Module 12: Strategies for Combining Networking Services
Overview
- Benefits of Combining Services
- Constraints of Combining Services
- Securing a Design by Combining Services
- Discussion: Combining Networking Services
- Enhancing Availability by Combining Services
- Optimizing Performance by Combining Services
- Discussion: Enhancing Combined Services Solutions
By combining multiple networking services on a single Microsoft® Windows® 2000-based computer, you simplify the network and use hardware resources efficiently. Dedicating individual computers to single networking services increases the number of computers in the network. When more computers are added to the network, the administration and ongoing support of the network become more complex. In addition, by combining certain networking services, you improve the security, availability, and performance of the networking services design. In this module, you will evaluate and create designs that combine networking services on a single computer.
At the end of this module, you will be able to:
- Identify the benefits of combining networking services on a single computer.
- Improve the networking services design by specifying the appropriate combinations of networking services.
- Secure a networking services design by specifying the appropriate combination of networking services.
- Enhance the availability of networking services by specifying the appropriate combination of services.
- Optimize the performance of networking services by specifying the appropriate combination of services.
Benefits of Combining Services
- Reducing the Number of Computers
- Improving Security, Availability, and Performance
[Illustration: network diagram with the labels Internet, Router, Proxy Servers, Server Cluster, Subnet A, Subnet B, Screened Subnet C, Screened Subnet D, and Servers A1, A2, B1, C1, C2, D1, and D2.]
You can combine multiple networking services on a single computer to reduce the effort of managing the network. When combining networking services on a single computer, you must also consider the impact on the security, availability, and performance of the network.
Reducing the Number of Computers
You can optimize your network design by combining multiple networking services, which reduces the number of computers in the design. Combining services on a computer also reduces the effort of managing the network because there are fewer computers to monitor and maintain.
Combine services to reduce the number of computers in your network design if:
- Combining the services improves or achieves the design criteria for the security, availability, and performance of the network.
- The existing computer hardware resources can support the combined services.
- The organization's goal is to reduce the number of computers that it must manage and maintain.
In the preceding illustration, Server A1 is running DNS and Server A2 is running DHCP. If the hardware resources of Server A1 are sufficient to support DNS and DHCP, you can combine DNS and DHCP on Server A1. This eliminates the requirement for Server A2, or allows Server A2 to act as a redundant server to Server A1.
Improving Security, Availability, and Performance
The goal of combining networking services is not just to reduce the number of computers in your network design, but also to optimize your network design. You can optimize your networking services design to improve the security, availability, and performance of network resources.
The following table describes the situations in which combining networking services on the same computer can improve the security, availability, and performance of your network resources.
To improve | Combine the services to | Example
Security | Isolate the networking services that manage confidential data | When combining a remote access server with a DNS server that contains public zone data in a screened subnet
Availability | Reduce the probability of a failure that results in the loss of the networking service | When combining WINS and DHCP on a server cluster
Performance | Reduce the network traffic, or optimize the computer resources that are underused | When combining WINS and DNS on the same computer
You need to identify the primary reason for combining the networking services, and then prioritize secondary reasons accordingly. Ensure that you always achieve the primary reason, even at the expense of one of the secondary reasons. For example, in network designs in which security is a primary concern, ensure that the combination of networking services enhances the security of the network. After you have dealt with the security concerns, you can address the availability and performance concerns accordingly.
Constraints of Combining Services
- Hardware Resources
- Physical Networks
- Applications
The architecture of Windows 2000 allows you to combine the networking services on a single computer. Typically, you can set up any combination of networking services on a single computer by following a few guidelines.
Hardware Resources
The computer hardware resources are the most common constraint in combining networking services on a single computer. Each networking service requires different hardware resources. Some services require a large amount of memory resources, whereas other services are processor-intensive.
Tip: As a best practice, you can combine services on a single computer until the hardware resources of the computer are fully used.
Physical Networks
The physical network can constrain the combination of networking services because combining the networking services can create an increase in network traffic. The increase in network traffic can saturate intermediary routers or wide area network (WAN) segments.
You can combine services on the same computer in your network design if:
- The clients that access the combined services reside in the same geographic location as the computer that runs the combined services.
- The intermediary routers and network segments can support the increase in traffic when clients access the combined services from a remote segment.
Applications
Applications running on existing computers can prevent you from combining some networking services. Applications may consume all of the hardware resources and may require periodic restart of the computer for updates to the application.
Tip: As a best practice, avoid combining networking services on the same computer as application servers such as Microsoft SQL Server™ or Microsoft Exchange Server.
Securing a Design by Combining Services
[Illustration: network diagram with the labels Internet, Router, Proxy Servers, Server Cluster, Subnet A, Subnet B, Screened Subnet C, Screened Subnet D, and Servers A1, A2, B1, C1, C2, D1, and D2.]
In your networking services design, you include combinations of networking services that improve network security. Usually, you combine services on a computer that is within the private network. Combining networking services on computers that establish or reside within screened subnets can compromise the security of your network design. Proxy servers and routers are examples of these computers.
Combining Services Within the Private Network
Any computer that resides within the private network is at the lowest security risk within the organization. The risk is low because access to these computers is granted to only authenticated users within the organization. Because the computer resides within the private network, the security risks for combining services on this computer are addressed by the private network security.
Combining Services Within Screened Subnets
Any computer that resides within a screened subnet is at a higher security risk than a computer within the private network because access to the computers within screened subnets is granted to users outside the organization.
Within screened subnets, combine services on the same computer if all of the users that access the computer:
- Are at the same security level.
- Require access to all of the networking services running on the computer.
When combining services on the same computer within a screened subnet, consider that:
- After a user can communicate with that computer, all services are potentially at risk of unauthorized access.
- Most networking services store configuration information in the Windows 2000 registry, or in files on the computer. Without proper security measures, unauthorized users can gain access to the registry or these configuration files and modify the configuration of the networking service.
In the preceding illustration, consider combining DHCP, Routing and Remote Access, and Remote Authentication Dial-In User Service (RADIUS) on Server D1. If the users accessing Server D1 require access to only Routing and Remote Access and RADIUS, the DHCP service is at risk from unauthorized access. To prevent unauthorized access to DHCP, you must remove the DHCP services.
Isolating Services That Define Screened Subnets
Computers that run services used in defining screened subnets (such as Microsoft Proxy Server or Routing and Remote Access) are at the highest security risk in your design because unauthorized users can access them. When combining services on these computers, you must consider the risks involved in unauthorized users accessing these services.
Tip: On computers that connect to public networks, combine only those services that are required to define the screened subnet.
In the preceding illustration, consider combining Microsoft Proxy Server and DNS on one of the proxy server computers. The DNS service on the Proxy Server will be at risk because unauthorized users outside the private network might be able to access the DNS zone database.
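The combination rules in this section (private network, screened subnet, and computers that define a screened subnet) can be written as a design check. The following is an added example, not part of the original module; the zone labels, group names, and security-level labels are assumptions made for illustration, and the sample hosts are constructed from the Server D1 and proxy server examples above.

```python
from dataclasses import dataclass

# Placement labels (assumed names) for the three cases the module describes.
PRIVATE, SCREENED, BOUNDARY = "private", "screened", "boundary"

@dataclass(frozen=True)
class UserGroup:
    name: str
    security_level: str            # assumed label, e.g. "remote-staff"
    needs: frozenset               # services this group must reach

@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    services: frozenset
    users: tuple = ()              # UserGroup entries that can reach the host
    defines_subnet: frozenset = frozenset()  # services that create the subnet

def review(host):
    """Return (service, reason) findings for one proposed combination."""
    if host.zone == PRIVATE:
        return []                  # covered by private network security
    if host.zone == BOUNDARY:
        # Only services required to define the screened subnet belong here.
        return [(s, "not required to define the screened subnet")
                for s in sorted(host.services - host.defines_subnet)]
    if host.zone != SCREENED:
        raise ValueError(f"unknown zone: {host.zone!r}")
    if not host.users:
        return [("*", "no user groups declared, cannot evaluate")]
    findings = []
    levels = sorted({g.security_level for g in host.users})
    if len(levels) > 1:
        findings.append(("*", "mixed security levels: " + ", ".join(levels)))
    for svc in sorted(host.services):
        not_needed_by = sorted(g.name for g in host.users if svc not in g.needs)
        if not_needed_by:
            findings.append((svc, "exposed to users who do not need it: "
                                  + ", ".join(not_needed_by)))
    return findings

# Constructed sample designs based on the module's examples.
REMOTE = UserGroup("remote-access-users", "remote-staff",
                   frozenset({"Routing and Remote Access", "RADIUS"}))
SERVER_D1 = Host("Server D1", SCREENED,
                 frozenset({"DHCP", "Routing and Remote Access", "RADIUS"}),
                 users=(REMOTE,))
PROXY = Host("Proxy Server", BOUNDARY,
             frozenset({"Microsoft Proxy Server", "DNS"}),
             defines_subnet=frozenset({"Microsoft Proxy Server"}))
SERVER_A1 = Host("Server A1", PRIVATE, frozenset({"DNS", "DHCP"}))

if __name__ == "__main__":
    for h in (SERVER_D1, PROXY, SERVER_A1):
        for svc, reason in review(h) or [("-", "no findings")]:
            print(f"{h.name}: {svc}: {reason}")
```

Each finding names a service to move off the host, matching the module's advice to remove DHCP from Server D1 and to keep DNS off the proxy server.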
Discussion: Combining Networking Services
[Illustration: map with the locations Seattle, Los Angeles, Dallas, Winnipeg, Toronto, Montreal, New York, Washington DC, Atlanta, and Kansas City.]
To create designs in which you combine networking services, you need to determine the networking services to include in the design and how you will combine the networking services. The following scenario describes the current network configuration of a telemarketing company.
Scenario
A telemarketing research company conducts studies to collect demographics on potential consumers for other organizations' products and services. At each location, a group of market research analysts conducts telephone interviews to determine the purchasing decisions of the target consumer profile. Each location has a dedicated T1 or T3 connection to the Internet. The market research analysts use a Web-based application for call tracking and recording of the consumer responses. The organizations that are funding the study can examine the results over the Internet by using a Web-based application, or they can access the data directly from a Microsoft SQL Server™ located in the Kansas City location.
Enhancing Availability by Combining Services
- Combining with Signed Drivers and Third-Party Software
- Combining with Windows Clustering
If you combine multiple services on a single computer, the availability of that computer becomes essential for network operation. If you combine services to meet the high availability requirement of specific networking services, you must select a combination of services that ensures the availability of the required services.
You can increase the availability of services combined on a single computer with hardware fault-tolerance solutions. You can also enhance the availability of the networking services by:
- Combining services on computers that have signed device drivers, signed applications, signed services, and stable, third-party software.
- Combining the networking services with Windows Clustering technologies.
Combining with Signed Drivers and Third-Party Software
- Signed Software
- Third-Party Software
[Illustration: network diagram with the labels Internet, Router, Proxy Servers, Server Cluster, Subnet A, Subnet B, Subnet C, Subnet D, and Servers A1, A2, B1, C1, C2, D1, and D2.]
You can enhance the availability of the networking services by combining services on computers that have signed device drivers, signed applications, signed services, and stable, third-party software. Signed software is tested and certified by Microsoft to be reliable.
Combining Services with Signed Software
Windows 2000 supports signed device drivers, signed services, and signed applications. Signed software contains a digital signature that identifies the manufacturer of the software. When unsigned software is loaded, Windows 2000 issues a warning.
Tip: As a best practice, load only signed device drivers and services on the computers that require high availability.
In the preceding illustration, consider combining the DNS and WINS services on Server B1. Because Server B1 provides DNS and WINS name resolution for all users on Subnet B, the design requires these services to be highly available. Load only signed drivers on Server B1 to reduce the risk of an unsigned driver becoming unstable and forcing a restart of the computer.
Combining Services with Third-Party Software
Windows 2000 signed device drivers, applications, and services are tested and certified to run on the same computer. Unsigned third-party device drivers, applications, or services are not necessarily tested and certified to run on the same computer. An unstable third-party device driver, application, or service can force a computer restart. Combine networking services with unsigned third-party software when the software is proven to be stable.
In the preceding illustration, consider a scenario in which Server D1 runs an unsigned, third-party gateway service that periodically becomes unstable. To reduce the risk of the service becoming unstable and forcing a restart of the computer, avoid combining services that require high availability on Server D1.
Combining with Windows Clustering
- Cluster-Aware Networking Services
- Cluster-Unaware Networking Services
[Illustration: network diagram with the labels Internet, Router, Proxy Servers, Server Cluster, Subnet A, Subnet B, Subnet C, Subnet D, and Servers A1, A2, B1, C1, C2, D1, and D2.]
Certain networking services, such as DHCP and WINS, directly integrate with Windows Clustering technologies and are known as cluster-aware services.
Combining Networking Services That Are Cluster-Aware
Cluster-aware services, such as WINS, automatically store any necessary data on the cluster-based drives. Cluster-aware services automatically fail over when the primary server in the cluster fails.
When combining networking services that are cluster-aware, ensure that:
- Both servers in the cluster have the services installed and configured for automatic failover.
- The networking services select different primary servers to improve performance.
In the preceding illustration, consider distributing DHCP and WINS within the server cluster by assigning Server C1 as the primary server for DHCP and backup server for WINS. You would then assign Server C2 as the primary server for WINS and backup server for DHCP.
Combining Networking Services That Are Cluster-Unaware
When combining networking services that are cluster-unaware, ensure that:
- Both servers in the cluster have the services installed and configured for automatic failover.
- Any data used by the networking service is stored on a shared cluster drive. For example, for DNS, you would store the DNS zone files on the shared cluster drive.
- The networking services select different primary servers to improve performance.
Optimizing Performance by Combining Services
- Combinations That Reduce Network Traffic
- Combinations That Avoid Resource Contention
By combining networking services on a single computer, you increase the resources used on that computer. The performance of each networking service is based on the availability of resources to the service. The performance of a service can deteriorate if the availability of critical resources is constrained. You can optimize performance by using combinations that reduce network traffic and avoid resource contention.
In this lesson, you will learn about the following topics:
- Combinations that reduce network traffic
- Combinations that avoid resource contention
Combinations That Reduce Network Traffic
[Illustration: network diagram with the labels Internet, Router, Proxy Servers, Server Cluster, Subnet A, Subnet B, Screened Subnet C, Screened Subnet D, and Servers A1, A2, B1, C1, C2, D1, and D2.]
Within your network, many networking services may frequently exchange information. If the services are on separate computers, the information must travel across the network, thereby increasing the network traffic.
Combine services on the same computer to reduce network traffic in your design if:
- The networking services exchange a large amount of information over a period of time.
  In the preceding illustration, assume that Server D1 is a remote access server and Server B1 is a DHCP server. Server D1 and B1 exchange only 200 kilobytes (KB) of information in a 24-hour period of time. Combining these services on the same computer would result in a negligible reduction of network traffic.
  In the preceding illustration, consider another example in which Server A1 runs DHCP and Server A2 runs DNS. The DHCP service on Server A1 performs dynamic updates to the DNS service on Server A2. You can combine DHCP and DNS on Server A1 to reduce the network traffic on Subnet A.
  You can combine many instances of the networking services. In the preceding illustration, Servers A1, B1, and C1 are DHCP servers that dynamically update a DNS server running on Server D2. Combining Server A1 and D2 would result in a minimal reduction of traffic. However, combining Servers A1, B1, C1, and D2 would result in a significant reduction of traffic because all instances of the DHCP services and DNS services are running on the same computer.
- Combining the networking services does not cause the network design's functionality, availability, or performance to fall below the design specifications.
Combinations That Avoid Resource Contention
[Illustration: network diagram with the labels Internet, Router, Proxy Servers, Server Cluster, Subnet A, Subnet B, Screened Subnet C, Screened Subnet D, and Servers A1, A2, B1, C1, C2, D1, and D2.]
The performance of each networking service is based on the resources available to the service. Certain services use more of one specific resource than of others; for example, a service may consume a lot of memory but very little processor, disk, or network resources.
Tip: As a best practice, combine networking services on a single computer to improve performance if the computer has sufficient resources for all services.
You can optimize the performance of networking services by:
- Combining networking services on computers that have sufficient resources as required by the services. In the preceding illustration, place services that heavily use disk resources on Server D1, which has a large-capacity, high-speed disk subsystem to improve performance.
- Isolating networking services that consume the resource that is limited on a server. In the preceding illustration, you can move services that heavily use processor resources from Server D1 to Server D2, which has multiple high-performance processors.
Discussion: Enhancing Combined Services Solutions
[Illustration: map with the locations Seattle, Los Angeles, Dallas, Winnipeg, Toronto, Montreal, New York, Washington DC, Atlanta, and Kansas City.]
After you have provided a basic combined services solution, you need to examine the availability and performance requirements for the solution. The following scenario describes the requirements for enhancing the combined services design of a telemarketing company.
Scenario
After you have optimized the combined services solution to reduce the number of computers, you will revisit the design to improve the availability and performance of the solution. You will re-evaluate the design for each location. The market research company is now expanding to include a new profit center for inbound telesales. Customer service agents will collect orders from television commercials. Between 7:00 P.M. and 9:30 P.M., 85 percent of all sales occur.
Objectives
After completing this lab, you will be able to:
- Evaluate an existing scenario to determine the requirements that affect a combined services design.
- Design a combined services solution for the given scenario.
Prerequisites
Before working on this lab, you must have:
- Knowledge of the design decisions required to create a combined services design.
- Knowledge of combined services strategies to enhance the security, availability, and performance.
Exercise 1: Designing a Combined Services Solution
In this exercise, you are presented with the task of creating a combined services solution for an insurance firm. The insurance firm has a central office and multiple regional offices. You are assigned to the central office. You will design a combined services solution that supports the organization's Internet connectivity requirements. You will record your solution on a specific design worksheet. Review the scenario, the design requirements, and the diagram. Follow the Design Worksheet Instructions to complete the Combined Services Design Worksheet.
Scenario
An insurance firm is evaluating its existing network in preparation for the deployment of Windows 2000. As a consultant to the firm, you have been assigned the task of evaluating and redesigning the current network. The insurance firm has a central office that handles billing and accounting for the firm. In addition, the firm has six regional offices that support the insurance agents within each region. The insurance agent offices are independently owned and operated. The agent offices can consist of an individual agent or a group of agents working at a single location.
Design Limitations and Requirements
Investigation of the current network, user traffic patterns, and future network requirements reveals additional information that must be considered when making your design decisions.
Applications
The insurance firm uses a number of applications to conduct the day-to-day operations. To create a solution for the insurance firm, your design must provide:
- Support for a mission-critical Web-based application that manages customers and their policies.
- Support for a mission-critical Web-based application that allows customers to check on the status of claims and historical claim payment information over the Internet.
- Private network access to all shared folders and Web-based applications from the central office and regional offices.
- Internet access from the central office and the regional offices.
- Support for all mission-critical applications to be available 24 hours a day, 7 days a week.
Connectivity
The applications used by the insurance firm require connectivity between the central office and regional offices. When creating the design for the insurance firm, remember that your design must provide:
- Support for the regional offices to connect to the central office by using dedicated connections over the Internet.
- Isolation of the central office and the regional offices from the Internet.
Review
- Benefits of Combining Services
- Constraints of Combining Services
- Securing a Design by Combining Services
- Discussion: Combining Networking Services
- Enhancing Availability by Combining Services
- Optimizing Performance by Combining Services
- Discussion: Enhancing Combined Services Solutions