M $ test plan overview - Chapter 3 - Test Demand

xiaoxiao2021-03-06  42

Who should be tested?

The number of people in the test team depends largely on the complexity of the design, the specified time limit, and the potential business opportunities. People with recognized, deep technical skills should lead the team. Ideally, the test team should also include some of the personnel who will be responsible for technical support after the product is deployed. As a whole, the team should have a good understanding of the underlying business reasons, the business objectives, and the deployment. The team should also be able to communicate with the individuals responsible for the design and to discuss problems with them.

If possible, the operators or actual administrators of the production environment should make a habit of testing in the lab, because they will eventually take over operations. They will also become the people who know the solution best: where it applies well and where it applies poorly.

How to perform tests

The best way to test is to start by testing only the minimum functionality and to increase complexity gradually after each success. After each test is completed, the results should be documented and reviewed, and any problems should be investigated and resolved.

To achieve its test objectives, the MSM test team built an integrated test environment for MSM solution integration testing. This test lab is designed to be as similar as possible to the actual production environment. The MSM solution is then installed in the Microsoft System Architecture (MSA) Enterprise Data Center, which simulates an enterprise network, to verify its functionality.

This test plan was formed after confirming IT field issues with Microsoft's Operations and Technical Group (OTG) and collecting customer feedback from the MSM Joint Developer Program (JDP). The MSM test team then executed the test cases in the test plan described earlier, as set out in the management architecture guide and the product operations and solution guides, and made sure the IT field issues were fed back. The solutions were tested using test procedures and automated load-test clients, which revealed the issues customers had raised.

Test case details spreadsheet

The Microsoft Management Program provides additional, specific guidance for completing the tests recommended for the MSM solution accelerator.

The test case details spreadsheet provides specific test case documentation for test engineers, who can use it to perform the recommended tests. For more information on test setup, steps, and results, see the included MSM test case details spreadsheets, which can be downloaded at the following URLs.

Where to perform a test

The test lab should closely imitate the production environment and, ideally, replicate it. The degree of similarity that can be achieved depends on the complexity of the production environment and on the funding and time the organization is prepared to give the test lab.

If your organization uses standard client and server hardware configurations, use these configurations in the lab. As far as possible, use the same hardware, software, network, and logon scripts that will be used in the production environment. If the computers in the production environment have little disk space, are filled with obsolete and rarely used software, or have a variety of network adapter cards, then the lab computers should be the same. If the production network has routers or slow links, reproduce these conditions in the lab.

This method ensures that design-related issues are identified in the lab rather than exposed during deployment.

The organization should appoint a lab manager or coordinator to oversee installation and test activities. After the lab is configured correctly, the organization should implement a "change control process" to prevent conflicts between the lab teams. This process ensures that a team obtains the lab manager's approval before changing lab software or hardware, and prevents one team from changing software or hardware that other teams rely on.

The change control process ensures that all test teams are notified of changes to lab software and hardware and agree to them. A team requesting a test should schedule it in advance with the lab manager. The lab manager should publish the software and hardware status and the test schedule so that testers know what is happening in the lab. The lab manager should also develop a process for restoring the lab to its initial state.

The goal of testing is to obtain approval (or proof) that the product can be deployed in the production environment. If the lab environment simulates the production environment, the systems and applications can be verified; that is, the lab test results accurately reflect the conditions expected in production.

Test laboratory environment

In order to verify the MSM solution, the MSM test team has set up the following environment:

• Unit test environment. This environment in the test lab is mainly used by the development team during the project development phase to test components and proofs of concept. It is generally not at the scale of the real environment, often needs to be torn down and rebuilt, and is not a well-controlled environment. Once the development team has completed unit testing, the solution is handed over to the test team, which tests it further in the integrated test environment.
• Integrated test environment. In the project test phase, only the test team can use this test lab environment, to perform BVT, integration, system, solution, stress, and security testing. This environment is generally as close as possible to the production environment and is strictly controlled. It is not torn down and rebuilt frequently.
• Pre-production environment. This environment in the test lab is used to perform a trial run before production starts, and it must match the production environment as closely as possible. It is controlled more strictly than the integrated test environment and should be operated by the production team.

Unit testing is carried out by the development team in the unit test environment. The morphological test and decline test are performed in the integrated test environment. Finally, pre-production testing is carried out in the pre-production environment. Models are built in the integrated test and pre-production environments. The test team designed the core infrastructure for the example organization according to the best practices recommended by the MSA. The logical design of the organization's core infrastructure is shown in Figure 8.

Figure 8: Example MSM logical architecture

As shown in the figure, the organization consists of a company data center located in Seattle, which has a peripheral network (that is, a DMZ, network isolation zone, or screened subnet) connecting it to the Internet. The organization also has another company data center in Europe, a branch office in Asia, and a satellite office in Tacoma, Washington. Please refer to the chart in the appendix. To cover some test scenarios from the Management System Guide and Site Management Guide, another domain (South America) was added to this basic enterprise network.

The design of different services is described later.

Active Directory

The Active Directory design of the Contoso organization is shown in Figure 9.

Figure 9: Active Directory design

The team decided to use the multi-forest model for Active Directory. This model provides isolation between external services and internal services. By using separate forests for the peripheral network and for internal services, the peripheral network can be managed through Active Directory while protecting the security of the internal infrastructure. This is in line with the MSA Active Directory design.

To manage the forest infrastructure, the internal Active Directory design implements a single forest root domain (sometimes called an empty forest root domain). The number and organization of domains within the forest are affected by many factors, including management structure, security policies, network bandwidth, and business or political reasons. Because of these factors, it was decided to divide North America, Asia and Europe into three separate domains.

From the information collected above, the recommended practice is to implement a root domain (corp.contoso.com) and 3 subdomains (na.corp.contoso.com, asia.corp.contoso.com).

Planning the peripheral Active Directory requires a single, non-empty forest root domain. This Active Directory exists separately for managing the peripheral network and its server hosts. Because the requirements are modest, the peripheral network only needs a single domain.

The next step is to create an organizational unit (OU) design for the organization. An organizational unit is a directory object that acts as a container for other directory objects. OUs can contain users, groups, computers, printers, shared folders, and other organizational units within a single domain. OUs provide logical containers for the objects in a domain.

It is recommended that the organizational unit structure be built primarily around management requirements, and then modified so that Group Policy can be applied more clearly. This design supports the following:

• Centralized user and group management.
• Easy movement of resources between sites and departments.
• Application of Group Policy.
• Software release.

The OU design is shown in Figure 10.

Figure 10: Organizational unit design

Domain name server

The efficient operation of Active Directory depends on whether computers can quickly identify and locate key services. For example, when a domain member computer restarts, it must contact a domain controller to obtain information about its domain; if the first domain controller does not provide the global catalog service, it may also have to contact another domain controller. The locations of these services are held in DNS, so DNS design and implementation are critical to deploying Windows Server 2003 successfully.

MSM laboratory design

To simplify the MSM test model, the design assumes that no DNS architecture has yet been set up in the enterprise. The DNS architecture is designed to be included in the DNS service. In this type of configuration, the architecture consists of external DNS servers, which provide name resolution for Internet clients, and internal DNS servers, which provide resolution of the internal namespace.

The DNS servers in the MSM architecture operate with Active Directory-integrated zones. Active Directory-integrated DNS zones offer additional capabilities beyond those of standard primary zones. With Active Directory-integrated zones, DNS stores its records in Active Directory, performs multi-master update and replication, and uses secure dynamic updates.

Figure 11: Design of a domain name server

The internal forest root DNS servers (SEA-RDC-01 and SEA-RDC-02) are designed with two Active Directory-integrated zones. corp.contoso.com is the DNS zone of the Active Directory forest. This zone contains the information for locating servers and services within the root domain. The _msdcs.corp.contoso.com namespace contains the records for locating domain controllers throughout the Active Directory forest. Clients query _msdcs.corp.contoso.com heavily to locate domain controllers in the forest. By creating a secondary zone on all DNS servers in the forest, the load on the forest root is reduced and client query response time for this zone is shortened. All Internet sites and services are requested through the Internet proxy.

The zones na.corp.contoso.com, europe.corp.contoso.com and asia.corp.contoso.com are included to locate servers and services in the subdomains. The subdomain controller SEA-CDC-01 in the North American domain hosts na.corp.contoso.com and also holds a secondary, read-only copy of _msdcs.corp.contoso.com. The configuration in the European and Asian domains is similar.

Secure dynamic update

With secure dynamic update, the authoritative name server accepts updates only from clients and servers that are authorized to make secure updates to the DNS zone and DNS node objects. Note that only Active Directory-integrated zones can be configured for secure updates.

Zone file maintenance

In the MSM lab, scavenging can be performed on all forward and reverse lookup zones maintained by Windows Server 2003. The refresh interval and the no-refresh interval are both set to 14 days, which is the value recommended for the DHCP lease time.

Dynamic host configuration protocol

Dynamic Host Configuration Protocol (DHCP) centrally manages the assignment of client IP addresses.

MSM laboratory design

Although the MSA design specifies that DHCP is configured as a cluster, availability is not one of the key test objectives, so the MSM test team decided not to cluster the DHCP service. All servers are assigned static IP addresses, and client computers at every site obtain their IP addresses from that site's DHCP server. Every site has its own DHCP server.

Configuration options

To simplify management, the configuration options can be divided into global-scope options and local-scope options. Global options are set per server and should include the options that apply to all DHCP scopes. Local options include the options used in a particular subnet.

The DHCP scopes are defined as follows:

• Seattle: 10.1.201.x/24
• Tacoma: 10.1.211.0/27
• New Delhi: 10.2.201.x/24
• London: 10.3.201.x/24

Table 6 lists the DHCP options configured in the MSM network.

Table 6 DHCP scope options

| DHCP option | Description | Recommended value |
|---|---|---|
| Lease interval | The period for which the TCP/IP address is valid on the host system. | 14 days. |
| IP address | Specifies the IP address assigned to the client for the lease interval. | The value in the scope properties. |
| Subnet mask | Specifies the subnet mask of the network segment the client computer belongs to. | The value in the actual scope properties. |
| 003 Router | Specifies a list of IP addresses of the routers on the client's network segment. This value is what is known as the default gateway. | This value differs for each network segment. |
| 006 DNS Server | Specifies a list of IP addresses of the DNS servers the client can use. | The value differs depending on the client's location in the network. |
| 044 WINS server | Specifies a list of IP addresses of the WINS servers used for NBT name registration and resolution. | The value differs depending on the client's location in the network. |
| 046 WINS Node Type | Specifies the NBT name resolution method used by the client. | Where name resolution across the wide area network is available, this value is set to 0x8 (Hybrid). For other sites, this value should be set to 0x4 (Mixed). |

Integrated with DNS

The DNS server can restrict dynamic updates of client IP addresses by allowing only the DHCP server to modify the zone. By default, the DHCP server is responsible for assigning IP addresses, so it is treated as the owner of the IP address, and the DHCP server updates the reverse lookup (PTR) record in DNS. Because the client is treated as the owner of the name that identifies it, the client normally updates the address (A) record in DNS. This is the recommended configuration.

Security

The DHCP service is deployed on Windows Server 2003 servers that are not domain controllers, because a DHCP service running on a domain controller is able to overwrite any existing DNS record. This would let DHCP overwrite DNS records owned by other computers, including static records. For more information, see Knowledge Base Article 255134.

Management

The DHCP service is installed on a stand-alone member server. DHCP servers must be authorized in Active Directory before they can provide services to clients. By default, creating a new DHCP server in a Windows Server 2003 forest requires enterprise administrator privileges.

Automatic Private IP Addressing (APIPA)

By default, when no DHCP server can be reached, Windows Server 2003 clients automatically assign themselves an address in the range 169.254.x.y (where x.y is a unique identifier generated by the client). This feature is intended for small local area network environments, but in this environment it results in connectivity issues.

To make sure that clients can continue to access local resources during a network outage, disable this feature by changing the following registry value on all DHCP clients:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPAutoconfigurationEnabled

Set this REG_DWORD value to 0 to disable automatic addressing.
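The DHCP scopes and the APIPA range described above can be checked against a client inventory. The following is an added example, not part of the original guide: it flags clients that self-assigned a 169.254.x.y address (so automatic addressing is still enabled and no lease was obtained) or that hold an address outside their site's scope. The host names and inventory rows are constructed, and the "x" in each scope is read as the whole /24.

```python
import ipaddress

# DHCP scopes as listed in this guide ("x" read as the full /24; assumption).
SITE_SCOPES = {
    "Seattle": ipaddress.ip_network("10.1.201.0/24"),
    "Tacoma": ipaddress.ip_network("10.1.211.0/27"),
    "New Delhi": ipaddress.ip_network("10.2.201.0/24"),
    "London": ipaddress.ip_network("10.3.201.0/24"),
}
# Range that Windows clients self-assign from when no DHCP server answers.
APIPA = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample inventory: (hostname, expected site, reported IPv4 address).
SAMPLE_INVENTORY = [
    ("sea-wks-01", "Seattle", "10.1.201.25"),
    ("tac-wks-01", "Tacoma", "10.1.211.14"),
    ("tac-wks-02", "Tacoma", "10.1.211.40"),      # beyond the /27 (.0 to .31)
    ("del-wks-01", "New Delhi", "169.254.17.3"),  # APIPA fallback
    ("lon-wks-01", "London", "10.1.201.77"),      # Seattle address on a London client
    ("lon-wks-02", "London", "not-an-ip"),
]


def classify(expected_site, address):
    """Return (status, detail) for one client address."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return ("invalid", "unparseable address")
    if ip in APIPA:
        return ("apipa", "self-assigned address, no DHCP lease obtained")
    scope = SITE_SCOPES.get(expected_site)
    if scope is None:
        return ("unknown-site", expected_site)
    if ip in scope:
        # Network and broadcast addresses can never be valid leases.
        if ip in (scope.network_address, scope.broadcast_address):
            return ("invalid", "network or broadcast address of the scope")
        return ("ok", expected_site)
    # Not in the expected scope: report which lab scope it belongs to, if any.
    for site, net in SITE_SCOPES.items():
        if ip in net:
            return ("wrong-site", site)
    return ("out-of-scope", "not in any lab DHCP scope")


def audit(inventory):
    """Return {hostname: (status, detail)} for every client that is not 'ok'."""
    findings = {}
    for host, site, address in inventory:
        result = classify(site, address)
        if result[0] != "ok":
            findings[host] = result
    return findings


if __name__ == "__main__":
    for host, (status, detail) in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status} ({detail})")
```
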

WINS

Although a successful Windows Server 2003 deployment no longer requires the WINS name resolution service, some older software products and network services still depend on NetBIOS. In this case, WINS services must be provided until all of these applications have been updated (or replaced) with applications that use DNS.

MSM laboratory design

In the MSM lab, a hub-and-spoke design is used because it is easy to manage and reduces the time required for convergence. Because the convergence time is short, clients are less often affected by differences between replication partners.

Each site that provides WINS name services has a hub WINS server for the site, which performs push/pull replication with the other hub WINS servers. The company's hub WINS server is located at the Seattle site. The hub WINS server is responsible for maintaining the replication links inside the site and the converged database entries.

To manage replication traffic, each WINS server should be configured to replicate after a total of 1000 record changes and to replicate changes every 60 minutes. Note that these values may need to change depending on network bandwidth and availability and on database consistency requirements.

File service

The Distributed File System (DFS) allows a unified file system namespace to be built, which hides the physical location of the underlying shares from end users.

MSM laboratory design

The categories of MSM storage requirements are described in the following sections.

Local information store

Local information, as its name suggests, resides at a single site and is updated and maintained by the users of that site, except for files created by administrators. Although users at other locations have read-only permissions on particular files and folders, sharing of information between sites is implemented using a central information store. Each site has its own local store in the MSM test environment. They are:

• \\na\root\seattle
• \\na\root\newdelhi
• \\europe\root\london

Central information store

The central information store holds files and folders that users can use regardless of their physical location. This information is created and maintained by administrators. Each domain has only one central information store:

• \\na\root\central\department\common

In the MSM lab environment, the file service architecture uses a domain-based DFS architecture. DFS replication is an integrated service that automatically replicates content between DFS replicas through the File Replication Service (FRS).

Print service

The print design in the MSM lab architecture is used to plan the deployment of the print service and to address the print service needs of clients and administrators. Network clients need to find and install printers quickly and seamlessly. They require printing to be a consistent and available service.

To test accurately, the print server must be connected to a large number of printers; however, real printers are not used during print testing. When a test print job is sent to a port, the port simulates a physical printer, but discards the print data entirely once it has been converted into a print job.

Internal firewall

In the MSM lab, the internal firewall is a Cisco PIX device. The firewall is configured with 3 legs: one leg in the internal network, the second in the peripheral network, and the third in the Microsoft proxy server network segment. The firewall allows full communication between the Seattle internal site and the Tacoma branch office. The following ports are open on the internal firewall:

Table 7 Ports on the internal firewall

| From network | To network | Open port | Description |
|---|---|---|---|
| Peripheral network | | 389 | LDAP |
| Peripheral network | Internal network | Netlogon fixed port | Updating registry key values enables a fixed port (MSA recommended) |
| Peripheral network | | TCP 135 | Analysis |
| Peripheral network | | UDP 88 | Kerberos |
| Peripheral network | Internal network | TCP, UDP 53 | DNS |
| Peripheral network | Internal network | TCP 1270 | MOM |
| Peripheral network | Internal network | TCP 445 | Microsoft SMB |
| Internal network | Peripheral network | UDP 88 | Kerberos |
| Internal network | Peripheral network | WWW | SUS Windows update |
| Internal network | Peripheral network | TCP 139/445 | MBSA scan |
| Internal network | Peripheral network | UDP 137, 138 | MBSA scan |
| SBO | Internal network | All ports | MSA design |
| Internal network | Proxy | TCP 8080 | Internet Web service request |

Proxy server

A typical challenge for all companies is how to benefit from the Internet while maintaining the security of the internal network. The MSA design provides proxy services to meet this need. The MSM lab obtains Internet access according to the MSA guidance. These proxy services are provided by Microsoft Internet Security and Acceleration Server 2000 (ISA Server).

The proxy server is not part of the peripheral network (MSA recommended). Port and filtering rules are set in accordance with MSA 2.0 to allow outbound HTTP access.

VPN server

The site-to-site VPN (over the Internet) is the connection mechanism specified by the MSA, intended to provide remote access between the Seattle branch office and the company data center.

To implement the site-to-site connection, a secure channel is created between the remote VPN server and the company data center VPN server using L2TP encapsulated in IPsec. The two VPN servers authenticate each other on the basis of IPsec and L2TP before the site-to-site connection is established and traffic passes between the two sites. This design uses Windows Server 2003, RRAS, L2TP/IPsec and computer certificates to form the VPN solution.

Because the site-to-site VPN connection is configured using L2TP, a computer certificate is installed on each RRAS server. To achieve this, the SEA-RDC-02 computer is configured as a stand-alone root certification authority. Server authentication certificates are issued to the two RRAS servers. This would have adverse effects in a production environment, but it is convenient for testing.

The IP address scheme of each site is shown in Figure 8 (MSM Logical Architecture Map).
