This report is an investigation into the configuration and management of a multi-domain environment in Windows Server 2008 R2. Because of the breadth of the topic, reference material is drawn from as many sources as possible (books, the internet, magazines) in order to cover the main areas: trees and forests, trusts, global catalog servers, time synchronisation and so on.
Introduction to Microsoft Windows 2008 R2
Windows Server 2008 is available in three main editions, Standard, Enterprise and Datacenter, and improves on Windows Server 2003 with updated setup technology shared with the Windows Vista platform, improved security and more options in Active Directory.
Server 2008 requires at least a 1.4 GHz CPU, 512 MB of RAM, a minimum of 10 GB of disk space and a DVD-ROM drive; R2 is 64-bit only, so the processor must be x64. Once the hardware has been checked against these requirements, installation of the operating system can begin.
Active Directory and Domain Controller
AD DS provides authentication, authorisation, encryption services, Group Policy and many other features.
After installation completes and the system restarts, Server Manager should open automatically; if it does not, it can be launched from the icon on the taskbar next to the Start menu. From here the computer name and IP address details can be set (a server that is to become a domain controller should be given a static address).
The next stage is to create a domain controller by installing Active Directory Domain Services (AD DS) on one of the servers: click Start, select Run and enter dcpromo.exe to open the wizard that guides the user through the required steps. Wherever possible a second domain controller (DC) should be created in each domain. Domain controllers replicate the directory between themselves (multi-master replication), so if the original DC fails the second continues to service logons and keeps network downtime to a minimum; it is a live replica rather than an offline backup, so regular system-state backups are still required. At this stage the wizard asks for a deployment configuration (a new forest, a new domain in an existing forest, or an additional DC in an existing domain), a name for the forest root domain as a fully qualified domain name (FQDN) such as smith.local, and whether to install a DNS server on the DC.
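As an added example that is not part of the original report, the same promotion can be driven from dcpromo answer files rather than the wizard, which is how a second DC is usually stood up repeatably. It assumes the forest name smith.local from the text, a NetBIOS name of SMITH, the default site name, a forest and domain functional level of Windows Server 2008 R2, and that the second server can already resolve smith.local in DNS; each step is run on the server being promoted.

```powershell
# Added example, not code from the original report. Assumed names: forest
# smith.local, NetBIOS SMITH, default site. Run in an elevated PowerShell on
# the server being promoted. RebootOnCompletion=No so the script can delete
# the answer file (it holds the DSRM password) before restarting.

# --- Step 1: first DC of a new forest (creates the forest root domain) ---
# ForestLevel/DomainLevel 4 = Windows Server 2008 R2 functional level.
# The DSRM password protects offline access to the directory database, so it
# is prompted for rather than hard-coded.
$dsrm = Read-Host 'Directory Services Restore Mode password'
$forestAnswer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=smith.local
DomainNetbiosName=SMITH
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@
Set-Content -Path C:\dc-forest.txt -Value $forestAnswer
dcpromo /unattend:C:\dc-forest.txt
Remove-Item C:\dc-forest.txt -Force
Restart-Computer

# --- Step 2: additional DC in the existing domain (run on the second server) ---
# Password=* makes dcpromo prompt for the domain admin password instead of
# storing it in the file. ConfirmGc=Yes also makes this DC a global catalog.
$dsrm = Read-Host 'Directory Services Restore Mode password'
$replicaAnswer = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=smith.local
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
UserDomain=smith.local
UserName=Administrator
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@
Set-Content -Path C:\dc-replica.txt -Value $replicaAnswer
dcpromo /unattend:C:\dc-replica.txt
Remove-Item C:\dc-replica.txt -Force
Restart-Computer

# --- Step 3: after both have restarted, confirm the two DCs replicate ---
repadmin /replsummary          # per-DC replication failures and largest delta
dcdiag /test:replications      # replication health test
nltest /dclist:smith.local     # both DCs should be listed
```

The point of the answer file is repeatability: the same replica file, with only SiteName changed, builds every additional DC identically, and the DSRM password never sits in a script on disk.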
DNS (Domain Name System)
DNS is required by Active Directory (AD): clients and domain controllers locate DCs through SRV records in DNS, and when the zone is Active Directory-integrated the DNS data is stored and replicated in AD itself. DNS can be installed via Server Manager by selecting Add Roles (dcpromo also offers to install it during promotion). The purpose of DNS is to allow hosts on the network to be referred to by a name such as www.bbc.co.uk rather than by an IP address such as 192.168.23.10; a reverse lookup zone provides the mapping in the other direction, from address to name.
DHCP (Dynamic Host Configuration Protocol)
DHCP can be installed through Server Manager using the Add Roles function. Its purpose is to lease addresses from a configured range (a scope) to client machines joining the network; addresses that must never be handed out, for example those of servers with static addresses, are placed in an exclusion range. DHCP does not by itself keep a machine off the network (a host with a manually configured address still gets on), and although 2008 R2 DHCP can filter by MAC address, that only controls who receives a lease. What Active Directory does enforce is authorisation: a Windows DHCP server must be authorised in AD before it will serve leases, which stops a rogue or mis-configured Windows server from handing out addresses.
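The checks a practitioner would run after installing the DNS and DHCP roles described above, as an added example that is not part of the original report. It assumes the domain smith.local from the text, a DC named dc01 at 192.168.23.10 hosting both roles, and a LAN of 192.168.23.0/24; Resolve-DnsName does not exist on 2008 R2, so .NET is used for lookups.

```powershell
# Added example, not code from the original report. Assumed names: domain
# smith.local, DC/DNS/DHCP server dc01 at 192.168.23.10, LAN 192.168.23.0/24.
$domain = 'smith.local'
$dc     = "dc01.$domain"
$dcIp   = '192.168.23.10'

# 1. DNS records that AD itself depends on. Clients find domain controllers
#    through SRV records; if these are missing, logons and replication fail
#    even though ordinary name lookups still work.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain"
nslookup -type=SRV "_kerberos._tcp.$domain"
nslookup -type=SRV "_gc._tcp.$domain"

# 2. Forward and reverse resolution via .NET. The reverse lookup only
#    succeeds if a reverse (PTR) zone has been created for the subnet.
[System.Net.Dns]::GetHostAddresses($dc) | ForEach-Object { $_.IPAddressToString }
[System.Net.Dns]::GetHostEntry($dcIp).HostName

# 3. Zone storage: an AD-integrated zone replicates with AD rather than by
#    zone transfer, so its properties should show it as AD-integrated.
dnscmd $dc /enumzones
dnscmd $dc /zoneinfo $domain

# 4. DHCP authorisation. An unauthorised Windows DHCP server refuses to
#    lease in an AD network; this is the rogue-server protection.
netsh dhcp show server                      # authorised servers in the forest
netsh dhcp add server $dc $dcIp             # authorise this one if missing

# 5. A scope with an exclusion range for statically addressed hosts.
netsh dhcp server "\\$dc" add scope 192.168.23.0 255.255.255.0 LAN "Main office"
netsh dhcp server "\\$dc" scope 192.168.23.0 add iprange 192.168.23.100 192.168.23.200
netsh dhcp server "\\$dc" scope 192.168.23.0 add excluderange 192.168.23.1 192.168.23.20
netsh dhcp server "\\$dc" scope 192.168.23.0 set state 1   # activate the scope
```

The SRV lookups in step 1 are the ones worth scripting into a monitoring job: a DNS server that answers A-record queries but has lost its _msdcs records looks healthy to a ping test while every domain logon is failing.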
User accounts can be set up on a local machine or in the domain. A local account only grants access to the computer on which it was created and does not follow the user from machine to machine. Local account details are stored in the Security Accounts Manager (SAM), a database held on the local machine.
Domain accounts are stored in Active Directory (AD) on the domain controllers (DCs) and can be used from any machine joined to the domain. Unlike a local account, a domain account can be granted access to resources anywhere on the network, such as printers, even when the printer sits in another domain, provided a trust exists and the permissions allow it. Access to resources can be allowed or denied per user or group, and logon hours can restrict users from signing in at certain times of the day or night.
Forests, Trees and Trusts
Domains allow for centralised administration and require at least one domain controller running the server software; Active Directory runs on the domain controllers. Each domain holds information about the objects that belong to it, and domains are linked to other domains to build the tree and forest structure.
The forest root domain is created first; the tree is then built up by adding new domains beneath the existing domain (child domains) using the options in the dcpromo Active Directory wizard. All domains in a forest are linked by automatic two-way transitive trusts.
A tree is a group of one or more domains, known as subdomains or child domains, that grow from a root domain. All domains within a tree share a contiguous namespace, so domains can be identified by their DNS name structure (sales.smith.local would be a child of smith.local).
A forest is a collection of trees, that is, of root domains that do not share a contiguous namespace. The forest is the outer boundary within which computers, groups and objects exist, and it is the security boundary for Active Directory; a domain is an administrative and replication boundary only, because an administrator of any domain in the forest can ultimately gain control of the whole forest. All trees in a forest share a common global catalog, directory schema and configuration. Forest, tree and domain form the logical parts of an Active Directory (AD) network.
Trust types
External trust: nontransitive; one-way or two-way. Use external trusts to provide access to resources located in a Windows NT 4.0 domain, or in a domain in a separate forest that is not joined by a forest trust.
Realm trust: transitive or nontransitive; one-way or two-way. Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and an Active Directory domain.
Forest trust: transitive; one-way or two-way. Use forest trusts to share resources between forests. If a forest trust is two-way, authentication requests made in either forest can reach the other forest.
Shortcut trust: transitive; one-way or two-way. Use shortcut trusts to improve user logon times between two domains within an Active Directory forest. This is useful when the two domains are separated by two domain trees.
When a trust is created with the New Trust wizard there is an option to create each side of the trust separately or both sides at the same time. In either case a trust password must be supplied and entered identically on both sides; it is used only to establish the secure channel and is changed automatically afterwards, so a strong value is still needed, but it does not by itself keep unauthorised users off the network. The access control on a trust comes from SID filtering, which discards foreign SIDs that claim membership of local groups, and from selective authentication, which limits which servers users from the trusted domain may authenticate to.
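The same operations the New Trust wizard performs, done from the command line with netdom and nltest, as an added example that is not part of the original report. It assumes smith.local from the text as the trusting (resource) domain and a hypothetical partner.local as the trusted (account) domain, with administrator accounts in each.

```powershell
# Added example, not code from the original report. Assumed names:
# smith.local (trusting side, holds the resources) and partner.local
# (trusted side, holds the users). Run as a domain admin of smith.local.
$trusting = 'smith.local'
$trusted  = 'partner.local'

# 1. One-way external trust: smith.local trusts partner.local, so partner
#    users can be granted access to smith resources but not the reverse.
#    /TwoWay would create both directions. /UserD,/PasswordD are credentials
#    in the trusted domain and /UserO,/PasswordO in the trusting domain;
#    * makes netdom prompt instead of putting passwords on the command line.
netdom trust $trusting "/Domain:$trusted" /Add `
    /UserD:PARTNER\Administrator /PasswordD:* `
    /UserO:SMITH\Administrator  /PasswordO:*

# 2. Verify the secure channel that the trust password established.
netdom trust $trusting "/Domain:$trusted" /Verify

# 3. SID filtering ("quarantine"). With it on, SIDs from partner.local that
#    claim smith.local group membership via sIDHistory are dropped from the
#    token. It is on by default for external trusts, but confirm it rather
#    than assume it; an administrator in partner.local who can disable it
#    could otherwise inject a smith.local Domain Admins SID.
netdom trust $trusting "/Domain:$trusted" /Quarantine:Yes

# 4. Review every trust this domain knows about and its attributes.
nltest /domain_trusts /all_trusts
```

For a forest trust the equivalent hardening is netdom trust ... /EnableSIDHistory:No together with /SelectiveAuth:Yes, so that only servers explicitly marked "Allowed to Authenticate" accept logons from the other forest.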
Global Catalog Servers
Global catalog servers allow searches across Active Directory Domain Services without referrals to a domain controller in each domain, by holding a partial, read-only copy of every domain in the forest: a full copy of the GC server's own domain plus a subset of attributes from all the others.
The global catalog is held on global catalog servers. By default the first domain controller created in the forest is a global catalog server; if there is more than one global catalog server in a domain they are kept synchronised through normal AD replication. In a multi-domain forest at least one GC must be reachable for logons to succeed, because universal group membership is evaluated from the global catalog.
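How to find out which DCs hold the global catalog and whether a given server is answering GC queries, as an added example that is not part of the original report. It uses the .NET System.DirectoryServices.ActiveDirectory classes, which are present on 2008 R2 without the AD PowerShell module, and assumes a DC named dc02.smith.local.

```powershell
# Added example, not code from the original report. Assumed hostname
# dc02.smith.local; run on any domain-joined machine as a domain user.
Add-Type -AssemblyName System.DirectoryServices

# 1. Every GC in the forest, with its site (clients prefer a GC in their own site).
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
"Forest: $($forest.Name)"
"Global catalog servers:"
$forest.GlobalCatalogs | ForEach-Object { "  $($_.Name)  site=$($_.SiteName)" }

# 2. Is one particular DC a GC?
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', 'dc02.smith.local')
$dc  = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
"dc02 is GC: $($dc.IsGlobalCatalog())"

# 3. GC queries use TCP 3268 (3269 for LDAP over SSL). A DC that is not a GC,
#    or one still replicating in the partial copies, does not listen there.
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect('dc02.smith.local', 3268); 'port 3268 open' }
catch { 'port 3268 closed' }
finally { $tcp.Close() }

# 4. Command-line equivalents: list GCs, and turn the GC role on for a DC
#    (the DC advertises as GC only once its partial replicas are complete).
dsquery server -forest -isgc
repadmin /options dc02.smith.local +IS_GC
```

Step 3 is the check that matters for a remote site: the AD attribute can say a server is a GC while the port is closed because the partial replicas have not finished, and until then logons in that site go across the WAN.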
Time Synchronisation
This is very important, as all computers connecting to the network need to agree on the time. If an administrator has scheduled a backup for 1.00 am, then depending on the time set on each computer the backup would not run fully at the correct time.
A second and more immediate problem is authentication. Kerberos, which every domain logon uses, rejects tickets whose timestamps differ from the domain controller's clock by more than the permitted tolerance (five minutes by default), so a machine whose clock reads 8.45 am when the DC reads 9.00 am cannot authenticate at all, and a user starting work at 9.00 am is unable to log on until the clock is corrected.
Domain members do not need a custom start-up script for this. The Windows Time service on every domain-joined machine synchronises automatically with its authenticating DC, the DCs with the PDC emulator of their domain, and the PDC emulator of the forest root with whatever source the administrator configures. What the administrator must do is give the forest-root PDC emulator a reliable external time source; a start-up script is only needed for machines outside the domain.
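Configuring the forest-root time authority and measuring the skew that would break Kerberos, as an added example that is not part of the original report. It assumes the domain smith.local from the text, a DC named dc01, and the public uk.pool.ntp.org servers as the external source; any reachable NTP server would do.

```powershell
# Added example, not code from the original report. Assumed: domain
# smith.local, DC dc01, external NTP peers from pool.ntp.org.

# 1. Identify the PDC emulator; it is the top of the time hierarchy for the forest.
netdom query fsmo

# 2. On the PDC emulator only: take time from external NTP (0x8 = client mode)
#    and advertise as a reliable source so the other DCs follow it.
w32tm /config /manualpeerlist:"0.uk.pool.ntp.org,0x8 1.uk.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
net stop w32time; net start w32time
w32tm /resync /rediscover

# 3. On any domain member: confirm it follows the domain hierarchy (NT5DS),
#    not the local CMOS clock, and see when it last synchronised.
w32tm /query /source
w32tm /query /status

# 4. Offset of this machine against a DC, sampled over NTP; w32tm prints the
#    difference per sample. Kerberos tolerates 5 minutes by default.
w32tm /stripchart /computer:dc01.smith.local /samples:5 /dataonly

# 5. The same comparison done in PowerShell via WMI, as a reusable check.
function Get-ClockSkew {
    param([string]$Computer)
    $os = Get-WmiObject Win32_OperatingSystem -ComputerName $Computer
    $remote = $os.ConvertToDateTime($os.LocalDateTime)
    (Get-Date) - $remote          # positive = this machine is ahead
}
$skew = Get-ClockSkew -Computer 'dc01.smith.local'
if ([math]::Abs($skew.TotalMinutes) -gt 5) {
    "WARNING: skew of $($skew.TotalSeconds) s exceeds the Kerberos tolerance"
} else {
    "skew of $($skew.TotalSeconds) s is within tolerance"
}

# 6. All DCs in the domain compared against each other in one view.
w32tm /monitor /domain:smith.local
```

The WMI check includes the round trip in the measurement, so it is a coarse alarm rather than a precise figure; w32tm /stripchart gives the NTP-measured offset when the exact number matters.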
There are three group scopes available in Windows Server 2008, which govern where a group's members can come from and where the group can be granted permissions. The available scopes are:
Domain Local Groups - members can come from any domain in the forest or from a trusted domain, but the group can only be granted permissions on resources in the domain where it was created. It can be nested in other domain local groups of the same domain, not in groups of other domains.
Global Groups - members must come from the group's own domain, but the group can be granted permissions on resources in any domain in the forest or in trusting domains. Global groups are used to collect users who need similar network resources, such as printers or offline files held in another domain.
Universal Groups - members can come from any domain and the group can be granted permissions in any domain in the forest, so it is not limited as the other scopes are; membership is stored in the global catalog, so every membership change replicates forest-wide.
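The three scopes are meant to be combined, not chosen between: accounts go into a Global group, Global groups go into a Domain Local group, and the Domain Local group is what receives permissions (the AGDLP pattern). The following is an added example that is not part of the original report; it uses the ActiveDirectory PowerShell module that ships with 2008 R2 and assumes a hypothetical OU=Groups,DC=smith,DC=local container, users alice and bob, a share at D:\Shares\Sales, and a trusted partner.local domain.

```powershell
# Added example, not code from the original report. Assumed: OU path,
# users alice/bob, share D:\Shares\Sales and trusted domain partner.local.
Import-Module ActiveDirectory
$ou = 'OU=Groups,DC=smith,DC=local'

# A: accounts -> G: Global group. Members must be from smith.local, but the
#    group can be used in any domain of the forest.
New-ADGroup -Name 'Sales-Staff' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Sales-Staff' -Members alice, bob

# DL: Domain Local group. Can hold users and groups from any trusted domain,
#     but can only be granted permissions inside smith.local.
New-ADGroup -Name 'SalesShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'SalesShare-Modify' -Members 'Sales-Staff'
# A global group from the trusted domain nests the same way, so partner
# staff get access without anyone editing the ACL:
#   Add-ADGroupMember -Identity 'SalesShare-Modify' -Members (Get-ADGroup 'Sales-Staff' -Server partner.local)

# P: permissions go on the Domain Local group, never on individual users.
#    (OI)(CI)M = Modify, inherited by files and subfolders.
icacls 'D:\Shares\Sales' /grant 'SMITH\SalesShare-Modify:(OI)(CI)M'

# Universal groups replicate their membership to every GC in the forest, so
# reserve them for forest-wide roles whose membership changes rarely, and
# nest Global groups in them rather than adding users directly.
New-ADGroup -Name 'All-Sales-Forest' -GroupScope Universal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'All-Sales-Forest' -Members 'Sales-Staff'

# What a user is directly a member of, with scope, to confirm the chain.
Get-ADPrincipalGroupMembership alice | Select-Object Name, GroupScope
```

The payoff of the pattern is that a new starter in sales is one Add-ADGroupMember call, and removing a leaver from Sales-Staff revokes every resource the group reaches, in every domain, without touching an ACL.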
Distributed File System (DFS) and DFS Replication
Multiple copies of important data are stored on different servers so that if one server becomes unavailable, for example through hardware failure, the data can still be accessed. Organisations with strict availability requirements, such as banks, depend on this kind of redundancy for their customer records.
If a domain-based DFS namespace is used, a client accessing the data is referred to the copy on the server closest to it, and if that is unavailable to a remote copy. DFS uses the site information stored in Active Directory to decide which server is the best choice.
This only helps if the administrator repairs or replaces a failed server promptly: there is a well-known case of a high-street bank that left a failed server unreplaced until, after a period, the second server also failed, causing no end of problems for staff and customers. To install the DFS service and management console, open Server Manager, select Roles in the console tree and choose Add Roles. In Select Server Roles choose File Services, then tick Distributed File System, which selects DFS Namespaces and DFS Replication, and click Next.
Replication has two meanings here. For logons to work, all domain controllers must hold the most recent directory information so that users can log on, access resources and interact with the directory accurately; that is AD replication, which happens automatically between DCs. DFS Replication (DFSR) is the separate engine that keeps folder targets in sync (and, once a domain at the Windows Server 2008 functional level has been migrated from FRS, also replicates SYSVOL between DCs). Replication between folder targets is set up with a wizard in the DFS Management console.
Once the initial replication from the primary member to the other members has completed, a change made to any member is propagated to the others; this is multi-master replication, as there is no longer a single master share. Because every member accepts writes, a file edited in two places before replication catches up produces a conflict: DFSR keeps one version and moves the other into the ConflictAndDeleted folder, so users need to know that a "lost" edit may be there.
On a client the share is accessed by mapping it as a network drive. For a domain-based namespace the client asks a domain controller for the namespace root, then the namespace server returns a referral listing the folder targets in order of preference. The client caches the referral so it can reconnect without going back to the namespace server, and refreshes it when the referral's time-to-live expires.
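The DFS procedure described in this section from the command line, plus the client-side referral cache the last paragraph mentions, as an added example that is not part of the original report. It assumes the domain smith.local from the text, two file servers fs01 and fs02 each sharing D:\Shares\Data as "Data" and a "Public" share for the namespace root, and that the File Services role with DFS Namespaces and DFS Replication is installed on both.

```powershell
# Added example, not code from the original report. Assumed names: domain
# smith.local, servers fs01/fs02, shares Public and Data (D:\Shares\Data).
$ns = '\\smith.local\Public'

# 1. Domain-based namespace (v2 = Windows Server 2008 mode) with a root
#    target on both servers, so the root survives the loss of one server.
dfsutil root adddom \\fs01\Public v2
dfsutil target add $ns \\fs02\Public

# 2. A folder in the namespace with a target on each server. Clients get a
#    referral ordered by AD site cost, so they normally use the nearer copy.
dfsutil link add "$ns\Data" \\fs01\Data
dfsutil target add "$ns\Data" \\fs02\Data

# 3. Replication group keeping the two Data folders identical. fs01 is
#    primary only for the initial sync; afterwards both accept writes.
dfsradmin rg new /rgname:Data-RG
dfsradmin mem new /rgname:Data-RG /memname:fs01
dfsradmin mem new /rgname:Data-RG /memname:fs02
dfsradmin rf new /rgname:Data-RG /rfname:Data
dfsradmin conn new /rgname:Data-RG /sendmem:fs01 /recvmem:fs02 /connenabled:true
dfsradmin conn new /rgname:Data-RG /sendmem:fs02 /recvmem:fs01 /connenabled:true
dfsradmin membership set /rgname:Data-RG /rfname:Data /memname:fs01 /localpath:D:\Shares\Data /isprimary:true /membershipenabled:true
dfsradmin membership set /rgname:Data-RG /rfname:Data /memname:fs02 /localpath:D:\Shares\Data /membershipenabled:true

# 4. Replication health: files queued from fs01 to fs02, and each member's state.
dfsrdiag backlog /rgname:Data-RG /rfname:Data /smem:fs01 /rmem:fs02
dfsrdiag replicationstate /member:fs01

# 5. Client side: map the namespace, inspect the cached referral to see which
#    target this client was sent to, and flush it after a failover or repair
#    so the client re-asks instead of waiting for the cache to expire.
net use P: $ns
dfsutil /pktinfo
dfsutil /pktflush
dfsutil diag viewdfspath "$ns\Data"
```

The backlog count in step 4 is the number to watch after a server is brought back: until it reaches zero the restored server is serving stale files to any client whose referral points at it.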
Remote Server Administration
In Windows Server 2003 the remote desktop components were called Terminal Services; in 2008 R2 they are Remote Desktop Services, and the two-session administrative mode is Remote Desktop for Administration. Time is valuable to a system administrator, so it is good practice to set servers up so they can be accessed from the administrator's workstation or laptop; after all, the servers may not be in the same building. One drawback of this method is that if the server needs to be restarted the connection is lost and the administrator must reconnect once the server is back up.
There are several ways to enable Remote Desktop for administration on a server; one is shown below.
On the server to be administered, click Start, right-click Computer and select Properties, then Remote settings, to open the Remote tab of the System Properties dialogue box. The following options are available:
Don't allow connections to this computer (Remote Desktop disabled)
Allow connections from computers running any version of Remote Desktop (less secure)
Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)
Once Remote Desktop has been enabled, an exception for it is created automatically in Windows Firewall on the local system, allowing inbound connections on TCP port 3389. If connections still fail, check any firewall between the client and the server for that port. A Remote Desktop Gateway server is a separate component that tunnels RDP inside HTTPS (TCP 443) for clients outside the perimeter; it is not a fix for a blocked local port, but it is the right answer when the alternative would be exposing port 3389 directly to the internet.
To launch Remote Desktop Connection (RDC), click Start, then All Programs, Accessories and Remote Desktop Connection (or run mstsc). The RDC dialogue has six tabs (General, Display, Local Resources, Programs, Experience and Advanced) that provide the different features available.
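The same configuration as the dialogue's third option, done from PowerShell so it can be applied to every server the same way, together with the firewall check from the paragraph above, as an added example that is not part of the original report. It assumes a hypothetical administrative subnet of 10.0.5.0/24; the registry values and firewall rule names are the standard ones on 2008 R2.

```powershell
# Added example, not code from the original report. Assumed: admin
# workstations live in 10.0.5.0/24. Run elevated on the server.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Allow connections, and require Network Level Authentication so the
#    client must authenticate (CredSSP) before a session is created.
#    Without NLA an unauthenticated client can drive the full logon screen.
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1

# 2. Firewall: enable the built-in Remote Desktop rule (TCP 3389) and then
#    narrow it so only the admin subnet can reach the port.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=10.0.5.0/24

# 3. Verify: listener is up, NLA is enforced, and the rule is scoped.
netstat -an | Select-String ':3389'
(Get-ItemProperty "$ts\WinStations\RDP-Tcp").UserAuthentication     # expect 1
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"

# 4. Administrators can connect without being in Remote Desktop Users, so
#    keep that group empty unless non-admins genuinely need sessions.
net localgroup "Remote Desktop Users"

# 5. From the admin workstation: /admin connects to the console session,
#    which is what Remote Desktop for Administration is meant for.
mstsc /v:dc01.smith.local /admin
```

If the server is restarted from inside the session (shutdown /r /t 0 or Restart-Computer), the connection drops as the text describes; mstsc simply needs to be run again once the server is back.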
Windows Server 2008 offers the administrator plenty of functions to protect the network and ensure it runs smoothly. Some of these functions are very in-depth and require specialised knowledge to gain the full advantage of what the operating system can achieve and to understand what is going on behind the scenes.
A multi-domain environment takes longer to set up, because each protocol and function must be configured correctly in every domain, but that time is recovered when a failure occurs and the environment has been designed to tolerate it.
It is worth being precise about where the resilience comes from. A domain with a single domain controller goes down entirely when that DC fails; with a second DC in the same domain, users carry on logging on while the problem is investigated. Additional domains do not take over from one another in this way. What multiple domains provide is partitioning of the directory into separate replication scopes, separate password and account policies, and delegated administration, all within one forest.
Setting up a multi-domain environment also has disadvantages: settings that should apply to all users have to be configured consistently in each domain (each domain has its own Default Domain Policy), otherwise security settings conflict from one domain to the next. Trust relationships, SID filtering and group scopes all have to be understood, and the forest, not the domain, remains the security boundary.