Configuring Windows 2000 without Active Directory P2


12 Chapter 1 • Why Not Active Directory?

environment, but without having to also take on Active Directory. All too often, standard Windows 2000 literature discusses new features only in the context of Active Directory, so you may not be aware of what features and services you can use (and how) independently from Active Directory. Therefore, you’re being asked to learn Active Directory, the new features, and the new interface all at once—which usually relegates it to a testing environment or your home study network. This book aims to provide the information you need to start using Windows 2000 productively in your current working environment. Armed with this information and a clear view of what is possible with Windows 2000 when running it outside an Active Directory domain (and what isn’t possible without Active Directory), you will then be better equipped to dive into the standard Microsoft documentation and build on this knowledge. This then may or may not include Active Directory features—but the choice will then be yours, rather than having it decided for you. By knowing what is possible without Active Directory and how to implement it, you should gain a level of knowledge and a perspective that is difficult to obtain from the standard Microsoft documentation. Throughout the book we will have special information sidebars for IT implementers where the topic identifies a relevant Configuring & Implementing consideration to help provide additional technical information.

Microsoft Certified Professionals and System Engineers

Although not specifically aimed at MCPs and MCSEs, this book may also be of benefit to MCP/MCSE candidates looking to supplement their Windows 2000 exam knowledge and extend it into the realities of the workplace. It may also help NT professionals transition their skills to Windows 2000, because new features can be learned within the context of a Windows NT 4.0 domain instead of trying to take these on board at the same time as learning Active Directory. There’s nothing so reassuring as starting from familiar ground rather than feeling as if you’re starting everything from scratch again. Interestingly, Microsoft’s fairly recent addition of exam 70-244, “Supporting and Maintaining a Microsoft Windows NT Server 4.0 Network” (available since April 2001), shows its acknowledgment that Windows NT 4.0 domains are still prevalent in the workplace and as such need to be supported by competent professionals. While the other Windows 2000 exams assume an Active Directory context, in reality MCP/MCSE professionals will find it the exception and not the norm that they will be given Active Directory Enterprise permissions—so they must know which features they can configure and use independently from Active Directory in a typical departmental setting. Note, however, that this book is not written as an MCSE study guide for a specific Microsoft exam; there are plenty of good alternatives for these already.

What This Book Will Cover

This book will cover a wide range of topics that encompass a diversity of the new features and services that Windows 2000 offers. This will include everything from features particularly relevant for workstations, laptops, and servers, to specific services such as IIS and Certificate Services, Terminal Services, and Remote Access, to networking services such as Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP), Internet Protocol Security (IPSec), and Network Address Translation (NAT). All these and more will be explained outside the context of Active Directory—clearly outlining what is possible and what isn’t, and also what is possible with certain limitations.

Additionally, each chapter contains a walkthrough that includes step-by-step information on how you might implement some of the features covered in the chapter. These are practical exercises that reinforce some of the chapter contents and that should be useful in most production environments to help provide some hands-on experience.

Chapter 2: Workstations

Many people have Windows 2000 now as their standard desktop operating system, but they might not realize how to make the most of the new features it offers. In fact, I’ve often seen people treat Windows 2000 as if it were Windows NT 4.0 with the interface annoyingly changed, totally unaware of the new features and benefits “under the hood,” just there for the taking! The new interface isn’t to everybody’s liking, but it is highly configurable—if you know where to look. Windows 2000 is often chosen for stability and reliability reasons, and it has certainly earned its reputation for better stability and reliability than previous operating systems. Are you aware, though, of how that is accomplished and how you can configure and fine-tune this? For example, Windows File Protection helps to address the “DLL hell” we got used to seeing with incompatible versions of files, but it comes at the cost of disk space. Knowing how this works and how you can configure it gives the choice back to you, rather than relying on the operating system to make choices for you. When disk space on the operating system partition is tight (often an issue if upgrading), knowing how to configure the DLL cache can make the difference between being able to upgrade to Windows 2000 without repartitioning your disk and not being able to install it.

Active Directory Group Policies have had a lot of coverage as being one of the biggest reasons to migrate to Active Directory, so that you can centrally control and secure users’ and computers’ environments. They offer far more extensive configuration options than System Policies ever did—and they do so without tattooing the registry. But did you realize that you can use them outside Active Directory, even within a Windows NT 4.0 domain? Local Group Policies are one of Windows 2000’s best-kept secrets! Using them together with security templates, you can centrally configure and deploy your security and administrative templates on Windows 2000 computers—for example, you can lock down desktops for users and enforce tight security configurations.

Chapter 3: Laptops

It’s not difficult to see why the laptop market was the first to embrace Windows 2000. It offered the Plug and Play (PnP) features and Device Manager loved in Windows 9x, but with the secure logon and NTFS security that was needed for a mobile existence. Added onto that, EFS, the Encrypting File System in Windows 2000, offered increased protection; it was a new security feature that was easy to use immediately without Active Directory. But do you know how to best use EFS and what restrictions and limitations it has? Do you want to disable it to ensure that you don’t end up with inaccessible files, but you are not sure how to do that without Active Directory? Those are some of the best-known features and reasons for running Windows 2000 on laptops, but it also offers some great new features for integrating a mobile environment with the corporate network—including automatic hardware profiles and a Synchronization Manager. Files and content can be cached when the laptop is online, which can then be used when the laptop is disconnected and synchronized when next online. This can greatly improve productivity, reduce bandwidth, and help eliminate the problems of lost modifications when multiple versions are used. Other new features applicable for laptops include the new Power Management options and general Windows 2000 maintenance and troubleshooting utilities that are particularly relevant for laptop users—such as the Task Scheduler and advanced boot options for when the laptop is urgently needed but many miles away from the IT Help Desk!

Chapter 4: File and Print Services

The workhorses of the network that fulfill various file and print services have a lot to gain from Windows 2000. Storing and retrieving data can be made easier with features such as Distributed File System (Dfs) to help you reorganize shares without actually moving any data, an Indexing service that lets users search for files and content across the network, and disk quotas to help you control and plan disk storage and capacity. Disk management has become easier with the new dynamic disk storage providing on-the-fly changes without rebooting. Remote disk management is now possible, and the Remote Storage service can provide instant increased disk storage by dynamically migrating less often used data to tape. The built-in backup utility has an improved interface with an inbuilt graphical scheduler, and you can now leave Performance Monitor running as a service to help keep an eye on the general health of your servers (for example, emailing the administrator when critical factors such as low disk space and memory are identified). There are plenty of printing improvements too, including support for the new Internet Printing Protocol (IPP), which allows intranet and Internet users to install and manage their printers through a browser.

Chapter 5: Terminal Services

I think Windows 2000 Terminal Services earns its spot as my favorite feature in the Windows 2000 feature set. Now part of the base operating system rather than a separate product, Terminal Services is installed as a service just like any other operating system service. Best of all, it comes in two flavors: Administrator Mode and Application Mode. Administrator Mode requires no additional licensing considerations, with the only drawback being that the maximum number of simultaneous connections is restricted to two. It allows administrators to remotely log onto a Windows 2000 server (running this service) and remotely administer it as if they were sitting in front of it. It’s ideal for low-bandwidth connections because all the program execution stays on the server—only screen and mouse/keyboard data is transmitted. And it’s secure because you can use 128-bit encryption, and it’s firewall friendly in that it doesn’t use remote procedure calls (RPC), which most firewalls block. It’s difficult to see why you wouldn’t install this on all Windows 2000 servers. Application Mode is how most people currently think of a terminal server—serving applications to users in a true multiuser environment. It’s an easier environment to control and maintain because everything is held centrally in one place. Conversely, there may be times when you want to integrate that environment with the user’s local operating system, so you need to know whether this is possible and how. Terminal Services means that any Windows 32-bit user can have a Windows 2000 operating system environment—without having to change his or her hardware. This could be a permanent arrangement in an attempt to centralize all applications and administration or a stepping-stone as you slowly migrate users’ desktops to Windows 2000.

There are some great new features and improvements in Windows 2000 Terminal Services that previously were possible only with the Citrix add-on, MetaFrame—for example, improved throughput, mapping of local printers and drives, copying files between the two systems, and, of course, shadowing (which Microsoft calls Remote Control), which lets an administrator see and take over a user’s session. Particularly for remote sites, the last feature can be a godsend for IT Help Desks and can dramatically reduce user problems and increase the turnaround of logged calls. I found that additional features supplied with Service Pack 1 (interestingly, no longer included with Service Pack 2 but downloadable from the Microsoft site) and from the Windows 2000 Server Resource Kit were indispensable for production use of Terminal Services, and so I’ve included these in this chapter. The only fly in the ointment with Windows 2000 Terminal Services is the new requirement for running Terminal Services Licensing. You must run this when running Windows 2000 in Application Mode. It requires consideration before installation, and for this you have to know exactly how it works and what configuration options you have. Once you have identified Terminal Services as a possible resource for your company, learn about Terminal Services licensing requirements before you make any deployment plans!

Chapter 6: Networking Services—DNS, DHCP, WINS, and NLB

At the heart of any network lie the networking services that make it possible for computers to communicate with each other. With the acceptance that not all networks have high bandwidths and must often integrate with other networks (including the Internet) and non-Windows computers, Windows 2000 networking services such as DNS, DHCP, and WINS have had a vital overhaul. Microsoft has had to do this because Active Directory has been its focus for Windows 2000, and Active Directory relies on a reliable networking infrastructure. Quite simply, if there are TCP/IP problems there will be Active Directory problems. Although you might not be ready to move to Active Directory, there is no reason why you can’t benefit from those networking services improvements. Although DNS, DHCP, and WINS are independent services, they work so closely together to produce the same goal of computer-to-computer communication that it is difficult to talk about one in isolation from the others. Each involves central management, configuration control, and security. The Network Load Balancing (NLB) built into Windows 2000 Advanced Server (and Datacenter Server) also offers high availability and load balancing of networking services. With a view to distributed networking, scalability, and reliability, Network Load Balancing complements the Windows 2000 networking services very well.

Chapter 7: Internet Services—IIS5 and Certificate Services

There are some great improvements to IIS, which no doubt help to account for some of the Windows NT 4.0 server upgrades to Windows 2000 outside Active Directory. There are improvements in reliability, administration, security, and performance—all good news for standalone public Web servers. Many of these are hidden, behind-the-scenes changes, so it pays to know exactly what they are and how they function. There are also improvements for the intranet environment with WebDAV (Web Distributed Authoring and Versioning), as Microsoft continues to blur the distinction between Web servers and file servers, making the browser a universal desktop interface. Certificate Services is a separate service from IIS, but it’s easy to see how the two complement each other—particularly outside Active Directory. Certificate Services complements IIS by offering server and user certificates for a highly secure form of authentication and encryption. IIS5 complements Certificate Services by offering its Web-based certificate forms for requesting and receiving certificates. These certificates can be for both user authentication (for example, used with Web authentication) and also computer authentication (for example, used with IPSec). When installing and configuring Certificate Services outside Active Directory, you have the choice only of installing it in Standalone mode, not in Enterprise mode, which requires Active Directory. Most Windows 2000 documentation that covers Certificate Services assumes an Enterprise installation, and so it can be frustratingly difficult to try to use Certificate Services and associated utilities outside Active Directory. This chapter is the exception, where it assumes and concentrates on a Standalone installation.

Chapter 8: Secure Communication—IPSec

This chapter builds on the previous chapter because it covers using computer certificates that are requested and granted with Certificate Services and IIS5. Computer certificates are an alternative authentication method to Kerberos when using IPSec, and although Kerberos is the default authentication (except with L2TP/IPSec), you cannot use Windows 2000 Kerberos outside Active Directory. Computer certificates make IPSec possible and secure when used outside Active Directory. In addition to explaining the authentication methods, this chapter explains how the built-in IPSec policies work and how you must modify them when outside Active Directory. It also explains the various components and utilities that support IPSec. Additionally, it covers how to build your own custom policies so that you are firmly in control of what traffic you accept and block and how to track and monitor it. This chapter is very much a need-to-know and hands-on, practical look at implementing IPSec rather than offering a theoretical exploration of how cryptography-based security works. I’ve found this level of detail very difficult to find elsewhere, particularly when implementing IPSec outside Active Directory. And yet to me, this is what network administrators should focus on as a starting point in implementing IPSec.

Chapter 9: Remote Access—RAS, VPN, IAS, and CMAK

The improved VPN support in Windows 2000 is well known, and it’s usually L2TP/IPSec that grabs the limelight for this. I think the new remote access policies are the greatest improvement for securing and fine-tuning the configuration of a server for remote access connections. These apply for dialup, for PPTP and L2TP/IPSec VPN connections, and when using IAS (Internet Authentication Service). Somehow remote access policies have earned the reputation of not being applicable outside Active Directory, and this is just not true. What is true is that they must be configured slightly differently when used on a Windows 2000 member server within a Windows NT 4.0 domain, so it’s vital to understand exactly how they work. Although L2TP/IPSec can offer greater security, it will not be the best choice for everybody because it has greater overhead in terms of server resources and administrative overhead (server and remote computer both need computer certificates, for example). Not all platforms support IPSec either. When L2TP/IPSec is not an appropriate choice, you need to know how to configure PPTP with the tightest security. When L2TP/IPSec can be used, this chapter explains how this can be configured outside Active Directory, exactly what security is being used, and how you can monitor it. You may be surprised by some of the defaults Microsoft selects for you, and you may want to change them.

CMAK is the Connection Manager Administration Kit, which allows administrators to deploy central connection details bundled into a dialer. This means remote users have to run only your supplied executable to easily connect to your remote access services. You can use either a static phone book to supply the actual connection details or a dynamic phone book that the user checks each time he or she connects and automatically downloads any changes. Not only can this look very professional—for example, by customizing the dialer with company logos and a personalized message with Help Desk details—but it can also dramatically reduce Help Desk calls from remote users trying to set up and/or amend the required connection details. For example, although Windows 2000 Professional can automatically prompt for an underlying ISP connection to be made before a VPN connection, down-level clients do not. Many users simply do not understand or forget that they should first connect to their ISP and then make an additional connection to the VPN server. The custom dialer can be configured to do this automatically for the user.

Chapter 10: Internet Connectivity—ICS, NAT, and ISA Server

All three of these Microsoft solutions—Internet Connection Sharing, Network Address Translation on RRAS, and the Internet Security and Acceleration Server—offer different solutions for connecting multiple workstations on a local area network to the Internet, by means of one computer that is connected to both the internal and external network. Obviously, they differ in complexity and functionality, and it’s important to know their differences as well as similarities so that you can better judge which of these solutions (if any) is suitable for your network’s Internet connectivity. ICS as the poor relation often gets bad press because of its simplicity, but when you look at its actual abilities, it’s surprisingly adept at meeting many connectivity needs. NAT, it is true, does offer much better monitoring facilities and more flexibility in configuration—for example, it is able to take advantage of multiple public addresses and reserve certain addresses for specific services. Neither, however, can accommodate controlling access by users—and to do this you’ll need something more like ISA Server, which is the Windows 2000 upgrade to Microsoft Proxy Server 2. ISA Server has a lot more to offer than just controlling user access—highly configurable caching, bandwidth control, and firewalling features are only some of its impressive feature set. As an additional product (not built into the operating system like ICS and NAT), it’s important to appreciate exactly how this product works, with its limitations and restrictions as well as its features. For example, although it was written to integrate with Active Directory, unlike Exchange 2000 it can be used both inside and outside Active Directory. Some of the features you might want to use may be available only when it’s integrated with Active Directory, and it’s important to realize this if you are currently running a Windows NT 4.0 domain. This is particularly important if you’re planning to upgrade Proxy Server 2 while Microsoft is offering an attractive upgrade deal. If you are not installing ISA Server into Active Directory, you may lose some of the functionality you had (such as arrays). It’s very important to realize all the implications of upgrading, and I’ve found that Microsoft documentation generally assumes that an ISA Server that is required for caching will be installed in Active Directory, and that only the firewall features will be installed on computers outside Active Directory. While this chapter cannot cover each ISA feature and how to configure it, it will outline the new features and cover upgrading issues and how to configure/install it outside Active Directory.

Appendix A: The Windows 2000 Microsoft Management Console

Common to most Windows 2000 graphical configuration utilities is the Microsoft Management Console (MMC). In my experience, most people find this intuitively easy to use at its basic level, and so throughout the book I’ve made the assumption that step-by-step instructions are not required on how to navigate around the MMC when using the built-in Administrative Tools. Some people, though, may not be as comfortable with creating custom MMCs, and these can make an administrator’s life much easier—for example, having one MMC configuring/monitoring one service that is running on multiple servers. Or conversely, monitoring multiple services from the same computer that are logically linked—for example, DNS and DHCP, or the Security event log with IPSec policies so that you can easily monitor which policies are being used. I don’t understand why administrators don’t use custom MMCs like this more often and logically group together tools that they frequently use. It’s so much easier to call up a single MMC with everything you need rather than having to load lots of different MMCs and then on each having to navigate to the correct level. It’s incredibly quick and easy to create custom MMCs, so I can only conclude that most administrators are not aware or forget that this is possible. This technique also works well with remote administration and the powerful RunAs command, which lets you call up an application with an administrator’s privileges while still logged on with a standard user account. Other people may not be aware of the true flexibility and power of the MMC—for example, creating and using Taskpads as simpler GUI utilities that can be easily distributed for delegated administration or integrated into applications. ISA Server, for example, makes good use of MMC Taskpads, as Chapter 10 shows. With its Web-based support, I suspect using MMC Taskpads is another area that Microsoft and vendors will continue to develop, in line with the PC-to-Web integration concept that is prevalent throughout Microsoft’s new features and platforms. This appendix serves as a good introduction to creating your own Taskpads without any programming knowledge so that you too can leverage the simplified user interface.

What This Book Won’t Cover

Because this book is aimed at explaining and highlighting what is possible without Active Directory, it won’t cover the basics of Active Directory architecture, how to migrate to Active Directory, or how to configure features within Active Directory. It will not concentrate on Windows 2000 features that rely on Active Directory, although these may be pointed out where applicable. For example, we may cover features that can be used outside Active Directory but in a limited form, or that will be enhanced or changed once running in an Active Directory environment. These can then be flagged as considerations for a future migration—for example, influencing your Active Directory design or timescales. Or you may need to add to the Active Directory deployment additional reconfiguration to ensure that the new features can be used. One example of this is making full use of dynamic name registration with Windows 2000 DNS and DHCP, which is possible even if you’re running down-level clients in a Windows NT 4.0 domain. Without Active Directory you won’t