Group Scopes in Active Directory

Scope is the range that a group will extend over a domain, tree, and forest. The scope is used to determine the level of security that will apply to a group, which users can be added to its membership, and the resources that they will have permission to access. As we'll discuss in the sections that follow, Active Directory provides three different scopes for groups. Universal groups have the widest scope of any of the different group scopes. Groups of this type are able to contain accounts and...

Understanding Group Types and Scopes

Windows Server Global Group

In an Active Directory environment, there are two basic group characteristics: type and scope. The group type identifies the purpose of the group. There are two group types for Active Directory-based groups in Windows Server 2003. Group scope refers to how the group can be used. Three group scopes can be specified for a group that resides within the Active Directory database. Two types of groups can be created in Windows Server 2003: Distribution groups. Distribution groups are used for distributing...

Domain Trees 1

A domain tree can be thought of as a DNS namespace composed of one or more domains. If you plan to create a forest with discontiguous namespaces, you must create more than one tree. Referring back to Figure 4.1, you see two trees in that forest, Cats.com and Dogs.com. Each has a contiguous namespace because each domain in the hierarchy is directly related to the domains above and below it in each tree. The forest has a discontiguous namespace because it contains two unrelated top-level domains.

Locating the Domain Naming Operations Master

Domain Naming Master

1. Log on as an Enterprise Administrator in the forest you are checking.
2. Click Start | Run, type mmc, and then click OK.
3. On the menu bar, click File | Add/Remove Snap-in, click Add, double-click Active Directory Domains and Trusts, click Close, and then click OK.
4. Right-click Active Directory Domains and Trusts in the top left pane, and then click Operations Masters to view the server holding the domain naming master role, as shown in Figure 4.37.
Figure 4.37 Locating the Domain Naming...

Controls the Primary DNS Suffix for the Computer

There are a few ways to determine whether Group Policy controls the primary DNS suffix for the computer. Log on to a representative member computer and do one of the following: Open a command prompt and type gpresult. Look in the output to see if Primary DNS Suffix is listed under Applied Group Policy objects. Open Active Directory Users and Computers, right-click the computer object you want to check, and click All Tasks | Resultant Set of Policy (Logging). Perform the steps in Exercise 4.19. If a...

Organizational Units

When looking at domain trees, you might think that the only way to create a directory structure that mirrors the organization of your company is to create multiple domains. However, in many companies, a single domain is all that's needed. To organize Active Directory objects within this single domain, OUs can be used. As we mentioned earlier, OUs are containers that allow you to store users, computers, groups, and other OUs. By placing objects in different OUs, you can design the layout of...

Moving Account Objects in Active Directory

Windows Server 2003 provides a number of tools that allow you to move objects within domains and between them. The tools that can be used for moving objects include Active Directory Users and Computers and two command-line utilities. As we've seen, Active Directory Users and Computers is an MMC snap-in that allows you to interact with Active Directory through a graphical interface. DSMOVE and MOVETREE are command-line tools that allow you to move objects by entering textual commands at the...

Understanding Forest and Domain Functionality

A Windows Server 2003 domain is a group of networked computers that share a common Active Directory database and a common namespace. You can think of a domain as a limited boundary of network security and administrative control. A namespace is a hierarchical collection of service and object names, typically stored within DNS and Active Directory. There are some similarities between the Active Directory namespace and the DNS namespace, both of which are required by Windows Server 2003. For example,...

Raising the Functional Level of a Domain and Forest

Before increasing a functional level, you should prepare for it by performing the following tasks. First, inventory your entire forest for earlier versions of DCs. The Active Directory Domains and Trusts MMC snap-in can generate a detailed report should you need it. You can also perform a custom LDAP query from the Active Directory Users and Computers MMC snap-in that will discover Windows NT DC objects within the forest. Use the following search string: Version 4. There should be no spaces in the...

Raising the Domain Functional Level

1. Log on locally as a Domain Admin to the PDC or the PDC Emulator FSMO of the domain you are raising.
2. Click Start | Administrative Tools | Active Directory Domains and Trusts, or use the MMC preconfigured with the Active Directory Domains and Trusts snap-in.
3. Locate the domain in the console tree that you are going to raise in functional level. Right-click the domain and select Raise Domain Functional Level.
4. A dialog box will appear entitled Select an available domain functional level....

Administering Application Directory Partitions

1. Log on as an Enterprise Administrator.
2. Click Start | Run, type ntdsutil, and click OK.
3. At the ntdsutil command prompt, type domain management.
4. At the domain management command prompt, type connection.
5. At the connection command prompt, type connect to server servername, where servername represents the DNS name of the DC where you want to create the application directory partition.
6. At the connection command prompt, type quit.
7. At the domain management command prompt, consult the...

Managing User Accounts

Managing user accounts is done through the properties of the object, which is accessible by using Active Directory Users and Computers. You can access the properties of a user object by selecting the object, and then clicking Action | Properties. You can also right-click the object and select Properties from the context menu. Upon opening the Properties of the user, you will see a number of tabs that allow you to set various options and provide information dealing with the account: General...

Creating Shortcut Trust Relationships

Interaction between domains in your forest is based on the establishment of trusts among the domains. The Active Directory Installation Wizard creates most of these trusts automatically during the domain creation process. Through the manual creation of shortcut trusts, you can maintain that interaction after the domains are renamed. It is only necessary if the forest structure will change as a result of the manipulation of the namespace. If you are renaming a domain in place without changing its...

Raising the Forest Functional Level

1. Log on locally as an Enterprise Administrator on the PDC Emulator FSMO of the forest root domain you are raising.
2. Click Start | All Programs | Administrative Tools | Active Directory Domains and Trusts, or use the MMC preconfigured with the Active Directory Domains and Trusts snap-in.
3. In the console tree, right-click the Active Directory Domains and Trusts folder and select Raise Forest Functional Level.
4. Where it asks you to Select an available forest functional level, click Windows...

Summary of Exam Objectives

Active Directory is a database with a hierarchical structure, storing information on accounts, resources, and other elements making up the network. This information is stored in a data source located on the server and replicated to other DCs on the network. The information pertaining to Active Directory is organized into the schema, domain, and configuration partitions, and can also have additional information for programs stored in the application partition. This data can be accessed over the...

Exam Overview

In this book, we have tried to follow Microsoft's exam objectives as closely as possible. However, we have rearranged the order of some topics for a better flow, and included background material to help you understand the concepts and procedures that are included in the objectives. Following is a brief synopsis of the exam topics covered in each chapter. Active Directory Infrastructure Overview: In this chapter, we will start with the basics, defining directory services and providing a brief...

Seizing the FSMO Master Roles

2. Click Start | Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and press Enter.
4. In ntdsutil, type ? at any prompt to see a list of available commands, and press Enter.
5. Type connections, and press Enter.
6. Type connect to server servername, where servername is the name of the server that will receive the role, and press Enter.
7. At the server connections prompt, type q, and press Enter.
8. Type the appropriate seizing command as shown next. See the example in Figure...

Using Group Policy to Predefine the Primary DNS Suffix Prior to Domain Rename

To prepare for the application of Group Policy, you need to create groupings of member computers for incremental rollout. Perform the following steps for each domain to be renamed.
1. Estimate the largest number of computers that can be renamed in your environment without adverse effects. Microsoft's recommendation is to define groups of 1000 or less for a normal, healthy LAN environment. Adjust this number for local conditions.
2. Define rollout groups of the chosen size.
3. Create a schedule,...

Naming Conventions and Limitations

In looking at the relationship between security principals and SIDs, it becomes apparent that it would be difficult to use SIDs as the sole method of identifying an account. While SIDs uniquely identify users, computers, and groups, trying to remember the SID of users and computers you commonly access through the directory would be almost impossible. For this reason, various naming conventions are used to distinguish objects in Active Directory. Every object in Active Directory has a name to...

Before Applying Group Policy

The purpose of applying this group policy is to avoid replication and DNS update traffic caused by the automatic update of the primary DNS suffix on all member computers following a domain rename. Use Group Policy to revise the primary DNS suffix of all computers in stages to the new domain name before the procedure. That way, domain computers are manually updated and already have the correct primary DNS suffix at the time you perform the domain rename. After you apply the group policy, the DNS...

NT LAN Manager

Versions of Windows earlier than Windows 2000 used NTLM to provide network authentication. In a Windows Server 2003 environment, NTLM is used to communicate between two computers when one or both of them is running a pre-Windows 2000 operating system. NTLM will also be used by Windows Server 2003 computers that are not members of a domain. For example, NTLM authentication would be used in the following communications: Windows 2000 workstations and Windows Server 2003 stand-alone servers that are...

Security Group Best Practices

Microsoft has a number of different recommended methods for using groups in a domain environment. You should expect to be asked a number of complex questions about the appropriate use of groups. Most of their recommendations fall into one of two models.
- There are three group scopes in a Windows Server 2003 domain: domain local, global, and universal.
- Additional group nesting and universal security groups are only available at the Windows 2000 native and Windows Server 2003 domain functional...

Technical Reviewer

Martin Grasdal (MCSE+I, MCSE/W2K MCT, CISSP, CTT+, A+) is an independent consultant with over 10 years' experience in the computer industry. Martin has a wide range of networking and IT managerial experience. He has been an MCT since 1995 and an MCSE since 1996. His training and networking experience covers a number of products, including NetWare, Lotus Notes, Windows NT, Windows 2000, Windows 2003, Exchange Server, IIS, and ISA Server. As a manager, he served as Director of Web Sites and CTO for...

Setting up a Smart Card for User Logon

1. Log on to your workstation with a user account that has permissions to the appropriate certificate template in the domain where the user's account is located, and permission to enroll other users for certificates. The account used for Exercise 3.04 has these permissions.
2. Open Internet Explorer, and browse to http://servername/certsrv, where servername is the name of the CA on your network.
3. Select Request a certificate for a smart card on behalf of another user by using the smart card...

Self Test Quick Answer Key

For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

Creating Group Accounts

In addition to the built-in groups that are created when Active Directory and other services are installed on DCs, you can also create group accounts to suit the needs of your organization. To create group accounts, you can use either Active Directory Users and Computers or the DSADD command-line tool. Regardless of the method you use, only members of the Administrators group, Account Operators group, Domain Admins group, Enterprise Admins group, or another user or group that's been delegated...

Pre-Creating Multiple Parent-Child Trust Relationships

If you need to restructure a domain that is both a child domain and a parent domain, you will need to create shortcut trust relationships in two places. For example, suppose you want to restructure the Zoo.net forest, shown in Figure 4.48, so that the Striped.angel.fish.zoo.net domain becomes a direct child of Fish.zoo.net, and the Angel.fish.zoo.net domain becomes a child of Catfish.net. This restructure operation calls for four shortcut trusts that will become the two parent-child trust...

Forest and Domain Functional Levels

Functional levels are a mechanism that Microsoft uses to remove obsolete backward compatibility within Active Directory. It is a feature that helps improve performance and security. In Windows 2000, each domain had two functional levels (which were called modes), native mode and mixed mode, while the forest only had one functional level. In Windows Server 2003, there are two more levels to consider in both domains and forests. To enable all Windows Server 2003 forest and domainwide features,...

Creating a New Domain Tree in an Existing Forest

Domain Tree And Forest Windows 2003

1. Log in as a local Administrator.
4. Click OK to start the Active Directory Installation Wizard.
5. In the Welcome to the Active Directory Installation Wizard window, click Next.
6. In the Operating System Compatibility window, click Next.
7. In the Domain Controller Type window, click Domain controller for a new domain, and then click Next, as shown in Figure 4.18.
Figure 4.18 The Domain Controller Type Dialog Box Used for a New Domain Tree in an Existing Forest

Using ADSI Edit to Add DNS Suffixes to msDS-AllowedDNSSuffixes

1. Click Start | Programs | Windows Server 2003 Support Tools | Tools | ADSI Edit.
2. In the scope pane, right-click ADSI Edit and select Connect to.
3. Under Computer, click Select or type a domain or server name, and then click OK.
4. Double-click the domain directory partition for the domain you want to modify.
5. Right-click the domain container object, and select Properties.
6. In the Attributes box, on the Attribute Editor tab, double-click the msDS-AllowedDNSSuffixes attribute.
7. In the...

Command-Line Tools

Windows Server 2003 provides a number of command-line tools that you can use for managing Active Directory. These tools use commands typed in at the prompt, and can provide a number of services that are useful in administering the directory. The command-line tools for Active Directory include:
Cacls: Used to view and modify discretionary access control lists (DACLs) on files.
Cmdkey: Used to create, list, and delete usernames, passwords, and credentials.
Csvde: Used to import and export data from the...

Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.
1. An employee has retired from the company, and you have just disabled his account so no one can log on to the domain as this user. When this change is made, where will it be stored in the directory?
2. Your company's employees are represented by two unions. Management has a union...

Logical vs Physical Components

Multimaster Replication Topology

The components making up Active Directory can be broken down into logical and physical structures. Logical components in Active Directory allow you to organize resources so that their layout in the directory reflects the logical structure of your company. Physical components in Active Directory are similarly used, but are used to reflect the physical structure of the network. By separating the logical and physical components of a network, users are better able to find resources, and...

Pre-Creating a Tree-Root Trust Relationship with the Forest Root Domain

When you restructure a domain to become a new tree root, you must pre-create two one-way, transitive trust relationships with the forest root domain. For example, suppose you have a three-level-deep tree and you want to shorten it by creating a new tree. This will move the lowest domain to become a new tree-root domain. Figure 4.50 shows the two one-way shortcut trusts you create, and Figure 4.51 shows the tree-root trust relationship after the restructuring. Stripedangel.fish.zoo.net becomes...

Pre-Creating a Parent-Child Trust Relationship

Parent Child Trust

While repositioning domains, the necessary shortcut trust relationships must be created between the domain you want to reposition and its new parent domain. These pre-created trust relationships substitute for the required parent-child trust relationships that will be missing in the restructured forest. For example, suppose you want to restructure the Zoo.net forest, shown in Figure 4.46, so that the Cat.fish.zoo.net domain becomes a child of the Zoo.net domain. You must create two one-way,...

Locating, Transferring, and Seizing the Infrastructure, RID, and PDC Operations

The Infrastructure Master is responsible for updating references from objects in the local domain to objects in other domains. There can be only one Infrastructure Master DC in each domain. The RID Master processes Relative ID (RID) pool requests from all DCs in the local domain. There can be only one RID Master DC in each domain. The PDC Emulator is a DC that advertises itself as the PDC to workstations, member servers, and BDCs running Windows NT. It is also the Domain Master Browser, and handles...

Using the New System State Backup Method

Windows 2000 only offered two choices when deploying DCs and GC servers for remote sites, and neither choice was ideal for many companies. The first choice was to build the server at the home office where it could replicate over the LAN, and ship it to the remote location. This worked, as long as you got the new server online within the 60-day tombstone lifetime. If you didn't, the DC or GC could reanimate previously deleted Active Directory objects, including user accounts. The second choice...

Built-In Group Accounts

As we saw when we discussed user objects, a number of built-in accounts are automatically created when you install Active Directory. This not only applies to user accounts, but group accounts as well. Many of these groups have preconfigured rights, which allow members to perform specific tasks. When users are added to these groups, they are given these rights in addition to any assigned permissions to access resources. The groups that are created when Active Directory is installed can be...