Active Directory Overview

Active Directory Overview. Name: 范尧. Certifications: CCIE\H3CTE\CIW Security Analyst\MCSE. Hunan Myway guest lecturer, www.hnmyway.com. Active Directory Overview agenda: basic concepts of Active Directory; the structure of Active Directory; managing operations masters; DNS and Active Directory; how to build Active Directory. Agenda (cont.): managing users and groups; publishing resources in Active Directory; Group Policy; common tools; Windows 2003 new features. Basic concepts of Active Directory: what is Active Directory; Active Directory objects; the Active Directory schema; Active Directory and LDAP. Server1. Server2. Users. What is Active Directory. - PowerPoint PPT Presentation

Transcript of Active Directory Overview

  • TPC-C 2003/5: UP 100%; 2P 98%; 4P 102%; 8P 139%

    Windows Server 2003 / .NET: 91%, 34%, 70% (source: http://www.middleware-company.com/documents/j2eedotnetbenchmark.pdf)

    Web Application Benchmark (no images), Peak Throughput (Pages/sec)

                                  2CPU    4CPU    8CPU
    J2EE Application Server A      275     457     655
    J2EE Application Server B       77     138     161
    .NET 1.0/W2K                   477     835    1140
    .NET 1.1/Windows.NET           482     893    1447

    Web Application Benchmark (no images), Maximum User Load (Concurrent Users)

                                  2CPU    4CPU    8CPU
    J2EE Application Server A     3500    6000    8000
    J2EE Application Server B     1000    1750    2250
    .NET 1.0/W2K                  6000   10500   14000
    .NET 1.1/Windows.NET          6000   11500   16500
    Improvement (.NET 1.0/W2K -> .NET 1.1/Windows.NET)   0%   10%   18%

    Web Application Benchmark (image download on), Peak Throughput (Pages/sec)

                                  2CPU    4CPU    8CPU
    J2EE Application Server A      641    1141    1569
    J2EE Application Server B      183     274     335
    .NET 1.0/W2K                  1108    2919    4055
    .NET 1.1/Windows.NET          2112    3914    6883
    Improvement (.NET 1.0/W2K -> .NET 1.1/Windows.NET)  91%   34%   70%

    Web Application Benchmark (image download on), Maximum Supported Users

                                  2CPU    4CPU    8CPU
    J2EE Application Server A     2250    3500    5200
    J2EE Application Server B      750     800    1100
    .NET 1.0/W2K                  3500    6500    9000
    .NET 1.1/Windows.NET          4500    9000   13000
    Improvement (.NET 1.0/W2K -> .NET 1.1/Windows.NET)  29%   38%   44%

    Web Service, Peak Throughput (pages/sec)

                                  2CPU    4CPU    8CPU
    J2EE Application Server A       73     135     178
    J2EE Application Server B       90     146     218
    .NET 1.0/W2K                   284     494     699
    .NET 1.1/Windows.NET           314     579     947
    Improvement (.NET 1.0/W2K -> .NET 1.1/Windows.NET)  11%   17%   35%

    Web Service, Maximum Supported Users

                                  2CPU    4CPU    8CPU
    J2EE Application Server A      900    2000    2200
    J2EE Application Server B     1100    1750    2500
    .NET 1.0/W2K                  3500    6200    9000
    .NET 1.1/Windows.NET          4200    7500   12000
    Improvement (.NET 1.0/W2K -> .NET 1.1/Windows.NET)  20%   21%   33%

    Web Service via Proxy to Remote WS Host, Peak Throughput (pages/sec)

                                  2CPU    4CPU    8CPU
    J2EE Application Server A      117     186     189
    J2EE Application Server B       88     182     207
    .NET 1.0/W2K                   147     240     333
    .NET 1.1/Windows.NET           295     472     675
    Improvement (.NET 1.0/W2K -> .NET 1.1/Windows.NET) 101%   97%  103%

    Web Service via Proxy to Remote WS Host, Maximum Supported Users

                                  2CPU    4CPU    8CPU
    J2EE Application Server A     1500    2250    2000
    J2EE Application Server B     1200    2250    2500
    .NET 1.0/W2K                  1800    3100    4500
    .NET 1.1/Windows.NET          3500    6100    7500
    Improvement (.NET 1.0/W2K -> .NET 1.1/Windows.NET)  94%   97%   67%

    Active Directory: ADMT 2.0, schema, GC, LDAP

    *

    Active Directory - Update & Add User, LDAP: WS03 vs. Win2K

    Update throughput improvement: UP 74%; 4P 292%; 8P 345%. Update UP-to-8P scaling: 2.4x on Windows Server 2003, 1.2x on Win2K. Add User throughput improvement: 4P 281%. LDAP: Search and Add up to 4x improvement.

    LDAP sub-tree search, 1 attribute (chart: Searches/sec for UP, 4P, 8P; y-axis 0 to 12,000; data points 1057, 2260, 3213, 7567, 3400, 11628)

    *

    Active Directory

    (Diagram: Intranet with Division A, Division B and Division C forests; users; AD Kerberos trust)

    *

    Application Specific Directory Scenarios

    *

    GPMC

    (GPMC) RSoP: many end-user results, many computer results

    *

    DNS: Stub Zone

    *

    A centralized store of enterprise information.

    - Single sign-on
    - Centralized management
    - BackOffice apps store account DB info in 1 place
    - Customers can extend the DB to store interesting info: HR info, business processes
    - An object is a resource; an attribute of the object is the information of the object
    - Schema: a template defining the objects and attributes that can be stored in the Active Directory
    - A class is the list of attributes that the class must or may contain; it defines required vs. optional attributes (First Name is required for a user account, Address is optional)
    - Extensible: new objects and attributes can be added (the NT4 schema was fixed)

    Explain the different schema of Windows NT 4 domain and the Windows 2003 domain.

    C++ analogy: class vs. instance

    Explain the tree structure of the LDAP

    Also introduce the WINNT provider and the LDAP provider in scripting. SRV records: Netlogon; check the DNS zones to see if they support dynamic update.

    Single-label domain (test instead of test.com): Win2K SP4 or Win2K3 will not register SRV records automatically; some registry settings need to be modified manually.

    The domain concept is (in part) unchanged from Windows NT 4.0: a unit of partitioning, a unit of authentication, a unit of domain-level policy, manifested by domain controllers.

    The most important thing to remember about Windows 2000 domains is that they are the same as a DNS domain: the DNS tree structure is used and DNS naming is used.

    Windows NT is using the SAM database as the authentication database while Windows 2003 is using NTDS as the database.

    Introduce Microsoft's own deployment: the largest AD database can hold 10M+ user accounts with 1000+ domain controllers in the whole domain environment.

    NT4: winnt/system32/config/SAM. Win2k3: windows/NTDS/ntds.dit (Jet database), so eseutil.exe can be used to repair the AD database.

    Windows 2003 server: media replication

    Performance issue: actual performance = desired performance * 1.5

    Definition: Domain Tree - one or more domains with contiguous names (microsoft.COM & fareast.microsoft.COM). Definition: Forest - one or more domain trees (DEC.COM & Compaq.COM). Each domain shares a common schema, site and service configuration, and global catalog. Use Internet-standard characters: A-Z, a-z, 0-9, and - (RFC 1123); Microsoft DNS supports a wider range.

    OU

    Administrative Control Assigned to an OU Includes Control of the Objects Within the OU

    Explain how we can define the OU. It touches on how the company tries to manage its users and computers. Explain the benefit of OUs.

    In Windows NT, all the system policies and scripts are under the Netlogon folder as .POL or .BAT files. All the client machines in the domain have to apply the domain policies. In Windows 2003, we can apply different policies to different OUs, which makes management more flexible.

    A domain tree is one or more domains with: a common schema, configuration, and global catalog; transitive trust; a contiguous namespace. A forest is one or more domain trees with: a common schema, configuration, and global catalog; transitive trust; a non-contiguous namespace.


    A service and store that contains a replica of every object in the Active Directory throughout the forest. Contains a subset of the object attributes, those that are most frequently used for searches. Attributes indexed in the GC can be looked up faster. Automatically built by Active Directory replication. The first DC in the tree is a GC; more can be added. Administrators can specify attributes to be indexed, if desired. Enables users to find objects of interest quickly, without knowing in which domain they are located.

    A global catalog server must have the capacity to hold all objects from all other domains in the forest. The initial global catalog configuration should have the capacity to support the number of objects in your Active Directory, with some room for growth. The best query performance is when you place a domain controller (at a small site) with a global catalog server, enabling the server to fulfill queries about objects in all domains on your network. Adding a Global Catalog server increases the amount of data to be replicated; you do not want every DC to be a Global Catalog server.

    The reason that a Global Catalog must be available for the domain logon process is that the membership for universal groups is not stored on all domain controllers. Because the membership of all universal groups is replicated to Global Catalog servers, the complete universal group membership of a user can be determined by querying a Global Catalog server. Universal groups are available only when a domain is in native mode.

    The user principal name format (@) is resolved by the Global Catalog server. If a company has more than one forest and uses trust relationships between the domains in the different forests, a user principal name cannot be used to log on to a domain that is outside the forest because the user principal name is resolved in the Global Catalog of the forest.

    A Domain Tree contains Domains, child domains and Organizational Units. OUs contain Users, computers, and other objects.

    The Forest is simply a trust linking two domains in the enterprise. A single domain tree is also referred to as a Forest. You cannot "graft" domain trees together. A new DC must join a domain during DCPROMO (which brings the new DC into the Schema).

    Enterprise Namespace Design is perhaps the single most important task of designing a Windows 2000 Enterprise.

    * Design structure - domains, OUs, organization of users, groups, etc.
    * Single or multiple domains
    * Consider application of Group Policy
    * Consider site design

    Explain how the domain controllers keep the same AD database, and the difference between the Windows NT PDC/BDC and Windows 2000 DCs.

    Collection of one or more subnets, defined by the administrator. It is assumed that they are "well-connected", high-bandwidth LAN connections. Sites may contain multiple domains; a domain may span more than one site. Sites are limited to a single forest. Inter-site replication only. All configured by default: replication will happen without any admin intervention.

    By default, all servers will be put into Site Default-First-Site-Name, using TCP/IP as a transport, and connection objects built between them. This would put all servers in the same site for intra-site replication - no matter where they are physically located.

    Connections: a one-way, inbound route from one DC, the source, to another DC, the destination.

    Site: defines a set of DCs that are well connected together, in terms of speed and cost. A site can contain more than one subnet. A site can contain more than one domain, and one domain can span more than one site. Within a site, the replication topology is generated by the KCC automatically.

    Site Links: between sites, site links have to be established in order for the KCC to generate the topology across the sites. A site link contains the schedule which determines when replication can take place, as well as an assigned cost.

    Site Link Bridge: when more than 2 sites are linked for replication and use the same transport, all of the site links are bridged. Site link bridges are transitive.

    Bridgehead Server: the designated server that performs site-to-site replication, for each directory partition. Bridgehead servers can be designated by the administrator or automatically assigned by the KCC.

    Inter-Site Topology Generator (ISTG): within a site, the KCC runs on each DC to generate the topology for the site. Between sites, one DC is designated as the ISTG to generate the topology for inter-site replication. The first DC in the site automatically becomes the ISTG. The ISTG need not necessarily be a bridgehead server.

    Think of inter-site replication in layers. Each of these is configured differently and they are mostly independent, but all have interrelationships that affect the other layers. This is a conceptual model only and does not physically exist.

    1. Physical Network - this assumes a well-routed, well-connected WAN.

    2. Site Model. Sites, Site Links, Connections, link costs, subnets, site servers and transports are used to build a site topology that closely represents or models the actual physical network. This is up to the administrator and depends on his/her knowledge to build an accurate model.

    3. Domain Structure - this is the structure of parent/child domains in the enterprise - domains, OUs, users, groups, etc. Remember this is a naming context that behaves somewhat differently in the site model than the Configuration or Schema NC (will see how later).

    Directory Partition Replicas

    A directory partition replica can be a full (master) replica or a partial replica. A full replica contains all attributes of all directory partition objects and is both readable and writable. Each domain controller stores at least three full, writable directory partition replicas, as follows:

    - The schema partition, which contains all class and attribute definitions for the forest. There is one schema directory partition per forest.
    - The configuration partition, which contains replication configuration information (and other information) for the forest. There is one configuration directory partition per forest.
    - The domain partition, which contains all objects that are stored by one domain. There is one domain directory partition for each domain in the forest.

    A full replica of a domain's partition is stored on all domain controllers of that domain (and nowhere else); a full replica of a forest's configuration and schema partitions is stored on all domain controllers of that forest (and nowhere else). A partial replica contains a subset of the attributes of all directory partition objects and is read-only. Partial replicas are stored only on Global Catalog servers. An attribute is contained in a partial replica if and only if the attribute's attributeSchema object has isMemberOfPartialAttributeSet equal to TRUE.

    Pull Replication

    Active Directory uses pull replication. In pull replication, a destination replica requests information from a source replica. The request specifies the information that the destination needs, based on its knowledge of changes already received from the source and from all other domain controllers in the domain. When the destination receives information from the source, it applies that information, bringing itself more up-to-date. The destination's next request to the source excludes the information that has already been received and applied.

    The alternative is push replication. In push replication, a source sends information to a destination unsolicited, in an attempt to bring the destination more up-to-date. Push replication is problematic because it is difficult for the source to know what information the destination needs. Perhaps the destination has received the same information from another source. If a source sends information to a destination, there is no guarantee that the destination is going to apply it; if the source assumes otherwise, the system is unreliable.

    Schema / configuration FSMO roles: Schema master, Domain naming master. Domain:
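    The pull model described above, as an added example that is not part of the original slide notes: a toy source DC keeps a change log with a monotonically increasing sequence number (this counter stands in for the update sequence numbers a real DC uses, which the notes do not describe), and the destination tracks the last sequence it applied from each source. Every pull request excludes what was already received, so a second pull with nothing new moves no data, and a later change is transferred alone. The directory names and attribute values are constructed; the model tracks one watermark per source and leaves out the "knowledge of changes received from all other domain controllers" that a real destination would also send.

```python
class DomainController:
    """Toy model of pull replication: a replica, a change log with a local
    sequence number (stand-in for AD's update sequence numbers, an assumption),
    and a high-watermark per source this DC pulls from."""

    def __init__(self, name):
        self.name = name
        self.objects = {}     # dn -> attribute dict (the replica)
        self.log = []         # (seq, dn, attrs) for originating writes on this DC
        self.seq = 0
        self.watermark = {}   # source name -> last sequence number applied

    def write(self, dn, **attrs):
        """An originating write: update the replica and append to the change log."""
        self.seq += 1
        self.objects.setdefault(dn, {}).update(attrs)
        self.log.append((self.seq, dn, dict(attrs)))

    def changes_since(self, seq):
        """Source side of a pull request: return only changes newer than `seq`."""
        return [change for change in self.log if change[0] > seq]

    def pull_from(self, source):
        """Destination side: ask for what is missing, apply it, advance the watermark.
        Returns the number of changes transferred so the caller can see the saving."""
        since = self.watermark.get(source.name, 0)
        changes = source.changes_since(since)
        for seq, dn, attrs in changes:
            self.objects.setdefault(dn, {}).update(attrs)
            self.watermark[source.name] = seq
        return len(changes)


def demo():
    """Constructed scenario: two writes, a pull, an empty pull, one more write, a pull."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    alice = "CN=alice,OU=Sales,DC=example,DC=test"   # constructed DNs
    bob = "CN=bob,OU=Sales,DC=example,DC=test"
    dc1.write(alice, sn="Liu", title="Rep")
    dc1.write(bob, sn="Chen")
    first = dc2.pull_from(dc1)    # both changes are transferred
    again = dc2.pull_from(dc1)    # nothing: the request excludes what was applied
    dc1.write(alice, title="Manager")
    third = dc2.pull_from(dc1)    # only the new change travels
    return first, again, third, dc2.objects


if __name__ == "__main__":
    print(demo())
```

The return values make the saving visible: the second pull transfers zero changes even though the source still holds the full log, which is exactly what a push model cannot know without the destination telling it.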

    Each DC stores a writeable copy of the Active Directory database. The AD database is stored in one physical file, NTDS.DIT, made up of 3 logical partition replicas: Schema, Configuration and Domain.

    - Schema: class and attribute definitions for the forest
    - Configuration: replication configuration, sites, topologies, etc. for the forest
    - Domain: all the objects stored by the domain; 1 domain partition for each domain in the forest

    Schema & Configuration => forest-wide; Domain => domain-specific. Each DC stores a full replica of the schema and configuration as well as of the domain that it belongs to. A Global Catalog server stores a full replica plus a partial replica of all other domains in the forest (partial replica: a subset of attributes, read-only). Replicas are also known as Naming Contexts, or NCs. Differences from NT4: PDC -> BDC.

    The replication ring in the same site. KCC topology generation process:

    Assume that we have one domain with just one DC; no replication happens at this stage. A second DC, DC2, is added to the domain. During the DCPROMO process, the KCC on DC2 creates a connection object and translates the connection into 2 replication agreements (1 for Schema & Configuration and 1 for the Domain partition). Similarly, the KCC on DC1 generates the connections to DC2, and replication can start to take place between the 2 DCs.

    Another DC, DC3, is added to the domain. As with DC2, the KCC on DC3 generates the connection objects with DC1 and DC2. In our animation DC3 joins the domain via DC2. Why is that? Wasn't it DC1 that performed the initial connection? During the DCPROMO process, DC3 contacts DNS and asks for all the domain controllers belonging to the microsoft.com domain. DNS responds with DC1 and DC2, using the SRV records registered by DC1 and DC2. DC3 then broadcasts to the two DCs to find out which one is currently available. Let's assume that DC2 is faster to respond. DC3 contacts DC2 and creates the connection object for the two topologies, schema/configuration and domain. Replication is performed and DC3 joins the domain. DC2 then creates its own replication topology from DC3 and notifies DC1 that a new DC has joined the domain. The notification is done by replicating the configuration NC, which contains the information about the new DC. DC1 and DC3 then create the connection objects necessary for replication to happen between each other.

    A 4th DC is then added to the domain. DC2 and DC3 create connection objects to DC4. Subsequently the KCC on each DC continues to monitor the replication topology, and updates, modifies or deletes connection objects as deemed necessary. Within a site, the KCC tries to establish a bidirectional ring to achieve optimized replication, reducing replication latency without configuring redundant connections. The KCC also ensures that each DC is no more than 3 hops away from any other DC; if necessary, it adds additional connection objects to ensure this (i.e. a maximum of 7 DCs in a plain bidirectional ring). In this example we have only 4 DCs, which means that any DC can reach any other DC within 3 hops. Therefore the connection objects between DC3 and DC2 are not necessary and will be deleted subsequently. The final outcome is a bidirectional ring among the DCs.

    When another domain is added to the site: during the DCPROMO process, DCA for sales.microsoft.com uses DNS to contact any DC within the microsoft.com forest (assume that DC2 responded to it). DCA creates a connection object with DC2 and converts the connection into an agreement for replication of the Schema & Configuration ONLY, as they are in different domains. The KCC on DCA (sales) and DC4 (microsoft) learn of each other through replication and create the necessary connections to complete the ring. Another DC, DCB, is then added to the sales domain. DCB generates the necessary connections with DCA (for all 3 partitions) and with DC4 (microsoft) for the Schema & Configuration partition. On a subsequent run the connections between DCA (sales) and DC4 (microsoft) are removed, as they are not required. Ultimately, we have 3 rings of replication: the red ring for the Schema & Configuration of the forest, the blue ring for the microsoft domain and the yellow ring for the sales domain.

    NOTE: For GCs and inter-site replication, the process is similar with added complexity, namely the partial replicas for the GC, and the site link and bridgehead server configuration.
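    The three-hop rule above, as an added example that is not part of the original notes: the code builds the bidirectional ring the KCC converges to, counts replication hops between every pair of DCs with a breadth-first search over the one-way connection objects, and shows why 7 DCs is the limit for a plain ring (the farthest pair is 3 hops apart) while an 8-DC ring has a pair 4 hops apart. The repair step, which connects the currently farthest pair until every DC is within 3 hops, is a simplification written for this illustration; the notes do not describe which extra connections the real KCC chooses. DC names are constructed.

```python
from collections import deque
from itertools import combinations


def ring_topology(dcs):
    """Bidirectional ring of one-way connection objects: (source, destination) pairs
    in both directions between each DC and its ring neighbour."""
    n = len(dcs)
    conns = set()
    for i, dc in enumerate(dcs):
        nxt = dcs[(i + 1) % n]
        conns.add((dc, nxt))
        conns.add((nxt, dc))
    return conns


def hop_counts(dcs, conns):
    """BFS from every DC: hops[a][b] = replication hops from a to b (absent if unreachable)."""
    adj = {dc: set() for dc in dcs}
    for src, dst in conns:
        adj[src].add(dst)
    hops = {}
    for start in dcs:
        dist = {start: 0}
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            for nxt in adj[cur]:
                if nxt not in dist:
                    dist[nxt] = dist[cur] + 1
                    queue.append(nxt)
        hops[start] = dist
    return hops


def max_hops(dcs, conns):
    """Largest hop count between any two DCs (inf if the topology is disconnected)."""
    hops = hop_counts(dcs, conns)
    return max(hops[a].get(b, float("inf")) for a in dcs for b in dcs)


def enforce_three_hop_rule(dcs, conns, limit=3):
    """Add connection objects until no DC is more than `limit` hops from any other.
    Heuristic for this illustration (assumption, not the real KCC algorithm):
    repeatedly connect the pair of DCs that is currently farthest apart."""
    conns = set(conns)
    if len(dcs) < 2:
        return conns
    while True:
        hops = hop_counts(dcs, conns)
        far = max(((hops[a].get(b, float("inf")), a, b) for a, b in combinations(dcs, 2)),
                  key=lambda t: t[0])
        if far[0] <= limit:
            return conns
        _, a, b = far
        conns.add((a, b))
        conns.add((b, a))


if __name__ == "__main__":
    for n in (4, 7, 8):
        dcs = ["DC%d" % i for i in range(1, n + 1)]        # constructed DC names
        ring = ring_topology(dcs)
        fixed = enforce_three_hop_rule(dcs, ring)
        print(n, "DCs: ring max hops", max_hops(dcs, ring),
              "-> after rule", max_hops(dcs, fixed), "with", len(fixed) - len(ring), "extra connections")
```

Run it and the 4- and 7-DC rings need nothing, matching the "any DC can reach any other within 3 hops" statement in the notes; the 8-DC ring needs two extra bidirectional links (four one-way connection objects) before the rule holds.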

    RPC is synchronous, SMTP asynchronous. Within a site, always use RPC over IP. Between sites, either RPC over IP or SMTP over IP. SMTP is only supported between DCs of different domains. If a domain spans sites, synchronous RPC must be available.

    This slide shows a typical bridgehead server configuration. Note that we have a BHS for every domain (B.com and A.B.com). A single BHS is required at all sites to replicate Schema and Configuration to all sites in the forest.

    Multiple BH servers share the same site link and cost. Note that a single DC for domain A.B.com is placed in Chicago to allow domain replication for that domain to NY.

    RID Pool Allocation - one domain controller is responsible for assigning pools of relative IDs to other domain controllers. RIDs are used in association with a domain ID to make up the SID for each security principal created in Active Directory. To ensure uniqueness in a forest, RIDs are assigned from a single RID pool by a single DC - this is assumed by NT4 domain controllers.

    Schema Management - schema changes can only be made ON the Schema Master. It contains the master copy of the schema.

    PDC - acts as PDC for NT4 BDCs and WS. NT4 CANNOT join a Windows 2000 domain without upgrading the PDC to Windows 2000 - mixed mode.

    Infrastructure - when objects are moved or deleted, a single domain controller must keep track of references to the object.

    Domain Naming - A single domain controller is responsible for ensuring that domain names are unique in the forest and that cross reference objects to external directories are maintained.

    Temporary loss of the schema master, domain naming master, or RID master is ordinarily not visible to end users, and does not usually inhibit your work as an administrator. Therefore, this is usually not a problem worth fixing. However, if you anticipate an extremely long outage of the domain controller holding one of these roles, you can seize that role to the "standby operations master domain controller." But seizing any of these roles is a drastic step, one that you would take only when the outage is permanent, as in the case when a domain controller is physically destroyed and cannot be restored from backup media.

    A domain controller whose schema master, domain naming master, or RID master role is seized must never come back online. Before proceeding with the role seizure, you must ensure that the outage of this domain controller is permanent by physically disconnecting the domain controller from the network. The domain controller that seizes the role should be fully up-to-date with respect to updates performed on the previous role owner. Because of replication latency, it is possible that the domain controller might not be up-to-date.

    Explain time synchronization: Kerberos. Client -> Logon DC; DC -> PDC.

    For Windows 2000/XP clients: DC -> PDC Emulator; DC -> PDC Emulator -> PDC Emulator.

    Case: PDC security log, DC security log.

    Time server:

    SID = NT authority + Domain SID + RID

    500 (the well-known RID of the built-in Administrator account)

    Case 1: RID master down, then an old backup is restored; this may cause RID pool assignment inconsistency.

    Case 2: RID pool used up, but a new RID pool cannot be obtained (acquiring a new RID pool needs a RID too); the pool assignment must be modified manually on both the RID master and the DC.
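    The SID layout from the slide (NT authority + domain SID + RID), as an added example that is not part of the original notes: a parser and encoder for the string form S-1-5-21-...-RID and the binary form (revision byte, sub-authority count byte, 6-byte big-endian identifier authority, then 32-bit little-endian sub-authorities), with the split into domain SID and RID that the RID-pool discussion relies on. The sample sub-authority values are constructed; the well-known RID names are standard Windows values.

```python
import struct

# Well-known RIDs: 500 is the built-in Administrator account the slide names;
# 501 (Guest) and 512 (Domain Admins) are standard Windows values.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins"}


def parse_sid_string(sid):
    """Split 'S-1-5-21-a-b-c-500' into (revision, identifier authority, [sub-authorities])
    and reject anything that could not be encoded in the binary layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2 ** 48 or len(subs) > 15:
        raise ValueError("SID out of range: %r" % sid)
    if any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("sub-authority does not fit in 32 bits: %r" % sid)
    return revision, authority, subs


def sid_to_bytes(sid):
    """Binary SID: revision, sub-authority count, 6-byte big-endian authority,
    then each sub-authority as an unsigned 32-bit little-endian integer."""
    revision, authority, subs = parse_sid_string(sid)
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    for s in subs:
        out += struct.pack("<I", s)
    return out


def bytes_to_sid(data):
    """Inverse of sid_to_bytes; refuses buffers whose count byte disagrees with the length,
    which is the check a parser needs before trusting a SID read from the wire or disk."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match buffer length")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_domain_rid(sid):
    """Return (domain SID, RID) for a domain account SID. Authority 5 is NT Authority,
    first sub-authority 21 marks a domain SID, and the last sub-authority is the RID
    handed out from the DC's RID pool."""
    revision, authority, subs = parse_sid_string(sid)
    if authority != 5 or len(subs) < 2 or subs[0] != 21:
        raise ValueError("not a domain account SID (expected S-1-5-21-...): %r" % sid)
    domain = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs[:-1])
    return domain, subs[-1]


def describe_rid(rid):
    return WELL_KNOWN_RIDS.get(rid, "RID %d (issued from a RID pool)" % rid)


# Constructed sample: three made-up 32-bit sub-authorities for the domain, RID 500.
SAMPLE_SID = "S-1-5-21-1004336348-1177238915-682003330-500"

if __name__ == "__main__":
    domain, rid = split_domain_rid(SAMPLE_SID)
    print(domain, rid, describe_rid(rid))
    print(sid_to_bytes(SAMPLE_SID).hex())
```

Because the domain part is identical for every principal in the domain, the uniqueness of an account SID rests entirely on the RID, which is why the two RID-pool failure cases above matter: a duplicated pool means duplicated SIDs.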

    Register the dll file:

    Regsvr32 schmmgmt.dll

    Kerberos. Infrastructure master and GC: 1. all DCs are GCs; 2. single domain.

    - Place the RID and PDC emulator roles on the same domain controller. Good communication from the PDC to the RID master is desirable, as downlevel clients and applications target the PDC, making it a large consumer of RIDs. It is also easier to keep track of FSMO roles if you cluster them on fewer machines. If the load on the primary FSMO holder justifies a move, place the RID and PDC emulator roles on separate domain controllers in the same domain and Active Directory site that are direct replication partners of each other.

    - As a general rule, the infrastructure master should be located on a non-global catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site. Because the global catalog server holds a partial replica of every object in the forest, the infrastructure master, if placed on a global catalog server, will never update anything, because it does not contain any references to objects that it does not hold. Two exceptions to the "do not place the infrastructure master on a global catalog server" rule are:

    -Single domain forest: In a forest that contains a single Active Directory domain, there are no phantoms, and so the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain.

    -Multidomain forest where domain controller holds the global catalog: If every domain controller in the domain also hosts the global catalog, then there are no phantoms or work for the infrastructure master to do. The infrastructure master may be placed on any domain controller in the domain.

    - At the forest level, the schema master and domain naming master roles should be placed on the same domain controller as they are rarely used and should be tightly controlled. Additionally, the domain naming master FSMO should also be a global catalog server.

    Most importantly, confirm that all FSMO roles are available using one of the management consoles (such as Dsa.msc or Ntdsutil.exe).
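    The placement rules in the list above, as an added example that is not part of the original notes: a checker that takes a description of the forest (which DCs exist, which are global catalog servers, which are reachable, and who holds each role) and reports violations of the rules stated here: RID master with PDC emulator, infrastructure master not on a GC except in a single-domain forest or when every DC in the domain is a GC, schema master together with the domain naming master, domain naming master on a GC, and every role holder online. The input dictionary format is constructed for this illustration, not an AD API; in practice the values would be collected with the consoles the notes name (Dsa.msc, Ntdsutil.exe).

```python
FOREST_ROLES = ("schema_master", "domain_naming_master")
DOMAIN_ROLES = ("rid_master", "pdc_emulator", "infrastructure_master")


def check_fsmo_placement(forest):
    """Return a list of findings (empty when placement follows the rules).

    `forest` is a constructed format: {"forest_roles": {role: dc},
    "domains": {name: {"dcs": {dc: {"gc": bool, "online": bool}}, "roles": {role: dc}}}}."""
    findings = []
    domains = forest["domains"]
    all_dcs = {dc: info for d in domains.values() for dc, info in d["dcs"].items()}

    def online(dc):
        return dc in all_dcs and all_dcs[dc]["online"]

    # Availability: every role must be held by a known, reachable DC.
    froles = forest["forest_roles"]
    for role in FOREST_ROLES:
        if not online(froles.get(role)):
            findings.append("forest: %s holder %r is missing or offline" % (role, froles.get(role)))
    for dname, d in domains.items():
        for role in DOMAIN_ROLES:
            holder = d["roles"].get(role)
            if not online(holder):
                findings.append("%s: %s holder %r is missing or offline" % (dname, role, holder))

    # Forest level: schema master and domain naming master together, and the latter on a GC.
    sm, dnm = froles.get("schema_master"), froles.get("domain_naming_master")
    if sm != dnm:
        findings.append("forest: schema master (%s) and domain naming master (%s) are on different DCs" % (sm, dnm))
    if dnm in all_dcs and not all_dcs[dnm]["gc"]:
        findings.append("forest: domain naming master %s is not a global catalog server" % dnm)

    # Domain level: RID master with PDC emulator; infrastructure master off the GC unless exempt.
    single_domain = len(domains) == 1
    for dname, d in domains.items():
        roles, dcs = d["roles"], d["dcs"]
        if roles.get("rid_master") != roles.get("pdc_emulator"):
            findings.append("%s: RID master and PDC emulator are on different DCs "
                            "(acceptable only as direct replication partners in the same site)" % dname)
        im = roles.get("infrastructure_master")
        every_dc_is_gc = all(info["gc"] for info in dcs.values())
        if im in dcs and dcs[im]["gc"] and not (single_domain or every_dc_is_gc):
            findings.append("%s: infrastructure master %s is a GC in a multi-domain forest where not "
                            "every DC is a GC; it will never update phantoms" % (dname, im))
    return findings


# Constructed two-domain forest with two deliberate problems in the child domain.
SAMPLE_FOREST = {
    "forest_roles": {"schema_master": "DC1", "domain_naming_master": "DC1"},
    "domains": {
        "corp.example.test": {
            "dcs": {"DC1": {"gc": True, "online": True}, "DC2": {"gc": False, "online": True}},
            "roles": {"rid_master": "DC1", "pdc_emulator": "DC1", "infrastructure_master": "DC2"},
        },
        "sales.corp.example.test": {
            "dcs": {"SDC1": {"gc": True, "online": True}, "SDC2": {"gc": True, "online": False}},
            "roles": {"rid_master": "SDC1", "pdc_emulator": "SDC2", "infrastructure_master": "SDC1"},
        },
    },
}

# Constructed single-domain forest that follows every rule.
HEALTHY_FOREST = {
    "forest_roles": {"schema_master": "DC1", "domain_naming_master": "DC1"},
    "domains": {
        "corp.example.test": {
            "dcs": {"DC1": {"gc": True, "online": True}, "DC2": {"gc": False, "online": True}},
            "roles": {"rid_master": "DC1", "pdc_emulator": "DC1", "infrastructure_master": "DC1"},
        },
    },
}

if __name__ == "__main__":
    for line in check_fsmo_placement(SAMPLE_FOREST) or ["no findings"]:
        print(line)
```

In the sample the child domain's infrastructure master sits on a GC, yet no finding is raised because every DC in that domain is a GC, which is the second exception in the list; the offline PDC emulator and the split RID/PDC roles are reported.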

    Use Group to manage ACL to resource

    - A global group can be added to a domain local group
    - A global group can be added to a global group
    - A domain local group cannot be added to a global group
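    The two slides above (groups on the ACL rather than users, and the nesting rules), as an added example that is not part of the original notes: a small in-memory directory that enforces exactly the three nesting rules listed, puts only groups on a resource ACL, and resolves a user's effective access by walking nested membership. Users are assumed to be valid members of either group scope, an assumption the slide does not state; the accounts, group names and share path are constructed.

```python
from collections import deque

GLOBAL, DOMAIN_LOCAL, USER = "global", "domain-local", "user"

# Nesting rules from the slide; user accounts as members of either scope is an assumption.
ALLOWED_MEMBER_SCOPES = {
    DOMAIN_LOCAL: {GLOBAL, USER},   # global group -> domain local group: allowed
    GLOBAL: {GLOBAL, USER},         # global group -> global group: allowed
}                                    # domain local group -> global group: absent, so rejected


class Directory:
    def __init__(self):
        self.scope = {}     # principal name -> scope
        self.members = {}   # group name -> set of direct member names
        self.acl = {}       # resource -> set of groups granted access

    def add(self, name, scope):
        self.scope[name] = scope
        if scope != USER:
            self.members[name] = set()

    def add_member(self, group, member):
        """Reject nestings the slide forbids, e.g. a domain local group inside a global group."""
        gscope, mscope = self.scope[group], self.scope[member]
        if mscope not in ALLOWED_MEMBER_SCOPES.get(gscope, set()):
            raise ValueError("%s (%s) cannot be a member of %s (%s)" % (member, mscope, group, gscope))
        self.members[group].add(member)

    def grant(self, resource, group):
        """'Use groups to manage the ACL': only groups go on the resource ACL."""
        if self.scope[group] == USER:
            raise ValueError("grant access to a group, not directly to a user")
        self.acl.setdefault(resource, set()).add(group)

    def groups_of(self, principal):
        """Every group the principal belongs to, directly or through nesting (BFS)."""
        found, queue = set(), deque([principal])
        while queue:
            current = queue.popleft()
            for group, members in self.members.items():
                if current in members and group not in found:
                    found.add(group)
                    queue.append(group)
        return found

    def can_access(self, user, resource):
        return bool(self.groups_of(user) & self.acl.get(resource, set()))


def build_sample():
    """Constructed accounts -> global groups -> domain local group -> ACL chain."""
    d = Directory()
    d.add("alice", USER)
    d.add("bob", USER)
    d.add("Sales", GLOBAL)
    d.add("Sales-Managers", GLOBAL)
    d.add("SalesShare-Readers", DOMAIN_LOCAL)
    d.add_member("Sales", "alice")
    d.add_member("Sales-Managers", "bob")
    d.add_member("Sales", "Sales-Managers")         # global inside global
    d.add_member("SalesShare-Readers", "Sales")     # global inside domain local
    d.grant(r"\\fs1\sales", "SalesShare-Readers")   # constructed share path
    return d


if __name__ == "__main__":
    d = build_sample()
    for user in ("alice", "bob", "nobody"):
        print(user, d.can_access(user, r"\\fs1\sales"))
    try:
        d.add_member("Sales", "SalesShare-Readers")  # domain local inside global: rejected
    except ValueError as err:
        print("rejected:", err)
```

Bob reaches the share through two levels of nesting, which is the point of keeping users out of the ACL: moving him between global groups changes his access without touching the resource.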

    Manually edit the .adm file: check MSDN, "administrative template"; specific registry settings can be modified via an Adm. template.

    Check KB: password filter, replace default pwdfilter.dll

    Specify operating system behavior, desktop behavior, security settings, computer startup and shutdown scripts, computer-assigned application options, and application settings. Applied when the operating system initializes and during the periodic refresh cycle.

    Specify operating system behavior, desktop settings, security settings, assigned and published application options, application settings, folder redirection options, and user logon and logoff scripts. Applied when users log on to the computer and during the periodic refresh cycle.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;818742

    ibm274server1000gbsql

    The percentage figures are the performance improvements moving from Windows 2000/.NET Framework 1.0 to Windows Server 2003/.NET Framework 1.1.

    KEY MESSAGE: Windows Server 2003 + .NET Framework v1.1 is the fastest combination.

    SLIDE BUILDS: None

    SLIDE SCRIPT: The Middleware Company recently developed a fully optimized version of the Java Pet Shop to compete against the Microsoft implementation. As you can see, the .NET implementation was significantly faster. But that's not the focus of this slide. Normally, later versions of products are larger and slower than previous versions. Notice that Microsoft .NET v1.1 running on Windows Server 2003 runs significantly faster than Microsoft .NET v1.0 running on Windows 2000. This is especially evident on multiprocessor systems.

    SLIDE TRANSITION: In addition to the performance improvement, Windows Server 2003 is more secure.

    ADDITIONAL INFORMATION FOR PRESENTER:

    Branch offices with domain controllers can provide user logon through cached credentials without first contacting the Global Catalog, improving system performance and robustness over unreliable wide area networks. Windows Server 2003 more efficiently manages the replication and synchronization of Active Directory information. Administrators can better control the types of information that are replicated and synchronized between domain controllers, both within a domain as well as across domains. In addition, Active Directory provides more features to intelligently select only changed information for replication, no longer requiring updating entire portions of the directory.

    Windows Server 2003 introduces enhancements to several Active Directory management interfaces. Administrators may now edit multiple user objects simultaneously, reset ACL permissions to the default, show effective permissions on a security principal and indicate the parent of an inherited permission. In addition, more than 100 Group Policy settings have been added to simplify and improve the ability of administrators to apply a consistent policy within the enterprise. From account management to computer configuration, the new policies provide a high degree of granularity for configuring your environments. As the principal means to manage enterprise identities, objects, and relationships, improved interfaces increase administration efficiency and integration capabilities. Microsoft Management Console (MMC) plug-ins now include drag-and-drop capabilities, multi-object selection, and the ability to save and reuse queries. Migration is more efficient with the improved Active Directory Migration Tool (ADMT), allowing administrators to copy passwords from a Windows NT 4.0 or Windows 2000 environment or between forests in a Windows 2000 environment.

    Active Directory includes several new features that increase dependability, such as Health Monitoring, which allows administrators to verify replication between domain controllers, improved Global Catalog replication, and an updated Inter-Site Topology Generator (ISTG) that scales better by supporting forests with a greater number of sites than Windows 2000. Additional security features make it easier to manage multiple forests and cross-domain trusts. A new credential manager provides a secure store of user credentials and X.509 certificates. In addition, Forest trust provides a new type of Windows trust for managing the security relationship between two forests, greatly simplifying cross-forest security administration and authentication. Users can securely access resources in other forests, using either Kerberos or NTLM, without sacrificing the single sign-on and administrative benefits of having only one user ID and password maintained in the user's home forest.

    Slide Objective: To show the most likely use for cross-forest trusts in the Windows .NET Server timeframe.

    Directory designs can be limited by: organizational independence; internal politics for control; management concerns; lack of tools to change structure; fear of schema issues.

    Net result: Directory deployment stalled

    By being able to connect forests together, businesses can now enjoy the best of both worlds: organizational independence and connectivity, to continue to leverage the concepts of AD on a global basis.

    ADAM allows an application to store private directory data that is relevant only to the application in a local directory service, perhaps on the same server as the application, without requiring any additional configuration to the NOS directory. The personalization data, which is only interesting to the portal application and does not need to be widely replicated, is now stored solely in the ADAM directory associated with the application. This solution also reduces replication traffic on the network between domain controllers.

    Avoid schema conflicts. Local management in the enterprise.

    GPMC: http://www.microsoft.com/downloads/details.aspx?FamilyId=C355B04F-50CE-42C7-A401-30BE1EF647EA&displaylang=en