Windows Domain Administration Report Computer Science Essay


The purpose of this report is to research how the Windows Server 2008 R2 OS manages a multi-domain environment. The report provides information from the research carried out through the references and sources listed in the bibliography. This research provides a fuller understanding of what a multi-domain environment is and highlights the logical and physical infrastructure implemented by Windows Server 2008 R2.

The report will focus its attentions on the following areas:

Active Directory

DNS, Domains

Groups, trees, forests, trusts

Schema, Global catalogues

DFS Multi-Master Replication

Group Policy

With the research and report carried out, a conclusion is presented evaluating the advantages and disadvantages of the Windows Server 2008 R2 OS.

Active Directory Domain Services

Active Directory Domain Services (AD DS) is a distributed database that handles network administration and security. This server role gives the network administrator an interactive, hierarchical and secure infrastructure in which to administer resources. Once the AD DS server role is installed and Dcpromo.exe has been run (adding the DC to a forest), the computer is promoted to a domain controller.

The Domain Controller deals with security authentication for all users and devices. Active Directory holds all information about users, groups, computers, printers and files. This information is stored in objects, which are made available within the domain forest (the logical security boundary). Objects within a domain are contained in Organisational Units (OUs), allowing network administrators to delegate the relevant security and share permissions for that particular OU or object. This is an efficient method of dealing with many objects at once. The advantages of Windows Server 2008 R2 running Active Directory Domain Services are:

Domain Name System (DNS). This maps names to IP addresses, aiding human interaction

User identity with password-protected logon using AD and LDAP (Lightweight Directory Access Protocol)

Advanced Encryption with AES 128 and 256

Kerberos V5 Authentication Protocol

Backup services and servers minimising data redundancy.

Integrating DNS zones with multi-master data replication reduces the use of network bandwidth and minimises data redundancy through secure dynamic updates

Access Control Lists

Trusts created to share and delegate information with other domains.


(Minasi, 2010)

Domain Name System (DNS)

The Windows Domain Name System is a naming system used to map names to IP (Internet Protocol) addresses. DNS is part of the TCP/IP (Transmission Control Protocol/Internet Protocol) suite, which transports data over LANs and WANs. This protocol suite formats, addresses, transmits and routes data so that it reaches the receiver. Windows Server 2008 R2 installs DNS by default when AD DS is installed.

(Microsoft Technet)

(Yarendi, 2010)

Multiple Domains

Multiple domains are configured when one domain needs to share resources with another. Domains are organised hierarchically into trees and forests: the forest is the logical security boundary of the network infrastructure, and each tree holds a hierarchy of domains. The first domain on the network is the root domain, which becomes the parent domain of the next domain added; a domain added beneath a parent is called a child domain. To optimise performance in a multi-domain environment that spans a WAN connection, the network is broken down into sites. Sites structure the network into LAN segments that make use of high-speed bandwidth, and they reduce AD traffic for operations such as logon and replication. More domains can be added to the forest, and data is replicated between them over the network. To enable Windows Server 2008 to share data with other domains, trusts are created.

(Guy, 2011)

(Minasi, 2010)

(Dot Servant)


Groups

Groups are used to contain objects, which can then be configured in bulk, saving time on administrative tasks.

Group Definitions

Local group
Contents: stored on the local computer.
Scope: limited to the local computer.

Domain local group
Contents: used to set permissions on resources. Can contain global and universal groups as well as other domain local groups from the same domain.

Global group
Contents: users, computers and global groups.
Scope: any domain in the forest.

Universal group
Contents: domain and global groups from any domain in the forest. This group is stored on the Global Catalogue server (GC).
Scope: any domain in the forest.
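The scope rules in the table above are easiest to see by creating one group of each scope and nesting them. The following PowerShell is an added example, not code from the essay or its sources; it assumes the ActiveDirectory module that ships with Windows Server 2008 R2, and the OU path, group names, NetBIOS domain name and share path are placeholders.

```powershell
# Added example (not from the essay): one group per domain scope, nested in the direction the
# scope rules allow, then the domain local group used to set permissions on a resource.
# Placeholders: the OU path, group names, the EXAMPLE domain and the share folder.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=example,DC=local'   # placeholder container for the new groups

# Global: holds users/computers of its own domain and can be used in any domain in the forest.
New-ADGroup -Name 'GG-Finance-Users' -GroupScope Global -GroupCategory Security -Path $ou

# Universal: membership is stored on the Global Catalogue; may hold global groups from any domain.
New-ADGroup -Name 'UG-Finance-AllSites' -GroupScope Universal -GroupCategory Security -Path $ou

# Domain local: applied to resource permissions in its own domain; may hold global/universal groups.
New-ADGroup -Name 'DL-FinanceShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou

# Nesting in the supported direction: global -> universal -> domain local.
Add-ADGroupMember -Identity 'UG-Finance-AllSites'   -Members 'GG-Finance-Users'
Add-ADGroupMember -Identity 'DL-FinanceShare-Modify' -Members 'UG-Finance-AllSites'

# The reverse direction breaks the scope rules, so the directory rejects it; show the error.
try {
    Add-ADGroupMember -Identity 'GG-Finance-Users' -Members 'DL-FinanceShare-Modify' -ErrorAction Stop
} catch {
    "Rejected as expected: $($_.Exception.Message)"
}

# Permissions are set on the resource with the domain local group (users -> global -> domain local -> ACL).
$share = 'D:\Shares\Finance'             # placeholder folder that is shared on this server
$acl   = Get-Acl -Path $share
$rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'EXAMPLE\DL-FinanceShare-Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Read back scope and membership of what was created.
Get-ADGroup -Filter 'Name -like "*Finance*"' -Properties Members |
    Select-Object Name, GroupScope, @{ n = 'Members'; e = { $_.Members -join '; ' } }
```

The pattern is the usual user-to-global-to-domain-local-to-permission chain; the rejected nesting at the end is what the "same domain" restriction on domain local groups looks like in practice.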

Figure: Group Scope (diagram).

(Tech Target)

(Microsoft, 2010)


Trusts

Trusts are authenticated communication links between domains. Trusts allow users from one domain to access resources in another domain. Once two domains have been connected, the default trust applied to this link is a transitive two-way trust; this default trust is what attaches a child domain to the tree structure. Authentication from a child domain passes up to the trusted parent domain, with any changes reflected in the global catalogue. Types of trusts:

External: non-transitive, one- or two-way. Used to access resources in Windows NT 4.0 domains.

Realm: transitive or non-transitive, one- or two-way. Used to share information between third-party servers and Windows servers.

Forest: transitive, one- or two-way. Used to communicate between two forests.

Shortcut: transitive, one- or two-way. A shortcut trust is used to improve logon times between domains.
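The forest, domain tree and trust types described in the Multiple Domains and Trusts sections can all be read back from a domain-joined machine. This PowerShell is an added example, not from the essay or its sources; it relies only on the .NET System.DirectoryServices.ActiveDirectory classes present on Windows Server 2008 R2 and discovers the forest the current computer belongs to, so nothing is hard-coded.

```powershell
# Added example (not from the essay): enumerate the forest, its domain tree and the trusts.
# Uses the .NET System.DirectoryServices.ActiveDirectory classes; run as a domain user on a
# machine that can reach a domain controller.
Add-Type -AssemblyName System.DirectoryServices

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

"Forest root domain : $($forest.RootDomain.Name)"
"Forest mode        : $($forest.ForestMode)"
"Global catalogues  : " + (($forest.GlobalCatalogs | ForEach-Object { $_.Name }) -join ', ')
"Sites              : " + (($forest.Sites          | ForEach-Object { $_.Name }) -join ', ')

# Domain tree: a root domain has no parent; every child domain names its parent.
"`nDomains in the forest:"
foreach ($domain in $forest.Domains) {
    if ($domain.Parent -eq $null) {
        "  $($domain.Name)  [forest root / tree root]"
    } else {
        "    $($domain.Name)  [child of $($domain.Parent.Name)]"
    }
}

# Trusts are recorded per domain. TrustType maps onto the categories above: ParentChild and
# TreeRoot are the default transitive two-way trusts created when a domain is added; CrossLink
# is a shortcut trust; External, Forest and Kerberos (realm) are the explicitly created ones.
"`nTrust relationships:"
$fmt = '  {0,-28} -> {1,-28} type={2,-12} direction={3}'
foreach ($domain in $forest.Domains) {
    foreach ($trust in $domain.GetAllTrustRelationships()) {
        $fmt -f $trust.SourceName, $trust.TargetName, $trust.TrustType, $trust.TrustDirection
    }
}
# Forest trusts (to other forests) are held on the forest object rather than on a domain.
foreach ($trust in $forest.GetAllTrustRelationships()) {
    $fmt -f $trust.SourceName, $trust.TargetName, $trust.TrustType, $trust.TrustDirection
}
```

Running it in a freshly built single-domain forest prints one root domain and no trusts; adding a child domain makes the ParentChild pair appear without any administrator creating it, which is the "default transitive two-way trust" the section refers to.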


Figure: Trust Relationships.

(IT Geared, 2011)

(Minasi, 2010)

(Yarendi, 2010)


Schema

Within a forest, all domains hold the current schema. The schema defines every object type held in the AD database, using a list of properties (attributes) to specify each object; it is also responsible for the design and structure of the directory. When changes are made, the schema is replicated to all domains in the forest.

Figure: Active Directory Naming Contexts.

(Microsoft Technet, 2012)

(Team Approach)

Global Catalogue Server

Windows Server 2008 R2 domain controllers become Global Catalogue servers (GC) by default once they have been promoted to DC. The GC holds information relating to the AD database for its domain. This information is stored in the NTDS.dit file and provides a searchable index of objects, served on port 3268. A domain controller on its own does not hold information about resources outside its domain, so it uses a GC, which holds information about objects across the whole forest. To keep this data manageable, the GC holds only enough of each object's attributes to locate the object in the forest. This allows users from one domain to log on from another domain and access resources from anywhere within the forest. GC servers communicate with other GC servers to:

Locate user logon information, known as the UPN (user principal name).

Locate directory information in the forest.

Provide forest-wide searches.

Provide forest-wide services.

When directory database changes are made they are updated on the GC servers in the forest. All domain controllers with writeable attributes save data changes to their GC directory. Data is replicated with DFS (distributed file system).
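Two things in this section can be verified directly: which DCs advertise the Global Catalogue on port 3268, and that a GC search returns objects from every domain in the forest but only the partial set of attributes. The PowerShell below is an added example, not from the essay or its sources; it assumes the ActiveDirectory module of Windows Server 2008 R2 and a domain-joined machine, and the LDAP filter is this example's own choice.

```powershell
# Added example (not from the essay): check the GC role and port 3268 on each DC, then run
# a forest-wide search through the Global Catalogue.
Import-Module ActiveDirectory

# 1. Which DCs of this domain hold the GC role, and does TCP 3268 answer (plain connect, no bind).
foreach ($dc in Get-ADDomainController -Filter *) {
    $name   = [string]$dc.HostName
    $client = New-Object System.Net.Sockets.TcpClient
    try   { $client.Connect($name, 3268); $open = $true }
    catch { $open = $false }
    finally { $client.Close() }
    '{0,-32} IsGlobalCatalog={1,-5} port3268open={2}' -f $name, $dc.IsGlobalCatalog, $open
}

# 2. A GC:// bind searches the whole forest, not just the local domain, but returns only the
#    attributes that are replicated to the GC (the partial attribute set). A full attribute set
#    for an object in another domain must be fetched from that domain's own DC on port 389.
$rootDomain = (Get-ADForest).RootDomain
$gc       = New-Object System.DirectoryServices.DirectoryEntry("GC://$rootDomain")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($gc)
$searcher.Filter   = '(&(objectCategory=person)(userPrincipalName=*))'   # example filter: users with a UPN
$searcher.PageSize = 500                                                   # page through large forests
$searcher.PropertiesToLoad.AddRange(@('userPrincipalName', 'distinguishedName')) | Out-Null

"`nUsers found forest-wide via GC://$rootDomain :"
foreach ($result in $searcher.FindAll()) {
    # Property names come back lower-cased from the searcher.
    '{0,-40} {1}' -f $result.Properties['userprincipalname'][0], $result.Properties['distinguishedname'][0]
}
```

The distinguished names in the output show which domain each user lives in; that a single query on 3268 returns users from several domains is exactly what lets a user log on through a DC of a domain other than their own.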


Distributed File System (DFS)

The DFS service (Dfssvc.exe) is the core component of the DFS physical and logical structure. A DFS namespace allows an administrator to group shared folders stored on many servers into one hierarchically structured namespace. This presents a shared root folder with subfolders belonging to that namespace. The DFS namespace structure holds file shares from multiple servers and sites. By using a DFS namespace you can expand the availability of resources over the network and connect users automatically to those resources within the AD DS sites.

DFS Replication is a multi-master replication tool which allows an administrator to efficiently replicate shared folders over the network and across multiple servers. This is an effective way of dealing with limited bandwidth. Remote Differential Compression (RDC) is a compression algorithm that identifies the changed portions of a file that has been edited; only those changes are then replicated to the GC servers on the network, so for bandwidth and server efficiency only the data that was actually edited is transferred. DFS benefits the network with:

Fault-tolerant replication of data to multiple locations on a network.

Easy access to shared resources through a logical structure.

Load balancing.

DFS multi-master replication is triggered when a change has been made to a DFS folder; the change is then replicated throughout the network to the other DFS servers. Once the initial replication between two servers has taken place there is no longer a single master copy: every copy is a multi-master copy distributed to all DFS servers.


DFS Connection Process

The client connects, using a UNC path, to a domain controller or member server that hosts the DFS namespace.

The server responds to the request and gives the client the location of the resource.

The client caches the location of the resource and can now access it directly without asking the DFS server again.

The client periodically asks the DFS server whether the location has changed. The time to live before a referral is requested again is set by default to 300 seconds (5 minutes), with 1800 seconds (30 minutes) for link referrals; the time to live can be altered in



Time Synchronisation

The Kerberos authentication protocol requires all computers in the domain to be time synchronised. Computers more than 5 minutes out of sync cannot join the network. Windows Server uses the PDC (primary domain controller) emulator to configure and synchronise time with an external NTP (Network Time Protocol) server. All other DCs synchronise with the PDC's time, and computers and member servers synchronise their time with the DC that authenticates them.
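The 5-minute tolerance and the PDC-at-the-top hierarchy can be checked with the built-in w32tm.exe. The PowerShell below is an added example, not from the essay or its sources: it measures this machine's clock offset against the PDC emulator and every DC, flags anything outside the tolerance, and, only when run on the PDC itself, points it at an external NTP source. The parsing of w32tm's output (English format) and the peer list are this example's own assumptions.

```powershell
# Added example (not from the essay): report clock offsets against the PDC emulator and all
# DCs, flag skew beyond the Kerberos tolerance, and configure the external time source on
# the PDC. Requires the ActiveDirectory module (Windows Server 2008 R2) and w32tm.exe.
Import-Module ActiveDirectory

$maxSkewSeconds = 300                          # Kerberos default tolerance: 5 minutes
$pdc = (Get-ADDomain).PDCEmulator              # FQDN of the PDC emulator

function Get-ClockOffsetSeconds {
    # Offset of the local clock from $Target in seconds, or $null if it cannot be measured.
    param([string]$Target)
    $lines = & w32tm.exe /stripchart /computer:$Target /samples:3 /dataonly 2>&1
    # /dataonly prints one sample per line, e.g. "10:42:07, +00.0031245s"; keep the last sample.
    $last = $lines | Where-Object { $_ -match ',\s*[+-]\d+\.\d+s' } | Select-Object -Last 1
    if ($last -and ($last -match ',\s*([+-]\d+\.\d+)s')) { return [double]$Matches[1] }
    return $null
}

function Format-OffsetLine {
    param([string]$Name, $Offset)
    if ($Offset -eq $null) { return ('{0,-32} no response' -f $Name) }
    $flag = if ([math]::Abs($Offset) -gt $maxSkewSeconds) { '  ** exceeds Kerberos tolerance **' } else { '' }
    return ('{0,-32} offset={1,10:N3}s{2}' -f $Name, $Offset, $flag)
}

"PDC emulator: $pdc"
Format-OffsetLine -Name $pdc -Offset (Get-ClockOffsetSeconds -Target $pdc)

"`nAll domain controllers (each should track the PDC closely):"
foreach ($dc in Get-ADDomainController -Filter *) {
    $name = [string]$dc.HostName
    Format-OffsetLine -Name $name -Offset (Get-ClockOffsetSeconds -Target $name)
}

# Only the PDC emulator syncs externally; other DCs follow the PDC and members follow the DC
# that authenticates them, so this block runs only on the PDC. 0x8 = NTP client mode.
if ($env:COMPUTERNAME -eq $pdc.Split('.')[0]) {
    $peers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'     # placeholder peers; use the organisation's own
    & w32tm.exe /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
    & w32tm.exe /resync
}
```

A member server that shows a large offset against its authenticating DC while the DCs agree among themselves is the usual cause of the logon failures the section describes; the figure to watch is the absolute offset, not its sign.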

(Minasi, 2010)



BranchCache

BranchCache requires Windows Server 2008 R2 and Windows 7 Enterprise / Ultimate. BranchCache is a method of sharing files over a wide area network (WAN) by caching them on the local network. When a resource is requested it is held on the local network (high-speed bandwidth), which improves performance over the lower bandwidth of the WAN link. BranchCache also supports end-to-end encryption between clients and servers.

BranchCache Modes

Hosted Mode
Requires: a Windows Server 2008 R2 server at each branch and an SSL certificate.
Operation: the round-trip latency is calculated; if it is more than the default 80 milliseconds the file is cached on the local server.

Distributed Cache Mode
Requires: Windows 7 Enterprise / Ultimate.
Operation: the computer stores the file in its cache. When another computer requests the file it sends a broadcast to all computers and the file is then transferred between the computers.

BranchCache can be configured either through Group Policy or netsh (command-line scripting). Group Policy has five settings:

Turn On BranchCache: Enable / Disable

Set BranchCache Distributed Cache Mode: Enable / Disable

Set BranchCache Hosted Cache Mode: configure the BranchCache (hosted cache) server

Configure BranchCache for network files: set the round-trip latency threshold (default 80 milliseconds)

Set percentage of disk space used for client cache: default 5%
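The netsh route to the same configuration, covering both client modes, the hosted cache server and the file server, is shown below. This is an added example, not from the essay or its sources; the hosted cache server name, certificate thumbprint and application GUID are placeholders, and it assumes an elevated PowerShell on Windows 7 Enterprise/Ultimate (client roles) or Windows Server 2008 R2 (server roles).

```powershell
# Added example (not from the essay): BranchCache configured with netsh rather than Group
# Policy. Choose the machine's role with -Role; placeholders are marked.
param(
    [ValidateSet('DistributedClient', 'HostedClient', 'HostedServer', 'FileServer')]
    [string]$Role = 'DistributedClient',
    [string]$HostedCacheServer = 'hcs01.example.local'     # placeholder FQDN of the branch server
)

switch ($Role) {
    'DistributedClient' {
        # Branch without a local server: peers answer each other's broadcasts from their own cache.
        netsh branchcache set service mode=distributed
        # Client cache capped at 5% of the disk, the Group Policy default quoted above.
        netsh branchcache set cachesize size=5 percent=TRUE
    }
    'HostedClient' {
        # Branch with a 2008 R2 hosted cache server: clients fetch cached content from it over HTTPS.
        netsh branchcache set service mode=hostedclient location=$HostedCacheServer
        netsh branchcache set cachesize size=5 percent=TRUE
    }
    'HostedServer' {
        # On the 2008 R2 branch server. The HTTPS listener needs a certificate that matches the
        # server's FQDN (the SSL certificate prerequisite listed above) bound to port 443.
        Import-Module ServerManager
        Add-WindowsFeature BranchCache
        $certHash = 'PLACEHOLDER-CERT-THUMBPRINT'           # placeholder: thumbprint of the server certificate
        $appId    = '{00000000-0000-0000-0000-000000000000}'  # placeholder: BranchCache application id GUID
        netsh http add sslcert ipport=0.0.0.0:443 certhash=$certHash appid=$appId
        netsh branchcache set service mode=hostedserver
    }
    'FileServer' {
        # On the head-office 2008 R2 file server: the "BranchCache for network files" role
        # service; per-share hash publication is then switched on through Group Policy.
        Import-Module ServerManager
        Add-WindowsFeature FS-BranchCache
    }
}

# Show the mode, cache size and service state that resulted.
netsh branchcache show status all
```

The final `show status all` is the check to run after either the netsh or the Group Policy route: it reports which mode is active and whether the service is running, which is where a client silently left in "disabled" mode shows up.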

(Minasi, 2010)

(Yarendi, 2010)

(Microsoft Technet)

Group Policy (GPO)

Group policies are held in Active Directory, in SYSVOL. GPOs configure user and computer settings such as passwords, Control Panel options and firewalls. There are four levels of GPO: local, site, domain and OU. A domain-based policy is configured with the Group Policy Object Editor, and the Group Policy Management Console is used to link the policy to sites, domains and OUs. Group policies are applied in hierarchical order from lowest to highest precedence: local, then site, then domain and finally OU, so where settings conflict the OU-linked policy is the one applied.
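The local, site, domain, OU precedence becomes concrete when a GPO is linked to an OU and the chain of links reaching that OU is read back. The PowerShell below is an added example, not from the essay or its sources; it assumes the GroupPolicy module installed with the Group Policy Management Console on Windows Server 2008 R2, and the GPO name, OU path and registry key are placeholders.

```powershell
# Added example (not from the essay): create a domain GPO, link it to an OU, then list every
# link that applies to the OU and what a computer actually received. Placeholders are marked.
Import-Module GroupPolicy

$targetOU = 'OU=Finance,DC=example,DC=local'           # placeholder OU

# 1. Create the GPO (stored in AD and SYSVOL) and put one computer setting in it.
$gpo = New-GPO -Name 'Finance-Workstation-Settings' -Comment 'Added example GPO'
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\Software\Policies\ExampleOrg' -ValueName 'ManagedBy' `
    -Type String -Value 'Finance OU policy' | Out-Null          # placeholder registry key

# 2. Link it to the OU. For objects in this OU the link outranks domain and site links;
#    -Enforced Yes on a higher-level link would reverse that, and is deliberately not used.
New-GPLink -Name $gpo.DisplayName -Target $targetOU -LinkEnabled Yes | Out-Null

# 3. All links that reach the OU: its own plus those inherited from the domain (and site).
#    Target shows the container each link sits on, which is the level in the hierarchy.
$inheritance = Get-GPInheritance -Target $targetOU
"Inheritance blocked on $targetOU : $($inheritance.GpoInheritanceBlocked)"
$inheritance.InheritedGpoLinks |
    Select-Object Order, DisplayName, Target, Enforced, Enabled |
    Format-Table -AutoSize

# 4. Resultant set of policy on this computer: which GPOs applied and in what order.
gpresult /r /scope:computer
```

Comparing the `Target` column with the `gpresult` output is the quickest way to confirm that the OU-linked policy won a conflicting setting, or to spot an `Enforced` domain link or blocked inheritance that changed the expected order.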

(Minasi, 2010)

(Yarendi, 2010)


Conclusion

Windows Server 2008 R2 manages a multi-domain environment securely and efficiently with AD DS and the other server roles at its disposal. The hierarchical, logical structures of AD DS simplify the organisation of server data, while Kerberos, group policies and OUs set the security and permissions for resources across the network.

BranchCache, one of the new additions to the server package, extends an organisation's ability to provide the necessary resources wherever and whenever they are requested. One disadvantage could be the added software cost for XP clients, since BranchCache requires clients to run Windows 7. Another possible disadvantage to take into consideration is hardware: if hardware specifications are not met, what would the upgrade cost be for a company?

From the research carried out it is clear that the Windows Server 2008 R2 edition provides a robust, secure networking environment, giving administrators more control over the server and network infrastructure. In today's marketplace Windows Server 2008 R2 enhances an organisation of any size with IT productivity, performance and reliability.