Chapter 19. Windows Server 2003 Administration


these tasks can independently be very simple or difficult in nature, administrators should at least understand their portion of the overall enterprise network and understand how the different components that make up the network communicate and rely on one another.

This chapter focuses on the common Windows Server 2003 Active Directory (AD) user and group administrative tasks and touches on the management of Active Directory sites to optimize user access and replication performance.







Defining the Administrative Model

Before the computer and networking environment can be managed effectively, an organization and its IT group must first define how the tasks will be assigned and managed. The job of delegating responsibility for the network defines the organization's administrative model. Three different types of administrative models (centralized, distributed, and mixed) can be used to logically break up the management of the enterprise network between several IT specialists or departments within the organization's IT division. When there is no administrative model, the environment is managed chaotically, and the bulk of work is usually made up of fire-fighting. Server updates and modifications must more frequently be performed on the spot without proper testing. Also, when administrative or maintenance tasks are not performed correctly or consistently, securing the environment and auditing administrative events are nearly impossible. Environments that do not follow an administrative model are administered reactively rather than proactively.

To choose or define the correct administrative model, the organization must discover what services are needed in each location and where the administrators with the skills to manage these services are located. Placing administrators in remote offices that require very little IT administration might be a waste of money, but when the small group is composed of VIPs in the company, it might be a good idea to give these elite users the highest level of service available.



The Centralized Administration Model

The centralized administration model is simple in concept: All the IT-related administration is controlled by one group, usually located at one physical location. In the centralized model, all the critical servers are housed in one or a few locations instead of distributed at each location. This arrangement allows for a central backup and always having the correct IT staff member available when a server fails. For example, if an organization uses the Microsoft Exchange 2003 messaging server and a server is located at each site, a qualified staff member might not be available at each location if data or the entire server must be recovered from backup. In such a scenario, administration would need to be handled remotely if possible, but in a centralized administration model, both the Exchange Server 2003 administrator and the servers would be located in the same location, enabling recovery and administration to be handled as efficiently and effectively as possible.



The Distributed Administration Model

The distributed administration model is the opposite of the centralized model in that tasks can be divided among IT and non-IT staff members in various locations. The rights to perform administrative tasks can be granted based on geography, department, or job function. Also, administrative control can be granted for a specific network service such as DNS or DHCP. This allows separation of server and workstation administration without giving unqualified administrators the rights to modify network settings or security.

Windows Server 2003 systems allow for granular administrative rights and permissions, giving enterprise administrators more flexibility when assigning tasks to staff members. Distributed administration based only on geographical proximity is commonly found among organizations. After all, if a physical visit to the server, workstation, or network device is needed, having the closest qualified administrator responsible for it might prove more effective.



The Mixed Administration Model

The mixed administration model is a mix of administrative responsibilities, using both centralized and distributed administration. One example could be that all security policies and standard server configurations are defined from a central site or headquarters, but the implementation and management of servers are defined by physical location, limiting administrators from changing configurations on servers in other locations. Also, the rights to manage only specified user accounts can be granted to provide even more distributed administration on a per-site or per-department basis.



Examining Active Directory Site Administration

Sites can be different things, depending on whom you ask. Within the scope of Active Directory, a site defines the internal and external replication boundaries and helps users locate the closest servers for authentication and network resource access. If you ask an operations manager, she might describe a site as any physical location from which the organization operates business. This section discusses Active Directory site administration.

AD sites can be configured to match a single or many locations that have high-bandwidth connectivity between them. They can be optimized for replication and, during regular daily operations, require very little network bandwidth. After an AD site is defined, servers and client workstations use the information stored in the site configuration to locate the closest domain controllers, global catalog servers, and distributed file shares. Configuring a site can be a simple task, but if the site topology is not defined correctly, network access speed might suffer because servers and users may connect to resources across the wide area network instead of using local resources. In most cases, defining and setting up an Active Directory site configuration might take only a few hours of work. After initial setup, AD sites rarely need to be modified unless changes are made to network addressing, domain controllers are added to or removed from a site, or new sites are added and old ones are decommissioned.



Site Components

As mentioned previously, configuring a site should take only a short time because there are very few components to manipulate. A site is made up of a site name; subnets within that site; links and bridges to other sites; site-based policies; and, of course, the servers, workstations, and services provided within that site. Some of the components, such as the servers and workstations, are dynamically configured to a site based on their network configuration. Domain controller services and Distributed File System (DFS) targets are also located within sites by the network configuration of the server on which the resources are hosted.



Subnets

Subnets define the network boundaries of a site and limit WAN traffic by allowing clients to find local services before searching across a WAN link. Many administrators do not define subnets for locations that do not have local servers; instead, they relate site subnets only to Active Directory domain controller replication. If a user workstation subnet is not defined within Active Directory, the user workstation may authenticate and download policies or run services from a domain controller that is not directly connected to a local area network. This authentication and download across a WAN could create excessive traffic and unacceptable response times.
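
The gap described above (client workstations whose subnet has no Active Directory subnet object) can be audited offline by comparing client addresses against the defined subnet-to-site mappings. The following Python script is an added example, not part of the original chapter; the site names, address ranges and client list are constructed sample data, and it assumes the most specific matching subnet determines a client's site.

```python
import ipaddress
from collections import Counter

# Constructed sample data: subnet-to-site mappings as they might be exported
# from the Subnets container. Site names and address ranges are hypothetical.
SITE_SUBNETS = {
    "10.1.0.0/16": "HQ",
    "10.1.50.0/24": "HQ-Lab",
    "10.2.0.0/22": "Branch-East",
}

# Constructed sample data: client addresses seen authenticating.
CLIENT_IPS = ["10.1.4.20", "10.1.50.7", "10.2.3.9", "10.2.4.15",
              "10.3.0.11", "10.3.0.12", "not-an-ip"]


def load_subnets(mapping):
    """Parse the mapping; most specific (longest) prefixes come first."""
    nets = [(ipaddress.ip_network(cidr), site) for cidr, site in mapping.items()]
    return sorted(nets, key=lambda pair: pair[0].prefixlen, reverse=True)


def site_for(ip, subnets):
    """Return the site of the most specific subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    for net, site in subnets:
        if addr.version == net.version and addr in net:
            return site
    return None


def audit(client_ips, mapping):
    """Map clients to sites; count unmapped clients per /24; collect bad input."""
    subnets = load_subnets(mapping)
    mapped, unmapped, invalid = {}, Counter(), []
    for ip in client_ips:
        try:
            site = site_for(ip, subnets)
        except ValueError:
            invalid.append(ip)
            continue
        if site is None:
            # Report the enclosing /24 as a candidate subnet object to define.
            unmapped[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
        else:
            mapped[ip] = site
    return mapped, dict(unmapped), invalid


if __name__ == "__main__":
    print(audit(CLIENT_IPS, SITE_SUBNETS))
```

Each key in the unmapped result is a range with active clients but no site association, which is where authentication and policy download may be crossing the WAN.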



Site Links

Site links control Active Directory replication and connect individual sites directly together. A site link is configured for a particular type of protocol (namely, RPC, IP, or SMTP), and the frequency and schedule of replication is configured within the link.



Licensing Server (Per Site)

Within Active Directory, server licenses and licensing usage can be tracked by a central server in each site. Using the Active Directory Sites and Services Microsoft Management Console (MMC) snap-in, you can define a particular server as the site-licensing server. All Windows servers, including NT 4, Windows 2000, and Windows Server 2003, replicate licenses and licensing usage to this server. The site-licensing servers replicate with one another to enable the enterprise administrator to track licenses for the entire enterprise from the Licensing console on any of the site-licensing servers.



Site Group Policies

Site group policies allow computer and user configurations and permissions to be defined in one location and applied to all the computers and/or users within the site. Because the scope of a site can span all the domains and domain controllers in a forest, site policies should be used with caution. Therefore, site policies are not commonly used except to define custom network security settings for sites with higher requirements or to delegate administrative rights when administration is performed on a mostly geographic basis.



Note

Because sites are usually defined according to high-bandwidth connectivity, some design best practices should be followed when you're defining the requirements for a site. If possible, sites should contain local network services such as domain controllers, global catalog servers, DNS servers, DHCP servers, and, if necessary, WINS servers. This way, if network connectivity between sites is disrupted, the local site network will remain functional for authentication, Group Policy, name resolution, and resource lookup. Placing file servers at each site may also make sense unless files are housed centrally for security or backup considerations.



Configuring Sites

The job of configuring and creating sites belongs to the administrators who manage Active Directory, but those who manage the network must be well informed and possibly involved in the design. Whether Active Directory and the network are handled by the same or different groups, they affect each other, and undesired network utilization or failed network connectivity may result. For example, if the Active Directory administrator defines the entire enterprise as a single site and several Active Directory changes happen each day, replication connections would exist across the enterprise, and replication traffic might be heavy, causing poor network performance for other networking services. On the other side, if the network administrator allows only specific ports to communicate between certain subnets, adding Active Directory might require that additional ports be opened or involve specific network requirements on the servers at each location.



Creating a Site

When creating a site, Active Directory and network administrators must decide how often AD will replicate between sites. They also must share certain information such as the line speed between the sites and the IP addresses of the servers that will be replicating. Knowing the line speed helps determine the correct cost of a site link. For the network administrator, knowing which IP addresses to expect network traffic from on certain ports is helpful when troubleshooting or monitoring the network. To create a site, the AD administrator needs a site name and subnet and also needs to know which other sites will replicate to the new site.

To create a site, follow these steps:



1. Log on to a server or a Windows XP workstation with Windows Server 2003 Administration Tools installed. For simplicity, log on with an account that has the rights to create a site; usually, an account with Enterprise Administrator rights will suffice.

2. Choose Start, All Programs, Administrative Tools, Active Directory Sites and Services. If the console is missing, proceed to the next step; otherwise, skip to step 7.

3. Choose Start, Run. Type MMC.exe and click OK.

4. Choose File, Add/Remove Snap-in.

5. Click Add in the Add/Remove Snap-in window.

6. Select Active Directory Sites and Services from the Add Stand-alone Snap-in page and click Add. Click Close and then OK in the Add/Remove Snap-in window.

7. In the console window, click the plus sign next to Active Directory Sites and Services.

8. Right-click the Sites container and choose New Site.

9. Type in the name of the site and select any existing site link, as shown in Figure 19.1. Then click OK to create the site.

Figure 19.1. Creating a new site.

10. A pop-up window might appear, stating what tasks still need to be completed to properly create a site. Read the information, take notes if necessary, and click OK.



Creating Site Subnets

After you create a site, it should be listed in the console window. To complete the site creation process, follow these steps:

1. Within the console window, right-click the Subnets container and choose New Subnet.

2. Type in the address of the subnet and subnet mask, select the appropriate site from the list at the bottom of the window, and click OK to create the new subnet and associate it with the new site. If you are not sure about the


