Configuring Windows 2000 without Active Directory P2

Chia sẻ: Thach Sau | Ngày: | Loại File: PDF | Số trang:10

0
36
lượt xem
4
download

Configuring Windows 2000 without Active Directory P2

Mô tả tài liệu
  Download Vui lòng tải xuống để xem tài liệu đầy đủ

Armed with this information and a clear view of what is possible with Windows 2000 when running it outside an Active Directory domain (and what isn’t possible without Active Directory) you will then be better equipped to dive into the standard Microsoft documentation and build on this knowledge.

Chủ đề:
Lưu

Nội dung Text: Configuring Windows 2000 without Active Directory P2

  1. 12 Chapter 1 • Why Not Active Directory? environment, but without having to also take on Active Directory. All too often, standard Windows 2000 literature discusses new features only in the context of Active Directory so that you may not be aware of what features and services you can use (and how) independently from Active Directory.Therefore, you’re being asked to learn Active Directory, the new features, and the new interface all at once—which usually relegates it to a testing environment or your home study network.This book aims to provide the information you need to start using Windows 2000 productively in your current working environment. Armed with this information and a clear view of what is possible with Windows 2000 when running it outside an Active Directory domain (and what isn’t possible without Active Directory) you will then be better equipped to dive into the standard Microsoft documentation and build on this knowledge.This then may or may not include Active Directory features—but the choice will then be yours, rather than having it decided for you. By knowing what is possible without Active Directory and how to imple- ment it, you should gain a level of knowledge and a perspective that is difficult to obtain from the standard Microsoft documentation.Throughout the book we will have special information sidebars for IT implementers where the topic identifies a relevant Configuring & Implementing consideration to help provide addi- tional technical information. Microsoft Certified Professionals and System Engineers Although not specifically aimed at MCPs and MCSEs, this book may also be of benefit to MCP/MCSE candidates looking to supplement their Windows 2000 exam knowledge and extend it into the realities of the workplace. It may also help NT professionals transition their skills to Windows 2000 because new features can be learned within the context of a Windows NT 4.0 domain, instead of trying to take these on board at the same time as learning Active Directory.There’s nothing so reassuring as starting from familiar ground rather than feeling as if you’re starting everything from scratch again. Interestingly, Microsoft’s fairly recent addition of exam 70-244, “Supporting and Maintaining a Microsoft Windows NT Server 4.0 Network” (available since April 2001), shows its acknowledgment that Windows NT 4.0 domains are still prevalent in the workplace and as such need to be supported by competent professionals. While the other Windows 2000 exams assume an Active Directory context, in reality MCP/MCSE professionals will find it the exception and not the norm that they will be given Active Directory Enterprise permissions—so they must know which features they can configure and use independently from Active www.syngress.com
  2. Why Not Active Directory? • Chapter 1 13 Directory in a typical departmental setting. Note, however, that this book is not written as a MCSE study guide for a specific Microsoft exam; there are plenty of good alternatives for these already. What This Book Will Cover This book will cover a wide range of topics that encompass a diversity of the new features and services that Windows 2000 offers.This will include everything from features particularly relevant for workstations, laptops, and servers, to specific services such as IIS and Certificate Services,Terminal Services, and Remote Access to networking services such as Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP), Internet Protocol Security (IPSec), and Network Address Translation (NAT). All these and more will be explained outside the context of Active Directory—clearly outlining what is pos- sible and what isn’t, and also what is possible with certain limitations. Additionally, each chapter contains a walkthrough that includes step-by-step information on how you might implement some of the features covered in the chapter.These are practical exercises that reinforce some of the chapter contents and that should be useful on most production environments to help provide some hands-on experience. Chapter 2:Workstations Many people have Windows 2000 now as their standard desktop operating system, but they might not realize how to make the most of the new features it offers. In fact, I’ve often seen people treat Windows 2000 as if it were Windows NT 4.0 with the interface annoyingly changed, totally unaware of the new features and benefits “under the hood,” just there for the taking! The new interface isn’t to everybody’s liking, but it is highly configurable—if you know where to look. Windows 2000 is often chosen for stability and reliability reasons, and it has certainly earned its reputation for better stability and reliability than previous operating systems. Are you aware, though, of how that is accomplished and how you can configure and fine-tune this? For example,Windows File Protection helps to address the “DLL hell” we got used to seeing with incompatible versions of files, but it comes at the cost of disk space. Knowing how this works and how you can configure it gives the choice back to you, rather than relying on the operating system to make choices for you.When disk space on the operating system partition is tight (often an issue if upgrading), knowing how to configure the DLL cache can make the difference between being able to upgrade to Windows 2000 without repartitioning your disk and not being able to install it. www.syngress.com
  3. 14 Chapter 1 • Why Not Active Directory? Active Directory Group Policies have had a lot of coverage as being one of the biggest reasons to migrate to Active Directory so that you can centrally con- trol and secure users’ and computers’ environments.They offer far more extensive configuration options than System Policies ever did—and they do so without tattooing the registry. But did you realize that you can use them outside Active Directory, even within a Windows NT 4.0 domain? Local Group Policies are one of Windows 2000 best-kept secrets! Using them together with security tem- plates, you can centrally configure and deploy your security and administrative templates on Windows 2000 computers—for example, you can lockdown desk- tops for users and enforce tight security configurations. Chapter 3: Laptops It’s not difficult to see why the laptop market was the first to embrace Windows 2000. It offered the Plug and Play (PnP) features and Device Manager loved in Windows 9x, but with the secure logon and NTFS security that was needed for a mobile existence. Added onto that, EFS, the Encrypting File System in Windows 2000, offered increased protection, which was a new security feature that was easy to use immediately without Active Directory. But you do know how to best use EFS and what restrictions and limitations it has? Do you want to disable it to ensure that you don’t end up with inaccessible files, but you are not sure how to do that without Active Directory? Those are some of the best-known features and reasons for running Windows 2000 on laptops, but it also offers some great new features for integrating a mobile environment with the corporate network—including automatic hardware profiles and a Synchronization Manager. Files and content can be cached when the laptop is online, which can then be used when the laptop is disconnected and synchronized when next online.This can greatly improve productivity, reduce bandwidth, and help eliminate the problems of lost modifications when multiple versions are used. Other new features applicable for the laptops include the new Power Management options and general Windows 2000 maintenance and trou- bleshooting utilities that are particularly relevant for laptop users—such as the Task Scheduler and advanced boot options for when the laptop is urgently needed but many miles away from the IT Help Desk! www.syngress.com
  4. Why Not Active Directory? • Chapter 1 15 Chapter 4: File and Print Services The workhorses of the network that fulfill various file and print services have a lot to gain from Windows 2000. Storing and retrieving data can be made easier with features such as Distributed File System (Dfs) to help you reorganize shares without actually moving any data, an Indexing service that lets users search for files and content across the network, and disk quotas to help you control and plan disk storage and capacity. Disk management has become easier with the new dynamic disk storage pro- viding on-the-fly changes without rebooting. Remote disk management is now possible, and the Remote Storage service can provide instant increased disk storage by dynamically migrating less often used data to tape.The built-in backup utility has an improved interface with an inbuilt graphical scheduler, and you can now leave Performance Monitor running as a service to help keep an eye on the general health of your servers (for example, emailing the administrator when crit- ical factors such as low disk space and memory are identified). There’s plenty of printing improvements too, including support for the new Internet Printing Protocol (IPP), which allows intranet and Internet users to install and manage their printers through a browser. Chapter 5:Terminal Services I think Windows 2000 Terminal Services earns its spot as my favorite feature in the Windows 2000 feature set. Now part of the base operating system rather than a separate product,Terminal Services is installed as a service just like any other operating system service. Best of all, it comes in two flavors: Administrator Mode and Application Mode. Administrator Mode requires no additional licensing considerations with the only drawback being the maximum simultaneous connections being restricted to two. It allows administrators to remotely log onto a Windows 2000 server (run- ning this service) and remotely administer it as if they were sitting in front of it. It’s ideal for low-bandwidth connections because all the programming execution stays on the server—only screen and mouse/keyboard data is transmitted. And it’s secure because you can use 128-bit encryption, and it’s firewall friendly in that it doesn’t use remote procedural calls (RPC) that most firewalls block. It’s difficult to see why you wouldn’t install this on all Windows 2000 servers. Application Mode is how most people currently think of a terminal server— servicing applications to users in a true multiuser environment. It’s an easier envi- ronment to control and maintain because everything is held centrally in one www.syngress.com
  5. 16 Chapter 1 • Why Not Active Directory? place. Conversely, there may be times when you want to integrate that environ- ment with the user’s local operating system, so you need to know whether this is possible and how.Terminal Services means that any Windows 32-bit user can have a Windows 2000 operating system environment—without having to change his or her hardware.This could be a permanent arrangement in an attempt to centralize all applications and administration or a stepping-stone as you slowly migrate users’ desktops to Windows 2000. There are some great new features and improvements in Windows 2000 Terminal Services that previously were possible only with the Citrix add-on, Metaframe—for example, improved throughput, mapping of local printers and drives, copying files between the two systems, and, of course, shadowing (which Microsoft calls Remote Control), which lets an administrator see and take over a user’s session. Particularly for remote sites, the last feature can be a godsend for IT Help Desks and dramatically reduce user problems and increase the turnaround of logged calls. I found that additional features supplied with Service Pack 1 (interestingly no longer included with Service Pack 2 but downloadable from the Microsoft site), and from the Windows 2000 Server Resource Kit were indispensable for produc- tion use of Terminal Services, and so I’ve included these in this chapter. The only fly in the ointment with Windows 2000 Terminal Services is the new requirement for running Terminal Services Licensing.You must run these when running Windows 2000 in Application Mode.They require consideration before installation, and for this you have to know exactly how they work and what configuration options you have. Once you have identified Terminal Services as a possible resource for your company, learn about Terminal Services licensing requirements before you make any deployment plans! Chapter 6: Networking Services— DNS, DHCP,WINS, and NLB At the heart of any network lie the networking services that make it possible for computers to communicate with each other.With the acceptance that not all networks have high bandwidths and must often integrate with other networks (including the Internet) and non-Windows computers,Windows 2000 net- working services such as DNS, DHCP, and WINS have had a vital overhaul. Microsoft has had to do this because Active Directory has been its focus of Windows 2000, and Active Directory relies on a reliable networking infrastruc- ture. Quite simply, if there are TCP/IP problems there will be Active Directory www.syngress.com
  6. Why Not Active Directory? • Chapter 1 17 problems. Although you might not be ready to move to Active Directory, there is no reason why you can’t benefit from those networking services improvements. Although DNS, DHCP, and WINS are independent services, they work so closely together to produce the same goal of computer-to-computer communica- tion that it is difficult to talk about one in isolation from the others. Each involves central management, configuration control, and security.The Network Load Balancing (NLB) built into Windows 2000 Advanced Server (and Datacenter Server) also offers high availability and load balancing of networking services.With a view to distributed networking, scalability, and reliability, Network Load Balancing complements the Windows 2000 networking services very well. Chapter 7: Internet Services— IIS5 and Certificate Services There are some great improvements to IIS, which no doubt help to account for some of the Windows NT 4.0 server upgrades to Windows 2000 outside Active Directory.There are improvements in reliability, administration, security, and per- formance—all good news for standalone public Web servers. Many of these are hidden, behind-the-scenes changes, so it pays to know exactly what they are and how they function. There are also improvements for the intranet environment with WebDAV (Web Distributed Authoring and Versioning), as Microsoft continues to blur the distinction between Web servers and file servers, making the browser a universal desktop interface. Certificate Services is a separate service to IIS, but it’s easy to see how the two complement each other—particularly outside Active Directory. Certificate Services complements IIS by offering server and user certificates for a highly secure form of authentication and encryption. IIS5 complements Certificate Services by offering its Web-based certificate forms for requesting and receiving certificates.These certificates can be for both user authentication (for example, used with Web authentication) and also computer authentication (for example, used with IPSec). When installing and configuring Certificate Services outside Active Directory, you have the choice only of installing it in Standalone mode, not in Enterprise mode, which requires Active Directory. Most Windows 2000 docu- mentation that covers Certificate Services assumes an Enterprise installation, and so it can be frustratingly difficult to try to use Certificate Services and associated www.syngress.com
  7. 18 Chapter 1 • Why Not Active Directory? utilities outside Active Directory.This chapter is the exception, where it assumes and concentrates on a Standalone installation. Chapter 8: Secure Communication—IPSec This chapter builds on the previous chapter because it covers using computer certificates that are requested and granted with Certificate Services and IIS5. Computer certificates are an alternative authentication method to Kerberos when using IPSec, and although Kerberos is the default authentication (except with L2TP/IPSec) you cannot use Windows 2000 Kerberos outside Active Directory. Computer certificates make IPSec possible and secure when used outside Active Directory. In addition to explaining the authentication methods, this chapter explains how the built-in IPSec policies work and how you must modify them when out- side Active Directory. It also explains the various components and utilities that support IPSec. Additionally, it covers how to build your own custom policies so that you are firmly in control of what traffic you accept and block and how to track and monitor it. This chapter is very much a need-to-know and hands-on, practical look at implementing IPSec rather than offering a theoretical exploration of how cryp- tography-based security works. I’ve found this level of detail very difficult to find elsewhere, particularly when implementing IPSec outside Active Directory. And yet to me, this is what network administrators should focus on as a starting point in implementing IPSec. Chapter 9: Remote Access— RAS,VPN, IAS, and CMAK The improved VPN support is well known in Windows 2000, and it’s usually L2TP/IPSec that grabs the limelight for this. I think the new remote access policies are the greatest improvement for securing and fine-tune configuring a server for remote access connections.These apply for dialup, for PPTP and L2TP/IPSec VPN connections, and when using IAS (Internet Authentication Service). Somehow remote access policies have earned the reputation of not being applicable outside Active Directory, and this is just not true.What is true is that they must be config- ured slightly differently when used on a Windows 2000 member server within a Windows NT 4.0 domain, so it’s vital to understand exactly how they work. Although L2TP/IPSec can offer greater security, it will not be the best choice for everybody because it has greater overhead in terms of server resources www.syngress.com
  8. Why Not Active Directory? • Chapter 1 19 and administrative overhead (server and remote computer both need computer certificates, for example). Not all platforms support IPSec either.When L2TP/IPSec is not an appropriate choice, you need to know how to configure PPTP with the tightest security. When L2TP/IPSec can be used, this chapter explains how this can be config- ured outside Active Directory, exactly what security is being used, and how you can monitor it.You may be surprised by some of the defaults Microsoft selects for you, and you may want to change them. CMAK is the Connection Manager Administration Kit, which allows admin- istrators to deploy central connection details bundled into a dialer.This means remote users have to run only your supplied executable to easily connect to your remote access services.You can use either a static phone book to supply the actual connection details or a dynamic phone book that the user checks each time he or she connects and automatically downloads any changes. Not only can this look very professional—for example, by customizing the dialer with com- pany logos and a personalized message with Help Desk details—but it can also dramatically reduce Help Desk calls from remote users trying to set up and/or amend the required connection details. For example, although Windows 2000 Professional can automatically prompt for an underlying ISP connection to be made before a VPN connection, down-level clients do not. Many users simply do not understand or forget that they should first connect to their ISP and then make an additional connection to the VPN server.The custom dialer can be con- figured to do this automatically for the user. Chapter 10: Internet Connectivity— ICS, NAT, and ISA Server All three of these Microsoft solutions—Internet Connection Sharing, Network Address Translation on RRAS, and the Internet Security and Acceleration Server—offer different solutions for connecting multiple workstations on a local area network to the Internet, by means of one computer that is connected to both the internal and external network. Obviously, they differ in complexity and functionality, and it’s important to know their differences as well as similarities so that you can better judge which of these solutions (if any) is suitable for your network’s Internet connectivity. ICS as the poor relation often gets bad press because of its simplicity, but when you look at its actual abilities, it’s surprisingly adept at meeting many connectivity needs. NAT, it is true, does offer much better monitoring facilities and more www.syngress.com
  9. 20 Chapter 1 • Why Not Active Directory? flexibility in configuration—for example, it is able to take advantage of multiple public addresses and reserve certain addresses for specific services. Neither, how- ever, can accommodate controlling access by users—and to do this you’ll need something more like ISA Server, which is the Windows 2000 upgrade to Microsoft Proxy Server 2. ISA Server has a lot more to offer than just controlling user access—highly configurable caching, bandwidth control, and firewalling features are only some of its impressive feature set. As an additional product (not built into the operating system like ICS and NAT), it’s important to appreciate exactly how this product works with its limitations and restrictions as well as its features. For example, although it was written to integrate with Active Directory, unlike Exchange 2000 it can be used both inside and outside Active Directory. Some of the features you might want to use may be available only when it’s integrated with Active Directory, and it’s important to realize this if you are currently running a Windows NT 4.0 domain.This is particularly important if you’re planning to upgrade Proxy Sever 2 while Microsoft is offering an attractive upgrade deal. If you are not installing ISA Server into Active Directory you may lose some of the functionality you had (such as arrays). It’s very important to realize all the impli- cations of upgrading, and I’ve found that Microsoft documentation generally assumes that an ISA Server that is required for caching will be installed in Active Directory, and that only the firewall features will be installed on computers out- side Active Directory.While this chapter cannot cover each ISA feature and how to configure it, it will outline the new features and cover upgrading issues and how to configure/install it outside Active Directory. Appendix A:The Windows 2000 Microsoft Management Console Common to most Windows 2000 graphical configuration utilities is the Microsoft Management Console (MMC). In my experience, most people find this intuitively easy to use at its basic level, and so throughout the book I’ve made the assumption that step-by-step instructions are not required on how to navigate around the MMC when using the built-in Administrative tools. Some people, though, may not be as comfortable with creating custom MMCs, and these can make an administrator’s life much easier—for example, having one MMC configuring/monitoring one service that is running on mul- tiple servers. Or conversely, monitoring multiple services from the same computer www.syngress.com
  10. Why Not Active Directory? • Chapter 1 21 that are logically linked—for example, DNS and DHCP, or the Security event log with IPSec policies so that you can easily monitor which policies are being used. I don’t understand why administrators don’t use custom MMCs like this more often and logically group together tools that they frequently use. It’s so much easier to call up a single MMC with everything you need rather than having to load lots of different MMCs and then on each having to navigate to the correct level. It’s incredibly quick and easy to create custom MMCs, so I can only conclude that most administrators are not aware or forget that this is pos- sible.This technique also works well with remote administration and the pow- erful RunAs command that lets you call up an application with an administrator’s privileges while still logged on with a standard user account. Other people may not be aware of the true flexibility and power of the MMC—for example, creating and using Taskpads as simpler GUI utilities that can be easily distributed for delegated administration or integrated into applications. ISA Server, for example, makes good use of MMC Taskpads, as Chapter 10 shows.With its Web-based support, I suspect using MMC Taskpads is another area that Microsoft and vendors will continue to develop, in line with the PC-to-Web integration concept that is prevalent throughout Microsoft’s new features and platforms.This appendix serves as a good introduction to creating your own Taskpads without any programming knowledge so that you too can leverage the simplified user interface. What This Book Won’t Cover Because this book is aimed at explaining and highlighting what is possible without Active Directory, it won’t cover the basics of Active Directory architec- ture, how to migrate to Active Directory, or how to configure features within Active Directory. It will not concentrate on Windows 2000 features that rely on Active Directory, although these may be pointed out where applicable. For example, we may cover features that can be used outside Active Directory but in a limited form or that will be enhanced or changed once running in an Active Directory environment.These can then be flagged as considerations for a future migration—for example, influencing your Active Directory design or timescales. Or you may need to add to the Active Directory deployment additional reconfig- uration to ensure that the new features can be used. One example of this is making full use of dynamic name registration with Windows 2000 DNS and DHCP, which is possible even if you’re running down- level clients in a Windows NT 4.0 domain.Without Active Directory you won’t www.syngress.com
Đồng bộ tài khoản