Module 3: Designing a Highly Available Network Services Infrastructure (pdf)



Document information

Contents

Overview
Lesson: Designing a Highly Available Active Directory Solution
Lesson: Designing a Highly Available DNS Solution 10
Lesson: Designing a Highly Available WINS Solution 23
Lesson: Designing a Highly Available DHCP Solution 28
Lab: Designing a Highly Available Network Services Infrastructure 35

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Active Directory, BackOffice, FrontPage, Outlook, PowerPoint, Visio, Visual Studio, Win32, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Instructor Notes

Presentation: 180 minutes
Practices: 30 minutes
Lab: 60 minutes

This module provides students with the knowledge and skills that are needed to design a highly available network services infrastructure. As a Web infrastructure designer, students will be required to design a highly available Active Directory™ directory service solution that meets their business needs while providing flexibility and easy management of the implemented design. The network services infrastructure design will also include basic services for Internet Protocol (IP) networks, such as DNS and Microsoft® Windows® Internet Name Service (WINS), to provide name resolution services, and DHCP servers to provide address allocations. Students must ensure that these services are correctly positioned to avoid impacting network availability.

After completing this module, students will be able to:
• Design a highly available directory services solution by using Active Directory
• Design a highly available DNS solution
• Design a highly available WINS solution
• Design a highly available DHCP solution
• Select the appropriate Microsoft technologies for designing a highly available network services infrastructure

Required materials
To teach this module, you need the following materials:
• Microsoft PowerPoint® file 2088A_03.ppt
• Delivery Guide
• Trainer Materials compact disc

Preparation tasks
To prepare for this module:
• Read all of the materials for this module
• Complete the practices and the lab

How to Teach This Module

This section contains information that will help you to teach this module. Ensure that students understand that each lesson in this module is a critical task in the design process and that, at the end of the module, they will complete a lab that helps to tie all of the lessons (tasks) together. This knowledge will help
students to stay focused during instruction.

The instructional strategy for this module is to provide the students with the knowledge and skills needed to design a highly available network services infrastructure by using Microsoft technologies.

Lesson: Designing a Highly Available Active Directory Solution

This section describes the instructional methods for teaching each topic in this lesson. The overview page for this lesson introduces the need for a highly available Active Directory solution in a Web infrastructure. The instructional strategy for this lesson divides the design of an Active Directory solution into two parts: addressing the needs of the User Services tier and addressing those of the Business Logic and Data Services tiers. The topic pages for this lesson and the appropriate instructional strategies are listed as follows:

Process for planning an Active Directory structure
The purpose of this page is to refresh students about the process of planning an Active Directory structure. Much of the information presented here is prerequisite knowledge for the students. However, tell students that they need to provide a separate forest for the User Services tier when designing an Active Directory solution for a Web infrastructure.

Availability of domain controllers
This page emphasizes the importance of the availability of domain controllers to make an Active Directory solution highly available. Students can ensure that an Active Directory solution is highly available by creating a design that has sufficient domain controllers to provide redundancy. Emphasize the best practices for improving the availability of domain controllers in a Web infrastructure.

Guidelines for designing a highly available Active Directory solution
The guidelines page provides students with the action steps that they must address before they can design a highly available Active Directory solution for a Web infrastructure. Review these action steps with the students and ensure that they understand how these steps map to the task. Emphasize the importance of addressing all of these requirements.

Practice: Design a Highly Available Active Directory Solution
You will divide the class into design teams. Give the students five minutes to read carefully through the scenario and the design considerations before they answer the questions. Tell the class that each team must be prepared to justify their answers.

Lesson: Designing a Highly Available DNS Solution

This section describes the instructional methods for teaching each topic in this lesson. The overview page for this lesson introduces the need for a highly available DNS solution in a Web infrastructure. The instructional strategy for this lesson divides the design of a DNS solution into two parts: addressing the needs of the User Services tier and addressing those of the Business Logic and Data Services tiers. The topic pages for this lesson and the appropriate instructional strategies are listed as follows:

A highly available DNS solution
The purpose of this page is to introduce the characteristics of a highly available DNS solution and the criteria that affect its design. You must emphasize the importance of using at least two DNS servers to service client requests. Explain to the students why it is recommended to use two Active Directory integrated DNS servers inside the firewall and to use a minimum of two external secondary DNS servers hosted by an Internet service provider.

DNS services in the User Services tier
This page explains the different DNS zone types and the criteria for choosing a zone when designing DNS services for the User Services tier. Explain the best practices to provide highly available DNS services for the User Services tier.

DNS services in the Business Logic and Data Services tiers
This page tells students the reason for using Active Directory integrated DNS zones for the Business Logic and Data Services tiers. Explain the best practices to provide highly available DNS services for the Business Logic and Data Services tiers.

Active Directory in a DNS solution
The purpose of this page is to explain the characteristics of Active Directory integrated DNS zones and how they compare with traditional DNS zones. Explain to students the best practices for using Active Directory in a highly available Web solution.

Guidelines for designing a highly available DNS solution
The guidelines page provides students with the action steps that they must address before they can design a highly available DNS solution. You should review these action steps with the students and ensure that they understand how these steps map to the task. Emphasize the importance of addressing all of these requirements.

Practice: Design a Highly Available DNS Solution
You will divide the class into design teams. Give the students five minutes to read carefully through the scenario and the design considerations before they answer the questions. Tell the class that each team must be prepared to justify their answers.

Lesson: Designing a Highly Available WINS Solution

This section describes the instructional methods for teaching each topic in this lesson. The overview page for this lesson introduces the need for a highly available WINS solution in a Web infrastructure. The instructional strategy for this lesson is to explain to students that they need to design a highly available WINS solution if their Web infrastructure includes server clusters, because the network names associated with virtual servers are registered with WINS. The topic page for this lesson and the appropriate instructional strategy are listed as follows:

Guidelines for designing a highly available WINS solution
The guidelines page provides students with the action steps that they must address before they can design a highly available WINS solution for a Web infrastructure. Review the
action steps with the students and ensure that they understand how these steps map to the task. Emphasize the importance of addressing all of these requirements.

Review: Designing a Highly Available WINS Solution
Give the students five minutes to read carefully through the questions before they answer them. Tell students that they must be prepared to justify their answers.

Lesson: Designing a Highly Available DHCP Solution

This section describes the instructional methods for teaching each topic in this lesson. The overview page for this lesson introduces the need for a highly available DHCP solution in a Web infrastructure. The instructional strategy for this lesson is to explain to students that they can use DHCP to automate IP address management and reduce manual administrative tasks. The topic page for this lesson and the appropriate instructional strategy are listed as follows:

A highly available DHCP server architecture
This page introduces the characteristics of a highly available DHCP server architecture. Emphasize both the importance of using multihomed DHCP servers to ensure the availability of DHCP services and why DHCP servers must always run Microsoft Windows 2000 in an Active Directory domain. Explain to students how to provide highly available DHCP services by using multihomed domain controllers with interfaces located on each separate network segment.

DHCP lease duration
The purpose of this page is to explain that students must specify a lease duration that is short enough that the rate of failed host replacement does not exhaust the address pool specified for the subnet. Also, stress the importance of specifying a lease duration that is long enough that temporary failures of the DHCP servers will not affect the management of existing clients, but short enough to ensure that changes to scope options are rolled out in a timely manner.

Guidelines for designing a highly available DHCP solution
The guidelines page provides students with the action steps that they must address before they can design a highly available DHCP solution for a Web infrastructure. Review these steps with the students and ensure that they understand how these steps map to the task. Emphasize the importance of addressing all of these requirements.

Review: Designing a Highly Available DHCP Solution
Give the students five minutes to read carefully through the questions before they answer them. Tell students that they must be prepared to justify their answers.

Lab: Designing a Highly Available Network Services Infrastructure

In this lab, students will design a highly available network services infrastructure to meet the needs of the Government Portal scenario. Their design will include components that meet the directory services requirements, name resolution requirements, and IP address configuration requirements of the given scenario. The students will then make appropriate high availability recommendations for the design where required.

As with the practices, you will divide the class into design teams. Give the students 30 minutes to read carefully through the scenario and the design considerations before they answer the questions. If white board space is available, require that each team put their design on the board. If Microsoft Visio® is available and the students are comfortable using it, you could have them forward their design to you for display on the screen. Each team must be prepared to justify their answers.

Depending on team experience, the Web infrastructure designs can be relatively simple or quite complex. You may also discover that some features of their Web infrastructure design may be incomplete or wrong because they do not have the prerequisite knowledge. You must only focus on the part of the design that addresses the lesson component being taught. You can allow other teams to critique each design, but it is important that you explain to the students that there are no wrong or right
answers. What they must take from this exercise is the opportunity to practice their design ideas and get peer review in a lab environment. Depending on business requirements, their actual designs may vary.

Overview

• Designing a Highly Available Active Directory Solution
• Designing a Highly Available DNS Solution
• Designing a Highly Available WINS Solution
• Designing a Highly Available DHCP Solution

Introduction
This module introduces the Microsoft technologies that you can use to design a highly available network services infrastructure for your Web solution. To design a highly available network services infrastructure, you must design a highly available Active Directory™ directory service solution that meets your business needs and provides flexibility and easy management of the implemented design. Your design must also include basic services for Internet Protocol (IP) networks, such as DNS and Microsoft® Windows® Internet Name Service (WINS), to provide name resolution services, and DHCP servers to provide address allocations. You must ensure that these services are positioned correctly to avoid impacting network availability.

Objectives
After completing this module, you will be able to:
• Design a highly available directory services solution by using Active Directory
• Design a highly available DNS solution
• Design a highly available WINS solution
• Design a highly available DHCP solution
• Select the appropriate Microsoft technologies for designing a highly available network services infrastructure

Lesson: Designing a Highly Available Active Directory Solution

• Process for Planning an Active Directory Structure
• Availability of Domain Controllers
• Guidelines for Designing a Highly Available Active Directory Solution

Introduction
The need for enhanced security and better manageability of your Web infrastructure can make the availability of Active Directory essential in your Web infrastructure. You can also use Active Directory to store user information if your Web infrastructure has a separate domain in the Business Logic and Data Services tiers for your Web applications. To design a highly available Active Directory solution for a Web infrastructure, you must be familiar with the process for planning an Active Directory structure. In addition, you need to know both the best practices for improving the availability of domain controllers in a Web infrastructure and the guidelines for designing a highly available Active Directory solution.

Lesson objectives
After completing this lesson, you will be able to:
• Describe the process for planning an Active Directory structure
• Describe the considerations for improving domain controller availability
• Design a highly available Active Directory solution for a Web infrastructure

Run the WINS service on two domain controllers
Because the WINS service does not affect the performance of the computer on which it is running, you can run the WINS service on a domain controller. However, it is recommended that you run the WINS service on a minimum of two domain controllers for redundancy. If you run the WINS service on two domain controllers, configure the WINS clients with the TCP/IP addresses of both WINS servers to enable the clients to communicate seamlessly with the alternate WINS server if either WINS server fails.

Note: Apart from WINS, there are two more NetBIOS name resolution methods, broadcast packets and the Lmhosts file. However, compared to WINS, they are not recommended for a Web infrastructure.

Review: Designing a Highly Available WINS Solution

• Guidelines for Designing a Highly Available WINS Solution

How many WINS servers will you create when designing a highly available WINS name resolution solution? Why?
Create two WINS servers and configure them with push/pull replication between them. Replication not only provides for a backup of the WINS database, but it also reduces the load on a single WINS server.

What is the recommended client configuration for designing a highly available WINS solution by using two WINS servers? Why?
Configure the WINS clients with the TCP/IP addresses of both WINS servers. By configuring the WINS clients with the TCP/IP addresses of both WINS servers, you enable the clients to communicate seamlessly with the alternate WINS server if either WINS server fails.

Why is it recommended to run the WINS service on at least two domain controllers in a highly available WINS name resolution solution?
You must run the WINS service on a minimum of two domain controllers to create redundancy.

Lesson: Designing a Highly Available DHCP Solution

• A Highly Available DHCP Server Architecture
• DHCP Lease Duration
• Guidelines for Designing a Highly Available DHCP Solution

Introduction
Although the DHCP service is not critical to the operation of Web applications, it is important for operations management, especially when you are deploying, relocating, or replacing failed servers. A management network interface must be accessible, without manual configuration of IP addresses, to perform management tasks or to build a new server. If you add computers to support increased application load or to replace failed computers and you do not use DHCP, you must manually manage IP addresses. Therefore, if your network interface does not need statically assigned IP addresses, use the DHCP service. DHCP automates IP address management and reduces manual administrative tasks.

Lesson objectives
After completing this lesson, you will be able to:
• Identify the features of a highly available DHCP server architecture
• Specify the appropriate lease duration for a DHCP service
• Design a highly available DHCP solution for a Web infrastructure

A Highly Available DHCP Server Architecture

(Slide diagram: multihomed DHCP servers, DHCP servers in Active Directory domains, DHCP services on domain controllers, and highly available DHCP services, with DHCP servers on the management network serving both the User Services tier and the Business Logic and Data Services tiers.)

Introduction
In your highly available Web infrastructure, you will have both statically assigned and dynamically assigned IP addresses. To minimize address administration, it is recommended that you use DHCP services to assign addresses dynamically to interfaces that do not require manual configuration. Manual configuration of the IP address, mask, and default gateway addresses is required by some hosts on a network, such as special function servers, routers, firewalls, and network address translation (NAT) devices. For example, the WINS servers and DNS servers in your Web solution must have static IP addresses and be manually configured.

If you only need one DHCP server to ensure that DHCP services are highly available, you can install the DHCP service on a highly available server that is running the cluster service. DHCP is cluster-aware and will fail over if the node fails. When a cluster server is not available to support DHCP in your infrastructure, your Web design may include multiple DHCP servers. If your design includes multiple firewalls, you must provide multiple DHCP servers in each isolated tier of your Web infrastructure.

Multihomed DHCP servers
Whereas a DHCP server requires only one network interface adapter to provide services, a multihomed DHCP server can provide services to several subnets without requiring additional components. A multihomed DHCP server has multiple network interface adapters that provide DHCP services to multiple subnets simultaneously. The advantage of a multihomed DHCP server is that relay agents are not required to forward client address requests, and therefore DHCP services remain available when routing paths fail.

To ensure that an interface is always provided with the same IP address, you can define reservations in the DHCP scope for a subnet. The reservations map the media access control (MAC) address to the IP address. The reserved IP address is issued to the interface when a DHCP request is made by that host.

You can create reservations on the DHCP server to ensure that a host interface receives the same IP address every time. However, this is not recommended, because reserved IP addresses will not be released by a host if the host fails suddenly, and the IP address will not be reused by the DHCP server. If you decide to use reservations, you need to define a larger range of addresses in the subnet scope to allow for failures of hosts on the subnet.

DHCP servers in Active Directory domains
Always use DHCP servers that are running Windows 2000 in an Active Directory domain to ensure that only authorized servers are permitted to start. DHCP servers that are running Windows 2000 request authorization from Active Directory before starting and providing DHCP service. You can reduce the risk of unauthorized DHCP servers in your solution by authorizing each valid server in Active Directory. An unauthorized DHCP server may disrupt services by providing erroneous DHCP allocations to hosts.

Note: It is recommended that you do not run the DHCP service on the domain controllers that are running Active Directory integrated DNS. For details about installing DHCP on a domain controller, search for article q255134 on the Microsoft Web site at http://www.microsoft.com.

DHCP services on domain controllers
Because the number of DHCP addresses in your Web infrastructure is relatively low (a few hundred maximum), you can provide DHCP services on an Active Directory domain controller without affecting the performance of the domain controller. To provide redundancy without using relay agents, use multihomed domain controllers with interfaces located on each separate network segment. It is recommended that you have at least two DHCP servers, with each server authorized in Active Directory to run. It is convenient to use domain controllers to provide DHCP services because the DHCP server requires authorization to run. Installing the DHCP service on a domain controller ensures that the DHCP server will be authorized even if the network routers fail. In addition,
cost and management are reduced compared to providing dedicated DHCP servers. To reduce the dependency on relay agents and routers, select domain controllers on different network segments to run DHCP services. Also, you must ensure that the domain controllers are installed on the network segments with the maximum demand for services. To provide redundancy for DHCP services with this architecture, you must provide relay agents to forward DHCP requests if the domain controller on a subnet fails.

Highly available DHCP services
DHCP services must be available at all times. You can improve DHCP service availability in several ways. Consider the following points when designing a highly available DHCP service for your Web solution:
• Install the DHCP service on at least two servers. You will typically use domain controllers if available. You can create a highly available DHCP service by installing the DHCP service on an existing server cluster (where one highly available DHCP server may suffice).
• Configure DHCP servers to have scopes for a given subnet with no overlapping address ranges for that subnet. You must design the network subnets so that there are enough IP addresses available for a DHCP server with half of the address range to satisfy all of the client leases for the subnet.
• Configure routers to be DHCP/Bootstrap Protocol (BOOTP) relay agents to forward requests from the subnets to both DHCP servers.

DHCP Lease Duration

• Ensure that the lease duration is short enough so that the rate of failed node replacement does not exhaust the address pool
• Configure the lease duration to be long enough so that temporary failures of the DHCP servers do not affect the management of existing clients

Introduction
When a host receives an IP address allocation from a DHCP server, the lease duration is specified as part of that allocation. The host always requests a renewal halfway through the lease period. As part of your DHCP server design, you can specify an infinite lease duration to reduce requests to the DHCP server. If servers suddenly fail, however, DHCP-allocated IP addresses are not released as they would be during a normal server shutdown. This situation can result in a shortage of IP addresses on a subnet. To avoid this situation, use non-infinite lease durations to ensure that the IP addresses that are allocated to servers that fail suddenly are reclaimed after an acceptable period of time.

DHCP lease duration
You must ensure that the lease duration is short enough that the rate of failed host replacement does not exhaust the address pool specified for the subnet. If the lease duration is not short enough, the IP addresses of failed hosts will not be released back to the DHCP server in time. You can manually delete leases, but it is recommended that you configure the lease duration so that the DHCP server will delete the leases automatically when they expire. You must configure the lease duration to be long enough so that temporary failures of the DHCP servers will not affect the management of existing clients, but short enough to ensure that changes to scope options are rolled out in a timely manner.

Note: It is recommended that you use a lease duration of 14 days. A 14-day lease period will ensure that option modifications are applied by the DHCP server in seven days. Leases for any failed or relocated hosts will be released by the DHCP server 14 days from the last lease renewal.

Guidelines for Designing a Highly Available DHCP Solution

• Select the appropriate number of DHCP servers
• Determine the high availability Microsoft technology for the DHCP servers
• Determine the position of the DHCP servers

Introduction
In your highly available Web infrastructure, you will have both
statically assigned and dynamically assigned IP addresses. To reduce the amount of address administration, use DHCP to assign addresses dynamically wherever possible. A highly available DHCP service is required to ensure that dynamic IP addresses can be allocated at all times.

Design guidelines
As you design a highly available DHCP solution, apply the following guidelines:

Select the appropriate number of DHCP servers
• Use DHCP to allocate all out-of-band management, monitoring, and build interfaces. Avoid the use of reservations, as they can reduce the number of available IP addresses if equipment fails.
• Use multihomed DHCP servers wherever possible, but do not compromise any firewall isolation in place.
• Install the DHCP service on a domain controller or other suitable Windows 2000 server where DHCP services must be provided on a single subnet or logical tier.

Determine the high availability Microsoft technology for the DHCP servers
• Use DHCP servers running Windows 2000 and ensure that all DHCP servers are authorized in Active Directory.
• When a server cluster is available, it is recommended that you install the DHCP server on the cluster to provide high availability for a single DHCP server.
• When multiple servers are required, create scopes on each server for each subnet in your solution. This step requires that more address space be allocated to each subnet, and it may require that relay agents be installed.

Determine the position of the DHCP servers
• Position multihomed DHCP servers in each tier of your solution, which requires multiple subnets.
• Use a single DHCP server where firewall isolation prevents multiple subnets from being serviced by a multihomed DHCP server.

Review: Designing a Highly Available DHCP Solution

• A Highly Available DHCP Server Architecture
• DHCP Lease Duration
• Guidelines for Designing a Highly Available DHCP Solution

What steps will you take to ensure that your Web solution design provides for a highly available DHCP service?
Install the DHCP service on at least two servers. Configure DHCP servers to have scopes for a given subnet with no overlapping address ranges for that subnet. Configure routers to be DHCP/BOOTP relay agents to forward requests from the subnets to both DHCP servers.

Identify two ways in which you can ensure that your DHCP service will have the appropriate lease duration.
Make the lease duration short enough so that the rate of failed node replacement does not exhaust the IP address pool. Make the lease duration long enough so that temporary failures of the DHCP servers do not affect the management of existing clients, but short enough to ensure that any changes to scope options are rolled out in a timely manner.

Lab: Designing a Highly Available Network Services Infrastructure

• Lab overview
• Directory services requirements
• Name resolution requirements
• IP address configuration requirements
• Other technical requirements and considerations
• Lab questions

Lab overview
In this lab, you will evaluate the Government Portal’s requirements for directory services, name resolution, and IP address configurations for the Web infrastructure. You will then recommend a design that provides the required high availability for each of the necessary services.

Directory services requirements
Public users of the Government Portal will require individual user accounts to authenticate to the portal and access personal information. It is estimated that 300,000 accounts will be created during the first year of operation. Certain government employees require access to add or update personal information in many of the portal’s back-end systems.
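The split-scope and lease-duration rules from the DHCP lesson above (two servers per subnet with non-overlapping scopes, each half sized to carry every client alone, and a lease short enough that suddenly failed hosts cannot exhaust the pool), carried through as an added Python design check that is not part of the Microsoft course module. The management subnet, server names, client count and failure rate are constructed for the example, and the steady-state dead-lease model (addresses held by failed hosts ≈ failures per day × lease days) is this example's own assumption, not a formula from the module.

```python
"""Design check for a two-server split-scope DHCP subnet with a lease-duration budget.

Added example, not code from the course module. It encodes the module's rules:
two DHCP servers per subnet with non-overlapping scopes, each able to satisfy
every client on its own, and a lease short enough that addresses held by
suddenly failed hosts do not exhaust the pool. The failure model and all
addresses below are assumptions of this example.
"""
import math
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Scope:
    """One DHCP server's address range for a subnet."""
    server: str
    network: IPv4Network
    start: IPv4Address
    end: IPv4Address

    def __post_init__(self):
        if self.start not in self.network or self.end not in self.network:
            raise ValueError(f"{self.server}: range lies outside {self.network}")
        if self.start > self.end:
            raise ValueError(f"{self.server}: start address is after end address")

    @property
    def size(self) -> int:
        return int(self.end) - int(self.start) + 1


def overlaps(a: Scope, b: Scope) -> bool:
    """True when two scopes could hand out the same address."""
    return a.start <= b.end and b.start <= a.end


def check_split_scope(scopes, clients):
    """Return the list of design problems; an empty list means the split is sound."""
    problems = []
    if len(scopes) < 2:
        problems.append("fewer than two DHCP servers serve the subnet")
    if len({s.network for s in scopes}) > 1:
        problems.append("scopes belong to different subnets")
    for i, a in enumerate(scopes):
        for b in scopes[i + 1:]:
            if overlaps(a, b):
                problems.append(f"{a.server} and {b.server} have overlapping ranges")
    # Each half must satisfy all client leases alone, so losing one server is harmless.
    for s in scopes:
        if s.size < clients:
            problems.append(f"{s.server} has {s.size} addresses but {clients} clients need leases")
    return problems


def dead_leases(failures_per_day, lease_days):
    """Addresses tied up by hosts that failed without releasing their lease.

    A failed host's lease is reclaimed only lease_days after its last renewal, so
    about failures_per_day * lease_days addresses are dead at any moment
    (assumed steady-state model)."""
    return math.ceil(failures_per_day * lease_days)


def option_rollout_days(lease_days):
    """Clients renew halfway through the lease, so a scope-option change reaches
    every live client within half the lease (7 days for the module's 14-day lease)."""
    return lease_days / 2


def max_lease_days(pool_size, clients, failures_per_day):
    """Longest whole-day lease such that live clients plus dead leases still fit in
    one server's range. None means failures impose no bound."""
    spare = pool_size - clients
    if spare < 0:
        return 0
    if failures_per_day <= 0:
        return None
    return math.floor(spare / failures_per_day)


def design_report(scopes, clients, failures_per_day, lease_days):
    """Combine the scope and lease checks into one verdict for a subnet."""
    problems = check_split_scope(scopes, clients)
    smallest = min(s.size for s in scopes)
    held = clients + dead_leases(failures_per_day, lease_days)
    if held > smallest:
        problems.append(f"{lease_days}-day lease: {held} live or dead addresses exceed {smallest}")
    return {
        "problems": problems,
        "dead_leases": dead_leases(failures_per_day, lease_days),
        "option_rollout_days": option_rollout_days(lease_days),
        "max_lease_days": max_lease_days(smallest, clients, failures_per_day),
    }


# Constructed sample: a /24 management network with 60 managed interfaces and two
# DHCP servers, each owning a non-overlapping 100-address half of the range.
MGMT_NET = IPv4Network("192.168.10.0/24")
EXAMPLE_SCOPES = [
    Scope("dhcp-a", MGMT_NET, IPv4Address("192.168.10.21"), IPv4Address("192.168.10.120")),
    Scope("dhcp-b", MGMT_NET, IPv4Address("192.168.10.121"), IPv4Address("192.168.10.220")),
]

if __name__ == "__main__":
    # Two failed-and-replaced hosts a day with the module's recommended 14-day lease.
    for key, value in design_report(EXAMPLE_SCOPES, 60, 2, 14).items():
        print(f"{key}: {value}")
```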
There is an existing Active Directory forest based on a forest root domain called corpnet.government. Employees must be able to sign in once to the internal network and gain the necessary access to different portal systems, depending on their job function.

Name resolution requirements

Both Internet users and employees need to resolve the name www.portal.gov to access the Web site. DNS name resolution is required between many of the servers in the Web infrastructure, but Internet users must be able to resolve only the names of the Web sites. The main government data center currently uses two BIND-based DNS servers for Internet name resolution for the government top-level DNS domain. DNS in the Web infrastructure must be highly available for name registration and updates.

IP address configuration requirements

Administration staff need to be able to add capacity to the Web and COM+ application tiers as quickly as possible by loading operating system and application images onto new servers with the minimum amount of manual configuration. Administration staff would also like to control advanced IP configuration options centrally for servers added to any tier. Centralized IP addressing should be highly available.

Other technical requirements and considerations

Your solution should include Microsoft technologies where possible.

Lab questions

1. How many new Active Directory forests and domains are required?
In addition to the existing Active Directory forest of corpnet.government, you must establish a single-domain Active Directory forest to contain the accounts of public users and the front-end Web servers in the User Services tier. You must create another Active Directory forest for the servers in the Business Logic and Data Services tiers. You may consider establishing multiple domains for this forest, including a domainlet exclusive to the SQL Server database cluster.

2. How many manual trust relationships must be established, and in what direction?

Establish a one-way manual trust from the portal.government forest root to the appropriate domains in the back-end forest. Establish a one-way manual trust from the portal.government forest root to the appropriate internal network domains to satisfy the employee access requirements.

3. How do you propose to make directory services highly available?

Active Directory domain controllers use a multimaster architecture and replicate all changes made to Active Directory so that every domain controller is synchronized. High availability is achieved by creating multiple domain controllers for each domain and by positioning them in the infrastructure to provide reliable Active Directory services to each subnet. There must be a minimum of three domain controllers for each domain so that the environment remains highly available during scheduled or unscheduled downtime of one of the domain controllers. Performance may dictate that even more domain controllers be deployed for the portal.government domain so that user authentication does not become a bottleneck. If there are too few domain controllers to provide adequate performance, the service can be technically available, but users will consider it unavailable if the response time is too long.

Note that while Active Directory is based on multimaster creation and replication of accounts, certain domain controller roles are single master. Of the single-master roles, the relative identifier (RID) master will be the most important to re-establish in the event of a failure in the portal.government domain. The RID master must be online because many new user accounts will be created each day, particularly during the first year of operation; each domain controller creates accounts from a pool of RIDs that only the RID master allocates, so once those pools are used up, account creation stops. The RID master role can be manually seized and assigned by a domain administrator to another domain controller if the original RID master cannot be brought back online in a timely manner. It is important that you thoroughly document both the process for seizing the role and the process for rebuilding the original RID master. A failed RID master whose role has been seized because the server failed must be rebuilt and must not be brought back onto the network: two domain controllers acting as RID master could allocate overlapping RID pools and produce duplicate security identifiers.

If your design includes server clusters, configure each server in the cluster as a domain controller. This configuration ensures that the cluster nodes can authenticate and start the cluster service even if network failures occur. The server cluster may be configured in its own domain, called a domainlet.

4. How would you design the organizational unit hierarchy for each forest?

For the front-end forest, use the default Domain Controllers organizational unit and create separate organizational units for Internet user accounts, IIS Web server computer accounts, and administrators. For the back-end forest, use the default Domain Controllers organizational unit and create separate organizational units for application user accounts and administrators. You will also create an organizational unit for each type of server that requires unique Group Policy objects (GPOs).

5. What additional organizational unit configurations would you recommend?
Configure the No Override setting on the Group Policy links to any site, domain, or organizational unit defined in your Active Directory infrastructure. You will also want to set the Group Policy loopback option to Replace on any organizational unit that contains servers, so that no user GPO settings are applied on production servers. In Replace mode, the GPO list for the user is replaced in its entirety by the GPO list already obtained for the computer at computer startup.

6. What name resolution services are required in the Web infrastructure?

DNS is required for name resolution in an Active Directory network. It is also required on the Internet so that public users can resolve www.portal.gov to an IP address.

7. How many and what types of DNS zones are required?

Because there is already a DNS zone on the external BIND servers for the government DNS domain, you could use that zone for Internet name resolution of www.portal.gov. The BIND servers would already be configured with one BIND server hosting the primary zone and the other hosting a secondary zone.

You will require a new DNS zone for the portal.government single-domain Active Directory forest. It is recommended that the external BIND servers not be used to resolve the Active Directory names, because you do not want name records for internal servers visible on the Internet. Use the domain controllers for portal.government to host the DNS zone so that you can take advantage of Active Directory integrated zones. The DNS name portal.government must be registered with the InterNIC.

Likewise, you will require a new DNS zone for each new domain in the Business Logic and Data Services tiers. Configure these zones to be Active Directory integrated. If you have multiple domains, you must also configure secondary zones for the forest root domain on each DNS server in each child domain. You may also consider setting up secondary zones for portal.government on the internal network for faster name resolution for employees accessing the portal.

8. How do you propose to make DNS highly available?

The two existing external BIND servers can provide highly available DNS resolution for www.portal.gov. With BIND, only one DNS server holds a writable copy of the zone database, but a single writable copy is not a problem because the external DNS records will rarely require updating. You can achieve additional fault tolerance for external DNS by creating more secondary DNS servers or by having ISPs host secondary zones.

The best way to achieve high availability for the portal.government Active Directory zone is to leverage the high availability design for the domain controllers. Configure each domain controller as a DNS server; with Active Directory integrated zones, each one holds a writable copy of the DNS zone.

9. How do you propose to make NetBIOS name resolution highly available, if needed?

NetBIOS name resolution is not needed. If it were needed, you could place a WINS server running Windows 2000 in the Web infrastructure. You can configure WINS to be highly available by using the Microsoft Cluster service or native WINS replication between two or more servers, and by assigning multiple WINS servers to the WINS clients. Providing WINS services allows the flexibility of adding other components to the Web infrastructure that may also rely on NetBIOS name resolution.

10. How many DHCP scopes are required?

Create a scope for each subnet that requires DHCP services. The logical design of your Web infrastructure network will dictate the number of DHCP scopes required.

11. How many DHCP servers do you propose to use, and what techniques can you use to make DHCP highly available?
A single DHCP server can service multiple subnets and thousands of clients. The DHCP client traffic in the Web infrastructure will be minimal, so two DHCP servers, the minimum for high availability, are most likely all that is required. The impact of the DHCP service in this environment will be so low that you can add the service to other servers in the Web infrastructure, such as domain controllers or database servers running SQL Server. Two domain controllers can provide highly available DHCP service in the User Services tier by creating scopes with mutually exclusive address ranges for the same subnets on each server. A SQL Server database cluster can be used to make DHCP services highly available for the back-end network adapters of the application servers in the Business Logic tier.

All of the network adapters on the server clusters, DNS servers, WINS servers and DHCP servers, and the adapters on the Web servers that are running Network Load Balancing, must have manually configured IP parameters. The requirement that the administrator centrally manage IP address configurations implies that shorter lease durations are necessary to ensure that any changes are issued to clients in a timely manner.

12. What are the additional considerations for DHCP?

Where multiple subnets lie within the same firewall boundary, you can configure a multihomed DHCP server, or you can provide remote subnets with DHCP services either by using DHCP relay agents or by enabling BOOTP forwarding on the routers.
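The split-scope arrangement that the review question and lab question 11 describe (two servers holding mutually exclusive ranges of the same subnet, both authorized in Active Directory) together with the lease-duration bounds from the review, as an added example that is not part of the course text. It uses the DhcpServer PowerShell module from later Windows Server releases rather than the Windows 2000 DHCP console, since the design itself is unchanged; the server names DHCP01 and DHCP02, the subnet 10.10.1.0/24 with its gateway and DNS addresses, and the sizing figures are all hypothetical.

```powershell
#Requires -Modules DhcpServer
# Added example, not course material. Assumes two Windows DHCP servers, DHCP01 and
# DHCP02, managed from a host with the DhcpServer module, and a User Services tier
# subnet 10.10.1.0/24 with gateway 10.10.1.1 and DNS servers 10.10.1.5 and 10.10.1.6.
# Every name, address and sizing figure below is hypothetical.

function ConvertTo-AddressInt ([string]$Ip) {
    # IPv4 dotted quad -> integer (big-endian) so that ranges compare numerically.
    $b = ([ipaddress]$Ip).GetAddressBytes(); [array]::Reverse($b)
    [long][BitConverter]::ToUInt32($b, 0)
}
function ConvertFrom-AddressInt ([long]$N) {
    $b = [BitConverter]::GetBytes([uint32]$N); [array]::Reverse($b)
    ([ipaddress]::new($b)).IPAddressToString
}

# Divide one subnet's pool into two mutually exclusive ranges, one per server.
function Get-SplitScopePlan {
    param([string]$StartRange, [string]$EndRange, [int]$FirstServerPercent = 50)
    $s = ConvertTo-AddressInt $StartRange
    $e = ConvertTo-AddressInt $EndRange
    if ($e -lt $s) { throw "EndRange precedes StartRange" }
    $total = $e - $s + 1
    $first = [long][math]::Floor([double]($total * $FirstServerPercent) / 100)
    if ($first -lt 1 -or $first -ge $total) { throw "Split leaves one server with no addresses" }
    @(
        [pscustomobject]@{ Server = 'DHCP01'; StartRange = $StartRange
                           EndRange = ConvertFrom-AddressInt ($s + $first - 1) }
        [pscustomobject]@{ Server = 'DHCP02'; StartRange = ConvertFrom-AddressInt ($s + $first)
                           EndRange = $EndRange }
    )
}

# Bound the lease from both sides, following the review guidance.
function Get-LeaseDurationBounds {
    param([int]$PoolSize, [int]$SteadyStateHosts, [double]$ReplacementsPerDay,
          [double]$TolerableOutageHours, [double]$MaxOptionRolloutHours)
    # A replacement node presents a new client identifier, so the failed node's lease
    # stays allocated until it expires: over a lease of L days the pool must hold the
    # steady-state hosts plus L * replacements, which bounds L from above.
    $poolBoundDays = ($PoolSize - $SteadyStateHosts) / $ReplacementsPerDay
    # Clients renew at 50% of the lease (T1) and receive the current scope options
    # then, so an option change reaches every client within about half a lease.
    $rolloutBoundDays = 2 * $MaxOptionRolloutHours / 24
    # While the servers are healthy every client renews at T1, so each always holds
    # at least half a lease; an outage of H hours is survived if the lease is >= 2H.
    $minDays = 2 * $TolerableOutageHours / 24
    $maxDays = [math]::Min($poolBoundDays, $rolloutBoundDays)
    [pscustomobject]@{ MinLeaseDays = $minDays; MaxLeaseDays = $maxDays; Feasible = ($minDays -le $maxDays) }
}

# Read every scope from the named servers and fail on any overlap within one subnet.
function Test-ScopeRangesExclusive ([string[]]$Servers) {
    $scopes = foreach ($srv in $Servers) {
        foreach ($sc in Get-DhcpServerv4Scope -ComputerName $srv) {
            [pscustomobject]@{ Server = $srv; ScopeId = "$($sc.ScopeId)"
                               Start = ConvertTo-AddressInt "$($sc.StartRange)"
                               End = ConvertTo-AddressInt "$($sc.EndRange)" }
        }
    }
    $ok = $true
    foreach ($group in ($scopes | Group-Object ScopeId)) {
        $sorted = @($group.Group | Sort-Object Start)
        for ($i = 1; $i -lt $sorted.Count; $i++) {
            if ($sorted[$i].Start -le $sorted[$i - 1].End) {
                Write-Warning ("Overlap in scope {0}: {1} and {2}" -f $group.Name, $sorted[$i - 1].Server, $sorted[$i].Server)
                $ok = $false
            }
        }
    }
    $ok
}

# Create the split scope on both servers, authorize them in Active Directory, verify.
function New-SplitScopeDeployment {
    param([string]$ScopeId = '10.10.1.0', [string]$SubnetMask = '255.255.255.0',
          [string]$StartRange = '10.10.1.50', [string]$EndRange = '10.10.1.250',
          [timespan]$Lease = (New-TimeSpan -Days 2))
    $authorized = @(Get-DhcpServerInDC | ForEach-Object { $_.DnsName })
    foreach ($p in Get-SplitScopePlan -StartRange $StartRange -EndRange $EndRange) {
        Add-DhcpServerv4Scope -ComputerName $p.Server -Name "UserServices $ScopeId" `
            -StartRange $p.StartRange -EndRange $p.EndRange -SubnetMask $SubnetMask `
            -LeaseDuration $Lease -State Active
        Set-DhcpServerv4OptionValue -ComputerName $p.Server -ScopeId $ScopeId `
            -Router '10.10.1.1' -DnsServer '10.10.1.5', '10.10.1.6'
        # An unauthorized Windows DHCP server in an AD domain stops serving clients.
        $fqdn = "$($p.Server).portal.government"
        if ($authorized -notcontains $fqdn) { Add-DhcpServerInDC -DnsName $fqdn }
    }
    if (-not (Test-ScopeRangesExclusive -Servers 'DHCP01', 'DHCP02')) {
        throw "Scope ranges overlap between servers; correct this before clients use them"
    }
}
```

With the defaults, Get-SplitScopePlan gives DHCP01 the range 10.10.1.50 to 10.10.1.149 and DHCP02 the range 10.10.1.150 to 10.10.1.250. Get-LeaseDurationBounds -PoolSize 201 -SteadyStateHosts 120 -ReplacementsPerDay 4 -TolerableOutageHours 12 -MaxOptionRolloutHours 24 returns a minimum of 1 day and a maximum of 2 days (the option-rollout bound is tighter than the pool bound of 20.25 days), so the two-day lease that New-SplitScopeDeployment uses satisfies both review guidelines. Run Test-ScopeRangesExclusive again after any scope change: overlapping ranges on two servers would let both of them offer the same address.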
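The zone layout from lab questions 7 and 8 (an Active Directory integrated zone for portal.government held writable on every domain controller, secondary copies of the forest root zone on each child-domain DNS server, and public names answered only by the external BIND pair), as an added example that is not part of the course text. It uses the DnsServer and DnsClient PowerShell modules of later Windows Server releases in place of the Windows 2000 tools; the domain controller names DC01 and DC02, the back-end forest root backend.local with its child-domain DNS server DNS03, and the external server addresses are hypothetical.

```powershell
#Requires -Modules DnsServer, DnsClient
# Added example, not course material. Assumes the front-end forest portal.government
# with domain controllers DC01 and DC02 both running DNS, a back-end forest whose root
# zone is backend.local with a child-domain DNS server DNS03, and the external BIND
# pair at 192.0.2.53 and 192.0.2.54. Every name and address is hypothetical.

# Create the zone once; every DC in the domain that runs DNS receives a writable copy
# through Active Directory replication. Secure-only dynamic update means a record can
# be registered or changed only by an authenticated account, normally the owner host.
function New-PortalAdZone {
    param([string]$Zone = 'portal.government', [string]$Dc = 'DC01')
    if (-not (Get-DnsServerZone -ComputerName $Dc -Name $Zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -ComputerName $Dc -Name $Zone -ReplicationScope Domain -DynamicUpdate Secure
    }
}

# Give each child-domain DNS server a standard secondary of the forest root zone,
# transferred from the root domain controllers, as the answer to question 7 requires.
function Add-ForestRootSecondary {
    param([string]$RootZone = 'backend.local',
          [string[]]$RootMasters = @('10.20.0.11', '10.20.0.12'),
          [string]$ChildDnsServer = 'DNS03')
    if (-not (Get-DnsServerZone -ComputerName $ChildDnsServer -Name $RootZone -ErrorAction SilentlyContinue)) {
        Add-DnsServerSecondaryZone -ComputerName $ChildDnsServer -Name $RootZone `
            -ZoneFile "$RootZone.dns" -MasterServers $RootMasters
    }
}

# Every DC must hold the zone as an AD-integrated, secure-update-only copy. A standard
# primary on one DC with secondaries elsewhere would leave a single writable copy.
function Test-AdZoneOnDcs {
    param([string]$Zone = 'portal.government', [string[]]$Dcs = @('DC01', 'DC02'))
    $ok = $true
    foreach ($dc in $Dcs) {
        $z = Get-DnsServerZone -ComputerName $dc -Name $Zone -ErrorAction SilentlyContinue
        if (-not $z -or -not $z.IsDsIntegrated -or $z.DynamicUpdate -ne 'Secure') {
            Write-Warning "$dc does not hold $Zone as an AD-integrated secure-update zone"
            $ok = $false
        }
    }
    $ok
}

# The external BIND servers must answer for the public name and for nothing internal.
function Test-ExternalSplit {
    param([string]$PublicName = 'www.portal.gov',
          [string]$InternalName = 'dc01.portal.government',
          [string[]]$ExternalServers = @('192.0.2.53', '192.0.2.54'))
    $ok = $true
    foreach ($srv in $ExternalServers) {
        $pub = Resolve-DnsName -Name $PublicName -Type A -Server $srv -DnsOnly -ErrorAction SilentlyContinue
        if (-not $pub) { Write-Warning "$srv does not answer for $PublicName"; $ok = $false }
        $int = Resolve-DnsName -Name $InternalName -Type A -Server $srv -DnsOnly -ErrorAction SilentlyContinue
        if ($int) { Write-Warning "$srv exposes $InternalName to the Internet"; $ok = $false }
    }
    $ok
}
```

New-PortalAdZone restricts dynamic update to Secure, so the lab's requirement that registration and updates stay highly available is met by the multimaster copies on the domain controllers, not by accepting unauthenticated updates. Test-ExternalSplit is the check to run from outside the firewall: if an internal name answers on either BIND server, the internal and external namespaces have leaked into each other. On Windows 2000, dnscmd <dc> /ZoneAdd portal.government /DsPrimary followed by dnscmd <dc> /Config portal.government /AllowUpdate 2 creates the same Active Directory integrated zone with secure-only updates.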

Posted: 24/01/2014, 10:20
