

Chapter 2 • Planning Server Roles and Server Security

Before setting up a server role (as we will do in Exercise 2.1, later in this chapter), it is important to understand each of the roles that can be applied to Windows Server 2003. In the sections that follow, we will discuss these roles in greater detail and examine how they are installed with the Configure Your Server Wizard and other tools.

Domain Controllers (Authentication Servers)

Domain controllers are a fundamental part of a Microsoft network because they are used to manage domains. A domain is a logical grouping of network elements, including computers, users, printers, and other components that make up the network and allow people to perform their jobs. When a server is configured to be a domain controller (DC), it can be used to manage these objects and provide other capabilities for configuring and controlling your network.

An important function of a domain controller is user authentication and access control. Authentication is used to verify the identity of an object such as a user, application, or computer. For example, when a user logs on to a domain, he or she will enter a username and password, which is compared to information that is stored on the domain controller. If the information provided by the user matches data in the user account, the domain controller considers the person to be authentic. The process continues by giving an appropriate level of access, so the user can utilize resources on the network. Access control manages which services and resources users (or other objects) are permitted to use and how they can use them. By combining authentication and access control, a user is permitted or denied access to network services and resources.

Active Directory

To perform these functions, the domain controller must have information about users and other objects in a domain. In Windows 2000 and Windows Server 2003, this data is stored in Active Directory (AD), which is a directory service that runs on domain controllers. A directory serves as a structured source of information, containing data on objects and their attributes. Objects in the directory represent elements of your network (including users, groups, and computers). Attributes are values that define an object (such as its name, location, security rights, and other features). Using tools that access AD, an administrator can manage an object’s attributes to provide information that is accessible to users and control security at a granular level. By serving as a data store of information about a domain, AD is the means by which administrators achieve greater and more flexible control over a network.

When AD is installed, the server becomes a domain controller. Until this time, it is a member server that cannot be used for domain authentication and management of domain users or other domain-based objects. This does not mean, however, that AD can be installed on every version of Windows Server 2003. It can be installed on Standard Edition, Enterprise Edition, and Datacenter Edition, but servers running the Web Edition of Windows Server 2003 cannot be domain controllers. Web Edition servers can be only stand-alone or member servers that provide resources and services to the network.