Beruflich Dokumente
Kultur Dokumente
Reference Architecture
Lab Implementation
Abstract
Lab Implementation 1
Introduction
Any reference architecture is only as good as the level of testing and proving that goes into
it. Without this, it would be just a whitepaper as opposed to a proven reference architecture.
Windows Server System Reference Architecture (WSSRA) fully embraced this sentiment and
performed extensive build and test procedures to ensure that the value of the resultant
documentation could be maximized.
With a problem space as complex and diverse as that addressed by WSSRA, it would be
naive to think it can be described in a “one size fits all” fashion. As a result, it is always the
case that the Reference Blueprints are the right starting point to understand the architectural
principles and design options used to meet the established requirements and business
scenarios.
The process used is inherently reusable. The resultant design is one that meets the
requirements of a particular fictitious organization, and it is not expected that any
organization could or should implement exactly as per this lab implementation. Having said
that, there is a large amount of reusable best practice guidance in terms of specific
implementation details, and it is encouraged that these are reused. To that extent, the lab
implementation is a great way to redistribute implementation best practice; it just should not
be seen as some kind of “ultimate” solution that all must comply with.
This document explains the process used to design, build, and test the lab implementation,
and provides as appendixes in most cases, all the design and configuration specifics. Most
configuration specifics and all configuration files can be found in the Deployment Kit
associated with this document.
Knowledge Prerequisites
Readers of this document must have a broad understanding of IT infrastructure design and
implementation issues. It is recommended that the other overview documents available in
WSSRA are read first, because relevant information has not been repeated here for the sake
of brevity. This document may also be read in conjunction with the Reference Blueprints to
better understand the foundational principles for all service design. Understanding the
concepts in this document will improve understanding of the service implementation
guidance provided as a significant portion of WSSRA.
Design Strategy
The lab implementation of WSSRA was designed by following a strategy of meeting
predetermined business requirements, understanding technical constraints, following a
structured and consistent process, and testing from bare metal devices to full functionality
across multiple service streams.
The primary business requirements that had to be addressed in the design strategy were:
The architecture must be inherently secure.
The architecture must provide for high availability.
The architecture must be manageable using commonly available management tools.
The architecture must be predictable in design, deployment, and operations.
The architecture must facilitate interoperability with partner solutions and
components.
The architecture must be supportable in a sustainable, cost effective way.
To meet these business requirements, the lab implementation made use of the Microsoft
platform and partnered with Microsoft development and service partners to plan, build,
deploy, and test a WSSRA lab environment against business scenarios defined by the
fictitious Contoso Corporation, a wholly owned subsidiary of Woodgrove Holdings. The
document sets that compose WSSRA were followed sequentially and by service to perform
the detailed design, planning, build, and operations used to meet the business goals
established in the design and supporting lab functional test scenarios.
Design Process
When planning the design process for the test lab environment, the design team prioritized
the following six primary business drivers into three components:
Security: The design used threat modeling techniques and applied a mitigation
strategy called defense-in-depth.
High availability: Every component in the architecture had a failover strategy
applied to ensure that there is no single point of failure. This included redundant
Lab Implementation 3
components, parallel capabilities, hardware load balancing, and software failover
through clustering amongst others.
Predictability: It was important to be predictable in design through high degrees of
standardization and policy-based principles, predictable in deployment through
high degrees of automation, and predictable in operation through lab proving, which
includes load and functional stability tests and verification.
Manageability: Management tools and process were included in the design process
tests.
Interoperability with partner technologies: Networking, server, and storage devices
from Microsoft partners were used extensively throughout WSSRA lab
implementation, as well as partner software products for capabilities that were not
provided by the Microsoft platform.
Supportability: Supportability is a primary cost factor and was measured as a factor
in determining the best practices. All involved partners, as well as Microsoft, had the
resultant design ratified by their respective support organization.
Each individual service's blueprint was developed to be as autonomous as possible.
However, dependencies on other services or tasks within another service were necessary.
Tasks across all blueprints were inspected for dependencies on other tasks and the WSSRA
sequence was optimized to do as much as possible in parallel to help reduce the overall lab
implementation time.
Creation of comprehensive and usable enterprise infrastructure design documentation is a
complex endeavor. Frequently, information that ought to have been in the documentation
never makes it there remaining stuck within the heads of the various systems architects and
design engineers. This can lead to several serious problems, such as poor understanding of
the design rationale and incomplete configuration details. Worst of all, an incomplete or
incorrect understanding of systems design or maintenance procedures might even result in
downtime or data loss in the implemented IT infrastructure.
The Implementation Guides are organized around IT services so that IT professionals can
rapidly access the information relevant to a desired service and from there, understand
related and/or dependent services. In addition, WSSRA comprises a number of scenarios that
are designed to address the key business requirements in an enterprise. This release focuses
on the centralized data center (CDC) and satellite branch office (SBO) scenarios.
The IT service guides document the whole lab design and the build and test processes. For
each IT service currently included within WSSRA, there are three guides called the Planning
Guide, Build Guide, and Operations Guide. Customers and partners may use this
documentation for a detailed understanding of the test lab environment, what decisions
were made and why. These three guides can be explained as follows:
The Planning Guide can be used as a starting point for future instantiations based on
the Architecture Blueprints and the Service Blueprints. By following the planning
processes and design decisions provided, an organization can create a design plan
quickly and efficiently to accelerate an information technology (IT) infrastructure
project.
The Build Guide is designed to clarify the sequence of events and procedures that are
required to build the IT infrastructures for each of the WSSRA scenarios in a secure
Design Scenario
Each IT service specific guide is organized into a number of sections. Each section addresses
the required design information and processes for that specific service (or technology
components within the service, for example DNS, DHCP, and WINS within “Network
Services”) in the following scenarios:
Centralized Data Center (CDC): This scenario supports enterprise-level services for
employees of the organization (for example, directory services and file and print
services). It is also the hub for the implementation of enterprise-wide strategies (for
example, security and management). The CDC scenario may also contain a basic
Internet presence.
Satellite Branch Office (SBO): This scenario addresses the geographically
distributed nature of an organization through a physically decentralized
environment. A branch office that does not have local services is referred to as SBO.
The IT services addressed in the documentation have considerations that span the entire IT
life cycle. Therefore, there is separate guidance on planning, building, and operating each
service in customer solutions.
The following table lists the services documented in this release.
Service Technologies
Network Devices Routers, switches, virtual local area network (VLAN), load balancers
Computing Devices Server classes, hardware requirements
Storage Devices Direct-attached storage (DAS), network-attached storage (NAS),
storage area network (SAN)
Deployment Services Installing and configuring operating systems WinPE, SysPrep, and RIS.
Network Services DNS, DHCP, and WINS.
Firewall Services Perimeter and internal firewalls and Web proxy service (ISA Server).
Directory Service Active Directory® directory service.
File and Print Services Distributed File System (DFS), printing configurations, and print
Lab Implementation 5
Service Technologies
devices.
Data Services Microsoft SQL Server™ 2000, Windows clusters.
Web Application Microsoft Internet Information Services (IIS) 6.0.
Services
Infrastructure Debug facilities, deployment capabilities, and remote management
Management Services and tools.
Backup and Recovery Data and systems backup and recovery infrastructure.
Certificate Services Public key infrastructure (PKI).
Remote Access Site-to-site virtual private network (VPN), Client VPN, routing and
Services remote access service (RRAS), Internet authentication service (IAS).
Middleware Services .NET Framework.
Messaging Services Microsoft Exchange Server 2003
Network Design
The process of designing these services in the CDC and SBO scenarios resulted in a complete
and fully functional network infrastructure. This infrastructure was then tested and
documented in the Network Services Build Guide. To illustrate the high-level network view of
this design, a logical network diagram has been created. The legend for this diagram is as
follows.
The following figure is the CDC and SBO network design overview, a detailed view of the
complete physical infrastructure is available in the appendix at the end of this document.
Naming Standards
The physical and logical equipment names use the following format:
LLL-DD-[FFFF-SS | VVVVVV]
Where:
Lab Implementation 7
Code Meaning Description
DD Domain 2 alphabetic characters (for example, NA, AS, EU).
FFFF Function 2-4 alphanumeric characters (for example, DC, SQL1, FIL,
WEB).
SS Sequence 2 numeric characters (for example, 01 through 99).
VVVVVV Virtual Name 1-6 alphanumeric characters (for example, SQL2I3, WEBC4).
Lab Implementation 9
Code Location Office Type Office Size
TOR Toronto, Canada Sales office 25
WSG Washington, DC USA Government sales 75
Code Domain
AM Americas
AS Asia
CP Corporate Perimeter
DV Development
EU Europe
EF Extranet Forest
HR Human resources
ID IDC interior
IP IDC perimeter
ND Network device
RT Root
SA Standalone, no domain affiliation
Code Meaning
APP Application Servers (Middleware Servers)
BAK Backup
CA Certificate authority server
DC Domain controller (generic)
DEP Deployment server
DHCP DHCP Server
DNS Domain name server (generic)
DNSA Domain name server (announcer)
DNSR Domain name server (resolver)
DSL Definitive Software Library server
EXB Exchange bridgehead server
EXDC Exchange specific GC (DC with GC enabled)
EXF Exchange front-end server
EXI Exchange Internet server
EXM Exchange mailbox server
EXP Exchange public folders server
EXR Exchange routing server
FAAC SAN Fabric A Core Switch
Lab Implementation 11
Examples
Following are some of the examples:
FFL-AS-DC-02
This server is the domain controller 02 for the Asia domain located in the Fairfield,
CT USA location.
LON-EU-SQL2I3
This is a cluster virtual server name located in the London site, and is part of the
Europe domain. From the virtual server name, it is SQL Server instance 3 in the SQL2
failover cluster.
Build Process
When planning the build process for the test lab environment, the development team
worked with the following three primary business drivers:
Reduce the build time: To verify the build documentation, the test team planned to
build the environment three times focusing on the efficiency of the build
documentation. It was necessary to reduce the build time as much as possible to
reduce the overall test cycle time to validate the efficiency of the complete,
documented process.
Use different roles to perform different tasks: An IT organization typically has
different people performing various parts of a build process. The overall build
strategy needed to account for the separate roles that perform tasks within and
across the different service build guides.
Environment is in production mode: Although the environment was built in a test
lab, the build process needed to accommodate a secured, existing production
environment. This consideration allowed the build guidance for each service to be
more relevant for implementation in an existing production environment.
Each individual service's build guide was developed to be as autonomous as possible.
However, dependencies on other services or tasks within another service's build guide were
necessary. The tasks across all the build guides were inspected for dependencies on other
tasks and the build sequence was optimized to do as much as possible in parallel to help
reduce the build time. For example, most of the device configuration tasks were done in
parallel because they were not dependent on each other or on other services. Because the test
team consisted of ten people or more, the build process could further take advantage of
many people performing various tasks in parallel to shorten the build time.
Each task in each build guide identifies the role that performs the task, and the test team
assigned a lead person for building each service and one or more persons for support. In this
way, each person performed a different role for building the various services. The task
sequencing was coordinated between the service leads to ensure that a task was not
performed prematurely.
Build Sequence
The network and foundational infrastructure services such as Active Directory, DNS, DHCP,
WINS, and Firewall already exist in most IT production environments, which are also
Lab Implementation 13
secured following the organization's security policies. The build process put the
environment in this configuration as soon as possible.
The tasks used to build the environment in the test lab can be grouped into the following
series of phases, each of which contains the build for one or more services:
Configure and secure the network.
Configure the computing and storage devices.
Deploy the operating system.
Build the foundational infrastructure services.
Build the remaining services.
Within (and in some cases across) each phase, tasks can be performed in parallel or serial.
Parallel tasks are those that can be accomplished without affecting other services. For
example, the operating system can be installed on any or all servers without waiting for any
one server build to be completed.
Serial tasks are those that must be accomplished in a specific sequential order and cannot be
executed until a previous task has been completed. For example, the first domain controller
in the forest must be installed before installing any subsequent domain controllers in the
same forest.
The build process for most of the services is dependent on the successful installation and
configuration of one or more other services. The service dependencies are identified in the
individual build guide. For more information on the dependencies for each individual task,
refer to "Appendix 1.5—Build Sequence Details" at the end of this document and
BuildOrder.mpp in the Deployment Kit.
The following subsections describe each of the listed phases in detail.
Lab Implementation 15
At this point, the network was built and secured, the SAN storage was configured and ready
for servers to work with, all computers had the operating system installed, the Active
Directory domains were built, the firewalls and proxy servers were built, and DNS, DHCP,
and WINS were built.
Lab Implementation 17
12. Perform all the tasks in the Infrastructure Management Services Build Guide.
13. Perform the tasks in the "File Service" sections in the File and Print Services Build
Guide.
14. Perform the tasks in the "Print Service" sections in the File and Print Services Build
Guide.
15. Perform all the tasks in the Data Services Build Guide. In addition, complete the
remaining tasks in the "EMC SAN Storage Devices" section in the Storage Devices
Build Guide.
16. Perform all the tasks in the Web Application Services Build Guide.
17. Perform all the tasks in the Middleware Services Build Guide.
18. Perform all the tasks in the Certificate Services Build Guide.
19. Perform all the tasks in the Remote Access Services Build Guide.
20. Perform all the tasks in the Backup and Recovery Build Guide.
21. Perform all the tasks in the Messaging Services Build Guide.
Test Objectives
WSSRA tests are designed to reduce or eliminate uncertainty in the performance and
capabilities of the services provided by WSSRA to support both Microsoft-originated
solution offerings and customized solutions developed for individual customers. This results
in direct time and cost savings to WSSRA documentation users because they can more easily
debug their implementations knowing that fundamental environmental issues have already
been solved.
The specific test objectives for the testing efforts were:
To validate the documentation quality by ensuring that the content of the guidance
was clear, accurate, consistent, easy to use, and met the requirements of defined
customer scenarios.
Customers should be able to rely on the documentation to design, implement, and
operate data center instantiations based on WSSRA.
To verify that the architecture for each service met design requirements for
availability, security, manageability, recoverability, and usability.
The architecture should provide the highest degree of system and network-level
security without interfering with the ability of any system to carry out its key
functions. All systems in the architecture should be manageable both locally and
remotely without any security risks.
To ensure that all the services worked together concurrently in the integrated
WSSRA environment.
System integration testing was used to uncover any coexistence issues between the
mix of Microsoft and third party services and components used in the test lab
instantiation.
To describe performance levels of key network and operating system services both
on a service-by-service basis and as an integrated whole without tuning or
optimization.
Test Process
The test team began by formulating high-level plans, schedule estimates, and stratagems
based on the project scope document, customer scenarios, initial services lists, and existing
architectural and design documentation. As the project progressed, these plans were
adjusted to meet updated technical information, scope changes, and operational realities.
Lab Implementation 19
The test team used knowledge gained from their involvement in reviewing all stages of
architectural and design development as well as their experience from previous releases to
derive initial test case specifications. Later, planning documentation was evaluated to
determine what claims were being made and which of those claims would require specific
testing by the test team. The following figure depicts a defined process.
Lab Implementation 21
This process is supported by the following templates, which are available in the \Testing
folder of the Deployment Kit:
Claims Document - Template.doc
Relevant Claims Document - Template.doc
Test Design Specifications Document - Template.doc
These templates were used to extract and develop relevant claims into refined test case
specifications, which were then used to create test cases in a test case management tool.
The process of deploying the test lab was used to ensure the quality of prescriptive guidance.
It began with verification of the lab’s hardware as assembled, racked, and wired compared
against the ConfigurationMatrix.xls file (available in the Deployment Kit). Once it was
established that the lab hardware was conformant, the test team built the lab from the
ground up following the build guidance exactly as written. This allowed testers to uncover
errors in sequencing, omissions, and accuracy of the build guidance at the earliest stage in
the test process. Once the lab system was built, short configuration audits and simple build
verification tests (BVTs) were performed to ensure that all systems were functional and no
human errors had crept into the deployment process. Upon ensuring that the systems as-
built conformed to the prescriptive guidance, the in-depth functional, load, and security tests
were performed.
To verify the accuracy of the documentation, the test team designed specific test cases to
validate statements made within the documentation. Any claims that described specific
functions or performance levels for a service in the Planning Guide that were not already
substantiated through published test results or case studies from Microsoft or partners were
validated in the test labs during functional, load, or security testing.
The test team devised various user scenarios with corresponding exerciser applications to
stress the key systems. Exercising these scenarios activated a suite of interdependent services
across the environment, which exposed integration and interoperability issues that were
corrected.
The test team applied the same loads to the system while testing for availability during the
outage of various system components. Each redundant component was failed so that its
backup component carried the full load. Performing these tests under heavy load exposed
issues that would not have appeared if the failover tests had been performed with only
nominal loads.
Security penetration tests were run by both the test team and by Microsoft Foundstone
security assessment experts to ensure that known cracking exploits would fail against
WSSRA. These tests were performed while load tests were also running to better simulate
hacking attempts against a working system. The published Foundstone assessment can be
found at the following URL:
http://www.foundstone.com/index.htm?
subnav=resources/navigation.htm&subcontent=/resources/whitepapers.htm
Each service was built and tested independently. After all services had passed independent
testing, integrated testing was performed against all services at once. Any errors that were
uncovered in documentation, system components, interoperability, or failure to meet design
goals were entered and tracked as bugs.
Test Methodology
This section describes overall test methodology in testing. It first defines the types of testing
and then describes the sequence of test executions and test cycles.
Types of Testing
The focus of testing WSSRA guidance is different from that of product testing. Product
testing focuses on the individual product and its features, while testing of WSSRA guidance
emphasizes on system integration as well as interoperability and product coexistence; this
testing is an extension to product testing, because it bridges product development and
customer deployment in the field. The test team considered the following types of testing for
each area of coverage:
Document verification testing: This testing preceded all other formal testing to
ensure that subsequent test phases were carried out on a system that was configured
exactly as documented. Documentation verification began with a critical review of
planning and deployment documentation with an eye towards identifying any errors
in accuracy, consistency, readability, or clarity. Once the identified errors were
corrected and the lab hardware was ready, the lab was built by following the
deployment documentation exactly as it was written. Build guide verification
ensured that the instructions and guidance on how to deploy the services was
correctly sequenced, clear, accurate, and unambiguous.
Build verification tests (BVTs): BVTs included configuration audits and short or
quick tests that verified basic core functionality of the systems and services to ensure
that services were functional and deployed per documentation. These tests were
useful because they exposed human errors that occurred during the build process.
Availability testing: This testing helped ensure that network adapter teaming (NIC
teaming), Network Load Balancing, Windows Clustering, and other services’
Lab Implementation 23
primary or secondary availability features were available and working under
varying conditions. Availability tests were typically carried out by causing a failure
in one of the redundant components and verifying that the backup component took
up the functionality with no unexpected interruption of service. Availability tests
were first run without significant load on the target server, and then rerun with near
saturation loads.
Recoverability testing: This testing was done to aid production support in ensuring
that adequate procedures were in place for restoring the system should a disaster
occur. Different services of the architecture had different backup and restoration
needs. Each service was tested with both backups under high system load and
restoration to blank systems.
Manageability testing: This testing was performed to prove that the environment
had adequate monitoring and alerting mechanisms. Each key service had its own set
of metrics to monitor and command capabilities to verify. Additionally,
manageability tests were almost always performed through Administrator virtual
private network (VPN) connections to ensure remote accessibility.
Security testing: Security testing in WSSRA was performed to ensure that only users
with the appropriate authority were able to use the applicable services of the
architecture and that system entry points were appropriately protected from
hacking. Two approaches were used for security testing: audits and penetration
testing. Audit tests were run during the build and installation phases to ensure that
security-related configurations were correctly documented in the build guidance and
that they had been correctly carried out by the system builders. Penetration tests
were carried out after the whole environment was completely built and all account
policies and network security had been applied and locked down. Penetration tests
were conducted in depth, with each defense-in-depth layer of the architecture
successively probed for vulnerabilities and threats using hacking tools and
approaches that are known to the security community. Penetration tests were
performed by the test team, Microsoft security experts and Foundstone security
assessment teams.
Performance load testing: This testing was necessary to understand system’s
capacity and behavior under overloaded conditions. Once the capacity of each server
or group of servers and attached hardware is known, a system designer can make
better scaling decisions. Understanding the system’s behavior under abnormally
high loads at or near system saturation allows a system designer to decide whether it
is appropriate to design in excess capacity where compromised responsiveness is not
acceptable.
Scalability load testing: Scalability is a qualitative measure of how easy it is to
expand the infrastructure. Scalability testing was performed to determine how
system’s overall capacities would change due to changes in component capacities
within the system.
Stability load testing: Stability testing is designed to ensure that the architecture is
stable when exposed to prolonged load tests. This type of testing frequently exposes
memory leaks and other cumulative error conditions in the products and services.
Some degree of stability testing could be achieved through performance load testing
Test Sequence
The test team executed three test cycle passes. Within each cycle, a sequence of five distinct
test phases took place. The build phase was followed by BVT phase, which was always
completed before moving on to the functional test phase. There was greater flexibility in the
later test phases, but for the most part, functional tests were substantially completed before
moving on to any load tests. Security penetration tests were performed concurrently with
load tests. Execution of individual test cases within each phase, depended on individual
details of each case, but allowed for greater flexibility in general. Each phase is described in
more detail as follows:
Build phase: Each test cycle began with this phase. At the beginning of this phase,
hardware was in place and racked but all servers and device configurations were
blank. The exact steps outlined in the existing build guidance were then used to
build and configure servers, networking, SAN, and other devices. Any problems
encountered with regard to sequencing, clarity, accuracy, or ambiguousness of the
build guidance were logged and corrected as bugs.
Build verification testing phase: Following the build phase, the test team performed
a set of configuration audits and BVTs to ensure that hardware and software
components were operational as well as built and configured per documentation.
BVTs quickly exposed human errors made during deployment as well as errors in
deployment guidance that resulted in services not functioning properly. BVTs caught
these errors early so that later tests were not run against improperly built or
configured systems.
Functional testing phase: Once BVTs were completed, the test team focused on
verifying key design goals of WSSRA including high availability, recoverability, and
manageability. Functional testing of various security features was also confirmed at
this stage. Each service had its own specific test cases that were used to verify that
functional design requirements were met for that service. Many functional tests were
performed both with and without loads placed on the service components being
tested.
Load testing phase: After functional testing, the lab team focused on load tests.
There were four distinct types of load tests that took place during this phase:
performance, scalability, stability, and integrated systems load tests. Within this
phase, the test sequence was generally to understand the performance behavior first,
Lab Implementation 25
then test the scalability of the design, and finally test the integration with all other
system components. Stability testing typically occurred at mixed points throughout,
often in conjunction with one of the other load test types.
Security penetration testing phase: While load tests were running, the test team and
the Microsoft security teams conducted security penetration testing using publicly
available tools.
Test Cycle
The test team completed three complete test cycle passes following the sequencing outlined
above. Each test pass began with blank server computers. While all three test passes shared
common testing activities, each had its own additional unique testing themes that can be
explained as follows:
The theme of the first test pass cycle was to validate service build guidance. A
strategy of building and testing service components in a layered approach was used;
the approach was to build and test the overall system in sections that consisted of
coherent sets of servers and services. Before moving on to additional sections, a
concentrated effort was made to resolve and regress any significant bugs. By
following this methodology, each subsequently added section was assured of a
stable foundation. Each additional section was added to the services provided by the
previous sections so that by the time the complete system was built, it had been
substantially tested for all but a few load tests and the remaining entire systems
integration test.
The themes of the second test pass cycle included validation of service build
guidance again (although a different strategy was used) as well as additional
independent security testing.
The build strategy used for the second test pass was to build/rebuild the lab entirely
before executing any test cases. This allowed a more integrated testing of the
updated build guidance.
The third pass focused on regression testing and closing remaining bugs. In addition,
a final complete integrated systems test was performed.
Lab Implementation 27
If a test case failed, it was not assumed that the feature was necessarily defective. For
example, misinterpretation of project documentation, incomplete documentation, or
inaccurate documentation could cause failures. Each failure was analyzed to discover its
cause, based on actual results and the results described in project documentation. Further
pass criteria were as follows:
All processes ran without unexpected errors.
All processes finished in accordance with benchmarks defined in the functional
specification.
Load tests showed that a satisfactory level of capacity was in place and that
appropriate steps could be taken to scale out the system when necessary.
Severity Description
1 Fatal Bug. System did not work. Significant parts of the system were
inoperable. There was no viable workaround.
2 Serious Bug. Primary business requirements could not be met with the
system. There were no easily apparent viable workarounds. Performance,
functionality, or usability was seriously degraded.
3 Normal Bug. Business requirements can be met with the system. Any needed
workarounds are apparent. Performance, functionality, or usability is not
seriously degraded.
4 Minor Bug. Minor typos, wish list suggestions, a “nice to have,” but not
required change. Would not affect release accuracy or usability in any
significant way.
The Fairfield location was built with all WSSRA services and design redundancies
incorporated. The London location, however, was a minimal subset of the Fairfield
deployment that allowed testing of site-to-site functionality, such as directory replication.
The London site of the test lab was not meant to host all services, only those that required
more than one site to adequately test. The Pittsburg location allowed testing of SBO
functionality, and as such contained no servers—only a firewall and test clients. Pittsburg
clients consumed services provided in the Fairfield location through VPN tunneling through
the Internet and site firewalls. Fairfield was represented in the naming convention used in
the lab as FFL, London as LON, and Pittsburg as PIT.
For a detailed breakdown of the network, SAN, servers and test clients configuration in this
environment, refer to the Test Lab Environment document in the Deployment Kit.
Test Tools
Applications that were used to stress test our scenarios included the following:
Application Center Test (ACT): Was used to test the intranet and extranet Web tier
along with various Web application services.
Nile 3.0: Was used in conjunction with ACT to test the intranet and extranet Web tier
along with various Web application services.
Lab Implementation 29
Fitch and Mather Stocks: Fitch and Mather Stocks version 7.0 (also called FMStocks)
was used as the sample application for testing the .NET Framework technologies.
Load Harness: This is a tool set that was developed and used by the test team for
load testing Active Directory and file services. It comprised modules such as
ADLogon and FileCopy.
WSSRA-OLTP: The WSSRA-OLTP tool is used for generating load on the data
services in WSSRA.
Mirror: This tool was used to facilitate security testing for our scenarios. Mirror
behaves like a generic service that opens a range of TCP and UDP ports and accepts
incoming connections.
PrintStress: Version 2.0.9.0 of PrintStress was used to verify and stress test the print
services running in the test lab.
Scanline: This tool is a command-line network and port scanning utility produced
by FoundStone. Version 1.01 was used in WSSRA to verify the correct settings for the
ACLs and for the per-server port lockdowns.
Virtual Private Networking (VPN) Multi-port Client Simulator: This tool (R5K.exe)
is a client simulator utility that was used to create multiple client connections to test
VPN functionality under load. Version 1.0 of the tool was used.
Functional, load, and integration tests were all performed using these tools. For more
information, refer to the Test Tools document in the Deployment Kit.
Lab Implementation 31
References
The WSSRA documentation has been designed to conform to technical and process best
practices in the IT industry. To this end, the guidance uses and complies with a number of
existing standards. It would be beneficial for the reader to be familiar with the MSF and
MOF standards to understand overall approach of WSSRA. Information on MSF and MOF is
available at the following URLs, respectively:
www.microsoft.com/msf/
www.microsoft.com/mof/
The WSSRA builds on the work of previous guidance that was released as Microsoft Systems
Architecture (MSA), which included the MSA Internet Data Center (IDC) and the MSA
Enterprise Data Center (EDC). For more information on these releases, refer to the following
URLs:
www.microsoft.com/technet/itsolutions/idc
www.microsoft.com/technet/itsolutions/edc
The WSSRA material can be found at:
www.microsoft.com/wssra
Lab Implementation 33
Appendix 1.1—Security Zone Communications
This appendix provides details of the zone and tier communication that were used for the
CDC scenario in the test lab.
The following table details the ports to be allowed between a source zone or tier and
destination zone or tier and shows only the traffic initiated by the source. For example, a
client in the Public tier will initiate specific traffic to the Client VPN tier and the allowed
ports are shown from the initiator’s (Public) point of view. VPN tier does not initiate the
traffic because there is no entry for those ports with client VPN as the source.
If a zone is listed as the source or destination, all tiers in that zone can be expected to comply
with the port filters. The assumption here is to use zones by default unless the filtering
applies to a single tier only.
Usually, it is desirable to restrict port traffic between defined security zones where possible,
and map each security zone to a logical VLAN. The following table lists the source and
destination zones or tiers, which are specifically identified as such. In the case of a tier, a
network adapter may also be specified (/n).
Lab Implementation 35
Source Zone Destinat Port Protocol TCP/UDP Purpose
ion #
Zone
Services
Perimeter SQL Com - TCP/UDP Refer to Table 12 in the
Information tier/1 mon Network Architecture Blueprint
Services, proto for a list of commonly allowed
Perimeter Web col protocols.
Services set
Perimeter Internal 80 HTTP TCP To allow traffic between the
Information Applicati Contoso public application or
Services, ons tier/1 Web server and the internal
Perimeter Web application server over non-
Services encrypted HTTP.
Perimeter Internal 443 HTTPS TCP To allow traffic between the
Information Applicati Contoso public application or
Services, ons tier/1 Web server and the internal
Perimeter Web application server over
Services encrypted HTTPS.
Perimeter Internal 8100 Remoter TCP .NET remoter connection
Information Applicati allowing simple object access
Services, ons tier/1 protocol (SOAP) and XML
Perimeter Web between the corporate
Services application servers and the
public application servers.
Perimeter Internal 1810 DTC TCP DTC statically defined ports to
Information Applicati - allow transit through
Services, ons tier/1 1815 intermediate firewall.
Perimeter Web
Services
Perimeter Internal 80 HTTP TCP To allow traffic between the
Information Web Contoso public Application or
Services, tier/1 Web server and the internal
Perimeter Web Web server over non-encrypted
Services HTTP.
Perimeter Internal 443 HTTPS TCP To allow traffic between the
Information Web Contoso public application or
Services, tier/1 Web server and the Internal
Perimeter Web Web server over encrypted
Services HTTPS.
Perimeter Internal 8100 Remoter TCP .NET remoter connection
Information Web allowing SOAP and XML
Services, tier/1 between the corporate Web
Perimeter Web servers and the public
Services application or Web servers.
Perimeter Internal 1810 DTC TCP DTC statically defined ports to
Information Web - allow transit through
Services, tier/1 1815 intermediate firewall.
Perimeter Web
Services
Perimeter Corporat 119 NTP UDP To allow network time protocol
Information e (NTP) to transit between the
Infrastructure Infrastru perimeter directory tier to the
cture domain controller servers in the
Lab Implementation 37
Source Zone Destinat Port Protocol TCP/UDP Purpose
ion #
Zone
remote site has a valid
authentication certificate.
Perimeter Branch 4500 MS IPSec UDP To allow the site-to-site VPN to
Remote Office, NAT-T initiate the VPN tunnel to allow
Access tier/1 Public remote branch office client
workstations to securely
connect to the Contoso internal
network remotely over IPSec
through a NAT. Note that this
VPN tunnel may be initiated by
either the branch office or the
site-to-site VPN and the tunnel
will only be authorized if the
remote site has a valid
authentication certificate.
Perimeter Branch 500 ISAKMP UDP To allow the site-to-site VPN to
Remote Office, use ISAKMP to build the secure
Access tier/1 Public tunnel for IPSec VPNs. Note that
this VPN tunnel may be
initiated by either the branch
office or the site-to-site VPN.
Perimeter Corporat 3389 RDP TCP To allow administrators to
Management e remotely administer the
tier/1 Manage perimeter management servers
ment through Terminal Services or
Remote Desktop Connection.
Once logged in using Terminal
Services, the administrator can
connect to other Perimeter
servers directly attached to the
CPB VLAN.
Perimeter Corporat 80 HTTP TCP To allow HTTP traffic to traverse
Management e between the perimeter and
tier/1 Manage internal management servers
ment for intercommunication, such
as SOAP (see also port 8100).
Perimeter Corporat 443 HTTPS TCP To allow encrypted HTTPS traffic
Management e to traverse between the
tier/1 Manage perimeter and internal
ment management servers for server
configuration access.
Perimeter Corporat 1036 Unassign UDP To allow specific traffic to
Management e ed transit between the internal
tier/1 Manage registere servers and the management
ment d port servers. This undefined high
port is used by the
management software.
Perimeter Corporat 8400 Unassign TCP To allow backup software traffic
Backup tier/1 e -03 ed to flow between the internal
Manage registere backup servers and the
ment d ports perimeter backup servers. The
backup uses high range ports
to accomplish the transfer. The
Lab Implementation 39
Source Zone Destinat Port Protocol TCP/UDP Purpose
ion #
Zone
Corporate on tier/2 and the application servers for
Management, intercommunication, such as
Corporate SOAP (see also port 8100).
Infrastructure
Corporate Internal 443 HTTPS TCP To allow encrypted HTTPS traffic
Database, Applicati to traverse between corporate
Corporate on tier/2 servers and the application
Management, server for intercommunication.
Corporate
Infrastructure
Corporate Internal 1810 DTC TCP DTC statically defined ports to
Database, Applicati - allow transit through
Corporate on tier/2 1815 intermediate firewall.
Management,
Corporate
Infrastructure
Corporate Internal 8100 Remoter TCP .NET remoter connection
Database, Applicati allowing SOAP and XML
Corporate on tier/2 between the corporate servers
Management, and the internal application
Corporate servers.
Infrastructure
Corporate Internal Com - TCP/UDP Refer to Table 12 in the
Database, Applicati mon Network Architecture Blueprint
Corporate on tier/2 proto for a list of commonly allowed
Management, col protocols.
Corporate set
Infrastructure
Corporate Perimete Stati DCOM TCP To allow DCOM traffic through
Infrastructure r c the firewall, specific ports must
tier/1 Applicati ports be specified for CA traffic. For
on, 1820 more details, refer to the
External - following URL:
Proxies 1825 www.microsoft.com/com/wpape
tier/2 r/dcomfw.asp
Corporate External 80, HTTP TCP To allow HTTP traffic to traverse
Infrastructure Proxies 8080 between the internal and
tier/1 tier/2 external proxy servers for
intercommunication, such as
SOAP (see also port 8100).
Corporate External 443 HTTPS TCP To allow encrypted HTTPS traffic
Infrastructure Proxies to traverse between the
tier/1 tier/2 internal and external proxies for
server configuration access.
Corporate External 20- FTP TCP Allow FTP traffic between the
Infrastructure Proxies 21 internal and external proxies.
tier/1 tier/2
Corporate External 1863 MSNP TCP/UDP Allow Windows Messenger
Infrastructure Proxies traffic between the internal and
tier/1 tier/2 external proxies.
Corporate External Com - TCP/UDP Refer to Table 12 in the
Lab Implementation 41
Source Zone Destinat Port Protocol TCP/UDP Purpose
ion #
Zone
Internal SQL Internal 1433 SQL TCP/UDP To allow SQL traffic to the back-
Web -34 end interface of the internal
tier/2 Web server. This specific LAN
segment is isolated for
database traffic only to offload
the traffic from the front-end
LAN segment.
Internal SQL Internal 1433 SQL TCP/UDP To allow SQL traffic to the back-
Applicati -34 end interface of the Internal
ons tier/2 applications server. This
specific LAN segment is
isolated for database traffic
only to offload the traffic from
the front-end LAN segment.
Corporate Internal 80 HTTP TCP To allow HTTP traffic to traverse
Database, Web between the corporate servers
Corporate tier/2 and the internal Web server for
Management, intercommunication, such as
Corporate SOAP (see also port 8100).
Infrastructure
Corporate Internal 443 HTTPS TCP To allow encrypted HTTPS traffic
Database, Web to traverse between the
Corporate tier/2 corporate servers and the
Management, internal Web servers for
Corporate intercommunication.
Infrastructure
Corporate Internal 1810 DTC TCP DTC statically defined ports to
Database, Web - allow transit through
Corporate tier/2 1815 intermediate firewall.
Management,
Corporate
Infrastructure
Corporate Internal 8100 Remoter TCP .NET remoter connection
Database, Web allowing SOAP and XML
Corporate tier/2 between the corporate servers
Management, and the internal Web server.
Corporate
Infrastructure
Corporate Internal Com - TCP/UDP Refer to Table 12 in the
Database, Web mon Network Architecture Blueprint
Corporate tier/2 proto for a list of commonly allowed
Management, col protocols.
Corporate set
Infrastructure
Corporate Perimete 8400 Unassign TCP/UDP To allow backup software traffic
Management r Backup -03 ed to flow between the internal
tier/1 registere backup servers and the
d ports perimeter backup servers. The
backup uses high range ports
to accomplish the transfer. The
defined ports are exclusive to
the perimeter backup scheme.
Lab Implementation 43
Source Zone Destinat Port Protocol TCP/UDP Purpose
ion #
Zone
Internal
Applications,
Corporate
Web Services
Corporate Internal 80 HTTP TCP To allow HTTP traffic to traverse
Database, Manage between the corporate servers
Corporate ment and the internal management
Infrastructure, tier/1 servers for intercommunication,
Corporate such as SOAP (see also port
Internal 8100) and basic configuration.
Applications,
Corporate
Web Services
Corporate Internal 443 HTTPS TCP To allow encrypted HTTPS traffic
Database, Manage to traverse between corporate
Corporate ment servers and the internal
Infrastructure, tier/1 management servers for
Corporate intercommunication.
Internal
Applications,
Corporate
Web Services
Corporate Internal 1036 Unassign UDP To allow specific traffic to
Database, Manage ed transit between the internal
Corporate ment registere servers and the management
Infrastructure, tier/1 d port servers. This undefined high
Corporate port is used by the
Internal management software.
Applications,
Corporate
Web Services
Corporate Internal Com - TCP/UDP Refer to Table 12 in the
Database, Manage mon Network Architecture Blueprint
Corporate ment proto for a list of commonly allowed
Infrastructure, tier/1 col protocols.
Corporate set
Internal
Applications,
Corporate
Web Services
Corporate File and 515 Print UDP To support print spool traffic to
Database, Print spooler the print servers.
Corporate tier/1
Management,
Corporate
Internal
Applications,
Corporate
Web Services
Corporate File and 1709 Unassign UDP To allow specific file and print
Database, Print ed traffic to transit between the
Corporate tier/1 registere internal servers and the file and
Management, d port print servers.
Lab Implementation 45
Source Zone Destinat Port Protocol TCP/UDP Purpose
ion #
Zone
Client Internal 443 HTTPS TCP To allow encrypted HTTPS traffic
Applicati to traverse between clients and
on tier/1 the internal application servers
for intercommunication.
Client Internal 1810 DTC TCP DTC statically defined ports to
Applicati - allow transit through
on tier/1 1815 intermediate firewall.
Client Internal 8100 Remoter TCP .NET remoter connection
Applicati allowing SOAP and XML
on tier/1 between the clients and the
internal application servers.
Client Internal Com - TCP/UDP Refer to Table 12 in the
Applicati mon Network Architecture Blueprint
on tier/1 proto for a list of commonly allowed
col protocols.
set
Client Internal 80 HTTP TCP To allow non-encrypted HTTP
Web traffic to traverse between the
tier/1 clients and the internal
application servers for
intercommunication.
Client Internal 443 HTTPS TCP To allow encrypted HTTPS traffic
Web to traverse between clients and
tier/1 the internal application servers
for intercommunication.
Client Internal 1810 DTC TCP DTC statically defined ports to
Web - allow transit through
tier/1 1815 intermediate firewall.
Client Internal 8100 Remoter TCP .NET remoter connection
Web allowing SOAP and XML
tier/1 between the clients and the
internal application servers.
Client Internal Com - TCP/UDP Refer to Table 12 in the
Web mon Network Architecture Blueprint
tier/1 proto for a list of commonly allowed
col protocols.
set
Client Internal 1433 SQL TCP/UDP To allow SQL traffic between the
SQL -34 internal SQL Server computers
tier/1 and the clients.
Client Internal 1810 DTC TCP DTC statically defined ports to
SQL - allow transit through
tier/1 1815 intermediate firewall.
Client Internal Com - TCP/UDP Refer to Table 12 in the
SQL mon Network Architecture Blueprint
tier/1 proto for a list of commonly allowed
col protocols.
set
Client Internal 67- DHCP UDP To allow a client (local or
Directory 68 remote) to acquire a DHCP
tier/1 lease address.
Lab Implementation 47
Source Zone Destinat Port Protocol TCP/UDP Purpose
ion #
Zone
Print mon Network Architecture Blueprint
tier/1 proto for a list of commonly allowed
col protocols.
set
Client Internal 20- FTP TCP Allow FTP traffic through the
Proxy 21 proxy server only when
tier/1 initiated from internal clients.
Client Internal 80 HTTP TCP To allow HTTP traffic to traverse
Proxy between the clients and the
tier/1 external proxy servers for
intercommunication.
Client Internal 443 HTTPS TCP To allow encrypted HTTPS traffic
Proxy to traverse between clients and
tier/1 the external proxy servers for
intercommunication.
Client Internal 1863 MSNP TCP/UDP Allow Windows Messenger
Proxy traffic between the clients and
tier/1 the internal proxies.
Client Internal Stati DCOM TCP To allow certificate issue traffic
Proxy c to flow between the internal
tier/1 ports certificate server and the
1820 clients. To allow DCOM traffic
- through the firewall, specific
1825 ports must be specified for CA
traffic as per the Knowledge
Base article available at:
www.microsoft.com/com/wpape
r/dcomfw.asp
Client Internal Com - TCP/UDP Refer to Table 12 in the
Proxy mon Network Architecture Blueprint
tier/1 proto for a list of commonly allowed
col protocols.
set
Branch Office VPN 1723 TCP To allow the branch office to
tier/1 initiate the VPN tunnel as
required to allow remote
branch office client
workstations to securely
connect to the Contoso internal
network remotely over a VPN
through PPTP using protocol
type 47 (GRE). Note that this
VPN tunnel may be initiated by
either the branch office or the
site-to-site VPN and the tunnel
will only be authorized if the
remote site has a valid
authentication certificate.
Branch Office VPN 1701 UDP To allow the branch office to
tier/1 initiate the VPN tunnel as
required to allow remote
branch office client
Note: Messaging services zone configurations are included in the Messaging Services
Planning Guide and the Messaging Services Build Guide.
Lab Implementation 49
Appendix 1.2—Network Architecture Tier
Definitions
This appendix provides the detailed information on the tier definitions that were used for
the CDC scenario in the test lab.
Lab Implementation 51
Tier Tier Services Member of Load- Load-Balancing
Description and Hosts Security Balancing Functional
It Contains Zone Technique Requirements
Internal Proxy Proxy/CA Corporate Round High availability;
Proxy services for servers Infrastructu Robin Session persistence
internal use re
File and Print File and Print File and Corporate N/A None *
services for Print servers Infrastructu
internal use re
Internal DNS and DNS/WINS Corporate Determinis High availability
Name WINS servers Infrastructu tic
Services services for re
internal
name
resolution
Internal Backup Backup Corporate N/A None*
Backup services for servers Manageme
internal use nt
Internal Management Network and Corporate N/A None
Management services for Applications Manageme
internal use Managemen nt
t servers;
Deployment
servers
Internal Application Application Corporate Least Session persistence;
Applications services for servers Internal connected High availability
internal use Application
s
Internal Web Web services Web servers Corporate Least Source IP/SS/URL
for internal Web connected persistence, SSL
use Services termination/offloadi
ng, downstream
service availability
awareness
Branch Corporate Desktops, Branch N/A None
Office remote laptops Office
offices
Client Client access Desktops, Client N/A None
devices laptops
*Note: These servers are clustered for failover and not for load balancing; therefore, they
have no impact on the network design. If multiple server hosts need to be clustered
together to present themselves as one host to the network, the service administrator should
specify the type of load balancing required.
Lab Implementation 53
Segm Purpose Physical Destinatio Reason for Creation
ent ID or n
Logical Segments
Internal zones conversations, or to secure VPN
tunnel traffic from trusted authenticated
sources. Outbound traffic can be sourced from
Internal Client or Corporate zones.
S4 Connectivi Logical S2, S5, S6, To allow traffic to flow from the device
ty and and S7 performing the Perimeter Firewall Services
Security role to the Perimeter DNS, Perimeter
Application, and Perimeter Web tiers through
the device that performs the Perimeter
Switching role. The organization’s security
policy mandated that the device that performs
the Internal Switching role must be physically
separate from the device that performs the
Perimeter Switching role.
S5 Security Logical S4, S6, and To allow the flow of traffic between the device
S12 that performs the Perimeter Firewall Services
role and the Perimeter Application tier
(allowing public access to the tier).
To allow traffic to flow between the Perimeter
Web tier and the Perimeter Application tier.
To allow devices in the Perimeter Management
tier to connect to the servers in the Perimeter
Application tier to remotely administer them.
S6 Security Logical S4, S5, and To allow traffic to flow between the device
S12 that performs the Perimeter Firewall Services
role and the Perimeter Web tier (allowing
Public access to the tier).
To allow traffic to flow between the Perimeter
Web tier and the Perimeter Application tier.
To allow devices in the Perimeter Management
tier to connect to the servers in the Perimeter
Web tier to remotely administer them.
S7 Security Logical S4 and S12 To allow traffic to flow between the device
that performs the Perimeter Firewall Services
role and the Perimeter DNS tier (allowing a
Public access to the tier).
To allow devices in the Perimeter Management
tier to connect to the servers in the Perimeter
DNS tier to remotely administer them.
S8 Security Logical S12 and To allow traffic to flow between Perimeter
or S14 Information Infrastructure zone and the
Connectivi Internal Firewall device; the filters allow
ty specific traffic to flow to the Perimeter
Application, Web, and DNS tiers for directory
services, backups, and management.
Restricted communication is required between
the Perimeter Information Infrastructure zone
and specific devices in the Internal zone,
which are handled by the Internal Firewall
device.
S9 Security Logical S3, S10, To allow outbound traffic to flow from the
Lab Implementation 55
Segm Purpose Physical Destinatio Reason for Creation
ent ID or n
Logical Segments
The Contoso enterprise security policy
mandated that a device that performs at least
the function of stateful packet inspection
firewall control network traffic between the
Perimeter and Internal Zones. In addition, it
mandated that the device that performs the
Internal Firewall Services role be a dedicated
device for this purpose and is physically
separate from the device that performs the
Perimeter Firewall Services role.
S14 Connectivi Logical S12, S13, To allow traffic to flow between the device
ty S15, S16, performing the Internal Firewall Services role
S17, S18, and the device that performs the Internal
and S19 Switching role. This will include traffic
between the Perimeter and the Internal zones.
Note that the Contoso enterprise security
policy mandated that the device that performs
the Internal Switching role must be physically
separate from the device that performs the
Perimeter Switching function.
S15 Connectivi Logical S14, S17, To allow traffic to flow between the device
ty S18, and that performs the Internal Switching role and
S19 the tiers in the Corporate Database zone. This
segment services two zones - Corporate
Database and Private SQL. It is a single VLAN
that has services that require single host-
based security filters.
S16 Security Logical S14, S15, To allow traffic to flow between the device
or S17, S18, that performs the Internal Switching role and
Connectivi and S19 the Corporate Management zone.
ty
S17 Security Logical S14, S15, To allow traffic to flow between the device
or S16, S18, that performs the Internal Switching role and
Connectivi and S19 the Corporate Infrastructure zone. This
ty segment carries the typical client traffic to
this zone and carries the certification and
authentication traffic for the Perimeter
Remote Access zone. This segment services
two zones-Corporate Infrastructure and
Corporate Access. It is a single VLAN that has
services that require single host-based
security filters.
S18 Security Logical. S14, S15, To allow traffic to flow between the device
or The S16, S17, that performs the Internal Switching role and
Connectivi connecti and S19 the Corporate Internal Applications zone.
ty on is
between
two
devices
that
Contoso
owns. It
is
Lab Implementation 57
Appendix 1.4—Address Allocation Information
for the CDC
This appendix provides details of the segments created as part of the CDC network
architecture.
*Note: The messaging services were built as a layered service using the WSSRA
architecture. The build sequence is detailed separately and specifically in the Messaging
Services Build Guide.
The table in this appendix was derived from the BuildOrder.mpp document and describes
textually the build sequence for the services. It is organized according to the build guide that
contains the tasks to be executed and in order. Document names are bolded to make them
easier to identify.
The Task column contains the task section titles from within each build guide. In some cases,
the Task element indicates a range of sections. For example, in the "DHCP" section in the
Network Services Build Guide, one Task element contains "Installing DHCP Services through
Activating Scopes." You should execute all task sections inclusive between "Installing DHCP
Services" and "Activating Scopes."
Some Task elements are a single section name, and it is possible that the task section contains
multiple subsections. For example, the "Build the Deployment Server" section in the
Deployment Services Build Guide contains several task subsections that describe how to build
the deployment server. You should execute all task subsections that are contained within a
main task section. This also applies to ranges of sections where the boundaries may have
task subsections.
The Predecessor and Successor columns contain the Task IDs that either precede or follow
the current task. Before executing a task, you must ensure that its entire list of Predecessor
task IDs has been completed. The Successor task IDs help identify the tasks that can be
performed after the current task. When there are multiple Successor task IDs, it indicates
that the successor tasks can be performed in parallel.
The first few tasks in the table are milestone tasks and have no build steps. They are there to
help define key points during the build process.
To get started, locate the "Start" task and then begin executing its Successor tasks in parallel.
Lab Implementation 59
ID Task Predecessor Successor
Systems Equipment
5 SBO Build - Setting 4
Up and Configuring
the SBO Router
6 BLD Computing Devices.doc
7 Unpack and 1 29
Inventory the
Hardware
through
Configuring Remote
Insight Lights-Out
Edition (RILOE) Card
and Integrated
Lights-Out (iLO)
8 Unisys ES7000 1 31
Computer
Configuration
9 BLD Storage Devices.doc
10 Brocade SAN Devices
11 Cabling the SAN 1 12
Fabrics
through
Setting a Switch
Domain ID
12 Setting a Secure 11, 51 13, 16
Administrator
Password on the
SilkWorm 3800
through
Verifying ISL
Trunking is Available
13 Verifying the Devices 12, 38, 66, 70, 74,
are Attached 93
14 HP SAN Storage Devices
15 Obtaining Required 1 16
Information from
Configuration Matrix
through
Configuring the IP
Address on the SAN
Appliance
16 Configuring the HP 12, 15, 51 17
Enterprise Virtual
Array (EVA) Storage
System
through
Installing Business
Copy on the SAN
Appliance
Lab Implementation 61
ID Task Predecessor Successor
31 Installing Base 8, 30 32
Operating System on
Servers
32 Post-Base Operating 31 46, 54, 62, 103
System Build
Procedures
33 BLD Network Services.doc
34 DNS
35 Configuring NIC 62 39, 97, 101, 117
Teaming
through
Moving Servers to
the Domain
Organizational Unit
36 DHCP
37 Configuring NIC 62 38
Teaming
through
Installing and
Configuring Cluster
Services
38 Configuring SAN 18, 37 13, 39
Connectivity
39 Installing DHCP 35, 38 40, 42, 97
Services
through
Activating Scopes
40 SBO: Configuring 39
Scopes for the
Satellite Branch
Office
through
Activating Scopes
41 WINS
42 Configuring NIC 39 43
Teaming
through
Building WINS
Clustered Resource
43 Building Member 42 97
WINS Servers
through
Moving Servers to
the Domain
Organizational Unit
44 BLD Firewall Services.doc
45 CDC Build Tasks-Perimeter Firewalls
Configuring
Delegation for
ContosoCorp
Organizational Units
63 BLD File & Print Services.doc
64 File Service
65 Verifying the 62 66
Network Cabling and
File System
Configuration
through
Lab Implementation 63
ID Task Predecessor Successor
Joining the Computer
to the Domain
66 Configuring SAN 18, 65 67, 13
Connectivity
67 Installing and 66
Configuring Cluster
Services
through
Moving Servers to
the Domain
Organizational Unit
68 Print Service
69 Verifying the 62 70
Network Cabling and
File System
Configuration
through
Joining the Computer
to the Domain
70 Configuring SAN 18, 69 13, 71
Connectivity
71 Installing and 70 97
Configuring Cluster
Services
through
Moving Servers to
the Domain
Organizational Unit
72 BLD Data Services.doc
73 Configuring and 62 22, 74
Naming the Base
Network Connection
through
Creating Database
Services Groups and
Permissions
74 Configuring HBA 18, 22, 73 13, 75, 78
Cards
through
Configuring SAN
Drives
75 Configuring Service 74 76, 77, 79
Accounts in the
Organizational Unit
through
Configuring the
BackEnd VLAN
76 Installing SQL 75 80
Server 2000 failover
Lab Implementation 65
ID Task Predecessor Successor
to the Tape Devices
through
Enabling Remote
Desktop to the
CommServe
Computer
95 Installing the 94 96
CommServe
Software
96 Installing the 95 97, 98
MediaAgent
Software
97 Installing the 35, 39, 43, 71, 85, 99
idataAgent Software 88, 96, 111, 122
98 Installing the Active 62, 96 99
Directory idataAgent
Software
99 Moving Servers to 97, 98 2
Domain
Organizational Unit
through
Verifying Firewall
Port Security
100 BLD Certificate Services.doc
101 General 35, 62, 88, 85 109, 112
102 Root CA
103 Root CA: Verifying 32 104, 106
Workgroup
Membership
through
Root CA: Copying
the CRL to
Removable Media
104 Root CA: Publishing 85, 88, 103
the CA Certificate
and CRL to An
Internal Facing Web
Server
through
Root CA: Publishing
a Root CA Certificate
in Active Directory
Manually
105 Intermediate CA
106 Intermediate CA: 103 107, 109
Verifying Workgroup
Membership
through
Intermediate CA:
Lab Implementation 67
ID Task Predecessor Successor
for Site-to-Site
Communications
through
Configuring the SBO
router for IPSEC
119 BLD Middleware Services.doc
120 Active Directory 62 121
Tasks
121 System Tasks 120 122
122 Configuring a Server 121 97, 124
to be an Application
Server
123 Additional Configuration Tasks
124 Verifying Network 122 125
DTC Access
through
Moving Servers to
the Domain
Organizational Unit
125 Certificate Tasks 111, 124
*Note: The build sequence for the messaging services was conducted separately from the
foundational WSSRA services and is based on sequential tasks for the individual messaging
service components found throughout the Messaging Services Build Guide.