IIS Process) means that the HTML application runs in the same process as IIS. Selecting this can cause IIS to fail if the HTML application fails.

To configure this option for the Web, open the IIS console, shown in Figure A.24. Select the Properties for the Web site. Click on the Home Directory tab and select the Application Protection drop-down box shown in Figure A.25.

Figure A.24 Internet Services Manager.

Figure A.25 Configuring IIS bandwidth throttling.

[...]

■ Remote Control allows you to configure whether the user’s session can be shadowed by another user. For example, if you configured Terminal Services for a classroom, you would enable remote control without user’s permission but with interaction for all students, but disable remote control for all teachers.

[...] can access the Terminal Services server.

Figure A.31 Terminal Services Client Creator.

Configuring Routing and Remote Access Services

Routing and remote access is configured through the Routing and Remote Access console available in the Administrative Tools menu. You must configure routing and remote access when you use a server to provide routing between network segments, to provide remote access services to dial-up users, or to provide virtual private network (VPN) services to Internet users. To configure a server:

1. Start the Routing and Remote Access Server (RRAS) console on the Windows 2000 Server.
2. Right-click on the server in the left-hand pane.
3. Select Configure and Enable Routing and Remote Access from the pop-up [...]

[...] walk you through the requirements for that option. For example, if you select Remote access server, the next screen allows you to select the remote access protocols, shows how to assign IP addresses (as shown in Figure A.32), and asks whether you will use Remote Authentication Dial-In User Service (RADIUS) for central remote access authentication.
7. After you make your selections, click Finish. The service [...]

Table A.5 (continued): Server Role, Component, Configuration Method

[...] Sessions, Remote Control, and Terminal Services Profile tabs in the Active Directory properties for each user object. Manage active connections using the Terminal Services Manager once Terminal Services are up and running.

Server Role: Remote Access Server
Component: Routing and Remote Access
Configuration Method: Configure remote access using the Routing and Remote Access console in the Administrative Tools menu. Select a Remote Access Server to access the most common remote access needs.

Server Role: VPN Server
Component: Routing and Remote Access
Configuration Method: Configure VPN using the Routing and Remote Access console in the Administrative Tools menu. Select VPN Server to access [...]

Server Role: Router
Component: Routing and Remote Access
Configuration Method: [...]

[...] Then you can specify the IP address(es) that you want to exclude from the scope.