Microsoft's slogan - 'Easy to deploy, use, and manage' - does have a ring of truth. However,
it does rely on you having the knowledge and skill to make your Windows Server 2003
fulfil its potential. I must confess that even though I am familiar with the different
types of server, every time I checked with the 'Configure Your Server Wizard', I found
at least one feature that I would otherwise have missed, so my mantra became 'Give the
wizard a chance'.
Certain server roles are best combined, for example domain controller, DNS, and DHCP, whilst
other roles are better on their own server, for example I would separate email
(Exchange) from Terminal Services.
Active Directory is a huge topic in itself. While DCPROMO is easy to run, planning
both the physical and the logical structure is the key to a trouble-free Active
Directory.
Good news: in Server 2003 you can rename both the domain itself and the domain
controller (renaming was greyed out in Windows 2000).
Domain controllers do not have to be your most powerful machines; however, they must
be reliable and always available to answer logon requests.
Decide which DCs will hold which FSMO (Flexible Single Master Operations) roles.
By default, only the first server is a GC (Global Catalog). Having at least one GC on
each site will improve any service which makes an LDAP request for Active Directory
names.
Install the Replication Monitor from the Support folder of the Server CD.
Active Directory absolutely relies on DNS, which is why you must become an expert on
configuring DNS. Once DNS is set up, it runs itself thanks to the new dynamic
component, hence DDNS (Dynamic DNS). TCP/IP knowledge plus an understanding of how DNS
works is essential when troubleshooting connectivity problems.
What DNS does is enable client machines to resolve servers' IP addresses. Once the
client finds the server, Active Directory uses LDAP to locate the services that
clients request, such as Kerberos and the Global Catalog.
Your first domain controller can be tricky to set up. To begin with, plan, then check
the Computer Name found in the System icon. Before you run DCPROMO make sure you have
the correct Primary DNS Suffix; drill down through the More.. button.
My tactic is to do as little configuring of the forward lookup zone as possible and
leave it all to the DCPROMO wizard. Once Active Directory creates the forward lookup
zone, I configure Active Directory integration to replicate DNS records to the other
servers. Then I manually create the reverse lookup zone, add PTR records and check
with NSLOOKUP.
If you are troubleshooting DNS _SRV records, try stopping and starting the Netlogon
service.
Make it your reflex to install DNS on domain controllers.
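The DNS checks around DCPROMO described above, collected into one cmd-prompt script. This is an added example and not part of the original article; the domain example.local, the host dc1 at 10.1.1.2 and the 10.1.1.0/24 subnet are placeholder values, and dnscmd assumes the Windows Server 2003 DNS server tools are installed on the machine where you run it.

```batch
@echo off
rem Added example, not from the original article. Placeholder values:
rem domain example.local, this DC is dc1 at 10.1.1.2 on subnet 10.1.1.0/24.
rem Run from an elevated cmd prompt on the domain controller.

set DOMAIN=example.local
set DC=dc1
set DCIP=10.1.1.2
set REVZONE=1.1.10.in-addr.arpa

rem 1. Before DCPROMO: confirm the Primary DNS Suffix and host name that the
rem    System icon > Computer Name > More.. dialog writes to the registry.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "NV Domain"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v Hostname

rem 2. After DCPROMO has built the forward zone: create the reverse lookup
rem    zone as Active Directory integrated and add the DC's own PTR record.
dnscmd /ZoneAdd %REVZONE% /DsPrimary
dnscmd /RecordAdd %REVZONE% 2 PTR %DC%.%DOMAIN%.

rem 3. Check both directions with NSLOOKUP (name to IP, then IP to name).
nslookup %DC%.%DOMAIN%
nslookup %DCIP%

rem 4. Check the _SRV records clients use to find LDAP, Kerberos and the GC.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN%
nslookup -type=SRV _kerberos._tcp.%DOMAIN%
nslookup -type=SRV _gc._tcp.%DOMAIN%

rem 5. If any SRV record is missing, restart Netlogon so it re-registers them,
rem    then repeat step 4.
net stop netlogon
net start netlogon
```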
(All I want to say about WINS is plan to phase it out, you only need it for
Windows 9x clients.)
I used to think you needed a DHCP server on every subnet, but now I recommend just two
DHCP servers sharing each scope, with a DHCP relay agent on each subnet. DHCP fits in
well with DNS and domain controllers, so I would install DHCP on selected domain
controllers.
Once you have installed DHCP, there is much configuration work. But before you do
anything else, you must authorize the DHCP servers in Active Directory. I believe this
authorization is a device to make you stop and think 'do I need another DHCP server?'
Officially the authorization is to prevent rogue techies installing an extra DHCP
server whenever it takes their fancy.
Now you are ready to decide which of the numerous Scope Options to configure, e.g.
003 Router, 006 DNS Servers.
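The authorize-first order and the two-servers-per-scope layout from the paragraphs above, as an added cmd example that is not from the original article. The servers dhcp1 and dhcp2 (installed on the domain controllers at 10.1.1.2 and 10.1.2.2, which are also the DNS servers), the router 10.1.1.1 and the domain example.local are placeholder values; the relay step assumes a Windows Routing and Remote Access box on the subnet that has no DHCP server of its own.

```batch
@echo off
rem Added example, not from the original article. Placeholder values:
rem dhcp1 = 10.1.1.2 and dhcp2 = 10.1.2.2 (both domain controllers and DNS
rem servers), router 10.1.1.1, domain example.local, scope 10.1.1.0/24.
rem Run from an elevated cmd prompt as an Enterprise Admin, because
rem authorization is written into Active Directory.

rem 1. Authorize both servers first; an unauthorized Windows DHCP server
rem    will not hand out leases. Review who is already authorized before adding.
netsh dhcp show server
netsh dhcp add server dhcp1.example.local 10.1.1.2
netsh dhcp add server dhcp2.example.local 10.1.2.2

rem 2. Create the same scope on both servers with the 003 Router, 006 DNS
rem    Servers and 015 DNS Domain Name options.
for %%S in (dhcp1 dhcp2) do (
  netsh dhcp server \\%%S add scope 10.1.1.0 255.255.255.0 "LAN 10.1.1.0" "Shared scope"
  netsh dhcp server \\%%S scope 10.1.1.0 add iprange 10.1.1.10 10.1.1.250
  netsh dhcp server \\%%S scope 10.1.1.0 set optionvalue 003 IPADDRESS 10.1.1.1
  netsh dhcp server \\%%S scope 10.1.1.0 set optionvalue 006 IPADDRESS 10.1.1.2 10.1.2.2
  netsh dhcp server \\%%S scope 10.1.1.0 set optionvalue 015 STRING example.local
)

rem 3. Exclude complementary ranges so the two servers share the pool without
rem    ever offering the same address: dhcp1 owns .10-.199, dhcp2 owns .200-.250.
netsh dhcp server \\dhcp1 scope 10.1.1.0 add excluderange 10.1.1.200 10.1.1.250
netsh dhcp server \\dhcp2 scope 10.1.1.0 add excluderange 10.1.1.10 10.1.1.199

rem 4. Activate the scope on both servers.
for %%S in (dhcp1 dhcp2) do netsh dhcp server \\%%S scope 10.1.1.0 set state 1

rem 5. On a subnet with no DHCP server, the RRAS relay agent forwards client
rem    broadcasts to both servers (a hardware router would use an IP helper).
netsh routing ip relay install
netsh routing ip relay add dhcpserver 10.1.1.2
netsh routing ip relay add dhcpserver 10.1.2.2
netsh routing ip relay add interface "Local Area Connection"
```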
More Information. As an MCT trainer, I can thoroughly endorse TrainSignal because they
deliver practical, hands-on training. In particular, I like the way that TrainSignal
covers all learning methods: instructor-led, video and of course text material. You can
either take one module, for example File Server, or go for a combination of modules.
See more about Windows 2003 training here.
Unlike the above roles, file servers should be member servers; installing Active
Directory here would be a disadvantage. Here is your checklist of features for a file
server that you might wish to deploy:
Disk Quotas - NTFS partitions
Share and NTFS Permissions - Share Wizard, here is a wizard I really like
Offline Settings for laptops
DFS and/or RAID
Indexing service (Forgotten Service)
New feature - Shadow Copies
File servers have always combined well with print servers.
Print servers probably show the greatest variation of machine: from dedicated print
servers, to printers hanging off domain controllers, to 'Jet Direct' printers with
their own network cards. In my experience there is a contrast between the software
settings, which are easy to configure, and the hardware, which constantly cries for
attention, e.g. paper jam, 'out of toner'. Here is a checklist for the software
components of your print server:
The sort of applications that I mean are databases, e.g. SQL, or web servers, e.g. IIS.
There is rarely any advantage in installing Active Directory on application servers,
and often this combination creates problems as Active Directory and application
services fight for resources or control of components. So install application servers
on their own member server.
Authentication is important for all server roles, but fail to tie down permissions on
an application server and you could find sensitive company information being made
available to everyone. Failure to control security could also invite hackers to attack
your data.
So, delve into all aspects of security on your database servers.
There are extra hardware considerations for your application server. Pamper your
database 'crown jewels' with hardware RAID. Get a trial of clustering. Clustering is
technically interesting, is the way of the future and will take reliability to another
level. Convince whoever holds the purse strings that the greater availability and less
downtime will pay for clustering.
Guy recommends: The SolarWinds ipMonitor
My attraction to ipMonitor is because it inhabits that zone of part work, part play;
Guy just could not put the dashboard away. This excellent performance monitor will get
you started in the quest to remove bottlenecks on your network. SolarWinds provides
this fully-functioning product free for 21 days. So download and install ipMonitor,
then start scrutinizing your computers' CPU, memory and disk performance. You can also
select from zillions more performance counters such as fan temperature and battery
level.
Installing ipMonitor is a breeze, but learn from gung-ho Guy's mistake and install SNMP
on each computer that you wish to monitor. What sealed my unreserved recommendation of
SolarWinds is their support team; you will get expert help even when you are
evaluating ipMonitor. One last point: SolarWinds are offering a 40% discount until
Sept 26th.
Mail servers benefit from being on their own server, separate from domain
controllers and separate from database servers like SQL. Your checklist
should include:
Authentication
DNS (MX) record
Site Connectors, SMTP connectors
SMTP service, SMTP virtual server object
POP3 and IMAP server objects
Firewall
Configuring Mailboxes
OWA (Outlook web access)
(Client's Outlook)
Install WinRoute from the Exchange 2000 CD to check mail routing.
Rather exotic perhaps, but if you do need to support clients who need audio or video
services, then there is a separate Windows Media Service to install through Add or
Remove Programs, Windows Settings.
Terminal Services is Microsoft's thin client solution. The Windows 2003 server does all
the processing, and the clients connect from a machine which essentially becomes a
dumb terminal. Terminal Services is built into Windows Server 2003; it is not a
separate product as it was in NT 4.0. However, it lies dormant and you need to install
it through Add or Remove Programs / Windows Components. You will also need to install
Terminal Server Licensing on one of your servers. Check out the special group for
Terminal Server Licensing in the Builtin folder of Active Directory Users and
Computers.
The main question is which mode you will run Terminal Services in: Remote Desktop for
Administration or Application mode.
When you install the programs for Terminal Services, check out the special
'Transforms' method. 32-bit programs should be OK. Also search websites for scripts to
make any non-Microsoft applications operate in multi-session mode.
Group Policy. There are Group Policies just for Terminal Services, e.g. do not let
users accidentally shut down the terminal server when they think they are shutting
down their own machine!
Permissions. By default every user can access a terminal server; perhaps you wish to
change this.
RAS, or Routing and Remote Access, has come a long way from its NT 4.0 days. The fact
that it is now built in and installed by default is an indication of its more robust
nature and greater importance. There are lots of components and technologies to
understand and configure to make a successful RAS server:
RAS hardware, or a fast internet connection if you are relying on VPN.
DHCP Relay Agent or a special IP range for clients.
Extra 'Remote Access Policies' to control dial-up users.
User properties, Dial-up tab, to allow and control Remote Access Permission.
Other optional considerations: NAT (Network Address Translation), RADIUS service with
your ISP.