04 - Becoming Part of the Enterpriseby Don Benage
Setting up a single, stand-alone Windows NT computer is a straightforward task. Things become more complicated, however, when you must connect a server to an enterprise-wide network. The need for cooperation with others and coordination with the work they are doing becomes important. Decisions that were previously somewhat arbitrary become critical issues. This chapter discusses the most important considerations facing an administrator involved in creating an enterprise network and setting up servers to run in such an environment. When you finish this chapter, you will understand how computers on a large network are organized, the basics of network protocols, and Windows NT security.
Each of these activities is described in the sections that follow.
Each Microsoft BackOffice product provides a different set of network services:
Two schools of thought exist on server organization: the super-server school and the distributed computing school. Both approaches have strengths and weaknesses. You must weigh the tradeoffs and decide which approach makes sense in your organization. The super-server approach involves buying one (or few) very large computers with multiple processors and a large amount (for example, 256M or more) of random-access memory (RAM). This concentrated power can be easier to physically secure than multiple smaller machines. It also offers the advantage of letting one application make full use of the super-server if other applications are not yet active, or if they experience a reduced load during off-peak hours. By careful scheduling, you can bring a tremendous amount of computing power to bear on your server application. The distributed computing approach favors multiple, redundant servers each performing a portion of the overall delivery of service. This redundancy reduces the impact of a single machine failure. In a geographically distributed network, it can aid in the placement of server resources on the same fast LAN with client workstations. But it does make physical security a greater challenge and reduces your ability to easily apply a lot of computing power to one task. Chapter 30, "Managing Distributed Data," covers many of the issues associated with data distribution across a network.
Of course, your approach need not be one or the other. You may adopt a largely distributed approach, applying an occasional super-server if concentrated power is needed for a very demanding application. There is no single correct approach that fits the needs of all organizations.
Some of these structures are used for only one of the BackOffice products. An organization is only used when setting up Exchange servers, for example. Only Systems Management Server (SMS) uses machine groups. SMS and Exchange both use sites. SQL Server uses server groups. In addition, these structures don't necessarily map directly into the domain structures Windows NT uses to manage security. At first, this may seem arbitrary and needlessly complex. After you understand each of the products better, however, you should see the logic behind some of these differences. The products do different things and different structures are appropriate to manage them. There is one more thing to remember that may help make sense of all this. Don't make things any more complicated than they need to be. The capability to break computers and users into groups makes it easier to manage them. If natural divisions don't suggest themselves, perhaps you don't need to take advantage of these capabilities. On smaller networks (fewer than 100 users) you may only need:
A workgroup has no role in authenticating a user's identity or enforcing security. Windows NT Servers in a workgroup each have their own account database. If you want to use resources on two different Windows NT Servers in a workgroup (not a domain), you need to have an account on both computers, as shown in figure 4.1. If you change your password on one server, it does not automatically change on the other. Fig. 4.1 - Microsoft BackOffice servers have separate user accounts and security policies, which means no replication of account information occurs from one server to another.
To establish a domain, you must configure at least one Windows NT Server as a domain controller. This computer contains the master copy of the user account database. It is kept in an encrypted form so that it cannot be read by unauthorized persons, and permissions are set such that it cannot be tampered with or accidentally deleted. The domain controller also keeps the master copy of the policy information regarding passwords. It is possible, for example, to require that all passwords be at least six characters long, and a new password be selected every 90 days. Unless you have a very small network, you will also want one or more additional domain controllers, sometimes referred to as backup domain controllers. These computers are automatically updated whenever a user account is added, modified, or deleted. If any changes are made to the security policy of the domain, they are also forwarded to all domain controllers, as shown in figure 4.2. By default, this occurs approximately every five minutes. Fig. 4.2 - Account and security policy information is automatically replicated from the primary domain controller to all other domain controllers.
After you establish a domain, you can create user accounts and organize users into groups that reflect their computer needs or departmental affiliation in your organization. For example, you might create a group containing everyone who needs to use a particular application or a group containing everyone in the Research Department. After you create accounts and groups, you can use them to assign permissions to access shared resources on your network.
An additional feature provided by Windows NT Server is the capability to establish trust relationships between two domains. A trust relationship is set up by the domain administrator(s) for two domains. If domain B trusts domain A, then user accounts and groups from A can be assigned permission to use resources in B. In a very real sense, the administrators of B are trusting the administrators of A to be responsible about security policy and assigning users to particular groups. In figure 4.3, the domain INTERNAL trusts the domain GSULLIVAN. Fig. 4.3 - Establishing a trust relationship between two domains.
A single domain can span geographic locations, if necessary. More complex domain models also can be created, using domain trust, to accommodate large numbers of computers and users. A utility included in the Windows NT Resource Kit offers guidance for domain planning. This is an essential activity that should ideally take place before installing your first server. Although it is possible to reorganize your domain design later, it is not a simple process.
The most common domain model used in large enterprises is the master domain model. This structure uses a single master domain and one or more resource domains. In figure 4.3, GSULLIVAN is the master domain, and INTERNAL is the resource domain. All user accounts and global groups are created in the master domain. This domain is administered by the Information Systems (IS) department for the organization. As people join the organization, an account is created for them in the master domain. If they leave the organization, the account can be disabled or deleted.
A master domain typically has at least two domain controllers with fast processors and high-speed network cards. They do not usually need to have a lot of disk storage or RAM (32M to 64M of RAM should be enough) because they are only validating logons. Shared resources and server-based applications run on the resource domains.
Resource domains are then created by installing one or more domain controllers and establishing a one-way trust relationship. The resource domain trusts the master domain. Figure 4.4 depicts a typical master domain with two resource domains; each with a primary domain controller. Fig. 4.4 - A master domain with two "trusting" resource domains. The domain controllers and other servers in the resource domain provide the shared resources users need and are the real workhorses of the network. They may have multiple processors and a lot of RAM (128M or more) to support server-based applications. If they exist primarily to support file and printer sharing, you should consider fast disk subsystems with Redundant Array of Inexpensive Disks (RAID) Level 5 disk arrays or disk mirroring for high reliability. Windows NT supports RAID up to Level 5 right out of the box. The master domain model yields a very useful environment. The master domain administrators maintain control over who can and cannot log on to the network. But the day-to-day activities of sharing printers and directories, and giving users permissions to use them, can be controlled by members of the department or organizational unit where the work is being done. By making one or more members of the department administrators of the resource domain, you can delegate some authority and provide an environment responsive to rapid changes. If you want slightly less autonomy with more central control, you can make department members server operators, account operators, printer operators, or backup operators rather than full-fledged administrators. Administrators and server operators in the resource domain can assign permissions to shared resources. After the trust relationship has been established, the user accounts and global groups from the master domain can be used to assign permissions for resources in the resource domain. Figure 4.5 depicts a typical scenario in which the group Staff from the master domain GSULLIVAN is being given permission to use a shared directory called TechInfo on the server PrimSrv in the resource domain INTERNAL. Fig. 4.5 - Assigning permissions to a shared directory in a resource domain using master domain accounts and groups. In addition to the workgroups and domains understood by Windows NT, several other structures are used by the other server-based applications in BackOffice.
The exact mechanics of the conversation are somewhat more complicated, and the particulars vary depending on how the network is set up. The important things to remember are the following:
A network protocol is a detailed recipe for taking information, breaking it into groups or packets, adding some additional control information, and sending it over a wire (or even through the air with some equipment!) to another computer. A variety of network protocols have been developed over the years with different characteristics. The main features of the most widely used protocols supported by Windows NT are outlined in the following sections.
If you need to be able to communicate with computers at another geographic location, in another city or country for example, you will certainly not be able to run your own cable to the other site. You will probably need to arrange to use a cable owned by a telecommunications company (your local phone company for example) or another service provider. This requires special equipment designed for communication over such lines, and you then have a wide area network or WAN. See Chapter 8, "Wide Area Networking with Windows NT Server" for a complete discussion on this topic. The computer programs implementing a network protocol for a particular operating system are commonly referred to as a protocol stack. When LANs were first developed, it was common to have a single program handle all networking issues. This type of program was called a monolithic stack. Now it is more common for a protocol stack to have separate program components for the network adapter installed in your computer and the particular type of network protocol (for example, TCP/IP) you are using. These specific network protocols are sometimes referred to as transport stacks. Protocol stacks have three significant characteristics:
On computers running DOS or DOS/Windows, the size of the protocol stack is an important issue. DOS-based computers must operate within the constraints of a 640K address space. On more powerful operating systems such as Windows 95 or Windows NT, this limitation has been eliminated. Therefore, the relative size of a particular protocol stack on Windows NT, for example, is not very important. The speed of a protocol stack isn't always important, but may be an issue with certain applications where response time is critical. It is difficult to measure the actual speed of a protocol stack because many things affect their performance. Relative performance characteristics are well understood, however, and can help you decide which transport stack to use. If a transport stack can be used on a WAN to send packets of information across routers to remote network segments, the stack is said to be routable. Routable stacks generally have better error handling capabilities and are, therefore, more resilient when used over slow lines of poor quality. They also carry additional information indicating which network segment they are bound for and may indicate the best path to get there.
In comparison to other transports, TCP/IP is generally bigger and slower. Recently, however, improved stacks have been developed that are not much slower than NetBEUI. As a rule of thumb, the latest stacks included with Windows NT and Windows 95 are on the order of 5 to 20 percent slower than NetBEUI. Perform controlled tests in your own environment if you need more exact performance comparisons. The real benefit to using TCP/IP is, of course, it is designed for wide area networking and is routable. It performs as well as possible under poor conditions, using slow lines with a lot of extraneous noise. TCP/IP is essential if you want to connect your computer or your entire network to the Internet.
This list is just a sample of the kinds of Windows NT-based services that can be accessed with a single ID and password. Being able to integrate the security for all these services with the native Windows NT security subsystem is certainly a powerful feature. This capability is very popular with users who quickly get tired of managing and remembering multiple IDs and passwords. There are reasons, however, that you may not want to allow a single ID and password to be used for everything. If a user ID and password combination is discovered and misused, the results are obviously more traumatic if the compromised account has permissions to many resources. In some organizations, it makes sense to give the authority over database resources to a separate group of people. The database administrators may feel a need to create a separate set of user accounts that are used solely for database access. SQL Server allows either choice.
There are special security considerations for e-mail. The information included in messages may be extremely sensitive. Exchange Server offers powerful capabilities that augment the simple access control provided by an ID and password. It is possible to encrypt your message to another individual using a public key algorithm. It is also possible to digitally sign your message so that the recipient knows the message came from you, and it has not been altered in any way.
A system account has access privileges only on the computer on which it is defined. This can be a problem if it is a service that needs to communicate with other similar services on other computers. Clearly in an e-mail system some services need to have access privileges on more than one computer. This is also true in a SQL Server environment where data replication is desired. In these situations, it is important to define a service account that will be used as the security context for the service. If you have a single domain, your service account will be a regular domain account. In a master domain environment, you would want to create your service accounts in the master domain, even though most services are likely to be run in a resource domain.
RAS supports connectivity through three mechanisms:
By far the most common means of connecting is the third - standard telephone lines. With relatively high-speed modems (14.4K baud or better) you can get very acceptable performance. Many modems now available include the capability to compress and decompress information on the fly. This can yield an effective throughput rate that is approximately double the rated speed, or better, depending on the type of information you are transmitting. RAS access is particularly suited to client-server applications that minimize the amount of information transmitted from one computer to another. For example, in a typical database operation, a small query is sent to the database engine on the server. Only the resultant answer set is sent back over the wire. Large indexes are kept and used on the server and need not be transmitted to the (remote) desktop client. Another method for providing network connectivity to remote users is available from other vendors. This method allows one computer to remotely control a network-attached computer's mouse, keyboard, and display over a modem connection. An advantage of this configuration is improved speed because only typed keystrokes and the resulting screen changes need to be transferred across the wire. The downside is the need to have two computers dedicated to a single user's activity for the duration of the connection. If you need ten active connections, you must have twenty computers, two for each connection. With the design of RAS, on the other hand, the remote access connection takes the place of the network attachment. No additional locally attached computer is required. All network traffic destined for the client computer is transmitted over the RAS connection. Using RAS to provide ten active connections would require only eleven computers-the server and ten workstations. RAS therefore provides a cost-effective method for remote network access.
The procedures for setting up RAS are covered in more detail in Chapter 7, "Implementing the Remote Access Service," but an overview is presented here to aid in planning:
After you have made a connection, you can access and use any of the services on the network including shared resources such as files and printers and server-based applications like SQL Server databases.
|