Active Directory Design (14)

Published 10 July 08 12:37 PM

A.8.1 WINS

Windows Internet Name Service (WINS) is a name service that resolves NetBIOS names to IP addresses in a Windows environment.

A WINS service should be implemented in the Xxx environment for backward compatibility, to support any application or OS feature that still requires NetBIOS name resolution.

Xxx Asia WINS design relies on the following statements:

*          WINS servers are consolidated at the Head Office

*          The first DC in the Head Office acts as the secondary WINS server for the country, in order to reduce the workload on the PDCE

*          The secondary DC in the Head Office acts as the primary WINS server for the country

*          Push/Pull replication is enabled between the two WINS servers

*          Workstation WINS settings are configured via DHCP

*          There is no replication of the WINS database between countries

*          WINS server configuration uses Windows Server 2003 default settings
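The design statements above expressed as configuration, as an added example that is not part of the design document. The addresses, the scope and the assignment of roles to the two DCs are hypothetical; the netsh syntax is that of the Windows Server 2003 wins and dhcp contexts and runs the same from cmd or PowerShell.

```powershell
# Added example (hypothetical addresses): one country's WINS pair and the DHCP options that
# point workstations at it.
#   10.1.0.10 = secondary DC in the Head Office, primary WINS for the country
#   10.1.0.11 = first DC (PDCE) in the Head Office, secondary WINS for the country
#   10.1.0.0  = workstation scope on the country's DHCP server (a member server, not a DC)
$PrimaryWins   = '10.1.0.10'
$SecondaryWins = '10.1.0.11'
$Scope         = '10.1.0.0'

# 1. Replication partnership in both directions. type=2 means push and pull; 0 is pull only,
#    1 is push only. Nothing is added for other countries: their databases stay separate.
netsh wins server \\$PrimaryWins   add partner server=$SecondaryWins type=2
netsh wins server \\$SecondaryWins add partner server=$PrimaryWins   type=2

# 2. Deliver WINS settings through DHCP: option 044 is the ordered server list (primary first),
#    option 046 the NetBIOS node type. 8 = h-node: query WINS first, broadcast only as a
#    fallback, which keeps NetBIOS broadcast traffic off the LAN.
netsh dhcp server scope $Scope set optionvalue 044 IPADDRESS $PrimaryWins $SecondaryWins
netsh dhcp server scope $Scope set optionvalue 046 BYTE 8

# 3. Checks: the partners each server knows about, and the options a lease will carry.
netsh wins server \\$PrimaryWins   show partner
netsh wins server \\$SecondaryWins show partner
netsh dhcp server scope $Scope show optionvalue
```

A workstation that has picked up the options shows "Node Type: Hybrid" and both WINS servers in ipconfig /all; one still showing "Broadcast" has not renewed its lease since the options were set.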

 

A.8.2 DHCP

The objective for the Windows Server 2003 DHCP service is to provide the automatic assignment of IP addresses and other TCP/IP configurable settings for the client computers.

By default, Windows 2000 and later clients register their own A records and ask the DHCP server to register their PTR records on their behalf. As there are no legacy clients or Unix machines to support with DHCP, there is no requirement to change this behaviour in the Xxx environment.

 

DHCP service on a Domain Controller

When the DHCP service is installed on a domain controller and is configured to perform dynamic DNS (DDNS) updates on behalf of its clients in zones that accept only secure dynamic updates, the DHCP server can overwrite records that it would otherwise have no permission to write.

This is because the DHCP service runs under the SYSTEM account, which on a domain controller carries the DC's own privileges over the DNS zones: a client that asks for a name already registered by another host gets the existing record overwritten. This name hijacking can be avoided by configuring the DHCP server with a dedicated, low-privilege domain account as its DNS dynamic update credentials, so that records are registered under that account rather than under the domain controller's identity.

Therefore, as a general rule, it is not recommended to run the DHCP service on a domain controller.

 

Design Decision

Unless there is a strong requirement, do not install the DHCP service on a machine acting as a Domain Controller.
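Where the strong requirement does exist and DHCP has to run on a DC, the mitigation described above, as an added example that is not part of the design document. The domain, the OU, the service account name and the sample host are hypothetical; dsadd and netsh are built into Windows Server 2003, dsacls comes with the Support Tools.

```powershell
# Added example (hypothetical names): make a DC-hosted DHCP server register DNS records
# under a dedicated low-privilege account instead of the DC's SYSTEM context, then check
# who owns a record it created.
$Domain   = 'corp.example'
$DomainDN = 'DC=corp,DC=example'
$Account  = 'svc-dhcp-dns'
$Password = Read-Host "Password for $Account"   # netsh needs the clear-text value below

# 1. A plain domain user is enough: with these credentials the DHCP server can create new
#    records and update only the records this account owns, nothing registered by anyone else.
dsadd user "CN=$Account,OU=Service Accounts,$DomainDN" -pwd $Password -pwdneverexpires yes -disabled no -desc 'DHCP DNS dynamic update credentials'

# 2. Hand the credentials to the DHCP service (GUI equivalent: DHCP console, server
#    Properties > Advanced > Credentials) and confirm they are stored.
netsh dhcp server set dnscredentials $Account $Domain $Password
netsh dhcp server show dnscredentials

# 3. Check a record that DHCP registered after the change. AD-integrated zones store every
#    record as a dnsNode object in the DomainDnsZones partition; its owner must be the
#    service account, not SYSTEM or the DC's computer account.
$HostName = 'pc-001'   # sample workstation, hypothetical
dsacls "DC=$HostName,DC=$Domain,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN" |
    Select-String -Pattern 'Owner', $Account, 'Domain Controllers'
```

Do not add the domain controller's computer account to the DnsUpdateProxy group as a shortcut: that group strips ownership from every record the member registers, so the DC's own SRV records would become writable by any authenticated client, which is the same hijack the dedicated account was meant to prevent.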

 

A.8.3 Time Service

Time synchronization is important with Windows 2003, XP and 2000 because these operating systems use Kerberos v5 as their default authentication protocol. The authenticator a client sends when requesting a ticket is time stamped.

For authentication to work, the clock skew between any two computers in the forest must be less than 5 minutes, the default of the Kerberos policy setting "Maximum tolerance for computer clock synchronization". The value is configurable through the domain Kerberos policy, which allows smaller thresholds.

Failure to authenticate with the Kerberos protocol prevents user logon and access to Windows resources in the domain.

Windows Time Service (W32Time) provides network clock synchronization on Windows Server 2003 without extensive configuration or additional software. It is designed to keep clocks inside the Kerberos tolerance, not to provide high-precision (millisecond) time.

 

Time synchronization uses the Windows Time Service, which runs on all Windows 2000/XP/2003 computers. In a single-domain architecture, synchronization follows three levels:

1.       The PDC emulator of the domain synchronizes from an external time source, if one exists.

2.       The other domain controllers synchronize with the PDC emulator of their domain.

3.       Workstations and member servers synchronize with a domain controller of their domain.

When there is no external time source, the PDC emulator of the forest root domain is the time reference for all Windows machines. The reliability of its internal clock is therefore critical to the correct operation of Active Directory, and it is recommended to synchronize the PDCE with an authoritative external time source, for example a local atomic-clock receiver or well-known NTP servers on the Internet.

See http://www.ntp.org/ and http://ntp.isc.org/bin/view/Servers/NTPPoolServers

The list of public NTP Servers for Asia is maintained at http://www.pool.ntp.org/zone/asia

 

 Design Recommendation

Implement a reliable external Time Source shared by the Asia Zone country Forests.

 

Configuration

On the PDCE, execute the following commands in a Command Prompt. The peer list is a space-separated, quoted string; within each entry a comma separates the peer from its flags (0x8 = client mode). /reliable:yes advertises the PDCE as a reliable time source to the other domain controllers.

w32tm /config /syncfromflags:manual /manualpeerlist:"[FQDN address of public NTP server for the country],0x8 0.asia.pool.ntp.org,0x8" /reliable:yes

w32tm /config /update

w32tm /resync
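The other two levels of the hierarchy, plus a check that the resulting skew stays inside the Kerberos tolerance, as an added example that is not part of the design document. The PDCE and peer names are hypothetical; w32tm /stripchart and /syncfromflags:domhier are standard Windows Server 2003 w32tm options.

```powershell
# Added example (hypothetical names): run on a member server, workstation or non-PDCE DC.
# It points the machine at the domain hierarchy and then measures its offset against the
# PDCE (and optionally an external peer) so a drifting clock is caught before logons fail.
$KerberosMaxSkewSeconds = 300   # Kerberos policy default "Maximum tolerance for computer clock synchronization"

function Get-TimeOffsetSeconds {
    param([string]$Computer, [int]$Samples = 3)
    # "/stripchart /dataonly" prints one line per sample, e.g. "12:00:01, +00.0123456s";
    # anything else (headers, error codes) carries no offset and is skipped.
    $lines = w32tm /stripchart /computer:$Computer /samples:$Samples /dataonly
    $offsets = foreach ($line in $lines) {
        if ($line -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No NTP samples from $Computer (unreachable, or UDP/123 blocked)" }
    ($offsets | Measure-Object -Average).Average
}

function Test-KerberosSkew {
    param([string[]]$Peers)
    foreach ($peer in $Peers) {
        $offset = Get-TimeOffsetSeconds -Computer $peer
        $ok = [math]::Abs($offset) -lt $KerberosMaxSkewSeconds
        '{0,-28} offset {1,10:N3} s  {2}' -f $peer, $offset, $(if ($ok) { 'OK' } else { 'EXCEEDS KERBEROS TOLERANCE' })
    }
}

# Levels 2 and 3 of the hierarchy: take time from the domain, never directly from the Internet,
# so that every clock in the domain converges on the PDCE.
w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover

Test-KerberosSkew -Peers @('dc01.corp.example', 'ntp.example.country')
```

An offset measured in seconds against the PDCE is normal right after a reboot and should shrink on the next resync; one that stays above a few seconds, or grows, points at a blocked UDP/123 path or at a VM host overriding the guest clock, both of which should be fixed well before the 300 s limit is reached.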

 

Author: KingKingM
