Windows DNS Servers

The Domain Name System is the Internet-standard name service used by Windows 2000 to help clients resolve host names to IP addresses and find services on the network. Before getting into the details of what is new in Windows 2000 DNS, I think we should first review how DNS itself works.

DNS is a distributed system of name servers. In this system, groups of name servers are responsible for records relating to hosts in domains and/or subdomains. These groups are called zones. Zones are authoritative for, or responsible for, the records relating to a given domain or group of domains. For example, Microsoft might have a few servers responsible for the microsoft.com domain, and all associated subdomains might be part of the same zone. The DNS servers that carry the host records relating to microsoft.com are said to have authority for that domain. As such, if these servers could not provide an answer for the IP address associated with bluescreen.microsoft.com, that host is assumed not to exist.

Name servers hold what are referred to as resource records. A resource record maps a hostname to an IP address, or a particular service to a hostname. For example, a DNS server might contain a host record (called an A record) for a server called server2 that resolves to IP address 147.2.3.45. If a client or another DNS server were to ask for the associated IP address, it would be found and returned. By the same token, a mail server might query DNS looking for the mail server associated with the win2000trainer.com domain. In this case, it is querying DNS for the mail exchanger record (an MX record), which would provide the fully qualified name of the mail server, which could then be resolved to an IP address and contacted.
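The following is an added example, not code from the original notes: a toy authoritative zone that answers A and MX queries, distinguishes a name that exists without the requested record type from one that does not exist at all, and walks the MX-then-A chain a sending mail server performs. The zone contents are constructed sample data (only server2's address comes from the notes).

```python
"""Toy authoritative DNS zone for the resource-record discussion above."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Zone:
    origin: str
    # (owner name, record type) -> list of record data strings
    records: Dict[Tuple[str, str], List[str]] = field(default_factory=dict)


# Constructed zone for win2000trainer.com; 147.2.3.45 is the server2 address
# quoted in the notes, the remaining records are invented for the example.
ZONE = Zone(
    origin="win2000trainer.com",
    records={
        ("server2.win2000trainer.com", "A"): ["147.2.3.45"],
        ("mail.win2000trainer.com", "A"): ["147.2.3.25"],
        ("win2000trainer.com", "MX"): ["10 mail.win2000trainer.com"],
    },
)


def is_authoritative(zone: Zone, name: str) -> bool:
    """True if the name lies inside the zone this server is responsible for."""
    return name == zone.origin or name.endswith("." + zone.origin)


def lookup(zone: Zone, name: str, rtype: str) -> Tuple[str, List[str]]:
    """Answer a query from zone data.

    Returns (status, answers) where status is one of:
      NOERROR           - matching records found
      NODATA            - the name exists but has no records of that type
      NXDOMAIN          - the zone is authoritative and the name does not exist
      NOT_AUTHORITATIVE - this server cannot answer for that name
    """
    name = name.lower().rstrip(".")
    if not is_authoritative(zone, name):
        return "NOT_AUTHORITATIVE", []
    key = (name, rtype.upper())
    if key in zone.records:
        return "NOERROR", list(zone.records[key])
    if any(owner == name for owner, _ in zone.records):
        return "NODATA", []
    return "NXDOMAIN", []


def find_mail_server(zone: Zone, domain: str) -> Optional[Tuple[str, str]]:
    """What a sending mail server does: query MX, take the lowest preference
    value, then resolve that host's A record. Returns (host, ip) or None."""
    status, mx_records = lookup(zone, domain, "MX")
    if status != "NOERROR":
        return None
    _, host = min((int(pref), mx) for pref, mx in (r.split() for r in mx_records))
    status, addrs = lookup(zone, host, "A")
    if status != "NOERROR":
        return None
    return host, addrs[0]
```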

Windows DHCP Servers

The Dynamic Host Configuration Protocol is a core networking service offered in Windows 2000 Server used to dynamically allocate IP addresses and associated information to TCP/IP-based clients. Although the function provided by DHCP is similar to what was provided in NT 4, a number of minor changes have taken place that you should be aware of. Again, note that this section is meant as an introduction to DHCP, and is provided as a basis for the Server portion of the exam. A much more detailed explanation of the configuration of DHCP will be covered during the networking services exam portion of the series.

The DHCP Server service is installed automatically by Windows 2000 Server, but is not configured (and may even be disabled) without further input. It can be removed or added if necessary, using the Add/Remove Windows Components option in Add/Remove Programs in Control Panel (it falls under Networking Services). Once installed, the DHCP server is configured using the DHCP MMC snap-in, which can be found under Administrative Tools. If the server running Windows 2000 is part of a workgroup or non-Windows 2000 domain, the DHCP service will be started, but you will need to manually configure scopes of addresses for the DHCP service to hand out (more on this in a bit). If DHCP is installed on a system that is part of a Windows 2000 domain, the DHCP service cannot be started until the DHCP server is authorized in Active Directory.

The authorization of a DHCP server in Active Directory can only be done by a member of the Enterprise Admins group. This is meant to be used as a control mechanism in order to alleviate the problems caused by people (such as other administrators) installing ‘rogue’ DHCP servers which end up having an impact on the configuration of a TCP/IP-based network (since a client receives an IP address from the first server that responds to its request). In a Windows 2000 Active Directory domain, only authorized Windows 2000 DHCP servers can hand out IP addresses. Note that this only works in conjunction with Windows 2000. A Windows NT 4 DHCP server can (and will) still hand out addresses, and will not be impacted by authorization. However, if another administrator tried to install a Windows 2000 DHCP server and start the service without it being authorized, the server would query AD, and then not start the service since it would find it is not authorized on the network. Note that an unauthorized DHCP server appears in the DHCP tool with a downwards-pointing red arrow (which can also mean that the service is not started, or a scope is not configured).
In order to authorize a DHCP server, right-click on the server and choose Authorize. To manage authorized DHCP servers (including adding or removing authorized servers), right-click the DHCP icon, and choose Manage Authorized Servers.

Gateway Services for NetWare and Client Services for NetWare

Often referred to by its acronym CSNW, Client Services for NetWare is a client redirector, which allows a Windows 2000-based system to connect and authenticate to a NetWare-based server and access the file system. CSNW should be installed when clients need to regularly access NetWare file or print servers. Often, CSNW is not installed in favor of the native Novell client for NetWare, which ships with the NetWare product. Installing CSNW is accomplished by choosing to install a Client in the properties of a connection object.

It is worth noting that the installation of CSNW on a Windows 2000 Server is actually done as part of the installation of Gateway Services for NetWare, or GSNW. GSNW will also automatically install NWLink if it hasn’t already been installed on the system. On a Windows 2000 Professional system, an option exists for installing CSNW alone.

Once installed, configuration of the client and gateway elements is actually handled via the GSNW applet in Control Panel. The configuration includes the selection of either a preferred server (in a bindery-based NetWare environment) or of a default tree and context (in an NDS-based environment).

Gateway Services for NetWare is meant to be used in environments in which clients require less frequent access to NetWare-based servers. GSNW makes a Windows 2000 Server act as a gateway (or access point) to resources located on a NetWare server. Using GSNW allows you to eliminate the need for each client system to have CSNW or NWLink installed. Instead, clients access a shared folder on the Windows 2000 system running GSNW, which in turn allows them access to files and folders on the associated NetWare server. In order to configure Windows 2000 as a gateway, a gateway account must be configured using GSNW in Control Panel.

The account used must exist on the NetWare server, and must be a member of a group created on the NetWare server called NTGATEWAY. You must also ensure that the NTGATEWAY group has appropriate trustee rights to access resources on the NetWare server. Once the account has been set up, one or more shares must be created that access the NetWare server.

In this example, when users access the share called ‘netware’ on the Windows 2000 server, they will actually be accessing the folder ‘resources’ on NetWare server NW1.

NetWare Connectivity in Windows

Windows 2000 still supports some of the NetWare connectivity elements that you may be familiar with from Windows NT 4. The three main elements that you’ll need to be aware of are the configuration of NWLink, Client Services for NetWare (CSNW), and finally Gateway Services for NetWare (GSNW).

NWLink

NWLink is Microsoft’s version of Novell’s IPX/SPX transport protocol, the native transport protocol in releases of NetWare prior to version 5. Since IPX/SPX is still run in many enterprise networks, it is important to know how Windows 2000 communicates with systems running the IPX/SPX protocol. NWLink is configured in Windows 2000 by choosing to install the protocol in the properties of a connection object, such as a Local Area Connection.

Once the protocol is added, it can be configured by accessing its properties. Note that adding NWLink to a system only makes that computer capable of communicating with another IPX/SPX or NWLink-based system. It does not mean that this computer can access the file system of another IPX-based system. That level of access requires that an appropriate client redirector be installed, which will be discussed in a moment.

Once NWLink has been installed, it might be appropriate to check your network binding order, in order to ensure that it is optimized correctly for your network. For example, if TCP/IP is listed first in your binding order and NWLink second, a client will always try to communicate using TCP/IP first, followed by NWLink. If IPX/SPX is the primary protocol used on your network, this may not be appropriate, and may cause unnecessary network traffic. The binding order for a connection is set via the Advanced Settings option under the Advanced menu item in Network and Dial-up Connections. The binding order is controlled according to the adapter and then the client or service, and can be changed via the up or down arrows to the right.

Upgrading to Windows 2000

You should be familiar with the process of upgrading a domain from Windows NT 4 to Windows 2000 for the Server portion of the exam. Creating your new Active Directory domain involves upgrading your existing domain controllers to Windows 2000. Note that member servers and workstations can be upgraded at any time, whether before or after the domain upgrade takes place.

When upgrading a domain, the first machine to be upgraded should be the current PDC. Upgrading the domain will allow all user, group, and computer information that currently exists to be migrated to Active Directory. Before you upgrade the PDC however, Microsoft recommends that you do a full domain synchronization, and then take one BDC offline. If the upgrade were to fail, you could then place the BDC back on the network, promote it to the PDC, and be back to where you originally started.

After you upgrade the PDC and get Windows 2000 installed, dcpromo will run automatically to turn the system into a domain controller. Your domain will now be in something referred to as Mixed mode, a state in which NT 4 BDCs can continue to exist, using the upgraded PDC (which now holds the PDC emulator role) as their domain synchronization source. Once all domain controllers have been upgraded to Windows 2000, you can switch the domain to Native mode. The differences between Mixed and Native mode are discussed below:

Mixed Mode: A mode that allows NT 4 BDCs to continue to exist, and allows you to revert to an NT 4 domain if necessary. Even in a non-upgrade scenario, Windows 2000 automatically creates new domains in Mixed mode, requiring you to explicitly switch the domain to Native mode.

Native Mode: In Native mode, all domain controllers run Windows 2000. The switch to native mode provides the ability to create Universal groups, nest groups, and control remote access via RAS policy amongst other things.

Note that changing from Mixed mode to Native mode is a one-way process and cannot be reversed. Some possible problems / issues with respect to upgrading domains that you should be aware of:

  • All domain controllers running Windows 2000 require at least one NTFS partition to house the SYSVOL folder. This is the folder structure that needs to be replicated amongst domain controllers.
  • A system being upgraded must be configured to use a DNS server that supports SRV (service) records.
  • If no DNS server is available, Windows 2000 will create one for you, making the system an Active Directory Integrated DNS server (more on this later in the series).
  • If the dcpromo process fails or returns an error, ensure that domain names provided are entered correctly, that proper network connectivity exists, and that there is enough disk space (dcpromo requires approximately 250 MB of space total).

Active Directory Physical Structure

The physical structure of Active Directory relates to two main types of objects – sites and domain controllers.

Sites

Unlike NT 4, Windows 2000 Active Directory provides for the concept of physical locations within its design. In Active Directory, a site is a collection of TCP/IP subnets connected at high speed. Though ‘high-speed’ is relative, usually it refers to a collection of subnets connected at LAN-type speeds. You define sites in Active Directory to control replication, authentication, and the location of services. Once sites have been defined, a client computer will attempt to authenticate to a domain controller that is part of the same site, instead of sending the request over the WAN.

Sites also allow you to control when replication can occur between domain controllers. For example, in NT 4, all BDCs replicated with their PDC using a 5-minute interval change notification process. Since there wasn’t any easy way to control replication between physical locations (it was possible by batch scripting to the registry), replication traffic often saturated links and degraded performance. Once you have defined sites in Active Directory, you can also specify the times and days at which replication between sites can occur, how often during these times, and the preferred path that replication should follow. You should note, however, that only one site exists by default, and until you define more sites, replication will continue to occur on the same old 5-minute change notification interval. It is also important to note that sites are another element that allows large companies to have only a single domain. Since there is no correlation between the logical and physical structures of Active Directory, you could have one domain and hundreds of sites. The ability to control replication traffic is a big part of what makes this more manageable than in the past.

Active Directory Logical Structure

The logical structure of Active Directory will vary based on the needs of an organization. Logical elements include forests, trees, domains, and organizational units.

Domain

A domain in Windows 2000 is very similar to what a domain was in NT 4. For all intents and purposes, a domain is still a logical group of users and computers (objects) that forms an administrative and replication boundary. That means two things. First of all, a domain is an administrative unit. As such, an administrator from one domain is only the administrator of that domain, and not necessarily any others. Secondly, all domain controllers in the same domain must replicate with one another. We refer to this as a replication boundary. In Windows 2000, domains are named according to DNS naming conventions, instead of conventions based on NetBIOS. An example of an Active Directory domain name would be 2000trainers.com. In Windows NT, domains had a restriction on how large they could grow, based on the size of the domain SAM database (40MB or thereabouts). As such it was often necessary to create multiple domains if a company had tens of thousands of users and computers. By comparison, multiple domains wouldn’t actually be required in such a scenario under Windows 2000, since Active Directory can contain literally millions of objects. In the same manner that a user account existed within a domain in Windows NT, the same is true in Windows 2000. A given user should be given only one account, and that account exists within only one domain, even if multiple domains exist. Active Directory does allow you to have multiple domains, forming structures referred to as trees and forests, to be discussed next.

Active Directory Object Naming

Active Directory uses the Lightweight Directory Access Protocol (LDAP) as its primary access protocol. LDAP runs over TCP/IP, and defines a way to reference and access objects between an Active Directory client and server. Under LDAP, every object has a distinct Distinguished Name, and this name distinguishes the object from every other object in Active Directory, while also telling us where the object exists. The two main components of a distinguished name are a CN (common name) and a DC (domain component). The common name identifies an object or the container in which it exists, while the domain component references the domains within which the object exists. For example, a distinguished name could be as follows:

CN=Dan DiNicolo, CN=Users, DC=2000trainers, DC=com

In the above example I have a user called Dan DiNicolo, who exists within a container called Users, in the domain 2000trainers, which is a subdomain of com. The distinguished name of an object must be unique within a given Active Directory forest (more on forests in a bit).

While a distinguished name tells us about the complete context of an object, a relative distinguished name uniquely identifies an object within its parent container. For example, if I were searching within the Users container, the relative distinguished name of the object I identified above would be Dan DiNicolo.
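An added example, not code from the original notes: a small parser that splits a distinguished name into its components and derives the relative distinguished name, the parent container and the domain's DNS name. It accepts the loose spacing of the sample DN above (such as `DC = 2000trainers`) and honours backslash escapes, so a comma inside a common name is not mistaken for a component separator; multi-valued RDNs joined with `+` are not handled.

```python
"""Parse Active Directory distinguished names (added example, not from the
original notes). Handles spaces around '=' and ',' and RFC 2253 backslash
escapes such as "Smith\\, John". Multi-valued RDNs ('+') are not handled.
"""
from typing import List, Tuple

Component = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "Users")


def parse_dn(dn: str) -> List[Component]:
    """Split a DN into ordered components, leftmost (most specific) first."""
    parts: List[Component] = []
    buf: List[str] = []
    attr = ""
    in_value = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if ch == "=" and not in_value:
            attr = "".join(buf).strip().upper()
            buf, in_value = [], True
        elif ch == "," and in_value:
            parts.append((attr, "".join(buf).strip()))
            buf, in_value = [], False
        else:
            buf.append(ch)
        i += 1
    if not in_value or not attr:
        raise ValueError(f"malformed DN: {dn!r}")
    parts.append((attr, "".join(buf).strip()))
    return parts


def format_dn(parts: List[Component]) -> str:
    """Serialise components back to a DN, re-escaping backslashes and commas."""
    def esc(value: str) -> str:
        return value.replace("\\", "\\\\").replace(",", "\\,")
    return ",".join(f"{attr}={esc(value)}" for attr, value in parts)


def relative_dn(dn: str) -> str:
    """The RDN: the object's name within its parent container."""
    return format_dn(parse_dn(dn)[:1])


def parent_dn(dn: str) -> str:
    """DN of the container holding the object (empty string for a root object)."""
    return format_dn(parse_dn(dn)[1:])


def domain_dns_name(dn: str) -> str:
    """Join the DC components into the domain's DNS name."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


if __name__ == "__main__":
    sample = "CN=Dan DiNicolo, CN=Users, DC = 2000trainers, DC=com"  # from the notes
    print(relative_dn(sample), "|", parent_dn(sample), "|", domain_dns_name(sample))
```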

Introduction to Active Directory

Certainly the biggest single change between Windows NT 4 and Windows 2000 is the inclusion in Windows 2000 of an important new service – Active Directory. Active Directory is the native directory service in Windows 2000. Unlike Windows NT 4, when domains were pretty much stand-alone islands that we connected with trust relationships as necessary, Active Directory is a full-featured directory service. But what is a directory service? Well, a directory service is actually a combination of two things – a directory, and services that make the directory useful. Simply, a directory is a store of information, similar to other directories, such as a telephone book. A directory can store a variety of useful information relating to users, groups, computers, printers, shared folders, and so forth – we call these objects. A directory also stores information about objects, or properties of objects – we call these attributes. For example, attributes stored in a directory for a particular user object would be the user’s manager, phone numbers, address information, logon name, password, the groups they are a part of, and more.

To make a directory useful, we have services interact with the directory. For example, we can use the directory as a store of information against which users are authenticated, or as the place we query to find information about an object. For example, I could query a directory to show me all the color printers in the Frankfurt office, the phone number of Bob in the Delhi office, or a list of all the user accounts whose first name starts with the letter ‘G’. In Windows 2000, Active Directory is responsible for creating and organizing not only these smaller objects, but also larger objects – like domains, organizational units, and sites. In order to fully comprehend what Active Directory is all about, we need to take an initial look at a number of concepts. A deeper discussion on Active Directory will be covered once we get to the AD Implementation and Administration portion of the series.

Introduction to Windows 2000 Server

Windows 2000 Server and Professional are fundamentally quite similar, both in terms of interface and architecture. As such, they often get lumped together when discussed, and for the purpose of the exams, this is very much the case. However, there are a number of fundamental differences between the two. The two main differences between Server and Pro are in terms of optimization as well as services offered. Professional is optimized as a desktop operating system where one runs user applications, while Server is optimized to service a variety of requests from client systems. In terms of services offered, Server provides many more than Professional, providing the ability to run WINS, DNS, Active Directory, and so forth. Since we’ve already covered the Professional materials, let’s begin taking a look at what the Server product itself is all about.

First off, we can’t just talk about the Server product, because there are actually three: Windows 2000 Server, Advanced Server, and Datacenter Server. There seems to be some debate over the differences between these three, when in fact the only differences are in terms of scalability and availability.

Be aware that the minimum supported CPU for Server is a Pentium 133, and the recommended minimum for RAM is 256 MB, although 128 MB is the minimum supported. The scalability elements outlined in the table above are obvious – Advanced and Datacenter Server can utilize more RAM and CPUs than the basic Server version. However, both of these versions also support two types of clustering, which are availability technologies. When servers are clustered, more than one server (called a node) is connected to a common storage device, and the nodes work together as a single system to ensure availability of mission-critical applications. Should one of the nodes in a cluster fail, the services are still available, since the other nodes continue to handle requests. In a Network Load Balancing (NLB) cluster, client requests are distributed amongst a number of systems that provide access to a single application. For example, you could have up to 32 servers configured with identical copies of your website, and NLB will distribute requests across the NLB cluster, increasing performance, availability and reliability. Just a note, but any suggestion that Windows 2000 Server cannot act as a domain controller is absolutely false.