By Don Benage
Setting up a single, stand-alone Windows NT computer is a straightforward task. Things become more complicated, however, when you must connect a server to an enterprise-wide network. The need for cooperation with others and coordination with the work they are doing becomes important. Decisions that were previously somewhat arbitrary become critical issues.
This chapter discusses the most important considerations facing an administrator involved in creating an enterprise network and setting up servers to run in such an environment. When you finish this chapter, you will understand how computers on a large network are organized, the basics of network protocols, and Windows NT security.
Administrators, managers, and users should work together to define the organization's needs with respect to a Microsoft BackOffice network. To determine the requirements, the administration team must perform the following activities at regular intervals (at least annually):
Each of these activities is described in the sections that follow.
The first area of emphasis in analyzing the organizational requirements is the user community. The administration team should begin with a thorough inventory of the users connected to the network. The following areas should be documented as a basis for making implementation decisions:
After the user characteristics are understood, it is possible to analyze their requirements to determine which network services are needed. The administration team should map user requirements to the available server applications.
Each Microsoft BackOffice Server product provides a different set of network services, as follows:
See "Commercial Internet Server," (Ch. 1)
See "Build Your Network," (Ch. 3)
Microsoft BackOffice Server applications run on a server attached to the network. Deciding how many servers to operate and where to place each server application is the next step in preparing for your Microsoft BackOffice Server implementation.
Two schools of thought exist on server organization: the super-server school and the distributed computing school. Both approaches have strengths and weaknesses. You must weigh the tradeoffs and decide which approach makes sense in your organization.
The super-server approach involves buying one (or few) very large computers with multiple processors and a large amount (for example, 256M or more) of random-access memory (RAM). This concentrated power can be easier to physically secure than multiple smaller machines. It also offers the advantage of letting one application make full use of the super server if other applications are not yet active, or if they experience a reduced load during off-peak hours. By careful scheduling, you can bring a tremendous amount of computing power to bear on your server application.
The distributed computing approach favors multiple, redundant servers each performing a portion of the overall delivery of service. This redundancy reduces the impact of a single machine failure. In a geographically distributed network, it can aid in the placement of server resources on the same fast LAN with client workstations. But it does make physical security a greater challenge and reduces your ability to easily apply a lot of computing power to one task.
See "Building WANs," (Ch. 15)
Of course, your approach need not be one or the other. You can adopt a largely distributed approach, applying an occasional super server if concentrated power is needed for a very demanding application. There is no single correct approach that fits the needs of all organizations.
It makes sense to provide some logical organization for the network. Microsoft has developed several mechanisms for organizing groups of servers and desktop computers. This not only makes it easier to manage the network, but can also simplify things for the user community by making it easier to find a particular shared resource. These logical network structures can also provide a span of control for a security authority.
Some of these structures are used for only one of the BackOffice Server products. An organization is only used when setting up Exchange servers, for example. Only Systems Management Server (SMS) uses machine groups. SMS and Exchange Server both use sites. SQL Server uses server groups. In addition, these structures don't necessarily map directly into the domain structures Windows NT uses to manage security. At first, this may seem arbitrary and needlessly complex. After you understand each of the products better, however, you should see the logic behind some of these differences. The products do different things and different structures are appropriate to manage them.
There is one more thing to remember that may help make sense of all this. Don't make things any more complicated than they need to be. The capability to break computers and users into groups makes it easier to manage them. If natural divisions don't suggest themselves, perhaps you don't need to take advantage of these capabilities. On smaller networks (fewer than 100 users) you may only need the following:
The simplest structure you can use to provide some order on a network is the workgroup. A workgroup, for the purposes of Microsoft networking, is nothing more than a convenient way to restrict browsing for shared resources to a small group of computers. If you want to use a shared laser printer, for example, you don't need to look at a list of all the printers on your entire network. You can simply check through a much smaller list of computers in your workgroup, which are usually in close physical proximity. Therefore, workgroups perform much the same function for networks as subdirectories (or folders) perform for hard disks. They enable you to logically group related items into smaller, more manageable groups.
A workgroup has no role in authenticating a user's identity or enforcing security. Windows NT Servers in a workgroup each have their own account database. If you want to use resources on two different Windows NT Servers in a workgroup (not a domain), you need to have an account on both computers, as shown in Figure 4.1. If you change your password on one server, it does not automatically change on the other.
FIG. 4.1 In a workgroup environment, Microsoft BackOffice servers have separate user accounts and security policies, which means no replication of account information occurs from one server to another.
When you log on to a computer that is part of a domain, you still enjoy all the capabilities of a workgroup. In addition, domains build upon the browsing help offered by workgroups by adding significant security features. All the servers in a domain share the same user account database. As a result, you only need one user account ID and its corresponding password to access shared resources anywhere in the domain.
To establish a domain, you must configure at least one Windows NT Server as a domain controller. This computer contains the master copy of the user account database. It is kept in an encrypted form so that it cannot be read by unauthorized persons, and permissions are set such that it cannot be tampered with or accidentally deleted. The domain controller also keeps the master copy of the policy information regarding passwords. It is possible, for example, to require that all passwords be at least six characters long, and a new password be selected every 90 days.
Unless you have a very small network, you will also want one or more additional domain controllers, sometimes referred to as backup domain controllers. These computers are automatically updated whenever a user account is added, modified, or deleted. If any changes are made to the security policy of the domain, they are also forwarded to all domain controllers, as shown in Figure 4.2. By default, this occurs approximately every five minutes.
FIG. 4.2 In a domain environment, account and security policy information is automatically replicated from the primary domain controller to all other domain controllers.
TIP: A common mistake made by people new to Windows NT Server is to assume that the five-minute interval is too long. In practice, five minutes is usually plenty fast. Try using the network this way for at least a week before going to the trouble to change it. You'll probably find that it is adequate.
After you establish a domain, you can create user accounts and organize users into groups that reflect their computer needs or departmental affiliation in your organization. For example, you might create a group containing everyone who needs to use a particular application or a group containing everyone in the Research Department. After you create accounts and groups, you can use them to assign permissions to access shared resources on your network.
TIP: In general, it is a good idea to assign permissions to groups rather than individual accounts. As new users are added, you simply add them to the appropriate groups, and they will inherit the necessary permissions to use the resources they need. A user can belong to many groups.
An additional feature provided by Windows NT Server is the capability to establish trust relationships between two domains. A trust relationship is set up by the domain administrators for two domains. If domain B trusts domain A, then user accounts and groups from A can be assigned permission to use resources in B. In a very real sense, the administrators of B are trusting the administrators of A to be responsible about security policy and assigning users to particular groups. In Figure 4.3, the domain GAS_STL_EXHIBIT trusts the domain GSULLIVAN.
FIG. 4.3 Establishing a trust relationship between domains involves an exchange of passwords between administrators for the two domains.
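The trust rule just described (if B trusts A, accounts and groups from A can be placed on ACLs in B, but not the reverse) together with the earlier tip about assigning permissions to groups, worked through as an added example that is not code from the chapter or from Windows NT. It goes slightly beyond the text in modelling trusts as one-way and non-transitive, which is how Windows NT 4.0 behaves; the domain names are those of Figure 4.3, while the user names, the Research group and the EXHIBITS share are constructed.

```python
"""Model of Windows NT domain trust and group-based permissions.

Added example, not code from the chapter or from Windows NT itself. It
models the rule stated in the text: if domain B trusts domain A, accounts
and groups from A can be assigned permissions on resources in B, and the
reverse direction needs its own trust. Trusts are modelled as one-way and
non-transitive, as they are in Windows NT 4.0. Domain names follow
Figure 4.3; the users, groups and share name are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Account:
    """A user or group, always qualified by the domain that defines it."""
    domain: str
    name: str

    def __str__(self):
        return f"{self.domain}\\{self.name}"


@dataclass
class Domain:
    name: str
    groups: dict = field(default_factory=dict)  # group name -> set of user names
    trusts: set = field(default_factory=set)    # names of domains this domain trusts


class Network:
    def __init__(self):
        self.domains = {}
        self.acls = {}  # (resource domain, resource) -> set of Account granted access

    def add_domain(self, name):
        self.domains[name] = Domain(name)
        return self.domains[name]

    def trust(self, trusting, trusted):
        """Record that 'trusting' trusts 'trusted' (one direction only)."""
        self.domains[trusting].trusts.add(trusted)

    def can_grant(self, resource_domain, account):
        """An account can appear on an ACL only if it is local to the
        resource domain or comes from a domain that domain directly trusts."""
        rd = self.domains[resource_domain]
        return account.domain == rd.name or account.domain in rd.trusts

    def grant(self, resource_domain, resource, account):
        if not self.can_grant(resource_domain, account):
            raise PermissionError(
                f"{resource_domain} does not trust {account.domain}; "
                f"cannot grant {account} on {resource}")
        self.acls.setdefault((resource_domain, resource), set()).add(account)

    def principals_for(self, user):
        """The user's own account plus every group in its domain that lists it."""
        home = self.domains[user.domain]
        yield user
        for group, members in home.groups.items():
            if user.name in members:
                yield Account(home.name, group)

    def can_access(self, user, resource_domain, resource):
        """True if the user, or any group the user belongs to, is on the ACL."""
        acl = self.acls.get((resource_domain, resource), set())
        return any(p in acl for p in self.principals_for(user))


def build_example():
    """GAS_STL_EXHIBIT trusts GSULLIVAN, as in Figure 4.3. A GSULLIVAN group
    (constructed name: Research) is granted access to a share (constructed
    name: EXHIBITS) in GAS_STL_EXHIBIT, following the tip to assign
    permissions to groups rather than to individual accounts."""
    net = Network()
    gsullivan = net.add_domain("GSULLIVAN")
    net.add_domain("GAS_STL_EXHIBIT")
    net.trust("GAS_STL_EXHIBIT", "GSULLIVAN")
    gsullivan.groups["Research"] = {"alice"}
    net.grant("GAS_STL_EXHIBIT", "EXHIBITS", Account("GSULLIVAN", "Research"))
    return net


if __name__ == "__main__":
    net = build_example()
    alice = Account("GSULLIVAN", "alice")
    print(alice, "->", net.can_access(alice, "GAS_STL_EXHIBIT", "EXHIBITS"))
    # The trust is one-way: GSULLIVAN has not agreed to trust GAS_STL_EXHIBIT,
    # so its administrators cannot put GAS_STL_EXHIBIT accounts on their ACLs.
    print(net.can_grant("GSULLIVAN", Account("GAS_STL_EXHIBIT", "carol")))
```

Adding a new researcher to the Research group is enough to give them the share; the ACL in the resource domain is never touched.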
NOTE: It is common for a domain to correspond to a geographic location or an organizational structure, such as a department.
A single domain can span geographic locations, if necessary. More complex domain models also can be created, using domain trust, to accommodate large numbers of computers and users. A utility included in the Windows NT Resource Kit offers guidance for domain planning. This is an essential activity that should ideally take place before installing your first server. Although it is possible to reorganize your domain design later, it is not a simple process.
NOTE: The Windows NT Resource Kit is a separate product available from Microsoft. It does not ship as a part of the Windows NT package or the Microsoft BackOffice Server package. The Windows NT Resource Kit is a useful product for Windows NT network administrators and should be included as a part of the implementation and administration toolset.
In addition to the workgroups and domains understood by Windows NT, several other structures are used by the other server-based applications in BackOffice Server.
Another structure used by one of the BackOffice Server products is the organization. It is the largest logical entity understood by Exchange Server. An organization usually corresponds to an entire corporation, educational institution, or other similar entity.
Two of the BackOffice Server products, SMS and Exchange Server, enable you to create sites. These do not necessarily correspond to domains, although they can. Sites almost always correspond to a physical site at one geographic location. For Exchange Server, the entire site must be on the same high-speed network; incorporating slower, wide area links into a site causes problems. For SMS, a site corresponds to a group of computers that all report their inventory information to the same site server.
In addition to sites, SMS includes the idea of machine groups. This is a mechanism to form an arbitrary group of computers that need to be managed in the same way. They can be scattered among several sites in disparate geographic areas. Their only relationship is that they are managed together. In a large organization, you might have a single member of the Human Resources department in each regional office, for example. The computers for these users would all likely require the same applications and would, therefore, be good candidates for inclusion in a machine group.
SQL Server enables you to group servers together for administrative purposes. Database administrators (DBAs) can create their own server groups to organize servers for which they are responsible. These groups are set up only at the computer on which they are created. Other administrators can create their own groups on the computers they use to do their work.
When you install Windows NT Server, you configure it to take on a certain role. With version 4.0 of Windows NT Server, the current version, you can designate a computer as either a domain controller or a server. These roles are described in the following sections.
As previously discussed, each domain has one or more domain controllers. These servers each have a copy of the user account database and security policy for the domain. When a user logs on, a logon request is sent out on the network. Whichever domain controller receives the request first checks its copy of the account database and attempts to validate the user's ID and password.
The exact mechanics of the conversation are somewhat more complicated, and the particulars vary depending on how the network is set up. The important things to remember are the following:
Although it can be somewhat confusing, there is a role called server for a Windows NT server in a domain. So a server, running the operating system called Windows NT Server, can be configured as the server role in a domain. With this role, it is possible to configure a computer to participate in domain security without itself validating logons. This role is particularly useful for computers running server-based applications, such as SQL Server. These computers can easily be added to, or removed from, a particular domain because they don't play an active role in account validation. By making a server a member of a domain, you can use accounts from that domain, or any trusted domain, to assign permissions to resources on that server.
When two computers communicate on a network, they need to speak the same language. Just as an American and a native of Japan can't understand each other unless they share a common language, so computers must also use the same language, or protocol, if they are to transmit information to one another.
A network protocol is a detailed recipe for taking information, breaking it into groups or packets, adding some additional control information, and sending it over a wire (or even through the air with some equipment!) to another computer. A variety of network protocols have been developed over the years with different characteristics. The main features of the most widely used protocols supported by Windows NT are outlined in the following sections.
An important factor in deciding how to organize your network and what protocol to use is the size of the network. It is relatively simple to communicate with other computers in physical proximity to your computer over cables specifically designed for computer networking. This type of network is referred to as a local area network or LAN.
If you need to be able to communicate with computers at another geographic location (in another city or country, for example), you will certainly not be able to run your own cable to the other site. You will probably need to arrange to use a cable owned by a telecommunications company (your local phone company, for example) or another service provider. This requires special equipment designed for communication over such lines, and you then have a wide area network or WAN. It is also possible to create a Virtual Private Network (VPN) and connect to your private network over the Internet. See Chapter 9, "Using TCP/IP with Windows NT Server," for more discussion on this topic.
The computer programs implementing a network protocol for a particular operating system are commonly referred to as a protocol stack. When LANs were first developed, it was common to have a single program handle all networking issues. This type of program was called a monolithic stack. Now it is more common for a protocol stack to have separate program components for the network adapter installed in your computer and the particular type of network protocol (for example, TCP/IP) you are using. These specific network protocols are sometimes referred to as transport stacks.
Protocol stacks have the three following significant characteristics:
On computers running DOS or DOS/Windows, the size of the protocol stack is an important issue. DOS-based computers must operate within the constraints of a 640K address space. On more powerful operating systems, such as Windows 95 or Windows NT, this limitation has been eliminated. Therefore, the relative size of a particular protocol stack on Windows NT, for example, is not very important.
The speed of a protocol stack isn't always important, but may be an issue with certain applications where response time is critical. It is difficult to measure the actual speed of a protocol stack because many things affect their performance. Relative performance characteristics are well understood, however, and can help you decide which transport stack to use.
If a transport stack can be used on a WAN to send packets of information across routers to remote network segments, the stack is said to be routable. Routable stacks generally have better error handling capabilities and are, therefore, more resilient when used over slow lines of poor quality. They also carry additional information indicating which network segment they are bound for and may indicate the best path to get there.
NetBEUI (NetBIOS Extended User Interface) is a network protocol developed by IBM and Microsoft for use on LANs of 250 nodes or fewer. It is a small, fast stack, but is not routable. Many people confuse NetBIOS and NetBEUI. NetBIOS is a method of writing network-aware applications that includes a naming scheme, programmatic interface, and messaging protocols. It can be implemented over any transport protocol and is supported by Microsoft on NetBEUI, IPX/SPX, and TCP/IP.
In recent years, NetBIOS-based networks have occasionally been criticized for their use of broadcasts: network packets that are addressed to essentially all devices on the network. Although many networks that implement support for NetBIOS use broadcasts for name propagation and discovery, the use of NetBIOS naming does not necessarily imply an abundance of broadcast traffic. In particular, Microsoft networks implemented on TCP/IP (see the following section, "Transmission Control Protocol/Internet Protocol (TCP/IP)") can use other methods, such as the Windows Internet Name Service (WINS) and a "browsing" protocol, which dramatically reduce the amount of broadcast traffic on the network.
NetBEUI is NetBIOS-based, and does use broadcasts rather heavily for name resolution. It is a good choice for small networks, the environment for which it was designed.
This transport stack was made popular by Novell with their NetWare network products. In its initial incarnation, it did not meet strict requirements for routability; however, Novell has enhanced the transport over the years. Also, because of NetWare's popularity, many WAN vendors adapted their equipment to work with Novell's IPX/SPX. It can, therefore, be successfully used in many WAN environments.
Microsoft networks can be run exclusively over IPX/SPX if you so desire. Early versions of Windows for Workgroups did not support peer networking over IPX/SPX (they required NetBEUI to share files and printers), but the 3.11 release fixed that limitation, and both Windows 95 and Windows NT can provide full network functionality over IPX/SPX. The network protocol that is outpacing all others in the breadth of its use and the richness of its features is TCP/IP.
TCP/IP is a protocol whose time has come. This protocol was developed through the cooperative efforts of the Internet community over the past ten years. As corporations began connecting the many small LANs they had built to form one large WAN, a routable protocol became essential. With the explosion of interest in the Internet, it was inevitable that TCP/IP would become widely used. Many corporations want to attach their corporate WAN to the Internet, and TCP/IP is the protocol of choice.
In comparison to other transports, TCP/IP is generally bigger and slower. Recently, however, improved stacks have been developed that are not much slower than NetBEUI. As a rule of thumb, the latest stacks included with Windows NT and Windows 95 are on the order of 5 to 20 percent slower than NetBEUI. Perform controlled tests in your own environment if you need more exact performance comparisons.
The real benefit of using TCP/IP is, of course, that it is designed for wide area networking and is routable. It performs as well as possible under poor conditions, using slow lines with a lot of extraneous noise. TCP/IP is essential if you want to connect your computer or your entire network to the Internet. It is also the protocol of choice if you intend to use the rich set of Internet tools (e.g., Web servers, chat servers, and streaming media servers) to create a private intranet. For more information, see Chapter 16, "The BackOffice I-Net Toolbox."
The security provided on a Microsoft BackOffice network is potentially controlled by a number of different sources. Basic user logon validation is provided by the network operating system (NOS). This could be either Windows NT Server, Novell NetWare, or another NOS. There are advantages to using Windows NT Server, and it is the only NOS discussed in this section, but some organizations add Windows NT Server as a platform to run server-based applications and continue to use another NOS for user validation and file and print services. The rest of this section describes different security elements provided by Microsoft BackOffice. For a more thorough discussion of Microsoft BackOffice security, see Chapter 7, "Administering Windows NT Server."
It is possible, and even desirable, for users to have a single user ID and password for all Windows NT-based services. By using a single domain, or implementing a master domain model using domain trust, a single account can be granted access permissions on any computer in your organization. Planning for and implementing a domain structure is covered in Chapter 8, "Windows NT Server Directory Services." A domain account enables users to do the following:
This list is just a sample of the kinds of Windows NT-based services that can be accessed with a single ID and password. Being able to integrate the security for all these services with the native Windows NT security subsystem is certainly a powerful feature. This capability is very popular with users who quickly get tired of managing and remembering multiple IDs and passwords. There are reasons, however, that you may not want to allow a single ID and password to be used for everything. If a user ID and password combination is discovered and misused, the results are obviously more traumatic if the compromised account has permissions to many resources.
In some organizations, it makes sense to give the authority over database resources to a separate group of people. The database administrators may feel a need to create a separate set of user accounts that are used solely for database access. SQL Server allows either choice.
See "Using SQL Server Security," (Ch. 35) in Special Edition Using Microsoft BackOffice, Volume 2
NOTE: SQL Server also offers the capability, as an option, to encrypt data as it is transmitted over the network.
There are special security considerations for e-mail. The information included in messages may be extremely sensitive. Exchange Server offers powerful capabilities that augment the simple access control provided by an ID and password. It is possible to encrypt your message to another individual using a public key algorithm. It is also possible to digitally sign your message so that the recipient knows the message came from you, and it has not been altered in any way.
See "Using Exchange Server Advanced Security," (Ch. 31) in Special Edition Using Microsoft BackOffice, Volume 2
Special procedures are also required to enforce security in an I-net environment. There are specific products and protocols that have been created to enable you to send information over the public Internet in encrypted form so that only the intended recipient can understand the information. This is very important in electronic commerce applications where credit card numbers must be transmitted. Methods for identifying yourself and authenticating the fact that you are who you claim to be through the use of certificates are also available. Certificate technology can also be used by an organization to authenticate the identity of its Web site, its servers, and its content.
Proxy servers play a role in securing the network by controlling access to the Internet. By implementing some controls on who can use the Internet, and what services are available, you can decrease the chances that a virus will be inadvertently downloaded to your private network. Please see Chapter 22, "Implementing Microsoft Proxy Server," for more information on Microsoft's proxy server. You can also use proxy servers in conjunction with packet filtering (or screening) routers to limit incoming Internet traffic to just the traffic addressed to the proxy server. This focuses any potential intruder's attack on a single machine, and can make the difficult task of securing your private network against outside access somewhat easier.
See "Network Security," (Ch. 46) in Special Edition Using Microsoft BackOffice, Volume 2
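The screening-router rule described above (let inbound Internet traffic reach only the proxy server) applied to a constructed packet log, as an added example that is not code from the chapter or from Microsoft Proxy Server. The private network range, the proxy address, the log format and every log line are constructed for the example; it shows what such a router would drop and which internal hosts that dropped traffic was aimed at, which is what you would review when checking the filter.

```python
"""Screening-router audit for the proxy layout described above.

Added example, not from the chapter: a minimal packet-filter decision that
admits inbound Internet traffic only when it is addressed to the proxy
server, applied to a constructed packet log so that everything the router
would drop, and which internal hosts it was aimed at, can be reviewed.
The private network, proxy address, log format and log lines are constructed.
"""
import ipaddress
from collections import Counter

PRIVATE_NET = ipaddress.ip_network("192.168.10.0/24")  # constructed
PROXY_ADDR = ipaddress.ip_address("192.168.10.5")      # constructed: the proxy server


def parse_record(line):
    """Parse 'src dst proto dport' into a dict (constructed log format)."""
    src, dst, proto, dport = line.split()
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": int(dport)}


def decide(pkt):
    """Return ('permit' | 'deny', reason) for one packet.

    Only traffic arriving from outside the private network is screened;
    of that, only packets addressed to the proxy server are allowed in.
    """
    if pkt["src"] in PRIVATE_NET:
        return "permit", "originates inside the private network"
    if pkt["dst"] == PROXY_ADDR:
        return "permit", "inbound to proxy server"
    if pkt["dst"] in PRIVATE_NET:
        return "deny", "inbound to internal host other than the proxy"
    return "deny", "not addressed to this network"


def audit(lines):
    """Apply the policy to every record; return the per-verdict tally and
    a count of internal hosts that denied inbound packets were aimed at."""
    tally = Counter()
    targeted = Counter()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pkt = parse_record(line)
        verdict, _ = decide(pkt)
        tally[verdict] += 1
        if verdict == "deny" and pkt["dst"] in PRIVATE_NET:
            targeted[str(pkt["dst"])] += 1
    return tally, targeted


# Constructed sample records: src dst proto dport
SAMPLE_LOG = """
# Web responses coming back to the proxy's client-side ports
203.0.113.7   192.168.10.5   tcp 1234
203.0.113.7   192.168.10.5   tcp 1235
# Proxy fetching a page on behalf of an internal user
192.168.10.5  203.0.113.7    tcp 80
# Outside host sending packets straight to internal machines;
# this is the traffic the screening router exists to drop
198.51.100.9  192.168.10.20  tcp 139
198.51.100.9  192.168.10.21  tcp 139
198.51.100.9  192.168.10.20  tcp 135
"""

if __name__ == "__main__":
    tally, targeted = audit(SAMPLE_LOG.splitlines())
    print(dict(tally))     # {'permit': 3, 'deny': 3}
    print(dict(targeted))  # {'192.168.10.20': 2, '192.168.10.21': 1}
```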
As discussed earlier, a service is a special type of program designed to run unattended on a Windows NT server. Every service runs in its own security context. In other words, a service runs in the context of a particular account just as regular users do. You can run services using a special type of account, called a system account, or you can define an account specifically for use by a service.
A system account has access privileges only on the computer on which it is defined. This can be a problem if it is a service that needs to communicate with other similar services on other computers. Clearly, in an e-mail system, some services need to have access privileges on more than one computer. This is also true in a SQL Server environment where data replication is desired. In addition, some Web site implementations use a member of the BackOffice family called the Content Replication System to move information among I-net servers. In these situations, it is important to define a service account that is used as the security context for the service.
If you have a single domain, your service account is a regular domain account. In a master domain environment, you would want to create your service accounts in the master domain, even though most services are likely to be run in a resource domain.
See "Creating a Service Account," (Ch. 7)
On many networks, it is important to provide access to users who need to connect from their homes or from a hotel as they travel. Windows NT Server includes the Remote Access Service (RAS). With this service, and the addition of some specialized hardware, you can attach up to 256 modems to a single Windows NT server. Remote users can then use a modem to dial this server and attach to the network. They do not need to have a network adapter in their computer because they will not be attached directly to the network cable plant. A modem connection is slower than typical network speeds, even with high-speed modems using compression technology. You can think of them as full-fledged users attached to the network through a slow line. Users connected in this way are usually able to access all network services.
TIP: To attach 256 modems to a single server, you would need a relatively powerful computer with more than one processor. It makes sense to use two or more computers with fewer modems to provide some redundancy and eliminate single points of failure.
RAS is a powerful service that can greatly extend the reach, and the usefulness, of your network. By enabling users to connect from remote locations, you can offer them network services almost anywhere. RAS supports connectivity through multiple mechanisms. The most common are as follows:
For more information, see Chapter 11, "An Inside Look at Remote Access Service (RAS)."
By far the most common means of connecting is the third: standard telephone lines. With relatively high-speed modems (14.4K baud or better) you can get very acceptable performance. Many modems now available include the capability to compress and decompress information on the fly. This can yield an effective throughput rate that is approximately double the rated speed, or better, depending on the type of information you are transmitting.
RAS access is particularly suited to client-server applications that minimize the amount of information transmitted from one computer to another. For example, in a typical database operation, a small query is sent to the database engine on the server. Only the resultant answer set is sent back over the wire. Large indexes are kept and used on the server and need not be transmitted to the (remote) desktop client.
Another method for providing network connectivity to remote users is available from other vendors. This method enables one computer to remotely control a network-attached computer's mouse, keyboard, and display over a modem connection. An advantage of this configuration is improved speed because only typed keystrokes and the resulting screen changes need to be transferred across the wire. The downside is the need to have two computers dedicated to a single user's activity for the duration of the connection. If you need ten active connections, you must have twenty computers, two for each connection.
With the design of RAS, on the other hand, the remote access connection takes the place of the network attachment. No additional locally attached computer is required. All network traffic destined for the client computer is transmitted over the RAS connection. Using RAS to provide ten active connections would require only eleven computers: the server and ten workstations. RAS therefore provides a cost-effective method for remote network access.
To connect to a RAS server, you must use special RAS client software. You cannot use standard asynchronous communications software. Fortunately, the RAS client software is included with Windows NT, Windows 95, and Windows for Workgroups. RAS software for Windows and DOS-based systems is included on the BackOffice Server CD.
The procedures for setting up RAS are covered in more detail in Chapter 12, "Implementing Remote Access Service (RAS)," but an overview is presented here to aid in planning, as follows:
After you have made a connection, you can access and use any of the services on the network, including shared resources, such as files and printers, and server-based applications like SQL Server databases.
You should now have a better picture of the way Windows NT Server can be used to build a large enterprise network and how individual servers participate. You've also learned some important terminology as well as the basics of Windows NT and BackOffice security. In Chapter 5, "Implementing Windows NT Server," you learn exactly how to set up Windows NT Server on a computer, and how to configure it to perform the tasks you've been learning about. For more information on some of the topics addressed in this chapter, consult the following chapters:
© Copyright, Macmillan Computer Publishing. All rights reserved.