MCSE: Windows 2000 Network Infrastructure Design Study Guide (with CD-ROM)

MCSE: Windows® 2000 Network Infrastructure Design Study Guide Bill Heldman San Francisco • Paris • Düsseldorf • Soest ...

Author: William Heldman

10 downloads 699 Views 7MB Size Report

This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!
Report copyright / DMCA form

DOWNLOAD PDF

MCSE: Windows® 2000 Network Infrastructure Design Study Guide

Bill Heldman

San Francisco • Paris • Düsseldorf • Soest • London Copyright ©2000 SYBEX , Inc., Alameda, CA

www.sybex.com

Associate Publisher: Neil Edde Contracts and Licensing Manager: Kristine O’Callaghan Developmental Editor: Dann McDorman Editor: Pete Gaughan Production Editors: Molly Glover and Kylie Johnston Technical Editors: Carl Dubler and Dave Plummer Book Designer: Bill Gibson Graphic Illustrator: Tony Jonick Electronic Publishing Specialist: Nila Nichols Proofreaders: Nancy Riddiough, Laurie O’Connell, Camera Obscura, Nanette Duffy, Simone Scott, Liz Burke Indexer: Matthew Spence CD Coordinator: Kara Schwartz CD Technician: Keith McNeil Cover Designer: Archer Design Cover Illustrator/Photographer: Tony Stone Images Copyright © 2000 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written permission of the publisher. Library of Congress Card Number: 00-103814 ISBN: 0-7821-2759-2 SYBEX and the SYBEX logo are trademarks of SYBEX Inc. in the USA and other countries. Screen reproductions produced with Collage Complete. Collage Complete is a trademark of Inner Media Inc. The CD interface was created using Macromedia Director, © 1994, 1997-1999 Macromedia Inc. For more information on Macromedia and Macromedia Director, visit http://www.macromedia.com. Microsoft® Internet Explorer © 1996 Microsoft Corporation. All rights reserved. Microsoft, the Microsoft Internet Explorer logo, Windows, Windows NT, and the Windows logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Use of the Microsoft Approved Study Guide logo on this product signifies that it has been independently reviewed and approved in compliance with the following standards: acceptable coverage of all content related to Microsoft exam number 70-221, entitled Designing a Microsoft® Windows® 2000 Network Infrastructure; sufficient performance-based exercises that relate closely to all required content; and technically accurate content, based on sampling of text. SYBEX is an independent entity from Microsoft Corporation, and not affiliated with Microsoft Corporation in any manner. This publication may be used in assisting students to prepare for a Microsoft Certified Professional Exam. Neither Microsoft Corporation, its designated review company, nor SYBEX warrants that use of this publication will ensure passing the relevant exam. Microsoft is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer. The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s). The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book. Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1

Copyright ©2000 SYBEX , Inc., Alameda, CA

www.sybex.com

To Our Valued Readers: In recent years, Microsoft’s MCSE program has established itself as the premier computer and networking industry certification. Nearly a quarter of a million IT professionals have attained MCSE status in the NT 4 track. Sybex is proud to have helped thousands of MCSE candidates prepare for their exams over these years, and we are excited about the opportunity to continue to provide people with the skills they’ll need to succeed in the highly competitive IT industry. For the Windows 2000 MCSE track, Microsoft has made it their mission to demand more of exam candidates. Exam developers have gone to great lengths to raise the bar in order to prevent a papercertification syndrome, one in which individuals obtain a certification without a thorough understanding of the technology. Sybex welcomes this new philosophy as we have always advocated a comprehensive instructional approach to certification courseware. It has always been Sybex’s mission to teach exam candidates how new technologies work in the real world, not to simply feed them answers to test questions. Sybex was founded on the premise of providing technical skills to IT professionals, and we have continued to build on that foundation, making significant improvements to our study guides based on feedback from readers, suggestions from instructors, and comments from industry leaders. The depth and breadth of technical knowledge required to obtain Microsoft’s new Windows 2000 MCSE is staggering. Sybex has assembled some of the most technically skilled instructors in the industry to write our study guides, and we’re confident that our Windows 2000 MCSE study guides will meet and exceed the demanding standards both of Microsoft and you, the exam candidate. Good luck in pursuit of your MCSE!

Neil Edde Associate Publisher—Certification Sybex, Inc.

SYBEX Inc. 1151 Marina Village Parkway, Alameda, CA 94501 Tel: 510/523-8233 Fax: 510/523-2373 HTTP://www.sybex.com


www.sybex.com

Software License Agreement: Terms and Conditions The media and/or any online materials accompanying this book that are available now or in the future contain programs and/or text files (the "Software") to be used in connection with the book. SYBEX hereby grants to you a license to use the Software, subject to the terms that follow. Your purchase, acceptance, or use of the Software will constitute your acceptance of such terms. The Software compilation is the property of SYBEX unless otherwise indicated and is protected by copyright to SYBEX or other copyright owner(s) as indicated in the media files (the "Owner(s)"). You are hereby granted a single-user license to use the Software for your personal, noncommercial use only. You may not reproduce, sell, distribute, publish, circulate, or commercially exploit the Software, or any portion thereof, without the written consent of SYBEX and the specific copyright owner(s) of any component software included on this media. In the event that the Software or components include specific license requirements or end-user agreements, statements of condition, disclaimers, limitations or warranties ("End-User License"), those End-User Licenses supersede the terms and conditions herein as to that particular Software component. Your purchase, acceptance, or use of the Software will constitute your acceptance of such End-User Licenses. By purchase, use or acceptance of the Software you further agree to comply with all export laws and regulations of the United States as such laws and regulations may exist from time to time. Reusable Code in This Book The authors created reusable code in this publication expressly for reuse for readers. Sybex grants readers permission to reuse for any purpose the code found in this publication or its accompanying CD-ROM so long as all three authors are attributed in any application containing the reusable code, and the code itself is never sold or commercially exploited as a stand-alone product. Software Support Components of the supplemental Software and any offers associated with them may be supported by the specific Owner(s) of that material but they are not supported by SYBEX. Information regarding any available support may be obtained from the Owner(s) using the information provided in the appropriate read.me files or listed elsewhere on the media. Should the manufacturer(s) or other Owner(s) cease to offer support or decline to honor any offer, SYBEX bears no responsibility. This notice concerning support for the Software is provided for your information only. SYBEX is not the agent or principal of the Owner(s), and SYBEX is in no way responsible for providing any support for the Software, nor is it liable or responsible for any support provided, or not provided, by the Owner(s). Warranty

Software is not available from SYBEX in any other form or media than that enclosed herein or posted to www.sybex.com. If you discover a defect in the media during this warranty period, you may obtain a replacement of identical format at no charge by sending the defective media, postage prepaid, with proof of purchase to: SYBEX Inc. Customer Service Department 1151 Marina Village Parkway Alameda, CA 94501 (510) 523-8233 Fax: (510) 523-2373 e-mail: [email protected] WEB: HTTP://WWW.SYBEX.COM After the 90-day period, you can obtain replacement media of identical format by sending us the defective disk, proof of purchase, and a check or money order for $10, payable to SYBEX. Disclaimer SYBEX makes no warranty or representation, either expressed or implied, with respect to the Software or its contents, quality, performance, merchantability, or fitness for a particular purpose. In no event will SYBEX, its distributors, or dealers be liable to you or any other party for direct, indirect, special, incidental, consequential, or other damages arising out of the use of or inability to use the Software or its contents even if advised of the possibility of such damage. In the event that the Software includes an online update feature, SYBEX further disclaims any obligation to provide this feature for any specific duration other than the initial posting. The exclusion of implied warranties is not permitted by some states. Therefore, the above exclusion may not apply to you. This warranty provides you with specific legal rights; there may be other rights that you may have that vary from state to state. The pricing of the book with the Software by SYBEX reflects the allocation of risk and limitations on liability contained in this agreement of Terms and Conditions. Shareware Distribution This Software may contain various programs that are distributed as shareware. Copyright laws apply to both shareware and ordinary commercial software, and the copyright Owner(s) retains all rights. If you try a shareware program and continue using it, you are expected to register it. Individual programs differ on details of trial periods, registration, and payment. Please observe the requirements stated in appropriate files. Copy Protection The Software in whole or in part may or may not be copyprotected or encrypted. However, in all cases, reselling or redistributing these files without authorization is expressly forbidden except as specifically provided for by the Owner(s) therein.

SYBEX warrants the enclosed media to be free of physical defects for a period of ninety (90) days after purchase. The Copyright ©2000 SYBEX , Inc., Alameda, CA

www.sybex.com

To my ever loving, always patient wife, Kim.


www.sybex.com

Acknowledgments

Thanks to the excellent Sybex crew involved on this book: Dann McDorman, Pete Gaughan, Kylie Johnston, Molly Glover, Nila Nichols, Tony Jonick, and a special thanks to Neil Edde for giving me the chance to “vent the spleen” one more time. Also thanks to the Sybex art and layout crews, who remain nameless behind the scenes but whose work is so very important. Readers should know that the editorial staff at Sybex consists of very patient, extremely diligent, and hard-working souls who strive to make the books that get published the best quality computer books on the shelves. Thanks to my technical editors: Carl Dubler, whose sense of humor is truly original, and Dave Plummer, whose job was doubly hard because he had to read the final galleys and make changes when the book was just about ready to ship. I’d also like to thank God for giving me the ability to write and for creating the circumstances where I could find a publisher who would let me do so.


www.sybex.com

Introduction

Microsoft’s new Microsoft Certified Systems Engineer (MCSE) track for Windows 2000 is the premier certification for computer industry professionals. Covering the core technologies around which Microsoft’s future will be built, the new MCSE certification is a powerful credential for career advancement. This book has been developed, in cooperation with Microsoft Corporation, to give you the critical skills and knowledge you need to prepare for one of the core requirements of the new MCSE certification program for Windows 2000. You will find the information you need to acquire a solid understanding of Windows 2000 network infrastructure design, to prepare for the Exam 70-221: Designing a Microsoft® Windows® 2000 Network Infrastructure, and to progress toward MCSE certification.

Why Become Certified in Windows 2000? As the computer network industry grows in both size and complexity, the need for proven ability is increasing. Companies rely on certifications to verify the skills of prospective employees and contractors. Whether you are just getting started or are ready to move ahead in the computer industry, the knowledge, skills, and credentials you have are your most valuable assets. Microsoft has developed its Microsoft Certified Professional (MCP) program to give you credentials that verify your ability to work with Microsoft products effectively and professionally. The MCP credential for professionals who work with Microsoft Windows 2000 networks is the new MCSE certification. Over the next few years, companies around the world will deploy millions of copies of Windows 2000 as the central operating system for their missioncritical networks. This will generate an enormous need for qualified consultants and personnel to design, deploy, and support Windows 2000 networks. Windows 2000 is a huge product that requires professional skills of its administrators. Consider that Windows NT 4 has about 12 million lines of code, while Windows 2000 has more than 35 million! Much of this code is needed to deal with the wide range of functionality that Windows 2000 offers.


www.sybex.com

xxx

Introduction

Windows 2000 actually consists of several different versions: Windows 2000 Professional The client edition of Windows 2000, which is comparable to Windows NT Workstation 4, but also includes the best features of Windows 98 and many new features. Windows 2000 Server/Windows 2000 Advanced Server A server edition of Windows 2000 for small to mid-sized deployments. Advanced Server supports more memory and processors than Server does. Windows 2000 Datacenter Server A server edition of Windows 2000 for large, wide-scale deployments and computer clusters. Datacenter Server supports the most memory and processors of the three versions. With such an expansive operating system, companies need to be certain that you are the right person for the job being offered. The MCSE is designed to help prove that you are.

As part of its promotion of Windows 2000, Microsoft has announced that MCSEs who have passed the Windows NT 4 core exams must upgrade their certifications to the new Windows 2000 track by December 31, 2001, to remain certified. The Sybex MCSE Study Guide series covers the full range of exams required for either obtaining or upgrading your certification. For more information, see the “Exam Requirements” section later in this Introduction.

Is This Book for You? If you want to acquire a solid foundation in Windows 2000 network infrastructure design, this book is for you. You’ll find clear explanations of the fundamental concepts you need to grasp. If you want to become certified as an MCSE, this book is definitely for you. However, if you just want to attempt to pass the exam without really understanding Windows 2000, this book is not for you. This book is written for those who want to acquire hands-on skills and in-depth knowledge of Windows 2000. If your goal is to prepare for the exam by learning how to use and manage the new operating system, this book is for you. It will help you to achieve the high level of professional competency you need to succeed in this field.


www.sybex.com

Introduction

xxxi

What Does This Book Cover? This book contains detailed explanations, hands-on exercises, and review questions to test your knowledge. Think of this book as your complete guide to Windows 2000 network infrastructure design. It begins by covering the most basic concepts, some of which are more business-oriented in nature—things like how to determine whether your shop is centralized or decentralized, what its IT makeup is, and so forth. But we also cover technical material such as routing, DHCP, DNS, WINS, RRAS, and many more rich features of Windows 2000. We’ll talk a lot about infrastructure design components, such as:

Installing VPN servers

Configuring RADIUS as a backbone to your VPN deployment

How to install devices on the screened subnet (the DMZ)

How to implement Windows 2000 routing

Working with a DNS design and deployment in a legacy environment

How to make Dfs work for your installation

Advanced security features of RRAS, VPN, NAT, and demand-dial routing

Hopefully, you’ll find this book to be a fun read that transcends the both business and the technical worlds. Throughout the book, you will be guided through design scenarios, which give you practical experience for each exam objective. At the end of each chapter, you’ll find a summary of the topics covered in the chapter, which also includes a list of the key terms used in that chapter. The key terms represent not only the terminology that you should recognize, but also the underlying concepts that you should understand to pass the exam. All of the key terms are defined in the glossary at the back of the study guide. Finally, each chapter concludes with 10 review questions and a real-life case study that tests your knowledge of the information covered. You’ll find an entire practice exam, with 30 additional questions and 4 case studies, in Appendix A. Many more questions, as well as multimedia demonstrations of the hands-on exercises, are included on the CD that accompanies this book, as explained in the “What’s on the CD?” section at the end of this Introduction.


www.sybex.com

xxxii

Introduction

The topics covered in this book map directly to Microsoft’s official exam objectives. Each exam objective is covered completely. Because Microsoft developed similar exam objectives for the three design exams, there is a degree of overlap between the Sybex books covering these exams. However, it is important to work through each book in its entirety, viewing any repeated material as a reminder and a chance to reinforce your understanding of Windows 2000.

How Do You Become an MCSE? Attaining MCSE certification has always been a challenge. However, in the past, individuals could acquire detailed exam information—even most of the exam questions—from online “brain dumps” and third-party “cram” books or software products. For the new MCSE exams, this simply will not be the case. To avoid the “paper-MCSE syndrome” (a devaluation of the MCSE certification because unqualified individuals manage to pass the exams), Microsoft has taken strong steps to protect the security and integrity of the new MCSE track. Prospective MSCEs will need to complete a course of study that provides not only detailed knowledge of a wide range of topics, but true skills derived from working with Windows 2000 and related software products. In the new MCSE program, Microsoft is heavily emphasizing hands-on skills. Microsoft has stated, “Nearly half of the core required exams’ content demands that the candidate have troubleshooting skills acquired through hands-on experience and working knowledge.” Fortunately, if you are willing to dedicate time and effort with Windows 2000, you can prepare for the exams by using the proper tools. If you work through this book and the other books in this series, you should successfully meet the exam requirements. This book is a part of a complete series of Sybex MCSE Study Guides that covers the five core Windows 2000 requirements as well as the new Design electives you need to complete your MCSE track. Titles include:

MCSE: Windows 2000 Professional Study Guide

MCSE: Windows 2000 Server Study Guide


www.sybex.com

Introduction

xxxiii

MCSE: Windows 2000 Network Infrastructure Administration Study Guide

MCSE: Windows 2000 Directory Services Administration Study Guide

MCSE: Windows 2000 Network Security Design Study Guide

MCSE: Windows 2000 Network Infrastructure Design Study Guide

MCSE: Windows 2000 Directory Services Design Study Guide

There are also study guides available from Sybex on additional MCSE electives.

Exam Requirements Successful candidates must pass a minimum set of exams that measure technical proficiency and expertise:

Candidates for MCSE certification must pass seven exams, including four core operating system exams, one design exam, and two electives.

Candidates who have already passed three Windows NT 4 exams (70067, 70-068, and 70-073) may opt to take an “accelerated” exam plus one core design exam and two electives.

If you do not pass the accelerated exam after one attempt, you must pass the five core requirements and two electives.

The following table shows the exams a new certification candidate must pass. All of these exams are required: Exam #

Title

Requirement Met

70-216 Implementing and Administering a Microsoft® Windows® 2000 Network Infrastructure

Core (Operating System)

70-210 Installing, Configuring, and Administering Microsoft® Windows® 2000 Professional



www.sybex.com

xxxiv

Introduction

Exam #

Title

Requirement Met

70-215 Installing, Configuring, and Administering Microsoft® Windows® 2000 Server


70-217 Implementing and Administering a Microsoft® Windows® 2000 Directory Services Infrastructure


One of these exams is required: Exam #

Title

Requirement Met

70-219 Designing a Microsoft® Windows® 2000 Directory Services Infrastructure

Core (Design)

70-220 Designing Security for a Microsoft® Windows® 2000 Network

Core (Design)

70-221 Designing a Microsoft® Windows® 2000 Network Infrastructure

Core (Design)

Two of these exams are required: Exam #

Title

Requirement Met

70-219

Designing a Microsoft® Windows® 2000 Directory Services Infrastructure

Elective

70-220

Designing Security for a Microsoft® Windows® 2000 Network

Elective

70-221

Designing a Microsoft® Windows® 2000 Network Infrastructure

Elective

Any current MCSE elective

Exams cover topics such as Exchange Server, SQL Server, Systems Management Server, Internet Explorer Administrators Kit, and Proxy Server (new exams are added regularly)

Elective


www.sybex.com

Introduction

xxxv

For a more detailed description of the Microsoft certification programs, including a list of current MCSE electives, check Microsoft’s Training and Certification Web site at www.microsoft.com/trainingandservices.

The Windows 2000 Network Infrastructure Design Exam The Windows 2000 Network Infrastructure Design exam covers concepts and skills required for the support of Windows 2000 computers. It emphasizes the following areas of Windows 2000 support:

Standards and terminology

Planning

Implementation

Troubleshooting

This exam focuses on the business aspects and technical requirements for creating a functional Windows 2000 network infrastructure. It can be particular about how administrative tasks are performed in the operating system. It also focuses on fundamental concepts relating to Windows 2000’s operation. Careful study of this book, along with hands-on experience, will help you prepare for this exam.

Microsoft provides exam objectives to give you a very general overview of possible areas of coverage of the Microsoft exams. For your convenience, we have added in-text objectives listings at the points in the text where specific Microsoft exam objectives are covered. However, exam objectives are subject to change at any time without prior notice and at Microsoft’s sole discretion. Please visit Microsoft’s Training and Certification Web site (www.microsoft.com/ trainingandservices) for the most current exam objectives listing.

Types of Exam Questions In the previous tracks, the formats of the MCSE exams were fairly straightforward, consisting almost entirely of multiple-choice questions appearing in


www.sybex.com

xxxvi

Introduction

a few different sets. Prior to taking an exam, you knew how many questions you would see and what type of questions would appear. If you had purchased the right third-party exam preparation products, you could even be quite familiar with the pool of questions you might be asked. As mentioned earlier, all of this is changing. In an effort to both refine the testing process and protect the quality of its certifications, Microsoft has introduced adaptive testing, as well as some new exam elements. You will not know in advance which type of format you will see on your exam. These innovations make the exams more challenging, and they make it much more difficult for someone to pass an exam after simply “cramming” for it.

Microsoft will be accomplishing its goal of protecting the exams by regularly adding and removing exam questions, limiting the number of questions that any individual sees in a beta exam, limiting the number of questions delivered to an individual by using adaptive testing, and adding new exam elements.

Exam questions may be in multiple-choice or case study–based formats. You may also find yourself taking an adaptive format exam. Let’s take a look at the exam question types and adaptive testing, so you can be prepared for all of the possibilities. Multiple-Choice Questions Multiple-choice questions include two main types of questions. One is a straightforward type that presents a question, followed by several possible answers, of which one or more is correct. The other type of multiple-choice question is more complex. This type presents a set of desired results along with a proposed solution. You must then decide which results would be achieved by the proposed solution.

You will see many multiple-choice questions in this study guide and on the accompanying CD, as well as on your exam.

Case Study–Based Questions Case study–based questions first appeared in the Microsoft Certified Solution Developer program (Microsoft’s certification program for software programmers). Case study–based questions present a scenario with a range of


www.sybex.com

Introduction

xxxvii

requirements. Based on the information provided, you need to answer a series of multiple-choice, reordering, categorizing, and diagramming questions. The interface for case study–based questions has several tabs, and each contains information about the scenario. At present, this type of question appears only in the Design exams. Adaptive Exam Format Microsoft presents many of its exams in an adaptive format. This format is radically different from the conventional format previously used for Microsoft certification exams. Conventional tests are static, containing a fixed number of questions. Adaptive tests change, or “adapt,” depending on your answers to the questions presented. The number of questions presented in your adaptive test will depend on how long it takes the exam to ascertain your level of ability (according to the statistical measurements on which the exam questions are ranked). To determine a test-taker’s level of ability, the exam presents questions in increasing or decreasing order of difficulty.

Unlike the previous test format, the adaptive format will not allow you to go back to see a question again. The exam only goes forward. Once you enter your answer, that’s it—you cannot change it. Be very careful before entering your answer. There is no time limit for each individual question (only for the exam as a whole.) Your exam may be shortened by correct answers (and lengthened by incorrect answers), so there is no advantage to rushing through questions.

HOW ADAPTIVE EXAMS DETERMINE ABILITY LEVELS

As an example of how adaptive testing works, suppose that you know three people who are taking the exam: Herman, Sally, and Rashad. Herman doesn’t know much about the subject, Sally is moderately informed, and Rashad is an expert. Herman answers his first question incorrectly, so the exam presents him with a second, easier question. He misses that, so the exam gives him a few more easy questions, all of which he misses. Shortly thereafter, the exam ends, and he receives his failure report. Sally answers her first question correctly, so the exam gives her a more difficult question, which she answers correctly. She then receives an even more


www.sybex.com

xxxviii

Introduction

difficult question, which she answers incorrectly. Next, the exam gives her a somewhat easier question, as it tries to gauge her level of understanding. After numerous questions of varying levels of difficulty, Sally’s exam ends, perhaps with a passing score, perhaps not. Her exam included far more questions than were in Herman’s exam, because her level of understanding needed to be more carefully tested to determine whether or not it was at a passing level. When Rashad takes his exam, he answers his first question correctly, so he is given a more difficult question, which he also answers correctly. Next, the exam presents an even more difficult question, which he also answers correctly. He then is given a few more very difficult questions, all of which he answers correctly. Shortly thereafter, his exam ends. He passes. His exam was short, about as long as Herman’s test. BENEFITS OF ADAPTIVE TESTING

Microsoft has begun moving to adaptive testing for several reasons:

It saves time by focusing only on the questions needed to determine a test-taker’s abilities. An exam that might take an hour and a half in the conventional format could be completed in less than half that time when presented in adaptive format. The number of questions in an adaptive exam may be far fewer than the number required by a conventional exam.

It protects the integrity of the exams. By exposing a fewer number of questions at any one time, it makes it more difficult for individuals to collect the questions in the exam pools with the intent of facilitating exam "cramming."

It saves Microsoft and/or the test-delivery company money by reducing the amount of time it takes to deliver a test.

We recommend that you try the Edge Test Adaptive Exam, which is included on the CD that accompanies this study guide.

Exam Question Development Microsoft follows an exam-development process consisting of eight mandatory phases. The process takes an average of seven months and involves more


www.sybex.com

Introduction

xxxix

than 150 specific steps. The MCP exam development consists of the following phases: Phase 1: Job Analysis Phase 1 is an analysis of all of the tasks that make up a specific job function, based on tasks performed by people who are currently performing that job function. This phase also identifies the knowledge, skills, and abilities that relate specifically to the performance area to be certified. Phase 2: Objective Domain Definition The results of the job analysis provide the framework used to develop objectives. The development of objectives involves translating the job-function tasks into a comprehensive set of more specific and measurable knowledge, skills, and abilities. The resulting list of objectives—the objective domain—is the basis for the development of both the certification exams and the training materials. Phase 3: Blueprint Survey The final objective domain is transformed into a blueprint survey in which contributors are asked to rate each objective. These contributors may be past MCP candidates, appropriately skilled exam development volunteers, or Microsoft employees. Based on the contributors’ input, the objectives are prioritized and weighted. The actual exam items are written according to the prioritized objectives. Contributors are queried about how they spend their time on the job. If a contributor doesn’t spend an adequate amount of time actually performing the specified job function, his or her data is eliminated from the analysis. The blueprint survey phase helps determine which objectives to measure, as well as the appropriate number and types of items to include on the exam. Phase 4: Item Development A pool of items is developed to measure the blueprinted objective domain. The number and types of items to be written are based on the results of the blueprint survey. Phase 5: Alpha Review and Item Revision During this phase, a panel of technical and job-function experts reviews each item for technical accuracy, then answers each item, reaching a consensus on all technical issues. Once the items have been verified as technically accurate, they are edited to ensure that they are expressed in the clearest language possible. Phase 6: Beta Exam The reviewed and edited items are collected into beta exams. Based on the responses of all beta participants, Microsoft performs a statistical analysis to verify the validity of the exam items and to


www.sybex.com

xl

Introduction

determine which items will be used in the certification exam. Once the analysis has been completed, the items are distributed into multiple parallel forms, or versions, of the final certification exam. Phase 7: Item Selection and Cut-Score Setting The results of the beta exams are analyzed to determine which items should be included in the certification exam based on many factors, including item difficulty and relevance. During this phase, a panel of job-function experts determines the cut score (minimum passing score) for the exams. The cut score differs from exam to exam because it is based on an item-by-item determination of the percentage of candidates who answered the item correctly and who would be expected to answer the item correctly. Phase 8: Live Exam As the final phase, the exams are given to candidates. MCP exams are administered by Sylvan Prometric and Virtual University Enterprises (VUE).

Microsoft will regularly add and remove questions from the exams. This is called item seeding. It is part of the effort to make it more difficult for individuals to merely memorize exam questions passed along by previous test-takers.

Tips for Taking the Windows 2000 Network Infrastructure Design Exam Here are some general tips for taking the exam successfully:

Arrive early at the exam center so you can relax and review your study materials. During your final review, you can look over tables and lists of exam-related information.

Read the questions carefully. Don’t be tempted to jump to an early conclusion. Make sure you know exactly what the question is asking.

Answer all questions. Remember that the adaptive format will not allow you to return to a question. Be very careful before entering your answer. Because your exam may be shortened by correct answers (and lengthened by incorrect answers), there is no advantage to rushing through questions.


www.sybex.com

Introduction

xli

On simulations, do not change settings that are not directly related to the question. Also, assume default settings if the question does not specify or imply which settings are used.

Use a process of elimination to get rid of the obviously incorrect answers first on questions that you’re not sure about. This method will improve your odds of selecting the correct answer if you need to make an educated guess.

Exam Registration You may take the exams at any of more than 1,000 Authorized Prometric Testing Centers (APTCs) and VUE Testing Centers around the world. For the location of a testing center near you, call Sylvan Prometric at 800-755EXAM (755-3926), or call VUE at 888-837-8616. Outside the United States and Canada, contact your local Sylvan Prometric or VUE registration center. You should determine the number of the exam you want to take, and then register with the Sylvan Prometric or VUE registration center nearest to you. At this point, you will be asked for advance payment for the exam. The exams are $100 each. Exams must be taken within one year of payment. You can schedule exams up to six weeks in advance or as late as one working day prior to the date of the exam. You can cancel or reschedule your exam if you contact the center at least two working days prior to the exam. Same-day registration is available in some locations, subject to space availability. Where same-day registration is available, you must register a minimum of two hours before test time.

You may also register for your exams online at www.sylvanprometric.com or www.vue.com.

When you schedule the exam, you will be provided with instructions regarding appointment and cancellation procedures, ID requirements, and information about the testing center location. In addition, you will receive a registration and payment confirmation letter from Sylvan Prometric or VUE. Microsoft requires certification candidates to accept the terms of a nondisclosure agreement before taking certification exams.


www.sybex.com

xlii

Introduction

What’s on the CD? With this new book in our best-selling MCSE study guide series, we are including quite an array of training resources. On the CD are numerous simulations, practice exams, and flashcards to help you study for the exam. Also included are the entire contents of the study guide. These resources are described in the following sections.

The Sybex Ebook for Windows 2000 Network Infrastructure Design Many people like the convenience of being able to carry their whole study guide on a CD. They also like being able to search the text to find specific information quickly and easily. For these reasons, we have included the entire contents of this study guide on a CD, in PDF format. We’ve also included Adobe Acrobat Reader, which provides the interface for the contents, as well as the search capabilities.

The Sybex MCSE Edge Tests The Edge Tests are a collection of multiple-choice questions that can help you prepare for your exam. There are three sets of questions:

Bonus questions specially prepared for this edition of the study guide, including 50 questions that appear only on the CD

An adaptive test simulator that will give the feel for how adaptive testing works

All of the questions from the study guide presented in a test engine for your review


www.sybex.com

Introduction

xliii

A sample screen from the Sybex MCSE Edge Tests is shown below.

Sybex MCSE Flashcards for PCs and Palm Devices The “flashcard” style of exam question offers an effective way to quickly and efficiently test your understanding of the fundamental concepts covered in the Windows 2000 network infrastructure design exam. The Sybex MCSE Flashcards set consists of 150 questions presented in a special engine developed specifically for this study guide series. The Sybex MCSE Flashcards interface is shown below.


www.sybex.com

xliv

Introduction

Because of the high demand for a product that will run on Palm devices, we have also developed, in conjunction with Land-J Technologies, a version of the flashcard questions that you can take with you on your Palm OS PDA (including the PalmPilot and Handspring’s Visor).

How Do You Use This Book? This book can provide a solid foundation for the serious effort of preparing for the Windows 2000 network infrastructure design exam. To best benefit from this book, you may wish to use the following study method: 1. Study each chapter carefully. Do your best to fully understand the

information. 2. Answer the review questions at the end of each chapter. If you would

prefer to answer the questions in a timed and graded format, install the Edge Tests from the CD that accompanies this book and answer the chapter questions there instead of in the book. 3. Note which questions you did not understand and study the corre-

sponding sections of the book again. 4. Make sure you complete the entire book. 5. Before taking the exam, go through the training resources included on

the CD that accompanies this book. Try the adaptive version that is included with the Sybex MCSE Edge Test. Review and sharpen your knowledge with the MCSE Flashcards. To learn all of the material covered in this book, you will need to study regularly and with discipline. Try to set aside the same time every day to study and select a comfortable and quiet place in which to do it. If you work hard, you will be surprised at how quickly you learn this material. Good luck!

Contacts and Resources To find out more about Microsoft Education and Certification materials and programs, to register with Sylvan Prometric or VUE, or to get other useful information, check the following resources.


www.sybex.com

Introduction

xlv

Microsoft Certification Development Team www.microsoft.com/trainingandservices/mcp/examinfo/ certsd.htm Contact the Microsoft Certification Development Team through their Web site to volunteer for one or more exam development phases or to report a problem with an exam. Address written correspondence to: Certification Development Team Microsoft Education and Certification One Microsoft Way Redmond, WA 98052 Microsoft TechNet Technical Information Network www.microsoft.com/technet/subscription/about.htm (800) 344-2121 Use this Web site or number to contact support professionals and system administrators. Outside the United States and Canada, contact your local Microsoft subsidiary for information. Microsoft Training and Certification Home Page www.microsoft.com/trainingandservices This Web site provides information about the MCP program and exams. You can also order the latest Microsoft Roadmap to Education and Certification. Palm Pilot Training Product Development: Land-J www.land-j.com (407) 359-2217 Land-J Technologies is a consulting and programming business currently specializing in application development for the 3Com PalmPilot Personal Digital Assistant. Land-J developed the Palm version of the Edge Tests, which is included on the CD that accompanies this study guide. Sylvan Prometric www.sylvanprometric.com (800) 755-EXAM Contact Sylvan Prometric to register to take an MCP exam at any of more than 800 Sylvan Prometric Testing Centers around the world. Virtual University Enterprises (VUE) www.vue.com (888) 837-8616 Contact the VUE registration center to register to take an MCP exam at one of the VUE Testing Centers.


www.sybex.com

Assessment Questions 1. Which routing protocols can be configured with auto-static updating?

Choose all correct answers. A. RIP for IP B. IGMP C. RIP for IPX D. SAP for IPX 2. Why is it important to understand how users access various servers

and applications? Choose all reasons that apply. A. Process improvement B. Change management C. Infrastructure issues D. Server adequacy 3. Bob has set up NAT on his 100-node network, and things seem to be

working fine. He has one problem, though: some users cannot get out on the Internet. On top of that, every few days the problem seems to sporadically change to a different bunch of users, though one or two stragglers may stay behind. What could be the problem? A. Bob has a second DHCP server on the network. B. The machines are configured with static IP addresses. C. There’s a problem with LMHOSTS. D. DNS is not configured correctly. 4. You’re planning on using a VPN setup for your dial-up telecommuters

to access your private network via their ISP and the Internet. You want to use L2TP. What encryption protocol should you use? A. PGP B. IPSec C. DES D. MPPE


www.sybex.com

Assessment Questions

xlvii

5. What is the process of ensuring that you’ve documented changes

you’re going to make to production systems? A. Process improvement B. Change management C. Change provisioning D. Change implementation 6. Your main headquarters site is in Chicago and you have two smaller

sites, one in Omaha and one in Cheyenne. Both of the smaller sites are connected to you by fractional T1 lines, and there is a small workgroup server at each site. In thinking about this setup, where is the most likely single point of failure (SPOF) going to be? A. Server at hub site B. Server at central site C. Router D. Frame relay connection 7. Name the components of a typical RADIUS installation. Choose all

that apply. A. Remote access client B. RADIUS client C. RADIUS server D. Telephony circuits 8. Name two advantages of Windows 2000 Dfs. A. You can maintain multiple instances of the Dfs database. B. Domain-based roots can be replicated through AD. C. Clients of various platforms can host Dfs links. D. You can interlink one Dfs link to another.


www.sybex.com

xlviii

Introduction

9. Can a company’s growth be a risk to its success? A. Yes B. No 10. A new message has been added to the Windows 2000 DHCP message

system. What is this message? A. DHCPQUERY B. DHCPAD C. DHCPINFORM D. DHCPROUTE 11. Choose three different types of users. A. Power user B. Dumb terminal C. Internet D. 3270 emulation user E. Managerial/professional/executive F. Network 12. You’ve installed a hardware RAID array controller card in one of your

servers, and now you’re going to re-initialize the drives and put the OS back on them. What sort of technique are you implementing? A. Fault recovery B. Fault management C. Fault tolerance D. Fault obliteration


www.sybex.com


xlix

13. Your company is going to hire external contractors to work on a big

software development project. What is this technique called? A. Outsourcing B. Contractor negotiations C. Software development life cycle (SDLC) D. Code externalization 14. You don’t know very much about routers. You’re the network admin-

istrator for a small company that has grown to have two locations. You need to link these two, plus you’d like to set up an Internet connection for your users. You’re not sure you have the time or the money it takes to get into the whole internetworking thing, learning all about routers and how to set them up. Plus, your company’s on a tight budget. Is there an easier way to set up some routing, both internally and to the Internet, using Windows 2000 servers? A. Yes, but it’s isolated to the Windows 2000 Advanced and Data-

center server products. B. Yes, and it’s easy to do across all the Windows 2000 server

products. C. No, there is no method. D. No, routing is included only for Windows NT 4 backward

compatibility. 15. Your management staff, from your boss on up the food chain to the

CEO, seems to be very good about letting you do your job with little or no interference. What management style most represents your management? A. Loose-bundle B. Neutral C. Autocratic D. Laissez-faire


www.sybex.com

l

Introduction

16. What is EAP? A. A router access protocol B. A network authentication method C. A VPN protocol D. A WAN protocol 17. Which authentication protocols can be used with two-way authenti-

cation in Windows 2000 demand-dial routing? Choose all correct answers. A. MS-CHAP v2 B. MS-CHAP C. EAP-TLS D. CHAP 18. You have a robust SNA Server deployment and would now like to

migrate to Windows 2000. Does SNA Server work with AD? A. Even the oldest version of SNA Server will work with AD. B. The SNA protocol is now built into Windows 2000 with no need

for adjunct software. C. Only Host Integration Server 2000 will work with AD. D. SNA Server doesn’t work with Windows 2000. 19. In DNS, what does the SRV source record do? A. Pinpoints specific servers B. Designates the standard primary DNS server C. Points to multiple servers performing similar TCP/IP services D. Points to the Active Directory global master


www.sybex.com


li

20. Which component(s) might you assess as part of your infrastructure

evaluation? Choose all that apply. A. Switches B. Telephony systems C. Routers D. Servers E. Hubs F. Cable plant 21. In pursuit of your Windows 2000 design finalization, you become

interested in the various geographic locations of your technical people. What is the exam term given to the distribution of people across geographic locations? A. Outsourcing B. Centralization C. Resource distribution D. Decentralization 22. What is a screened subnet? A. A subnet that targets specific IP addresses B. A subnet that contains on certain groups of computers C. A subnet that does not provide DNS services D. A subnet beyond the corporate firewall 23. You work for a government contractor that wants telecommuting

users working on sensitive documents to log on to the network using smart cards. What new Windows 2000 protocol could ostensibly help you accomplish this business rule? A. OSPF B. BAP C. EAP D. Dfs


www.sybex.com

lii

Introduction

24. You work for a company that has four Macintosh computers, in the

Publishing department. How can they be connected to your Windows 2000 network? A. Use the Services for Macintosh (SFM). B. Use the Macintosh File Control Protocol (MFCP). C. Use the Gateway for Macintosh (GFM). D. There is no connectivity for Macintosh in Windows 2000. 25. You have several non-WINS NetBIOS clients on a subnet. What can

you do to make sure they are able to adequately resolve NetBIOS names? Select the best answer. A. Place a WINS server on that subnet B. Install a WINS proxy agent on a computer in that subnet C. Install a WINS proxy agent on a computer in the subnet where the

WINS servers reside D. Adjust the routers so they allow NetBIOS broadcasts over the

router 26. What indicators can you personally look at when assessing a company

in your design of a new network? Choose all that apply. A. Risk B. Growth and growth strategies C. Capital markets D. Total cost of operations E. Company priorities F. Laws and regulations


www.sybex.com


liii

27. A new setting in Windows 2000 DHCP server is the default router

metric base. What does this setting do? A. Provides the global default gateway B. Allows you to key in multiple default gateways so the client can

pick one at initialization and configuration time C. Provides the path to the DHCP server in a non-routed (layer 3

switch) environment D. Sets up a cost value for providing a low-cost, reliable router-hop

count to correct default gateway 28. Your company would like to set up a method for recreating the mission-

critical servers in the event of a catastrophe. What name do you give this methodology? A. Disaster recovery B. Disaster avoidance C. Disaster amelioration D. Disaster blotting 29. You’re installing an L2TP/IPSec VPN server in Sweden. What two

strengths of encryption are you allowed to configure? A. 40-bit B. 56-bit C. 128-bit D. 40-bit DES E. 56-bit DES F. 3-DES


www.sybex.com

liv

Introduction

30. Suppose that you had a routed network of several hundred users and

wanted to control the way that they access the Internet. What feature would you use? A. Internet Connection Sharing B. Microsoft Proxy Server C. Shared access D. Network Address Translation 31. Help! You have so many UNC sharenames on the network, distrib-

uted over numerous servers, that your users are confused as to what to connect to. What Windows 2000 feature will help eliminate this problem? A. RADIUS B. Global catalog server C. L2TP D. Dfs 32. Mary is responsible for managing all of the backup operations. The

backup system runs on two System V Unix computers that talk to a StorageTek tape silo. Both the Unix and NT networks, along with the Oracle, SQL Server, and Exchange databases, are backed up to this system using VERITAS software. Does the work that Mary performs apply to an enterprise- or a workgroup-oriented situation? A. Workgroup B. Enterprise 33. You have several Windows 2000 WINS clients. How many WINS

servers can they talk to? A. 6 B. 12 C. 18 D. 24


www.sybex.com


lv

34. Why would a remote access client use a VPN circuit to connect to a

RADIUS client? Select all answers that apply. A. Secure authentication and encryption of all data. B. To come in through the Internet. C. Because RADIUS clients only work with VPNs. D. VPNs cannot be used with RADIUS clients. 35. How can you create fault tolerance in a Windows 2000 stand-alone

Dfs root? A. By creating a root interlink B. By linking with a domain-based root C. By setting up a root replica D. By setting up a link replica 36. Joleen is a mainframe programmer who used to use a 3279 “dumb ter-

minal.” Now she uses a PC. How does she do this? A. FTP connection to the mainframe B. Telnet session with the mainframe C. 3270 emulation session with the mainframe D. NFS session with the mainframe 37. Your main headquarters site is in Chicago and you have two smaller

sites, one in Omaha and one in Cheyenne. Both of the smaller sites are connected to you by fractional T1 lines, and there is a small workgroup server at each site. What sort of company model do you have? A. Frame/hub B. Frame/spoke C. Hub/spoke D. Spoke/spoke 38. Would a not-for-profit organization have a board of directors? A. Yes B. No


www.sybex.com

lvi

Introduction

Answers to Assessment Questions 1. A, C, D. While IGMP is indeed a Windows 2000 routing protocol, it

cannot be used with auto-static updating. RIP for IP, RIP for IPX, and SAP for IPX can be configured with this feature. See Chapter 18 for more information. 2. C, D. The two predominant things that user access patterns reveal to

you are the health of the infrastructure at heavy load time and the preparedness of application, file, or print servers to handle user load. Both of these issues have to be addressed before Windows 2000 rollout. See Chapter 5 for more information. 3. A. Most likely, the problem is that Bob has a second DHCP server on

his network handing out IP addresses that don’t correspond to NAT’s 192.168.0.0 range. See Chapter 16 for more information. 4. B. You’ll have to use IPSec with L2TP. IPSec requires a certificate

server, so plan on having this configuration up and running before you implement your VPN servers. See Chapter 19 for more information. 5. B. Change management, a term that’s as old as the first computers, is

not one that’s highly used in the PC network industry—yet. But it should be, and Microsoft would like to see you get more involved with change management in order to provide a more secure change environment, one that everyone has a relative certainty will work and work well. See Chapter 4 for more information. 6. C. The most likely answer is the router, though the others are cer-

tainly things you’d want to look at. See Chapter 1 for more information.


www.sybex.com

Answers to Assessment Questions

lvii

7. B, C, D. RADIUS setups require at least one RADIUS client and one

RADIUS server plus some form of telephony circuit, whether that circuit is POTS, ISDN, or X.25, for the remote access client to connect to. A remote access client is not a component of the RADIUS installation; it’s a user of the installation. Note that telephony circuits might not be needed at all between the RADIUS client and server if the installation includes a VPN to the Internet. But the remote access client would still probably connect using POTS (although DSL, cable modem, satellite, or ISDN are now also viable options). See Chapter 17 for more information. 8. B, D. Domain-based roots are replicated through AD and thus pro-

vide enterprise-wide visibility to the Dfs root structure. You can set up one Dfs link that points to a link on a different Dfs server. See Chapter 15 for more information. 9. A. Absolutely. Companies that grow too fast put themselves at risk

simply because they cannot assimilate all of the new load in a timely manner. In today’s roller-coaster economic society, this is a very common problem. See Chapter 3 for more information. 10. C. The DHCPINFORM message is used by Windows 2000 DHCP

servers for finding out information about Active Directory authorization. See Chapter 12 for more information. 11. A, D, E. A, D, and E are the correct answers. A dumb terminal isn’t a

user, it’s a piece of equipment. The Internet isn’t a user type, nor is network. There are certainly many other user types, but these are three readily identifiable habit types of users. See Chapter 7 for more information. 12. C. Fault-tolerance strategies are those that try to anticipate where a

failure might occur and prevent (or at least offset) them before they happen. With a hardware RAID array controller card, you’re probably going to set the drives up in either a mirror or a RAID 5 array. If one of the drives fails, the system will continue running until you have a chance to fix it. See Chapter 8 for more information.


www.sybex.com

lviii

Introduction

13. A. Hiring outsiders to do a company’s work is called “outsourcing.”

See Chapter 4 for more information. 14. B. While most networks already have a plethora of hardware-based

routers, it is certainly within your power to set up a software router instead by using any of the Windows 2000 server products. OSPF and RIP version 1 are natively supported in Routing and Remote Access, a service that’s automatically installed, so it’s very easy to quickly get up and running. See Chapter 10 for more information. 15. D. Laissez-faire managers typically don’t get involved in the day-to-

day operations of their people. There’s a trust level there, one that’s earned, not necessarily deserved. The good part of a laissez-faire style is that you don’t have somebody breathing down your neck all the time. The bad part is that when you need management input, it may not be there exactly when you need it. See Chapter 2 for more information. 16. B. The Extensible Authentication Protocol (EAP) is a network authen-

tication method intended to be used by things like smart cards and token cards. It can be used over VPNs, but that’s not its only purpose. See Chapter 10 for more information. 17. A, C. You can use MS-CHAP v2 or EAP-TLS as an authentication

protocol that would be used by two routers shaking hands with one another. See Chapter 18 for more information. 18. C. You’ll have to use Host Integration Server 2000 (the “new” SNA

Server, once code-named “Babylon”) for this task. See Chapter 11 for more information. 19. C. Predominantly used for Web servers, the SRV record points to

many servers performing similar TCP/IP services. See Chapter 13 for more information.


www.sybex.com


lix

20. A, B, C, E, F. Of the answers above, all but D qualify as the infra-

structure component. Some would argue (and probably have a good argument) that telephony systems belong in a category other than infrastructure. The servers are certainly in a category by themselves. See Chapter 6 for more information. 21. C. One of the 70-221 exam objectives is that you determine the com-

pany’s size and the user and resource distribution on the network. See Chapter 5 for more information. 22. D. A screened subnet is often used for Web servers that live beyond the

corporate firewall and allow the Internet public to make requests of their DNS services. The general design theory for a screened subnet, also sometimes referred to as a DMZ, is that you first have the corporate network, then a firewall, the Web servers and their associated services, then another firewall. See Chapter 13 for more information. 23. C. The Extensible Authentication Protocol (EAP) is what you want.

Users using this protocol can authenticate over RAS using a smart card. Now, are there any at-home readers for such a protocol? I’m not sure about that! But technically, you could certainly forge ahead with such a plan if you could find one. See Chapter 9 for more information. 24. A. The Services for Macintosh (SFM), a service native to Windows NT,

has been ported to Windows 2000. See Chapter 11 for more information. 25. B. The quickest, easiest method is to simply install a WINS proxy

agent on the subnet where the non-WINS clients are at. This way you avoid the expense, time, and configuration hassle of setting up an additional WINS server and yet the non-WINS clients can resolve NetBIOS names. See Chapter 14 for more information. 26. A, B, D, E, F. As a Windows 2000 network designer, you would not

typically be interested in a company’s capital markets. See Chapter 3 for more information.


www.sybex.com

lx

Introduction

27. D. This is kind of a tricky thing. When we talk about the path from

one computer to another, we sometimes talk about it in terms of router hops: the number of routers that a packet will have to go across in order to get to its destination. The default router metric base allows you to assign a router-hop variable (the default being 1) that will prevent messages from going across multiple hops to find a gateway. For example, suppose that you have a very large site with numerous routers spread out over large geographic distances. You don’t want your clients in Poughkeepsie to obtain an IP lease from a DHCP server in San Diego, because there would be way too many router hops involved. Keying in a default router metric base prevents this kind of thing from happening. See Chapter 12 for more information. 28. A. Disaster recovery is the act of assuming that you’ve had a cata-

strophic event occur wherein the network is not available. You figure out ways of making sure that all mission-critical servers and applications can be restored as quickly as possible. See Chapter 8 for more information. 29. D, E. When using IPSec, you use DES security for your encryption.

You have two strength choices, 40-bit and 56-bit DES. In the U.S. and Canada you can also use 3-DES. See Chapter 19 for more information. 30. B. Large networks require a Microsoft Proxy Server deployment,

especially in a routed environment. While the books say that NAT will work with large quantities of users, the one prerequisite is that they must not be on a routed network. See Chapter 16 for more information. 31. D. The Distributed File System (Dfs) is used for setting up one server

that links to different UNC shares across the network. Highly scalable, Dfs will be a major improvement in the way that users access UNC shares. See Chapter 9 for more information. 32. B. Mary’s work is more enterprise in nature than workgroup-

oriented, though she may occasionally have to do a restoration that applies to a workgroup. See Chapter 6 for more information.


www.sybex.com


lxi

33. B. Old Windows 3.x, 9x, and NT clients can only talk to one or two

WINS servers. Windows 2000 clients can talk to as many as 12. See Chapter 14 for more information. 34. A, B. The predominant reason you want to use a VPN, whether

through the Internet or otherwise, is to obtain high security through advanced authentication and encryption. Tunneling through the Internet is certainly the most prevalent use of a VPN, but it’s not a requirement for setting one up. RADIUS clients will indeed work with VPNs, but they’re not limited to VPN circuits. See Chapter 17 for more information. 35. C. Create a second Dfs root on a different server. From the first Dfs

server’s Distributed File System MMC window, right-click the root and select New Root Replica. Remember that you’ll have to manually replicate this stand-alone root—thus, fault tolerance is somewhat minimal, relying on your ability to regularly replicate. See Chapter 15 for more information. 36. C. Joleen uses some sort of 3270 emulation software that allows her

to access the mainframe to do her work. See Chapter 7 for more information. 37. A. In thinking of a bicycle, the main part is the frame, which is con-

nected to hubs or wheels. Your company’s central headquarters is the frame and the two remote sites are the hubs. If an office in, say, Billings were to connect to the Cheyenne office, which in turn connected to your central office, then you’d have a frame/hub/spoke setup. See Chapter 1 for more information. 38. A. The reason a board of directors exists is to accomplish a fiduciary

duty—acting as the trustee of an organization’s funding. In the case of a not-for-profit organization, even though the organization doesn’t have a stock offering, it requires that a body act as a trustee for the people that donate money to it. A board of directors exists as an accountability factor. See Chapter 2 for more information.


www.sybex.com

Chapter

1

Analyzing the Business Model MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Analyze the existing and planned business models.

Analyze the company model and the geographical scope. Models include regional, national, international, subsidiary, and branch offices.

Analyze company processes. Processes include information flow, communication flow, service and product life cycles, and decision-making.


www.sybex.com

A

s Dorothy famously told her dog when they stepped into the Technicolor world of Oz, “Toto, I don’t think we’re in Kansas anymore.” When you first took a look at Windows 2000, you probably thought the same thing. Windows 2000—its nuances, its changes from NT, its subtleties, and all of its associated add-on components (I speak here of Exchange 2000, SQL Server 2000, etc.)—is not at all Kansas anymore. You thought you knew all about the Windows NOS. Now, suddenly, with this new product and a wave of Microsoft’s wand, you really don’t. You might have assumed that all would be the same—that Microsoft wouldn’t change very much in its quest for an improved NOS—but lo, the changes are vast, dynamic, and extremely time-consuming to learn. For you old-guard MCSEs, you might have naively assumed that you could hobble along on your old, outdated Windows NT 4– track MCSE, but no, Microsoft is going to pull the rug out from under you very soon, requiring you to re-certify yourself on the Windows 2000 track. Presumably that’s one of the reasons why you have this book in your hand now.

Introducing the Enterprise

T

here’s an even crueler trick of fate going on here than just a new NOS—a trick that Microsoft did not design but has been complicit in. As networks have caught on within corporate environments, they have displaced the old mainframes that once dominated all of business computing. As recently as the early ’90s, it was not uncommon to see a dumb terminal— a monitor with enough computer guts to connect to a mainframe but not


www.sybex.com


3

enough intelligence to be a computing machine—on every computer user’s desk. (Notice that I said computer user to differentiate between someone who actually had some sort of work to do on the computer and the average slob who wasn’t allowed to get near the thing.) In the morning, the user would come in and log on to a mainframe session, then key in commands to bring up various homegrown transaction screens that they could use to enter data into the system. If the user was lucky, they had mainframe e-mail in the form of OfficeVision or Profs. That was how it went for this user day after day: keying data into CICS screens that subsequently used background code to populate the data into one of the several kinds of databases that are available for the mainframe (on a batch basis, of course). But today, that dumb-terminal environment has been replaced by PCs— lots of ’em. Those users who still have to connect to mainframe sessions can now use a terminal emulator program that will allow them to carry on multiple sessions with the mainframe. And while the user is working with a terminal emulation program, he or she can also be using Microsoft Exchange, and have Internet Explorer going out to the intranet or Internet, and possibly even have Word or Excel running. When the user walks away from the PC for lunch, a screensaver kicks in to protect the system from intruders, the mainframe sessions time out (or the user logs them out), and the user continues to receive e-mail. What a marvelous change from the days of dumbterminal, mainframe computing! Even non-mainframe folks are using PCs for everything from data entry on huge database systems to running software of every ilk known to man— all on a daily basis, all on your network. Oh, it sounds like all of this connecting has caused your network to grow too, hasn’t it? Yeah, from a few users utilizing your old Token Ring network with a handful of IBM PS/2 computers, to thousands of PCs connected by fast Ethernet and running on intelligent infrastructures. Ooh, boy, has it grown… and so have the headaches! But it gets more complicated, because now users in your Seattle office want to be able to work with files that belong to users in Montgomery. And your SMS administrators want to obtain asset inventory from the entire company’s PCs. And your Exchange administrators want everybody to be able to dialog with everybody else, using public folders and custom forms and all that good stuff. Besides that, your intranet team wants users to be able to point IE to the intranet, bring up customized forms of every kind and shape, and then key data into those forms—data that subsequently lands in big-hitter databases like Oracle or Microsoft SQL Server. On top of all that,


www.sybex.com

4

Chapter 1

Analyzing the Business Model

you still have your integrated systems—systems that talk to one kind of computer (typically a mainframe), translate the data downward, allow users to massage it, then populate it back up where it belongs. Finally, if you work for a company of any size at all, you deal with the famous client/server “experiment;” you have at least one client/server deployment representing every iteration of its development life cycle (two-tier, three-tier, n-tier, thin…). So your net is a busy little beaver, isn’t it? You have all these machines being logged onto and then being used to extract data from other machines. You have Macintoshes, 3270 terminals, Unix and Linux terminals, and all kinds of Windows variations. You might even have an OS/2 or a VAX hanger-on being ferociously defended by its user, for whatever reason. And all of these hosts connect with one another (or would like to connect with one another) some how, some way. You have an enterprise, my friend. Let me define enterprise in the terms I think of: An enterprise is a network, or grouping of networks, in which disparate computing hosts can interrelate to accomplish the corporation’s daily business. This interrelation can be strictly controlled by one or more administrators. The operating phrase is “can be.” In some sites there is little or no control, while in others you’re reminded of George Orwell’s 1984.

How Microsoft Contributed to the Enterprise Problem Microsoft has helped bring you into the enterprise-computing era, but this has been a disservice. How? Because they’ve made it so easy to install BackOffice software, what with the wizards and all, that you can easily set up a server even though you don’t know what you’re doing! Half the time your server setup works just fine, but the other half you’ve got something set incorrectly or not operating properly (probably because you guessed at an installation option) and it turns out later on to be a bugaboo to try to debug. Then, as if that isn’t enough, you convince yourself that the server’s working OK and put it into production with little or no testing! Why? Because the software installed just fine and the services are running. You don’t know what those services do, but you know they’re running. Most network administrators have been guilty of this at one time or another; I know I have. For example, in 1/4 of the SQL Server installations out there today, the SQL Server internal administrator account, called “sa” (for system administrator), has a blank password! This, of course, makes the SQL Server completely open


www.sybex.com


5

to anyone with enough intelligence to figure out that sa gets them in the door and, well, you don’t have to be a rocket scientist to figure out what a scurrilous type could do with that kind of power. You see my point? Microsoft has assumed that you were going to take the time to do the following things before embarking on any new server software venture:

Download any white papers on the software, including any project management or administration papers unique to the software

Perform a thorough project analysis in order to decide what it is going to take to successfully install and maintain the product

Come up with a solid project management plan that details exactly how you’re going to accomplish this deployment, test it and, upon rolling it out to production, provide its subsequent support and maintenance

Solicit the aid and assistance of any other stakeholders in your project, including setting up regular stakeholder meetings to keep people apprised of progress (see the following note about who is a stakeholder)

Secure the up-to-date and adequately engineered hardware that the product requires

Perform any infrastructure updates that the software requires

See to it that all stakeholders are in close communication with one another as you test and deploy, to make sure that the product is meeting the business objectives

Attend thorough training on the software (which sometimes encompasses more than one training class—SMS 2 is a perfect example) and make sure you understand exactly how its basic operation is supposed to work

It turns out that Microsoft is really serious about this stuff. Maybe you should be too.


www.sybex.com

6

Chapter 1


Stakeholders are the people are actively involved in the development, creation, deployment, management, and support of a particular software application running on the network. Client/server applications typically have groups of stakeholders who have a vested interest in the successful deployment of their app. But often other apps, like BackOffice application deployments, also have their interested entities. Surprisingly, those entities are not always strictly IT people. Stakeholder groups are frequently made up of nontechnical persons such as accountants and department heads, in addition to business analysts, programmers, and so forth. The term “stakeholders” is nebulous, but you must get a firm understanding of it.

Get Yourself Some Training My experience has been that administrators say, “Training? Who needs training when you have online manuals?” This is absolutely the wrong thing to say when you begin to think about entering the world of Microsoft enterprise software, especially Windows 2000. Let me put this to you in a different way. You need help setting up some routers, so you solicit the aid of a contractor who specializes in Cisco gear. She comes in and you watch her start to work on a brand new, very expensive router. Five minutes into its configuration, she gets out a book that says something like Welcome to Cisco IOS Administration for Neophyte Cisco Persons and starts looking in the index. Now what are you thinking? Do you have happy, mellow thoughts that she knows what she’s doing and is simply checking her work? Chances are you’re wondering why she has to check the manual if she’s this high-priced contractor who supposedly knows what’s up with Cisco routers. Do you see my point? You’re exactly that kind of person if you excitedly unwrap a CD containing the latest version of some BackOffice code—software you know nothing about—and you begin to blithely install it on a server. That’s fine if you’re just in “let’s see” mode in a lab environment, but it’s not fine if your intent is to set up a production box. You need to know and thoroughly understand what the software does, why it does that, and how it does it.


www.sybex.com

Assessing Your Company

7

And that goes double for patches, service releases, and service packs! If the Y2K rollover proved anything, it proved that you need to thoroughly know and understand what a specific patch or SP is about before you implement it.

Education, especially software education, is expensive. But think of how expensive it’ll be to your company if you mis-deploy some enterprise software, forcing several people to spend dozens of hours troubleshooting—not to mention the downtime that your users will experience, thanks to your lack of expertise.

Think Enterprise Beginning to think in enterprise terms is what Windows 2000 is all about. With exam 70-221, “Designing a Microsoft Windows 2000 Network Infrastructure,” Microsoft has turned a corner and has wisely decided that, in the case of big production software like Windows 2000, you need to know more than just how to drive the software. You need to know how to build the road it’s going to travel on. The first few chapters of this book are designed to get you thinking about the look and feel of your enterprise. They’re somewhat abstract, but they’re nevertheless just as important for your success on the exam as the physical software objectives are. This chapter starts with two big objectives: analyzing your company’s business model and processes. Later chapters go into more detail about thinking and planning for the enterprise.


Before venturing into the deployment of Windows 2000 in your enterprise, you first need to take a hard look at your company and see if you can decide what your company is about, in terms of its construction and how it conducts business. The exercise of digging in and examining a company’s model and processes isn’t just good for your Windows 2000 rollout and absolutely necessary to pass test 70-221; it’s also good for you. After going


www.sybex.com

8

Chapter 1


through such an exercise, you’ll undoubtedly find that there were holes in your thinking about certain daily company processes. Perhaps in some cases you’ll be able to help find a better way to make these processes happen. In other situations, you might find that your own education has been increased and you’ve learned something about the way that others have solved a business problem. Certainly in lots of situations, a business process will be just what you expected it to be, and you can go on to the next one. But the point of the exercise is that the more knowledge you accumulate about how your company does its business, the better the fit you can create between Windows 2000 and your company. Microsoft wants all its MCSEs to be responsive to the needs of their businesses, and so has made these kinds of analytical skills a critical part of this exam. Your first step is to analyze the company’s business model and its geographic scope. Understanding how the company is set up and where it calls home can assist you in your Windows 2000 design. Please recognize that, at this stage, you would not even have ordered the equipment for your deployment yet. Right now you’re simply in informationgathering mode; you are not yet ready to size the gear or write a p.o. The only equipment you need for the first few chapters of this book is a clipboard and a pen (or a Palm Pilot and a stylus).

Overall Company Model You begin by examining the company’s overall business model. What are the business models, and how will you recognize them as you start to drill in on this objective?

Microsoft Exam Objective

Analyze the existing and planned business models.




www.sybex.com


9

Let’s take a moment to detail the various company models and what they encompass: Local A local company is only in business within a city or a very localized surrounding area relative to a city. For example, suppose that you work for a flower company that has retail stores in several suburban towns and cities close to its headquarters. None of the retail stores are out of state, and all are within a few miles of one another. This would be an incidence of a local company. Note that Microsoft’s exam objective doesn’t include analyzing this level of company scope, though it seems it could certainly be part of a larger analysis.

I live in the Denver area. Denver has several suburbs that hug the actual city of Denver itself; in fact, I live in a suburb called Arvada. In addition to the suburbs, some metropolitan areas are also quite close to Denver, within a few miles, such as Boulder, Loveland, and Evergreen. All of these communities, while not actually a part of Denver, are close enough to be considered somewhat local to it.

Regional A regional company operates in several widely geographically dispersed cities within a state or in several states or both. Suppose, for example, that you work for a company that operates a chain of restaurants localized within one large state, but with a presence in different cities within that state. This would be an example of a regional company. Another example would be an electrical utility that supplies power to customers in towns and cities in several different states; this kind of company can also be called “regional.”

The Denver area also has some cities that are a fairly long distance from one another (a hundred miles or so), such as Colorado Springs and Fort Collins. This band of cities, starting with Fort Collins in the north and spreading down to Denver in the center and finally Colorado Springs in the south, compose what is called the Front Range. Businesses operating across the Front Range could potentially be called regional businesses. A business that operated in Salt Lake City, Albuquerque, and on the Front Range could also be called a regional business.


www.sybex.com

10

Chapter 1


National A national company is one with a presence of some kind across its country of origin. In a U.S. example, this does not specifically imply that there is an office in every state, or an office of great proportions, but it does imply that there is some presence in every state. The most basic and common example is a company that requires a small office in each state to maintain a sales force local to that state. An office might comprise just a few people, but it would nonetheless be part of your company and make for very interesting connectivity and computing planning. Engineering and construction companies, food distribution enterprises, insurance companies, clothing stores, and many others are examples of companies that have a national presence. Most national companies have at least one headquarters office where the bulk of the corporate decision making goes on. International A company that has offices all over the world is said to have an international presence. Again, these offices don’t necessarily have to be very large to influence your evaluation and planning. A company might have a distributed environment with a headquarters office in, say, Chicago, another large one in the U.K. (perhaps a “mini-HQ”), and several smaller offices staffed predominantly with salespeople and support personnel in many other countries. The small international offices would report their work to the U.K. office, which would subsequently report its progress to the central office in Chicago. Sounds charming, doesn’t it? Getting it to work… well, that’s another story, and there are lots of CFOs and vice-presidents out there who have stories to tell about the dynamics of international business, but that’s MBA material and well beyond this book.

Just because a company has an international presence does not necessarily indicate that it also has offices all across its home country. A company specializing in imports wouldn’t necessarily need a host of offices in its own country, but would require several strategically located international ones.

Subsidiary Offices Some companies specialize in a certain venture and then find that they need something else to make their particular area of expertise more palatable to the public. So, rather than reinventing the wheel, they buy a company that’s already doing whatever they need done.


www.sybex.com


11

Microsoft is a really great example of this. Although Microsoft has lots of coders feverishly working overtime on its software, that doesn’t mean Microsoft writes everything that it bundles on a CD. It also buys companies that have a certain software writing expertise. A company that is purchased and yet retains its own identity is a subsidiary. If, for example, a nationally recognized dairy were to buy a farm machinery company, it’s very possible—for financial, patent, and other reasons—that the newly purchased company would retain its own name, possibly its original staff, its location and buildings, and so forth. The parent company would certainly dictate and make changes, but the subsidiary could basically go on doing business as it had been doing it all along. Subsidiaries present unique challenges to network designers and IT people, because typically you inherit a legacy group of administrators who are accustomed to doing things their way and who may not necessarily be amenable to re-inventing their lives in order to fit their new parent’s mold. See the sidebar below on how you handle what I call cowboys. Branch Offices Some companies may maintain one central headquarters office but also have several branch offices that have some autonomy relative to HQ. Perhaps the most obvious examples are insurance companies. Since the insurance regulations are so different from state to state in the US, the central headquarters office may be forced to comply with certain regulations within one state that they don’t have to obey in another. Size also dictates the need for a branch office. A bank that has substantial operations in one state may require a large investment in buildings and employees there, thus granting a certain autonomous status, of necessity, to the branch. That autonomy is, of course, relative to the stuffiness of headquarters. An interesting side effect of a branch office is that it may feed several satellite offices within a jurisdiction. For example, a nationally known beverage company may have one or two large canning and bottling facilities in a state that, in turn, supply many downstream wholesalers and retailers.

The Frame/Hub/Spoke Concept The company where I work has an interesting network deployment. We have a centralized office where the executives live and where the majority of IT, HR, financial, accounting, and other services goes on. We also have regional sites where some decision making and lots of work occurs. We have several


www.sybex.com

12

Chapter 1


large call-center operations that are geographically diverse from central headquarters, but nonetheless are so large that they are essentially entities unto themselves. We also have smaller offices composed of sales or marketing people and others, but without the breadth of decision making that one of our larger, more distinctive operations has. Finally, we have some sites with only three to five users. Typically these tiny sites report to a larger regional site. Now, think of a bicycle. My company’s main office is the bike’s frame. You couldn’t get anywhere without a frame to ride on, could you? The larger regional sites are like the hubs of the bicycle wheels. You can have multiple hubs, can’t you? But the hubs are attached to the bicycle, and they turn where the driver says they’ll turn. Finally, the smaller three-, four-, or fiveperson offices are called spokes. They’re a part of the hub, and there’s a layer between them and the bicycle frame. They are not as intrinsically important as the hubs or the frame (one spoke can break on a bicycle and you can limp along for a while until you get it fixed), but they’re nonetheless part of the enterprise. In our environment we have, of course, enormous computing power located at our headquarters office. We have big Unix boxes, loads of NT servers, thousands of workstations, big high-end database processors, and so forth. We have vast arrays of PBX switch gear. Then the hubs typically have several servers, telephone switches, and so forth, but not to anywhere near the degree that headquarters has. The spokes often have no server whatsoever. Users at spoke sites typically log on to servers located at the hubs and are connected to the hubs by somewhat thin WAN connections. Perhaps you have a frame/hub/spoke layout at your workplace. It’s easy to spot, easy to diagram. Get out your clipboard and see if you can diagram what your company looks like. Are there other network deployments apart from the frame/hub/spoke method? Well, there are certainly differences in the methodology, but I think if you poke hard enough into figuring out your business design, you’ll see that it fits this basic layout. There may be several frames, for example. Some companies may have a main office but also have many, many other offices that handle enormous amounts of workload and are essentially autonomous. A setup like this would be a frame/frame (or frame/frame/frame…) deployment. I would say that vast companies probably are the biggest examples of this kind of deployment. Are there hub/hub sites? Sure. Smaller companies that have specific goals for each site would be representative of a hub/hub deployment. Medical


www.sybex.com


13

research institutions might be a good example. If you’re the director of a medical research facility that has labs in several different places, your overall goal isn’t to make sure that everyone does everything exactly according to Hoyle. (I’m talking in a research sense here, not necessarily in the day-to-day lab work itself—that has to be rigidly monitored.) Here your goal is to see to it that one entity completes its research on one subject and another does so on yet a different research topic. Autonomy is high, as is creativity, and there’s no need for the “my way or the highway” ethic. Sites like this make it very difficult for network administrators because of the laissez-faire nature of the business model. Spoke/spoke sites are essentially composed of small units attempting to garner some sense of connectibility. If you’re the owner of a small network consulting firm in Denver and you set up a small office in Salt Lake City, you want some method of getting files and e-mail to the remote office, but you’re not necessarily interested in calling every shot on every sale. You want to grant some autonomy and yet assure yourself of connectivity at the same time. Frame/spoke sites are those with one massive central HQ and tons of spokes that may or may not be connected to each other.

Finally, there’s the “flat-tire” site: the one where everyone has a 286 on their desktop and they use sneakernet to transfer data from their 5 1/4" floppy to another computer. Windows 2000 won’t work in these environments.

Don’t Let Your Babies Grow up to Be Cowboys Companies that purchase other companies often acquire hub or spoke sites that are off doing their own thing. My experience has been that the engineering and software development arms of companies frequently determine that their needs are unique to the overall computing dynamics of the company, and they begin to break away from the central administration team (if they ever agree or cooperate with the central team at all in the first place). Rogue Windows NT domains begin to pop up in Network Neighborhood; Linux boxes and Samba servers show up in Server Manager. Some companies have even reported unauthorized WINS servers, Web sites, and Network Monitoring sessions!


www.sybex.com

14

Chapter 1


While I certainly appreciate the uniqueness that engineers or software developers bring to the table—Heaven knows companies couldn’t survive without them—nevertheless these splinter groups tend to really put a crimp on things like standardization of desktops, centralized administration, and infrastructure and server hardware planning. And I would submit that they put an unmerited crimp on these things. When the engineers are asked why they think they need their own domain, the answer is seldom any good; often, the only reply is that what they do is so specific and important that it’s necessary. I’m not buying it, especially not with Windows 2000 security and Active Directory. I call the leaders of these kinds of groups cowboys. A senior coder who has issues with the network administration team, a person that thinks one OS is much better and more powerful than another, even network administrators that are located in hub sites, can all wind up being cowboys, installing rogue elements that may not fit in with the overall corporate structure or design. All of these kinds of people work hard to disconnect from the corporate network. This not only makes central administrators’ lives harder, it’s also less convenient for people not in these groups that nevertheless have to deal with them. It goes without saying that it’s not in the best interests of the company at large to have disconnected entities out doing their own thing. And the urge to be a cowboy doesn’t just stop with the engineers, software developers or administrators. One arm of a company I worked for brought in a developer who sat down and wrote a bunch of Borland Paradox code that subsequently had to be rewritten; neither the developer nor the managers of that arm realized that fitting in with corporate enterprise databases took way more work than simply whipping up a quick-and-dirty PC database. The managers of this arm were so intent on keeping IT from doing its job that they took it upon themselves to solve a business problem their own way; they actually wound up creating lots of extra work for themselves. Do you have cowboys where you work? If your company is of any size at all, I bet you do. One of the biggest challenges administrators and designers face is the question of how to allow a certain bit of autonomy with these people, yet provide a standardized desktop and an overall consistent computing environment. It’s a tough challenge and one that’s not easily met.


www.sybex.com


15

Geographical Boundaries and Scope The geographical scope of a company really presents an interesting twist to the whole network design scenario. Suppose, for example, that you’ve drawn out your company’s model in Visio or on a piece of paper. What does it look like? How many cities, counties, states, regions, or countries does it traverse? What economic, geographic, facilitation, and political issues do you face with a given connection? Are you comfortable with, or even familiar with, the costs involved to set up communications between two sites? If you have a frame/hub/spoke setup, from what you know now was it correctly designed? Look at the ordinary accounting difficulties (e.g., one country charges a tariff for crossing boundaries while another does not) that your network presents. To a company of any size, costs are the one thing that must be managed. A company that can’t manage its costs will at some point be forced to, or it’ll go out of business. But there’s a fine line between managing costs and digging too far into productivity—reducing costs so much that people can’t effectively get their work done. Unfortunately, even though you may not have an accounting degree, as a network designer you’re the one faced with the charge of managing that dilemma. And as an MCSE candidate, you have to understand these issues if you want to pass the exam. For example, should you design your Active Directory deployment so that the organizational units (OUs) you set up—the individual spokes or hubs as you define them— comprise logical geographic separations, business separations, or some iteration of both? The Windows 2000 model consists of forests, trees, and domains. Domains that share a contiguous name-space within a single active directory make up a tree. Several trees make up a forest. Now think of the frame/hub/ spoke model. Your entire organization is a forest; the central headquarters would be considered a tree. Out of it would come various geographic locations that are close together, or have some business function in common; these would also be trees. Each subdivision at each geographic site would be a domain within a tree. So you can apply the frame/hub/spoke model to the Windows 2000 forest model fairly easily.

Two Sites in the Same State For example, one company I worked with faced an issue with setting up a T1 line from Denver south to Pueblo (about 120 miles), simply because just


www.sybex.com

16

Chapter 1


south of Colorado Springs the proposed T1 would cross into an area served by another telephone company. Because of that proposed crossing, the monthly cost of the line was enormous. But setting up a T1 from Denver to Colorado Springs (about 90 miles) was quite inexpensive. Just because of a service-area boundary, that extra 30 miles really added to the cost of the line. Now I would submit to you: would it have been worth the extra money for five users? How about 15 users? How about 150? What if all those 150 users were contract data entry persons who were keying in data that was subsequently being batched and then sent across that expensive pipe late at night for posting to a mainframe? Make any difference? What if there were only 15 users, but they were all software engineers who regularly sent their new code across the wire to the host server, regardless of the time of day? What decision would you make then? What exactly is the importance of this wire? It turned out that this company solved the problem by putting up two connections: a less-expensive connection from Denver to their office in Colorado Springs and a second one between Colorado Springs and Pueblo. In other words, they already had an office in Colorado Springs that was not connected in any way to headquarters. Rather than nail up two headquartersto-remote-office connections—one from Denver to Pueblo (which consisted of 150 data entry personnel) and another from Denver to Colorado Springs (30 regular, non-power-user-type users)—they set up a hub relationship with a far less expensive connection for the shorter distance. Then they set up a connection between their Colorado Springs office and Pueblo. The connection from Colorado Springs to Pueblo was much cheaper than the Denver– Pueblo connection would’ve been. If the company had gone forward with two connections between Denver and their remote offices, they would’ve had a frame/hub connection between both sites. But they opted to use Colorado Springs as an intermediary connecting point, thus assembling a frame/ hub/spoke setup. Note that, even though there were servers at Pueblo—violating my earlier statement that spokes typically don’t have servers—in this case you can think of Pueblo as a spoke simply because it did not have direct connectivity to headquarters. Figure 1.1 shows the original situation and the two solutions.


www.sybex.com


FIGURE 1.1

17

Three sites, two possibilities Current situation No connectivity

Possible situation T1 frame/hub to both sites

Denver

Denver

Colorado Springs

Colorado Springs

Pueblo

Pueblo

Final situation T1 frame/hub/spoke setup

Denver Colorado Springs Pueblo

Thinking in purely data-oriented terms, where would the potential for a bottleneck be in this new setup? If I were doing the homework, I’d say that, if they were not properly sized, the routers responsible for receiving and sending data at Colorado Springs could be the biggest detractor to network performance. Can you think of a single point of failure (SPOF)—a place where there is no physical redundancy or backup for a given system? Sure you can! If the frame relay connection between Colorado Springs and Denver dies, not one but two remote sites are out for the count—in terms of Denver being able to talk to either site. Also, a single router at the Colorado Springs site would certainly qualify as an SPOF. The reason you ask yourself the SPOF question is this: if my remote sites die, what kind of impact does that have on the business in economic terms? In the case of 150 data entry personnel where the data isn’t even batched up to the mainframe until 1:00 A.M., if the frame


www.sybex.com

18

Chapter 1


relay connection croaks, you’ve got some time to play with and to hope and pray that it gets fixed before then. Software coders who have to upload the latest release code on a daily basis—well, that may be another story. You have to analyze these kinds of issues, talking with the stakeholders, and then make a site-design decision that meets the needs. How would you fix these SPOFs? Obviously redundancy is the key, but you’ve already set up this frame/hub/spoke situation to avoid added costs, so introducing a second frame relay circuit for backup purposes probably isn’t going to fly with the financial folks. What about a RAS server at each site? Maybe you could set it up so that if the frame relay connection went down, the servers could talk to one another using a RAS connection. That way your data, albeit very slowly, could nonetheless get to where it needed to go.

Keep in mind that if you design and recommend a particular backup solution, the onus is on you to produce that solution. I guarantee you that there will come a time when you will get to practice how well your solution works. Since you probably don’t want to look like a monkey doing a practice run during an actual crisis, I’d advise you to test your recommendations in non-real-time conditions before telling people that this is your backup policy. Backup policies that don’t work have a way of getting network designers and administrators fired.

Transoceanic Connections Another firm that I worked with had a connection to the Netherlands. The Dutch site then acted as a hub site to several European spokes. Transoceanic and transcontinental frame relay connections, as you might imagine, are not cheap; in fact they’re wildly expensive, so the company tried to skimp along on the bare minimum that the network designers thought they could get by with. Interestingly, this company was in the satellite communications business, but because their business was entertainment-oriented, they couldn’t afford to relinquish some space on the “bird” (as they called the satellite) to move data from one of their sites to another. Makes sense, but you can see the quandary that a network designer might be faced with. “What? You mean to tell me that you’ve got this bird flying in geosynchronous orbit, there’s room on the transponder, and we can’t do Exchange over it?” That might sound ridiculous to you, but it’s a very practical business decision that


www.sybex.com


19

makes complete sense. It’d be sort of like you managing a bakery but using your bread truck to transport your workers to work in the morning rather then delivering your baked goods to the grocery stores. It’s not profitable, and you’ll never convince the veeps to go for it. So now, pretend that you work for this company and that you’ve done this network design, in preparation for a Windows 2000 deployment. You’re just as sure as you can be that you’re not going to successfully get Active Directory replication done over a 56K link between the U.S. site and the Netherlands. Wringing your hands, staying up late at night tossing and turning over the problem, you continually ask yourself, what to do, what to do? Well, you have the RAS solution, don’t you? That might work, provided you can negotiate a killer deal with a carrier with dependable long-distance connections. (In other words, Ma and Pa Phone Company, Inc. probably wouldn’t work very well in this kind of circumstance.) But then again, if you check with the telephony people, specifically the manager who controls your business’ agreements with telcos, you might find that the international longdistance rates are highly cost-prohibitive. There is another, much more sophisticated solution, and Windows 2000 is completely oriented toward it. Got any ideas? How about a virtual private network (VPN) between your stateside HQ and the Netherlands site? Think about it. That’s not a bad idea, is it? If the Netherlands site doesn’t already have an Internet connection, you nail up a solid E1 (E3, OC-3, whatever— by the way, T1s in Europe are slightly faster and are called E1s) connection to an internationally established ISP. Then set up your Windows 2000 servers so that they’re doing a VPN thing over your ISP’s backbone. It’s secure, it’s private, it’s economical (a heck of a lot more economical than a full frame relay E1 to Europe), and it’s easily expandable. Sure, you’ve got your work cut out for you trying to figure out the logistics and mechanics of building the VPN, but that’s the fun part, isn’t it? Think about the SPOF and bottleneck questions I asked you relative to the Denver/Pueblo scenarios. Is there a bottleneck in this design? Absolutely. The most probable bottleneck lies with your connection to your ISP, either at HQ or in the Netherlands. If you nail up a VPN with an international ISP, you’ll probably ride an ATM-based cloud from the U.S. to the Netherlands, probably at OC-12 or higher speeds. But if you’ve got a little 128K connection from your Netherlands office to the ISP, and if the Netherlands site is of any size at all, you’ve just guaranteed yourself a bottleneck. The routers you use could also potentially be a bottleneck. What good does it do if your data gets across the ocean from point A to point B faster than a speeding bullet,


www.sybex.com

20

Chapter 1


but then it’s bogged down by slow telecommunications links or cheap routers that can’t handle the influx very quickly? Any SPOFs in the picture? Again, the connection between your sites and your ISP presents the most obvious SPOF. If you have one T1 connection between your HQ and your ISP, and a backhoe cuts that line, how are you going to keep the data flowing? As in the previous scenario, a RAS server might be a practical standby; if your company has opted to retain the old 56K transoceanic connection, perhaps you could use it as an emergency fallback. So in your network design, you now have two additional things to think about. The first is an economic issue: How much is it going to cost to connect one site to another? As we’ve seen, the answer to this question will depend a great deal on how your company is organized and on its geographic scope. The second point asks the same “how much?” question, albeit from the other end: Based on the users and the scope of the work they do, what’s the impact on the company if the connection goes down due to an SPOF or bottleneck? You won’t answer these questions by yourself; a host of people have to participate. Microsoft recognizes this point in the case studies on the exam by giving you the perspective of employees from all levels of a fictional enterprise. To determine the best solution, you’ll have to take all these perspectives into account.

Design Scenario: Understanding the Biz Model You just got hired at a company that has two large campuses, Campus A in the ’burbs and Campus B within the city. The campuses are about 10 miles from one another, but because of the navigational problems of big-city driving, it takes about 30 minutes to drive from one campus to another. The campuses are currently connected to one another by a T1 line provisioned by a regional phone company (called an RBOC in the U.S., for regional Bell operating company). At each site, there are about 500 users and an older Cisco 1000 router connected to a patch panel that then has wiring to the servers and users. Your first day on the job, you realize that this is the classic local company model.


www.sybex.com

Examining Your Company’s Processes

21

There are mid-level managers at both sites, some reporting only to one site, others with offices in both sites. Campus A houses the executives and, though there is moderate autonomy, the ultimate directional goals come from those executives. Just before your three-month review, management purchases eight small entrepreneurial organizations that they’d like to connect to. These small sites are composed of only a few people each. Two locations are within 30 miles of the city, two others are in different cities within a hundred miles of the main headquarters, and four others are in small towns in the same state. Your boss asks you to start thinking about some of the issues related to this proposed new setup. First off, you quickly figure out that your company has expanded to a regional model. With these new sites, there might be some problems with cowboys or, at the very least, rooted-in autonomy at the remote sites. This calls for serious communication by you—rapid and explicit relationshipbuilding with these new stakeholders. You also quickly grasp the importance of the SPOFs you’re likely to set up; you want to think long and hard about possibilities for reducing bottlenecks and providing fault tolerance and redundancy wherever possible. Your design goal involves high-speed data links provisioned by your phone company. The phone company will provide the routers, so you’ve been assured that they’ll be the latest and greatest that can be had. You get this agreement in writing. Redundant circuits are quite out of reason for these small groups, so you opt for a RAS setup on the local servers, just in case. Finally you put your foot down and insist on good quality server gear at these sites, over-engineered by 20%–50%. Having visited the sites, you’re underwhelmed by the caliber of gear they’ve provided themselves, and you decide that you want to make their connectivity experience very pleasurable and their impression of you quite professional.


A

nalyzing your company’s business model and geographic setup can lead to questions that worker bees—employees who don’t hold power positions—don’t often ask. What does my business do and how does it go about


www.sybex.com

22

Chapter 1


doing it? For example, why do we have a site in the Netherlands? Why is the engineering group based out of Detroit? Why do we have a sales team in Altoona? Who’s the network administrator in Kuala Lumpur?


Analyze the existing and planned business models.



Do you know why your company does what it does? Maybe you don’t agree with the decision making that went into a particular decision, but somebody must have put some thought into why the company acted in a certain way or established a certain geographic presence. It might be as nonsensical as a vice-president getting all puffed up with himself and deciding to start a sales office in Anchorage because he’d always wanted to visit Alaska. (That never happens, does it?) On the other hand, a decision might’ve been very well thought out and put in place for very good reasons at the time the decision was made. Maybe an entity in South America happens to make the very best widgets available and you need boxcars of widgets for your new product. The economic, engineering, and logistical planets align and boom!, you have a site in Argentina. Stuff happens. But here’s the problem you’ll find yourself getting into if you’re not careful: You might find yourself becoming cynical about certain decisions that have been made. You’ll sniff down your nose and say under your breath, “I wouldn’t have done it that way!” You’ll always have to wear your objective, non-emotional hat and remind yourself that, no matter how lame, there must have been some thought and decision making effort put into placing a given site and putting certain people to work at a given task. It’s not up to you to question the whys; it’s up to you to figure out the hows.


www.sybex.com


23

This is especially important relative to Windows 2000 deployments, because now it’s all about what your Active Directory design is like and how the forests, domains, and OUs are set up.

I can hear you arguing that your company employs 30,000 people, you have offices all over the world, you’re only responsible for one itty-bitty bit of its overall operation, and even your CEO doesn’t have a clue as to everything your company does. So why do you need to figure out all this information? Well, for starters I can almost guarantee you that your CEO does indeed know everything the company does. She’s not CEO for her health, you know! You may well be only a small fish in a big pond, but you nevertheless have to communicate with other entities or agencies in your company. It’s key that you know how you function relative to how others function. Example: If the software developers need to use Linux computers and Unix servers, but you’re planning a Windows 2000 deployment and need to maintain regular file transfers with them, how will you do this? My experience has been that IT people get in trouble when they don’t know or understand what it is that their business does. If you’re fly-fishing, will you catch fish if you don’t know which fly to use? Integration, interoperation, and interchange are keys to the enterprise administrator/network designer’s world. Understanding business process is a worthwhile—no, paramount investment of your time.

How Does Your Company’s Information Flow? How does your company get information from one point to another? Do you use Lotus Notes and have coders that have developed lots of collaborative frameworks within Notes for information transfer? Do you use public folders on the Exchange servers? Do you have a mainframe? Is there an intranet? Who are the people that maintain these systems? Where do these systems live, what servers are they on, what buildings are they in? Here’s the best question of all: Are there systems? Some companies do quite a bit of their information interplay with paper or word of mouth, not thinking that computer systems can accomplish the same goal. If your company wants to say something new—to go where no one has gone before—how does it accomplish that? How does your company get information from one point to another? That’s the one of the elements you’re looking to discover when you do your network design and diagramming.


www.sybex.com

24

Chapter 1


Successful Mainframe Information Flow One company I worked for, a large gas and electrical utility, was extremely good at information flow. They had a very well-managed mainframe that housed all of their billing activity plus their gas and electric operational programs. For example, if you wanted to know what kind of electrical transformer was on the pole at a specific address, you’d simply call up a CICS transaction that would give you all the information you needed relative to that transformer. If a line crew replaced the transformer, it was brought into a transformer shop, where a clerk would key in data pertaining to the repairs that had been done on it. Then, if another line crew used that transformer a second time somewhere else, they’d have the updated information on it as soon as they picked it up. What problems do you see with such a system in today’s technology? Well, for starters, it depends highly on additional workers to key in the correct information. Learning to operate a mainframe session and work with CICS transactions isn’t the easiest thing in the world. What if there were a way to downplay the technological ramifications of using mainframe-based technology to enter data? Maybe a client/server–based solution that provided a cellular-based PC in each line truck and transformer shop? That way, when work was done on a transformer, the information would be immediately keyed in and immediately available elsewhere. That kind of thinking is the goal of determining information-flow structures for a company. Not only do you discover and begin to understand work patterns, but you can possibly come up with ways of improving information flow. At the very least, you have a diagram of how information flow is accomplished at your company. Unsuccessful information flow happens wherever cowboys maintain the network connectivity. A friend of mine worked for a company with an office in Tokyo—an office, it turned out, that had some cowboys who would submit requests for payment for one thing and then turn around and buy something else. For example, they might’ve requested a couple thousand dollars for a copier and then bought a server with it. After all was said and done, this office had a Novell NetWare implementation, though the company standard was Windows NT; it took a full year for my friend to get a Microsoft Mail post office set up between them and the main office. What was the communications problem here? Was it the English/Japanese language intercommunication problem? While that was definitely an issue, my friend said, the real problem was that the disconnect from the parent company was painfully


www.sybex.com


25

prevalent in Tokyo; they thought they could do anything they wanted to do. This kind of thinking led to the dismissal of the manager of the Tokyo office.

What Are the Communications Like? A second question, quite closely linked with the first, is this: How do people communicate with one another in your company? This question can actually be approached from two different aspects, both equally important in terms of network design. Not only are we talking about inter-company communications such as e-mail, intranet, and virtual meetings, we’re also talking about the communications ethos that has been set up where you work. Let’s talk about the easier topic first—the hardware/software component—then tackle the more abstract component.

How Do Companies Communicate? This is where you sit down and take a physical inventory of how your company handles its intercommunications. For example, what’s your phone system like? Does one centralized set of Lucent Difinity switches handle the core business or, as with one agency that was my client, does every geographically separate site have its own system, whether that be a key system or a fullblown PBX? Are you in the midst of trying to accomplish a Voice over IP (VoIP) goal using software or routers? If you are, how’s it going? Moreover, are the majority of intra-company communications voicebased, or do you work for a more e-mail-centric company? As companies migrate more and more to network-based communications, e-mail has become the central method of communicating. I prefer e-mail personally; I’ve never been voice-oriented. Others, especially salespeople, are lost without a phone, so it’s all relative. And that’s the judgment call you have to make relative to your network design. Why is it so important that you understand your company’s physical communications component? Let me give you one example that might serve as a launching point in your mind to bring about several other reasons. If your company is predominantly e-mail-centric, it is incumbent on you as a network designer to make sure that the e-mail system is protected and highly fault-tolerant. I know what managers say: E-mail is not mission-critical. I would submit a hearty “Not true!” E-mail is indeed mission-critical; if you don’t believe it, then you’ve never had the distinct pleasure of working on a cratered e-mail server while five different managers look over your shoulder


www.sybex.com

26

Chapter 1


asking, “When’s it going to be back up?” How will you design your Windows 2000 deployment in such a way as to make your e-mail systems more fault-tolerant, more readily available, and more intelligent in how they work? My guess is that you’ll saunter down the Exchange 2000 road because of its integration into the Windows 2000 Active Directory, but that’s your design decision to make.

How Do People Communicate? Much more nebulous in its nature is how people interact in their daily business dealings. Can you assess how managers communicate to their direct reports? Can you readily determine how the worker bees get their requests up to management? Some managers, it seems to me, subscribe to the biz book du jour club and practice the latest things they’ve learned from the Mackeys and Robbinses of the business world. But is that really communication? Other managers are much more autocratic in their management practice. Some areas of a company might thrive on that kind of management technique; others (such as IT) might not thrive on such a style. As a network designer, you need to understand how interpersonal communication at your company works before you start interrogating people about their technical and business needs. If you don’t adapt your approach to the company culture, then your message will never get across. Above all, be patient and forgiving with people. Not everybody knows what you know about computers and Windows 2000. If you’re in a stakeholders’ meeting where you’re trying to convince some computer-illiterate people to part with $500,000 for your upgrade, then you need to put yourself in their shoes and answer their questions (as best as you can) from a non-technical, non-threatening position.

On the exam, you’ll be asked to design a solution based, in part, on the needs of various individuals within an organization. If you don’t take note of what each person tells you, then you won’t create an effective solution and you won’t pass the test!

What’s going to happen with your Windows 2000 network design and deployment is this: You’re going to have to convince lots of people why the upgrade needs to happen. You’re going to have to prepare documents that


www.sybex.com


27

lend credibility to your argument. You’ll be required to answer lots of questions that people pose you, some directed at you in an effort to derail your thinking. You’re going to have to prove your case before you get a nickel to venture forward into an unproven new technology. Otherwise, you’ll have to wait the three or four years it takes for Windows 2000 to become heavily divested in the industry and for your fearless leaders to say, “OK, it’s time now that we consider this.” The question is, do you think now’s the time, and if so, how will you convince others that are far more skeptical than you are? You’ve got to get rid of the noise and professionally introduce your recommendations.

The Product and Service Life Cycles Remember WordPerfect 5.1 for DOS? I do. At the time (not that long ago: 1992–1993), it was the premium word-processing product available. I remember studying hard and taking ten tests to attain my WordPerfect 5.1 for DOS certification! And it was a pretty big deal at the time. There was a WordPerfect magazine. WordPerfect, at that time based out of Orem, Utah, was riding a very high crest. Where is WordPerfect today? Well, it’s hidden in a perfectly good product, Corel Office. But it is not nearly the power software player that it was back in the early ’90s. So what happened? The product life cycle caught up with WordPerfect, and I suspect that some poor management decisions were made relative to its continued growth and improvement. It’s as simple as that. Products ride a life cycle very similar to the famous bell curve that seems to crop up in most of life. Figure 1.2 shows a standard product life cycle. This isn’t quite a fair representation of what really happens, because a company that is dynamically trying to improve and release upgrades to their software actually spawns a lengthening of the bell curve, or more practically, generates a whole new bell curve. Most users never get to the product decline stage, because they’ve adopted the new software upgrade and the old software version is allowed to die quietly. (At least that’s what software vendors hope will happen.) Nevertheless, software and hardware products go through distinct product life-cycle stages.


www.sybex.com

28

Chapter 1


FIGURE 1.2

The product life cycle curve Product is at the apex of its use—for new usage to continue, new developments and improvements must be made.

Product gains wide acceptance, moves into the fore of standard software.

Competitors enter in with superior products or company fails to produce new improvements. Product begins its decline.

Product begins to assimilate marketshare.

Service life cycles consist of roughly the same concepts. Let’s suppose, just for argument’s sake, that you have a really old, chassis-based hub in one of the wiring closets in your network. There are several Ethernet cards inside this chassis, which has run wonderfully for lo these many years. You’ve never had a problem with it (OK, there was that one time when a card went belly up and you had to scramble to buy a replacement for it), and it has run 24×7 for a very long time now. The service life cycle says that this device is probably now out of the realm of feasible repair if it breaks. Suppose you go into work one day and the chassis itself augers. Nobody that hooks into any of the Ethernet cards on this chassis can get on to the network. Dozens of users have come to a distinct slowdown in their productivity. You call the company: they’ve got to get somebody out here to fix it right away! But they tell you that they stopped making the chassis two years ago and that they no longer support the device. Heck, they don’t think they even have any old spare cards sitting around anymore in the service area! But you have to support the device, you angrily cry! I’ve got users out! They tell you they’ll gladly get you a trade-in on their current model or, if you’re lucky, maybe they offer to refer you to somebody that resells some of this old refurbished equipment, but other than that you’re out of magic wishes. You’ve hit the end of the service life cycle, my friend. The service life cycle applies not only to hardware, but to software. Microsoft recently dropped their Windows for Workgroups 3.11 test from


www.sybex.com


29

the MCSE program. Why? The product has reached the end of its practical life cycle, and so the service life cycle should cease also. The service life cycle lasts only somewhat longer than the product life cycle; the most likely reason is that some people tenaciously hang onto a proven thing rather than upgrade to an unknown entity. Sometimes this is a good position to take, most times not. In any case, you have to consider both the product and service life cycles when performing your network design assessments and recommendations. For example, if you drive out to your site in Hoboken and find that they’re on a shared-10 hub that’s covered with an inch of dust, I’d advise you to jot it down as a target for replacement before Windows 2000 rolls out to this office. Got a Microsoft Mail 3.2 server? Exchange Server has been out for years; what are you still doing hanging around with Microsoft Mail? (I know, I know! It’s easy for me so say things like this—I don’t have the boss you have!) OK, then. Now’s the time, since she obviously has ordered you to investigate an upgrade to Windows 2000, to recommend an upgrade for that Microsoft Mail box.

What Are the Decision Making Processes? This is probably the most complicated part of your network design segment to try to figure out. Who makes these goofy decisions? (Just being facetious.) No, really: who makes the decisions? Does the CIO listen to input that is generated from her managers (whom, we can only hope, got their input from people like you) and then funnel it upstairs to the veeps? Or does the CEO read about a new product or software methodology in a biz journal and order it implemented? Some companies have an “emerging technologies” department that’s charged with the research and recommendation of new technologies. Other companies use the “architect” concept—people who have tons of everyday experience in the industry and are now equipped to make corporate decisions regarding technical direction. Does money drive the majority of the decisions at your company? You’re probably saying, doesn’t the investment dollars question have that import everywhere? But I would submit to you that there are companies that don’t really question the money as long as they’re sure of the direction they’re going in. In your Windows 2000 network design and upgrade proposal, you’re going to have to bring forward the dollars issue. Be prepared to tell the financial chieftains who can yea or nay the project how much it’s going


www.sybex.com

30

Chapter 1


to cost. This is after you wow them with obvious need and the benefits to be attained from going forward with this project. Why is it important for you to understand the decision making process? Because you need to know the political climate in order to play a good ball game. Why is one football team able to beat another? Because they have reviewed the team’s previous games; they know the plays that the opposing team’s quarterback will make, they know who will run the ball. Thus it’s no surprise to them when the opposing team calls a play that they’ve seen before. They’re prepared and ready. But if you don’t even know who the quarterback is, if you don’t know who’ll run the ball, how can you expect to get any touchdowns?

In keeping with the football analogy, I suppose it’s good to mention that from time to time a football team whips out a play the opposing team has never seen before. This, of course, has very instant and dramatic effects. It’s to your benefit to plan for this kind of thing within your network design. “If he says this, then I’ll say that…”

Identifying Plans for the Future

Finally, we talk about a fascinating aspect of network design and upgrade recommendations: strategic planning. Technical people spend lots of their time reading about the latest and greatest, but they seldom look out beyond today’s pages to see what lies beyond. Strategic thinking—getting out the crystal ball, tea leaves, and chicken bones in an effort to forecast what’s on the horizon—is not an easy thing, but it’s a very necessary exercise to go through. Strategic thinking will impact you in two ways within your company:

What is your company planning for its future?

Where will the software and hardware that you’re recommending be in the future? Are you over- or under-engineering?


www.sybex.com


31

Strategically Planning in Heady Corporate Times The economy is terrific, the Internet is going gangbusters, and the stock market is out through the roof. Times are wonderful! What about at your company? Is your company economically strong? Does it have a viable product or service offering? Is it a company with a strong customer orientation, or one that has begun to sit back on its laurels… or is it somewhere in between? Is your management more entrepreneurial in nature, or are they bigcompany all the way? Are you aware of any plans that your company may have for selling itself to the highest bidder? Or is it possible that your company is in the market to buy another company in the near future? Some CEOs, sad to say, take the position of chief executive so that they can groom the company to a point of being very “takeover attractive” and then arrange a sale that nets them millions of dollars. On the other hand, is it possible that your company is so poorly managed that they couldn’t possibly be acquired? (Sometimes I wonder if this isn’t another management strategy as well.) Are you in a governmental agency, with its own unique needs and desires? Do you work for an impossibly large corporation, whose structure or intentions you could not possibly begin to understand? Are you involved with a start-up company, one that’s using venture capital to pay the bills, hoping for its first product (and ultimately its IPO) to be a huge hit? Your company can be any of these. You need to have a very clear concept, if at all possible, of where your company is heading, what it’s about, where it has been, and where it doesn’t want to go. If you can’t get your arms around these notions, how can you adequately plan a Windows 2000 deployment? For example, suppose that you work for a high-tech company of just a few hundred employees. You’ve gone through your IPO, and money is (thankfully) not the object it was back when the firm was you, the CFO, and a coder or two. You and your cohorts feel that you’re on the verge of a breakthrough in the new software you’re releasing. The release of this new breakthrough software could generate a subsequent tremendous growth surge in your company. Why should this matter to you? Because when you were originally setting up your Windows 2000 network, you didn’t see the need for multiple domains in a forest. You had a domain with just a few hundred users, and everything was cool. Now, in strategically thinking about the impact of a sudden, large growth spurt in your company, you realize that any new acquisitions or additions to the current network user list might affect


www.sybex.com

32

Chapter 1


your network design. Windows 2000 can handle this impact much more handily than the old Windows NT 4 trust relationship paradigm; but nonetheless, it’s up to you to think about and plan for these eventualities in your network design. Administrators in slow-growth organizations (such as government, or legacy cash-cow industries) don’t anticipate growth. They tend to get sloppy with the rules, and things tend to work anyway. Until, that is, the day comes when a growth spurt happens very quickly. Then they’re sorry they didn’t pay attention to the finer details of what was going on around them, in administrative terms.

Strategically Planning a Software and Hardware Future Several years ago IBM introduced a networking topology called Token Ring. The concept is really good. You have a single token (newer proposals include a second token and some fault-tolerance models) circling the network, insuring a user a dedicated piece of the network for as long as he holds the token. But as trouble-free as its operation is, the topology has scalability problems, and very few Token Ring installations exist today. If they do, I guarantee that there are network managers who are desperately looking for ways of getting out of the Token Ring business and into Ethernet. Ethernet, on the other hand, has taken off like a rocket and is the predominant networking topology in existence today, even with all its faults. After all, Ethernet is based on the concept of a “collision domain;” even the term implies that there is some trouble with the topology. But it’s solid, easy, scalable, reliable, and inexpensive to deploy. Token Ring couldn’t make it in the easy, scalable, or inexpensive categories. Now cast yourself back to 1990 or so. Token Ring has a strong foothold in the market. Boatloads of IBM PS/2 PCs are deployed in companies all over the globe. Token Ring is the catch-phrase of networkers everywhere. What, besides your 20/20 hindsight, would make you opt to go with Ethernet instead? Got the idea? That’s strategic thinking. For those 20 or so individuals who made that choice in 1990, it was a bold venture into an unknown. Today, those guys aren’t called risk-takers, but network-savers. OK, now come back to today. What’s out there on the horizon? Where are you going to turn? They’re looking at you to make that decision. You’re the IT guru, you’re the one who knows this stuff—what’s the hot thing for the next five, ten, even twenty years?


www.sybex.com


33

There are two places you can go for these kinds of answers:

Read every technical journal you can get your hands on

Talk with those in the industry who are driving technology’s future (by going to shows, attending chat rooms, and asking people who work at the forefront companies)

The point is that you cannot simply turn in a 100-page document stipulating why your network should be upgraded to Windows 2000 today. You need to include information in there about what the future looks like and why it’s good for you to implement Windows 2000 now as a segue to the future. For example, you’ve been reading about Exchange 2000’s ability to use Active Directory. With the organization that you’re in, spanning multiple geographic boundaries, coupled with the very problematic communications methods you currently use, you can see that this combination of Windows 2000 and Exchange 2000 provides a one/two punch for your network problems. But you can also see that this not an easy deployment to accomplish; you see it as several steps. Now you need to strategically devise a method with which to first deploy Windows 2000, then Exchange 2000, all the while retaining current network connectivity without any computing loss to the users. You see this as a year-long expedition into the future. Seeing the future and somehow integrating it into the present is the very hardest part of developing a network design and upgrade document. Microsoft Corporation has been in the business of seeing the future and integrating it for a long time now. We can learn from their genius at this. For example, consider Windows 2000: 29,000,000 lines of code by some estimates, 4,000 programmers, and two years to get the code out the door! What a fantastic undertaking. Reading Microsoft’s white papers and examples that they’ve published on how large project deployment and management occurs, coupled with actually listening to them when they speak their mind about their vision for the future… that kind of education is worth its weight in gold. If your stakeholders don’t ask you what the future of computing is and how your recommendations interface with that projected future, shame on them! But it’s still up to you to have that information ready and to bring it forward as part of the overall planning conversation.


www.sybex.com

34

Chapter 1


Design Scenario: Avoiding Communication Pitfalls “Jake the Brake” is his name… your CEO, that is. What a tough old son of a gun he is! Nothing gets by old Jake—there is no approval process that takes place without his input or acceptance. The problem is, the company has grown from the time when it was just him, his wife, and one or two friends working out of a crummy, old downtown office to the 8,000 employees he has nestled all over the world today. And you: you joined the company when it was several years into the gestation phase, when there were a few hundred employees. You’ve seen phenomenal growth at Widgets, Inc., haven’t you? You started out as their primary network administrator and, through attrition and experience, you now find yourself in the position of NT architect. This is a very good thing (especially in terms of salary), but it’s not so good because you’ve lost touch with the company’s overall networking makeup, especially in light of its phenomenal growth. You run Exchange Server 5.5 for your e-mail system. All users use Exchange with Outlook as their client. You also have a highly evolved intranet and, in fact, have a full-time team of intranet coders on staff. The majority of your business processes are home-grown client/server apps running against Oracle databases. Near as you can tell, you’ve got a frame/hub/spoke model in place, with the central headquarters where you work being the frame, several geographically distant sites acting as hubs, and lots of small sales offices working as spokes. The NT administration team asks you to begin looking into Windows 2000 and come up with a deployment design document so that you can roll out Windows 2000 in the third quarter. You have to make some decisions fast. You begin by analyzing your company’s current communications processes. The more you think about it, the more you realize that you’re in a highly autocratic environment, where the orders will come from the top and when Jake says “jump!” everybody asks “how high?”. This merits lots of investigation into exactly how the communications processes work, so that you can effectively negotiate the yea/nay terrain.


www.sybex.com

Summary

35

You realize that a strategic decision-point would be to move users off of the Exchange 5.5 servers and onto Exchange 2000, but you also realize that there’s a very long commitment to the design goal involved as you bring up the new server plan and begin to segue users from one scenario to another. This presents you with the next obstacle: What do you think might be the best way to communicate this information? With only the barest of details in these few paragraphs, it still appears evident that you need to first formulate a solid detail plan on how you’re going to accomplish this goal; then meet with the stakeholders to make a presentation to them on the “problem” and your solution; and finally, after getting buy-in from them, approach Jake for final adoption say-so. The biggest problem here is that Jake, still in the small entrepreneurial frame of mind, might not see the big picture. Your communications should be set up such that he understands today’s large-scale environment and tomorrow’s even bigger base.

Summary

Y

ou begin your Windows 2000 design journey by assessing your company’s model; models include local, regional, national, international, subsidiary and branch. Determination of the model your company fits will assist you in determining the Active Directory makeup of your new Windows 2000 framework. For example, should domains and organizational units be designed around geographic or business boundaries or both? Nameserver setup will be another consideration that requires understanding of your company’s model. For example, if you have two large campuses, should you place a DNS server at each site or use only one for the entire company? Next, you examine your company’s processes to determine the method in which communications are made and in which business decisions are implemented. This is a much more subtle thing to try to assess, but has the same kind of importance, in terms of your Windows 2000 deployment, as determining the model of your company. Strategic planning—making a bestguess decision about what your future network looks like—plays a very important part in your overall design as well.


www.sybex.com

36

Chapter 1


Key Terms Within this chapter, and succeeding chapters, you’ll find a Key Terms section. Here we list the key words or phrases that we mentioned in the chapter, words that you should insert into your mental BIOS, as it were. These are phrases that you can incorporate into your daily lifestyle, and that will help you converse with others about the terms and concepts involved in the Windows 2000 world. bottleneck cowboys international local national organizational unit (OU) regional single point of failure (SPOF) strategic planning subsidiary


www.sybex.com

Review Questions

37

Review Questions 1. What geographic company models are you likely to have to analyze as

part of a Windows 2000 deployment? Choose all that apply. A. Transoceanic B. Local C. National D. Regional E. International 2. What is a single point of failure (SPOF)? Choose all that apply. A. A physical term: The point at which a designed system has no

redundancy or backup B. A conceptual term: The point at which a Windows 2000 design

fails C. A company model term: The point at which corporate communi-

cations fail D. A software term: The point at which an enterprise computing soft-

ware program can take no more users 3. Who are the stakeholders in a Windows 2000 rollout? Choose all that

apply. A. The executive management of the company B. The accounting/financial arm of the company C. The risk analysis/risk assessment end of the company D. The IT personnel involved in putting the project forward E. The end users who will be using the computing environment


www.sybex.com

38

Chapter 1


4. Your company has purchased a company that specializes in creating

some hardware you need to bundle with your product. The other company will retain its original name and really not integrate into the framework of your company. What kind of model is this? A. Branch office B. Subsidiary C. Wholly-owned IPO D. Spin-off 5. You are an administrator for a technical consulting firm specializing

in marketing Asian, Indian, and Pakistani software developers to the U.S. and Europe. You have a main office in Sydney and two other offices, one in Beijing and the other in New Delhi. What is your company’s model? A. Regional B. National C. International D. Transoceanic 6. Your company, based in Ottawa, has what used to be a minimal pres-

ence in Bolivia. But it turns out that new sources of some natural resources you use in your product have been discovered in Bolivia. You anticipate that your office down there is going to grow at a phenomenal rate. Unfortunately, the availability of high-speed data or telephony circuits in that country is quite limited. What might be another way that you could set up a Windows 2000 server in your Bolivia office so that your main-office business transactions could be more efficient? A. Asynchronous RAS sender B. VPN C. Dial-up D. Satellite


www.sybex.com

Review Questions

39

7. You work for a state governmental agency. You have an even dozen

small sites with 10–30 users each, spread out across your state. They are unconnected, but some new state legislation is going to require that you interconnect all sites in order to accomplish the business goal this legislation is mandating. Specifically, you’ll require some method of transferring data back and forth between Windows 2000 servers at each site. What are the two steps that you should include in your business plan to accomplish the legislation goals? A. Arrange for a high-speed data circuit leading from your central site

to each of the outlying sites. The circuit should be as high-speed as you can afford, up to a full T1. B. Provide training to your outlying users. C. Set up Windows 2000 servers in each site, connecting all to the

same domain. D. Install an Exchange server at each site. 8. You arrange for a high-speed data circuit leading from your central

site to each of your outlying sites, as high-speed as you can afford. You set up Windows 2000 servers in each site, connecting all to the same domain. What communications type are you implementing? A. Frame/spoke B. Frame/frame C. Frame/hub D. Hub/spoke 9. What could potentially be an SPOF at outlying, hub sites? Choose all

that apply. A. Router B. Low committed information rate (CIR) C. Single server D. No outlying site administrator


www.sybex.com

40

Chapter 1


10. What could be a potential bottleneck for a frame/hub system? Choose

all that apply. A. Router B. Frame relay circuit C. Outlying site server D. Central server


www.sybex.com

Answers to Review Questions

41

Answers to Review Questions 1. C, D, E. While I mentioned B as a possible model, the test objective

does not state this as a model, so in the Microsoft sense, B is not correct, though in your design sense it might be. A is a method of communication, not a company model. 2. A, B, C. Technically all of A, B, and C are correct, but the most correct

is A. In the sense that I use SPOF, I’m talking about a place where there is no physical redundancy or backup for a given system. Routers, especially in older networks, are consistent SPOFs. Thank goodness they rarely fail! D is primarily a bottleneck, not an SPOF. 3. B, C, D. The stakeholder determination question is of the utmost

importance in your project planning research. For example, you could easily say, yes, the executive management has a stake in the Windows 2000 rollout. They’ll be logging onto the same network as everyone else, and they certainly have distinct business needs that can either be helped or hindered by the upgrade. But—and this is the important question to ask yourself—do they have direct input into the upgrade and a highly visible stake in the project’s success? The answer to that question would be no. So the definition of stakeholders on your part is a very subjective question that has great objective importance. Option E would typically not be correct because the end user isn’t responsible for the timely design and deployment of a new system, apart from a handful of testers. 4. B. Subsidiaries are often the lifeblood of a company. Why reinvent the

wheel when some other company out there is doing exactly what you need done? Perhaps they need a helping hand staying in business, while you need a hand making your business better. 5. C. The answer is C. But here you have an interesting model because

you’re really not doing anything in Sydney, or greater Australia at all, are you? All of your work is focused in other countries. You’re truly international in your business makeup.


www.sybex.com

42

Chapter 1


6. B. The Asynchronous RAS sender is a part of Systems Management

Server, not Windows 2000. Satellite has some inherent problems, latency and cost among them. Dial-up is a slow, impractical way of getting server work done between two large enterprises. Provided you can find an ISP that will work well in Bolivia, VPN provides the best overall solution to your needs. 7. A, C. We’re not told that e-mail is a priority, so D, while a nice thing

to have, doesn’t solve the business need. Also, though you will certainly need to train the users at some point, this objective does not solve the business need either. Answers A and C are the first bullet points that should go on your planning document. 8. C. Your site acting as the locus for the outlying sites and the commen-

surate direct tie-in of the outlying sites to yours represent a frame/hub setup. If an outlying site were to connect to another outlying site that then connected to you, you would have a frame/hub/spoke, which is unnecessary in this design; cleaner is easier. 9. A, C. Both A and C are obvious answers. Answer B is a little trickier.

If you negotiate too low a CIR when setting up your frame circuit, that’s not an SPOF; it’s a design error, isn’t it? Not having an outlying administrator isn’t as important as it used to be before Windows 2000, though it’s possible you’ll have to train a super-user how to reboot the server if need be. 10. A, B, C, D. All of the above answers could potentially be correct. The

most likely bottlenecks will be the router and the central server. You’ll probably over-engineer the outlying sites’ servers and the frame relay circuit. At least you should over-engineer, given the high pace of change in today’s computing environment. (Just the anticipated need for an Exchange server at each outlying site—you know they’ll be demanding that next, don’t you?—should be something that enters your mind as you go forward with your design.) Interestingly, I think the central server is a highly likely candidate for bottlenecking, especially if it’s a legacy server that you’re going to be adding data-transfer load to.


www.sybex.com

The Multinational Start-Up

43

You should give yourself 10 minutes to review this case study, diagram as needed, and complete the questions for this mini test.

Background You’ve been hired as a network design consultant for a small start-up company in Boulder, Colorado, consisting of 250 employees. The company is currently funded by venture capital, but there is an expected IPO at the end of the second quarter of this year. Because of the nature of your company, a medical software development corporation, you have people working in many parts of the world. Specifically, you have offices in Munich, Tokyo, Tel Aviv, Montreal, and Rio de Janeiro.

Current System Boulder This office contains the bulk of the employees, about 110. You have two network closets, connected together by one strand of Category 3 Ethernet cabling. You have five Windows NT 4 Servers with Service Pack 5 applied to all. One of the servers is dedicated to Exchange 5.5. One server has Visual SourceSafe loaded on it; the software developers that work in Boulder use this for uploading and checking in various versions of their software. Another server runs your financials. The fourth server runs some production software that tracks the assembly of your software as it leaves the burners and gets boxed. The fifth and last server acts as a building file, print, and RAS server. You have one DLT 4000 external tape drive, and you’re using Seagate Backup Exec 6.5 for your backup software. Your users are running a mish-mash of computing gear, relative to the kind of vendor the purchasing people could obtain equipment from at various times. You have a 40% laptop/60% desktop mix. You have a small-enterprise fax program running on a Windows 95 computer that allows about 10 marketing people to send faxes out from their desktops. The majority of your users, about 80, are basic non-power-user types. The other 30 are software developers running Windows NT Workstation and are very capable of getting themselves into all kinds of “exploratory” trouble with their computers. There is one small older PBX in the building. The amount of long-distance phone calling from this office is phenomenal, given its size.


www.sybex.com

CASE STUDY


CASE STUDY

44

Chapter 1


Munich This office is the second-largest office and has 50 users, the majority of whom are software engineers who have specialized in medical software for a long time. They have one Novell NetWare 3.11 server and one Windows NT 4; the NT server has had SP5 applied. The NetWare server acts as a file and print server, while the NT box is utilized for SourceSafe and RAS. The tape backup unit, a 4mm DAT drive, is on the NetWare box, and the tape backup software is very old. This office has a key phone system and does quite a bit of long-distance phone work with the Boulder office. The Munich office maintains an ISDN connection to their ISP and is using this to send e-mail to Boulder. Tokyo This office has about 30 users, most of whom are salespeople and marketing types. There are no software developers in this office. The office has one Windows NT 3.51 server running SP3, predominantly used for file and print sharing. There is an ISDN line connecting the server to the office’s ISP for Internet work. Tokyo, too, uses their ISP as an e-mail hub for messages to Boulder. Tel Aviv This office consists primarily of hardware engineers who participate with the software developers by writing appropriate drivers for the various hardware components your company’s hardware has to talk to. Like Tokyo, this office has 30 people, but they’re about half engineering and half sales and support. This office has one Windows NT 3.51 SP3 server and three Windows NT 4 servers. The Tel Aviv office has Visual SourceSafe for safekeeping of its code as well. Employees use their personal ISP and regular dial-up Internet connections whenever they want to send e-mail. Montreal This office consists of 15 travelling salespeople. There is no server at this office; users RAS into the Boulder Exchange server for local e-mail, but the costs are quite prohibitive. Rio de Janeiro Just as with the Montreal office, travelling salespeople report to the Rio office as well. In both of these offices the users do most of their work on laptops and use dial-up connectivity for Internet and e-mail. Rio salespeople also RAS into the Boulder Exchange server for e-mail.

Problem Statement The biggest problem that your company faces is the fact that nobody has e-mail connectivity with anyone else. It’s very difficult to get e-mail from one person to another, but you suspect that the enormously expensive phone


www.sybex.com


45

Envisioned System Overview The CEO (who is also a venture-capital investor in the firm), the board, and senior management have all said that it’s paramount that your little company become one intact entity instead of several distinct units that don’t communicate with one another very well. Simply having phone connectivity between sites is not helpful, especially with salespeople who rarely check into their office. The CEO envisions a system wherein all users participate in what looks to them like one big, universal network. CEO “We’re a small company with a big idea. We’re on the precipice of an IPO and, if we can convince investors that our idea is new and fresh enough, the investment influx will help propel us into the zenith of the marketplace for our product. Unfortunately, our communications are ghastly, especially in terms of their timeliness and expense.”

Security Because the software you write is highly subject to theft by other firms, the industry being what it is, security must be maintained at a very high level. The CFO tells you, “With an impending IPO and with spreadsheets floating around here that hold highly sensitive data, it’s paramount that security is maintained at an extremely high level. I cannot emphasize this enough.”

Availability Because you span several different time zones, network availability must be 24×7×365. The Munich and Tel Aviv operations managers say, “Our developers are working at different times of the day and night across the world.


www.sybex.com

CASE STUDY

bills would go down if only you could facilitate a better method of connecting your offices. A somewhat secondary issue, but no less important, is that of assuring that all your coders have up-to-date code in the SourceSafe repositories. You need to figure out a way to automatically update all the servers with the latest and greatest directories so everybody’s on the same page, code-wise. You’ve had occasions where a software version one or two minorrevision levels back from the current one was sent to a customer simply because the latest revision wasn’t on the local servers.

CASE STUDY

46

Chapter 1


On top of that, U.S. holidays are not those of other countries. It is really important that we somehow attain around-the-clock interconnectivity between our sites.”

Maintainability Overview There are two problems here. First, because lots of your users are software developers, some of them are cowboys who can get themselves into lots of trouble very quickly, simply by experimenting with the registry or cleaning out files that they deem unnecessary. But more important are the software files that your developers create; it’s crucial that version levels be kept uniform throughout your company and that outsiders cannot hack into the systems and steal this code. CEO “This new program we’re writing is so revolutionary and will have such an impact as we approach IPO rollout that it’s important for us to make sure all the developers are up on the latest iteration of the software.” Tel Aviv operations manager “My coders are developing the firmware for the cards for this new system. While it’s important for us to have the latest software for the GUI interface, we need to maintain some autonomy as far as what we’re doing. Tim, one of the Boulder developers, has already looked at our firmware and made unauthorized changes.”

Performance Some users have complained of slow performance. The CEO has made it very clear that you are to find the cause of the performance issues and rectify as needed.

Questions 1. What is the business problem? A. Users are not all on one network. B. The company’s software versions are not consistent. C. Everybody needs an e-mail account on the Boulder server. D. You shouldn’t have that many NOSs in the company.


www.sybex.com


47

problem? A. Set up wide-area connections between all of the sites. Wide-area

bandwidth should be adjusted according to the size of each site and its needs. B. Up-version all servers to Windows 2000. Move file and print shar-

ing off of NetWare boxes to the NT servers. C. Assure that there is an Exchange server at each site and that direc-

tory replication is taking place between all servers D. Set up some form of RAS server for the Montreal and Rio sites.

Salespeople should RAS into their offices for e-mail. E. Verify the infrastructure at each office to assure that it’s up to

modern standards, at least 100Base-T. F. Assure that all users are on a uniform O/S desktop, that service

pack and service release levels are current. G. Establish a plan to up-version the existing Exchange servers to

Exchange 2000 by Q1 of next year. 3. What solutions should you implement to meet all of the customer’s

needs? Choose all that apply. A. Set up wide-area connections between all of the sites. Wide-area

bandwidth should be adjusted according to the size of each site and its needs. B. Up-version all servers to Windows 2000. Move file and print shar-

ing off of NetWare boxes to the NT servers. C. Assure that there is an Exchange server at each site and that direc-

tory replication is taking place between all servers D. Set up some form of RAS server for the Montreal and Rio sites.

Salespeople should RAS into their offices for e-mail. E. Install antivirus software on all servers and workstations. F. Verify the infrastructure at each office to assure that it’s up to

modern standards, at least 100Base-T. G. Assure that all users are on a uniform O/S desktop, that service

pack and service release levels are current. H. Establish a plan to up-version the existing Exchange servers to

Exchange 2000 by Q1 of next year. Copyright ©2000 SYBEX , Inc., Alameda, CA

www.sybex.com

CASE STUDY

2. What solution should you implement to solve the customer’s business

CASE STUDY

48

Chapter 1


4. You need to explain to the board why you want to up-version to Win-

dows 2000 on the servers. In what positive ways will this upgrade affect this little start-up? Choose all that apply. A. Increased security in the form of Kerberos will enhance the protec-

tion that the company needs to avoid software piracy. B. Active Directory will ensure that new users coming on board in

foreign countries will quickly show up in the overall list of users. C. Windows 2000 works better with Exchange 5.5 and enhances its

functionality. D. Windows 2000 provides increased support for NetWare servers. E. RAS support is greatly increased in Windows 2000. F. You can begin investigating virtual private networking for trouble

spots like Tokyo, where frame relay connections to the U.S. are prohibitively expensive but they could use a high-speed connection to their ISP to arrive at the same goal. 5. Given the following table, rank the sites in descending order of impor-

tance, according to the amount of attention you think they’ll require to facilitate your upgrade. From the sites listed on the right, write in the left column the order in which you think the sites deserve attention. Site

Site Boulder Montreal Munich Rio de Janeiro Tel Aviv Tokyo


www.sybex.com


49

ment items in the left column. Then move requirements from the right column into the sections of the proposed design document, for each requirement that you think should go into the proposal. Proposed Design Document

Possible Requirements

Infrastructure Upgrades

Establish frame relay or VPN circuit Boulder to Tokyo

Upgrading of Servers

Purchase switches to replace shared-10 hubs

Up-versioning of Servers

Procure workgroup server for Rio office

Retirement of NetWare Servers

Upgrade old key telephone systems or procure new systems for remote offices

Establishment of Frame/Hub WAN Links

Install RAS on workgroup servers

Installation of Exchange Server

Establish frame relay or VPN Boulder to Munich Procure workgroup server for Montreal office Upsize or replace all servers as needed Create strategic planning document for Q1 upsizing of Exchange server Upgrade PBX system Boulder Procure extra servers for Munich office Procure extra servers for Tel Aviv office Design and deploy Active Directory across all servers


www.sybex.com

CASE STUDY

6. Looking at the table below, first examine the proposed design docu-

CASE STUDY

50

Chapter 1


Proposed Design Document

Possible Requirements Install RAS on workgroup server for Rio Establish frame relay or VPN circuit Boulder to Montreal Establish replication policy for Visual SourceSafe Replace tape backup unit Establish tape backup system Flatten network protocol structure to only TCP/IP Generate TCP/IP design document Examine cable plant and upgrade as needed Install Exchange server 5.5, appropriate connectors, and service packs as needed on all remote servers Establish frame relay or VPN circuit Boulder to Rio Establish frame relay or VPN circuit Boulder to Tel Aviv


www.sybex.com


51

1. A. The main business problem is that your users are not all connected

together even though they should be. The very act of connecting everyone together via some methodology would clear up the majority of your software version and e-mail problems. 2. A. You would start with A, setting up wide-area connections in order

to assure that everybody’s on the same playing field. 3. A, B, C, D, F, G, and H. All of the above, with the exception of

answer E, are good starts, but not quite good enough. You have not addressed security needs, for example, nor have you addressed the Visual SourceSafe need. The servers may also have a hardware problem supporting Windows 2000, you don’t have enough information yet. More work needs to be done in these areas! Answer E isn’t within the scope of your project; let the administrators handle the viruschecking part of it. 4. A, B, D, E, and F. Your Exchange 2000 upgrade planned for Q1 of

next year is a good bet, because Exchange 2000 interfaces with AD but Exchange 5.5 does not. 5. The correct order is:

Site Boulder Munich Tel Aviv Tokyo Montreal Rio de Janeiro The first couple of choices are obvious. Boulder, being the main site, is the first candidate for upgrade, especially given their poor wiring closet condition. You’ll need to investigate the wiring closets of the other sites and, indeed, take a close peek at the entire infrastructure of each site, but Boulder is especially important because of its software developers, administrative staff, and overall centrality of operation. The key to this puzzle is the software development version leveling problem. I’d next pay attention to the Munich office because of its high population of coders, and follow Munich quickly with Tel Aviv. Tokyo would be next due to its size, and then you could finish up with a visit to the Montreal and Rio offices. Copyright ©2000 SYBEX , Inc., Alameda, CA

www.sybex.com

CASE STUDY ANSWERS

Answers

CASE STUDY ANSWERS

52

Chapter 1


6. See table.

Proposed Design Document Infrastructure Upgrades Install RAS on workgroup servers Examine cable plant and upgrade as needed Upgrading of Servers Upsize or replace all servers as needed Up-versioning of Servers Procure workgroup server for Montreal office Procure workgroup server for Rio office Procure workgroup server for Montreal office Upsize or replace all servers as needed Establishment of Frame/Hub WAN Links Establish frame relay or VPN circuit Boulder to Montreal Establish frame relay or VPN circuit Boulder to Munich Establish frame relay or VPN circuit Boulder to Rio Establish frame relay or VPN circuit Boulder to Tel Aviv Establish frame relay or VPN circuit Boulder to Tokyo Establish frame relay or VPN Boulder/Munich Installation of Exchange Server Install Exchange Server 5.5, appropriate connectors, and service packs as needed on all remote servers There are some very clear divisions here, aren’t there? Clearly, getting RAS set up and the cable infrastructures up to speed are important goals. Upgrading the servers and installing Exchange servers are also important goals. It’s evident that a Windows 2000 deployment is about hardware, infrastructure, and cabling, in addition to the software that’s going to make it work. It’s an enterprise thing.


www.sybex.com

2759c02.fm Page 53 Tuesday, July 18, 2000 11:38 AM

Chapter

2

Analyzing the Organizational Structure MICROSOFT EXAM OBJECTIVE COVERED IN THIS CHAPTER: Analyze the existing and planned organizational structures. Considerations include management model; company organization; vendor, partner, and customer relationships; and acquisition plans.


www.sybex.com


N

ow we get serious about diagramming your management structure—trying to figure out how management ticks. Why? So you can get a project done. If you know where the dining car is on the train, it won’t take you nearly as long to get fed, will it? It’s vital that you understand the underpinnings of how management thinks, how decisions get made and how they’re integrated into the society of your company so that you can plan a Windows 2000 deployment that’s safe for your environment and makes sense to your managers. Are you a big-picture thinker? I hope so, because you’ll certainly need to wear your visionary hat as you move forward into your Windows 2000 rollout. It’s important to clearly hear what your managers are saying to you and then take the time to neutralize any misunderstandings they have about what this deployment is all about and what it means to the company. Certain management entities can tack on provisos and a quid pro quo or two to your plan that may not make sense in the overall scheme of things. Some managers simply don’t have a feel for what you’re really talking about (though they’ll tell you that they do). Others are very definitely on the same page as you are, but they may not have the power to help you get your mission accomplished. All in all, you’re faced with the delicate task of advising your leaders what the upgrade is all about, asking for what potentially could be a lot of money, and then assuring them that you have what it takes to get things installed and working. How’s that for a pressure situation? Do you feel like Atlas yet? We start this chapter with a look at the management model at your company and how that translates into organizational structures. (If you work on the test objective in strict chronological order, they have these two issues just backward—your management determines the organizational layout, not vice versa). Then we look at what could potentially be a fun thing: your vendor and partner relationships with other companies. Finally we ask a question: is your company set up for acquisition?


www.sybex.com


Understanding the Management Model

55


While the Microsoft test objectives don’t come right out and pinpoint the various management models you might experience in your career, you certainly don’t have to have an MBA to be able to spot the management models in place within any given company—just a few years’ experience under your belt will do. Let’s start by looking at the typical management hierarchy, from the top down, then segue into the management structures that get adopted as a result of various leadership styles.


Analyze the existing and planned organizational structures. Considerations include management model; company organization; vendor, partner, and customer relationships; and acquisition plans.

Management Hierarchy You’ve probably been through this exercise on your own, but it’s always good to review your firm’s management structure based on somebody else’s definition, just to see if you arrive at the same conclusion. In the case of a Windows 2000 design and deployment, buy-in at all levels may be critical, so it’s important to take a hard look at your company’s hierarchy.

The Top o’ the Heap Most companies operate with some sort of senior leader, be that a president, a chief executive officer (CEO), or someone who holds the combination of those two roles. In a privately held company, the president is the owner of the company, frequently the person who started the company in the first place. Often, as a company goes from privately to publicly held, the role shifts from president to CEO, but owners can tend to retain some semblance of the old mixed in with the new. The CEO is usually looked at as the visionary—the captain of the organization—calling out the direction wherein land and good times lie.


www.sybex.com


56

Chapter 2

Analyzing the Organizational Structure

Just because a person started and owns an organization does not necessarily imply that he or she knows anything about computers. The owner certainly holds a vast understanding of what the company’s about, but that does not necessarily imply that the owner is a cyber-visionary. It may well be up to you to bring this person up to technical speed with “executive summary” overviews from time to time, a job that you should be prepared for but one that you won’t relish. For example, how do you explain TCP/IP, in five words or less?

Figure 2.1 shows an organizational chart that might look very much like the one at your company. Are you, like most people, at the bottom of the food chain? There’s another word for us: plankton. This, of course, is not to say that you’re plankton. Or that you’ll always be plankton. But it’s probably safe to say that the majority of us probably won’t make executive management any time soon! FIGURE 2.1

Typical corporate organizational chart CEO

Chief General Counsel

President

Sr. Vice President

Vice President

Sr. Manager

Board of Directors

Vice President

Director

Sr. Vice President

Vice President

Sr. Project Manager

Manager

Scientist

Supervisor

Supervisor

Director

Technical Advisor

Team Leader

You?


www.sybex.com

Vice President

Sr. Manager



57

The Board of Directors Since a publicly held company is obligated to comply with a fiduciary duty— a responsibility to act as the trustee on someone else’s behalf of an organization’s funding, in this case shareholders—often there’s a board of directors that oversees the company’s operations. A chairperson heads up the board; this is most often not the same person as the president, though I’ve heard of cases where this was so. (Most board members don’t like this person being one and the same because the leadership roles can become confused and the makeup of the company gets tangled up. Clearly defined leadership roles are much better for companies.) The board is typically comprised of several stakeholders, often those with a heavy venture capital risk at stake, and various officers including a secretary, a financial officer, a chief technical officer, and so forth.

Executive Management Beneath this layer are the senior vice presidents and vice presidents. These individuals, the president, CEO, and board, together with an occasional benefactor chair or chief legal counsel, compose senior management.

Once in a great while you’ll have a person or group that reports directly to the president. A very frequent instance of this is the company’s chief legal counsel. The chief counsel and her associates report to the president and only the president. They take their orders from no one else. It seems that every company has at least one of the boxes near the top of their organizational chart.

Executives can be really tricky to figure out. Why? Because by the time a person gets to the rarified air of executive management, they often have what the regular folks in the company perceive to be mixed goals. For example, vice presidents of sales must be highly outspoken about the outstanding capabilities of their companies’ newest products. Even if they don’t necessarily believe in a new product, they have to make sure the company sells lots of it. My guess is that executives struggle with this “I should/I shouldn’t” vantage point more than anything else in their jobs. Frequently it’s hidden, so that you’re not aware of the problem; this makes for even more problems, in terms of garnering good designs. Another frequent executive management problem, one that I’ve personally seen quite a bit, is when the executives are apparently lied to by the


www.sybex.com


58

Chapter 2


project managers and stakeholders for a given project. The software developers say that the project has serious holes. The project managers, looking for ways to soften the blows (and perhaps come up with a workaround), don’t dig into the true meat of the problem and, as a consequence, often “hear” something different than what they’re being told. The project managers convey to senior management that, while they’ve got some minor glitches, everything seems to be on course. And then senior managers tell the executives that everything’s basically on track with only a minor one- or two-day delay in schedule. While there is seldom actually any lying going on, it certainly appears that way from the viewpoint of the software developer, doesn’t it? You can prove this concept to yourself. Perhaps you’ve played this game before, but it’d be fun to try it again. Write down a sentence or two. Gather 6 to 10 people in a circle, and whisper the sentences in the ear of the person to your right. Have each person whisper what they heard to the next person, and so on. When the person to your left finally receives the story, have them repeat it back to everyone. Now whip out the actual sentences you wrote down. Everyone (except you!) will be shocked at the level of misinformation that the last person conveyed.

For some reason, some executives have way more power than others, for many different reasons. One executive may be good friends with the CEO, play golf with him regularly, and maintain a vigorous extracurricular relationship, while other executives don’t have that kind of close ear. It’s a fact of life at all levels of management and, unfortunately, one that might be pretty hard to spot from a non-management perspective.

Mid-Management Directors and managers make up mid-management. Depending on the makeup of the company, they may or may not have input into the company’s direction—that is, they have different levels of power. There are lots of factors that govern the effectiveness of a mid-level manager. The visibility and importance of the department that’s being overseen, for example, can have a major influence on whether a project is given the go-ahead by executive management.


www.sybex.com



59

The Rest of Us Supervisors, team leaders, and then you and I at the plankton level round out the rest of the company. Some companies equate team leaders with supervisors, but I tend to look at team leaders as supervisors without any power. There are two main differences between a team leader and a supervisor: Does the individual do any budgeting? And does the individual make the performance reviews of the employees beneath her? Supervisors are budgeters and reviewers. Team leaders are the overseers of a technical endeavor and the chief knowledge-keepers for a given group. Now your company may be laid out very differently. Perhaps you work for a military organization, in which case you have somewhat the same kind of organization, but you have different names for the various roles that are played. On the other hand, small companies have one or two people who assume several of these roles. It’s up to you to decide exactly how your company is laid out. Frequently, somebody has taken the time to come up with a organizational chart that will really give you a boost as to how senior staff is arranged, but in most high-tech companies, this chart changes faster than you change your socks, so it’s not much good. Very large organizations have complex, decentralized pools of senior management spread out over several regions. The chairperson of a large electronics firm might have several senior vice presidents that head up the personal stereo arm, while another group manages the television and broadcast areas of the company. It can be very difficult, even at the senior management level, to unravel the windings of such a complicated makeup.

Why Knowing the Senior Management Makeup Is So Important There’s a reason why it’s good for you to take the time to diagram your senior management: because decision dissemination rolls downhill, not up. You might trickle information upward to your management—in fact, your input will be invaluable to the technical leads of your company—but they control the purse strings and, in the final analysis, the expense that will be required for a Window 2000 upgrade will merit senior management buy-in. If you want to get this deployment going, you and they need to be on the same page. Perhaps senior management mandated the study and you’re simply complying. Or, more likely, you’ve got the vision, and you’re now trying to make the case for the upgrade. In some cases, maybe you were brought in as a hired


www.sybex.com


60

Chapter 2


consultant by management so that they have the official word on what should be done. In any event, it’s both crucial and wise for you to assess the management style that your senior leadership uses, because knowing how they operate is going to give you many clues about how you operate.

It’s important for you to know and understand how this food chain is set up, who the players are, what their management styles are like, and how you can best present your business case to them. On the exam, you’ll be asked to balance these various interests and read between the lines to get at the correct solution.

Key Management Styles What, then, are some management styles in use today? As you might imagine, management styles are as varied as the people who use them, but if you look carefully, a manager exhibits some distinctive traits—traits that belong to one management style over another. While this information is useful, it’s certainly not like a Myers-Briggs test, where you can definitively point to someone and accuse him or her of having a certain style. People change, learn, grow, and mature, and so do management styles. Nonetheless, it’s good to see if you can figure out your managers’ overall styles. Before we proceed, it’s important to point out that above the management style of a certain person, there’s also the in toto management style that a group of managers might try to exude. For example, suppose that you’re in a struggling start-up company. One manager’s style might be forceful and autocratic while another’s is more laissez-faire, but both managers want to exhibit a sense of security and stability so that employees stay with the company and see it through its troubled times.

Laissez-Faire The French phrase laissez faire means “to allow to do.” The laissez-faire management style is typical in most computer environments where there are lots of software developers or administrators. Another word you might use in place of laissez-faire is “professional.” Workers are allowed to come and go as they like. Some shops don’t bother accounting for time, simply taking the approach that if you have to leave for an extended dentist’s appointment


www.sybex.com



61

one day, you might be forced to spend the night with a server on another, so it all comes out in the wash. In other words, you’re treated professionally. You’re expected to be there when you’re needed, and conversely, you’re allowed to take care of the extracurricular things that need attention. It’s an extremely powerful style and one that some managers have a hard time trusting. The exception to the laissez-faire management style in the computing industry is in clean-room assembly of computer components. Here you have what in essence is an assembly line, which does not lend itself easily to the laissez-faire approach. While you’ll see laissez-faire in computing environments, there is no shortage of it in other areas as well. Accountants who burn the midnight oil during tax season might be able to take a day or two of comp time to go skiing after the returns are filed. Engineers who have put in a lot of travel time visiting a remote site might be allowed a couple of days’ R&R when they get back. The laissez-faire style doesn’t work well with managers who are not diligent about making sure the work is getting done. In situations where the manager won’t stay on top of things, it will be difficult to finalize any project. The majority of undertakings will wind up petering out halfway through the endeavor.

Autocratic The autocratic leader is one who dictates that something should be done a certain way and expects to see them accomplished in that way. An autocratic leader typically allows little give-and-take and tolerates little variance in a project’s timeline or budget. Autocratic leaders are not the completely bad thing that they’re imagined to be. Autocratic leadership coupled with intelligent, visionary leaders makes for a very strong and dynamic organization. A team or unit in the hands of an autocratic leader with strong project management skills and a heightened sense of communication can attain astounding goals.

Loose-Bundle I’ve never seen this style labeled quite like this in any business book, but some managers live by the loose-bundle system. What I mean is that the manager, as good as his or her intentions are, cannot quite get all of the loose ends to come together so as to finalize a project.


www.sybex.com


62

Chapter 2


You’ve seen this type of individual, I’m sure. He has a stack of papers on his desk (hence the loose-bundle title) that are somehow supposed to represent the level of complexity that his job entails. But when pressed for answers on a given detail of a project, he has little or no recollection of how the project is supposed to go or where it should be at any given time and knows little of the overall functionality or details of the project. Loose-bundle is a great management style for individuals who are very bright and capable of bringing about project finalization on their own without the aid or encouragement of their managers. In other words, if you have a manager who operates on the loose-bundle system and you know that you’d like to accomplish a given project within a quick timeline, it’s usually very easy to slip the project past her. This might have repercussions on the manager later, but hey, that’s then, this is now. (“How’d this gigabit Ethernet infrastructure get here?”) Loose-bundle differs from laissez-faire in that loose-bundle managers can barely organize themselves, let alone you. On the other hand, a laissez-faire style doesn’t imply anything about the personal organization habits of the manager, only that he or she leaves you alone.

Hands-On Hands-on managers are those who aren’t terribly interested in the budgetary and performance evaluation aspects of their jobs, but instead like to get their hands dirty helping you out with a project. As you can imagine, this can have tremendous positive consequences if the manager knows what she’s doing. On the other hand, if the manager is completely incompetent (relative to the project at hand, of course), their interaction will be more of a thorn in your side than a help. Hands-on managers may or may not be autocratic. Often these are people who’ve been promoted from within and who intimately understand the systems they’re dealing with. You’ve been in a position like that, I’m sure, where you’re trying to show somebody else how a system works but you have to fight the urge to say, “Move over, darn it! Let me drive and show you how!” Hands-on managers can’t resist the appeal of personally working with the systems. But they can be laissez-faire and still be hands-on. Hands-on doesn’t necessarily imply autocratic, although in some cases they may be one and the same.


www.sybex.com



63

The famous “Peter Principle,” invented by Peter Drucker, states that people will be promoted to their level of incompetence. When someone’s incompetence is at its highest, that person will stay at the current level of management.

Neutral A neutral style of management is one in which your manager really couldn’t care less one way or the other what projects a person is involved in. This might have to do with any one of a number of reasons. For example, suppose that a manager was promoted into a department and, after working there a while, finds that she doesn’t really care for any of the people in the department. But the people working under her are vital to the department’s continuing function, so he opts for a manager-neutral approach. It could be that the team the manager is overseeing is so good that there’s little need for any management. The manager is bored but stays out of everyone’s hair. Or, the manager could be off hunting for bigger prey. That is, it’s important for the manager to make sure the department accomplishes all of its stated goals, but apart from that the next big project or promotion is the important thing. The neutral style can be dangerous because it’s so non-people-oriented; that’s where this style differs from laissez-faire. Laissez-faire managers believe in and are committed to their people; neutral managers may have at least one, if not more, commitments that are more important than their people.

Political The political manager is one who manages for political expedience, not necessarily for the common good of a project or the department as a whole. The goal here is individual promotion, not departmental success. Sometimes a project completion happens to align with the goals of the manager, so things appear on the surface to be motivated by company goals, but this is really not the case. A political manager can be a huge ally if you are smart enough to get one to be a big believer in the project. Convincing such a manager that accomplishing a given project will be a huge feather in their hat (which a successful Windows 2000 rollout would be) can make them a believer.


www.sybex.com


64

Chapter 2


Project-Oriented The project-oriented manager is one who focuses more on projects than on day-to-day activities. This style is good in the hands of one who must manage large project deployments. It can be bad when the manager must manage a team of individuals who are involved in the daily operation of a network and are also responsible for implementing various network upgrades. The daily operation will be neglected in favor of the project, or someone on the team must take responsibility for daily operations just to make sure those needs are met. Obviously, there are as many management styles as there are people who manage, and I’m sure you can fill in your own blanks with other styles you’ve seen. Most managers exhibit one management style during certain times and situations and another at a different time. People are complicated and don’t always follow the same path every day. Nonetheless, with some protracted study on your part, you can pinpoint the style that your leaders are using. Now the big question: How does knowing a group of managers’ management styles help you get your Windows 2000 design and deployment underway? Knowing how a person will react to a problem you’ve encountered with your design (for example, moving static DNS from your Unix servers to dynamic DNS on your Windows 2000 boxes) or to a “feature” of Windows 2000 (such as native Windows 2000 deployments requiring an active DNS setup, thus creating some “controversy” with your Unix admins) will help you pre-assess the way in which you approach a given situation. If, for example, your project includes creating an active DNS environment, but you know that your manager is very Unix-oriented and will need heavy justification for moving DNS off of the Unix servers and onto the Windows 2000 servers, you can then take steps to formulate this justification.

Design Scenario: Managing the Management You’ve diagrammed, to the best of your ability, what you think your management structure looks like and the various management styles of the managers in your organization. You’ve jotted down some quick notes: Leo Tungsten—CEO, autocratic Marvin Best—Controller, autocratic


www.sybex.com



65

Elizabeth Schuler—Senior Vice President Marketing, laissez-faire Suzanne Vickers—Vice President Technology, laissez-faire Jim Sheffield—Vice President Sales, political After a thorough examination of the NT servers in the organization, and having reviewed the strategic direction and projected needs for future computing power, you find that there are some serious shortages in the company’s server environment. You’re going to have to make some recommendations for extensive new purchases of server hardware before you can go forward with the Windows 2000 rollout itself. While Suzanne is very amenable to your suggestions, you know that she’s wrapped up in a huge Oracle upgrade that is consuming lots of her time and attention. How do you approach this situation? And who is going to be a challenge or an asset? Suzanne is an ally. She has a laissez-faire management style, implying (but not always meaning) that she trusts what her people are telling her. The fact that she’s tussling with the Oracle project may mean that she’s got issues with Leo that he’s not willing to listen to. It’s to your benefit to throw this ball into her court by setting up an appointment with her for a sufficient amount of time so as to get your point made, then present the nature of the problem to her. Be prepared to answer any questions she might have by anticipating her questions in advance. Go in with solid numbers to back up your diagnosis. You want her to OK the purchases, you don’t want to have Leo nix them, and you don’t want her to feel like she’s got to whip up the answers for you. You’re going in with a problem and a solution. You’re looking for buy-in, not for answers. Marvin’s going to be your problem child to try to win over. He’s also the controller and tight with the purse strings. Your efforts are going to have to center around the business problem, and the business solution for the problem, taking into account costs and especially focusing in on why certain costs are as high as they are. Expect monetary challenges from Marvin and be prepared to counter with reasons why you chose a specific device, license count, or other potentially expensive candidate that he’s looking to rule out.


www.sybex.com


66

Chapter 2


Jim is your basic sales personality: outgoing, charming, personable. Yet you know that you’ve got to measure your words carefully when you’re around him. He has previously interpreted things that you’ve said to be something different. He’ll expect you to provide whatever workplace he and his people need, but will not be a strong ally in terms of helping you get the money or resources necessary to put the project together. Elizabeth is a very nice person. She has huge networking requirements, seeing that her people send big files across the network all the time. She’ll defend your position strongly, but only from the perspective of what it can do to help her people. That’s as it should be, because she doesn’t really have control over other departments.


A

s important to your Windows 2000 design as the company’s management style is the organizational structure of the company. Determining an organizational structure can be as full of hidden, esoteric nuances as determining management styles, so take your time and try to really assess the situation. There are two parts to figuring out a company’s organizational structure:


How is the management organization laid out?

How is the organization itself logically laid out?


Organization of Management We talked about this in great detail above, so you should already have a feel for how to diagram such a thing. But it’s important to mention that your


www.sybex.com



67

company’s management structure could be just like the Wizard of Oz: things might not always be as they seem. Here’s an example. Often the management of a group of people falls to a person who has absolutely no clue what the group does—especially, for some reason, in network administration. Very often in smaller companies the network administration team reports to the financial officers, maybe because it’s thought that the administrators spend way too much money on computers. But if the manager over this group isn’t savvy about computers, guess what? Communications become exceedingly more difficult and projects that much harder to get approved and implemented. Another frequent situation involves someone from a remote site, who from the outside appears not to have much power at all, but actually possesses a great deal of input on given projects. You work up a huge project document, detailing to the nth degree how it will be accomplished, only to have this remote-site person swagger into a meeting one day and put the kibosh to the entire thing! (And smile while he’s doing it!) Your careful analysis of the organization of your management is all for naught because of a geographic oversight on your part. I call these situations icebergs because, to you, the people involved appear to be inconsequential blips on the radar screen, when in reality they have the capability of ripping a large hole right through your keel. An analysis of the organization of the management would have prevented the iceberg. You would have known that this person was out there, would be present in high-level meetings, and might have strong input.

The Organization’s Logical Layout So, enduring the wounds suffered in the above scenario, you determine to figure out how the organization is logically laid out. In other words, you try to put together, as best as you can, the compilation of the management structure, the management styles of each manager, where they’re located, and what they’re responsible for. Then, as an added bonus, you begin to see if you can add in those situations where you have icebergs looming on the horizon. Why is it important to find the icebergs? Well, maybe for you it’s not, especially if you’re involved in just a minor percentage of the company’s overall computing environment. Maybe your charge is only to upgrade the engineering division’s servers to Windows 2000, and you really don’t give a rip about the sales department’s servers. OK then, no problem. But what if


www.sybex.com


68

Chapter 2


you’re designing a deployment that’s going to reach out and touch all servers? Or, more importantly, what if your deployment actually will wind up affecting other departments in tacit ways you haven’t thought of yet? That’s where the icebergs come into play. For example, suppose that you have a company that spans multiple geographic regions. You have administrators in each region—smart, capable people whose input you respect. You’ve talked with them about the Windows 2000 rollout, and everybody’s chomping at the bit to move forward. But as you go forward and begin to meet with stakeholders and managers, you find quite a bit of friction in the form of one vice president of engineering in a region very far away from you. Now you’ve got an iceberg; how do you steer around it? My suggestion would be to first of all assure yourself that you have complete devotion to the project from the stakeholders and as far up the management chain as you need to go. Since this person’s a vice president, you might need to have some pretty big rudders to steer around this iceberg, in the form of executive management go-ahead. Next, you need to assess this executive’s credibility in the overall scheme of things (e.g., do others take this vice president’s complaints seriously?), and then you need to come up with your action plans. It’s not an easy task, but it’s one you need to anticipate and be prepared to deal with.

Design Scenario: Don’t Be the Titanic You’ve worked for a medium-sized service organization for years. There are about 2,500 employees spread out over a dozen states, each with a campus of about the same size, connected together by standard data network connectivity. The campuses all basically function the same, in terms of their management structure and mission. In other words, executive management has its headquarters at one location, and then within each site there are managers who effectively do the same thing as managers in the other sites. You have, for example, a service department that handles the intake, repair, and redeployment of goods needing service. There is a service manager at each location, all earning essentially the same pay, all handling roughly the same amount of traffic each month, all with about the same number of employees.


www.sybex.com



69

Windows 2000 will provide your company with enormous benefit in terms of name-server resolution problems you’d been having with old legacy systems, in Active Directory deployment, in Dfs implementation, in virtual conferencing using LDAP and NetMeeting solutions, and in advanced applications that you intend to install. One of your goals, for example, is to jettison a fairly large legacy database using a well-known enterprise database software product and replace it with a Microsoft SQL Server solution. You’ve taken a hard look at the management of your company and, since you’ve been there so long, you feel you have a pretty good handle on the majority of people in the upper ranks, personality-wise. Since the management layout is logically so flat and, from all appearances, benign, you don’t think that you have any problems with this suggested database replacement. You have serious credibility with your management, the CIO looks to you for your suggestions and leadership capabilities, and you feel pretty confident. Ask yourself: Are there any potential icebergs? The key word in this scenario is legacy. Regardless of how wonderful something new seems, people do not like change. I have a friend who is, to this day, administering a 10-node coax 10Base-2 network with Windows 3.11 workstations, and he’s happy as a clam with the setup, as is his boss. In this scenario I think there is a definite iceberg waiting to surface, especially when it comes to discussing a change to a legacy database system that has worked well all these years. You might well find that more than one of the managers you think you know so well will surface and try to thwart your plans. Here’s how I would attempt to plan for such an event, though I have to tell you that sometimes you just give up on situations like this and just learn to live with them. I’d really do my homework on why the database upgrade will help the company, how it will help them, and how much money it will save them. Be prepared with numbers that make good practical and economic sense. Don’t try to wow non-computer-types with megaflops. Try to put a TCO (total cost of operations) spin on the presentation. It’s good that you have credibility with your leadership; that’ll go far. But now you need to put some practical business sense into why you’re suggesting this maneuver.


www.sybex.com


70

Chapter 2


If it turns out that you yourself really can’t see the reason, other than it looks like the really cool thing to do, you’ll never in a hundred years convince others that the change is necessary—especially the stakeholders who are working with the system and are more or less happy with it. On the other hand, if the stakeholders have come to you and complained that the current database reeks of rotten eggs and that they’d really like you to come up with a replacement, then you have a different scenario and your icebergs might melt before you reach them.

In the sidebar and throughout the book, I use “total cost of operations” because that’s Microsoft’s phrasing; most people know this as “total cost of ownership.”

Organizations That Are Not Private Companies

T

here are two situations in which an administrator or designer might have unique considerations different from those of a private company: notfor-profit organizations and governmental bodies. Both of these kinds of organizations have budgeting, management, and process differences that can contrast drastically with a private company, whether the private company is publicly or privately held. If you work for one of these two kinds of organizations, you undoubtedly already know what I’m talking about. But suppose that you one day wind up working for a not-for-profit organization or for the government in some way. What differences can you expect?

Not-for-Profit Organizations Organizations that exist for a specific purpose, not for the sake of generating a profit, are not-for-profit organizations. They typically operate under a different set of accounting rules and are scrutinized very closely, both by the


www.sybex.com


Organizations That Are Not Private Companies

71

government (for tax reasons) and often by the people who donate money to the organization (a benefactor or donor). A benefactor is someone who donates a very large amount of money to an organization and may repeat the donation year after year. A donor is someone who donates a smaller amount of money (a few dollars, for example) and who may or may not repeat the transaction. Typically, a not-for-profit organization will have a board of directors with a chairperson and a variety of officers in charge of making sure the organization fulfills its charter. Planning a network upgrade in a not-for-profit environment will usually center on costs. Just like a publicly held company, a not-for-profit entity has a fiduciary duty to its benefactors. But because of the tax and accounting scrutiny that the organization is placed under, money will usually be very tight and closely guarded. Your Windows 2000 planning will likely center around legacy hardware, not new replacement gear (unless absolutely mandated), and your budgetary layout will be challenged much more often. It could be anticipated that your deployment will take longer due to the lack of funding.

Governmental Bodies Working for a government organization is completely different than working for a private company. There are many reasons for this:

The level of red tape and bureaucracy goes up by two to 10 times the amount you’d find in the average private company.

The pay is often less than the corporate average, so you’re either understaffed or else staffed with people who’ve come up through the ranks and who may not have as keen as grasp of networks and networking as you do.

Usually some legislative body (which may or may not understand exactly what the organization does) gives a governmental body its direction, so you may have little direct control over how you accomplish a given objective.

The budgetary cycle is often one in which the money for the year is doled out all at once and managers have to be careful about how they allot their funding so that they don’t run out too soon.


www.sybex.com


72

Chapter 2


The public has great say-so on how you do your job, either indirectly through the legislative body, or directly to you, so you’re constantly putting out fires that a “civilian” has started by complaining about a given system or scenario.

Since you’re relying on elected officials to oversee, you never know from one election to the next whether you’re going in the right direction. Your elected official may be replaced by someone of a completely different political persuasion than the last person in the job. Often a newly elected official comes in and completely cleans house, appointing all new officials under her, making yesterday’s hot project into today’s hot potato.

Because your executive management is motivated politically, not by business or technical concerns, your objectives may be in direct conflict with theirs.

Managing a Windows 2000 rollout in a governmental scenario will likely require much more stakeholder interaction. You’ll have to begin preparing very early and thoroughly document all processes. Budgetary factors will be of prime concern. Though there may or may not be a money problem, you’ll have to make numerous presentations in your quest for the OK to spend the money. You’ll likely have to present your arguments for the upgrade to some sort of oversight committee that will review your recommendations, present them to the legislative body, and approve or deny the project. Your Q1 plans for a Q3 rollout actually mean Q3 of next year or the following year, not the current one! The question of whether you should upgrade may even wind up on the local ballot! Governmental work is a long, winding road that you must go down in order to get your projects done. It requires patience, extra planning, foresight, and excellent communication techniques.

Defining Your Vendor, Partner, and Customer Relationships

I

n business as in life, relationships are everything. Treat someone reasonably and you’ll likely get reasonable treatment back. Treat them harshly and they’ll likely return the favor. Some companies seem to understand this


www.sybex.com



73

phenomenon, and others don’t seem to ever get it. But even if your company is neither hot nor cold regarding its relationships, you’ll probably find yourself in the middle of various alliances that you’ll have to treat with care if you hope to nurture and grow them. That’s what this section is about: the definition of and attention to your business relationships. Microsoft has seen fit to define three different kinds of relationships, though there may be others that you can readily define. Too, you may find that you are dealing with people who present a mix of types. The important action here is to define them so that you can begin to work positively with them.



Vendor Relationships Vendors are those who sell you the equipment, software, and services you need to get your job done. Some companies that manufacture things also act as the vendor for those things. It used to be that you had to go through a middle tier, a vendor of some kind, to purchase PCs. But recently some PC manufacturers such as Compaq and IBM have gone into the business of being vendors, along with continuing to have authorized channel resellers. Other companies such as Dell and Gateway have basically been vendors from the get-go, and thus have driven the older legacy firms toward the same environment. PC manufacturers are a given. But what about software vendors? Can you go straight to, say, Oracle Corporation, to buy their latest and greatest software? You might be able to, especially if you’re a big enough client; but in the high-end enterprise software world, unlike the PC world, a middle tier seems to come into play fairly frequently. This has to do with the ongoing support and maintenance assistance that some large software products require, and the hands-on intervention of an authorized vendor provides for quicker remediation and service than a large software firm can afford to provide. There seems to be a striation, of sorts, within this framework. For example, you can either choose to purchase your BackOffice software


www.sybex.com


74

Chapter 2


through an authorized dealer, or you can purchase directly from Microsoft. I’ve even seen various BackOffice software on the shelves at CompUSA! One company I worked for wisely realized that we didn’t possess the entire breadth of knowledge required to maintain a fairly eclectic enterprise, so the operations manager retained a service company that was “on call” for us whenever we got into a problem bigger than we could solve. And it came in handy a time or two! Once, when I was pretty new to TCP/IP, we had a problem that I could not solve. We called in this service organization; they showed up within a couple of hours. The young man sat down and promptly said, “This is a WINS issue.” I was stunned. I thought we were in for a long haul, traipsing through registries and going over event viewer logs, but instead he had the problem rectified within 20 minutes! Here was a vendor relationship that, while expensive, really paid off in the long run. Incidentally, I’ve since left that company, but they’ve retained their contract with this service organization. Recently, near the time of the Y2K turnover, the company’s Exchange server took a nosedive and this support company was called in to fix it. Crutch, curse, or blessing? Which do you think an organization like this is?

Partner Relationships Partners are companies or individuals that are in the business of helping you do business. Microsoft is perhaps the best example of a company that thrives on partner relationships. They have thousands of Microsoft Certified Solutions Providers and Microsoft Certified Training and Education Centers all over the world that assist them with the massive job of training and providing programming support for Microsoft software. Microsoft uses not one, but two different partners to provide testing for the various Microsoft certification programs. Microsoft also maintains a strong partner relationship with Intel and Compaq. Lots of people might say that the companies benefiting from these partner relationships are the partners and not Microsoft, but don’t you think that Microsoft would really have a hard time doing business if they didn’t have all this help at the ready? It’s a “you scratch my back, I’ll scratch yours” relationship, one that’s been in place for years. A different, more subtle kind of partnership is the one that Linux users enjoy. When you use Linux, you don’t necessarily buy the code from any one company (OK, I realize that you actually do buy from Red Hat or other


www.sybex.com



75

Linux vendors), but you have a sort of unwritten partnership with all the different software developers out there who are busy writing drivers, add-ons, components, and other software bundles for Linux. Since Linux is an open system, anyone can write code for it, and that makes the software highly partner-based. Can you analyze the kinds of partner relationships that your company might be involved with? Maybe in your IT area, perhaps in the financial, engineering, training, operations, or management offices? How about legal partnerships, where your firm doesn’t have a bunch of corporate lawyers but retains several lawyers for a rainy day? Some partnerships are obvious; others are quite subtle. But you need to clearly understand the partnerships in place at your company. Why? Because these partnerships may be the foundation that helps you in your quest to get a Windows 2000 network going. Remember the support partnership I was involved with? Maybe you’ve got something like that where you work; if so, you’ll find, if you dig a little, that the people who provide you your support are knowledgeable about Windows 2000 and ready to help you make your deployment succeed. Or quite the opposite: perhaps you have partners that are working against you in your quest to get a solid Windows 2000 network nailed up. Maybe your partners have different “goals” in mind, one of them that you convert from one NOS to another. In the process of doing so, they pick up lots of business, and perhaps you pick up lots of headaches you could’ve done without. Maybe you have partners who can help you figure out the little nuances of software that has to interface with Windows 2000. For example, suppose that you obtain most of your BackOffice software through a Certified Solutions Provider. They might have lots of experience in working with Exchange deployments and can give you oodles of hands-on help plus pointers on what to do and what not to do. All of these ideas and more are the reason that you need to pinpoint your partner relationships.

Customer Relationships Now we get to the rhetorical relationship. Quick! What’s the most important part of your business? Your customer, right? Well, can you tell me who your customer really is? What sort of person


www.sybex.com


76

Chapter 2


or business represents the main type of customer your company usually works with? If you’re involved with a chain of bookstores, maybe your customer is the average person walking in off the street. If you’re a medical supply manufacturing firm, perhaps your average customer is a hospital or a doctor’s office. It’s vital that you personally know and understand what or who your company’s customers are comprised of. I can think of some scenarios where defining the customer is very difficult without the assistance of some heavyweight demographics. For example, you work for a mutual funds organization. Who’s your customer? The company buying massive quantities of shares based on the orders their employees turn in as a result of a benefit the company’s offering? Individual buyers? Investment clubs? You can see how it would be tough to get your arms around exactly who your customer is in this case. Lots of organizations use software, such as that written by Customer Insight Corporation, that is able to perform demographic analysis on huge customer databases and answer some fairly involved questions about the profile of the typical customer. Banks have a vested interest in this kind of software, because it allows them to profile their average customer, the kinds of banking products that their customers typically use, and even spots where the bank could begin focusing its efforts so as to increase its business. Coincidentally, you’d probably be involved with maintaining this software if your company were to purchase it and put it on a server. Grocery stores have for several years now been obtaining demographic information about their customers. It’s no secret that the reason you have to obtain a “discount card” in order to reap the benefits of some markdowns is that the grocery is assimilating demographic information on what you purchase every time you go shop. Did you buy bread? What kind of bread was it? How many loaves? Your grocery store’s IT department could probably whip up a fairly quick ad hoc report that would provide a very detailed profile of your grocery shopping habits. That’s how important it is for companies to know who their customers are. So, think hard… who are your company’s customers? But even more importantly, who are your customers? That’s right, who would you say represents your personal customer within your company? If you’re a project manager, your customer probably consists of two groups: the stakeholders and the managers to whom you report. If you’re a network architect, then you have a slightly different set of customers: your managers and the team that will receive the app that you’re designing for deployment. If you’re a network administrator, your customers are the network users.


www.sybex.com



77

Once I took a Windows NT 3.51 server class. The instructor actually said this: “User is a four-letter word.” Buzz! Wrong! If it weren’t for your users, you wouldn’t have a job and you wouldn’t need this book. Your users, far from being a four-letter word, are your bread and butter. Treat them well.

It’s important to understand who your company’s customers are, because it keeps you focused on why you’re doing what you’re doing. It’s important to understand your own customers, because it keeps you focused on what they’re doing. You need both to get this Windows 2000 deployment established correctly.

Design Scenario: The Relationship Dance Danny is a Web developer who’s an expert with Java. He’s an utter Web wizard, as a matter of fact. Your company is so lucky to have him; they don’t seem to get how crucial this guy is to the company relative to the kind of Web development he’s capable of. Especially when you’re told how little they pay him! What’s the matter with them? Danny loves Macintosh computers, of which your company has a handful. You don’t go out of your way to support the Macintoshes—thank goodness most of those users were capable of taking care of themselves long ago. One day Danny is offered an astounding amount of money to go somewhere else, and he’s sorely tempted to take the offer. He’s not being recognized for his level of expertise where he is, and he knows it. He can make some headway by leaving. What’s he got to lose? You’re very disturbed by this scenario. You start to think about customers. While Danny isn’t a customer of the company, in a sense your customers will suffer if he goes, won’t they? After all, the Web pages he designs are the things that attract visitors, who in turn become customers.


www.sybex.com


78

Chapter 2


It’s a long shot, but you wonder if Danny would benefit from a couple of the Windows 2000 options that you can offer him with your rollout. Danny has often complained that the company’s servers are basically out there by themselves—there is little to protect them if they get overloaded with visitors, which they sometimes do. Windows 2000 load balancing would help that scenario, wouldn’t it? Plus, the built-in proxy server facility would be of great benefit to him. In fact, the entire Windows 2000 upgrade is basically built around webs and Web pages, isn’t it? So, while it’s a pretty weak argument, maybe he’d stick around because of these concepts. The Macintosh support stays the same, isn’t heightened or decreased by Windows 2000, so you don’t have much to offer him there. But nonetheless, he is indeed a network customer, isn’t he?

Are There Acquisition Plans in Your Company’s Future?

S

ome company CEOs, especially those who head up small businesses, are interested in grooming the company to a state of health where it’s ready for an acquisition of some kind. The company has a product that’s unique, the engineering and marketing forces are in place, and the firm is moving strongly forward. It’s almost like dangling a worm in front of a school of catfish and wiggling the poor thing enough so that one of the fish takes the bait. There are different reasons for acquisition, so let’s see if we can elucidate them here.




www.sybex.com



79

Acquiring a Needed Service or Item Some companies are so huge that, when they need something that fits into the profile that they’ve established for a given product or service, they often buy a company making that very something rather than make it themselves. For example, if you needed a speaker to fit into the console of a new electronic device you were manufacturing, but you knew nothing about making speakers, wouldn’t it be easier to simply buy a company that knows how to make speakers and then have them put speakers in your devices? Sounds like a stretch, but it’s done every day. It’s sure easier than trying to reinvent the wheel and make your own speakers. Plus, it might be cheaper than buying specially made speakers by the boxcar-full.

Acquiring a New Business Venture Another reason for acquisition is that a company is doing something that the company looking to acquire wants to get into. If you’ve got a big communications company, for example, that specializes in magazines, books, movies, television, and radio, but you’re hungry to get into the Internet, what do you do? You look for an ISP of some success and size that’s available for acquisition. And, depending on the price, they’re all available for acquisition. It’s been said that everyone has his or her price. We’re in crazy times, in terms of acquisitions. The Time Warner/AOL merger is one that people didn’t expect because it was AOL that bought Time Warner! People saw this as sort of a reversal of roles—David buying Goliath. In the ’00s, with the boom economy and tsunami-like acquisitions going on, you should be surprised at nothing that happens in the business world.

Acquiring to Accumulate Market Share Often a company is overwhelmed by its competition. A brutish little firm somehow manages to make a far better product than its oversized competitor. The bigger company’s solution to the problem? Simply buy the technology and get rid of the waifs! Other times a large company will buy a firm that has developed a part, device, service, or software solution that they desperately need. Cisco, for example, recently purchased a smallish Boulder firm that specialized in VPN


www.sybex.com


80

Chapter 2


software. Why? To assist with Cisco’s overall goal of providing a VPN presence to any company that desires one. Years ago 3Com purchased a small company in Israel that was manufacturing ATM switch chassis. And so it goes.

How Takeovers Happen The act of one company purchasing another is called a takeover. There are two kinds of takeovers, hostile and non-hostile.

Hostile Takeovers A hostile takeover occurs when the company that wants the goods or services of the target company simply barges in and acquires controlling interest. This can happen, for example, when a company has managed itself so poorly that it’s weakened to the point where it’s a good target for takeover. Provided, that is, that its goods or services are something that are desired in the industry. It’s a simple thing really, provided your purse strings are big enough. You simply buy up the majority of the stock and all of a sudden you hold the controlling interest in the company. OK, it’s not that easy, but there are individuals and companies that specialize in the art of the nasty takeover and make really big money at it (remember Wall Street?). My point is that a hostile takeover is one that the target company does not want to have happen. But, like a rabbit being chased by a cheetah, there’s little hope of survival.

Non-Hostile Takeovers Non-hostile takeovers happen when a company is amenable to the proposition of being taken over by another company. Some companies are founded and managed in such a way as to drive the company toward a takeover. There’s huge money in it for the officers of such a company, but you have to be an extraordinary manager to pull it off. A person starts the company, preferably with a product or service offering that’s hot, hot, hot, and then manages it well until it’s highly attractive to other companies. Then the company introduces an initial public offering (IPO). We’ve seen that a well-managed company with an IPO can make extraordinary money in just a few months. By then the company is ripe for the pickin’, so to speak, and hopes are that one big-time merger-and-acquisitions person to come along and propose the deal. Boom! Whoever started


www.sybex.com



81

the company is out of there with a ton of cash in his personal bank account, and someone else gets the company. Employees? Who said anything about employees? This isn’t about what your employees will think of the process, or of you; it’s about that big paycheck at the end of the line. There are some key people who will most likely be snatched up in the takeover—developers, support staff, maybe some financial people, the engineers—but for the most part it’s very likely that the parent company will rely on its own resources to handle the brunt of the new business’ day-to-day activities. Sound cynical? Maybe so, but there are people in the industry that are hoping for just this kind of payoff. So, you have two questions that you must ask yourself:

Is your company in business-acquisition mode? You may have noted a new trend in business where it’s not necessarily the gargantuan company that winds up buying out the smaller one. There have been some “smaller fish” buying up bigger ones. A notable example is Qwest Communications, a company that didn’t even exist a few years ago, purchasing U S WEST, a fairly hefty regional telephone company. Is your company in the business of buying businesses?

Is your company setting itself up to be acquired by another company? I guess that I can offer no clear indicators of exactly how you would know that your company is in this state, apart from the concepts described above. Is your company small but provides a unique presence in your particular industry, one that others clamor for? Have you had an IPO—are you publicly held? Is your company financially strong and well managed? These are all indicators of a company that’s a sitting duck for an acquisition. Then again, you might be internally aware that your management is the worst there ever was, but the scenario that’s portrayed to the public at large is that they’re geniuses, so it’s all relative. This question is more subjectively than objectively answered. For example, the fact that a company is publicly held doesn’t matter if the majority stock is held by a family, one that has been in the same business for generations. Such a family probably isn’t willing to get out of the business. On the other hand, if the company is run by venture capitalists, I’d say the chances are very good that you’re cruising down lover’s lane toward an eventual acquisition.


www.sybex.com


82

Chapter 2


What This All Means in Windows 2000 Terms One thing any Windows 2000 deployment is going to require is the ability to see what you’ve already got, in terms of the overall computing environment, then to make plans for the transition from the ’90s Windows to the ’00s. If you can clearly see that your company is inevitably going to be acquired, maybe you’ll decide that it’s not necessary to go to Windows 2000. What if this was a big turn-off to companies that are courting you? On the other hand, if you work for a high-technology company, maybe already being up and running on Windows 2000 would be a big attraction to potential buyers. On the other hand, if you’re in acquisition mode, you’ve got a strategic planning and logistics problem on your hands. Let me give you a scenario. You’re the Windows NT network architect for a mid-size company—say, 5,000 employees. You’ve been running on Windows NT servers and workstations for years now, so everybody in your company is pretty well adjusted to how things work. You’ve got a solid support infrastructure built around this computing environment. Now your CEO goes out and buys a company that makes a widget you need for your new product offering. To your chagrin, you find that the new company is running on NetWare 3.11 with Windows 95 computers; their financial, engineering and manufacturing apps are loaded on the NetWare boxes; and they’re really rooted in to their computing paradigm. You have a long haul in front of you if you’re going to bring this computing environment into the Windows 2000 arena. And it could be even more complicated if something like a VAX, Apple, OS/2, Unix, or mainframe operating environment is introduced. This is why Microsoft wants you to be able to put on your X-ray goggles and see if you can figure out where your company’s leaders are steering the ship—not to mention what life rafts, dinghies, barges, or battleships they’re going to be picking up along the way.

Summary

T

his chapter was all about how your company is made up. What’s the management model like? First you need to look at how your company is constructed. Is there a board of directors? Do you have a CEO? Do you have a president? Who are the senior officers? Is it publicly held?


www.sybex.com


Summary

83

Design Scenario: One Fork Goes Left, One Right. Which Way? A very large bank, family-owned yet publicly held, has gained in stature, favor, and notoriety to the point where it now employs 40,000 people and has branches spread out over many states in the U.S. The bank was so old that, in fact, it is one of few that was grandfathered in under a rule disallowing banks from participating as brokerages. So the officers of the bank have purchased several brokerages in order to be able to add to the current suite of product offerings. The bank has been able to successfully manage these smaller acquisitions and bring them into your native computing environment, with your help. You’re the network architect for this bank. You have very successfully engineered your environment to the point where all users’ workstations and all servers run entirely on Windows NT. You’re running Systems Management Server for your asset management, and you’re heavily invested in the full BackOffice suite of product offerings. In addition to the basic network computing environment, the bank also has a mainframe and plenty of mainframe coders who write CICS transactions that are used by bank personnel to track accounts. These personnel use 3270 emulation software on their NT workstations to perform mainframe transactions. You also have some large enterprise databases that run on SQL Server. Everything works very smoothly. You’re in the throes of planning your Windows 2000 upgrade, a massive project that’s going to require considerable time and expertise to accomplish. One day you find out that the officers of your bank have once again gone into acquisition mode and have purchased their nearest competitor: another huge bank, also with 40,000 employees! And to your amazement, you also learn that this bank is entirely based on NetWare 4.x—not a stick of NT anywhere to be found. You have Exchange servers; they use GroupWise. You use SMS 2; they use ZEN Works. They have huge Unix servers running Oracle databases; you use n-way Intel computers running SQL Server. Their physical plant is still on 10Base-T; you migrated to 100Base-T with a gig backbone last year. Your users all use Windows NT workstations; all of theirs are on Windows 9x.


www.sybex.com


84

Chapter 2


Negotiations begin between you and your team and their network architects. Your management has instructed you that the assimilation of your computing environment needs to be accomplished as quickly and easily as possible. Suddenly, you went from having a substantial Windows 2000 project plan on your hands to having to figure out how this whole new situation is going to happen. You have three options: You can go along with the flow and fully get into the NetWare way of life. You can “fight” the change (using diplomacy, business sensibility, and building the business case), but you probably won’t win. Or you can polish up your résumé and get out of Dodge.

Then you try to determine the management style of your leaders. Management styles are as varied and hard to pinpoint as the number of people there are, but you can reasonably expect to find certain styles, among them autocratic, laissez-faire, loose-bundle, hands-on, neutral, and political. A Windows 2000 deployment is going to require that you solidly communicate, and to do that requires that you understand how a manager likes to be communicated with. Next you determine the company organization. There are two key components involved here: determining how your management is laid out, as you just accomplished above, and then figuring out the logical layout of your management, a much more tricky detail item. There are people with key points of power who don’t have the title to go along with their ability. These people can stop your endeavor dead in its tracks. You must have a firm grip on who the players are so that you can present your case in a way that suits them. It’s not about wanting to accomplish a Windows 2000 rollout—we all want that—but about how to communicate to others why it’s necessary and how you’re going to do it. If you barge into a director’s office and tell him how the hog ate the chicken, chances are your rollout won’t be approved. Better to understand with whom you’re trying to communicate so that you get buyin on your project plans. Next you analyze vendor, partner, and customer relationships that you or your company have built. They’re going to be key in your endeavors as well. Finally, you must understand whether your company is either in a position to be acquired or will be acquiring other companies as time goes on. This too has substantial importance in how your Windows 2000 project plan will be formulated.


www.sybex.com


Summary

85

Key Terms The following key terms apply to the things you’ve read in this chapter about how companies are managed. autocratic fiduciary hands-on hostile takeover initial public offering (IPO) laissez-faire loose-bundle neutral non-hostile takeover political project-oriented takeover


www.sybex.com


86

Chapter 2


Review Questions 1. Typically, the management of a publicly held corporation would

include which of the following? (Choose all that apply.) A. Board of directors B. Chairperson C. Chief technical officer (CTO) D. President 2. Your supervisor is completely disorganized! She has papers lying all

over and can seldom find anything quickly. E-mail isn’t answered on a timely basis. She seems to be effective in her management (at least her superiors think so), but you can’t for the life of you figure out what her “just in time” style of management accomplishes. What would be the closest example of her management style? A. Loose-bundle B. Laissez-faire C. Neutral D. Autocratic 3. Typically, to whom would the chief general legal counsel report? A. President B. Board of directors C. Chief financial officer D. Vice president of operations 4. What is the chief difference between a senior vice president and a vice

president? A. Time in company B. Management hierarchy C. Pay D. Perks


www.sybex.com


Review Questions

87

5. When would there be more than one board of directors? A. Company has more than one stock offering B. Large company has multiple subsidiaries C. Company merges with another company D. Company has multiple product offerings 6. The president of your company is an ex-Marine Corps officer and his

philosophy is very plainly “my way or the highway.” He runs a tight, stern ship. What is his management style? A. Laissez-faire B. Neutral C. Autocratic D. Loose-bundle 7. You work for a small electronics company that specializes in home

surveillance gear. The company is very successful and recently went through its IPO, so now your company’s officially listed on the stock exchange. You’ve noticed that your senior management has been having quite a few meetings, both out of office and at home, with some people from one specific company. This kind of behavior is unusual, based upon what you’ve observed in the past. What is the most likely reason for what’s going on? A. Hostile takeover B. Merger C. Non-hostile takeover D. Large sale 8. Your company purchases a small firm that specializes in a service

you’d like to begin offering to your customers. This new company will be renamed, many duplicate personnel will be eliminated, and, in short, this company will act like just another part of the corporation. What kind of activity was just performed? A. Merger B. Acquisition C. Hostile takeover D. Non-hostile takeover Copyright ©2000 SYBEX , Inc., Alameda, CA

www.sybex.com


88

Chapter 2


9. Your company has merged with another company of roughly the same

size and with the same operating philosophies in mind. You will double in size after this merger completes. As a network designer with a fresh Windows 2000 deployment about ready to come out, what are some of the considerations that you’ll have to bear in mind as you go through this merger? Choose all that apply. A. Network operating systems in place in the other company B. PC O/S in use in the other company C. Mid- and mainframe computing environment D. Licensing ramifications E. Budgeting structure of the new company 10. Why would a Windows 2000 rollout in a governmental environment

have a different look, feel, and context than one in a private company? Choose all correct answers. A. Governmental bodies report to the people, either indirectly

through an oversight body or directly. B. Governmental bodies have much more money to spend. C. Legislation may hinder the kind of technology you can use. D. Budgetary time constraints are different than they are in private

companies.


www.sybex.com



89

Answers to Review Questions 1. A, B, D. Usually companies that have a fiduciary duty to their stock-

holders are comprised of a board of several officers, headed up by a chairperson, so A and B are correct. The company’s senior management might have a leader who’s responsible for their oversight. This person would be the president and may or may not be the same person as the chairperson. (There are varying thoughts about the mixture of president and chairperson.) There may or may not be a chief technical officer, so C would not be a good choice. 2. A. Your boss’ management style most closely resembles loose-bundle.

We’re not given enough information to know if she uses a laissez-style with you or not. Nor can we make any assumptions about whether she’s neutral to your cause or autocratic. All we know is that she functions using the loose-bundle system. 3. A. The most typical scenario is that the chief counsel reports to the

president of the company. 4. B. Usually senior vice presidents have vice presidents who report to

them, so there is some sort of intermediary structure between the president and the vice presidents. Time in company may or may not have something to do with it. Certainly a senior vice president should be paid more than a vice president, but who’s to say? Ditto for perks. 5. B. A board of directors is in place to act in a fiduciary capacity for one

body of persons: the stockholders of the company. Singular companies don’t have multiple stock offerings. Companies with subsidiaries could potentially have multiple boards of directors. When a company merges with another company, the merged company becomes a part of its parent. Multiple product offerings don’t have anything to do with stock, except in the case of a large company with numerous subsidiaries. Multiple boards might lend lots of confusion to potential upgrades, reorganizations of departments, and other fun things. 6. C. This man is very definitely autocratic.


www.sybex.com


90

Chapter 2


7. C. The most likely answer is a non-hostile takeover. Your company is

prime for an acquisition. As a home surveillance company, you offer something related to a variety of other companies. For example, a telecommunications company might be interested in you as an acquisition, in which case you’d be the chief supplier of gear that they would turn around and market to their customers as a total home surveillance solution. On the other hand, a merger makes sense because you have a product that could augment the current offerings of a company already involved in the home surveillance business. Even though your company’s financial health is very good, the fact that you have a hardware product and not a software offering may not be enough to tempt someone into a hostile takeover. The key to ruling out your suspicion that all you’re looking at is a large sale is that there are lots of meetings, both off and on site. 8. A. Your company just participated in a merger. The small firm was

merged into your large one and the two became one. Acquired companies generally keep their same name and operating style—they just have your company as a parent. You can’t tell from the information given whether this was a hostile or non-hostile takeover, so you can’t make a judgment. 9. A, B, C, D. Of all of the considerations, E is the least likely to be some-

thing you’ll have to worry about, though it may crop up. You’re certainly going to have to be concerned about the NOS that’s currently in place, as well as the PC O/S. You’ll have to know what kinds of intermediary environments are in place, and you’ll surely be interested in the licensing scenario. 10. A, C, D. Though it sometimes may not seem like it, governmental

bodies have a duty to the people. Government isn’t in existence for itself, it exists for the good of the people. It’s possible that the legislative body that gives a governmental body its direction will not allow a certain technological jump—or if it does, at the very least there will have to be some serious study done before rollout. Governments have a whole different budgetary cycle than private companies do, and an upgrade rollout of Windows 2000 will have to take that into consideration.


www.sybex.com


The Multi-Office State Agency

91

You should give yourself 10 minutes to review this case study, diagram as needed, and complete the questions for this testlet.

Background You work as the senior network manager for a state agency. Your responsibilities include the maintenance of the network infrastructure across six different campuses. You are also responsible for the server farm, the tape backup system, any client/server applications you have running, the helpdesk and PC technician support structure, the telephony systems, the e-mail system, and the fax system. There are about 1,000 users spread out over the six campuses so, while your enterprise isn’t large, it’s geographically diverse. Your agency is directly funded, meaning that money isn’t as big an obstacle as it is in those agencies that could, at the whim of the governor’s pen, go away tomorrow. That’s a very good thing, but it doesn’t mean that you can spend money any old time that you want to. There are strict accounting rules in place, and a lot of your time is spent in conversation with one of the agency’s budgetary specialists. New technical projects of a certain size must be presented to the governor’s oversight committee for technical approval before you can go forward.

Current System Campus A Your office is at Campus A, which is housed in a building close to the state capitol building, nice and close to the legislators and the governor. Here you have about 200 users. Most of the users in the agency have desktops that are either on Windows for Workgroups 3.11 or Windows 95. There are very few Windows 98 workstations, and your team of four is the only group in the agency that uses Windows NT Workstation. There are only one or two laptops. Your campus is the locus for the other five campuses; each other campus has a T1 line that connects you to them in a star topology. Each office has a small Cisco 2500 router and a CSU/ DSU. Most of the NT server farm is in this building, though you maintain a BDC and an Exchange 5.5 SP2 server at each of the other campuses. The network infrastructure is 10Base-T; all wiring is Category 5. The agency


www.sybex.com

CASE STUDY



Chapter 2


has a staff of developers that write Visual Basic front ends for Oracle databases on Unix servers, and this is how the agency does the majority of its work.

CASE STUDY

92

Campus B This campus is in the same city as you, a few miles away. There are about 150 users at this campus, and they are geographically separate from you simply because the state tries to obtain the least expensive office space it can find and yet maintain a reasonable level of quality. You have an Exchange server and a BDC at this site. The network infrastructure is 10Base-T; all wiring is Category 5. Campuses C–F These four campuses are scattered around the state. Each has between 100 and 300 users. The network infrastructure at these locations is 10Base-T; all wiring is Category 5. Each location has an Exchange server and a BDC.

Problem Statement You want to upgrade the entire network to Windows 2000, including bringing all of your users up to Windows 2000 Professional. You’d like to migrate the Oracle databases off of the Unix servers and onto NT, thus effectively getting your network onto one NOS.

Availability Overview The campuses are open during regular business hours and you don’t very often have anyone working after hours, with the exception of a developer or a manager who occasionally burns the midnight oil. But because your information processing load is high and must be accurate, losses in daily computing activities can be very troublesome. Operations Manager “We need to be sure that when people are working, the systems are available. The Unix computers don’t give us any trouble. If you port the Oracle from Unix to NT, can I be guaranteed of the same performance?”

Maintainability Overview This is the chief reason you want your users on Windows 2000 Professional. You can implement profiles and keep them from getting into things that they shouldn’t. With your pared-down PC technician and


www.sybex.com



93

Software Developers “If you implement policies, we want you to be sure that you make us local administrators for the computers we’re using. It’s important that we are able to administer the computers.” Operations Manager “I want a standardized desktop deployment, and I don’t want any cowboys.”

Performance Overview You’re concerned about the 10Base-T infrastructures, whether they’re up to the traffic that hundreds of Windows 2000 Professional workstations can generate. You think the T1 lines between each of the campuses are fine—over-engineered, if anything. Governor’s Technical Excellence Committee “If you upgrade your network, we think that you should consider upgrading each infrastructure to 100Base-T. That is the state’s current standard.” Telephony/Data Circuit Manager “When I provide a frame relay circuit for you, I generally try to over-engineer the circuit. I can do this because we have such a favorable contract with our telecommunications company. My charts show that you will not easily overload the T1 circuits with the number of users you have at each location. Our telephony circuits are on a different wire going into each building, so you don’t have to worry about voice getting in the way. I think you’re fine for this upgrade, in terms of WAN circuits.”

Funding Overview Of the 1,000 computers that are going to receive Windows 2000 Professional, only about one-third have the hardware needed to handle the software. The state has a three-year life expectancy policy for computers so, depending on the purchase date of the computer, you may be able to make a case for replacing quite a few of them (at $1,200 each). The


www.sybex.com

CASE STUDY

help-desk staff, you’d really like to be able to cut down on the number of nuisance calls you have to make because somebody deleted an important registry key, file, or folder.


Chapter 2


servers can handle the upgrade, though a couple may need to be replaced for about $15,000 each; you’ve been thinking about replacing them anyway. The infrastructure upgrades will be expensive, on the order of $3,000 each for switches that can handle two dozen users. Then, of course, there’s the cost of licenses ($59 per user, and more than ten times that per server). And migrating Oracle to Windows 2000 will run you $25,000 to $50,000.

CASE STUDY

94

Vendor relationships are a pretty funny thing. You can’t just go out and decide that you’d like to purchase one brand of equipment. Instead you’ll have to come up with a sheet that details exactly what you’re looking for, then put it out for bid. You have to use the devices that are supplied by the winning bidder. If you’ve got a brand loyalty, you’ll have to write the bid detail sheet in such as way so that the winning bid consists of the brand of gear you want to install. CIO “You know me—I’m a visionary and like new technology. But if I stick my neck out on the line with this upgrade and it blows chunks, I’m not going to be happy. I want to see a thorough project plan. I’d like to see white papers and detail sheets that tell me exactly what to expect, and I want a solid budget plan. I think you’d better test all of this out in the lab before you do anything. Plan on a two-year deployment—I don’t think you can get the funding for any more than 50% of the computers you need to upgrade.”

Questions 1. What is the first step that you need to take? A. Prepare the infrastructure upgrade plans and budgets B. Prepare the workstation upgrade plans and budget C. Prepare the server upgrade plans and budget D. Plan the test environment


www.sybex.com



95

left, in the order that you should begin working on this project. (Note: These tasks are certainly not all-inclusive. In a real deployment you’d have many more tasks than this!) Tasks

Tasks Prepare infrastructure upgrade budget Prepare infrastructure upgrade project plan Identify server readiness— determine which servers need to be upgraded Prepare server upgrade budget Prepare server upgrade project plan Identify workstations that cannot run Windows 2000 Upgrade workstations that cannot run Windows 2000 Prepare workstation upgrade budget Identify Windows 2000 licensing costs Identify legacy BackOffice compliance issues Obtain white papers and spec sheets for CIO Prepare overall project plan, identify project phases, milestones, resources Meet with stakeholders


www.sybex.com

CASE STUDY

2. Look at the chart below. Move tasks from the right column into the


CASE STUDY

96

Chapter 2


Tasks

Tasks Meet with governor’s Technical Excellence Committee Talk with Microsoft about porting Oracle to Windows 2000 Datacenter Prepare lab environment Test Windows 2000 mock deployment in lab Test Oracle databases running on Windows 2000 Datacenter in lab

3. What will be the biggest obstacle you’ll encounter as you go through

your upgrade project planning? A. Upgrading of infrastructures B. Upgrading of workstations C. Conversion of Oracle from Unix to NT D. Legacy Exchange server problems on Windows 2000 4. In your project planning, what will be the biggest expense you’ll

encounter as you implement your project? A. Infrastructure upgrades B. Workstation upgrades C. Server upgrades D. Licensing E. Move Oracle to Windows 2000 Datacenter


www.sybex.com



97

gest long-term impact on the project in terms of budget? A. Abandon your mass Windows 2000 Professional upgrade plans

and migrate the workstations more slowly. B. Leave Oracle on the Unix computers. C. Leave the network infrastructure at 10Base-T. D. Purchase the licenses a little bit at a time. 6. In the table below, reorder the people or groups into the order of

importance that you think they have, from biggest bearing on the success of this project to smallest. Person or Group

Person or Group CIO Operations manager Telephony/data circuit manager Governor’s Technical Excellence Committee Legislature Stakeholders PC technicians Help desk Network team Unix admins NT admins Exchange admins Users Non-IT management


www.sybex.com

CASE STUDY

5. How could you mitigate some of the expenses that would have the big-


CASE STUDY ANSWERS

98

Chapter 2


Answers 1. D. Listening to the CIO, in this case, is a very good thing. She knows

what she’s talking about when she tells you to develop a test environment first, then follow on with your other plans. 2. See chart below.

Tasks Obtain white papers and spec sheets for CIO Meet with stakeholders Meet with governor’s Technical Excellence Committee Prepare lab environment Test Windows 2000 mock deployment in lab Talk with Microsoft about porting Oracle to Windows 2000 Datacenter Test Oracle databases running on Windows 2000 Datacenter in lab Identify legacy BackOffice compliance issues Identify Windows 2000 licensing costs Prepare infrastructure upgrade project plan Prepare infrastructure upgrade budget Identify server readiness—determine which servers need to be upgraded Prepare server upgrade project plan Prepare server upgrade budget Identify workstations that cannot run Windows 2000 Prepare workstation upgrade budget Upgrade workstations that cannot run Windows 2000 Prepare overall project plan, identify project phases, milestones, resources


www.sybex.com



99

project planning is the idea of moving Oracle off of the Unix servers and onto Windows 2000 Datacenter. You’re going to get lots of static over this suggestion—from your Unix administrators, from the stakeholders, maybe even from the CIO and others. While the idea is solid and one that should be pursued—it’s always good to consolidate your computing environment’s software platforms when possible—this is going to be an extremely tricky objective, especially from a political point of view. 4. B.

Infrastructure upgrades: 1,000 users / 24 users per switch = approx. 42 switches, × $3,000/switch = $126,000 Workstation upgrades: $1,200/workstation × 250 workstations (this year) = $300,000 Server upgrades: $15,000/server × 2 servers = $30,000 Licensing: $649/server license, $59/CAL = approx. $65,000 Oracle over Windows 2000: $25,000 to $50,000 These are very approximate calculations that you could tweak up by obtaining exact quotes from your vendor, but they’re good enough that you can make an educated decision about the biggest budget item in the project. Surprisingly, the workstation upgrades are your biggest expense. 5. A. There’s no need to do a fell-swoop upgrade and mass install of Win-

dows 2000 Professional on the workstations. For example, as a PC technician visits a computer for another problem, take the extra hour and upgrade the box to Windows 2000. Yes, you have a bit of a cowboy problem, but you can manage that while you get your upgrades done. This buys you time to establish some lockdown policies and get people trained up (by department, for example), and gives you some breathing room.


www.sybex.com

CASE STUDY ANSWERS

3. C. Without a doubt the biggest hitch you’re going to run into in your


CASE STUDY ANSWERS

100

Chapter 2


6. See chart below.

Person or Group Legislature Governor’s Technical Excellence Committee Stakeholders CIO Operations manager Unix admins Non-IT management Users Network team NT admins Exchange admins PC technicians Help desk Telephony/data circuit manager While this is certainly a subjective ordering, if you think about the order of importance listed here, you can begin to ascertain which non-IT players might really have a considerable say in the stoppage or slowdown of the project.


www.sybex.com

Chapter

3

Evaluating Factors That Influence Business Strategy MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Analyze factors that influence company strategies.

Identify company priorities.

Identify the projected growth and growth strategy.

Identify relevant laws and regulations.

Identify the company’s tolerance for risk.

Identify the total cost of operations.


www.sybex.com

S

mart managers have two things going for them: vision and planning skills. They don’t necessarily have all of the IT skills it takes to whip up a Web page or a database or to install a copy of Exchange server, but they do have what it takes to facilitate the people who can accomplish these tasks. A manager’s job isn’t necessarily to know or understand the latest and greatest in technology (though that usually doesn’t hinder someone); rather their job is to look out at the future, compare it to what’s currently being done, and try to steer the ship toward that horizon. Managers have to be able to look at the way that their business is being done and make sure that the way the company does business tomorrow is aligned with (and hopefully out in front of) the rest of the competition. All this while maintaining the day-today firefighting that managers are there for in the first place. Vision: A manager gets tired of hearing users complain about an antiquated COBOL system residing on a mainframe and says, “Can we move this to a client/server environment—get it off the mainframe, save some money, and come up with a nicer interface than TSO/ISPF?” Planning: The manager then assigns teams of business analysts, researchers, coders, project managers, and so forth in order to make it happen. Sometimes others offer a manager a glimpse of what their vision is like, then the manager picks up the cue and begins looking down that road herself. Other times the manager catches the vision herself. All too frequently the vision, though plainly visible to everybody else, isn’t seen by the manager and is lost for good. In the case of a Windows 2000 rollout, one part you’re going to play is that of visionary. That’s why this chapter exists: to help you identify and plan for the factors that influence your company’s strategies. We’ll discuss how to understand the internal priorities of your company, and talk about


www.sybex.com

Identifying Company Priorities

103

ways you can anticipate future growth in your network design. We’ll also identify outside factors that weigh heavily on a company’s technical infrastructure, including any relevant laws and regulations. Finally, we’ll consider your company’s risk tolerance and the total cost of operations (TCO) for any given network design. In order to be successful on the exam, you’ll need to be able to evaluate all these concerns—sometimes in 10 minutes or less!

Throughout the book, I use “total cost of operations” because that’s Microsoft’s phrasing; most people know this as “total cost of ownership.”


Every company has priorities, and they’re not universal, or even obvious. You need to seek out what your firm finds important.


Analyze factors that influence company strategies.

Identify company priorities.

Why would it be important to have a feel for what your company’s priorities are? I can hear lots of you mumbling under your breath, “My company’s number-one priority is to make money!” And you’re absolutely right. Most companies are in the business to make money. But haven’t you ever considered why and how a company got started? How did so-and-so ever get into the casket business, for example? Some companies are so big that it’s difficult to picture what goes on the minds of the corporate heads who live in the ivory towers. Maybe they don’t even have a grasp of the original priorities that the company was founded on, but the concern is the present. What is your company in business for today? By identifying a company's priorities and goals, you’ll be able to drill in on how computing technology will help the company to meet those goals. Then, as a matter of course, if you don’t have that computing technology in


www.sybex.com

104

Chapter 3

Evaluating Factors That Influence Business Strategy

place, you’ll need to design it in and provide it. For example, suppose that you know one of your company’s priorities to be insourcing their call-center activities for their product’s technical support, thus getting away from expensive outsourcing. You might have very definite plans about call-routing scenarios and computing gear that meets those needs. Next question: Does this gear and software work with Windows 2000? That’s the concept behind knowing company priorities, then somehow translating them into IT priorities. People who work for governmental and not-for-profit organizations will have a much easier time identifying these priorities than corporate workers will. Nevertheless, the exercise is ours to accomplish, no matter who you work for.

It could be safely argued that some companies don’t have a priority. Like people who are content to just sort of shuffle through life, there are some companies that were started long ago, continue on doing what they do with almost machine-like dullness, and are led by people who possess no vision. They’re not exciting to work for. They merely provide a decent honest living for the employees. Is that OK? Is that a good company priority?

Let’s start with some ways that you can begin to identify your company’s priorities. There are lots of places where you can begin to look for clues as to what your company’s leaders are concerned with:

Does your company print an annual report? Most publicly held companies will print an annual report and usually, somewhere near the front, you’ll find the company’s mission statement. If your company has an intranet or newsletter, you’ll probably also find the mission statement posted there.

Did you attend an orientation when you went to work for this company? If so, the presenters undoubtedly gave you a clue about what the company considers important somewhere along the line.

Do you have all-company meetings in which the CEO gets absolutely everybody together to discuss issues? If so, that’s very good! And if you listen closely, you’ll probably hear some priorities coming out.

Are your company’s priorities clearly reflected in the communications that managers send down to their employees? If the company’s big enough, the answer is probably not, but it’s still important to see whether you can hear it in your manager’s communications to you.


www.sybex.com


105

What do people stress in team meetings? What consistently comes up as the most crucial part of any project? Often, you get the clearest sense of what a company’s priorities are by listening to employees at the grass-roots level—that’s where the burden of a company’s goals usually falls.

If you work for a not-for-profit organization, do you know the mission of your organization? Here, more than in any other organization, mission statements are important, highly utilized, and fundamental in the organization’s operation.

If you work for a governmental entity, do you know why the legislature spun that entity into motion? Or has the entity spun so far off of its orbit that the initial mission isn’t recognizable anymore?

Think about your company. What are your company’s actual priorities? Certainly making money is the obvious one, but what I mean here is, how do they go about making money? Do your company’s leaders take the market into consideration when they make a decision? Are they fast-paced and quick to act, or are they stodgy about the decisions they make? Some companies have gotten into trouble when they stayed with the “tried and true” only to find that the market was outpacing them; I think IBM would be a good example of this kind of thinking. They started out with the PS/2 and its proprietary multi-channel architecture (MCA), thinking that since they were king of the hill, everybody would jump on the MCA bandwagon. And they stuck stubbornly by their guns, even while the clone makers were coming up with alternatives that didn’t have all the baggage associated with the PS/2. It took IBM a while to realize what was happening in the marketplace and make a change in its priorities. Yet another example, and one that’s happening as we speak, is the nuisance that Advanced Micro Devices (AMD) is making of itself with its new Athlon chip in the Intel camp. Intel has for years thought that its chip was the only thing going, and here a little company like AMD just kept chugging along, creating chip after chip to the point where now Gateway offers the Athlon as the standard chip in its new desktop boxes. Intel is in serious trouble if they don’t react to what they’re seeing in the marketplace and adjust their priorities. AMD is focused ahead, its priority being to create great chips; Intel is focused on itself being the giant in the industry, and I’m not sure that it has dawned yet on the leaders at Intel that they have a small dog taking very large chunks out of their pant leg.


www.sybex.com

106

Chapter 3


One thing, I think, is very clear. In the first decade of the 2000s, change is the operating word of the day, and companies and technoids that understand this are the ones that will succeed in the long term. Slow, stodgy companies that don’t get the new high-paced environment aren’t going to be able to hang on.

Design Scenario: The High-Tech Company on Ginseng and Steroids You work for a start-up company, funded completely by venture capital and governmental research grants. The goal of the company? It’s a very cool one—to perfect the concept of using scanning tunneling microscopes (STMs) to place individual atoms on other atoms, thus customizing new atomic compounds. What could someone do with such technology? The two founders of the company, both fundamental-particle physicists, think that the sky’s the limit. Builders could forge new building materials that are stronger, lighter, and more malleable than any known presently. Biologists could perfect new organic compounds that might fight disease very efficiently. But physicists, as you might be aware, are stuck in the awesomeness of the universe and essentially have no practical sense about business. So the marketing guy’s frustrated because he can’t get the founders out of the clouds, the sales guys have nothing to sell yet, and the mission of the company is not really clear. But, for all of the problems with trying to put a product together with a technique, there’s incredible energy in this company. Everybody’s on the same page in terms of what the capability to synthesize new atomic compounds can do. The founders have published numerous articles, and there are always research fellows, pharmaceutical company brass, governmental types, and commercial alloy researchers walking through the door. It’s just that, well, you don’t feel like you connect with anything in the real world. It’s almost like you’re selling air. You’re selling a concept. And you’re curious as to how much a concept is worth. How would you identify your priorities relative to this company’s priorities? Would you find it hard to support the technological needs of a company such as this, if you didn’t feel it was going anywhere or that it was just in the business of gaining grants and not really going forward with its research?


www.sybex.com

Assessing Company Growth and Growth Strategy

107


M

anagers, especially entrepreneurial types, can sometimes be very cautious about a company’s growth. And rightly so. Too much growth too soon can kill a company, or at the very least stifle its capabilities for years to come. Too little growth can keep a company from seizing opportunities that might propel it to a new, higher level. It takes skill and thought to make the right decisions that position a company’s future in such a way as to obtain a strategically planned kind of growth.



Identify the projected growth and growth strategy.

Your Windows 2000 rollout has to include the planning and forethought that you bundle in as a result of taking a look at these prospects. For example, growth will have a very definite impact on your design of the Active Directory (and its future growth), not to mention the adequate provision of services such as DNS and Dfs. Being able to look out into the future and fathom how the company will grow will allow you to plan for that kind of momentum. This kind of planning will most likely find its way into over-engineering infrastructures and computers that aren’t being used to their fullest potential today but will be tomorrow. The Windows 2000 test will assess your ability to formulate valid judgments about a company’s growth and its growth strategy. But what kinds of things are involved in company growth patterns? Let’s take a look at some of the patterns that you might see when sizing up your company’s growth potential.

The High-Tech Pharmaceutical Company Recently a new kind of pharmaceutical company has surfaced and is making a huge splash. The company’s scientists aren’t looking for new cures in the flora and fauna of the world, but in the design of customized genes that have


www.sybex.com

108

Chapter 3


a very specific purpose in life. The company I’m thinking of, a small start-up with only a couple hundred employees, thinks that it has invented something as radical as the cure for the common cold! Not only will this new gene work for the cold, it looks like it’ll dispatch polio and a host of other viral diseases that have plagued humanity for millennia. How does it work? Well, it’s actually quite a simple concept. The gene fits, like a key, into a place on the virus. The virus gets confused by the new addition and can no longer go about effectively making the havoc that it once was able to do. It would be akin to driving a wedge smack dab into the middle of your head; you couldn’t work because you would be too busy trying to figure out how to get the wedge out! The company has gotten FDA approval to begin using the drug created from this customized gene, not as a cure for the common cold just yet—that’s thought to be down the road a bit—but initially as treatment for other viral ailments. Now, let me ask you: If you were the CEO of such a company, what would be your future growth plans? Perhaps the CEO is thinking of an enormous buy-out by an already well-established pharmaceutical company. Certainly, if this new drug does what it’s advertised to do, the CEO will be an extremely rich person by the time it’s all over. But that seems like a fairly selfish motivation. Is that the only kind of plans a top official for a company such as this might have? What if the person heading up the company were a doctor or scientist who wasn’t very materialistic? Then what would your assessment be of what he intended to do with the company? Would you be more or less cynical? Plainly, senior managers and their lifestyles and attitudes influence the way that you and others think about companies. It’s important to try to get a realistic feel for what a manager thinks, not the grapevine feel, so that you can make real true assessments about what you think is going to happen to your company.

The Mine That Just Couldn’t Get It Going High up in the mountains of Colorado, near Leadville, was the Black Cloud Mine, and the ores taken from its veins consisted of lead, gold, silver, and other minerals. The main ore mined from the Black Cloud was lead, though. Lots of heavy, black lead.


www.sybex.com


109

Now, a mine is a very ponderous thing to run. It needs brave men and women who aren’t afraid to risk their lives each and every day to go down the deep shaft, wind their way across the tunnels that connect the various stopes (the places where the miners actually drill for their ore), and trudge to work. You deal daily with high explosives, the potential for a cave-in, the risk that the miners take when they work in the stopes, and much more. I worked at the Black Cloud for a summer. I worked in the mine itself, pulling on an ore chute called the “Irene.” The chute was air-operated and had a handle that opened the door to the chute then closed it again. Open or closed, that was the only choice you had. The miners would climb up into the stope, drill for ore, blast, and then the ore would be “mucked” into the chute. From there I’d pull the handle to open the chute, the ore would fall into a waiting muck train, and after filling up several cars’ worth, we’d take the ore to another place (called a “Grizzly”) and dump it. There the ore would be transported to the surface and prepared. I also worked in the ball mill at the mine. The ore, fresh from the ground, would be put into a giant rotating mill made up of heavy crib liners of steel. There were many solid steel balls in the mill. The mill would rotate, the balls would fall, and the ore would be crushed to a fine powder as a result of their onslaught. Then the powder would be sloughed into some bins where it would be prepared into the final product. All very heavy (no pun intended) stuff for a 19-year-old to watch. Now imagine that you work this mine, owned by one of the largest mining companies on earth. Surely, this mine will stay in business, will it not? Surely, with the backing of a company as big as the owners of the Black Cloud Mine, there would be no closing it down. So, as the network designer for the engineers who work for the mine (mining is heavily engineering-intensive), you design a killer little network. You design high-speed interfaces to the corporate systems so the engineers can do geological studies based on the huge geology databases back on the corporate servers. You provide CAD stations where the engineers can draw their diagrams, revealing where they think the next veins are and how the tunnels are going to be drilled there. You provide them with spacious RAID5 arrays that can hold the copious drawings these engineers are capable of creating. All of this you design with the latest Windows 2000 elements in mind— things that will help your remote little site, way up at the 14,000 ' elevation of some of Colorado’s tallest (and prettiest) mountains, keep in continuity with the parent company. Things like RAS and RADIUS authentication,


www.sybex.com

110

Chapter 3


Exchange servers using AD and retrieving the company user lists from other servers, and so on. What an exciting design. You get approval for the network and its design. In fact you’re approved to spend quite a bit of money, but not nearly as much as just one of the big trucks that the mine uses in its outdoor operations! In fact, you’re even approved to purchase some new whiz-bang prediction software that might help the engineers figure out where the most likely new ore deposits are. But then the winds of fortune shift. The futures markets for the kind of ore the Black Cloud mines dry up and wither away. You have a stockpile of clean ore that you cannot sell. There is no point in going one step further in the mining of the land because there simply is no demand for it. And so, as abruptly as the money was awarded to you, it’s taken away. Within three months, the mine is closed and you find yourself looking for new work. You don’t want to move from Leadville—what a beautiful little city—but you have to! There are no other computer/network jobs in a town of 3,500 people. You are forced to move to the Denver/Boulder area, back into reality, into the traffic, noise, and people, and join the human race again. Can this happen to you at your workplace? Do you have contingencies in the back of your mind for such occurrences—maybe not as drastic as the above, but certainly within the same sort of realm of possibility? What is the track record like of the company that you work for? Are you aware of the stability that a given company has? How susceptible are they to the whims of the market? How can you plan for such a company’s future? These are questions that no one has ready answers for, but ones that you must ask yourself as you ponder the design of your Windows 2000 upgrade.

Predicting a Company’s Future Not very long ago some computer dweebs in San Francisco were inventing a new computer technology—virtual reality (VR). You’d use computer code to design a building before it was ever built, then put on some gloves and a mask and go inside the computer for a virtual visit of the building. VR was touted in its day as a highly relevant science that would enormously assist engineers in their quest to build a better mousetrap without having to assemble tons of prototypes. And to some degree, the techniques of VR have been assimilated and are truly being used in engineering applications, but to nothing like the radical degree that VR proponents would like to have seen.


www.sybex.com


111

Suppose that you worked for a company that thought VR was going to be the biggest thing since the invention of the laser printer. They invest tons of time and money perfecting both the code that’s needed to generate VR images and the accoutrements that a person would need to wear to view the VR images in the computer. But then, VR never catches on, dies a big death, and the company goes out of business. How could that company have capitalized on its product, its technique, and its future, and not gone out of business? Thinking about it another way, what’s the difference between a WordPerfect and a Microsoft Word? WordPerfect was an awesome product. Why is it now on its fourth or fifth owner and yet Word just keeps chugging along? In this case, it’s not the technology that’s dead, so what the heck happened? How about a company that has a highly mature product like an automobile? How do you take an ordinary thing like a car and turn it into an extraordinary thing that people will clamor for? Where is the company in the maturity life cycle of its product? What are the leaders at the company like? Often a leader who won’t get off of the dime (either monetarily or through autocratic leadership) kills the company with his practicality. “Nope, nope, nope. Gotta think about the bottom line!” Yes, but then there won’t be a bottom line if the product line doesn’t match what’s being released by the competition. Does the company stand on its laurels? “We’ve been Acme Insurance for 110 years! Solid, reliable, no-nonsense insurance you can trust.” Yeah, so can you advise me on mutual funds? Can you convert my term policy to a whole life account? What perks are you offering that your competition just offered me? The business of doing business is a very interesting thing. Some people think of it as a game. You put the players here, make the strategic move there, force this battle over there, and so forth. Is your company playing the game? Are the leaders expert players? Are decisions being made relevant to the rest of the competition? Is your company the one that aces out the competition all the time? Are you the idea guys? Are you sitting on a cash cow product and just raking in the bucks, not concentrating on the next step? What’s your company’s future? You have to consider all these factors as you design a network. If you fail to do so in real life, your design will suffer. If you fail to do so on the exam, your grade will suffer!


www.sybex.com

112

Chapter 3


Design Scenario: Truly, What Is the Best Fit? Let’s pretend that you begin to work a new job for a civil engineering firm, one that builds the cloverleafs and bridges and other highway elements that are needed for safe travel. The engineers, you begin to find, are a humorous bunch with a large intelligence quotient and tons of ideas. They’re easy to get along with. Until you try to mess around with their computer systems, that is. Then they get really riled. For example, some of their favorite software is based on Vax VMS, ancient as the sands of the Gobi, and you really think they could better themselves by checking into something with a little more chutzpah. Your company uses Windows NT for the majority of its networking needs. You have a couple of Exchange servers, the financials are kept in Oracle on some Unix boxes, your admin staff uses the standard office support tools and, all in all, the whole place sails smoothly, except for this antiquated software that you can’t see any reason why the engineers keep. You begin to do some checking around. You’d like to get into a thorough Windows 2000 upgrade, and you’d really enjoy proposing a design that would include bringing the latest in engineering software to their desktops. You think you can make the case for things like a reduced cost of operations, because the engineers won’t have to work so hard to do what they do, payroll time will be reduced, and software resources will be consolidated. After your presentation, you find that the engineers are quite amenable to your suggestion. So much so that, instead of you, they appoint one of their gurus to go out and research the newest, latest, and greatest in the field.


www.sybex.com

Risk Assessment

113

You’re disappointed to think that your growth plans still won’t include the engineers’ software. Why? Because the solution the guru found is based on, you guessed it, Linux. Now you have only one of two options on your hands. You can try to argue with the engineers that Linux is not the solution for your network (possibly even getting forceful with them in the process— something you’ll learn that engineers will never stand for), or you can submit to their desires. What’s the call? How would you design this net? A couple of thoughts here might help you out. While your intentions are wonderful, realize that you already have Oracle sitting on Unix servers. It’s unlikely that you’ll convince people to move software they’re totally reliant on. I’m not convinced you’d want to make that move, not unless you’re a glutton for punishment. So Linux isn’t all that big a stretch for the environment anyway. Second, engineering apps are highly specialized. It’s quite possible that the best fit isn’t on an NT platform. You like Ford, another likes Chevy, still another likes Dodge. Which is best? That’s up to the person using the vehicle, isn’t it? Finally, note that Windows 2000’s tight Unix integration, while not making for a marriage made in heaven, doesn’t rule out the systems cohabiting. All is not lost—it’s merely integrated!

Risk Assessment

R

isk. The word is one that the managers of new companies must try to get their arms around. It’s a scary word. We wish there wasn’t risk in our lives. But then again, without risk, there isn’t much gain. Risk is the business concept that we’re placing some key aspect of our company, maybe even the whole company, into jeopardy by going forward with an idea we firmly believe in, one that we think will forge new ground for us and for our customers. Some companies are risk-averse. Others are like tightrope walkers, willing to take that step out onto the taut line.



Identify the company’s tolerance for risk.


www.sybex.com

114

Chapter 3


The first thing a good manager should look at when pondering a company’s potential for growth is the risk-management aspect of it. How much can I grow this company before it’s in a danger zone and I’ve gone too far with it? How little do I want it to grow? When should I stop growing the company so that it stays manageable? The answers to these questions are as far-reaching as the managers that are asking them. For example, consider the entrepreneurial manager who owns a restaurant. Most restaurants in the Denver area are wildly successful. People just clamor for more and more, and if you think you’re going to get a table at a downtown Denver restaurant on a Saturday night after 6:00 P.M., you’ve got another think coming. Suppose that you’re an entrepreneurial restaurant manager. Business is good, customers are flocking to the door, your reviews in the Denver Rocky Mountain News are sterling. Would you consider building another restaurant? Probably so. But how far, realistically, could you take such an operation by yourself? You probably wouldn’t grow your restaurant “chain” much larger than the point at which quality began to drop, because you couldn’t keep up with the demands of attending to each restaurant. And that would be reasonable. But then, think about a restaurant chain like Denny’s or the Olive Garden. How does a company like those maintain the quality of its food while growing out over thousands of restaurants in many different countries? The secret is in the planning for growth: planning for the capitalization of the growth, training the managers, preparing a special one way that things are to be done. You have to have plenty of capital to pull off such a venture. It’s a risky thing and you have to plan for the inevitable failure of a restaurant or two. The entrepreneur doesn’t have that luxury. So there’s risk associated with both kinds of endeavors, but the risk for the ambitious entrepreneur is far greater than for the corporation that’s starting up its 1,000th restaurant, you see? In the IT world, the planning that’s needed is identifying risks, eliminating or at least reducing them. For example, it’s a risky thing for an IT shop that 128s DNS and all of the ramifications associated with installing and maintaining the service. The risk is that computers won’t resolve names correctly; users will take longer finding computers than they used to. The mitigation of the risk is to learn everything you can about DNS, apply what you’ve learned in a “mini-setting” such as a lab, then go forward with the rollout. You still won’t be home free—you’ll have some cuts and bruises to show for the risk you took—but the patient will indeed live.


www.sybex.com

Risk Assessment

115

Maybe it’s that way where you work. You want to roll out a Windows 2000 solution. You’ve got plenty of managerial backing, the financing is there, you have people who can help you with the rollout—people who are anxious to get the experience. You’ll prepare a project plan and go slowly. The risks are not that great because if you fail, you’ll only have failed in one tiny segment of your rollout. You can back it out and see what fix is needed. On the other hand, the administrator who works by himself with a handful of servers—the kind who troubleshoots user problems by day and only has the luxury of configuring Windows 2000 rollouts at night—is in much greater danger of failure. So risk assessment, both of how you think your company’s going to grow and of how risky your rollout is, plays a big part in how you’ll handle the design and deployment of your new Windows 2000 environment.

Categories of Risk Risk assessment is tricky. Risk is like a chameleon, taking on the shape and form of the project being considered. Sometimes you can think of it like the old sirens of the sea, luring sailors away from their journey with sweet promises only to sink their ships on the rocks. But risk is at once your nemesis and, managed wisely, in small ways, an asset. You have to know what kind of risk you’re looking at. Below you’ll find some kinds of risk that I’ve run into over my years in business. I’m sure you’ll think of more. But the exercise of seeing where you can pinpoint risk is the most fruitful of all because it saves you, and your ship.

Technology Risk Companies put themselves at risk when they put technology to the stress test, an unpleasant strategy that can be done in a couple of different ways. One way is to try to blend two (or more) very unique technologies together in such a way as to form one whole entity. I can’t tell you how much this is done in business… and how often it fails. You like a particular kind of database, the way it performs, how it handles data. Now you’d like to get some of that data and pipe it into a totally different application that requires data to look very different than the way your database keeps it. No big deal—just code up a simple little solution and voila, you’ve got it, right? Nothing could be further from the truth. The managers that make these kinds of decisions wouldn’t dare dream of putting a Chevy water pump in a Ford engine, but


www.sybex.com

116

Chapter 3


they’ll take multi-million dollar systems and try to tinker with them in the hopes of accomplishing basically the same thing! It doesn’t add up. Don’t get me wrong here. There are ways of getting systems to talk to each other, most often with APIs. I’m talking here about ways of putting two technologies together that should not be thought of. Another way that a company puts itself at technology risk is when it launches out into a totally new, completely unproven technology that almost nobody has a handle on. That’s a fine thing, in a lab environment. Sure, obtain the software or hardware or whatever it is that you want to look at, and knock yourself out—in the lab. But to talk about putting unproven technology into production environments is asking for somebody to walk up and hit you on the head with a ball–peen hammer. Technology risk assessment means asking the question: Are we ready for this technology and is it ready for us?

Minimal Skill Risk Very often minimal skill risk follows hand-in-hand with technology risk. Minimal skill risk is incurred when the people you’re trusting a system to can’t possibly maintain the system. Often this kind of false trust (hope?) leads to a decision to bring in scads of contractors to help maintain the system and paint some kind of successful face on it. Corporations would be better places to work if managers and stakeholders would realize that in order to make a project work well, the people who are going to own the project have to be able to maintain it well. People with minimal skills in a given area, as technologically capable as they might be, are a risk to a corporation at deployment time.

Strategic Overshoot Risk This is a fun one, and easy to spot. You take a company that’s staffed by highly professional, highly qualified people. Put them in a room with lots of money, an ambitious project, and the promise of a wonderful payoff for them if the whole thing succeeds, and you've just mixed yourself up a big batch of strategic overshoot risk. The conversation in the meetings starts out pretty realistic. “We need such-and-such,” the CIO says, “the users are demanding it!” “Great,” the senior developer says, “I think we could go about it in this direction.” And then, all of a sudden, somebody stands up in the meeting and says something, a “I know! We do this…” moment, that becomes a turning point in the


www.sybex.com

Risk Assessment

117

project—the kind of turning point that interstellar probes encounter when they’re shot around the earth in order to propel them deeply out into space. Before you know it, the project winds up having many different bells and whistles, most of which don’t meet the actual stated need but are “nice to haves.” Often strategic overshoot risk will disguise itself as over-engineering a project, just in case the extra heavy-duty stuff is needed later. But, as you know, in technology today’s whiz-bangs are tomorrow’s boat anchors, and this kind of overstrategizing often winds up making planners, designers, and engineers look silly.

Disney’s First Law Risk A hopelessly inept manager, deep into the last days of a multi-million dollar IT project that would inevitably fail big-time, actually asked her developers, “Can’t you code faster?” Then, not a month later, she fired all 100 of them. She was personally let go just one quarter after that. Some companies actually subscribe to Disney’s first law: wishing will make it so. We wish our payroll system talked to our tax accounting system, so we’ll just hire the expertise to make it happen. We wish that our fleet’s GPS system could also be used to manage our inventory database. We wish that all types of different disparate systems could be combined into one huge GUI. We wish that our telephony gear could talk to our mainframe and that everything could talk to our video production studio. Quite frequently, Disney’s first law risk manifests itself in the form of two totally dissimilar software products being somehow jammed together with the belief that there will be a cohesive fit, a molecular kind of thing would happen, and the business would be healthier and better.

No-Pain No-Gain Risk In “no-pain no-gain” we have a “reverse” risk. There are companies out there that don’t see the sense in strategically investing in technology in such a way as to enhance their future. I’m not talking here about companies that are afraid of running beta software on their network. I’m talking about companies that are still running DOS and Windows 3.1 because they work perfectly fine and, well, this whole Windows 95 thing isn’t proven to their satisfaction yet. Companies like this actually put themselves at a competitive disadvantage because they’re not taking advantage of the kinds of smart features that


www.sybex.com

118

Chapter 3


updated software can bring to the table to help them get their jobs done more quickly and with less hassle. Managers of these kinds of companies are living in some kind of vague, “it’s good enough” world, thinking they’re saving money, when in reality their risky behavior is costing them money. To wit: Web sites. Some companies would find that they’d greatly benefit from a smartly built, well-implemented Web site, if not in e-commerce, at least in the enhanced visibility their company would get. So there you have a few of my ideas about what risk entails. As I said earlier, I’m sure you can pinpoint other kinds of risk that you see going on in your company. My guess is that for every person, there is probably some unique form of risk that’s being taken in one way or another. And that’s the final point of the risk conversation, isn’t it? There’s a very fine line between too much risk and too little. Where would we be, for example, without the adventurous risk-taking nature of Thomas Edison or Alexander Graham Bell? On the other hand, where is the NeXt computer today?

Design Scenario: Rolling for the High-Tech Lucky 7 Josh, a very nice 27-year-old MCSE with a couple of years’ worth of NT experience under his belt, has gone to work for a high-technology start-up company. The business? What else: Internet development. This company thinks that it has an angle on a fresh new way to perform e-business, something having to do with virtual malls, shopping avatars, and IVR (interactive voice response) salesperson assistance. It’s all pretty sketchy at this point, at least in Josh’s mind, but it sounds very hip, if it’ll work. He was brought in at a very low salary, with the promise that as the company grows and things get better, there is a great economic future awaiting him, in the form of salary increases and stock options. There is no stock now, but he is promised that there will be. In fact, the hiring authorities say, they’re bringing him in precisely because he’s got the kind of attitude, that hard-working self-sacrificing persona that they’re looking for in an administrator. They need people, they say, who are straight ahead with the business and willing to invest lots of time in making it work.


www.sybex.com

Risk Assessment

119

There appears to be plenty of money to go around—the company’s spending money like it’s going out of style. After a week of getting organized and adjusted, he meets with his superiors and they lay out the grand plan. They want him to build their networking strategy around Windows 2000. Specifically, they’re interested in IIS 5, Windows load balancing, DCOM+, and other features that Windows 2000 can bring to the Internet table. Windows 2000 is nothing if not Internet-ready. The company has Web developers—Java coders who know their way around ASP pages and all things Internet. But they need somebody who will nail up the servers needed to meet their goals, install them, configure them, and maintain them. They tell Josh that they know the company is really out there, but that’s exactly the point—the company is really out there. Josh begins to think about these things in terms of risk assessment. He sees three clearly delineated paths of risk:

Technology risk

Minimal skill risk

Strategic overshoot risk

First, the Windows 2000 technology, while undoubtedly very robust and solid, isn’t proven, in terms of years of exposure to different companies trying to figure out the very best configurations for specific business uses. The heady plan to use IIS 5, Windows load balancing, and DCOM+ sounds really great on paper, but is it the best plan? Josh can see tremendous risk associated with such a move and decides to recommend that the company look at better-known platforms for its efforts, perhaps Windows NT 4 or Sun servers. Then, when things in the Windows 2000 front have had a chance to calm down, maybe they can pursue a more elegant approach. But he also realizes that he has a significant minimal skill risk in this venture out there. He knows nothing about Windows 2000, would have to learn everything by the seat of his pants, and, having been there before, he decides there is a very significant risk associated with their trust of his knowledge.


www.sybex.com

120

Chapter 3


But the biggest risk, he thinks, has to do with the broad assessment of his superiors that they can do a virtual mall thing replete with unproven dissimilar technologies. It occurs to him in the car on the way home one night that this company is shooting for the moon, and though they have some bucks to spend, they don’t have moon-shot money. Josh negotiates his old job back over the weekend, and leaves the start-up company to find somebody else to shoot the dice! He’s pretty sure, having mentally evaluated all of the risk postures this company is assuming, that there won’t be a company within just a few short months.

Targeting Laws and Regulations Affecting the Company

T

oday’s wild ride in the corporate world means that you never know what to expect regarding the laws and regulations that are set down before a company. Some of the world’s largest mergers have taken place just within the last couple of years. Consider, for example, the merger of Time Warner and America Online (and now EMI music in Britain). Here you have an absolutely enormous media conglomerate that owns everything from books to magazines to movies to TV studios (CNN included) and now to the Internet and the Beatles’ catalog of songs! Are they a monopoly? What about Microsoft? How is each going to be regulated by the government?



Identify relevant laws and regulations.

As a network designer, you may feel that you’re far removed from these considerations, but you’re not: When you create a network design, you have to take into account how governmental regulations affect the way your company does business. Are there any trust-busting law enforcement agents


www.sybex.com


121

looming on the horizon? What about environmental-protection officials with emissions detectors? How about setting up networks in other countries, where the rules are different, the networking standards are far-removed from your own, the security standards may or may not be enforced, and even the language set that you install on the computer is different from your own? There are lots of rules to learn and understand, especially in multinational enterprise environments. The bottom line is that companies have so many places to look for potential trouble spots as they grow that once they hit a certain size, it’s worth their while to keep a full-time cadre of legal experts on retainer just for the times when their opinions are needed in cases such as the above. Imagine, for example, being in the gas and oil business. You’re very heavily regulated, both in the way that you run your company and in the manner that you deliver your products to market. On top of that, you always have the whims of OPEC on your mind. What will tomorrow’s oil be worth? Then there’s how potentially dangerous refineries can be and the constant oversight that occupational safety authorities maintain at such a facility. Top that all off with environmental concerns, with the difficulty of finding good people, struggles with unions… why does anyone go into the oil business? Because it’s profitable as all get out, that’s why! But what if you’re an upstart, entrepreneurial oil company? Or is there such a thing today? How do you break into competition with players like Mobil, Shell, and Conoco? What if you head up Conoco and you see the recent mega-merger between Mobil and Exxon forming the largest oil company on earth? Are you jealous? Is there a way that you could merge with another biggie too and become even larger? Just how large is too large? And what would the Justice Department, the SEC, the United Arab Emirates, and a host of others have to say about it? How long would it take your lawyers to talk to their lawyers to get the whole thing nailed together? What if you were slapped with a lawsuit? No! You can’t do that! This is the kind of thing that keeps CEOs up nights: worrying about how they’re going to pull off such a huge growth spurt.

The Incredible Plethora of Laws and Regulations There is hardly a business in the world today that isn’t regulated in some way. It seems like it’s almost a fourth law of physics: for every business endeavor, there’s an equal but opposite legal reaction. For example, take the


www.sybex.com

122

Chapter 3


recent Y2K brouhaha. There was actually talk of the lawyers making oodles of money because they would sue large corporations for not seeing to their duty of providing a computing environment free of capricious bugs. It was outrageous, but for all of its outrageousness, lots of people were totally serious. So, what kinds of legal ramifications can a company face in its decision making efforts, especially relative to a Windows 2000 rollout? Let’s see if we can enumerate some. Again, just as we pointed out above, there’s no doubt that you can personally augment this list tenfold. But the point here is to get you thinking about what sorts of laws and regulations you work with and how they might impact you in your efforts.

Medical Laws and Regulations Do you work for a medical facility, a medical equipment manufacturing firm, a pharmaceutical company, or some other entity that somehow touches the medical community? Then you’re probably highly aware of the endless rules and regulations that are in place in order to keep people from getting sicker than they already are due to an oversight on your part! One of the more fascinating things I think I’ve ever seen is a huge pillcounting machine that was designed to make pharmacist’s lives easier. You’d fill the hoppers of this device with thousands of pills and then, using a computer interface, you could set up your prescriptions; the machine would exactly count out the pills and place them into a holding area so you could come along and bottle them up for the customer. No more standing there with a little butter knife and a counting tray. What an interesting machine! And yet I’m sure the regulations put on the coders was incredible. What if, for example, the machine gave out four or five too many of a pill that happened to be highly toxic if taken too long?

Interstate Commerce Rules Got a trucking company hauling goods across state lines? Then you’re undoubtedly familiar with (and probably cringe at the amount of) state trucking regulations. Some states actually weigh the trucks as they’re moving along and send the company a fine if they find that the truck is overweight. In some states trucks are routinely searched. Trucking companies put GPS systems on their trucks so they can keep track of their location, their load, and their expected destination arrivals. All of these situations are regulated closely and would provide some interesting challenges for you in terms of setting up fault-tolerant networks that could support such endeavors.


www.sybex.com


123

Utilities You think your company has a rough time earning a buck? You ought to examine a gas, electric, telephone, or cable TV utility sometime. What a terrible (but necessary) way to have to earn a living! Frequently public utility commissions (PUCs) act as oversight committees for their state legislatures. The PUC’s sole purpose in life is to make sure that the utility is doing its level best to satisfy the needs of its customers, without raking them over the coals in terms of the rates they charge. Utilities, even though they’re private companies, wind up being looked at as semi-governmental because they’re so strictly regulated. Because of this kind of scrutiny, technological ventures often require certain features in order to make them harmonious with the PUC scheme of things. A Windows 2000 rollout, for example, might require providing proof to the PUC that the network you intended to build was secure, would be readily available (so that employees could get their work done), and could operate the various software components needed to efficiently run a utility. It turns out that the laws and regulations that companies face have serious effects on the technological decisions that get made by a company’s officers. It’s up to you to familiarize yourself with your company’s purpose in life and the legal necessities that it’s forced to adhere to.

Design Scenario: The Government Contractor Suppose that you work for a big company whose mission is to act as a contractor to the U.S. government. A lot of what the company does is highly classified. The most mission-critical component of your company is its ability to maintain its work according to the various layers of classification that are imposed on it by its government contracts. You currently use a variety of NOS platforms: Novell NetWare, Unix, and even some OS/2 Warp servers, plus, of course, Windows NT 4. Your management is considering consolidating everything onto one NOS, a big, tough, expensive, and gutsy move. The leading contender, of course, is Unix for the servers, Linux at the desktops. You’re asked, as one of the NT designers, what Windows 2000 would have to offer that Unix could not.


www.sybex.com

124

Chapter 3


After nobody laughs at your line about how hard it would be to find Microsoft Office for Linux, you then begin to talk about the security features of Windows 2000 that Unix does not have. Specifically, you mention the triple Kerberos security paradigm. You talk about Active Directory and how its use of Kerberos makes for a one-time, secure logon anywhere in the plant. You talk about how AD can segment the rather large operation into meaningful entities, regardless of how small or large they need to be. Forests can be created, as can trees and groups. You can have universal groups, domain global groups, and local groups. You mention that the telecommuting factor, a strong one at this company, has been highly updated in terms of its security. RADIUS can now be used on the RAS servers. There is support for highly secure VPNs. You also mention that Windows 2000 Professional workstations are highly secure and even more “user-proof” than they were before due to the Windows Installer. All in all, there is little convincing evidence that would make a company migrate from Windows to a complete Unix environment and much more evidence to support the opposite move.

Identifying the Total Cost of Operations



Identify the total cost of operations.

T

he total cost of operations (TCO)—the costs incurred by procuring, installing, and maintaining a specific system—is another factor in how a manager chooses to grow the business. There are many factors in the TCO question, many considerations and details to think about. For example, what if you make garden equipment and you’d like to begin offering motorized equipment that could be used for mowing lawns, trimming shrubs, mulching, and the like? You set up your new business branch and purchase the


www.sybex.com


125

small engines that go inside lawnmowers and weed trimmers. You personally manufacture the chassis, frames, and so forth that are used in the devices. As time goes by and your new motorized tool division gains some steam, you begin to look at the books and realize how much it costs you to purchase the crates full of engines that you need for your business. What if I could find a company making small engines and merge with them, you ask yourself. I could effectively cut down my TCO and grow the company at the same time! But what risks would there be in such an undertaking? Probably capitalizing the merger would be the single biggest problem—how am I going to pay for it? What kinds of other issues might I face in such a venture? What if I purchased a company with problems that were cleverly hidden, and we inherited a mess? Would I reduce my total cost of operations, or would I actually see an increase in the total cost? It’s highly possible that even though a company thinks they’re leveraging themselves in such a way as to make a huge dent in the marketplace, they actually make a mess of their company and wind up with less than they had to start with. This is what it’s like to take stock of the growth of a company and make sure that growth is managed well. As a network designer, your job will probably not be to make financial decisions, but it will be to understand financial decisions. Furthermore, it’s up to you to present a network design in the best possible financial light and then to objectively compare and confirm whether a decision to go forward with a design is the financially most amenable approach. You’ll have to detach your technological thinking and think about things purely in dollars and cents.

Return on Investment A company’s return on investment, or ROI as it’s called, represents the time that must elapse before a company can expect to realize the benefit from its initial investment in a project. ROI can be thought of in terms of the number of years that elapse before a system pays itself back in time and operations savings, or as a percentage returned over (an assumed) time frame. You’ve probably used this same concept at home. If you purchase a new car, for example, how long do you have to pay for it and use it before it begins earning its keep? Given that kind of thinking, what would be the very


www.sybex.com

126

Chapter 3


best kind of car to buy in order to optimize your ROI? Would it be better to buy that BMW sports car you’ve had your eye on, or would your ROI be much shorter if you purchased a more utilitarian vehicle, one that was capable of meeting your needs in more than one area? ROI happens to be something that takes on shape and meaning at many different levels of a company’s operation. Now think about the importance of a smoothly operating network. Users need to be able to consistently log on and begin working on a daily basis. Applications need to run smoothly and quickly. Printers can’t be bogged down with print jobs or require huge amounts of time to regularly troubleshoot. Peripherals need to operate the way they were designed to. E-mail must fit the company’s patterns for communications and dialog. Web sites must operate efficiently and provide optimum service for users utilizing the site. All of these things and more are a network designer’s bullet points for ROI. When thinking about how ROI fits into a network plan, you must take yourself out of the technological picture for a moment and ask yourself the questions that the financiers of the project, typically non-technical types, are going to ask you. They have their financial hat on, not their computer hat, and they’re going to be thinking in terms such as, “What’s this new network going to cost me? If I expend the dollars for it, how will it benefit me financially? What’s my ROI, if I authorize the spending of this money?” With that point of view in mind, you now need to take an objective look at the network design you have in mind and try to put some numbers to your design. For example, if a company pays $2,500 per switch for an infrastructure upgrade, how long will the company be able to use those switches before they must be traded out? How much per year can the company expect to spend in maintenance and support for these switches? How much, in terms of dollars per port, will it cost to upgrade to the switches? Is there a correlation, in terms of increased bandwidth vs. dollars lost with today’s poor capacity, to support buying the switches? How will the company benefit, from a strictly financial aspect, by purchasing these switches? Got the idea? Your design will be so much better received if you take the time to honestly answer the ROI questions and get them out in front of the stakeholders and managers who are going to ultimately say yes or no to the project. Table 3.1 shows a sample ROI worksheet that you might use to demonstrate your ROI thoughts to managers. You’ll be much better received and the project will have a much more solid likelihood of succeeding if you use something like this to show that you’re taking ROI into account and make practical decisions revolving around it. Pragmatism is one quality all managers appreciate in their IT people.


www.sybex.com


TABLE 3.1

127

A Sample ROI Calculation Old Network Number of closets

2

Number of hubs (24 port)

4

Total hubs

8

Date hubs purchased

4/30/92

Purchase price per hub

$300

Expected lifespan

3 years

Actual lifespan

8 years

Net gain

5 years

Total expenditure

$2,400

Payback, per year

$800

Maintenance costs

$750

Net gain realized (gain realized because hubs were kept 5 years longer than anticipated, saving an $800/year expenditure over 5 years minus the $750 maintenance)

$3,250

New Network Number of closets

2

Number of switches (24 port)

4

Total switches

8


www.sybex.com

128

Chapter 3


TABLE 3.1

A Sample ROI Calculation (continued) New Network Purchase price per switch

$2,500

Expected lifespan

3 years

Projected maintenance per switch per year

$50

Total projected expenditure

$19,600

Minus previous ROI realized

$3,250

Total expenditure

$16,350

Do not try to use the old “dollars saved due to increased productivity” trick. Managers won’t buy it if you try to tell them that the network will be faster, therefore people can get more done. First, for the most part it’s not true. And also, increasing productivity isn’t about beefing up a person’s tools (at least most of the time it’s not); it’s about equipping the person to be more effective in his or her job. The increased-productivity trick is an age-old one that will not pass muster in a presentation to senior managers.

The Decentralization of the Windows Network Probably the most fundamental accounting talk you’ll want to have with yourself, before you talk to the financial folks at your company, is how you’re going to set up your server farm. In fact, you’ll have to pay pretty close attention to where you’re going to place things. The day and age of having every single application running on one or two servers, even in small shops, is now officially over. As soon as you implement Windows 2000— resource-hungry NOS that it is—you are no longer going to be able to run


www.sybex.com


129

your entire shop on one box and meet network user performance or uptime requirements. It’s as simple as that. You need to examine ways that you can decentralize the server software components of your network. What I mean by that is, look at the jobs the various servers are involved in. If you run into a server that’s involved in several dissimilar duties—i.e., the server is doing WINS and DHCP, is print serving, hosts an application or two, plus acts as a file server for some users—you’re going to want to split that duty out. Why? Your server simply won’t have the bandwidth for all the activity that’s going to be placed upon it by Windows 2000 and your users. The centralized concept is not a good design point, and it’s one you must jettison as you go forward into your new upgrade design. One little exception: I think it’s fine to have one or two servers acting as DCs and hosting your DHCP/WINS/DNS environment. That’s all they do, validate users and keep TCP/IP happy. In a centralized fashion, this particular design will work fine. But then, once your centralization of your DCs is done, don’t go loading Exchange or SMS or any of the hundreds of other NT-based apps on them! Apps go on app servers that are engineered and built for apps. File and print sharing boxes have the heft needed for multiple simultaneous user accesses. And so on. Figure 3.1 shows a very small network design that goes from being highly centralized to highly decentralized. In this diagram, the old network only had two computers. Even in the Windows NT 4 environment and with a very small shop of only 25 to 50 users, they were undoubtedly highly overworked computers. You had tons of things happening on each computer: SQL, Exchange, file and print, plus the everyday, garden-variety user validation. In a Windows 2000 design, you won’t get away with this. For starters, the computers would have to be so large that it wouldn’t be cost-effective, but more importantly, it’s just not a good design. The key to stability in the Windows environment is to not introduce numerous variables into any one system. The new server farm shows that you’ve had to purchase six more computers! (And probably beef up the two you already have.) But you’ve wisely decentralized your computing environment so that disparate computers are handling dissimilar apps. You’ve opted to put Navision, your Windows 2000–certified financials software, on a cluster so that it has higher fault tolerance than even one native Windows 2000 box can provide.


www.sybex.com

130

Chapter 3


FIGURE 3.1

Decentralizing your server farm Old server farm

PDC Exchange 5.5 SQL Server DHCP WINS 6 Printers New server farm

BDC SMS 2 Navision WINS 12 Printers File sharing

DC DNS DHCP WINS AD

DC DNS DHCP WINS AD

MS Apps Exchange

SQL Server

SMS

Navision Cluster Navision

Navision

File & Print File & Print

All of these design issues, of course, mean that you’re going to meet with the financial folks and ask for way more computing equipment so that you can accomplish your design. Do you have buy-in from the stakeholders and managers on going forward into Windows 2000? Then you shouldn’t have a problem obtaining the funding for the new equipment. If you don’t have initial buy-in for the project or they won’t fund the new gear, then my advice would be to not go into Windows 2000 until you can do so. I would not put this software on older gear that can barely hang with Windows NT 4. It’s not a good idea and won’t fit good design criteria.


www.sybex.com

Summary

131

Design Scenario: Breaking the Bank Let’s talk more about the situation described above, where you have a small network, you’re interested in going to Windows 2000, and you’ve come up with a solid design plan. The chief financial officer has told you that you cannot purchase the extra six computers you need; he doesn’t see the need for all those computers. But you can purchase three, provided you can get a good price for them. He has told you that you can spend $10,000 on your total computer hardware budget. You’ve looked at the existing domain controllers, and you know you’ll have to upgrade them from their current 64MB of RAM apiece to a minimum of 256MB. The disks look OK, there’s quite a bit of space on them, and they’re both using hardware RAID controllers. You estimate that the new memory going to cost you $2,100, so you’ve officially cut your budget down to $7,900. The computers you need to buy must be fairly sophisticated. They must have enough RAM in them to make the applications and the NOS happy. You’d like to have lots of disk space for your file and print server(s), and you’d prefer to put everything on hardware RAID controllers for optimum speed, disk efficiency, and fault tolerance. There are now two design issues. The first is this: can you redesign your server farm in such a way that you can adequately host the apps on three additional servers? The second question follows: can you purchase the computing power you need with this limited budget?

Summary

I

n this chapter we examined the various factors that affect a company’s business strategy. We began with the question of what the company’s priorities are. Often asking this simple question can alert you as to whether a new design is appropriate or not; if the company’s priorities are not IT-oriented, then what’s the point? But more appropriately, the company’s priorities will show you what your design should ultimately look like and will act as a guide for you as you formulate your Windows 2000 network.


www.sybex.com

132

Chapter 3


Next we talked about your company’s growth and growth strategies. Will this company grow? If so, how much? Can you pinpoint the company’s growth strategy? Does your company intend to grow itself as large as possible, do its managers see themselves as not growing very much, or are they somewhere else along this spectrum? Windows 2000 networks are scalable and highly amenable to growth, but your network design still needs to take into account the potential for growth. We examined the importance of relevant laws and regulations that your company has to take into consideration when going through a network design. Many companies have to obey strict rules in everything they do, and your design might have to take those rules under advisement. Is your company at risk? What kinds of risk might your company be prone to and how do you account for this risk in your Windows 2000 network design? These were some of the questions we talked about when considering the risk element. For example, a company that is in the e-commerce business has risks associated with potential hackers, while a software development company has risks associated with the marketplace. Both companies have risks in both areas, but the risks are heightened in one area over another given the nature of the two different companies. Finally, we talked about a company’s total cost of operations. IT and commensurate operations account for a large percentage of a company’s investment in its future, so the money that is spent to upgrade the IT area must be wisely spent and provide the most bang for the buck. What kind of return on investment will your Windows 2000 network design provide?

Key Terms These terms are introduced and defined in this chapter. It’s important you understand them for your planning and your exam analysis. The terms below were used in this chapter as phrases you might hear used when managers of a company are talking about setting its priorities. return on investment (ROI) risk total cost of operations (TCO)


www.sybex.com

Review Questions

133

Review Questions 1. You’re trying to decide if your company’s newest venture into cold-

fusion research is going to work out. What are you trying to measure? A. Risk B. Growth C. Regulatory impact D. Total cost of operations 2. The company you work for has been involved for years in the business

of writing tax return software for businesses. Now you hear a rumor that they’re talking about possibly getting out of that business and venturing into the e-commerce business of filing electronically on behalf of businesses. In other words, a business that had at one time used their software would now simply do all their updates online to your company and you would handle the filing. What areas do you think will produce problems, should this rumor prove to be true? Choose all that apply. A. Priorities B. Laws and regulations C. Risk D. Growth E. Total cost of operations 3. What would a Windows 2000 deployment be most likely to affect, in

terms of the items studied in this book? A. Priorities B. Growth and growth strategies C. Laws and regulations D. Risk E. Total cost of operations


www.sybex.com

134

Chapter 3


4. You work for the U.S. Army at a research area on the eastern sea-

board. Your unit is considering a Windows 2000 upgrade. What item might be the most important to an entity involved in the protecting the nation’s security? A. Priorities B. Growth and growth strategies C. Laws and regulations D. Risk E. Total cost of operations 5. You work for a large pharmaceutical company. You’re considering a

Windows 2000 rollout. What one item would you particularly need to have in mind relative to the design and commensurate rollout? A. Priorities B. Growth and growth strategies C. Laws and regulations D. Risk E. Total cost of operations 6. You would like to go forward with a Windows 2000 rollout. The

company you work for, an electronics engineering and design firm, is right in the middle of designing a revolutionary new product. Your managers are quite hesitant to allow the upgrade to go forward for the time being and want you to wait. What item is at the top of their mind regarding this suggested rollout? A. Priorities B. Growth and growth strategies C. Laws and regulations D. Risk E. Total cost of operations


www.sybex.com

Review Questions

135

7. You’re a network design consultant who has been called in to render

counsel and advice in the design of a new Windows 2000 network that a large restaurant supply company would like to implement. The company is thinking that updating their technology will help increase their efficiency and hence their bottom line. When you visit the company, though you’re no MBA, you can see lots of disarray in terms of how the company is organized, who reports to whom, and other subtle nuances that hint to you of a much larger problem than a technical one. While you don’t want to turn down the design and rollout job, you have some concerns that you want to bring to management. Around which item do these concerns revolve? A. Priorities B. Growth and growth strategies C. Laws and regulations D. Risk E. Total cost of operations 8. Your CIO can see merit in your Windows 2000 upgrade suggestion.

Now she wants to know how you would improve the current situation where you have only a few computers and the users are complaining about the slowness. What actions should you recommend? Choose all that apply. A. Put enterprise apps onto one dedicated server per application B. Reduce the number of DCs and consolidate the TCP/IP portion of

networking (WINS, DHCP, DNS) to the DCs C. Upgrade the tape backup software D. Purchase dedicated network-based RAS servers, taking the RAS

job away from Windows


www.sybex.com

136

Chapter 3


9. Your company, a sporting goods manufacturer, desperately needs two

separate things, but only has the funds for one. They need a new set of assembly-line devices that would allow them to make their sporting goods equipment faster and cheaper. They also need to totally revisit their IT infrastructure, upgrade accordingly, and move to a Windows 2000 environment. The IT upgrade would allow them to complete the billing, invoicing, and materials-handling cycles on a much more timely basis. What would be your suggestion as to which one to do first? A. Manufacturing equipment upgrade—impacts company’s

bottom line. B. Computing environment upgrade—impacts company’s

bottom line. C. Neither. Sounds like the company is close to bankruptcy. D. Both, but use a phased approach that would allow you to handle

both things at once, just more slowly than projected. 10. Your company started out as a “Ma and Pa” outfit with only a couple

of employees, 15 years ago. Today the company has thousands of employees spread out over several countries, and it continues to grow at startling rate. You’ve suggested that the company look at launching a Windows 2000 deployment and switching from their current Windows NT 4 implementation of 20 separate domains and hundreds of servers. In context of what we’ve talked about in this chapter, what might be one of your main concerns relative to this rollout? A. Priorities B. Growth and growth strategies C. Laws and regulations D. Risk E. Total cost of operations


www.sybex.com


137

Answers to Review Questions 1. A. When a company begins to venture into something, it’s wise to

assess all of the above, but your question about whether or not it will work out is a question of risk. 2. A, B, C. Well, first of all, never ever give credence to the rumor mill

until you hear the same thing from the horse’s mouth. But that being said, given the little bit you know right now, it appears that there may be a priority issue. Why abandon a perfectly good cash cow? You’ll undoubtedly run into lots of legal issues with this prospective new angle, and there is definitely risk associated with anything e-commerce. 3. E. Of all of the things that a Windows 2000 deployment will affect, it

will most deeply affect a company’s pocketbook, both positively and negatively. The total cost of operations is the single biggest item that a new Windows 2000 deployment will affect in a company of any size. 4. D. Risk is the question the commanding officers are going to have at

the top of their mind. With so much intellectual property requiring exquisite protection from outsiders looking in, you will undoubtedly be looking at whether Windows 2000 can handle the security needed by your group. The answer, of course, is yes it can, but this is something you need to check out very thoroughly. 5. C. A heavily regulated industry like a pharmaceuticals firm has to con-

sider the legal and regulatory impacts of any upgrades it makes to its computing environment. 6. D. They’re thinking that they should let sleeping dogs lie until the new

product is ready and shipping. Then, when things have settled down, you might be able to reconsider the design and rollout. This is good advice—listen to it. While priorities are always on the minds of managers, hopefully you have their ear. If you say that you think Windows 2000 would be a go, and they sense that you have the personal bandwidth for such a project, then priorities might not be the leading fear. My sense is that risk probably brings more to this table than priorities.


www.sybex.com

138

Chapter 3


7. A. It sounds like the company is barking up the wrong tree—thinking

that high technology will fix managerial problems. While the technological aspect of things is wonderful and you’d like to go ahead, management needs to know that you spot other issues here. This is a highly risky consultative proposition, because you’re being brought in as a technological consultant, not a management consultant. Nevertheless, it might be beneficial to point out that you see inefficiencies elsewhere in the business cycle that technology will not improve. 8. A, B. The top two answers are the best ones. Segmenting your heavily

used enterprise apps onto dedicated servers will increase their performance and decrease the likelihood that they’ll crash (or interrupt other network processes if they do crash). Consolidating DC activity is a very good idea—one you can implement without benefit of Windows 2000, but one that will work with Windows 2000. Items C and D might be practical, but they have little relevance to the Windows 2000 upgrade apart from the question as to whether your old tape backup software will work with Windows 2000 or not. Dedicated hardwarebased RAS servers are great things, but not really necessary in the Windows 2000 environment. Windows 2000 addresses many RASrelated issues. 9. A. See, it’s a question of priorities. The company can get along with

the current computing environment. All right, so they work slowly, but at least they work. But the manufacturing thing, well, that’s the company’s bread and butter. If they can’t compete in terms of being able to manufacture the latest and greatest in fine sporting gear, they might as well go bankrupt because the competition will quickly overrun them. 10. B. Not so much growth as growth strategies. You already know the

company’s capable of rapid growth. What you should really be concerned about is management’s viewpoint on continued growth. It’ll be tough for you to plan a network based on growth if you don’t know how the firm is going to grow.


www.sybex.com

The Billing Company

139


Background You work for a company that performs billing and receiving the payment of bills for other companies. Companies that don’t want to go to the added expense of billing and maintaining the payments of their own accounts, or who can’t really afford to set up such an operation at this particular juncture in their growth, will outsource the work to your company. Your company is responsible for the timely preparation and submission of bills to the clients of the companies that you represent and for processing the payments of those bills. You don’t handle the collections part for bills that aren’t paid on time—your client companies do that. You have a Windows NT 4 network that is working fine. Your company has 475 employees, the majority of whom work on remittance processing machinery. The remittance processing machines are hooked to the network so that regular reports and accountability functions can be run.

Current System You have 10 Windows NT 4 servers connected to a standard 100Base-T Ethernet network. Everybody that is not a remittance processing operator logs on to the Windows NT network. You run Exchange server, a financials package, and some other applications, and you have a BRI ISDN Web connection that’s hooked to a proxy server. The remittance processing machines (your company calls them “the line”) can talk to the network but require no logon of their own. The supervisors who head up the remittance processing personnel can log on to the equipment and maintain it as needed. They have the ability to run reports that provide system-uptime and other status updates. It is highly critical that the remittance processing devices be able to talk to the network at all times so that the supervisors have an idea of how much is being processed through the systems, thus giving everybody an idea of how on-track the company is with that day’s processing cycle.


www.sybex.com

CASE STUDY

The Billing Company

CASE STUDY

140

Chapter 3


Envisioned System Overview You want to upgrade the entire network to Windows 2000, including bringing all of your users up to Windows 2000 Professional. There is no need to update the remittance processing devices, as they were updated last year at this time. Your Supervisor You’ve taken your project notes to your supervisor, and presented your vision and goals to her. She says, “This is a fine idea. I’m all for it as long as you can control costs and assure us that the line can continue to talk to the network.” Remittance Processing Manager “I really don’t care what you run on your network as long as these remittance machines continue to run and process the bills. Downtime on this line means lost revenue to the company!”

Security You are responsible for the security of your network. Your supervisor says, “From a security standpoint, I’m not concerned about a Windows 2000 upgrade. I just want to make sure that the line can continue to talk to the network.”

Availability Overview Your business is a standard 40-hour-a-week environment. Very little overtime is worked. Uptime is critical, though; the servers need to be up when the line is up. Your Supervisor “Remember that when the line is up, the servers need to be working! Can you provide me with a statement that tells me what benefits this upgrade will bring about for the network? For example, will this upgrade make the network run faster?”

Maintainability One of the things you’re excited about with a Windows 2000 rollout is your ability to maintain copies of installed software on the network and then use a Group Policy Object (GPO) to download the apps to users, whereupon client software in the form of Windows Installer sees to it that the software is


www.sybex.com

The Billing Company

141

Performance Overview The 100Base-T infrastructure is well-designed and runs fine. You have some concerns about servers. You’re wondering if maybe you should move the reporting app that the remittance processing team uses from the server it’s currently on—actually nothing more than a desktop that had server installed on it—to an actual dedicated server of its own. Your Supervisor “You don’t have to sell me on this idea. The desktop acting as a server situation isn’t a good one and keeps me up nights wondering when it’s going to crash. Thank goodness we haven’t had all that many problems with it.” Remittance Processing Manager “I don’t mind if you upgrade the computer, especially since you’re telling me that it’ll improve the reporting performance. Be aware that you’ll have to replace it on a weekend, and it’ll have to be guaranteed to be operational by Monday!”

Questions 1. What is the business’ main concern? A. Money B. The line C. Their customers D. Timely billing processes


www.sybex.com

CASE STUDY

installed and correctly configured. Then, when a user breaks an app—which happens more frequently than you’d care to admit—it’s automatically repaired. You think this will help make your life much easier.

CASE STUDY

142

Chapter 3


2. In the chart below, move tasks from the right column into the left col-

umn in the order that you should begin working on this project. (Note: These tasks are certainly not all-inclusive. In a real deployment you’d have many more tasks than this!) Tasks

Tasks Assess what brand and model of computer you will buy for the reporting server replacement Prepare business need documents for distribution to the managers Prepare a presentation detailing the need Prepare the budget forecast Meet with stakeholders Identify Windows 2000 licensing costs Prepare overall project plan, identify project phases, milestones, resources Arrange to test your Windows 2000 deployment in a lab with a spare remittance processing device Prepare reporting server Cut reporting server from desktop to new server


www.sybex.com

The Billing Company

143

A. Windows 2000 won’t work with the line. B. The reporting server won’t be any better than before. C. There’s a steep learning curve from Windows NT to Win-

dows 2000. D. You don’t have enough time to get project accomplished. 4. In your project planning, what will be your biggest priority to assure

project success? A. Assuring that the reporting server works as advertised B. Assuring that the remittance processing devices can continue to

talk to the network C. Making sure the servers have increased reliability D. Assuring that Exchange stays up 5. None of the people you talked to indicated that there were any laws or

regulations involved that might hinder your work. Nevertheless, can you think of any laws or regulations might be involved as you go about your Windows 2000 upgrade planning? A. Your company has a fiduciary responsibility for the companies

they’re representing. Inaccurate billing representation could result in a lawsuit for your company. B. SEC regulations control companies such as yours. C. The Accounting and Finance Act of 1980 applies to your

company. D. You could be held liable for all of your client company’s torts.


www.sybex.com

CASE STUDY

3. What’s the biggest risk associated with this project?

CASE STUDY

144

Chapter 3


6. Looking at the table below, list the people or groups from the right

column in the left column, in the order of their bearing on the success of this project (from most important to least). Person or Group

Person or Group You Your supervisor Remittance processing supervisors Remittance processing managers Client companies CFO Remittance processing users Reporting server users


www.sybex.com

The Billing Company

145

1. B. If you haven’t gathered that the line is everything, you haven’t been

listening! The line is everything; it’s the company’s money stream, the reason they have customers, and the reason for their existence. Take care of the line! Priorities, priorities! 2. See chart below.

Tasks Prepare business need documents for distribution to the managers— obtain managerial buy-in Identify Windows 2000 licensing costs Prepare the budget forecast Prepare a presentation detailing the need Meet with stakeholders Prepare overall project plan, identify project phases, milestones, resources Assess what brand and model of computer you will buy for the reporting server replacement Arrange to test your Windows 2000 deployment in a lab with a spare remittance processing device Prepare reporting server Cut reporting server from desktop to new server 3. A. Without a doubt, the biggest risk in this project is the line. They’ve

made it very clear that you must not hinder the operation of the line. 4. B. The most important piece of this puzzle, the one with the biggest

priority associated with it, is the assurance that once you cut over to Windows 2000, the remittance processing boxes will continue to talk to the network. The second-biggest priority will be to make sure that the reporting server can see what the line is doing and accurately report on its progress. The two are pretty close priorities, almost head to head.


www.sybex.com

CASE STUDY ANSWERS

Answers

CASE STUDY ANSWERS

146

Chapter 3


5. A. You have no other information other than the fact that you know

your company is acting on behalf of other companies and as such you’re a representative of them. This implies that if something went wrong with your network design and billings were inaccurate, untimely, or in some other way incorrect, your company could be in a lot of trouble. 6. See chart below.

Person or Group You Remittance processing users Remittance processing supervisors Your supervisor Reporting server users Remittance processing managers CFO Client companies Unfortunately, in this case you are by far the biggest factor on the success of this project. And, from the sounds of what you were told in the interviews, you have no breathing room in terms of making sure the network works with the line. Here is where the concept and the need for a lab environment would really pay big dividends. If you could thoroughly test your concepts in the lab before you deploy, you’d be able to sleep better. Unfortunately, it may not be possible to free up one of the big remittance processing boxes just for some lab work. The next best thing is to take up a serious dialog with the makers of the remittance processing gear, alert them of your intentions, and see if you can get any feedback on how well this will work in a production setting.


www.sybex.com

Chapter

4

Analyzing the IT Management Structure MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Analyze the structure of IT management. Considerations include type of administration, such as centralized or decentralized; funding model; outsourcing; decision-making process; and change-management process.


www.sybex.com

T

his chapter revolves around one solitary test objective: analyzing the structure of IT management. But what a large objective it is to understand IT management! There are very few companies whose bottom line is not affected severely by the way that the IT department is structured and goes about its business. Even from just the hardware standpoint alone, there are very few other parts of a company’s makeup that require as much capitalization on such a regular basis. Add to that enterprise software purchases, including user licenses for all of the client software, and the salaries of the technical folks themselves, and you come up with a large sum of money devoted strictly to making IT work. Small wonder that senior managers and other non-IT people become annoyed when they don’t see an IT project deploy on time or, worse, when it finally does deploy but doesn’t work correctly. But what of IT when thinking about a Windows 2000 upgrade? Why is it important to know what the IT management structure is all about? Because with a Windows 2000 rollout, the stakeholders generally are the IT managers. They’re the ones with a vested interest in making sure the project goes forward smoothly and finishes on time and within budget. IT managers are the ones whose heads will roll if your deployment isn’t as secure or fast as you said it would be, or if it doesn’t provide the added benefits you talked about in your project plan. IT managers are the ones who’ll be watching the progress of the project, who’ll want regular status updates they can pass up the food chain, who’ll require an accounting for the money you’re spending. Think about it. Users will log on basically the same way as they did before. To a normal user, life with a Windows 2000 server won’t change much over their experiences with a Windows NT 4 server. To them, it’s a pretty anonymous thing, with some minor exceptions like the added possibility of using your user principal name ([email protected]) for a logon name. But to the IT managers, your Windows 2000 upgrade has the potential for causing all kinds of problems. For example, it’s possible that some


www.sybex.com

How Does IT Get Funded?

149

legacy enterprise applications won’t play very well together in the Windows 2000 sandbox. Maybe you’ve got an older database application that you either can’t or don’t want to upgrade—how will that work with your Windows 2000 plans? There are so many varying degrees of issues that a manager might have with the rollout—issues you need to solve—that it’s worth our while to know what IT management is all about. Another good reason to understand IT management revolves around the actual Active Directory design and its associated services. Among these services are the ancillary support services that I talk about in this book—DNS, WINS, and others, the organization of which will be affected by the organization of your management. On top of that, there’s a strategic aspect to your rollout. You need to know how IT managers think in order to properly understand how a Windows 2000 network will fit into their plans—their paradigm. That’s what this chapter is all about. It starts with examining how IT gets funded. Then we look at the kind of model IT uses, centralized or decentralized. The two types present huge differences in the way that you’ll design your rollout. We then examine the decision making process, and wind up the chapter with an overview of how IT managers view the change-management process.


F

irst of all, let’s define what we mean by the word funded. This word has drastic differences in meaning when we examine it from the perspective of someone in the government vs. the private sector or a not-for-profit organization.


Analyze the structure of IT management. Considerations include type of administration, such as centralized or decentralized; funding model; outsourcing; decision-making process; and change-management process.


www.sybex.com

150

Chapter 4

Analyzing the IT Management Structure

Governmental Funding Unlike their private-sector counterparts, governmental IT departments are not distinct profit-center entities that have the ability to make major corporate decisions. A government takes in money from the people by collecting taxes. The government has a fiduciary duty to assure that the taxes are spent with the greatest benefit to the taxpayer in mind (never mind whether you think that fiduciary duty is really accomplished). Someone has to decide whether your IT department and your IT projects are worthy of spending hard-earned taxpayer dollars on them. If not, then you won’t get approval. That’s how governmental IT departments are funded. When we talk about how an IT department gets funded and we’re working within the confines of a governmental organization, we might literally be talking about the department getting funded from year to year. The legislature or other controlling body decides how much of a pot of money the IT unit is going to get each year. The legislature doesn’t decide this on a strictly arbitrary basis—they use the history of previous IT budgets, in comparison with the budget requested for the current fiscal year and advice from the controlling body, to make decisions about how best to fund the department.

The Big Brother Committee There may be some sort of a watchdog committee, person, or group that is responsible for reviewing the department’s planned projects, checking the project plans for completeness, accuracy, and need, and approving or disapproving accordingly. It’s very possible that if you work for a governmental entity of some type and you want to go forward with a Windows 2000 rollout, you’ll be told, “No, you can’t do that” because the overseeing body has called a moratorium on any new upgrades for a year after the upgrade’s release to the public. Also, it’s within reason that the overseeing body might not let you do the project just because they don’t have any faith in you to be able to get the project done. Whether this is actually true is between you and the body that didn’t approve your plan, but nonetheless it happens. The body might decide to reject your project plan because there’s no money for the project, or because they want to divert money to a more important project within a different agency or unit. Your project plan and commensurate request for funding might not be approved simply because you didn’t do a very good job communicating the need, the plan itself, and how you intend to implement the plan. These are just a few of the reasons that funding might be cut for a Windows 2000 upgrade design.


www.sybex.com


151

Outsourcing or Wrong Platform Choice For better or worse, some governmental entities are outsourcing lots of their IT, and this may affect whether you can upgrade to Windows 2000 because somebody else will decide whether to go forward with a rollout. Then too, losing your funding might be blamed on as simple a thing as the fact that the ultimate decision-maker on a department’s funding might be biased toward one kind of computing environment over another. You are not allowed the opportunity to go forward with your rollout because you’re not using this specific platform.

Annual Budget Cycle One more interesting thing about governmental funding is that, in some cases, you’re allowed only enough money to get you through one year’s worth of activity. You cannot carry forward into next year a budget that you didn’t completely use this year. This kind of “annually retiring” budgeting has many frustrations associated with it, especially the inability to strategically plan anything that has a project implementation plan of more than one year with the certainty that funding will be available for the following years. While there are many clever workarounds to this situation, budget planners and IT personnel who work for entities with this sort of restriction are careful to make arrangements around it.

Vendor Problems Planning for a specific brand of equipment is often a very difficult task as well. Often you have to submit a written proposal for the kind of equipment you’re looking for and then take bids from people who think they can match the items within your proposal. Then you must go with the lowest bidder. If, for example, you want Compaq gear throughout, but Compaq isn’t on the award list of vendors who can sell to you, then you must either go with a different vendor or write up a proposal in such a way that Compaq and only Compaq computers will work. This kind of trickery takes up a lot of budget analysts’ and planners’ time. It’s one of the rabbit holes you run down as a result of working for a governmental entity and a source of frustration that private-sector planners often don’t have to worry about.


www.sybex.com

152

Chapter 4


Private-Sector Funding In the private sector, you don’t have the unique situation that you have in government, where somebody completely separate from you is making decisions about how you can spend your money or telling you what brands of equipment you can and cannot buy. From that perspective, funding for IT shops in the private sector is much freer and allows for projects to be implemented more spontaneously. But private-sector departments have their own problems as well.

Cost Center Vs. Profit Center The first thing to establish is whether your IT department constitutes a cost center or a profit center. There happens to be quite a bit of difference in the way that managers look at funding for a department, given the answer to this question. If your IT department helps to create software that your company is selling, then your contribution is intrinsic to the company’s success and you are involved in a profit center. You help make a profit for the company. On the other hand, if you are involved with an IT department whose mission is simply to keep things on the straight and narrow on a daily computing basis—meaning that the servers stay up, the databases stay fast, and so forth—then you probably are considered a cost center. You cost the company money to maintain, and you really don’t contribute much toward helping them earn a buck. Now, it doesn’t take a rocket scientist to figure out that if you’re working for a cost center, chances are it’s going to be much harder for you to get new projects pushed through than if you work for a profit center. After all, working for a profit center means that all you have to do is go to your management and say, “We need thus-and-so to make this project succeed,” and you’ll probably get it. Companies don’t frequently bite the hand that feeds them. But that’s not to say this is always the hard-and-fast case; it’s just a fairly stable rule of thumb that you can abide by. Are you a member of a team that’s a cost center and you’re considering performing a Windows 2000 upgrade? Then from a straight project-management point of view, your upgrade proposal may meet with a thumbs-down. Unless, of course, you can make a business case for the upgrade’s necessity; then you’ve got a leg to stand on.


www.sybex.com


153

Pragmatic IT Decision Making Today, more than ever, IT managers have more work on their plates than they can possibly handle. Part of this has to do with the concepts that underlie systems integration. Your company keeps most of its data on a mainframe, but you’d like to view it in a much easier GUI-like format that brings the power of buttons and scrollbars to the data. You have a lot of data on Unix computers, but you want to intermix it with data on NT systems and present the whole thing on a Web site. Those kinds of issues make up systems integration. If you really think about it, systems integration is a hefty chunk of what IT shops are all about today. But systems integration and the commensurate infrastructure tuning and server build-up that go along with such efforts make up enormous task loads for IT shops. To top it all off, there just aren’t enough people to go around and to help manage this terrific load. So IT managers are forced to make decisions about the most important projects on their plate, then cut the rest. That’s part of what working in a private sector is all about, where the things you do directly reflect on how profitable your company can be and how quickly it can gain momentum in a new marketplace. Today’s computing environment is not one for the manager who’s faint of heart and cannot take a pragmatist’s view of how they run their shop, cutting the fat like a butcher trims the edges of a fine steak. You have to do it. Unfortunately, you may find that your Windows 2000 project has been weighed in the balances, has been found wanting, and is on the chopping block. Funding for projects in tight situations like this has to do with need. The project with the most need gets the most dough, then the next most necessary, and so forth down the line, to the end where the money is all gone. This need evaluation is done by a group of individuals who one day go meet somewhere for the majority of the day, armed with tablets and pencils (or palmtops), and hammer out the most pressing projects that the IT shop has on its plate. Then the money gets doled out accordingly. (Smart managers also plan a fudge factor for the inevitable budget overrun, but that’s another story.) How do you plan your Windows 2000 upgrade project proposal for such an event? I think the best planning is in the solid business case. Managers are quite willing to listen to what you have to say about a situation, as long as you approach things from a finely honed business point of view. It’s not good for you to go into a project proposal meeting with the idea in mind that everyone wants to go to Windows 2000 because it’s the hottest new thing and obviously the smart answer. You’ve got to make the case, coming up


www.sybex.com

154

Chapter 4


with reasons why you must go to Windows 2000. Look at your shop. What is it that Windows NT 4 or Unix does that Windows 2000 could do so much better? How could going to this new product increase productivity and offer up smarter, better apps? You must approach the pragmatist managerial philosophy from a strictly business point of view, presenting your well-made case and being prepared to answer each and every question with the perfect answer—anticipating the questions in advance, in other words. Then you’ll have some success. But if you go in and say, “Well, the magazines are all talking about it—duh! Join the 21st century!” you’ll be wasting their time and yours.

Funding in Not-for-Profit Organizations The not-for-profit organization is a really tough one to design for. You have no money—or at least, you’re not likely to get approved for very much money with which to upgrade computing equipment—and you shouldn’t be involved with a not-for-profit if you don’t expect those kinds of things. The goal of a not-for-profit is to provide some service that’s a benevolence to mankind. While computers certainly are bought and networks are installed by not-for-profits, they are nowhere near the size or grand design of business networks. Funding for not-for-profits comes from the donors, the people who write out the $20 and $30 checks to keep the organization going. Think about it this way. You have a teenage daughter in high school, and one day you get a call from a not-for-profit organization in town that operates, of all things, a roller-hockey club for high-school girls who don’t have a lot of the things you’ve been blessed with. You write out a $25 check, and a person comes by and picks it up. Now, let me ask you: where do you expect that money to go? Right! You expect the money to go straight to the purchase of hockey sticks and roller skates and gas for the bus to get the kids to wherever it is that they play hockey. Not for HP NetServers and Cisco Catalyst switches. See how delicate the situation is for the managers, the guardians, if you will, of such an organization? Many times the “funding” is in the form of donations of older equipment that somebody else can no longer use but you can. A Windows 2000 rollout in an environment like this is going to take lots of planning, careful consideration and, most importantly, lots of time to see the project from start to completion.


www.sybex.com


155

Design Scenario: Your Perceptions, Their Priorities You took a network architect job with a mid-sized high-technology firm that’s involved in computer communications. The firm is quite progressive, and you feel like you’ve been riding a whirlwind the entire time you’ve been working for them. But you took the job because you wanted to learn more about computers and networking, and you felt that this company’s attitude toward all things high-tech was the right fit. Windows 2000 is now out and, while you understand that you can’t just run out tomorrow and get the deployment going, you’d like to begin your project plan and really take your time in thinking about how the whole thing will come together. Right now you’ve got 15 domains, most of which have complete trusts; 5,000 users; and a geographic span that includes an office in every major city in the U.S., Canada, and most of Europe. It’s exciting and, you think, pragmatic that you’d go to Windows 2000, if for nothing else than the Active Directory help. Your cadre of senior IT managers, good, respectable people all, has met and looked at all the projects on their plate; there are boatloads of them! The managers feel that they can safely handle 10 highly important projects—hot potatoes, every one. On top of that they’ve listed 15 other projects that have varying degrees of importance, but which will be included only after the first 10 are safely completed. Your problem is this: none of the projects include anything having to do with a Windows 2000 upgrade and rollout! In fact, the managers have added a little blurb that says, in essence, “Here are projects we’re not going to work on this year: Windows 2000.” So the law’s been laid down. Now, the question is, what are you going to do about it? Can you find a challenge elsewhere in one of the other projects? No, not if your heart’s set on Windows 2000—there’s nothing quite as cool (or résumé-building) as a new NOS, is there? On top of that, the other projects don’t really apply to you; they’re developer kinds of things. You don’t think money is the problem. The way this company spends money on IT, if a Windows 2000 rollout were the hot button for the year, no expense would be barred in obtaining it. So the question for you now is what you’re going to do. Should you try your best to make a solid business case for a rollout? Should you wait the year out and hope for a new decision next year? Or should you send out your résumé and find a company that is going to do a Windows 2000 upgrade? All valid solutions, all requiring intense thought and objective decision making. Copyright ©2000 SYBEX , Inc., Alameda, CA

www.sybex.com

156

Chapter 4


Centralized or Decentralized IT Structure?

Our next question has to do with a very interesting yet esoteric subject: Is your IT organization centralized or decentralized? How can you tell?



Let us first describe the two different categories of organizational makeup, then see what we can do about taking the high road in terms of designing a well-thought-out Windows 2000 upgrade based on each. By the way, there’s a lot of gray between these two opposites. Figure 4.1 shows the way that I think about this scale. FIGURE 4.1

Where does your firm weigh on the centralization scale?

Centralized IT environment

Your company probably fits somewhere in between the two extremes. Could be that one division of IT is centralized and another decentralized

Decentralized IT environment

It’s possible that one arm of your IT organization is decentralized while another is centralized (I’ve seen this before and it’s very difficult to manage). But what exactly do we mean by these terms, and how will you know a particular environment type when you recognize it? Here’s a sense of what to look for.


www.sybex.com


157

Centralized IT Structure Perhaps the best way to think about such an organization is to think about the phrase, “one group for the common good.” The centralized IT structure has a key leader, typically a CIO, followed by several directors or senior managers who head up various areas, and then the leadership trickles down from there. If you have an autocratic CIO with a very firm grip on the direction of the IT organization, you’ll find that centralized environments can really do marvelous things. Two caveats accompany that statement, though. First, CIO visionaries must know what they’re talking about. Somehow business schools have begun teaching that the CIO of a company doesn’t have to be technological. No! This is wrong. That’s like saying that a hospital’s chief surgeon doesn’t have to be a physician. Yes, CIOs must be good businesspeople, but they must also know technology and understand it and be able to converse with those who are wrestling it. The second caveat is that CIOs cannot have such a dogmatic management style that there’s no room for others beneath them to breathe. The “my way or the highway” ethic doesn’t go very far with technical people who know and understand systems and who are trying to illustrate to the CIO the fine points of why something won’t work. Far better for the key leader to place some level of trust in the lieutenants that the work will get done—maybe not completely the way she’d have it to get done, but it’ll get done nevertheless. Centralized structures do not lend themselves to renegades or rogues, though it’s interesting that you’ll often find one of these people in a highmanagement job within the organization, and somehow that person seems to find favor with the CIO. Go figure. But for the most part, a centralized structure can be highly effective, much more so than a decentralized structure, as long as the leadership at the top is strong, organized, and effective at communicating the process and then insisting on accountability when it’s time to turn in the code. Planning for a Windows 2000 rollout in a centralized structure will mean that you’ll have to present your plans to a cast of thousands. You will be faced with hundreds of questions; you’ll be told “no” by more people than you can shake a stick at. And yet, if you present a good solid business case, and the CIO is convinced that you’ve got something there in what you’ve said, you’ll likely get the green light. And that leads me to the very best part of centralized structures. If you’re good—really good—and you put a project together that does what you said it’d do, and you bring it in on time and


www.sybex.com

158

Chapter 4


under budget, you’ll get noticed by lots of people and you’ll likely bounce up the ladder a rung or two in the near future. Conversely, if you flub it up, you might as well polish up the résumé because your next job is in the mailroom.

Decentralized IT Structure In a decentralized environment there are different groups of people handling different computing scenarios and managed by different authorities. It’s possible that all groups report to the same CIO, but that’s about where the similarities stop. From there, it’s any person’s guess as to what line of definition there is for a given computing environment. When setting up a decentralized environment, there are two different methods of accomplishing the goal: You can choose to decentralize across specialties or across geographic lines.

Decentralization Across Specialties An IT shop that’s decentralized across lines of specialties has managers who manage specific groups of people. For example, one group located in the downtown headquarters office building might be responsible for the Oracle DBA work, while another group in another part of town is responsible for the SQL Server DBA duties. The mainframe programming team has one manager; the scheduling team, which handles the JCL that submits the jobs to the mainframe, has yet another. The network administration team is broken into so many sections that it’s basically not a team. Your Macintosh administrators live on the marketing floor of headquarters; the NT admins are segmented out by logical line of business (finance, HR, sales, etc.); and the internetworking people (those who handle the routers) are based at some little engineering office elsewhere in the city. There is a manager or supervisor responsible for each distinct group of people. Chances are that one group isn’t even aware of the other’s work and vice versa. Decentralization across specialties is a good thing when the company is so diverse in its computing needs that it just doesn’t physically make sense to maintain a centralized environment. Typically, very large enterprises qualify for this kind of makeup, though I’ve seen wildly decentralized setups in shops of fewer than 6,500 people. Decentralization reeks of the famous Sinatra song, “I did it my way.” A lot of the time it develops from “one-shop thinking”—believing that a specific unit’s needs are so distinct from others’ that it just doesn’t need the same reporting structure as others.


www.sybex.com


159

Decentralization across Geographic Lines There’s another reason to decentralize: the geographic location of one entity compared to another. For example, perhaps you work for a large company that has satellite offices in many states in the U.S. and in countries all over the world. You have one big mainframe environment based in a large U.S. city and several computing centers in other cities. Here it would make sense to decentralize the environment into more manageable chunks. Often the chief network architects and internetworking geniuses are based in one city, but they make decisions for the entire worldwide network. Yet when it comes to deployment time, the network administrator in the local office is the one who actually bolts the router into its rack, hooks it up, and gets it going. This is another example of geographic decentralization. The network admin in the local town has a different supervisor than the network architects, yet their goal is the same. Decentralization has, at its core, one fundamental good point. Since decentralized units are broken up into such bite-sized entities, it makes them quite easy to manage. You don’t have to worry about a broad-based set of skills in your managers, because they only have to manage one distinct skill set. You don’t have to worry about broad-based training for your people, because they’re hired for only one or two skill sets. You can move more quickly and in much tighter fashion than you can in a centralized environment, where everything has to emanate from Oz and move down the Yellow Brick Road accordingly. On the other hand, centralized setups are wonderful because all of your geniuses live at headquarters. You can get them together any time you like in order to make earth-shattering announcements. The corporate goals can be much more easily disseminated (and understood) because they’re coming from one consistent source. You can lend out expertise from one overstocked group to another starving group in order to get some work done. Best of all, when you’re centralized, collective heads can get together and brainstorm on the tough problems and come up with very creative solutions. Your Windows 2000 deployment’s success will have a lot to do with whether you’re decentralized. Why? Because if you’re broken into little pieces and spread out across the land, your communications model has to change in order to be assured that everyone hears the message. In a centralized environment, you only have to have one message that’s heard by all; on the other hand, in a decentralized environment, you’re not going to have to be so inclined to do your rollout all at once. You can pick distinct entities,


www.sybex.com

160

Chapter 4


roll them out, then go on to the next and the next without anyone somewhere else being the wiser. It’s hit or miss, but it’s something you need to know in either case. There is a second kind of group that’s fairly prevalent in working society. Suppose a company grows to a fairly substantial size—maybe a couple thousand employees. All of a sudden, an IT department becomes a necessary evil that has to be dealt with in this company, because of all the computing needs that must be taken care of. Lots of times, in companies like this, IT management gets relegated to a person who has no clue how to spell PC, much less how to handle people who administer them. Often, this person also manages people with whom he or she has great experiential knowledge. By that I mean, perhaps this manager has a CPA license and manages a group of accountants along with the IT staff. She has great expertise managing financial people because she knows finances, but she doesn’t know how to manage IT people. Such a management arrangement, I have found, leads down one of two roads: either the head of IT makes nonsensical determinations that aren’t relevant to the IT needs of the company (“We’re going to keep this on the mainframe, no matter what!”), or one trusted IT individual is basically given carte blanche to do whatever he likes. Both paths are dangerous for growing enterprises.

Design Scenario: Windows 2000 in a Decentralized Environment You work for a fairly large company, about 10,000 employees. The company has all of the various computing platforms that accompany big-corporation IT environments: mainframe, Unix, client/server, NT, Mac, etc. You use Exchange server for your e-mail system. All of your users validate through NT servers, though many of them work off of a terminal emulation client to gain access to a Unix host. You have TCP/IP and SNA as your predominant network protocols.


www.sybex.com


161

Your company is spread out over five geographic areas that are separated by hundreds of miles. The four remote sites are hooked to you by fast WAN links (several T1 frame relay circuits), and speed isn’t typically an issue across the WAN links. The network structure is solid, and there are no speed issues there either. The majority of the speed problems that you’ve run into have to do with badly written Web or database code that slows down certain operations. There are NT administrators at each of the four remote sites, but they are junior-level administrators and do not report to your supervisor. They report to managers located at each of the remote sites. There is not much rhyme nor reason to why certain managers were picked for the job. For example, at one of your remote sites, the two NT administrators you have there report to the controller, while in another site they report to the chief engineering officer! The management structure is singularly top-down, and most of this has to do with your product offering. You have a very limited, discrete product line that appeals to only a certain category of clientele, so management can afford to make unilateral decisions in a fairly autocratic fashion without much challenge from the “rear guard” in each of the four remote sites. There’s a bit of cowboy blood at these sites, but for the most part management is very hierarchical and strict. The exceptions to this are the IT departments, which are managed almost as if to say, “I don’t know about your team; I’m a part of the only IT team in the company.” You say one thing and another gets done, even though you’re a part of the central IT team and are supposed to be making up the rules. You’ve had lots of different problems as a result of this. There was the time you inherited several OS/2 servers that you had to scramble to find support for, and one or two non-standard databases that have surfaced from time to time. You’re bothered by the decentralized model. Why is management so rigorous about everything else they do, but so noncommittal about the lack of structure across their IT teams? You need to get everybody, all 15 NT administrators, on the same page and talking to each other in clear precise terms. Your Windows 2000 rollout will not succeed if you don’t, especially in site 3, where you have a group of administrators who are very seriously looking at a complete Unix/Linux model and completely getting away from Windows. While you don’t think this would fly with management, clearly there are schisms that require senior management intervention to rectify.


www.sybex.com

162

Chapter 4


You approach your boss, tell her about the issues you face, and describe the problem that presents in terms of going forward with any new server NOS rollouts. She’s disheartened because she wants the project to go forward, is interested in Windows 2000, understands the viability of what it brings to the table in terms of increased networking capabilities, and wants to help out. She’s especially concerned about rogue elements that are trying to introduce unwarranted software that’s not a part of the corporate structure. She agrees with you that you need to escalate this up the chain of command. She gives you a plan: get a dialog going with the senior managers, make it very clear that there are serious IT issues and that centralization is in order, and present a centralization plan. Your centralization plan will be met with harsh political criticism and will take valuable time away from your rollout. But you’ve got to go forward. The decentralization is killing you!

Identifying Outsourcing Risks and Strategies

T

he word outsourcing became a business fad in the late eighties and early nineties because it promised great financial returns to companies that were heavily invested in the IT world and whose managers did not feel they were getting the biggest bang for the buck from their regular staff. They felt that by outsourcing IT functions, the overhead associated with maintaining and operating an IT department would go away and costs would be significantly reduced.



It’s safe to say that the experiment failed miserably. There were several problems with outsourcing and, though the problems were obvious to IT


www.sybex.com


163

folks, they weren’t necessarily as obvious to managers thinking about going forward with outsourcing. Outsourcing itself is not a big deal, provided you know why you’re doing it and what you’re outsourcing. The problem came about when managers made a blanket statement that they were going completely eliminate IT departments and let somebody else do the work, all in order to save costs. That’s the experiment that failed. I’d like to elucidate the kinds of problems that companies ran into for you here, so that you have fodder you can use when discussing outsourcing ramifications with your managers.

Outsourcing Risks We must first examine the risks associated with an outsourcing maneuver. If you have a quiver full of arrows you can use when discussing outsourcing with the management powers at your place of business, you’ll have a better chance of winning the battle. (If their minds are already made up, then not much of a chance, but hey, it can’t hurt to try, right? What do you have to lose, your job?) Here are some arguments you can shoot your managers’ way to give them something to think about when considering the possibility of any kind of outsourcing.

“Outsource entities can’t understand internal functionalities.” Companies that have spent thousands, hundreds of thousands, or millions of dollars developing internal software programs that are specifically customized for their business can’t expect outsource entities to come right in and understand the ramifications of the program. One state agency I worked for had a massive, mainframe income tax system that had been written in a variety of languages and performed an enormous number of different functions. Three or four full-time programmers managed the system on a day-to-day basis. One woman who had been moved to the tax system programming unit took a full 10 years to understand all of the nuances of the system! I find it impossible to believe that when you hire somebody from the outside, no matter how skilled they are in the particular development environment, you can expect them to come in and get right up to speed on how the code works. Sure, they understand how people coded it (and might even make some great recommendations for correcting bad parts), but they can’t possibly know, in


www.sybex.com

164

Chapter 4


the little time they have, how the modules work or what their original design intent was. Doesn’t happen, won’t happen, can’t happen. A manager’s retort to this will be “Well, we’ll just use our senior programmers to provide knowledge transfer to these entities before we complete the outsourcing program.” Yeah, right. Somebody who’s going to lose his job because he works for an ignorant company isn’t going to do “knowledge transfer” to an outsource entity. He’ll probably polish up his résumé at the same time that he feeds as little information as possible to the new folks. Give me a break. One company that went through a huge outsourcing program actually kept their several of their senior people on board just for this reason. But excuse me, isn’t the whole purpose behind outsourcing to eliminate the expensive overhead of the salaries of those highly paid senior people?

“Companies don’t typically save money by outsourcing; they lose money.” Outsourcing isn’t cheaper, it’s more expensive. As in the income tax system above, suppose that this state agency actually considered outsourcing. How much do you think they’d have to pay somebody like an EDS or an IBM Global Systems to manage hundreds of thousands of lines of COBOL, Natural/ ADABAS, and assembler code? What does a senior mainframe programmer consultant charge a business these days: $250 an hour, maybe? And the first 10 to 12 months of those hours will be spent trying to figure out how the code works in the first place? Not practical. “OK,” you say, “That’s fine for programming, I can understand that. But we’re not talking about programming. What about networks and networking?” Well, my experience has been that a really good network person, somebody who actually understands networks and knows what they’re doing, is, at a minimum, a $125-an-hour person. Just any old paper MCSE on the bench that the consulting company is trying to get placed will run $90–$100 per hour. See, consulting companies have to pay several salaries out of the one Joe or Jenny they’ve got placed. They have to pay for the salesperson who got him there in the first place, and then there’s all the benefits, overhead, etc., etc. Consultants are not cheap.


www.sybex.com


165

“Consultants, like trainers, are not geniuses; they’re ordinary Joes.” Consultants are often not be much better at a task than you and your staff. Unless you pay the big-dollars freight for a very specific knowledge category—a highly specialized person who knows all about one specific subject—you’re wasting your time and money. The people you have on staff are as adequately prepared (or can quickly become that way) as the people you bring in. I’ve actually worked for companies that brought in consultants who made a recommendation for a specific product, then sat there, on company time, racking up consulting dollars, reading the manuals that came with the software! Don’t believe it? I’m willing to bet that this is more often than not the case. A friend of a friend of mine is a consultant who specializes in C++ objects. He’s a C++ Zen master, no doubt about it. And he understands the whole object request broker (ORB) concept up one side and down the other. He’s definitely the object whiz-kid. He travels 100% of the time, makes a sixfigure income (a nice six-figure income), and is worth every penny. He’s a specialist. He’s brought in for a very specific task and then, as soon as the project is put together and is running right, he exits. He’s expensive, but he gets the job done. Does that describe the average consultant?

“Outsourcing doesn’t work if you use the consultants as the project managers.” Perhaps the biggest mistake companies make is in outsourcing the whole works (or an entire huge project), then using some of the consultants as the project managers. First, the project managers are the ones who understand the project from stem to stern. That doesn’t describe contractors who don’t have a whit of a clue as to how your business runs, does it? And if the project managers are consultants, who has final authority and control? You? Nope, think again. If the project manager is convinced that Product A will do the job in getting one system to talk to another, and you’re not sure, guess who’s going to go with Product A? I’ve seen this over and over and over again in my professional career. I don’t understand why managers don’t trust their own IT staff to act as the project managers, but time and again managers appoint contractors as the project managers and the whole thing winds up being a big expensive joke.


www.sybex.com

166

Chapter 4


Outsourcing has another drastic affect on companies: it causes “talent flight.” Once a company announces that it’s going to outsource, the good folks are generally gone in a hurry, on to newer, bigger ground.

“It’s not true that the company isn’t in the IT business.” The most common excuse given for outsourcing is this: “We’re not in the IT business, we’re in the (fill in the blank) business.” Oops; better ask Regis if you can phone a friend or ask the audience for help. Not true again. Even though your business is making the best doggoned bicycle wheels money can buy, if you keep your business all on computers, you’re automatically in the IT business as well. (Folks, I didn’t invent these laws, they just assimilate themselves into the business practices of the day. What can I say?) Let’s go back to the early 1900s for a different kind of example. You work for a pharmaceutical company, and aspirin has just been discovered. Aspirin, as you know, is made from the bark of a tree. Are you in the tree business? No? I think you are indeed in the tree business and had better learn all about this specific tree, because it’s your lifeblood. If those trees don’t grow well, you could be out of business. Now come back to today. Keep your financials on Oracle? Then I’d say you’re in the Oracle business, like it or not. That’s life in the techno-zone we have going in the 2000s.

Outsourcing Strategies There are two situations where you might get involved with outsourcing— two separate situations where you need to think about yourself and your company’s involvement:

Outsourcing a specific component of an IT project

Outsourcing a specific IT project

Outsourcing the entire IT staff

Outsourcing a Specific Component of an IT project There are times when outsourcing is the only safe feasible way to go. Web programming is probably today’s best example. You want to come up with a killer Web page but don’t have the technical expertise or the money to train someone up that expertise. So you outsource.


www.sybex.com


167

In the Windows 2000 design world, you may very well find that some outsourcing is necessary for specific components of expertise that you require. The DNS example is a great one. Maybe you’ve never worked with DNS, and the highest form of name resolution work that you ever got into was the occasional WINS problem. Now you’re faced with DNS over a big AD deployment. How do you handle such a thing—design in its components and make sure they run? Perhaps here is a place where outsourcing makes sense.

Outsourcing a Specific IT Project When designing a Windows 2000 network, outsourcing a specific IT project is going to be of importance to you. Why? Because your company is going to bring in contractors who have a given objective in mind. They’re going to assess the current environment—probably not asking questions about the future environment—and then design a solution that fits today’s network. That may or may not be tomorrow’s network, so it’s important for you to raise the flag, saying, “Hey! Things are going to change around here, and you need to design your system so it interfaces with today’s Windows NT 4 network and tomorrow’s Windows 2000 network.” Chances are good that they’re going to panic and say things about not guaranteeing compatibility; your boss is then going to panic and tell you to stick with NT 4 until everybody’s sure. Your operating principle should be to tell everybody, all project players including the contractors, that you’re planning on moving to Windows 2000 in the very near future and you expect the app they’re designing to work with it. How do you plan around such eventualities? I think the best thing is to begin interfacing with the project planners at the very earliest stages of the project, in an attempt to try to figure out what the project aims to accomplish. Often this is difficult because the ideas are only being fleshed out and the company thinks that contractors are going to put meat to the bones. But you can be sure that specific device drivers, hardware requirements, and things like that are going to require a long hard look at how Windows 2000 will interface with this new project. Then you need to make sure you work with the contractors, trying to figure out what they’re going to recommend, making sure the software solutions they’re recommending will play politely with Windows 2000, assuring that they pick gear that comes with compatible Windows 2000 device drivers, and so on. It’s a big challenge, one that’ll require a lot of extra legwork on your part. But if you don’t do that legwork, you can realistically expect your Windows 2000 upgrade to be killed indefinitely.


www.sybex.com

168

Chapter 4


It’s quite possible that your contractors will actually help you out by insisting that you upgrade to Windows 2000 as a feature set of what they need to accomplish their project’s completion. I can visualize lots of situations where this kind of serendipitous thing might happen.

Outsourcing the Entire IT Staff What can I say about this? If you’re pretty sure the entire IT operation is going to be outsourced, I’d bag any notion of going forward with a Windows 2000 deployment and hope that in your next job you get to do such a deployment. Stuff happens.

Design Scenario: The Desperately Needed IT Project from Hell You work for a high-tech, high-pace company that thinks on the run, makes decisions retroactively, puts out fires instead of proactively handling any problem and, in short, lives life as though its hair is on fire. Ever since you’ve come to work for this company as an NT engineer, it has been this way—moment-to-moment living. But you’re here because this company loves high technology and you love being where the action is. Now you’re designing the Windows 2000 rollout. You’ve stipulated the hardware requirements for the servers, made the requisite upgrades to the infrastructures, and planned out your entire deployment. You are ready… you are so ready. But there’s a new fire. A hot, burning inferno that is causing lots of problems for the company. There’s a business problem in one of your profit centers, something about getting work orders from one place to another in a timely basis. This has to do with decisions that were made on the fly to bring in disparate systems that must now talk to each other because it takes way too much time to manually get them in sync. So the company is going to bring in a huge wave of contract programmers, and they’re going to come up with a solution that takes the data off of one system and puts it on another. An integrated system—something that contractors often are pretty good at.


www.sybex.com


169

The coders get to work and take up lots of your time asking questions about the current design. You tell them about the existing Windows NT 4 network and your plans for a Windows 2000 network. They tell you that things will “absolutely” work in the Windows 2000 environment. You’re hoping against hope that they’re right, but you have a checkmark in your mind about the whole thing. One day, your suspicions are solidified when they come to you and tell you that a certain set of DLL files they’re using in their test environment aren’t the same as the ones in the production environment. The production environment is wacky; the test environment seems to be working OK. Upon investigation, you find that the DLL files they’re talking about are in the WINNT\System32 directory! Now you’re sure things aren’t going to look good for a Windows 2000 upgrade. Why? Because nobody can put updated DLL files into the WINNT\System32 directory. Windows 2000 will alert the administrator that this has taken place and automatically revert back to the old DLL file. This is a godsend most times, but in this case it’s going to kill the upgrade unless you can figure out a way to get those updated DLLs where they need to be when the contractors need them there. And then you’re not sure what the rest of your once-pristine Windows 2000 system will be after the DLLs are updated. You could administratively turn off the automatic file-checking, called “Windows File Protection,” that Windows 2000 does, but you don’t want to do that either. (Besides, you can only turn it off if a kernel debugger is hooked up to the machine.) This is a problem that interferes with your Windows 2000 design goals. You find out that there is a workaround where developers can put a tag file in any system directory that they choose to create, put their system DLL files there instead of in the WINNT\System32 directory, and Windows 2000 will automatically look for the DLL in the application system directory instead! This project is again officially on the road.

This is a side note, but it’s worth mentioning because it’s probably something you’ll run into sooner or later. Microsoft development teams have determined that there is one major thing that tends to crash Windows NT systems. It happens when one application copies some system DLLs to the WINNT\System32 directory without regard for any other application needing a newer (or older) version of that same DLL. Some applications can’t


www.sybex.com

170

Chapter 4


work with an old DLL; others can’t work with a new one. This makes perfectly good sense, if you think about it. One of the more common DLL system files are the Microsoft Foundation Class (MFC) DLL files that are used universally by Visual C++ coders. Almost every application I install on a server seems to want to update MFC40.DLL, MFC42.DLL, or some other iteration thereof. If one app is expecting a certain DLL version and another is expecting a new version of the DLL, chances are good one app or another is not going to run correctly. It’s even possible that both won’t run exactly right, the system might BSD, you’ll get frequent Dr. Watson errors, and so on. The reason Unix systems are so stable is because they don’t have application after application installed on them. And then, applications don’t write to the Unix kernel; it stays intact. But in the Microsoft world, anybody who wants to write an application can do so and put their DLLs right into the WINNT\System32 directory. Windows 2000 will help drastically alleviate this problem.

The Decision Making Process

D

ecisions in your company are made through some process. The process could be as simple as “Oh, why the heck not?” or as complicated as thorough review boards and diagnostics and tons of spreadsheet documentation to prove your point. Only you can know what the decision making process is like for your company. But you need to ascertain this information and keep it in the back of your mind for the purposes of your Windows 2000 rollout.



For example, suppose that all major decisions involving the kind of money a Windows 2000 upgrade will entail require that you go through the CFO for final approval. He wants to see spreadsheets and vendor information and project timelines—all that good project management stuff you


www.sybex.com

The All-Important Change-Management Process

171

would naturally have assembled in the course of putting the project together in the first place. But of course, the CFO is an incredibly busy man, so once you turn in a complete project to your boss and she reviews it, passes it upward to the operations manager, and he approves it and sends it to the CFO, you might be looking at 90 days of wasted time before you even know whether you can go forward. On the other hand, you might decide to phase the system in one server at a time and then upgrade the whole thing to a native Windows 2000 environment once the entire structure has been updated. This way you can do a piece at a time, avoid some of the pitfalls of submitting big project plans to managers, and maybe get things done more quickly. Not to mention that you get a more even feel for what the product can do once it’s unleashed. Or, it’s possible that you submit only part of the project plan at a time and work through it, then submit the next, work on it, and so forth. It’s all relative to the kinds of decision making techniques that are in use where you work. Can your operations manager sign off on smaller segments of projects, so that you can get going early on and stage in the various components of the upgrade (e.g., this group of servers, that group of servers, etc.)? Should you prepare complete project plans, even for small stages of a deployment? (Yes.) How will decisions be made regarding your project?

The All-Important Change-Management Process

F

inally, we want to discuss the change-management process. I’m so glad that Microsoft has included this in the testing programs for Windows 2000. Mainframers have used change management for decades to make sure that changes are well documented and that there's a backout methodology in place before a change is implemented. Well-implemented change-management techniques can all but guarantee a much safer and more successful rollout of an application or project.




www.sybex.com

172

Chapter 4


What does change management mean, anyway? It’s a very simple concept, but one that’s terribly difficult to implement, simply because it requires so much rigor to stick with the program. Basically what any change management program requires is that when you want to make a change to a system, you document the change, going through a series of steps in your documentation procedure. Specifically, your change-management document should contain all of the information shown in Figure 4.2 shows a sample Change Management document. FIGURE 4.2

A sample change-management document

Change Management Document Proposed change (please supply full written details):

Server or servers impacted:

Application or applications impacted:

Network infrastructure changes needed:

Estimated time to make change: Persons involved:

How the change will be tested to assure that it is complete & satisfactory:

Backout procedure if change is unsuccessful:

Date and time change is to take place: Stakeholders involved:

Approvals:


www.sybex.com

Summary

173

Change-management documents are usually very official documents that are signed off by managers. If the evidence that you’re sure the change won’t crater something is insufficient, managers will often either refuse to sign off on the change or they’ll require that you watch the change and implement backout procedures as soon as you see something wrong happening. The owner of the change-management document (the one making the change) is the one who must be with the system (or be immediately available) the entire time the change is being made. If server operators and administrators had begun using change-management techniques years ago, we wouldn’t have nearly the problems we have with servers today, because we wouldn’t take the chances we take with disparate applications being loaded on one server. Instead, we’d prepare a changemanagement document, file it with the appropriate management powers, and then perform the change. Because we had been forced to think about how we were going to implement the new change and to write a commensurate backout, we would be much more familiar with what the change was going to do and we’d be able to manage it much more effectively. This is the heart and soul of change management. How does this show up in a Windows 2000 design? Change management is something you should seriously consider as you go forward with your Windows 2000 upgrade. You start by making sure you test things in a lab environment. Does it work there? Yes. What did you observe when you implemented something in the lab? Can you be sure that will emulate itself in the production environment? How can you take back what you just did (backout)? Then, after making sure your ducks are in a row, having worked through things in the lab, you file a change-management document stipulating what your intentions are, what’s going to happen, what people should observe happening, how you’re going to test the rollout, and what your backout policies are. Get it approved by all the stakeholders, set a time to deploy, and follow the letter of the document. That’s how change management works, and it works very well.

Summary

This chapter has pointed out some IT management structural issues. For example, upon close examination of your IT group’s makeup, would you say that you’re centralized in nature or decentralized? This isn’t always


www.sybex.com

174

Chapter 4


an easy thing to diagnose and might take some digging to figure out. How is IT funded? Are you a profit center or a cost center? What about outsourcing? Do you outsource for help with specific IT projects? Is your IT department in danger of being outsourced? How does the decision making process work in your company? For example, some companies are quick to make decisions at a departmental level, but then things get stalled when the decision needs to be made by a board or a high executive. Change management is the process of actively documenting all changes that are made to production systems; providing for testing of desired results, and stating backout procedures in the event the change isn’t successful. Good change management always calls for a thorough lab test before rolling into production.

Key Terms These are the key words or phrases mentioned in this chapter. These terms will help you structure your analysis of IT management. backout centralized change management cost center decentralized outsourcing profit center


www.sybex.com

Review Questions

175

Review Questions 1. Your company has offices in New Zealand, Hong Kong, and Los

Angeles. There are going to be Windows 2000 administrators in all locations, but they will all report directly to you. What sort of administrative model is this? A. Laterally responsible B. Centralized C. Mobilized D. Decentralized 2. You work for a governmental agency. You want to implement a Win-

dows 2000 rollout, but you have a problem. You can’t get the entire budget approved, at least for this year. Why not? A. Your agency has an all-time spending limit on computing equip-

ment that you cannot go over. B. There are laws and regulations affecting this rollout. C. You can’t get the budget through committee if it’s too high. D. You’re on an annual fiscal budget. 3. Your Windows 2000 project plans and time lines were finished

months ago! The plans have gone to your boss, and now you find out that they’ve been stalled in an IT committee. Which process is holding up the project? A. Project-planning process B. Decision making process C. Change-management process D. Risk-assessment process


www.sybex.com

176

Chapter 4


4. You design a document that formalizes a process so that whenever

anyone makes a change to a server you can refer back to what was done. What is the name given to this process? A. Risk aversion B. Change formalization C. Change management D. Centralization of administration 5. What are two of the things that a good change-management document

should include? A. Home phone numbers of persons involved B. Management and stakeholder approvals C. Testing procedures D. Personnel authorized to OK the change 6. What are the two things that can be outsourced when a company con-

siders some segment of IT outsourcing? A. Project outsourcing B. Network outsourcing C. Complete IT outsourcing D. Risk outsourcing 7. Your company has an IT department that handles the development of

all new software for the company’s systems. Another department handles all server upgrades, and yet another handles all internetworking (routers, switches, and so forth). What kind of administration model is this? A. Decentralized B. Centralized C. Loose-bundle D. Laissez-faire


www.sybex.com

Review Questions

177

8. What is one of the Windows 2000 components that will assist admin-

istrators with the overwriting of critical system DLLs? A. Windows DLL protection B. Windows File Protection C. Windows System Protection D. System safeguard 9. You work for a company that has offices in New Zealand, Hong

Kong, and Los Angeles. You’re based in the L.A. office, and you have a team of three people. The administrators in the Hong Kong and New Zealand offices are separate from you and, though you all maintain the same Windows 2000 Active Directory, each group is responsible for unique domains. What administration model is this? A. Complete trust B. Decentralized C. Master model D. Centralized 10. You work for a not-for-profit organization. Where will the funding

for your Windows 2000 rollout come from? A. Benefactors and donors to the organization B. Government assistance C. Solicitations D. Prospectus


www.sybex.com

178

Chapter 4


Answers to Review Questions 1. B. Seems like it should be a decentralized model, doesn’t it? After all,

about two-thirds of the other administrators are hundreds of miles from you. But with today’s virtual technologies, not to mention the global features of Windows 2000, you actually have a centralized administrative environment. 2. D. While the other answers might be possible, the most likely answer

is D. You’re on a budgetary cycle where the budget is an annual one and any money you have left over this year is forfeited. Then you get a whole new budget and set of money to deal with. In situations like this, you’re forced to break large projects up into chunks if you see that they’re going to go beyond annual budget. 3. B. Things are held up in the decision making process. 4. C. You’re practicing good change-management techniques. Good

for you! 5. B, C. Phone numbers are great things to include, especially for the

people involved in the change, but it’s more important to make sure that managers and stakeholders see the document and understand what you’re trying to do and that testing procedures are formalized. 6. A, C. Project outsourcing implies that you’re going to outsource a

complete project, such as a software development project or an infrastructure upgrade, so B is actually a component of A. Also, a company can choose to completely outsource the entire IT department. This has happened before, it’ll undoubtedly happen again—but I’m not a strong proponent of it. Answer D is ridiculous. 7. A. This is a decentralized model. Often models such as these create

lots of trouble because entities don’t communicate very well with one another. In most cases, I’d recommend that units centralize when possible and where it makes sense.


www.sybex.com


179

8. B. The Windows File Protection system prevents the unauthorized

overwriting of critical system DLLs into the WINNT\System32 directory and provides a workaround for software developers who need to be assured that their code is working with a certain version of a system DLL. 9. B. This scenario describes a decentralized environment. I’m not a big

fan of an environment like this, because there’s not much room for collaboration of the teams. Even if there’s a desire to intercommunicate, it’s difficult, and often networks will tend to go off in different directions than the original designers intended. 10. A, B. The main answer is A. Not-for-profit organizations (e.g., the

Red Cross) receive money from benefactors and donors. But it’s possible that an organization might receive some money from the government in the form of a research grant or something similar.


www.sybex.com

CASE STUDY

180

Chapter 4


The State Revenue Agency


Background You work for a state agency that handles a wide variety of civilian needs such as driver’s licenses, motor vehicle registrations, income tax, and liquor licenses—basically, anything that generates income for the state is within your agency’s jurisdiction. You have about a thousand employees, and while you’ve got employees tucked away in little offices all over the state, the majority of your employees are based at two campuses that are just a few miles apart. The two campuses are separated predominantly by the kinds of business activities they’re involved with. One campus is essentially oriented toward taxation, the other toward licensing issues. The agency has one CIO, who has managers under her who work at both campuses. The CIO maintains an office at both campuses. You are the network manager for this agency, and you report directly to the operations manager of the taxation campus. You have several people under you who handle the day-to-day network activities of the taxation campus and some outlying offices. The other campus has its own set of network managers, somewhat autonomous in nature. Unfortunately, your CIO has made the statement that she wants all of the network managers to be involved in a selfdirected work team, which you set up. You are the lead network manager for the entire group.

Current System The licenses campus has a strong Windows NT network and an OS/2-based network made up of highly proprietary gear and software that talks to some county offices. The taxation campus is a straight Windows NT 4 network. Both networks and all outside offices use Exchange server for e-mail. There is a mainframe involved as well, and several of the taxation and licensing systems exist as mainframe systems. Workers access these systems via 3270 terminal emulation software.


www.sybex.com


181

Availability Overview The agency is beholden to many different people and groups. The county offices and their respective county commissioners have great say when something goes wrong, not to mention the governor and the legislature. And how could we forget the oversight committee? The directors of each area of the agency are also powerful, though heavily computerilliterate. All want the system to be readily available 24×7. CIO “I want a dial-tone network. I want people to be surprised when they can’t log on—just like you’re surprised when you pick up the phone and you don’t hear a dial tone.”

Maintainability Overview The caliber of worker that you have on the network team can be challenging. You have some people who are incredibly capable: selfstarters, problem solvers, challengers. Others just want to be out of the office at 4:30, no matter what’s going on. Maintainability of a serious system such as the one you’re planning is going to require some thought and care. CIO “I think it’s to your benefit to try to set up some mini-training sessions for the self-directed work team.” Taxation Operations Manager “There’s not a lot of money for training in the budget.”


www.sybex.com

CASE STUDY

There are about 25 servers in total. The network infrastructure is a switched 10Base-T network and, in terms of throughput, is quite healthy. WAN circuits are redundant and high-speed. The kind of gear that you buy depends on which vendors are on the state award for that year and the brands of gear that they carry. You’ve been fortunate in that every year you’ve been able to purchase Tier 1 vendor equipment for your network. Your budget is an annually retiring budget, meaning that if you have money left over at the end of the year and you don’t spend it, you lose it and you run the risk of having your budget for next year cut.

CASE STUDY

182

Chapter 4


Performance Overview Your biggest concern is the OS/2 proprietary network. Somehow you’ve got to find a workaround to connecting with it. Today the Windows NT 4 network connects just fine, but you wonder about the Windows 2000 network. You’re wondering if there’s a potential upgrade path where you can get rid of the OS/2 segment and get everybody on flat Windows 2000. Licenses Operations Manager “Listen, this system works and works well. I have no intention of upgrading it unless you can give me a very good business reason for doing so.” Taxation Operations Manager “I think we really need to figure out a way that we can get the heck off of OS/2!” CIO “If at all possible, I’d like to see us have one and only one network operating system. Work with the self-directed work team to see if you can accomplish a compromise.”

Envisioned System and Funding Overview You want to upgrade the entire network to Windows 2000. You will not bring the users up on Windows 2000 Professional until the next year or even the following year; they’ll stay on Windows 9x. There are no Windows 3.x or DOS workstations, though there are two OS/2 Warp workstations at the licensing campus. You design a two-year, two-segment rollout. Year 1 will affect the taxation and licenses campuses; Year 2 will upgrade the OS/2 components and outlying offices. The projected first-year segment of the rollout looks like it’ll cost around $500,000. The second year is just a bit less at $450,000. This price includes updating of servers (and workstations where needed), some new network infrastructure components, a consultant to help you with the OS/2 conversion, and the Windows 2000 software and licensing itself. Taxation Operations Manager “OK. Good. This is a lot of money. If it were anybody else but you, I’d say we’ve really got to think about it, but I think you can make this happen.”


www.sybex.com


183

CFO “Cool!”

Questions 1. What is the administration model for the network? A. Co-management B. Decentralized C. Complete trust D. Centralized 2. Look at the chart below. Move the tasks from the right to the left col-

umn into the order that you should begin working on this project. (Note: These tasks are certainly not all-inclusive. In a real deployment you’d have many more tasks than this!) Tasks

Tasks Get buy-in from the self-directed work team on the project Prepare a detailed project plan for both years’ segments identifying project phases, milestones, resources Prepare both years’ budgets Meet with the directors to explain how the project is going to be rolled out Install systems Identify Windows 2000 licensing costs


www.sybex.com

CASE STUDY

CIO “I’m going to have to get buy-in from all the directors of the various departments. I’ll need some time.”

CASE STUDY

184

Chapter 4


Tasks

Tasks Assimilate the self-directed work team into a cohesive body Meet with county commissioners to determine their requirements and needs regarding replacing the OS/2 system Arrange to test your Windows 2000 deployment in a lab Purchase new gear

3. What is the funding model in use at this agency? A. Capitalized budget over several years B. One-time project budget C. Annual budget that expires every year D. Budget that contains a depreciation clause 4. What outsourcing component are you going to use? A. Retain a contractor to help set up the servers B. Retain a budgeting assistance contractor C. Retain a contractor for help with the OS/2 to Windows 2000 con-

version and to find a replace software package for the one currently in existence D. Retain a contractor for help with the project design


www.sybex.com


185

this project’s finalization. In the left column of the chart below, list the steps in the order you should act to assure that your decentralized environment behaves as a centralized one, in spite of your CIO’s insistence that you stay decentralized. Step

Step Formulate a self-directed work team (SDWT) Make sure all computing entities are represented on team (e.g., mainframe, internetworking, etc.) Prepare regular reports to CIO on SDWT status Prepare regular reports to operations managers on SDWT status Set up leadership roles in SDWT Use SDWT to publish the project plans and budgets

6. In terms of the decision making process, who do you think are the

most influential, in terms of their capacity to impact a design-go or a design-stop decision? List them in order in the left column, from the most influential on down. Person or Group

Person or Group Taxation operations manager Licenses operations manager CIO Directors Oversight committee Governor & Legislature County commissioners SDWT


www.sybex.com

CASE STUDY

5. The decentralization of these different network teams is not good for

CASE STUDY ANSWERS

186

Chapter 4


Answers 1. B. You’ve got a classic decentralized model. 2. See chart below.

Tasks Assimilate the self-directed work team into a cohesive body Get buy-in from the self-directed work team on the project Prepare a detailed project plan for both years’ segments identifying project phases, milestones, resources Meet with the directors to explain how the project is going to be rolled out Identify Windows 2000 licensing costs Prepare both years’ budgets Arrange to test your Windows 2000 deployment in a lab Purchase new gear Install systems Meet with county commissioners to determine their requirements and needs regarding replacing the OS/2 system You wouldn’t meet with the county commissioners until Year 2, because you don’t have to worry about the second segment until then. However, it would be to your benefit to prepare the self-directed work team, and the directors, for the eventual replacement. This includes buy-in from the licenses operations manager, who is currently opposed to the idea. The directors are going to be concerned with costs and benefits, and if you meet with them before identifying licensing costs and preparing budgets, they are likely to nix the project. 3. C. You have an annual budget that expires every year. You don’t have

enough money to meet the entire project’s expenses this year, especially in light of all the other projects the taxation operations manager has to fund, so you must break the project out into two years.


www.sybex.com


187

face a disparate NOS situation. You’ve got the licenses operations manager telling you “no, never” on the one hand, and on the other your CIO is saying she wants everything on one system. On top of that, you’re looking at proprietary software you may not be able to upgrade to Windows 2000. This could be a messy part of the project! A contractor who knows something about the software and can suggest replacements that will work with Windows 2000 is in order. 5. See chart below.

Step Formulate a self-directed work team (SDWT) Make sure all computing entities are represented on team (e.g., mainframe, internetworking, etc.) Set up leadership roles in SDWT Use SDWT to publish the project plans and budgets Prepare regular reports to CIO on SDWT status Prepare regular reports to operations managers on SDWT status It’s not necessary to report your findings to the directors or the oversight committee at this time. They need to see progress, and you certainly need to keep them informed, but it’s overkill at this point. 6. See chart below.

Person or Group County commissioners Licenses operations manager CIO Taxation operations manager SDWT Directors Oversight committee Governor & Legislature


www.sybex.com

CASE STUDY ANSWERS

4. C. The biggest hurdle you’ve got to overcome is the one in which you

CASE STUDY ANSWERS

188

Chapter 4


Wrap-up: The part you’re going to have the most trouble with in this project is the decentralization of the network teams. It would be one thing if you were working for a huge conglomerate of a company that had divisions all over the world, but you’re only talking about a thousand users. There is no need for the decentralized environment, except that there is a natural division in processing requirements. Your CIO’s insistence that you go with a self-directed work team only serves to increase the potential for project failure; because you don’t have full buy-in or direction from the CIO, you could potentially have disinterested members of the SDWT, and there isn’t fullfledged support from their managers. So politically, this project is already in trouble. Add to that the county commissioner’s power to simply call the governor and complain whenever they sense that something isn’t going their way, and you’ve got the second segment of this project in real trouble of not being completable. Now for those of you who think I’m solidly against decentralized environments, please trust me that I’m not. In fact, I think there’s an unwritten rule in place that stipulates, “The larger the enterprise, the more decentralized it’s going to be”—sort of an IT law of entropy, if you will. But the point I really strove to make in this chapter is that decentralized environments are much harder to manage, because you have so many political and managerial points to deal with. Also, people being who they are, you’re going to get a hundred opinions about a design you’re trying to accomplish—not to mention that, after the fact, you’ll have lots of Monday morning quarterbacks telling you how you should’ve done it. Design is a hard thing. So, all that being said: if it’s possible to recentralize some of your IT efforts, it’s wise to do so. Obviously, it’d be tough to recentralize GM or Fujitsu, so you have to make your own call. But my experience has shown me that a decentralized environment presents more challenges than centralized IT or management.


www.sybex.com

Chapter

5

Evaluating the Technical Environment MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Evaluate the company’s existing and planned technical environment and goals.

Analyze company size and user and resource distribution.

Assess the available connectivity between the geographic location of work sites and remote sites.

Assess net available bandwidth and latency issues.

Analyze performance, availability, and scalability requirements of services.

Analyze data and system access patterns.

Analyze network roles and responsibilities.

Analyze security considerations.

Design a resource strategy.

Plan for the placement and management of resources.

Plan for growth.

Plan for decentralized resources or centralized resources.


www.sybex.com

S

o far, we have looked at the analysis of the company’s business model and its organizational structure. We’ve also examined factors that influence business strategies, and we’ve discussed the makeup of the IT management structure. You can see how in these first four chapters our scope has been large (company’s overall business model) and we’ve begun to drill down, one step at time, examining the various components of a company’s business until we’ve now reached the internal structure of IT. We’ll take this drilling-down one more level in this chapter and discuss the technical environment you’ll encounter at a company. (Note that one of the subobjectives under “Design a resource strategy”— Plan for growth—is covered elsewhere, in Chapter 7. Also, there is more information on the centralization of resources in Chapter 9.) It’s important to know the technical environment because now we’re beginning to talk about how you’re actually going to get your Windows 2000 rollout to happen. Understanding the nuances of how the technical environment is laid out will help you figure out a game plan for how get a certain step accomplished. We’ve talked a lot about geographically segmented sites and the uniqueness that you find when you try to do enterprise rollouts to sites such as these. This issue is all-important, one that most administrators will deal with. We’ve also briefly touched on the issue of decentralized versus centralized teams and this, too, carries importance in technical areas just as it did in management ones. Now we begin to dive into deeper fundamentals of issues you’ll encounter as you ponder the technical environment.


www.sybex.com

Planning Company Resource Distribution and Management

191


W

hen we talk about a nebulous exam topic like “company resource distribution and management,” we must first ask ourselves what the phrase “company resource” means. Microsoft is pretty good about using the term “resource” in very esoteric ways, so we need to think about and define what are resources in a technical environment. Resources can be divided into six categories:

Servers and associated tie-in gear, such as RAID array controller cards, fax boards, CD-ROM towers, etc.

Routers and associated internetworking gear (CSU/DSUs, for example.)

Network infrastructures, including cable plants, network closets containing the patch panels and switches and hubs, and the actual switches and hubs themselves

Telephony gear not used for internetworking (RAS devices, for example)

Printers and network printing gear (JetDirect cards, etc.), including scanners, plotters, and other miscellaneous peripheral gear used in day-to-day business activities

People

This list is certainly not all-inclusive. You may add other items to this list that I’m not even aware of. For example, if you work for an engineering company, you undoubtedly have tons of test gear sitting around that qualifies as company resources and may very well play into your Windows 2000 design. Suppose a very expensive piece of electrical test gear uses a dedicated server—but you’re dismayed to find that the server cannot be upgraded to Windows 2000 because the company that made the test device wrote the associated server code to Windows NT 4 Server, not Windows 2000. Either they have no plans to upgrade the code to Windows 2000, or they plan to release it much later than you need it. This is part of why we’re so interested in resources and associated resource distribution. It’s not the whole reason, but it’s a big part of it.


www.sybex.com

192

Chapter 5

Evaluating the Technical Environment


Evaluate the company’s existing and planned technical environment and goals.

Analyze company size and user and resource distribution.



Let’s talk about these six categories, one at a time, in terms of how and why they’re resources, where they’re distributed, and how they’ll need to be accounted for in a Windows 2000 rollout. You should plan on drawing up a resources document to represent what you have and where it is.

Servers and Associated Gear You need to document the location of every server within the scope of your Windows 2000 rollout, its function in life, and how it will play into your upgrade plans. Information that you glean about each server should include the current version of Windows NT it’s running (if indeed it’s running NT), the processor, memory, hard drives, fault-tolerance gear, brand of computer, network connectivity, drivers, peripherals, installed software, and users working on it. If a box isn’t running NT (maybe it’s on Windows 3.x, 9x, or Linux), are you going to upgrade it to Windows 2000? It’s very good to have baseline information on each server before you roll out Windows 2000, so that once you upgrade, you can compare the outcome to its previous performance. Figure 5.1 shows what a sample first page of your resources document might look like, capturing this server survey. If the server is acting in an applications server capacity, it might be a good idea to include documentation about major software components in addition to its physical components. For example, if the computer has software such as SMS, SNA Server, Exchange, Oracle, or SQL Server loaded on it, you’d want that on your list as well.


www.sybex.com


FIGURE 5.1

193

Servers and associated tie-in gear, documented in a sample resources document Notes: A-PDC • HP LH4 • 256MB RAM • 3 9.6GB HD • NetRaid controller • 100Base-T … and so on

Atlanta A-BDC1 A-PDC Fax card A-APFS

A-BDC2

Denver D-BDC1 D-PDC

D-APFS D-BDC2

Ask yourself about the mission-criticality of each server. When can you down it for upgrade? What impact will this have on users? What testing and backout plans will you need to formulate? Will peripherals continue to function for you in the Windows 2000 world? Keep in mind that if you don’t go to a completely 100% Windows 2000 environment for your servers, you cannot use the native mode, and you’ll have to work toward that goal. Your goal is native mode for your Active Directory, and that means that all servers (participating in user validation as domain controllers) have to be Windows 2000 servers. The biggest problem you’ll run into here will be finding Windows 2000 device drivers for peripheral gear you’ve got hanging off of the servers or for RAID array adapters that are already in the box. You may wind up having


www.sybex.com

194

Chapter 5


to go to the vendor to get updated Windows 2000 drivers for these devices. The RAID cards aren’t super-critical because they run off of their own BIOS, but managing them with software (such as HP TopTools for HP servers) that worked in Windows NT 4 might not work in a Windows 2000 system.

Routers and Associated Internetworking Gear The biggest challenges that Windows 2000 network planners are going to run into, in terms of working with in-place internetworking gear, fall into two categories:

Replacing older routing equipment with Windows 2000 routers

Using modern routers that are capable of hosting DNS and dynamic host configuration protocol (DHCP)

Figure 5.2 shows you what this part of a sample resources document might look like, illustrating where your routers are. FIGURE 5.2

Routers and associated internetworking gear in a resources document

Notes: Atlanta • Cisco 2500, integrated CSU/DSU Denver • Cisco 2500, integrated CSU/DSU WAN • T1 frame relay, 1.544Mbps

Atlanta Router

Router Denver

You may opt to replace some of your older routing equipment with a Windows 2000 router (that’s precisely one of the topics covered later in this book). Windows NT 4 server was capable of acting as a Routing Information Protocol (RIP) router pretty early on in its release period. Now Windows 2000 routers can use RIP or Interior Gateway Routing Protocol (IGRP), and I see no reason why you would have to replace an older


www.sybex.com


195

hardware router that is slow and inefficient with a new, expensive router when you could simply use Windows 2000 as a router instead. Obviously, in a huge environment where you have thousands of users, you’re going to want to get into the router business (you probably already are). But for the hundreds of smaller enterprises that need routing, the Windows 2000 router is a good solution to an expensive problem. Today’s high-dollar, high-tech routers have the capability of doing DNS and DHCP at the router and switch level, thus relieving servers of this duty. My problem with this isn’t in the DCHP realm; it’s with DNS. Since Windows 2000 uses dynamic DNS—learning about new users as it goes, populating WINS, generating reverse address lookups—you’re going to want a strictly Windows 2000 DNS implementation. And since Windows 2000 DNS can make use of the DHCP addresses that are sent to it by Windows 2000 DHCP server (see Chapter 12 for more info), that means you’ll use Windows 2000 to host DHCP, so internetwork planners should probably not plan for the routers and switches to perform these functions. Again, just as with your servers, you need to document the location, brand, size, and type of routing and internetworking equipment that you have now and are planning for in the future.

Network Infrastructures Another resource at your disposal, one that you may not think of as a resource, is your actual network infrastructure. You need to take a serious look at all network infrastructures on every campus. Diagram where the switch and hub closets are. What is the brand name of the patch panels? Do the closets contain switches, hubs, bridges, or some combination? What is the backbone between closets made of? Figure 5.3 shows how you might depict this in a resources document. Identify the core closets and core switches, then identify your spanning switches. Brand names and model numbers of switches and hubs are necessary, including any updates that have been applied to the firmware. Document all add-on cards in the switches or hubs. I don’t think it’s out of reason to try to estimate the age of each switching or hub device, so you can target replacement for aging devices. As long as you’re budgeting this rollout, you need to budget replacement of networking gear that won’t cooperate with Windows 2000.


www.sybex.com

196

Chapter 5


FIGURE 5.3

The network infrastructures section of a resources document Atlanta

Wiring closets: Atlanta North closet • Apex patch panel, 48 ports • CAT5 backbone with redundant cabling • 3 - 3Com 1000 switches, 3.05.01 firmware … and so on

North

South

Wiring closets

Denver

North

South

East

Got Cat3? It’s probably time to get the wiring dudes in to update any old Cat3 wiring to Cat5, throughout. That means backbone connections and closet-to-user connections. Remember that we’re thinking enterprise now. If you’re going to roll out Windows 2000, the rollout doesn’t just happen at the servers. Windows 2000 is going to use those network infrastructures to get its AD updates, logon validations, application serving, printing, and other functionalities out the door. Your infrastructure’s quality is as important as that of the servers themselves.

Non-Internetworking Telephony Gear You also need to clearly document telephony gear used in the network that will be affected by Windows 2000. I can think of two very specific categories, but you can probably come up with more:

RAS switches that are not servers

IVR servers

See Figure 5.4 for an example of how you draw up this gear in your sample resources document.


www.sybex.com


FIGURE 5.4

197

Telephony gear diagrammed in a resources document Notes: Atlanta RAS Switch • 3Com • 48 ports • Authentication software A-IVR • Edify software • HP LH3 • 256MB RAM • 500Mhz • 3 - 9.6GB drives • NetRaid Denver D-RAS • 8-port Digi asynchronous card • U.S. Robotics Sportster 56K modems • Compaq Proliant 800 • 128MB RAM • 2 - 4.2GB disks … and so on

Atlanta

RAS switch Atlanta PBX

A-IVR

Denver

8-port Digi

D-RAS

Administrators often buy boxes that act as RAS devices; these little things have gotten pretty sophisticated. One such device from 3Com (a leader in this kind of technology) has an onboard Windows NT server, places for several 24-port modem cards, and a router designed for RAS! Suppose you own a box like this? How is that bad boy going to participate in your Windows 2000 design? Also note that some older RAS switch devices had the capability of using an on-board database or, optionally, you could purchase authentication packages for them (including authentication for Windows NT 4). In other words, when you connected, either the RAS switch itself could authenticate you, or it would offload authentication to the DCs in the network. You need to figure out where all of these RAS devices are, what they have on them, what code level they’re at, whether they’re using authentication packages, and what your upgrade path is going to be, if any. You probably use interactive voice response (IVR) technology almost every day. When you call a company and begin to cycle through a series of


www.sybex.com

198

Chapter 5


menus, you’ve contacted an IVR system. It’s big business, and very important for many corporations because their bread and butter lies in how well they communicate with their customers. (OK, some companies haven’t figured this out, but that’s fodder for another book, right?) IVR systems are unique because they talk to the company’s PBX, but they typically run some form of server software as well—often Windows NT Server. Document where these IVR boxes are, what version of server software they’re running, what version of IVR code they have on board, and how they’re going to run in your deployment.

Printers and Network Printing Gear If you have a large enterprise, documenting your printing resources could be a complicated task, but I think it is completely necessary. Figure 5.5 illustrates the printers portion of a sample document. FIGURE 5.5

The printing section of the resources document Atlanta

Notes: Atlanta A-PRT • HP LC3 • 128MB RAM • 2 mirrored 4.5GB A-PrintQ1 • HP 5SI • JetDirect firmware 5.06 … and so on

HPLJ-5SI HPLJ-5SI A-PRT HPLJ-5SI HPLJ-8000

Denver

HPLJ-8000 D-PRT HPLJ-8000

HPLJ-8000


www.sybex.com


199

First, you need to figure out what servers are acting as NT print hosts for your network-connected printers. Some companies have only one or two Windows NT boxes that act as print servers for all of their printers! Next, you need to try to get a handle on where the printers are, what they are, and how they’re connecting. I don’t think you need to include personal printers that are attached to desktops, just network-attached printers. One very good thing that will arise from this work is identifying old and ailing print server boxes or JetDirect cards that need to be updated. You’d probably like to try to figure out what level of firmware your print boxes and cards are at as well so that you know which ones need updating. Cards and boxes that can’t be updated to the latest and greatest firmware, in my opinion, need to be replaced. Figure out whether your printers are using Line Print Daemon (LPD) via TCP/IP or Data Link Control (DLC) to talk to the servers. All of this information needs to be mapped out so that you know what printer talks to what print server using what LPD port and IP number. You also need to document the share names and the permissions associated with each printer share.

People Finally, you need to map out the personnel at each site, their level of responsibility, applications managed, and so forth, as demonstrated in Figure 5.6. Include internetworking personnel, NT server admins, Unix admins, PC techs, and any others that will be affected. Anyone who may come in contact with this Windows 2000 upgrade—not as a user but as a participating technology owner—must be included in the list. It’s up to you to communicate your Windows 2000 plans to the people targeted in this documentation and then keep them updated as you go along. I think a small desktop intranet page or an Exchange distribution list is an excellent way to maintain communications such as these. It’s not difficult to whip up a quick little e-mail for the people who are routinely being hit by the changes, so they know what progress you’ve made. Be prepared for detractors and arguments; Rome wasn’t built in a day, and it wasn’t built without a lot of wars!


www.sybex.com

200

Chapter 5


FIGURE 5.6

People—the final section of the resources document Atlanta

Notes: Atlanta John • NT admin • MCSE • Exchange admin

Maggie John

Maggie • PC Tech Bill

Sue • Telephony/IVR … and so on

Sue

Denver

Mary Dean Wilbur

Note that your resources document might take up many more than six pages or sections—it’s all relative to the size of your network. Do you get a sense that a resources document might be a large undertaking and will take a good chunk of time to complete? Good, you should.

Design Scenario: Generating a Sizable Resource Document You work for a moderate-sized company (12,000 nodes). You’re charged with handling the entire Windows 2000 rollout in a decentralized environment spread out over several geographic locations. You need to build a resources document. Where do you start?


www.sybex.com

Evaluating Centralized Vs. Decentralized Resources

201

You start by contacting the team lead for each site’s NT admin group. You make an appointment with this person and visit (preferably in person but maybe by phone), sharing with them your project charge, and you begin assessing names and technology components for their site. You make several return visits to each site, finding it necessary to physically go to each site in order to get a better feel for how the closets are laid out or what condition the components are in. You are able to begin putting faces with names and job functions as well, so this phase of the rollout has been very beneficial to you. You feel more like you’re working with a team than fighting disparate components of a large company.


S

o, you have all of your resources pinpointed and written down. A very good exercise, don’t you think? Now ask yourself: are your “people” resources centralized or decentralized?




I talked about centralization versus decentralization in Chapter 4, its good features and its bad. Now it’s time to see if you can figure out whether your IT personnel structure qualifies as one or the other type. This may not be so easy. To illustrate, here are some examples—some “mini-case studies”—to help you learn to determine whether you’re looking at a centralized or decentralized IT team.


www.sybex.com

202

Chapter 5


Geographically Dispersed IT Members Susan works for a multinational training company based in San Francisco. She’s not only a Microsoft Certified Trainer (MCT) who does some daytime training work, but she also maintains the company’s widely diversified network. A staffing coordinator named Bob is responsible for Susan and her team members. Bob has other administrators in other cities, fulfilling about the same duties as Susan, but it’s understood that Susan is the team lead over the other members. There’s Jerry in the Seattle office, Norma in Atlanta, Brian in Fort Worth, and Allison in Toronto. Bob is a fairly laissez-faire manager and usually puts the onus of project coordination on Susan’s plate, but occasionally he gives instructions to the other team members directly. This is particularly annoying to Susan when she’s in the office, because she feels like she should be the one to distribute all work. So, what’s the verdict? Centralized or decentralized? If your thoughts center on the geographically diverse aspect of the team makeup, rest assured that geography doesn’t usually determine whether a team is decentralized. That’s not always the case, but centralization versus decentralization has more to do with management’s attitudes (or an excess of managers with decision-making and budgetary power) than the geographic location of the respective members. There are lots of coding teams that are separated by entire continents, who nonetheless get a lot of work done! Bob’s penchant for occasionally giving out work to the other members without alerting Susan might tempt you to think the team is decentralized, but my take on this scenario is that they’re largely centralized.

Help Desk/PC Tech/NT Admins Jeremy works for a medium-sized manufacturing business as a PC technician. Because the nature of the company is manufacturing, Jeremy is all over the place every day looking at computing equipment, repairing as needed. He seldom reports to anyone other than responding to an occasional e-mail from his boss, the technical support manager. Most of Jeremy’s correspondence has to do with keying entries into HEAT, a help-desk/PC technician program that allows you to create a knowledge base of problems you’ve


www.sybex.com


203

encountered. Jeremy almost never talks to the network team—only when they have a question about something he said in a HEAT ticket related to a network problem. The help-desk people seldom interact with either the PC technicians or the network team. They spend their days talking with users on the phone and, in the event they couldn’t solve the problem over the phone, keying in a HEAT ticket for the PC technicians to work. The network team spends its days maintaining the servers, server apps (including HEAT), and network infrastructure, and they hardly ever talk to either the PC technicians or the help-desk personnel. The PC technicians and help-desk personnel report to the technical support manager; the network team reports to the operations manager, the same person who’s responsible for a small team of software developers. Both managers report to the CIO. OK, now then. Is this group centralized or decentralized? I’d say, with the little information presented here, that the team is largely decentralized. There doesn’t seem to be much “ownership” of one another’s jobs and daily activities; it feels like there’s a lot of disinterest on the part of the other teams. This setup doesn’t sound like a centralized environment, where everybody communicates through some common medium. The existence of HEAT might have misled you into thinking that the teams are actually centralized, but I’d submit to you that the only time it acts as a centralizing factor is when it presents a source of contention, pitting one group against another. In my mind, a Windows 2000 rollout would have to first do something about this dichotomy before anyone could progress with the upgrade.

A key point to take into account with help-desk and PC-technician personnel: Are they using a trouble ticket system such as HEAT or Tivoli? How do the field personnel respond to tickets? What changes will have to be made to the system to reflect the new Windows 2000 model?


www.sybex.com

204

Chapter 5


Design Scenario: The IT Support Personnel Mercedes works for a large, geographically diverse company as an NT administration team lead in the central office. There are many sites, with anywhere from a couple of users to more than a thousand. The larger sites have a dedicated NT admin or two all their own. For sites with between two and 20 users and only one server (there are about 30 such sites), the company has opted to have “IT support personnel” (ITSP) “own” several geographically close sites and travel among them. The ITSPs are sort of jacks-of-all-trades (in the sense that they can do a bit with an NT server, though they’ve had no training), but they’re not fully qualified to administer every nuance of the servers, nor are they allowed to configure them. The ITSPs also handle updates to the phone system’s user database, provide help-desk and PC technician support to their offices, and so forth. Mercedes reports to the manager of the Enterprise Server Group (ESG), but the ITSPs report to the manager of the Remote Location IT Group (RLIT). While Mercedes is free to contact the ITSPs and ask them to help her out with things that go on with field servers (for which she is ultimately responsible), she has gotten into trouble for this at times when one or another of the ITSPs did not like the way that she asked for assistance. On the other hand, when the ITSPs ask her for help, she’ll occasionally get a little perturbed because she doesn’t feel like it’s her job. As a contract Windows 2000 network designer, you’ve studied this organizational setup for a while now. You think you’ve come to the realization that this setup doesn’t really fit the description of a centralized group, with one entity reporting to one manager and vice versa. However, it’s also not a decentralized group because the two groups depend on each other a little. Although they occasionally tick each other off with some request, that little bit of evidence alone implies that they’re comfortable working with one another within the confines of a centralized environment. You decide to treat this setup as a hybrid centralized-decentralized environment requiring special care and handling at deployment time.


www.sybex.com

Assessing Network Connectivity

205

Assessing Network Connectivity

These days, of course, the words “network” and “connectivity” can mean many things, and you’ll have to judge their meanings before you can assess the real world behind the words.


Evaluate the company’s existing and planned technical environment and goals. Assess the available connectivity between the geographic location of work sites and remote sites.

This phrase “network connectivity assessments” has three distinct connotations:

You need to assess how disparate networks connect to each other. How do offices in Chicago and Tokyo talk to each other, if at all?

You must determine how telecommuters connect to the network. Do you have RAS servers, VPNs, high-speed telephony interfaces, or some other method of allowing contact with your network?

You must determine how users connect to the network.

The first bullet item is a straightforward one to assess. A simple call to the internetwork WAN people will yield the appropriate information. They can usually tell you the type of WAN connection between buildings, the speed, the carrier that’s providing the connectivity, and any special information you need. In some cases, you might even get read-only status to telnet into the routers. (Not! Just kidding…) But assessing the WAN connectivity is vitally important for those shops that have geographically separate entities that are connected to one another. Two questions would be important to me when assessing WAN connections: If the speed is too slow to support a Windows 2000 upgrade, can I get it upgraded, and if so, how fast? If no connection is present, what’s the possibility of getting them connected soon? You can always use RAS for interconnection in the Windows 2000 network, but a WAN connection is greatly preferred!


www.sybex.com

206

Chapter 5


The second bullet item is probably more difficult to assess, and the second half of this book talks in detail about telecommuters and their special needs. Microsoft has done tremendous work with Windows 2000 to provide enhanced connectivity for telecommuters. Major questions arise when considering RAS, such as whether they’re using NT-based RAS or switch-based RAS—and if switch-based, are they using an authentication package? If VPNs are in use, what is the company’s ISP, and is it a software solution or hardware (such as Cisco VPN switches)? What about allowing DSL or cable modems? Are telecommuters coming in through an ISP (implying that they’re using a VPN) or natively, through duplicate equipment at the company site? Ditto for high-speed lines like ISDN. Finally, an assessment of how users connect to the network is important. First, find out what kinds of clients are connecting. There is a profusion of connectivity options. Users can connect through NetWare or via a Macintosh. The OS makes a difference in the connection client; OS/2 clients have a client that looks (and acts) different than Windows for Workgroups, and Windows 3.x and 9x clients even differ among themselves. Then there’s the protocol issue: what protocol are clients connecting with—and for multiple protocols, which one is at the top of the stack?

Some users don’t really connect to the network. They long ago learned to simply cancel at the standard Domain logon prompt; when it comes time to launch Outlook and connect to their Exchange mailbox, they simply key in their network credentials then. Shares? Well, they don’t use them, except for that Shared folder kept out on the main file-server box, and since Everyone and Guests have change access to that… well, they’re in business for any files they need. Ever run into a user like this?

User Usage Patterns It’s not enough to know what user components are accessing the network. You also need to determine the times of the day that users access the network more heavily and which applications or files garner the most access. This has very practical application to determining how the infrastructure handles things when the network is at critical mass. Knowing usage patterns also allows you to make scalability decisions about servers that are constantly being hit. You can use NT’s performance monitor for a lot of the usage


www.sybex.com

How Do Users Use the Network?

207

tracking you need, and several good, third-party products can help you get more details. Your network manager can sniff the network and give you some concepts about which packets are traversing the LAN at what times. Knowing usage patterns helps you strategically place servers that will handle the most load and beef up infrastructures that are too weak to handle user onslaught.


T

his is a much more interesting question than how users connect to the network. Here you must pause and take a good, long, hard look at how the network is used.



Analyze data and system access patterns.

I’m willing to bet that in some cases you’ll find it utilized in a totally different way than you might have imagined it to be. I can think of at least six separate categories of network utilization that you have to direct your attention toward.

E-mail/Scheduling Services Users use the network for e-mail and calendar-sharing purposes. Generally, in a Windows NT environment, there is at least one Exchange server where Exchange clients inherit the right to use Schedule+, and Outlook users can opt to use Schedule+ or Outlook calendars. Calendars can be shared to schedule meetings, and users can actually view one another’s free and busy times. Exchange services like public folders, custom forms, Outlook Web Access (OWA), and distribution lists are not visited as frequently as they could be.


www.sybex.com

208

Chapter 5


I’ve seen some very cool uses for these things, and it’s a shame when NT administrators fail to leverage the power of Exchange Server and Outlook. Exchange supports a variety of clients, making it an almost universally acceptable tool for the users on your network.

File Server Services File serving is a huge part of any user’s network utilization, even though the user may not realize that he or she is getting files from the network. Many shops provide large RAID arrays with gigs of hard drive space that are made available to users so that they can store all kinds of important documents, which are then subject to routine tape backups. A very famous use for large-capacity network storage is the famous “shared” folder, where everybody in the company is allowed to drop files that they’d like to share with other users. You have to stay on top of global directories like this because the NTFS permissions can be a bear to maintain, especially in large, constantly changing shops. On the other hand, logon scripts make it so easy to connect a big batch of users to one sharepoint that the technique is very frequently used.

It’s possible to mount a Macintosh volume on one of the drives while allowing non-Macs to connect to other drives or other shares. (You can instead use Dave, Macintosh software that allows Macs to connect to individual NT shares that are not in a Mac volume.) It’s even possible to share Mac files from a Mac to a PC or vice versa by putting them on the Mac volume and allowing others to see and copy the files.

Windows 2000 IntelliMirror will allow users to work on network-based copies of their files, then take those with them when they disconnect from the network. When the user reconnects, IntelliMirror kicks in and synchronizes the files worked on in stand-alone mode with the files kept on the server. I predict that IntelliMirror is going to do lots for RAID cabinet sales to network administrators.

Print Server Services Print serving is another widely used feature. You set up one or two NT computers and then just map a bunch of printers, through either LPD or DLC


www.sybex.com


209

connections. (Pick good, quality hardware that’s more than adequately equipped for the job, please, especially when it comes to over-equipping the box with RAM.) Share the printers out, apply appropriate permissions, set the printer settings you’d like, and allow users to map to the printers. The biggest problem with this kind of setup is Windows 9x users, who must have a locally loaded driver for the type of NT-shared printer they’re trying to connect to. NT computers don’t have this problem; they simply download the driver if they don’t have it. There’s been a lot of work done in this area, and it’s one of the more foolproof aspects of NT computing. From a maintenance standpoint, the biggest headache associated with printer shares is when a printer goes down and users have to temporarily point to a different network printer for their printing needs. If they haven’t already been set up for the additional shares, they might not understand how to accomplish this without a visit from a PC tech. You can fix this small problem before it pops up by simply adding a second standby share to the user’s printers folder.

Setting up a single print server for the whole enterprise, though common, creates a single point of failure (SPOF) that you have to overcome. (Larger enterprises might have several print servers, but still markedly few for the number of printers serviced.) The SPOF is: if the one print server augers, everybody in the building is out! You can fix this by having a duplicate box—same name, same IP address, with all of the printer shares previously configured—waiting as a cold standby somewhere, just in the event the main print server goes down. A second potential SPOF would be if your print server only had one hard drive in it without the benefit of RAID 1 or RAID 5 protection.

Application Server Services Users access the network for applications, all kinds of applications. They might be using applications you weren’t even aware were loaded on the network. Some of the kinds of applications that can be used on a network can be described as follows:

Server-based applications such as SQL server or Exchange server, which typically require some kind of user interface or application.

Internet/intranet-based applications requiring only a browser for access to the application. This is called thin-client computing.


www.sybex.com

210

Chapter 5


Terminal applications that need terminal emulation software, which then allows users to access a Windows Terminal Server or Citrix MetaFrame server (or combination of the both). SNA server also requires a client that acts as a front end to an NT computer, which in turn communicates with a mainframe host.

n-tier client/server applications that depend on some sort of user application, which talks to the NT computers that talk to a Unix or mainframe back-end host, sometimes using middleware to do so.

Remote Bootstrap Protocol (BootP) devices that, upon bootup, send out a BootP request looking for a validation server that can supply the credentials (and apps) needed to participate on the network.

TCP/IP Configuration Services You don’t often think of DHCP, DNS, or WINS as applications, but they really are. The user boots up and sends out a DHCP request, a DHCP server answers because it’s running the DHCP application, and the user is equipped with the proper TCP/IP credentials.

Service Requirements

A

solid Windows 2000 design requires the analysis of an existing network and its associated server services, plus forward thinking about the growth of the network and the needs of users as time goes on.



Analyze performance, availability, and scalability requirements of services.

When I talk about server services, I’m typically speaking not of applications running on the network—things like Exchange or SQL Server—but of


www.sybex.com


211

OS-associated services that users use (sometimes unwittingly) on a daily basis: DHCP, DNS, WINS, RRAS, print and file services, and directory services such as AD. When I think of server services, I immediately think about users and their needs relative to these services. So with our design in mind, we must concentrate on the quantity and location of the users in order to make good design decisions about the placement and requirements of the services. There are three coefficients of these services that we’re required to study: performance, availability, and scalability.

Performance There are three places where an administrator can drive off the road when considering service performance: user count, configuration, and under-engineered hardware. You may underestimate the number of users that will be utilizing a service. For example, suppose that you have only two WINS servers in a sixcampus network. You anticipate that most users will cross the wire to obtain name server services from one server that’s faster than another. But lo, your internetworking engineers have the routers set to forward differently than you had anticipated, and your weaker server is getting hit harder. Or, as another example, you might have one print server handling dozens of printers with hundreds of users printing to it. In cases like these, the hardware may not be under-engineered, but the number of users hitting it may make it appear to be. A poorly configured service can cause problems as well. For example, an inadequately configured DHCP scope—one that does not supply additional parameters such as the default gateway, DNS, or primary and secondary WINS servers—can really create havoc on a network. It’s not enough to configure a scope; you must also configure either global or scope properties that accompany the scope. Under-engineered hardware probably accounts for the majority of a network’s woes when it comes to services. I understand that smaller networks need to consolidate their operations onto one or two computers, but why does that computer have to be a garage clone that the administrator built in his basement one evening? When buyers and technical managers who are on strict budgets look at cutting costs with server purchases, then you have trouble. The server farm and its associated trappings are the bread and butter of a


www.sybex.com

212

Chapter 5


corporation’s IT (second only to its people, of course). A file server that has hundreds or thousands of users hitting it for routine files must be engineered to handle the load. That may imply that you equip it with super-fast SCSI hard drives on a RAID controller card, or make sure it has adequate RAM, or whatever. Probably the best way to measure server service performance in Windows 2000 is with the System Monitor, formerly known at Performance Monitor (found in the Performance console in Administrative Tools). There you can set up object counters for just about any service that’s installed on the computer. In fact, often third-party software will also include performance object counters for their software. There are counters for DNS, DHCP, WINS, and other server services. Additionally, monitoring the event logs, particularly the security log, is a good way to audit user traffic on your key file and print servers. By turning on terse auditing (in the Security log of the Event Viewer)—tracking all success and failure audits in addition to normal events and warnings—then watching the average hits a server takes in a day, it won’t take you more than a few days to realize what kind of load a server is under.

Availability In Windows 2000 you can enhance server availability by utilizing a couple of methods, Network Load Balancing—clustering and redundant servers sharing the load. I’ll talk more about clustering in Chapter 9. But the more important, more useful technique—the key to providing availability of services—is to provide redundancy for server services. For example, in Chapter 12 I’ll talk about a DHCP concept called “scope splitting.” The idea is that you take a pool of IP addresses and split it, say 80 percent one way and 20 percent another. The split can take place in two slightly different ways. You can assign the larger portion to the server that’s going to be providing primary DHCP services most of the time to the clients, and set up another DHCP server on the same subnet with the remaining IP addresses. This way, if the main DHCP server croaks, you have a redundancy, a fall-back server that will provide DHCP. Clever, eh? Or, put the smaller part of the scope on a DHCP server on a remote subnet, and the remainder on the local subnet. A DHCP relay agent is then configured on the local scope to forward DHCP requests only after a certain


www.sybex.com


213

number of retries. So, if the local DHCP server is active, clients will lease addresses from it all the time. If the local server goes down, the DHCP relay agent will “hear” multiple requests for IP leases from each client, and will forward those requests to the remote DHCP server. Thus, the 80/20 rule allows for instant failover, without requiring administrative action to activate the fallback machine. How does the telephone company provide 99.9999% dial-tone availability? Heavy-duty redundancy of their switchgear. With all Windows 2000 services, look for ways to provide redundancy to enhance availability. Let’s go back to the print server example. Suppose that you’re happy with one computer doing all print-server work for your network. That’s fine. But what happens if that computer does down? How do you provide print services to your network users while you fix the computer? The answer is, of course, Network Load Balancing, where a failover would take place and a second, equally configured, computer would begin taking print requests in the stead of the failed computer. Tough to set up? Not too much so—it requires a little thought and some testing, but it’s doable. And it will save the day if your print server ever keels over.

Scalability The concept behind scalability is really the notion of over-engineering. You say to yourself, “Hmmm. These users are going to need such-and-such a computer with this much RAM and this CPU speed and these hard drives.” But then, the clever part of you says, “But… I know for a fact that management is re-organizing a department, and if that’s the case, this server will have probably another 20 percent added to its load. Therefore, when I order this computer I will buy this more RAM and two CPUs and more hard drives.” Scalability involves the ability to ramp up hardware as usage increases on a computer. Alternately, scalability also includes providing more than one server for a service. Users coming across a slow WAN link from Atlanta to your office in Boston in order to hit a DNS server might benefit from a second DNS server placed at their office. Maybe when you first set up the Atlanta office, there were only a handful of users there, so they were able to effectively use the DNS server in Boston. But now, with a hundred users and that same slow WAN link, you have a very different scenario. Scalability connotes that the


www.sybex.com

214

Chapter 5


savvy network designer is able to design in “just enough for the current network and a little bit more,” and then provide avenues for scaling up as corporate hotspots build up. Finally—and this is a much more subtle notion—scalability also includes offloading services to other computers. The heart and soul of Windows thinclient computing is built on the Distributed Component Object Model (DCOM, the Microsoft implementation of CORBA). Think of it as “a little bit here, a little bit there.” You spread processes out over many servers in order to accomplish one common good. Heavily in use today, DCOM is powerful when programmed by top-notch coders. DCOM isn’t a scalability option you would pick, but one your server application would pick for you. So, the bottom line is this: How can you adequately plan for the performance, availability, and scalability of your Windows 2000 service components? You need observe and take notes of what you see. Use the event logs, System Monitor, and the command utilities at your disposal (things like PING, NETSTAT, and others) to ascertain how quickly services react to your request. As more and more users come on line and begin to use a service, plan for more computers running the same service so that you can offload the operation of the current server a bit. Proactively upscale the hardware, rather than reactively trying to add hardware to a sick computer. Use fault-tolerance measures, redundancy, Network Load Balancing, and other features to make sure the services are available. And most importantly, think about these services, because they are the most highly used components of your entire network!

How Is the Network Managed?

Again, you may think that network management is a straightforward consideration, but there are more parts to it than you might imagine. Let’s see if we can discover some different concepts around which network management revolves.



Assess net available bandwidth and latency issues.


www.sybex.com


215

Physical Network Management The physical management of the network has to do with the people who sit and watch the status of the network infrastructure. In a switched virtual LAN (VLAN) environment on a large network, this activity can be a fulltime job for one or more people. Using HP OpenView, CA Unicenter, or another network management system (NMS), network managers watch Simple Network Management Protocol (SNMP) traps for specific events on different pieces of network gear. They watch for TCP/IP events such as duplicate named devices and IP numbers, and for devices that fail in their operation. The advent of smart switching and routing has led to a whole new breed of devices that can cleverly report their status to a centralized management station, where people who know what to watch for can make decisions that anticipate network behavior. Another management technique is network sniffing, where somebody can do an actual network protocol capture and make thorough analyses of what’s happening on the network. This kind of activity has frequently saved my bacon. On one occasion, we had an unusual problem with users finding it very slow getting onto the network, even though the network itself was a switched environment. We found, through the (outsourced) aid of a network sniffer, that several Windows 95 boxes were trying to declare themselves as browse masters, and they were attempting to do it with a Vines server, not the NT servers. The Vines server knew nothing about browse-master contests, of course. Turning off the browse-master contests on the boxes was a simple thing, and we were in business. Network managers are typically internetworking experts who know their way thoroughly around OpenView or other NMSs. This is the oh-so-heady stuff of watching SNMP MIBs report a trap to the management station for complete monitoring. It’s knock-down boring but highly critical, especially in a large environment. These people typically report to the network staff, not the Windows 2000 staff. In smaller environments, the network manager may be the same person as the Windows 2000 admin. Internetwork managers also look at the overall latency of the network: the speed with which a packet can travel the network from point A to point B, relative to the expected speed. It’s all about deltas (changes or differences in


www.sybex.com

216

Chapter 5


speed). The slower the packet is traveling, the more that internetwork managers wonder about incorrectly configured routers or VLANs, pointers to invalid VLANs, poor name resolution, cards or switches going bad, even bad wiring. Latency says, “The speed here should theoretically be 0.05s per packet on a network in normal use. I’m really reading 0.08s per packet. The delta-T is 0.03s—where’s the problem?” It’s not normally your job as a network designer or server admin to worry about the latency, but for the test and for your design you should make yourself aware of it. (Interestingly, the word latency comes from a Latin root meaning “to lie hidden.” That’s a great way to think about it in terms of networking—how long will the data stay hidden until we finally get to use it?)

Logical Network Management Another internetworking bailiwick lies in the fascinating, complicated, and highly evolved world of logical network layout—the internal management of VLANs on switches and routers. You can significantly isolate portions of the network that do the most talking to each other, keeping them from other similar network environments, all through the magic of VLANs. Typically, especially in larger networks, the internetworking experts will manage the router and VLAN configurations; the Windows 2000 admin won’t be involved.

Managerial Network Management This is probably the most fascinating aspect of network management, simply because it revolves around how the people are arranged to accomplish solid network management, not how switches and routers are configured.



Analyze network roles and responsibilities.


www.sybex.com


217

There are, as you might imagine, many ways that a manager can set up staff so that the network is competently managed. I’d like to bring one or two of these to the fore, to give you a flavor for what I’m talking about in terms of strategic layout of personnel to produce the most effective network management scenario:

The number-one method is to segment internetworking (router/ switch) people, server people, apps people, PC techs, and help-desk personnel all into different camps. This is a harsh methodology, because one hand does not know what the other is doing. I’d prefer to see more cooperation among these teams, but my experience has been that once you isolate the various elements of network management into these categories, you have specialists who never experience the other components of the network. The only exception to that rule, of course, is the help-desk person who wants to get off the help desk and do PC tech work, or the PC tech who wants to stop troubleshooting computers and move up to working on networks. The Holy Grail seems to be the Cisco certification.

Application admins are often absolutely married to one app. In large companies, specific people handle Exchange server and all of its application nuances. The server admin configured the box, but the app admin manages the app on it.

Another method is to have the server admins also function as server application admins. (This doesn’t include database admins (DBAs), who tend to just work large databases by virtue of the special problems associated with management of those resources.) The help-desk and PC tech people stay where they are, but the server and application admins are one and the same. The guy who configured the Exchange server also installed the app on it and manages the mailboxes.

Yet another paradigm is the jack-of-all-trades manager. This person runs help desk, maintains PCs, configures servers, and installs and supports application software. Typically this is seen in very small (500 nodes or fewer) networks.


www.sybex.com

218

Chapter 5


Finally, we have an unusual combination where the PC techs are the help-desk personnel and vice versa. Can’t figure the problem out over the phone? Personally visit the computer. Note that this person isn’t yet a full-fledged administrator, but is functioning in the dual role of help-desk and PC tech.

When you think of your managerial network management setup, you probably come up with some sort of mixture of these methodologies, but at least you get a feel for what I’m trying to describe: the disparate nature of help-desk work; PC tech work; server, app, and database administration; and internetworking.

Systems Management Server 2 and its Remote Tools allow help-desk personnel to remote into computers and potentially solve problems without having to send a PC technician out to the computer. This is a terrific boon to large, geographically separated environments.

Design Scenario: Unbundling Network Management and Coordinating a Project Plan You work for a medium-sized entertainment organization, about 2,500 users. You have help-desk personnel, PC technicians, internetworking gurus, server admins, and apps admins. There is also a DBA that handles both the SQL Server on NT and Oracle on Unix DBA chores. You are the server systems architect for the company. Your task is to figure out a way to upgrade the network to Windows 2000, including moving all workstations from a combination of Windows 9x and NT Workstation computers to Windows 2000 Professional.


www.sybex.com

Analyzing Network Security Considerations

219

You first must coordinate with the PC technicians to figure out which user machines need to be brought up to correct hardware compatibility list (HCL) standards for Windows 2000 Professional. You set up a project time line for this to happen. You examine the servers in the same way, making sure that the server admins know which servers need to be beefed up or replaced, and you create a project timeline and budget that reflects the necessary hardware upgrades. You then work with the internetworking folks to make sure that the switches and routers are in OK status, and that the TCP/IP structure in place is solid. You coordinate with the app admins on a strategic plan to move toward Exchange 2000 and SQL 2000. You’d like to see SMS come in the door at some point, but you delay that until the following year after rollout of the new network structure. You coordinate your efforts with the DBA so they’re aware of your thoughts and can advise the most strategic movement toward keeping the database apps available. Some terminal apps need to be addressed, because several users are using terminal sessions into the Unix boxes. Finally, you prepare a complete project plan to handle all of the various segments of this undertaking.


N

etwork security has some of its own unique ramifications, some of which are completely beyond the scope of this book (security being a career unto itself) and others of which you can manage in your project plans.



Analyze security considerations.

I can see at least three considerations that you need to take into account when thinking about the security of the network in your rollout: protecting the network from those trying to get in, from employees who have the potential to compromise network security, and from terminated employees who have the ability to harm the network.


www.sybex.com

220

Chapter 5


Protecting the Network from Outside Intruders Firewalls and proxy servers protect networks from outside intruders, but they’re only as good as the people who program them and the network design. For example, suppose that your network team has designed a company Web site that consists of several Web servers sitting on the public side of the firewall (unprotected), and you’ve allowed a hole to be poked through the firewall on a certain port so that transactions can take place between the Web servers and database servers on the private side. This is a very common technique, but there’s a security flaw here—one that’s not trivial. If a hacker can come in from the outside and figure out the IP address of the Web server he’s hitting, and if he can ascertain the port that the Web server’s using, he has essentially all he needs to get inside the corporation and poke around a bit. Don’t think it happens? There are some astonishingly good freeware programs available for downloading that can make life easy for port sniffers. A hacker will often come in from the outside, hit port 25 (the SMTP port) of your e-mail server, and use standard SMTP commands to send e-mail to whomever he desires. Sometimes it’s just a joke; sometimes it’s not funny at all. Suppose, for example, that somebody entered your system this way and e-mailed an assassination threat to the president of the United States. Whose door would the CIA knock on, yours or the hacker’s? Another nifty attack is called the SYN attack. A SYN is a TCP/IP synchronization request sent by a user trying to contact one of your external servers, typically a Web server. The concept here isn’t to hack into your private network, it’s to disrupt you. If someone wrote a program that would send a SYN request to a server, then somehow mask their IP address and re-send the very same SYN, mask their IP again and re-send the SYN again, doing this thousands of times in a few seconds, they could theoretically overload a server that’s trying to acknowledge all of the SYNs. A second disruption attack is a simple ICMP attack (or PING for packet Internet groper), where you simply ping the box millions of times, the result of which is to bring the server to its knees. This was used on Microsoft a couple of years ago, and it did a good job of cratering their servers for a few hours. Today, if you try to ping a Microsoft host, you won’t get a reply. Why? They’re trying to keep out ICMP attacks. The point I’m making here is not about what software to buy (I’m a big proponent of hardware firewalls like the Cisco PIX firewall, with proxy servers behind the hardware) but to be aware that there are many tricks in the kit


www.sybex.com


221

bag of a hacker who really, really wants to get to your servers. Your Windows 2000 design is going to have to include some plan for people like this, whether it’s Windows 2000 native proxy server or a PIX or a combination of both. You must account for the details with your design.

Protecting the Network from Inside Intruders There’s a second, potentially much more dangerous aspect of network security: the kind of damage a user can cause to a network. Some stunts that users pull are really just inconvenient; others are potentially catastrophic. Let me say here that when you consider a Windows 2000 rollout, you need to consider developers as users, not as network people… and power users to boot. I’ll explain why in a moment; I first want to give several illustrations as to what to think about when contemplating this category of network security. A shared drive on a massive RAID array is as common as tomato soup. Every network has a dumping ground where users place their common stuff for other users to be able to see. Two examples of this are Exchange public folders and regular disk shares that are mapped out as \\Server_name\ Shared with the Everyone group having Change permissions. Here’s how your users drive you off into the weeds: If the rights on the shared directory aren’t sufficiently examined, a user with Change permission to absolutely everything can simply drag and drop a critical folder somewhere else in the system with one click of a mouse button and not even know it happened! Then the users who need this share get ticked off looking for it, submit backup-restoration help-desk tickets, and send hate e-mails to you wanting to know how this happened. You wind up looking like Homer Simpson: “Duh, I don’t know. Somebody just dragged it elsewhere.” Not a good scenario. “Everybody and their dog” rights on the Exchange public folders can produce similar uncomfortable circumstances. Now your coders, engineers, and power users present a whole different kind of threat. They’re (usually) smart enough not to drag an entire shared folder to a different spot on the RAID array. But that’s the problem—they’re smart. They can figure out workarounds for situations you’re trying to guard against and really smash your nose into the sidewalk with them. One famous software developer muck-up is to write a bunch of code and then immediately place it onto a production box with no testing. Seldom, if ever, does code work right out of the developer’s mind, so change management rigors need to be implemented to prevent this kind of “development.”


www.sybex.com

222

Chapter 5


The standard procedure is to have a developer work in a development (dev) environment that looks exactly like the production (prod) environment (barring, of course, space issues on dev boxes). When the developer thinks the code is satisfactorily safe to test, he moves it to a test environment that also looks exactly like the prod environment. Testing takes place with live test users, and when everybody’s satisfied that the code works and is bugfree, then it’s OK’ed to be rolled into prod. This is a long process, typically a couple of weeks. You don’t just roll code into a prod environment in a couple of hours. This dev test prod methodology has worked well for mainframes for decades; it’ll work well for you.

I’m talking here about production software, not things like logon scripts and little stuff that doesn’t take long to crank out. Big VBScript, Perl, and Rexx logon scripts need to go through the dev test prod routine just like everything else.

The thing to plan for, relative to a Windows 2000 rollout and internal user security, is to understand who has what rights today and to either mimic those rights on the new system or to crack down even further. I’m a huge believer in providing the fewest rights possible and tweaking up until it’s just enough, as opposed to giving the Everyone group Full Control. Mapping user rights is going to be a huge pain, especially on your Shared directory, but you need to manage those NTFS and share rights proactively during design time. This is one of the places where you can begin immediate implementation without waiting for rollout. Documenting all the users and groups is going to present you a large challenge.

Protecting the Network from Terminated Employees Terminated employees, especially network admins or coders and engineers with tons of rights, need to be observed very closely at termination time. Whether the user is being fired or is quitting, I don’t think it’s good to leave power-user accounts active for their last couple of weeks. You just don’t know what kind of mentality somebody might have, and RAS is a great back door. A power user could be very disgruntled with the company and find a new job. Then, the Saturday before he takes the new job, he just tests his RAS account, and sure enough, it works! He maps to a server admin share, does a quick DEL *.*, and you’re in there for the next 14 hours doing a server and tape restoration.


www.sybex.com


223

A Windows 2000 designer should ask the security person who handles the terminations and how they’re handled. Then, if the answer is “I don’t know, we eventually get around to it,” the designer should insist on either deleting the account or, at a bare minimum, disabling it. And this deleting/disabling activity should happen the day the person is terminated.

Several different companies I’ve known of actually had an HR person watch the person being terminated to make sure he didn’t log on to the network as he was collecting his stuff. At the same time HR was walking the guy out, the network admin was on User Manager for Domains, disabling the account. This stuff sounds like incredible overkill, but it could wind up killing your network if you don’t watch it.

Design Scenario: Protecting the Network You’re in the throes of a Windows 2000 design on your little 200-node network. You’re horrified to find out that your entire company has been sitting out on the Internet, all nice and exposed, without benefit of proxy or firewall for a year or better! You’ve got a standard Class C network number and registered domain with your ISP, and when you ping an internal host from home, you get a reply! You lose sleep at nights when you begin to realize that anyone who wanted to could simply come along and do their hacker thing. You’re shocked that you haven’t been hit by now. It’s time to react. You don’t really have time to wait for the Windows 2000 deployment, do you? It’s serendipitous that you haven’t been hit yet, but it would be stupid to trust your luck even further. So you, knowing nothing about internetworking gear, negotiate with an internetworking consultant and get a hardware firewall put in place between you and the Internet. The only thing you allow into your company are SMTP requests on port 25. You allow all users access to the outside. To them, it looks just like before. Now you can take some time and plan proxy-server integration behind the firewall. This way you can tighten up port-25 hacks and begin to filter user Web requests. You really do need both the firewall and the proxy—one doesn’t do the job of the other—but you’ve bought yourself some time before going forward with the Windows 2000 rollout.


www.sybex.com

224

Chapter 5


Summary

This chapter was a big one, wasn’t it? It’s not much longer than some of the others, but it captured some real meaty detail that you’ll need for your Windows 2000 design. It started by discussing the company’s size and resource distribution and pointed out that the term “resources” means more than just people; it also includes servers, routers, telephony, and printers and associated network peripherals. When talking about resources, we also defined the difference between centralized and decentralized resources. Planning your Windows 2000 network will require that you figure out which are which. Then we discussed various concepts involved in how these resources are placed and how they’re managed—their connectivity. We talked about the various breakups of IT teams, decentralization and centralization of same, and how to manage those components. We also talked about network connectivity, determining speed factors, and making sure you understand the latencies between sites—why they exist and what’s being done about them. This kind of determination allows you to have a feel for the kind of performance you’re going to get out of the network and also for any scalability planning you might like to do. We talked about how users access the network, about the various network roles (not people; people can be replaced but the role stays the same). Finally, we discussed the various security considerations involved in making Windows 2000 decisions.

Key Terms These are the key words or phrases mentioned in this chapter. These terms will help you structure your analysis of company resources. Bootstrap Protocol (BootP) Data Link Control (DLC) ICMP attack interactive voice response (IVR) Interior Gateway Routing Protocol (IGRP) latency Line Print Daemon (LPD) Routing Information Protocol (RIP) Simple Network Management Protocol (SNMP) SYN attack Copyright ©2000 SYBEX , Inc., Alameda, CA

www.sybex.com

Review Questions

225

Review Questions 1. A slow delta-T in throughput of a network packet from point A to

point B indicates what kind of potential problem? A. High latency B. Saturated collision domains C. Router saturation D. No additional VLANs 2. What are some of the resources you’ll have to account for in a Win-

dows 2000 rollout? Choose all that apply. A. Servers B. Mainframes C. Telephony gear D. Routers 3. How can you make select server services highly available? Select the

two best answers. A. RAID card B. Tape backup unit C. Redundant server D. Cluster server 4. You find out from your internetwork manager that you have a T1

frame relay connection between your site in Kansas City and the home office in Chicago. In terms of the technical environment, what does this knowledge globally describe for you? (Choose all that apply.) A. Latency B. Connectivity between geographic locations C. Decentralization of resources D. Available bandwidth


www.sybex.com

226

Chapter 5


5. Which two features would you put on your network if you wanted to

enhance security between your company and the Internet? A. Proxy server(s) B. Layer-3 switches C. Firewall D. Virus scanner 6. Jenny and Joe are NT admins who work in the Honolulu office. Steve

and Sherry work in the Brownsville office. All four people report to the same manager. What sort of resource allocation does this describe? A. Decentralized B. Centralized C. Hybrid centralized/decentralized D. Top-down 7. You have a spoke site in Phoenix that has no server. Users in the Phoe-

nix office log on to a server in Denver over a 56K wire. When they print, they send their print request again to the server in Denver and the job is sent back across the wire to the printer in Phoenix. What two design features does this (poor) model describe? A. Net available bandwidth B. Latency C. Resource distribution D. Security 8. What would be a good method of assessing a Windows 2000 com-

puter’s performance? A. Event Viewer log files B. System Monitor C. PING times D. Network Monitor


www.sybex.com

Review Questions

227

9. You examine the network and find that the biggest periods of usage

for your Oracle database are 8:00 A.M. and 3:00 P.M. What design attribute are you assessing? A. System access patterns B. Network roles C. User access patterns D. Management of resources 10. What is the meaning of the objective, “Design a resource strategy”?

Choose all that apply. A. Figure out what your resources are B. Optimize the placement of your resources C. Assess the need to upgrade any of the resources that are not Win-

dows 2000–compatible D. Assign support personnel to the resources E. None of the above 11. Which two components would you assess for available bandwidth? A. RAS servers B. Internal LAN infrastructure C. VPN connectivity D. WAN links 12. When network designers purchase computing gear that can easily be

upgraded as more users begin to utilize it, what network need is being met? A. Scalability B. Offloading C. Availability D. Performance


www.sybex.com

228

Chapter 5


13. What does the internetwork manager do? (Choose all that apply.) A. Manages the network infrastructure (switches, cabling) B. Manages the routers and WAN links C. Manages the telephone systems D. Manages the IVR servers


www.sybex.com


229

Answers to Review Questions 1. A. Latency is the difference between what’s expected and what’s

observed relative to packet speeds on the network. This is not something the normal Windows 2000 designer will be involved with calculating; it is stuff for internetwork engineers. Latency can be addressed in a variety of ways, and it’s not a showstopper, but the Windows 2000 network designer needs to know it’s out there. 2. A, C, D. A, C, and D are good answers. You’re not likely to get

involved with the mainframe from a resource perspective, though you might work with it in terms of using a host emulation software program or obtaining an LU for a user. For the purposes of a Windows 2000 design, the best three answers are A, C, and D. 3. C, D. You can increase availability by providing redundant equip-

ment or by implementing a cluster server. 4. B, D. For test purposes, you’ve described the connectivity between

two geographic locations. But in technical terms, you’ve also described the available bandwidth, 1.544 megabits/second. 5. A, C. Proxy servers and firewalls protect users from the big bad Inter-

net (and vice versa). Item D is valid—you certainly want virus protection—but it doesn’t enhance security, it protects files. 6. C. From a managerial standpoint, everybody is centralized, but from

a resource standpoint, these people are decentralized. 7. B, C. You’ve deliberately introduced latency into the system with such

a setup. Validating to a spoke server is fine, but hauling print jobs up the wire to Denver for print preparation then dragging the job back down to Phoenix to the printer is a different story. You’ll need to address this problem.


www.sybex.com

230

Chapter 5


8. B. System Monitor, the replacement for the old Window NT 4.0 Per-

formance Monitor, would be the tool of choice to see how a computer is behaving. You have wonderful granularity that you can apply with this tool—all based on the objects and their associated properties that you decide to count. 9. C. You’re assessing user access patterns. When users come in of a

morning, they log on, pull up their e-mail, and so forth. So 8:00 A.M. and right after is a large user-access period when systems are busy. Ditto for closing time, around 3:00 P.M., when users are getting ready to log off for the day and are closing files and checking that e-mail one last time. Can you think of why noon to 1:00 P.M. is a very heavy time as well? 10. A, B, C, D. The test objective “Design a resource strategy” is aimed at

the idea of figuring out what resources you have, where they are, how they’re managed, whether they’re Windows 2000–compatible, and how you’ll change the current configuration to match your new one. 11. B, D. You’ll be assessing the bandwidth of your internal infrastructure

and your WAN links. Since there’s a connection with a private telephone company in the middle when users connect via RAS, you may have little say in their bandwidth. Ditto for VPN connectivity. 12. A. Scalability’s goal is to provide computing equipment and periph-

eral gear that is easily upgraded in order to accommodate an influx of new users utilizing the computer’s services. 13. A, B. The internetworking manager is responsible for all the things

that have to do with the global infrastructure. That would include the routers, switches, WAN links, and cable plant. The internetworking manager would certainly get involved with the telephony people, but telephone system management is a separate management component in most companies.


www.sybex.com

The Large Corporate IT Environment

231


Background You work for a large utility of about 5,000 employees that provides gas and electricity to a large Midwestern city. The company is publicly held and has other locations besides the one that serves the city you live in and its surrounding community. The utility has subsidiaries that perform natural gas storage, appliance repair, and research into renewable energies; these subsidiaries are cowboy outfits that don’t feel much need to be subservient to the parent company. Your task is to design and implement a Windows 2000 deployment.

Current System The company’s IT unit is broken up into quite distinct groups. A mainframe coding and maintenance organization has coders spread out over several different buildings; the thinking is that if the coders are placed where the users need them, their response times will be faster. A network group handles all of the building infrastructures but not the internetwork structure (WAN links & routers); this group, comprising six people, is centrally located. The internetworking group of three technical persons is based in the same building as the network team. The help-desk and PC technicians are scattered about the various buildings you have throughout the metro area. The helpdesk ticket management product in use is HEAT, and all techs—network, internetwork, PC technicians, help-desk, or server admins—use the ticket system. All groups report to different managers, and the management of the various groups could potentially differ by geographic region. Some groups don’t know the people who are members of others; there is little dialog between groups. While you don’t have problems with things like multinational links, you do have lots of small buildings that house dissimilar parts of the utility, zoned by geographic designation. The company is broken out into four large segments (northwest, northeast, southeast, and southwest), following logical geographic separations in the contour of the city. Some large facilities in each


www.sybex.com

CASE STUDY


CASE STUDY

232

Chapter 5


of these segments house a few hundred users apiece. In addition, many smaller facilities run the gamut as far as user population. The majority of the users are on Windows 95 running on standard Pentium computers, hooked to the Ethernet network and logging onto Windows NT. Lots of users access the mainframe with a 3270 host emulation program. The company has a wide variety of engineers spread out across the city and outlying areas. These engineers predominantly use Solaris work– stations or Windows NT Workstation as their computing environment of choice. You have several Exchange servers and have exploited them heavily with custom forms and public folders. There are pockets of customized and off-the-shelf apps running in various areas all over the company. As near as you can discern, there isn’t a lot of thought or attention paid to the apps scenario; there is no centralization of apps management or knowledge. The technical environment is complicated and decentralized, one that will require pulling together widespread system resources and fixing the problem of lack of communications lines among the people resources. Your assessment is that the majority of your Windows 2000 rollout problems and issues will fall along these lines.

Envisioned System Overview Your boss is the supervisor over the architect team. There are three people on the team: yourself as the network architect, an internetwork architect, and a server architect. You present your concerns and plans to your supervisor. Your Supervisor “The plan looks good. I agree with you that we’ve got a problem on our hands with the decentralized atmosphere around here. I want you to work closely with the field office IT reps and the network and internetwork teams in coordinating this effort. Try to figure out what apps there are, so that we don’t kill them as we deploy. You’re the deployment manager as of today.” Network Team Members “We’re completely behind the idea. As you know, we’ve recently upgraded the network to support 100Base-T to each desktop and gigabit on the backbone.” Internetwork Team Members “From a bandwidth and latency standpoint, you have no issues. All WAN circuits, with the exception of the link


www.sybex.com


233

Server Admins “The Solaris boxes are doing DNS right now. We understand your need to go to Windows 2000 dynamic DNS, but that will take some coordination with the engineers because they have lots of field gear with static entries coded into it. As far as the apps go, we’ve put together some spreadsheets and Visio documents that may help you figure out what’s going on in specific areas, but nobody really has the full scoop on all of the apps.”

Performance Overview Your biggest concern is the applications that the users use and their safe integration into the Windows 2000 environment. Server Admins “The majority of the apps are well behaved and don’t require special Windows NT drivers. It’s probably a good idea to do some checking with the manufacturers of the apps, but we’re pretty confident that most apps will play nicely with Windows 2000.”

Questions 1. What are this deployment’s chief business problems? Choose two. A. Decentralized environment B. Apps C. Geographic disparity D. Lack of cooperation 2. Group the tasks on the right into the deployment topics on the left,

corresponding to the type of tasks you’ll need to go through to finalize deployment. Not all the suggested tasks will be used. Deployment Categories

Tasks

Applications Issues

In lab, test migration of app to Windows 2000 server


www.sybex.com

CASE STUDY

to two of the control stations, are T1 frame relay. The control stations only need 128K since there is hardly ever anyone there.”

CASE STUDY

234

Chapter 5


Name Resolution Issues

Get rid of coaxial DLC connections to mainframe

Mainframe Issues

Identify Windows 2000 DNS servers Identify all apps Meet with engineers to discuss DNS migration Identify app servers Ask coding team to check for problems with custom app migration to Windows 2000 Confirm that the 3270 emulator is Windows 2000–compliant Identify app stakeholders Verify Windows 2000 conformity with app vendors Coordinate with Unix server admins to move DNS from Unix to NT, if possible Test dynamic DNS implementation in lab Identify whether 3270e is on the mainframe Identify app stakeholders

.

Set up a Unix box as a secondary zone Investigate what’s needed for WINS for backward compatibility


www.sybex.com


235

Identify app functionality 3. What will be the biggest issue with the Windows 2000 rollout if not all

of the apps can migrate? A. Have to stop the entire project till the problem is rectified B. Apps residing on non-DC boxes can continue to live there just fine

and not hinder Windows 2000 native mode C. Apps must be upgraded D. Stick with standard non-native mode until all apps are replaced 4. What will happen if you can’t move the network to dynamic DNS for

some reason? A. Nothing B. Big problems—AD needs to use dynamic DNS C. Try to use Unix as best as you can D. Don’t need DNS in the Windows 2000 environment anyway


www.sybex.com

CASE STUDY

Up-version Unix version of BIND if Windows 2000 DNS move not possible

CASE STUDY ANSWERS

236

Chapter 5


Answers 1. A, B. The foremost issue you face here is the decentralization issue and

making sure everybody’s on the same page. After that, you’ve got to take a serious look at the apps. 2. See chart below.

Deployment Steps Applications Issues Identify all apps Verify Windows 2000 conformity with app vendors Identify app servers Identify app stakeholders Identify app functionality Ask coding team to check for problems with custom app migration to Windows 2000 In lab, test migration of app to Windows 2000 server Identify app servers Name Resolution Issues Meet with engineers to discuss DNS migration Identify Windows 2000 DNS servers Coordinate with Unix server admins to move DNS from Unix to NT, if possible Test dynamic DNS implementation in lab Investigate what’s needed for WINS backward compatibility Up-version Unix version of BIND if Windows 2000 DNS move not possible


www.sybex.com


237

Mainframe Issues Get rid of coaxial DLC connections to mainframe Identify whether 3270e is on the mainframe Confirm that the 3270 emulator is Windows 2000–compliant 3. B. Apps that reside on non-DC computers can stay there and run in

the Windows NT 4 environment just fine. You’re not going to hurt the global catalog by having Windows NT 4 boxes out in the world. That way, you can take your time and upgrade accordingly. Apps on DCs are not a good idea anyway, but also they’ll be a showstopper in terms of your rollout if they can’t get along with Windows 2000. 4. B. Since Windows 2000 is a domain-based system (not Windows NT

domain, TCP/IP domain) using X.500 standards, it’s radically important that you use dynamic DNS. This part of the project could be sticky, because you’ve got to move the DNS from Unix to NT, but it has to be done before project completion. Wrap-up: There are three distinct problem components to this deployment. First, the apps thing is huge! You or somebody in the IT area has to know what the apps are. You have to be able to ascertain how they’ll play with Windows 2000 and, if not, make sure they’re placed on a server that won’t require the upgrade for a while. The DNS thing could get blown out of shape, especially from a political perspective, but if it’s handled correctly, everything should be OK. The decentralization problem means that you personally are going to have to work your tail off to make sure communications are thoroughly maintained. It’ll be very easy to let a ball drop, communicationwise, in a deployment like this.


www.sybex.com

CASE STUDY ANSWERS

Deployment Steps

Chapter

6

Anticipating the Impact of Infrastructure Design MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Analyze the impact of infrastructure design on the existing and planned technical environment.

Assess current applications.

Analyze network infrastructure, protocols, and hosts.

Evaluate network services.

Analyze TCP/IP infrastructure.

Assess current hardware.

Identify existing and planned upgrades and rollouts.

Analyze technical support structure.

Analyze existing and planned network and systems management.


www.sybex.com

T

he previous chapter went into detail about the technical environment, its makeup, the roles that make up the network’s operation, and how the network management team is spread out. Now we go a little further down that road and begin to discuss the nitty-gritty details of the enterprise. We start out by talking about the applications that are on the network (a very important, often under-noticed, subject). We then look at the network services and the existing TCP/IP infrastructure. We also examine current hardware situations, with an eye toward what we need to do to fix weaknesses. We need to identify any planned rollouts or upgrades, analyze the support structure, and describe the layout of network and systems management facilities. This is another busy chapter—that very much rides the coattails of the previous one—and one that’s highly important for Windows 2000 rollout considerations.

Defining Your Enterprise Network Applications

W

e begin with a discussion of what applications are on your network and how to sort them into distinct cubbyholes that match functional profiles.


Analyze the impact of infrastructure design on the existing and planned technical environment.

Assess current applications.

There are two separate distinctions we need to make here: the app’s scope—whether it is enterprise or workgroup—and, regardless of scope, whether the app is client/server or Web-based. Copyright ©2000 SYBEX , Inc., Alameda, CA

www.sybex.com


241

Enterprise or Workgroup Scope? Network applications can be split into two different varieties: enterprise and local. This is a loose definition, but one that I think you can safely use in your network examinations. An enterprise application is one that is used daily by a lot of people. Exchange is an enterprise application, but that’s an obvious one. Can you think of other applications that are enterprise in scope, but don’t have the Microsoft seal on them? How about a front-end client that talks to Oracle databases? Often, shops have customized an application that lives on the client’s desktop and maintains connectivity either with the enterprise databases or with middleware that, in turn, talks to the databases. The scope of these kinds of applications is usually large, and I’d say that they’re generally enterprise-class apps, based on the app’s volume of use. Let’s try another one. How about Internet Explorer? Is that an enterprise application? I’d say no; it only brings Web pages back to the local user and doesn’t further the corporate good globally. An intranet app that lives on a Web server and is used with IE is a different story. The number of users and daily volume of use could be vast. Think of enterprise applications as those that have a mission-critical status, are being used by large numbers of people, and are in use almost all of the time during working hours. Workgroup apps live on a server and serve a purpose specifically for one group of people. Financials are probably the most common of several good examples. Not everybody in the company needs to use server-based financial software—typically, only the accountants and payroll people. Nevertheless, the software is large and expensive, requires tons of training for the admins and end users, and needs a lot of care and feeding. Often a client-based GUI has to be installed and periodically upgraded. I’ve seen financial software that bundles extra features into Excel; the accountants and finance people then work with spreadsheets, coupled with the added financials package features. Another good example might be Visual SourceSafe (VSS) for coders. Few people in the company need VSS, but the software lives on a server and requires a lot of admin maintenance. How about engineering or statistical apps that supply important information to an entire group of engineers? Or legal software on CD that provides case information to lawyers? The list goes on, but the scope of these apps is not enterprise; they’re local in nature and shouldn’t be considered enterprise software.


www.sybex.com

242

Chapter 6

Anticipating the Impact of Infrastructure Design

“Enterprise” can be defined many different ways, not just in number or scope of users. Besides the “volume of use” or “corporate good” definitions here, you could decide that the difference between enterprise and workgroup apps is determined by whether the app serves the whole company (enterprise) or a specific sub-group of the company (workgroup). Mission-criticality could be your criterion for “enterpriseness.” Even Microsoft uses the term loosely!

Client/Server or Web-Based? A second distinction, independent of the scope of the app, is the way that the app is distributed across the environment. Do you have a client/server app or a Web-based app? Let us start by differentiating the various client/server iterations, so you can get a feel for how very complicated an apps disbursement can be. 2-Tier Client/Server We start with 2-tier client/server, which typically means that a client software piece is installed on several computers and then this client component talks to the server. A database is usually involved. Exchange Server is a good example of 2-tier client/server. It includes a set of centralized databases (that are replicated to other servers, but that’s a different story) and a client such as Exchange client, the Outlook client, or Outlook Web Access (OWA). Clients can be home-grown with tools such as PowerBuilder or Visual Basic, or they can come with the application (as in the case of Exchange Server). Figure 6.1 illustrates a typical 2-tier client/server model. FIGURE 6.1

A 2-tier client/server model

Client

Server

The client may have some serious client-side “brains” and help offload the server from part of its work. Maybe the client requests a rowset from a SQL server, then brings the result set back and performs some modeling on it. Other clients are only moderately smart, while some are completely stupid.


www.sybex.com


243

3-Tier Client/Server Suppose that you have a database living on a Unix server, and you want to get at it with your Windows NT Workstation client. How can you do that? A third piece called middleware is introduced into this client/server picture; middleware in a predominantly Windows environment usually resides on an NT computer. The user makes a request to the middleware box, which in turn passes the request on to the Unix host and then sends the result set back to the user. Thus, there are three components and a 3-tier client/server model, as illustrated in Figure 6.2. You don’t always have a client talking to NT middleware that then talks to Unix. You might find hundreds of different variations on a theme, but the point is that there are three players in the application system. The client component that the user uses can be home-grown (with Visual Basic, PowerBuilder, Oracle tools, Delphi, and others) or a client that actually comes with the application. FIGURE 6.2

A 3-tier client/server model

Client

Server 1 Middleware

Three-tier client/server implies that there is some sort of pre-processing, if you will, going on at Server 1. The client requests a recordset from the database server. The request is passed to Server 1, where the middleware formulates a request and passes it to Server 2. Server 2 gets the appropriate result set, passes it back to Server 1, and Server 1 then in turn passes it to the client. There are bandwidth and coding concerns involved in 3-tier systems that can be more serious than with 2-tier ones.

Server 2 Database

n-Tier Client/Server The phrase n-tier client/server is given to systems, like the one shown in Figure 6.3, with much more complicated levels than standard 2-tier or 3-tier systems. Suppose an interactive voice response (IVR) system comprises a 24-port T1 telephony card, a database repository on an NT server, a Unix flat file that is periodically downloaded to the database, and a client component that communicates with the system.


www.sybex.com

244

Chapter 6


Here you have deeper “granularity” than a simple 2-tier or 3-tier system; in fact, you could theoretically have a system that went many levels deep. This is why we say n-tier, because the design dictates how many tiers deep we go. Databases that replicate and consolidate with other databases might also qualify as n-tier systems. N-tier systems are highly complicated and require careful attention by server and application admins and DBAs. FIGURE 6.3

An n-tier client/server model

Client

Server 1 Middleware

Server 3 Database

n-tier client/server computing has n levels of complexity associated with it. In this example, the client requests a recordset from the servers. Server 1 passes the request to Server 2 and Server 3, because the recordset requested is obtained from two different tables living in two separate databases on two different servers. Server 2 also has to provide an image, so it makes a request for the image from Server 4. The entire result set is then sent back to the client. This could potentially be quite a bandwidth- and processing-intensive scenario, as you might imagine.

Server 2 Database

Server 4 Images database

Thin-Client/Server Thin-client computing is truly client/server computing, called “thin” because very little processing goes on at the client level (and much at the server). Thin clients access server applications via a Web browser, the best example being access to an Exchange server for e-mail. When you access an Exchange server via OWA, you’re accessing a database and using a browser to read it. You’re not truly out on the Internet


www.sybex.com


245

or even the intranet; you’re using the browser software’s limited skill for a different purpose. Relying on the power of the server is what a thin client is all about. A thin-client/server system looks just like Figure 6.2, but instead of a GUI-based client you’d hit the app with a browser.

You can purchase “thin-client computers,” pizza-box-sized computers that don’t have a hard drive but do have RAM, a CPU, and the ability to boot the network via BootP (or, alternately, PXE in the Windows 2000 world). These computers are touted as low cost, and users can’t corrupt them by installing files that shouldn’t be there. My experience has been that the cost of thinclient computers is prohibitively high.

Web-Based Web-based apps also rely on a browser, but their functionality rises entirely from coding paradigms that center around the Web, things like ASP, HTML, XML, Java, and VBScript. When you use a browser to access an intranet app that talks to a database, you’re using 3-tier client/server (because your browser request a row from a database and the Web app on the server carries out the request and brings back the result set), but you’re working in a strictly Web-based environment.

What About the Clients? When dealing with client/server apps, there are two questions that the Windows 2000 network designers need to keep in mind. The first question is, what client are the users using? Is it a home-grown app that was coded using software like Delphi, VB, or PowerBuilder, or was it developed with something else? Home-grown client components can be scary from a design perspective, because you don’t know whether the client will continue to cooperate in the upgraded environment. If the programming staff in your client/server shop has developed some custom front-ends, it’s a really good idea to test the client accessing the databases on a Windows 2000 server to ensure things will continue normally. I’d also test the client on a Windows 2000 Professional workstation, just to make sure that it can play in that sandbox as the time arrives to upgrade the user machines. With off-the-shelf client software, you have a little bit better opportunity to find out what sorts of compatibility issues you’ll run into. The company that wrote the software should be able to give you a good idea of the client


www.sybex.com

246

Chapter 6


component’s capability of working with Windows 2000, and I’d definitely check this out before the project went too far. The second question is whether the server software itself will behave in the Windows 2000 environment. Some cases may be a slam-dunk; others may be complicated. Suppose, for example, that you have some middleware that you need to use to talk to a Unix database. It works just fine on NT, but when you port it to Windows 2000 for testing, it breaks. What’s the deal? This could be a very long, arduous, tricky road. What about Microsoft SQL Server 7? If you’re using it for you current databases, will you run into difficulties if you migrate the databases to a Windows 2000 box? Presumably you won’t, but it’s worth testing anyway.

BackOffice and Off-the-Shelf Server Applications Some apps are designed to run in a heavy enterprise environment. All of the Microsoft BackOffice suite is, of course, built that way. But there are many other server software programs that reside on NT boxes and provide large user support for a specific function. It’s important to identify these apps and then check with the vendor to make sure they’re going to be able to keep up with the Windows 2000 environment. Test these apps before things get too far down the road, just to make sure everything will work. What’s my point here? When working out your Windows 2000 design on paper, part of the activity that you’ll perform—a big part—is describing all of the different apps that are installed on servers throughout your enterprise. You need to determine type and scope of each app, its use in the company, and whether it’s going to cooperate with Windows 2000. You’ll probably need to do some testing on the app in a Windows 2000 environment (something that might be much harder to set up than you first imagine) to make sure it’s going to be OK with the change. One last component of this kind of thinking has to do with parallel processing. It’s practically—if not completely—impossible for you to have a small body of users hitting one production database that’s in the Windows 2000 environment and have another body hitting a copy of the same database in NT. You’re asking for trouble if you consider allowing parallel user processing and somehow consolidating the databases after they’ve gone home or even after you finish a piecemeal upgrade. I’ve heard of it being done, but I personally think you’re safer just planning a cut-over date when the old application or database is locked out from users and the new one goes live. This, of course, is after you’ve thoroughly tested it to make sure it’s going to behave in the Windows 2000 world.


www.sybex.com

Evaluating the Current Network Environment

247


I talked a lot about evaluating your network in the previous chapter, but now I’m going to do a finer analysis. If you’re not the internetworking and/or infrastructure keeper of the knowledge, that person’s going to have to be available when you begin this undertaking.



Analyze network infrastructure, protocols, and hosts.

There are three separate issues we concern ourselves with here: infrastructure, protocols, and hosts.

Infrastructure The infrastructure is the way that the various buildings your company occupies are wired, the health of the various switch closets, the backbone that connects the switch closets, and the switches, hubs, and routers that build the switching matrix of each building. When designing Windows 2000 for your company, select a building for examination. Take a walk through the building, getting a feel for where the wiring closets are and how they’re wired. Are the patch panels old? What about the terminations into those patch panels? I once worked for a small company where the terminations in the patch panel were extremely poor and caused us a lot of intercommunication trouble between clients and servers. How about the connectivity between the switch closets? Is it fiber optic or copper? Cat3 or Cat5? Are you running a totally switched environment—one where you have no hubs whatsoever in any part of the building—or do you still have some hubs you have to replace? (Worse, are you still completely on hubs?) How about your switch layout? Do you have one or two core switches that the closet switches hook into, or is everything running off of closet switches? Figure 6.4 shows three wiring closets, two of which are “user closets”—that is, users connect from their office to the switches in the closet. Data travels the backbone to the core switch and thence to the servers.


www.sybex.com

248

Chapter 6


FIGURE 6.4

A typical network infrastructure model Client

Client

Fiber optic backbone

Patch panels

Closet switches

Core switch

Server

What Comes out of the Closet? Closet switches usually have a high number of ports. Users connect to the ports on the closet switches via a jumper cable that runs from the patch panel node corresponding to the user’s wall plate to a port on the closet switch. The closet switches have one (or more) cables that connect to special ports on the patch panel. The patch panels connect to one another via Ethernet or fiber optic cable. You can have redundant runs of either. The core switch has one (or more) connections going into the patch panel as well. Servers often hook to a port on the core switch for higher speed. Cat5 wiring throughout is required for 100Base-T or 1000Base-T (gigabit) speeds. Fiber optic is a much better choice for backbone connections. In gigabit backbone environments, servers can feasibly connect to the core switches via gigabit network cards.


www.sybex.com


249

Older networks that started out as Cat3 and have steadily gone through wiring upgrades to Cat5 are the ones that you should worry the most about, in terms of assuring yourself that the network is healthy and happy. For a client computer to obtain satisfactory 100Base-T service to the desktop, the connecting cable from the NIC to the computer has to be Cat5, the wiring from the jack in the user’s office to the patch panel has to be Cat5, and the patch cable from the patch panel to the switch has to be Cat5. All of the planets have to align. It’s scary to think about older buildings that have a bizarre mixture of dark coax, in-use Cat3, and some Cat5. The whole wiring plant has to be up on Cat5 for 100Base-T or Gig. You can get switches to talk to each other via either Cat5 or fiber optic cabling, but I greatly prefer fiber optic and here’s why. You must have special cards in each of the switches to accept a fiber input (there are two different types of fiber connectors—type SC and type ST) and they’re more expensive, but when the company you hire runs the fiber, they add extra pairs within the cable so that you have a fall-back in the event that the pair you’re on fails. That’s good fault tolerance, and I like it better than having a dark, spare Ethernet cable running through the ceiling. It’s very plug-andplay, because your fiber optic installer will terminate the other fiber pairs in the fiber patch panel, and picking up the entire network is as easy as swinging the connectors from the dead patch panel terminator to the spare on both sides of the house. Very cool, from a fault-tolerance perspective. If you have switches that support multiple fiber connections, you could even run a redundant link across the backbone and protect yourself from any downtime whatsoever (provided both cables don’t fail at once). Infrastructures are complicated little beasts. You have to watch the connections at the patch panel terminators to make sure they’re professionally installed. You want to run plenum Cat5 through ceilings, and it should be solid, not stranded, wire. Don’t run the wire parallel to any lights or up chases with phone lines (crosstalk occurs in both cases), only across lights. The jumper cables and user connection cables should be stranded, not solid (this keeps them from slipping out of the RJ-45 jack easily). You should always outsource your fiber optic cable installations, and I would certainly recommend that you outsource all cable installations. Your cable plant is your lifeblood, so have an expert build it. The switches you pick need to come from reputable vendors and should be periodically replaced with newer technology. Just like computers, your switch gear needs to be on a three-year replacement plan.


www.sybex.com

250

Chapter 6


Why switches instead of hubs? Because hubs are dumb, passive devices that simply relay packets. They have no intelligence whatsoever. Switches have a CPU in them that manages the bandwidth, and they’re a godsend for networks. They’re an order of magnitude more expensive than hubs, but they’re worth every penny. Generally, you price switches by the port cost. You add up your users, servers, printers, and other peripherals, and that’s how many ports you need (called port density). Then you buy enough switches to add more ports than currently needed (for growth). Today you can get well below $99/port on switches—the market is absolutely saturated with good quality switch vendors. Just like servers, you don’t want to go with clone switches; go with tier 1 vendors (3Com, Intel, Cisco, etc.). Routers are an entire science unto themselves. Would you like chassisbased or stand-alone? Do you need to do wire-speed routing (on a layer 3 card in a switch chassis), or are you happy with standard 10Base-T throughput? What vendor should you use? What WAN protocols does the thing need to know? What LAN protocols should it pass? The list goes on and on. Are you a CCNA or CCIE? No? You might want to consider outsourcing your router purchase, configuration, and maintenance. Keep in mind that contractors offering router configuration services might not be much further ahead of the curve technically than you are, so shop around for somebody who you hear has solid credentials. While we’re on the subject of infrastructure hardware, I’d like to recommend that you consider hardware-based firewalls. The Cisco PIX firewall is a great example and is in use all over the world. Wire-speed firewalls give you the comfort of firmware-based protection, knowing that you won’t have a Dr. Watson or some other problem. Certainly, hardware breaks, but hardware firewalls are eminently more un-crackable and faster than software.

Pay attention to your infrastructure (the cable plant, switches, routers, and patch panels), and it’ll take care of you. Go bottom dollar, and you’ll rue the day you put the cheap gear in production.

What About ATM? Asynchronous transfer mode (ATM) networks are still hot, hot, hot. They’re especially hot with ISPs. You typically begin your connection speed on ATM networks at OC-3 (Optical Carrier level 3) running at 155 megabits per second (Mbps). This is much faster than regular 100Base-T. Then, if you’ve


www.sybex.com


251

selected the right gear, you can simply pop a card into the chassis at slow network time and bump the speed to OC-12: 622Mbps! The big carriers (Qwest, AT&T, U.S. West, Sprint, MCI, and others) all have ATM clouds that your data rides as it goes from one place to another. So, the question is, should you consider ATM? Answer: probably not. The technology is great for huge, megalopolis enterprises that require oodles of bandwidth and the ability to forklift the speed by an order of magnitude overnight. But ATM is incredibly complicated, the gear is expensive… in short, you just don’t need it. Go gigabit with your infrastructure.

Protocols There are two kinds of protocols: LAN protocols (those in use on the network itself) and WAN protocols (those used by the routers and frame relay gear to get your packets to outlying destinations). By and large, you probably won’t mess around too much with the WAN protocols. Routers make conversion of almost any LAN protocol into packets that the WAN can understand very seamless, so you don’t have many concerns there. One thing you will have to consider are networks with older protocols still hanging around. For example, suppose you had a Banyan Vines deployment at one time, and you’ve still got a couple of legacy Vines boxes being used by outlying employees. But you want to upgrade the router. Guess what? Either you will not be able to host the Vines protocol over the new router, or you’ll have to pay some hefty cash to have support for Vines included. And that includes Vines TCP/IP, a proprietary TCP/IP implementation that works only with Vines and that routers still don’t understand without add-on software. So you either stick with the old stodgy 10Base-T router, or you figure out a way to bag the Vines servers once and for all. It’s a tough call that network designers have to make and develop a project plan for. But what about LAN protocols? Now that you’re in the thick of planning a Windows 2000 rollout, the best advice I can give you is to migrate toward a straight TCP/IP environment. There are very few protocols that Windows 2000 supports natively; it can deal with many legacy protocols, each of which requires a driver provided by the company requiring the protocol. Vines is one famous legacy example: Windows 2000 does not provide native support for Vines, but if Vines were to provide Windows 2000 support then you


www.sybex.com

252

Chapter 6


wouldn’t have a problem. The implication isn’t that Windows 2000 will only support a handful of protocols; rather that a handful of protocols are the ones that occupy the vast majority of the computing world. Exotic protocols require third-party support. You might be able to hook up with your vendor for protocols that are specific to legacy apps or peripherals, but my question would be why would you do that, especially if the app could also use TCP/ IP? Of course, some legacy apps have to stay around—some forever. That’s life, but all in all, now is the time to jettison all unsupported protocols and go with a flat TCP/IP stack on your network. It’s up to you to ascertain what protocols are on the LAN side of the house and make plans to get rid of unsupported protocols. This may involve a server-to-server visit, just to find out what’s on each computer and thus what’s running on the LAN. The following sections break down some supported Windows 2000 protocols.

LAN Protocols NetBEUI is still supported, but why do you want that old thing? Sure, it was fast, but it wasn’t routable. I’ve seen administrators cheat client computers into talking to a server by loading NetBEUI and using the protocol on the client and the server in order to initiate a dialogue. But doesn’t that really indicate either your lack of understanding of TCP/IP or a larger problem that needs addressing (because for some reason you couldn’t connect using TCP/ IP)? I would say so. IPX/SPX is also supported, for backward compatibility to legacy NetWare boxes. NetWare went straight TCP/IP a few years back, and they’ve never gone back to IPX. But there are scads of old NetWare 3.11 boxes still hanging around, running only IPX and with users needing to access them. You’ll use IPX/SPX in a legacy NetWare environment, but only long enough to convert the NetWare boxes to TCP/IP (or to Windows 2000). Windows 2000 supports the IPX/SPX protocol with the Microsoft implementation of IPX/SPX, a protocol called NWLink. An AppleTalk network integration is included for continued support of Macintosh clients. Both Intel-based and Apple clients can share files and printers using this feature.


www.sybex.com


253

Communication Protocols The Point-to-Point Tunneling Protocol (PPTP) is supported in Windows 2000. Its single purpose is to assist with the nailing up of virtual private networks (VPNs). PPTP has been around the Microsoft camp for several years now and works well. A second VPN protocol, newer than PPTP, is the Layer 2 Tunneling Protocol (L2TP). It too is used for VPNs, but does not rely on vendor-specific encryption technologies. Microsoft expects this protocol to wind up being the industry VPN standard. The RADIUS protocol is predominantly used for dial-up users accessing a third-party RAS server device, but ISPs also use it for tunneled network users. All three protocols—PPTP, L2TP, and RADIUS—use the tunneling method. What this means is that the user’s packets are buried deep in TCP/ IP packets as they fly along the Internet. At the place where they knock on the door of the network, they are authenticated and unbundled and the data is read.

Specialized Protocols Simple Network Management Protocol (SNMP) is still supported in Windows 2000. With this protocol, your network monitoring software such as HP OpenView can obtain information from network gear and other equipment that has the ability to send SNMP traps. At the network management station, a management information base (MIB) is loaded that knows how to decode and present the SNMP information within the confines of the network management interface. A MIB is basically a definition file that describes the gear and the various alerts that can be sent to the management station. The Hewlett-Packard DLC protocol is also included for backward compatibility with DLC connections to shared printers. There are other specialized protocols (such as the exotic infrared-device protocols IrDA-FIR and IrDA-SIR), but for the most part, the above protocols are the ones you’ll be using most often.

Hosts The word “hosts” is a TCP/IP word. Whenever anyone says the word “host,” you should think of “computer.” A host is simply another computer out in the big bad network world. That’s why the old Unix file that translates


www.sybex.com

254

Chapter 6


IP addresses to FQDN is called hosts; it lists the hosts on your network. (The hosts file, by the way, was a great idea back in the early ’80s. Today, with so many TCP/IP hosts, it’s a terribly inefficient way to maintain name resolution.) What’s being asked of you in this particular topic is that you assess the kinds of hosts you have on the network. I would look at that task as assessing what kinds of operating systems are loaded on your computers, because the operating system essentially defines the host, does it not? Linux is beginning to be a really popular OS. Do you have Linux hosts operating in your environment? If you do, then they’re probably going to make LPR print calls to your shared NT printers. They’ll also probably mount NFS volumes (Unix’s way of sharing out files for access by others), and you’ll find that you can map to these NFS volumes and grab data—provided they’re set up accordingly. Linux hosts that use StarOffice and whose users don’t have a regular Windows 9x or NT box with which to run Office will probably run into file sharing issues with others on the network that need to see their documents. Do you have Macintosh hosts? These users have very unique requirements, but Windows 2000 has provided accessibility (just as Windows NT did) so that your Mac users can access files and printers just like your Windows users do. What about OS/2 hosts? Oops, sorry. Unless there is special network connectivity software written for OS/2 clients, they’re out of luck in the Windows 2000 world. But you know what I’m willing to bet? I’d say that IBM is already working on an OS/2 client for Windows 2000 networks. One thing IBM does is make hay while the sun is shining. Got a mainframe? Old-time mainframers call that big boy “the host.” A mainframe is considered a host, just like any other computer on the network. How do your users currently connect to the mainframe? If they’re using some kind of 3270 or 5250 emulation software, you’ll have to be sure you check to make sure it’s going to live on in the Windows 2000 world. Attachmate Corporation, makers of extremely good emulation software, is probably already aware of the issues. (Since everything’s done through TCP/IP these days, the issue isn’t nearly as complicated as it sounds. It’s just a matter of making sure the GUI works in the 2000 world like it did in the NT or 9x world.) What about other hosts that have proprietary protocols associated with them (such as the Vines hosts we talked about earlier)? Well, sad to say, but


www.sybex.com


255

unless they can speak native, non-proprietary TCP/IP, chances are the company that developed them will have to write software that makes them compatible with Windows 2000. And that’s always dicey, because you really don’t want other exotic protocols loaded on your systems—you want native TCP/IP and only TCP/IP. The astute Windows 2000 designer would take this opportunity to find replacements for those old software components that aren’t dancing at the same disco as Windows 2000.

Design Scenario: The New Administrator’s Position You’ve been hired by a small start-up company to administer their network. The company is a small software-development company that’s very hightech. You’re expecting to see really great infrastructure when you arrive at your first day on the job, but you’re disappointed to find cables sticking out of the RJ-45 connectors, poorly terminated patch panels, old-fashioned hubs, and a variety of other problems throughout the office. The majority of the wiring is Cat3, with Cat5 between the two switch closets. You’re told on your first day’s orientation that the company would like to migrate as quickly as possible to Windows 2000. You wonder how they’re getting any computing done at all on their seven Windows NT 4 servers, based upon the incredibly poor infrastructure! You meet with your boss, the CFO, and explain that the wiring plant is in incredibly decrepit shape. You want to replace all of the Cat3 wiring with Cat5. Next you want to add a fiber optic run on the backbone but keep the existing Cat5 for backup purposes. You want to get rid of the hubs and purchase enough switches for all 100 users on the net, about five switches. (No core switches are needed.) This will bring the network up to 100Base-T or 1000Base-T capability. Then, and only then, do you want to go forward with the Windows 2000 rollout, and that will only happen after you’ve assessed the servers, the network’s protocols, and all of the other pertinent discovery items. You tell the CFO the cost of the cable plant rewire is about $18,000, and the switches will cost around $10,000. Project total costs will be around $28,000–30,000 and will take about two weeks to complete. You can install the switches, but you’ll outsource the wiring updates.


www.sybex.com

256

Chapter 6


Assessing Network Services

Microsoft has really broken the infrastructure objective into small pieces, haven’t they? Without some context, “Evaluate network services” could mean a lot of things.



Evaluate network services.

What comes to mind when you hear the phrase “network services”? The purpose of this section is to talk about services consisting of either software or hardware that comes to the aid of the network in order to formulate a stronger, better-functioning system. Let’s see if we can detail some of the various network services categories.

Network Monitoring Network monitoring services typically consist of network monitoring software coupled with a computer that’s designated to handle only the influx of SNMP and Remote Network Monitoring (RMON) traffic from the LAN. (RMON is a more robust, scalable, and intelligent iteration of network management protocol.) The combination of the network monitoring software and hardware is called a network management system (NMS). Some companies have many NMS computers housed in one area, strictly for the purpose of monitoring their huge networks. I’m sure you’ve seen pictures of these centers in the paper or elsewhere (perhaps on a tour of your facility). Men and women sit at NMS computers and watch for any alerts to come up from devices on the network. Sound pretty dull? Oh yeah, like watching paint dry. Is it necessary? You bet it is. The combination of lots of NMS computers in one location is called a network operations center (NOC). Network devices report their status to the NMS via the SNMP protocol. Management information bases (MIBs) loaded on the NMS know how to prepare and present the freshly reported data. The most common NMS software around the world would be HP OpenView or CA Unicenter TNG, though there are others.


www.sybex.com


257

You can purchase add-on software components for NMS software. OpenView has a huge listing of snap-in components that makes it more intelligent and capable.

Metrics Monitoring The concept of metrics centers around ascertaining how much uptime the servers have had the luxury of experiencing. There are two methods of determining uptime, each at opposite ends of the scale. You could opt to manually keep track of every time that a server went down, how long it was down for, and what the cause of the outage was. It would be easy to keep track of this kind of thing in a spreadsheet. Then, at the end of the month, you could go through and tally up the amount of time that a server was down in, say, minutes and then calculate the percentage of that downtime over the whole month. For example, suppose that you had a server that went down for 15 minutes in the month of April. Since there are 30 days in April and 1,440 minutes per day, there were 43,200 minutes in that month. Take 15 / 43200 and you come up with 0.00035. Now multiply by 100, and you get the downtime as a percent: 0.035. Subtract this number from 100 and you get 99.965 percent uptime, quite remarkable for a server!

Industry standards vary, but there are two basic delimiters that you’ll hear when people talk about uptime statistics: “4-nines,” meaning 99.99% uptime; and “5-nines,” meaning 99.999% uptime. You probably won't be able to handle 5-nines uptime (though phone companies do) and probably not even 4-nines. More than likely, you'll be in the 99.8% to 99.9% range. At 99.99% uptime, you have 53 minutes of downtime per year. Think about that number a minute, and then decide whether you can realistically keep servers up for that kind of time. Purchasing high-quality equipment that’s on the Microsoft HCL and keeping only one app on a server are good ways to increase uptime, but less than an hour per year downtime (including maintenance) isn’t truly attainable, is it?

The number of outages that occur on a specific server can be quite revealing information as well. If you know, for example, that a server was down four times in one month, you might find out that an application had been recently loaded on the server and that this was the cause for all the outages.


www.sybex.com

258

Chapter 6


What you’d do to correct that problem is another story, but at least you think you have a handle on what’s causing all the outages. A more elegant solution is that of software that handles metrics monitoring. NetIQ, BMC Patrol, and ManageX are all designed to give you super granularity in terms of watching critical servers and services, handling problems with them, and alerting you of the issues.

TCP/IP Services TCP/IP services would consist of things like DHCP, WINS, LDAP, and DNS. The most interesting of these is DHCP and DNS. While Unix boxes don’t readily do DHCP (though I understand some Unix software applications can now handle this function), they do DNS pretty darn well. And in legacy environments where DNS servers are already running and handling things nicely, you might have a really hard time convincing people that you think DNS should move to Windows 2000. Lucent Technologies offers a replacement DNS/DHCP/WINS application called QIP, which lives on servers and takes the place of regular NT services. I’ve heard both good and bad about it, but you get a feel anyway for the kind of thought that people have put into TCP/IP services. Some switch and router gear can host TCP/IP services. Again, it’s not feasible for switches to do your DNS work, because you need Windows 2000 to do it for you.

Security Monitoring Security monitoring, in my mind, has to do with the alerting that goes on with proxy and firewall servers. Recently, for example, there was a rash of attacks on Web servers. These attacks were called SYN attacks (short for synchronization) and essentially amount to a request that a host makes for connection to another host (typically a server). If the hacker can duplicate enough bogus SYN requests and barrage the server with them, the server is so busy acknowledging SYNs that it can’t do any other work. The papers said that a 15-year-old could easily fight off this attack, and they’re right. It wouldn’t be hard at all. A firewall product would be expected to alert the administrator that some sort of attack was transpiring. Moreover, good firewall software should have some method of ascertaining when it’s being hit by a SYN attack and dismantle the attack before it craters the network.


www.sybex.com


259

As I mentioned in Chapter 5, another famous attack, one that had basically the same affect on servers a few years ago, was the ICMP (or PING) attack. Here you simply ping the host over and over again, hundreds of thousands of times. The poor computer is so busy answering pings that it cannot do anything else. Very clever, very easy, and terribly disruptive. The same kinds of security checking features apply with the ICMP attacks as with SYN attacks. The firewall should be able to monitor for ICMP attacks and then proactively shut them down. Some companies don’t respond to a ping because of the potential for this kind of attack. Their ICMP-defense software simply keeps anyone from being able to ping the box in the first place. Microsoft Proxy Server supports ISAPI filters—customized filters that third-party vendors write in order to prevent users coming in or going out from performing some specific activity. One of the more popular ISAPI filters is the one that SmartFilter uses to keep internal users from surfing out to porn, racist, or other undesirable sites. You install Proxy Server, then install SmartFilter. SmartFilter includes files (that can be updated automatically on a regular basis via FTP) that know about most of the bad Web sites out there and, after configuration by an administrator, prevents users from traveling to these sites.

Fault-Tolerance Monitoring When you install tools like HP’s TopTools or Compaq’s equivalent, Insight Manager, one of the things you do is monitor the fault-tolerant gear that’s installed in the server. This is fault-tolerance monitoring. For example, HP’s brand of RAID array adapters, NetRAID, will respond to faults by alerting the TopTools agents if there is a problem. SNMP could be said to be acting in a fault-tolerance monitoring capacity when it sends out a trap alerting the administrators that a redundant link (a special port on switches that allows you to set up a second, fall-back link into them) has gone down. When this happens, of course, the switch represents a SPOF and needs to be addressed quickly.

Web Monitoring A new kind of monitoring activity that administrators have to be cognizant of is monitoring the company’s Web sites, both internal and external. With Web sites you’re interested in a variety of things. You’d like to know how


www.sybex.com

260

Chapter 6


many people hit the site on a daily basis and where they “clicked through” to. You want a feel for the performance of your pages—how fast they load and how accurate they are, in terms of whether they generate script errors and so forth. You also would like to capture any visitor information that you can get. Most importantly, you need to keep the sites from being hacked and changed in some ways. Some of the things that hackers do sound like they’re pretty funny. As a not-so-good Web site developer, I can tell you that there’s a heck of a lot of work that has gone into developing even a cheesy little site, and it’s devastating to see somebody else tank all of your hard work.

Design Scenario: Playing the Metrics Game You work for the same company that was mentioned in the design scenario above, a little high-tech start-up group. Your boss tells you that she wants you to keep track of server uptimes, especially the Web, e-mail, and code repository servers. You set up a spreadsheet, create a column for each server, and begin monitoring the uptimes, the outages, the duration of the outages, and their causes. But the monitoring process gets darned tedious and, after a month or so, you find that you no longer keep track of it as closely as you once did. You can’t afford enterprise-level metrics software like NetIQ; it’s too much for this tiny company’s budget. Besides that, you can’t mentally justify the expenditure because, after all, it’s only a few servers. How hard could this be? Finally, you discover a cheap, little freeware package that monitors server uptime, in days, the way Unix boxes generically report their uptime to anybody who’d like to see it. The software is called Uptime, and you put it to immediate use monitoring your servers’ uptime. (You could use the Windows 2000 Resource Kit utility Uptime as well, but you opt for the GUI instead.) Now all you have to do is keep track of the number of outages, the length of time the outages lasted, and the reason for them, and you have this problem licked. (Visit www.idyle.com/uptime/index.html for more information on Uptime.)


www.sybex.com

Assessing the TCP/IP Infrastructure

261

Assessing the TCP/IP Infrastructure

Assessing the TCP/IP infrastructure is probably going to be one of the simpler tasks that you’ll be involved with in your Windows 2000 network design. You need to know where key servers are, what their names and IP addresses are. You need to know the network IDs and subnet masks in use on the network. You need to know what the router, firewall, and proxy server IP addresses are.


Analyze the impact of infrastructure design on the existing and planned technical environment. Analyze TCP/IP infrastructure.

Here are the kinds of things you’ll be watching out for:

Key servers are the DNS, DHCP, and WINS servers in the environment. Find out these servers’ names (both NetBIOS and FQDN) and IP addresses and where they’re located. While you’re locating this information, also identify the server scopes: where they are, what they’re composed of, and the various global or scope settings that are applied.

Identify all of the network IDs. Also find out what subnet masks are in use throughout the various parts of your network.

Obtain all of the critical connector server information, such as router addresses (typically the network ID with a .1 address—e.g., 10.1.1.1). You’ll also want to know the NetBIOS and FQDN names and the IP addresses of the various proxy servers and firewalls on the network.

Obtain the IP addresses of the printers and the locations of their LPR, DLC, or HP ports.

List the IP addresses and NetBIOS and FQDN names of the servers.

If a BootP server is in use for thin-client workstations that have no hard drive and use BootP to boot off of the network, identify the server names and IP addresses.


www.sybex.com

262

Chapter 6


Identify any RAS servers, their names, and IP addresses. While identifying these boxes, it’d be a good idea to jot down the phone numbers that are associated with the servers.

It’s not important to know the IP addresses of the switches in the closets. Chances are you won’t be connecting to them for any reason.

Assessing Current Hardware

H

ere’s a fun little task to do when you have nothing better going on (just kidding!). Depending on the size of your network (and whether you have SMS installed), you might have to spend several weeks getting information about the hardware on your network. You need to diagram several different categories of hardware in order to have a more complete understanding. In larger installations, a complete view might be impossible, but it’s at least possible to ascertain what servers are in the domain. Once you know that, the very least that you should do is to find out what hardware the servers are.


Analyze the impact of infrastructure design on the existing and planned technical environment. Assess current hardware.

The point of this exercise is to find weak spots on the network that need to be addressed before you go forward with the design and deployment. Speaking in terms of budgets, if you’re going to ask for the money for the upgrade, also ask for the hardware upgrade dollars you’re going to need to support this new NOS.

Servers are the most critical part. Figure out which servers are on the network. Identify the brand; write down how much RAM is in each, how many CPUs and their speed, the hard disks and their size and remaining space, and whether they have FAT or NTFS partitions. Jot down any special peripheral equipment on the box, such as hardware RAID controllers, DAT or DLT tape drives, fax cards, and so forth.


www.sybex.com

Assessing Current Hardware

263

You cannot install Windows 2000 Server on anything less than a 133MHz Pentium with 128MB of RAM (and Microsoft recommends 256MB) and a 2GB hard drive; decide whether your servers fit those guidelines. Those are marginal, barely operational parameters, so then you need to decide how much horsepower is a good thing and if you have that horsepower. It might be a good idea to arrange the servers by function, i.e., file, print, application, database, and Web.

Identify networked printers, by type, manufacturer, and model. If you can obtain the printer’s duty cycle, the number of pages it is rated for monthly, that’s a great piece of information to have on hand. If you know roughly how many pages are printed in a day and you know the printer’s duty cycle, you can very quickly tell whether a printer is overworked and ready for replacement. You should also jot down the amount of RAM the printer has, the driver it’s using, the amount and type (laser or ink) of any cartridges, whether it’s connected by an internal card or an external network box, and the card type (JetDirect, for instance). From the print server, you should also get the IP address and port that the printer is using. Don’t forget specialized printers such as plotters.

Ascertain the type of switches and hubs you have on the network. You’re interested in the port density of each switch, the types of ports (fiber, Ethernet, etc.), the types of uplink cards, the brand name, model number, firmware revision level, and how you get into the switch or hub’s UI to maintain it (telnet, Web, etc.). Hubs should throw up an immediate red flag in your design plans; they don’t prevent W2K, they’re just dangerous and difficult. Hubs connected to hubs connected to hubs should make you sit down and do a complete infrastructure redesign, then go into the Windows 2000 design.

Repeat the same kind of work for the routers. I don’t think it’s necessary to know things like firmware revisions on routers; most networks have somebody who maintains the routers. But it is good to know the router’s WAN connectivity, overall throughput speed, model number, and manufacturer. The type of routing protocol it’s using would be good information to jot down as well. For years, Cisco used a proprietary routing protocol that didn’t work well with the other router vendors like 3Com. This kind of routing protocol information may come in handy at router update time or in the event you decide to do some Windows 2000 routing.


www.sybex.com

264

Chapter 6


Tape backup systems should be revisited at this time. If you’re barely getting the enterprise onto a couple of 4mm DAT tapes at night, don’t even think you’re going to get Windows 2000 backed up to the same system using the same number of megabytes. This is a much bigger NOS and requires much bigger tape-backup horsepower. DLT is practically the only way to go for enterprise backups these days, and the Windows 2000 deployment presents an excellent opportunity for you to make sure backups are adequate for the new network paradigm.

RAS servers such as those made by Shiva, US Robotics, and 3Com— standalone devices that provide telecommuting interfaces into your network—are also going to come into play on the new Windows 2000 network. Write down the model and manufacturer of the RAS server. If the server is using a database to validate telecommuting users, state so; if it’s using NT authentication software, then note that. You need to know how many ports are on the server, what kinds of modems it is using, the relevant firmware revisions to the box, and the telephone numbers (and if they’re hooked to a hunt group), including toll-free numbers.

Miscellaneous devices that you should know about when considering the Windows 2000 upgrade should appear on the list as well. There are all kinds of devices that come to mind. For instance, manufacturing lines, sometimes called “packout lines,” often have specialized computers on them that handle the flow of the line. Test gear, imaging equipment, network scanners, and other exotic peripherals should be listed, along with their manufacturer, model, and a description of what they do.

Identify Existing and Planned Upgrades and Rollouts

T

he company I currently work for always has something going on in terms of new computer applications coming on line. We have a big staff of developers who seem to work nonstop in their quest to provide better applications for the business. My company is in a constant state of flux with respect to new hardware upgrades, new application rollouts, aggressive Web site development, integrated systems development, and so on. It’s a very busy place.


www.sybex.com

Identify Existing and Planned Upgrades and Rollouts

265

Does that describe your company? Maybe you work for such a large operation you couldn’t possibly know all the things that are going on. And yet, Windows 2000 is going to mandate that you somehow get a handle on at least the major undertakings, don’t you think? For example, suppose that you have a development group planning on going forward with a huge computer telephony integration (CTI) application sometime in the next few months. They’ve spent several weeks looking for the ideal product/vendor mix that will provide the application zest and business fit that they’re looking for. Now all of a sudden, you’re going to saunter in and apply an NOS that their system may not work with. In the best case, you’ll be guilty of bad timing. In the worst, if you try this with a business unit that has a high profile, you could see your upgrade project killed!



Identify existing and planned upgrades and rollouts.

It is highly critical that you identify any existing or planned upgrades or rollouts that might be affected by your Windows 2000 plans. Let us identify the difference between an upgrade and a rollout. Upgrade An upgrade is something that happens to an already extant system or device—an improvement over a like existing system. If you have 3Com switches in your closets and the network folks are going to go through and apply the latest rev of firmware, that’s an upgrade. If your database people are on Oracle 8 and they’re changing to Oracle 11, that’s an upgrade. An HP 5SI network printer that’s being replaced by an HP 8000 is an upgrade. Rollout An entirely new thing, a new hardware device, a new way of doing a business task, or a new software application, is a rollout. Suppose that for years your parts department simply wrote down the parts they worked with on a form. The forms were keyed into a spreadsheet that somebody kept track of on a PC. But when too many people needed to see the results of that spreadsheet and there came to be too many parts people, a client/server system was needed. So coders were brought in and the system was developed (VB over SQL Server, of course). When the developers were ready to go live with the new system, they were said to be in rollout stage.


www.sybex.com

266

Chapter 6


Design Scenario: The Rollout That Can’t, Won’t, or Might Not Suppose that you work for a company that’s fairly leading edge, in terms of its computing capabilities. The managers are completely on board with a Windows 2000 rollout and have, as a matter of fact, mandated that you accomplish this right away. But they’re also fairly progressive in terms of the kinds of development activities that they’re involved with, especially intranet and Internet sites. One group is responsible for developing a Web site that will be available for your various retailers spread all over the world. Retailers will be able to hit a Web site, key in their unique validation information, and view documents about order entry and fulfillment that pertains to them. It’s a fantastic idea! The developers have worked hard to develop a Web presence that’s outside the firewall but still secure. The current system uses ordinary Windows NT– based Internet software such as IIS and Site Server. The system has not yet rolled out to production. How will your Windows 2000 deployment fit in with this new rollout? For starters, Windows 2000 includes IIS 5, so your developers have to stop and take some time to figure out what’s different with IIS 5 than IIS 4. They might find that some of the ways they’re doing things are IIS 4 methods that won’t fit into the new structure. Can they keep using Site Server? What about Windows load balancing? Windows 2000 includes this feature as a standard part of the NOS; Site Server provides this feature to Windows NT 4 Web systems. Windows 2000 is a smarter Web player than its little brother was, but how smart? All of these things will require that you and the developers involved in the retailer project become informed on what’s new and different with Windows 2000. All of this new information gathering will take time and will affect not only their rollout, but your upgrade. It will also most likely change your ability to go from mixed mode to native mode with your AD rollout. Why? Because the developers will likely opt to go forward with the current design (their project has a very high profile) and worry about the upgrade later. This means that if you have NT 4 DCs that the developers do not want changed, you can’t go to a completely native Windows 2000 environment for some time, and you’ll have to maintain the AD structure in mixed mode.


www.sybex.com

What Is the Current Technical Support Structure?

267

What Is the Current Technical Support Structure?

A

fter you’ve analyzed the equipment and code, it’s time to find out what people and procedures your company uses to maintain all that. Who are the technoids that are going to support all of this equipment and provide a place for coders to display their wares?



Analyze technical support structure.

There are two ways of looking at this exam objective, and I think it’s probably safe to examine both. You must ask yourself, as you prepare your Windows 2000 upgrade plans, what kind of technical support is in place for the administrators who are going to have to own the system, and for the users who are going to use it? These are two separate technical support domains and require two different assessments and answers. Network Manager Support The first kind of technical support we need to examine is: what technical support infrastructure do you and your deployment managers require for the Windows 2000 rollout, and is today’s technical support environment adequate? In other words, how much support do you think you’ll need as you go forward with the rollout and begin to get people used to the new system? You’re undoubtedly going to encounter problems—how ready for those problems are you? How much technical support from Microsoft can you afford? Will you have contractors helping you and will they agree to provide support for a limited time after deployment? If you’re bringing Windows 2000 into an environment that includes third-party applications, will the vendor support the application on Windows 2000? How much support can you expect? This may be the time to examine the possibility of replacing applications that you’re not happy with and that you know won’t win in the Window 2000 arena.


www.sybex.com

268

Chapter 6


User Support The second kind of technical support is the structure that your users expect. Do you have help-desk personnel in place, and if so, are they aware of the changes that are coming their way? Chances are good that if you deploy Windows 2000 correctly, the users won’t notice the change on the servers, but they’ll obviously notice Windows 2000 Professional. That’s what communicating the changes and training are all about—putting your users on a knowledge level where they can use the network the way they used it before the rollout.

How Is the Network Being Managed Today?

Finally, we need to figure out how the network is being managed today and how the Windows 2000 change is anticipated to affect the network managers.



Analyze existing and planned network and systems management.

Depending on the size of your network, you’ll find that network managers fall into several different categories. It’s important that you determine the various layers of network management that are involved at your site, who manages what, and to what depth each person’s knowledge goes when it comes to Windows networks and TCP/IP. A training chart is called for, one that has “Current” and “Windows 2000” as column headers. Write the network manager’s name, the type of management he or she is responsible for, and the level of knowledge currently possessed. Then you can write in the Windows 2000 column how much training is required for this person, and how much involvement will probably happen on the new network. Let’s pinpoint some of the kinds of network management tasks that various people might be performing (depending on the network’s size, of course): Backup Managers These people are responsible for nothing other than the backup of the network. It’s possible that these are Unix people who happen to also back up the NT network, a very feasible paradigm.


www.sybex.com

How Is the Network Being Managed Today?

269

Internetwork (Data-Comm) Managers These people are responsible for the routers and WAN connections, though they may not be responsible for the infrastructure. There may be a logical separation of the two camps (internetwork and infrastructure). My experience has been that companies tend to lump the infrastructure and internetwork people in the same unit or department together. Infrastructure Managers These people are manage the overall infrastructure of the network. They handle the cable plant, the wiring closets, the patch panels, and the hubs and switches. Applications Managers Someone is responsible for the enterprise applications on the network. Often they have one or, at the most, two separate applications that they manage. There might be several different applications managers. A really great example of an application that requires specialized management is an IVR system. Almost all big companies have an IVR system of some type and an associated group of IVR managers. These people might not know much at all about how Windows NT functions, let alone Windows 2000, and you can rest assured that they probably don’t know much about servers. But the interconnection between the IVR software and telephony—now that’s something they’re keenly aware of. Print Managers In larger companies, believe it or not, there are people who do nothing but handle print queues all day long. If you’ve ever hassled with JetAdmin software over a new printer on the network, you’ll know how challenging this job can be. Database Administrators DBAs set up tables, create namespaces, write stored procedures, perform business analysis on new database systems, and so forth. They’re usually very skilled, in terms of the database software, and are wonderful resources for you. Very frequently they don’t know a whole lot about hardware, but they’re highly involved in server systems and have a good understanding of enterprise concepts. NOS Managers Some companies have people who strictly handle the setting up of servers and the installing of the NOS. These people would not be terribly application-aware, but chances are they would be highly aware of the changes coming their way in Windows 2000. E-mail Managers E-mail systems can grow to be so large and ponderous that dedicated administrators are required. This part of network management would then be relegated to the e-mail managers.


www.sybex.com

270

Chapter 6


Web Managers For both Internet and intranet sites, dedicated Web administrators are sometimes required. Telephony Systems Managers Here we have the rare breed of individual who is responsible for the telephony systems (and associated interfaces into the corporate network). My experience has been that telephony people either have an incredibly up-to-date knowledge of Windows NT, or they don’t know a thing about it. Windows NT 4 was highly CTI-aware, and Windows 2000 will be even more that way. Security Managers These folks create and manage user accounts, groups, NTFS permissions, mainframe logons, Internet usage accounts, and so forth. Software Management In addition to the activities that some of the above-listed human managers perform, you may have software management involved in your network as well. HP Openview, CA Unicenter, and other management software products can help perform some of the tasks human managers might be involved in. Systems that help manage the enterprise in this way are called enterprise management systems (EMS). EMS installations are complicated, typically require a dedicated person or two in order to manage them. More than one of these network management roles could be occupied by the same person. That’s perfectly reasonable, especially on smaller networks. But on bigger ones, you might have a “cast of thousands” who all work together for the good of the corporate network. It’s possible that one entity might not even know that another exists. Nevertheless, all of these various management components need to know and be aware of the ramifications of a Windows 2000 network that’s barreling their way.

Summary

T

his chapter’s goal was to discuss all the ramifications of the infrastructure design on the existing and planned technical environment—with emphasis on technical environment. What you’re really being asked to do here is to take a huge overall look at the network, make determinations about its present and its future, and then decide how the Windows 2000 rollout will be affected by the various components or, more importantly, how


www.sybex.com

Summary

271

the components will be affected by the rollout. A Windows 2000 designer must look at many things when making these kinds of determinations. We started out by looking at the enterprise applications on the network. You need to discern that there is a difference between an enterprise application (one that’s in use by a majority of the users) and a workgroup application that may only be used by a few. While both applications are important, the enterprise app obviously has more weight in decisions relative to a Windows 2000 rollout. There are different types of applications as well: client/ server, Web, and back-office applications are three of the major delineations that can be made. Next we discussed the evaluation of the current network environment. This topic includes describing the infrastructure, the protocols in use (Windows 2000–supported protocols are largely unchanged from Windows NT 4, with the exception of the addition of VPN protocols), and hosts. Hosts are nothing more than computers. In computerese, the word “hosts” is a TCP/ IP term for single computers on a network. We talked about assessing network services, identifying several that need to be looked at when considering a Windows 2000 rollout. Among them were network monitoring, metrics monitoring, various TCP/IP services such as DHCP and DNS, security monitoring, fault-tolerance monitoring, and Web monitoring. All are important to the health and well-being of the network. We then discussed the assessment of the current TCP/IP infrastructure. There are many details to examine here, the chief of which is the placement of DNS. Unix-based DNS is no longer the best option in a Windows 2000 world. Some shops have brought in third-party DHCP managers that live on Windows NT servers—this too needs to be examined. The overall network ID, subnet mask, and VLAN characteristics are highly important to the design of the new network. We also talked about assessing current network hardware: things like servers, printers, internetworking gear, infrastructure gear, specialized hardware, and RAS servers. You need to identify existing and planned rollouts and upgrades. We talked about the technical support structure and its two facets, the user component and the network manager component. By far, the network managers will need the most technical support as you go forward with your rollout, but users need to also be aware of the various issues surrounding the rollout.


www.sybex.com

272

Chapter 6


Finally, we discussed the very relevant topic of how your network is being managed today. Depending on the size of the network, it’s possible that you have a wide variety of manager types, and each function may be performed by separate people or combined into one person or group.

Key Terms This chapter presented lots of important terms, but terms that you might’ve run into in your work experience. 2-tier client/server 3-tier client/server asynchronous transfer mode (ATM) client/server Layer 2 Tunneling Protocol (L2TP) management information base (MIB) network management system (NMS) n-tier client/server Point-to-Point Tunneling Protocol (PPTP) RADIUS rollout Simple Network Management Protocol (SNMP) thin-client thin-client client/server upgrade workgroup


www.sybex.com

Review Questions

273

Review Questions 1. In analyzing the TCP/IP structure of your network, you find that the

Unix hosts are hosting DNS. Why could this potentially present problems with your Windows 2000 rollout? A. Lack of support for SRV resource records B. Can’t be secondary zones to Unix hosts C. Can’t be secondary domains to Unix hosts D. Can’t work with AD 2. What network component will you not need to consider for your Win-

dows 2000 evaluations? A. Servers B. Mainframes C. Telephony gear D. Routers 3. Which activities are upgrades and not rollouts? Choose all that apply. A. Hubs to switches B. Exchange 5.5 to Exchange 2000 C. Debut of an Oracle client D. Migration from NetWare to Windows 2000 4. In your company of 5,500 employees, about two-thirds of the people

use a front-end application that talks to the company’s back-office databases. Select the kind(s) of applications this represents (all that apply). A. Client/server B. Workgroup C. Enterprise D. Mainframe


www.sybex.com

274

Chapter 6


5. When would Exchange Server turn from a 2-tier to a 3-tier client/

server application? A. When Unix users start using it B. When you can use your browser to get e-mail C. When you add Outlook Web Access (OWA) D. When you install the Lotus Notes connector 6. What’s a good example of thin-client computing? A. A Visual Basic GUI client on a PC talking to a SQL Server database B. A middleware server that handles translation from the mainframe

to the client C. An ODBC request to a SQL Server D. A browser that points to a server-side Web database application 7. You have an ATM network. What category or categories would you

place this in when assessing the technical environment? Choose all that apply. A. Infrastructure B. Internetworking C. Telephony systems D. Routers 8. Which are valid network services? Choose all that apply. A. Metrics monitoring B. Backup monitoring C. Security monitoring D. Fault tolerance monitoring


www.sybex.com

Review Questions

275

9. A computer sits in a tiny, unattended control room. This computer

periodically talks to your network, sending back reconnaissance data on some metering equipment. What is this computer considered to be in TCP/IP terms? A. TCP reference B. ICMP computer C. Host D. Layer 2 switch 10. You have a group of four users on your 250-node network who use an

Excel spreadsheet to keep track of comp time for the department. What sort of application is this said to be? A. Workgroup B. 2-tier client/server C. 3-tier client/server D. n-tier client/server


www.sybex.com

276

Chapter 6


Answers to Review Questions 1. A. Your goal is to make DNS a dynamic network service. If a Unix

DNS installation is up on the most current BIND version, it’ll have no problem with dynamic DNS, but it must support SRV resource records. There’s more on this in the DNS chapter. 2. B. You don’t have to worry about mainframes; they’re handled by

somebody else entirely and won’t affect your rollout. The 3270 emulation software, the code that allows PC users to talk to the mainframe, is another story and may require a good hard look from you before Windows 2000 rollout. 3. A, B. Upgrades are improvements over like existing systems. While

Windows 2000 is definitely an improvement over an existing NetWare system, the two are not alike; NetWare uses a completely different paradigm. “Debuting” an Oracle client implies that it has not been on the network before, hence it’s a rollout. 4. A, C. An application that uses a client component and a back-office

component (I’m speaking generically here when I use the term backoffice—meaning that there is some server process running—not necessarily that Microsoft BackOffice is in place) is said to be client/ server. Since so many users are using it, it also qualifies as an enterprise application. 5. C. The client uses a Web browser to talk to the Web server. The Web

server, in turn, talks to the Exchange server, retrieves the data, and returns it to the client. 6. D. The browser is the ultimate thin client. Yes, you may download

some runtime code to the client, but more likely most or all of the processing will run at the server, including database requests.


www.sybex.com


277

7. A, B. ATM is a “freezer to the oven to the table” protocol, meaning

that you could be running it in the infrastructure with special ATM uplink cards in the closet switches talking to core ATM switches, or you could be connected to an ATM cloud with your ISP and telephone company or both. That’s why A and B are allowable answers. ATM has nothing to do with telephony and does not natively require routers (though routers may be involved if you’re using TCP/IP encapsulated in ATM cells). 8. A, C, D. Backup monitoring falls under the category of enterprise

applications, not network services. Answers A, C, and D are correct. 9. C. Computers that participate on the TCP/IP network are called hosts. 10. A. This app qualifies as a workgroup app, since it doesn’t involve very

many people. It is certainly not client/server in any sense of the word.


www.sybex.com

CASE STUDY

278

Chapter 6


The State Agency with the Complicated Technical Environment

Y

ou should give yourself 10 minutes to review this case study, diagram as needed, and complete the questions for this testlet.

Current System You are the network manager for a large state agency. About 1,500 employees occupy one entire building adjacent to the capital. You are designing a Windows 2000 deployment and have gotten to the point where you’re ready to look at the technical environment. The system in use is exceedingly complicated. For starters, you have about 150 users, on IBM 3279 dumb terminals, who are still using expensive coaxial SNA connections to the mainframe computer at the state’s computing center across town. Others are using 3270 emulation software and TCP/IP to connect to the host, a much cheaper solution. Several home-grown systems use old DOS FoxPro to access databases, then output the results that are keyed in to a flat file that’s uploaded to the mainframe via FTP. The systems were never designed to be used by as many users as they do today, and they’ve turned into a poor man’s client/server system. They break frequently, and you have to go in and rebuild the indexes. There are many printers hooked to the network using JetDirect cards and boxes. You find, after a review of the infrastructure, that you’re on an old 10Base-T hub-based system; users are quite unhappy with the throughput. After reviewing the server “farm” (10 servers that are quite antiquated), you discover that serious work needs to be done to upgrade them. Several department heads are demanding that some form of telecommuting be put in, but nothing has been done along those lines yet. There is one router: an older Cisco 1000 that has a 10Base-T connection to the main computing center. All users have Web access; there is no proxy server. The computing center handles the firewall process. You’re being barraged by department-head requests for some form of control over what users are allowed to surf to on the Internet. There is a request for an intranet. There was an old Vines-to-NT conversion, but you still have two Vines boxes hanging around—you’re not sure what for even though you’ve been repeatedly told why.


www.sybex.com


279

Problem Statement Your mandate is twofold: clean up the mess, and get Windows 2000 installed (including a complete detachment from the Vines apron strings). The biggest problem here is that you’re just not sure where to begin. There are so many problems, so many specialized systems, so little technical help from others, that you’re just not sure you can even get everything done.

Envisioned System Overview Your boss, the CIO for the agency, has told you that he wants a complete Windows 2000 upgrade. When you press him with the detail of what a mess you’ve found, he says that he’ll do whatever “pavement pounding” he needs to do to make sure things are caught up. You’re at once heartened by the promise to help raise the necessary resources, but you’re also not sure that the network is salvageable at this point. You have three people under you who can assist you, but they’re all junior people and not ready for the prime time that this project is going to involve. CIO “I want to take this pathetic little network out of the Stone Age and put it into the rocket age. I’m a realist, and I’m aware that this might take some cash and contracting resources to get done. I’ll do whatever pavement pounding is needed—by that I mean visiting the other department heads to see what kind of budgetary resources they can scrounge up. You have one year to get everything accomplished—remember that we’re on a year-long fiscal cycle, so things have to get done in one year. If you need to bring in some contractors, I’m OK with that, but you have to be sure you document what you need so we can prove it to the oversight watchdogs.” Team Members “We’re excited!” Data-Comm Technicians “Boy, oh boy, do you have your work ahead of you!”


www.sybex.com

CASE STUDY

The only good part about this entire network is, about a year ago a complete rewire of the cable plant was done and everybody is now up on Cat5 cabling throughout. The patch panels are wired together with Cat5 (there is no fiber). E-mail is another plus, having been recently converted to Exchange 5.5, but it’s very slow to use.

CASE STUDY

280

Chapter 6


Department Heads “It’s imperative that we not quit processing at any time! The taxpayer is our customer, and you can’t possibly understand how important it is that we continue to provide great service to them.” State Computing Center Head “The state has provisioned a DS-3 circuit that we want all agencies to utilize. We’re doing this because of the heavy mainframe traffic. We want to increase throughput and efficiency of our mainframe TCP/IP clients.”

Security Security Personnel There are two people who handle all security: mainframe, network, and e-mail. They tell you, “We need to talk about naming standards to use as we roll forward into this new environment. When we were on Vines, everybody got to pick his or her own username, and that philosophy has found its way into the NT network. We want standards just like the mainframe has.” Department Heads “Is there any way that you can keep our people out of certain Web sites? We have some people that tend to want to surf into sites they shouldn’t be allowed to, and it has caused us some trouble in the past. What’s the policy?”

Availability The system has to be up as often as possible. You’re striving for 4-nines uptime (99.99% up, or 52.5 minutes downtime per year, including maintenance windows). The CIO agrees with the department heads that you must get a handle on this ridiculous downtime situation: “I want dial-tone reliability. As soon as you’re done with deployment, I want metrics on this network.”

Maintainability You know you can maintain the network just fine, but if you ever leave, the junior ranking of the rest of your team members leaves you wondering if they could handle a very complicated network. Their response is, “With the right training, we think we can handle it.”


www.sybex.com


281

1. What is this network’s biggest technological hurdle? Order the prob-

lems in the table from most important to fix to least. Problem List

Problem Old custom DOS FoxPro apps Poor infrastructure Poorly maintained server farm Proprietary forms readers Continued support of Vines servers Old SNA mainframe connections

2. In the table below, select tasks from the right column to form

deployment-step trees on the left that you’ll need to go through to finalize deployment. Deployment Steps

Tasks

Infrastructure Upgrade

Change out hubs to switches

Server Farm

Procure contractors for FoxPro app conversion

Old DOS FoxPro Apps

Identify server deficiencies

RAS Server

Identify apps on servers

3279 Users

Procure DS-3 to state computing center

Proprietary Forms Reader System

Update router

Internet Use

Convert FoxPro systems to client/ server (VB over SQL Server) Migrate coax users to 3270 emulation software over TCP/IP


www.sybex.com

CASE STUDY

Questions

CASE STUDY

282

Chapter 6


Procure PCs for coax users Coordinate linkup with state computing center’s mainframe Procure hardware for server upgrade or replacement Install Proxy Server Purchase a core switch for the computer room. Core switch has two cards with eight 100Base-T ports in it and a 2-gigabit card (for linking to important servers and router). Install SmartFilter and configure to keep users from certain sites Purchase 100Base-T switches with gigabit uplink cards for the closets Upgrade or replace servers Procure new router with DS-3 WAN interface, redundant power supplies, gigabit LAN port and updated firmware code Do nothing at this time. Investigate after rollout is done. Logically separate apps by moving them to different servers as required, including dismantling of Vines servers Install fiber cable to all switch closets for backbone Perform a protocol analysis Procure a RAS server for telecommuting purposes


www.sybex.com


283

seem to be in use on the network? Choose all that apply. A. TCP/IP B. NetBEUI C. Vines TCP/IP D. DLC E. SNA 4. Why is the DS-3 requirement being laid down by the computing

center? A. For future growth purposes B. Because of so many mainframe TCP/IP users C. Because of the FoxPro apps D. To connect to the SONET ring 5. What is the biggest technical support hurdle you have to overcome? A. Learning how switches work B. Continued support of FoxPro apps C. Learning routing D. Team needs lots of care and feeding to help support the new

network


www.sybex.com

CASE STUDY

3. Based on the description of the current environment, what protocols

CASE STUDY ANSWERS

284

Chapter 6


Answers 1. See chart below.

Problem List Poor infrastructure Poorly maintained server farm Continued support of Vines servers Old custom DOS FoxPro apps Old SNA mainframe connections Proprietary forms readers Your biggest problem is the infrastructure. It’s also going to be the most expensive problem. Then you have to take a look at the server farm, which would include getting rid of the Vines servers. You also have a problem with some DOS FoxPro apps that almost certainly need to be upgraded, since they’re being used in a client/server setting that FoxPro was not intended for. The SNA connections are expensive and need to be eliminated. Why are some users using coax anyway? Finally, you have the proprietary forms readers to contend with, and they might not be a problem anyway.


www.sybex.com


Deployment Steps Infrastructure Upgrade Install fiber to switch closets for backbone Procure a DS3 to the state computing center Procure router with DS-3 interface and gigabit LAN port Purchase closet switches Purchase core switch Change out all closet hubs to switches Coordinate link-up with State’s Cisco Catalyst mainframe Server Farm Perform a protocol analysis Identify server deficiencies Identify apps on servers Procure hardware for server upgrades or replacement Upgrade or replace servers Logically separate apps by moving them to different servers as required, including dismantling of Vines servers Old DOS FoxPro Apps Procure contractors for FoxPro app conversion Convert FoxPro systems to client/server (VB over SQL Server) RAS Server Procure a RAS server for telecommuting purposes 3279 Users Procure PCs for coax users Migrate coax users to 3270 emulation software over TCP/IP


www.sybex.com

CASE STUDY ANSWERS

2. See chart below.

285

CASE STUDY ANSWERS

286

Chapter 6


Deployment Steps Proprietary Forms Reader System Do nothing at this time. Investigate after rollout is done. Internet Use Problem Install proxy server Purchase SmartFilter and configure to keep users from certain sites 3. A, C, D, E. We know that TCP/IP is in use because of the mainframe

TCP/IP connection with the 3270 emulation software folks. Several printers use JetDirect cards, so there may be a possibility of DLC. There are 150 coax (3279) users in place, and that means only one thing: SNA. Finally, since Vines is in use along with TCP/IP, we could surmise that Vines TCP/IP is in use, though the native Vines protocol may be in use as well. Who’s to say until we do a thorough protocol review? 4. B. The main reason given is because of so many mainframe TCP/IP

connections. But other state connectivity will also benefit, and the pipe is certainly over-engineered and big enough for future projects. Internet connectivity will benefit as well. DS-3 is 44 megabits per second, and it’s a huge pipe. The SONET ring thing would work out well if you went forward with an ATM deployment, but since you’re on a gigabit connection to the state, they’ll have to haul you across the SONET ring by converting your data to cells. You have no responsibility for this. The FoxPro apps don’t come into the picture, since they don’t leave the network. 5. D. Without a doubt, your biggest concern in terms of technical sup-

port will be your junior team members. They need lots of training, coaching, hand-holding, and encouragement to assimilate this new, totally revitalized network!


www.sybex.com

Chapter

7

Analyzing Client Access Requirements MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Analyze the network requirements for client computer access.

Analyze end-user work needs.

Analyze end-user usage patterns.



Plan for growth.



www.sybex.com

W

e’re gaining headway on the design that we’re creating and headed strongly into the sections where we talk about the raw details of a Windows 2000 infrastructure—only two more chapters. However, we must continue down the design road for just a bit more. In this chapter, we talk about the analysis of your end users: how they access the network and how they work on it when they get there. I’ve been able to work three test subobjectives into two separate sections here. We’ll first talk about the needs and behaviors of the end user, and then we’ll talk about plans for the network’s growth in terms of the user count. Some networks grow startlingly fast; knowing that and planning for it are aces in the hole for the Windows 2000 designer. (The placement and centralization subobjectives under “Design a resource strategy” are covered in Chapters 5 and 9.)

Determining the Needs and Behaviors of End Users

This section has two separate threads of thoughts. First, we want to identify specific needs of users, and then ascertain what their behavior is. The goal of these analyses is to design systems, especially network additions, so they benefit users.


Analyze the network requirements for client computer access.

Analyze end-user work needs.

Analyze end-user usage patterns.


www.sybex.com


289

For example, if we know that there are many Exchange servers spread throughout the enterprise, all linked with connectors, then it might be to our benefit to create a bridgehead server that doesn’t host users, but hosts the connectors instead. This provides two advantages: if an administrator feels a reboot of the bridgehead server is necessary, he doesn’t affect any end users by booting it during the day. Also, with such a methodology we create a more fault-tolerant environment for users, because we take one potential trouble source out of the Exchange mailbox servers and move it elsewhere. We can accomplish things like this if we only choose to observe user behavior.

Analyzing End-User Habits If you stand back and take a good hard look at why and how users access the network, I’m sure that you’ll find yourself putting users into different stereotypes that describe their behavior. Let’s elucidate some of those pigeonholes so you can get a head start on the activity of determining how users access the network. Knowing user patterns helps you plan more airtight implementations of future network rollouts.

Power Users The power user is one who is potentially dangerous. This person knows enough about computers to be able to do things like erase critical files, hack the registry of the local machine, change .ini files, and so forth. Power users are quite special to administrators. They’re the reason that Windows NT Workstation exists—to come up with a serious lockdown that keeps them out of harm’s way. Though you’ll find power users in any department that accesses the network, I’d say that they are predominantly the engineers, software developers, and some financial types. It’s important to identify the power users, because you can make educated decisions about how to address their needs and yet keep them out of trouble. Power users will often tell you that they need something far more powerful than they really do, and it’s up to you to study their needs, accommodate them, but keep them from being able to do things they shouldn’t. (We’ll get into a subset of power users, the cowboys, a little later.)

3270 Emulation Software Users These folks don’t use their PC for a whole lot, maybe the Web and e-mail. Typically they’re either mainframe programmers running 3270 emulation


www.sybex.com

290

Chapter 7

Analyzing Client Access Requirements

software to access the mainframe in order to do their programming, or they’re order entry or billing folks who use the mainframe to check records and edit data that’s already in the system. There are also operations people who schedule jobs to run, review job control language (JCL), and so forth, but they’re better categorized as mainframe programmers. Users who are on the mainframe most of the time normally don’t require the latest and greatest in computing machinery the way power users do. The biggest problem you’ll run into with these people is when the mainframe isn’t working well and they cannot access their host session. It’s not usually your problem to deal with, but nonetheless you might be called in to look at it.

This is embarrassing, but confession is good for the soul. Once, when I was working at a large gas and electric utility, I thought I knew more about the mainframe than I actually knew. I installed Attachmate Extra!, and proceeded to key a Logical Unit (LU) number into the software that I should not have entered. From the time I did that, for about the next week or week and a half, there were more network and mainframe troubleshooters running around than you could shake a stick at trying to find the source of the problem. At one point, they even brought in a network sniffer! I didn’t even realize for the first few days that I was the one causing the whole floor to crater. Finally, it dawned on me, and I removed the errant number. The whole network popped back to life instantly, and the troubleshooting team was just totally baffled. Of course, I didn’t tell them that I created the problem. I was, after all, a senior programmer and knew exactly what I was doing, didn’t I?

Macintosh, Unix, Linux, OS/2, or Vax Users These kinds of users have extremely special needs that you’ll have to handle on an OS-by-OS basis. For example, a Linux user might want to mount a Samba NFS share for people on the Windows 2000 network to look at. (Happens all the time—it’s much more common than you might think.) Or, quite the opposite, the Unix host might need to extract files from a Windows 2000 host by using FTP. Linux users will also want to surf the Web, exchange e-mail, and create documents that are available for nonLinux users. Macintosh users have very specific computing needs, and my experience has been that they typically like to save their large graphics files out to a


www.sybex.com


291

RAID array on the Windows NT or Windows 2000 network. That’s a perfectly fine use for them and one that you should sanction (because the files are privy to backup at that point). Windows 2000 has visited the whole Macintosh access issue and has, it’s hoped, made it easier (more crash-proof) for administrators to maintain. Mac users will also want to surf the Web and exchange e-mail and documents. Unix users access the Unix servers either via an emulation host on their PC or through a Unix workstation that sits next to their PC. The basic needs are the same, with the exception of Unix admins, who require the ability to modify server files. I’ve seen Unix admins with a Sun station at their desk and a PC (a darn powerful PC, I might add). Of all of these user types, I’d say that Unix users are probably the most proficient in the NT world (and will eventually be in the 2000 world as well). Though you might not have many dealings with OS/2 users, they’re definitely out there, and the OS is still quite common. Typically, OS/2 requires its own special software for anything that you might want it to do on the Windows 2000 network. OS/2 users are often power users choosing that OS for very special reasons. Vax systems are still in use throughout the world, especially in the manufacturing sector. I find Vax systems to be very complicated and (for me) annoying. Nonetheless, Vax administrators have to be able to find ways to share files and data on the regular network. Those methods are probably already in place, and the Vax admin will typically be aware of them.

Managerial/Professional/Executive Users Can we speak frankly? I find these users to be the biggest pain of all the users on the network. They’re usually accustomed to having things move quickly and they expect you to take every bit of time you need in order to get their computing needs solved, even though the entire network may be burning down around you! It seems that the higher you go up the food chain, the more demanding they get. That’s not exactly fair, because they’re usually quite nice about the way that they go about getting you to fix the problem, but they’re firm in that managerial kind of way. I, for one, always feel a little tense when I have to work on an executive’s computer.


www.sybex.com

292

Chapter 7


I worked with a small, start-up imaging company. The president (and one of the venture capitalists) was a millionaire tycoon who flew to Boulder regularly from Chicago. Once, he wanted an ISDN line hooked up to his home office. I ordered a very expensive ISDN phone for him and procured an ISDN circuit through the Chicago phone company. (ISDN was still very new to the home market then and really never did catch on in that venue.) The day came to hook the phone up and get going on the new system and, of course, we had problems with it right from the start. I wound up working most of the following couple of days on the problem, talking to him by regular phone at his office in Chicago. I don’t think he ever did get the circuit working correctly, and I certainly went down a notch in his eyes after that.

Cowboy Users How does a cowboy user differ from a power user? Both are power users. I’d say it has to do with the cowboys’ tendency to install rogue software on their PCs and then call the help desk for support when things auger. Both cowboys and power users have the ability to surf the registry, but most admins can’t say with certainty exactly what their cowboys are doing when they get into the registry to hack it. So a cowboy brings in, say, the latest copy of Doom and installs it on his PC. Things go along fine for the first little bit; then when he tries to access a program that used to work beautifully, he finds it no longer works at all. Who does he call? You, of course, but only after he does really due diligence trying to figure the problem out, creating an even bigger mess for you in the process. (And when they call you, they say, “I don’t know what happened, I was just computing along and WHAM! it cratered. Stupid NT!”) That’s a cowboy. Cowboys delete the Domain Admins group out of the Local Administrators group on their Windows NT Workstation computers.

Ordinary Joe and Jenny Users These are the ordinary people who just want to log on and get a day’s work done. The standard user e-mails, probably surfs the Web, uses Microsoft Office, and possibly runs some specialized apps that pertain to his or her area


www.sybex.com


293

of the company. For example, an accounting aide might use Navision financials while a manufacturing or engineering employee might use Agile. These users are relatively harmless. They don’t typically bring software in from home or the Web, although they can get into trouble with e-mail attachments that take up a lot of room or use a lot of CPU cycles. These clients are your bread and butter, because they make up fully seven-eighths of the organization’s user base. All users deserve a high-quality, ergonomic work environment (this component is probably not under your control) and a good quality computer. The monitor needs to be at eye level, not higher or lower. The higher you can adjust the resolution of the monitor, the better their vision will be at the end of the day. A resolution of 1280 × 1020 with 75Hz is very good and will be less tiring on the eyes. A mouse needs to be lower than the user’s arm when the arm is held in a 90° crook. Nothing is more frustrating for users than trying to cope with inferior computing machinery, especially those users who must use the computer and the network all day long.

Analyzing End-User Behaviors Have you ever really looked at the way that your users go about doing their work? I’m not talking about how they sit and chat with others, or how they file or things like that. I’m talking about simply sitting and watching how they compute—how they interact with the computer. Try it some time when you’re visiting a PC for a trouble call. You’ll be fascinated to watch how people react to various windows, how they dutifully obey error boxes (unlike you and me), how they get lost so easily when the computer is telling them what to do. It’s really a lot of fun. I especially like watching their eyes and their head movements as they scan the monitor looking for information from the computer. You can easily spot the people who aren’t very comfortable with computers and those who have worked with them for years. Watching users is one way to analyze user behaviors. What sorts of things do users have loading up in the morning when they log on? Is their logon time incredibly long? Do they have enough time to log on, go get their coffee, and come back before they’re finally logged in? Does the computer snap to life and instantly give them all of the things that they need to get their day started? (If not, this isn’t necessarily indicative of a PC issue. It’s very possible you also have a slow network—or, at the very least, so many users hitting the


www.sybex.com

294

Chapter 7


network all at once that bandwidth is completely gone). Try to spend some time just watching a variety of user types. See if you can glean any information about how ordinary users go about their computing lives. It’ll be very informative and time well spent. You can also run performance monitoring on the main servers (applications servers such as Exchange, and file and print servers) to get information about the load at specific times. If you ran performance-monitor scans periodically over the course of a few days, you’d have good benchmarks as to how the network performs. In most shops, it’s safe to say that you can anticipate your heaviest loads in the morning hours between 8:00 and 10:00, then around midday (when users log out and get ready to go to lunch), and then at the end of the day. Web surfing volumes go up during lunch and after 3:00 P.M. In shops where you have two or three different shifts (or more— police stations have people coming on from 1:00 P.M. to 3:00 A.M., and so on) you’ll observe some radically different access times, but at least you’ll know when your peak times occur. E-mail is another story. Most shops are fairly e-mail-centric now, so it’s a good bet that the server is in heavy use throughout the business day. However, it’s understandable that your main peak time for e-mail (when everybody has opened their e-mail and is reading the day’s news) would be the morning hours. You can get a good feel for e-mail traffic by watching the Exchange performance monitor threads and by checking out the IMS queues. The only showstopper you can run into with e-mail—something that’ll affect everybody—is the genius who decides to either send an extremely large attachment (80–100MB) to somebody, or to send an e-mail to 5,000 recipients all at once. You can muck up an e-mail server quickly that way but, fortunately for us, Exchange provides the capability of limiting file sizes that can be received or sent. Network managers might be able to sniff the network and give you some idea of usage patterns, though the information will mostly be about broadcasts and the amount of traffic going across the wire. Some metrics software such as NetIQ or ManageX might be helpful to you too, in your quest for user-behavior information.


www.sybex.com


295

Design Scenario: Users That “Disappear” from the Network You have all these Windows NT Workstation users. And when you open up Server Manager for Domains, then select Workstations view, you see all of the computers, but some are grayed out. When you double-click a grayedout computer to bring up the Properties window, you’re told that the device cannot be found. Yet you’ve verified that the computers are online and out there in the network world. In fact, you’ve physically checked the computers to see if they really are powered up and connected to the network, even though a user may not be logged on. You wonder what the problem could be. In your investigation, you determine that one of two things could be wrong. Either the workstation services and server services are shut off at the desktop (highly possible with cowboy users who somehow have been granted admin access to their local box), or WINS doesn’t have an entry for this computer. But how is it that a third of your workstations show up offline? Upon rebooting a couple of the errant computers, surprise, surprise, they show back up online. You surmise that people have gotten the (true) word around that if they don’t want you remoting into their PC (by doing a Net Use to the C$ share), they can just turn off the server service and, boom, you’re no longer a player on their computer! Pretty cool stuff, huh? You wonder how this will affect Windows 2000 Professional computers. The answer is, the same way. If users decide to stop a service, and that service happens to prevent you from hitting their computer, nothing new in Windows 2000 Professional will prevent this. But the one good thing you have in both situations is the fact that you’re dealing with workstation-category software; you can begin to implement a little more serious lockdown that will keep the cowboys (and cowgirls) out of Services and out of the Registry.


www.sybex.com

296

Chapter 7


What Are the Plans for This Network’s Future?

T

he company I currently work for is a very high-tech, high-speed company that is in constant growth mode. For example, we have about 15 spoke sites that have single servers at them. We anticipate that this year alone, that number will increase by 50! That’s a lot of servers. In an environment like that, it’s really tough to plan strategically for growth of any kind. You’re going so fast that you feel like a moving target—you have to react quickly, assess the situation in a short period of time, and make a solid judgment call with very little time to mull the whole thing over. Gone are the days of passive engineering! But there’s a larger problem with this scenario, and one that I’m sure is common throughout high-tech environments. Management has a hard time communicating what new things are coming down the pike. So even though they might’ve talked about the upcoming changes among themselves, it’s very difficult for them to find the time to explain to those under them what the changes are all about. In my experience, my managers are really great, and I love them to pieces; but they’re so busy that when they do get the time to explain the changes that are coming, they can only do it in a quick alldepartment meeting where nobody has time to ask questions, and the managers themselves don’t have time to develop the ideas that they’re thinking about. It’s really a problem.



Plan for growth.

So, how do you make any kind of plan for a Windows 2000 upgrade that’s going to be involved in a high-growth environment? How do you assure yourself that as things progress, the new gear, the new changes are added to your plans? Moreover, how do you assure yourself that your managers have given you the complete scoop on what’s happening down the line?


www.sybex.com


297

Opening the Lines of Communication In high-growth areas, it’s best that you take the initiative to stay informed. Let’s suppose that you’ve finalized and submitted a Windows 2000 project plan. Everybody likes the plan; it looks solid. Here’s what you have in mind: you’ll install Windows 2000 on the PDC, including Active Directory. You’ll leave all other Windows NT 4 servers (BDCs and member servers) alone for now. Then you’ll upgrade the entire user community to Windows 2000 Professional—using Remote Installation Services (RIS), of course. Finally, you’ll upgrade the rest of the servers to Windows 2000 and cut the AD over to native mode. It’s a good plan, one that allows you to make sure the user body is up on Windows 2000 (and trained on its use) before you switch the rest of the network over. So you set up an appointment with your management team and make your presentation to them. They like the plan and give you the go-ahead. Now’s your chance to present the management team with the news that you have a real need to know when changes to the user environment or network are coming your way. You might even whip up a little Outlook e-form that helps minimize their effort, yet allows you to get the information you need. The concept is twofold: you understand that they’re busy people and can’t (or don’t want to) communicate constantly changes in the company, but you have a legitimate need to be kept abreast of the changes. So when the company plans to hire, train, and turn loose a new bunch of users in the next month or two, instead of quick-and-dirty Windows 95 computers that will work on any old box, you can take the time to prepare some Hardware Compatibility List (HCL)–compatible boxes (a necessity in the Windows 2000 Pro arena) and give your users a real computer that you can really manage. The point here is communication. You have to ask what’s going on, you have to listen to what they’re telling you, and you have to be ready to react to the news. One problem with this, at least for some shops, is managers who tell you that they’re indeed growing and planning on bring new users on line, but they won’t give you the resources to meet those new user needs. Or at the very least, they won’t give you the resources until the very last possible moment (in order to maximize the time the money stays in the company’s account and not in somebody else’s). How do you manage a situation such as this? You need to communicate back that your design requires HCLcompatible computers, that Windows 2000 Professional is the company’s


www.sybex.com

298

Chapter 7


new OS, that it has this benefit and that benefit. Then you wait for their answer, which could go either way. But I’m willing to bet that if you explain the scenario in the right light, it’ll be met with the right attitude on their part.

I sound like I’m selling hardware. What I’m really trying to sell is a solid design that will be more fault-tolerant and easier to maintain than your old environment. Want to get rid of the problems? Pick an OS that keeps users out of the kernel cookie jar and run it on HCL-compatible machines. That’s the Unix way; it’s time that it was the Microsoft way.

We’re Poor—We’re So Poor The opposite end of the spectrum, one that’s much worse than the high-tech company that is moving at lightning speed, is a company that’s sluggish to make technological decisions and very tight with a buck. Some of these organizations can’t help it—not-for-profit entities come to mind. There’s just nothing you can do if the money isn’t there to support the design. Do networks like this grow anyway? You bet they do! Just because the organization is poor doesn’t mean that it can’t hire employees (or bring on more volunteers). So, if the network is in growth mode and you’d like to bring it into the Windows 2000 arena, is this really possible in a sluggish, stingy organization? My honest assessment is that you’re better off trying to make do growing the network you already have than to come up with a baling-wire and bubble-gum Windows 2000 network that’s going to give you nothing but fits. Here are some reasons why I think this:

Windows 2000 requires a minimum of 2GB for the operating system partition of the server. If you’re so poor that you can’t afford new disk space, even though you have the room to install Windows 2000 now, chances are you won’t have the room to grow it in any way—in the form of applications or added services.

Networks that struggle along with garage clone computers (or computers that you hand assemble yourself), that use ”borrowed” software, that skimp along with the least they can get away with—these are not good candidates for a big powerhouse OS like Windows 2000.


www.sybex.com


299

This deployment is going to take more money than the software will cost you—it’s going to take serious bucks in the form of infrastructure, server, and workstation upgrades. It’s a fact, and knowing it up front helps you make your decision early on.

The HCL is even more highly thought of than in earlier versions of Windows NT. Why? Because of Windows 2000’s plug-and-play features. The drivers portion of Windows 2000 itself is a huge chunk of code! Windows 2000 can find a lot of hardware. But throw some older device at it that’s now exotic or, even worse, defunct, and you have a plug-and-play problem. The computing device, equipped as it is, is what you need to measure against the HCL. It’s not enough to say, “well, my drives are Seagate drives so I’m good to go;” the sum of the components in the computer must be on the HCL.

Need quality HCL information? Check out www.microsoft.com/windows2000/ upgrade or www.microsoft.com/hcl.

The Middle-of-the-Road Network The final portion of this puzzle is the network that’s growing, that expects you to plan for its growth, but has moderate resources to give you as you go forward. Is it possible to deploy a Windows 2000 network in this kind of situation? I think it is, but you have to be patient and diligent. Your one-year plan turns into a three-year plan. You install Windows 2000 on one or two DCs that are on the HCL and, as you get a little money, you upgrade another server and put Windows 2000 on it. When you visit a workstation to re-burn the OS for a user, if the workstation’s on the HCL and can handle Windows 2000 Professional, you go ahead an install it. In other words, you piecemeal the deployment as you get the opportunity and financing to do so. Eventually, all users and servers are up on Windows 2000, and the time comes when you can convert AD from mixed mode to native mode. But that day isn’t in the here and now; it’s a long way down the road. If you can live with that principle, you can make this design happen. The big caveat here is that you must communicate to management that this is your design intent and you don’t want to waver from it. You communicate to them that you’re looking for buy-in on their part, for joint


www.sybex.com

300

Chapter 7


ownership of the idea. They’ll like the idea because you’re taking your time; you’re not breaking the bank as you go (and you may not be as likely to leave the company because you have this mission to accomplish). You’ll like the idea because you can deploy Windows 2000, just not as quickly as you’d like to. And here I’m going to make a broad statement: I think that a slower methodology like this affords you the time to learn the ins and outs of the system—to really get comfortable with its nuances. By the time three or four years have elapsed (and we’re on Windows 2004), you’ll be completely comfortable with how this OS works and how it’s supposed to respond.

Earlier, I said that you need to be visionary and forward-thinking. Now I’m counseling you that slow and steady wins the race. Well, which is it? It’s actually both. I think you’re fine when you use visionary thinking, but put some practicality to it as well. For example, when gigabit Ethernet solutions came out, would you have been the first one on your block to purchase a gig switch for your switch closets? Probably not. So, now that Windows 2000 is out, will you go out and install it without first doing your homework and making sure you know how it fits into your enterprise? Again, probably not.

Design Scenario: The Company That Doesn’t Think It Needs Windows 2000 You work for a moderate-sized enterprise, about 500 users. There are a halfdozen servers that are big enough to handle a unified workflow methodology (two of the servers do basic logon and TCP/IP functionality for the network; the others are apps, file, and print servers). The servers are all running Windows NT Server 4, all equipped with SP5. The majority of your users are on either Windows 95 or 98; you, in fact, are the only user on Windows NT Workstation. You really want to go forward with a Windows 2000 deployment. You think that the OS is more solid than Windows NT, that it has tons of new features to offer and, frankly, you need a good, solid technological kick in the pants. You’ve been administering this same old tired network too long!


www.sybex.com

Summary

301

You install Windows 2000 Server on a machine at home and play with it a bit. You get semi-comfortable with it, and you’d like to begin planning a deployment at work. You work up a design and present it to management. It’s met with a solid ho-hum. Some of the managers don’t like the idea of spending the money; others don’t like giving up Windows 95 and having to re-train on a new OS (not to mention spending the money to upgrade their computers to run the new system). Others just simply don’t see the need for the upgrade. What do you do? Is there a way to make them see that this upgrade would be good for them? Unfortunately, networks like these still exist all over the country. Some of them are running NetWare 3.11 on 10Base-2 (that’s right—coaxial cable with barrel connectors and terminators). Others are still running LanMan Server. Some are even still running Windows NT 3.1 or 3.51; I daresay some are even still running LANtastic or Invisinet. You are stuck with a company that doesn’t have a technological vision, but probably does have a business vision. You’re going to have to face the notion that the managers are looking at what’s best for the company’s health, and this upgrade just does not make good economical or practical sense to them. You have one of two choices: live with the decision for the next few years or polish up your résumé.

Summary

Finally, a chapter that gives you a reading break! The last few have been pretty long, but this one was nice and short. In this chapter I talked about analyzing end-user work needs. I identified several different categories of users and spent some time analyzing end-user behaviors. While watching users is a good method of figuring out patterns of usage, you can use more sophisticated techniques such as performance monitoring and network sniffing to gain greater insight into user behavior patterns. Neither of these techniques yield absolutely scientific results. Typically, internetworking experts will be able to help with network sniffs to obtain usage patterns. Finally, I talked about planning for growth and came up with three different scenarios in which you might find yourself trying to plan a Windows 2000 rollout. I talked about the (fortunate) possibility of working with a


www.sybex.com

302

Chapter 7


company that is growing rapidly and can afford to throw lots of money at the project. You’ll be allocated everything you need to make it succeed. That’s a great thing, finding yourself in this position. But there are very poor companies or organizations where you might find that it is truly impossible to roll out Windows 2000, simply because you don’t have the money for the needed infrastructure, even if the organization is on a growing spurt. And there is the middle-of-the-road company—one that wants you to watch your budget, but also to go forward with the rollout as best as you can. Caution is advised here, because you’ll be tempted to save money when you really should be spending it! Of the three growth patterns, working for a poor entity is the hardest, because you may be forced to completely jettison any Windows 2000 upgrade plans until things are much better.

Key Terms We’ve got some terms to add in this chapter. The following terms were used in this chapter and should find their way into your vocabulary. Hardware Compatibility List (HCL) power user Remote Installation Services (RIS) Vax


www.sybex.com

Review Questions

303

Review Questions 1. What would be one way to analyze end-user usage patterns? A. Performance Monitor B. Task Manager C. HP OpenView D. Observation 2. What’s a good way to plan for the growth of your network? A. Regularly speak with management about their future plans for the

company (and hence your network) B. Get users off of the mainframe C. Migrate the network to Windows 2000 D. Observe users 3. Choose an end-user work need. A. Hub B. Ergonomically comfortable work environment C. Uninterruptible power supply D. Regular breaks 4. Which of the following qualify as user work needs? Choose all that are

correct. A. Connectivity to e-mail systems B. 21" monitor C. Connection to the network D. 800MHz processor


www.sybex.com

304

Chapter 7


5. You are observing the network to see if you can figure out its heaviest

use times. What are you analyzing? A. End-user work needs B. End-user usage patterns C. Growth characteristics D. Network utilization 6. You work for a company that has manufactured the same kind of

candy for a hundred years. The manufacturing process doesn’t change much, nor do the quantities of candy that the company sells. How should you plan for growth? A. There is no growth to plan for here. B. Anticipate some minor growth. C. Grow the network at a moderate pace. D. Plan for rapid growth. 7. You work in a plant that is open 24×7×365. What will be the most

fundamental assessment you’ll have to make about your end users? A. Usage patterns B. Work needs C. Network connectivity D. Growth plans 8. You have a huge set of engineering power users to worry about. What

work need are they most likely to have? A. State-of-the-art PCs B. UPS C. Fluorescent lighting D. RAID array


www.sybex.com

Review Questions

305

9. What are some protections that you can place on user computers—

counting them as work needs although users may not see it that way? Choose all that are correct. A. DHCP leases B. Virus scanner C. Profiles D. Windows Installer packages 10. Of the following companies or organizations, which one is the most

likely to be subject to continuous aggressive growth? A. Not-for-profit organization B. High-tech start-up C. Large publicly-held corporation D. Medium-sized publicly-held corporation


www.sybex.com

306

Chapter 7


Answers to Review Questions 1. D. Simple observation is probably one of the better techniques you

can use when it comes to analyzing user patterns. Performance Monitor can help yield information about users attaching to resources, logons per second, and other such information. The Task Manager reveals memory, CPU, and other information about servers and workstations. HP OpenView will yield SNMP information and will be helpful for tracking how the users and their usage patterns are impacting server performance. 2. A. Of all of these answers, A is the best choice. 3. B. While C is a great answer, B is the most significantly important one

that will impact user’s work needs. 4. A, C. Differentiating between needs to have and nice to have is a

tough decision that administrators make about end-user support on a daily basis. Where needed, A and C are valid choices. Answer D probably falls within the “nice to have” category; most users could get along nicely with less. 5. B. You’re trying to assess end-user usage patterns. 6. C. Odds are that, even though the manufacturing part of the business

is fairly uniform, the company has a sales data mart in place, tracking where, when, who, how, and why the candy is sold and how that varies from store to store and demographic to demographic. (Plus, since there is a lot of consolidation in the candy market lately, it’s a safe bet that this company will either be bought or buy a competitor themselves.) So, while you might be tempted to say there is no growth plan, chances are they’ll actually grow at a moderate pace. 7. A. User usage patterns will be a very important consideration to you

with a network like this. Especially important will be considerations such as using the Windows Installer to provide packages to end users. If the net is always in use, which shift should be the one that gets the packages?


www.sybex.com


307

8. A. The other needs are nice, but engineers will most likely demand

very high-tech PCs. 9. B, C, D. Virus scanners are a protective feature that keeps users safe.

Profiles keep users from doing harm to themselves, as do Windows Installer packages. 10. D. Of all of these answers, B, C, and D are all highly possible. You

might be tempted to select B, but it’s more likely that they’ll sustain a period of rapid growth and then even out until after the IPO. Large corporations don’t necessarily grow aggressively, but they do grow. Medium-sized corporations, especially highly successful ones, are the most likely sources of phenomenal growth.


www.sybex.com

CASE STUDY

308

Chapter 7


The Large Shoe Retailer


Current System You are the network manager for a large shoe retailer with stores all over the U.S., several in Canada and Mexico, and even some in Europe—about 1,300 stores in all. The company has made it clear to employees and shareholders that it’s poised for growth and will continue its European growth. In the spring, it plans to move into Asia. Each of the stores are equipped with point of sale (POS) terminals that use Windows CE and can use Ethernet to upload the day’s information to the servers at your headquarters office. Also, the back room of each store has a Windows 95 workstation that the manager can use to send e-mail, maintain corporate spreadsheets, and enter sales and ordering information into the proprietary client/server GUI that talks to the headquarters office SQL Servers. Because the company tries to be prudent in their enterprise connectivity, the speed of the connections from the retail stores to HQ often isn’t all that impressive. Your charge is to update the network to Windows 2000 without hindering the POS terminals (which work fine). You are also supposed to consider whether to get rid of the client/server GUI and replace it with a terminal server connection to a very high-speed server at HQ (which would also run the GUI), minimizing the speed problems that managers experience at peak load times.

Problem Statement Your biggest problem is that you’re not sure whether the terminal server component is necessary. Yes, it’s a pain in the neck to prepare new updated machines for periodic replacements for the managers, but on the other hand you’re not convinced that the terminal server method is all that it’s cracked up to be either.


www.sybex.com


309

Overview Your boss, the CIO, has told you that she would really like to see this terminal server thing work. But if it doesn’t seem plausible, the next best thing would be to adopt a plan for steadily migrating the manager PCs to Windows 2000 Professional, which would require a hardware upgrade on two-thirds of the computers. CIO “We’ve looked at the usage patterns of our managers. In most cases, managers don’t sign in to the database system until well after closing, often right around midnight, and it just absolutely hammers the system. We get lots of complaints that managers think they could go home earlier if the network wasn’t so slow and if the GUI didn’t crawl along. We think the terminal server part of Windows 2000 will really help this part of it. Obviously we can’t control when managers find the time to be able to log on and work, but we can try to make things faster. But if I can avoid updating all those computers at once, I’d rather go that route. Changing out managers’ PCs is a very expensive proposition.”

Availability The system has to be up around the clock. Managers have the ability to come in any time in order to key in the day’s work. You’ve had some fairly serious outages in the past, and managers aren’t happy about it because it means they have to make double the entries the following night.

Maintainability Overview You have to admit that the maintainability of the terminal server component would provide fewer hassles for the NT admins. If they only had to change one GUI instead of thousands, life might be easier for them. On the other hand, you need the terminal server client anyway, so you’re not sure if there’s a difference there. You could use Windows Installer and Group Policy Objects (GPOs) to download the GUI updates on a regular basis, so the jury’s still out on the terminal server component.


www.sybex.com

CASE STUDY

Envisioned System

CASE STUDY

310

Chapter 7


CIO “As you’re probably aware, the managers have, in times past, managed to delete the GUI, and we’ve had hassles getting a copy to them so they can work again. If you can make sure that the managers can’t shoot themselves in the foot this way, then I’d be amenable to looking at keeping the GUI and not going forward with the terminal server solution.” NT Admins “We’ve been downloading the GUI through logon scripts for years now. The process works fine. If you have a better method, we’ll take a look at it.”

Questions 1. What is the end user’s primary work need? In the chart below, order

the work needs of the end users from highest priority to lowest. Work Need

Work Need Improved hours Faster WAN connectivity Better performing computers Ability to work during the daytime hours Round the clock support No loss of data

2. What would you say is the main usage pattern in this complicated

network? A. Round-the-clock usage B. Between the hours of midnight and 3:00~AM C. Between the hours of midnight and 8:00~AM D. Between the hours of 6:00~PM and midnight


www.sybex.com


311

WAN connection speed? A. Less data travels across the network. B. There’s more security for NT admins. C. Only one GUI update is required when new GUIs are written. D. Managers could keep PCs longer. 4. How does this Windows 2000 rollout affect the company’s above-

average growth plans? Choose as many reasons as apply. A. The terminal server implementation would help facilitate growth. B. Using Windows Installer to provide updated GUIs would help

facilitate growth. C. There is no effect on the company’s growth plans. D. The terminal server implementation would adversely affect

growth. 5. What is the biggest technical-support hurdle you have to overcome? A. Testing and verifying that terminal server is a viable approach B. Testing the installation of new GUIs via Windows Installer C. Curbing slowness on the WAN as managers log on D. Preventing hackers from getting into the system


www.sybex.com

CASE STUDY

3. How would Windows 2000 terminal server services improve the

CASE STUDY ANSWERS

312

Chapter 7


Answers 1. See chart below.

Work Need Faster WAN connectivity Improved hours Round the clock support No loss of data Better performing computers Ability to work during the daytime hours While the answers are subjective, the main problem is the speed with which managers can file their order-entry work. Terminal server might indirectly improve WAN connectivity because you’d be moving the net from 2-tier client/server to thin-client/server. 2. B. C looks like it might be a correct answer too, and indeed there

might be some managers that are logging on after 3:00 A.M., but that’s probably because the network isn’t available until then because it’s so heavily in use. It’s probably a safe thing to say that managers don’t want to stay that late. Answer B is the most predominant usage pattern. 3. A. Windows 2000 terminal server provides the ability to run apps on

a fast server and send the user the data, thus cutting down on the local PC’s processing. This would definitely trim down the WAN connection time per user, because less data would have to cross the network and thus the managers could go offline sooner. The effect would be marked in terms of freeing up network bandwidth. 4. A, B. Any time you can automate processes and offload the time that

it takes for technicians to visit PCs and install new software, you’ve augmented the network’s capability to grow. This would be true of either A or B. Now which is more practical is up to you. 5. C. The problem is the slowness that managers experience when they

log on for the night in order to fill out their order entries. Whatever method you use to solve the problem, that’s your biggest hurdle to overcome.


www.sybex.com

Chapter

8

Analyzing the Current Disaster Recovery Strategy MICROSOFT EXAM OBJECTIVE COVERED IN THIS CHAPTER: Analyze the existing disaster recovery strategy for client computers, servers, and the network.


www.sybex.com

I

t’s amazing how we have one little test objective listed for the entire chapter. But this objective is so all-encompassing, so full of potential detail, that we must examine it very thoroughly. On top of that, this particular objective is so vital to a network’s well-being that it deserves to stand on its own. You can see that the objective has three parts: client computers, servers, and the network. We’re asked to examine the existing disaster recovery strategy, but the purpose behind this is an eye toward improvement, especially as we venture forth into the Windows 2000 environment. How will Windows 2000 help us in our quest for more disaster-proof networks? Does this new operating system provide us with more tools than we currently have in our kit? Are we adequately prepared today for any kind of disaster recovery? If not, how do we get there? Further, there is some room for examination of exactly what is meant by disaster recovery, so this chapter starts with a discussion of the difference between that and fault tolerance. They are two very separate things. Once the concepts are defined, the chapter will trace their application through your system. First, we delve into the topic of fault tolerance and disaster recovery for client computers, and then the same aspects for servers. We’ll wind up the chapter by going over the same concepts at the network level. From a practical standpoint, we are highly interested in making sure that the network is as fault-tolerant as we can make it and that we have a solid disaster recovery plan in place, should the very worst happen.


www.sybex.com

Defining Fault Tolerance and Disaster Recovery

315


T

he differences between fault tolerance and disaster recovery have been known in the mainframe, Vax, Unix, and AS/400 worlds for decades. Can you safely say, as one who works in the PC/network universe, that you know the difference? It’s a question that is vital to you and your network. So before we go forward with a discussion of the various components in your network and how you apply fault tolerance and disaster recovery techniques to them, we need to clarify the differences so we know what operational platform we’re on when we talk about the two.

Fault Tolerance Providing fault tolerance means assuring that a system is protected from some sort of catastrophic event, be it a disk failure, power outage, or other anomaly. Systems might need to be protected from several different kinds of failures or anomalies, so it’s possible that you’ll have to apply lots of different techniques in order to assure yourself that a given computer or system component is adequately covered. Fault tolerance is like a little insurance policy that you give to yourself—making sure that, in the event of a failure of some kind, your computers and system components keep running until you can fix them. There are many different methodologies you can employ in fault-tolerance planning, some of which I’m sure you’re aware of. We’ll discuss these methods throughout the chapter, and we’ll include fault-tolerance methodologies used by Windows 2000 to help you move toward your goal of a reliable, fault-tolerant network.

Redundancy When possible, add redundant features to the servers and workstations that require it. Dual power supplies, for example, are an excellent idea in both servers and network apparatus. You can often equip network components such as routers and switches with a redundant power supply (RPS). You run a second cable from the extra socket on the back of the switch or router to the RPS. Then, if the device’s power supply fails, the RPS takes over and alerts administrators that this has happened. Of course, an RPS also has two power supplies. Of course, all of this redundant-power backup work does no good if your computer room isn’t hooked to a generator and the power goes out. Multiple cooling fans in devices is another example of redundancy.


www.sybex.com

316

Chapter 8

Analyzing the Current Disaster Recovery Strategy

RAID RAID systems have come a long way. It should be fundamental network administration for server hard drives to be hooked to a RAID array controller card, and either a mirror or RAID 5 array should be implemented on the disk set. Yes, purchasing a hardware RAID array controller card will add another $1,000 or so to the server bill, but it’s worth it. Not only will the fault tolerance of the server improve, but throughput will as well, due to the addition of the disk I/O management capabilities of the RAID array card. Some higher-end servers have drive bays that are hooked to two different on-board SCSI (not RAID array) adapters. Thus, you can set up several drives on bay A, for example, and several on bay B (as demonstrated in Figure 8.1). If the SCSI adapter goes on bay A, where is your fault tolerance? You need that RAID array controller card! If you were to purchase two RAID cards for such a high-end server, hook one to bay A and one to bay B, then you’d have fault tolerance. FIGURE 8.1

Modifying a server with a RAID card

SCSI A SCSI B

Motherboard Drive bay A

Drive bay B

Drive bay A

Drive bay B

RAID array card

Motherboard


www.sybex.com


317

A high-end server will typically include two SCSI adapters embedded in the motherboard. A SCSI cable connects drive bay A and another connects drive bay B, as shown in the top diagram. If SCSI adapter A on the motherboard fails, drive bay A goes down, but B could continue working. The problem here is, if the operating system is on bay A, it doesn’t matter whether B is working or not! Where’s the SPOF in this picture? Actually, you have three: the motherboard and each embedded SCSI adapter. If a drive in any of the bays goes out, the data on it is lost. If you change this server by adding a two-channel hardware RAID array controller card (bottom diagram), you can now hook drive bay A’s cable to the first channel on the card and B’s to the second. Then you can mirror the two bays and create different arrays within that mirror as you see fit. You gain two benefits from such a method. First, fault tolerance is drastically improved because the drives are mirrored. Second, disk I/O is managed more effectively. You still have two SPOFs: the mother– board and the RAID card. You could clear the up RAID card SPOF by simply adding one more RAID card. You won’t be able to get rid of the motherboard SPOF without clustering. The basic RAID configurations that you’ll be interested in are RAID 1 (mirroring) and RAID 5 (striping with parity). Often you might want to mirror the drive the OS is installed on, so you’d implement a mirror. Both are good, but you’re better off on a RAID 5 array because access is faster and it doesn’t burn as many hard drives.

Clustering The technique of clustering is very old and proven in mini-computing environments. In PC networks, the methodology is much newer. Microsoft’s first foray into the world of clustering came about with Microsoft Cluster Server and was only available on Windows NT 4 Enterprise. Clustering is an integrated component of Windows 2000 Advanced Server and Datacenter Server; you simply install, enable, and configure. It’s not available with Windows 2000 Professional or Windows 2000 Server. The concept of clustering is that you have two identical computers standing side by side. They can talk to each other through a heartbeat cable that connects them. Clustered servers often follow one of two paradigms: both cluster boxes talk to a single RAID array (such as in an EMC cabinet), or they’re both identically configured with the same applications. Clustering works best with file servers or with cluster-aware apps; it does not work well


www.sybex.com

318

Chapter 8


with devices that require special hardware additions where the systems are specifically addressed by apps. Clustering in NT is something that didn’t garner a whole lot of usage. The jury’s still out on whether Windows 2000 clustering will catch on or not.

Power Conditioning/Power Protection This aspect of fault tolerance deals with the idea of providing steady power flow to the servers. Not only is it a good idea to prevent the servers from experiencing a power outage, but it’s also good to reduce fluctuation in the voltage that the servers receive.

Power Generation Some companies go so far as to provide backup power generators for their server rooms so that even if there is a prolonged power outage, the servers can be gracefully downed instead of experiencing a dirty shutdown.

Disaster Recovery Where fault tolerance means building in protection against emergencies, disaster recovery (DR) is making and testing a plan for the complete restoration of critical systems in the event of a catastrophe, after the fact. Suppose, for example, that a huge flood hit your company over the weekend (when nobody was there, thank goodness). The server rooms were totally flooded out, as were the switch closets and the majority of the user workstations. The floodwaters got so high that essentially everything was under water (at least on the first floor). This may be good news to some, because they won’t have to go to work for a while; but to you it means chaos and disaster. How are you possibly going to replace all of those servers? More accurately, how are you going to replace the data that’s on them? That’s the DR question. It is not good enough to have a DR plan; it’s vital that we also periodically go through a DR test, so our plan makes sense and includes recent changes. Of the two elements of physical network security, DR is by far the more esoteric to try to accomplish and, though probably never needed, will be the most important if that catastrophic day ever arrives. You can employ some interesting DR techniques. For example, you can create a sophisticated setup where you copy the data on your network, in real time, to another repository using something like Legato Octopus (www.legato.com). Real-time data mirroring, as this is called, allows for


www.sybex.com

Establishing Fault Tolerance and Disaster Recovery for Client Computers 319

data to be copied from one server to another, preferably one that’s offsite, in order to protect that data. There are variations on this theme, but it’s a good (and expensive) DR strategy. Recovering from backups is another part of a good DR plan. Tape backup operators, the administrators who maintain the system, are charged with making sure that the backups are reliable and that they occur on a regular basis. The majority of corporate backup systems are not very reliable; backups are missed, and if managers only knew how poorly they were backed up, they wouldn’t sleep well at night. Yes, there are solid, reliable implementations of backup operations, but they’re reliable because they require meticulous care and maintenance and somebody (or lots of somebodies) makes sure they get it. Tape backup systems are not “set ’em and forget ’em” as one might imagine. These systems require a plan for backing up the servers and critical workstations on your network; this plan must be revisited frequently, as your network changes almost constantly. Many tape backup systems require that you install a software agent on each computer.

Establishing Fault Tolerance and Disaster Recovery for Client Computers

C

lient computers are troublesome, aren’t they? Think about it for a minute. People use their computers day in and day out. Every day, users log on, pound away at the keyboard, and save files—some of them to the network, some of them to the client computer hard drive. Question: How much company-critical data is on client computers, data that’s not being stored on backed-up file servers? If the entire network were to experience the flood we talked about above, how much of that client computer data is irreplaceable? I’m not talking about the user’s résumé or that cooking shareware that he downloaded one day or the millions of joke e-mails that she saved in her PST file. I’m talking about the end-of-year report that Bob the controller was working on and failed to save to a file server before the weekend that the flood hit. How about the price sheet that the sales office had spent an entire week working up and that, unfortunately, was being saved to a client computer hard drive that wasn’t being backed up? You were flooded, and the price sheet is just a bunch of soggy bits now. Just before the flood, the engineers were prototyping a new technology they were getting ready to roll out


www.sybex.com

320

Chapter 8


to production. The schematics were still on Joanne’s hard drive and hadn’t yet been uploaded to the SQL Server repository. One of the developers, “Doogie” by nickname, had whipped up a neat little JavaScript applet that he was going to implement in the company’s Web site on Monday. He hadn’t saved it to the network, though, and now he has to reinvent the code. What do you do with client computers that contain lots of companycritical information? I can hear some of you letting out a great big Harrumph! You’ll tell me that this kind of situation is the end user’s fault. They should’ve been saving to the S: drive like you taught them way back when. Maybe now they’ll start doing that! True. Maybe now they will. But moreover, aren’t you the caretaker of the company’s data? It’s true that you can’t be everywhere all the time, knowing what everyone is saving, but it’s also true that you can make a protracted effort to assure yourself (and the company) that critical data like this is taken care of. So let’s see if we can put our heads together and come up with some ways to handle these situations so you’re protected next time.


Analyze the existing disaster recovery strategy for client computers, servers, and the network.

Step one will be to look at user behavior (using the information we examined in the previous chapter). Hopefully, you’ve examined your user behaviors, and you know who your power users are—the critical ones who save lots of important files to the local disk. You have to target these individuals first, making sure that you have some fault-tolerance methodologies in place for them. Step two is to communicate strongly. Make sure that all end users understand that company-critical data needs to be saved to file servers, not to the local, unprotected drive. You can do this in a variety of ways: periodic cautionary e-mails, one-on-one conversations, company meetings, training opportunities. The word needs to be put out repeatedly that users must save critical files to backed-up environments. Some users won’t understand what you’re talking about, so it’s always good for network managers to take the extra time to explain to naïve end users what is meant by saving the files to a network drive and then show them how to do it. I’ve found that users are


www.sybex.com


usually anxious to be sure they help maintain a safe computing environment, but often they just don’t know how to help.

Some end users save their personal data to the home or shared drives on file servers and the company data on their local PC, somehow thinking it’s safer that way!

Implementing Fault Tolerance on Client Computers What kinds of things can you do to the local end-user computer to make it more fault tolerant? Are there steps that you can take to assure that crashes don’t occur as frequently, files are not lost, and data is backed up? Indeed, you can take several steps to minimize the danger to end users.

Fault-Tolerant Workstations Most end users don’t require fault-tolerant workstations, but some do: some of your developers, engineers, legal people, accountants, marketing folks, and other power users like them. When I say “fault-tolerant workstation,” I don’t mean giving the user a personal tape backup unit hooked to their computer. I mean that you might consider a SCSI-based upper-end workstation equipped with a RAID array card, with added multiple hard drives in a mirror or RAID 5 array. I do not pretend to advise you that all users should be so equipped, but your power users are worthy of such consideration.

IntelliMirror Windows 2000 Professional workstations operating in Windows 2000 Server environments lend themselves very well to the IntelliMirror concept. The idea behind IntelliMirror is that, while you’re hooked to a network, the system is keeping track of changes and synchronizing the local copy. If the network goes down or you take your laptop home, you have a local copy to work on. Then, when you get back to work, the files sync up and you’re back to working on a network copy. What’s the inherent problem with IntelliMirror? It has the potential to be very bandwidth-intensive, and nets that don’t already have excess bandwidth might find themselves sodden down with the extra load.


www.sybex.com

322

Chapter 8


Editing Work on Server-Based Home Directories All users should be provided with a home directory on a server—a place where they can keep important work files. These home directories should be part of the nightly tape backup jobs. That way, if a user somehow deletes a file or it becomes corrupt, you can then restore the last good backup of that file back to the home directory. This technique has been in use for years. There are two problems associated with this technique. The first one is that administrators may not provide adequate disk space for their users to keep all the files they want to save in their home directories. NetWare servers allowed you to actually lock down the amount of space that users could occupy on the servers, and Windows 2000 follows suit with quota management software that does this kind of thing. Users who like to copy non-business files to the server wind up using space that’s better reserved for files necessary to the workplace. A second problem with the home directory technique is that users often don’t make use of the space. You can lead a horse to water, but you can’t make him drink, and nowhere is this proverb more the case than with serverbased home directories. You have a training issue on your hands.

Installer-Based Applications Any applications installed using the Windows Installer will be a blessing for administrators. If, for some reason, the user decided to delete, say, Office 2000’s Winword.exe, the Installer will put the file back; it’s a “dumb user” protection device. It’ll probably work really well with cowboys too, providing you can figure out ways to download registry keys and other updates via Installer packages. The Installer is a Windows 2000 service, not an application generation tool. You’ll need a way of generating .msi files that you can download to Windows 2000 users and the Installer will handle the rest.

Policies and Group Policy Objects Lots of network administrators have discovered the beauty of policies on Windows NT workstations. When a user logs on, he launches a policy that locks him out of (admin-defined) critical areas of the computer. In the Windows 2000 arena, you use group policy objects (GPOs). GPOs are policies that run in Active Directory and are easier to administer than the old Windows NT 4 policies.


www.sybex.com


Windows File Protection Application installation programs are not allowed to write the Winnt\System32 directory. By default, Windows File Protection will allow a temporary overwrite of a critical system DLL, but upon reboot Windows restores the old DLL that was in the directory to begin with. Not only that, but applications that are trying to overwrite system files cause Windows 2000 to put up an error box telling you that this is happening and that it’s not going to be tolerated. This very cool feature keeps application installation programs from hosing up computers. What about the apps that actually require the DLL they’re trying to install and not the other version that’s already in the Winnt\System32 directory? Developers have been given the ability to put a tag file in the application installation’s directory and place the DLL files there instead. This way, when the application is launched, it checks for the instance of the DLL in the application installation directory instead of the system directory.

Implementing DR on Client Computers Perhaps the biggest disaster recovery step you can take with client computers is a proactive one: make sure that end users understand that critical business files need to be saved to file servers for safekeeping. Ask yourself this question when considering DR (on client computers or otherwise): “What parts of the system can I not recreate with standard techniques?” This question will help you identify absolutely critical parts of end-user systems that have no other replacement option. What is irreplaceable on these machines? The answer, of course, has to be data files. You can probably replace almost every other component of the system (drivers, OS, apps, etc.), but you cannot replace files that the user created. So your job is to coach users to understand that their files need to be saved to servers, not the local machine. This might seem to contradict our earlier fault-tolerance discussions, but all the fault tolerance in the world still needs human effort. Even if your user has a RAID controller on her computer and three hard drives set up in a RAID5 array, if two drives go bad on her computer (don’t think it doesn’t happen—it has happened to me!), then you’re in the weeds and the user is out of luck. IntelliMirror would come in handy in a situation like this, but you still need to have users keep files on server hard drives that are subject to regular tape backups.


www.sybex.com

324

Chapter 8


Another option—probably one you’d use for users who have to locally keep highly sensitive or mission-critical data that must be privy to regular backups—is to install a backup agent on their PC, then regularly back them up over the network. I don’t like this methodology very well, because it leads to turf wars and jealousy about who’s being backed up. But you do indeed have this option.

Design Scenario: Determining to Package Applications In the midst of your Windows 2000 design, you begin to realize that part of your fault-tolerance methodology will be to “push” software-installation packages to users instead of using the old manual method, where PC technicians visit the computers and run through a personal installation procedure. This kind of hands-on application installation takes time, cost lots of money, and is somewhat error-prone. Having recently upgraded to a 1000Base-T environment, the network’s bandwidth can support the extra load that this packaging effort might create. You purchase a third-party repackage utility that can create .msi files and decide that all new packages will be packaged as Windows Installer files so that you can advertise them to your Windows 2000 Professional users. Which packages will get this treatment? Simply any software, registry keys, or files that you need to drop on the user’s hard drive and that the Installer can assure will be replaced if accidentally deleted. This methodology, of course, requires Windows 2000 Professional workstations. It also requires that you understand how to package files using repackage utilities (something that’s not all that hard to learn).

Windows 2000 Server and Professional disks come with a light version of Winstall by Veritas, which creates MSI files (cd\valueadd\3rdParty\mgmt\ winstle). For more functionality, you can buy the full version of this or other packaging software.


www.sybex.com

Establishing Fault Tolerance and Disaster Recovery for Servers

325


N

ow we come to a subject with much more depth: how do you provide fault tolerance and solid DR techniques to servers? Here you’ll find that you cannot make unilateral decisions the way you can with workstations. You must examine each server separately, writing down the things that are installed on the computer and then making decisions about the fault-tolerance and DR methodologies you will put in place for that server.

Implementing Fault Tolerance on Servers Suppose for a minute that you’re working with a print server. This was a Windows NT 4 server in a previous life, but it has had a Windows 2000 Server upgrade and is participating in your new network as a print server box. There are maybe 30 or 40 printers set up on the computer (in the terminology here, “printer” means the print queue you’ve set up on the server; “print device” is the actual printer itself) using LPR ports. There are no other exotic services running on the computer, nor are there any apps. This server is a print server and nothing more. Before you upgraded the computer, you checked the HCL for this product and found that it was fine. You did a quick run-up on the hardware that’s installed and found the box to be RAM-starved. So you purchased a second DIMM for the computer, boosted its RAM up a bit, and installed Windows 2000. The computer has two hard drives that are put together in a mirror using software RAID. Question: What’s wrong with this fault-tolerance picture? I would say, the software RAID portion of the computer. Purchasing the RAM was a fine idea, but you also need to purchase a hardware RAID array controller card. Why? Because you’ll get some added I/O performance from the card, but more importantly you’ll get increased comfort knowing that hardware is handling the mirror and not software. I would always trust hardware RAID over software implementation.


www.sybex.com

326

Chapter 8


Why don’t I trust software RAID? Because when I was a newbie administrator working for a very poor company that couldn’t afford exotic things like RAID array controller cards (which were just becoming a regular thing in the industry), I got burned by Windows NT Server 3.51 software RAID—burned bad. Since then, I’ve never used the technology, and I’ve always recommended hardware RAID. There are just some things worth the extra few bucks it takes to buy some security. Windows 2000 does indeed support the same levels of software fault tolerance as previous versions (Windows NT 3.51 and 4.0). But you must use them on dynamic disks.

Besides the things that we talked about for client computers, are there extra things that you can do for servers? There are two things that will really go a long way toward bringing fault tolerance to a high level in servers: redundancy and clustering. For example, in the print server mentioned above, what else could you do beyond providing a hardware RAID card and setting up a mirror to make sure that the computer didn’t fail? Would dual processors help provide fault tolerance? Absolutely! While you would only gain marginal increases in performance (because Windows networking printing is predominantly a RAM thing), if the CPU croaked for any reason, you’d have a redundant backup to take its place. Now, is it worth it to go to the expense of purchasing a dual-processor computer for a print server? That’s a question you’re going to have to answer, but it’s pretty obvious that a print server with 40 printers on it is busy and will be sorely missed if it’s out of service for any length of time at all. Would dual power supplies be useful in a print server? Again, it’s pretty obvious that if one power supply failed, you’d save users a lot of grief if another could keep the computer running until you had a chance to down it (after hours, of course) and replace the power supply. “But redundant power supplies in a print server?” you sniff. Well, let’s just do some rough calculations—very rough. Suppose that 500 users are using this print server to print documents to the 40 printers. Suppose this print server goes down and those 500 users can’t print for, say, four hours. Further, just for pure guessing’s sake, suppose that each user makes $15.00 per hour and the print server outage costs an average of an hour’s work per user. That little outage cost the company $7,500—just about the cost of a fairly nice server! What do you think—is it worth your while to try to come up with a redundant power supply for this computer?


www.sybex.com


327

Hopefully these two examples have helped you think about the faulttolerance role of something as simple as redundancy. The phone company has a very reliable system. Is that because they purchase really good gear? Heavens, no! It’s because they have redundancy upon redundancy built into their systems. You probably don’t need to emulate the reliability of phone systems; you probably don’t have the money for it, nor is it necessary. But just a little bit of redundancy applied judiciously to servers that are highly utilized will go a long way toward making your end users feel safe when they use the network. Clustering is a much more complicated and detailed thing. Use clustering for a mission-critical file or applications server that you can’t afford to lose for any amount of time. Here’s the scenario: Users are on computer A and working happily along. The computer goes down, for whatever reason; the cluster software sees the failure and immediately transfers operation to server B. This event is called a failover. Does it happen that fast? My experience with cluster servers has shown that the failover takes several minutes, so users will definitely see the blip on the radar screen. It’s supposed to happen so fast that users don’t see anything unusual, but over and above all that, even if users see a temporary delay, clustering will save the day because inevitably the failed process does come back up and users can continue working. Windows 2000 Advanced Server and Datacenter Server support clustering.

Implementing DR on Servers Almost all administrators know a lot about fault tolerance; the techniques have been taught for years now. But something that few admins talk about, something as important as fault tolerance, is the idea of coming up with a great DR plan. You want a plan so solid and so tested that, if the day ever comes when the network completely goes toes-up, you’re ready to bring everything up from the ashes. That’s the heart and soul of DR. The question’s an important one: What will I do if something catastrophic happens, and I need to get this network running again with nothing but a handful of backup tapes? Of course, the backups are absolutely important to a DR plan. That’s all you have at your disposal when your servers are sitting there smoking, the water from the fire sprinklers still dripping off of them (actually, most computer rooms should be equipped with halon fire protection, but the water picture really drives the point home). That and a plan. But what if you’ve


www.sybex.com

328

Chapter 8


never actually practiced restoring things from tape? What if you’re not really sure that you can pull it off—that the SQL Server module you’ve been trusting all this time really wasn’t working? What do you do now that your CIO is staring at you with that vacant, hungry stare on his face, hoping against all that is good that you can make the company’s data rise again? The real key to DR is in the regular planning and execution of a DR plan. You design a DR plan, then you test it to make sure it’s going to work. Here are some very simple steps to take: 1. Write down the components that make up your server farms. Write

down each server’s name, its critical configuration information, the apps and services running on it, and its hardware configuration. You need to know what was on the servers in order to recreate them. 2. Get your backup jobs running in a very trustworthy fashion. If you

have problems with the backup jobs, figure out why and fix the problem. Make sure that your backups are executing as planned, day in and day out. That’s a very tall order and may require a dedicated person in larger enterprises. Backups require a regular calendar, documentation of the jobs that are set up on the system, and absolutely rigorous attention to maintenance and detail of the system. Make sure the tapes are routinely rotated offsite. 3. It would be wonderful if you had image CDs that you’d burned for

each box and could use in a DR pinch to get servers quickly back up and running. My problem with image CDs is that you have to regularly update them so they’re current, and you must have an offsite copy of the image software, just in case you need it to create a boot disk to restore the image from. 4. OK, so you know what’s on the servers, and you know for sure you’re

backing them up. Now test that theory. Set up a couple of restoration servers that closely mimic the real-world environment and practice restorations on those computers. (A restoration that’s directed to a different computer is called a redirection.) This step may require that you have users standing by ready to test the redirected application to assure that it works OK. Schedule a restoration drill every quarter or so, just to make sure that you’re in top form. 5. Finally, write down the steps you’ll take if there ever is a disaster.

Detail exactly what you’ll do, how you’ll recreate the servers, where the tapes are, what applications need to be restored first, and how you’ll validate that things are working correctly.


www.sybex.com


329

Some companies use third-party DR specialists to help them with all the details involved in a complete DR plan. But no matter how you do it, somebody needs to take charge of DR in your network. The more complicated the net becomes, the more you need a DR plan.

Design Scenario: Retrofitting Windows NT 4 Servers to a Fault-Tolerant Windows 2000 Network You’ve taken a serious look at your network, every piece: servers, infrastructure, apps, everything. You find that a couple of your more important servers are woefully lacking in fault tolerance. (Never mind disaster recovery—you haven’t even started down that road yet!) Specifically, you have an Exchange server that you’re very worried about. It has SCSI drives in it, but they’re not on any kind of RAID array whatsoever. Furthermore, your print server is on a desktop PC—not even a server—and it has one single, solitary IDE drive in it! Upgrading the Exchange box is going to be really ugly. You first have to back the computer up to tape. Then you must take the heart-stopping leap of faith by installing the RAID card, then formatting the drives using the RAID card’s utility. Next, you restore from tape. Sounds like it’s fairly easy, but there’s so much to go wrong! The print server’s a challenge as well. About 80 printers are set up on the server, and you have to do basically the same thing as with the Exchange server—format and start over. How do you get the print queues moved over? That’s actually pretty simple; you copy over two registry entries and a directory. Should you handle this work before or after the Windows 2000 upgrade? Opinions are like belly-buttons in that everybody has one, but I’d say that it’s better for you to bring the servers up on HCL-compliant gear, then upgrade them to Windows 2000.


www.sybex.com

330

Chapter 8


Establishing Fault Tolerance and Disaster Recovery for the Network

F

inally, we dive into the techniques you can use to provide fault tolerance and disaster recovery (DR) on the network and the infrastructure. The techniques are somewhat similar; redundancy is the primary key to network fault tolerance, but there are other techniques that you wouldn’t apply on the servers that you would on the network.

Implementing Fault Tolerance on the Network The key component for routers, switches, and hubs are redundant parts. Think for a minute about a switch sitting inside a switch closet like the one in Figure 8.2—one that’s connected to your core switch back in the main computer or network room. What’s the main SPOF that this switch is likely to experience? FIGURE 8.2

A common switch closet layout

Fiber-optic multi-mode (MM) cable Server or network closet

MM uplink card

Closet switches, 100Base-T

To users

100Base-T Cat5 cables

Typically you purchase uplink cards that match the type of cabling you have for the backbone. In the illustrated case, you’re running multi-mode fiber from one closet switch to the core switch in the server room. The core switch is usually a chassis-based cabinet that has multiple cards in it for different purposes. In this instance, you have at least one multi-mode card in the chassis so that it can accept multi-mode cables coming in from the closets. Beneath the main 100Base-T switch that has the uplink card in it, you have


www.sybex.com


331

two other 100Base-T switches. You run a cable from the RJ-45 port on each switch to the 100Base-T port on the uplink switch; the other ports go out to users. Everything on the switches comes in at 100Base-T speeds and, in this case, leaves the uplink port at gigabit headed for the chassis switch. The switches mix the incoming data, keep the collision domains down, and guarantee each user 100 megabits per second bandwidth. It’s a pretty cool setup. Note that some switches have regular cables that allow the switches to stack one on top of another, as shown in Figure 8.2. In either case, the result is the same—users talk to the switches at 100 megabits per second, and all data that is not destined for another user on the switch is uploaded to the core switch (and possibly out to a router). But the question remains: where is the SPOF in this design? That’s right! The uplink card definitely presents the biggest problem with this design. If the uplink card goes, three switches and multiple users are out for the count until you get things fixed. Perhaps there’s an Exchange or a SQL Server at the other end of the line; users won’t be able to hit it until you repair that uplink card. Now, you know what the next question is: How do you add some fault tolerance to this network design? The fiber optic cable has multiple pairs inside its sheath, so that if one goes out you can easily change pairs. The switches have multiple ports, so if one went out, it might be possible to just move the cable over one port and be on your way. But that uplink card—there’s only one of them and that’s where your problem lies. Probably the best fix for this design would be to purchase multiple uplink cards, perhaps even one for each switch (though that’s going overboard), and then have two fiber optic runs going into the closet. This way, if one uplink card went out, the other could pick up the slack and users wouldn’t notice the outage. Figure 8.3 shows the new setup. FIGURE 8.3

Adding a redundant uplink card to the switch layout

Fiber-optic multi-mode (MM) cable

Server or network closet

MM uplink cards Second uplink card and cable

Closet switches, 100Base-T 100Base-T Cat5 cables

To users


www.sybex.com

332

Chapter 8


Some patch panels provide multiple backbone ports that allow for redundant links to other closets. Switches often provide a redundant link capability that you can implement to provide extra fault tolerance.

The closet switches should also have some redundancy built into them. For example, it might be to your benefit to purchase a redundant or uninterruptible power supply for the closet switches. The core switch would provide even more fault-tolerance design issues. You’d want to have redundant cards in it, redundant power supplies, and possibly even redundant switch engines. Your goal with network gear is to look for SPOFs, spend the extra money to eradicate them, and assure yourself that the boxes you place in the network will remain up and functional. This isn’t always possible, of course, but with just a few extra bucks and some planning you can greatly decrease the amount of downtime your network users run into.

Unless you’re a network expert, go very carefully with VLANs and their implementation. VLAN technology is really cool and provides abundant methods for you to segment users, but if you don’t know exactly what you’re doing, you can get yourself and your users so hosed you’ll have to hire professional help to come in and bail you out. Take a class on your switch gear and understand VLAN technology before you dive in!

Implementing DR on the Network The DR rules you have in place for your network aren’t going to be nearly as important as the ones you use for your servers. Why? Because if your building gets caught in an earthquake, you can always purchase more servers and restore from images and backup tapes. But a destroyed network infrastructure isn’t something you can provide much DR readiness for. Your main concern with DR on networks and network infrastructures will be in the area of redundant links on your backbone (including WAN backbones, if necessary) and with your routers and hardware firewalls. When thinking about DR for your network in the event your company’s building completely craters, ask yourself what part of the business needs to come up first… and what next, and next after that. In other words, if your company is completely Web-oriented, after you get the basic cable plant


www.sybex.com


333

back up, chances are your link to your ISP is the first thing you need to establish. That means that you need a router that’s pre-configured and acting as a cold standby, probably offsite. It also means the same thing for any firewalls you may have had in operation at crater-time. Sound expensive? Oh, yeah! But how much is a day of your company’s downtime worth anyway? With some companies, it could mean the corporation’s demise, not to mention your job. With other companies, getting the financial servers back up on a solid infrastructure will be the primary goal. But always, your primary DR question is the one about what needs to be brought back up if the company’s physical structure completely goes away. It can’t be stressed enough that you need to practice, at least once a year, a mock DR run. You need to know what steps you’re going to take if the ultimate ever happens. Not that it will, but it’s better to be prepared for nothing than to be unprepared for something.

Design Scenario: Chassis Switches with Redundant Switch Engines Working with core switches can be really scary. With an average cost of anywhere between $50,000 and $250,000, you don’t want to mess around with these things. That’s the way I felt when I configured a 3Com ATM CELLPlex switch (now called CoreBuilder). We purchased all the parts; they arrived in separate boxes, and I had to take an hour and put them together. Although it was easy, it was frightening too, because I knew I was working with delicate electronic equipment that would cost thousands to replace if I somehow goofed up. We purchased redundant switch engines for this switch. They were really narrow little things, each fitting into a half-height slot. I put them in the very top two bays of the switch. The trick was that you left one switch engine unseated and sitting a half-inch out of the chassis when you first began configuring the switch. I configured the first switch engine, then plugged the second one in. In just a few seconds, I saw a steady flashing on switch engine two and I realized that the database on the top engine had downloaded itself to the second engine! How cool! They shared the same MAC and IP addresses. If the first engine failed for any reason, the second one would kick in right away, log the failure, and send traps to the network monitoring system.


www.sybex.com

334

Chapter 8


The switch also had redundant power supplies (which we fed into an RPS for good measure). There were tons of cooling fans in the chassis, so a cooling failure wasn’t as big a concern. But I felt much safer knowing that the extra money we spent ($16,000) for that redundant switch engine was going to waste! Every day that the engines didn’t have to transfer was a great day because the gear was working as it was supposed to. It was kind of like buying a fire extinguisher: you hoped you never had to use it, but you were sure glad it was there if you ever needed it. Good fault-tolerance design means sniffing the SPOFs and then wiping them out the best as you can.

Summary

F

ault tolerance and disaster recovery (DR) are two big topics in any network environment. The larger the network gets, the more intensive your fault-tolerance and DR regimens have to be. Fault tolerance is making sure that devices are safe from any kind of problem that might occur to them, and carries with it the ideas of redundancy, backups, clustering, power conditioning, RAID, and other techniques that can keep computers up and running. Disaster recovery is all about answering the question, “What happens if this network goes completely away, and I have to recover it from scratch?” This primarily involves backups and disk images, but doesn’t delve into the fault-tolerance genre as much as actual fault tolerance does. I then discussed fault tolerance and DR on client computers. With client computers, you’re first forced to get users accustomed to saving data to backed-up network drives and not their local drives. Next, you identify computers that are used by power users who do indeed need local fault-tolerance methodologies. Users like these might wind up with a power workstation hooked up with a RAID array controller card and SCSI drives. Windows 2000 IntelliMirror will help both non-power and power users to keep copies of their work even if there is a network outage. Policies will help you lock down computers where cowboys have had a tendency to play in ways they shouldn’t. Fault tolerance and DR on servers involves highly proactive measures: hardware RAID, UPS systems, power conditioning, backups, and clustering.


www.sybex.com

Summary

335

DR on servers means maintaining a server image library and practicing a disaster simulation from time to time. Network fault tolerance amounts to redundancy in both the network gear and the backbone links that connect the closets together. DR on a network would include replacing the parts that were affected by a disaster.

Key Terms The following key terms are aspects of system protection you should know to understand the exam objective in this chapter. clustering disaster recovery (DR) failover fault tolerance redundant power supply (RPS) uplink card VLAN Windows File Protection


www.sybex.com

336

Chapter 8


Review Questions 1. Two computers are hooked together, sharing a common set of data or

applications, with the ability to take over the operation in the event the other fails. What type of fault tolerance is this? A. RAID array B. Power conditioning C. Cluster D. UPS 2. Rotating backup tapes offsite is often a very good disaster-recovery

approach. Why is this? A. Tapes that are offsite can’t be stolen as easily. B. Tapes that are offsite can be used to restore computers in the event

of a disaster. C. Tapes that are offsite aren’t as likely to suffer from potential

erasure. D. You won’t be as prone to try to re-use a good tape if it’s offsite. 3. You have an engineer user who keeps very private patent information

on his local hard drive. He absolutely will not allow you to force him to keep the files on the server, insisting that there are lots of prying eyes on the network. How can you protect this person’s data without forcing him to save it to the network? Choose all that apply. A. Purchase a workstation with a RAID controller, 2 SCSI drives, and

local tape backup. B. Talk to his manager. C. Insist that he write the files to the network. D. Use a tape backup agent to back up his personal workstation.


www.sybex.com

Review Questions

337

4. You have network switches in two closets. There are six or eight

switches in each closet, with one uplink switch that is connected to the backbone. How could you apply fault tolerance to this setup? Choose all correct answers. A. Redundant link B. Multiple fiber backbones C. Resilient links D. RPS 5. What are the two fault-tolerant RAID levels? A. RAID 0 B. RAID 1 C. RAID 6 D. RAID 5 6. What is the single most important disaster recovery methodology that

you can implement? A. Redundancy B. Tape backup system C. UPS D. RAID 7. One of your power users, an executive who travels a lot with his lap-

top, understands your plea for keeping his data on a backed-up network drive, but he also needs to take a current copy of his work with him on the road. What Windows 2000 feature will help you (and him) answer this need? A. Windows File Protection B. Terminal Server C. IntelliMirror D. RADIUS


www.sybex.com

338

Chapter 8


8. What Windows networking feature will allow you to keep users from

changing settings on their Windows 2000 Professional computers? A. Profiles B. Registry entry C. Group policies D. Windows Installer download 9. How do you implement clustering with Windows 2000 servers? A. Clustering is included as a configurable service with all Win-

dows 2000 server products. B. Clustering is included as a configurable service with Win-

dows 2000 Advanced Server and Datacenter Server. C. Clustering is included as a configurable service only with Win-

dows 2000 Datacenter Server. D. Clustering is an add-on product that you must purchase separately

from Windows 2000 Server, Advanced Server, or Datacenter Server. 10. Is a firewall considered part of a fault-tolerant design? Choose all cor-

rect answers. A. Yes, because it keeps hackers out of the private network B. Yes, because it prevents servers from breaking C. No, because it’s used in the security arena, not fault tolerance D. No, because it requires fault-tolerance measures to be applied to it

as well


www.sybex.com


339

Answers to Review Questions 1. C. Clustering is a very sophisticated fault-tolerance technique where

two computers share the same data or application. If the computer that’s currently involved in user activity goes down, the second computer sees the event and a failover occurs, allowing the second computer to take the place of the first. 2. B. A set of backup tapes that are stored offsite is an excellent disaster

recovery measure. You’re insured that some sort of data is available for recovery in the event of a catastrophe. Of course, this all depends on the data that is on the tapes being good. 3. A, C, D. All three are good answers, depending on the money you

have to spend and on your personal attitude toward the whole situation. He’s probably right that there might be users with “inherited” permissions they shouldn’t have and who could potentially view the information. But these kinds of things are easily controlled with NTFS if time is devoted to the problem. 4. A, B. A redundant link is a second link to the backbone, as is a resilient

link—the difference is more rhetorical than technical. A redundant power supply (RPS) would be a good fault-tolerance methodology to implement as well, though it wouldn’t help with the single uplink card. 5. B, D. RAID 0 is striping without parity and isn’t fault tolerant. RAID

1 is mirroring and RAID 5 is striping with parity, so both are fault tolerant. There is no such thing as RAID 6. 6. B. Answer A is good, but it reflects fault tolerance, not disaster recov-

ery. It’s critical that you have a backup system in place, back up your network data regularly, and check to make sure that the backups are correctly working. This is by far the most elemental and supreme fault-tolerance procedure that you can implement. Then, after you’re done with that, the others are great ideas as well! 7. C. The Windows 2000 IntelliMirror feature provides this function.


www.sybex.com

340

Chapter 8


8. C. You’ll use group policies to make sure users can’t get to certain crit-

ical parts of their Windows 2000 Professional computers. 9. B. Clustering is a service that’s available for you to install and config-

ure with Windows 2000 Advanced Server and Datacenter Server. 10. C, D. Firewalls are security tools, not fault-tolerance tools—even

though you might think that, because they’re keeping hackers off of the network, they do in a fashion protect the integrity of the servers. Firewalls require their own fault tolerance to make sure they’re safely up and running at all times!


www.sybex.com

Performing a DR Test

341


Current System Your boss, the CIO, has given you the mandate to come up with a disaster recovery methodology that can be used in the event of a catastrophic event at your company. There is no current DR methodology in place. You will be the bellwether for such an implementation at your company. The current system covers two campuses connected by T1 frame relay. You have a central server room at each campus and about 15 different servers, 10 in one server room and five in the other. All switch closets in each building are served with resilient links over a fiber backbone. The switches connect to RPSs in each closet. Each server room has a large, room-size UPS and power conditioner that serves the entire room. There is no backup generator at either site. Your tape backup system is one that enjoys industry-wide acceptance. You had quite the time getting it configured and running at first, but now that the bugs are worked out, you don’t seem to have many problems with it. You have four DLT tape drives that are connected to a dedicated backup server. You must come up with a complete disaster recovery plan and make a formal presentation to the CIO and his managers.

Envisioned System Overview The tape backup software you use has an optional disaster recovery module that you can buy. You propose that the company purchase the DR module as an add-in to the current tape backup system. You tell the CIO that with this new module, you can burn an entire server image to tape and keep it offsite. If that tragic day ever comes, you’d simply have to procure another DLT drive and the backup software (a copy of which you propose keeping offsite); you could then have the computer back in business in a matter of hours. You also propose identifying all mission-critical servers and workstations that need to be privy to the DR process. CIO “The idea is a solid one. I want you to be sure that you set up regular tests of the system to make sure it works as advertised.”


www.sybex.com

CASE STUDY


CASE STUDY

342

Chapter 8


Security A team of two individuals handles the network security for the company. They say, “It’s probably advisable to password-protect the tapes before they go offsite.”

Availability Overview The CEO has told the CIO that she thinks the company would be able to get by with a week to rebuild in the event of a catastrophe. Any longer than that simply wouldn’t be tolerable in the volatile market the company plays in. CEO “Whatever system you come up with, you have to assure me that you can have us back up in one week’s time.”

Maintainability Overview It’s important that you settle on a holding place for your offsite tapes so that they’re carefully watched and maintained. You’re considering a simple bank safe deposit box, to avoid the expense of a regular company that specializes in storing offsite tapes, but you’re not sure yet. CIO “If the safe-deposit box idea will work and you can keep up with the demand, that’s fine, but we have to be able to rely on the integrity of the tapes that are stored.” CEO “The cost for the specialty company is pretty steep, but I’ll defer to your judgment. If you think we need to use them, then we need to use them.”

Performance You’re mostly concerned about the procurement of replacement servers, in the event that a catastrophe took out all of the servers. You’re not sure how to handle this situation. Suppose, for example, that you experienced a disaster in which all servers were lost. You purchase upgraded computers as replacements, and you’re ready to reinstall the image onto the new computer. Will it work? The CIO’s comment is, “You’ll need to test this to make sure it works OK.”


www.sybex.com


343

Overview Money’s always tight in your company of 500 users. But the CEO has been very generous to you when it comes to spending IT dollars, and you know that if you need her to commit to a big purchase, she’ll go along with it as long as the backup requirements and system detail documents are there. CEO “Money is no object—as long as you stay under $100. Just kidding. Let’s see what kind of budget you come up with, and we’ll go forward from there.” CIO “I have other things in my budget that I need to buy as well, so go easy if you can.”

Questions 1. What are two problems with keeping the tapes in a safe-deposit box at

a bank? A. Reliability of regular changeout of tapes B. Tapes could potentially be in an electrically charged environment

that might accidentally erase them C. Banks can’t be trusted to keep data D. Tapes not readily accessible on weekends 2. Look at the chart below. Reorder the tasks from the right column into

the left, to make a task list in the order that you should begin working on this project. (Note: These tasks are certainly not all-inclusive. In a real deployment you’d have many more tasks than this!) Tasks

Tasks Set up safe-deposit box for offsite tape storage Install DR agents on computers Hire company to help with offsite backup tape rotations


www.sybex.com

CASE STUDY

Funding

CASE STUDY

344

Chapter 8


Tasks

Tasks Test DR backup to tape of a server—restore to test server Obtain DR module for tape backup system Prepare budget information for CEO & CIO Make recommendations Add DR rotation to the current backup calendar Purchase a test computer that’s newer than the servers to test the DR module Set up quarterly DR tests

3. Why would quarterly testing be important in a DR program? Choose

all reasons that apply. A. Annual testing is too long between tests B. Helps you remember what to do if a disaster ever occurs C. Helps you to figure out if the offsite vendor you’re using is too

expensive D. Allows you to periodically revisit the plan to make sure nothing’s

changed or needs to be updated


www.sybex.com


345

could you use? A. Image software would allow you to take an image of each com-

puter and burn to CD B. Offsite service could obtain the backups for you C. Copying the server’s files to another server’s hard drive D. Creating a mirror, then breaking the mirror and keeping the sec-

ond hard drive offsite


www.sybex.com

CASE STUDY

4. What other method, besides a DR module for tape backup software,

CASE STUDY ANSWERS

346

Chapter 8


Answers 1. A, D. The changeout of the tapes is relative to the system you set up.

When you hire a company, they deliver the tapes to you and pick up the new tapes. Banks aren’t typically accessible for safe-deposit box access on weekends. B might well be an issue, you just never know. 2. See chart below

Tasks Prepare budget information for CEO & CIO Make recommendations Obtain DR module for tape backup system Purchase a test computer that’s newer than the servers to test the DR module Test DR backup to tape of a server—restore to test server Install DR agents on computers Add DR rotation to the current backup calendar Set up quarterly DR tests Set up safe-deposit box for offsite tape storage You told the CEO and CIO you’d keep costs down if you could, so you’re going to try the safe-deposit box method for awhile. If that doesn’t work, you can always try to procure the money and go with the service. 3. B, D. Remembering what to do is the hardest part of DR. Having

quarterly or semiannual tests allows you to freshen up your documentation and remember what you’re going to do during a DR session. It’s also good for forcing you to revisit the systems and make sure everything’s being taken into consideration as it needs to be.


www.sybex.com


347

software and using it to create images of each of the servers. The problem with this is that it’s time intensive and you’ll need to regularly update the images. You could retain an offsite storage service to keep your tapes, but not to do backups for you. Copying the server’s files to another server’s hard drive isn’t good DR; what if the other server fails at the same time? The mirror idea is unique but fraught with problems, such as what to do if you get the hard drive back during a real disaster and find out that it too has failed. Wrap-up: In a smaller shop such as this one, with only 15 servers, a few of which are probably not mission-critical, you could easily get away with the suggested DR methodology of backing the identified servers up to a DR tape, then storing the tape offsite in a bank’s safe-deposit box. The important part here is the practice part; pay special attention to the question about what you’ll do if a disaster happens and the gear you need to restore to is much better than the gear you originally took the DR tape from. All of these kinds of questions need to be answered ahead of time, not during a crisis.


www.sybex.com

CASE STUDY ANSWERS

4. A. In smaller shops, you could get away with purchasing disk imaging

Chapter

9

Designing a Management and Implementation Strategy for Windows 2000 Networks MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Modify and design a network topology. Design a strategy for monitoring and managing Windows 2000 network services. Services include global catalog, Lightweight Directory Access Protocol (LDAP) services, Certificate Services, DNS, DHCP, WINS, Routing and Remote Access, Proxy Server, and Dfs. Design a load-balancing strategy. Design network services that support application architecture. Design a plan for the interaction of Windows 2000 network services such as WINS, DHCP, and DNS. Design a resource strategy.


Plan for growth.



www.sybex.com

C

ongratulations! You made it through what I would call the project management chapters of the book. Microsoft has changed its testing paradigm quite a bit, so we had to write chapters that dealt with the project management aspect of deploying Windows 2000—stuff that didn’t really get into the meat of the OS itself. But you know what? I’m very glad that Microsoft has changed its testing strategy and is now insisting that MCSEs understand the ramifications of deploying huge software OSs and applications. It’ll make us better MCSEs, and it’ll help Microsoft’s code run better. I hope you noticed that at the top of each chapter we’ve included the exam objectives. We have tried to match the chapters to the end result of those objectives. Now the reading course diverts and moves into the actual Windows 2000 product itself. From here on out, the book will talk about the meat of the product, especially designing a Windows 2000 infrastructure. We start by talking about the design and modification of a network topology; then we shift into the stuff that drives Windows 2000, predominantly TCP/IP in nature. This chapter also talks about load balancing and about designing network services that support application architecture. You’ll see how legacy clients and Windows 2000 clients interact with Windows 2000 services such as WINS, DHCP, and DNS. And finally, we talk about developing a resource strategy, planning for the management of the resources on your network. (There is more information on the “Design a resource strategy” objective in Chapters 5 and 7.) It’s a busy chapter, so let’s get moving!


www.sybex.com

Understanding Windows 2000 Networking Services

351


T

his chapter starts with a very brief overview of Windows 2000 networking services. This book assumes that you’ve been through the basic Windows 2000 training so, of necessity, we’re not going to spend a lot of time on Windows 2000 networking services. But it’s good to take a moment and refresh your thinking about what is meant by the phrase “Windows 2000 networking services.”

TCP/IP Rules the Windows 2000 Protocol World We start out by making a bold statement: Windows 2000 works best on TCP/IP. Yes, some legacy protocols are given to you for the sake of keeping older clients or applications going, but TCP/IP rules the roost in the Windows 2000 world, and well it should. But what does TCP/IP buy you? For starters, it’s your passport into the Internet world. I don’t know about your company, but mine is going headlong into Internet and intranet development in a big way. It’s amazing how much time and effort it takes to create a Web site that runs efficiently and doesn’t interfere with internal day-to-day business. Part of this is attributable to the magic of TCP/IP and part to the magic of routers and routing protocols. Nonetheless, TCP/IP is the protocol of the Internet, and Windows 2000 is very Internet-centric. TCP/IP also buys you vendor-independence. If you’re running TCP/IP, you can purchase gear from a wide variety of vendors and not have to worry about funky proprietary protocols that may not be supported in the future. TCP/IP is very scalable. Lots of networks that outgrew their Class B or Class C “official” network numbers have simply purchased a firewall and installed a proxy server and are using the reserved TCP/IP network numbers that are never supposed to go out onto the Internet. The Class A 10.xxx .xxx.xxx network number (255.0.0.0 subnet mask), for example, provides a network with the capability of over 16 million hosts! The only caveat is that the machines using these numbers can never natively go out onto the Internet. They must be behind a firewall and/or a proxy server.


www.sybex.com

352

Chapter 9

Designing a Management and Implementation Strategy for Windows 2000 Networks

The other three private numbering addresses are as follows: 169.254.0.0 (255.255.0.0 subnet mask, more than 65,000 hosts): This range is used for Automatic Private IP Addressing (APIPA), a private subnet that Microsoft owns for the purpose of giving out an IP address when no other source is available. APIPA is something that NT 4 folks might not be accustomed to. 172.16.0.0–172.31.0.0 (255.255.0.0 subnet mask, more than 1 million hosts) 192.168.0.0–192.168.255.0 (255.255.255.0 subnet mask, more than 65,000 hosts) TCP/IP, while eminently hackable, has undergone some security revisions that were subsequently brought into Windows 2000. For example, Internet Protocol Security (IPSec), which we’ll talk about in Chapter 16, uses machine-based data-encryption and -authentication with TCP/IP. IPSec has been brought into the Windows 2000 OS. In fact, part of the exam you’re studying for will test you on IPSec. Furthermore, Windows 2000 Proxy Server’s capabilities include the ability to filter out unwanted traffic based on various criteria. Proxy Server is a separately purchased add-on product. Network Address Translation (NAT), which is included with Windows 2000 RRAS, does IP filtering as well. For example, you can filter out specific TCP ports, UDP ports, or even different protocols in the TCP/IP protocol suite. And within Windows 2000, Connection Sharing allows users in small offices to request an Internet site from the Connection Sharing server.

Both Connection Sharing and Proxy Server are technically Network Address Translation (NAT) devices, because they translate IP addresses that are “legal” for the Internet to addresses destined for internal users and vice versa. Addresses that have been run through a NAT are said to be “NATted.”

TCP/IP, combined with multiple routers, allows you to create redundant route paths to LAN segments. Remember how we talked about redundancy being the key to network fault tolerance? Redundant route paths would help bring about such an environment. Windows 2000 uses the same sorts of TCP/IP services that Windows NT 4 used: DNS, DHCP, and WINS. There have been improvements to the code, especially with respect to DNS, but the services are essentially the same as they were in the old NT 4 days.


www.sybex.com


353

Enhanced Support for Telecommuters Do some of your users want you to set up a virtual private network (VPN) so they can use their DSL connection from home? That would be a godsend to thousands of users who don’t really need to show up at a physical workplace each day—if only they had a solid, high-speed connection to the network from home. Windows 2000 has stepped up to this plate and has greatly improved the telecommuting protocols that you can use. The Extensible Authentication Protocol (EAP) is a protocol designed for clients to authenticate with servers. This protocol is envisioned as being used with smart cards (which use Transport Layer Security [TLS]), biometric scanners such as fingerprint or retina, the MD5-CHAP algorithm, and token cards, cards which pass in a password to the system for you. Another new protocol in Windows 2000 RAS is Remote Authentication Dial-In User Service, or RADIUS. The diversity of hardware and OSs has led to people trying to find a vendor-independent authentication scheme. RADIUS can validate users from a variety of computing hosts and has two pieces, the client and the server. When Windows 2000 is configured as a RADIUS client, it accepts the logon from the dial-in user and forwards the request to a RADIUS server for validation. Windows 2000 can also be equipped as a RADIUS server by installing and running the Internet Authentication Service. Also new to the RAS protocol roster is the Layer 2 Tunneling Protocol (L2TP). Recall from your OSI model training that layer 2 is the data link layer, typically the layer that switches operate at. L2TP is somewhat similar to PPTP in that it tunnels through an untrusted network. But L2TP doesn’t encrypt data like PPTP does. Instead you would use other encryption methodologies such as IPSec to provide the encryption. L2TP can be used in a virtual circuit with a variety of network protocols such as IP, ATM, frame relay, and X.25. PPTP can only be used on IP networks. While L2TP supports layer-2 tunnel authentication, that isn’t used when IPSec is installed because IPSec handles the encryption and authentication. L2TP provides header compression, which gives you a little smaller header size (4 bytes instead of 6). Remember the Windows NT 4 PPP Multilink protocol? The idea was that if you had several modems hooked to a computer running Windows NT Server, you could use Multilink to trick Windows NT into thinking the separate lines were all one big chunk of bandwidth. You had to have Multilink installed on both sides of the connection. The Bandwidth Allocation Protocol (BAP) is very similar to Multilink but goes a step beyond by adding or


www.sybex.com

354

Chapter 9


dropping links as needed. BAP works in harmony with Multilink; PPP Multilink has to be installed before you can enable BAP. Remote access policies can then be set to drop a link if the usage falls below a certain level.

Windows 2000 and Routing Techniques Windows NT 3.51 and 4 support the Routing Information Protocol (RIP). This protocol is best suited for small to medium networks because of the kind of routing it does. RIP is a distance vector router, meaning that it announces its distance and direction from its neighbor routers to its neighbors. These periodic announcements—every 30 seconds by default—can create lots of extra traffic on a large network and thus be unsuitable there. RIP was introduced in the Windows NT 3.51 and 4 worlds for interlinking private networks with the Internet and dial-in clients and with different LAN topology types. RIP is still supported in Windows 2000 and can be used as a router on your network. Windows 2000 has also added a more sophisticated routing protocol, Open Shortest Path First (OSPF), to its suite. OSPF is a link-state routing protocol; it communicates its link status information to adjacent routers. In this way, a map of the entire network is built and paths can be calculated. OSPF and Cisco’s IGRP are probably the two most widely used routing protocols. Also included in the Windows 2000 suite are several routing augmentations that, while not truly routing protocols, are designed to assist with routing tasks on the network. Demand-dial routing, connection sharing, and multicasting—all topics in later chapters of this book—are additions to Windows 2000 routing protocols.

IP Security in the Windows 2000 Environment The new development in the IP world, IPSec, is included in Windows 2000. The acronym stands for IP Security and forms a very valuable function. Most network implementations of TCP/IP allow clear, unencrypted text to flow across the network from one place to another. This may not be a very big problem on a small network, but on a larger one, where you have no idea what kind of people might be trying to watch, you need to assure your users that the data they send is encrypted and safe. IPSec is designed to do this. You can use it server to workstation (or vice versa), server to server, and you can run it on an intranet, extranet, or across the network.


www.sybex.com

Designing and Modifying a Network Topology

355

Managing User Internet Access Windows 2000 includes several new benefits in the Internet access arena, some of which are particularly relevant for smaller networks. For example, if you’ve ever thought about what it would take to hook a small network of just a few users up to the Internet, you’d realize that you had a challenge ahead of you. For starters, a router and CSU/DSU might be overkill for a small office. On the other hand, it might be cost-prohibitive for all the users in the office to access the Internet via modem from each of their PCs. Microsoft Internet Connection Sharing (ICS) is a new Windows 2000 technology that allows you to create a server that users connect to. This server provides very basic DHCP, WINS, and DNS services, and acts as a NAT device for the users, translating their internal address and port to external ones. Like Proxy Server, the Connection Sharing method also is capable of filtering packets (I’ll get into the drawbacks of ICS in later chapters). Though not included with Windows 2000, Microsoft Proxy Server is a product that you’ll want to consider including with your deployment. You might think of NAT as a Proxy Server Lite, useful only in non-routed, SOHO environments, whereas Proxy Server can work with thousands of users. Proxy Server serves many functions for the network. It restricts certain users from accessing the Internet; it can also act as a packet filter, preventing unauthorized packets from being allowed onto the internal network. Proxy Server’s biggest feature is that it caches Internet pages so that the speed of Internet access appears higher to users. Most of the things that we’ve just talked about, routing support, managing user Internet access, IP security, and telecommuting user support will be talked about in more detail later in this book. But I wanted to give you a feel for the kinds of enhancements you can expect with Windows 2000 as you move forward into this brave new world.


W

hat is a topology? I think of it as the way the network is wired up and the IEEE standard that it uses. But a more succinct way of putting it would be that a topology is the set of rules that are made for physically connecting and then going about the business of computing on a given medium.


www.sybex.com

356

Chapter 9


The topology determines how the computers are going to connect to each other (a physical component) and the rules that are going to be used when they talk to each other (a logical component).


Modify and design a network topology.

Physical Components of a Topology There are three basic physical topologies that are important to us: bus, star, and ring topology. You can think of the bus topology much like a string of Christmas tree lights; the wire essentially runs in a straight line and has nodes off of it that connect to the PCs or servers on the network. The old 10Base-2 network scheme used a bus topology, starting with a string of coaxial cable. At a point where you wanted to attach a PC, you simply introduced a T connector. The T plugged into the NIC on the back of the user’s computer (as seen in Figure 9.1). Each end of the wire had a terminator (which frequently went bad). The problem with this method was that if any one part of the bus went out, all users on the network were out as well, and sometimes finding the problem meant that you had to go from PC to PC trying to isolate the source of the difficulty. FIGURE 9.1

A bus topology PC

PC T connectors

Coaxial cable

Terminators


www.sybex.com


357

In star topologies, each PC or server on the network connects to a central device such as a hub or a switch (preferably a switch). You can then hook these switches or hubs together to form a larger network. This is the standard formula for the Ethernet networks of today; Figure 9.2 shows a typical star topology. The distinct advantage to a star topology is that any one computer (or port in the switch or hub) can fail and it won’t take down the entire network. Of course, if the hub or switch fails, that’s a different story. FIGURE 9.2

A star topology 100Base-T switch

Workstation

Workstation

Server

Ring topologies enjoyed a real heyday in the late ’80s and early ’90s; then Ethernet star topologies sort of took over. But, just when it appeared that the battle had totally been won, FDDI and ATM surfaced and recaptured the ring concept, this time on a wide area network basis. A ring merely consists of devices arranged in a ring with the cable passing in one side of each device’s network card and out the other. The network has a token (or sometimes two), hence the original name Token Ring network. The token circles around the network, in the receiving side of each NIC and out the transmit side (Figure 9.3), looking for a user that has data to send. The only computer that is allowed to send data to another computer is the one that currently owns the token. When that computer relinquishes the token, it’s free for the next computer to grab if needed.


www.sybex.com

358

Chapter 9


FIGURE 9.3

A ring topology

PC Transmit side of NIC

Server Receive side of NIC

PC Token

Fault-tolerant implementations of ring topologies have two tokens counter-rotating on two different rings. If one ring breaks, the other ring is used as a fallback. This is quite common in Switched Optical Network (SONET) implementations where extremely reliable WAN connectivity is desired. The standard internal Token Ring network was capable of running at 4Mbps or 16Mbps; however, these days 100Mbps Token Ring network gear is available. All of the various topologies have problems. For example, a ring topology is very fault-tolerant, as long as it’s used on moderately loaded networks, but as soon as the network approaches being heavily loaded, it slows way down. On the other hand, Ethernet networks function well when more heavily loaded, but have a lot of overhead associated with the acknowledging (ACK) and negative-acknowledging (NACK) that goes on when a packet is received or, worse, when it isn’t received. I haven’t personally worked with a Token Ring network in many years, but I’m sure they’re still out there. One of the chores you might face as a Windows 2000 network designer is the aspect of making two disparate networks (such as Ethernet and Token Ring) talk to each other. What device could make that happen? A Token Ring-to-Ethernet topology conversion bridge.

Logical Components of a Topology The Institute of Electrical and Electronics Engineers (IEEE) heads up standards specifications for new networking technologies. The IEEE numbers


www.sybex.com


359

are good to know (for cocktail parties and tests), because they identify the different logical topologies that can be used with a physical topology. For example, IEEE 802.5 defines the Token Ring topology; IEEE 802.3, 802.3u, 802.3x, and 802.3ab define Ethernet topologies, 10Base-T, 100Base-T, fullduplex Ethernet, and 1000Base-T, respectively. Note that logical topologies define more than just the speed of the network. They define aspects like the type of switching that takes place (circuit, message, or packet), the media that they can run on, and the types of connections that can be made. The logical definition of a topology defines a set of rules about how a topology is implemented. Now that we know what we’re looking at, the trick for you is to figure out what kind of network you’re involved with. Chances are very very good that you have an Ethernet network, though, as I said, some Token Ring implementations are still out there. You have two difficulties ahead of you in figuring out what the network topology is about. First, you need to determine the physical topology, then you need to determine its logical topology— loosely associated with the speed at which the network is supposed to operate. There is one potential third challenge: figuring out whether the backbone of the network is faster than the user connections.

The Cable Plant—Backbone and User Connections We talked about this concept in an earlier chapter, but let’s cover it again, this time in a bit more detail. Let’s say that the building housing your network is fairly large. Maybe you have two or three different closets where you have network gear, hubs, or switches. Typically these closets have a wiring rack with a patch panel and the network gear. The wires come in from one or more closets and attach to the patch panel. The wire running from closet to closet is called the backbone. Then you run jumper cables from the patch panel to the hubs or switches. The wiring that runs between closets could be fiber optic wire, in which case you very likely have a 100Base-T or (remotely possible) 1000Base-T (gigabit Ethernet) backbone. These speeds are 100 megabits per second (Mbps) and 1000 megabits per second, respectively (not megabytes, which would be MBps). Ethernet is based on a method called Carrier Sense Multiple Access with Collision Detection (CSMA/CD). In other words, when a host is ready to send data out onto the wire, it listens for carrier; multiple packets are allowed out onto the wire, and there is a collision-detection mechanism.


www.sybex.com

360

Chapter 9


The last element provides that if there is a collision (and there will be), the packet is re-sent after a random period. Because multiple packets can be running around, there are liable to be lots of collisions. As you might imagine, 100Base-T and 1000Base-T consist of fast collision domains. The IEEE has done some work toward trimming down the amount of collisions, but Ethernet is nonetheless a collision-based networking environment. So you have this 100Base-T fiber optic backbone. That means the packets are traveling at roughly 100Mbps, and you can expect fairly reasonable throughput, provided you have ordinary users who don’t put a lot of traffic out onto the wire by generating large reports from a server, downloading huge graphics, and so forth. The next question is this: Are your users also connected at 100Base-T? If so, everybody’s data is moving at 100Mbps, trying to get onto a 100Mbps wire. It’s sort of like several cars going 60 miles per hour trying to merge onto a highway where all the other cars are also going 60, but nobody is yielding to anybody else. You’re bound to have a collision! So how do you help this predicament? It might seem intuitive to you that the speed of the backbone should be much faster than the user connections. That’s the purpose of the uplink ports provided on the back of most switches. Users connect at a certain speed, and the switch intelligently manages the incoming and outgoing bandwidth. The data going out through the uplink card onto the backbone can travel faster than the data coming into it from users, hence you’ve reduced one bottleneck. Uplink cards are somewhat expensive, as are switches, but the gain in throughput is phenomenal and is well worth the investment dollars.

Just because you upgrade your network closets and backbone does not mean you’re guaranteed improved bandwidth from users or servers. You could still have a bottleneck at the user or server computer. There are several bottlenecks to consider: slow IDE or SCSI hard drives, slow processors, not enough RAM, NICs that are set for a slow speed. You must remember that the entire path that the data travels has to be examined when you’re considering bandwidth improvements. Server NICs on 100Base-T or 1000Base-T networks should always be set at 100Base-T full-duplex, as should the receiving switch port.


www.sybex.com


361

Dealing with Disparate Topologies What happens if your building has several floors and some of the floors are still on 16Mb Token Ring while others have gone through a conversion to 100Base-T Ethernet? You’ve run a fiber optic backbone up the wiring chase to all floors, and you have a termination in the patch panel at a central wiring closet on each floor. But how do you connect an Ethernet to a Token Ring network? You need a Token-Ring-to-Ethernet topology conversion bridge, my friend. These are devices that hook in between two disparate networks, allowing for the conversion of one topology to another. Now, in this example, you might have to purchase the bridge for each floor before you can officially hook them to the Ethernet segment of your LAN. But that’s a design issue, one that needs solved and planned out before you move forward. Or you might choose to convert each floor to Ethernet before you implement the rest of your network upgrades. It’s up to you, but a topology conversion bridge will help you get this done. AS/400 computers from IBM work on Token Ring networks as well as Ethernet. There are tons of AS/400s in the world, so it’s remotely feasible that you’re facing the problem of Token-Ring-to-Ethernet topology conversion. Maybe it has been solved for you by a previous administrator or designer (in which case the technology might be outdated), maybe not. Nevertheless, tools have been created for you. Use your favorite search engine (mine’s WebFerret—get it at www.vironix.com) and key in the phrase “Token Ring to Ethernet”. You’ll get lots of hits for companies that specialize in Token-Ring-to-Ethernet conversion bridges. Problem solved.

Dealing with Old Topologies Unless you have an office of fewer than five users, 10Base-2 coaxial networks are not going to cut it in the Windows 2000 world. You just won’t have enough bandwidth to feel like things are moving along quickly. You’ll have to resign yourself to upgrade the network cable plant and infrastructure to at least 10Base-T, and probably 100Base-T. Upgrading the cable plant and installing switches means money and probably lots of it. That’s the commitment you’ll have to make if you’re going to go forward with Windows 2000 servers and workstations. Hub-based 10Base-T networks (called “shared-10” networks because users are sharing 10 megabits of bandwidth) also need to die a big death. Hubs were fine in the Novell NetWare 3.11 days, when people were running


www.sybex.com

362

Chapter 9


WordPerfect 5.1 and Lotus for DOS and were using servers for files and printing. But today’s world is a big, bad client/server world that uses huge quantities of bandwidth. Admit that your network needs to enter the switched world, where your backbone is faster than your client connections, where your servers (at the very least your big application servers) connect to high-speed ports on the switch, where routers are up to date, and where users have NICs that are capable of talking to the network at robust speeds. What good does it do you to install fast-processor computers on a user’s desktop and then have the user try to pull data off of a terribly slow network? For all but the smallest of networks, shared-10 networks have got to go before you enter the Windows 2000 world.

Design Scenario: What About Your Macs? Macintosh services are still supported in Windows 2000 (and even substantially improved). You’ll have to load the AppleTalk protocol on the servers that Macintoshes are going to talk to. But what about those old AppleTalk or TokenTalk networks? Do you have to convert them? No, because the Macintosh is considered an independent entity to Windows 2000, an individual client. Each Mac user logs on to the network just like each Windows 2000 Professional user, so you don’t need to have your Mac administrator dismantle the network; Mac users can connect just fine as they are.

Monitoring and Managing Windows 2000 Network Services

T

his section is about designing a strategy for dealing with various Windows 2000 Network Services. Within this section, the operative word in network services is network. For example, how does one monitor and manage the global catalog? Or LDAP? You can see the importance of why we would want to monitor such services. If they crater, we need to know why they did and how to put things back to normal.


www.sybex.com



363

Design a strategy for monitoring and managing Windows 2000 network services. Services include global catalog, Lightweight Directory Access Protocol (LDAP) services, Certificate Services, DNS, DHCP, WINS, Routing and Remote Access, Proxy Server, and Dfs.

When we begin to talk about each of the items below, their separate monitoring and managing needs, there are three things we need to keep in mind: Events and Alert Notification You should know what service events are important enough that you need to be alerted right away.

Windows 2000 includes what was called Performance Monitor in the NT 4 days and is now called System Monitor. Use System Monitor and its alerting capabilities to provide specific machines with alerts as to an errant behavior. Or you might consider purchasing enterprise management system (EMS) software such as ManageX (an HP product found at www.hp.com) or NetIQ (found at www.netiq.com) to increase the number and detail of alerts that you can receive.

Anticipating Design Changes Undoubtedly some systems will outgrow their initial design, or managers in your company will make a decision that changes the design somewhat. There are probably numerous conditions that might require a design change; that’s not hard to imagine. Anticipating how to react in a design change, that’s more meaningful— and spotting the design change can be very difficult. Verifying Design Compliance Is the design being used the way that you actually planned and anticipated that it would? If not, why not? If not, do you need to correct people on the method used (probably not), or do you need to manage changes to the design so it complies with its current use (probably)?


www.sybex.com

364

Chapter 9


Global Catalog Perhaps when you begin your Windows 2000 deployment, you start out with a Windows 2000 domain controller in a single domain. After some time, study, and involvement with your one domain, you find a need for additional domains. You come up with two more domains in your Windows 2000 forest. For the sake of simplicity, let’s say that within each domain there is only one domain controller (keeping in mind that a oneDC domain is a bad idea—you need an additional buddy for each DC in each domain). The very first domain controller installed within your forest has the duty of being the global catalog server for the entire forest. A global catalog server is a domain controller that has a complete list of all the objects in an entire forest, but is only aware of a subset of the attributes of the objects outside its own domain. (All domain controllers are aware of all attributes for all objects within their own domain.) The advantage of this is that a user or application can search the entire forest for an object without knowing in which domain the object exists. The subset of attributes included in the global catalog are the attributes most often searched on for each type of object (name and address are included for example, but not SID or GUID). Here’s the idea: The domain controller in each domain is responsible for keeping track of changes to the replicas in the Active Directory database. Delete a username? That’s a replica change, one that must be replicated to the global catalog. The domain controller that does the replication to the global catalog is said to have the function of infrastructure master. This server forwards replica changes to the global catalog. There is only one infrastructure master per domain. Suppose that a domain controller in another domain has old data. The infrastructure master compares its data with that of the global catalog, uploads changes to its replicas, and downloads changes from other domains. But it is the global catalog that is always up to date. Figure 9.4 shows this elementary structure. The replicas that are stored from other domains are said to be partial replicas in that not all of the properties for every object are replicated and stored in the global catalog. You can adjust Windows 2000’s default settings for the kinds of replica information an infrastructure master can upload to the global catalog, but this is not recommended because it could seriously add to the bandwidth used on the network.


www.sybex.com


FIGURE 9.4

365

The global catalog in a three-domain controller

Global catalog

Domain 1 Infrastructure master Domain 2

Domain 3

Infrastructure master

Unless you’re in a single domain controller environment, you should not have one domain controller serve as both the global catalog server and an infrastructure master. In this case, the infrastructure master will never receive updates (because the global catalog server is on the same box), so it won’t know about the latest and greatest changes to the objects in AD. Multiple global catalogs are possible, depending on the size of your network, geographic complexity, and other contributing factors. While this is a great thing, it’s important to keep good design principles in mind and not just load up on global catalog servers. Recall that replication of AD object information is being performed on each global catalog server, so not only are you adding unneeded complexity to the system with excess global catalog servers, you’re also complicating any problems that arise. Like WINS servers, keep the global catalog servers to a minimum, one global catalog server in each site that doesn’t have guaranteed WAN connectivity.


www.sybex.com

366

Chapter 9


Domain admins will always be able to log on to the network, even when the global catalog is not available. This is not necessarily true for regular users. If the global catalog isn’t available, they’ll probably only be able to log on to the local workstation.

You can access the location where you set the global catalog by going to the domain controller you want to configure and clicking Start Programs Administrative Tools Active Directory Sites and Services Sites name of site Servers name of server. Figure 9.5 shows this screen. From there find the NTDS Settings item and right-click it. Select Properties and you’ll find an NTDS Site Settings properties window where you can enable the global catalog. FIGURE 9.5

Assigning the global catalog function to a domain controller

Following are the planning and design rules for global catalog placement:

There should be at least one domain controller per site.

You can have multiple domain controllers per site.

Each site should have at least one domain controller configured as a global catalog server, especially when the sites are connected by slow links. This way, users will receive current forest information from a local domain controller.


www.sybex.com


367

You can adjust the replication of objects across slow links to happen during off-peak hours.

Too many global catalog servers means too much replication and could potentially be a bottleneck for your network.

Adding replica attributes to the objects that are already being replicated will add time and bandwidth to the network. Better to leave things as configured.

There are some issues that revolve around the Internet Authentication Service (IAS) and the global catalog. We’ll discuss these issues in Chapter 17.

When we think about event notification, can you think of alerts you might like to get when the global catalog has a problem? I’d like to know when a global catalog server goes down. I’d also like to be apprised when too many queries are hitting any one global catalog server, which would imply that it needs a friend to help it out in the site it’s in, meaning that you’ve triggered a design change. Then too, it could be just that people are trying to get used to the system and are performing frequent queries against it.

Lightweight Directory Access Protocol (LDAP) Access to the global catalog and to the domain controllers running it is accomplished through the Lightweight Directory Access Protocol (LDAP version 3—RFC 2251). Active Directory clients need LDAP to access shared resources on the network. LDAP is an Internet Engineering Task Force (IETF) communications protocol that defines how directory clients access a directory service and how queries and sharing of directory data are performed. LDAP, which has been in use with Microsoft server products for several years now, is light, efficient, and preferred over other, more rotund, directory service protocols. Because LDAP is a universal standard, Active Directory can work with other directory systems via a programming interface that’s included with AD, called Active Directory Service Interfaces (ADSI).


www.sybex.com

368

Chapter 9


The directory is made up of objects and their attributes. LDAP uses a hierarchical structure, somewhat similar to what you may have seen in Exchange Server, to uniquely identify each object in the active directory. Object attributes can be inherited and populated by several different objects. Let’s consider an LDAP example. Suppose that you have a user named Ralph in the domain. Ralph will have an LDAP common name: CN=Ralph. Since Ralph is a member of the Users container, he will also have a container designator (using the same CN designation): CN=Users. Suppose that Ralph is affiliated with the Sales group that is located in the California domain, and the domain root is VeryBigCompany.com. Then, in addition to the common name and distinguished name, you’d also have an organizational unit (OU) and four domain components (DC): one each for the domain and the tree and two for the domain root. These would be represented as DC=California and DC=VeryBigCompany,DC=com. Thus the entire distinguished name would be CN=Ralph,CN=Users,OU=Sales,DC=California,DC=PaperProducts,DC=VeryBigCompany,DC=com. A different way of representing this name is via a canonical name. Instead of using the distinguished name CN and DC delimiters, you simply put a slash in front of the various components. Also, you start with the domain root first, then proceed down the hierarchy. So the canonical equivalent of the distinguished name here would be VeryBigCompany.com/PaperProducts/California/Sales/Users/Ralph. Additionally, Ralph would personally have what is referred to as a user principal name (UPN)—his username followed by the @ sign and the company name (just as an e-mail address might appear). So Ralph’s UPN would be [email protected]. The UPN is automatically created by AD and isn’t something you need to worry about. Nor should you try appending an @ sign to his username in the hopes of helping create a UPN. The relative distinguished name is that part of the distinguished name that represents an attribute of an object. In the example above, Ralph is the relative distinguished name for the parent object Users. Figure 9.6 shows where Ralph might fall in a typical AD hierarchy.


www.sybex.com


FIGURE 9.6

369

The AD hierarchy of Ralph’s network

Forest = VeryBigCompany.com

Tree

Tree

Paper Productio

Domain

n

Domain

Domain California

Domain

OU=IT OU=Sales

California

User = Ralph

The cool thing about LDAP is that no name will be duplicated anywhere. On top of that, users will be able to see anybody in the catalog at a glance, providing access to what could literally be millions of objects grouped according to logical layout of your network. There are two caveats to managing AD database. Number one is this: Don’t mess with the database schema. While the schema is extensible, it’s best to leave it alone and not modify it. Some applications might do that (Exchange 2000, for example, will change the schema), but you should not.


www.sybex.com

370

Chapter 9


Second, plan, plan, plan the layout of your future Windows 2000 network, making sure you’ve designed the logical splits correctly. It would not be a bad idea to try to plan for any future changes the managers might want to incorporate that would subtly change the layout. If you could somehow anticipate those changes, you’d be light years ahead of where you need to be.

Certificate Services There are two authentication services in Windows 2000, Internet Authentication Services (IAS) and Certificate Services. IAS is used for dial-in users, and we’ll talk about that in Chapter 17. Certificate Services is a software service used for the authentication of entities that are requesting access to the network. Certificate Services can work with secure e-mail, digital signatures, Web-based authentication, and smart-card authentication. Windows 2000 Certificate Services use public key encryption as their method for guaranteeing the reliability of the entity that is requesting authentication. When you use Certificate Services, you create a certification authority (CA). The CA is responsible for vouching for the authenticity of the entity requesting to get onto the network. The CA receives certificate requests, verifies that the one presenting the certificate is the one entitled to use it (via the matching of the public and private keys), revokes certificates, and maintains published lists of revoked certificates (a certification revocation list or CRL). The CA acts as the holder of the public keys. When a user wishes to request a certificate, she uses either a Web browser or a certificate Microsoft Management Console (MMC) snap-in to connect to the CA and request a certificate. A cryptographic service provider (CSP) software component running on her computer generates a public key and a private key. The private key stays at the computer, the public key is forwarded to the CA and, if the criteria for granting a certificate is met, she gets the certificate. If there are criteria set up to expire her certificate at some time (such as when a contractor will finish working for the company), her certificate would be put on a CRL upon expiration and she’d no longer have access to the network. Certificates and groupings of CA servers (called a CA hierarchy) can be used in place of a username and password to gain access to the network, as in the case of users gaining access with a smart card. In large enterprises, you


www.sybex.com


371

couldn’t get away with just one CA server (nor would it be practical from a security standpoint!), so you must design in several CA servers. While the reasons for using a CA server are valid, there are many things to think about when considering Certificate Services. First, does your company do work so top secret and important that it’s paramount that you keep track of who’s getting on? If so, then Certificate Services are for you. But what if you’re on an ordinary work-a-day network where that kind of security isn’t needed? Then I think you need to ask yourself whether it’s possible that somebody from the Internet, or a contractor, or another partner relationship of some kind could conceivably get on the network and do some damage. If so, it’s still worth your time to consider Certificate Services, because with a public and a private key (and the certificate) you’re validating that the resource requesting to get onto the network is actually that resource, not somebody spoofing as that resource. Another consideration is that of protecting the security of the CA servers. Since they contain keys that could potentially be very valuable to those who surreptitiously gain access to them, it’s highly important that CA servers be strongly secured. What happens if the computer augers in and you lose the keys? How will you restore them? Fault tolerance becomes extremely important when discussing CA servers. Third-party certificate providers (such as VeriSign) can be used in place of Windows 2000 Certificate Services. Is it worth the money, time, and effort of putting a separate CA entity in place? And finally, it’s paramount that the designers and administrators of Certificate Services in Windows 2000 networks completely understand how public key encryption (PK) works and, more important, how Windows 2000 uses PK and certificates.

Name-Resolution Services One of the more popular questions being asked by administrators everywhere is: What happens to WINS with Windows 2000? The question requires a dual answer. If you’re migrating a legacy Windows NT 4 network over to Windows 2000, then WINS is available and there is backwardcompatibility with other WINS servers. You can maintain some legacy name-serving while performing your cutover. If, on the other hand, you’re starting from scratch, you can use DNS and don’t need WINS at all.


www.sybex.com

372

Chapter 9


Windows 2000 is designed to work with DNS and not WINS. (WINS may be needed for legacy apps such as Exchange 5.5.) The Windows 2000 WINS interface (Figure 9.7) looks remarkably different from the old NT 4 interface, but functions about the same. In Figure 9.8, we’re asking WINS to find a computer named Barney; Figure 9.9 shows the resulting display of the WINS records that the system found for Barney. FIGURE 9.7

The Windows 2000 WINS interface

FIGURE 9.8

Looking for Barney


www.sybex.com


FIGURE 9.9

373

Barney’s WINS records

Notice that the resulting records for Barney look very similar to the way they’d look in the Windows NT 4 environment. Like the NT 4 environment, you can establish WINS load balancing by implementing push/pull partners with other WINS servers. You can also scavenge the database, create static mappings, and import LMHosts just as you could with the old WINS. WINS retains the old ability to use WINS Proxy agents (agents that garner a NetBIOS name resolution from a WINS server for a non-Windows host). New to Windows 2000 WINS is the ability to use IP packet forwarding to service a name request from a WINS server across a router—thus avoiding a broadcast that the router would not forward. WINS services can now be secured across public lines either by IPSec or by VPN. Also, Windows 2000 WINS can be put on a cluster server for redundancy and fault tolerance. Windows 2000 WINS supports a burst mode capability. WINS uses this when a large influx of registrations happens. At such times, the WINS server sends an ACK with a time to live (TTL). The client must then re-register after the time expires. The theory is that by the time the client re-registers, the burst is over and the server won't be so bogged down. The TTL is increased 5 minutes for each additional 100 registrations, starting at 500—that is, if the server receives 500 simultaneous registration requests, burst mode kicks in and the registration TTL is 5 minutes. If there are 600 requests, the TTL is set for 10 minutes instead, and so on. WINS strategies include the judicious placement of WINS servers, creating pull partners across slow WAN links, and setting up push/pull times after hours for slow links. It will be important to use an alerting method to notify you when WINS has stopped working, for whatever reason. You’d also want to know when replication times were taking longer than expected and if the number of queries or times to resolve queries had gone up. All of these imply a heavily loaded WINS system that needs to be dealt with. DNS looks very similar to the way it looked in Windows NT 4 except that, like WINS, it too uses the MMC interface. Figure 9.10 shows what the


www.sybex.com

374

Chapter 9


DNS screen looks like with the three computers on my mini-network: 2000guy, NT-MAN, and Barney. FIGURE 9.10

The Windows 2000 DNS screen

Several new or enhanced features of Windows 2000 DNS make it more valuable:

DNS in Windows 2000 has a load-balancing feature, where you can group several computers together that have a common name but different IP addresses under one DNS entry. When a DNS request comes in for that name, the DNS service can answer the request either via a pre-prioritized list or in round-robin fashion. You’d use this primarily with Web or cluster servers that were load-balancing off of one another.

Recursive forward lookups allow a DNS server to forward requests for computer records it does not have, using other WINS or DNS servers to satisfy a client’s name lookup request.

Multiple Windows 2000 DNS servers can be configured to redundantly support one DNS database (for fault tolerance) or to contain separate parts of the database.

Secure zone transfers of encrypted DNS data can be sent over public lines using IPSec or VPN technology.

Incremental zone transfers consisting of just the updated parts of the DNS database can take place. These reduce the bandwidth used by DNS servers replicating with one another.

DHCP and WINS can be used by DNS for name lookups.


www.sybex.com


375

If you like, you can run DNS on Windows clustering for full redundancy and fault tolerance.

Windows 2000 supports SRV records.

It supports dynamic DNS.

Deciding how to implement DNS in the Windows 2000 site is going to be your hardest job. Chances are, unless you’re starting with a brand new installation of Windows 2000, you’ll have to pick up some legacy DNS implementation, probably based on Unix. If the BIND version of the Unix servers isn’t up to date (supporting SRV records and dynamic updates), then your desire may be to cut the entire DNS operation over to Windows 2000. Why? Because dynamic DNS will make your life so much easier by getting rid of the necessity of manually keying in all different sorts of DNS records. If you’ve ever maintained static DNS and reverse lookup tables, you know what a monstrously great achievement this new dynamic DNS thing is. Windows 2000 DNS can reference the Active Directory and get what it needs from there. Unix hosts still have to be manually keyed in (they’re not a part of AD), but your job is made much simpler. You can make use of the security and speed of zone transfers and use all of the cool AD reference functions of Windows 2000 DNS. But getting your Unix admins to part with their DNS is going to be tough; you have a political fight ahead of you. There are several good reasons for going forward with an AD-integrated zone DNS design, though:

It’s much more difficult for rogue DNS servers to impersonate others in an AD environment.

The DNS replication follows that of the AD replication.

There is no single point of failure in the design (because the DNS zone is a part of AD, the failure of one DNS computer would not compromise the others).

An AD-based DNS server appears to others as a primary DNS.

A second issue is the actual DNS design. You have two basic models you can draw on. You’d use a hierarchical model in a large site with many remote locations. You set up your first DNS box as the primary zone, to house all of the records for the site. Then you would set up other DNS servers with secondary zones in the other areas, making them secondary to the primary zone


www.sybex.com

376

Chapter 9


back at HQ. As the secondary zones replicate their data upward to the primary, it contains a complete listing of all computers on the network, and the secondaries only have information pertaining to their parts of the network. One potential downfall to this design is that you almost must have a DNS administrator on site at each of the secondary locations. You could opt for a flat design with one or two DNS servers that share the DNS database. Use this design for smaller networks with fewer users, or where the name-resolution services might take place anywhere on the network and not be so geographically separated. Managing the DNS environment is going to require some serious planning. There are several questions you have to ask yourself. For starters, how will you be notified if a DNS server goes down? Some sort of alerting methodology, such as an EMS like ManageX, NetIQ, or HP OpenView, might help you with this. You also need to figure out whether the current DNS structure can handle the number of requests coming in. As the system grows and requests start to labor it, you’d need to put extra systems into place to help balance out the load. Heavy load will also affect the amount of time it takes to replicate the database to other computers.

Internet and Remote Access Services The management of RAS has gotten very sophisticated in recent years. Not only is the list much longer of network protocols that you might have to support, but you’re also faced with new technologies. RADIUS and VPN technologies are among the new concepts that are being used more and more widely in today’s networks. Planning for and managing these RAS and Internet services are an important design component of Windows 2000 networks. Your first consideration, one that your users will be asking of you, is whether you’re going to institute conventional dial-in RAS or go with a VPN solution. With conventional dial-in you’d provide a bank of modems (and possibly a toll-free number or two) that users could dial to get into the system. Conventional network protocols and authentication methods are available for dial-in users and if added security is needed, you could institute a call-back methodology where the user must key in his phone number and then have the system call him back. This kind of RAS is widely in use today under Windows NT 4 and it works well. Standard telecommuting type users would benefit from a regular RAS installation.


www.sybex.com


377

But there are questions. Can you afford to purchase the modems and pay for the additional monthly cost of the phone lines? If so, how many lines do you think you’ll need? Should you purchase a RAS server device that can use RADIUS or some other method, or should you just go with set of modems that are connected to a RAS server? With VPN connections, a user dials his or her ISP (through whatever kind of connection he or she is paying for) and then tunnels into your network over the Internet via a secure VPN protocol. With this method you have a lot more planning to do. You need a high-speed connection with an ISP that supports this kind of thing. Then you’re going to have to determine whether you want to try to accomplish this kind of telecommuting connectivity with hardware or with Windows 2000 software. If you select a hardware option, you’ll wind up purchasing special VPN switches and routers that can handle the interaction with the client. Windows 2000 supports NWLink, TCP/IP, NetBEUI, and AppleTalk as its network protocols. It accepts a variety of authentication protocols, among them the standard MS-CHAP that has been in use for many years plus an encrypted version specifically made for Windows 2000, MS-CHAP v2. EAP-TLS is an authentication protocol used for smart-card support. SPAP is an authentication method used for Shiva LAN Rovers, and PAP will work for clients who are RASing in and have no other authentication capability. RADIUS (covered in Chapter 17) allows authentication with a nonWindows 2000 methodology. You also have a choice of encryption methods such as Microsoft Point-toPoint Encryption (MPPE) for PPP or PPTP protocols. IPSec (talked about in Chapter 16) is used in conjunction with L2TP for VPN connections. Internet connections fall into three categories: keeping users inside and not letting them out onto the Internet, acting as an ISP, and being a “poor man’s ISP” for employees who RAS in and use the Internet. Proxy Server will allow you to keep users who should only be using your intranet off of the Internet. Network Load Balancing will help keep Web servers functional. Group policy objects will allow you to control who gets to do what. Event notification in RAS is easy through System Monitor. There are specific counters geared toward this function (RAS Port and RAS Total). With Web servers, you have Index service counters and event log notifications. Nowhere is your installation more likely to quickly go out of design compliance (or to require a complete design change) than with Web servers. What a dynamic hotbed of activity managing Web servers is!


www.sybex.com

378

Chapter 9


Distributed File System Distributed File System (Dfs) has been in use for many years in the Windows NT 4 environment and has now found a permanent home in Windows 2000. Its idea is: Instead of having users memorize tons of different shares spread across many servers, why not have one server host a program that links to the appropriate server and share when the user requests it? For example, suppose you have a server called Fred and a share on it called Files. The UNC to get to this share is \\Fred\Files. Suppose you have another server called Wilma and it has a share on it called Shared. That UNC would then be \\Wilma\Shared. How many of these specific UNCs does a user have to memorize before she’s completely confused? I’d say two would be the limit for most average users. So, it’s more convenient to appoint one server as the Dfs host server and have links on it pointing to the various shares out on the network. Suppose your host server was named Dino. Now your users would point to \\Dino\Files and \\Dino\Shared for their directories, but Dfs would link them to the appropriate servers and shares. This feature spells one-stop shopping for the users, but more complicated maintenance for you. You can highly scale Dfs, creating multiple Dfs root volumes, which then replicate with one another. Since the data is published in AD, it’s available immediately after replication for all users enterprise-wide. Any one path is limited to 260 characters (a Windows 2000 limitation), the only Dfs link limitation that you’d run into. As far as managing this service, the pre-installation design of Dfs is probably the most important step you can take. Where will you place your Dfs servers, and what are the shares that they’ll link to? This is all done in a common DNS namespace, so management is easy, but it’ll take time to set up. Event notification would lie more within the third-party EMS realm than the System Monitor environment, because you’ll want to specifically filter for Dfs event log problems.

Network Load Balancing

C

lustering has gone through several iterations at Microsoft. In the early stages of Microsoft clustering (the WolfPack days—a code name for a product that ultimately wound up being called Microsoft Cluster Server), the


www.sybex.com


379

product was a separate add-on of NT Enterprise Server. Then, somewhere along the line, its name was changed to Windows Load Balancing (WLB), and today in Windows 2000 it is called Network Load Balancing. You’ll still find traces of the old Windows Load Balancing terminology; in fact, the executable is still called wlbs.exe. That said, in the rest of this book, if I refer to cluster, Windows Load Balancing (WLB), or Network Load Balancing (NLB), I’m referring to one and the same thing. There are two types of clustering: NLB, which provides scalability and availability for IP-based services (such as Web services, for example); and server clusters, which provide high availability for applications thorough a failover mechanism.


Design a load-balancing strategy.

You use clustering for high-availability, strongly fault-tolerant situations where you cannot afford for an application or service to go away for any length of time at all. You set up the application, then set up server clustering so that if the computer that the application is on fails, a failover occurs and the entire operation is transferred to another computer. If everything goes right, users should not see even a blip on their screens. Alternatively, you can set up NLB so that every server computer in the cluster runs a copy of the application simultaneously. Clusters are not suited to just any old application on the network. They are especially suited for things like Web sites, where you don’t have a lot of data being transferred into a system by users. If you do have a SQL server that gets information posted to it through a Web site, and you have multiple Web sites on a cluster, then all Web sites can post to the same Web server. But the SQL server itself is a standalone unit, or makes use of SQL Server replication; it does not work well in a clustered environment. Every computer in the cluster is called a node. You have to look for applications that are cluster-aware, meaning that they’ll work on a cluster—for example, some of the BackOffice products, such as Exchange 2000. The Windows 2000 services—WINS, DHCP, DNS, and others—while not cluster-aware, can still work in a cluster server environment. Keep in mind that if an application requires specialized hardware


www.sybex.com

380

Chapter 9


or customized configurations, then for each clustered server you must duplicate that hardware or configuration component. For example, if you decide to cluster an enterprise fax system, and your first fax server has a 24-port T1 fax card in it, then each computer will have to have that same T1 fax card as well. You can’t failover to a new computer and expect it to use hardware or configurations on a dead computer! Which is why, even though Windows 2000 VPNs are cluster-aware, you must make sure you duplicate the hardware and settings required on each computer so that failover can occur. Nodes that operate simultaneously with one another in a cluster are said to be members of an active/active cluster. Nodes that are active and failover to inactive nodes are members of an active/passive cluster. After failover in an active/passive cluster, once the problem is repaired, the application can go through a failback to put it back on the primary node.

Please keep in mind that when a node in a cluster fails, subsequently causing a failover, the failover might take anywhere between a few seconds to a few minutes, depending on the type of server gear the cluster is configured on and various other components. My verbiage above about “a blip on the radar screen” may not be accurate in all cluster failover scenarios.

There are two ways of describing client interaction with NLB, both referring to the state that the client is in when an interaction takes place. (In fact, you’ll often see this referred to as a stateful connection.) The first is an interclient state, where multiple clients are working on a system and updates are synchronized. SQL Server is good at interclient state connections. The second means of client interaction is an intraclient state, where a client is by itself but may be hitting several different connections. A famous example is when a customer buys something from a Web site and uses the shopping cart metaphor. Here the client may be hitting several simultaneous sites, but there is only one client state going on. NLB is good with intraclient states but should never be used with interclient states. You install NLB from the Local Area Network properties just as you would any other network driver component. It installs over TCP/IP and no other protocol, and will work on FDDI or Ethernet network segments. You have two choices for NLB installation: unicast mode or multicast mode. Multicast mode is preferred because it’s more efficient. If you’re going


www.sybex.com


381

to use unicast mode, you must have two NICs in the cluster computer: one will be used by the client in accessing the cluster computer, the other by the cluster computer talking to the rest of the cluster. Multicast mode doesn’t required two NICs, but it will modify the MAC address on the NIC so that it shows up as a multicast NIC. Some NICs do not allow these kinds of modifications; if yours doesn’t, you’ll have to replace the NIC with one that does. Configuration is very straightforward; Figures 9.11 and 9.12 show the initial configuration screens. (Get there by right-clicking My Network Places Properties. Right-click Local Area Network Connection Properties, then check the Network Load Balancing option.) You key in the IP address and subnet mask, then fill in a few boxes, including the Multicast Support check box. Another check box (Initial Cluster State) allows you to make the cluster active right away and at each reboot; if it’s unchecked, you must manage the cluster through the command line. You can apply a password that allows you to connect remotely to the cluster server. FIGURE 9.11

NLB cluster parameters


www.sybex.com

382

Chapter 9


FIGURE 9.12

NLB host parameters

Port rules, as shown in Figure 9.13, allow you configure the way that cluster traffic is handled per port. When you configure a port, you’re said to have set up a filtering rule. FIGURE 9.13

NLB port rules


www.sybex.com

Supporting Application Architectures

383

You can use the cluster administrator program, installed on every Windows 2000 or Windows NT 4 SP3 node in the cluster. Alternatively, you can use the cluster administrator from a separate computer to manage the entire cluster. To see a list of commands used in clustering, grab a command prompt and type cluster /?. You can use clustering with two different design scenarios. You can choose to use two or more nodes that are hooked to a common shared storage device, such as a RAID tower; or each node in the cluster can have its own disk array. Intuitively, failover on a node that has its own array takes longer than failover on a node that is hooked to a shared storage array.


A

s with almost everything else we’ve discussed relative to a Windows 2000 deployment, there are two things you must consider when thinking about how to support application architectures: legacy applications and new Windows 2000 applications. But before we dive into those two things, we need to define what the term architecture might imply.


Design network services that support application architecture.

Where I work, some people are the architects for the enterprise. That means they’re given a charge by management to find out what software and hardware can meet a company goal. We have Windows, Unix, network, and Oracle DBA architects. Suppose that one of the mandates was that the architects were to find out what the best high-level (H.323) videoconferencing system is, and then make a determination as to what software and hardware is required to make the system active and viable. Network changes might need to be wrought. New computers might be to be brought in, or training might have to take place so that the stakeholders, the owners of the new system, understand how it works. Likely, several components would be involved in bringing this new system online, not just one.


www.sybex.com

384

Chapter 9


That’s what the framers of the Windows 2000 infrastructure test are getting at when they put up an objective like “Design network services that support application architecture.” We need to look at the whole picture to figure out how best to support a given application. Some applications are fairly non-intrusive—meaning that they live on one box, they’re used by a handful of users, and they don’t get in the way of the enterprise, so to speak. Others are massive, requiring many hours of planning, conversation, and engineering to make sure they work correctly.

Designing Network Services to Support Legacy Applications This is most likely going to be the bone of contention for you and your stakeholders that will slow down your Windows 2000 deployment. Suppose that you have an application that’s used daily by hundreds of users. The application runs just fine on a Windows NT 4 server computer, though it has taken you a bit of fiddling to make sure it works correctly. You’ve gone through a couple of service pack installations and special registry hacks, but the app has proven to be rather non-error-prone and a very dynamic tool for your enterprise. You couldn’t live without it. But now you want to introduce Windows 2000 to the network. What sort of reaction do you think the owners of the legacy app will have when you tell them about your plans? My guess would be that they’ll want you to set up a test environment and rigorously test the application on the new OS before you even consider putting Windows 2000 into production. Back to the architecture drawing board. First you have to find out whether the company that wrote the software even supports it on Windows 2000 or, if your in-house coders wrote it, you need to find out from them whether they think the code will operate on the Windows 2000 OS. Maybe, but then again maybe not. I would guess that some applications—Web pages, for example—will not be allowed to be ported to Windows 2000 until coders have had a chance to adequately test their performance in a test environment before giving you the go-ahead to update the OS.


www.sybex.com


385

There are hardware considerations as well. Recently I purchased an HP CDWriter Plus so I can save my writing materials to CD. It’s an external box that plugs into a USB port. I didn’t realize that Windows 95 does not support USB so, while I waited until I got a chance to upgrade my computer to Windows 98, I plugged the device into my Windows 2000 server. The server saw the device just fine through the USB port and installed the Windows 2000 software driver for it, thinking it was just another CD. But I couldn’t actually install the software that came with the device and use it as a CD burner, because the software wasn’t written for Windows 2000. Checking the HP Web site revealed that the software wouldn’t be available, they thought, until several weeks later. Is there a chance that specialized hardware that runs just fine in your Windows NT 4 environment won’t work at all in Windows 2000?

I would say that there is a much higher chance of having to delay your complete Windows 2000 deployment if you have legacy apps that are complicated and used by lots of people. First, stakeholders are reluctant to migrate to a new OS just because it’s the cool thing to have, especially when the old OS works just fine. Second, there are millions of rabbit trails that you must go down when you’re figuring out how big applications work, and it’ll take some time to get all of the workarounds and special new methods in place before you can proceed. Moral of this story? In shops with legacy apps that are complicated to convert, plan on spending extra time re-architecting the app so it’ll work with Windows 2000 or maintaining legacy Windows NT 4 servers for the app. Now what does it mean to “Design network services to support applications”? Looking at the previous section where we detailed some of the network services, and thinking about enterprise applications you have in place today, can you think of network services in Windows 2000 that might give you a hard time? I can think of several, but one specific one that I have in mind is an application that needs to check the Windows NT 4 SAM for a user list. RAS server authentication software and enterprise fax software might both need to do this, right? But if you’re on Windows 2000 AD, how does this app check a user list? Answer: it doesn’t. This is the kind of thinking that you have to go through when considering legacy apps participating in a Windows 2000 network.


www.sybex.com

386

Chapter 9


Designing Network Services to Support New Applications Supporting new applications is much easier because you’re starting with a known infrastructure framework—the stuff has to run on Windows 2000. Exchange 2000, for example, is designed to run with the AD and, if you architect the computer it’s going to live on correctly, shouldn’t give you any problems. But imagine the huge training investment companies will have to make so that coders understand how AD works and is different from the old NT 4 SAM. What Kerberos is all about. How certificate services work. What role LDAP plays in a Windows 2000 environment. For independent, nonMicrosoft coders, it’s going to be a big paradigm shift. Some apps might port just fine; others will need to be completely rewritten. Being aware of the core network services that Windows 2000 provides will help you know whether a new application will play nicely in the new OS sandbox. I’d be very cautious of vendors who maintain that their code will live just fine on a Windows 2000 box when you can read the software package’s label and clearly see that it was written for Windows NT 4. I’d test this kind of code in a lab environment before putting it into production.

Design Scenario: The Call Routing Application Cisco Corporation recently purchased a company called GeoTel. This company writes call-routing software. The idea behind call routing is this: In companies that have large customer service centers with thousands of people on the phones answering customer queries, you must have some intelligence built into the call router so that the system knows when a queue is empty and can route a call to it. Conceptually, if you can make intelligent decisions and get calls to customer service people faster, hold times won’t be as long and neither will hangups, the bane of the customer service industry.


www.sybex.com

Planning for the Interaction of Windows 2000 Networking Services

387

GeoTel runs on Windows NT 4 server computers (SP5) against a SQL Server (6.5 SP2) database. These are high-end (Tier 1), multiple-processor computers with lots of RAM. Many computers are involved in a typical call-router design, plus lots of specialized telephony circuits and cards. When you purchase a GeoTel system, a great deal of the expense goes toward hiring contract system engineers from Cisco who know how to set up the GeoTel system and make it work. These people live with you for months while the project is kicked off, tuned, and made to run. What do you think? Do you think you could get Cisco and GeoTel to allow you to go in with a set of Windows 2000 computers instead? When we asked them about SQL 7, we were told that we’d have to wait for the next revision of GeoTel (version 5) before we could go to that version of SQL Server. Chances are highly probable that you won’t be able to get GeoTel on Windows 2000 servers until version 6 or better. But that’s the idea behind these apps—you have to check it out and ask those kinds of questions. Then, if the answer from the vendor is no, you must come up with some sort of legacy contingency plan.


T

he previous section leads us to our final section of this long chapter. How do you plan for the interaction of the new Windows 2000 networking services? How will AD work with the old Windows NT 4 SAM, for example?


Design a plan for the interaction of Windows 2000 network services such as WINS, DHCP, and DNS.


www.sybex.com

388

Chapter 9


You know what? I love questions like these, because they’re good at forcing you to probe deep into applications that you have running on your enterprise—applications you may have never considered before. I find that once you understand an enterprise application’s functionality, especially if it’s integrated with other systems (which is frequently the case), you can make some great design decisions about how to upgrade or migrate the application to make it work better. Plus, you’re on the ball when it comes to deciding whether an upgrade of the software is necessary. Some applications don’t ever need to be upgraded (at least not according to standard software product life cycles); others need routine upgrade. Understanding an enterprise app helps you understand its context on your network, which in turn will help you make good Windows 2000 deployment decisions.

Backward Compatibility with NT 4 Networks and NameResolution Services NT 4 networks will work just fine with Windows 2000. You can do one of two things when it comes to deciding what to do with legacy NT 4 networks: set up a trust relationship, or make the NT 4 box join the new domain. With member servers, the latter option might be the best; with PDCs and BDCs, you’ll need the trust relationship. Here’s how it works. Bring up your new Windows 2000 domain and configure it as you did in your initial Windows 2000 design. Set up AD. Now simply go into Active Directory Domains and Trusts for the domain you’re interested in participating with, right-click the domain you’re interested in, and select Properties. A window similar to the one in Figure 9.14 will show up; in the figure you can see that I’ve set up a trust relationship with an existing Windows NT 4 domain called FREELANCE. Windows 2000 DHCP servers must be authorized for AD. Windows NT 4 DHCP servers don’t have this kind of capability, but you can monitor their scopes from within the Windows 2000 DHCP program. Figure 9.15 shows that I’ve added a Windows NT 4 computer called nt-man to the list of DHCP servers that I’m monitoring from my Windows 2000 server. Figures 9.15 and 9.16 show the differences in the properties you can adjust for the two servers. The top server, 2000guy, is the Windows 2000 DHCP server, nt-man on the bottom is the Windows NT 4 server.


www.sybex.com


389

FIGURE 9.14

Setting up a Windows NT 4 trust relationship with a Windows 2000 server

FIGURE 9.15

Windows 2000 DHCP server adjustable properties


www.sybex.com

390

Chapter 9


FIGURE 9.16

Windows NT 4 DHCP server adjustable properties

The same is true of WINS servers. There is some added functionality in Windows 2000 WINS, namely the burst mode feature we spoke of earlier, but getting NT 4 and 2000 WINS servers to talk to each other is a piece of cake. They can act as replication partners with one another and can be manipulated from the same Windows 2000 WINS interface (found in Control Panel Administrative Tools). Figure 9.17 shows my 2000 server (2000guy) and NT 4 server (nt-man) in the Windows 2000 WINS interface. Notice that I have push/pull replication turned on between the two servers. FIGURE 9.17

Viewing Windows 2000 and Windows NT 4 WINS servers from the Windows 2000 WINS interface


www.sybex.com


391

The Windows 2000 DNS interface will not work with the old Windows NT 4 DNS. If you’re in an environment where Unix sources do DNS, the BIND version may need reviewed in order to support dynamic DNS. A primary zone running dynamic DNS can, however, talk to a secondary zone that isn’t doing dynamic DNS. Thus your Windows 2000 dynamic DNS servers could talk to non-dynamic-DNS-compliant BIND servers, though some re-architecting of the DNS environment may be needed. But I’d advise that if your Windows 2000 boxes were originally doing DNS, perhaps you should either move DNS to Windows 2000, or upgrade the DNS server boxes to Windows 2000 almost before any other boxes are done. That way you can take advantage of the new DNS. If AD is the heart and soul of Windows 2000, DNS is the bread and butter.

Design Scenario: Things Really Do Work If You Understand TCP/IP I was trying to get my Windows NT 4 server and my Windows 2000 Advanced Server to talk to each other so I could write these sections of the book. But I could not for the life of me get it to work. The trust relationship acted as if it went into place, but it would not activate itself. Something was clearly amiss. I couldn’t ping the Windows 2000 computer from the NT computer and vice versa. I don’t have a huge network—only four nodes—so it wasn’t like there was an infrastructure issue. I even went into work one day and asked a few of the others I work with about it; they had no clue either, but told me to go back and recheck DNS. Then one day it dawned on me. I was looking through DNS, no help there. WINS? No problems there. I couldn’t ping the boxes by name or number. I pulled up the properties sheet for my Windows NT 4 server. Doh! The subnet mask for my little 10.xxx.xxx.xxx network was a class B mask (255.255.0.0), not class A (255.0.0.0). As soon as I changed all the subnet masks to class A, I was able to nail up the trust relationship and could begin pinging all the other computers. I was able to manage both WINS and DHCP from Windows 2000. In new, highly complex systems, perhaps it’s the simple things that are the most likely to confuse you as you try to solve a problem.


www.sybex.com

392

Chapter 9


Pure Windows 2000 Networks and Name-Resolution Service Interaction Running name-resolution services, WINS, and DNS in a pure Windows 2000 environment will be easy to set up. But you could run into problems if you decide to implement some of the fault-tolerance or security features, such as encrypted zone transfer (via IPSec), for example, in the new DNS. Probably the best and wisest design scenario is to bring up your new name server services, get them running, and monitor them for incongruities or weaknesses. Then, when you’re sure you have things nailed, go forward with the security measure that you’d like to implement. Especially with Windows 2000, I think I’d take a phased-in approach to getting name services working correctly.

Designing a Resource Strategy

W

e arrive at the bottom of this chapter, having thought and talked about an awful lot about various network resources: WINS, DHCP, DNS, AD global catalog servers, LDAP, RAS, and Internet services, among others. Does your design plot out the various things you need to know about the resources involved in making these things happen?

Planning for Placement and Management of Resources


Design a resource strategy. Plan for the placement and management of resources.

Here are some examples of questions to think about in designing a resource strategy that will adequately handle the new network:

Are the computers you intend to use for the new purpose on the Windows 2000 HCL, and are they able to adequately handle the task?


www.sybex.com


393

Do you have enough displacement of computers? In other words, if your enterprise covers large geographic distances, do you have redundant computers to handle things like name server services and AD? You can handle the replication issues over slow links later on at deployment time, but you need to make sure you have the enterprise covered in terms of componentry at all hot spots.

Will geographically separated sites run RAS? If so, will their RAS servers be local to them or to you? If local to you, will you have a toll-free number?

What about the Web servers? Are they on a DMZ? Is there firewall protection for them? Will they participate in Windows 2000 (thinking that perhaps because they’re in a separate domain they might not need to, if there’s a fear about moving to the new OS)? What is the firewall protection like? If users need to use the intranet, where and how will they access it?

Will you have to support legacy applications and be backwardcompatible with Windows NT 4 servers for a time? If so, do you know how long? What about name server services—can you bring them up on Windows 2000 right away, or do you have to use legacy name server support for a time?

Which sites will have global catalog servers? WINS servers? DNS servers?

Will you use dynamic DNS and the various security methodologies that are supported in the new DNS?

How will you monitor events and provide alerting for yourself and other administrators when a component has a problem? Will you strictly try to use System Monitor? Will you try to implement a thirdparty EMS?

How will you handle design changes, both pre- and post-deployment? Do you think you can spot trouble spots before they become big flameouts? If so, what will your design-compliance strategy be?

All of these questions (and I’m sure you’ll come up with dozens or hundreds more) come into play when you begin to consider the placement of network services resources on a Windows 2000 network. Making sure the TCP/ IP design works and is solid will go a long way toward helping you get the answers you need to the above questions. Trying to figure out something that


www.sybex.com

394

Chapter 9


you think is a network services problem, when in fact you have a TCP/IP issue, will not be a happy time in your deployment life. Weak WAN circuits need to somehow be dealt with. The Microsoft literature mentions ways that you can work around weak links, and that’s fine; I understand why you might have to. Companies are not often in the habit of upgrading WAN links just because you say they need to be upgraded— they’re expensive! But a Windows 2000 design, with all of this network services activity taking place across many different servers in different locations, might require that you take another look at the WAN connectivity and spruce it up before you go forward with the rollout. The people resources required in order to manage these various network services servers might present another problem to you. For example, you know that you’re probably going to have to place a second DNS box out in your Johannesburg, South Africa, site. But you don’t have any skilled Windows NT or Windows 2000 administrators there who can help troubleshoot the computer if it has a problem. You have some junior people there whom you could work with over the phone, but they’re 10 hours away from you in Kentucky, and you’ll be working in the middle of the night!

Design Scenario: Remote Possibilities for Johannesburg In addition to connecting to the Johannesburg DNS server using the DNS MMC snap-in, I have three other methods you could use to work on the above problem. The first would be to install SMS 2 and use Remote Tools to remote into the South Africa computer. This works well over marginally slow links, and you’ll have no problems with it, but SMS has a big learning curve if you haven’t used it before. Second, I’d consider a freeware product available through AT&T called VNC (Virtual Network Computing). This handy product installs on servers and runs as a service. You then RAS in to the network, open your browser, type in http://computer_name:5800 (connecting to the computer you want to connect to on port 5800), supply a password, and you’re in remote control land. It works wonderfully, my administrator buddies are smitten with it, and you’ll like it if you try it. (The URL for the VNC software is www.uk.research.att.com/vnc.) Third, you could consider a Windows Terminal Server (WTS) computer local to the network where you want to run the admin software. You’d RAS into the network you wanted to administer, then bring up the WTS client software, and away you go.


www.sybex.com


395

Planning for Growth Not only do you have to plan for the initial placement of resources, you must also plan for the growth of various sites.



Plan for growth.

Certain sites are probably going to be more prone to growth than others. If you could somehow figure out what those sites might be ahead of time, you could allocate additional resources to those sites in anticipation of that growth.

Planning for Decentralized or Centralized Resources Decentralized resources that are geographically far away from one another present a unique challenge. You might have administrator problems (either by virtue of not having any administrators in the remote site or not being sure of who the administrator is), and you might have connectivity issues with slow or nonexistent WAN circuits. You can use Windows 2000 dial-up connections to provide RAS connectivity between sites. The more subjective problem might be pinpointing and solving the administrator issues.




Centralized resources are easier to plan and manage, but unless you have great WAN connections to outside sites, users will become frustrated with the slowness associated with trying to use the resources. A decentralized model is hard to administer but easier on users, while the opposite is true with a centralized model. This, of course, has everything to do with the speed


www.sybex.com

396

Chapter 9


of the connecting WAN circuits (if any). Windows Terminal Server is a great workaround to some of the problems associated with a centralized methodology, because users RAS in with their own computers and run the applications they need from centralized servers. You might encounter other issues, such as the placement of DHCP and DNS servers. Slow WAN circuits, lack of administrative resources, and the need for redundancy and backups might force you to design in added servers at other sites. Then the question becomes: Who’s going to manage these new resources? In a centralized environment, you would handle that chore. In a decentralized environment, somebody else might have to.

Summary

W

hew! Big chapter, huh? There was a lot of information to cover here. Our thoughts and goals are still on the modification and design of various components of the Windows 2000 network. Specifically in this chapter, we were drilling in on Windows 2000 networking services. This chapter started by taking a quick overview of Windows 2000 networking services. TCP/IP is the big-dog protocol in the new OS; AppleTalk, NetBEUI, and NWLink are still supported for RAS, but the big protocol is TCP/IP. It has to be, because today Active Directory uses it, no to mention that there is so much Web integration that we could not get along without it. RAS components are greatly enhanced with the addition of protocols like L2TP, EAP, and BAP. RADIUS is also supported in Windows 2000. Next up were the two routing protocols included with Windows 2000. The legacy routing protocol that started in the Windows NT 4 server world was the Routing Information Protocol, and it’s included in Windows 2000. But the more exciting inclusion (that was also supported with NT 4 RRAS) is a worldwide standard routing protocol, Open Shortest Path First (OSPF). Does this mean that smaller shops can forego the purchase of an expensive dedicated router? Maybe. I also talked about a new feature with Windows 2000 Internet support, Connection Sharing. Connection Sharing provides very basic name server services and acts as a Network Address Translation (NAT) device, translating internal IP addresses to those used on the public Internet and vice versa. Another objective was to talk about the network topology. I started by defining what we meant by a topology and defined the star, ring, and bus


www.sybex.com

Summary

397

topologies. But a topology is more than its physical description; it also consists of a logical description as set down by the IEEE. IEEE 802.3, for example, describes the Ethernet standard. In talking about topologies and their support (especially when considering a new Windows 2000 deployment), we discussed the cable plant and how important it is, especially its backbone. We also discussed dealing with older topologies and with disparate topologies (such as Token Ring and Ethernet). The chapter then presented a discussion of designing a strategy for monitoring and managing various network services. The network services that we were interested in specifically include the AD global catalog, LDAP, Certificate Services, name-resolution services, Internet and RAS services, and Dfs. All of these services have three criteria that need watching: events and alert notification, anticipating design changes, and verifying design compliance. Next we discussed the support of application architectures. I defined what is meant by architecture: the sum total of the hardware, infrastructure, software, and management resources needed to make an application come to fruition and work well on a daily basis. We also discussed how to support legacy apps and what to think about with new apps. The chapter covered name server services and how legacy Windows NT 4 networks integrate with new Windows 2000 nets, and some ideas about managing new Windows 2000 name server services. Finally, we talked about a resource strategy and presented a list of important questions to ask when considering the inclusion of various Windows 2000 networking services in a network.

Key Terms These terms are important for understanding Windows 2000 protocols and network services. Some terms will undoubtedly be common to you while others might be new and unexpected. active/active cluster active/passive cluster canonical name common name domain component (DC) failback


www.sybex.com

398

Chapter 9


filtering rule global catalog server infrastructure master interclient state Internet Authentication Services (IAS) intraclient state Network Load Balancing (NLB) organizational unit (OU) partial replicas relative distinguished name topology user principal name (UPN)


www.sybex.com

Review Questions

399

Review Questions 1. Your three-domain Windows 2000 deployment has a domain control-

ler in each domain. You establish a global catalog server in one of the domains. What function will the other domain controllers serve, in terms of updating the global catalog? A. Infrastructure master B. Intranet master C. Extranet master D. Partial replica 2. There are two different methods of implementing a two-computer

cluster. What are they? A. Shared storage B. Separate storage C. Shared network cards D. Separate network cards 3. What key feature allows you to send Windows 2000 DNS data across

public environments such as the Internet? A. Public key encryption B. Dynamic DNS C. Secure zone transfers D. Recursive forward lookup 4. You have a set of clustered servers running some applications. The

servers each have separate IP addresses but a common logical name. What method does DNS use for forwarding requests to such an application server setup, either round-robin or by prioritized list? A. Cluster load balancing B. Server clustering C. DNS load balancing D. Recursive forward lookup


www.sybex.com

400

Chapter 9


5. Your WAN uses SONET. What kind of topology does this use? A. Bus B. Star C. Modified star D. Ring 6. There are two methods of configuring the method that server clusters

will use to communicate with the nodes in the cluster. What are they? A. Shared storage B. Separate storage C. Multicast mode D. Unicast mode 7. Only a small portion of the entire Active Directory database is repli-

cated from an infrastructure master to the global catalog server. What are these tidbits of information called? A. Partial replicas B. IM fractals C. Periodic updates D. AD components 8. A certification authority (CA) server issues certificates to users on the

network. What cryptographic methodology does this service use? A. PGP B. CHAP C. PK D. MS-CHAP


www.sybex.com

Review Questions

401

9. Instead of using PPTP, you could use the Layer 2 Tunneling Protocol

(L2TP) to set up an encrypted VPN session over the Internet to your internal servers. What protocol does L2TP work hand-in-hand with? A. PPP B. RRAS C. IGRP D. IPSec 10. You have a very small network of just a few users. You want to set

them up on the Internet. What one Windows 2000 component will handle name-resolution and NAT services for you so you don’t need multiple computers for the job? A. Proxy server B. Connection sharing C. Internet authentication services D. CA Hierarchy 11. What are the two stateful connections you might encounter in a cluster

implementation? A. Interclient B. Interserver C. Intraclient D. Intraserver


www.sybex.com

402

Chapter 9


12. You work for a company that has offices in New Zealand, Hong

Kong, and Los Angeles; you’re based in the L.A. office. The offices are connected together by slow WAN links. What would your resource strategy revolve around? A. Decentralized resources B. Centralized resources C. Connection-sharing resources D. DCOM object resources 13. What are three details you should keep in mind when planning your

network services in your new Windows 2000 network? A. Events and alert notification B. Log file settings C. Redundancy of servers D. Anticipating design changes E. Verifying design compliance F. Legacy network backward compatibility


www.sybex.com


403

Answers to Review Questions 1. A. A domain controller that is not designated as the global catalog

server automatically takes on the role of infrastructure master; there is only one infrastructure master per domain. They upload and download changes with the global catalog server. 2. A, B. If you set up a RAID tower that both servers hook to, you can

then set up a cluster that includes the two computers. When the primary server fails, only the server operation is failed over to the new computer. In a separate storage environment, you’d have two computers, each of which had its own RAID storage. When the first computer failed, all of the information on the RAID storage would have to be transferred as well in order for the data to be picked up by the new computer. Much more time would be used up in failover with this second method. 3. C. A secure zone transfer using the new IPSec protocol will make this

happen. 4. B. You’re using a process called server clustering. 5. D. Switched Optical Network (SONET) is a form of ring topology. 6. C, D. When you configure server clustering, you’re asked what mode

you’d like to use to communicate with the other nodes. Multicast mode changes the MAC address on the computer’s NIC and then allows it to communicate simultaneously with all the nodes in the cluster. This may be a problem for NICs that don’t allow the updating of their MAC address. Unicast mode requires that each node in the cluster have two NICs, one for client access to the node and one for the cluster computer to be able to talk to the other nodes in the cluster. 7. A. By deliberate design, not all parts of the Active Directory database

are uploaded to the global catalog server when there are changes. Such a thing could use serious bandwidth on the network. Instead, just key pieces of data are uploaded, called partial replicas.


www.sybex.com

404

Chapter 9


8. C. CA servers use public key encryption. 9. D. In order to use L2TP, you can also use IPSec. 10. B. Connection sharing acts as a NAT device and provides elementary

name server services for small networks. 11. A, C. The first connection state you might see is an interclient state

where several clients may be simultaneously updating one system. The second, an intraclient state, happens when one client goes across several systems to accomplish some transaction. 12. A. Slow WAN links mean only one thing—distributed resources. That

may open up a whole can of administrative worms, but name server services are much better served by drawing local resources than by tying up WAN circuits. 13. A, D, E. The other answers certainly are good things to keep in mind,

but the things to watch out for as you plan your Windows 2000 network services environment revolve around how the system will alert you with a problem, the contingency plans you’ll have for growth, and the way that the design gets deployed and is complied with after deployment. The last item—design compliance—may present the most difficult challenges.


www.sybex.com

The Multinational Winery

405


Background You work for one of the largest wineries in the world—Old Vines Wine. Old Vines has vineyards in California, Washington, Italy, France, Germany, and Argentina. Additionally the winery has wine preparation facilities in Napa Valley, California, Sonoma, California, and southern France. The vineyards have an average of five employees, only two or three of whom use computers. Each of the wineries has about 100 employees, most of whom use computers. All computers running anything other than Windows 2000 Professional will be upgraded (or if too old, replaced and then upgraded). You had an old Invisinet network in one winery, but management has opted to scrap any old legacy network and go forward with a new network that would connect their holdings together. Your charge as a contract network architect is to create a new network that will allow, at a minimum, for the three wineries to interconnect, and ideally for the vineyards to have the capability of connecting as well. The current system consists of an old 10Base-2 Invisinet system that you’re going to scrap. You’ll rip out the old coaxial cable and replace it with Category 5 Ethernet cable.

Problem Statement The main problem is that you’ll only have one administrator working for Old Vines, in their main Napa Valley office. She cannot possibly handle the network administration for the entire enterprise. A second problem is that you need to suggest to the winery some enterprise application that will allow them to track inventory and financials.

Envisioned System Overview You’ve taken your proposal to the CEO of the winery. You suggest a series of servers installed at the Napa, Sonoma, and southern


www.sybex.com

CASE STUDY


Chapter 9


France offices, with RAS interconnection for the vineyards. You’ll run Terminal Services in the southern France office for the European vineyards that need to connect and work on the financials software. You’ll also have a WTS box in the Napa office for the remainder of the vineyards. The users that are WAN-interconnected will be able to connect to the financials and inventorying package over the WAN. You’ll use, of course, Windows 2000 for your OS. You also present the plan to your manager.

CASE STUDY

406

CEO “I have no idea what you’re talking about. But you came highly recommended and I trust your judgment.” Manager “Looks like a good plan. I’m a little concerned about the WTS thing. Do you think it might be better to put a server at each vineyard?” Funding The design will be expensive, especially the Napa–southern France frame relay connection. Your design includes top-quality, HCLcompatible, known good hardware for the servers. You design in several fault-tolerance measures. The CEO says, “I’m not so much interested in how much you spend as how well you design the network. Unlike a fine wine, I’m sure networks don’t get better with age. I’d rather spend a little more now to make sure it’s upgradable and enhanceable in the future.”

Security You’ll set up AD and have the Napa office be the global catalog server. You’ll train the administrator in Napa how to add users. She says, “Is this setup going to be secure so that people from the outside cannot get in and look at our data?”

Availability Because of the worldwide aspect of this deployment, you need the servers available 24×7. The CEO tells you, “Don’t forget that our people in Germany are eight hours ahead of us! This system needs to be available for them.”


www.sybex.com


407

Overview The administrator has read a little bit about Windows 2000, and she’s somewhat intimidated by its size and complexity. She wants to be able to assure her boss that she can maintain problems that go wrong. CEO “Make sure you train her on what you know.” Administrator “I’ll take some classes. Will you be available on a call-out basis if we need you?”

Performance Overview Your biggest concerns are the European RAS circuits. You know nothing about European telephony, and you’re not certain how reliable they are. You’ll recommend to Old Vines that they purchase as fast a WAN circuit as they can afford between their various sites, and you’re comfortable with that. But you’re not sure whether to forge ahead with the RAS/WTS solution or consider a dedicated server at each site with a WAN connection to each. CEO “Whatever you decide, if it’s reasonable, we’ll do it. I want to be sure that my people can communicate with one another and use the applications.” Administrator “I really think we should consider dedicated circuits to each site. I know it’s more servers to maintain, but I’d feel more comfortable.”

Questions 1. Which way should you go with the deployment—RAS or dedicated

servers connected by WAN circuits? A. RAS B. WAN


www.sybex.com

CASE STUDY

Maintainability

CASE STUDY

408

Chapter 9


2. Look at the chart below. From the task lists on the right, create a tree

that includes the tasks you’ll undertake for setting up the winery servers and the vineyard RAS connections. Task Categories

Tasks

Name Server Tasks

Install and configure DNS

Telecommuting Tasks

Configure and enable RRAS

Windows 2000 Tasks

Purchase, configure, and install servers and RAS hardware Provision European telephony circuits for RAS server Provision American telephony circuits for RAS server Install Windows 2000 Install and configure WINS Assign global catalog Configure Terminal Server Procure and install inventory and financials application Install and configure AD Train RAS users

3. Where should the global catalog server(s) be located? A. Napa B. Sonoma C. Southern France D. All three E. Napa and southern France


www.sybex.com


409

VPN solution be a good alternative for setting up your vineyard users? Use the chart below to order the steps you’d take in setting up a VPN for the vineyards. Step

Step Meet with users at each vineyard; determine a viable ISP for each Configure user computers for VPN connectivity Provision a corporate ISP for Napa office Test connectivity Install and configure L2TP and IPSec on servers

5. If you go forward with the VPN approach that you detailed above in

question 4, could you use the VPN for secure DNS zone transfers? There may be more than one correct answer. A. Yes, you could, but you’d have a more difficult time setting it up. B. Yes, you could, but you’d need connectivity with the winery

offices. C. No, you could not do this because you have no DNS server. D. No, there’s really no point in doing this.


www.sybex.com

CASE STUDY

4. OK, so you don’t like either the RAS or the WAN design. Would a

CASE STUDY ANSWERS

410

Chapter 9


Answers 1. A. With only two or three users at each winery, it’s not worth your

while to put a dedicated server out in the field. You’re better off installing RAS on the main servers and having users RAS in and use WTS. Yes, there’s a training component there, but if you put a dedicated server in each site, your poor administrator might have a very difficult time troubleshooting them when and if they break! 2. See chart below.

Task Categories Name Server Tasks Install and configure DNS Telecommuting Tasks Provision European telephony circuits for RAS server Provision American telephony circuits for RAS server Purchase, configure, and install servers and RAS hardware Configure and enable RRAS Train RAS users Windows 2000 Tasks Install Windows 2000 Install and configure AD Configure Terminal Server You don’t use “Install and configure WINS.” Why not? We’re starting from a Windows 2000 baseline and don’t need WINS (though if you had legacy apps requiring WINS you may find yourself needing it). Also notice that the step to “Configure and enable RRAS” didn’t include the “Install” piece. Why? Because RRAS is a done deal with Windows 2000—only configuration is necessary.


www.sybex.com


411

server in Sonoma. However, it would benefit you to have a global catalog server in both your European and Napa office. 4. See chart below.

Step Provision a corporate ISP for Napa office Meet with users at each vineyard; determine a viable ISP for each Install and configure L2TP and IPSec on servers Configure user computers for VPN connectivity Test connectivity 5. C, D. First, you have no DNS servers at the vineyards, so there’s no

point in trying to do secure zone transfers over VPN circuits to users. So, there’s no point in thinking about this. Use your WAN circuits for DNS zone transfers. Wrap-up: All in all, even though the administrator sounds as though she’s afraid of what you’re suggesting, this kind of network is used every day by thousands of people. WTS works just fine and is perfectly appropriate for geographically distant users who need to access applications over RAS. No, it’s not the fastest connection in the world, but then again, it doesn’t have to be; these are vineyard caretakers, not coders! The Windows 2000 deployment will be very small and very smooth. You’ll exchange name server and AD information with your Napa, Sonoma, and southern France domain controllers, and everyone will be happy.


www.sybex.com

CASE STUDY ANSWERS

3. E. With quality WAN circuits, you shouldn’t need a global catalog

Chapter

10

Designing TCP/IP into Your Network MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Design a TCP/IP networking strategy.

Analyze IP subnet requirements.

Design a TCP/IP addressing and implementation plan.

Measure and optimize a TCP/IP infrastructure design.

Integrate software routing into existing networks.

Integrate TCP/IP with existing WAN requirements.


www.sybex.com

I

said in the previous chapter that TCP/IP is the king of theWindows 2000 world. Do you have a pretty thorough understanding of TCP/IP? It’s good if you do, because you’re going to need it. If you don’t, then you need to hunker down and get yourself very familiar with it. This chapter is about TCP/IP—coming up with good subnet designs, knowing how your infrastructure looks, and how your network should logically be segmented. I’ll first give a very brief overview of the advantages you’ll have with Windows 2000 TCP/IP, then we’ll segue into the good stuff and talk about practical applications of what you’ve learned. My experience with TCP/IP has shown me that it’s a lot like tying fishing flies. It looks very easy, but putting it into practice is a whole ’nother story.

The Advantages of Windows 2000 TCP/IP

T

here are a few extremely good reasons to consider Windows 2000 for your main network OS and as a replacement for the TCP/IP functions that you may have originally had Windows NT 4 or Unix doing. Let’s list some things that are new to Windows 2000 to see whether you, too, think they’re worth the change:

Perhaps the biggest change is the introduction (beginning with Windows 98) of Automatic Private IP Addressing (APIPA, pronounced “uh-peep-uh”). This is somewhat similar to DCHP in that an IP address is automatically assigned. The difference is that this feature kicks in when there are no DHCP servers to service the IP address requestor. No other configuration information apart from the IP number and subnet mask are supplied, so this is essentially a poor man’s DHCP, but it’ll do in a pinch. Please note that the 169.254.0.1–169 .254.255.254 set of addresses is used for APIPA and no others. This is a completely non-configurable thing.


www.sybex.com

The Advantages of Windows 2000 TCP/IP

415

This feature is surely going to cause you more trouble than it’s worth, because users will, for one reason or another, be unable to connect to the DHCP server. The user will gleefully (and unknowingly) pick up an APIPA number. The problem is that APIPA works with a standard Class B subnet mask of 255.255.0.0, and you probably won’t be using that subnet mask or that IP range, so your users won’t be able to talk to anything anyway.

Windows 2000 supports filtering of specific TCP/IP protocols. Don’t like users coming in to a box on port 80? Filter it out.

Windows 2000 also supports encryption over TCP/IP using IPSec or MPPE connections.

Windows 2000 supports large TCP windows. The more packets that go out over the wire before the receiver has to send a positive acknowledgment, the faster things will move along due to increased performance. This is called TCP Windows, and Windows 2000 supports larger TCP windows than earlier versions.

Another feature that wasn’t part of NT 4 is TCP Selective Acknowledgment (TCP SACK). The receiver can determine which data is actually missing and request a re-send of only that data. This saves much retransmission time.

Windows 2000 computers running RRAS can automatically find routers, even if they have no entry for a default gateway, by virtue of ICMP router discovery (RFC 1256). Although you’ll probably configure a default gateway with your RRAS DHCP addresses, in the event you don’t, ICMP discovery will handle retrieving that missing information for Windows 2000 computers coming in over a RAS line.

You can disable hosting NetBIOS over TCP/IP; this is especially relevant for proxy servers and firewall hosts. This is a security feature, because it keeps NetBIOS names from being available to edge servers that participate in internal/external Network Address Translation (NAT)-type work.

So there’s a lot that’s new in the Windows 2000 TCP/IP world, and a lot that’s old—or at least old hat to people who have been around TCP/IP for a while. Is that you, or are you a newbie to TCP/IP? Either way, it will pay you


www.sybex.com

416

Chapter 10

Designing TCP/IP into Your Network

to go on, review the upcoming sections, and make sure that your TCP/IP skills, especially in the area of subnetting, are everything they’re cracked up to be. You’ll be tested extensively on your ability to analyze a subnetting situation and make a comprehensive recommendation. Now that we’ve reviewed some neat stuff new to Windows 2000 TCP/IP, let’s see if we can put it to practical use.

Analyzing IP Subnets

W

hat exactly is a subnet anyway? It seems that you can have awfully large subnets, even though the subnet masks that you sometimes work with only allow a few hosts. How does this whole subnetting thing work, and why is it so confusing?


Design a TCP/IP networking strategy.

Analyze IP subnet requirements.

Design a TCP/IP addressing and implementation plan.

Measure and optimize a TCP/IP infrastructure design.

Well, let’s first start off by saying that the concept of TCP/IP subnets is pure genius. The framers of TCP/IP (Douglas Coombs of Purdue was one of them) were brilliant mathematicians and logicians to figure this whole thing out. I’ll begin with some basic stuff and see if I can really complicate it.

Subnetting Principles To use TCP/IP, you must understand its various classes; Table 10.1 lays out the various network numbers in each class. Class A ranges from 1.x.y.z to 126.x.y.z (127 is reserved for loopback diagnostic testing and will never be given out). There is also a private reserved range, 10.x.y.z, that will never


www.sybex.com


417

be allowed on the Internet and that you can use in your private network. The standard Class A subnet mask is 255.0.0.0. Obtaining a Class A network number from an ISP or Internet authority would provide your company with more than 16 million TCP/IP numbers! Problem is, there are no Class A addresses left that will work on the public Internet. So, if you need the kind of granularity that a Class A network address provides, nowadays you’re forced to use the 10.x.y.z number, which grants you the same 16 million+ IP numbers and heavyweight subnetting capabilities that you’d have with public addresses. You can dole these out as private IP numbers any way you like, as long as they never see the light of the Internet day. TABLE 10.1

Available Network Numbers by TCP/IP Class

Class

Public

Private

Standard Subnet Mask

A

1.x.y.z–126.x.y.z

10.x.y.z

255.0.0.0

B

128.x.y.z– 191.x.y.z

172.16.0.0– 172.31.0.0 (also, 169.254.0.0 reserved for APIPA)

255.255.0.0

C

192.x.y.z– 223.x.y.z

192.168.0.0– 192.168.255.0

255.255.255.0

Second, Class B ranges from 128.x.y.z to 191.x.y.z. You can use 172.16.0.0–172.31.0.0 as your private Class B range, because it too will never be allowed out on the Internet. A single Class B network number provides you with 65,534 IP addresses. If you choose to use the entire private range (172.16 through 172.31, along with a standard Class B subnet mask), you’ll have more than 1 million numbers.


www.sybex.com

418

Chapter 10


Remember the special Class B network number, 169.254.0.0, used for APIPA. Test questions will undoubtedly try to sneak this network number in on you.

Third is Class C, ranging from 192.x.y.z to 223.x.y.z. Each Class C network number can fit you with 254 network addresses you can use for printers, servers, users, and what have you. If you choose to use the entire private suite of Class C numbers (along with a Class C subnet mask), you’ll have 65,534 numbers at your disposal. Now the question is: What size is your company, and what size do you think it will grow to be? Do you work for a company of, say, 5,000 client computers? If you were to somehow obtain a regular Class B network number (from either your ISP or an Internet authority), you could use 65,000+ numbers. But you might tell me that you’ll never live to see the day that your company grows beyond 6,000 clients, let alone 65,000! You don’t need all those numbers—they’ll go to waste. On the other hand, at 254 numbers per Class C address, you’d need about 20 of those standard Class C network numbers to give you enough IP addresses to work with for all your users, printers, routers, switches, and other gear. They’re expensive to obtain and keep, plus they’re not widely available anymore due to the rush of people getting on the Internet these days. So, there’s got to be a better way… and there is. All you really need to put your company on the Internet is to obtain four, solitary Class C addresses (not an entire range of addresses such as 192.168.y.z, but a few addresses— for example, 192.168.13.23, .24, .25, and .26) from your ISP. Your ISP’s router uses these as pointers to you for any requests that are destined for your company. You have a router that has one of the external IP addresses you’ve been given. The router points to a firewall, which has the second address, and the firewall points to a proxy server with the third address. The firewall keeps out unwanted hacker traffic. The proxy server can filter both incoming and outgoing traffic. Figure 10.1 shows what this setup looks like.


www.sybex.com


FIGURE 10.1

419

A conventional TCP/IP connection from an ISP to a business Request destined for you comes in to your ISP. The ISP’s DNS server has an entry that points to your router for any requests that pertain to you. Public part of network

Outsider

ISP

ISP’s router

Your router (ISP-supplied Class C number)

Private part of network

Your firewall (ISP-supplied Class C number)

Public IP address

Private IP address

Your users

Your proxy server (one NIC has an ISP-supplied Class C number and one has an internal number) This is where your network separates from public to private and vice versa.

Note that the router typically would have an Ethernet cable coming out of it going into a hub or a switch. All requests for your network would be programmed on the router to go straight through to the firewall. The firewall may or may not have two network cards in it (depending on whether it’s a hardware firewall), but it in turn points your proxy server. Your proxy server is dual-homed, with one NIC on the private network and one on the public. The proxy server acts as a NAT device that can take your internal IP numbers (never ever to be put out on the Internet) and make the requests look as though they came from a public IP number. Your users are protected, because none of the internal IP numbers are revealed. The private part of the network stays private, and the public goes on being public. This whole setup, depending on how many NICs you’ll have in the various public devices, will require three or four IP numbers from an ISP, making it much cheaper and easier to manage than obtaining several valid Class C network ranges. You just don’t need ’em.


www.sybex.com

420

Chapter 10


Well, you have this setup working; now what about your inside users? It’s simple, really. Just pick one of the private TCP/IP network number ranges (probably the Class B range, in this company’s case) and begin to use them instead of public IP addresses. The proxy server and firewall will handle the security and NAT-ting of the users, so you have that covered—but then it really gets interesting in terms of subnetting. Let’s say, just for simplicity’s sake, that you have only one geographic location and no WAN connections to other sites that you have to worry about. You have this huge private network number, 172.16.0.0–172.31.0.0, which gets you 1,048,576 IP addresses you can use any way you like. There are several ways that you could disperse these numbers in order to logically segment the users. For example, suppose that your accounting department would get one block of numbers, your sales people another, and so on, as in Table 10.2. TABLE 10.2

Sample IP Segments Group

Network Number

Servers/Printers

172.16.1.z

Marketing

172.17.1.z

Sales

172.17.2.z–172.17.4.z

IT

172.17.5.z–172.17.6.z

Accounting

172.18.1.z–172.18.2.z

Assembly/Manufacturing

172.19.1.z–172.19.4.z

We’re assuming here that the subnet mask is 255.255.0.0 for all users, making it a nice, flat TCP/IP implementation, and that we have a router serving as an intermediary between these networks. (Without a router, none of the networks could communicate with one another.) In this demonstration, you’ve allocated 254 IP addresses for servers and printers, another 254 for your marketing folks, about 700 for the sales people, about 500 for the IT people, and so on. It doesn’t take much to extrapolate how you’d fit in the


www.sybex.com


421

rest of your company into this design. You’ve done some very basic rudimentary subnetting. If you were to add a second network on the other side of a WAN connection, your drawing wouldn’t differ much from Figure 10.1 You’d have to add a second router (all WAN connections require two routers, one on each side), but you’d probably divvy up the network numbers in much the same way as in Table 10.2. Figure 10.2 shows what this network might look like; here you can see that users in Network B have to pass through two routers to Network A, then through the proxy server and the firewall if they need to get out onto the Internet. That sounds like a lot of traveling, but if the WAN connections are OK, it’s really no big deal. Thousands of networks are set up exactly like this. FIGURE 10.2

Adding a second network to the system Public part of network

Outsider

ISP

ISP’s router

Your router

Firewall Public IP address

Private part of network Private IP address

Your proxy server

Your users Network A

Your users Network B

The problem with either of these setups is that they’re too flat. Everybody’s on one big, flat network. There’s a lot of broadcasting going on, and though most internetworking specialists don’t allow routers to forward broadcasts, there’s still a lot going on within either network.


www.sybex.com

422

Chapter 10


So what do you do about this? Or do you actually need to do anything about it? You probably do need to attend to this situation, trying to cut down the number of broadcasts. You can do this by using subnet masks to logically segment your network in a more granular fashion. Suppose that you’re going to use the same Class B private network numbers, but you’re going apply some unique subnet masks. You settle on 172.20.y.z as the network number of choice. If you choose not to apply the 255.255.0.0 subnet mask and instead opt to apply 255.255.240.0, you’ll only be allowed a range of 16 network numbers with your starting point number. Here are the allowed network numbers you could use with this particular subnet mask:

172.20.0.z–172.20.15.z

172.20.16.1–172.20.31.254

172.20.32.1–172.20.47.254

172.20.48.1–172.20.63.254

172.20.64.1–172.20.79.254

and so on, to the last range: 172.20.224.1–172.20.239.254

You could put Network A in the first network range and Network B in the second. You’ve logically segmented your users into categorical groups—subnets. When broadcasting goes on within a subnet, it doesn’t leave that subnet. Because routers don’t forward broadcasts, you’re effectively keeping the network traffic within a specific group isolated from another group. You could apply even more granularity than this—putting servers and printers in the 172.20.0.z–172.20.15.z subnet, marketing in the 172.20.16.z–172.20 .31.z subnet, and so on, effectively isolating individual groups from one another’s broadcast traffic. This is provided, of course, that you’re using the 255.255.240.0 subnet mask. You have a problem with all this special subnetting, though. DHCP is broadcast-based. If you have a DHCP server on the 172.20.16.z subnet and a marketing person trying to get a DHCP lease from the 172.20.32.z subnet, it won’t happen! The 255.255.240.0 subnet mask keeps the marketing folks from broadcasting to the servers. How could you counteract this? You’d handle this with a DHCP relay agent computer on each subnet that needed to participate in DHCP.


www.sybex.com


423

Alternatively, you simply set up a private Class A network, using a separate number for each physical network and a 255.255.0.0 mask. This would also effectively isolate each network from the other. It’s easier to set up, and much neater to implement.

Design Scenario: Flat Vs. Specialized Subnet Masks If you opt for a design like this, you’ll have to be really careful to make sure that you implement valid specialized subnet masks on each network and not use a flat subnet mask. I once ran into a problem where a company had implemented some special subnet masking such as this. On Network A, they put the correct special mask into place. But on Network B, they made a mistake and set up a plain, flat Class B mask. This made the Network B clients figure that they were a part of the entire network, while the Network A clients were effectively isolated. (When I say clients in this context, I’m not talking about users—I’m talking about client software.) This didn’t seem to create a whole lot of problems (that we were able to absolutely put our fingers on), but when we brought SMS 2 in, it was very clear that there was a problem. SMS clients in Network B (the one with the flat mask) appeared to alternately decide to join the SMS site in Network B, then the one in Network A, then the one in Network B, and so on. The best way I could describe the SMS clients would be to say that they were confused and were never really sure which site they were to join. If you implement some specialized subnet masking (a perfectly normal and fine thing to do, by the way), please remember that the mask needs to be carried forward on all networks.

Advanced Subnetting In the early days of TCP/IP, a router wouldn’t support an unusual subnet mask like 255.255.240.0. You had to go with standard flat masks. But then came along the advent of Classless Inter-Domain Routing (CIDR) and Variable Length Subnet Masks (VLSM) for routers. Single subnet mask networks


www.sybex.com

424

Chapter 10


are called class-based networks. In a class-based network, you can only run one subnet mask on the network, as in the example earlier in the previous section.

RFC 1518, 1519, and 1878 present more information on CIDR (pronounced just like the autumn drink—cider) and VLSM.

But suppose you wanted to use the 255.255.240.0 subnet mask on one network and 255.255.192.0 on the other? Older router protocols would not support multiple subnets. The Routing Information Protocol (RIP) version 1 was an example of an older routing protocol that couldn’t support multiple subnet masks and hence wouldn’t be useful in today’s complex IP environment. Routers that support CIDR or VLSM—those running RIP version 2, Border Gateway Protocol (BGP), or OSPF—allow you to run multiple subnet masks on a network. Why would this be useful? Well, to see that we need to take a look at what I’d call the “subnet mask ruler,” as shown in Figure 10.3. FIGURE 10.3

The subnet mask ruler More hosts

255

.

More subnets

0

.

0

.

0

You can see that there is some sort of TCP/IP axiom at work in this illustration. If your network were to use the 10.x.y.z reserved network number (the one that’s not allowed out to the Internet), you’d have a wide variety of choices for subnet masks. The farther to the left of the ruler you go, the more hosts you add; the farther to the right, the more subnets you create. Suppose that, as in Figure 10.2, you have a couple of networks connected by a WAN circuit. Let’s now further assume that 4,300 of your 5,000 users are in Network A, the remaining 700 in Network B. Looking at the subnet mask ruler, you can see that if you choose a subnet mask using fewer bits (subnetted on the first or second octets), something like 255.255.0.0 (a Class B mask running on a Class A network), you’ll get more hosts—more bang for the buck. But if you want more subnets, you use a subnet mask that’s farther to the right of the ruler (subnetted on the second or third octet) and generate more subnets. Use lots of subnets where you need to distinguish


www.sybex.com


425

between various entities, and lots of hosts where you don’t particularly care about geographic or business class segmentation and where you’re more interested in keeping everybody within the same TCP/IP pool.

Designing a TCP/IP Implementation When we talk about TCP/IP implementations, generally we’re talking about something more than a flat little network with a few hundred hosts. In a situation like that, you could simply use one or two of the reserved Class C network numbers with a vanilla Class C subnet mask. But what about a more complicated little site, something on the order of the site in Figure 10.2, only maybe with one or two more networks connected to it? Take a look at Figure 10.4 to see what I’m talking about. FIGURE 10.4

Networking four geographic regions

ISP

Site A 2,000 users

Site B 500 users

Site C 750 users

Site D 1,750 users

Figure 10.4 shows four sites separated by routers. The router at Network A has three ports and accepts input from Networks B, C, and D; the other networks each have a single port router that connects to Network A. Note the number of hosts (here, users) on each network. Network A also has a proxy server, firewall, and a link to the company’s ISP.


www.sybex.com

426

Chapter 10


Now suppose that you’re going to use the reserved Class A 10.x.y.z network for your users. What would be the best way to apply subnetting so that your users were logically segmented and yet able to effectively work? Let’s start by making things fairly easy. We’ll select 10.1.y.z for Network A, 10.2.y.z for B, 10.3.y.z for C, and 10.4.y.z for D. You could plan on having a DHCP server in each location, but that may become cost prohibitive, so for our illustration, let’s plan on only having one DHCP server, in Network A. That means that we’ll have to install the DHCP relay agent on a computer in each of the other three networks and, if we decide to break the networks up any further, one for each segment. The largest network is Network A with 2,000 users. We could opt to use the 255.255.0.0 subnet mask and have enough IP addresses to handle all of Network A. But that’s a flat mask and may not be the best choice for a geographically diverse network. A subnet mask of 255.248.0.0 would still supply ample hosts, but would not be an enterprise player on the other networks. Let’s take this a little further. What if Network A consisted of 1,500 office workers—people who were responsible for the care and feeding of the business—and 500 sales people? In a case like that, maybe you’d want to segment Network A even further by supplying a subnet mask of 255.255.248.0. This would provide you with 8 separate network segments in the 10.1.y.z network, each with 254 hosts. You’d use 10.1.0.z–10.1.6.z for the 1,500 and 10.1.7.z–10.1.8.z for the 500, effectively segmenting one group from another. Alternatively, you could simply enlarge your 10.x.y.z set to include 10.1.y.z–10.2.y.z for Network A, and use a 255.248.0.0 subnet mask to keep the clerical staff separated from the sales people. Either way would work, though the former would be more cumbersome than the latter. (Despite using this as a practical example of subnetting, in reality you wouldn't need to do this because of the number of hosts provided by the 10.x.y.z address.)

Question: In either case, would you have to have a DHCP relay agent on the segment that doesn’t have a DHCP server? No! Why? Because all eight segments (in the case of the former example) or both segments (in the case of the latter) are in the same network behind a router. They’re not traversing routers; that’s the key. You need to have a DHCP relay agent whenever a network is behind a router and the DHCP server is on the other side of the WAN.


www.sybex.com


427

You should plan your subnets with growth in mind. I ran into a problem with this when I worked for a governmental agency. We were given an special subnet mask to use, one with only 128 hosts. Unfortunately, the 129th host was out of luck when he tried to obtain an IP address! We were using a public Class B address. I urge you to get away from public numbers and go with private numbers in almost every circumstance. Judicious planning and use of the 10.x.y.z reserved number will provide you ample growth room.

Designing Remote Subnets Remote subnets are somewhat different to design than regular LAN/WANbased networks. There are three categories of remote subnets to worry about. Point-to-Point and Multi-Point Connections Standard 56K and fractional T1 or full T1 frame relay connections each require their own dedicated subnet. Each router connecting the points must, of course, have its own static IP address. These circuits cannot be seen on public networks. X.25 Networks X.25 networks, which use packet-switching and multiple points, only require one subnet. Virtual Private Network Connections VPN connections are not entirely “private,” although of course one side of the connection is definitely private. The other side is very public, typically being connected to an ISP.

Quality of Service Circuits At last, a Windows implementation supports quality of service (QoS). This long-time bastion of ATM networks now can be implemented in Windows 2000 networks. What is QoS? It’s a standard made up of a couple of different services, a protocol, and a tuning mechanism. You have the QoS Admission Control Service (QoS ACS), a service that manages subnet bandwidth resources in order to maximize QoS throughput to a server. Subnet Bandwidth Management (SBM) is a service that manages segment bandwidth. There is also a special protocol, the Resource Reservation Protocol (RSVP), that is used by senders and receivers to set up a QoS circuit. Note


www.sybex.com

428

Chapter 10


that you must have RSVP-aware routers in order to use this protocol (and hence to use QoS). Finally, Traffic Control is a set of two services: the Packet Classifier, which manages which packets are destined for the QoS queue and which are not; and the Packet Scheduler, which sends the packets out to the QoS queue. Installing QoS is easy. Navigate to Control Panel Add/Remove Programs Add/Remove Windows Components Components Networking Services and click the Details button. Select QoS Admission Control Service, then click OK. Finally click Finish. Configure as needed. Don’t use QoS unless you need to and you have the routers that can support this feature. Network services such as desktop videoconferencing, streaming video, and VoIP might be able to make use of QoS circuits.

Choosing Software Routing



Integrate software routing into existing networks.

I

once worked for a very small start-up company of about 100 users. We had no routers; we didn’t even have an Internet presence. The Internet was just getting going then, but I knew that it wouldn’t be long before we were going to want to have a Web site. I also knew that I wasn’t the only one who would have preferred to surf over a fast corporate connection to the Internet than use a slow dial-up connection as I had been doing—several others in the company were doing the same thing. So as the systems administrator for the building, I began doing some research into what we needed to do to get going. Our ISP was UUNET, a company that several years later has become a major competitive force in the ISP business. At the time, we were only using them for dial-up SMTP access for our Microsoft Mail servers. But once we had the OK to go ahead with an Internet connection, I requested a dedicated 56K connection for our company with them, and after a period of a few weeks (waiting for the check to clear) we got our approvals to hook up to UUNET’s Web backbone.


www.sybex.com


429

Getting started was very problematic. At the time, Windows NT 3.51 was in its late stages and Windows NT 4 was out as RC1 but still very new. There were lots of issues, and connectivity to the Internet in the NT world … well, let’s just say it almost didn’t exist. Still, I forged ahead and tried to get things going. I installed a copy of Windows NT 4 server on the computer we were going to use, but it wouldn’t work over the Internet. I finally called the tech support people at UUNET, and they were able to help me work through the majority of problems, but we were missing one unique component—a router. It was then that I happened to read a brand new article in Windows NT magazine by Mark Minasi, all about how to create a RIP router on Windows NT 4 computers. We couldn’t have afforded a formal hardware router at that time, so I was glad that the RIP solution was there for us. We did get our Internet presence working, sort of, but I left the company soon after that, and it wasn’t long after that that they went out of business. This section is about an amazing thing. Were you aware that Windows 2000 can be a router? If you are in an environment where you can’t afford a router, or you don’t want to mess with the overhead that comes with routers (things like paying for the time and expertise of an internetworking expert to set up your routing), you can easily install Windows 2000 RRAS on a computer with a couple of NICs in it and you’ll have yourself a router. And it would work just fine. RRAS can be used for more than setting up VPN connections to the network. A VPN connection, of course, is one where you as a potential telecommuter connect with your ISP and then use a secure tunnel to log on to your corporate network so you can work remotely. Using the older VPN protocol, the Point-to-Point Tunneling Protocol (PPTP), or the newer L2TP, you can set up a VPN using RRAS. You can use RRAS to set up several different kinds of routers using different routing protocols:

Routing Information Protocol (RIP) is very old and has been in wide use for 20 years. It’s simplistic and meant for only the most basic of networks. Windows 2000 supports both version 1 and 2. RIP for IP and RIP for IPX are both supported in Windows 2000 RRAS.

Border Gateway Protocol (BGP) was designed for use within autonomous systems, which are (according to RFC 2328) a “group of routers exchanging routing information via a common routing protocol.”


www.sybex.com

430

Chapter 10


A much more efficient protocol than RIP, Open Shortest Path First (OSPF) was designed by the Internet Engineering Task Force (IETF) for the purpose of routing over the Internet. This is one of the two most widely used routing protocols around today, the other one being Cisco’s proprietary Interior Gateway Routing Protocol (IGRP). IGRP isn’t supported by RRAS, but according to the Windows 2000 help files, because RRAS is extensible, “other vendors can create additional IP routing protocols such as” IGRP and BGP.

Use Internet Group Management Protocol (IGMP) when you need to do some multicasting, as in setting up NetMeeting connections or Windows Media Viewer applications. IGMP is designed strictly for use with multicasting applications.

Service Advertisement Protocol (SAP) is used on IPX-based networks.

Network Address Translation (NAT) hides internal addresses from external networks by translating internal addresses to public external ones.

But with all these choices, you’re probably going to only need to use either RIP or OSPF, depending on the size of your network. RIP generally is best used in smaller networks because it’s a point-to-point routing protocol. RIP knows about its neighbors, but doesn’t know anything else beyond that. OSPF, on the other hand, has the ability to “learn” about other routers that are not next-door neighbors to itself, making it more dynamic and useful in larger networks. There are four kinds of routing methods at your disposal with RRAS: Static Routing Within this method, you actually key in the routes to the other routers on the network. This works fine for routers and routes that aren’t updated very frequently, but it wouldn’t be at all useful in large, dynamic networks. Auto-Static Routing This rather bizarre feature is available to you in RIP for IP, RIP for IPX, and SAP for IPX. You set up your routers to perform a periodic request for an update to their route tables. You’d do this if you were using expensive dial-up lines that were connecting the two routers. This, too, would be useful for smaller networks or home offices. These types of clients are usually grouped together under the phrase small office/home office (SOHO).


www.sybex.com


431

Dynamic Routing Routers that use dynamic routing have algorithms that detect changes to the network environment and update themselves. This is handy for times when the link arbitrarily goes down for some reason, for additions or deletions to the network, and so on. It’s useful for larger networks. Demand-Dial Routing I’ve seen small offices use this kind of connection for times when they want to send e-mail or connect to the Internet. When the links are expensive and you’re better off having the routers dial up the connection on the other side only when needed, you’re better off using demand-dial routing.

Protocols Near and Far When you work with RRAS, you work with both the supported network protocols and the protocols that are used to connect to RRAS (called access protocols). The RRAS-supported network protocols are TCP/IP, IPX/SPX, NetBEUI, and AppleTalk. While you might want to support IPX if you had a legacy NetWare network that dial-in users needed in order to hit NetWare servers, you probably don’t want to use this protocol in native Windows 2000 or Windows NT environments. Ditto for AppleTalk, a protocol you’d only use for your Macintosh users. NetBEUI is a protocol that needs to go away, so I’m not convinced you’d want to support it either. For dialin clients, you’d probably want to use TCP/IP. Fortunately, RRAS supports DHCP, so when you set it up, you can give it a range of IP addresses that your dial-in users can use. RRAS is installed automatically with the normal installation of Windows 2000 Server, but in a disabled state. I’m assuming this is because you may need to install a modem, a multi-port serial adapter, a WAN connection, or some other detail that you might have been missing before you were ready. When you get ready to configure RRAS, simply open Control Panel Administrative Tools Routing and Remote Access and you’ll be presented with the initial RRAS screen. Select the server you wish to configure, click the Action button, and select Configure and Enable Routing and Remote Access. You’ll be presented with a wizard that will walk you through the configuration of RRAS for the type of activity you’d like to do, as shown in Figures 10.5 and 10.6. Note that you can opt to configure this server as an Internet connection server, a RAS server, a VPN server, or a network router, or you can simply turn the service on and come back to enable it later.


www.sybex.com

432

Chapter 10


FIGURE 10.5

The opening RRAS configuration wizard screen

FIGURE 10.6

Configuration options within the RRAS configuration wizard


www.sybex.com


433

Suppose that you wanted to configure this server as a router; you’d select the network router option shown in Figure 10.6. You’re given a list of network protocols that are currently installed on this box; if you required a protocol that wasn’t on the list, you could add it at this time. Next, you’re asked whether you’d like to configure demand-dial connections, for connecting with remote networks (Figure 10.7). Note that you can opt to configure demand-dial connections later. Finally, you’re presented with the Finish box as shown in Figure 10.8. Note that at this point you’d want to install and configure the appropriate routing protocols on each interface, as noted in the box. FIGURE 10.7

Choosing whether to set up demand-dial connections


www.sybex.com

434

Chapter 10


FIGURE 10.8

The router installation Finish box

The final RRAS screen looks like Figure 10.9. You can now key in static routes, configure remote access policies, and perform other RRAS functions within this window. FIGURE 10.9

The finished RRAS screen, ready for configuration

Supported RRAS access protocols are the industry standards, Point-toPoint Protocol (PPP) and Serial Line Internet Protocol (SLIP), and several others:

Point-to-Point Protocol (PPP) is actually a suite of protocols that provide services such as encapsulation of the data, compression, multilinking of two or more WAN links, and other features.


www.sybex.com


435

Point-to-Point Tunneling Protocol (PPTP) is also a set of protocols designed to allow telecommuters to access their local networks via an encapsulated secure Internet connection with a local ISP (a VPN circuit).

Layer 2 Tunneling Protocol (L2TP), used in conjunction with IPSec (covered in more detail in Chapter 19), is designed more with dial-up connections than site-to-site connections. L2TP has wide, standardized acceptance among vendors.

Serial Line Internet Protocol (SLIP) is included for backward compatibility with older systems, and is only supported as a client in Windows 2000. It is an older encapsulation protocol.

In addition to knowing the supported network protocols and access protocols, it’s important to know what authentication methods RRAS supports (Figure 10.10); you arrive at these methods through the Security tab of the Properties for the server in question. RRAS servers authenticate remote systems using these methods, in the preferred order Microsoft would like to see you use authentication methods: FIGURE 10.10

The supported Windows 2000 authentication methods


www.sybex.com

436

Chapter 10


Extensible Authentication Protocol (EAP) allows for authentication by smart cards, certificates, one-time passwords, and token cards. Click EAP Methods for the details on the various authentication methods in use with EAP. EAP-Message Digest 5 (MD5) CHAP works much like CHAP but sends the challenges and responses as EAP messages. EAP-Transport Level Security (TLS) is the most secure of the authentication methods and is required for smart cards.

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). This and its newer version, MS-CHAP v2, expect to see a valid Windows 2000 username and password; both are pre-selected defaults. This particular authentication method is backward-compatible with older NT systems. All three of the following (MS-CHAP, MS-CHAP v2, and CHAP use an encrypted password).

MS-CHAP v2, the other default

Encrypted authentication (CHAP)

Shiva Password Authentication Protocol (SPAP), used with Shiva RAS systems

Unencrypted password, Password Authentication Protocol (PAP)

No authentication required

You can view the authentication methods by going to the RRAS screen, right-clicking the server you want to configure, choosing Properties Security, and then clicking the Authentication Methods button. Once everything is installed, you can view and modify your RRAS settings at any time. Simply open the Routing and Remote Access program from Start Programs Administrative Tools (or alternately from Control Panel Administrative Tools). Find the server you want to modify, rightclick it, and select Properties. General Tab In Figure 10.11 you can see that the General tab shows you how an RRAS server is currently configured. The server can act as a router or a RAS server or both. If you’ve chosen for a server to act as a router, then you can opt whether the router will do only LAN routing or will also act as a demand-dial router. Recall that demand-dial routing simply means that when a router needs a connection refreshment, or when a host is connecting to an outside source, the router dials the number needed to connect to another router. This cuts down on the costs of circuit connectivity. However, it’s safe to say that, with the exception of SOHOs or smaller networks, you probably won’t be using Windows 2000 as a router.


www.sybex.com


FIGURE 10.11

437

The General tab of the RRAS configuration window

Security Tab As I said, the Security tab (Figure 10.12) is where you select the authentication method you’d like to use, the authentication provider (there is also a RADIUS choice here), and the type of accounting you’d like to do. FIGURE 10.12

The Security tab of the RRAS configuration window


www.sybex.com

438

Chapter 10


IP Tab This section of the RRAS Properties window (Figure 10.13) allows you to enable IP routing. You can tell the system that IP can be used for both incoming RAS and demand-dial connections, and you’re given a choice of using DHCP for your IP pool or typing in a pool of static addresses. FIGURE 10.13

The IP tab of the RRAS configuration window

AppleTalk Tab If you have Macintosh computers that need to RAS in and connect to the network (and you have the AppleTalk protocol loaded on the server), the AppleTalk tab (Figure 10.14) is where you enable those clients. By default, this check box is enabled.


www.sybex.com


FIGURE 10.14

439

The AppleTalk tab of the RRAS configuration window

PPP Tab The PPP tab (Figure 10.15) is where you configure the types of PPP connections you’ll use or that you’re going to allow. Check Multilink Connections to allow several like circuits to make a connection, thus fooling the system into thinking you have more bandwidth than you actually do. It’s the coagulate of several connections. Bandwidth Allocation Protocol (BAP) and the Bandwidth Allocation Control Protocol (BACP) are used for more effective management of multilink bandwidth. Prior to BAP, you had a large pool of bandwidth and no way to manage it when a link dropped off or a new one was added. Link Control Protocol (LCP) is used to establish a PPP connection with another entity. Here you’re enabling the extensions to PPP, not PPP itself. You can apply software compression in addition to NCP by selecting the Software Compression check box. By default all of these check boxes are enabled.


www.sybex.com

440

Chapter 10


FIGURE 10.15

The PPP tab of the RRAS configuration window

Not included in this configuration box is the other strong arm of the PPP suite, the Network Control Protocol (NCP). While LCPs handle the connectivity with a PPP receiver, NCP sets up the network parameters such as encapsulation and compression.

Event Logging Tab This tab (shown in Figure 10.16) is where you select how much logging you’d like the system to do. Here, too, you can turn on PPP logging. You’d use PPP logging for troubleshooting connections you were having a problem with.


www.sybex.com


FIGURE 10.16

441

The Event Logging tab of the RRAS configuration window

Design Scenario: Internet Connection Sharing A new, invaluable feature in Windows 2000 is Internet Connection Sharing (ICS). This will turn out to be an extremely handy utility for SOHOs. With ICS enabled, you can set up a Windows 2000 server so that all machines connecting to that server can go out to the Internet through it. This way, you can share one inexpensive ISP connection among several computers. This feature is ideal for SOHOs that have two or three computers that need to get to the Internet, but don’t want to pay for several connections. The obvious drawback is that when the connection is being shared, throughput is going to be much slower than if you were using it by yourself.


www.sybex.com

442

Chapter 10


ICS is very easy to set up. From the Network and Dial-Up Connections window, simply right-click the dial-up connection you have configured and select Properties, then select the Sharing tab. Check Enable Internet Connection Sharing for This Connection and you’re all done. Next set up your ISP phonebook connection so that it dials on demand and then, when anyone connected to the network requests a Web page, the ICS connection handles the rest. ICS would handily run within the context of NAT or Proxy. Watch out, dentist offices, hair salons, three-person tax preparation offices, and all the rest of you SOHO types! ICS is going to make your life much easier. Oh, and for you budding consultants, I can see where there’s some money to be made in going around helping offices convert to “mini-networks” using a small Windows 2000 server as the backbone to their ISP.

Integrating TCP/IP into Existing WAN Environments



Integrate TCP/IP with existing WAN requirements.

D

epending on the size, legacy environments are very likely to have many installed routers and some full-time internetworking experts to handle the routing. I see Windows 2000 routing fitting into SOHO environments and smaller offices that cannot afford a router (although, to be fair, today’s routers with embedded CSU/DSUs can cost less than $2,000). A scenario I can envision would be one with a remote site that you’ve always wanted to connect to the rest of your network. You set up a Windows 2000 server for the users in this site and make it a Windows 2000 router, in addition to the other server duties that it performs. Then you connect it with the other routers in your community, providing server services for these users and a connection to the rest of the network.


www.sybex.com

Summary

443

Microsoft has done a wonderful job of including backward compatibility for legacy systems, including the (probably unnecessary) inclusion of SLIP as an access protocol. PPP is the universal standard, so I’m not convinced that there’ll be too much need to support SLIP clients, though undoubtedly some installations out there will need to make use of this. Note that RIP version 1 is the default routing protocol installation; if you want to use the enhanced capabilities of RIP version 2, you’ll have to add it to the list, as I said above. OSPF is in wide use, so it’s wonderful that Windows 2000 includes it. Probably the biggest legacy compatibility issue you’ll run into will be with your authentication protocols. I’ve fiddled with these things for hours before in the Windows NT 4 environment, and I’ve often found that whether the RAS client was a Windows client or not, MS-CHAP authentication was difficult to establish; I had to backpedal into clear-text authentication. With the new client software such as Dial-Up Networking (DUN) 1.3, maybe those problems have gone away, but I’m not so sure. At any rate, MSCHAP and MC-CHAP v2 are the automatically enabled authentication methods, and I’d recommend that you do lots of testing with the various flavors of clients that you’ll have connecting to you (and that you’ll be connecting to in a routing environment) to make sure that these methods will work. If you’re nailing up any VPN circuits, suffice to say that additional testing will be required for the advanced authentication methods used with those circuits.

Summary

I

n this chapter we’ve talked about subnets and subnetting, how Windows 2000 does routing, and how it might incorporate into legacy networks. When you set up subnets, it’s important to figure out how many hosts you’re going to have per subnet, then set up your IP addressing and subnet masking accordingly. It used to be that you could request a Class A, B, or C network address from an Internet authority and use that on your network. Today you’re better off just using the reserved IP numbers for your network and then relying on a proxy server and firewall to provide NAT-ting with the Internet community. This saves you money and gives you millions of IP numbers to work with.


www.sybex.com

444

Chapter 10


The subnet mask is key to your TCP/IP subnet design. The farther to the left of the mask you go, the more hosts you add; the farther to the right, the more subnets. Variable length subnet masks (VLSM) give you the ability to customize the number of subnets and hosts you have on a network, but you must have routers that support VLSM or CIDR (most of today’s routers do). Good subnet design means there are ample numbers for all hosts on the network and that you plan for growth. Software routing is a very viable alternative with Windows 2000 computers. Windows 2000 supports RIP v1, OSPF, and BGP, and presumably there will be third-party support for IGRP and other routing protocols at some point. You can use software routing to set up an internal network of routers that communicate with one another, or you can set some routers to also communicate with the Internet. You also have the ability to set up demanddial routing, where a distant router isn’t dialed into until it is required to do so. Supported routed protocols include TCP/IP, AppleTalk, and IPX. Microsoft has provided backward compatibility with most of the things you might be using in your Windows NT 4 network, things like MS-CHAP and RIP version 1 support. Chances are that you probably won’t implement software routing in a legacy environment because hardware routing is in place already, though there may be some opportunity to leverage software routing in those remote sites that don’t merit the full WAN complement of a router and server.

Key Terms There are lots of terms to get familiar with here. Routing has its own entire language subset that you might not speak, so here are some terms that are characteristic of Windows 2000 routing and TCP/IP techniques. Automatic Private IP Addressing Border Gateway Protocol (BGP) Classless Inter-Domain Routing (CIDR) Interior Gateway Routing Protocol (IGRP) Link Control Protocol (LCP) Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)


www.sybex.com

Summary

Network Control Protocol (NCP) Open Shortest Path First (OSPF) Password Authentication Protocol (PAP) Point-to-Point Protocol (PPP) private reserved range quality of service (QoS) Resource Reservation Protocol (RSVP) Routing and Remote Access (RRAS) Routing Information Protocol (RIP) Serial Line Internet Protocol (SLIP) Service Advertisement Protocol (SAP) Shiva Shiva Password Authentication Protocol (SPAP) small office/home office (SOHO) TCP Selective Acknowledgement (SACK) Variable Length Subnet Masks (VLSM)


www.sybex.com

445

446

Chapter 10


Review Questions 1. What two routing protocols are installed by default with Win-

dows 2000 RRAS? A. IGMP B. RIP C. IGRP D. OSPF 2. How do you install RRAS? A. Control Panel Add/Remove Programs B. Control Panel Modems C. It’s not necessary to install it. D. Control Panel Networks 3. You’re going to use the reserved Class A network address in your new

network. What subnet mask will give you a range of 8 networks of 32 subnets, and 4,094 hosts per subnet? A. 255.255.248.0 B. 255.255.224.0 C. 255.248.0.0 D. 255.224.0.0 4. You're going to use the reserved Class A network address in your new

network. You wind up using a unique subnet mask, 255.224.0.0, but users in one site cannot communicate with users in another. What could be the problem? A. The routers don’t support VLSM. B. The routers don’t support IGRP. C. The routers don’t support BGP. D. The routers don’t support EAP.


www.sybex.com

Review Questions

447

5. Why is the use of the reserved IP network addresses recommended for

private networks? Choose all reasons that apply. A. Security—external networks cannot “see” internal clients B. Lack of availability of valid IP network numbers C. Scalability D. Can’t use proxy servers without using reserved network addresses 6. When would EAP be used as a routing protocol? A. EAP is used for optimum security. B. EAP is used for smart cards. C. This is one of the default routing protocols. D. EAP is not a routing protocol. 7. Why isn’t the Password Authentication Protocol (PAP) authentication

method as secure as MS-CHAP? A. The username is clear text; the password is encrypted. B. The password is clear text; the username is encrypted. C. Both the username and password are encrypted, but are not vali-

dated against a Windows 2000 list of valid users. D. Both the username and password are clear text. 8. You’re planning your TCP/IP implementation strategy. What is the

number-one thing that you must plan for? A. An ample number of subnet masks B. An ample number of network numbers C. An ample number of host IP addresses D. An ample number of proxy servers


www.sybex.com

448

Chapter 10


9. You have a DHCP server on one side of your two-sided network that’s

connected by routers that don’t forward broadcasts. You want all users on both sides of the network to automatically receive an IP address from the DHCP server. Therefore, you install a DHCP proxy agent on a Windows 2000 computer on the network that doesn’t have the DHCP server. What type of protocol is this agent functioning as? A. Authentication method B. Routing protocol C. Network protocol D. WAN (access) protocol 10. Suppose your SOHO has only three users in it. You want to give your

users access to the Internet, and you want your Windows 2000 server to act as a router in the connection to your ISP as well. What RRAS feature will you use? A. NAT B. ICS C. Proxy server D. Demand-dial routing


www.sybex.com


449

Answers to Review Questions 1. B, D. Windows 2000 provides support for IGMP, but it is not loaded

by default. RIP (version 1) and OSPF are the two default protocols. You’ll have to get third-party support for IGRP. 2. C. RRAS is installed automatically when you install Windows 2000

server. 3. D. We start with Class A, so we know that the first and second octet

of the subnet mask will be occupied. But what number does that second octet contain? Subtract 224 from 256 (256 – 224) and you get 32. So we know the answer is D. 4. A. Routers need to support Variable Length Subnet Masks (VLSM) in

order for “unusual” subnet masks like this one to be valid across the network. 5. A, B, C. By using the reserved network numbers, you gain security

and scalability. It’s true that there probably aren’t many Class A or Class B addresses left, though you might be able to pick up a few Class C addresses. But why go through the headaches and expense when you can just as easily set up a reserved network number for your internal network and then use a proxy server and firewall for access to the big, bad Internet world? You can certainly use proxy servers with valid external IP network numbers, but that sort of defeats the purpose of a proxy server, doesn’t it? 6. D. EAP isn’t a routing protocol. It’s an authentication protocol for a

variety of purposes, most notably for smart-card access. 7. D. The only thing that’s remotely secure about the PAP method is that

you’re required to supply a password. But everything is in clear text, and a sniffer could easily pick up and allow you to read both.


www.sybex.com

450

Chapter 10


8. C. In the TCP/IP world, every device (including your users’ comput-

ers) has an IP address. If you’re neglectful about the design of your subnets, there won’t be an ample number of host IP addresses available for all your users. 9. B. Microsoft thinks of the DHCP relay agent as a routing protocol. To

see this, go into the RRAS window. Highlight the General tab, rightclick and select New Routing Protocol; there it is. 10. A. The NAT provides both routing and internal client Internet access

capabilities. It acts as sort of a poor man’s proxy and router all in one. You install the NAT as a routing protocol within RRAS. ICS is used strictly for sharing of an Internet connection, and demand-dial routing is for router-to-router dial-up connectivity in order to cut costs.


www.sybex.com

The New Network Subnet Design

451


Background You’ve been hired as the network architect for a new Internet start-up company. It’s a fairly large company, even though it hasn’t made a nickel yet. Although nobody has started to work yet, there are plans for about 700 users spread out over three campuses. Since good Internet coders are so hard to find, the company has had to resort to hiring people who insist on telecommuting, so providing a VPN connection for these people is very much in the picture. You don’t know anything about routers and have no internetworking background. Your biggest challenge is going to be setting up a routed network without having to resort to outsourced consulting help, for which no funding is authorized.

Envisioned System Overview The envisioned system includes a campus in La Jolla, California, one in Boulder, Colorado, and one in Philadelphia. You’ll use a common carrier to provision the WAN circuits. You’ll select an international carrier that also acts as an ISP so that your Internet connectivity will be incorporated with your telephony and WAN circuits. You’ll need to provide some VPNs for telecommuters from places such as Delhi, Vancouver, Miami, and Charlotte, North Carolina. You develop an initial circuit plan with a 256K fractional T1 circuit between the Boulder and La Jolla offices and a 128K fractional T1 circuit between the Boulder and Charlotte offices. You also obtain 10 Class C IP addresses from your ISP. Boulder will be the headquarters office. All servers are from a tier 1 vendor, and all will be running Windows 2000 server. All users will be running Windows 2000 Professional. Your intent is to use the reserved network addresses for your internal clients.


www.sybex.com

CASE STUDY


CASE STUDY

452

Chapter 10


CEO “It’s important that we get going as quickly as possible. I want to use state of the art equipment and software. In the same breath, I need to tell you that whatever you do is funded at this time by venture capitalists, so we have to carefully watch our dollars!”

Security Overview Security is of great importance in this environment. You have a hot new Internet service that you’re going to roll out, and you don’t want scurrilous spies stealing things like new ideas or designs! CEO “This company is founded on ideas. It’s important that you carefully manage the security of the network at all times.” Operations Manager “Our international coders who will be coming in through the VPN aren’t allowed to use anything stronger than 40-bit security. Nevertheless, I want to make sure that all people connecting to this network are valid. We don’t want outsiders managing to hack in.”

Availability Availability is important because of the telecommuting coders. Since some are internationally based, it’s important that the network be consistently up and running. The operations manager reminds you, “Some of the coders are going to be working while the rest of us are in bed. For example, the woman who’s going to be doing some of our Web-page development is in Delhi. It’s important that the network be up at all times.”

Performance Overview Your biggest concerns are the VPN circuits. Should you put in a DSL connection, ISDN, or some other connection? And what about the developers that will connecting over slow ISPs? You decide that while there’s little you can do about them, you can certainly make sure that the network is well designed and functional. Operations Manager “Every component of this design must be well thought out. For example, if we’re going to grow as fast as I think we’re going to, the IP design will have to be large enough to accommodate everybody.”


www.sybex.com


453

1. In terms of anticipated growth, what reserved network address would

work the best, based on the number of users you have at each site? A. Class A: 10.x.y.z B. Class B: 172.16.y.z–172.31.y.z C. Class B: 169.254.y.z D. Class C: 192.168.0.z–192.168.255.z 2. What will you use for routers? A. Purchase some routers and hope to figure out how they work by

reading the manuals. B. Hire a consultant to install and configure the routers. C. Use a Windows 2000 server at each site for routing. D. Routers are not needed since the carrier provisioned the frame

relay connections. 3. Are the carrier-provisioned frame relay circuits between the sites

necessary? A. No B. Yes C. Maybe 4. You need to set up the VPN circuits. Reorder the tasks from the right

column into the left column in the logical order that they should take place to configure a VPN. Task Order

Tasks Install VPN software on client computers Configure IPSec Configure an IP tunnel Configure RRAS


www.sybex.com

CASE STUDY

Questions

CASE STUDY

454

Chapter 10


5. What routing protocols should be used for your routing connections?

Choose all that apply. A. OSPF B. RIP version 1 C. RIP version 2 D. EAP


www.sybex.com


455

1. B. The Class A address will work fine, and it’s easy to manage, but in

terms of size the Class B address (172.16.y.z–172.31.y.z) is adjustable by subnet mask and probably makes the most sense. The Class B address in option C is reserved for APIPA. You’d need too many separate Class C networks with option D. 2. C. The business rules stipulate that you’re not allowed to use consult-

ants. And we’ve already said that you don’t know anything about routing. The best bet here would be to set up three Windows 2000 servers, one each in La Jolla, Boulder, and Charlotte. Since RRAS and OSPF are already installed on all servers by default, it’s a simple thing to enable the routers and statically point them at each other: La Jolla to Boulder, Boulder to Charlotte, and so forth. The Boulder server would have to have three frame relay interface cards in it: one for the route to La Jolla, one for the route to Charlotte, and one for the route to the ISP. The other two would only need one frame relay interface card apiece. This does not necessarily imply that these are the only servers on the network. Indeed, it’d be foolish to have one server doing routing and all of the other functions of the network such as e-mail, file and print services, and application serving. But in this example, we’re only talking about the routing servers. 3. A. With Windows 2000–based routers, you could simply set up a

demand-dial connection (that is, a regular phone line) with the other routers in the network. You won’t get the performance you need, but the option is definitely there.


www.sybex.com

CASE STUDY ANSWERS

Answers

CASE STUDY ANSWERS

456

Chapter 10


4. See table.

Task Order Configure an IP tunnel Configure IPSec Configure RRAS Install VPN software on client computers First, configure an IP tunnel, then set up IPSec. RRAS is not enabled or configured, so you have to do that step. Finally, you’re ready to install VPN software (such as DUN 1.3 on Windows 9x clients), and you’re done. Note that we don’t need extra extravagances such as VPN switch gear or notification to our ISP that we’re doing VPN. Windows 2000 makes it super simple. 5. A, C. While B is a valid answer and is installed with RRAS, it is more

primitive than RIP version 2. Both versions of RIP are static address– based, which works fine in smaller networks but wouldn’t work well in a large network. EAP is only used for things like smart cards, onetime password logons, and so forth. Wrap-up: There’ll be some work getting the servers up and running and configured. But this project, on the whole, is made vastly easier by the presence of Windows 2000 networking services such as software routing. Caution should be taken with the subnet design so that the number of clients doesn’t outgrow the number of subnets available.


www.sybex.com

Chapter

11

Building a Multi-Protocol Strategy MICROSOFT EXAM OBJECTIVE COVERED IN THIS CHAPTER: Design a multi-protocol strategy. Protocols include IPX/SPX and SNA.


www.sybex.com

W

ithin this chapter lies a single exam objective with as much meat on its bones as some other, complex, run-on objectives. This chapter talks about systems that use protocols other than the standard TCP/ IP. Many networks need to communicate with other platforms and other systems; Windows 2000’s ability to cooperate in this process will be important. The good news is that it was very necessary in Windows NT as well, so many of the techniques that were developed in NT have been enhanced and brought forward in Windows 2000. We’ll talk about three different platforms that require support: Novell NetWare, Apple Macintosh, and Unix-based systems. We’ll also talk briefly about support for SNA Server.

NetWare Systems

N

ovell NetWare was a huge presence in the late ’80s and early ’90s, until Windows NT managed to get a foothold in the industry. Today, many legacy NetWare 3.11 and 3.12 servers are still running in corporations all over the world, and there’s a good deal of NetWare 4.x and now 5.x as well. NetWare servers are highly reliable, though from an applications standpoint some may argue that they lack the functionality that Windows NT and Windows 2000 servers provide. Because of all this, Windows 2000 support for legacy NetWare systems is crucial. There are two types of NetWare installations: the older Bindery mode and the new NetWare Directory Services (NDS) system. You’ll find NDS running on NetWare 4.x and 5.x systems, while Bindery-mode systems will center around NetWare 3.x and some 4.x systems. It is vital that Windows 2000 supports both kinds of installations, and it does. Moreover, it’s important that you understand what implementation of NetWare server you are dealing with when you get ready to set up your connectivity options with the server.


www.sybex.com

NetWare Systems


459

Design a multi-protocol strategy. Protocols include IPX/SPX and SNA.

Early installations of NetWare used a protocol called Internetworking Packet Exchange (IPX). Later renditions of NetWare are TCP/IP-compliant. Microsoft wrote an IPX protocol implementation called NWLink in order to provide connectivity with NetWare servers running the IPX protocol. This protocol is available in Windows 2000 as an add-on protocol, but you’re urged to convert any old NetWare IPX installations over to TCP/IP instead. When you install NWLink, be prepared to supply the NetWare network number (available through the administrative interfaces) and the frame type. Windows 2000 can auto-detect the frame type (this is recommended).

In shops running versions of NetWare that use different frame types (such as NetWare 3.11 and 3.12), Windows 2000 will not detect both frame types and will opt for one over the other. Here, it’s better to manually select the frame types. See Knowledge Base article Q254113 for more detail.

NetWare clients use a protocol called NetWare Core Protocol (NCP) to request services from NetWare Servers; NCP runs over IPX and over TCP/ IP. On the other hand, Windows clients use Server Message Blocks (SMBs) to communicate with servers. Since the two are not compatible, we must account for the discrepancy when we try to make Windows 2000 computers talk to NetWare servers or have clients obtain data from either server. Windows 2000 clients use the new Common Internet File System (CIFS) protocol instead of SMB; CIFS is an enhanced version of SMB. In the Windows NT environment, three installable services were introduced to help the two server platforms intercommunicate. These services were brought forward into the Windows 2000 platform: Gateway Service for NetWare (GSNW) This service, introduced in the Windows 3.51 era, was very powerful. It has continued through Windows NT 4 to Windows 2000. It works about the same as it did in the 3.51 days.


www.sybex.com

460

Chapter 11

Building a Multi-Protocol Strategy

Client Services for NetWare (CSNW) This is the client component that Windows 2000 Professional computers can install in order to act as a NetWare client. File and Print Services for NetWare (FPNW) This is an optional purchase for Windows 2000 computers and provides the computer with the ability to provide NetWare file and print services to machines running the NetWare client. All three of the services require that the NWLink protocol be installed on the computer they’re running on. If NWLink isn’t installed at the time the service is installed, Windows 2000 goes ahead and installs it with the service. Now, I find this a bit confusing, because even if I go to all of the work to convert my NetWare network to TCP/IP, I still have to have NWLink installed. But that’s the way it works. This has been the methodology with NetWare compatibility services for many years and has not changed with Windows 2000.

Gateway Service for NetWare GSNW was a lifesaver in the early NT 3.51 days because numerous shops had at least one NetWare 3.11 box sitting around performing a myriad of activities. This service is still available with Windows 2000 servers today. Here’s the idea: set up a NetWare group called NTGATEWAY. Then, create a user with the appropriate permissions to the NetWare resources you want to share out and make it a member of the NTGATEWAY group. (The name NTGATEWAY cannot be changed, by the way. This is a hardwired name that Windows 2000 is looking for.) GSNW is installed through the Local Area Connection Properties window. Choose Client, then select the appropriate service.

Think of GSNW as a pipe to the NetWare server. As such, if an inordinate number of users try to access it all at once, throughput will suffer. GSNW is not the ideal way to share out NetWare directories to lots of folks! Also, you can create licensing issues because the NetWare server thinks that the connection consists of only one user, whereas many users may be utilizing the pipe.


www.sybex.com

NetWare Systems

461

Client Services for NetWare Windows 2000 Professional users who will access NetWare servers will use the same methodology to install CSNW as for GSNW. By default, Windows 2000 computers have the Client for Windows Networks installed. As such, the Client Services for Windows component runs as the workstation service and the File and Print Services for Windows component runs as the server service. But if you have clients that access NetWare servers, you’ll have to add the NetWare client. This will also install NWLink, though the NetWare servers may well be using TCP/IP. When the client is installed on the Windows 2000 computer, you can go to Control Panel CSNW and configure the client much the same way that you initially configured the GSNW client, by keying in the preferred server or default tree and context. The user is then prompted, at next logon, for the information needed to access the NetWare server.

File and Print Services for NetWare This optional, separately purchased component fools NetWare clients into thinking they’re connecting to a NetWare 3.12 server. The client can then interact with the Windows 2000 server as though it were an ordinary NetWare server. Keep in mind that NetWare 3.12 servers are bindery servers, not NDS. This won’t matter much to a client, but may crop up in troubleshooting calls with clients.

Microsoft Directory Synchronization Services Finally, I should mention that Microsoft has supplied a service that you can install and manage, called the Microsoft Directory Synchronization Services (MSDSS). This service allows you to manipulate NetWare NDS trees and AD forests at the same time. Independently, NetWare administrators can also manage the NDS trees as well. After installing NetWare components, MSDSS can be added and managed through the MMC. This service is considered to be a meta-directory service, because of its ability to manage two different directory services within the same console.


www.sybex.com

462

Chapter 11


Macintosh Systems


Design a multi-protocol strategy. Protocols include IPX/SPX and SNA.

I

n every company, it seems that at least a handful of people require Macintosh computers. These people are typically in the graphics arts areas of the company, such as marketing departments or publishing areas; Macs are fine computers for work such as this. But for the network administrator or designer who has to support thousands of PCs and servers, supporting Macintoshes can be a nontrivial event. For example, when graphic artists create files, they’re usually mammoth in their proportions, and a typical Windows-network need of Mac users is to save these huge files to a file server somewhere on the net. In the company I work for, as an example, we only have eight Macintosh users, but they have files taking up 50GB in a RAID cabinet! Macintosh computers are designed, out of the box, to work on a network, but the network they were originally designed for is a proprietary one called a LocalTalk network. Macintoshes natively use the AppleTalk protocol when connected to a LocalTalk network. In the last few years Macintosh experts have modified and improved this design, so today we also have the TokenTalk and EtherTalk topologies in addition to LocalTalk. Macintosh computers can dial in to Windows 2000 RRAS servers using AppleTalk Control Protocol (ATCP). ATCP is a connection protocol that uses AppleTalk–based PPP connections. With it a remote user can access Web pages over TCP/IP, print to an AppleTalk printer, and connect to an AppleTalk server, either through TCP/IP or AppleTalk, all while using the same dial-up connection over PPP. Now, it’s possible for you to run Windows 2000 on a native LocalTalk network. (Incidentally, Windows 2000 is supported over not only LocalTalk, but Token Ring, FDDI, and ATM as well.) But you probably wouldn’t want to do this. Instead, you have to find a way for the Macintosh users to work their way out to the network and thence to a file server.


www.sybex.com

Macintosh Systems

463

This is done with an Ethernet adapter for the Macintosh computer. Macs plug into a switch or hub in a switch closet, just like any other computer on the network. But how will you support your Mac users when they begin looking for a file server to store their files on? Your Windows 2000 computers won’t recognize Macintosh computers until you prepare them to do so. It’s easy to install the Services for Macintosh (SFM), which installs the AppleTalk protocol if it’s not already on the system; do this through the Network and Dial-Up Connections window by editing the properties of the Local Area Connection.

AppleTalk Zones While we don’t use AppleTalk zones in the company I work for, if you have several groups of Macintoshes, you may want to enable AppleTalk routing and then set up zones. You seed zones with multiples of 253 nodes. You supply some simple information, the zone name, and the seed range, and the zone then becomes visible in the Macintosh user’s Chooser screen. Configure an AppleTalk zone under Administrative Tools Routing and Remote Access.

Enabling Macintosh RAS Usage Enabling Macintosh users for RAS usage is quite easy. After you’ve installed and enabled the AppleTalk Protocol, go to the RRAS Properties window and enable AppleTalk Remote Access. Macintosh users use ATCP to access RAS servers. ATCP works hand in hand with PPP to negotiate a connection for the Mac user. RFC 1378 has more information on how ATCP is implemented.

Macintosh User Authentication Methods If you’ve installed the Windows NT 4 SFM, you’ve probably wondered what the UAM volume was after you rebooted the machine and began checking out what was new as a result of the installation. UAM stands for User Authentication Module. Installing File Services for Macintosh automatically creates a UAM volume that’s available to Macintosh users.


www.sybex.com

464

Chapter 11


When a Macintosh user logs on, he opens the Chooser, clicks the AppleShare icon, and selects the zone that you configured previously. Macintosh users can log on as one of three different users: Guest “Guest” allows basic users without proper credentials to log on. Macintosh Authentication The user types in a valid username and password, which are both passed across the wire as clear text. Note that the built-in Random Number Exchange security paradigm isn’t supported by Windows 2000. Microsoft UAM Authentication Windows 2000 provides a more secure authentication method for Macintosh users through its UAM. If a Macintosh client is running the AppleShare Client 3.8 or greater, or the MacOS version is 8.5 or greater, the new Microsoft UAM version 5 is used. If the Mac user’s software doesn’t fit these criteria, the older Microsoft UAM version, version 1, is used; both UAM versions are included with Windows 2000. Macintosh users will have to open the Microsoft UAM Installer to install the UAM software for this purpose. Installing File Services for Macintosh is a different operation than installing the AppleTalk protocol, but it’s still quite easy. Open Control Panel and double-click the Add/Remove Programs applet. Click the Add/Remove Windows Components button on the left side of the screen shown in Figure 11.1. FIGURE 11.1

The Add/Remove Programs window


www.sybex.com

Macintosh Systems

465

Click the Other Network File and Print Services item, then click the Details button. In the next window (Figure 11.2), check File Services for Macintosh and click OK. FIGURE 11.2

Adding File Services for Macintosh

Using the Computer Management Program You will no longer use the File Manager or Explorer to view or modify File Services for Macintosh; instead, you use a new Windows 2000 program called Computer Management. It’s easy to get to: Start Programs Administrative Tools Computer Management. Highlight the Shares node, and you’ll see the Microsoft UAM volume show up in the Details pane, as illustrated in Figure 11.3.


www.sybex.com

466

Chapter 11


FIGURE 11.3

Viewing the File Services for Macintosh UAM Volume

By highlighting the UAM volume and clicking Properties, you pull up its properties sheet, which has two tabs, General and Security (Figures 11.4 and 11.5). You can apply a security password for the UAM volume and set permissions to the folder. Security is very robust for Macintosh UAM volumes. FIGURE 11.4

General properties of the Macintosh UAM Volume


www.sybex.com

Macintosh Systems

FIGURE 11.5

467

Security properties of the Macintosh UAM Volume

You can use the Computer Management program to adjust the Macintosh file server’s settings. Right-click the Shared Folders node and select Configure File Server for Macintosh to access the three Properties tabs shown in Figures 11.6, 11.7, and 11.8. Unless you have some highly specialized implementations, you’ll probably use this program to set up a logon message to Macintosh users logging on to the system and to select an authentication method (both of these options are found on the Configuration tab), and you’ll use it to send a message to all logged on Macintosh clients (through the Sessions tab).


www.sybex.com

468

Chapter 11


FIGURE 11.6

Configuration properties of File Server for Macintosh

FIGURE 11.7

File Association properties of File Server for Macintosh


www.sybex.com

Unix Systems

FIGURE 11.8

469

Sessions properties of File Server for Macintosh

You can create additional Macintosh shares in the Computer Management program. Highlight the Shared Folders node, right-click the Shares icon in the right pane, and select New File Share. A Create Shared Folder wizard appears; you can browse to the folder that you’d like to share. Type a share name and description, and apply a Macintosh name for the share. Very easy stuff. The wizard will also prompt you to apply the appropriate permissions to the share.

Unix Systems

F

ortunately, Unix computers have used TCP/IP for years, so as long as you have TCP/IP configured as your main Windows 2000 protocol (hopefully your only Windows 2000 protocol), Unix machines can participate in several aspects of your network. Printing Unix computers can print to Windows 2000 printers quite easily. It’s a two-part process. First, you install Print Services for Unix,


www.sybex.com

470

Chapter 11


through Control Panel Add/Remove Programs. Then you configure a printer that’s on your network with an additional port, a line printer (LPR) port. When Unix computers send a print job to a computer, they contact a line printer port. When they’re set up to receive a print job, they use the Line Print Daemon (LPD). To create an LPR port, click Start Settings Printers. Double-click the Add Printer icon to call up a wizard. The Add Printer wizard allows you to define the printer as Local or Network and select an LPR port and IP address. File Sharing Unix users sometimes need to pull files off of Windows servers and vice versa. The company I work for has an enterprise fax system. When we send faxes, sometimes they come from work orders that are generated from an Oracle database system residing on a Unix box. It’s an interesting paradigm, if you think about it. A worker sitting at a Windows 9x computer keys in an order that posts to an Oracle database. The database spits out a text file that “prints” to an LPD port destined for an NT fax server, where the order is faxed out. Talk about going around the world the long way! How about in your company? Do you have big Unix servers holding information that needs to be shared with Windows computers? Do you often need to put Windows-based data onto Unix computers? As I said earlier, nonWindows 2000 computers use SMBs to talk to servers (Windows 2000 computers use CIFS), but Unix computers use the Network File System (NFS) method of posting files to computers. So we need a translation method that allows us to put our files on the other type of computer. Fortunately, lots of third-party work has been done along this line. Samba, an SMB client software program available at samba.anu.edu.au/samba, is available for Unix computers that need to mount Samba volumes for NT (and Windows 2000) computers. Other companies, such as Hummingbird, manufacture NFS software for Windows servers in order to mount an NFS volume that Unix users can post their files to.

Services for Unix includes a full NFS client.


www.sybex.com

What About SNA Support?

471

Telnet One of the missing components in Windows NT environments is a robust Telnet server service. While this service isn’t started automatically in Windows 2000, it is installed and allows you to open a secure Telnet session to Windows 2000 computers. After starting the Telnet service, simply open a command prompt and type Telnet computer_name to connect to the Windows 2000 computer with which you’d like to open a Telnet session. Remote Execute Windows 2000 lacks an important Unix tool: remote execute. But you can obtain a Remote Execute executable (REXEC) from the Windows 2000 Server Resource Kit, thus rounding out your Unix toolbag. Remote Access Services The Internet browser has revolutionized RAS for Unix users. Now they can RAS into Windows servers, open a browser, and grab their Exchange server e-mail. As long as a browser is available and the applications that Unix users need to run on Windows servers is Webenabled, there is no longer a cross-platform issue. Perhaps the most important job that an administrator in a platform-disparate shop faces is the interaction between Unix servers and Windows servers. Fortunately, third-party vendors and the advent of Windows 2000 have made this cross-platform work much easier.

What About SNA Support?

I

f you don’t know what SNA Server does, then you’re likely not working for a company that needs to use it. The Systems Network Architecture (SNA) protocol, invented by IBM in the early 1970s, was used to connect Multiple Virtual Session (MVS) mainframe processors; since then the protocol has been ported to AS/400 and OS/2 servers. While some mainframes have converted to the mainframe version of TCP/IP (IBM 3270-E), lots of companies out are still running native SNA. Since it’s important to be able to fetch data from these servers using SNA, there had to be some sort of methodology for this. Microsoft’s implementation of SNA server has been around for years. It’s a highly technical and specialized software component that doesn’t exactly occupy top drawer in the minds of most MCSE candidates, but there’s still a huge demand for people that are “SNA server–aware,” and it’s a very good product to know about.


www.sybex.com

472

Chapter 11


It’s important for you to understand one new jargon phrase that might confuse you if you hear it used the wrong way. If you’re talking in TCP/IP terms, a host is any computer that’s out on the Internet (or TCP/IP network anywhere in your company). For example, any Windows 98 user on your network that has an IP address is said to be “a host.” But when we talk about a mainframe, we often call it “the host.” Think of “the host” as the big, bad piece of computing iron hiding out in a highly secure building somewhere in your company. You’ll see as you read on why it’s important that you are able to differentiate between a TCP/IP host and “the host.” Microsoft has been working feverishly in the background to prepare a brand new SNA server that is both Windows 2000– and Windows NT 4– compliant. Code-named “Babylon,” this brand new version of SNA server, now called Host Integration Server 2000, is now ready for prime time. Visit Microsoft’s SNA server Web site at www.microsoft.com/sna.

Now do you see why Microsoft calls it Host Integration Server 2000? It’s because this new version of SNA server facilitates the ability to communicate, either through a 3270 or 5250 session, with “the host.”

Third-Party Protocols

D

ozens and dozens of protocols have been written by software developers so that computers, devices, programs, and people can communicate. Most of the protocols are highly proprietary and never see the standardization light of day. Nevertheless, if you’re running a program that requires a strange protocol—one that’s not in the usual administrator dialog—you need it to make your application run correctly. One such protocol that comes to mind is the one that used to run on Banyan Vines servers, the VINES protocol. Microsoft doesn’t provide native support for this in Windows 2000, so if you had to integrate your Windows 2000 servers with VINES, you’d have to try going to Banyan to see if you could get some support for the protocol there. The long and short of non-standardized protocols that are somewhat proprietary or specialized is this: Microsoft is depending on the vendor of that protocol to supply updates to Windows 2000. Expect native support for


www.sybex.com

Summary

473

TCP/IP, IPX, and AppleTalk; don’t expect support for exotic protocols that aren’t in use much.

Summary

T

his chapter has been about foreign-protocol integration into Windows 2000 servers. Two key computer systems that use protocols foreign to Windows are Novell NetWare and Apple Macintosh. In the older NetWare days, the only standard protocol was IPX. Microsoft, ever vigilant about maintaining interoperability support with NetWare servers, developed its own version of the IPX protocol, NWLink. NWLink is included with Windows 2000 for compatibility with legacy NetWare systems (of which many are still out in the wild). You have three additional services that you can use with Windows 2000 for interoperability with NetWare:

Gateway Service for NetWare (GSNW), a pipe that allows for a connection with either a bindery or NDS NetWare server

File and Print Services for NetWare (FPNW), a separately purchased option that allows Windows 2000 servers to emulate NetWare 3.12 servers

Client Service for NetWare (CSNW), a client component for Windows 2000 Professional computers, allowing them to connect to NetWare servers running in either bindery or NDS mode

Macintosh computers use the AppleTalk protocol. You can install the Services for Macintosh (SFM) on a Windows 2000 server. Doing so automatically installs the AppleTalk protocol as well. You can seed a zone in the newly installed SFM volume, thus giving Mac users a zone to connect to from the Chooser. Mac users have the choice of guest, AppleShare authentication, or Microsoft UAM authentication. Mac users can RAS in to Windows 2000 networks equipped with the AppleTalk Control Protocol (ATCP). Unix computers have few interoperability issues anymore. Microsoft has purchased a company called Interix that writes software for the maintaining of a Unix-to-Windows network conversion. Samba is Unix software that allows Windows users to put files on Unix servers; NFS is a Unix file-mounting software system. Windows 2000 includes a full NFS client. You can set up


www.sybex.com

474

Chapter 11


LPR ports for Unix users to print to Windows 2000 printers and LPD daemons for Windows 2000 users to print to Unix printers. Since TCP/IP is the Unix protocol (there are no others), Unix interoperability will be the easiest (and most in demand) of all of the Windows 2000 cross-platform needs. Microsoft has written a brand new SNA server implementation called Host Integration Server 2000. This software runs the SNA protocol for interoperation with MVS mainframes, AS/400, and OS/2 servers. Other specialized protocols, such as Banyan VINES, require third-party support.

Key Terms Newbies to the NetWare, Unix, or Macintosh scene will have some interesting terms to remember. Probably the most exotic set of terms will come from the mainframe terminology associated with SNA Server (now, of course, called Host Integration Server 2000). 3270 5250 AppleShare AppleTalk AppleTalk Control Protocol (ATCP) AppleTalk zones Chooser EtherTalk host Host Integration Server 2000 Internetworking Packet Exchange (IPX) LocalTalk Microsoft Directory Synchronization Services (MSDSS) Network File System (NFS) Samba seed


www.sybex.com

Summary

Systems Network Architecture (SNA) Telnet TokenTalk User Authentication Module


www.sybex.com

475

476

Chapter 11


Review Questions 1. When you populate a Macintosh zone with node numbers, what is this

technique called? A. Populating a zone B. Seeding a zone C. Perpetuating a zone D. Creating a zone 2. You have several Macintoshes that need to access your Windows 2000

file server. What is the most secure authentication method they can use once you get everything set up? A. Guest B. MS-CHAP C. AppleTalk Authentication D. User Authentication Method 3. You’d like to set up a volume on a Unix server where Windows users

can place files for use by the Unix administrators. What software will you need for this? A. NFS B. File sharing for Unix C. Samba D. Interix 4. You have several legacy NetWare servers that are running file and

print services. You’ve set up a new Windows 2000 network, and users are now logging on to it. What feature can you use that will allow your users to see the NetWare services? Select the best answer. A. Client Services for NetWare B. Gateway Service for NetWare C. File and Print Services for NetWare D. Latest client downloaded from the Novell site


www.sybex.com

Review Questions

477

5. Starting with NetWare 5 and up, what protocol will be the default? A. TCP/IP B. RPC C. IPX D. Extensible NetWare Protocol (ENP) 6. When a Macintosh user RASes into one of your Windows 2000 RRAS

servers, what two protocols is he using to accomplish this? A. ATCP B. AppleTalk C. TCP/IP D. PPP 7. Windows 2000 Professional clients that natively log on to a NetWare

server will need what service installed? A. GSNW B. CSNW C. FPNW D. NWLink 8. What two types of NetWare servers are supported with Windows 2000

NetWare interoperability? A. Bindery B. NDS C. intraNetWare D. Borderwise


www.sybex.com

478

Chapter 11


9. You have a legacy Token Ring network where you work, and there are

several Macintosh computers hooked to this network that you did not set up. What topology are they likely using? A. LocalTalk B. EtherTalk C. TokenTalk D. AppleTalk 10. You want Unix users to be able to print to Windows 2000 printers.

What two steps will you have to provide for them to do this? A. Print services for Unix B. LPD C. LPR D. NFS


www.sybex.com


479

Answers to Review Questions 1. B. To populate a zone with node numbers is to seed a zone. 2. D. Microsoft’s User Authentication Method (UAM) is the most secure

method of authenticating in the Windows 2000 system. 3. C. Samba, a freeware third-party application, is required for mount-

ing an SMB volume on Unix servers that can be seen by Windows users. 4. A. Answers A and D will get the job done, but realize that you’ll have

to visit each of your client PCs and set up the CSNW (provided they’re running Windows 2000 Pro or Windows NT) or the latest NetWare client; lots of work involved there. GSNW only supports one NetWare pipe, so you can’t have multiple NetWare servers involved (unless, of course, you have multiple installations of GSNW). GSNW can be throughput-intensive with multiple users. The best answer is A, CSNW. 5. A. Novell was very good, even in NetWare 4, with providing TCP/IP

interoperability. But it was in version 5 that the TCP/IP integration started taking a front seat. Novell’s latest offerings are completely TCP/IP-oriented. 6. A, D. Recall that the protocol Mac users use to access RAS is the

AppleTalk Control Protocol (ATCP), but ATCP works through a PPP link to get the user connected. 7. B. The Windows 2000 Professional Client Service for NetWare

(CSNW) will need to be installed. Note that if NWLink isn’t present at the time you install CSNW, it will be added as well. 8. A, B. When configuring the NetWare interoperability services, you’ll

have to provide either the name of the Bindery server or the tree and context of the NDS server.


www.sybex.com

480

Chapter 11


9. C. While LocalTalk is the default for Macintoshes (they’re prepared to

do networking right out of the box using LocalTalk), in a Token Ring environment it’s highly probable that whoever set up the network set up TokenTalk for these users. 10. A, C. You’ll provide an LPR port when you set up the printer. NFS

volumes are a place where files are stored. LPD is a service (daemon) that Unix admins set up for their printers.


www.sybex.com

The Multi-Platform Network

481


Background You’re the network administrator for a small network of about 500 users. This network has been around a while, and it started out on Novell NetWare 3.11. Your predecessor had been hired several years earlier as a NetWare administrator and left the job about a year ago, leaving the network in the middle of a NetWare-to-Windows NT conversion. You were hired for your NT knowledge, not necessarily for your NetWare expertise (which is fairly minimal), and you’ve been given the charge to convert the network. Windows 2000 is now out, so your conversion will now not only include finishing up the NetWare conversion, but also converting all Windows NT computers to Windows 2000.

Current System The current system consists of three NetWare 4.x file and print servers. You have five Windows NT servers in one domain, one of which is running Exchange server 5.5. The PDC runs WINS and DHCP, and a BDC shares those responsibilities. The rest of the servers are either running applications or performing file and print duties. Two of the file servers that you intend to use are not nearly up to date enough to handle Windows 2000 and the extended duties that they’d inherit from the NetWare servers going away, so you have to do something about that problem. The applications you run are certified for Windows NT 4 and are specific to your company’s line of business. You’ve checked with the vendors of these software applications, and you don’t think you have anything to worry about by migrating to Windows 2000. You also have about six Macintosh users that work in the desktop publishing unit of your company. You have no Unix equipment, but the company does keep most of its important databases on an AS/400; a couple dozen people use host emulation software running over SNA Server to access these databases.


www.sybex.com

CASE STUDY


CASE STUDY

482

Chapter 11


Envisioned System Overview You need to maintain connectivity with the files and printers on the NetWare servers until such time as your conversion is complete. Users need to be able to access these servers up to the bitter end. Also, you’re sure you have way too many protocols running on this network and would like to get rid of one or two, if possible. The envisioned system has five Windows 2000 servers and all users running Windows 2000 Professional. You’ll continue to run Exchange 5.5 for the time being. You want to simply power down and re-deploy the old NetWare servers because they’re on such marginal equipment by today’s standards that they wouldn’t even make good desktops. You want to take this opportunity to upgrade the servers that need to be improved and to consolidate your file and print services so that they’re more centralized, not so spread out across many servers. You discuss the plan with your boss, the IT manager. IT Manager “Looks like a pretty good plan. We need to be sure that we provide connectivity for the users who still need files from the NetWare boxes as long as they’re around. Make sure you coordinate with the AS/400 administrators so that host users don’t lose their connectivity. By the way, I like the increased security of Windows 2000. Is there a way that we can identify which Mac users are logged on?” AS/400 Administrator “It took us a long time to get SNA Server tweaked and working correctly. I don’t care what you do with the network as long as you don’t break the work we’ve done in getting our users communicating with the host!”

Availability Overview The company is a basic 8-to-5 corporation with very few people working after regular hours. The NetWare servers have been reliable with remarkable uptime statistics. The NT boxes have not fared so well, but you believe that’s because of all the different applications that have been loaded on them over the years. IT Manager “I’d like to see much more reliability out of the Windows 2000 servers. NetWare doesn’t work very well as an application server, but it’s sure reliable for file and print services!”


www.sybex.com


483

Overview Standardization and trimming down to only one NOS is a big plus. Care needs to be taken to make sure that you don’t run into any gotchas as you get ready to take your old NetWare network down and replace it with Windows 2000 servers. IT Manager “It’ll be great to not have to figure out when we have to update an NLM and when we need to start a service! Keeping up with multiple NOSs is a pain.”

Performance One of your concerns is the Windows 2000 GUI, which brings a lot of added freight to haul in terms of server load. NetWare servers run very fast and economically. You want to make sure that you visit each server, ascertain whether it’s on the Windows 2000 HCL, and then make a determination as to its ability to play well in the Windows 2000 sandbox, in terms of performance.

Questions 1. Using the chart below, order the steps that you’ll have to take to pro-

vide continuous support for your Macintosh computers as you go through your migration. Step

Step Uninstall SFM from NT servers Prepare Mac clients with pointer to new zone Seed new SFM zone Install SFM on Windows 2000 server Install AppleTalk protocol on Windows 2000 server Copy files from old UAM volume to new one


www.sybex.com

CASE STUDY

Maintainability

CASE STUDY

484

Chapter 11


2. What two things are you required to set up on the NetWare server

before you install GSNW? A. IPX Network number B. Update CLIB.NLM C. Create an NTGATEWAY group D. Create a user that has rights to the directories you’re sharing 3. What will you recommend for the SNA Server component of this

upgrade? A. Immediately purchase Host Integration Server 2000 as a replace-

ment B. Keep the legacy installation, initiate a study on migrating to Host

Integration Server 2000 C. Keep the legacy installation as long as possible D. Migrate the AS/400 to TCP/IP and forget SNA 4. What two pieces of information will you need when validating

through CSNW with a NetWare NDS server? A. Default gateway B. Context C. Network number D. Tree


www.sybex.com


485

1. See table.

Step Install SFM on Windows 2000 server Seed new SFM zone Prepare Mac clients with pointer to new zone Copy files from old UAM volume to new one Uninstall SFM from NT servers Note that you don’t have to install the AppleTalk protocol because it’s installed automatically when you install SFM on the new server. Your last step will be to uninstall SFM from the old server. 2. C, D. You have to create an NTGATEWAY group, then create a user

that is a member of this group and has rights to the directories you’re going to share out in GSNW. 3. B. Answer A isn’t correct, though it sounds like it might be. Migrating

to any new program requires testing and project management. In this, you’ll have to work carefully through issues right alongside the AS/ 400 manager. Production systems should not migrate to new code until you’re sure the new code works and has a bit of a track record that you can be comfortable with. 4. B, D. The context and tree of your login are required.

Wrap-up: Cross-platform work in Windows 2000 isn’t difficult. You’ll experience some “unusualness” as you work with the Microsoft method of communicating with other computers, but the systems can definitely talk to each other. You’ll need training on SNA Server if you’ve never used it before, and experience working with mainframes is a huge plus with this software.


www.sybex.com

CASE STUDY ANSWERS

Answers

Chapter

12

Designing a DHCP Solution MICROSOFT EXAM OBJECTIVES DISCUSSED IN THIS CHAPTER: Design a DHCP strategy.

Integrate DHCP into a routed environment.

Integrate DHCP with Windows 2000.

Design a DHCP service for remote locations.

Measure and optimize a DHCP infrastructure design.


www.sybex.com

W

hat once was merely a proposed addition to the original concepts behind the design of TCP/IP, Dynamic Host Configuration Protocol (DHCP), is now a must-have in most networks. DHCP allows you to set up a range of IP addresses, called a scope, and add to that range other configuration items that are necessary for clients to have—things like router info, DNS, and WINS pointers. Then, during the user-computer boot process. the TCP/IP software goes in search of a DHCP server and obtains an IP address and all of the add-on information that was applied. Why is this service so valuable? Because if you didn’t have DHCP, you’d have to go to each PC on your network and key in a static IP address, plus all of the associated default gateway, DNS, and WINS information. On top of that, when anything changed (such as a new WINS server), you’d have to go back around and update that information. DHCP is the singular TCP/IP godsend that makes administrators’ lives drastically easier. This chapter talks about coming up with a good DHCP design, the additions that come with Windows 2000 DHCP, and how DHCP needs to be set up in a routed environment.

Introduction to DHCP

You’ve probably had training in DHCP already, either through your NT experience, Windows 2000 classes, or third-party books like this one, so I won’t go into a full-length discussion. But I will touch on some notions that are important to you as you consider the DHCP objectives outlined for the test.


www.sybex.com


489

Message-Based System Chances are you might not think about DHCP in this way, but it’s truly a client/server system. When you install the TCP/IP protocol on a Windows client computer, the client component is smart enough to know how to go looking for a DHCP server and obtain its IP address (unless you configure it otherwise). The client broadcasts, looking for a DHCP server that can fulfill its needs; this step is called DHCPDISCOVER. DHCP is a message-based system that involves the sending of messages back and forth between the client and the server, and DHCPDISCOVER is only one of several trans– actional messages that might take place. When a DHCP server answers the client’s request, it offers the client an IP address (and associated configuration information); this step is called DHCPOFFER. (Seems pretty easy so far, huh?) If the DHCP server’s scope was all used up and it couldn’t supply the client with an IP address, it would send a DHCPNAK (NAK is an abbreviation for “negative acknowledgement”). As the client receives an IP address, it ARPs for any duplicates. If one is found, the client sends a DHCPDECLINE to the server that issued the bad address. You might be asking yourself how the client computer makes this decision. It’s simple: the server that gets there first provides the client computer with its IP address. It’s all a matter of timing. Once the client has accepted an offered IP address, the DHCP server sends a DHCPACK back to the client so that the client knows the server has acknowledged it. A couple of special DHCP messages are sent when certain circumstances occur. DHCPREQUEST is used by client computers to request or renew a lease. It is used to request a lease from one DHCP server when two or more have offered a lease, to renew a already-owned lease at system startup, or to extend a currently held lease. DHCPREQUEST does this every time the client reboots after already being assigned a non-reserved address; DHCPRELEASE is used by client computers to release a currently held IP address.

Changes to Windows 2000 DHCP Some subtle changes have been made to DHCP in Windows 2000. If you’re coming from an NT 4 environment, it might be important for you to understand the updates that have been made.


www.sybex.com

490

Chapter 12

Designing a DHCP Solution

Manual Allocation of IP Addresses In the Windows NT 4 world, if you had a diskless workstation (sometimes called a NetPC), you had to have installed the BootP protocol on one or more of the NT boxes in order to answer BootP requests. Recall that BootP, a predecessor to DHCP, is a method whereby client computers request an IP address. BootP does not provide for renewal of the IP address at regular intervals the way DHCP does. Instead, the NT 4 administrator has to key in the IP data for his BootP machines on the server. This way each requesting computer can obtain a unique IP address and associated configuration information.

DHCP Integrated into DNS Since Windows 2000 is very DNS-oriented, DHCP had to be modified so that it notified DNS of its registered clients. This feature is enormously handy for non-Windows 2000 computers participating in DHCP. In the old days if, say, a Windows 95 computer was participating in DHCP and you had DNS running, you’d have to manually key in the DNS information for that client. Today, if your DHCP server is so configured (the feature doesn’t automatically turn itself on—you have to enable and configure it), when a non-Windows 2000 client grabs an IP lease from the DHCP server, a DNS record is created as well. This is a revolutionary feature that’s going to put to rest the common argument, “We can’t use DHCP because we’ve got DNS.” Now the two can interoperate just fine, thank you.

DHCP Integrated into RRAS Microsoft has done something completely cool in the RRAS world. Suppose that you set up an RRAS server with several modems and phone lines. You want to give your telecommuters automatic IP address information. DHCP and RRAS are now integrated in such a way that the RRAS server merely requests a block of IP addresses and is given 11, one for itself and 10 for clients! Then, if the IP addresses are all given out by the RRAS server, it merely requests another block of ten addresses so it can handle additional RAS clients. In the NT 4 world, you would’ve had to configure a range of addresses for the RAS server to use. In the Windows 2000 world, you don’t have to go through this step. You’ll need to take an important extra step, however. If you install the DHCP relay agent service on your RRAS servers, your telecommuting clients


www.sybex.com


491

will be given the full cadre of configuration information that you set up when you configured your DHCP server. But if you don’t, your telecommuting users will only get the IP address and subnet mask as provided by DHCP. I’d recommend that you use the DHCP relay agent configuration so that your clients are equipped with the full name-resolution information they need to work.

DHCP Integrated into Active Directory Maybe you’ve had this experience before; I have not. But suppose that you work in a large environment where there are lots of administrators trying to get their job done. Your responsibility is to handle the DHCP server services for the network. One day you’re surprised to find that clients aren’t able to perform name-resolution functions and aren’t acting as they should. After a little digging (OK, maybe a lot of digging), you find that an administrator has set up her own DHCP server, thinking she could somehow bypass the system and do her own thing. As I say, I’ve never run into this problem, but it must be common because Microsoft has set Windows 2000 DHCP server service up so that it has to be authorized within AD in order to work. The purpose of this is to keep rogue DHCP servers off of the net. The caveat here is that if you’ve installed DHCP server and you think your job is done, it’s not! You have to then authorize in AD each DHCP server you set up.

DHCP Server has to be installed on at least one Windows 2000 server (either DC or member) in order for DHCP to work in AD.

The SMS 2 Network Monitor program has a monitor object that can watch for rogue DHCP servers coming on line on the network.

Support for Multicast Suppose that one of your charges is to set up a training Web server, where users from various geographic locations within your company can download a training class that consists of heavy multimedia content. Some of these programs are set up to use IP multicasting as opposed to the much more


www.sybex.com

492

Chapter 12


bandwidth-intensive model of IP broadcasting. In other words, the program knows that it’s sending data only to a list of requesting stations and therefore not broadcasting to every station on the network. It’s multicasting, but the targets it is sending the data to are known. The new Windows 2000 DHCP server service provides support for the Multicast Address Dynamic Client Allocation Protocol (MADCAP). This allows multicast clients to join multicast groups and is an independent service of DHCP. Some special IP ranges are used by this service: 239.253.0.0–239.253.255.255 239.254.0.0–239.254.255.255 239.255.0.0–239.255.255.255

In the throes of a Windows 2000 design, determining the needs of the various departments in the corporation for this kind of technology will greatly assist you in the planning, placement, and configuration of your DHCP services.

RFC 2132 Support An unusual yet very timely RFC, number 2132, provides for so-called VendorSpecific Options. Microsoft has provided support for RFC 2132 in Windows 2000 DHCP. Following are the features that RFC 2132 brings to Windows 2000 DHCP server service:

The ability to disable NetBIOS over TCP/IP (NetBT). While you can’t do this on your Windows 9x and 3.x clients, you can with your Windows 2000 clients. Why would you want to? I guess I’d reverse the question and ask, Why would you want to keep the overhead of NetBIOS around if you don’t need it? Remember that Windows 2000 clients don’t use NetBIOS names; they use DNS FQDNs instead. Why consume unnecessary bandwidth? This feature alone will probably make you consider upgrading your user computers to Windows 2000 Pro before you go forward with your server rollout, and I’d recommend that approach.


www.sybex.com


493

The ability to force clients to release their DHCP lease on shutdown. This is very “BootP-like” and might be handy for regular automatic clean-up and maintenance of the DHCP database. It’s especially valuable for dispensing with leases held by telecommuters.

Supplying clients with a default router metric base. You supply a number (in hexadecimal) that represents the optimal router hop count to get to default gateways. This provides a method for calculating the fastest, most reliable, least expensive route to DHCP servers. Values are 1–9,999 (the default is 1).

To apply these attributes, simply click Start Programs Computer Management. When the Computer Management screen comes up, drill down to Services and Applications. Open DHCP; right-click Server Options and highlight Properties. The window shown in Figure 12.1 opens. Note that in this figure, we’re looking at the Router Metric Base setting, but all of the above are listed in the drop-down as well. FIGURE 12.1

Setting the router metric within the Server Options for DHCP server


www.sybex.com

494

Chapter 12


Cluster-Server Support When DHCP goes down or runs out of available addresses to give out as leases, it creates havoc all over the network. It’s important to come up with some kind of fault-tolerance mechanism to cover these potential problems. Windows 2000 DHCP will work with a cluster server in order to provide failover fault tolerance for the DHCP scopes—but the caveat is that it works with Windows 2000 Advanced or Datacenter Servers, not regular Windows 2000 Server. We’ll talk a bit more about providing fault tolerance on DHCP servers later in this chapter.

Enhanced Security Windows 2000 provides enhanced security. Not just any administrator can go in and manage the DHCP scopes. They have to be made a member of the DHCP Administrators local group (created at DHCP installation time) in order to have this privilege. Note that a person must be a member of the Enterprise Admins group in order to authorize DHCP servers, but only a member of DHCP Admins to make changes to DHCP settings.

Superscopes A superscope is combination of scopes that are being offered to a single subnet. Suppose you know that a given network segment will have tons of users added to it. Several disparate subnets are currently free that you could use for these new users. Simply create several scopes—one for each of the subnets— then create a superscope that includes all of these scopes and apply your scope and global attributes.

Minor Changes You might want to be aware of some minor updates from Windows NT 4 to Windows 2000 DHCP. The default lease expiration time in Windows NT 4 was three days; in Windows 2000 it’s eight days. If you’re an NT 4 administrator considering a Windows 2000 upgrade, this information is good to know. Also, it’s important to understand that BootP is supported with Windows 2000 DHCP server, but the pool of addresses they use must be separately configured from the standard DHCP database. But this is good news for administrators who have RFC 951–compliant BootP hosts on their network.


www.sybex.com


495

Methods of Allocating IP Addresses I fear that I may have left you confused about the various IP address allocation methods that Windows 2000 DHCP server possesses, so I’d like to take a few sentences to describe these choices. They are as follows:

Manually allocating an IP address range. You’d use manual allocation for your BootP client by designating a pool of addresses designed specifically for your BootP clients. Note that even though you manually configure the pool, once you’ve done so, BootP clients compliant with RFC 951 can obtain IP configuration information from the DHCP server and reclaim the address at each new boot. You have to key in the range of addresses and configuration information that’s going to be used by BootP stations, and this information is subsequently stored on the DHCP server.

Automatically allocating a range. Automatic allocation happens when you key in a static pool that’s going to be used by servers. Just as with the manual allocation method, you’ll key in a range of addresses and configuration information for use by the servers. (Note that the servers might already possess this information, and you’re merely moving the information from a statically entered address to a Windows 2000 DHCP address that never expires.)

Allocating dynamically. The standard DHCP method—the one that you’re accustomed to if you’ve used NT 4 DHCP—is called dynamic allocation. Client computers use the DHCP message system to retrieve dynamic IP addresses and configuration information.

Design Scenario: APIPA Hoses the DHCP Administrator You’re an administrator for a medium-sized network. You’ve already installed Windows 2000 Professional on the majority of your client computers, and now you’re ready to get the new Windows 2000 DHCP server services going. It’s late at night, or you’ve somehow misplanned your steps, but for whatever reason, you neglect to do your subnet planning. When you bring up your new DHCP server, you start getting weird calls from your help-desk support people saying that clients on one particular subnet aren’t acting correctly. They can’t connect to resources. But when your help-desk folks have the client run IPConfig, it appears that they have a valid IP address. What on earth could be going on?


www.sybex.com

496

Chapter 12


Since you somehow missed the subnet when you were configuring DHCP, Windows 2000 didn’t leave your clients out in the weeds. Nope; in fact, APIPA kicked in and gave the clients an IP address. No matter that the address it gave the clients was part of the Microsoft reserved address or that it had a vanilla Class B subnet mask—that client got an IP address! I hope you’re thinking what I’m thinking: If you don’t plan your DHCP design, it’s very possible that APIPA could sneak up and misconfigure your network clients. You wouldn’t even know this had happened for a while.

You can turn off this automatic client-configuration feature by adding a new value to the DHCP server’s registry. Bring up the registry editor with the REGEDT32 command. Navigate to HKEY_Local_Machine\System\ CurrentControlSet\Services\Tcpip\Parameters\Interfaces\network_ adapter. Add the Reg_DWORD value IPAutoConfigurationEnabled and set it to 0. In a machine with multiple NICs, this value can be added to ...\Tcpip\Parameters to disable on all NICs.

Interoperability with Routers

I

n networks with WAN links going across routers, you might run into some interesting difficulties when you consider your DHCP design.


Design a DHCP strategy.

Integrate DHCP into a routed environment.

Both DHCP and BootP have the ability to operate across routers, but the majority of the world’s routers have this capability turned off. Remember that DHCP and BootP are broadcast-based, message-oriented protocols.


www.sybex.com

Designing and Placing Servers

497

Suppose that you have a bunch of computers on a subnet in a remote office, all of which have their leases expire at the same time. That kind of broadcast traffic could quickly saturate a router and create a lot of trouble on the network. Though the problem might be short-lived, internetworking experts are not going to be inclined to support the forwarding of DHCP or BootP requests because of this potential for problems. Internetworking experts have enough problems as it is!

Routers aren’t the only devices that could create problems for you in terms of not passing DHCP or BootP requests. International Standards Organization (ISO) Layer 2 switches have the capability of ruling out these requests as well. If you’re not the infrastructure/internetworking person for the network, you need to set up a meeting with that person or persons and find out if these situations could possibly exist.

So what do you do with a router that doesn’t pass DHCP and BootP requests? You have two choices. You can either set up multiple DHCP servers or install the DHCP relay agent on Windows 2000 computers in each subnet. Either way will work, and there are pros and cons to both.


S

o, knowing that we have this routing issue—that is, that we’re generally not allowed to route DHCP or BootP requests—how can we handle this situation? You have two choices at your disposal, and the decision that you make will revolve around issues of money, connectivity, and configuration. In fact, we’re describing a much larger design issue, that of adequate DHCP server placement. Look at Figure 12.2. Here you see a site that consists of four geographically separated campuses connected by a 128K frame relay circuit. Note that you’ve used the reserved Class A network with Class B subnet masks to effectively segment the subnets within each campus.


www.sybex.com

498

Chapter 12


FIGURE 12.2

A simple network layout we’re going to configure with DHCP Site A (HQ) 10.1.0.0 255.255.0.0 1,500 users

Site B 10.2.0.0 255.255.0.0 1,200 users

128K frame relay circuits

Site C 10.3.0.0 255.255.0.0 1,750 users

Site D 10.4.0.0 255.255.0.0 1,300 users

Now that we have our sites set up, we want to begin doing some DHCP service within the network. This is a large network, with 5,750 users and an equal distribution of users across the campuses. So if the routers were configured to pass DHCP requests, then even though a well-equipped single DHCP server could handle the load, it may not be realistic to have all of the DHCP requests coming across relatively slow wires to a single point. (I think 128K is a slow link on a network this size.) Never mind the lack of fault tolerance; we’ll get to that a little later. For now, let’s just look at the issue of thousands of users crossing routers to obtain or renew their IP lease. That sets up a problematic amount of router traffic, something that we may not want and the reason that this capability is normally turned off on the routers.



Design a DHCP service for remote locations.

We have two methods of countering this difficulty: We can set up more than one DHCP server and do some scope-splitting for fault tolerance, or we can set up a DHCP relay agent. Let’s examine both methods to see the pros and cons.


www.sybex.com


499

Multiple DHCP Servers and Scope-Splitting In large networks, it might not be a bad idea to provide a localized DHCP server at each location. You could handle this in a couple of different ways. For example, working from Figure 12.2, couldn’t we place a DHCP server at each location and simply make the scope the appropriate subnet for each campus, as shown in Figure 12.3? FIGURE 12.3

Multiple DHCP servers in a network Site A (HQ) 10.1.0.0 255.255.0.0 1,500 users

Site B 10.2.0.0 255.255.0.0 1,200 users DHCP server

DHCP server


Site C 10.3.0.0 255.255.0.0 1,750 users

Site D 10.4.0.0 255.255.0.0 1,300 users DHCP server

DHCP server

In campus A, for example, our scope would be 10.1.0.0–10.1.255.255 with a subnet mask of 255.255.0.0. In campus B, our scope would be 10.2 with the same subnet mask, and so on. This would effectively rule out the possibility of one subnet running out of leases to give out (though with the Class A design you won’t run into that problem anyway) and would also provide faster lease renewal times for clients on the subnet (because they don’t have to go across a slow wire to get the new lease). I don’t think multiple subnets and DHCP servers are such a bad idea in a big environment, especially one with slow WAN links. The downside is that it presents an administrative hassle, not so much because of the management of the scopes (DHCP is surprisingly hands-off in terms of its day-to-day administration—it’s very much a set-it-and-forget-it service) but because, if the computer craters, you have to send someone out


www.sybex.com

500

Chapter 12


to work on it (or rely on somebody there). With a localized DHCP server, you only have one problem to worry about. Alternatively, if bucks were an issue, or we didn’t want to populate the world with DHCP servers, we could also place only two servers in our site— one at campus A, for example, and one at campus D. Then, we’d split up the scopes so that one DHCP server handled half of the subnets (10.1.0.0–10 .2.255.255) and another one handled the other half (10.3.0.0–10.4.255 .255). That would work very effectively, wouldn’t it? Oops! If you think about it, that strategy might not work after all. Why not? Well, it’s not stipulated in the figure, but it’s very possible that the internetworking folks don’t allow DHCP and BootP requests to go across the routers. Campuses B and C would be lost in the woods in a case like that, wouldn’t they? They’d diligently send out DHCPDISCOVER messages, but they’d never get an answer back. So instead, if they were Windows 2000 clients, they’d resort to APIPA, and if they weren’t, they’d be totally out of luck.

DHCP Relay Agents If we had the need to avoid placing so many DHCP servers, due to costs or manageability, we could install the DHCP relay agent instead. In the sample network above, we could install the DHCP relay agent on Windows 2000 Server computers in campuses B and C, and then configure the services so that their scope falls within the scope of their associated DHCP servers (campus B would use campus A’s scope, and so forth). Figure 12.4 shows this new setup. FIGURE 12.4

Two DHCP servers and two DHCP relay agent computers in a network Site A (HQ) 10.1.0.0 255.255.0.0 1,500 users

Site B 10.2.0.0 255.255.0.0 1,200 users DHCP server

DHCP relay agent


Site C 10.3.0.0 255.255.0.0 1,750 users

Site D 10.4.0.0 255.255.0.0 1,300 users

DHCP relay agent


DHCP server

www.sybex.com


501

The DHCP relay agent isn’t a full-blown DHCP server, but it does have to be configured with a pointer to its DHCP server. Well, if the DHCP relay agent isn’t a full-blown DHCP server, then what does it do? It requests a DHCP lease on a client’s behalf by sending a unicast message across a router to a DHCP server on the other side. Relay agents can be configured to talk to multiple DHCP servers or single servers. If relay agents are configured to talk to multiple DHCP servers, you can set up a delay so that multiple DHCP serves aren’t simultaneously hit with the same requests for a lease.

Design Scenario: Handling Multiple Class C Addresses Suppose that you work for a company that fortuitously purchased several Class C network numbers from the InterNIC several years ago (back when the InterNIC was doing the Internet address licensing). Suppose further that your company has now grown beyond the proportions of one, or even two, Class C addresses. You’re still in the same building you were always in, and you have no further geographic segmentations, but you’ve added a ton of users to the list. Now you’re considering a Windows 2000 upgrade. What one Windows 2000 DHCP feature will really augment DHCP for you? Superscopes, of course. When you get ready to implement your Windows 2000 rollout, you simply add in all of the Class C addresses you have to the DHCP server and create one superscope. You also add appropriate reservations for static IP addresses, of course. How do superscopes work? Well, as users draw leases, they begin filling up the first designated network number, then move on to the second, and so on. DHCP is very linear in the way that it draws the number out of the pool. This would be a fabulous way to combine lots of class C network numbers into one valid pool of IP addresses, forgetting for now that you have security issues to deal with in terms of legitimate class C addresses somehow getting out onto the Internet.


www.sybex.com

502

Chapter 12


DHCP Server Security

Microsoft has done lots of work with regard to DHCP security. Doubtless you’ll be asked numerous questions on the test relative to these new features. I need to take a moment or two and discuss the new things that have been implemented, not only so you’ll pass the test, but also so that you can secure your network.



Integrate DHCP with Windows 2000.

Specialized DHCP Groups We start with groups. I mentioned earlier that a special local group, DHCP Administrators, is created for the purpose of allowing only certain individuals the ability to administer the DHCP scopes. My experience has been that neophyte administrators have a tough time understanding the configuration of DHCP, so securing its configuration by only adding knowledgeable (and authorized) persons to the DHCP Administrators group is a wonderful thing. But there is also a second group, DHCP Users. This group is intended to be populated with the user accounts of those who need read access to the DHCP scopes, such as your junior administrators. They can read all about how the scopes are set up, but they can’t go in and gum them up! Now that’s wonderful, too. But there’s more. Remember the set of DHCP messages we spelled out earlier in this chapter? We can now add a new message, one that’s unique to Windows 2000 DHCP servers: DHCPINFORM. We have special need for this message, and you’ll understand why in just a few more sentences.

Active Directory and DHCP Integration Working with Active Directory presents some new challenges with DHCP. We’ve already said that Windows 2000 DHCP servers must be authorized in AD to be considered a valid DHCP server. This prevents rogue DHCP servers


www.sybex.com


503

from coming online and giving out invalid DHCP addresses to users. A special object is created in the Active Directory at its creation time. The object, DHCPServer, contains the list of all authorized DHCP servers in the forest. Any server that you authorize within AD shows up in this object.

If there’s an unauthorized DHCP server, clients don’t give a rip and will likely get their DHCP configurations from rogue servers anyway. You need to have a flat Windows 2000 Server DHCP server base for this to work. Windows NT 4 servers running DHCP will not be able to check to see whether they’re authorized and could cause lots of trouble, handing out addresses to anyone that asks. If you’re planning on using the authorization security technique, you need to plan on upgrading your DHCP servers to Windows 2000 and then authorizing them.

There’s a little more to this story, though, and you’ll make mistakes if you don’t understand what’s required. These two very special rules need to be followed when setting up Windows 2000 DHCP:

Rule 1: The very first DHCP server you set up must be on a Windows 2000 DC or member server. At least one of the DHCP servers must be able to communicate with AD so it can read the list of authorized DHCP servers. This implies that you can have NT 4 DHCP servers on the network. This is not a valid implication because they cannot participate in AD, nor can they use the new DHCPINFORM message.

Rule 2: The DHCP relay agent must be able to pass the DHCPINFORM message to the DHCP server on the other side of the network. This means that all relay agent computers must be Windows 2000– based.

Both of these rules apply whether you’re in mixed or native mode. It should be apparent to you that Windows 2000 DHCP is a Windows 2000 thing and only a Windows 2000 thing. This rules out third-party implementations of DHCP (such as on routers or switches), Unix DHCP, NetWare DHCP, or any other form of DHCP. Since none of these implementations can communicate through the Active Directory Services Interface (ADSI), they cannot query the DHCPServer object, nor can they become an authorized DHCP server.


www.sybex.com

504

Chapter 12


This will undoubtedly present some very unusual design scenarios for people as they try to work out conversion scenarios. My guess is that most folks will opt to keep their legacy DHCP services working until such time as all servers and workstations are up and running DHCP, then cut the network over to Windows 2000 DHCP. Until then, you’re stuck with the security risk that pre-Windows 2000 DHCP imposes.

High-Availability Scenarios Unlike WINS, there is no backup server for a DHCP server. If a DHCP server augers, users that are up for lease renewal are not going to get a new lease. So are there workarounds for this potentially disastrous situation? It turns out that there are two: one that won’t work very well, and another that will work well but require lots of extra configuration.

Splitting of Scopes I’ve already discussed splitting the scopes a bit, but let’s take it just a bit further. Splitting scopes requires that you have at least two DHCP servers running in your environment. For example, suppose that you have a large single campus of 2,500 users. You could set up two DHCP servers in this singular environment. Then you’d have the choice of setting up two different scopes—one for each server—or, more appropriately, setting up a single scope. On the first DHCP server, you’d put a reservation on half of the scope. Let’s say, for example, that you decided to use 172.20.y.z with a subnet mask of 255.255.0.0. You might go to the first DHCP server and set up the scope with 172.20.1.0–172.20.15.255 and then reserve 172.20.8.0–172 .20.15.255. This way, the first DHCP server would only use the first half of the scope. Then you’d go to the second DHCP server and configure exactly the same scope, but this time you’d reserve the first half. If the first DHCP server goes down, the second can begin picking up the slack. Note that users who were trying to renew their lease when the first server went out would now have an address from the second server’s valid pool, but that’s OK because they could continue to work. Then, when you bring the first server back up, at next lease renewal time they’d possibly switch back. Now here’s an interesting question for you. How does a client computer know which server to go to? It doesn’t! The first server to answer the broadcast is the one that winds up giving the user his IP address. So in the scenario described above, your users are just as likely to have an IP address from the


www.sybex.com


505

second server as they are from the first. It’s all a matter of the health of the servers and the amount of work that they’re doing at the time they get the IP address request from a client. If they can’t answer as fast as the other server can, the client will get the second server’s response to the request. Now let’s ask ourselves another interesting question. What happens if the first server’s scope is completely used up and there are zero available IP addresses? If this server was the first one to answer the client’s request for an IP address, it would send a DHCPNAK, wouldn’t it? The second server would eventually reply with an offer and the client would be in business, but this kind of situation is possible, which is why I recommend making the scopes far over-valued for the number of clients being supported. In fact, one could go so far as to say that for complete fault tolerance, the scope should be at least twice as large as the amount of clients supported, right? Because if the first server failed and all of the users leases had expired (not a very likely scenario) then the server that’s still alive would have to service all of the requests and hence have a large enough scope to handle all of them. The tactic of splitting scopes will also work well across WAN links, as long as the routers are forwarding broadcasts or there is a DHCP relay agent present to forward requests to a DHCP server. But in situations like these, Microsoft recommends that you may not want to do a full 50/50 split on the scopes. You might instead want to do an 80/20 split, with 80% being on the network that’s more heavily loaded. The goal here is to whittle down the number of requests that have to go across a slow WAN link.

Cluster Server The concept with Windows 2000 cluster server is fairly straightforward: You provide two servers that are both dedicated to a single server’s function so that if the first server goes away for any reason, the second server sees the fault and performs a failover. Users aren’t supposed to even see a blip on the radar screen when the failover occurs; they can keep working. You can set up a cluster server in many ways, but all the methods are fairly hardware-intensive. For example, in most cluster server implementations, there is some sort of “heartbeat” monitor—typically a dedicated switch of some kind that has its own connections to each server, to watch the heartbeat of the currently operational server and to trigger a failover should something happen. This is the stuff of fibre channel cards and dedicated cluster server gear. You can have two servers that talk to one RAID array cabinet


www.sybex.com

506

Chapter 12


(thus making the array the SPOF), or you can have two separate servers, each with their own disk arrays. What I’m getting at here is that it’s wonderful that DHCP server will work with cluster server. But you’re probably not going to be inclined to set up a cluster server simply for DHCP. More likely, you’ll set up a cluster server for other critical apps that you have running on the network (they have to be cluster-aware apps or they won’t failover correctly) and then decide to add DHCP as well. DHCP isn’t a heavily intensive process, so I don’t think designing it into your cluster server is a problem, as long as you are careful to over-engineer the box with CPU, disk, and RAM enough to handle everything expected of it. Then, of course, with cluster server you duplicate the scenario with a second box configured exactly the same way. This is a very expensive proposition, and one that’s going to take extra design time and decision-making on your part. Don’t design a cluster server just for DHCP. Splitting the scopes (and other methods talked about in the next section) is just as effective.

Optimizing and Tuning DHCP

Are there ways that you can optimize and tune your DHCP configuration? Indeed there are. There are three different methods that we’ll talk about, the first of which has to do with tuning a single DHCP server. The other two have to do with steps that you can take across your entire DHCP implementation.



Measure and optimize a DHCP infrastructure design.

Single-Server Optimization Single DHCP servers can handle thousands of DHCP lease requests. You can measure this using a “poor man’s measure” by going to a client computer with a stopwatch. Bring up WINIPCFG by clicking Start Run and then


www.sybex.com


507

typing WINIPCFG /ALL for Windows 9x or 3.x computers. Alternatively, for NT and 2000 computers bring up a command prompt. In the WINIPCFG screen, click the Release All button. The IP address will go away. Now, get ready to start your stopwatch and see how fast the IP address gets renewed. Ready? Then click the Renew All button. This is the time that it takes for your client computer to renew its lease with the DHCP server. Generally this kind of activity goes very fast and you won’t have problems with the renewal of your lease. You can do the same thing with NT or 2000 computers by typing in the command IPCONFIG /RELEASE and then IPCONFIG /RENEW. Note that this works for NT and 2000 computers that are participating in DHCP and don’t have statically wired-in IP addresses. Slow response from a DHCP server might be the server’s problem or might be the network’s. Since DHCP is message-based and the messages are tiny, there’s a good chance that unless the network is absolutely saturated, it’s not going to be the slow part of this process. DHCP servers involved with other activities, such as Exchange, SQL Server, or file or print serving, can drastically slow down the response time of the server giving out a lease to a client. Here are some ideas you can use to spruce up your DHCP server’s capabilities:

Offload any other activities from your DHCP server other than providing DHCP.

In multiple-subnet environments, multi-home your DHCP server by installing two or more network interface cards (NICs) and pointing each to a different subnet.

Since Windows 2000 DHCP is multi-threaded, it can use multiple CPUs: Add a second CPU to your DHCP server.

Change out those old 7,500rpm SCSI hard drives for 10,000rpm drives running on a hardware RAID adapter.

If you have a gigabit backbone, add a gigabit-rated NIC to the DHCP server and put it on the backbone.

Steps like these will greatly increase the efficiency and throughput of your DHCP computer.


www.sybex.com

508

Chapter 12


You can use System Management Server’s Network Monitor 2 to monitor DHCP traffic across your network.

Increase Lease Length Perhaps the biggest thing that administrators neglect to think about when designing DHCP deployments is the lease renewal time. Some time should be spent on deciding what the scope should be and its associated reservation(s). But what about that eight-day lease expiration time? DHCP is a pretty funny animal. The client doesn’t begin renegotiating its lease as it expires. Instead, the client negotiates a renewal on the lease at 50% expiration time. So at day four, clients try to renegotiate their lease. In the days of cluttered networks (prior to sophisticated firewalls and proxy servers), lease expiration times had to be short. But today we can set up huge pools of reserved IP addresses for our scopes, and we don’t have to worry so much about the expiration of leases. Perhaps one of the best tuning steps you can take with DHCP is to create long (or unlimited) lease times for your clients.

Set Up Multiple DHCP Servers By setting up more than one DHCP server, you do two things: You offload each of your servers from having to work so much, and you keep DHCP traffic from crossing slow WAN links. DHCP isn’t necessarily a heavily computingintensive operation, so if you decide to put a dedicated DHCP server out in each of your remote sites, you don’t need to go overboard with the hardware (unless, of course you have 10,000 clients at a site!). But I’d still recommend that DHCP can and should live on a computer all by itself, dedicated to the process. You could also have WINS occupy the same server (while in transition from a Windows 9x/NT network to a native Windows 2000 network), but that’s about all I’d consider. It’s important in a setting like this to make sure that you provide an ample supply of IP numbers in your scope so that no one is in danger of their lease expiring and not being able to get new one.


www.sybex.com


509

Design Scenario: The Network That Ran Out Suppose that you work for a large endeavor that employs very many people, on the order of 50,000 or more. A centralized network management group handles all of the IP addressing, and they use a public Class B network number. You’re one of many administrators spread out over a variety of departmental entities, so you have very little say-so in the subnets that you’re given. You manage a building that has seven floors and about 500 users. You’ve been given 2~HF subnets to work with (two full Class C subnets and one Class C subnet with which you’re required to use a 255.255.255.192 mask). The network team has run low on IP numbers, and they’re starting to split out the remaining subnets by forcing administrators to use unusual subnet masks to basically chop the subnets in half, thus providing you with less hosts and them with more places to spread the subnet around. The good news is that you’re using VLAN technology on your recently installed switch gear. You set up three VLANs, one for each subnet. Three of the floors in your building use VLAN1, another three use VLAN2, and the top floor uses VLAN3 (which has the scaled-back subnet). You can do this because it’s possible to share VLANs between switches, as long as there’s a router in the building that the VLANs can route between. There is, but you don’t maintain it; the network people do that. Then one day, it happens. One of your help-desk people runs downstairs and says “We’re completely out of IP addresses for floor 7! Cindy just logged on and she’s getting a DHCP error message. I checked the scope for that floor, and it’s 100% full.” Now what? You’ve got APIPA turned off, so that’s not going to save you, even if it could. You check the scopes of the other two subnets and find that the one serving VLAN1 is almost as full as the top floor’s VLAN. You make a mental note to yourself that you have to get with the network folks very soon and beg, borrow, or steal another subnet. You then look at the scope serving VLAN2 and find that it has 70 IP addresses left! Now, using the technology of VLANs, you can take all of the ports from one of the seventh-floor switches and apply them to VLAN2 instead of VLAN3, thus freeing up an entire switch’s ports, 24 IP numbers in all. You then trace out which users are on these ports, cause them to run a WINIPCFG Release and Renew, and you’re back in business. The next day you call your network folks and request another subnet.


www.sybex.com

510

Chapter 12


Summary

Within this chapter we’ve discussed some interesting topics relative to Windows 2000 DHCP. If you’ve used Windows NT 4 DHCP, you might be surprised (in a good way) at the additions that have been made to this extremely helpful protocol. DHCP provides IP address information to clients that log on to the network. It is a message-based system wherein the client requests an IP address at start-up, and any DHCP server capable of responding replies with an IP address. The client accepts the first DHCPOFFER (in the form of a DHCPREQUEST packet); any subsequent DHCP servers that send DHCP– OFFER receive no reply. DHCP’s predecessor was BootP, a protocol that doesn’t have as many advantages as DHCP. DHCP clients have a lease on their IP address (the default being eight days for Windows 2000 vs. three days for Windows NT 4). Unless configured to do so, DHCP clients do not give up their lease (called “releasing” the lease) at shutdown, but BootP clients do. BootP is useful for diskless workstations (so-called NetPCs) that need to boot from the network; DHCP can be used for almost any device capable of sending DHCP messages. For example, today’s printers and CD towers are also capable of grabbing a DHCP lease—something to watch for! Both DHCP and BootP are supported in Windows 2000 DHCP Server. In Windows NT 4 Server, you had to install and configure the BootP service. Windows NT 4 SP2 DHCP servers provided some support for BootP clients, but required more configuration than Windows 2000 DHCP servers. Windows 2000 DHCP provides some exciting new features. It supports a new multicast protocol, MADCAP, with a special IP range for multicast devices. You also now have the ability to provide a range of static IP addresses that DHCP can manage for devices that require a static address, such as servers. One problem to watch for is, if a Windows 2000 client cannot obtain a DHCP lease, it will use APIPA and possibly fall outside the valid range of IP addresses you have set up in DHCP! Some new client configuration options have been added as well. A default router metric base can be configured for clients so that a cost, in terms of router hops, can be allocated for finding default gateways across routers. This feature is used for calculating the fastest, most reliable, and least expensive router. You can set clients so that their DHCP lease is released at shutdown. You have the ability to disable NetBIOS over TCP/IP (NetBT) for


www.sybex.com

Summary

511

DHCP clients. You would only disable in a complete Windows 2000–based environment, as Windows 2000 computers are the only Windows-based computers that can function without NetBIOS. DHCP and BootP are typically not allowed to cross routers because of their broadcast nature, an internetworking configuration that is set when someone configures a router. For that reason, in your Windows 2000 DHCP design, you’ll have to make some arrangement for users on the other side of a router to be able to obtain an IP lease from a DHCP server. There are a couple of different methods for doing this. The first, most expensive, one is to provide a DHCP server on every subnet. Second, you could set up a DHCP relay agent on a Windows 2000 computer on the subnet that does not have a DHCP server. (You cannot set up DHCP server and a relay agent on the same computer, because they use the same UDP port.) The DHCP relay agent takes a DHCP request from a client computer and passes it in a unicast fashion across the router to the DHCP server on the other side. The DHCP server responds with an IP address, sending it back to the DHCP relay agent which, in turn, passes the address to the client. This process describes some potential for latency, and you should be aware that slow WAN links can create poor DHCP lease-renewal performance. In situations like this, you’re better off providing a DHCP server at each site. DHCP relay agents can point to more than one DHCP server in their configuration. You can increase a DHCP server’s availability by setting up an additional DHCP server and splitting the scope. Single DHCP servers can be optimized by multi-homing them, providing faster disks, CPUs, and more memory for them. You can provide fault tolerance for DHCP servers either by splitting the scope or putting them on a cluster server. Windows 2000 DHCP servers must be authorized within the DHCPServer object in Active Directory to be able to provide leases. As a result of this, all DHCP servers in a Windows 2000 environment must be Windows 2000–based, and at least one Windows 2000 DHCP server must be participating in Active Directory (in order to provide the list of DHCP servers to the other DHCP servers on the network).

Key Terms Some terms that are unique to DHCP server language are provided below. automatic allocation default router metric base DHCP relay agent DHCPACK


www.sybex.com

512

Chapter 12


DHCPDECLINE DHCPDISCOVER DHCPINFORM DHCPNAK DHCPOFFER DHCPRELEASE DHCPREQUEST dynamic allocation Dynamic Host Configuration Protocol (DHCP) IPConfig manual allocation multicast Multicast Address Dynamic Client Allocation Protocol (MADCAP) NetBT NetPC router hop superscope unicast WINIPCFG


www.sybex.com

Review Questions

513

Review Questions 1. DHCP servers working within Active Directory have to be: A. Enumerated B. Declared C. Authorized D. Populated 2. You’ve been given a requirement to set up some training servers that

will have computer-based training (CBT) software on them that streams multimedia content over the intranet to students that request it. What DHCP protocol will the DHCP servers need to be configured with to use a correct delivery method? A. MADCAP B. MS-CHAP C. Unicast D. ADCAST 3. What is a superscope? A. A collection of many subnets combined into one scope B. A collection of many scopes combined into one scope C. A collection of many DHCP servers’ scopes combined into one

scope D. A collection of Windows NT 4 and Windows 2000 servers’ scopes

combined into one scope


www.sybex.com

514

Chapter 12


4. You have a site that is made up of two campuses separated by a geo-

graphic distance. There are two Cisco 1000 routers connecting the WAN circuit. Clients currently use statically entered addresses, but you’ve read about DHCP Server’s conveniences and decide to set up a server. But when you set up your Windows 2000 DHCP server, clients in the other campus can’t seem to negotiate a new IP lease. What could be the matter? Pick the best answer. A. You need to add the new DHCP server to LMHOSTS. B. Clients must be Windows 2000 Professional workstations to par-

ticipate in Windows 2000 DHCP. C. Routers are configured to not allow DHCP or BootP requests

across. D. The scope is not correctly set up. 5. Which benefits can Windows 2000 Professional workstations partake

of with Windows 2000 DHCP? (Choose two.) A. Obtain an IP address from a Unix Samba server B. Disable NetBIOS over TCP/IP (NetBT) C. Obtain automatic logon information D. Release DHCP lease on shutdown 6. When RRAS is configured to obtain DHCP addresses from a Win-

dows 2000 DHCP server, how many leases is it initially given? A. 10 B. 11 C. 12 D. 13


www.sybex.com

Review Questions

515

7. Your network has three campuses connected by routers. Two of the

campuses have Windows 2000 DHCP servers in them, but the third does not. In order to facilitate DHCP in the third campus, you install the DHCP relay agent on one of your DHCP servers, but users cannot obtain an IP lease from the server. What could be the problem or problems? (Choose all that apply.) A. You cannot have the DHCP relay agent and DHCP server on the

same server. B. Routers are not configured to pass DHCP or BootP requests. C. DHCP server or DHCP relay agent isn’t installed on the correct

side of the router. D. Routers won’t forward UDP broadcasts. 8. What fault-tolerance methods can you apply to a Windows 2000

DHCP server? (Choose all that apply.) A. Multi-home it B. Put it on a cluster server C. Split the scope with a second DHCP server D. Back up its databases 9. You are trying to authorize both of your Windows 2000 DHCP serv-

ers but cannot seem to figure out how to make this happen. What’s the most likely cause of the problem? A. Neither DHCP server is participating in Active Directory. B. Neither DHCP server is a domain controller. C. Neither DHCP server is in the correct AD TCP/IP boundary. D. Neither DHCP server is running TCP/IP.


www.sybex.com

516

Chapter 12


10. Sarah, one of your domain administrators, is trying to modify a Win-

dows 2000 DHCP scope but for some reason isn’t allowed to. What could be the problem? A. She’s not a member of the DHCP Users local group. B. She’s not a member of the Schema Admins global group. C. Her Group Policy Object does not allow her to manipulate DHCP

scopes. D. She’s not a member of the DHCP Administrators local group.


www.sybex.com


517

Answers to Review Questions 1. C. In order to prevent rogue DHCP servers from giving out IP

addresses to clients, you must authorize all DHCP servers in Active Directory. 2. A. The Multicast Address Dynamic Client Authentication Protocol

(MADCAP) is used by DHCP servers configured to provide multicast support. Remember that this protocol uses a special set of subnets, 239.253.0.0–239.255.255.255, for this work. 3. B. A feature of Windows 2000 DHCP server is the concept of the

superscope. Using this technique, you combine many scopes into one. 4. C. While answer D is certainly a possibility and one that you’d check,

the most likely answer is C. Routers generally are configured to not allow the passage of DHCP or BootP broadcast requests. 5. B, D. Two new features to Windows-based DHCP is the idea of dis-

abling NetBIOS over TCP/IP (NetBT) and releasing a held DHCP lease on computer shutdown. The first benefits you because you get rid of the overhead of NetBIOS and go to native TCP/IP, but only Windows 2000 Professional workstations can participate in this process. The second is useful for grooming the DHCP database from leases that are held. 6. B. The RRAS server is given 11 addresses: 10 for clients and 1 for

itself. As clients use up the addresses, the DHCP server will supply 10 more at a time. 7. A, B, C. First, you cannot have both the DHCP server service and the

DHCP relay agent service installed on the same server. These services both use the same UDP port, and the server will get very confused. Second, the routers are probably configured to not allow the passage of DHCP and BootP requests across them. Finally, in order to facilitate DHCP on the third campus, you need to either install a DHCP server or the DHCP relay agent on that side of the router, not the other! Note that the DHCP Relay Agent uses unicast and doesn’t require broadcasts to be configured on the routers.


www.sybex.com

518

Chapter 12


8. B, C. Backups are not considered to be fault-tolerance measures;

they’re disaster-recovery steps. Multi-homing a DHCP server will allow you to address more subnets, but doesn’t have anything to do with fault tolerance. Answers B and C are correct. 9. A. In order for the DHCP servers to be authorized, at least one of them

must be a domain controller or server that’s participating in the Active Directory process for the network. 10. D. Even though she’s a member of the Domain Admins group (which

we know because the question told us so), she still cannot control DHCP scopes until she’s made a member of the DHCP Administrators group.


www.sybex.com

Building a New DHCP Infrastructure from an Old One

519

Y


Background You work for VeryLargeNetworks.com, a business-to-business (B2B) Web integration company that specializes in helping businesses work with one another through Web site connections. The company is about a year old, large, and growing larger, thanks to the phenomenal growth of the B2B business. The company has facilities in Chicago, New York, Miami, and Denver, with a new site being planned in Los Angeles very soon. (The Los Angeles office will not be very big at start-up—only about a dozen users—but the anticipation is that it’ll grow to roughly the size of the others over time: 200– 300 users.) The headquarters office is in Denver, and the other sites are connected to it by T1 frame relay. You have several Windows NT 4 servers at each site, some of which are involved with core business application, print, and file serving, others of which are performing Web activities. Currently there is only one DHCP server while the rest of the sites are using a DHCP relay agent server. You’re using the reserved 10.x.y.z network number. You have about 200 users in Chicago, 250 in New York, 200 in Miami, and 300 in Denver.

Problem Statement Your boss, the chief technology officer (CTO), has told you that he wants to convert the network to Windows 2000 as soon as is possible. There are some huge benefits to be gained from Windows 2000 Server in a Web environment, and this is seen as a solid business decision, based on the kind of work the company is involved with. You’re told that you’ll also need to figure out an IP address allocation system for the Los Angeles office, and to come up with a reliable, fault-tolerant allocation system for the users on the network. Users cannot, under any circumstances, experience outages due to not being able to obtain an IP lease. Servers, printers, routers, and associated LAN gear will continue to use static IP addresses.


www.sybex.com

CASE STUDY


CASE STUDY

520

Chapter 12


Envisioned System You design a system that uses a DHCP server at each location, including the Los Angeles site. The CTO isn’t happy and wants you to come up with other recommendations, saying, “While it’s important that we spend the money we need to spend to acquire good resources to handle our B2B infrastructure, I just can’t justify spending the $8,000 it’s going to take to provide a DHCP server in L.A.”

Security Overview Because of the competitive nature of the B2B business, security is of great importance in this environment. CTO “I want you to make sure that no other servers can participate in the DHCP process.” Security Admins “We’ll need to be able to modify DHCP administrative rights as necessary. This should be an ongoing administrative task that we handle.” Internetwork Team “We’re sorry, but we do not allow DHCP or BootP requests across the routers.”

Availability Availability is important because of the nature of the business. Since it’s not known when a user might come in, whether at night or on a weekend, plus the fact that the campuses cross time zones, the DHCP servers (more accurately the DHCP scopes) need to be reliably available at all times. The CTO tells you, “The system needs to have 24×7×365 availability.”

Performance Overview Since your design calls for mostly local DHCP hosting, you expect that the relatively small WAN circuit sizes won’t impact the business. CTO “Keep in mind that we only have T1 frame relay circuits between our sites. I have the internetwork team working on beefing up those circuits, but that upgrade won’t happen for a few months. In the meantime, anything we do cannot put a strain on circuits that are already heavily loaded.”


www.sybex.com


521

1. Which two design alternatives would work the best in this situation at

the Los Angeles site? A. Set up a DHCP relay agent for now, provide a DHCP server later B. Set up a DHCP server immediately C. Set up a DHCP relay agent immediately and do not plan for a

DHCP server later D. No need for either a DHCP relay agent or a DHCP server at this site


www.sybex.com

CASE STUDY

Questions

CASE STUDY

522

Chapter 12


2. In order to accomplish a good fault-tolerance model, consider using

the splitting scopes method so that any one DHCP server going down doesn’t affect any users. While this might mean that users have to come across the WAN link to renew their lease, at least they won’t experience a denial because of unavailability. In the diagram, connect each site to another site that that will devote a scope to backup IP addresses for it. Los Angeles

Connection Types: Backed up by

Denver

Chicago

New York

Miami

3. Can you disable NetBT? A. Yes B. No C. Not enough information to make this determination


www.sybex.com


523

in this scenario? A. No B. Yes C. Maybe 5. In order to provide greater security for the setup, you want to use AD

for your DHCP installation. Which site or sites should contain a member server? Choose all that apply. A. Chicago B. Denver C. Los Angeles D. Miami E. New York 6. How do you set it up so that the Security Team can administer the

scopes? A. The Security Team doesn’t need to administer the scopes. B. Add the Security Team group to the DHCP Administrators group. C. Add the Security Team group to the DHCP Users group. D. Add each Security Team member’s account to the DHCP Admin-

istrator’s group one at a time.


www.sybex.com

CASE STUDY

4. Would a cluster server environment provide additional fault tolerance

CASE STUDY ANSWERS

524

Chapter 12


Answers 1. A, B. Potentially the most cost-effective method would be to set up a

DHCP relay agent for now, then provide a full-blown DHCP server later if needed. Since the other WAN circuits are T1 frame relay circuits, you have no reason to believe that the Los Angeles circuit will be anything less, and a dozen or so initial users won’t kill a wire like that by requesting DHCP addresses from a host in another campus. On the other hand, since you know that the site will eventually have 200–300 users, and the time frame for that is relatively quick, there might be ample justification for providing a DHCP server right away. The only problem with this justification is that you might be tempted to put other applications or services on it as well, just because it is so lightly loaded. While this server could easily host WINS or something like that, putting SQL Server on a box that is lightly loaded today but will be far more loaded later isn’t wise. On top of that, if you put a DHCP server out on your network and the only thing it does is DHCP serving, you don’t need a powerhouse computer, so you save some bucks. There are lots of considerations relative to this question.


www.sybex.com


525

Los Angeles

Chicago

Backed up by

Backed up by

Backed up by

Denver

Backed up by

New York

Backed up by

Miami

What’s the deal with the 80/20 rule anyway? Well, you can anticipate that in a network with mature DHCP usage (i.e., people have been using DHCP for a long time now), you won’t have everyone coming to the trough for an IP address renewal all at once. Users go away on vacation and shut their machines down, or a machine is out of commission for a day or two… whatever. In any case, sooner or later the renewals get spread out. So it’s safe to imagine that only 20% of your users might renew their lease at any one time. Thus, you design your scope so that 80% of the IP addresses are used by the local net, and the other 20% are fallback for the remote users. Chicago and New York have two scopes, and each devotes 20% of its addresses to the other.


www.sybex.com

CASE STUDY ANSWERS

2.

CASE STUDY ANSWERS

526

Chapter 12


In the Denver case, since we have not one but two fault-tolerance servers, we have to split up our Denver scopes more finely (which means we’ll have to have a much larger scope than the other sites). The good side of this arrangement is that only one of the sites, either Miami or Los Angeles, needs to provide the 20% backup. You could opt for both Miami and Los Angeles to provide 20%, giving Denver double coverage, or—since Los Angeles is newer and less populated (for now)—you could simply set it up as the fault-tolerance site for Denver. Now, why two scopes? Well, let’s suppose for a minute that Denver’s scope is 10.1.0.0 and Los Angeles’ is 10.2.0.0. You don’t want Denver to get 10.2.0.0 addresses, so you create a scope for Denver and a scope for Los Angeles on the Denver server. Then you do the same thing on the Los Angeles server. When you set up the DHCP relay agent, you point it to the Denver server. 3. C. Since the disabling of NetBT is only the stuff of Windows 2000

computers, and we’re not told what the client computers are in the text, we can only say that we don’t have enough information to make that determination. 4. B. The answer is a definitive yes. Of course, we could set up cluster

servers at each site for the purpose of providing a DHCP failover. But the cost would be enormous, the added advantage very little, and the decision just does not make practical sense. 5. A, C, D, E. We’re not told what the domain layout is, but it doesn’t

really matter all that much because of the nature of AD. What we do know is that there must be at least one DC or member server participating in AD. Since Denver is the HQ, we’ll assume that the Denver server is the likely candidate for this duty. The other servers do not necessarily have to participate in AD in order to be authorized. But all Windows 2000 DHCP servers must be authorized. If they’re not, their service is shut down.


www.sybex.com


527

don’t need to be added to either one of the special DHCP groups. All they need to do is add DHCP administrators to those groups, which does not require DHCP administrative rights. On the other hand, when you’re set to give DHCP administrative privileges to other administrators, you’ll ask the Security Team to add that person’s account to the DHCP Administrators group. You can add groups to the DHCP Administrators group—there is no need to add one account at a time. Wrap-up: This is a fairly straightforward design, as are most DHCP implementations. The problem with DHCP design is that a plethora of geographic sites creates administrative confusion. You must have a clear picture in your mind as to what you’re doing. If I were designing this particular network’s DHCP setup, I’d set up a DHCP server in Los Angeles immediately, but then you probably gathered that from question 2, huh?


www.sybex.com

CASE STUDY ANSWERS

6. A. Since the Security Team doesn’t need to administer the scopes, they

Chapter

13

Planning a DNS Implementation MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Design name resolution services.

Create an integrated DNS design.

Create a secure DNS design.

Create a highly available DNS design.

Measure and optimize a DNS infrastructure design.

Design a DNS deployment strategy.


www.sybex.com

I

f you’re coming from the Windows NT 4 arena, there’s a very good chance that you’ve never messed around with Domain Name Server (DNS). Especially in big shops, odds are that DNS was hosted by the Unix servers and not NT. There really was an NT 4 DNS service that you could install and configure, and I’ve talked to people who liked it quite well and others who said it didn’t work at all. Lots of Microsoft-only shops never went into DNS, but stayed in nice, safe, understandable WINS instead. But now we enter an environment where you don’t have a choice about running DNS. Active Directory and Windows 2000 clients (both servers and workstations) must use DNS. The computer name is based on a fully qualified domain name (FQDN), and DNS is referenced heavily for lots of Windows 2000 work. If you’re new to DNS, now’s the time to hunker down and really get a good solid overview of what it’s about (this book assumes that you’ve gone through some DNS training in your entry-level Windows 2000 classes and that you know the basics of DNS). The Windows 2000 Resource Kit has an excellent chaper on the inner workings of DNS. If you’re not new to DNS, you still have some things to learn with Windows 2000 DNS because, like other services such as RRAS or DHCP, it has added new features that you need to know about. Note that more exam subobjectives are listed under “Design name resolution services” than just what you see here. The rest are covered in Chapter 14.

Why DNS?

DNS is an Internet and intranet standard because it works hand-inhand with TCP/IP. The purpose of DNS, like WINS, is to resolve names to IP addresses and vice versa. WINS resolves NetBIOS names into IP address; DNS resolves fully qualified domain names (FQDNs) into IP addresses.


www.sybex.com

Why DNS?

531

DNS uses the concept of a zone for its IP address mapping. A zone, also called a namespace (not to be confused with an Active Directory name– space), is a collection of records that have been entered into a DNS database. A zone can contain a partial domain, a complete domain, or a combination of domains. Each host in a zone has an IP address plus a host name that describes the organization to which the host is a member. The basic difference between DNS and WINS (besides the fact that WINS resolves NetBIOS names and DNS resolves TCP/IP) is that FQDNs include a hierarchical name that pinpoints the host right down to the OU and hostname. Computer_ name.company_name.com is a grammatic example of an FQDN. You’re probably familiar with this if you’ve keyed in host and domain names in the DNS dialog of a Windows 9x or NT computer. In addition to the concept of a zone, there is the notion of a forward lookup and a reverse lookup. Suppose you’re performing an ordinary ping test. In a forward lookup, you pass the name of the host you’re looking for and get back the host’s IP address. For example, suppose you want to ping a host named mycomputer in the domain mycompany.com. You’d type the command ping mycomputer.mycompany.com. That’s a forward lookup. Reverse lookups are built from PTR records and a special table in the DNS database; they allow you to use the NSLOOKUP command to find an FQDN if you know the IP address. Painfully, in the old days of DNS you had to key in both the forward lookup table and the reverse lookup table in order for the system to work correctly. Today, Windows 2000 populates most of this information into the database automatically. Since Windows 2000 DNS is compliant with TCP/IP RFCs, it is quite independent of computer platforms and thus very suitable for Internet and intranet work. Windows 2000 contains updates that reflect the attention that Microsoft paid to very recent RFCs. Windows 2000 DNS has many new features that bring extra versatility to it. Of course, some of the newer features rely on the Windows 2000 OS for implementation. For example, a Windows 2000 computer can automatically report its DNS information (IP address and FQDN) to DNS servers instead of administrators having to key the data in, as they would with older versions of DNS. Also, as in Windows NT 4 DNS servers, the reverse lookup table is automatically created (provided you use DCPROMO to promote a Windows 2000 server to a domain controller—DCPROMO automatically installs DNS and includes a reverse lookup database). Windows 2000 DNS supports incremental zone transfers, instead of having to fully copy the DNS zone databases to secondary DNS servers as earlier DNS versions had


www.sybex.com

532

Chapter 13

Planning a DNS Implementation

to. Support for the SRV resource record, somewhat analogous to the MX record, allows a single DNS record to list multiple servers offering similar TCP/IP services. SRV records are very important in a Windows 2000 environment, because they are pointers to the servers providing crucial networking services such as Active Directory (for the LDAP service), Kerberos, the global catalog, and others. Other new record types include the AAAA record, similar to an A record but used for IPv6 IP addresses. The WINS and WINS-R records are provided for WINS lookups, and the ATMA record is included for the ability to reference ATM addresses. So here we have a highly robust service that is compliant with Berkeley Internet Name Domain (BIND) versions up to and including 8.2.2.

Key Sub-Zones Key sub-zones are required for the support of AD. The SRV records for these sub-zones need to be included:

_msdcs.ADDomainName.suffix

_sites.ADDomainName.suffix

_tcp.ADDomainName.suffix

_udp.ADDomainName.suffix

Windows 2000 Dynamic DNS (DDNS) can be integrated into Active Directory and can allow DHCP, domain controllers, DNS servers, and client computers to update it automatically. Some very new and great features to Windows 2000 DNS include the ability to scavenge old DNS records from the database (á la WINS) and to age them out. Also, a monitor tool is featured with the DNS interface in Windows 2000 so you can test your zone configurations. Another cool feature of Windows 2000 DNS is the concept of negative caching. The DNS server remembers host names that are invalid so as not to waste time searching for them. And speaking of the Window 2000 Resource kit, a utility called DNSCMD is available that provides you a nice command-line utility for the purpose of configuring DNS servers.


www.sybex.com

Creating an Integrated DNS Design

533


Up until now, it’s safe to say that the majority of DNS servers in large enterprises ran on Unix computers (though in moderate-size networks, NT 4 DNS was and is popular). But there are so many advantages to using Windows 2000 DNS that it’s very possible that many administrators will want to move their main DNS server services to their Windows 2000 servers instead. There are many advantages to this, the most obvious of which is the integration with AD. Wherever your AD database winds up getting replicated to, there will be your DNS records as well. This means no more crossing slow WAN links for DNS services as you might’ve had to do before. (Dedicated Unix DNS servers are not cheap, so they tend to stay put in a centralized location.) AD-integrated DNS also means that you have the ability to provide secure control over which client computers can update the DNS database for that zone. Furthermore, you no longer have a SPOF in your primary zone database. Since the DNS database is replicated to all AD servers, each DC has an active copy of the DNS database, one that you can edit at will.


Design name resolution services.

Create an integrated DNS design.

But there’s more to it than that, especially if you have Windows 2000 clients throughout your enterprise. You save yourself tons of work by not having to maintain a manually edited DNS database. Any non-Windows 2000 clients might require that you create a manual entry in the DNS system for them, depending on whether you’ve enabled your Windows 2000 DHCP servers to automatically update DNS at lease-renewal time. You would do this by clicking Start Programs Administrative Tools DHCP, rightclicking the DHCP server you’re interested in configuring, and selecting Properties. Click the DNS tab (shown in Figure 13.1) and check the “Enable updates for DNS clients that do not support dynamic update” option. (Clients that do not support dynamic update would be any non-Windows 2000 clients.) This change requires that dynamic updating be turned on.


www.sybex.com

534

Chapter 13


FIGURE 13.1

Updating a DHCP server

It’s a fairly safe bet that your migration to Windows 2000 is going to take a long time in a large, disparate environment. Therefore, a pragmatic design alternative would be to make a Windows 2000 server running DNS a secondary server to the Unix BIND servers in the network. (Unix BIND servers must be running, at a minimum, BIND 4.97, and the preferred BIND version is 8.2.2.) Recall from your previous DNS studies that secondary servers obtain read-only copies of the DNS databases, and they know they’re supposed to pull down a new copy by comparing their serial number to the primary’s. If their serial number is less than the primary’s, they know an update has occurred and they copy the primary’s database. This is not an incremental download as other Windows 2000 DNS servers would obtain (i.e., only the changes that have been made are downloaded), but it would provide a method for you to maintain your Unix DNS servers until such time as you’re ready to cut over to Windows 2000.


www.sybex.com


535

A Windows 2000 DNS server can host several different types of zones: ADintegrated, primary, or secondary. In the case of an AD-integrated zone—one that replicates its DNS information to other DCs—that zone can also act as a primary to other non-integrated zones being hosted on non-Windows 2000 servers. This is how a design (albeit a complex design) that included Unix BIND, Windows NT, and Windows 2000 servers could let them interoperate with one another.

To create a new Windows 2000 Active Directory–integrated DNS zone, click Start Programs Administrative Tools DNS. Right-click the DNS server you’re interested in adding to and select New Zone. You’ll be presented with a wizard, shown in Figure 13.2, that will guide you through creating an AD-integrated, a standard primary zone, or a standard secondary zone. FIGURE 13.2

Adding an Active Directory–integrated zone using the DNS New Zone Wizard


www.sybex.com

536

Chapter 13


You don’t have to have Unix servers to be facing the need to work with a combination of older DNS servers and new AD-integrated servers. Windows NT 4 DNS servers cannot integrate with AD, but they can participate as a secondary zone to a Windows 2000 DNS server. So your plans for older NT DNS boxes would be identical to the Unix computers: make your primary DNS servers the AD-integrated ones and your NT servers the secondary. Windows 2000 DNS AD-integrated servers can work in mixed-mode environments and can act as primary servers to Windows NT 4 secondaries.

When setting up Windows 2000 AD-integrated zones, at least one of the servers must be a Windows 2000 DC.

Creating a Secure DNS Design

W

indows 2000 DNS permits very fine distinctions of who is allowed to manage the DNS database.



Create a secure DNS design.

In the Administrative Tools DNS window, right-click the server whose properties you want to view and select Properties. Select the Security tab and you’ll see a window similar to the one in Figure 13.3.


www.sybex.com


FIGURE 13.3

537

Viewing the Security Properties for a given DNS server

Certain groups are automatically given administrative authority over the DNS servers, among them Domain Admins, Enterprise Admins, DNS Admins, and the Administrators group. The Administrators group lacks Full Control and Delete All Child Objects rights, but retains great control over the DNS databases. You can opt for more security by tightening up on the rights that some of the groups have, but be careful not to take rights away from the DNS Admins group.

The DNS Admins group, by default, is empty. If you’re going to use it to tighten the security and control over who can maintain your Windows 2000 DNS implementation, be sure you add their names to this group.

Furthermore, you can click the Advanced button from within this Properties window and configure properties such as Permissions, Auditing, and Owner. Permissions (Figure 13.4) lists the users and groups who have permissions to the object that’s being viewed at the time. Auditing (Figure 13.5) lists the users or groups who are being audited; and Owner (Figure 13.6) lists the users or groups who own the object.


www.sybex.com

538

Chapter 13


FIGURE 13.4

The Permissions tab of the Advanced Control Settings window of the DNS Properties box

FIGURE 13.5

The Auditing tab of the Advanced Control Settings


www.sybex.com


FIGURE 13.6

539

The Owner tab of the Advanced Control Settings

The main decision you’ll have to make when setting up security for DNS is about who you want to be able to administer the DNS database. There’s not a whole lot of manual entry work to be done to the database, especially if you’ve set DHCP to forward client information to DNS. But realize that there are several places where you can add permissions. You can set the permissions in the screen I showed you in Figure 13.4. Using this method allows you to apply permissions to a user, a group, or a computer. You can also use the DNS program in Administrative Tools to update permissions for an entire zone or for a single entry! You can manage permissions on a zone and its individual records only if the zone is AD-integrated. A second important decision is whether to allow dynamic updates to the DNS database. If you’ve enabled dynamic update of DNS, then Windows 2000 clients can update the DNS database, as can DHCP. You’ll find that you need to make very few specific entries in the DNS databases. If you're going to use AD-integrated DNS, you have to install DNS on at least one Windows 2000 DC, and you must purposely set the dynamic updating of the database to Yes. To do this, navigate to the zone you’re interested in updating, right-click it, and select Properties. Under the General tab, set the Allow Dynamic Updates? option to Yes. Setting this pull-down to Only Secure Updates implies an environment in which all of the DNS servers are set for AD-integrated.


www.sybex.com

540

Chapter 13


Do not set up DHCP and DNS on the same computer if using the Only Secure Updates option. This could cause a security compromise if DHCP is updating DNS on behalf of the clients.

Secure Zone Transfers You can set up your DNS zones so they transfer only to DNS servers that you designate. There are a few different options for this. To view them, navigate to the zone that you’re interested in working with, right-click it, and select Properties. Click the Zone Transfers tab, as shown in Figure 13.7. You can choose to transfer to any server in the domain (probably not a great idea for security reasons); you can choose to transfer to servers that are keyed into the Name Servers list found on the Name Servers tab of this same Properties sheet; or you can set it up so that zones are transferred to only those servers that you list. Note that you can click the Notify button to notify secondary servers of a zone change. Again, the secondary servers you can choose to notify of zone updates can be keyed into the Name Servers section of the Properties sheet, or you can enter specific IP addresses for DNS servers. FIGURE 13.7

Setting up zone transfers


www.sybex.com


541

When setting up zone transfers across the Internet, use either a VPN or IPSec to encrypt and secure the traffic. A screened subnet is one that lies between two firewalls—the private network is on one side of a firewall, the screened subnet is in the middle, and the public (Internet) network is on the other side of the second firewall (see Figure 13.8 for a picture of this unique setup). You’d encounter this kind of situation if you had a set of Web servers out in a demilitarized zone (DMZ), a semi-public, semi-private zone where Web servers can reside to provide Web services to Internet viewers but prevent access to internal networks; here you need more public access than your private network would allow. In a case such as this, you would configure the outside firewall (Firewall B) to allow incoming DNS queries from the Internet. You’d configure DNS replication from the private network to go only one way, from inside to the DMZ, and you’d not allow any DNS queries past Firewall A.

Some of today’s firewall products allow for only one firewall on a screened subnet. Traffic bound for the screened subnet is routed differently than traffic bound for the private network.

FIGURE 13.8

Zone transfers in a screened subnet Private network

Public network

Screened subnet

Firewall A

Firewall B

Screened subnets should contain only secondary DNS data, never primary data. Active Directory integration will allow you to apply additional security to the zone transfers between the internal and the screened subnet. Encryption can be provided with a VPN or IPSec. Since a secondary DNS server contains a replica of its primary, your DMZ secondary would contain references to internal computers, something you may not desire. An optional,


www.sybex.com

542

Chapter 13


more secure configuration, might be to create a primary DNS zone on your DNS server in the DMZ, thus assuring yourself that the DMZ DNS server doesn’t contain records that reference internal computers.

Redundancy of DNS Servers

I

n the old days of DNS, when you had to statically enter all of records into the DNS database, redundancy was highly important. In a case like that, you set up a primary DNS server and then had at least one, if not more, secondary DNS servers throughout your enterprise.



Create a highly available DNS design.

Active Directory integration creates an environment where you don’t have as much to worry about in terms of DNS availability (because DNS information is integrated into the directory). But what happens if a WAN circuit goes down for an extended time? You’ll not only have problems getting AD replicated to outlying sites, but your DNS will crater as well. For this reason, it’s key that you target weak points in your site that may require a second DNS server and then set up servers at those points. You have two choices for the way in which you set these up. You can create Active Directory–integrated zones between these servers, or you can set up a primary/secondary zone replication scheme. One Microsoft recommendation I saw implied that at least one DNS server at every site, and potentially a second one (for redundancy’s sake), would be a very good design. In sites where you have slow or troublesome WAN links, I think a second DNS server is a great idea. But for sites where the WAN link is robust and not overcrowded, this solution may be overkill.


www.sybex.com

Designing a DNS Implementation

543

Design Scenario: Delegated Domains A second redundancy technique—one that might work well for you—is the concept of delegated domains. Here’s how the concept works. Suppose that you’re an administrator for a company, LargeCompany, with a couple of different sites; let’s call them SiteA and SiteB just to be clever. SiteA is pretty large and might very well merit its own domain: SiteA.LargeCompany.com. Ditto for SiteB: SiteB.LargeCompany.com. What you can do is set up two DNS servers: one at SiteA, one at SiteB. SiteA will have as its primary zone SiteA.LargeCompany.com, while SiteB will have as its primary zone SiteB.LargeCompany.com. Site A will have an NS and an A record for Site B; Site B will have an NS and an A record for Site A. In a case like this, you’ve delegated the domain for SiteA to the DNS server at SiteA and vice versa for SiteB. Users at Site A requesting name server services for a host in Site B will reference Site B’s DNS, which then points them to Site A for the final lookup. Note that this kind of DNS setup doesn’t have anything to do with Active Directory, though each of these DNS servers could very well forward their incremental zone updates to an AD-integrated server. Suppose that what you’re striving for isn’t necessarily a delegated domain situation, but a redundancy environment where you provide a modicum of fault tolerance without having to go to AD-integrated zones. What you can do in a situation like this is set up two DNS servers: one at SiteA, one at SiteB. SiteA will have as its primary zone SiteA.LargeCompany.com, while SiteB will have as its primary zone SiteB.LargeCompany.com. Then, each server will have the opposite server as its secondary. In a case like this, you’ve delegated the domain for SiteA to the DNS server at SiteA and vice versa for SiteB. You have redundancy built into the mix because each site replicates its data to the other site, but you don’t kill your WAN circuits, because the primary zone lives in the site that it’s serving.


N

ow we begin to drill in and take a look at the various circumstances you might run into as you finalize your Windows 2000 DNS design. One important component to keep in mind, one that’s very often overlooked, is


www.sybex.com

544

Chapter 13


the capacity for growth in a given design. I work for a company that is going through a period of frenetic growth, and in some cases we haven’t done our best work in designing an upward migration path for that growth. In the DNS sense, not only do you need to keep an eye on today, but you also need to think about tomorrow



Measure and optimize a DNS infrastructure design.

Design a DNS deployment strategy.

Selecting the Correct DNS Infrastructure for Your Network Several key components need to be looked at when considering the correct DNS infrastructure for your design. Perhaps the most key question you’ll have to ask yourself is whether it will be desirable to replace the BIND (Unix) DNS servers running in your Windows 2000 environment. This decision will drive everything else in your project. If it’s not acceptable for Windows 2000 to do the DNS work, that’s no big deal. The BIND servers will be the primary DNS servers and your DNS boxes will be the secondaries. Note that the BIND servers must support SRV records (BIND 4.9.7) and should support dynamic updates (BIND 8.1.2). On the other hand, some things aren’t supported in BIND and Windows NT 4 DNS that are supported in Windows 2000 DNS—things like forwarding to WINS for name resolution, and DHCP dynamically updating DNS— so you might want to consider a completely Windows 2000–based set of DNS servers. The chart below shows some common BIND versions and the updated support they provide: BIND Version

Supplies

4.9.7 or later

Support for SRV records

8.1.2 or later

Support for dynamically updated DNS zone database

8.2.1 or later

Support for incremental zone updates

8.2.2

Additional DNS features like negative caching


www.sybex.com


545

The main point here is that you’ll have to assess your legacy DNS environment, make sure you talk with the people who are running the current DNS implementation, and come up with a design that everyone likes.

DNS in a Routed Environment You have two considerations here. The first we’ve already discussed: slow WAN links. The answer for that is a DNS server at each site. But more interesting is the concept of Internet users being able to get into your DNS servers and update records that they find. How would they be able to do that? If a DNS server was a standard primary server and it was out on the DMZ (the admin’s term for the screened subnet described above), then it might be very possible for someone to hack in and update or change the DNS tables, which would subsequently replicate to the secondary servers. You fight this problem by keeping your primary DNS server in the private network, replicating only certain zones to the secondary DNS server in the DMZ. Since secondary DNS servers have read-only databases, they can’t be messed with. In either of these cases, the router is going to pass the name lookup request to a DNS server. If the local DNS server doesn’t know the information requested, the name resolution request is passed to the forward lookup zone (if one has been provided), a DNS server typically out on your ISP’s network that then takes a stab at the lookup. If the information is unknown there, the request is passed upward to a higher-level DNS server and so on. If no forward lookup zone exists, the name lookup stops at the root DNS server in your network. Routers are typically configured to pass all DNS requests and clients are usually configured with the network’s valid DNS IP addresses.

Zone-Replication Security You can handle zone-replication security in several ways. Perhaps the most risk when transferring zone information will be when you’re passing it across the Internet from one of your DNS servers to another. Microsoft recommends that you set up a VPN when sending data of this sort over the Internet and that you encrypt the data either through IPSec or VPN technology.


www.sybex.com

546

Chapter 13


On zone replications that take place inside the internal network, the best and easiest way to secure the replication is to set up Active Directory–integrated zones. This data is encrypted as it’s passed along and is highly secure.

High-Availability Scenarios You have several options for providing highly available DNS servers. Perhaps the easiest and cheapest method is to provide lots of redundancy in your DNS design. This kind of technique requires that you sit down and think hard about your delegated domains, how you’re going to split things out among several DNS servers. A second question is whether you provide a backup DNS server at each site. You can see how you can get into some pretty expensive scenarios when you begin to dedicate computers strictly to managing DNS. Since these computers are referenced quite often by computers performing name lookup tasks, you won’t want to be stingy with the hardware makeup of the computers. You’ll want to provide ample CPU power, plenty of RAM, and enough disk to make sure that as the network grows, so can the DNS database on the computer. A 100Base-T full-duplex network link would be extremely helpful as well. For really important sites that require very fault-tolerant installations, you’ll want to consider a cluster server for your DNS installations. When you begin to consider cluster server, your setup and installation times increase, your administrative tasks become much more complex (due to the complex nature of clustering), and costs soar. But in a server outage, that failover will pay for itself the very first time it’s needed. I don’t see that many corporations will need or want cluster server for their DNS environments. Windows 2000 DNS server is not cluster-aware, but will work in a cluster server setting. You won’t be able to justify cluster server for DNS strictly for DNS’ sake. You’ll probably want to have other cluster-aware apps that can make very good use of a cluster—such as Exchange 2000—to justify such an implementation.

Optimization and Tuning of DNS The most basic technique you can use for testing how well DNS is doing is to grab a command prompt, get your stopwatch out, and ping an FQDN to see what kinds of response times you’re getting out of the system. You’ll also


www.sybex.com


547

want to time reverse name lookups with NSLOOKUP so you have a feel for how fast the DNS box can respond to those kinds of queries as well. The question then becomes, what’s acceptable to you? This is a purely subjective call, but one that will be driven by users complaining about the slowness of the net. You can also use System Monitor to evaluate the performance of your DNS servers. A DNS object and several DNS-related counters are provided with System Monitor as soon as you install DNS on a Windows 2000 computer.

In a setting where the network is really fast, but users are complaining about slow DNS response times, I’d take a look at the computer itself to make sure it’s capable of performing well in the environment it’s expected to work in. Also check to see whether LMHOSTS or HOSTS files aren’t being referenced before DNS gets a chance to answer.

You can set Windows 2000 DNS Servers up for fast replication, which should provide you with better performance. You’ll also want to make sure that the overall network infrastructure can handle what’s being asked of it. Routers with 10Mbps uplink ports cannot possibly perform well in 100Base-T networks that deliver the data faster than they can take it in. This is all very common-sense stuff, but often overlooked as well. Finally, to speed up DNS requests across slow WAN links, you can consider setting up a DNS server to act strictly as a caching-only server. Cachingonly DNS servers do not host any zones of their own, but cache all lookup requests forwarded to DNS servers that do have valid zones. This way the cache often responds before the request has a chance to be sent across the wire. If the DNS information doesn’t change very frequently or if you have slow or saturated WAN links, this is the ticket for speeding up those name resolution requests.

Backward Compatibility Issues Certain key benefits from Windows 2000 DNS are not supported in older versions of BIND. For example, the SRV resource record wasn’t supported until BIND version 4.9.6 or later. Support for dynamically updated BIND databases wasn’t provided until BIND version 8.1.2. A relatively obvious concept, incremental zone updates, wasn’t provided until BIND 8.2.1. A


www.sybex.com

548

Chapter 13


visit with your friendly Unix DNS admin is in order so that you ascertain exactly where you’re at in terms of BIND versions. Windows NT 4 DNS servers don’t support dynamic DNS updates, period, so in terms of backward compatibility with them, you’ll have to make sure that they’re always a secondary to your Windows 2000 primary DNS server. Neither BIND or Windows NT 4 DNS servers support Unicode character sets, only ANSI. This could be a problem with foreign-language DNS implementations that use characters not found in the ANSI character set. If the chances are that you’ll encounter such sets, you’ll have to set your Windows 2000 DNS servers for RFC-compliance (ANSI) and avoid the Unicode issue. Some vendors supply non-RFC-compliant resource records in DNS. For example, suppose that a manufacturer of a voice card for fax systems decided to include a record such as DSP in the DNS database. This is not a recognized record type. In BIND and Windows NT 4 implementations, zone replication would cease. Stop. Kaput. But, through the magic of Windows 2000 DNS, you can instruct the DNS server to simply ignore strange resource records such as this. If you’re using BIND DNS servers and you decide to set up WINS forward lookup zones, your BIND servers will croak on the WINS and WINS-R records. The decision to use WINS as a forward lookup zone with Windows 2000 or Windows NT 4 DNS automatically indicates that BIND DNS drops out of the picture.

Summary

Domain Name Server (DNS) provides an IP address when it is given an FQDN. Windows 2000 DNS server has improved things greatly over traditional Unix DNS (BIND) or Windows NT 4 DNS. For example, you can choose three different “flavors” of DNS when setting up a DNS server in a Windows 2000 environment: standard primary zone, standard secondary zone, and Active Directory–integrated zone. Standard primary and standard secondary are compatible with BIND or Windows NT 4 servers. There are some exceptions to the above statement. Windows 2000 DNS supports new record types such as the SRV record (actually not a terribly new type but new to Windows DNS), the WINS and WINS-R records, the AAAA record, and the ATMA record. Since BIND servers can’t hang with


www.sybex.com

Summary

549

records they don’t understand (replication stops when these are encountered), make sure you don’t have those kinds of compatibility issues before forging ahead. You can prevent records that are not supported by BINDbased secondaries from being transferred to them by choosing the Do Not Replicate This Record when setting up the WINS properties for a zone. Windows 2000 DNS supports incremental (partial) zone transfers, which Windows NT 4 does not, so if you have a design that includes backward compatibility with old NT 4 DNS, you’ll have to work with full zone replication. Neither BIND servers earlier than version 4.9.4 nor NT DNS servers support fast replication. The good news is that you can support a legacy environment and have a Windows 2000 Active Directory–integrated DNS server. AD-integrated servers must be on at least one domain controller, and you must configure that server so it uses an AD-integrated zone. With Windows 2000 DNS, you gain several key features: DHCP can automatically update DNS (this feature is configurable by administrators), and DNS can forward unresolved queries to WINS for further resolution work. Windows 2000 Pro computers can automatically register their information with DNS, while non-Windows 2000 computers require Windows 2000 DHCP to do so. Windows 2000 supports redundancy of DNS servers and clustering, though DNS is not a cluster-aware application. Microsoft recommends that you place a DNS server at each remote site. You can provide secondary servers as well for backup and redundancy. Delegated domains are DNS servers that are authoritative for a given sub-domain (the primary DNS server contains an NS and an A record that points to the sub-domain DNS server). Using this technique, you could set up a DNS server to host one domain and a second to host another, then have the two use each other as secondaries for their zone information. This is a clever way of providing redundancy and segmentation. A screened subnet, sometimes called a DMZ, is one that lives between two firewalls, typically used for Web servers that the Internet public will access. A DMZ DNS server should not be set up as a primary, because the data will be write-accessible by people from the outside. Instead, make it a secondary server so its data is read-only. You can set up caching-only DNS servers so that resolution requests are cached, speeding up name resolution requests across slow WAN links. Alternatively, to prevent outsiders from seeing private network DNS records, simply make your DMZ DNS server a primary.


www.sybex.com

550

Chapter 13


Key Terms DNS has a few unique terms that aren’t used anywhere else in the computer biz. They are as follows: AAAA ATMA Berkeley Internet Name Domain (BIND) delegated domains demilitarized zone (DMZ) DNSCMD forward lookup zone namespace negative caching NSLOOKUP resource record screened subnet SRV standard primary zone standard secondary zone Unicode WINS WINS-R zone


www.sybex.com

Review Questions

551

Review Questions 1. Your corporate direction is that DNS services must continue to be

hosted on BIND (Unix) servers. But you’d like to take advantage of AD integration. How is this possible? Choose as many answers as apply. A. Set up a DNS server in a Windows 2000 standard primary zone B. Set up a DNS server in a Windows 2000 AD-integrated zone C. Set up a DNS server in a Windows 2000 standard secondary zone D. Install the latest version of BIND (8.2.2 or higher) to assure that

the BIND servers will interoperate with the Windows 2000 servers 2. For what purpose would you use the WINS and WINS-R source

records? A. For WINS integration B. To point to the network’s WINS servers C. For WINS integration into BIND DNS D. So Windows 2000 WINS servers act as the DNS servers for the

network 3. You have a single namespace on your BIND DNS server; the name–

space is called mycompany.com. Your company has recently purchased an engineering firm that’s going to act as the R&D wing of your corporation. In an effort to move toward Windows 2000 DNS integration with the BIND servers, you’re instructed to set up a private namespace called engineering.mycompany.com. How would you handle this situation with Windows 2000 DNS? A. Install a Windows 2000 AD-integrated DNS server and set up a

zone strictly for the engineers. B. Get rid of all BIND servers and upgrade to Windows 2000 DNS

for your name serving needs. C. Set up a Windows 2000 DNS server that acts as a delegated

domain server for the engineering group. D. This cannot be done.


www.sybex.com

552

Chapter 13


4. You work for an ISP that requires a very fault-tolerant DNS imple-

mentation so its customers will never go without name resolution services. What method would be the most effective to apply when using Windows 2000 DNS? A. Configure the DNS server so it’s on two different switch ports B. Configure at least one additional standard primary DNS server

with a duplicate zone C. Configure the DNS services on a cluster server D. Use AD-integrated zones with your Windows 2000 DNS servers 5. How can you measure the performance of a DNS server? Choose all

the methods that apply. A. System Monitor B. DNSCMD C. NSLOOKUP D. PING 6. There’s one big difference between Windows 2000–based DNS clients

directly updating the DNS database and DHCP updating the DNS database on behalf of clients. What is it? A. DHCP updates the DNS database with both an A and a PTR

record. B. Windows 2000 DNS clients update the DNS database with both

an A and a PTR record. C. The DHCP update is unsecure. D. The Windows 2000 update is unsecure.


www.sybex.com

Review Questions

553

7. You have a mixture of BIND and Windows NT 4 DNS servers. Your

design calls for a Windows 2000 DC to be the primary DNS server for the entire site. But as you add new zones, you find that your primary Windows NT 4 DNS server does not get the updates. What could be the problem? A. You’ve not yet configured your Windows NT 4 DNS server as a

secondary server to the new Windows 2000 DNS server. B. Windows NT 4 DNS servers do not support dynamic zone

updates. C. The Windows NT 4 DNS servers are secondary to the BIND

servers. D. Windows NT 4 DNS servers must be primary to all other DNS

server types. 8. Name two methods that you can use to speed up Windows 2000 DNS

across a WAN link. A. Set up caching only on the DNS server on the opposite side of

the link B. Enable fast replication C. Put the DNS services on a cluster server D. Disable DHCP updating of DNS 9. What is the single best method for creating a secure DNS

environment? A. Set up password protection on all DNS databases B. Set up Windows 2000 AD-integrated DNS for the entire network C. Require BIND servers to log on to Windows 2000 servers D. Disable Windows NT 4 DNS servers


www.sybex.com

554

Chapter 13


10. Sarah, a member of the Domain Administrators group, is trying to

modify a Windows 2000 DNS server zone but for some reason isn’t allowed to. What could be the problem? A. She’s not a member of the DNS Admins group. B. She’s not a member of the Schema Admins global group. C. Her Group Policy Object does not allow her to manipulate DNS

zones. D. The Domain Administrators group has been removed from the

security permissions for DNS.


www.sybex.com


555

Answers to Review Questions 1. B, D. Thankfully, Windows 2000 DNS servers can interoperate with

legacy BIND servers. So though the corporate direction is to continue with BIND DNS, you can supply AD integration with DNS by simply installing a Windows 2000 AD-integrated DNS server and making it a secondary to the BIND servers. 2. A. Once a Windows 2000 server has been converted to a domain con-

troller and DNS has been installed on it (which happens automatically when using the wizard associated with DCPROMO), you are in a position to set DNS up so it forwards name resolution requests that it cannot resolve to the network’s WINS computers. The WINS record is the forward lookup record for the WINS servers; the WINS-R records is the reverse lookup record. 3. C. On the Windows 2000 DNS server, set up a zone called engineer-

ing.mycompany.com. On the BIND server, set up NS and A records pointing to the Windows 2000 box as the authority for this subdomain. Queries sent to the BIND server for mycompany.com will be answered by the BIND server. Queries for engineering.mycompany.com will be forwarded to the Windows 2000 machine. 4. D. Since all DCs will subsequently have a copy of the zone data, you’ll

provide inherent fault tolerance. 5. A, C, D. There are several System Monitor counters you can use for

evaluating the performance of your DNS servers. PING and NSLOOKUP are useful utilities for timing the response of DNS servers. PING an FQDN and see how long it takes to respond. Do the same with a reverse lookup using NSLOOKUP. The DNSCMD utility is found in the Windows 2000 Resource Kit and is used for configuring new DNS servers.


www.sybex.com

556

Chapter 13


6. B. The security of a DNS update is based on AD-integrated DNS. Here

we’re told nothing more than that a client is trying to update a DNS server. Interestingly, if a Windows 2000–based DNS client updates the DNS database, both an A and a PTR record are supplied, whereas DHCP only supplies a PTR record. 7. B. A drawback to the Windows NT 4 DNS server service is that it does

not support dynamic zone updates. You’ll have to manually configure any zone updates on these computers. 8. A, B. Two optimization methods are setting up a caching-only DNS

server on one side of a slow WAN link and enabling fast replication across the entire DNS system. Neither of these techniques require ADintegrated DNS to work. Enabling fast replication happens by unchecking the BIND Secondaries check box under the Advanced tab of the DNS server’s Properties box (enabled by default). 9. B. The very best, most secure method you can use is to set up Windows

2000 AD-integrated DSN service on your network and bag both BIND and Windows NT 4 DNS. You’ll gain faster replication times across the network because of AD’s ability to replicate the zone data; the database will be far less hackable because it’s not text-based; and DHCP servers will require permissions to update the database. On the other hand, you’ll probably not be able to just “bag BIND and Windows NT 4 DNS” because of the holy war you’ll cause due to your belief in this new, advanced DNS. 10. D. By default, the Domain Administrators group is allowed to admin-

ister DNS. But if somebody removes that group by modifying the security properties of a DNS server, she could lose her ability to manage the DNS zones. That may be a good or a bad thing, depending on your DNS design.


www.sybex.com

Integrating Windows 2000 DNS into a Legacy Environment

557

Y


Background You’ve been hired as a consultant to work for a medium-sized business, Acme Shoelaces (their motto being “We have our competitors all tied up.”). Acme is converting its network from a combination of Windows NT, NetWare, and Unix to Windows 2000. Your job is to design this entire integration project. You’re now on the DNS design component of this project.

Current System Overview The company is situated in a single city but has two sites, one that houses the actual manufacturing plant and the other for the corporate offices. The Unix servers provide the manufacturing and financials for the company, but you’ve come up with a Windows 2000–based solution that’ll provide both environments on Windows 2000, allowing you to get off of the Unix servers. NetWare, which was providing simple file and print services, will be dismantled first, leaving you with Unix for a time. The goal is to get to native Windows 2000 throughout the company. Problem Statement The Unix administrators want to retain DNS on their BIND 4.9.6 servers.

Envisioned System Overview You report directly to the CIO of the company. The plan you create is to set up a Windows 2000 DNS server at both sites, make them secondary to the BIND servers for the interim period that you’re involved with converting off of Unix to Windows 2000 for the financials and manufacturing side, then migrate to an AD-integrated DNS plan. CIO “I like the idea very much. Go forward and implement.” Unix Admins “What’s wrong with the legacy system?”


www.sybex.com

CASE STUDY


CASE STUDY

558

Chapter 13


Security Overview Security will be somewhat limited until you migrate to ADintegrated DNS. CIO “The Unix admins will be phased out as we go forward with this project. I need you to make very sure that the new system is secure from potential disgruntled admin intervention.” Security Admins “What modifications will have to be made for us to be able to say who is allowed to administer DNS?” Unix Admins “No, you cannot be given root access to the servers!”

Availability DNS resolution has never been an issue with the legacy BIND servers. They run just fine. The CIO asks, “Will Windows 2000 AD-integrated DNS be as reliable as the Unix DNS servers have been?”

Maintainability You inform the CIO of the capability of DHCP interacting with Windows 2000 DNS so that it’s more dynamic, plus you talk about the capability of forwarding unresolved names to WINS. She thinks this is fantastic, saying, “The less intervention we have to do, the better. Will WINS be going away when we cut over to Windows 2000?”

Performance The two sites are connected by a 256K frame relay WAN link; you’ve had this link evaluated and it’s highly underutilized. You don’t think that the link will take a performance hit by adding DNS. The CIO’s response? “If you need to upgrade the circuit speed, now is the time!”


www.sybex.com


559

1. What’s the first step that needs to be taken in this DNS upgrade

project? A. Set up a Windows 2000 DNS server on one of the Win-

dows 2000 DCs B. Upgrade the BIND servers to 8.2.2 C. Dismantle Windows NT 4 DNS D. Detail on paper how the current zone structure is set up 2. What can you do to make sure that the Unix admins are not allowed

to administer the Windows 2000 DNS servers and still allowed to administer the Windows NT 4 DNS boxes? A. Take the Unix admins out of the Domain Admins group (if they’re

a member). B. Remove Domain Admins from the list of valid administrators in

the Windows 2000 DNS settings. C. Unix admins shouldn’t have NT or 2000 admin privileges. D. Set the NTFS permissions on the Windows 2000 DNS databases so

they restrict the Unix admins from modifying them. 3. Is there any advantage to getting off of the old DNS servers and onto

the Windows 2000 servers? A. Yes B. No C. Maybe 4. Would a cluster server environment provide additional fault tolerance

in this scenario? A. No B. Yes C. Maybe


www.sybex.com

CASE STUDY

Questions

CASE STUDY

560

Chapter 13


5. Looking at the table below, pick tasks from the right column and place

them in the left column in the order they should be deployed so that you come up with a completed DNS installation. Tasks

Tasks Point DHCP scopes DNS properties to new servers Create Windows 2000 DNS zones to act as a secondary to BIND servers Disable Windows NT 4 DNS services on all NT 4 DNS servers Set up permissions on Windows 2000 secondary DNS Servers Change Windows 2000 secondary DNS zones to AD-integrated Dismantle BIND servers Update BIND version on legacy Unix servers Await completion of Windows 2000 upgrade Obtain a schema of current zone layout

6. Will WINS be required once the network is completely cut over to

Windows 2000? A. Yes, WINS will always be required. B. No, WINS will not be required. C. We don’t have enough information to make a determination.


www.sybex.com


561

1. D. In integration situation such as this, the first thing you’ll need to do

is examine the DNS databases and see how the zones are currently configured. Then you might have to make decisions about the namespaces, especially if you’re going to support some clients on Windows 2000 DNS and the BIND servers will support others. The second step will be to upgrade the version of BIND on the Unix boxes so they can interact with Windows 2000. 2. B. The quickest and easiest method would be to simply remove the

Domain Admins group from the list of users qualified to administer the Windows 2000 DNS database. This would keep the Unix admins from being able to administer the new DNS servers but would continue to allow them the capability to administer the NT 4 DNS servers. Of course, since they’re domain admins, there’s not much keeping them from granting themselves this right again whenever they like. 3. C. Dynamic DNS: the ability of servers (DHCP, DC, and DNS) and

client computers to update resource records in DNS databases. And while BIND 8.1.2 DNS can support dynamic updates, maybe it’s better to move DNS to Windows 2000. The AD-integration component is wonderfully helpful, because you have built-in fault tolerance due to AD’s inherent replication to all DCs. Nevertheless, neither of these reasons give you the clout you need to go in and demand that the company immediately dismantle its BIND DNS and go forward with Windows 2000. More realistically, your Windows 2000 DNS servers will probably play some hybrid role in the overall DNS environment. Delegated domains—designating your Windows 2000 servers to act as DNS servers for a subdomain—will most likely be the solution. 4. A. The company is not in the kind of situation where immediate name

resolution services are required and would crater the business if they went away for a brief time. You’re going to install a second DNS box on the other side of the WAN link, so you have redundancy built in; a cluster server isn’t needed and would waste the company’s money.


www.sybex.com

CASE STUDY ANSWERS

Answers

CASE STUDY ANSWERS

562

Chapter 13


5. See table.

Tasks Obtain a schema of current zone layout Update BIND version on legacy Unix servers Create Windows 2000 DNS zones to act as a secondary to BIND servers Set up permissions on Windows 2000 secondary DNS servers Point DHCP scopes DNS properties to new servers Disable Windows NT 4 DNS services on all NT 4 DNS servers Await completion of Windows 2000 upgrade Change Windows 2000 secondary DNS zones to AD-integrated Dismantle BIND servers 6. C. We’re told that the servers will all be migrated to Windows 2000.

We’re not told whether the users will be brought up on Windows 2000 Professional workstations or not. Thus we don’t know if WINS will be able to go away or not. In a truly native Windows 2000 environment, there is no need for WINS because it is for the purposes of NetBIOS name resolution and in native Windows 2000 networks we’re using DNS instead. Wrap-up: The singular biggest issue you’ll face in any Windows 2000 upgrade design that currently contains BIND-based servers is the holy war that will doubtless ensue when you begin to talk about the wonders of Windows 2000 DNS. And the Unix advocates will be right when they say that Microsoft DNS has some weaknesses (or at least had some weaknesses until Windows 2000 came out). But the tables have turned, and now it’s up to the BIND folks to hurry up with RFC compliance. All of Windows 2000’s DNS updates are based on recent RFCs, and Microsoft is merely coding to the standard. Nevertheless, I’m betting that the majority of sites will retain legacy BIND servers until the next glacial age.


www.sybex.com

Chapter

14

Designing a WINS Implementation MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Design name resolution services.

Create a WINS design.

Create a secure WINS design.

Measure and optimize a WINS infrastructure design.

Design a WINS deployment strategy.


www.sybex.com

A

h, the Windows Internet Name Server, also lovingly known as WINS. This is the acronym that some administrators have come to love to hate. This tool, crafted by Microsoft and following the RFC 1001 and RFC 1002 guidelines, has been the source of complaints by many an administrator over the years. The goal of using WINS in a network is to resolve NetBIOS names to IP addresses. If you ping mycomputer.mycompany.com—an FQDN—you’re going to a DNS server, looking up the IP address based on the DNS name you have, and then pinging the IP address. But when you ping mycomputer—a NetBIOS name—you’re going to a WINS server, looking up the IP address based on the NetBIOS name you have, and then pinging the IP address. I’m not sure that WINS should get beaten up as badly as it has. There are some very explicit guidelines for WINS, and not much has changed with the Windows 2000 implementation of WINS over Windows NT 4. So if you’re careful to follow some basic instructions, I believe that you’ll find WINS to be an extremely reliable tool for your network. The exam objective “Design name resolution services” includes more subobjectives than the ones listed here. They’re discussed in Chapter 13.

Creating a WINS Design

I

f you started a network from scratch with new apps and Windows 2000 Professional workstations for the users and Windows NT 4 servers for your server farm, you’d never have to use WINS on the network. It’s when you


www.sybex.com


565

have legacy apps requiring WINS, or legacy Windows computers on the network (and Windows NT servers), that WINS must be involved. If you’re working in that kind of environment and you’re planning a Windows 2000 upgrade, you’ve almost undoubtedly got a WINS server or two (or three or four… we’ll talk more about how “less WINS is more” later in this chapter).



Create a WINS design.

The whole purpose of WINS is to resolve NetBIOS names to IP addresses by sending unicast messages across routers. In other words, WINS is designed to work with the shortcomings of broadcasting across a router (just as DNS does). So, on a flat little network where you don’t have any routers to cross, you probably really don’t need WINS at all. If you have 100 clients and a couple of servers, you really don’t need to care very much if clients are broadcasting for name resolutions. But if you have hundreds or thousands of users spanning multiple geographic segments, then you’ll have to be interested in maintaining WINS servers. When we design WINS servers, there are several things that we need to know: Pushing and Pulling Suppose that you have two WINS servers on the network. One of the servers has resolved several names and has its database dynamically updated through client registrations so that it can continue to resolve these names in the future. Ditto for the other server. How do you replicate the contents of each so that each server knows about the other’s databases? You set up what is called a push/pull partner relationship. If the first server sends its contents to the second, that’s called a push. If the first server obtains the contents of the second server on its own, it’s a pull. You can (and should) set up WINS servers so they update one another’s database regularly. You can adjust the time that elapses between pushes and pulls and regularly check the database’s consistency. Microsoft strongly recommends, and I agree, that you set up your WINS servers in a push/pull relationship with one another. I don’t recommend that one server pushes to another or pulls from another—you want a full push/pull relationship so that you’re sure the databases update one another on a timely basis.


www.sybex.com

566

Chapter 14

Designing a WINS Implementation

WINS Proxy Agents Some (non-Microsoft) NetBIOS clients are not able to work with WINS servers, but require the capability of performing NetBIOS name resolution. A good example of such a client is a CD tower that uses NetBIOS but is not a WINS participant. In such a case, you’d have to set up a WINS proxy agent that would resolve names on behalf of this client. In my career, I’ve never had to work with such a strange quirk of physics, but I’m confident that you’ll encounter a non-WINS client question on the test. Any Windows computer can act as a WINS proxy agent. Windows 2000 Computers Support Multicast WINS Server Discovery Windows 2000 computers have the capability of discovering new WINS server partners via multicast on 224.0.1.24. The default time delay between multicasts is two hours. Order of Name Resolution WINS uses the concept of a node type. These are hexadecimal numbers that you enter in DHCP scopes and that tell the WINS client the order of name resolution to use. The most common type, node type H or hybrid node, will check a WINS servers first, then broadcast for the name, then check the local LMHOSTS file (discussed in the next section). I’ve had issues before where it was important to remember the order that name resolution happens based on node type, so it’s something the prudent person would commit to memory. Though there are other node types, they are virtually unused in Windows computerdom. When a client computer is configured for H-node (probably through DHCP settings), it will try to resolve a computer name in the following order. It’s not a bad idea to commit this order to memory, because you’ll find that you’ll use it quite a bit when you’re troubleshooting nameresolution problems. H-Node Search Order NetBIOS cache on client computer WINS Broadcast LMHOSTS file HOSTS file DNS


www.sybex.com


567

Note that a client computer trying to resolve a computer name will first check its cache to see if the name is listed there. (You can check the current listings in your cache, plus obtain the time to live for cache entries, by simply going to a command prompt and entering the command NBTSTAT -c | more.) If the cache can’t resolve the request, WINS is checked next. If WINS can’t resolve it (which should not be the case very often), a broadcast is made for this host. If you’re broadcasting for a host, generally you’re going to find it unless it’s offline or unavailable in some other way. If broadcasts don’t work, the client checks the local LMHOSTS file, then the Hosts file (if it exists—hosts files are used for FQDN to IP address resolution and aren’t often used in the Windows world), then finally DNS. By the time you get to DNS, your chances are highly unlikely of finding this host, because you’ve already attempted a broadcast for it. Nevertheless, I’ve had occasions where the IP address has changed and was correctly keyed into DNS but not WINS, and DNS finally got around to answering the request. There is a long delay in finally getting to the DNS request, because of various timeouts and file checking going on along the way. LMHOSTS File In the \Windows directory of Windows 3.x or 9x computers and the %systemroot%\System32\Drivers\Etc directory of NT computers, you’ll find a file called LMHOSTS. The file is very easy to use: each line includes the IP address of a server that the client may need to connect to, a tab, then the server’s NetBIOS name. You can include keywords such as #PRE, which loads the entry into memory for dynamic cache allocation; #DOM, which designates that computer as a domain controller; and #INCLUDE, which references a global LMHOSTS file on a server somewhere. The file is easy to set up but difficult to maintain, especially if you have many users referencing it. The most effective way that I’ve seen LMHOSTS files used is to have one master LMHOSTS file on a shared directory on a server—one with sufficient rights so that all computers can access it. Then, in the logon script for the clients, you simply download a copy of LMHOSTS at logon. You can put some logic in to do some date checking on the client’s LMHOSTS file versus the server file, but that’s not usually necessary since these are mostly tiny files. Optionally, you could use the #INCLUDE keyword to reference the server file from the client’s file. Instructions for using LMHOSTS can be read by directly editing the file. You edit LMHOSTS.SAM and then rename it to LMHOSTS (with no extension) on most clients. Note that LMHOSTS


www.sybex.com

568

Chapter 14


is similar to HOSTS—where the HOSTS file is used for computer names, the LMHOSTS file is used for NetBIOS names. I know lots of administrators who like to populate an LMHOSTS file on all clients just in the off chance a WINS server isn’t available. You can install the WINS Server service on Windows 2000 domain controllers, member servers, or stand-alone servers. These WINS servers are backward-compatible with any Windows NT 4 WINS servers you currently have in your network, including acting as push/pull partners with Windows 2000 servers.

Design Scenario: With WINS, Less is More One time I had a WINS problem. People on a remote subnet were not able to resolve names via the WINS server. It turned out that the problem was pretty elementary and we had it solved in no time, but at the time I was new to TCP/IP and WINS and had to open up a Service Request ticket (SRX) with Microsoft technical support in order to get the problem solved. The support technician (an extremely knowledgeable one) told me two interesting things. One was that you should not overburden your network with a plethora of WINS servers. In the WINS arena, less is truly more. While Windows 2000 clients can support up to 12 WINS servers, most networks can get by with one or two. You typically want two WINS servers so that you have a backup in case the primary server croaks. (Which one is the primary? The first one referenced in the DHCP scope global properties, of course.) This man said that two servers was about all that was ever needed, and I’ve found that to be true over and over again. Don’t overcomplicate your life by introducing scads of WINS servers on your network. Stick with two, make them push/pull partners with one another, and leave them alone. In big networks, put them on dedicated WINS server computers that have enough CPU, RAM, and disk to keep up with the endeavor.


www.sybex.com


569

He also told me that in the Advanced properties of Windows NT 4 WINS configurations, there is an option called Migrate On/Off. The Windows NT 4 version of this check box is shown in Figure 14.1 and the comparable Windows 2000 version in Figure 14.2. The deal with this check box is that, once in a while a computer will fail, for whatever reason, to register itself with WINS. You can key in static mappings, but that’s not the way that things were designed to work. You want WINS to be dynamic, and you don’t want to have to worry about inputting static entries all the time. When, and if, you run into a computer that you need to type in manually, first of all turn on Migrate. Then key in the entry. Wait 30 minutes or so, then turn off Migrate. The entry will disappear from the static list and appear in the regular WINS database.

FIGURE 14.1

The Windows NT 4 Migrate On/Off setting


www.sybex.com

570

Chapter 14


FIGURE 14.2

The Windows 2000 Migrate On setting

Creating a Secure WINS Design

Y

ou can secure WINS servers very much the same way that you secure DNS boxes. If you have WINS traffic crossing the Internet, remember that the data is ASCII text and fully readable—probably not a good thing to have going out over a public network. You can get around this problem by setting up a VPN between your sites or by using IPSec to encrypt the data and then send it out. Tunneling the data via VPN or IPSec makes it much more secure.



Create a secure WINS design.


www.sybex.com

Tuning and Optimizing the WINS Infrastructure Design

571

In a screened subnet design, where you desire to allow Internet clients to be able to reference names registered with corporate WINS servers, consider making the WINS server in the screened subnet a pull partner with the corporate WINS server on the other side of the firewall, as shown in Figure 14.3. FIGURE 14.3

WINS servers on a screened subnet Screened subnet (DMZ)

Private network

Web server

Internet

Firewall

WINS server

Firewall

WINS server

You’ll need to open ports 137 (for both UDP and TCP), 138 (for UDP), and 139 (for TCP) in order to facilitate any WINS traffic between firewalls.

WINS servers can be put on a cluster for fault-tolerance purposes.


Microsoft has done you several favors in terms of tuning and optimizing your WINS deployment. While WINS isn’t the “most favored nation” that it once was in the Windows genre, it is still required for backward compatibility, and there is still a need for making sure that adequate performance tuning techniques are available for admins who need to use this system.


www.sybex.com

572

Chapter 14




Measure and optimize a WINS infrastructure design.

Server Optimization Techniques We start with the fact that WINS is now multiprocessor-aware. This means that you can either purchase a dual-processor system for each of your WINS server computers or, if possible, you can upgrade your current WINS servers to dual-CPU. Believe it or not, in this day and age of super high-speed networks, a dual-CPU computer running symmetric multiprocessing (SMP)aware apps can improve the performance and throughput of your servers. If you have multiple hundreds or thousands of users hitting your WINS servers daily, I’d consider upgrading the servers to dual-CPU boxes. Four-way or more? Nah, I don’t think you need to go there. But two-way computers would be an advantageous thing to think about. Take a look at Task Manager on either your Windows 2000 or your Windows NT 4 WINS servers. Right-click anywhere in the gray matter of the task bar that isn’t occupied by an open app; select Task Manager. Click Performance and take a look at the physical memory section, noting how much physical memory you have. Then compare it to the amount of MEM Usage. Got more MEM Usage than physical memory? You have a RAM-starved box, my friend, and you need to add some RAM to it. Is your physical memory marginal? Add some RAM to it. Don’t have any more room for RAM? Replace the computer. Get the point? RAM is everything to Windows servers. Is your WINS box old? Then you’ve probably got some old SCSI drives running at 7,500rpm. You can do your system a big favor by replacing them with 10,000rpm SCSI drives. Don’t have SCSI? Why the heck are you running WINS on IDE drives? Get a SCSI adapter and get some SCSI drives in that unit! You can’t do server work very well on IDE drives; they’re made for desktop computers, not servers. If your network infrastructure can support it, set the network card to 100Base-T full duplex. Make sure the switch port is set for 100-Full as well. Don’t trust auto-negotiation of these ports! Verify with your own two eyes that the switch port and the NIC port are set at 100-Full. If your NIC doesn’t support 100-Full but your network infrastructure does, upgrade the NIC


www.sybex.com


573

and get it to 100-Full. If your infrastructure doesn’t support it, you need to go back a few chapters and get the network infrastructure beefed up first. Here’s a network axiom that I’ve seen developing the last few years and that will definitely keep growing: Network infrastructure isn’t something—it’s everything! Windows 2000 WINS servers support a new concept called burst-mode name registration. Suppose that you have gajillions of users who log on Monday morning and all need to reference some computers from the WINS server. The WINS server gets really backed up and can’t handle the mode. Well, a new feature for Windows 2000 is that it counts how many requests the WINS Server component is getting and, when the number exceeds 500, sets the time to live (TTL) for the clients making and caching the request to five minutes. For every 100 client registration requests over 500, the TTL has 5 minutes added to it: 600 clients, 10 minutes TTL; 700 clients, 15 minutes TTL. This is a very smart way of making sure that bursting doesn't happen again very soon. (Burst handling is available in NT 4 WINS with current service packs.) Supply enough servers for the network to support all of its users without going overboard on the number of WINS servers you have installed. Too many WINS servers can create as many problems as not enough. For faulttolerance purposes, figure out where your WAN SPOFs are and place a WINS server at each location. For instance, if you have three sites separated by three routers, for fault tolerance you’ll need three WINS servers. That way, if one of the WAN links craters, users can fall back on the local WINS server—not to mention that users will consult their local WINS server for name resolution before they ever cross the network. This can create problems if you don’t time your database replications so they’re frequent enough for users to have current data, so plan accordingly.

Another way to optimize servers is to take advantage of persistent connections for push partners; this cuts down on network traffic by cutting out the session-creation traffic on each push replication event.

Client Optimization Techniques There is one crucial thing you can do in order to increase the client’s performance. When a client registers with a WINS server, WINS waits a certain


www.sybex.com

574

Chapter 14


time (which is configurable); if a computer name doesn’t renew its WINS entry within that time, the entry is “tombstoned.” Tombstoning allows the entry to live for a little longer, but it’s practically, officially dead and will be removed very soon. If the client renews before the renewal time, then the WINS server retains the client information in the database. In Windows NT 4 WINS and Windows 2000 servers, the renewal interval is six days. See Figures 14.4 and 14.5 to see what this screen looks like when editing a WINS server’s properties. It’s important for you to understand that WINS clients act just like DHCP clients: at 50 percent of the renewal period, the WINS client goes out and re-registers its name with the WINS server. So the client tries to renew at three days. This, as you might imagine, creates network activity. If you extend this renewal period, you’ll do your network a favor by not hammering it so often with WINS renewals, although Microsoft estimates that only about 1 percent of the network on a typical network is taken up by WINS. Lengthening this renewal period will likely not produce noticeable results unless you’re on an already cram-packed network, in which case you need to review your infrastructure. FIGURE 14.4

The Windows NT 4 Renewal Interval setting


www.sybex.com


FIGURE 14.5

575

The Windows 2000 Renew Interval setting

You can also provide multiple WINS servers for redundancy. Suppose that WINS server A is down when the client renews. WINS server B will pick up the renewal request and register the client’s name in WINS. Then, when WINS server A comes back on line and a push/pull happens, WINS server A will also know about the client computer. Check the DHCP scope settings to make sure the node type is set to “0x8, h-node”. If it’s set to some other value, change it back. You want your clients referencing WINS first, broadcasts second, LMHOSTS last. If need be, make sure clients have an updated LMHOSTS file on their local machines.

Windows 2000 clients can talk to up to 12 WINS servers, where older Windows 3.x, 9x, and NT computers could only talk to 2. This is probably due to the need to pick up legacy Windows NT 4 multiple-WINS-server environments.


www.sybex.com

576

Chapter 14


Measuring WINS Server Name Resolution Performance First, you should be aware that when WINS is installed on a computer, a System Monitor object is added, and there are several counters that you can use to measure the performance of your WINS servers. This is probably the best and most factual way of ascertaining how loaded your WINS boxes are. Both Windows NT 4 and Windows 2000 have this feature. Remember that you shouldn’t usually run System Monitor from the computer that’s doing the work, lest you skew the results. Run System Monitor from a different computer that’s monitoring the activity of the computer in question. This, of course, means that if you’re going to monitor WINS activity, you’ll have to monitor a computer from another computer that already has WINS on it. You can also do a poor man’s test simply by measuring PING times. PING a NetBIOS name and time how long it takes to return the reply. The

MCSE: Windows 2000 Network Infrastructure Design Study Guide (with CD-ROM)

MCSE: Windows 2000 Network Infrastructure Design Study Guide

MCSE: Windows 2000 Network Infrastructure Administration Study Guide (2nd edition)

MCSE: Windows 2000 Network Security Design Study Guide

MCSE: Windows 2000 Network Management Study Guide with CD-ROM

MCSE: Windows 2000 Network Infrastructure Design Exam Notes

MCSE: Windows 2000 Network Infrastructure Design Exam Notes

MCSE Training Guide Windows 2000 Network Infrastructure GERMAN

MCSE: Windows 2000 Network Security Design

MCSA-MCSE Windows 2000 network management study guide

MCSA MCSE: Windows 2000 Network Management Study Guide

MCSE: Windows 2000 Server Study Guide

MCSE Windows 2000 professional study guide

MCSE Training Kit Microsoft Windows 2000: Network Infrastructure Administration

MCSE: SQL Server 2000 Design Study Guide

MCSE: Exchange 2000 Design Study Guide

MCSE : Windows 2000 Network Infrastructure Administration Exam Notes

MCSE: Windows 2000 Web solutions design study guide

MCSE Windows 2000 Network Infrastructure Exam Cram 2

MCSE: Windows 2000 Directory Services Design Study Guide, 2nd Edition

MCSE SQL Server 2000 design study guide

MCSE: Windows 2000 Network Security Design Study Guide Exam 70-220 (With CD-ROM)

MCSE: Windows Server 2003 Active Directory and Network Infrastructure Design Study Guide (70-297)

MCSE: Windows 2000 Network Security Design Exam Notes(tm)

MCSE: Windows 2000 Network Security Design Exam Notes(tm)

MCSE: Windows 2000 Server Study Guide Exam 70-215

MCSE: Windows Server 2003 Network Security Administration Study Guide

MCSE: Windows 2000 Migration Study Guide (Exam 70-222)

MCSA-MCSE Windows Server 2003 network security administration: study guide

MCSE: Windows 2000 Server Study Guide (2nd edition)

MCSE: SQL Server 2000 Design Study Guide (Exam 70-229)

MCSE: Windows 2000 Network Infrastructure Design Study Guide (with CD-ROM)