
VPN Design Guidelines

If you must allow Internet traffic inside your inner firewall and into the private network, implement a VPN solution. Using a VPN server, only clients that can establish a secure connection with the VPN server can access resources on the private network. The following graphic shows one way to configure a firewall to accommodate VPN traffic.
In this example, the DMZ contains an FTP and DNS server available to the public as well as the VPN server. Allow the following traffic to pass through the external firewall, rejecting all other traffic:
- FTP traffic sent to 135.41.11.1
- DNS traffic sent to 135.41.11.2
- VPN traffic sent to 135.41.11.3 (the protocol type allowed depends on whether L2TP or PPTP is used for the tunneling protocol)
Note: With a VPN connection, incoming VPN traffic is encapsulated and is sent to the VPN server, even if the final destination is on the private network. The outer firewall will inspect the incoming VPN traffic and find it addressed to the VPN server, not to the private network. For this reason, the outer firewall should not allow incoming traffic directed to network 192.168.1.55.
To complete the configuration, configure the following items on the VPN server.
- Configure the VPN server with the appropriate VPN tunneling protocol.
- Configure addressing on the VPN server for clients. When a VPN connection is initiated, the remote client gets an IP address on the private network so it can communicate with hosts on the private network. You can configure the VPN server to assign IP addresses in one of two ways:
  o Configure the VPN server to get IP addresses for clients from a DHCP server on the private network. When using DHCP, DHCP traffic does not pass through the external firewall because all communication between private hosts and the VPN server appears as VPN traffic to the firewall.
  o Configure the VPN server with a range of IP addresses that it can assign.
  In this example, the VPN server will pass out IP addresses from the 192.168.1.0 network.
- If the private network has more than one subnet, configure static routes on the VPN server. This allows external clients to access all subnets in the private network.
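The external-firewall allow list above, as an added example that is not from the original page: a small Python policy evaluator that accepts only the three DMZ services and refuses anything addressed to the private network, with the VPN services chosen by tunneling protocol. The /24 mask on 192.168.1.0, the standard service ports (FTP 21, DNS 53, PPTP TCP 1723 plus GRE, L2TP/IPsec IKE UDP 500/4500 plus ESP) and the sample packets are assumptions, not from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Addresses from the page's example DMZ. The /24 mask on the private
# network is an assumption (the page gives only "the 192.168.1.0 network").
FTP_SERVER = ipaddress.ip_address("135.41.11.1")
DNS_SERVER = ipaddress.ip_address("135.41.11.2")
VPN_SERVER = ipaddress.ip_address("135.41.11.3")
PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str                   # "tcp", "udp", "gre" or "esp"
    dport: Optional[int] = None  # only meaningful for tcp/udp


# A rule is (label, allowed destination host, set of (proto, dport) services).
Rule = Tuple[str, ipaddress.IPv4Address, Set[Tuple[str, Optional[int]]]]


def build_rules(tunnel: str) -> List[Rule]:
    """Ordered allow list for the external firewall; everything else is rejected.

    Which VPN protocols are opened depends on the tunneling protocol in use,
    as the page notes. Port numbers are assumed standard values, not from the page.
    """
    vpn_services = {
        "pptp": {("tcp", 1723), ("gre", None)},                # PPTP control + GRE data
        "l2tp": {("udp", 500), ("udp", 4500), ("esp", None)},  # IKE, NAT-T, ESP
    }[tunnel]
    return [
        ("ftp", FTP_SERVER, {("tcp", 21)}),
        ("dns", DNS_SERVER, {("udp", 53), ("tcp", 53)}),
        ("vpn", VPN_SERVER, vpn_services),
    ]


def decide(pkt: Packet, rules: List[Rule]) -> str:
    """Return 'allow:<rule>' or 'reject:<reason>' for one inbound packet."""
    dst = ipaddress.ip_address(pkt.dst)
    # The page's note: the outer firewall never accepts packets addressed straight
    # to the private network; legitimate VPN traffic arrives addressed to the VPN server.
    if dst in PRIVATE_NET:
        return "reject:private-destination"
    for label, host, services in rules:
        if dst == host and (pkt.proto, pkt.dport) in services:
            return f"allow:{label}"
    return "reject:default"


def audit(packets: List[Packet], rules: List[Rule]) -> Dict[str, int]:
    """Count verdicts over a batch of packets (e.g. a constructed capture)."""
    counts: Dict[str, int] = {}
    for pkt in packets:
        verdict = decide(pkt, rules)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample traffic, not a real capture.
    sample = [
        Packet("135.41.11.1", "tcp", 21),    # FTP to the FTP server: allowed
        Packet("135.41.11.3", "tcp", 1723),  # PPTP control to the VPN server: allowed
        Packet("135.41.11.3", "gre"),        # GRE to the VPN server: allowed
        Packet("192.168.1.55", "tcp", 445),  # addressed to the private network: rejected
        Packet("135.41.11.1", "tcp", 22),    # SSH to the FTP server: rejected
    ]
    for pkt in sample:
        print(pkt, decide(pkt, build_rules("pptp")))
```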
Active Directory Structure Facts
You should know the following facts about the Active Directory logical structure:
- A domain is a security and replication boundary.
- Active Directory uses DNS for domain naming and to identify the relationship between domains.
- A tree is one or more domains with a contiguous DNS namespace.
- A forest is one or more domains that have a common schema, directory configuration, and global catalog.
- Automatic, two-way, transitive trusts exist between all domains in a forest.
- Domains in a forest might be in multiple trees (in other words, domains in a forest might not form a contiguous namespace).
- Organizational units (OUs) are containers within a domain that you use to organize the Active Directory structure.
You should know the following facts about the Active Directory physical structure:
- The physical structure is completely separate from the logical structure.
- Each forest has a single site topology.
- Sites represent well-connected networks. Site links identify connections between sites.
- Sites are primarily used to control Active Directory replication. Other applications can use sites as well to make efficient use of WAN link bandwidth.
- A bridgehead server is a domain controller that communicates across a site link.
Logical Structure Design Guidelines
Designing Forests
When you plan an Active Directory structure, you should always assume that the final structure will be a single domain. Even when there are multiple domains, they will almost always be in the same forest. The following table lists some things to consider in designing forest boundaries.
Reasons to Create Multiple Forests:
- To connect two independent organizations. This can result from a merger or acquisition, and it can be temporary (until one forest is migrated to the other) or permanent.
- To create a completely independent unit (for testing or administration). Administration does not cross forest boundaries.
- To maintain different Active Directory schemas.
Disadvantages to Having Multiple Forests:
- It's more difficult to find resources because there is more than one global catalog, and users must specify which forest to look in.
- Users must be taught how to use the default principal name when logging onto computers outside of their forest.
- Multiple forests often require more IT staff, which raises costs. Administrators must manage multiple schemas, DNS name resolution across forest boundaries needs special attention, and trusts between domains in the forest must be created.
When you have multiple forests, you must configure trust relationships between the forests to allow cross-forest access. Use one of the following trust types between forests or domains in different forests.
Trust Type | Characteristics
Forest Trust:
- Can be one-way or two-way.
- Established between the forest root domains in each forest.
- Transitive within domains of both forests, but non-transitive to other forests. (Forest A trusts forest B, and forest B trusts forest C, but forests A and C do not share trust.)
- Requires all forests to be raised to Windows 2003 functional level (all domain controllers in all forests must be running Windows Server 2003).
External Trust:
- Can be one-way or two-way.
- Established between two domains in separate forests.
- Non-transitive with other domains in the forest.
Designing Trees
In most cases, the tree structure within your forest is a by-product of other design considerations. Multiple trees exist when the DNS namespace within the forest is not contiguous. For example, you might have a non-contiguous namespace if part of the company already has a registered DNS namespace in use, or if two companies merge but want to support both DNS namespaces.
Designing Domains
With Active Directory, domains can hold a large number of objects. For this reason, most implementations can use a single domain. Administration within the domain is delegated by using Organizational Units (OUs).
Reasons to Create Multiple Domains:
- To implement different domain-level security policies. For example, account lockout and password policies can only be configured once per domain. If separate parts of a company have separate account lockout and password policies, you'll need multiple domains to enforce them.
- To create nearly independent administrative boundaries. However, in most cases, you will use Organizational Units (OUs) to delegate administrative control.
- To use different namespaces for different parts of an organization.
- To retain an older, existing architecture, like Windows NT.
- To put the Schema Master in its own domain.
- To allow for cultural and geographical differences.
- To compensate for poor WAN links that inhibit replication. If WAN links can't handle replication between sites in a domain, it may be better to create multiple domains.
Disadvantages to Having Multiple Domains:
- Added cost of the increased number of domain controllers.
- Increased administration in establishing domain account policies.
- The possibility of having to create shortcut trusts to make resource access more efficient.
- The need to grant, monitor, and manage multiple sets of domain administrative rights.
Trust Design Guidelines
Windows Server 2003 creates automatic, two-way, transitive trusts between parent and child domains. Automatic, two-way transitive trusts are also created among all tree root domains within a single forest. The automatic trusts are adequate for most situations, but there are other types of trusts you should be aware of. The table below lists each trust and its characteristics.
Trust | Description
External:
- Used to create a trust with an NT domain (for example, to establish a trust relationship with an NT 4.0 domain prior to migrating NT domain objects into Active Directory)
- One-way
- Two one-way trusts can simulate a two-way trust
- Non-transitive
Shortcut:
- Used to create a direct trust between domains that might already be linked through a series of transitive trusts
- Allows quicker response between the domains
- Allows the domains to pass authentication requests directly between themselves
Realm:
- Used to create a trust with a non-Windows realm
- Non-Windows realm must use Kerberos V5
- Transitive or non-transitive
- One- or two-way
Forest:
- Makes multiple forest management easier
- All forest domain controllers must be at 2003 functional level
- Non-transitive between other forests (forest A trusts forest B and forest B trusts forest C, but forests A and C don't share trust)
User logon can have an impact on trust design when you have multiple forests. In addition, you should understand how to customize user logon using explicit (or custom) UPN (User Principal Name) suffixes.
- The implicit, or built-in, UPN suffix is configured as username@domain.com.
- You can manually configure an explicit UPN suffix (username@anystring) to make the logon string consistent throughout the forest or to make logon more intuitive to the user.
- If you design the system to use explicit UPN suffixes to log on to the network, users must have access to a Global Catalog server.
- When using explicit UPN suffixes, make sure all user names in the forest are unique.
- When using external trusts between two forests, users cannot use UPN logons because the Global Catalog servers cannot communicate with one another. Users must log on using NetBIOS compatible logons.
- If a forest trust has been established, users can log on using the UPN logon from anywhere in either forest. NetBIOS logons can only be used to log on in the root domains.
Functional Level Types
The table below shows the domain functional levels.
Domain Functional Level | Domain Controller Operating Systems | Features
2000 Mixed | NT, 2000, 2003 | The following features are available in 2000 Mixed:
- Universal groups are available for distribution groups.
- Group nesting is available for distribution groups.
2000 Native | 2000, 2003 | The following features are available in 2000 Native:
- Universal groups are available for security and distribution groups.
- Group nesting.
- Group converting (allows conversion between security and distribution groups).
- SID history (allows security principals to be migrated among domains while maintaining permissions and group memberships).
2003 | 2003 | The following features are available in 2003:
- All features of 2000 Native domains.
- Domain controller rename.
- Update logon time stamp.
- User password on InetOrgPerson object.
Forest functional levels depend on the domain functional levels. The table below shows the forest functional levels.
Forest Functional Level | Domain Functional Level | Features
2000 | 2000 Mixed or 2000 Native | The following features are available in 2000:
- Global catalog replication improvements are available if both replication partners are running Windows Server 2003.
2003 | 2003 | The following features are available in 2003:
- Global catalog replication improvements
- Defunct schema objects
- Forest trusts
- Linked value replication
- Domain rename
- Improved AD replication algorithms
- Dynamic auxiliary classes
- InetOrgPerson objectClass change
FSMO Design Guidelines
The following table lists the operation masters at the domain and forest levels. Only one domain controller in the domain or forest performs each role.
Forest-level FSMO | Function and Characteristics
Domain Naming Master:
- Ensures that domain names are unique.
- Must be accessible to add or remove a domain from the forest.
- In a multiple domain environment, it must also be a global catalog server.
Schema Master:
- Maintains the Active Directory schema for the forest.
- Any schema updates must be performed by a member of the Schema Admins group.
Domain-level FSMO | Function and Characteristics
RID Master:
- Ensures domain-wide unique relative IDs (RIDs).
- The RID master allocates pools of IDs to each domain controller.
- When a DC has used all the IDs, it gets a new pool of IDs.
PDC Emulator:
- Emulates a Windows NT 4.0 primary domain controller (PDC).
- Replicates password changes within a domain.
- Ensures synchronized time within the domain (and between domains in the forest).
Infrastructure Master:
- Tracks moves and renames of objects.
- Updates group membership changes.
You should know the following facts about operation master roles:
- By default, the first domain controller in the forest holds all operation masters.
- When you create a new domain, the first domain controller holds the three domain operation masters (RID master, PDC emulator, infrastructure master). If you retain this configuration (recommended), the first domain controller cannot host the global catalog, or if it does host the global catalog, every other domain controller in the domain must host the global catalog as well.
- When you have multiple sites in a domain, place the operations masters in the site with the most users. If all sites have roughly equal numbers of users, make sure the FSMOs are in a site that all of them can access.
- With a few exceptions, the infrastructure master should not be located on a global catalog server. (If it is, all DCs in the domain must host the global catalog.)
- One design option is to create the forest root domain without any other resources (users or computers). This allows you to separate the forest-wide masters from any other domains.
Automated Installation
As part of the implementation plan, you should consider whether to use an automated installation method to install client and server operating systems and install domain controllers. Not only will it save time, but by automating the install you are more likely to have consistent settings throughout the enterprise. The following table compares various automated installation methods.
Method | Characteristics | Use to...
Unattended Install:
- Create an answer file to automate responses to installation questions.
- To install, start the installation and point to the response file location.
- To install a domain controller, set the RunOnce option in the answer file to run Dcpromo after the installation has completed. Use a script file to automate domain controller installation.
- Use to: Perform a clean install or an upgrade of client or server operating system. Automatically install a domain controller.
Sysprep:
- Create a disk image.
- Deploy the disk image to multiple servers with similar hardware.
- Use to: Perform a clean install of client or server operating system on computers with similar hardware.
Syspart:
- Create a disk image and a script file to accommodate unique hardware.
- Use to: Perform a clean install of client or server operating system on computers with dissimilar hardware.
Advanced Deployment Services (ADS):
- An enterprise disk imaging solution (similar to Sysprep or Syspart).
- Use to: Perform a clean install of client or server operating system.
Remote Installation Services (RIS):
- Prepare the operating system image and place it on a RIS server.
- A PXE-enabled network card on the computer boots and searches the network for a RIS server.
- The installation image is downloaded and automatically installed.
- Requires high bandwidth for copying the operating system image.
- Use to: Perform a clean install of client or server operating system. The installation can take place without an administrator present.
Systems Management Server (SMS):
- One component of SMS lets you upgrade software over the network.
- Use to schedule updates from a central location.
- Use to: Perform an upgrade of client or server operating system.
Note: If you are installing a domain controller, the only fully automated option is to use an unattended installation. Configure the installation to launch Dcpromo with a script to complete the installation. Using any other method of automated installation, you must either manually complete Dcpromo or combine the installation method with a scripted install of the domain controller.
Site Design Guidelines
Sites are used to control domain controller replication, to localize access to resources, and to speed up logon and resource access. More specifically, sites allow you to control:
- Active Directory replication between locations.
- Workstation logon traffic.
- Locating objects in Active Directory.
- Distributed File System (DFS) resource access.
- File Replication Service (FRS) characteristics.
- Properties for any site-aware application.
For site topology design, you need to know the following:
- The geographic locations of the company's offices.
- Each location's LAN specifications.
- Each location's TCP/IP subnets.
- WAN specifications between each location.
The following table shows special considerations for designing site characteristics.
Component | Considerations
Sites:
- A site is a collection of well-connected computers.
- Site boundaries typically follow LAN boundaries. If a WAN link connects two locations, you would have two sites.
- Sites must contain a domain controller. You cannot create a site if there is no domain controller in that location, regardless of the presence of a WAN link.
- If a location does not have many users, you might not need a separate site. (Users log on through local domain controllers.)
Site Links:
- A site link identifies connections between sites (and identifies the path replication traffic can use).
- Site links typically follow WAN links (but you are not required to create a site link for every WAN link).
Replication Schedule:
- The replication schedule determines when replication can take place.
- Modify the replication schedule to prevent replication from taking place during periods of high WAN traffic.
- Make sure your replication schedule allows for enough replication so that all Active Directory data gets replicated within allowed tolerances.
Replication Interval:
- The replication interval determines how often replication occurs during scheduled times.
- Make sure the replication schedule allows for sufficient replication between all sites within allowed tolerances. For example, if the schedule only allows replication during a three-hour period, make sure replication happens often enough during that time frame so that all data gets replicated throughout the network.
Link Cost:
- The link cost controls which link is used for replication.
- A lower link cost identifies a more desirable link.
- Link costs of all site links are added to obtain a total link cost between multiple sites. When replicating between multiple sites, the path with the lowest total cost is used (even if that path has more physical links).
- Use a high link cost to identify backup links that should only be used when the primary link is unavailable.
Bridgehead Servers:
- Bridgehead servers are the domain controllers that will communicate across site boundaries.
- Active Directory will automatically identify bridgehead servers if you don't.
- You can control which server is the bridgehead server by manually designating the bridgehead server.
- The bridgehead server compresses the information before it forces it across the site link. Because compression can be CPU intensive, designate a server with a high-end CPU as the bridgehead server.
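The link-cost rule in the table above (site link costs are summed, and the lowest total wins even over more hops, with high-cost links serving as backups), as an added example that is not from the original page: a lowest-total-cost path search over a constructed site-link topology, with a `down` parameter to mark a primary link unavailable. Site names and costs are constructed, not from the page.

```python
import heapq
from typing import Dict, Iterable, List, Optional, Tuple

# Site links as (site_a, site_b, cost). Constructed example topology.
# HQ-Branch2 is a deliberately expensive backup link: it loses to the
# two-hop path through Branch1 (100 + 100 = 200) unless that path is down.
SITE_LINKS: List[Tuple[str, str, int]] = [
    ("HQ", "Branch1", 100),
    ("Branch1", "Branch2", 100),
    ("HQ", "Branch2", 500),
    ("Branch2", "Branch3", 200),
]

Link = Tuple[str, str]


def build_graph(links: Iterable[Tuple[str, str, int]],
                down: Iterable[Link] = ()) -> Dict[str, List[Tuple[str, int]]]:
    """Undirected adjacency list, skipping links listed as unavailable."""
    unavailable = {frozenset(pair) for pair in down}
    graph: Dict[str, List[Tuple[str, int]]] = {}
    for a, b, cost in links:
        if frozenset((a, b)) in unavailable:
            continue
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    return graph


def cheapest_path(links: Iterable[Tuple[str, str, int]], src: str, dst: str,
                  down: Iterable[Link] = ()) -> Optional[Tuple[int, List[str]]]:
    """Return (total_cost, [sites]) for the lowest total-cost replication path,
    or None when no usable chain of site links connects src to dst."""
    graph = build_graph(links, down)
    best: Dict[str, int] = {src: 0}
    prev: Dict[str, str] = {}
    heap: List[Tuple[int, str]] = [(0, src)]
    while heap:
        cost, site = heapq.heappop(heap)
        if cost > best.get(site, float("inf")):
            continue  # stale queue entry
        if site == dst:
            path = [dst]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return cost, path[::-1]
        for nxt, link_cost in graph.get(site, []):
            total = cost + link_cost  # costs along the path are added together
            if total < best.get(nxt, float("inf")):
                best[nxt] = total
                prev[nxt] = site
                heapq.heappush(heap, (total, nxt))
    return None


if __name__ == "__main__":
    print("normal:", cheapest_path(SITE_LINKS, "HQ", "Branch2"))
    print("HQ-Branch1 down:", cheapest_path(SITE_LINKS, "HQ", "Branch2", down=[("HQ", "Branch1")]))
```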
Two reasons to use sites are to improve logon (by placing domain controllers closer to users and decreasing WAN traffic) and to speed up Active Directory queries. Two tools you can use for these purposes are global catalog servers and universal group membership caching.
Solution | Guidelines
Global Catalog Server:
- A global catalog server contains a partial listing of Active Directory objects and attributes.
- The global catalog server allows users to access resources from anywhere in the domain or forest without giving the specific location of the resource. Use global catalog servers in sites that have applications that need to search frequently for information in AD.
- Microsoft recommends that each site with more than 100 users have at least one global catalog server.
- All domain controllers in a single domain forest should be global catalog servers.
- You should not make a domain controller both the infrastructure master and a global catalog server (unless all domain controllers in the domain are global catalog servers).
Universal Group Membership Caching:
- Improves logon by caching logon credentials.
- Enabling the universal group membership caching feature for a site will let users who are members of a universal group log on in the event of a WAN link failure. If the only need is to obtain universal group membership information, enabling this feature for a site is a better solution than creating a global catalog server in the site.
- All servers in a site must be running Windows Server 2003 for universal group membership caching to work.
Multicast Routing
As part of your routing design, you might need to plan for multicast traffic. You should know the following facts about multicast routing:
- Multicasts allow devices such as streaming video servers to deliver packets to a group of hosts, as opposed to sending packets to all hosts (broadcasting) or to one specific host (unicasting).
- Multicasts are used by applications such as Microsoft's NetMeeting or Windows Media viewer.
- RIP v2 routers can also use multicasts for routing updates.
- The Routing and Remote Access service in Windows 2003 server supports the IGMP routing protocol.
- The Internet Group Management Protocol (IGMP) is used by routers to identify multicast group members (register hosts as a member of a group) and to forward multicast packets onto the segments where groups reside.
- To receive all multicast traffic on a network, the network interface adapters in a router must support multicast promiscuous mode.
You should be familiar with the multicast routing process:
1. Before a host can receive multicast traffic, it sends a multicast registration request. This registration request contains information about the multicast group the host wants to join.
2. When the multicast request arrives at intermediary routers, multicast-capable routers identify the multicast group and keep track of the network segment where the host resides. They then forward the request on to other routers, which do the same thing.
3. Receiving multicast traffic begins when the multicast server transmits its data stream on to the internetwork.
4. Routers in the path receive the traffic, and check their multicast group membership tables. They identify all connected segments that have group members, and forward the data stream on to those segments.
5. Each intermediary router performs the same tasks until the data stream eventually reaches the multicast client.
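The five-step process above, as an added simulation that is not from the original page: each router keeps a per-group membership table of the attached segments (or downstream routers) that registered, forwards registrations upstream toward the source, and then delivers a data stream only onto segments that have members, so a segment with no member never receives it. Router and segment names and the group address 239.1.1.1 are constructed.

```python
from typing import Dict, List, Optional, Set, Tuple, Union

# A requester is either a segment name (a host joined there) or a downstream router.
Requester = Union[str, "Router"]


class Router:
    """Multicast-capable router with one membership table per group."""

    def __init__(self, name: str, segments: List[str],
                 upstream: Optional["Router"] = None) -> None:
        self.name = name
        self.segments = set(segments)   # directly attached network segments
        self.upstream = upstream        # next router towards the multicast source
        # group -> requesters (segments or downstream routers) that have members
        self.members: Dict[str, Set[Requester]] = {}

    def register(self, group: str, requester: Requester) -> None:
        """Steps 1-2: record which segment (or router) wants the group,
        then forward the registration on to the next router upstream."""
        if isinstance(requester, str) and requester not in self.segments:
            raise ValueError(f"{requester} is not attached to {self.name}")
        self.members.setdefault(group, set()).add(requester)
        if self.upstream is not None:
            self.upstream.register(group, self)  # the next router does the same thing

    def forward(self, group: str) -> List[str]:
        """Steps 4-5: deliver one data stream only to segments with members,
        recursing through downstream routers until it reaches the clients."""
        delivered: List[str] = []
        for target in self.members.get(group, ()):
            if isinstance(target, Router):
                delivered.extend(target.forward(group))
            else:
                delivered.append(target)
        return sorted(delivered)


def build_demo() -> Tuple[Router, Router, Router]:
    """Constructed topology: the source sits on the core router; two edge routers
    hang off it with their own segments."""
    core = Router("core", ["seg-core"])
    east = Router("east", ["seg-A", "seg-B"], upstream=core)
    west = Router("west", ["seg-C"], upstream=core)
    return core, east, west


if __name__ == "__main__":
    core, east, west = build_demo()
    east.register("239.1.1.1", "seg-A")  # a host on seg-A joins the constructed group
    west.register("239.1.1.1", "seg-C")
    # Step 3: the source transmits; seg-B has no members, so it is not delivered to.
    print(core.forward("239.1.1.1"))
```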
