
Microsoft Windows XP Networking Inside Out


3: Network Connectivity

Part 3: Network Connectivity

Controlling Traffic by Using Sites

In networks where different sites are used, controlling traffic is very important, and this is one reason that Active Directory enables network administrators to define sites.

Consider this example: Your network consists of one domain, but you have offices in New York and Tampa. A WAN link connects the two offices so that resources can be shared, but the WAN link is expensive and often unreliable, so you want to keep traffic local as much as possible. In addition, suppose that Sally, a user in Tampa, needs to log on to her Windows XP Professional computer. Her logon request is sent to a domain controller, but without site definitions, a domain controller in the New York office might authenticate her. Rather than having what should be local traffic bounce around between New York and Tampa, sites help define the locations and make sure that user logons and resource traffic stay local. In Sally’s case, because she resides in Tampa, she would never be authenticated by a domain controller in New York unless all domain controllers in Tampa were unavailable. Sites allow Active Directory to act as a traffic cop so that precious WAN bandwidth is used only when necessary.

Domain Name System

You understand that sites, domains, and OUs are used to structure the Windows network and that different servers are used to manage that structure and the available resources. However, how does each computer keep track of other computers and users as well as shared folders and other resources? In an Active Directory environment, domains are named just like Internet sites. For example, if your company is named TailSpin Toys, your network name might be tailspintoys.com. Tailspintoys.com can be an Internet Web site, but it can also be the name of your internal network. A user, Sally, can have the logon name of sally@tailspintoys.com, which functions as an e-mail address as well. DNS integration simplifies naming strategies and makes private network and Internet naming schemes the same.


Using Unique DNS Names for Multiple Domains

In environments where multiple domains are used, different domain names must also be used. For example, your company might have a New York domain and a London domain. The domain names can be completely different, such as tailspintoys.com and wingtiptoys.com, but this isolates the two domains from each other into two separate forests in Active Directory nomenclature. An alternative would be to set up two domains named newyork.tailspintoys.com and london.tailspintoys.com. Because these two domains share the same root domain name (tailspintoys.com), they are said to be in the same tree as well as in a single forest. Domains that share a common root name in this way automatically have a trust established between them, which makes the sharing of resources and the maintenance of the network much easier. In this example, london.tailspintoys.com and newyork.tailspintoys.com are considered child domains, and tailspintoys.com is the parent domain. It’s possible to continue creating child domains to whatever depth is needed, although more depth adds more complexity.

If a new production plant opens in New York and needs to be a separate domain, it might be called production.newyork.tailspintoys.com. Carrying the example further, if the production plant needs to again divide into another domain, it could be named division.production.newyork.tailspintoys.com. Naming structures can become long and complex, so a lot of planning has to be done by network administrators to keep the domain structure as simple as possible. Using OUs within a domain can often avoid the need to create an excess of child domains.

note Only domains are named using the DNS naming structure. OUs are logical containers and do not use DNS names.
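The naming rules above (shared root means one tree with an automatic trust, each extra label is one more child level) can be checked mechanically. This is an added example, not code from the book; it assumes the tree root is the two-label name (tailspintoys.com), which holds for the book's sample domains.

```python
# Added example (not from the book): modelling the Active Directory naming
# rules for trees, parent/child domains and depth. Assumes a tree root is a
# two-label name such as tailspintoys.com.
from typing import List, Optional

def labels(fqdn: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return [p for p in fqdn.lower().rstrip(".").split(".") if p]

def parent_domain(fqdn: str) -> Optional[str]:
    """'production.newyork.tailspintoys.com' -> 'newyork.tailspintoys.com'.
    A root such as 'tailspintoys.com' has no parent."""
    parts = labels(fqdn)
    return ".".join(parts[1:]) if len(parts) > 2 else None

def tree_root(fqdn: str) -> str:
    """The root domain of the tree a name belongs to (its last two labels)."""
    return ".".join(labels(fqdn)[-2:])

def same_tree(a: str, b: str) -> bool:
    """Domains sharing a root name are one tree (and one forest) and get an
    automatic trust; different roots (wingtiptoys.com) are separate forests."""
    return tree_root(a) == tree_root(b)

def depth(fqdn: str) -> int:
    """Child levels below the root: tailspintoys.com is 0, newyork.* is 1."""
    return len(labels(fqdn)) - 2

def trust_chain(child: str) -> List[str]:
    """Walk from a child domain up to the root; each hop is a parent-child
    trust that exists automatically within the tree."""
    chain = [".".join(labels(child))]
    while (p := parent_domain(chain[-1])) is not None:
        chain.append(p)
    return chain
```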

Active Directory

Active Directory is the Windows directory service introduced with Windows 2000 Server. A directory service catalogs network resources and data, such as user accounts, computer accounts, OUs, shared printers, folders, and just about anything else that might be available on the network. Active Directory manages the entire network environment, and all domain controllers maintain a copy of the Active Directory database. So, where is Active Directory located? Active Directory maintains its catalog on each domain controller, and each domain controller replicates with partner domain controllers to keep the database synchronized, to provide fault tolerance, and to provide low latency.

In the past, Windows NT networks used a Primary Domain Controller (PDC) and multiple Backup Domain Controllers (BDCs) to manage the network, but all domain controllers in Active Directory domains function as peers. Instead of one PDC, each domain controller can be used to manage the network, and Active Directory data is replicated to other domain controllers.

Domain administrators manage Active Directory through three Microsoft Management Console (MMC) snap-in tools, namely Active Directory Sites And Services, Active Directory Trusts, and Active Directory Users And Computers. All user accounts, computer accounts, and even OUs are created and managed from within Active Directory. Figure 11-1 on the next page shows you the Active Directory Users And Computers tool found on a Windows 2000 domain controller.


Figure 11-1. Active Directory Users And Computers is one of three Active Directory MMC tools used to administer Active Directory.


Group Policy

Group Policy was introduced with Windows 2000. Group Policy is a management tool that enables domain administrators to centrally control a number of settings on client computers. For example, you can configure specific security settings, applications, desktop settings, and even desktop wallpaper on each domain user’s computer. Using Group Policy, network administrators can standardize all of the computers in a site, domain, or OU in any way that is desirable.

Group Policy is applied at the site, domain, and OU levels—in that order. Policies can also apply to individual computers or to user accounts, as appropriate. Computer policies are applied before user policies.

For example, if a computer account resides in the Dallas site, in the tailspintoys.com domain, and in the Production OU, computer policies from the Dallas site are applied when a user starts the computer. The domain computer policies are applied next, and then OU computer policies are applied. When a user logs on, any user policies at the Dallas site are applied, then the domain user policies, and then the OU user policies. In the event that a conflict occurs between different policies, higher-level policies supersede lower-level policies (for instance, OU policies override those defined on the local computer).

Group Policy also applies to a Windows XP Professional client computer connected to a Windows 2000 domain. In fact, Windows XP Professional contains a local Group Policy console where you, as the local computer administrator, can apply certain settings to anyone who logs on to your computer. For example, you can apply certain Microsoft Internet Explorer settings and additional logon settings; these are mentioned throughout this book where applicable. However, when your Windows XP Professional stand-alone computer joins an Active Directory domain, any conflicting local policies are superseded by any site, domain, or OU policies. In other words, local Group Policy is the weakest form of Group Policy when your computer resides in a domain environment, but it becomes active again whenever the computer is disconnected from the domain and operates as a stand-alone computer.
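The processing order described above (local, then site, domain, OU, with later scopes winning and local policy only standing on its own when the computer is not domain-joined) is easy to get wrong when reasoning about which setting a workstation actually ends up with. The following model is an added example, not the book's code; the scope names follow the text, while the setting names and values are constructed.

```python
# Added example (not from the book): a model of Group Policy precedence.
# Scopes follow the book (local -> site -> domain -> OU); the settings and
# values below are constructed for illustration.
from typing import Dict, Mapping, Tuple

# Processing order. Each later scope overrides conflicting settings from the
# earlier ones, so OU policy is strongest and local policy is weakest.
SCOPE_ORDER = ("local", "site", "domain", "ou")

def effective_policy(policies: Mapping[str, Mapping[str, object]],
                     domain_joined: bool) -> Dict[str, Tuple[object, str]]:
    """Merge one policy class (computer or user) in processing order.

    `policies` maps a scope name to that scope's settings. On a stand-alone
    computer only local policy applies; site, domain and OU are ignored.
    Returns each winning setting together with the scope that supplied it.
    """
    scopes = SCOPE_ORDER if domain_joined else ("local",)
    result: Dict[str, Tuple[object, str]] = {}
    for scope in scopes:
        for setting, value in policies.get(scope, {}).items():
            result[setting] = (value, scope)   # later scope wins conflicts
    return result

def apply_logon(computer_policies, user_policies, domain_joined):
    """Computer policies are processed at startup, user policies at logon.
    They are separate classes and never override each other."""
    return {
        "computer": effective_policy(computer_policies, domain_joined),
        "user": effective_policy(user_policies, domain_joined),
    }

# Constructed sample: the Dallas site / tailspintoys.com / Production OU
# scenario from the text, with a local policy that conflicts with the OU.
COMPUTER = {
    "local":  {"wallpaper_locked": False, "screen_saver_timeout": 0},
    "site":   {"screen_saver_timeout": 900},
    "domain": {"screen_saver_timeout": 600, "audit_logon_events": True},
    "ou":     {"wallpaper_locked": True},
}
USER = {
    "local":  {"ie_homepage": "about:blank"},
    "domain": {"ie_homepage": "http://intranet.tailspintoys.com"},
}

if __name__ == "__main__":
    for setting, (value, scope) in apply_logon(COMPUTER, USER, True)["computer"].items():
        print(f"{setting} = {value!r} (from {scope})")
```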

Protection in a Domain Environment

Windows XP’s support of Internet Connection Firewall (ICF) and the security features included in Internet Explorer 6 are designed for home networks and small offices. However, what about security in a domain-based network? In domain environments, servers handle the connections to the Internet as well as e-mail. Typically, devices such as proxy servers are used to function as the proxy or agent between internal network clients and the Internet. The proxy server’s job is to retrieve information from the Internet on behalf of network clients, so as not to expose those network clients to the Internet directly. In this case, some of the local security features available in Windows XP are not needed because the proxy servers provide the necessary security. In fact, if you enable one of those features, such as ICF, in a domain environment, you might lose connectivity. You can learn more about proxy servers, firewalls, and ICF in Chapter 5, “Internet Connection Firewall.”

Running Windows XP Professional

in a Domain Environment

To take advantage of the previously mentioned domain services, it’s important to understand the fundamental differences in how authentication is handled by domains and workgroups.

When you are a member of a workgroup, the user accounts are stored locally on the computer. For example, you might have a user account called Diane and a password for that account. If you want to log on to each Windows XP computer in the workgroup, each computer must be set up with the Diane account in User Accounts or Computer Management. You cannot move from computer to computer and log on with the Diane account until each computer has the account set up in its local security database. This isn’t a major problem when your home network or small office has a few computers and a few users, but imagine how complex and time-consuming it would be to set up a network for a company with hundreds of employees.


In a domain environment, the domain controllers hold the local security database, and network administrators manage user and computer accounts. A network administrator assigns you a user name and password, and configures an account for you in Active Directory. When you log on to any Windows XP Professional workstation in the domain, a Windows logon dialog box appears, and you enter your assigned user name and password. The user name and password are sent to a domain controller for authentication. You are then logged on to the workstation, and your computer and user account are active on the network. Because the user accounts are not configured on each local computer, you can log on to any workstation using your user name and password.

Once you are logged on to the domain, all of the features of a domain environment, including Group Policy, are available to you on your Windows XP Professional workstation. In short, when you log on to a Windows domain, a network administrator becomes the administrator for your local computer and can invoke settings and configurations, even without your permission. The workgroup environment where you call the shots is quite different than a domain environment where network administrators are in control.

Joining a Domain

To join a Windows domain, you’ll need a few essential items set up and ready before you can actually join:

A network administrator must create a computer account for you. Contact your network administrator for assistance.

A network administrator must create a user name and password for you. You’ll need this information, along with the name of the domain, when you configure your computer to join a domain. When the network administrator creates the user account, he or she must make certain that the account has the right to add a computer to a domain. By default the Domain Admins group has this right, but in Active Directory domains the administrator can assign the right to any user or other group. Unless told otherwise by your network administrator, you should assume that only a user with administrative privileges can join the computer to the domain.

In most cases your computer’s network connection to the domain should be set to obtain its IP address automatically so that a domain server known as a DHCP server can provide an available IP address for your computer. For more information about DHCP, see “Dynamic and Static Addressing,” page 27.

Your computer must be configured with a network interface card (NIC) and be physically connected to the network. See “Installing NICs” on page 68 for details.

You must be using Windows XP Professional. Windows XP Home Edition cannot join a Windows domain.


Chapter 11: Understanding Domain Connectivity

Joining a Domain with Wizard Help

Windows XP Professional can help you join a domain with the help of the Network Identification Wizard. You can also manually join the domain, which you can learn more about in “Joining a Domain Manually” on page 327. To join a Windows domain using a wizard, follow these steps:

1 Log on to Windows XP Professional with an administrator account.

note You cannot join a domain unless you first log on to the local computer with an account that has administrative privileges. If you don’t have access to such an account, contact your network administrator to help you.

2 Choose Start, Control Panel, and open System.

3 In the System Properties dialog box, select the Computer Name tab. This tab contains the Computer Description box, the Network ID button, and the Change button, as shown in Figure 11-2.

Figure 11-2. The Computer Name tab of the System Properties dialog box is the starting place for joining a domain.

4 Click the Network ID button to open the Network Identification Wizard, which will guide you through the rest of the process. Click Next on the first page that appears.

5 The Connecting To The Network page asks you if the computer will be part of a business network or if it is a home/small office computer, as shown in Figure 11-3 on the next page. To join a domain, select This Computer Is Part Of A Business Network, And I Use It To Connect To Other Computers At Work. Click Next.


Figure 11-3. Select the first option if you want your Windows XP Professional computer to join a domain-based network.

6 On the second Connecting To The Network page, select My Company Uses A Network With A Domain and click Next.

7 The information provided tells you what you’ll need to join the domain. You’ll need a user name, a password, the domain’s name, and possibly some computer name information. After reading this page, click Next.

8 On the User Account And Domain Information page, shown in Figure 11-4, enter the user name, password, and domain name created for you by the network administrator. Keep in mind that the password is case sensitive. Click Next.

Figure 11-4. Enter your user name, password, and the name of the domain you want to join.

9 If the Computer Domain page appears, you will also need to enter your computer’s name (displayed on the Computer Name tab in the Full Computer Name field) and the computer’s domain. (It is possible for a computer to belong to a different domain than the user account.) If the page appears, enter the requested information and click Next.

note If you attempt to join the domain with the name and password of a user account that doesn’t have administrative privileges or that hasn’t been explicitly delegated permission to add the computer to the domain, you will see the Domain User Name And Password dialog box. Either you or a network administrator will have to type the user name, password, and domain of a user with administrative privileges to complete the process of joining the domain. Click OK to continue.

10 On the User Account page, shown in Figure 11-5, you can choose the account you just registered (or another user account in the domain), so that the user account can gain access to local system resources as well as the network resources. Click Next to continue.

Figure 11-5. Use this page of the wizard to add a user to the local computer. Only users with a domain account can be added on this page.

11 If you choose to add a user, the Access Level page, shown in Figure 11-6 on the next page, appears. Select the level of access that you want the user to have to local computer resources: Standard User, Restricted User, or Other.

This feature lets you limit what the user can do on the local machine or lets you give the user administrative privileges on the local computer (by selecting Other and selecting Administrator from the list). Although the user’s privileges on the network are centrally set in Active Directory by a network administrator, this page lets the user access the local computer with the same user name, even though the level of access on the local computer can be different than the permissions the user has on the network. Make a selection and click Next.

note If the network isn’t running, users can’t be authenticated on the domain, but they can still log on locally because Windows XP keeps a cached copy of the domain account.

Figure 11-6. The Access Level page lets you set the level of access the user will have on the local computer.

12 Click Finish on the final page of the wizard, and restart the computer when prompted.

Understanding the Syntax for Signing on to the Domain

Microsoft Windows NT networks use the NetBIOS naming scheme for user accounts, which uses short names to represent computers and network objects. For example, a NetBIOS domain name might be Xprod. Users logging on to a Windows NT domain use the domainname\username convention, such as xprod\csimmons. However, Windows 2000 networks use the Domain Name System (DNS) naming standard, as does the Internet. For example, a company with a public URL of www.tailspintoys.com might have a corporate domain name of xprod.tailspintoys.com (unlike the URL, this domain is not visible to the public). DNS user names use the popular form of e-mail addresses, such as csimmons@xprod.tailspintoys.com. For this reason, you can type your user name in the form username@domainname when you are first joining a network or when logging on. If you choose to use this format for your user name when you log on, the dialog box that normally lists the domain will become grayed out because you have already specified the domain name as a part of the user name.
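Anyone writing tooling that consumes logon names (a logon-audit parser, for instance) has to accept both forms described above and behave the way the logon dialog does. The parser below is an added example, not code from the book: it uses the book's sample names, and the NetBIOS-to-DNS mapping table and the 15-character NetBIOS limit are assumptions for the example.

```python
# Added example (not from the book): normalising the two logon-name forms.
# The NetBIOS -> DNS mapping table is constructed; the names are the book's.
import re
from typing import Dict, NamedTuple

NETBIOS_RE = re.compile(r"^([^\\@]{1,15})\\([^\\@]+)$")    # domain\user
UPN_RE = re.compile(r"^([^\\@]+)@([^\\@]+\.[^\\@]+)$")      # user@dns.domain

class Logon(NamedTuple):
    user: str
    domain: str          # always the DNS form once resolved
    form: str            # "netbios", "upn" or "bare"
    domain_field: bool   # False when the dialog's domain list is greyed out

def parse_logon(name: str, selected_domain: str,
                netbios_to_dns: Dict[str, str]) -> Logon:
    """Resolve a typed logon name the way the Windows logon dialog does.

    xprod\\csimmons                  NetBIOS form: map XPROD to its DNS name
    csimmons@xprod.tailspintoys.com  UPN form: domain comes from the name,
                                     so the domain list is greyed out
    csimmons                         bare name: use the selected domain
    """
    if m := NETBIOS_RE.match(name):
        short, user = m.group(1), m.group(2)
        dns = netbios_to_dns.get(short.upper())
        if dns is None:
            raise ValueError(f"unknown NetBIOS domain {short!r}")
        return Logon(user, dns, "netbios", True)
    if m := UPN_RE.match(name):
        return Logon(m.group(1), m.group(2).lower(), "upn", False)
    if "\\" in name or "@" in name:
        raise ValueError(f"malformed logon name {name!r}")
    return Logon(name, selected_domain.lower(), "bare", True)

# Constructed mapping of NetBIOS domain names to DNS domain names.
DOMAINS = {"XPROD": "xprod.tailspintoys.com"}
```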

Joining a Domain Manually

The Network Identification Wizard helps you join a domain, but you can also join a domain by clicking the Change button on the Computer Name tab of the System Properties dialog box. This option reduces the wizard to a single dialog box, shown in Figure 11-7. Enter your computer’s name in the Computer Name box and make sure Member Of is set to Domain. Type in the domain name if it isn’t already listed in the box. Click OK. In the dialog box that appears, enter the user name and password of your domain account. You’ll need to restart your computer once you complete the joining process.


Figure 11-7. Enter the domain name and click OK to manually join the domain.
