Evaluating Your Environment

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Before you establish an authentication strategy for your organization, you must become familiar with your current environment, including the structure of your organization; the users, computers, and services in your organization that require authentication; and the applications and services that are in use. Specifically, identify the following:

  • The number of domain controllers in your organization. Ensure that you have enough domain controllers to accommodate your users' authentication requests. If the number of domain controllers is insufficient, a large volume of client requests can result in slow or failed authentication attempts. If you determine that you have too few domain controllers, deploy more to meet the logon needs of your users.

  • The type of network connectivity between site locations in your organization. Domain controllers must be well connected to users to ensure reliable authentication. Clients in a site without a local domain controller depend on the link to another site: if that link is unavailable, a user might still log on interactively with cached credentials, but cannot obtain Kerberos tickets and therefore cannot access network resources that require authentication. If the connectivity to remote sites is insufficient, deploy domain controllers in those sites or improve the connectivity between the sites.

  • The number of CAs that are available in your organization and their locations. As with domain controllers, a sufficient number of CAs must be available to handle client requests and they must be well connected in order to provide timely responses. For information about creating a CA infrastructure, see "Designing a Public Key Infrastructure" in this book.

  • The number of users, groups, and computers in your organization and where computers are located. This impacts the number of domain controllers and CAs that are required to ensure consistent authentication.

  • The number and locations of users who access the network by means of RADIUS and RAS servers.

    Note

    • Windows Server 2003 provides for remote user authentication by means of RADIUS and RAS servers. For more information about using RADIUS servers, see "Deploying IAS" in Deploying Network Services of this kit. For more information about using RAS servers, see "Deploying Dial-up and VPN Remote Access Servers" in Deploying Network Services.
  • Whether your organization includes clients running versions of Windows earlier than the Microsoft® Windows® 2000 operating system or other non-native operating systems, or applications that require authentication protocols other than the Kerberos V5 authentication protocol or that require special configuration to interoperate with Kerberos. The operating systems and applications in your environment determine which authentication protocols you can enable by means of authentication policy. For example, Windows NT 4.0 and Windows 9x clients cannot use Kerberos; they authenticate with LM or NTLM challenge-response, or use anonymous access. If clients in your environment run these operating systems, you must set the LAN Manager authentication level policy so that your domain controllers still accept the LM or NTLM responses those clients send.

    Note

    • When you allow LAN Manager (LM) authentication, you cannot take advantage of all of the security benefits that are available in Windows Server 2003: the LM response is far weaker than NTLMv2 or Kerberos, and any captured LM exchange is easy to crack. Therefore, if you do not need to support versions of Windows earlier than Windows 2000, it is best to refuse LM and NTLM responses and use the Kerberos authentication protocol.
  • The number and location of smart card users in your organization, if applicable, and any security-sensitive tasks or users, such as administrators, that might require smart cards in the future. The number of current and planned future smart card users in your organization impacts the number of CAs that you require.
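The following PowerShell script, added here as an example and not part of the Windows Server 2003 Deployment Kit, gathers two of the facts listed above from an administrator's workstation: the number of domain controllers in each Active Directory site (the first two items) and the LAN Manager authentication level in force on each domain controller (the LM/NTLM item). It assumes that the account running it is a domain member permitted to query the directory and the Remote Registry service on each domain controller, and uses only the System.DirectoryServices.ActiveDirectory .NET classes and remote registry access, both of which work against a Windows Server 2003 forest. The level names are the documented meanings of the LmCompatibilityLevel registry value behind the "Network security: LAN Manager authentication level" policy.

```powershell
# Added example: survey domain controllers per site and their LM authentication level.
# Assumption: run as a domain member with read access to AD and to the Remote
# Registry service on each domain controller.

# Documented meanings of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel.
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

function Get-DomainControllersBySite {
    # One object per site: how many domain controllers it holds and which ones.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($site in $forest.Sites) {
        $dcs = @($site.Servers | ForEach-Object { $_.Name })
        [pscustomobject]@{
            Site    = $site.Name
            DCCount = $dcs.Count
            DCs     = ($dcs -join ', ')
            # A site with no domain controller authenticates over a site link.
            LocalDC = ($dcs.Count -gt 0)
        }
    }
}

function Get-LmCompatibilityLevel {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Reads the value through the Remote Registry service; an absent value means
    # the operating system default applies, which differs between Windows versions.
    try {
        $hklm  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $lsa   = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $level = $lsa.GetValue('LmCompatibilityLevel')
        if ($null -eq $level) {
            $meaning = 'not set (operating system default applies)'
            $acceptsLm = $null; $acceptsNtlm = $null
        } else {
            $meaning = $LmLevelNames[[int]$level]
            # On a domain controller, levels 0-3 still accept LM responses and
            # levels 0-4 still accept NTLM responses from clients.
            $acceptsLm   = ([int]$level -lt 4)
            $acceptsNtlm = ([int]$level -lt 5)
        }
        [pscustomobject]@{
            ComputerName = $ComputerName
            Level        = $level
            Meaning      = $meaning
            AcceptsLM    = $acceptsLm
            AcceptsNTLM  = $acceptsNtlm
        }
    } catch {
        [pscustomobject]@{
            ComputerName = $ComputerName
            Level        = $null
            Meaning      = "query failed: $($_.Exception.Message)"
            AcceptsLM    = $null
            AcceptsNTLM  = $null
        }
    }
}

# Usage: list sites, flag those without a local domain controller, then report
# the LM authentication level of every domain controller found.
$sites = Get-DomainControllersBySite
$sites | Format-Table -AutoSize
$sites | Where-Object { -not $_.LocalDC } |
    ForEach-Object { Write-Warning "Site '$($_.Site)' has no local domain controller" }

$dcNames = $sites | ForEach-Object { $_.DCs -split ', ' } | Where-Object { $_ }
$dcNames | ForEach-Object { Get-LmCompatibilityLevel -ComputerName $_ } | Format-Table -AutoSize
```

Any domain controller reported with AcceptsLM equal to True still accepts the weak LM response; once the last pre-Windows 2000 client is retired, raise the policy to refuse LM (level 4) and, where every client supports it, to refuse NTLM as well (level 5).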