
Chapter 9

Deploying a Simple Managed Environment

Microsoft® IntelliMirror® management technologies and Group Policy combine the advantages of centralized computing with the performance and flexibility of distributed computing. This chapter incorporates the use of these technologies, described throughout this book, in a cohesive plan for creating a simple managed environment.

In This Chapter

Overview of Deploying a Simple Managed Environment...... 430

Deploying the Network Infrastructure...... 435

Deploying the Logical Infrastructure...... 447

Preparing Shared Folders...... 452

Installing Software...... 458

Setting Policies to Manage User Data and Settings...... 462

Testing and Deploying Your Configuration...... 470

Additional Resources...... 478

Related Information
  • For more information about how to use IntelliMirror technologies to create a managed environment, see “Planning a Managed Environment” in this book.
  • For more information about Group Policy, see “Designing a Group Policy Infrastructure” in this book.
  • For more information about user profiles, folder redirection, disk quotas, and offline files, see “Implementing User State Management” in this book.
  • For more information about using Group Policy to deploy application software to your users, see “Deploying a Managed Software Environment” in this book.

Overview of Deploying a Simple Managed Environment

This chapter provides a blueprint for deploying a simple managed environment. While it provides a complete end-to-end management solution for a small computing network, larger organizations can also use this chapter as a starting point for their configuration, and scale out as needed.

You can leverage the information in this chapter in two ways.

Create a small production environment

If you are the system administrator of a small organization that wants to deploy a new network based on servers running the Microsoft® Windows® Server 2003 operating system, use the instructions here to build your initial production environment from the ground up, adding client computers and additional servers as needed. Be sure to follow all of the testing procedures included in “Testing and Deploying Your Configuration” later in this chapter, before inviting users to start their production work in the environment.

Create a test environment

If you are part of a large organization’s IT management team, use the guidelines and procedures in this chapter to build a test network for testing various implementations of Active Directory® directory service and Group Policy in Windows Server 2003. After the structure is in place and your work has been tested, staged, and deployed to your production network, you can continue to use this small network for modeling and testing new Group Policies.

Process for Deploying a Simple Managed Environment

By performing the procedures in this chapter, you will deploy a domain controller (DC) within your intranet, create a logical infrastructure, assign and publish application software, and set up policies to manage your users and computers. You will use Microsoft Software Update Services (SUS) to review, approve, and test critical operating system updates before deploying them to your clients, so that you are secure in the knowledge that the clients are fully protected from the latest security risks. The steps for deploying a simple managed environment are illustrated in Figure 9.1.

Figure 9.1 Deploying a Simple Managed Network

Chapter Assumptions and Sample Configuration

A sample configuration has been devised to illustrate the various steps in creating a simple managed environment. This sample consists of a fictional organizational unit (OU) structure. You might want to go through each step using the sample data before implementing your own design; or, you might prefer to work through this guide, replacing the samples with your actual OUs and user accounts.

Organizational Units in the Sample Configuration

The chapter steps you through the creation of the OU structure and the users described in Table 9.1.

Table 9.1 Example of an OU Structure for a Simple Managed Environment

User Name / User Requirements / Security Group / Organizational Unit / Computer Type
Florian Voss / Domain Administrator; roaming profile; offline files; redirected folders / Administrators, RUPUsers / IT / Mobile
Hung-Fu Ting; Christie Moon / No roaming profile; offline files; redirected folders; needs access to the Microsoft® Office productivity suite only / (none) / Bookkeeping / Desktop
Nicole Holliday; Tzipi Butnaru / Roaming profiles; offline files; redirected folders; needs access to Microsoft Office only / RUPUsers / Sales / Mobile

The following common characteristics and groupings are important to remember when applying policies (discussed in “Setting Policies to Manage User Data and Settings” later in this chapter):

  • All users have redirected folders and offline files, and need access to Microsoft® Office applications.
  • All users except the members of the Bookkeeping OU have roaming user profiles (RUP).
  • The users in the IT and Sales OUs have mobile computing needs, but they almost always connect to the local area network (LAN) over a fast link.
  • The users in the IT OU need access to the Windows Server 2003 Administrative Tools Pack.

This fictitious OU exists in a fictitious company named A.Datum Corporation with the domain name of adatum.com.

Hardware Configuration and Assumptions

Certain hardware and network assumptions are made in this chapter, which might not be true of your own environment. Read this chapter with the understanding that you need to reject assumptions if they do not apply to your organization.

The hardware configuration outlined here is intended to supply the basic needed components for a simple environment. The infrastructure includes one mobile client computer and one desktop client computer to demonstrate management techniques for these two common types of client computers. One server is deployed, which takes on several roles: Active Directory domain controller, Domain Name System (DNS) server, secure software distribution point using Distributed File System (DFS), and Software Update Services (SUS) distribution server. This computer also contains all of the application software, user state, and user data files for the organization.

Organizations frequently deploy a second server to host applications, SUS, and user data and settings. With this configuration, the DC can maintain the highest possible performance in its primary role. However, for a small organization, one server usually can fulfill all of these roles.

It is highly recommended that, if possible, you deploy a second DC to provide backup and redundancy. With two domain controllers, if one DC becomes unavailable, users still can log on and access their data using the second domain controller. By default, if no DC is available, only users with cached credentials can log on to the network.

Having a second DC already in place provides a much faster method of restoring service to users than having to create a new DC and populate its information from an external backup source. The second DC contains a complete and up-to-date replica of the entire Active Directory database; if the hard disk or data is corrupted on one DC, the second DC ensures that you will not have to rebuild your OU structure or repopulate your Active Directory database. The addition of a second DC should be a primary upgrade consideration for scaling your initial network and keeping it highly available.

If you choose to add a second DC to your network, consider the following:

  • Replication affects network traffic. Place both DCs on the same network segment for best replication performance.
  • A client computer can retrieve Group Policy objects (GPOs) from a DC to which a recent change has not yet been replicated.
  • In a simple environment, it is recommended that you leave the operations master roles on one DC.

Note

For complete information about deploying multiple domain controllers in an Active Directory environment, see “Part 1: Designing and Deploying Directory Services” in Designing and Deploying Directory and Security Services of this kit.

Because this chapter’s goal is to explain how to use change and configuration management techniques to manage a simple environment, the configuration that is presented does not include a second domain controller. The following assumptions and configuration are used in this chapter:

  • Your network infrastructure does not include a secondary server or DC.
  • The DC has one physical drive with two partitions. The first partition is logical drive C, and it will contain the Windows Server 2003 operating system. The second partition is logical drive D, and it will contain all software and user data that is not part of the operating system.
  • The CD-ROM for the DC is logical drive E.

Minimum Hardware and Software Configurations for a Simple Managed Environment

To begin building your simple managed environment, use the minimum hardware and software configurations listed in Table 9.2. Your hardware list will expand to fit your organization’s computing needs.

Table 9.2 Minimum Hardware and Software Configuration for a Simple Managed Environment

Device / Requirements
Domain controller running Windows Server 2003 / See the Windows Server 2003 System Requirements link on the Web Resources page at
One desktop client computer running the Microsoft® Windows® XP Professional operating system / See the Windows XP Professional System Requirements link on the Web Resources page at
One mobile client computer running Windows XP Professional / See the Windows XP Professional System Requirements link on the Web Resources page at
Network Address Translator (NAT)-enabled router / Standard 5-port router recommended.
Broadband (cable or DSL) modem / No requirements.

Deploying the Network Infrastructure

Before implementing any management techniques, you must deploy your network infrastructure. In the chapter example, a Network Address Translation (NAT) router provides Dynamic Host Configuration Protocol (DHCP) addresses to all computers on the network, including the domain controller. Microsoft highly recommends the use of static IP addresses for domain controllers; however, in the sample configuration, the router does not continually release and renew leases, so the dynamic IP assigned to the domain controller is stable and essentially complies with that recommendation. If you want to assign a static IP address to your DC you can do so; however, this requires additional configuration that this chapter does not cover.

Figure 9.2 illustrates the steps involved in setting up the network infrastructure.

Figure 9.2 Deploying the Network Infrastructure

Setting Up the Physical Network

The components that you use in setting up your physical network will vary depending upon the equipment that you already have in place, your organization’s specific needs, and the purpose of this network — that is, whether you are building a test LAN or an initial production LAN. The configuration documented here is that of a basic small network, which can be easily scaled to fit your computing needs. The router used here is a standard 5-port NAT router with a built-in firewall. Specific router instructions are not included, as those depend on the router that you have purchased.

To configure your router

Follow the directions in the documentation for your router to configure the router to these specifications:

  • Ensure that port 53 on the router is enabled to support DNS. (This is the default state of many routers.)
  • If the router is wireless, enable 128-bit WEP security.
  • Set a strong administrator password on the router.
  • Use the instructions that you received with your router to configure the router to receive its IP configuration from your ISP using DHCP (this is the default state for many routers).

To configure your LAN-router connection

1. Connect the LAN cable from the computer that is to be the DC to an available port on the NAT router.

2. Connect the LAN cable from the broadband modem to the WAN port on the NAT router.

3. Turn on the router and the modem.

Your network should be similar to the one illustrated in Figure 9.3.

Figure 9.3 LAN Router Connection for a Simple Managed Environment

Deploying a Domain Controller Inside the Intranet

You must deploy a domain controller (DC) in order to establish a top-level domain and forest on your private LAN.

For more information about domains and forests, see “Designing a Group Policy Infrastructure” in this book, and “Part 1: Designing and Deploying Directory and Security Services” in Designing and Deploying Directory and Security Services of this kit.

To deploy the DC, perform the following tasks:

  • Install and configure the DC.
  • Synchronize the time server for the domain controller with an external source.
  • Format additional drive partitions.

Install and Configure the Domain Controller

To install and configure the domain controller, you will perform the following tasks:

  • Install the Windows Server 2003 operating system.
  • Install Active Directory on the domain controller, and configure the server role.
  • Configure DNS.
  • Install the Application Server role (Internet Information Services [IIS], ASP.NET). This step is only necessary for servers hosting Software Update Services (SUS) and is not a core requirement for a DC.

To install Windows Server 2003

1. Boot from your Windows Server 2003 operating system CD-ROM. Follow the instructions in the documentation for Windows Server 2003 to install the operating system on the computer that is to be your domain controller. Create disk partitions with the following properties.

Partition / Use / File System / Size
Primary / Operating System / NTFS / At least 2 gigabytes (GB)
Secondary / Applications / NTFS / Remaining space

Note

If your LAN includes a second server, you can choose to create only one partition on the domain controller’s hard drive, to store the operating system, and use the other server for storing additional software and data.

2. During Windows Setup, enter the following values:

  • Computer Name: Enter DC01.
  • Administrator Password: Enter a strong password.

Important

Computer security requires the use of a strong password for your administrator account. A strong password has from 7 through 14 characters, and contains letters (both uppercase and lowercase), numerals, and symbols (all other characters, such as $%*&). The password should contain at least one symbol character in the second through sixth positions.

  • Network settings: Select typical settings.
  • When prompted about whether this computer is part of a Workgroup or Computer Domain, select Workgroup and accept the default name of Workgroup.

3. After the computer restarts, log on as Administrator.

4. Click Start, point to All Programs, and click Activate Windows. Follow the prompts to activate and register your copy of Windows Server 2003 through the Internet.

If you cannot access the Internet, refer to your router and modem instructions for troubleshooting assistance.
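The Important note in step 2 above states the strong-password rule in prose. The following PowerShell function is an added example, not part of the Deployment Kit, that checks a candidate password against exactly that rule: 7 through 14 characters, uppercase and lowercase letters, numerals, symbols, and at least one symbol somewhere in positions 2 through 6. The function name and the sample candidates are constructed for this illustration; the candidates are deliberately weak or already published and are not passwords to use.

```powershell
# Added example (not from the Deployment Kit): validates a candidate password against
# the strength rule in the Important note. Function name and samples are constructed.
function Test-StrongPassword {
    param([Parameter(Mandatory = $true)][string]$Password)

    $failures = @()

    # Rule 1: length 7 through 14 characters.
    if ($Password.Length -lt 7 -or $Password.Length -gt 14) {
        $failures += 'length must be 7 through 14 characters'
    }

    # Rule 2: at least one uppercase letter, one lowercase letter, one numeral and one
    # symbol. "Symbol" means any character that is not an ASCII letter or numeral.
    # -cnotmatch is the case-sensitive operator, so [A-Z] and [a-z] are distinct tests.
    if ($Password -cnotmatch '[A-Z]')       { $failures += 'missing an uppercase letter' }
    if ($Password -cnotmatch '[a-z]')       { $failures += 'missing a lowercase letter' }
    if ($Password -notmatch  '[0-9]')       { $failures += 'missing a numeral' }
    if ($Password -notmatch  '[^A-Za-z0-9]'){ $failures += 'missing a symbol' }

    # Rule 3: at least one symbol in positions 2 through 6 (string indexes 1 to 5).
    # This keeps a symbol inside the first seven characters, the half that the legacy
    # LAN Manager (LM) hash stores separately from the rest of the password.
    $window = ''
    if ($Password.Length -gt 1) {
        $window = $Password.Substring(1, [Math]::Min(5, $Password.Length - 1))
    }
    if ($window -notmatch '[^A-Za-z0-9]') {
        $failures += 'needs a symbol in positions 2 through 6'
    }

    return @{
        Strong   = ($failures.Count -eq 0)
        Failures = $failures
    }
}

# Constructed sample candidates: one passes, three fail for different reasons.
foreach ($candidate in 'Pa$sw0rd', 'Password1', 'pa$sw0rdTooLongXYZ', 'Abcdef$1') {
    $result = Test-StrongPassword -Password $candidate
    '{0,-22} {1,-6} {2}' -f $candidate, $result.Strong, ($result.Failures -join '; ')
}
```

In the sample run, 'Pa$sw0rd' satisfies every rule, 'Password1' has no symbol at all, 'pa$sw0rdTooLongXYZ' is over 14 characters, and 'Abcdef$1' has its only symbol in position 7, outside the window the note requires. Run the function interactively when choosing the Administrator and Directory Services Restore Mode passwords; do not store candidate passwords in a script file.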

To configure the server as a domain controller

1. Click Start, and click Manage Your Server. Select Custom Configuration. Click Add or remove a role, and then click Next. Wait for the wizard to review the computer’s current configuration.

2. Select the Domain Controller (Active Directory) role. Proceed to run the Active Directory Installation Wizard. Use the following values as you are prompted for them:

a. Select Domain controller for a new domain.

b. Select Domain in a new forest.

c. Enter your domain name (in the sample configuration, this is adatum.com).

d. Accept the default values for Domain NetBIOS name, Database folder, Log folder, and SYSVOL folder location.

Because DNS has not yet been installed on this server, the DNS Registration Diagnostics will indicate that none of the DNS servers used by this computer responded within the timeout interval.

e. Select Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server.

f. Select Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems.

g. In the Directory Services Restore Mode Administrator Password field, enter a strong password.

The wizard will notify you that the computer has a dynamically assigned IP address. Typically you would not assign a dynamic IP address to a domain controller. However, this configuration is acceptable for this simple network in which the router is used as the DHCP server.

h. When the Local Area Connection Properties page displays, click Cancel.

i. When the wizard finishes configuring Active Directory, select Restart Now. After the computer has restarted, click Finish.

To configure the server as a DNS server

1. From the Manage Your Server screen, click Manage this DNS server.

2. Right-click DC01, click Configure a DNS Server, and then click Next.

3. Select Create a Forward Lookup Zone.

4. Select This server maintains the zone. Type your domain name for the zone; for example, adatum.com.

5. Select Allow dynamic updates.

6. Select Yes, forward queries to DNS servers with the following IP addresses, and type the IP address of the NAT router.

7. Exit the Manage DNS Server snap-in.

Note

You will receive a message that the forward lookup zone cannot be added to the server, because the zone already exists. This is because the zone was created when the DNS server role was initially configured. This message does not indicate an error condition.
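The same zone configuration can be applied and verified from the command line, which is useful for rebuilding the DC or for checking the wizard's result. The block below is an added example, not part of the chapter, that uses dnscmd.exe (the DNS Server command-line tool that ships with Windows Server 2003) from PowerShell. DC01 and adatum.com are the chapter's sample names; the router address 192.168.1.1 is a constructed placeholder. One deliberate difference from step 5: the block sets dynamic updates to secure only (value 2), which on an Active Directory-integrated zone requires the updating computer to authenticate and so prevents an arbitrary host on the LAN from overwriting another computer's records; value 1 corresponds to the wizard's nonsecure-and-secure choice.

```powershell
# Added example (not from the Deployment Kit): command-line equivalent of the
# "configure the server as a DNS server" procedure, run with dnscmd.exe from PowerShell.
# DC01 and adatum.com are the chapter's sample names; $RouterIP is a placeholder.
$Server   = 'DC01'
$Zone     = 'adatum.com'
$RouterIP = '192.168.1.1'    # placeholder: use your NAT router's LAN address

# Create the forward lookup zone only if it does not already exist. After the Active
# Directory Installation Wizard (step e) the zone is already present, which is the
# "zone already exists" message the Note above describes; dnscmd returns a nonzero
# exit code for a missing zone, so the check below avoids the duplicate-add error.
dnscmd $Server /ZoneInfo $Zone | Out-Null
if ($LASTEXITCODE -ne 0) {
    # /DsPrimary stores the zone in Active Directory ("This server maintains the zone").
    dnscmd $Server /ZoneAdd $Zone /DsPrimary
}

# Dynamic updates: 0 = none, 1 = nonsecure and secure (the wizard's "Allow dynamic
# updates"), 2 = secure only. Secure only is the setting to keep on an AD-integrated
# zone so that only authenticated domain members can register or change records.
dnscmd $Server /Config $Zone /AllowUpdate 2

# Forward queries that DC01 cannot answer itself to the NAT router (step 6).
dnscmd $Server /ResetForwarders $RouterIP

# Verification: zone settings (look for the update mode), server settings including
# the forwarder list, and a resolution test for the DC's own name against DC01.
dnscmd $Server /ZoneInfo $Zone
dnscmd $Server /Info
nslookup "dc01.$Zone" $Server
```

Run the block on DC01 itself, or from another computer with the DNS Server administration tools installed, while logged on as a member of the Administrators or DnsAdmins group. If the /ZoneInfo output shows Allow Update set to nonsecure, a client that merely knows the zone name can register records in it; that is the condition the secure-only setting removes.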