BUILDING A SAFE, SECURE & FRIENDLY DOMAIN USING WINDOWS 2003 AD Part 1
BY:  Ian Trump

20 March 2009

SUMMARY

Windows 2003 is found working in small home-based businesses and corporate data centres around the world. It is an incredibly versatile and flexible operating system which, when combined with free Microsoft and third-party tools, can provide an excellent and safe computing platform. That robust flexibility and versatility can sometimes be difficult to fully understand, and the volume of information can be overwhelming, especially to those IT folks working on and supporting multiple small and medium-sized businesses.

THE PLACE TO START

To start with, I believe in creating and building networks on a solid foundation. I don’t believe in “one product is better than another”; I have direct experience on a lot of different hardware and I can help you choose what you need based on some simple rules of thumb.

My experience begins with cable remediation; before one goes out and purchases a whole pile of new servers and IT gear you have to take a solid look at the cable in the walls. Many problems with networks originate from the less than excellent state of the physical infrastructure. The cables that run your network are like the arteries and veins that run through your body! They absolutely need to be at a standard. CAT5, CAT5e and CAT6 are standards which are designed to ensure that data transmitted at one end is received at the other, unmangled. Mangled data is bad for servers, workstations and users. Many of the hardest to diagnose intermittent problems originate at the physical network layer. The best money you can spend is to bring the cabling in your network up to a standard that works for you. If you have a very busy or heavily used network you may need to upgrade to CAT5e or CAT6 to support high data rates, VoIP and/or video conferencing.

Spending the money to monitor a network with lousy cabling is akin to fixing a boat by continually pumping out the water: eventually the pump will burn out and the boat will sink. This is not far from the truth when it comes to responding to support requests or monitor alerts generated by cable nightmares; your support resources will burn out quickly.

Now that we know that the cabling is solid we can begin to build or construct a network which is worthy of monitoring.

A WORD ABOUT WIRELESS

Wireless is great and I hate it. If your business involves activities other than surfing the net and connecting to terminal services, do yourself and your employees a favour and spend some money on decent copper. A couple of people, say 5 or 6, using a wireless access point for day to day business activities will work and provide OK performance. If your business involves anything CAD, InDesign or the creation of any large print jobs, an “inexpensive SOHO wireless access point” will kill you. I like the idea of wireless, and for a limited number of people like a few executives doing email it is a great solution, but as soon as someone sends a 135 MB PDF to the network printer over wireless or streams video the other users will proclaim “THE NETWORK IS SLOW”; if the person screws up (“I wanted duplex...silly me”) and sends the job AGAIN the users will proclaim “THE NETWORK IS REALLY SLOW”. Low bandwidth consumers like our executives who are doing email are a great customer for wireless; the CAD lab is not. Your network at some point is going to contain wireless, or already does; the convenience sometimes outweighs the security and infrastructure costs, but here are some ideas I have around wireless deployment.

· Consider locating the access point in the DMZ, providing firewalled internet access and forcing users to VPN into the actual network if they want corporate resources. This protects the connection from being intercepted by a promiscuous receiver in close proximity; the VPN connection effectively encrypts the traffic to a greater extent than WEP or WPA.

· Use MAC address authentication, WEP or WPA, and turn off the broadcast of the network name.

· Plug the wireless access device into a managed switch and turn down the bandwidth on the port it is plugged into.

MORE POWER

Before we discuss hooking up the cables into a switch to start passing packets around we need to consider protecting our investment. Power supply from a Hydro provider can vary in quality and reliability. Under the right circumstances any piece of IT gear, plugged into any outlet, is susceptible to “fry and die” from over or even under voltage problems. Most IT folks protect the server with a decent UPS. UPSs vary in size and sophistication, but the inexpensive $150.00 to $200.00 models can be a real life saver when you purchase one for your switches and routers as well. These workhorses need protection from Hydro problems just as much as a server. A single switch or router can run for hours on a 500 watt UPS. I always try and find a UPS which will provide 15 to 20 minutes of run time in the event of failure. The last word on UPSs is this: test them. Batteries decay over time and lose the ability to hold and provide a charge; you need to test before the emergency to ensure that they will provide run time. Many companies provide an enterprise software solution to automate the test function to ensure there will be no surprises when the lights go out.

SWITCH ON/SWITCH OFF

No other piece of IT gear is as neglected and forgotten as the network switch; that is, until it fails to show up for work some day and no one can get anything done, and then everyone remembers it. I say neglected and forgotten as the network switch is stuffed in closets, jammed in desks, hangs perilously from power or network cables or is in fact placed in the unheated sub-basement or attic. It is time for the network switch to come out of the closet (as it were). Your network switch needs to be mounted securely and have adequate ventilation. When you are copying GBs of a user’s personal MP3 files over the network you don’t want the switch to lock up. I like to mount my network switches right under the patch bay where all the network cables terminate. I like to be able to see the activity lights blinking (I take comfort in the blinking; it means the network is networking) so I can visually see if something is red.

TO MANAGE or NOT TO MANAGE

Smart or managed switches used to be extremely expensive (they still can be) and were used in large corporations almost exclusively. Today many companies offer a solid switch with all the management features for around $300.00. For me this was huge! Managed switches allow for excellent port level security, monitoring for performance and management features including SNMP. This allows excellent network troubleshooting capabilities as well as VLANs for corporate workstations or guest users. Most of them have a built-in web-based management interface and are very easy to set up. Many models can warn if they are close to overheating or getting close to being maxed out on bandwidth. Supporting IT in a managed switch environment where you can turn off an individual port becomes critical for isolating a problem.

SWITCH X CABLE = NETWORK

This equation is really true! Switch without cable or cable without switch is not going to make a network. Properly sizing your switch for the network is really important; the rule of thumb I use here is that work is work and home is home. I mean that home products are meant for home use! Don’t expect a home switch to have the same tolerance and reliability as a switch that rhymes with Nabisco. Can you use home gear at work and vice versa? Of course, but my point here is that work gear costs a little more but is a little bit more reliable. I use intelligent switches almost exclusively as they have the special features which I find invaluable for troubleshooting; they also have the added bonus of being a little bit more industrial than gear made for the SOHO market. The rule of thumb here is: when it comes to network switching, you (more or less) get what you pay for. Spend a little bit more for managed features and a UPS for your switch. Treat it right and it will keep showing up for work day after day.

YOUR FIRST SERVER

You need two. I’m not kidding. Windows 2003 AD is complex and one server, despite MS’s best efforts with SBS, cannot do everything you need to do on a network without seriously impacting the performance and reliability of your network. Additionally, once you start thinking about ISA, IIS, SQL, MS Exchange, SharePoint, DNS, DHCP, Virtual Server, Backup, Remote Access, File & Print services, you will soon realize that having all eggs in one basket is in the “Danger Zone”. If you lose one server with all these services, that is the ball game; everyone and everything is down. Restore, Re-installation and Re-configuration (my three R’s) could take days! Two servers and a separation of duties is the way to sleep soundly at night. The two servers do not necessarily need to be top of the line, or of the same calibre. I’m going to suggest that whatever you call a “server” is going to subscribe to some basic principles, such as:

· A server based operating system, such as Windows 2003

· RAID 1 (hardware preferred) hard drives, 40Gb storage (minimum)

· 1 to 2 GB of RAM (minimum)

· 100 MB (1GB preferred*) NIC

· Protected by a UPS

* Obviously if you don’t have a 1GB network, you don’t need a 1GB NIC

Unlike AIX, Windows 2003 Server Standard Edition will install on almost any AMD or Intel platform available. This flexibility is great but also a bit of a curse. My rule of thumb here is that you’re only as good as your hardware. If your definition of server tends towards the thrifty, re-used white box then you would do very well to run extensive hardware diagnostics on the box you are contemplating elevating to the level of server. Any hiccup in diagnostics could result in catastrophic consequences in Active Directory, so it is not worth the risk. Go solid or go home. Just like the discussion on network cabling, the server hardware is the foundation for successfully building and keeping a server up and running.

New servers have the advantage of shipping with a scripted install disk which, after choosing a few options and entering some data, performs an install of the selected OS. This can be a huge time saver as the install frequently includes all the hardware drivers you need for any of the specialised NICs or RAID controllers that your server may or may not include. Beware of installing unneeded services at this point, as we will cover the installation of the services and sub-services that we need later on.

There is no right or wrong way to set up your servers on a network; it becomes apparent that your user activity and day to day operations will dictate how you see the division of labour unfolding across the two servers. I’ve selected what I think is a decent load for both. Each one of these “servers” has 2GB of RAM and a pair of SATA II 80GB hard drives in a mirrored RAID setup, and both are connected to a 1GB switch. For Internet connectivity a router/firewall provides a default gateway for both servers (and all workstations once we get DHCP and DNS up and running). Servers like the above could be purchased for around $700.00 each including the Windows 2K3 software license. These two servers would provide a good solid computing environment for 10 to 25 users.

Server 1                        Server 2
--------                        --------
DNS                             IIS
DHCP                            SQL
File & Print Services           Windows Update Services
MS Exchange                     Backup File & Print Services
DOMAIN CONTROLLER               Backup Application and Hardware
Remote Access                   MS Virtual Server

There are some great advantages to this setup and I will try and explain my rationale. Windows Active Directory is completely dependent on DNS and, for members of the domain, RPC. The most common AD problem I have found is related in some way, shape or form to DNS; the 2nd most common problem I have found is related to connectivity. Hopefully the connectivity issue is resolved by your cable remediation and upgrade program so you have awesome copper or a decent wireless connection to your clients and servers. So that leaves us DNS to worry about.

A LITTLE BIT MORE ABOUT HARDWARE

I’m going to suggest that you, gentle reader, are comfortable with the installation of a basic Windows 2003 install on a server; I am also going to suggest that you are comfortable with using Microsoft Update to patch and update your newly installed OS. I recommend that you deselect everything when installing Windows 2003; I don’t like extra services running on boxes and I install the services when and if I need them, at the time I need them. The other thing I really like to do is to create a C:\ drive partition of about 25 to 30 MB and a D:\ or E:\ drive for data of about 50GB. I don’t like drive shares living on the C:\ drive (other than SYSVOL) as it complicates NTFS and share permissions later on. Having four separate drives is really awesome; 2*80GB for the OS and 2*80GB for the data, with both pairs hardware mirrored, is optimal.

We are going to concentrate on the installation of Server-1; this server will be the primary business server and provide the absolute basics for day to day business activities. Server-2 is where the secondary (but still vital) business activity will take place. Ideally these two servers should be identical so that you can turn off and loot Server-2 for parts in the event of a hardware failure on Server-1. This keeps critical business activities (File & Print, Email and Access/Authentication) up and running while you open up a frantic warranty call on your broken server ASAP. One more thing to consider is some on-site spares, specifically SATA hard drives. Hard drives die; it’s a fact of life. Having hardware to “hot swap” or “cold swap” is a life saver, and in most cases the RAID array can rebuild without the users even realising that a drive went Boom.

AND NOW BACK TO DNS

The first thing to install on SERVER 1 is DNS. Don’t configure it at this point; just install it by using Add Windows Components under Control Panel, Add/Remove Programs, Windows Components. DCPROMO, the Windows Active Directory promotion wizard, will install and configure it for you inside your network; you don’t want to try and do a manual install. The Windows 2003 DCPROMO wizard does an awesome job of configuring it for you so that it works, and as I pointed out earlier DNS is the key for a solid AD. A key point to understand is that a server’s IP address, especially for DNS servers, needs to be static; in large AD implementations changing a DNS server IP address can lead to catastrophic consequences unless you really know what you are doing. Please take a moment to study the diagram below; there will be a quiz later on:

INTERNET -> FIREWALL/ROUTER -> DMZ PORT -> WIRELESS ACCESS POINT
                            -> INTERNAL NETWORK -> MAN. SWITCH -> SERVERS -> CLIENTS

Looking at the diagram from clients to the Internet we can see a clear path. When it comes to network traffic, internal DNS and AD configuration I believe that clients should receive direction from servers and servers should receive direction from routers. Networking is based upon default gateways and DNS to find locations both external and internal. I am a strong advocate that the client default gateway should be the server and not the firewall/router, and that the server’s default gateway should be the firewall/router’s IP. I will explain why. The most common destination address on a network with business clients should be the file, print and AD server; if it is not, then you may have a human resources issue and not a networking one, with too many people surfing the net and not enough people working on their work. So if the clients’ default gateway is the same as the server’s (the firewall/router), the firewall/router and DNS lookups will spend a great deal of time routing traffic from client to server. By configuring internal DNS and setting up a DNS forwarder to the router’s IP you can change the clients’ default gateway to the server and set the primary DNS of the clients to the server. This should reduce internal traffic pounding on the router/firewall’s internal interface.

When you configure DHCP on your server, set it to send out the IP address of the DHCP server as the default gateway for your clients and the primary DNS. You can set the secondary DNS server to the internal IP address of the router/firewall if you like. You will thank me later for this.

TIME FOR A PROMO

You launch DCPROMO from a command prompt by typing in DCPROMO. The wizard will then start up. There are two rules of thumb here. The first is to have a clue about what the internal domain will be called, both as a FQDN and in NetBIOS. I don’t use the same domain as the external domain name, as having the same domain name both externally and internally can lead to DNS cache poisoning attacks and potential infiltration by rogue clients. I usually add an i or l (for internal or local). So if my external DNS name for the corporate website and MX record is redcrock.com I use redcrocki.com or redcrockl.com for the internal FQDN, and for NetBIOS I use -INT or -LOC for the domain, like REDCROCK-INT or REDCROCK-LOC. This keeps things simple and safe. A couple of other points to ponder: the AD restore password does not have to be complicated; the word password is fine and I recommend it, as if you are in the midst of an AD restore crisis the last thing you want is the stress of having to type ^%GghI75% every time. Besides, if AD restore is the day’s activity the least of your worries is password security! Anytime the DCPROMO AD wizard recommends or provides the option to “automatically configure”, take that option!

There is one critical task to perform after the reboot of a successful AD install, before you do anything further.

TIME GENTLEMAN, PLEASE!

I am annoyed by error messages in the event log, and even after a fresh and completely error free install of Windows 2003 and a flawless AD install there are errors in the event log. A frequently overlooked and potentially critical AD and RAS problem can be time, or more specifically a difference in the time between server and clients. I recommend that you make sure that your router uses the same time source as your server and make the following changes on the Domain Controller:

You want to ensure that the clock on your Domain Controller is more accurate in terms of absolute (and not just relative) time; you can sync the Domain Controller in your domain to one of the reliable time servers available on the Internet. The procedure for doing this on a Domain Controller running Windows Server 2003 is as follows. Open Registry Editor (regedit.exe) and configure the following registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type

This registry entry determines which peers W32Time will accept synchronization from. Change this REG_SZ value from NT5DS to NTP so the server synchronizes from the list of reliable time servers specified in the NtpServer registry entry described below.

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

This registry entry controls whether the local computer is marked as a reliable time server (which is only possible if the previous registry entry is set to NTP as described above). Change this REG_DWORD value from 10 to 5 here.

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer

This registry entry specifies a space-delimited list of stratum 1 time servers from which the local computer can obtain reliable time stamps. The list may consist of one or more DNS names or IP addresses (if DNS names are used then you must append ,0x1 to the end of each DNS name). For example, to synchronize the PDC Emulator in your forest root domain with tock.usno.navy.mil, an open-access SNTP time server run by the United States Naval Observatory, change the value of the NtpServer registry entry from time.windows.com,0x1 to tock.usno.navy.mil,0x1 here. Alternatively, you can specify the IP address of this time server, which is 192.5.41.209 instead.

Now stop and restart the Windows Time service using the following commands:

net stop w32time
net start w32time

It may take an hour or so for the PDC Emulator to fully synchronize with the external time server because of the nature of the polling method W32Time uses. Depending on the latency of your Internet connection, the accuracy of the CMOS clock on your forest root PDC Emulator may be within a second or two of UTC.
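The registry changes above are easy to get subtly wrong (a DNS name without the ,0x1 suffix, or AnnounceFlags left at 10), so here is an added audit script, not part of the original article, that reads the three values and reports anything that differs from the configuration described above. The live registry read only works on Windows; on any other platform it falls back to a constructed sample representing a freshly promoted DC.

```python
"""Audit the W32Time registry values the article changes on the PDC Emulator.

Added example, not part of the original article. evaluate() compares a
settings dict with the article's target values (Type=NTP, AnnounceFlags=5,
an NtpServer list whose DNS names carry the ,0x1 suffix) and returns a list
of findings. read_w32time_registry() reads the live values and only works on
Windows; everywhere else a constructed sample is used.
"""
import ipaddress
import sys

W32TIME_KEY = r"SYSTEM\CurrentControlSet\Services\W32Time"

# Target values exactly as the article gives them.
EXPECTED_TYPE = "NTP"
EXPECTED_ANNOUNCE_FLAGS = 5
INSTALL_DEFAULT_PEER = "time.windows.com"


def check_ntp_server_list(value):
    """Validate a space-delimited NtpServer value; return a list of problems.

    The article's rule: a DNS name must be followed by ,0x1; a bare IP
    address (for example 192.5.41.209) is accepted as-is.
    """
    problems = []
    peers = value.split()
    if not peers:
        return ["NtpServer is empty"]
    for peer in peers:
        host, _, flags = peer.partition(",")
        try:
            ipaddress.ip_address(host)
            is_ip = True
        except ValueError:
            is_ip = False
        if not is_ip and flags != "0x1":
            problems.append(f"{peer}: DNS name without the ,0x1 suffix")
    return problems


def evaluate(settings):
    """Compare {'Type', 'AnnounceFlags', 'NtpServer'} with the target values.

    Returns human-readable findings; an empty list means the DC is configured
    the way the article describes.
    """
    findings = []
    type_value = settings.get("Type")
    if type_value != EXPECTED_TYPE:
        findings.append(f"Parameters\\Type is {type_value!r}, expected {EXPECTED_TYPE!r} "
                        "(NT5DS means the DC still syncs from the domain hierarchy)")
    flags = settings.get("AnnounceFlags")
    if flags != EXPECTED_ANNOUNCE_FLAGS:
        findings.append(f"Config\\AnnounceFlags is {flags!r}, expected {EXPECTED_ANNOUNCE_FLAGS}")
    ntp = settings.get("NtpServer", "")
    for problem in check_ntp_server_list(ntp):
        findings.append(f"Parameters\\NtpServer: {problem}")
    if INSTALL_DEFAULT_PEER in ntp:
        findings.append(f"Parameters\\NtpServer still points at the install default {INSTALL_DEFAULT_PEER}")
    return findings


def read_w32time_registry():
    """Read the three live values from HKLM (Windows only; needs winreg)."""
    import winreg
    hklm = winreg.HKEY_LOCAL_MACHINE
    with winreg.OpenKey(hklm, W32TIME_KEY + r"\Parameters") as params:
        type_value, _ = winreg.QueryValueEx(params, "Type")
        ntp_server, _ = winreg.QueryValueEx(params, "NtpServer")
    with winreg.OpenKey(hklm, W32TIME_KEY + r"\Config") as config:
        announce_flags, _ = winreg.QueryValueEx(config, "AnnounceFlags")
    return {"Type": type_value, "AnnounceFlags": announce_flags, "NtpServer": ntp_server}


if __name__ == "__main__":
    if sys.platform == "win32":
        settings = read_w32time_registry()
    else:
        # Constructed sample: a freshly promoted DC before the article's changes.
        settings = {"Type": "NT5DS", "AnnounceFlags": 10,
                    "NtpServer": "time.windows.com,0x1"}
    for line in evaluate(settings) or ["W32Time matches the article's configuration"]:
        print(line)
```

Run it on the DC after the net stop/net start above; an empty report means the three values match, and any finding names the exact key and value that still needs attention.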

Time becomes critical in a network for a number of reasons. Access and audit logs, SQL transactions, AD synchronization and even remote access clients all depend on a common and accurate time source, and the users have to know when to take a break, go on lunch, and go home after a hard day’s work. From the IT troubleshooting perspective, accurate time can really help in determining a chain of events when trying to figure out who erased the entire accounting file share.

THE FIRST AND LAST WORD ABOUT PRINTERS

In the early days of IT, printers and printer related problems comprised the majority of service calls and frustration for IT technicians and users alike. Times have not changed; a new frustration has emerged which the printer industry has failed (miserably) to address. Yes, gentle reader, I am talking about the devastating combination of PCL6 and the Windows spooler service, especially on terminal services. Combined with locally connected inexpensive USB printers the situation stinks for users and IT troubleshooters. Here are some musings on the problem and what I see as the potential solution.

Printers, as it turns out, are the biggest cash cow in the IT industry; they are easily the least reliable part of the IT network, and cost a fortune to keep fed with toner cartridges, maintenance kits and even cleaning! In the early days of IT, printers were relatively unsophisticated ribbon and impact devices, but with the introduction of the (hated) ink jet and then personal laser jet platforms the requirements for sophistication were pushed up. The unreliability, absurd cost and offloading of the rendering functions to the CPU of the computer spelled disaster for the 486 and early Pentium based computers. Ink jet cartridges would dry out during vacation, and the myriad types of ink jet cartridges ensured that the IT department had to have an inventory rivalling a Staples to support the different “model of the quarter” cranked out by the ink jet manufacturers. I know of one IT department which refuses to support ink jet printers and delights in a “Toss the DeskJet” contest when one is decommissioned; they tend to explode pretty spectacularly on impact with cement surfaces.

Enter the personal laser printer. After the introduction of the HP Series II to VI, and the beloved HP IIP, things started to go downhill; the early HP printers were built to withstand nuclear war and they were the relief from the hell that was the DeskJet era for both IT techs and users. Why did it go wrong? Two words, friends: “Spread Sheet”. It had nothing to do with the quality of the printer but the collective failure of IT to manage the expectations of the user community. To print a spreadsheet on an impact or ink jet printer required commitment and endurance (read: wait time) on the part of the user. Users expected a spreadsheet to roll out just like a text document; poor users. Due to the limited processor and the at the time extremely expensive memory chip capacity, the personal laser printer was not up to graphical tasks. It was great with text, but one 600DPI spreadsheet became the death sentence of many a personal laser printer. At this point in recent IT history is where the most scandalous poor decision in the history of IT companies happened. Someone, somewhere thought it was a good idea (read: cheap for printer manufacturers) to move most of the rendering and formatting functions to the desktop or server CPU! This was a BAD, very BAD idea and the people responsible should never admit that they were in the room when this decision was made. The decision had two extremely positive results: the cost of a personal laser printer dropped rapidly, so now everyone could have a printer! And, good for the IT industry, more IT staff were now required to fix and troubleshoot printers and printer related problems.

For the end user it was horrible; print jobs would lock up workstations, servers and even networks. Printing became the bane of an IT user’s existence and remains the cry that sends IT techs scurrying: “I Can’t Print”.

Today, things are much better, with one minor exception. The sophistication, power and memory of workstations and laptops are now easily up to the task of rendering graphics for laser printers, as are most file and print servers. Where it seems to fall apart was the introduction of terminal servers to host applications and print information out to printers. The problem is with the printer drivers and performance consistency. Drivers with memory leaks kill the spooler service on terminal servers and end up taking down many users as opposed to just one user. The size and formatting of the information in PCL6 causes the spooler service to take a vacation, and due to the architecture of locally attached USB printers the information is rendered on the terminal server and then again on the local workstation.

The solution is a simple one: printing directly to network printers and installing printers as local IP printers is the way to go. Network printers have the processing capability, memory capacity, speed and in some cases dedicated hard drive storage to be the “fire and forget” printing system of a network. In the terminal service environment it eliminates the need to render on the server and workstation; it fires the print job directly out to the printer, which is optimised to print. Terminal servers are not optimized as print servers, and rendering print jobs on terminal servers impacts the other connected users’ experience negatively. I believe it is easier to support and maintain a couple of network printers rather than supporting and maintaining a personal LaserJet on everyone’s desk. It might also prove more cost effective.

TRY THE PATCH

Eventually we will have WUS running on this network to provide some control and reporting on the status of updates for both servers and clients. Now would be an excellent time to patch and update the Windows 2003 OS. This can take a very long time as the patches and updates are large and the patch and update progress can be slow. I patch everything and immediately upgrade to Microsoft Update as opposed to Windows Update, as MS Update will patch other stuff (like MS Exchange; coincidence? I think not). I also recommend that you take the time to install both the Windows 2003 Resource Kit and the Windows Support Tools off the CD. These will help in the setup and configuration of other programs like MS Exchange (again, coincidence? I think not).

ARE YOU SENSITIVE MR. EXCHANGE?

The MS Exchange email server is the last major installation that we are going to put on our Domain Controller. Due to the complexity of MS software, best practice usually recommends that the email server sit on a box other than the Domain Controller, especially in the case of a hard working email server. My advice here is to think long and hard about how to keep critical business functions up and running. With mirrored hard drives, if you have a hardware failure on Server-1 you can pull a hard drive out and be up and running with Server-2 in minutes. If you have spread the services across our two boxes then you need to make a choice between file and print or e-mail. Ultimately, a third server dedicated to email is ALWAYS desirable, but for a “thrifty” oriented small business, 3 servers to support an office of 5 to 25 people might be bordering on the extravagant. You will further notice that the Server-2 box has IIS and SQL and something (free) called MS Virtual Server installed, along with Windows Update Services. Due to the “sensitive nature” of IIS and MS Exchange I believe it is important to have the IIS install on Server-1 dedicated to MS Exchange; I discuss this IIS/MS Exchange relationship in depth below.

The first install of MS Exchange 2003 is always the best install of MS Exchange; if things are not set up perfectly you could have a really rough go. MS Exchange requires IIS, .ASP and other Windows core services like NNTP and SMTP. Installing and configuring MS Exchange, even in a simple network, is a long process.


IIS can be very troublesome for the MS Exchange install if IIS was not installed correctly. The good news is that MS Exchange will walk you through all the steps that need to be taken in order to get it set up properly. Your newly installed and configured DNS and Active Directory need to be solid, rock solid, or MS Exchange may install but will not work as you expect it to if there is a problem.

The bad news is that the most common problem I have encountered is an issue with IIS and MS Exchange. Just to clear up any misconception: with MS Exchange 2003 you must have IIS working. To do external email (like from the Internet) to the Exchange services you need the SMTP extension to the IIS service, which is a part of IIS. This is where things may come off the rails for you. If you are dealing with a server where IIS was installed at one time and then removed, it is nearly impossible to get MS Exchange 2003 set up properly. The reason is that the IIS metabase is “extended” by the MS Exchange install to include X verbs to send email. You can tell a healthy Exchange server by going to a command prompt and typing telnet 127.0.0.1 25, then typing EHLO; after hitting Enter you will see a list of the command verbs. If you don’t have command verbs with “X” in front of them, you are dead in the water. Perhaps someone with many more years of education and editing the registry could figure out how to get this functionality back.
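The telnet/EHLO health check just described, as an added script that is not part of the original article: it parses the EHLO reply, lists the verbs beginning with “X”, and can run the same exchange live against a host and port you supply. The two sample replies are constructed (modelled on what Exchange 2003 and a plain IIS SMTP service advertise), and the server name uses the article’s example internal domain redcrocki.com.

```python
"""Check an Exchange 2003 SMTP virtual server for its X-prefixed ESMTP verbs.

Added example, not from the article. It automates the "telnet 127.0.0.1 25,
type EHLO" check: parse_ehlo() pulls the extension keywords out of a raw
EHLO reply, exchange_verbs() keeps those starting with X, and check_smtp()
runs the live exchange against a host/port you supply. Both sample replies
below are constructed; the host name uses the article's example domain.
"""
import socket

SAMPLE_EXCHANGE = (
    "250-server1.redcrocki.com Hello [127.0.0.1]\r\n"
    "250-TURN\r\n250-SIZE\r\n250-ETRN\r\n250-PIPELINING\r\n250-DSN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n250-8bitmime\r\n250-BINARYMIME\r\n"
    "250-CHUNKING\r\n250-VRFY\r\n"
    "250-X-EXPS GSSAPI NTLM LOGIN\r\n"
    "250-AUTH GSSAPI NTLM LOGIN\r\n"
    "250-X-LINK2STATE\r\n"
    "250-XEXCH50\r\n"
    "250 OK\r\n"
)

# Same server, but the Exchange metabase extension is missing: no X verbs.
SAMPLE_PLAIN_IIS = (
    "250-server1.redcrocki.com Hello [127.0.0.1]\r\n"
    "250-AUTH GSSAPI NTLM LOGIN\r\n250-TURN\r\n250-SIZE 2097152\r\n"
    "250-ETRN\r\n250-PIPELINING\r\n250-DSN\r\n250-ENHANCEDSTATUSCODES\r\n"
    "250-8bitmime\r\n250-BINARYMIME\r\n250-CHUNKING\r\n250-VRFY\r\n"
    "250 OK\r\n"
)


def parse_ehlo(reply):
    """Return the extension keywords (upper-cased) from a raw EHLO reply.

    Lines look like "250-KEYWORD params"; the last line uses "250 " instead.
    The first line is the server greeting and is skipped.
    """
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    keywords = []
    for line in lines[1:]:
        if not line.startswith("250"):
            continue                      # not part of a successful reply
        body = line[4:].strip()           # drop "250-" or "250 "
        if body:
            keywords.append(body.split()[0].upper())
    return keywords


def exchange_verbs(keywords):
    """Keep only the Exchange-specific verbs, the ones starting with X."""
    return [k for k in keywords if k.startswith("X")]


def _read_reply(sock):
    """Read one SMTP reply; multi-line replies end at a "NNN " line."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
        lines = data.decode("ascii", "replace").splitlines()
        if data.endswith(b"\r\n") and lines and len(lines[-1]) >= 4 and lines[-1][3] == " ":
            break
    return data.decode("ascii", "replace")


def check_smtp(host="127.0.0.1", port=25, timeout=10):
    """Send EHLO like the article's telnet session and return the X verbs.

    An empty list means the Exchange extension is missing from IIS's SMTP
    service, the "dead in the water" case the article describes.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        greeting = _read_reply(sock)
        if not greeting.startswith("220"):
            raise RuntimeError(f"unexpected greeting: {greeting.strip()}")
        sock.sendall(b"EHLO healthcheck.redcrocki.com\r\n")
        reply = _read_reply(sock)
        sock.sendall(b"QUIT\r\n")
    return exchange_verbs(parse_ehlo(reply))


if __name__ == "__main__":
    for label, sample in (("exchange", SAMPLE_EXCHANGE), ("plain IIS", SAMPLE_PLAIN_IIS)):
        verbs = exchange_verbs(parse_ehlo(sample))
        print(f"{label}: {verbs if verbs else 'no X verbs, dead in the water'}")
```

On the server itself, check_smtp() with the defaults performs the same loopback check the article does by hand.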

MS Exchange will install fine with no errors, and everything will look to be fine. When you examine the services that should be running you will find that the MS Exchange SMTP routing service will not be started; you will try starting it and it will puke. You will then spend a whole pile of time searching the internet looking for a solution, you will try some things, they will (most likely) not work, and you will then realise (after some TUMS) that it will be a long night as you do a fresh install of the OS, re-load IIS and re-install Exchange.

There is plenty of advice out on the web about setting up MS Exchange, and configuration of the Recipient Policy to allow for the flow of email is relatively simple; but before we bring on everything we need to have a serious talk.