Planning, Implementing, and Maintaining a Windows Server

256_70-294_FM.qxd
9/6/03
10:19 AM
Page i
Syngress knows what passing the exam means to
you and to your career. And we know that you
are often financing your own training and
certification; therefore, you need a system that is
comprehensive, affordable, and effective.
Boasting one-of-a-kind integration of text, DVD-quality
instructor-led training, and Web-based exam simulation, the
Syngress Study Guide & DVD Training System guarantees 100% coverage of exam
objectives.
The Syngress Study Guide & DVD Training System includes:
■
Study Guide with 100% coverage of exam objectives By reading
this study guide and following the corresponding objective list, you
can be sure that you have studied 100% of the exam objectives.
■
Instructor-led DVD This DVD provides almost two hours of virtual
classroom instruction.
■
Web-based practice exams Just visit us at www.syngress.com/
certification to access a complete exam simulation.
Thank you for giving us the opportunity to serve your certification needs. And
be sure to let us know if there’s anything else we can do to help you get the
maximum value from your investment. We’re listening.
www.syngress.com/certification
256_70-294_FM.qxd
9/6/03
10:19 AM
Page ii
256_70-294_FM.qxd
9/6/03
10:19 AM
Page iii
Exam 70-294: Planning, Implementing, and
Maintaining a Windows Server 2003
Active Directory Infrastructure
Michael Cross
Jeffery A. Martin
Todd A. Walls
Martin Grasdal Technical Reviewer
Debra Littlejohn Shinder Technical Editor
Dr. Thomas W. Shinder Technical Editor
256_70-294_FM.qxd
9/6/03
10:19 AM
Page iv
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or
production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results
to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work
is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state
to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or
other incidental or consequential damages arising out from the Work or its contents. Because some
states do not allow the exclusion or limitation of liability for consequential or incidental damages, the
above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when
working with computers, networks, data, and files.
Syngress Media®, Syngress®,“Career Advancement Through Skill Enhancement®,” “Ask the Author
UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Mission
Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress
Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of
their respective companies.
KEY
001
002
003
004
005
006
007
008
009
010
SERIAL NUMBER
TH33SLUGGY
Q2T4J9T7VA
82LPD8R7FF
Z6TDAA3HVY
P33JEET8MS
3SHX6SN$RK
CH3W7E42AK
9EU6V4DER7
SUPACM4NFH
5BVF3MEV2Z
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study
Guide & DVD Training System
Copyright © 2003 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of
America. Except as permitted under the Copyright Act of 1976, no part of this publication may be
reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher, with the exception that the program listings
may be entered, stored, and executed in a computer system, but they may not be reproduced for
publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-931836-94-9
Technical Editors: Debra Littlejohn Shinder
Cover Designer: Michael Kavish
Thomas W. Shinder
Page Layout and Art by: Patricia Lupien
Technical Reviewer: Martin Grasdal
Copy Editor: Beth Roberts
Acquisitions Editor: Jonathan Babcock
Indexer: Rich Carlson
DVD Production: Michael Donovan
DVD Presenter: Laura E. Hunter
256_70-294_FM.qxd
9/6/03
10:19 AM
Page v
Acknowledgments
We would like to acknowledge the following people for their kindness and support in
making this book possible.
Will Schmied, the President of Area 51 Partners, Inc. and moderator of www.mcseworld.com
for sharing his considerable knowledge of Microsoft networking and certification.
Karen Cross, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent
Anderson, Frida Yara, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty
Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea Tetrick, Jennifer Pascal, Doug
Reil, David Dahl, Janis Carpenter, and Susan Fryer of Publishers Group West for sharing
their incredible marketing experience and expertise.
The incredibly hard working team at Elsevier Science, including Jonathan Bunkell,
AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert
Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss for making certain that our vision
remains worldwide in scope.
David Buckland,Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey
Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive
our books.
Kwon Sung June at Acorn Publishing for his support.
Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow,
Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help
and enthusiasm representing our product in Canada.
Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar
Book Group for their help with distribution of Syngress books in Canada.
David Scott, Annette Scott, Delta Sams, Geoff Ebbs, Hedley Partis, and Tricia Herbert of
Woodslane for distributing our books throughout Australia, New Zealand, Papua New
Guinea, Fiji Tonga, Solomon Islands, and the Cook Islands.
Winston Lim of Global Publishing for his help and support with distribution of Syngress
books in the Philippines.
A special thanks to Deb and Tom Shinder for going the extra mile on our core four MCSE
2003 guides.Thank you both for all your work.
Another special thanks to Daniel Bendell from Assurance Technology Management for his
24x7 care and feeding of the Syngress network. Dan manages our network in a highly professional manner and under severe time constraints, but still keeps a good sense of humor.
v
256_70-294_FM.qxd
9/6/03
10:19 AM
Page vi
Contributors
Michael Cross (MCSE, MCP+I, CNA, Network+) is an Internet Specialist /
Computer Forensic Analyst with the Niagara Regional Police Service. He performs
computer forensic examinations on computers involved in criminal investigations, and
has consulted and assisted in cases dealing with computer-related/Internet crimes. In
addition to designing and maintaining their Web site at www.nrps.com and Intranet,
he has also provided support in the areas of programming, hardware, network administration, and other services. As part of an information technology team that provides
support to a user base of over 800 civilian and uniform users, his theory is that when
the users carry guns, you tend to be more motivated in solving their problems.
Michael also owns KnightWare (www.knightware.ca), which provides computerrelated services like Web page design, and Bookworms (www.bookworms.ca), where
you can purchase collectibles and other interesting items online. He has been a freelance writer for several years, and is published over three dozen times in numerous
books and anthologies. He currently resides in St. Catharines, Ontario Canada with
his lovely wife Jennifer and his darling daughter Sara.
Eriq Oliver Neale is an Information Technology manager for a large manufacturing
company headquartered in the southwest. His IT career spans 16 years and just about
as many systems. He has contributed to a number of technical publications, including
several MCSE exam preparation titles. His article on MIDI, still considered one of the
seminal works on the topic, has been reprinted in hundreds of publications in multiple languages. Most recently, he has been focusing on electronic data privacy issues
in mixed platform environments.When not working in and writing about information technology, Eriq spends time writing and recording music in his home studio for
clients of his music publishing company. On clear nights, he can be found gazing at
the moon or planets through his telescope, which he also uses for deep-space
astrophotography.
Todd A. Walls (CISSP, MCSE) is a Senior Security Engineer for COACT, Inc., providing information security support to a government customer in Colorado Springs.
Todd has over 19 years of IT experience spanning the range of micro, mini, and
mainframe systems, running variants of UNIX,Windows, and proprietary operating
systems. His security systems experience includes intrusion detection and prevention,
256_70-294_FM.qxd
9/6/03
10:19 AM
Page vii
firewalls, biometrics, smart cards, password cracking, vulnerability testing, and
secure-computing designs and evaluations. He is currently enrolled in graduate
computer science studies at Colorado Technical University with a concentration in
computer systems security.
Vinod Kumar is an author, developer and technical reviewer specializing in Web
and mobile technologies using Microsoft aolutions. He has been awarded the
Microsoft’s Most Valuable Professional (MVP) in .NET. He Currently works for
Verizon.Vinod is a lead author for the forthcoming title Mobile Application
Development with .NET and has co authored several other books. He had written
many technical articles for sites like ASPToday, C# Today, and CSharp-Corner.
Vinod runs a community site named www.dotnetforce.com which provides content related to .NET. In his free time he likes to spend time with his family and
friends.
Brian Frederick is a Lead Network Analyst for Aegon USA, one of the top 5
insurance companies in the United States. Brian started working with computers
on the Apple II+. Brian attended the University of Northern Iowa and is married
with two adorable children. He is also a technical instructor at a local community
college teaching MCSE, MCSA, A+, and Network+ certification courses. Brian
owes his success to his parents and brother for their support and backing during
his Apple days and in college, and to his wife and children for their support and
understanding when dad spends many hours in front of the computer.
M. Troy Hudson (MCSE NT/2000, MCP, MCP+I, Master CNE, CNE-IW,
CNE-4, CNE-5, CNE-GW4, CNE-GW5, A+) is the computer services manager
for Sodexho at Granite School District Food Services in Salt Lake City, UT. He
currently manages around 90 sites using a lot of remote management tools, internetworking Microsoft Windows desktops with Novell networks and ZENworks
for Desktops.
Troy has been a consultant, trainer, and writer since 1997 and has published
items both on the Internet and with this publisher. He has authored student curricula and helped design training material and labs for students trying to pass the
Microsoft MCSE exams. He holds a bachelor’s degree from the University of
Phoenix in e-Business.Troy currently resides in Salt Lake City, UT with his wife
Kim and eight children: “My family is the reason for taking on extra projects and
vii
256_70-294_FM.qxd
9/6/03
10:19 AM
Page viii
I am grateful for their support! I love you Kim, Jett, Ryan, Rachael, James, McKay,
Brayden, Becca and Hannah.”
Technical Editors
Debra Littlejohn Shinder (MCSE) is a technology consultant, trainer, and writer
who has authored a number of books on networking, including Scene of the
Cybercrime: Computer Forensics Handbook, published by Syngress Publishing (ISBN:
1-931836-65-5), and Computer Networking Essentials, published by Cisco Press. She
is co-author, with her husband Dr.Thomas Shinder, of Troubleshooting Windows
2000 TCP/IP (ISBN: 1-928994-11-3), the best-selling Configuring ISA Server 2000
(ISBN: 1-928994-29-6), and ISA Server and Beyond (ISBN: 1-931836-66-3). Deb is
also a technical editor and contributor to books on subjects such as the Windows
2000 MCSE exams, the CompTIA Security+ exam, and TruSecure’s ICSA certification. She edits the Brainbuzz A+ Hardware News and Sunbelt Software’s WinXP
News and is regularly published in TechRepublic’s TechProGuild and
Windowsecurity.com. Deb specializes in security issues and Microsoft products. She
lives and works in the Dallas-Fort Worth area and can be contacted at
deb@shinder.net or via the website at www.shinder.net.
Thomas W. Shinder M.D. (MVP, MCSE) is a computing industry veteran who
has worked as a trainer, writer, and a consultant for Fortune 500 companies
including FINA Oil, Lucent Technologies, and Sealand Container Corporation.
Tom was a Series Editor of the Syngress/Osborne Series of Windows 2000
Certification Study Guides and is author of the best selling books Configuring ISA
Server 2000: Building Firewalls with Windows 2000 (Syngress Publishing, ISBN: 1928994-29-6) and Dr.Tom Shinder’s ISA Server and Beyond (ISBN: 1-931836-66-3).
Tom is the editor of the Brainbuzz.com Win2k News newsletter and is a regular
contributor to TechProGuild. He is also content editor, contributor and moderator
for the World’s leading site on ISA Server 2000, www.isaserver.org. Microsoft recognized Tom’s leadership in the ISA Server community and awarded him their
Most Valued Professional (MVP) award in December of 2001.
viii
256_70-294_FM.qxd
9/6/03
10:19 AM
Page ix
Technical Editor and Contributor
Jeffery A. Martin (MCSE, MCDBA, MCT, MCP+I, MCNE, CNI, CCNP, CCI,
CCA, CTT, A+, Network+, I-Net+, Project+, Linux+, CIW, ADPM) has been
working with computers and computer networks for over 15 years. Jeffery spends
most of his time managing several companies that he owns and consulting for
large multinational media companies. He also enjoys working as a technical
instructor and training others in the use of technology.
Technical Reviewer
Martin Grasdal (MCSE+I, MCSE/W2K MCT, CISSP, CTT+, A+) is an independent consultant with over 10 years experience in the computer industry.
Martin has a wide range of networking and IT managerial experience. He has
been an MCT since 1995 and an MCSE since 1996. His training and networking
experience covers a number of products, including NetWare, Lotus Notes,
Windows NT,Windows 2000,Windows 2003, Exchange Server, IIS, and ISA
Server. As a manager, he served as Director of Web Sites and CTO for
BrainBuzz.com, where he was also responsible for all study guide and technical
content on the CramSession.com Web site. Martin currently works actively as a
consultant, author, and editor. His recent consulting experience includes contract
work for Microsoft as a technical contributor to the MCP program on projects
related to server technologies. Martin lives in Edmonton, Alberta, Canada with his
wife Cathy and their two sons. Martin’s past authoring and editing work with
Syngress has included the following titles: Configuring and Troubleshooting Windows
XP Professional (ISBN: 1-928994-80-6), Configuring ISA Server 2000: Building
Firewalls for Windows 2000 (ISBN: 1-928994-29-6), and Dr.Tom Shinder’s ISA Server
& Beyond: Real World Security Solutions for Microsoft Enterprise Networks (ISBN: 1931836-66-3).
ix
256_70-294_FM.qxd
9/6/03
10:19 AM
Page x
DVD Presenter
Laura E. Hunter (CISSP, MCSE, MCT, MCDBA, MCP, MCP+I, CCNA, A+,
Network+, iNet+, CNE-4, CNE-5) is a Senior IT Specialist with the University
of Pennsylvania, where she provides network planning, implementation and troubleshooting services for various business units and schools within the University.
Her specialties include Microsoft Windows NT and 2000 design and implementation, troubleshooting and security topics. As an “MCSE Early Achiever” on
Windows 2000, Laura was one of the first in the country to renew her Microsoft
credentials under the Windows 2000 certification structure. Laura’s previous experience includes a position as the Director of Computer Services for the Salvation
Army and as the LAN administrator for a medical supply firm. She also operates
as an independent consultant for small businesses in the Philadelphia metropolitan
area and is a regular contributor to the TechTarget family of Web sites.
Laura has previously contributed to the Syngress Publishing’s Configuring
Symantec Antivirus, Corporate Edition (ISBN: 1-931836-81-7). She has also contributed to several other exam guides in the Syngress Windows Server 2003
MCSE/MCSA DVD Guide and Training System series as a DVD presenter, contributing author, and technical reviewer.
Laura holds a bachelor’s degree from the University of Pennsylvania and is a
member of the Network of Women in Computer Technology, the Information
Systems Security Association, and InfraGard, a cooperative undertaking between
the U.S. Government and other participants dedicated to increasing the security
of United States critical infrastructures.
x
256_70-294_Obj.qxd
9/6/03
10:24 AM
Page xi
MCSE 70-294 Exam Objectives Map and
Table of Contents
All of Microsoft’s published objectives for the MCSE 70294 Exam are covered in this book. To help you easily
find the sections that directly support particular
objectives, we’ve listed all of the exam objectives
below, and mapped them to the Chapter number in
which they are covered. We’ve also assigned numbers to each objective, which we use in the subsequent Table of Contents and again throughout the
book to identify objective coverage. In some chapters,
we’ve made the judgment that it is probably easier for the
student to cover objectives in a slightly different sequence than
the order of the published Microsoft objectives. By reading this study guide and following the corresponding objective list, you can be sure that you have studied 100%
of Microsoft’s MCSE 70-294 Exam objectives.
Exam Objective Map
Objective
Number
1
1.1
1.1.1
1.1.2
1.2
1.2.1
1.2.2
1.3
1.3.1
1.3.2
Objective
Planning and Implementing an Active
Directory Infrastructure
Plan a strategy for placing global catalog
servers.
Evaluate network traffic considerations when
placing global catalog servers.
Evaluate the need to enable universal group
caching.
Plan flexible operations master role placement.
Plan for business continuity of operations
master roles.
Identify operations master role dependencies.
Implement an Active Directory directory service
forest and domain structure. 4
Create the forest root domain.
Create a child domain.
Chapter
Number
1
8
8
8
7
7
7
4
4
4
xi
256_70-294_Obj.qxd
xii
9/6/03
10:24 AM
Page xii
Exam Objective Map
Objective
Number
1.3.3
1.3.4
1.3.5
1.3.6
1.4
1.4.1
1.4.2
1.5
1.5.1
1.5.2
2
2.1
2.1.1
2.1.2
2.1.3
2.2
2.2.1
2.2.2
2.2.3
2.3
2.3.1
2.3.2
Objective
Create and configure Application Data
Partitions.
Install and configure an Active Directory
domain controller.
Set an Active Directory forest and domain
functional level based on requirements.
Establish trust relationships. Types of trust
relationships might include external trusts,
shortcut trusts, and cross-forest trusts.
Implement an Active Directory site topology.
Configure site links.
Configure preferred bridgehead servers.
Plan an administrative delegation strategy.
Plan an organizational unit (OU) structure
based on delegation requirements.
Plan a security group hierarchy based on
delegation requirements.
Managing and Maintaining an Active
Directory Infrastructure
Manage an Active Directory forest and domain
structure.
Manage trust relationships.
Manage schema modifications.
Add or remove a UPN suffix.
Manage an Active Directory site.
Configure replication schedules.
Configure site link costs.
Configure site boundaries.
Monitor Active Directory replication failures.
Tools might include Replication Monitor, Event
Viewer, and support tools.
Monitor Active Directory replication.
Monitor File Replication service (FRS)
replication.
Chapter
Number
4
7
4
5
6
6
6
5
5
5
All chapters
4
5
8
8
6
6
6
6
6
6
6
256_70-294_Obj.qxd
9/6/03
10:24 AM
Page xiii
Exam Objective Map
Objective
Number
2.4
2.4.1
2.4.2
2.5
2.5.1
2.5.2
2.5.3
3
3.1
3.2
3.2.1
3.2.2
3.3
3.3.1
3.3.2
3.4
3.4.1
3.4.2
3.4.3
4
4.1
4.1.1
4.1.2
4.1.3
Objective
Restore Active Directory directory services.
Perform an authoritative restore operation.
Perform a nonauthoritative restore operation.
Troubleshoot Active Directory.
Diagnose and resolve issues related to Active
Directory replication.
Diagnose and resolve issues related to
operations master role failure.
Diagnose and resolve issues related to the
Active Directory database.
Planning and Implementing User,Computer,
and Group Strategies
Plan a security group strategy.
Plan a user authentication strategy.
Plan a smart card authentication strategy.
Create a password policy for domain users.
Plan an OU structure.
Analyze the administrative requirements for
an OU.
Analyze the Group Policy requirements for an
OU structure.
Implement an OU structure.
Create an OU.
Delegate permissions for an OU to a user or
to a security group.
Move objects within an OU hierarchy.
Planning and Implementing Group Policy
Plan Group Policy strategy.
Plan a Group Policy strategy by using Resultant
Set of Policy (RSoP) Planning mode.
Plan a strategy for configuring the user
environment by using Group Policy.
Plan a strategy for configuring the computer
environment by using Group Policy.
Chapter
Number
11
11
11
All chapters
6
7
11
2
3
3
3
3
5
5
5
5
5
5
5
9
9
9
9
9
xiii
256_70-294_Obj.qxd
xiv
9/6/03
10:24 AM
Page xiv
Exam Objective Map
Objective
Number
4.2
4.2.1
4.2.2
4.2.3
4.2.4
4.3
4.3.1
4.3.2
4.3.3
5
5.1
5.2
5.2.1
5.2.2
5.3
Objective
Configure the user environment by using
Group Policy.
Distribute software by using Group Policy.
Automatically enroll user certificates by using
Group Policy.
Redirect folders by using Group Policy.
Configure user security settings by using
Group Policy.
Deploy a computer environment by using
Group Policy.
Distribute software by using Group Policy.
Automatically enroll computer certificates by
using Group Policy.
Configure computer security settings by using
Group Policy.
Managing and Maintaining Group Policy
Troubleshoot issues related to Group Policy
application. deployment. Tools might include
RSoP and the gpresult command.
Maintain installed software by using
Group Policy.
Distribute updates to software distributed by
Group Policy.
Configure automatic updates for network
clients by using Group Policy.
Troubleshoot the application of Group Policy
security settings. Tools might include RSoP and
the gpresult command.
Chapter
Number
9
10
9
9
9
10
9
9
9
9
10
10
10
9
256_70-294_TOC.qxd
9/5/03
6:33 PM
Page xv
Contents
Foreword
xxxi
Chapter 1 Active Directory Infrastructure Overview
1
Introduction …………………………………………………………2
1
Introducing Directory Services ………………………………………2
Terminology and Concepts ………………………………………5
Directory Data Store …………………………………………5
Policy-Based Administration …………………………………9
Directory Access Protocol ……………………………………10
Naming Scheme ……………………………………………11
Installing Active Directory to Create a Domain Controller …15
1
Understanding How Active Directory Works ………………………19
Directory Structure Overview …………………………………19
Sites ………………………………………………………………20
Domains …………………………………………………………21
Domain Trees ……………………………………………………22
Forests ……………………………………………………………24
Organizational Units ……………………………………………25
Active Directory Components …………………………………26
Logical vs. Physical Components ………………………………27
Domain Controllers …………………………………………28
Schema ………………………………………………………31
Global Catalog ………………………………………………31
Replication Service …………………………………………32
1
Using Active Directory Administrative Tools …………………………34
Graphical Administrative Tools/MMCs …………………………35
Active Directory Users and Computers ………………………38
Active Directory Domains and Trusts ………………………40
Active Directory Sites and Services …………………………44
Command-Line Tools ……………………………………………45
xv
256_70-294_TOC.qxd
xvi
9/5/03
6:33 PM
Page xvi
Contents
1
1
Cacls …………………………………………………………46
Cmdkey ………………………………………………………47
Csvde …………………………………………………………47
Dcgpofix ……………………………………………………49
Dsadd …………………………………………………………49
Dsget …………………………………………………………49
Dsmod ………………………………………………………50
Dsmove ………………………………………………………50
Ldifde …………………………………………………………51
Ntdsutil ………………………………………………………53
Whoami ………………………………………………………54
Implementing Active Directory Security and Access Control ………55
Access Control in Active Directory ……………………………55
Role-Based Access Control …………………………………60
Authorization Manager ………………………………………60
Active Directory Authentication …………………………………61
Standards and Protocols …………………………………………62
Kerberos ………………………………………………………62
X.509 Certificates ……………………………………………63
LDAP/SSL ……………………………………………………63
PKI ……………………………………………………………64
What’s New in Windows Server 2003 Active Directory? ……………65
New Features Available on All Windows
Server 2003 Computers ………………………………………68
New Features Available Only with
Windows Server 2003 Domain/Forest Functionality …………69
Domain Controller Renaming Tool …………………………70
Domain Rename Utility ……………………………………70
Forest Trusts …………………………………………………70
Dynamically Links Auxiliary Classes …………………………70
Disabling Classes ……………………………………………70
Replication …………………………………………………70
Summary of Exam Objectives ………………………………………72
Exam Objectives Fast Track …………………………………………73
Exam Objectives Frequently Asked Questions ………………………75
Self Test ………………………………………………………………76
Self Test Quick Answer Key …………………………………………81
256_70-294_TOC.qxd
9/5/03
6:33 PM
Page xvii
Contents
xvii
Chapter 2 Working with User, Group,
and Computer Accounts
83
Introduction …………………………………………………………84
3
Understanding Active Directory Security Principal Accounts ………84
Security Principals and Security Identifiers ……………………85
Tools to View and Manage Security Identifiers ………………90
Naming Conventions and Limitations …………………………92
3
Working with Active Directory User Accounts ……………………99
Built-In Domain User Accounts ………………………………101
Administrator ………………………………………………102
Guest ………………………………………………………103
HelpAssistant ………………………………………………104
SUPPORT_388945a0 ………………………………………104
InterOrgPerson ……………………………………………104
Creating User Accounts ………………………………………105
Creating Accounts Using
Active Directory Users and Computers …………………105
Creating Accounts Using the DSADD Command …………110
Managing User Accounts ………………………………………113
Personal Information Tabs …………………………………115
Account Settings ……………………………………………118
Terminal Services Tabs ………………………………………122
Security-Related Tabs ………………………………………126
3
Working with Active Directory Group Accounts …………………131
Group Types ……………………………………………………131
Security Groups ……………………………………………132
Distribution Groups …………………………………………132
Group Scopes in Active Directory ……………………………133
Universal ……………………………………………………134
Global ………………………………………………………134
Domain Local ………………………………………………135
Built-In Group Accounts ………………………………………135
Default Groups in Builtin Container ………………………136
Default Groups in Users Container …………………………138
Creating Group Accounts ………………………………………140
Creating Groups Using Active
Directory Users and Computers …………………………141
Creating Groups Using the DSADD Command ……………142
256_70-294_TOC.qxd
xviii
9/5/03
6:33 PM
Page xviii
Contents
3
3
Managing Group Accounts ……………………………………143
Working with Active Directory Computer Accounts ………………150
Creating Computer Accounts …………………………………150
Creating Computer Accounts by Adding a
Computer to a Domain …………………………………151
Creating Computer Accounts Using
Active Directory Users and Computers …………………152
Creating Computer Accounts Using the DSADD Command 155
Managing Computer Accounts …………………………………156
Managing Multiple Accounts ………………………………………162
Implementing User Principal Name Suffixes …………………162
Moving Account Objects in Active Directory …………………164
Moving Objects with Active Directory Users and Computers 164
Moving Objects with the DSMOVE Command …………165
Moving Objects with the MOVETREE Command ………166
Troubleshooting Problems with Accounts ……………………168
Summary of Exam Objectives ………………………………………170
Exam Objectives Fast Track …………………………………………171
Exam Objectives Frequently Asked Questions ……………………173
Self Test ……………………………………………………………174
Self Test Quick Answer Key ………………………………………179
Chapter 3 Creating User and Group Strategies
181
Introduction ………………………………………………………182
Creating a Password Policy for Domain Users ……………………182
Creating an Extensive Defense Model …………………………183
Strong Passwords ……………………………………………184
System Key Utility …………………………………………185
Defining a Password Policy ……………………………………187
Applying a Password Policy …………………………………187
Modifying a Password Policy ………………………………190
Applying an Account Lockout Policy ………………………190
Creating User Authentication Strategies ……………………………192
Need for Authentication ………………………………………193
Single Sign-On …………………………………………………194
Interactive Logon ……………………………………………194
Network Authentication ……………………………………195
Authentication Types ………………………………………………195
Kerberos ………………………………………………………195
256_70-294_TOC.qxd
9/5/03
6:33 PM
Page xix
Contents
xix
Understanding the Kerberos Authentication Process ………196
Secure Sockets Layer/Transport Layer Security ………………197
NT LAN Manager ……………………………………………198
Digest Authentication …………………………………………199
Passport Authentication ……………………………………200
Educating Users ………………………………………………202
Planning a Smart Card Authentication Strategy ……………………203
When to Use Smart Cards ……………………………………205
Implementing Smart Cards …………………………………………206
PKI and Certificate Authorities ………………………………206
Setting Security Permissions ……………………………………208
Enrollment Stations ……………………………………………209
Enabling Certificate Templates ………………………………209
Requesting an Enrollment Agent Certificate ………………211
Enrolling Users …………………………………………………211
Installing a Smart Card Reader ……………………………212
Issuing Smart Card Certificates ……………………………213
Assigning Smart Cards ………………………………………214
Logon Procedures …………………………………………215
Revoking Smart Cards ………………………………………215
Planning for Smart Card Support ………………………………216
Planning a Security Group Strategy ………………………………217
Understanding Group Types and Scopes ………………………218
Security and Distribution Groups …………………………218
Local, Domain Local, Global, and Universal Groups ………219
Security Group Best Practices …………………………………224
Designing a Group Strategy for a Single Domain Forest …225
Designing a Group Strategy for a Multiple Domain Forest 226
Summary of Exam Objectives ………………………………………230
Exam Objectives Fast Track …………………………………………232
Exam Objectives Frequently Asked Questions ……………………233
Self Test ……………………………………………………………235
Self Test Quick Answer Key ………………………………………241
Chapter 4 Working with Forests and Domains
243
Introduction ………………………………………………………244
Understanding Forest and Domain Functionality …………………244
256_70-294_TOC.qxd
xx
9/5/03
6:33 PM
Page xx
Contents
1.3.5
1.3/2.1
1.3.1
1.3.2
1.3.3
The Role of the Forest …………………………………………246
New Forestwide Features ……………………………………247
The Role of the Domain ………………………………………254
New Domainwide Features …………………………………256
Domain Trees …………………………………………………259
Forest and Domain Functional Levels …………………………259
Domain Functionality ………………………………………260
Forest Functionality …………………………………………265
Raising the Functional Level of a Domain and Forest ……………270
Domain Functional Level …………………………………270
Forest Functional Level ……………………………………272
Optimizing Your Strategy for Raising Functional Levels …273
Creating the Forest and Domain Structure …………………………275
Deciding When to Create a New DC …………………………275
Installing Domain Controllers …………………………………276
Creating a Forest Root Domain ……………………………278
Creating a New Domain Tree in an Existing Forest ………285
Creating a New Child Domain in an Existing Domain ……288
Creating a New DC in an Existing Domain ………………293
Assigning and Transferring Master Roles ……………………300
Using Application Directory Partitions ……………………313
Establishing Trust Relationships ………………………………315
Direction and Transitivity ……………………………………315
Types of Trusts ………………………………………………317
Restructuring the Forest and Renaming Domains ……………318
Domain Rename Limitations ………………………………318
Domain Rename Limitations in a Windows 2000 Forest …319
Domain Rename Limitations in a
Windows Server 2003 Forest ……………………………319
Domain Rename Dependencies ……………………………320
Domain Rename Conditions and Effects …………………322
Domain Rename Preliminary Steps ………………………323
Performing the Rename Procedure …………………………334
Steps to Take After the Domain Rename Procedure ………354
Implementing DNS in the Active Directory Network Environment 365
DNS and Active Directory Namespaces ………………………367
DNS Zones and Active Directory Integration …………………367
Configuring DNS Servers for Use with Active Directory ……370
256_70-294_TOC.qxd
9/5/03
6:33 PM
Page xxi
Contents
xxi
Integrating an Existing Primary
DNS Server with Active Directory ………………………370
Creating the Default DNSApplication Directory Partitions 371
Using dnscmd to Administer Application Directory Partitions 372
Securing Your DNS Deployment ………………………………373
Summary of Exam Objectives ………………………………………374
Exam Objectives Frequently Asked Questions ……………………376
Exam Objectives Fast Track …………………………………………377
Self Test ……………………………………………………………379
Self Test Quick Answer Key ………………………………………387
Chapter 5 Working with Trusts and Organizational Units 389
Introduction ………………………………………………………390
1.3.6/ Working with Active Directory Trusts ……………………………390
2.1.1
Types of Trust Relationships ……………………………………394
Default Trusts ………………………………………………395
Shortcut Trust ………………………………………………395
Realm Trust …………………………………………………396
External Trust ………………………………………………396
Forest Trust …………………………………………………397
Creating, Verifying, and Removing Trusts ………………………398
Securing Trusts Using SID Filtering ……………………………400
3.3.1/ Working with Organizational Units ………………………………401
3.4.3
Understanding the Role of Container Objects ………………402
……………………402
Applying Group Policy to OUs ………………………………406
3.4.2
Delegating Control of OUs …………………………………407
1.5/1.5.1/ Planning an OU Structure and Strategy for Your Organization ……408
3.4/ 3.4.1 Creating and Managing Organizational Units
3.3/3.3.2
Delegation Requirements ………………………………………409
Security Group Hierarchy ………………………………………410
Summary of Exam Objectives ………………………………………412
Exam Objectives Fast Track …………………………………………413
Exam Objectives Frequently Asked Questions ……………………414
256_70-294_TOC.qxd
xxii
9/5/03
6:33 PM
Page xxii
Contents
Self Test ……………………………………………………………416
Self Test Quick Answer Key ………………………………………423
Chapter 6 Working with Active Directory Sites
425
Introduction ………………………………………………………426
Understanding the Role of Sites ……………………………………426
Replication ……………………………………………………427
Authentication …………………………………………………427
Interactive Logon Authentication …………………………428
Network Authentication ……………………………………429
Distribution of Services Information …………………………429
Relationship of Sites to Other Active Directory Components ……431
Relationship of Sites and Domains ……………………………431
Physical vs. Logical Structure of the Network ………………433
The Relationship of Sites and Subnets …………………………433
1.4/2.2/ Creating Sites and Site Links ………………………………………434
2.2.3
Site Planning ……………………………………………………434
Criteria for Establishing Separate Sites ……………………435
Creating a Site ………………………………………………436
Renaming a Site ……………………………………………438
Creating Subnets ……………………………………………441
Associating Subnets with Sites ………………………………444
1.4.1/2.2.2
Creating Site Links …………………………………………446
1.4.1/2.2.2
Configuring Site Link Cost …………………………………449
2.2/2.2.1/ Understanding Site Replication ……………………………………452
2.5.1
1.4
Purpose of Replication …………………………………………452
Types of Replication ………………………………………453
Intrasite Replication …………………………………………453
Intersite Replication ………………………………………454
Planning, Creating, and Managing the Replication Topology …455
Planning Replication Topology ……………………………455
Creating a Replication Topology ……………………………456
Managing Replication Topology ……………………………456
Configuring Replication between Sites ………………………457
Configuring Replication Frequency ………………………457
Configuring Site Link Availability …………………………458
256_70-294_TOC.qxd
9/5/03
6:33 PM
Page xxiii
Contents
xxiii
Configuring Site Link Bridges ………………………………458
1.4.2
Configuring Bridgehead Servers ……………………………459
2.3
Troubleshooting Replication Failure …………………………459
Troubleshooting Replication ………………………………460
2.3.1
Using Replication Monitor …………………………………461
Using Event Viewer …………………………………………461
Using Support Tools …………………………………………462
2.3.2
Monitoring File Replication Service Replication ……………463
Summary of Exam Objectives ………………………………………465
Exam Objectives Fast Track …………………………………………465
Exam Objectives Frequently Asked Questions ……………………467
Self Test ……………………………………………………………468
Self Test Quick Answer Key ………………………………………474
Chapter 7 Working with Domain Controllers
475
Introduction ………………………………………………………476
1.3.4 Planning and Deploying Domain Controllers ………………………476
Understanding Server Roles ……………………………………476
Function of Domain Controllers ………………………………480
Determining the Number of Domain Controllers ……………481
Using the Active Directory Installation Wizard ………………484
Creating Additional Domain Controllers ………………………494
Upgrading Domain Controllers ………………………………500
Placing Domain Controllers within Sites ………………………502
Backing Up Domain Controllers …………………………………503
Restoring Domain Controllers …………………………………504
1.2/2.5.2 Managing Operations Masters ………………………………………505
Understanding the Operation Masters Roles …………………505
Forestwide Roles ……………………………………………506
Domainwide Roles …………………………………………507
1.2.1
Transferring and Seizing Operations Master Roles ……………509
Transferring FSMOs ……………………………………………510
Transferring the Schema FSMO ……………………………510
Transferring Domain Naming FSMO ………………………514
Transferring RID, PDC, or Infrastructure FSMOs …………516
1.2.1
Responding to OM Failures ……………………………………516
Seizing the PDC Emulator or Infrastructure FSMO ………516
Seizing the RID Master, Domain
256_70-294_TOC.qxd
xxiv
9/5/03
6:33 PM
Page xxiv
Contents
Naming Master, and Schema Master FSMOs ……………517
Summary of Exam Objectives ………………………………………523
Exam Objectives Fast Track …………………………………………524
Exam Objectives Frequently Asked Questions ……………………526
Self Test ……………………………………………………………528
Self Test Quick Answer Key ………………………………………537
Chapter 8 Working with Global Catalog
Servers and Schema
539
Introduction ………………………………………………………540
Working with the Global Catalog and GC Servers ………………540
Functions of the GC ……………………………………………541
2.1.3
UPN Authentication ………………………………………541
Directory Information Search ………………………………542
Universal Group Membership Information …………………543
Customizing the GC Using the Schema MMC Snap-In ………543
Creating and Managing GC Servers ……………………………545
Understanding GC Replication ………………………………547
Universal Group Membership ………………………………547
Attributes in GC ……………………………………………547
1.1
Placing GC Servers within Sites ………………………………548
1.1.1
Bandwidth and Network Traffic Considerations ………………549
1.1.2
Universal Group Caching …………………………………550
Troubleshooting GC Issues ……………………………………552
2.1.2 Working with the Active Directory Schema ………………………551
Understanding Schema Components …………………………553
Classes ………………………………………………………554
Attributes ……………………………………………………555
Naming of Schema Objects …………………………………559
Working with the Schema MMC Snap-In ……………………560
Modifying and Extending the Schema …………………………561
Deactivating Schema Classes and Attributes ……………………562
Troubleshooting Schema Issues …………………………………563
Summary of Exam Objectives ………………………………………564
Exam Objectives Fast Track …………………………………………565
Exam Objectives Frequently Asked Questions ……………………566
Self Test ……………………………………………………………567
Self Test Quick Answer Key ………………………………………573
256_70-294_TOC.qxd
9/5/03
6:33 PM
Page xxv
Contents
xxv
Chapter 9 Working with Group Policy in an Active
Directory Environment
575
Introduction ………………………………………………………576
4/4.2.1
Understanding Group Policy ………………………………………576
4.3.1
Terminology and Concepts ……………………………………577
Local and Non-Local Policies ………………………………577
User and Computer Policies ………………………………577
Group Policy Objects ………………………………………580
Scope and Application Order of Policies ……………………580
Group Policy Integration in Active Directory …………………583
Group Policy Propagation and Replication ……………………583
4/4.1 Planning a Group Policy Strategy …………………………………584
4.2.1/4.3.1
4/4.2.1
4.3.1
4/4.2.1
4.2.2/4.2.3
4.3.1/4.3.2
Using RSoP Planning Mode …………………………………584
Opening RSoP in Planning Mode …………………………584
Reviewing RSoP Results …………………………………587
Strategy for Configuring the User Environment ………………588
Strategy for Configuring the Computer Environment …………590
Implementing Group Policy ………………………………………596
The Group Policy Object Editor MMC ………………………595
Creating, Configuring, and Managing GPOs …………………595
Creating and Configuring GPOs ……………………………596
Naming GPOs ………………………………………………597
Managing GPOs ……………………………………………598
Configuring Application of Group Policy ……………………600
General ………………………………………………………600
Links …………………………………………………………601
Security ……………………………………………………601
WMI Filter …………………………………………………602
Delegating Administrative Control ……………………………604
Verifying Group Policy …………………………………………604
Performing Group Policy Administrative Tasks ……………………608
Automatically Enrolling User and Computer Certificates
……608
256_70-294_TOC.qxd
xxvi
9/5/03
6:33 PM
Page xxvi
Contents
4.1.2/4.1.3
4.2/4.2.4
4.3/4.3.3
Redirecting Folders ……………………………………………609
Configuring User and Computer Security Settings ……………612
Computer Configuration ……………………………………612
User Configuration …………………………………………613
Using Software Restriction Policies ……………………………616
Setting Up Software Restriction Policies …………………616
Software Policy Rules ………………………………………617
Precedence of Policies ………………………………………617
Best Practices ………………………………………………618
Applying Group Policy Best Practices ………………………………619
4/4.2.1
4.3.1/5
4/4.2.1 Troubleshooting Group Policy ……………………………………621
4.3.1/5.1/
5.3
4.1.1 Using RSoP ………………………………………………………622
Using gpresult.exe ………………………………………………623
Summary of Exam Objectives ………………………………………628
Fast Track ……………………………………………………………629
Exam Objectives Frequently Asked Questions ……………………631
Self Test ……………………………………………………………633
Self Test Quick Answer Key ………………………………………639
4.2.1/4.3.1Chapter 10 Deploying Software via Group Policy
641
Introduction ………………………………………………………642
Understanding Group Policy Software Installation Terminology
and Concepts ……………………………………………………642
Group Policy Software Installation Concepts …………………644
Assigning Applications ………………………………………644
Publishing Applications ……………………………………646
Document Invocation ………………………………………646
Application Categories ………………………………………647
Group Policy Software Deployment vs. SMS
Software Deployment ……………………………………648
Group Policy Software Installation Components ………………648
Windows Installer Packages (.msi) …………………………649
Transforms (.mst) ……………………………………………650
256_70-294_TOC.qxd
9/5/03
6:33 PM
Page xxvii
Contents
xxvii
Patches and Updates (.msp) …………………………………651
Application Assignment Scripts (.aas) ………………………652
Deploying Software to Users ………………………………652
Deploying Software to Computers …………………………653
5.2
Using Group Policy Software Installation to Deploy Applications …654
Preparing for Group Policy Software Installation ………………654
Creating Windows Installer Packages …………………………654
Using .zap Setup Files …………………………………………656
Creating Distribution Points ………………………………659
Working with the GPO Editor …………………………………660
Opening or Creating a GPO for Software Deployment ………659
Assigning and Publishing Applications …………………………662
Configuring Software Installation Properties …………………664
The General Tab ……………………………………………665
The Advanced Tab …………………………………………665
The File Extensions Tab ……………………………………666
The Categories Tab …………………………………………666
5.2.1
Upgrading Applications …………………………………………667
5.2.2
Automatically Configuring Required Updates ……………668
Removing Managed Applications ………………………………669
Managing Application Properties ………………………………670
Categorizing Applications ………………………………………673
Adding and Removing Modifications for Application Packages 673
Troubleshooting Software Deployment ……………………………675
Verbose Logging ………………………………………………677
Software Installation Diagnostics Tool …………………………678
Summary of Exam Objectives ………………………………………679
Exam Objectives Fast Track …………………………………………679
Exam Objectives Frequently Asked Questions ……………………681
Self Test ……………………………………………………………682
Self Test Quick Answer Key ………………………………………688
Chapter 11 Ensuring Active Directory Availability
689
Introduction ………………………………………………………690
Understanding Active Directory Availability Issues …………………690
The Active Directory Database …………………………………690
Data Modification to the Active Directory Database …………692
The Tombstone and Garbage Collection Processes ……………694
256_70-294_TOC.qxd
xxviii
9/5/03
6:33 PM
Page xxviii
Contents
System State Data ………………………………………………698
Fault Tolerance and Performance ………………………………699
RAID-1 ……………………………………………………700
RAID-5 ……………………………………………………701
Performing Active Directory Maintenance Tasks …………………701
Defragmenting the Database ……………………………………702
Understanding Active Directory Database Fragmentation …702
The Offline Defragmentation Process ………………………703
Moving the Database or Log Files ……………………………707
2.5.3
Monitoring the Database ………………………………………711
Using Event Viewer to Monitor Active Directory …………711
Using the Performance Console to Monitor Active Directory 713
Backing Up and Restoring Active Directory ………………………720
Backing Up Active Directory …………………………………720
Using the Windows Server 2003 Backup Utility …………721
Backing Up at the Command Line …………………………733
2.4/2.4.1
Restoring Active Directory …………………………………733
2.4.2
Directory Services Restore Mode …………………………733
Normal Restore ……………………………………………734
Authoritative Restore ………………………………………741
Primary Restore ……………………………………………743
2.5.3 Troubleshooting Active Directory Availability ………………………745
Setting Logging Levels for Additional Detail …………………745
Using Ntdsutil Command Options ……………………………747
Using the Integrity Command ……………………………747
Using the recover Command ………………………………750
Using the Semantic Database Analysis Command …………752
Using the esentutl Command ………………………………756
Changing the Directory Services Restore Mode Password ……758
Summary of Exam Objectives ………………………………………759
Exam Objectives Fast Track …………………………………………760
Exam Objectives Frequently Asked Questions ……………………762
Self Test ……………………………………………………………764
Self Test Quick Answer Key ………………………………………769
256_70-294_TOC.qxd
9/5/03
6:33 PM
Page xxix
Contents
xxix
Appendix Self Test Questions, Answers,
and Explanations
771
Chapter 1: Active Directory Infrastructure Overview …………772
Chapter 2: Working with User, Group, and Computer Accounts 781
Chapter 3: Creating User and Group Strategies ………………789
Chapter 4: Working with Forests and Domains ………………797
Chapter 5: Working with Trusts and Organizational Units ……809
Chapter 6: Working with Active Directory Sites ………………819
Chapter 7: Working with Domain Controllers …………………826
Chapter 8: Working with Global Catalog Servers and Schema 840
Chapter 9: Working with Group Policy in an Active
Directory Environment ………………………………………847
Chapter 10: Deploying Software via Group Policy ……………855
Chapter 11: Ensuring Active Directory Availability ……………864
Index
873
256_70-294_TOC.qxd
9/5/03
6:33 PM
Page xxx
256_70-294_Fore.qxd
9/5/03
5:28 PM
Page xxxi
Foreword
This book’s primary goal is to help you prepare to take and pass Microsoft’s exam number
70-294, Planning, Implementing and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure. At the time of this writing, the exam is expected to be released in its beta version in June 2003. Our secondary purpose in writing this book is to provide exam candidates with knowledge and skills that go beyond the minimum requirements for passing the
exam, and help to prepare them to work in the real world of Microsoft computer networking in an Active Directory domain environment.
What is Exam 70-294?
Exam 70-294 is one of the four core requirements for the Microsoft Certified Systems
Engineer (MCSE) certification. Microsoft’s stated target audience consists of IT professionals
with at least one year of work experience on a medium or large company network.This
means a multi-site network with at least three domain controllers, running typical network
services such as file and print services, database, firewall services, proxy services, remote access
services and Internet connectivity.
However, not everyone who takes Exam 70-294 will have this ideal background. Many
people will take this exam after classroom instruction or self-study as an entry into the networking field. Many of those who do have job experience in IT will not have had the
opportunity to work with all of the technologies covered by the exam. In this book, our goal
is to provide background information that will help you to understand the concepts and procedures described even if you don’t have the requisite experience, while keeping our focus
on the exam objectives.
Exam 70-294 covers the basics of managing and maintaining the Active Directory infrastructure in a network environment that is built around Microsoft’s Windows Server 2003.
Objectives are task-oriented, and include the following:
■
Planning a strategy for placing global catalog servers, including evaluating
network traffic considerations and evaluating the need to enable universal group
caching.
xxxi
256_70-294_Fore.qxd
xxxii
9/5/03
5:28 PM
Page xxxii
Foreword
■
Planning the placement of flexible operations master roles, including how
to plan for business continuity of operations master roles and identifying operations
master role dependencies.
■
Implementing an Active Directory directory service forest and domain
structure, including creating the forest root domain, creating a child domain, creating and configuring Application Data Partitions, and installing and configuring an
Active Directory domain controller.This objective also includes setting an Active
Directory forest and domain functional level based on requirements, and establishing
trust relationships such as external trusts, shortcut trusts and cross-forest trusts.
■
Implementing an Active Directory site topology, including configuring site
links and configuring preferred bridgehead servers.
■
Planning an administrative delegation strategy, including planning an organizational unit (OU) structure based on delegation requirements and planning a
security group hierarchy based on delegation requirements.
■
Managing an Active Directory forest and domain structure, including managing trust relationships, managing schema modifications, and adding or removing
UPN suffixes.
■
Managing an Active Directory site, including configuring replication schemes,
configuring site link costs, and configuring site boundaries.
■
Monitoring Active Directory replication failures, using tools such as
Replication Monitor, Event Viewer and support tools to monitor Active Directory
replication and File Replication Service (FRS) replication.
■
Restoring Active Directory directory services, including performing both
authoritative restore and nonauthoritative restore operations.
■
Troubleshooting Active Directory, including diagnosing and resolving issues
related to Active Directory replication, operations master role failure, and the Active
Directory database.
■
Planning a security group strategy.
■
Planning a user authentication strategy, including planning a strategy for
smart card authentication and creating a password policy for domain users.
■
Planning an OU structure, including analyzing the administrative requirements
for an OU and analyzing the Group Policy requirements for an OU structure.
■
Implementing an OU structure, including creating an OU, delegating permissions for an OU to a user or a security group, and moving objects within the OU
hierarchy.
www.syngress.com
256_70-294_Fore.qxd
9/5/03
5:28 PM
Page xxxiii
Foreword
xxxiii
■
Planning a Group Policy strategy, including using Resultant Set of Policy
(RSoP) planning mode, and strategies for configuring the user environment and
computer environments using Group Policy.
■
Configuring the user environment with Group Policy, including distributing
software to users via Group Policy, automatically enrolling user certificates with
Group Policy, redirecting folders via Group Policy and configuring user security
settings using Group Policy.
■
Deploying a computer environment using Group Policy, including distributing software to computers via Group Policy, automatically enrolling computer
certificates with Group Policy, and configuring computer security settings using
Group Policy.
■
Troubleshooting issues related to Group Policy application and deployment, using tools such as RSoP and the gpresult command.
■
Maintain installed software using Group Policy, including distributing
updates to software distributed by Group Policy and configuring automatic updates
for network clients using Group Policy.
■
Troubleshoot the application of Group Policy security settings, using tools
such as RSoP and the gpresult command.
Microsoft reserves the right to change the objectives and/or the exam at any time, so
you should check the web site at http://www.microsoft.com/traincert/exams/70-294.asp for
the most up-to-date version of the objectives.
Path to MCP/MCSA/MCSE
Microsoft certification is recognized throughout the IT industry as a way to demonstrate mastery of basic concepts and skills required to perform the tasks involved in implementing and
maintaining Windows-based networks.The certification program is constantly evaluated and
improved; the nature of information technology is changing rapidly and this means requirements and specifications for certification can also change rapidly.This book is based on the
exam objectives as stated by Microsoft at the time of writing; however, Microsoft reserves the
right to make changes to the objectives and to the exam itself at any time. Exam candidates
should regularly visit the Certification and Training web site at http://www.microsoft.com/
traincert/ for the most updated information on each Microsoft exam.
Microsoft presently offers three basic levels of certification:
■
Microsoft Certified Professional (MCP): to obtain the MCP certification, you
must pass one current Microsoft certification exam. For more information on
exams that qualify, see http://www.microsoft.com/traincert/mcp/mcp/requirements.asp.
www.syngress.com
256_70-294_Fore.qxd
xxxiv
9/5/03
5:28 PM
Page xxxiv
Foreword
■
Microsoft Certified Systems Administrator (MCSA): to obtain the MCSA
certification, you must pass three core exams and one elective exam, for a total of
four exams. For more information, see
http://www.microsoft.com/TrainCert/mcp/mcsa/requirements.asp.
■
Microsoft Certified Systems Engineer (MCSE): to obtain the MCSE certification on Windows Server 2003, you must pass six core exams (including four network operating system exams, one client operating system exam and one design
exam) and one elective. For more information, see
http://www.microsoft.com/traincert/mcp/mcse/windows2003/.
Passing Exam 70-294 will earn you the MCP certification (if it is the first Microsoft
exam you’ve passed). Exam 70-294 also counts toward the MCSE. Exam 70-294 is not a
requirement or elective for the MCSA.
NOTE
Those who already hold the MCSA in Windows 2000 can upgrade their certifications
to MCSA 2003 by passing one upgrade exam (70-292). Those who already hold the
MCSE in Windows 2000 can upgrade their certifications to MCSE 2003 by passing
two upgrade exams (70-292 and 70-296).
Microsoft also offers a number of specialty certifications for networking professionals and
certifications for software developers, including the following:
■
Microsoft Certified Database Administrator (MCDBA)
■
Microsoft Certified Solution Developer (MCSD)
■
Microsoft Certified Application Developer (MCAD)
Exam 70-294 does not apply to any of these specialty and developer certifications.
Prerequisites and Preparation
There are no mandatory prerequisites for taking Exam 70-294, although Microsoft recommends that you meet the target audience profile described earlier, and many candidates will
first take Exams 70-290, 70-291 and 70-293 in sequence before taking Exam 70-294 in their
pursuit of the MCSE certification.
Preparation for this exam should include the following:
■
Visit the web site at http://www.microsoft.com/traincert/exams/70-294.asp to
review the updated exam objectives. Remember that Microsoft reserves the right
to change or add to the objectives at any time, so new objectives might have been
added since the printing of this book.
www.syngress.com
256_70-294_Fore.qxd
9/5/03
5:28 PM
Page xxxv
Foreword
xxxv
■
Work your way through this book, studying the material thoroughly and marking
any items you don’t understand.
■
Answer all practice exam questions at the end of each chapter.
■
Complete all hands-on exercises in each chapter.
■
Review any topics that you don’t thoroughly understand
■
Consult Microsoft online resources such as TechNet
(http://www.microsoft.com/technet/), white papers on the Microsoft web site, and
so forth, for better understanding of difficult topics.
■
Participate in Microsoft’s product-specific and training and certification newsgroups
if you have specific questions that you still need answered.
■
Take one or more practice exams, such as the one included on the CD with this
book.
Exam Overview
In this book, we have tried to follow Microsoft’s exam objectives as closely as possible.
However, we have rearranged the order of some topics for a better flow, and included background material to help you understand the concepts and procedures that are included in the
objectives. Following is a brief synopsis of the exam topics covered in each chapter:
■
Active Directory Infrastructure Overview: In this chapter, we will start with the
basics: defining directory services and providing a brief background of the directory
services standards and protocols.You’ll learn how the Active Directory works, and we
will introduce you to the terminology and concepts required to understand the
Active Directory infrastructure.We discuss the directory is structured into sites,
forests, domains, domain trees, and organizational units, and you’ll learn about the
components that make up the Active Directory, including both logical and physical
components.These include the schema, the global catalog, domain controllers and the
replication service.You’ll learn to use the Active Directory administrative tools, and
we will discuss directory security and access control. Finally, we provide an overview
of what’s new for Active Directory in Windows Server 2003.
■
Working with User, Group and Computer Accounts: This chapter introduces
you to the concept of security principles – users, groups and computers – and the
security identifiers that are used to represent them.You’ll learn about the conventions and limitations for naming these objects.We show you how to work with
Active Directory user accounts, including the built in accounts and those you
create yourself.You’ll also learn to work with group accounts, and you’ll learn
about group types and scopes.You’ll learn to work with computer accounts, and
www.syngress.com
256_70-294_Fore.qxd
xxxvi
9/5/03
5:28 PM
Page xxxvi
Foreword
how to manage multiple accounts.We’ll show you how to implement User
Principal Name suffixes, and we’ll discuss how to move objects within the Active
Directory.
■
Creating User and Group Strategies: This chapter deals with planning effective
strategies for managing users and groups in Active Directory.We will discuss the
creation of user authentication strategies, and we provide an overview of authentication concepts.You will learn to plan a smart card authentication strategy and find
out what’s new in smart card authentication for Windows Server 2003.We will also
discuss how to create a password policy for domain users, and how to plan a security group strategy.
■
Working with Forests and Domains: In this chapter, you will learn all about
the functions of forests and domains in the Active Directory infrastructure, and we
will walk you through the steps of creating a forest and domain structure for a network.You’ll learn to install domain controllers, create the forest root domain and a
child domain, and you’ll find out how to name and rename domains and how to
set the functional level of a forest and domain.We will then discuss the role of
DNS in the Active Directory environment, and you’ll learn about the relationship
of the DNS and AD namespaces, how DNS zones are integrated into Active
Directory, and how to configure DNS servers for use with Active Directory.
■
Working with Trusts and Organizational Units: This chapter addresses two
important components of Active Directory: trust relationships and organizational
units (OUs).You’ll learn about the different types of trusts that exist in the AD
environment, both implicit and explicit, and you’ll learn to create shortcut,
external, realm and cross-forest trusts.You’ll also learn to verify and remove trusts,
and how to secure trusts using SID filtering.Then we discuss the creation and
management of OUs and you learn to apply Group Policy to OUs and how to
delegate control of an OU.We show you how to plan an OU structure and strategy
for our organization, considering delegation requirements and the security group
hierarchy.
■
Working with Active Directory Sites: In this chapter, you learn about the role
of sites in the Active Directory infrastructure, and how replication, authentication
and distribution of services information work within and across sites.We discuss the
relationship of sites and domains, the relationship of sites and subnets, and how to
create sites and site links.You’ll learn about site replication and how to plan, create
and manage a replication topology.We walk you through the steps of configuring
replication between sites, and discuss how to troubleshoot replication failures.We
also address monitoring of the File Replication Service (FRS).
■
Working with Domain Controllers: The focus of this chapter is the Active
Directory domain controller (DC), and how to plan and deploy DCs on your net-
www.syngress.com
256_70-294_Fore.qxd
9/5/03
5:28 PM
Page xxxvii
Foreword
xxxvii
work.You’ll learn about server roles, where domain controllers fit in, and how to
create and upgrade DCs.We discuss placement of domain controllers within sites
and how to back up your domain controllers.Then we get into the subject of
operations master (OM) roles and you learn about the functions of all five OMs:
the schema master, domain naming master, RID master, PDC emulator and infrastructure master.We talk about transferring and seizing master roles and role dependencies, and you’ll learn to plan for the placement of OMs and how to respond to
OM failures.
■
Working with Global Catalog Servers and the Schema: In this chapter, we
take a look at a special type of domain controller: the Global Catalog server.You’ll
learn about the role the Global Catalog (GC) plays in the network, and you’ll find
out how to customize the GC using the Schema MMC snap-in.We show you how
to create and manage GC servers, and explain how GC replication works.You’ll
learn about the factors to consider when placing GC servers within sites. Next, we
address the Active Directory schema itself.You’ll learn about schema components:
classes and attributes, and the naming of schema objects.We show you how to
install and use the Schema management console, and you’ll learn how to extend
the schema and how to deactivate schema objects.
■
Working with Group Policy in an Active Directory Network: This chapter
starts with the basics of Group Policy terminology and concepts, introducing you
to user and computer policies and Group Policy Objects (GPOs).We discuss the
scope and application order of policies and you’ll learn about Group Policy integration in Active Directory.We show you how to plan a Group Policy strategy, and
then walk you through the steps of implementing Group Policy.We show you how
to perform common Group Policy tasks, and discuss Group Policy propagation and
replication.You’ll also learn best practices for working with Group Policy, and we’ll
show you how to troubleshoot problems with Group Policy.
■
Deploying Software via Group Policy: In this chapter, you will learn about
Group Policy’s software installation feature.We’ll show you how to use the components of software installation:Windows installer packages, transforms, patches and
application assignment scripts.You’ll find out how to deploy software to users and
to computers, by assigning or publishing applications.We walk you through the
steps of preparing for GP software installation, working with the Group Policy
Object Editor and setting installation options.You’ll find out how to upgrade applications, configure automatic updates and remove managed applications.We’ll also
cover how to troubleshoot problems that can occur with Group Policy software
deployment.
■
Ensuring Active Directory Availability: The final chapter deals with how to
maintain high availability of your Active Directory services.You’ll learn about the
www.syngress.com
256_70-294_Fore.qxd
xxxviii
9/5/03
5:28 PM
Page xxxviii
Foreword
Active Directory database, and the importance of system state data to AD availability.We’ll discuss fault tolerance plans as well as AD performance issues.You’ll
find out how to perform necessary maintenance tasks, such as defragging the
database, and you’ll learn how to monitor or move the database.We address backup
and restoration of the Active Directory, and show you the different restoration
methods that can be used and when each is appropriate. Finally, you’ll learn to
troubleshoot Active Directory availability.
Exam Day Experience
Taking the exam is a relatively straightforward process. Both Vue and Prometric testing centers administer the Microsoft 70-291 exam.You can register for, reschedule or cancel an
exam through the Vue web site at http://www.vue.com/ or the Prometric web site at
http://www.2test.com/index.jsp.You’ll find listings of testing center locations on these sites.
Accommodations are made for those with disabilities; contact the individual testing center
for more information.
Exam price varies depending on the country in which you take the exam.
Exam Format
Exams are timed. At the end of the exam, you will find out your score and whether you
passed or failed.You will not be allowed to take any notes or other written materials with
you into the exam room.You will be provided with a pencil and paper, however, for making
notes during the exam or doing calculations.
In addition to the traditional multiple choice questions and the select and drag, simulation and case study questions introduced in the Windows 2000 exams, Microsoft has developed a number of innovative question types for the Windows Server 2003 exams.You might
see some or all of the following types of questions:
■
Hot area questions, in which you are asked to select an element or elements in a
graphic to indicate the correct answer.You click an element to select or deselect it.
■
Active screen questions, in which you change elements in a dialog box (for example,
by dragging the appropriate text element into a text box or selecting an option
button or checkbox in a dialog box).
■
Drag and drop questions, in which you arrange various elements in a target area.
You can download a demo sampler of test question types from the Microsoft web site at
http://www.microsoft.com/traincert/mcpexams/faq/innovations.asp#H.
www.syngress.com
256_70-294_Fore.qxd
9/5/03
5:28 PM
Page xxxix
Foreword
xxxix
Test Taking Tips
Different people work best using different methods. However, there are some common
methods of preparation and approach to the exam that are helpful to many test-takers. In this
section, we provide some tips that other exam candidates have found useful in preparing for
and actually taking the exam.
■
Exam preparation begins before exam day. Ensure that you know the concepts and
terms well and feel confident about each of the exam objectives. Many test-takers
find it helpful to make flash cards or review notes to study on the way to the
testing center. A sheet listing acronyms and abbreviations can be helpful, as the
number of acronyms (and the similarity of different acronyms) when studying IT
topics can be overwhelming.The process of writing the material down, rather than
just reading it, will help to reinforce your knowledge.
■
Many test-takers find it especially helpful to take practice exams that are available
on the Internet and with books such as this one.Taking the practice exams not
only gets you used to the computerized exam-taking experience, but also can be
used as a learning tool.The best practice tests include detailed explanations of why
the correct answer is correct and why the incorrect answers are wrong.
■
When preparing and studying, you should try to identify the main points of each
objective section. Set aside enough time to focus on the material and lodge it into
your memory. On the day of the exam, you be at the point where you don’t have
to learn any new facts or concepts, but need simply to review the information
already learned.
■
The value of hands-on experience cannot be stressed enough. Exam questions are
based on test-writers’ experiences in the field. Working with the products on a
regular basis, whether in your job environment or in a test network that you’ve set
up at home, will make you much more comfortable with these questions.
■
Know your own learning style and use study methods that take advantage of it. If
you’re primarily a visual learner, reading, making diagrams, watching video files on
CD, etc. may be your best study methods. If you’re primarily auditory, classroom
lectures, audiotapes you can play in the car as you drive, and repeating key concepts
to yourself aloud may be more effective. If you’re a kinesthetic learner, you’ll need
to actually do the exercises, implement the security measures on your own systems,
and otherwise perform hands-on tasks to best absorb the information. Most of us
can learn from all of these methods, but have a primary style that works best for us.
■
Although it might seem obvious, many exam-takers ignore the physical aspects of
exam preparation.You are likely to score better if you’ve had sufficient sleep the night
before the exam, and if you are not hungry, thirsty, hot/cold or otherwise distracted
www.syngress.com
256_70-294_Fore.qxd
xl
9/5/03
5:28 PM
Page xl
Foreword
by physical discomfort. Eat prior to going to the testing center (but don’t indulge in a
huge meal that will leave you uncomfortable), stay away from alcohol for 24 hours
prior to the test, and dress appropriately for the temperature in the testing center (if
you don’t know how hot/cold the testing environment tends to be, you may want to
wear light clothes with a sweater or jacket that can be taken off).
■
Before you go to the testing center to take the exam, be sure to allow time to
arrive on time, take care of any physical needs, and step back to take a deep breath
and relax.Try to arrive slightly early, but not so far in advance that you spend a lot
of time worrying and getting nervous about the testing process.You may want to
do a quick last minute review of notes, but don’t try to “cram” everything the
morning of the exam. Many test-takers find it helpful to take a short walk or do a
few calisthenics shortly before the exam, as this gets oxygen flowing to the brain.
■
Before beginning to answer questions, use the pencil and paper provided to you to
write down terms, concepts and other items that you think you may have difficulty
remembering as the exam goes on.Then you can refer back to these notes as you
progress through the test.You won’t have to worry about forgetting the concepts
and terms you have trouble with later in the exam.
■
Sometimes the information in a question will remind you of another concept or
term that you might need in a later question. Use your pen and paper to make
note of this in case it comes up later on the exam.
■
It is often easier to discern the answer to scenario questions if you can visualize the
situation. Use your pen and paper to draw a diagram of the network that is
described to help you see the relationships between devices, IP addressing schemes,
and so forth.
■
When appropriate, review the answers you weren’t sure of. However, you should
only change your answer if you’re sure that your original answer was incorrect.
Experience has shown that more often than not, when test-takers start secondguessing their answers, they end up changing correct answers to the incorrect.
Don’t “read into” the question (that is, don’t fill in or assume information that isn’t
there); this is a frequent cause of incorrect responses.
■
As you go through this book, pay special attention to the Exam Warnings, as these
highlight concepts that are likely to be tested.You may find it useful to go through
and copy these into a notebook (remembering that writing something down reinforces your ability to remember it) and/or go through and review the Exam
Warnings in each chapter just prior to taking the exam.
■
Use as many little mnemonic tricks as possible to help you remember facts and
concepts. For example, to remember which of the two IPSec protocols (AH and
ESP) encrypts data for confidentiality, you can associate the “E” in encryption with
the “E” in ESP.
www.syngress.com
256_70-294_Fore.qxd
9/5/03
5:28 PM
Page xli
Foreword
xli
Pedagogical Elements
In this book, you’ll find a number of different types of sidebars and other elements designed
to supplement the main text.These include the following:
■
Exam Warning These focus on specific elements on which the reader needs to
focus in order to pass the exam (for example, “Be sure you know the difference
between symmetric and asymmetric encryption”).
■
Test Day Tip These are short tips that will help you in organizing and remembering information for the exam (for example, “When preparing for the exam on
test day, it may be helpful to have a sheet with definitions of these abbreviations
and acronyms handy for a quick last-minute review”).
■
Configuring & Implementing These are sidebars that contain background
information that goes beyond what you need to know from the exam, but provide
a “deep” foundation for understanding the concepts discussed in the text.
■
New & Noteworthy These are sidebars that point out changes in W2003 Server
from the old Windows 2000/NT family, as they will apply to readers taking the
exam.These may be elements that users of W2K/NT would be very familiar with
that have changed significantly in W2003 Server, or totally new features that they
would not be familiar with at all.
■
Head of the Class These are discussions of concepts and facts as they might be
presented in the classroom, regarding issues and questions that most commonly are
raised by students during study of a particular topic.
The book also includes, in each chapter, hands-on exercises in planning and configuring
the features discussed. It is essential that you read through and, if possible, perform the steps
of these exercises to familiarize yourself with the processes they cover.
You will find a number of helpful elements at the end of each chapter. For example,
each chapter contains a Summary of Exam Objectives that ties the topics discussed in that
chapter to the published objectives. Each chapter also contains an Exam Objectives Fast Track,
which boils all exam objectives down to manageable summaries that are perfect for last
minute review. The Exam Objectives Frequently Asked Questions answers those questions that
most often arise from readers and students regarding the topics covered in the chapter.
Finally, in the Self Test section, you will find a set of practice questions written in a multiplechoice form that will assist you in your exam preparation These questions are designed to
assess your mastery of the exam objectives and provide thorough remediation, as opposed to
simulating the variety of question formats you may encounter in the actual exam.You can
use the Self Test Quick Answer Key that follows the Self Test questions to quickly determine
what information you need to review again.The Self Test Appendix at the end of the book
provides detailed explanations of both the correct and incorrect answers.
www.syngress.com
256_70-294_Fore.qxd
xlii
9/5/03
5:28 PM
Page xlii
Foreword
Additional Resources
There are two other important exam preparation tools included with this Study Guide. One
is the DVD included in the back of this book.The other is the practice exam available from
our Web site.
■
Instructor-led training DVD provides you with almost two hours of virtual classroom instruction. Sit back and watch as an author and trainer reviews
all the key exam concepts from the perspective of someone taking the exam for the
first time. Here, you’ll cut through all of the noise to prepare you for exactly what
to expect when you take the exam for the first time.You will want to watch this
DVD just before you head out to the testing center!
■
Web based practice exams. Just visit us at www.syngress.com/certification
to access a complete Windows Server 2003 concept multiple choice review.These
remediation tools are written to test you on all of the published certification objectives.The exam runs in both “live” and “practice” mode. Use “live” mode first to
get an accurate gauge of your knowledge and skills, and then use practice mode to
launch an extensive review of the questions that gave you trouble.
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 1
Chapter 1
MCSA/MCSE 70-294
Active Directory
Infrastructure Overview
Exam Objectives in this Chapter:
1
Planning and Implementing an Active Directory
Infrastructure
Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions
Self Test
Self Test Quick Answer Key
1
256_70-294_01.qxd
2
9/3/03
11:19 AM
Page 2
Chapter 1 • Active Directory Infrastructure Overview
Introduction
The Active Directory is the foundation of an enterprise-level Windows network, and
Windows Server 2003 includes a number of improvements and enhancements to its directory services that will make a network administrator’s job easier. Exam candidates must
understand the basics of how directory services work and the role they play in the network,
and specifically how the directory services concept is implemented in Microsoft’s Active
Directory.
In this chapter, we start with the basics by defining directory services and providing a
brief background of the directory services standards and protocols.You’ll learn how the
Active Directory works, and be introduced to the terminology and concepts required to
understand the Active Directory infrastructure.
We discuss how the directory is structured into sites, forests, domains, domain trees, and
organizational units (OUs), and you’ll learn about the components that make up the Active
Directory, including both logical and physical components.These include the schema, the
Global Catalog (GC), domain controllers (DCs), and the replication service.You’ll learn to
use the Active Directory administrative tools, and we discuss directory security and access
control. Finally, we provide an overview of what’s new for Active Directory in Windows
Server 2003.
This chapter lays the groundwork for the specific Active Directory-related administrative tasks that you will learn to perform throughout the rest of the book.
EXAM
70-294
OBJECTIVE
1
Introducing Directory Services
As anyone familiar with networking knows, a network can be comprised of a vast number
of elements, including user accounts, file servers, volumes, fax servers, printers, applications,
databases, and other shared resources. Because the number of objects making up a network
increases as an organization grows, finding and managing these accounts and resources
becomes harder as the network gets bigger.To make a monolithic enterprise network more
manageable, directory services are used to store a collection of information about users and
resources, so they are organized and accessible across the network.
A directory allows accounts and resources to be organized in a logical, hierarchical
fashion so that information can be found easily. By searching the directory, users can find
the resources they need, and administrators are able to control and configure accounts and
resources easily and effectively. Keeping this information in a centralized location ensures
that users and administrators don’t have to waste time looking at what’s available on each
server, they only have to refer to the directory.
At face value, the concept of directory services seems overwhelming. However, even if
you’re unfamiliar with directory services, you’re probably familiar with directories in general. In a telephone directory, every account a telephone company manages is uniquely
identified by a telephone number, and includes attributes such as the person’s name and
address. Each account needs to be uniquely identified, so one isn’t mixed up with
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 3
Active Directory Infrastructure Overview • Chapter 1
another—you wouldn’t want to dial one person’s telephone number, only to be connected
with someone else.To make it easier to find information, the telephone directory is structured to look up information in multiple ways.You can look up someone’s name and then
view his or her telephone number, or you can search for entries using other attributes, such
as using the yellow pages and viewing categories of businesses.The same basic concept
applies to directory services.
Any directory (regardless of what it’s used for) is a structured source of information,
consisting of objects and their attributes. As in the case of a telephone directory, a network
directory contains uniquely identified objects with different attributes. Such data can be
made available to applications, operating system services, network administrators, and other
authorized users.Those who have access to the directory can look up an object, and then
view its attributes. If they have sufficient rights (as in the case of an administrator), the
object can be modified.These attributes can be used to provide information that’s accessible
to users, or control security at a granular level.
The objects and attributes in a directory can be used in various ways. For example, a user
might need to use a color printer, but not know the printer’s name.To find this printer, the
user might know it is located on the second floor, and search the directory for an attribute
with this information. In the same light, a user account can include attributes such as usernames, passwords, the user’s name, address, telephone numbers, and other relevant information
about the person. If a person has access to view another user object’s attributes, he or she can
access this data and find information on how to contact the other user.
Because a user can access account information from anywhere on the network, directory services allow a user to log on to multiple servers using a single logon. A single logon
is an important feature to directory services, because without it, a user must log on to each
server that provides needed resources.This is common on Windows NT networks, where
the administrator must create a different account on each server the user needs to access.
The user then needs to log on to each server individually.This is significantly different from
the way Windows 2000/2003’s directory services work, where a user logs on to the network once and can use any of the resources to which he or she has been given access.
Sophisticated directory services give administrators the ability to organize information,
control security, and manage users and resources anywhere on the network. Information
resides in a central repository that’s replicated to different servers on the network. It allows
the data to be accessed when needed and saves the administrator from having to visit each
server to manage accounts.This lowers the amount of work needed to manage the network, while providing granular control over rights and permissions.The administrator only
needs to modify a user account or other object once, and these security changes are replicated throughout the network.
Directory services have been used on different network operating systems for years, and
have proven to be a useful and powerful technology. Following suit, Microsoft created its
own implementation of directory services on Windows NT called NTDS, and then followed with Active Directory on newer versions of servers. NTDS used a flat namespace,
which provided limited functionality in comparison with Active Directory’s hierarchical
www.syngress.com
3
256_70-294_01.qxd
11:19 AM
Page 4
Chapter 1 • Active Directory Infrastructure Overview
structure and feature set. Active Directory was first introduced in Windows 2000, and continues to provide directory services to the Windows Server 2003 family of servers. It can be
installed on the Standard, Enterprise, and Datacenter Editions of Windows Server 2003, and
provides a necessary foundation for any network using these servers.
NOTE
Installation of Active Directory on a Windows 2000 or Windows Server 2003 server
makes that computer a DC. Windows Server 2003 Web Edition cannot function as
a DC, and thus cannot have Active Directory installed.
A Brief History of Directory Services
Head of the Class…
4
9/3/03
Directory services have been around long since Microsoft’s implementation of
Active Directory. In 1984, Banyan offered customers the first directory service for
enterprise networking. The product was called StreetTalk, and provided enterprise
directory services for networks running Banyan VINES. Since then, many other network operating systems have evolved to used directory services as a method of
storing information related to the components of a network.
Novell also provided directory services for its network operating system
NetWare. In 1993, NetWare 4 introduced an object-oriented directory called
NetWare Directory Services, which was later named Novell Directory Services (NDS).
NDS used a hierarchical structure and provided the basis for new features in
NetWare. NDS evolved into eDirectory, which provided greater features and interoperability between different operating systems that used its directory services.
Microsoft also incorporated a directory service in its network operating
system. In 1993, the first release of Windows NT Server included the Windows NT
Directory Services (NTDS). NTDS provided a single point of administration that
allowed you to manage up to 25,000 users per domain. When Windows 2000
Server was released, the number of objects supported by directory services jumped
dramatically. Active Directory theoretically supports up to 10 million objects per
domain, with 1 million objects being a more practical estimate. In addition, Active
Directory uses a hierarchical namespace and provides significantly more features
than the directory services in Windows NT.
When directory services were still new to networking in the mid 1980s, there
was a lack of common standards to control the development of directory services.
Different standards were being used to determine how directories should function.
The International Telecommunications Union (which was called the International
Telegraph and Telephone Consultative Committee at the time) was developing a
directory that allowed information (telephone numbers and other data) to be
looked up from a directory service. The International Organization for
Continued
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 5
Active Directory Infrastructure Overview • Chapter 1
Standardization (ISO) was also developing standards for network functions and
applications using the Open Systems Interconnect (OSI). These different specifications came together after a time to become X.500.
Part of the X.500 standard specified how information in directories was
accessed. The Directory Access Protocol (DAP) was developed to allow communication between clients and directory servers, but the number of features in DAP made
it inefficient with personal computers. By removing some of the code from DAP,
and limiting the features, a more lightweight version of DAP was developed, called
the Lightweight Directory Access Protocol (LDAP). This protocol and the X.500 standard are used by Active Directory and other directory services, and provide interoperability between different systems.
Terminology and Concepts
Before delving too far into the specifics of Active Directory, it is important to discuss a
number of concepts and terms to appreciate the features and functionality of a directory
service. As with anything dealing with technology, certain words and phrases associated with
Active Directory and Windows Server 2003 are useful in identifying and defining specific
components of the network.Whether you’re new to Active Directory or experienced from
using previous versions, the information provided here will help you to understand other
topics that follow in this book.
In reading this section, it is important to realize that this is an overview of topics that
we discuss later in greater detail.We define some of the terms used throughout this book,
and look at concepts that we’ll build on in later sections.
Some of the terms and concepts we discuss in the following subsections include:
■
Directory data store
■
Directory partitions
■
Policy-based administration
■
DAP and LDAP
■
Naming schemes used in Active Directory
Directory Data Store
Active Directory isn’t just a service that provides access to directory services; it’s also a
method of storing data about network elements. If you didn’t have a place where configurations and directory data are saved, you’d lose this information every time you shut down
your server.The data store contains a vast amount of information, including data dealing
with users, groups, computers, the resources they can access, and other components of the
network. Because the Active Directory data store is a database of all directory information,
it is also referred to as the directory.
www.syngress.com
5
256_70-294_01.qxd
6
9/3/03
11:19 AM
Page 6
Chapter 1 • Active Directory Infrastructure Overview
When you install the directory on a Windows Server 2003 server, the Active Directory
data source is placed on the server’s hard disk.The file used to store directory information is
called NTDS.DIT, and is located in the NTDS folder in the systemroot (for example,
C:\WINDOWS). Any changes made to the directory are saved to this file.
The presence of Active Directory’s data store on a Windows Server 2003 server has a
major impact on that server’s role in the network. As shown in Figure 1.1, the directory is
stored on DCs, which are servers with writable copies of the data store. A DC is used to
manage domains, which are groups of computers, users, and other objects that share (or are
included in) the same directory. Domains that use different Active Directory data sources
can still communicate with one another, but (as we’ll see later in this chapter) secure relationships between them must be configured.
Figure 1.1 Relationship Between Active Directory, Domain Controllers, Member
Servers, and Clients
Active
Directory
Active Directory is installed
on all domain controllers
Domain controllers use AD
to authenticate users and
determine access to
resources
Domain Controller
Domain Controller
Active Directory
information is replicated
between domain
controllers, so all have a
duplicate copy of AD
Domain Controller
Member Server
Member Server
Member Servers are
Windows 2000 or 2003
Servers that don’t have AD
installed on them
Unavailable
Domain Controller
If a domain controller isn’t
available, clients can log
on to other DCs in the
domain
Client Client Client
Clients log on to domain
through domain
controllers.
Each DC retains its own copy of the directory, containing information on the domain
in which it is located. If one DC becomes unavailable, users and computers can still access
the Active Directory data store on another DC in that domain.This allows users to continue logging on to the network even though the DC that’s normally used is unavailable. It
also allows computers and applications that require directory information to continue functioning while one of these servers is down.
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 7
Active Directory Infrastructure Overview • Chapter 1
Because a domain can have more than one DC, changes made to the directory on one
DC must be updated on others.The process of copying these updates is called replication,
and is used to synchronize information in the directory.Without replication, features in
Active Directory would fail to function properly. For example, if you added a user on one
DC, the new account would be added to the directory store on that server.This would
allow the user to log on to that domain controller, but he or she still couldn’t log on to
other DCs until these changes to the directory were replicated.When a change is made on
one DC, the changes need to be replicated quickly so that each DC continues to have an
accurate duplicate copy of Active Directory.
Because replication is so important to making the directory consistent across the network, the data source is organized in a way to make replication more efficient. Not every
piece of data is saved in the same location of the data source. As shown in Figure 1.2, information resides in different areas of the directory, called directory partitions. Because Active
Directory is a logical, hierarchical structure, it has a treelike structure similar to that of the
Windows Registry or folders on a hard disk. Data is stored within subtrees of the directory,
much like data on your hard disk is stored within folders that are nested within one
another. Each contiguous subtree in the directory is a partition. Any data that changes
within a directory partition is replicated as a single unit to other DCs.
Figure 1.2 Active Directory Is a Hierarchical Structure
Directory Root
Forest Root Domain
Directory Partition
Configuration Partition
Domain Trees
Schema Directory Partition
In Active Directory, three partitions exist on any DC and must be replicated, as these
contain data that the Microsoft network needs to function properly:
■
Domain partition
■
Configuration partition
■
Schema partition
www.syngress.com
7
256_70-294_01.qxd
8
9/3/03
11:19 AM
Page 8
Chapter 1 • Active Directory Infrastructure Overview
NOTE
Directory partitions shouldn’t be confused with disk partitions. Disk partitions are
used to logically separate the hard disk so that multiple operating systems can run
from a single hard drive, or to make it appear that a single hard disk is actually
more than one. For example, if you have a single hard disk on your computer, the
C: drive, you might partition it into two logical drives, so that the system now has
C: and D: drives. While this is useful for organizing files stored on the hard disk, it
is unrelated to how Active Directory is partitioned.
A directory is physically a database where information is stored within a
table, and logically, a naming hierarchy made up of containers and objects.
Information is partitioned in this manner to allow data to be stored in different
areas. As we’ll see in the paragraphs that follow, these partitions consist of containers storing domain, configuration, schema, and application information.
The domain partition contains information about the domain.This includes information about users, computers, resources, and attributes associated with each.Without this data
being replicated, any changes would be limited to the server on which the changes were
made, and other servers would use older settings. For example, if the domain data wasn’t
replicated and you disabled a user’s account on one DC, the user would still be able to log
on to other DCs.The domain partition is important because it contains information about
objects and their attributes, which are fundamental elements of your network.
Configuration data deals with the topology of Active Directory, and includes information
about how the domains, domain trees, and forests within a network are configured. A
domain tree is a structure of domains. If more than one domain is in a domain tree, trusts
are set up between those domains so that they can share data and resources between them.
A forest also consists of multiple domains that share directory data. It consists of one or
more trees that are connected through trusts.The configuration partition also includes
information about the locations of DCs and the GC, which is a subset of the data contained in Active Directory that is used to provide search and logon functionality across multiple domains.We discuss each of these topics in greater detail later in this chapter.
Because Active Directory is made up of different objects, and each object has specific
attributes, certain rules must be created to control what objects can exist in the directory,
and the attributes of each. For example, a user account has attributes that include a password, an account name, and the first and last of the person to whom the account belongs.
The types of objects that exist in Active Directory, and which attributes each type has, is
determined by the schema.The schema partition contains information that defines object
classes and attributes used within the domain. It determines what objects can exist within
Active Directory, and what attributes each can have.
Windows Server 2003 servers can also create one or more application partitions, which
are used to store data that is specific to different applications running on the network.
Programs can use this partition to store settings that are needed while the programs are
running on a server.We discuss this in greater detail later in the chapter.
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 9
Configuring & Implementing...
Active Directory Infrastructure Overview • Chapter 1
Providing the Best Possible Protection for Your Directory
In addition to Windows 2000 servers, Active Directory can only be installed on
Microsoft Windows Server 2003, Standard Edition; Windows Server 2003,
Enterprise Edition; and Windows Server 2003, Datacenter Edition. When a server is
configured to be a DC on any of these editions, a writable copy of the directory is
stored on the server’s hard disk. Because any file can be damaged, destroyed, or
compromised (such as in the case of a hacking attempt or virus), you should take
steps to ensure that the directory is safe on your server(s).
If only one DC is used, then only one NTDS.DIT file will exist, meaning there is
only one copy of the directory for that domain. Failure of this server or damage to
the NTDS.DIT file will disable the network. Users will be unable to log on, computers will be unable to access needed information from the directory, and any configurations on your network could be lost. Rather than hoping that nothing ever
happens to your one DC, it is wise to use multiple DCs on your network.
If more than one DC exists in a domain, any updates to the NTDS.DIT will be
replicated to other DCs. This will allow multiple copies of the directory to exist on
the network, providing a level of fault tolerance if one server fails. If one fails,
another can continue authenticating users, supplying services, and providing access
to resources.
Because of the importance of the NTDS.DIT file, the drive on which it is stored
should be formatted in NTFS format. NTFS is a file format that allows the best possible level of protection, allowing you to set permissions on who can access the
directory and NTDS.DIT file locally and across the network. Such permissions cannot
be set on hard disks that are formatted as FAT16 or FAT32. Limiting the access to
this file lessens the chance that someone might accidentally or maliciously damage
or delete the data source.
It is also important to remember that any measures you take to protect Active
Directory from harm do not negate the need to perform regular backups. When
backups are performed, the data on a computer is copied to other media (such as
a tape, CD, or DVD), which can then be stored in another location. Should any
problem occur, you can restore any files that were damaged or lost.
Policy-Based Administration
There can be hundreds or thousands of users and computers in a large network. Having to
go through each account and configure settings can be an arduous task. For example,
imagine having to go to each computer to change the desktop so that it displays a company
logo as the background image. Rather than visiting each computer, it would be far easier to
make such changes in one location, and have these settings apply to everyone.This is why
policy-based administration is such a benefit to Active Directory: it makes managing
accounts easier.
www.syngress.com
9
256_70-294_01.qxd
10
9/3/03
11:19 AM
Page 10
Chapter 1 • Active Directory Infrastructure Overview
Group policies allow you to apply default settings to groups of users and groups.
Policies can be used to:
■
Control desktop settings that determine the display properties of a computer.
■
Assign scripts that run at logon, logoff, startup, and shutdown.
■
Enforce password security, such as by setting minimum password lengths, maximum length of time before a password must be changed, and so on.
■
Redirect folders from the local computer to a folder on a networked computer,
such as when the My Documents folder is redirected to use specific folders on a
server.
■
Deploy applications, so that certain members have programs available to them to
install or have them automatically installed.
As we’ll see in the chapters that follow, these are just a few of the options available to
administrators in managing users and computers on a network.
When policies are created, they are stored as Group Policy Objects (GPOs) in Active
Directory.The settings in a GPO can be applied to a site, domain, or OU. An OU is a container in Active Directory that can contain users, groups, computers, or other OUs.We’ll
discuss OUs in greater detail later in this chapter. Because GPOs can be applied at different
levels, you can set different policies for different areas of your company. For example, you
could create a group policy for users in Finance and another for the Sales department (by
placing Finance users in one OU and Sales users in another). If you have different domains
for different branch offices, you could have different settings for the Sales divisions in each
domain. Using GPOs in this manner, you can configure which settings will be used for
specific groups of users and computers.
Directory Access Protocol
For clients to search for objects, update information, and communicate with DCs when
logging on to the network, a directory access protocol must be used. A protocol is a set of
rules that dictate how data is sent over a network. A directory access protocol is used for
the specific purpose of exchanging information with the directory service.
Active Directory uses LDAP for communications between clients and directory servers.
LDAP is a version of the X.500 Directory Access Protocol (DAP), and is considered
lightweight because it uses less code than DAP does.
X.500 is an established standard that defines directory services. It was developed by the
International Telecommunication Union and published by the International Organization
for Standardization. DAP is one of the protocols defined by X.500. Because it contains too
many features to be efficient with personal computers, thin clients, and communication
over the Internet, a more lightweight version was developed that contained fewer features.
As mentioned, this light version of DAP is LDAP.
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 11
Active Directory Infrastructure Overview • Chapter 1
The Internet Engineering Task Force (IETF) established industry standards for LDAP,
enabling LDAP to be used over local networks and the Internet by a variety of directory
services. Many network operating systems that use directory services (including Novell
NetWare,Windows 2000, and Windows Server 2003) implement LDAP for accessing the
directory, while other products (such as Internet browsers) support it as a method for
finding resources or managing the directory. Since its inception in 1994, there have been
several versions of LDAP, with features being added to accommodate changing needs. Active
Directory supports versions 2 and 3.
Naming Scheme
Active Directory supports several common formats for naming objects. By using different
methods of naming objects, it allows objects to be accessed in a variety of ways. Providing
different naming schemes also provides backward compatibility to older systems that might
not support one or more of these formats.The naming schemes supported by Active
Directory include:
■
Domain Name System (DNS)
■
User principal name (UPN)
■
Universal Naming Convention (UNC)
■
Uniform Resource Locator (URL)
■
Lightweight Directory Access Protocol Uniform Resource Locator (LDAP URL)
DNS is used to resolve domain names to IP addresses.You’re probably familiar with this
method from using the Internet. It would be difficult or impossible to remember the IP
address for every Web site or server that you want to access. DNS is a hierarchical, distributed database that allows clients to find a particular resource by entering a user-friendly
domain name (such as knightware.ca), and then looks up the IP address for that domain.
In Active Directory, domains are usually given DNS names (such as syngress.com).
Because Windows domains didn’t use this naming scheme prior to Windows 2000, each
domain is also given a name that’s compatible with those used in Windows NT networks.
These pre-Windows 2000 names are NetBIOS names, and are one-word names that users
of older operating systems can use to log on to Active Directory.This allows clients to log
on to domains by entering the domain name and username using the format: domain
name\username.
UPNs are based on the IETF’s RFC 822. Each user account in Active Directory has a
logon name and UPN suffix.The logon name is the account name, and the UPN suffix is
the domain that the user will log on to.The two are connected by the @ symbol, making
the logon appear like an Internet e-mail address (username@domain). After entering a
username, the user will generally be required to enter a password to prove that he or she is
authorized to use this account.
www.syngress.com
11
256_70-294_01.qxd
12
9/3/03
11:19 AM
Page 12
Chapter 1 • Active Directory Infrastructure Overview
When the UPN is created for a user account, Active Directory also suggests a preWindows 2000 logon name that is used by the Security Account Manager (SAM) to log on
to a server.The SAM is a service that stores information about user accounts and groups to
which they belong. Local computer accounts use the SAM to store accounts that are used
to access the local computer, and Windows NT servers use it for allowing network users
access to resources on the server. Although you can create your own logon name, Active
Directory will suggest a pre-Windows 2000 user logon name that’s based on the first 20
bytes of the Active Directory logon name.
Every computer account that is created in Active Directory also has multiple names, so
that the account can be identified and accessed in a variety of ways.When a computer
account is created in Active Directory, you need to enter a name for the computer, which
will uniquely identify it in the domain.This is the host name for the machine, which can
be used by DNS to indicate its place in the domain, and can be used to help find the computer when clients search for it and its resources on the network.
In DNS, the host name is combined with the domain name to create the computer’s fully
qualified domain name (FQDN).This combines the host name with the domain name, and
separates the two with a period. For example, if you have a computer named COMP100 in
the domain called knightware.ca, the FQDN for this computer would be comp100.knightware.ca. No two computers in a domain can have the same name, as this would create conflicts.
When the computer account is created, it will also require the computer be given a
pre-Windows 2000 name, so older clients and servers can identify and access it. As with
user accounts,Windows Server 2003 will suggest a name, which is based on the first 15
bytes of the name used to create the account. If you don’t want to use this default name,
you can enter a new one at any time.
The UNC path is a tried-and-true method of accessing shared resources over a network.
It uses the format of two backslashes, followed by the domain name or server name, the name
of the share, and (where applicable) the name of the resource.The shared resource is often the
name of a shared directory, and might be followed by the name of a file, application, or other
resource on the server. In other words, the format would be \\domain name\share\filename
or \\servername\share\filename. For example, if you were accessing a file named SPREADSHEET.XLS in a shared directory called XLS on a server named FS-GOTHAM, the UNC
to access it would be \\fs-gotham\xls\spreadsheet.xls.You can use UNC names in the address
bar of browsers, from the Run command of the Windows Start menu, or any other place
where UNC names are allowed.
Another common method of accessing resources through a browser is by using URLs. If
you’ve surfed the Web, you’re likely to have used a URL, as they’re entered into the browser’s
address bar to specify Web site addresses (for example, http://knightware.ca/default.htm). By
using a URL, you can access files, applications, or other resources. A URL generally begins
with http (for HyperText Transfer Protocol), a colon, and two forward slashes, followed by a
server name such as www, a domain name such as syngress.com, and a filename path (which
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 13
Active Directory Infrastructure Overview • Chapter 1
can contain a directory name such as files, or just a filename such as file.htm or file.html for
an HTTP document, file.asp for an Active Server Pages document, or file.jpg for a graphic in
.JPG format).
NOTE
Note the difference between a UNC path, which uses backslashes to separate the
components of the name, and URLs, which use forward slashes.
The final naming scheme we’ll discuss is LDAP URL.This method is similar to using
URLs, but uses the X.500 naming structure to locate a resource. An LDAP URL uses the
format LDAP://domain name/CN=common name/OU=organizational unit/DC=domain
component. In this format, the common name is the name of an object in Active
Directory, OU is the organizational unit, and DC is the DNS domain name in which the
object exists.This allows you to specify an object that is uniquely identified in the directory.
As we’ll see in the sections that follow, this information is built on X.500/LDAP standards.
X.500/LDAP standards
Both the X.500 DAP and LDAP work by interacting with the directory.The directory is
designed as a hierarchy, and has a tree-like structure called the directory information tree.
Information in subtrees branch off the trunk, much as folders on the hard disk branch off a
root directory.These subtrees contain objects that represent elements of the network, and
are called directory service entries. Just as there can’t be two files with the same name in a
folder on your hard disk, each object must have a unique name in the directory structure.
Distinguished Name
To accommodate the need for each object being identified with a unique name in the
directory, objects have a distinguished name (DN). A DN represents the exact location of an
object within the directory.This is comparable to a file being represented by the full path,
showing where it is located on the hard disk.With an object in the directory, several components are used to create this name:
■
CN The common name of the object, and includes such things as user accounts,
printers, and other network elements represented in the directory.
■
OU The organizational unit.These are containers in the directory that are used
to hold objects.To continue with our example of files on a hard disk, this would
be comparable to a folder within the directory structure.
■
DC A domain component.This is used to identify the name of the domain or
server, and the DNS suffix (for example, .com, .net, .edu, and .gov).
www.syngress.com
13
256_70-294_01.qxd
14
9/3/03
11:19 AM
Page 14
Chapter 1 • Active Directory Infrastructure Overview
When combined, these components of the DN are used to show the location of an
object. Each DN can be used more than once to fully identify the object’s place within the
directory. For example, let’s say a user account named BobSmith was stored in the
Accounting OU in the syngress.com domain. In this case, the DN of this object would be:
CN=BobSmith, OU=Accounting, DC=syngress, DC=com
Relative Distinguished Name
An RDN is a portion of the DN, and is used to uniquely identify an object with a parent
container. As each object must have a unique name with the directory structure, the RDN
identifies an object within a particular OU.This is comparable to a file in a folder, where
you specify the name of the file and not the full path to it. Just as a file in one folder might
have the same name as a file in another folder, an object in one OU might have the same
name as another object in another OU.While the RDN would be the same, the DN
would indicate that each is in a different OU.
To illustrate this, let’s look at the previous example, which used the DN
/CN=BobSmith, /OU=Accounting, /DC=syngress, /DC=com. In this case,
CN=BobSmith is the RDN of the object. It is a subset of the DN, and the only one by
that name in the Accounting OU. However, you could have a user account named
BobSmith in the Sales OU. Even though the RDNs are identical, the full DNs are unique.
DNS and RDNs apply to user accounts and any other objects within the directory.
When a computer account is created, the name used for the computer is used by LDAP as
the RDN. For example, if a computer were named COMP100, this would be its RDN.
Canonical Name
A canonical name is another way of showing the DN of an object. It contains the same
information, but shows it in a way that is easier to read. Using the example of the
BobSmith object, if we convert its DN to a canonical name, it would read:
syngress.com/Accounting/BobSmith
In the preceding example, the CN, OU, and DC components of the DN have been
removed and replaced with slashes (similar to the way in which a pathname to a file on a
DOS/Windows machine is notated with backslashes).The canonical format also reverses the
information. Rather than beginning with the lowest level component of the DN (in other
words, the object) and moving up through higher levels, it starts at the highest level of the
directory structure and works its way down to the object’s name.While it relates the DN of
an object, it removes the extraneous notations in the name and makes it easier to read.
TEST DAY TIP
To avoid confusion between DNs, RDNs, and canonical names, try to remember
that they’re all related in some way. The DN shows the exact location in the direc-
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 15
Active Directory Infrastructure Overview • Chapter 1
tory, while the RDN identifies the object in relation to its location in the directory.
Canonical names are similar to DNs, but show the information in a different
format.
Installing Active Directory
to Create a Domain Controller
When Windows Server 2003 is installed on a computer, it doesn’t mean that the directory
is also installed. Active Directory is installed when you create a DC. It can be installed as
part of the Windows Server 2003 installation, and can also be installed on member servers,
which are computers running Windows Server 2003 that don’t have Active Directory
installed. A server without Active Directory installed on it can still deliver a variety of services, file storage, and access to other resources, but until Active Directory is installed, it
can’t authenticate users or provide the other functions of a DC. Once Active Directory is
installed, the member server ceases to be a member server and becomes a DC.
To install Active Directory on a member server, the Active Directory Installation Wizard
(DCPROMO) is used. DCPROMO is a tool that promotes a member server to DC status.
Because a DC is a server with a writable copy of Active Directory installed on it, this tool
will install a copy of the directory database on the server, and configure the structure of
Active Directory based on your input. After Active Directory is installed, you can then perform other tasks that will allow users of your network to access resources on the domain.
EXERCISE 1.01
INSTALLING ACTIVE DIRECTORY
As with many of the exercises in this book, this exercise should not be performed on a production server. Moreover, while readers who have previous
knowledge of Active Directory can perform this exercise, those who are new to
Active Directory might want to read the next section to understand how Active
Directory works before attempting to install it.
1. From the Run command on the Windows Start menu, type DCPROMO
and then click OK.
2. A welcome screen will appear that identifies the program as the Active
Directory Installation Wizard. Click Next to continue.
3. An information screen will appear, warning that clients running
Windows 95 or Windows NT 4.0 SP3 and earlier won’t be able to log
on to Windows Server 2003 DCs or access domain resources. Click Next
to continue.
www.syngress.com
15
256_70-294_01.qxd
16
9/3/03
11:19 AM
Page 16
Chapter 1 • Active Directory Infrastructure Overview
4. The Domain Controller Type screen appears after this, allowing you to
specify whether you want the server to be a DC for a new or existing
domain (see Figure 1.3). Selecting the Domain controller for a new
domain will allow you to create a new domain, while selecting
Additional domain controller for an existing domain will add this
server to a domain that already exists. Select the first of these options
to create a new domain. Click Next to continue.
Figure 1.3 Domain Controller Type Screen of Active Directory
Installation Wizard
5. The next screen allows you to configure or install DNS on the server. If
DNS is already running, then select Yes, I will configure the DNS
client. If not, select No, just install and configure DNS on this computer. If you select Yes and DNS is not running, a warning screen will
appear informing you of this. If DNS isn’t running, select the second
option (No), and click Next to continue.
6. Enter the DNS name for the new domain (for example, syngress.com).
Click Next to continue.
7. As shown in Figure 1.4, the screen that appears next asks you to enter
the NetBIOS name for this domain, which older versions of Windows
will use to access the domain. Windows Server 2003 suggests a name
based on your previously entered DNS name. Accept the default value,
and click Next to continue.
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 17
Active Directory Infrastructure Overview • Chapter 1
Figure 1.4 NetBIOS Domain Name Screen of the Active Directory
Installation Wizard
8. The next screen, shown in Figure 1.5, allows you to specify where the
Active Directory database and log files will be stored. By default, this
will be a directory called NTDS in the systemroot folder. Accept the
default values and click Next to continue.
Figure 1.5 Database and Log Folders Screen of the Active Directory
Installation Wizard
9. The next screen asks for the location of where public files that will be
copied to other DCs will be stored. By default, this is stored in the
www.syngress.com
17
256_70-294_01.qxd
18
9/3/03
11:19 AM
Page 18
Chapter 1 • Active Directory Infrastructure Overview
SYSVOL directory in the systemroot folder. Accept the default value and
click Next to continue.
10. The next screen is used to set proper permissions based on whether
you will be running server programs that were designed for preWindows 2000 domains. If this were the case, you would select the
first option Permissions compatible with pre-Windows 2000 Server
operating systems. Selecting this will allow anonymous users to read
information on the domain, so it is best to select Permissions compatible only with Windows 2000 or Windows Server 2003 operating
systems whenever possible. Assuming you will not be running such
software, select the second option, and click Next.
11. The following screen asks that you enter a password used when the
server is started in Directory Services Restore mode. This mode is used
to restore Active Directory after it has become damaged. Enter a password in the first field, and then enter it in the field below to confirm
your password. Click Next to continue.
12. The screen that appears next displays all the settings you chose for your
installation of Active Directory (see Figure 1.6). Review the summary
information that’s shown on this screen, and then click Next to continue.
Figure 1.6 Summary Screen of the Active Directory Installation Wizard
13. The wizard will proceed to install and configure Active Directory based
on your choices. Once this is done, click Finish.
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 19
Active Directory Infrastructure Overview • Chapter 1
14. To complete the installation, you will need to restart Windows Server
2003. A message box will appear informing you of this, and giving the
options of restarting now or not. Click Restart Now.
Understanding How
1 Active Directory Works
EXAM
70-294
OBJECTIVE
Active Directory provides the ability to manage your network through a single source of
information. Using tools in Windows Server 2003, you can administer users, computers,
printers, and a variety of other resources. Changes made to objects in the directory are
replicated to other DCs.This ensures that each DC has an up-to-date copy of all directory
objects and their attributes.
EXAM WARNING
Because of the logical, hierarchical structure of Active Directory, and the physical
components required for it to work, most of the questions you see on the exam
will indirectly or directly deal with the topics that follow. To understand Active
Directory, it is important that you understand what these components are, so you
can follow other issues discussed later in this book.
Directory Structure Overview
When you compare the directory structure of different organizations, you will find that
they are different. Active Directory is organized in a hierarchical structure that is built from
a variety of different components that represent elements of your network. For example,
there are user objects, computer objects, and various containers to organize them.The way
you organize these elements will make the hierarchical structure of Active Directory in
your company different from other companies.The components that are part of this hierarchy (which we discuss in the sections that follow) include:
■
Sites
■
Domains
■
Trees
■
Forests
■
Objects
■
DCs
www.syngress.com
19
256_70-294_01.qxd
20
9/3/03
11:19 AM
Page 20
Chapter 1 • Active Directory Infrastructure Overview
In addition to these, we will also look at the components of Active Directory that are
used to organize and manage this hierarchy.These components are:
■
GC
■
Schema
Active Directory allows you to administrate your network by dealing with the physical
and logical structure.The physical structure of your network consists of tangible elements
that make up your network, while the logical structure is used to organize components into
a hierarchy that matches the structure of your company. As we’ll see in the sections that
follow, sites represent the physical structure of a network, while domains, trees, and forests
represent the logical structure.
Sites
A site is one or more IP subnets connected by a fast and reliable link.The term subnet is
short for “subnetwork,” and refers to a group of neighboring computers that have been
subdivided within the network. Computers in the subnet use a different network ID from
those in other subnets, essentially becoming a smaller network within the network. Sites are
used to store information about the topology of your network in Active Directory, so that
the directory has information about the physical structure of the network.
Active Directory uses information about the physical elements of a network in a
number of ways. It allows Active Directory to determine the fastest connections between
sites, so that updates in the directory can be replicated to other DCs. Sites contain computer and connection objects, which are used to configure replication between sites,
allowing this information to be copied in the fastest, most effective way to DCs in other
sites. It is also useful to users, as it will allow each user to be authenticated by the DC that’s
closest to that user.
Although not required, it is a good idea to have a DC in each site.When a client logs
on to a domain, a DC must be contacted.The client will search the local site for a DC and
then, if one is not found, attempt to connect to DCs in other sites. If the client has to connect to a DC in a different site, it might take a long time for the user to be authenticated.
Creating different sites will group computers together, so they will authenticate to the DC
that’s closest to them.
An important feature of a site is that subnets are well connected.This means that the links
between sites are reliable and fast.While determining what is fast can be subjective,
Microsoft has traditionally defined a fast link as being at least 512 Kbps, while acknowledging that 128 Kbps or higher is sufficient. Because the bandwidth needed by an organization depends on the amount of data being transferred between sites, some companies will
require a greater bandwidth to meet their needs.
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 21
Active Directory Infrastructure Overview • Chapter 1
As shown in Figure 1.7, there can be multiple domains in a site, or multiple sites in a
domain. Because sites represent the physical structure, they are different from domains, trees,
and forests (which we’ll discuss next) that represent the logical structure. Sites are separate
from these entities, and unfettered by issues that determine the logical structure of a
Windows Server 2003 network.
Figure 1.7 Sites Can Contain Multiple Domains, and Domains Can Contain
Multiple Sites
Domain
Domain
Site
Site
Site
Domain
Domains
Domains have been a cornerstone of a Microsoft network since the days of Windows NT. A
domain is a logical grouping of network elements, consisting of computers, users, printers, and
other components that make up the network and allow people to perform their jobs. Because
domains group these objects in a single unit, the domain acts as an administrative boundary, in
which you can control security on users and computers. In Windows Server 2003, a domain
also shares a common directory database, security policies, and (when other domains exist in
the network) relationships with other domains.They are important logical components of a
network, because everything is built upon or resides within the domain structure.
Sites and domains are different structures, and aren’t bound by one another. Just as a site
can include users and computers from multiple domains, domains can include multiple
sites.This allows you to have objects from different areas of your network in the same
domain, even if they’re in different subnets or geographical locations.
www.syngress.com
21
256_70-294_01.qxd
22
9/3/03
11:19 AM
Page 22
Chapter 1 • Active Directory Infrastructure Overview
In serving as an administrative boundary, each domain uses its own security policies.
Group policies can be applied at a domain level, so that any users and computers within
that domain are affected by it.This allows you to control access to resources, password policies, and other configurations to everyone within the domain.These security settings and
policies only affect the domain, and won’t be applied to other domains in the network. If
large groups of users need different policies, you can either create multiple domains or
apply settings in other ways (for example, using OUs, which we’ll discuss later).
When a domain is created, a DNS domain name is assigned to identify it. DNS is used
on the Internet and other TCP/IP networks for resolving IP addresses to user-friendly
names. Because an Active Directory domain is integrated with DNS, this allows users, computers, applications, and other elements of the network to easily find DCs and other
resources on the network.
As you can imagine, a significant number of objects can potentially exist within a
domain.To allow for significant growth in a network, Microsoft designed Active Directory
to support up to 10 million objects per domain.While Microsoft concedes this to be a theoretical estimate, the company provides a more practical estimate that each domain can support at least 1 million objects. In either case, chances are your domain will never reach
either of these limits. If it does, you’ll need to create additional domains, and split users,
computers, groups, and other objects between them.
Earlier in this chapter, we mentioned that updates to the directory are replicated to
other DCs, so that each has an identical copy of the directory database.We’ll explain replication in greater detail later in this chapter, but for now it is important to realize that Active
Directory information is replicated to every DC within a domain. Each domain uses its
own directory database. Because the information isn’t replicated to other domains, this
makes the domain a boundary for replication as well as for administration and security.
Domain Trees
Although domains serve as boundaries for administration and replication, this does not
mean that you should only use one domain until you reach the limit on the number of
objects supported per domain.That depends on your organizational structure.You might
want to use multiple domains for any of the following reasons:
■
To decentralize administration
■
To improve performance
■
To control replication
■
To use different security settings and policies for each domain
■
If you have an large number of objects in the directory
For example, your company might have branch offices in several countries. If there is
only one domain, directory information will have to be replicated between DCs in each
country, or (if no DCs resides in those locations) users will need to log on to a DC in
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 23
Active Directory Infrastructure Overview • Chapter 1
another country. Rather than replicating directory information across a WAN, and having
to manage disparate parts of the network, you could break the network into several
domains. For example, you might create one domain for each country.
Creating separate domains does not mean there will be no relationship between these
different parts of your network. Active Directory allows multiple domains to be connected
together in a hierarchy. As shown in Figure 1.8, a domain can be created beneath an
existing domain in the hierarchy.The pre-existing domain is referred to as a “parent
domain,” and the new domain created under it is referred to as a “child domain.”When this
is done, the domains share a common namespace.They also share a schema, configuration,
and GC, as do all domains in the same forest, whether or not they have a parent-child relationship (we’ll discuss these elements in greater detail later in this chapter).
As seen in Figure 1.8, domains created in this parent-child structure and sharing a
namespace belong to a domain tree. Trees follow a DNS naming scheme, so that the relationship between the parent and child domains is obvious and easy to follow.To conform to
this naming scheme, a child domain appends its name to the parent’s name. For example, if
a parent domain used the domain name sygress.com, a child domain located in the United
Kingdom might have the name uk.syngress.com. Names can also indicate the function of a
domain, rather than its geographical location. For example, the child domain used by developers might use the name dev.syngress.com. Because domain trees use a contiguous namespace, it is easy to see which domains are child domains of a particular parent domain.
Figure 1.8 A Domain Tree Consists of Parent and Child Domains in a
Contiguous Namespace
syngress.com
pub.syngress.com
uk.syngress.com
sales.syngress.com
www.syngress.com
23
256_70-294_01.qxd
24
9/3/03
11:19 AM
Page 24
Chapter 1 • Active Directory Infrastructure Overview
When a child domain is created, a two-way transitive trust relationship between the
parent and child domains is automatically created. A trust relationship allows pass-through
authentication, so users who are authenticated in a trusted domain can use resources in a
trusting domain. Because the trust between a parent and child domain is bidirectional, both
domains trust one another, so users in either domain can access resources in the other
(assuming, of course, that the users have the proper permissions for those resources).
The other feature of the trust relationship between parent and child domains is that
they are transitive. A transitive relationship means that pass-through authentication is transferred across all domains that trust one another. For example, in Figure 1.9, Domain A has a
two-way transitive trust with Domain B, so both trust one another. Domain B has a twoway transitive trust with Domain C, so they also trust one another, but there is no trust
relationship between Domain A and Domain C.With the two-way transitive trust, Domain
C will trust Domain A (and vice versa) because both trust Domain B.This will allow users
in each of the domains to access resources from the other domains.Trusts can also be manually set up between domains so that they are one-way and nontransitive, but by default,
transitive bidirectional trusts are used in domain trees and forests.These trusts are also
implicit, meaning that they exist automatically by default when you create the domains,
unlike explicit trusts that must be created manually.
Figure 1.9 Adjoining Domains in a Domain Tree Use Two-Way Transitive Trusts
Domain B
Domain A
Domain C
Forests
Just as domains can be interconnected into trees, trees can be interconnected into forests. A
forest is one or more domain trees that share the same schema, GC, and configuration
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 25
Active Directory Infrastructure Overview • Chapter 1
information. As is the case with domain trees, domains in the same forests use two-way
transitive trusts between the roots of all domain trees in the forest (that is, the top level
domain in each tree) to allow pass-through authentication, so users can access resources in
domains throughout the forest. As shown in Figure 1.10, although trees require a contiguous namespace, a forest can be made up of multiple trees that use different naming
schemes.This allows your domains to share resources across the network, even though they
don’t share a contiguous namespace.
Figure 1.10 A Forest Allows Multiple Domain Trees to Be Connected and Share
Information
syngress.com
pub.syngress.com
uk.syngress.com
sales.syngress.com
knightware.ca
dev.knightware.ca sales.knightware.ca
rd.knightware.ca
Every Active Directory structure has a forest, even if it only consists of a single domain.
When the first Windows Server 2003 DC is installed on a network, you create the first
domain that’s also called the forest root domain. Additional domains can then be created that are
part of this forest, or multiple forests can be created.This allows you to control which trees are
connected and can share resources with one another (within the same forest), and which are
separated so that users can’t search other domains sharing the GC (in separate forests).
Organizational Units
When looking at domain trees, you might think that the only way to create a directory
structure that mirrors the organization of your company is to create multiple domains.
However, in many companies, a single domain is all that’s needed.To organize Active
Directory objects within this single domain, OUs can be used.
As we mentioned earlier, OUs are containers that allow you to store users, computers,
groups, and other OUs. By placing objects in different OUs, you can design the layout of
Active Directory to take the same shape as your company’s logical structure, without creating separate domains. As shown in Figure 1.11, you can create OUs for different areas of
www.syngress.com
25
256_70-294_01.qxd
26
9/3/03
11:19 AM
Page 26
Chapter 1 • Active Directory Infrastructure Overview
your business, such as departments, functions, or locations.The users, computers, and groups
relating to each area can then be stored inside the OU, so that you can find and manage
them as a single unit.
Figure 1.11 Organizational Units Can Contain Other Active Directory Objects
group
user
computer
Management
OU
group3
group4
user3
user4
computer4
computer3
Sales OU
Accounting OU
Domain
OUs are the smallest Active Directory unit to which you can delegate administrative
authority.When you delegate authority, you give specific users or groups the ability to
manage the users and resources in an OU. For example, you can give the manager of a
department the ability to administer users within that department, thereby alleviating the
need for you (the network administrator) to do it.
Active Directory Components
When looking at the functions of domains, trees, forests, and OUs, it becomes apparent that
each serves as a container.These container objects provide a way to store other components
of Active Directory, so that they can be managed as a unit and organized in a way that
makes administration easier. OUs also provide the added feature of allowing nesting, so that
you can have one OU inside another.
The bulk of components in Active Directory, however, are objects that represent individual elements of the network (in Novell’s NDS structure, these are called leaf objects, in
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 27
Active Directory Infrastructure Overview • Chapter 1
keeping with the tree analogy, because they are at the end of the hierarchical “branch” and
don’t contain any other objects). Objects are divided into classes, and each object class
includes a set of attributes, which are properties that hold data on characteristics and configurations. Just as people are defined by their characteristics (for example, eye and hair color,
height, weight), attributes define an object. A printer object might have attributes that
include the make, model, and configuration information related to that device, whereas a
user object would include attributes such as username, password, and other data that defines
the user. As we’ll see in Chapter 2, these various objects populate the directory, and are used
to manage such things as user, computer, and group accounts.
Logical vs. Physical Components
The components making up Active Directory can be broken down into logical and physical
structures. Logical components in Active Directory allow you to organize resources so that
their layout in the directory reflects the logical structure of your company. Physical components in Active Directory are similarly used, but are used to reflect the physical structure of
the network. By separating the logical and physical components of a network, users are
better able to find resources, and administrators can more effectively manage them.
Many directories are designed to follow the logical structure of an organization.You’re
probably familiar with organizational charts; maps that show the various departments in a
company, and illustrate which departments are accountable to others. In such a map, a
Payroll department might appear below the Finance department, even though they are
physically in the same office. Just as the chart allows you to find where a department falls in
the command structure of a company, the logical structure of a directory allows you to find
resources based on a similar logical layout. As we saw earlier, you can organize your network into forests, trees, and domains, and then further organize users and computers into
OUs named after areas of your business. A map of the directory structure can be organized
to appear identical to the logical structure of the company.
Physical components are used to design a directory structure that reflects the physical
layout, or topology, of the network. For example, as we saw earlier, a site is a combination of
subnets, and a DC is a server that has a copy of the directory on it. DCs are physically
located at specific locations in an organization, while subnets consist of computers using the
same grouping of IP addresses. In both cases, you could visit a room or building and find
these components.Thus, physical components can be used to mirror the physical structure
of an organization in the directory. As illustrated in Figure 1.12, this makes the physical
structure considerably different from the logical structure of a network.
www.syngress.com
27
256_70-294_01.qxd
28
9/3/03
11:19 AM
Page 28
Chapter 1 • Active Directory Infrastructure Overview
Figure 1.12 Logical Structure vs. Physical Structure
The Logical Structure consists of
Forests, Domain Trees, Domains,
Organizational Units, and Objects
Sites and Domain Controllers Are
Part of the Physical Structure
User
Computer
group
Organizational Unit
Domain Controller Domain Controller
Site
Computer
User
group
Organizational Unit
Domain
Domain Controllers
DCs are used to manage domains. As mentioned, the directory on a DC can be modified,
allowing network administrators to make changes to user and computer accounts, domain
structure, site topology, and control access.When changes are made to these components of
the directory, they are then copied to other DCs on the network.
Because a DC is a server that stores a writable copy of Active Directory, not every
computer on your network can act as a DC.Windows Server 2003 Active Directory can
only be installed on Microsoft Windows Server 2003, Standard Edition;Windows Server
2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition. Servers running
other the Web Edition of Windows Server 2003 cannot be DCs, although they can be
member servers that provide resources and services to the network.
When a DC is installed on the network, the first domain, forest, and site are created
automatically. Additional domains, forests, and sites can be created as needed, just as additional DCs can be added.This allows you to design your network in a way that reflects the
structure and needs of your organization.
While only one DC is required to create a domain, multiple DCs can (and usually
should) be implemented for fault tolerance and high availability. If more than one DC is
used and one fails, users will be able to log on to another DC that is available.This will
allow users to continue working while the DC is down. In larger companies, a number of
DCs can be added to accommodate significant numbers of users who might log on and log
off at the same time of day or need to access resources from these servers.
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 29
Active Directory Infrastructure Overview • Chapter 1
EXAM WARNING
Windows Server 2003 computers can be promoted to DCs by installing Active
Directory on them. To install Active Directory, the Active Directory Installation
Wizard (invoked by running DCPROMO.EXE) is used. Information provided during
the installation is used to add the server to an existing domain, or to create a new
domain, forest, and site if the DC is the first one installed on a network.
Master Roles
Certain changes in Active Directory are only replicated to specific DCs on the network.
Operations Masters are DCs that have special roles, keeping a master copy of certain data in
Active Directory and copying data to other DCs for backup purposes. Because only one
machine in a domain or forest can contain the master copy of this data, they are also
referred to as Flexible Single Master Operations (FSMO) roles.
Five different types of master roles are used in an Active Directory forest, each providing a specific purpose.Two of these master roles are applied to a single DC in a forest
(forestwide roles), while three others must be applied to a DC in each domain (domainwide roles). In the paragraphs that follow, we will look at each of these roles, and discuss
how they are significant to Active Directory’s functionality.
Forestwide master roles are unique to one DC in every forest.There are two master
roles of this type:
■
Schema Master
■
Domain Naming Master
The Schema Master is a DC that is in charge of all changes to the Active Directory
schema. As we’ll see in the next section, the schema is used to define what object classes
and attributes are used within the forest.The Schema Master is used to write to the directory’s schema, which is then replicated to other DCs in the forest. Updates to the schema
can be performed only on the DC acting in this role.
The Domain Naming Master is a DC that is in charge of adding new domains and
removing unneeded ones from the forest. It is responsible for any changes to the domain
namespace. Such changes can only be performed on the Domain Naming Master, thus preventing conflicts that could occur if changes were performed on multiple machines.
In addition to forestwide master roles, there are also domainwide master roles.There are
three master roles of this type:
■
Relative ID (RID) Master
■
Primary domain controller (PDC) Emulator
■
Infrastructure Master
www.syngress.com
29
256_70-294_01.qxd
30
9/3/03
11:19 AM
Page 30
Chapter 1 • Active Directory Infrastructure Overview
TEST DAY TIP
Remember that there is only one forestwide master for each role in a forest, and
one domainwide master for each role in a domain. There can only be one Schema
Master and Domain Naming Master per forest. In other words, if there were two
forests, then there would be one Schema Master and one Domain Naming Master
in each forest. In the same way, there can only be one RID Master, PDC Emulator,
and Infrastructure Master per domain. Although multiple domains can exist in a
forest, there can only be one RID Master, PDC Emulator, and Infrastructure Master
in each domain
The RID Master is responsible for creating a unique identifying number for every
object in a domain.These numbers are issued to other DCs in the domain.When an object
is created, a sequence of numbers that uniquely identifies the object is applied to it.This
number consists of two parts: a domain security ID (SID) and a RID.The domain SID is
the same for all objects in that domain, while the RID is unique to each object. Instead of
using the name of a user, computer, or group, this SID is used by Windows to identify and
reference the objects.To avoid potential conflicts of DCs issuing the same number to an
object, only one RID Master exists in a domain, to control the allocation of ID numbers to
each DC, which the DC can then hand out to objects when they are created.
The PDC Emulator is designed to act like a Windows NT primary DC.This is needed
if there are computers running pre-Windows 2000 and XP operating systems, or if
Windows NT backup domain controllers (BDCs) still exist on the network.The PDC
Emulator is responsible for processing password changes, and replicating these changes to
BDCs on the network. It also synchronizes the time on all DCs in a domain so servers
don’t have time discrepancies between them. Because there can only be one Windows NT
PDC in a domain, there can be only one PDC Emulator.
Even if there aren’t any servers running as BDCs on the network, the PDC Emulator
still has a purpose in each domain.The PDC Emulator receives preferred replication of all
password changes performed by other DCs within the domain.When a password is
changed on a DC, it is sent to the PDC Emulator.The PDC Emulator is responsible for
this because it can take time to replicate password changes to all DCs in a domain. If a user
changes his or her password on one DC and then attempts to log on to another, the second
DC he or she is logging on to might still have old password information. Because this DC
considers it a bad password, it forwards the authentication request to the PDC Emulator to
determine whether the password is actually valid.Whenever a logon authentication fails, a
DC will always forward it to the PDC Emulator before rejecting it.
The Infrastructure Master is in charge of updating changes made to group memberships.
When a user moves to a different domain and his or her group membership changes, it can
take time for these changes to be reflected in the group.To remedy this, the infrastructure
manager is used to update such changes in its domain.The DC in the Infrastructure Master
role compares its data to the GC, which is a subset of directory information for all domains
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 31
Active Directory Infrastructure Overview • Chapter 1
in the forest.When changes occur to group membership, it then updates its group-to-user
references and replicates these changes to other DCs in the domain.
Schema
The schema is a database that is used to define objects and their attributes. Information in
the schema is used to control the types of objects (classes) that can be created in Active
Directory, and the additional properties (attributes) associated with each. In other words, the
schema determines what you can create in Active Directory, and the data that can be used
to configure these objects.
The schema is made up of classes and attributes. Object classes define the type of
object, and include a collection of attributes, which are used to describe the object. For
example, the User class of object contains attributes made up of information about the
user’s home directory, first name, last name, address, and so on.While the object class determines the type of object that can be created in Active Directory, the attributes are used to
provide information about it. An object’s attributes are also known as its properties, and in
most cases, you can configure its attributes by editing its properties sheet (usually accessed
by right clicking the object and selecting Properties).
Active Directory comes with a wide variety of object classes, but additional ones can be
created if needed. Because the schema is so important to Active Directory’s structure, extensions (additions and modifications) to the schema can only be made on one DC in the
forest. Modifications to the schema can only be made on the DC that’s acting in the Schema
Master role. Schema information is stored in a directory partition of Active Directory, and is
replicated to all DCs in a forest.
Attributes are created using the Active Directory Schema snap-in for the Microsoft
Management Console (MMC) (which we’ll discuss later in this chapter).When a new class
or attribute is added to the schema, it cannot be deleted. If a class or attribute is no longer
needed, it can only be deactivated, so it cannot be used anymore. Should the class or
attribute be needed later, you can then reactivate it.
Global Catalog
As anyone who’s tried to search a large database can attest, the more data that’s stored in a
database, the longer it will take to search.To improve the performance of searching for
objects in a domain or forest, the GC is used.The GC server is a DC that stores a copy of
all objects in its host domain, and a partial copy of objects in other domains throughout the
forest.The partial copy contains objects that are most commonly searched for. Because the
GC contains a subset of information in Active Directory, less information needs to be replicated, and increases performance when users search for specific attributes of an object.
In addition to being used for searches, the GC is also used to resolve UPNs that are
used in authentication. As discussed earlier, the UPN has a format like an e-mail address. If
a user logs on to a DC in a domain that doesn’t contain the account, the DC will use the
GC to resolve the name and complete the logon process. For example, if a user logged on
www.syngress.com
31
256_70-294_01.qxd
32
9/3/03
11:19 AM
Page 32
Chapter 1 • Active Directory Infrastructure Overview
with the UPN myname@us.syngress.com from a computer located in ca.syngress.com, the
DC in ca.syngress.com would be unable to find the account in that domain. It would then
use the GC to find and authenticate the user’s account.
The GC is also used to store information on Universal Group memberships, in which
users from any domain can be added and allowed access to any domain.We’ll discuss groups
in greater detail in Chapter 2.When a user who is a member of such a group logs on to a
domain, the DC will retrieve his or her Universal Group membership from the GC.This is
only done if there is more than one domain in a forest.
The GC is available on DCs that are configured to be GC servers. Creating a GC
server is done by using the Active Directory Sites and Services snap-in for the MMC
(which we’ll discuss later in this chapter). After a GC server is configured, other DCs can
query the GC on this server.
Replication Service
The Windows Server 2003 replication service is used to replicate Active Directory between
DCs, so that each DC has an up-to-date copy of the directory database. Because each DC
has an identical copy of the directory, they can operate independently, allowing users to be
authenticated and use network resources if one of the DCs fails.This allows Windows
Server 2003 DCs to be highly reliable and fault tolerant.
Multimaster replication is used to copy changes in the directory to other DCs.With
multimaster replication, DCs work as peers to one another, so that any DC accepts and
replicates these updates (with the exception of the special types of data for which an
Operations Master is assigned). Rather than having to make changes on a primary DC,
changes can be made to the directory from any DC.
Replication occurs automatically between DCs, and generally, no additional configuration is required. However, because there are times when network traffic will be higher, such
as when employees log on to DCs at the beginning of the workday, replication can be configured to occur at specific times.This will enable you to control replication traffic so it
doesn’t occur during peak hours.
To replicate the directory effectively,Windows Server 2003 uses the Knowledge
Consistency Checker (KCC) to generate a replication topology of the forest. A replication
topology refers to the physical connections used by DCs to replicate the directory to other
DCs within the site and to DCs in other sites. After initially creating a replication topology,
the KCC will review and modify the topology at regular intervals.This allows it to see if
certain connections or DCs are unavailable, and if changes need to be made as to how
replicated data will be transferred to other DCs.
Replication is handled differently within a site as opposed to when the directory is
replicated to other sites. Intra-site replication (in which Active Directory is replicated within a
site) is handled by using a ring structure.The KCC builds a bidirectional ring, in which
replication data is passed between DCs in two directions. Because the data is only being
transferred within the site, the replicated data isn’t compressed.
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 33
Active Directory Infrastructure Overview • Chapter 1
The KCC creates at least two connections to each DC, so if one connection fails, the
other can be used. For example, in Figure 1.13, connections that are functional are shown
with a straight line, while broken connections are shown with dotted lines. Because one of
the four servers in Figure 1.13 has failed, replication data cannot be passed through it, so
another connection between the servers is used. Using multiple connections provides fault
tolerance.
Figure 1.13 Replication Topology
Domain Controller
Domain Controller
.
Domain Controller
Domain Controller
Intra-site replication is automated to occur at regular intervals, and only occurs when
DCs are notified of a change. By default, when a change is made on a DC, it will wait 15
seconds and then send notification to its closest replication partner. If it has more than one
replication partner, it will send out notifications in three-second intervals to each additional
partner.When a partner receives this notification, it will send out a request for updated directory information to the original DC, which then responds by sending the updated data.The
exception to this process is when an account is locked out, the DC account is changed, or
there are changes in account lockout policy or domain password policy. In these circumstances, there is no 15-second waiting period, and replication occurs immediately.
Replication between sites is called inter-site replication. Because the bandwidth between
sites might be slower than that within a site, inter-site replication occurs less frequently and
is handled differently. Rather than informing other DCs shortly after a change occurs, replication occurs at scheduled times. Information about site link objects is used to determine the
best link to use for passing this data between sites.
Site links are used to define how sites replicate Active Directory information between
one another.These objects store data controlling which sites are to replicate traffic between
www.syngress.com
33
256_70-294_01.qxd
34
9/3/03
11:19 AM
Page 34
Chapter 1 • Active Directory Infrastructure Overview
one another, and which should be used over others. For example, you might have an ISDN
connection between your offices and one located overseas. If the overseas link were slower
and more costly to use than others, you could configure the link so it is only used as a last
resort.Through the site link object, the fastest and least expensive connection between sites
is used for replication.
A DC acts in the role of an inter-site topology generator in each site, and serves the
purpose of building this topology. It considers the cost of different connections, whether
DCs are available, and whether DCs have been added to sites. By gathering this information, the KCC can then update the topology as needed, and provide the method of passing
data between the sites.
How often replication occurs is configurable, so that it occurs as frequently or infrequently as your needs dictate. By default, inter-site replication occurs every 180 minutes
(three hours), and will use the site link to meet this schedule 24 hours a day, 7 days a week.
The frequency of replications can be modified as needed to occur at certain times and days
of the week.
Using Active Directory
1 Administrative Tools
EXAM
70-294
OBJECTIVE
Just as organizations have the tendency to grow and change, so do the networks they use. In
a Windows Server 2003 network, the number of domains, sites, OUs, users, computers, and
other objects populating Active Directory can grow exponentially with a business. Every
new employee needs a new account, and every new computer added to the network means
another object added to the directory. Even when growth is limited, there can be a considerable amount of maintenance to these objects, such as when users change jobs, addresses,
or other issues that involve changes to information and access.To aid administrators with
these tasks, Active Directory provides a number of tools that make management easier.
Two types of administrative tools can be used to manage Active Directory.Windows
Server 2003 provides a variety of new command-line tools that individually administer different aspects of the directory and its objects. By clicking on the Windows Start menu and
clicking Programs | Accessories | Command Prompt (or simply clicking Start | Run
and typing cmd), a prompt will appear allowing you to enter these commands and control
objects and elements of Active Directory.The other method of managing Active Directory is
with tools using a graphical user interface (GUI).These tools allow you to point and click
through objects, and modify them using a graphical display. Most of the graphical tools are
available through the Start | Programs | Administrative Tools menu.
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 35
New & Noteworthy...
Active Directory Infrastructure Overview • Chapter 1
Command-Line Tools
Windows Server 2003 includes a number of tools that weren’t available for administration of Active Directory in Windows 2000. These tools run from the command
prompt, and can perform tasks that could previously only be performed using the
GUI consoles. Using these tools, you can connect to remote servers and make modifications to the directory without the added overhead of a GUI interface. Because
many tasks can be performed through the MMC (which we’ll discuss next) or textbased commands, this provides a greater freedom of choice for administrators on
how these tasks are performed.
Command-line tools are particularly beneficial for administrators who were
experienced with DOS or other network operating systems that used command-line
tools (such as Novell NetWare and UNIX). While using these tools requires the user
to switch from one tool to another and manually type each command, users might
find that they can perform common tasks faster through this interface rather than
with the GUI.
Command-line tools are also useful for administrators who want to schedule
tasks at a certain time, or automate tasks in other ways. By running the commands
through scripts or batch files, or invoking them through other applications developed in-house, you can automate certain tasks and make administration easier.
Allowing these commands to be invoked in these ways can also be useful for
allowing users to perform management tasks with which they aren’t familiar.
Graphical Administrative Tools/MMCs
A primary administrative tool for managing Windows Server 2003 and Active Directory is
the Microsoft Management Console (MMC).The MMC isn’t a management tool in itself,
but an interface that’s used to load snap-ins that provide administrative functionality. Snapins provide a specific functionality, or a related set of functions. Because of the design of the
MMC interface, you can load several snap-ins into one console, and create custom tools to
deal with specific tasks. In addition, because these snap-ins run in the same environment, it
becomes easier to learn how to use these tools because you don’t have to learn a different
interface for each.
MMCs can be started by opening pre-made consoles that are available under the
Administrative Tools folder in the Windows Start menu. An empty MMC can be started
by using the Run command in the Windows Start menu. By typing MMC in the Run
command in the Windows Start menu, an empty MMC will start as shown in Figure 1.14.
www.syngress.com
35
256_70-294_01.qxd
36
9/3/03
11:19 AM
Page 36
Chapter 1 • Active Directory Infrastructure Overview
Figure 1.14 Microsoft Management Console
The windows appearing in the MMC are interfaces with individual snap-ins or custom
console files. Each child window in the MMC has two panes.The left pane displays the
console tree, which is a hierarchical display of tools available through the console.These can
be multiple snap-ins that have been loaded into the MMC and saved as a custom console.
The right pane is called the detail pane, and provides commands and information relating
to what is selected in the console tree.
You can add snap-ins for specific tasks by clicking on the File menu and selecting
Add/Remove Snap-in.When this is done, a new dialog box will appear with two tabs:
Standalone and Extensions.
The Standalone tab is used for standalone snap-ins, which are designed to run without
any additional requirements.The Extensions tab is used to load a special type of snap-in,
called an extension snap-in.These are used to add additional functions to a standalone snapin that’s already been installed.
The Standalone tab is used to add or remove snap-ins from the console. As shown in
Figure 1.15, clicking the Add button on this tab will display a list of available standalone
snap-ins. After selecting the one you want to add, click the Add button on this dialog.
Clicking Close will exit this screen, and return you to the previous one, which will now
include your selected snap-ins in a list of ones to install in this console. Clicking OK confirms the selection, and installs them.
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 37
Active Directory Infrastructure Overview • Chapter 1
Figure 1.15 Add/Remove Snap-in Dialog Box
As you can see by in Figure 1.15, there are three snap-ins available for Active Directory:
■
Active Directory Users and Computers
■
Active Directory Domains and Trusts
■
Active Directory Sites and Services
While we’ll discuss each of these in the sections that follow, it is important to realize
that these aren’t the only snap-ins that you can use with Windows Server 2003.The MMC
supplies these three snap-ins for use with Active Directory, but others are also available for
specific purposes and management tasks. Each has an individual functionality or set of
related functions for administering Windows Server 2003 and Active Directory.
NOTE
Note that although the three Active Directory-related snap-ins are available to be
added to a custom MMC, each is already installed in a separate pre-configured
MMC available through the Administrative Tools menu.
Because multiple snap-ins can be added and configured in the MMC, you can create
custom consoles to perform specific tasks. After setting up a console, you can save it to a file
that has the .msc extension.The console can be saved in one of two modes: Authoring
and User.
Authoring mode is used to provide full access to the functions of an MMC console.
When saved in this mode, users who open the console can add and remove snap-ins, create
new Windows, create Favorites and taskpads, view everything in the console tree, and save
consoles.
www.syngress.com
37
256_70-294_01.qxd
38
9/3/03
11:19 AM
Page 38
Chapter 1 • Active Directory Infrastructure Overview
User mode is used to limit another user’s ability to use certain functions of the console.
If you were creating a console for users to perform a specific task, but didn’t want them to
access other functions, then User mode would be ideal.There are three access levels for
User mode:
■
Full Access The same as Author mode, except that snap-ins can’t be added or
removed, console settings can’t be changed, and users can’t create Favorites and
taskpads.
■
Limited Access, Multiple Windows Allows users to view parts of the console
tree that were visible when the console was saved, and prohibits users from closing
existing windows. Users can, however, create new windows.
■
Limited Access, Single Window Also allows users to access parts of the console tree that were visible when the console was saved, but prohibits users from
creating new windows.
TEST DAY TIP
The exam will test you on your knowledge of Active Directory, and how to use the
tools that come with Windows Server 2003. Remember that the MMC allows you
to load snap-ins to perform specific tasks, and can also be used to create custom
consoles that provide limited functionality.
Active Directory Users and Computers
The Active Directory Users and Computers console is one of the MMC snap-ins for use
with Active Directory. It allows you to administer user and computer accounts, groups,
printers, OUs, contacts, and other objects stored in Active Directory. Using this tool, you
can create, delete, modify, move, organize, and set permissions on these objects.
As shown in Figure 1.16, when this tool is loaded, a node will appear in the console
tree (left pane) showing the domain. Expanding this node will show a number of containers
that are created by default.While additional containers can be created, the ones that appear
here after creating a DC are:
■
Builtin
■
Computers
■
Domain Controllers
■
Users
These containers store objects that can be managed with this tool, and allow you to
view and modify information related to these different objects.
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 39
Active Directory Infrastructure Overview • Chapter 1
Figure 1.16 Active Directory Users and Computers
The Builtin container holds groups that were created by Windows Server 2003, and can
be used to control access.You can add users to these Builtin groups to give them the ability
to perform certain tasks. For example, rather than allowing everyone in the IT department
to use the same Administrator account, users can be added to the built-in Administrators
group.This gives them the ability to administer Windows Server 2003, but allows you to
track which person with this level of security performed certain tasks.
The Computers container is used to store computer objects.These are (as the name
implies) computers running on the network that have joined the domain and have accounts
created in Active Directory.The Computers container can also include accounts used by
applications to access Active Directory.
The Domain Controllers container contains objects representing DCs that reside in the
domain.The ones shown in this container are ones running Windows 2000 Server and
Windows Server 2003. Earlier versions are not displayed.
The Users container is used to store user accounts and groups. Users and Groups that
appear in this container are ones that were created using application programming interfaces (APIs) that can use Active Directory, and ones that were created in Windows NT
prior to upgrading.
Additional containers can be displayed when Active Directory Users and Computers is
running with Advanced Features activated.You can enable Advanced Features by clicking
on the menu item with this name, found in the View menu.When Advanced Features have
been activated, LostAndFound and System containers are displayed in the left console tree.
The LostAndFound container is used to store stray objects whose containers no longer
exist. If an object is created at the same time its container is deleted, or if it is moved to a
location that’s missing after replication, the object is placed in this container.This allows you
to manage the lost object, and move it to a container that does exist.
www.syngress.com
39
256_70-294_01.qxd
40
9/3/03
11:19 AM
Page 40
Chapter 1 • Active Directory Infrastructure Overview
The System container is used for system settings.These are built-in settings for containers and objects used by Active Directory and Windows Server 2003.
Active Directory Domains and Trusts
The Active Directory Domains and Trusts console is used to manage domains and the trust
relationships between them. As shown in Figure 1.17, the console tree of this tool includes
a node for domains making up the network. By selecting the Active Directory Domains
and Trusts node, a listing of domains will appear in the right pane. Using this tool, you can
create, modify, and delete trust relationships between domains, set the suffix for UPNs, and
raise domain and forest functional levels.This enables administrators to control how
domains function, and how they interoperate.
Figure 1.17 Active Directory Domains and Trusts
Using the Active Directory Domains and Trusts console, you can create a variety of different types of trusts between domains and forests. Earlier, we discussed how parent and
child domains and domain trees use a two-way transitive trust to share resources between
domains.The two-way transitive trust means that both domains trust one another, as well as
any other domains with which they have similar trust relationships. In addition to this type
of trust, additional trusts can be created:
■
Shortcut trust
■
Forest trust
■
Realm trust
■
External trust
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 41
Active Directory Infrastructure Overview • Chapter 1
A shortcut trust is transitive, and can be either one-way or two-way.This means that
either one domain can trust another but not vice versa, or both domains can trust each
other.This type of trust is used to connect two domains in a forest, and is particularly useful
when the domains are in different trees. By creating a shortcut, one domain can connect
with another quickly, improving logon times between domains. Connection is quicker
because, when two domains in different trees connect via the implicit trusts that exist by
default, the trust path must go all the way up the tree to the root domain, across to the
other tree’s root domain, and back down the second tree. A shortcut trust, as its name indicates, creates a direct trust between the two domains in different trees.
To illustrate this, let’s look at the situation in Figure 1.18. If a user in DomainD wanted
to use resources in Domain2, he or she would be authenticating to a domain that is located
in a different tree.Without a shortcut trust, the connection would go through DomainA,
across the trust between the two trees to Domain1, and then to Domain2.With a shortcut
trust, DomainD and Domain2 would have a direct trust between them that could be used
for authentication. As we can also see in Figure 1.18, multiple shortcut trusts can exist,
allowing users to be authenticated to other domains that they commonly need to access.
Figure 1.18 Shortcut Trusts
DomainA
DomainB
Domain1
DomainD
Domain2
Domain3
DomainC
A forest trust is also transitive, and can be one-way or two-way. As shown in Figure 1.19,
this type of trust is used to connect two different forests, so that users in each forest can use
resources in the other. Using this type of trust, a user in a domain in one forest could be
authenticated and access resources located in a domain that’s in another forest.This allows
different areas of the network to be interconnected, even though they are separated by
administrative boundaries.
www.syngress.com
41
256_70-294_01.qxd
42
9/3/03
11:19 AM
Page 42
Chapter 1 • Active Directory Infrastructure Overview
Figure 1.19 Forest Trust
DomainA
Domain1
DomainB
DomainD
Domain2
Domain3
DomainC
Forest 1
Forest 2
A realm trust can be one-way or two-way, and can also be either transitive or nontransitive. Nontransitive means that the trust relationship doesn’t extend beyond the two parties.
For example, let’s say DomainA trusts DomainB, and DomainB trusts DomainC. Because
the trust is nontransitive, DomainA and DomainC don’t trust one another because there
isn’t a trust relationship between them. As shown in Figure 1.20, the realm trust is used
when a relationship needs to be created between a Windows Server 2003 domain and a
non-Windows realm that uses Kerberos version 5 (such as one running UNIX).
Figure 1.20 Realm Trust
DomainA
DomainB
Forest 1
www.syngress.com
UNIX Realm
256_70-294_01.qxd
9/3/03
11:19 AM
Page 43
Active Directory Infrastructure Overview • Chapter 1
The final type of trust that can be created is an external trust. An external trust is always
nontransitive, and can be either one-way or two-way. As shown in Figure 1.21, this type of
trust is used to create a relationship between a Windows Server 2003 domain and one running Windows NT 4.0. It can also be used to connect two domains that are in different
forests, and don’t have a forest trust connecting them.
Figure 1.21 External Trust
DomainA
Domain1
Domain2
DomainB
Forest 1
Forest 2
Windows NT 4.0 Domain
The Active Directory Domains and Trusts console is also used for raising domain and
forest levels, which enables additional features in Active Directory. Raising domain and
forest functional levels depends on what operating systems are running on servers, and is
something we discuss in greater detail later in this chapter.
EXAM WARNING
The Active Directory Domains and Trusts console allows you to create different
types of trust relationships to share information and resources between forests,
domains, and non-Windows Server 2003 networks. You can create one- and twoway transitive trusts, forest trusts, realm trusts, external trusts, and shortcut trusts.
Each has a specific use, and cannot be used in all circumstances. You should familiarize yourself with the use of each type of trust.
www.syngress.com
43
256_70-294_01.qxd
44
9/3/03
11:19 AM
Page 44
Chapter 1 • Active Directory Infrastructure Overview
Active Directory Sites and Services
Earlier in this chapter, we discussed how sites represent the physical structure of your network, and are important to replicating information in Active Directory.The Active
Directory Sites and Services console is used to create and manage sites, and control how
the directory is replicated within a site and between sites. Using this tool, you can specify
connections between sites, and how they are to be used for replication.
As shown in Figure 1.22, the Active Directory Sites and Services console has a number
of containers that provide information and functions on creating and maintaining sites.
When a domain is first installed on a DC, a site object named Default-First-Site-Name is
created.This container can (and should) be renamed to something that is meaningful to the
business. As mentioned earlier, additional sites can be created to improve replication
between sites, or domains can be added to this existing site.
Figure 1.22 Active Directory Sites and Services
The Inter-Site Transports container is used to create and store site links. A site link is a
connection between sites. Links created under the IP container use the Internet Protocol
(IP) as their transport protocol, while those created under SMTP use the Simple Mail
Transfer Protocol (SMTP).
The Subnets container is used to create and store objects containing information about
subnets on your network. Subnets are collections of neighboring computers that are subdivided within the network, using a common network ID. Using the Subnets container, you
can group different subnets together to build a site.
Now that we’ve looked at the MMC, and the snap-ins used to manage Active
Directory, let’s get a little hands-on experience. In Exercise 1.02, we’ll see how the MMC is
used to load the snap-ins we’ll use in future exercises.
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 45
Active Directory Infrastructure Overview • Chapter 1
EXERCISE 1.02
ADDING SNAP-INS TO THE
MICROSOFT MANAGEMENT CONSOLE
1. From the Run command in the Windows Start menu, type MMC, and
click OK.
2. When the MMC opens, click the Add/Remove Snap-in command on
the File menu.
3. When the Add/Remove Snap-in dialog box appears, click the
Standalone tab to select it. Click the Add button.
4. When the Add Standalone Snap-in appears, select Active Directory
Domains and Trusts from the listing and then click the Add button.
An entry for this snap-in should appear in the listing in the
Add/Remove Snap-in dialog box.
5. Select Active Directory Sites and Services from the listing and then
click the Add button. An entry for this snap-in should appear in the
listing in the Add/Remove Snap-in dialog box.
6. Select Active Directory Users and Computers from the listing and
then click the Add button. An entry for this snap-in should appear in
the listing in the Add/Remove Snap-in dialog box.
7. Click Close to return to the previous screen. At this point, three entries
should appear in the Add/Remove snap-in dialog box. Click OK to
close the dialog.
8. The console tree in the MMC should now contain nodes for each snapin. Expand each snap-in and notice that they contain objects and information relating to the aspects each snap-in deals with.
Command-Line Tools
Windows Server 2003 provides a number of command-line tools that you can use for managing Active Directory.These tools use commands typed in at the prompt, and can provide
a number of services that are useful in administering the directory.The command-line tools
for Active Directory include:
■
Cacls Used to view and modify discretionary access control lists (DACLs) on files.
■
Cmdkey Used to create, list, and delete usernames, passwords, and credentials.
www.syngress.com
45
256_70-294_01.qxd
46
9/3/03
11:19 AM
Page 46
Chapter 1 • Active Directory Infrastructure Overview
■
Csvde Used to import and export data from the directory.
■
Dcgpofix Restores Group Policy Objects (GPOs) to the state they where in
when initially installed.
■
Dsadd Used to add users, groups, computers, contacts, and OUs.
■
Dsget Displays the properties of an object in Active Directory.
■
Dsmod Used to modify users, groups, computers, servers, contacts, and OUs.
■
Dsmove Renames an object without moving it, or moves an object to a new
location.
■
Ldifde Used to create, modify, and delete objects from Active Directory.
■
Ntdsutil Used for general management of Active Directory.
■
Whoami Provides information on the user who’s currently logged on.
In the sections that follow, we will briefly discuss each of these tools, and show you
how they can assist you in performing certain tasks when administering Active Directory.
Cacls
Cacls is used to view and modify the permissions a user or group has to a particular
resource. Cacls provides this ability by allowing you to view and change DACLs on files. A
DACL is a listing of access control entries (ACEs) for users and groups, and includes permissions the user has to a file.The syntax for using this tool is:
Cacls filename
Cacls also has a number of switches, which are parameters you can enter on the command line to use a specific functionality.Table 1.1 lists the switches for Cacls.
Table 1.1 Switches for the Cacls Tool
Parameter
Description
/t
Change the DACLs of files in the current directory
and all subdirectories.
Edit the DACL.
Revokes the users’ rights.
Ignore any errors that might occur when changing
the DACL.
Grants rights to a specified user. Rights that can be
granted are: n (None), r (Read), w (Write), c
(Change), and f (Full Control).
/e
/r username
/c
/g username:permission
Continued
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 47
Active Directory Infrastructure Overview • Chapter 1
Table 1.1 Switches for the Cacls Tool
Parameter
Description
/p username:permission
Replaces the rights of a specified user. The rights
that can be replaced are: n (None), r (Read), w
(Write), c (Change), and f (Full Control).
Denies access to a specified user.
/d username
Cmdkey
Cmdkey is used to create, view, edit, and delete the stored usernames, passwords, and credentials.This allows you to log on using one account, and view and modify the credentials of
another user. As with other command-line tools we’ll discuss, cmdkey has a number of
switches that provided needed parameters for the tool to function.Table 1.2 lists these
parameters.
Table 1.2 Switches for the Cmdkey Tool
Parameter
Description
/add:targetname
Adds a username and password to the list, and specifies the computer or domain (using the targetname
parameter) with which the entry will be associated.
Adds generic credentials to the list.
Instructs cmdkey to retrieve credentials from a smart
card.
Provides the username with which this entry is to be
associated. If the username parameter isn’t provided,
you will be prompted for it.
Provides the password to store with this entry. If the
password parameter isn’t provided, you will be
prompted for it.
Deletes the username and password from the list. If
the targetname parameter is provided, the specified
entry will be deleted. If /ras is included, the stored
remote access entry is deleted.
Lists the stored usernames and credentials. If the
targetname parameter isn’t provided, all of the stored
usernames and credentials will be listed.
/generic
/smartcard
/user: username
/pass:password
/delete: {targetname | /ras}
/list: targetname
Csvde
Csvde is used to import and export data from Active Directory.This data is comma delimitated, so that a comma separates each value. Exporting data in this way allows you to then
www.syngress.com
47
256_70-294_01.qxd
48
9/3/03
11:19 AM
Page 48
Chapter 1 • Active Directory Infrastructure Overview
import it into other applications (for example, Microsoft Office tools such as Access and
Excel).Table 1.3 lists the parameters for this command.
Table 1.3 Switches for the Csvde Tool
Parameter
Description
-i
-f filename
-s servername
-c string1 string2
Used to specify the import mode.
Specifies the filename to import or export data to.
Sets the DC that will be used to import or export data.
Replaces the value of string1 with string2. This is often
used when importing data between domains, and the
DN of the domain data is being exported from (string1)
needs to be replaced with the name of the import
domain (string2).
Verbose mode.
Specifies the location for log files.
The portnumber parameter is used to specify the LDAP
port number. By default, the LDAP port is 389 and the
GC port is 3268.
The BaseDN parameter is used to specify the DN of a
search base for data export.
Used to set the search scope. The value of the scope
parameter can be Base, OneLevel, or SubTree.
Specifies a list of attributes to return in an export query.
If this parameter isn’t used, then all attributes are
returned in the query.
Specifies a list of attributes to omit in an export query.
Used to omit paged searches.
Used to omit attributes that apply to certain objects in
Active Directory.
-v
-j path
-t portnumber
-d BaseDN
-p scope
-l LDAPAttributeList
-o LDAPAttributeList
-g
-m
-n
Specifies that binary values are to be omitted from an
export.
-k
If errors occur during an import, this parameter specifies that csvde should continue processing.
-a username password
Specifies the username and password to be used when
running this command. By default, the credentials of
the user currently logged on are used.
-b username domain password Specifies the username, domain, and password to use
when running this command. By default, the credentials of the user currently logged on are used.
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 49
Active Directory Infrastructure Overview • Chapter 1
Dcgpofix
Dcgpofix is used to restore the default domain policy and default DC’s policy to they way
they were when initially created. By restoring these GPOs to their original states, any
changes that were made to them are lost.This tool has only two switches associated with it:
■
/ignoreschema Ignores the version number of the schema.
■
/target: {domain | dc | both} Specifies the target domain, DC, or both.
When the /ignoreschema switch is used, dcgpofix will ignore the version number of
Active Directory’s schema when it runs.This will allow it to work on other versions of
Active Directory, as opposed to the one on the computer on which dcgpofix was initially
installed.You should use the version of dcgpofix that was installed with your installation of
Windows Server 2003, as GPOs might not be restored if versions from other operating systems are used.
Dsadd
Dsadd is used to add objects to Active Directory.The objects you can add with this command-line tool are users, computers, groups, OUs, contacts, and quota specifications.To add
any of these objects, you would enter the following commands at the command prompt:
■
dsadd user Adds a user to the directory
■
dsadd computer Adds a computer to the directory
■
dsadd group Adds a group to the directory
■
dsadd ou Adds an OU to the directory
■
dsadd contact Adds a contact to the directory
■
dsadd quota Adds a quota specification to the directory
While the commands for this tool are straightforward, there is a variety of arguments
associated with each. For full details on these arguments, type the command at the command prompt followed by /?.This will display a list of parameters for each command.
Dsget
Dsget is used to view the properties of objects in Active Directory.The objects you can
view with dsget are users, groups, computers, servers, sites, subnets, OUs, contacts, partitions, and quota specifications.To view the properties of these objects, enter the following
commands:
■
dsget user Displays the properties of a user
■
dsget group Displays the properties of a group and its membership
■
dsget computer Displays the properties of a computer
www.syngress.com
49
256_70-294_01.qxd
50
9/3/03
11:19 AM
Page 50
Chapter 1 • Active Directory Infrastructure Overview
■
dsget server Displays the properties of a DC
■
dsget site Displays the properties of a site
■
dsget subnet Displays the properties of a subnet
■
dsget ou Displays the properties of an OU
■
dsget contact Displays the properties of a contact
■
dsget partition Displays the properties of a directory partition
■
dsget quota Displays the properties of a quota specification
While the commands for this tool are straightforward, there is a variety of arguments
associated with each. For full details on these arguments, type the command at the command prompt followed by /?.This will display a list of parameters for each command.
Dsmod
Dsmod is used to modify existing objects in Active Directory.The objects you can modify
using dsmod are users, groups, computers, servers, OUs, contacts, partitions, and quota specifications.To edit these objects, enter the following commands:
■
dsmod user Modifies the attributes of a user in the directory
■
dsmod group Modifies the attributes of a group in the directory
■
dsmod computer Modifies a computer in the directory
■
dsmod server Modifies the properties of a DC
■
dsmod ou Modifies the attributes of an OU in the directory
■
dsmod contact Modifies the attributes of a contact in the directory
■
dsmod partition Modifies a directory partition
■
dsmod quota Displays the properties of a quota specification
While the commands for this tool are straightforward, there is a variety of arguments
associated with each. For full details on these arguments, type the command at the command prompt followed by /?.This will display a list of parameters for each command.
Dsmove
Dsmove is used to either rename or move an object within a domain. Using this tool, you
can rename an object without moving it in the directory, or move it to a new location
within the directory tree.
EXAM WARNING
The dsmove tool can’t be used to move objects to other domains.
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 51
Active Directory Infrastructure Overview • Chapter 1
Renaming or moving an object requires that you use the DN, which identifies the
object’s location in the tree. For example, if you have an object called JaneD in an OU
called Accounting, located in a domain called syngress.com, the DN is:
CN=JaneD, OU=Accounting, DC=syngress, DC=com
The –newname switch is used to rename objects using the DN. For example, let’s say
you wanted to change a user account’s name from JaneD to JaneM.To do so, you would
use the following command:
Dsmove CN=JaneD, OU=Accounting, DC=syngress, DC=com –newname JaneM
The –newparent switch is used to move objects within a domain. For example, let’s say
the user whose name you just changed was transferred from Accounting to Sales, which
you’ve organized in a different OU container.To move the user object, you would use the
following command:
Dsmove CN=JaneM, OU=Accounting, DC=syngress, DC=com –newparent OU=Sales,
DC=syngress, DC=com
In addition to the –newname and –newparent switches, you can also use the parameters
listed in Table 1.4 to control how this tool is used.
Table 1.4 Switches for Dsmove
Parameter
Description
{-s Server –d Domain}
Specifies a remote server or domain to connect to. By
default, dsmove will connect to the DC in the domain
you logged on to.
Specifies the username to use when logging on to a
remote server.
Specifies the password to use when logging on to a
remote server. If you type the * symbol instead of a
password, you are then prompted to enter the pass-
-u Username
-p {Password | *}
word.
-q
{-uc | -uco | -uci}
Sets dsmove to suppress output.
Specifies dsmove to format input and output in
Unicode.
Ldifde
Ldifde is used to create, modify, and delete objects from the directory, and can also be used
to extend the schema. An additional use for this tool is to import and export user and
group information.This allows you to view exported data in other applications, or populate
Active Directory with imported data.To perform such tasks, ldifde relies on a number of
switches that enable it to perform specific tasks, listed in Table 1.5.
www.syngress.com
51
256_70-294_01.qxd
52
9/3/03
11:19 AM
Page 52
Chapter 1 • Active Directory Infrastructure Overview
Table 1.5 Switches for Ldifde
Parameter
Description
-I
Sets ldifde to import data. If this isn’t specified, then
the tool will work in Export mode.
Specifies the name of the file to import or export.
Specifies the DC that will be used to perform the
import or export.
Replaces the value of string1 with string2. This is
often used when importing data between domains,
and the DN of the domain data is being exported
from (string1) needs to be replaced with the name
of the import domain (string2).
Verbose mode.
Specifies the location for log files.
The portnumber parameter is used to specify the
LDAP port number. By default, the LDAP port is 389
and the GC port is 3268.
The BaseDN parameter is used to specify the DN of
a search base for data export.
Used to set the search scope. The value of the scope
parameter can be Base, OneLevel, or SubTree.
Specifies a search filter for exporting data.
Specifies a list of attributes to return in an export
query. If this parameter isn’t used, then all attributes
are returned in the query.
Specifies a list of attributes to omit in an export
query.
Used to omit paged searches.
Used to omit attributes that apply to certain objects
in Active Directory.
Specifies that binary values are to be omitted from
an export.
If errors occur during an import, this parameter
specifies that ldifde should continue processing.
Specifies the username and password to be used
when running this command. By default, the credentials of the user who’s currently logged on are
used.
Specifies the username, domain, and password to
use when running this command. By default, the
credentials of the user who’s currently logged on
are used.
-f Filename
-s Servername
-c string1 string2
-v
-j path
-t portnumber
-d BaseDN
-p scope
-r LDAPfilter
-l LDAPAttributeList
-o LDAPAttributeList
-g
-m
-n
-k
-a username password
-b username domain password
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 53
Active Directory Infrastructure Overview • Chapter 1
Ntdsutil
Ntdsutil is a general-purpose command-line tool that can perform a variety of functions for
managing Active Directory. Using Ntdsutil, you can:
■
Perform maintenance of Active Directory
■
Perform an authoritative restore of Active Directory
■
Modify the Time To Live (TTL) of dynamic data
■
Manage domains
■
Manage data in the directory and log files
■
Block certain IP addresses from querying the directory, and set LDAP policies
■
Remove metadata from DCs that were retired or improperly uninstalled
■
Manage Security Identifiers (SIDs)
■
Manage master operation roles (Domain Naming Master, Schema Master,
Iinfrastructure Master, PDC Emulator, and RID Master)
Typing ntdsutil at the command prompt will load the tool and the prompt will change
to ntdsutil:. As shown in Figure 1.23, by typing help at the command line, you can view
different commands for the tasks being performed. After entering a command, typing help
again will provide other commands that can be used. For example, typing metadata
cleanup after first starting ntdsutil, and then typing help will display a list of commands
relating to metadata cleanup.This allows you to use the command as if you were navigating
through menus containing other commands.You can return to a previous menu at any
time, or exit the program by typing Quit.
Figure 1.23 NTDSUTIL
www.syngress.com
53
256_70-294_01.qxd
54
9/3/03
11:19 AM
Page 54
Chapter 1 • Active Directory Infrastructure Overview
Whoami
Whoami is a tool for displaying information about the user who is currently logged on.
Using this tool, you can view your domain name, computer name, username, group names,
logon identifier, and privileges.The amount of information displayed depends on the
parameters that are entered with this command.Table 1.6 lists the available parameters.
Table 1.6 Switches for Whoami
Parameter
Description
/upn
/fqdn
/logonid
/user
/groups
/priv
/fo format
Displays the UPN of the user currently logged on.
Displays the FQDN of the user currently logged on.
Displays the Logon ID.
Displays the username of the user currently logged on.
Displays group names.
Displays privileges associated with the currently logged-on user.
Controls the format of how information is displayed. The format
parameter can have the value of: table (to show output in a table
format), list (to list output), or csv to display in a comma-delimited
format.
Displays username, groups, SIDs, and privileges for the user currently
logged on.
/all
EXERCISE 1.03
USING WHOAMI
1. From the Windows Start menu, click Command Prompt.
2. When the Command Prompt opens, type WHOAMI at the prompt and
then press the Enter key. The output will show the account you are
currently logged on with.
3. Type WHOAMI /UPN and then press Enter. The UPN of the currently
logged-on user will be displayed on the screen.
4. Type WHOAMI /FQDN and then press Enter. The FQDN of the user
that’s currently logged on will appear on the screen.
5. Type WHOAMI /PRIV and then press Enter. A listing of privileges associated with the account you are currently logged on with should appear
on the screen.
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 55
Active Directory Infrastructure Overview • Chapter 1
5. Type WHOAMI /ALL and then press Enter. As shown in Figure 1.24, a
listing of information relating to the account you’re currently logged
on with will be listed on the screen.
Figure 1.24 Results of Using the WHOAMI /ALL Command
Implementing Active Directory
1 Security and Access Control
EXAM
70-294
OBJECTIVE
Security is an important part of Windows Server 2003 and Active Directory.Two primary
methods of implementing security are user authentication and access control. Authentication
is used to verify the identity of a user or other objects, such as applications or computers.
After it’s been determined they are who or what they say they are, the process continues by
giving them the level of access they deserve. Access control manages what users (or other
objects) can use, and how they can use them. By combining authentication and access control, a user is permitted or denied access to objects in the directory.
Access Control in Active Directory
In Active Directory, permissions can be applied to objects to control how these objects are
used. Permissions regulate access by enforcing whether a user can read or write to an
object, has full control, or no access.Three elements determine a user’s access, and define
the permissions they have to an object:
www.syngress.com
55
256_70-294_01.qxd
56
9/3/03
11:19 AM
Page 56
Chapter 1 • Active Directory Infrastructure Overview
■
Security descriptors
■
Object Inheritance
■
Authentication
NOTE
Active Directory permissions are separate from share permissions (also called
shared folder permissions) and NTFS permissions (also called file-level permissions),
and work in conjunction with both.
Objects in Active Directory use security descriptors to store information about permissions, and control who has access to an object.The security descriptor contains information
that’s stored in access control lists (ACLs), which define who can access the object and what
they can do with it.There are two different types of ACLs in the security descriptor:
■
Security access control list (SACL)
■
Discretionary access control list (DACL)
The SACL is used to track an object’s security based on how a user or group accesses
the object. For example, you can audit whether a user was able to access the object using a
particular permission (such as Read,Write, or Full Control). Information about what to
audit is kept in ACEs, which are stored within the SACL.These entries control what is
audited, and contain information about the events to be logged. In doing this, records can
be kept on the security of objects, and whether specific users or groups are able to successfully access them.
As we saw earlier, when we discussed command-line tools for Active Directory, a
DACL is a listing of ACEs for users and groups, and includes information about the permissions that a user or group has to a file.The DACL controls whether a user is granted or
denied access to an object. ACEs in the DACL explicitly identify individual users and
groups, and the permissions granted to each. Because only users and groups identified in
the DACL can access an object in Active Directory, any user or group that isn’t specified is
denied access.
Active Directory places the permissions you can apply to objects into two categories:
standard permissions and special permissions. Standard permissions are those that are commonly applied to objects, whereas special permissions provide additional access control. For
most objects in Active Directory, five permissions are available as standard permissions:
■
Full Control Allows the user to change permissions, take ownership, and have
the abilities associated with all other standard permissions.
■
Read Allows the user to view objects, attributes, ownership, and permissions on
an object.
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 57
Active Directory Infrastructure Overview • Chapter 1
■
Write Allows the user to change attributes on an object.
■
Create All Child Objects Allows the user to add objects to an OU.
■
Delete All Child Objects Allows the user to delete objects from an OU.
Permissions can be set on objects by using the Active Directory Users and
Computers snap-in for the MMC. As shown in Figure 1.25, you can set permissions by
using the Security tab of an object’s Properties dialog box.The Security tab is hidden in
the Properties dialog box, unless the Advanced Features menu item is toggled on the
View menu first. After this is done, you can then bring up the Properties dialog box by
selecting an object and clicking Properties on the Action menu, or right-clicking on the
object and selecting Properties.
EXAM WARNING
Because changing permissions can cause major problems if done incorrectly, by
default the Security tab is hidden and needs to be enabled by turning on the
Advanced Features for Active Directory Users and Computers. Until this is done,
you will not be able to modify permissions.
Figure 1.25 Permissions Are Set on the Security Tab of the Object’s Properties
The top pane of the Security tab lists users and groups, and the lower pane lists the various permissions that can be applied to these users and groups.You can set permissions by
selecting one of these users and groups, and checking the applicable permissions. Special
permissions can be set for objects by clicking the Advanced button, which displays a
dialog box where additional permissions can be applied.
www.syngress.com
57
256_70-294_01.qxd
58
9/3/03
11:19 AM
Page 58
Chapter 1 • Active Directory Infrastructure Overview
Because it would take a while to assign permissions to every object in Active Directory,
object inheritance can be used to minimize how often and where permissions are assigned.
Object inheritance refers to how the permissions of a parent object are inherited by child
objects.When permissions are applied to a container, they are propagated to objects within
that container. For example, if a group had Full Control permissions on an OU, the group
would also have Full Control of any of the printer objects within that OU.The permissions
of one object flow down to any objects within the hierarchy, so child objects have the same
permissions as their parents.
Since there might be times when you don’t want the permissions from a parent to
propagate to child objects, inheritance can be blocked. By clearing the Allow Inheritable
Permissions From Parent To Propagate To This Object check box, the permissions
from containers higher in the hierarchy are blocked.When this is done, any permissions
that are modified on parent objects don’t apply to the child. Permissions for the child
object must be explicitly assigned.
EXERCISE 1.04
SETTING PERMISSIONS
ON
ACTIVE DIRECTORY OBJECTS
1. Open Active Directory Users and Computers by clicking selecting
Administrative Tools in the Windows Start menu, and then clicking on
the Active Directory Users and Computers menu item.
2. When the MMC opens with this snap-in installed, expand the console
tree so that your domain and the containers within it are visible.
3. Select your domain from the console tree. From the Action menu,
select New and then click the Organizational Unit menu item. As
shown in Figure 1.26, when the dialog box appears, name the new OU
TestOU, and then click OK. A new OU with this name should now
appear in the console tree beneath your domain.
Figure 1.26 New Object Dialog Box
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 59
Active Directory Infrastructure Overview • Chapter 1
4. In the View menu, click Advanced Features.
5. Select the TestOU OU. From the Action menu, click Properties.
6. When the Properties dialog box appears, click the Security tab. In the
list of usernames, select the name of the account you’re currently
logged on with.
7. In the pane below the list of usernames and groups, click the Full
Control check box under Allow, so that a check mark appears in it. You
now have full control of the OU.
8. Click the Advanced button to display the Advanced Security Settings
dialog box. When the dialog box appears, click the Permissions tab. As
shown in the Figure 1.27. Ensure that the Allow inheritable permissions from the parent to propagate to this object and all child
objects check box is checked. This will allow inheritable permissions to
be applied to this OU, and any within the container. Click OK to return
to the previous screen.
Figure 1.27 Advanced Settings Dialog Box
9. Click OK to exit the Properties dialog box.
www.syngress.com
59
256_70-294_01.qxd
60
9/3/03
11:19 AM
Page 60
Chapter 1 • Active Directory Infrastructure Overview
Role-Based Access Control
Access control can be managed based on the role an Active Directory object plays in an
organization. Since objects represent users, computers, and other tangible elements of an
organization, and these people and things serve different purposes in a company, it makes
sense to configure these objects so that they reflect the tasks they perform. Role-based administration is used to configure object settings, so that computers and users have the necessary
permissions needed to do their jobs based on the roles they fill.
The roles that users and computers are assigned correspond to the functions they serve
in a company.Two categories of roles can be used for role based access control: authorization and computer configuration.
Authorization roles are based on the tasks a person performs as part of his or her job. For
example, Help Desk personnel would need the ability to change passwords, while accountants would need to be able to access financial information and audit transactions. Using
role-based access control, you can give each person the access he or she needs to perform
these tasks.
Authorization roles are similar to security groups, to which users can become members
and acquire a level of security that gives them the ability to perform certain tasks. However,
authorization roles differ in that they are used for applications. Role-based access can be
applied to a single application, set of applications, or a scope within the application. Another
important difference is that role-based authorization can be dynamic, so that users become
part of a group membership as an application runs.This is different from security groups
that require membership to be set beforehand.
In the same way that users have different purposes in a company, so do computers. A
business might have DCs, mail servers, file servers,Web servers, and any number of other
machines providing services to users and applications in an organization. Computer configuration roles are used to control which features, services, and options should be installed and
configured on a machine, based on the function it serves in the company.
Authorization Manager
Authorization Manager is a snap-in for the MMC that allows you to configure role-based
access for applications. By using roles, you ensure that users only have access to the functions and resources they need to perform their jobs, and are prohibited from using other
features and resources they’re not authorized to use. For example, personnel in Payroll
would need to view information on employees (so they can be paid), but wouldn’t need to
access administrative features that allow them to modify passwords.
In Authorization Manager, roles are designed based on the tasks that are supported by
the application. After the role is developed, users and groups can then be assigned to the
role so they have the access necessary to perform these tasks.The tasks that are available for
users to use depend on the application, as the ability to support roles and the functions
available are part of the software design.
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 61
Active Directory Infrastructure Overview • Chapter 1
Active Directory Authentication
When you log on to a Windows Server 2003 domain, a single logon gives access to any
resources you’re permitted to use, regardless of their location on the network. A user doesn’t
need to re-enter a password every time the user accesses a server or other resources, because
any authentication after initially logging on is transparent. Because only one logon is needed,
the system needs to verify a person is who he or she claims to be, before any access is given.
Authentication is used to verify a user’s logon credentials.The primary method of determining the identity of a user is by logging on to the local computer and network, where a
person enters a username and password. If these don’t match the username and password for
the local computer or Active Directory account, the person isn’t able to gain access.
Operating systems such as Windows NT, 2000, and Server 2003 store account information in the SAM database.The SAM stores credentials that are used to access the local
machine.When a user logs on to a computer with a local user account that’s stored in the
SAM, the user is authenticated to the local machine.The user’s access is limited to just that
computer when logging on to the machine.
When users log on to the Windows Server 2003 domain, an account in Active
Directory is used to access network resources located within the domain, or in other
trusted domains.When a user logs on, the Local Security Authority (LSA) is used to log
users on to the local computer. It is also used to authenticate to Active Directory. After validating the user’s identity in Active Directory, the LSA on the DC that authenticates the
user creates an access token and associates a SID with the user.
The access token is made up of data that contains information about the user. It holds
information about the user’s name, group affiliation, SID, and SIDs for the groups of which
he or she is a member.The access token is created each time the user logs on. Because the
access token is created at logon, any changes to the user’s group membership or other security settings won’t appear until after the user logs off and back on again. For example, if the
user became a backup operator, he or she would have to log off and log back on before
these changes affected the user’s access.
TEST DAY TIP
Access control and authentication are vital parts of Active Directory’s security, so it
is important that you understand the features and controls of Active Directory. The
initial security feature that users will experience is the interactive logon. When
users log on, an access token is created to indicate the user’s security capabilities.
When changes are made to a user’s account, they will not apply to the user until
that user logs on to the domain.
www.syngress.com
61
256_70-294_01.qxd
62
9/3/03
11:19 AM
Page 62
Chapter 1 • Active Directory Infrastructure Overview
Standards and Protocols
Authentication relies on standards and protocols that are used to confirm the identity of a
user or object.Windows Server 2003 supports several types of network authentication:
■
Kerberos
■
X.509 certificates
■
Lightweight Directory Access Protocol/Secure Sockets Layer (LDAP/SSL)
■
Public Key Infrastructure (PKI)
As we’ll see in the paragraphs that follow, some of these standards and protocols not
only provide a method of authenticating users, but also the ability to encrypt data. By
encrypting data, you ensure that unauthorized users and applications won’t be able to view
or modify the data.The data is encoded at one end, and decoded at the other. By providing
encryption/decryption features, the privacy of information is better maintained.
Kerberos
Kerberos version 5 is an industry standard security protocol that Windows Server 2003 uses
as the default authentication service. It is used to handle authentication in Windows Server
2003 trust relationships, and is the primary security protocol for authentication within
domains.
Kerberos uses mutual authentication to verify the identity of a user or computer, and
the network service being accessed. Each side proves to the other that they are who they
claim to be. Kerberos does this through the use of tickets.
A Kerberos ticket is encrypted data that’s issued for authentication.Tickets are issued by
a Key Distribution Center (KDC), which is a service that runs on every DC.When a user
logs on, the user authenticates to Active Directory using a password or smart card. Because
the KDC is part of Active Directory, the user also authenticates to the KDC and is issued a
session key called a Ticket Granting Ticket (TGT).The TGT is generally good for as long as
the user is logged on, and is used to access a ticket granting service that provides another
type of ticket: service tickets. A service ticket is used to authenticate to individual services, by
providing the ticket when a particular service is needed.
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 63
Active Directory Infrastructure Overview • Chapter 1
Head of the Class…
Kerberos Made Easy
What with all the different elements making up the Kerberos process of authentication, it can be a little difficult wrapping your head around everything that’s going
on. A good way of understanding and remembering something is to compare it to
something familiar to you.
Being authenticated by Kerberos is a little like going to a theme park. The TGT
allows you to get into the park, where you can now get tickets to go on the rides.
These secondary tickets allow you to use services, and identify that you’re allowed
to use them.
With this analogy in mind, let’s take a second look at how Kerberos works:
1. The user logs on, and authenticates to the KDC.
2. A TGT is acquired from the KDC, which is then handed to the ticket
granting service.
3. The ticket granting service issues a service ticket to the client.
4. The service ticket is handed to the network service you want to access.
X.509 Certificates
X.509 is a popular standard for digital certificates, published by the International
Organization for Standardization (ISO). X.509 certificates are used to verify that the user is
who he or she claims to be. Digital certificates work as a method of identifying the user,
much as your birth certificate is used to identify you as a person.They can also be used to
establish the identity of applications, network services, computers, and other devices.
X.509 specifies the syntax and format of digital certificates; in other words, it explains
what is to be included in a digital certificate. An X.509 certificate includes information
about the user to whom the certificate was issued, information about the certificate itself,
and can include information about the issuer of the certificate (referred to as the certification authority (CA)).To prevent the certificate from being used indefinitely, it also contains
information about the time period during which the certificate is valid.
LDAP/SSL
LDAP is used by Active Directory for communication between clients and directory
servers. LDAP allows you to read and write data in Active Directory, but isn’t secure by
default.To extend security to LDAP communications, LDAP can be used over Secure
Sockets Layer/Transport Layer Security. Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) provide data encryption and authentication.TLS is the successor to SSL, and
is more secure. It can be used by clients to authenticate servers, and by servers to authenticate clients. Communication using TLS allows messages between the client and server to be
encrypted, so data being passed between the two isn’t accessible by third parties.
www.syngress.com
63
256_70-294_01.qxd
64
9/3/03
11:19 AM
Page 64
Chapter 1 • Active Directory Infrastructure Overview
PKI
Public Key Infrastructure (PKI) provides a means for organizations to secure their communications and transactions through the use of digital certificates and public key cryptography. Certificate Authorities (CAs) are an integral part of a PKI and are used to create and
manage the digital certificates and public keys that are throughout the enterprise. Public
key cryptography is used in combination with digital certificates for a variety of purposes,
which include authentication, authorization, confidentiality of data, verification of data
integrity, and non-repudiation. Public key cryptography uses two types of keys: a private
key and a public key.
For data confidentiality, the public key is used to encrypt session keys and data, and the
private key is used for decryption.The public key is openly available to the public, while
the private key is secret and known only to the person for whom it is created.The members of a key pair are mathematically related, but you cannot extrapolate the private key by
knowing the public key. Using the two keys together, messages can be encrypted and
decrypted using public key cryptography. Furthermore, only the possessor of the private key
can decrypt the message encrypted with the public key.
For authentication, the roles of the public and private keys are reversed.The private key
is used for encryption, and the public key is used for decryption.The private key is unique
to the person being identified, so each user has his or her own private key for authentication purposes. Because each private key has a corresponding public key, the public key is
used to decrypt information used for authenticating the user.
The public and private keys are generated at the same time by a CA.The CA creates and
manages keys, binding public and private keys to create certificates, and vouching for the
validity of public keys belonging to users, computers, services, applications, and other CAs.
In addition to a CA, a registration authority (RA) can also be used to request and
acquire certificates for others.The RA acts as a proxy between the user and the CA, and
relieves the CA of some of the burden of verification.When a user makes a request to a
CA, the RA can intercept the request, authenticate it, and then pass it on to the CA.When
the CA responds to the request, it sends it to the RA, which then forwards it to the user.
Private and public keys are created when someone or something needs to establish the
validity of his, her, or its identity.When the public and private keys are created, the private key
is given to the person or entity that wants to establish the credentials, and a public key is stored
so that anyone who wants to verify these credentials has access to it.When a person wants to
send a message using public key cryptography with the data encrypted so that it cannot be
read by anyone but the holder of the private key, the public key is acquired from the CA and
used to encrypt the message.When a person who holds the private key receives the message,
the public key is validated with the CA. Since the CA is trusted, this validates the authenticity
of the message.After this is done, the private key is then used to decrypt the message.
Conversely, if a person wants to send a message and ensure that he or she is the actual
sender, that person can encrypt the message with his or her private key.Then, the recipient
decrypts it with the sender’s public key, thereby proving that the message really did come
from that sender.
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 65
Active Directory Infrastructure Overview • Chapter 1
What’s New in Windows
1 Server 2003 Active Directory?
EXAM
70-294
OBJECTIVE
A number of enhancements and new features in the Windows Server 2003 Active Directory
weren’t available in Windows 2000 Server.These improvements allow various tasks and network operations to be performed more efficiently. However, although there are many new
features, the availability of a number of them depends on the environment in which DCs
are running.
When a Windows Server 2003 DC is created on a network, Active Directory is
installed with a basic set of features. Additional features can be enabled, but this is dependent on the operating systems running as DCs and the functional level (formerly called the
mode) that’s configured for the domain or forest.There are four different levels of functionality for Active Directory:
■
Windows 2000 mixed
■
Windows 2000 native
■
Windows 2003 interim
■
Windows 2003
If you’re upgrading from Windows 2000 Server on your network, you’re probably
familiar with the first two levels. Each of these appeared in Windows 2000, and provided
backward compatibility to older operating systems such as Windows NT 4.0, and allowed
control of what features were available in Active Directory.Windows Server 2003 interim
and Windows Server 2003 functionality are new to Active Directory, and weren’t available
in previous versions.
Windows 2000 mixed allows domains to contain Windows NT BDCs that can interact
with Windows 2000 and Windows Server 2003 servers. In this level, the basic features of
Active Directory are available to use. However, you aren’t able to nest groups within one
another, use Universal Groups that allow access to resources in any domain, or use Security
ID Histories (SIDHistory). Because it accommodates the widest variety of servers running
on your network, this is the default level of functionality when a Windows Server 2003 DC
is installed.
Windows 2000 native is the highest mode available for Windows 2000 and the next
highest level for Windows Server 2003 DCs.Windows 2000 native removes support for
replication to Windows NT BDCs, so these older servers are unable to function as DCs. In
this level, only Windows 2000 and Windows Server 2003 DCs can be used in the domain,
and support for Universal Groups, SIDHistory, and group nesting becomes available.
Windows 2003 interim is a new level that’s available in Windows Server 2003.This level
is used when your domain consists of Windows NT and Windows Server 2003 DCs. It provides the same functionality as Windows 2000 mixed mode, but is used when you are
upgrading Windows NT domains directly to Windows Server 2003. If a forest has never
had Windows 2000 DCs, then this is the level used for performing an upgrade.
www.syngress.com
65
256_70-294_01.qxd
66
9/3/03
11:19 AM
Page 66
Chapter 1 • Active Directory Infrastructure Overview
The highest functionality level for Active Directory is Windows 2003.The Windows
2003 level is used when there are only Windows Server 2003 DCs in the domain.When
this level is set for the domain, a considerable number of features are enabled.We discuss
these features later in this chapter, when we discuss new features that are available with
domain and forest functionality.
The number of features available for Active Directory is also dependent on whether the
functionality level has been raised for the domain or the entire forest.With domain-level
functionality, all servers in the domain are running Windows Server 2003.With this level,
different domains in a forest can be set to use different functionality levels.With forest-level
functionality, all domains in the forest are running Windows Server 2003 and have their
domain functionality raised to Windows Server 2003. As stated previously, there are four
different levels for Windows Server 2003 domain functionality.
Forest functionality can also be raised to enable features that apply to all domains in the
forest.With forest functionality, there are three different levels available:
■
Windows 2000
■
Windows 2003 interim
■
Windows 2003
Windows 2000 level allows Windows NT,Windows 2000, and Windows Server 2003
DCs on the network, and is the default level for a forest.The other two levels are the same
as the domain levels, in that Windows 2003 interim supports Windows Server 2003 DCs
and NT BDCs, while Windows 2003 level supports only Windows Server 2003 DCs on the
network.When the default level is raised to either of these other levels, additional features
in Active Directory become available.
To raise the forest functionality, you must first raise the functionality of domains within
the forest. Each domain in the forest must be raised to either Windows 2000 native or
Windows 2003 before the forest functionality can be raised to Windows 2003.When the
forest functional level is then raised to Windows 2003, any DCs in the forest’s domains will
have their domain functional level automatically raised to Windows 2003.
TEST DAY TIP
New features might be dependent on first raising the functional level of the
domain or forest. Remember which operating systems are allowed to exist at specific levels, and which features are available when all DCs are running Windows
Server 2003.
The tool used to raise domain and forest functional levels is Active Directory Domains and
Trusts. Raising domain levels is done by right-clicking the domain in the left console pane
and then clicking Raise Domain Functional Level from the menu that appears. As
shown in Figure 1.28, you then select the level to which you want to raise the domain, and
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 67
Active Directory Infrastructure Overview • Chapter 1
then click the Raise button. Raising forest functional levels is done similarly.To raise the
forest level, right-click the Active Directory Domains and Trusts node, and then click
Raise Forest Functional Level from the menu that appears (see Figure 1.28). Select the
level to which you want to raise the forest, and click Raise to complete the task.
Figure 1.28 Raise Domain Functional Level Dialog Box
When raising the forest or domain functional levels, it is important to remember that it
is a one-way change. After raising the level, you cannot lower it again later. For example, if
you raise the domain from Windows 2000 mixed to Windows 2003, you cannot return the
level to Windows 2000 mixed again.This means that you can’t add Windows NT BDCs or
Windows 2000 DCs to your domain after the upgrade, and any existing DCs need to be
upgraded or permanently removed from service. If you attempt to change the domain or
forest level after raising it to Windows 2003, a screen similar to Figure 1.29 will appear.
Figure 1.29 Raise Domain Functional Level Dialog Box After Raising the Domain
Functional Level
www.syngress.com
67
256_70-294_01.qxd
68
9/3/03
11:19 AM
Page 68
Chapter 1 • Active Directory Infrastructure Overview
EXAM WARNING
Raising the functional level is a one-way change. You cannot change your mind
later and then lower the level to accommodate older operating systems being used
as DCs. Before raising the level, ensure that operating systems not running
Windows Server 2003 can function in the new level or are upgraded or taken
offline permanently before the change.
New Features Available on
All Windows Server 2003 Computers
Before we look at the individual features that become available when you raise the domain
or forest level, let’s first discuss the new features available regardless of whether the domain
or forest level has been raised.The features and tools we’ll discuss next are available on all
versions of Windows Server 2003 that can act as DCs.
As discussed earlier in this chapter, a number of command-line utilities for Active
Directory enable administrators to perform certain tasks from the command prompt.This
allows administrators to manually enter commands to run operations from a command
prompt, or use these commands in batch files or scripts that can be scheduled to run at certain times.
We also saw earlier that the directory uses partitions to separate data into different collections, and that the application partition is used to store data that’s needed by specific
applications. Because this application-specific data is stored in its own partition, you can
configure Active Directory to replicate only this information to other DCs. Not replicating
the entire directory cuts down on the amount of time and network traffic needed to copy
data to other DCs.
Another new capability provided in Windows Server 2003 is that DCs can be created
from backups. Backups are used to copy data to other media such as tapes, and can be used
to restore lost data if problems arise. For example, if the hard disk on a server fails, you can
use the backup to restore the data to another disk and have the server up and running
again.This same process can be used to restore Active Directory to a new DC, avoiding the
need to replicate the entire directory to the DC across the network. Allowing additional
DCs to be added to an existing domain through the use of backups reduces the time it
takes to set up new DCs on the network.
You can use encryption to protect information that is being transmitted across the network. As previously discussed, LDAP can be used over SSL to encrypt data and ensure that
data isn’t tampered with.This protection prevents unauthorized users from accessing data
over the network.
Active Directory allows you to select multiple user objects, so that you can change the
attributes of more than one object at a time. After selecting two or more user objects in
Active Directory Users and Computers, you can bring up the properties and modify
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 69
Active Directory Infrastructure Overview • Chapter 1
the attributes that are common to each object.This capability makes it faster to manage
users, because you don’t have to make changes to each account individually.
Active Directory also provides the capability to drag and drop objects into containers.
By selecting an object with your mouse, you can then hold down your left mouse button
to drag the object to another location (such as another OU). Releasing the left button
drops the object into the container.This capability also makes it easy to add user and group
objects to groups. Dragging and dropping a user or group into another group adds it to the
group membership.
As we’ll see in the next chapter, a new object class has been added to Active Directory
called InetOrgPerson. InetOrgPerson is a type of object that’s used to represent users in nonMicrosoft directory services, and used just as a user object.The presence of this type of class is
important when directory information is migrated to Active Directory from these directories.
To prevent users, computers, and groups from creating an unlimited number of objects
in Active Directory,Windows Server 2003 has added quotas. Active Directory quotas are
used to limit how many objects are owned in a particular directory partition.While quotas
can be applied to almost every user, computer, and group, Domain Administrators and
Enterprise Administrators are exempted from these limits.
The quotas that are used to limit the ability of a user, computer, or group from creating
too many objects in Active Directory should not be confused with disk quotas, which are
also available on Windows Server 2003 servers (regardless of the functionality level being
used). Disk quotas can be used to limit the amount of hard disk space that can be used on a
volume that’s formatted in NTFS.The NTFS file system is more advanced than other file
systems such as FAT or FAT32, which can also be used to format volumes. By using disk
quotas on an NTFS volume, administrators can prevent users from filling up the hard disk
with an unlimited number of files.
Finally, searching for objects in Active Directory is easier and more efficient in
Windows Server 2003. Active Directory uses object-orientated searches to minimize network traffic, and provides the capability to save queries so that they can be reused repeatedly.The capability to save commonly used queries in Active Directory Users and
Computers is a topic we’ll look at in detail in Chapter 2.
New Features Available Only with
Windows Server 2003 Domain/Forest Functionality
When the domain or forest functional levels have been raised so that all DCs are running
Windows Server 2003, a number of new features become enabled.These features allow you
to modify elements of both your domain and forest, and provide advanced functions that
aren’t available until functionality levels are raised. In the paragraphs that follow, we will
look at the new features available in Active Directory when all DCs have been upgraded to
Windows Server 2003, and the functionality has been raised to Windows 2003.
www.syngress.com
69
256_70-294_01.qxd
70
9/3/03
11:19 AM
Page 70
Chapter 1 • Active Directory Infrastructure Overview
Domain Controller Renaming Tool
The DC renaming tool allows you to rename a DC without having to demote it first.This
can be useful when you need to restructure the network, or simply want to use a more
meaningful name for a particular DC.When this tool is used, the DC name changes, and
any Active Directory and DNS entries are automatically updated.
Domain Rename Utility
Domains can also be renamed. Using the domain rename utility (rendom.exe), you can
change the NetBIOS and DNS names of a domain, including any child, parent, domaintree, or forest root domains (from which all others branch off in the hierarchy). By
renaming domains in this manner, you can thereby move them in the hierarchy. For
example, you can change the name of dev.web.syngress.com to dev.syngress.com, making
the web.syngress.com and dev.syngress.com domains on the same level of the hierarchy.You
could even rename the domain so that it becomes part of a completely different domain
tree.The only domain that you can’t reposition in this manner is the forest root domain.
Forest Trusts
As we saw earlier, forest trusts can also be created, so that a two-way transitive trust relationship exists between two different forests. In creating such a trust, the users and computers in each forest are able to access what’s in both forests.This expands the network, so
users are able to use services and resources in both forests.
Dynamically Links Auxiliary Classes
Additional features have also been added to the schema.Windows Server 2003 supports
dynamically linked auxiliary classes, which allow additional attributes to be added to individual
objects. For example, you can have an auxiliary class that has attributes that are used for the
Accounting department, and others that are useful for the Sales department. By applying
the auxiliary classes to the objects, only those objects are affected. Rather than adding
attributes to an entire class of objects, dynamically linking auxiliary classes allows you to
apply additional attributes to a selection of objects.
Disabling Classes
Because certain objects in Active Directory might no longer be needed after a specific
point, you can disable classes and attributes that are no longer needed in the schema. Classes
and attributes can be disabled, but cannot be deleted. If schema objects are not longer
required, you can deactivate them, and reactivate them later if the situation changes.
Replication
Improvements have also been made in how Active Directory replicates directory data.
Rather than having the entire group membership replicated as a single unit, individual
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 71
Active Directory Infrastructure Overview • Chapter 1
members of groups can now be replicated to other DCs. In addition, changes have been
made to GC replication.When there is an extension of a partial attribute set, only the
attributes that have been added are replicated.These improvements decrease the amount of
network traffic caused by replication because less data is transmitted across the network.
EXERCISE 1.05
RAISING DOMAIN
AND
FOREST FUNCTIONALITY
This exercise should not be performed on a production network. It assumes
that all DCs in the domain are running Windows Server 2003. After raising the
functional levels, you will not be able to roll back to a previous level.
1. From the Windows Start menu, select Administrative Tools, and then
click the Active Directory Domains and Trusts menu item.
2. When Active Directory Domains and Trusts opens, expand the Active
Directory Domains and Trusts node, and select your domain.
3. From the Action menu, click Raise Domain Functional Level.
4. When the Raise Domain Functional Level dialog box appears, select
Windows Server 2003 from the drop-down list. Click the Raise button.
5. A warning message will appear, informing you that this action will
affect the entire domain, and after you raise the domain functional
level, it cannot be reversed. Click OK.
6. After you raise the level, a message box will inform you that the action
was successful. Click OK to continue.
7. In the context pane of Active Directory Domains and Trusts, select the
Active Directory Domains and Trusts node.
8. From the Action menu, click Raise Forest Functional Level.
9. When the Raise Forest Functional Level dialog box appears, select
Windows Server 2003 from the drop-down list. Click the Raise button.
10. A warning message will appear, informing you that this action will
affect the entire forest, and after you raise the forest functional level, it
cannot be reversed. Click OK.
11. After you raise the level, a message box will inform you that the action
was successful. Click OK to continue.
www.syngress.com
71
256_70-294_01.qxd
72
9/3/03
11:19 AM
Page 72
Chapter 1 • Active Directory Infrastructure Overview
Summary of Exam Objectives
Active Directory is a database with a hierarchical structure, storing information on
accounts, resources, and other elements making up the network.This information is stored
in a data source located on the server and replicated to other DCs on the network.The
information pertaining to Active Directory is organized into the schema, domain, and configuration partitions, and can also have additional information for programs stored in the
application partition.This data can be accessed over the network using LDAP.
To identify objects within the directory structure, Active Directory supports a variety of
different naming schemes.These include the Domain Name System (DNS), user principal
name (UPN), Universal Naming Convention (UNC), Uniform Resource Locator (URL)
and Lightweight Directory Access Protocol Uniform Resource Locator (LDAP URL).
Distinguished names (DNs), relative distinguished names (RDNs) and canonical names,
based on X.500 specifications, are also used to identify objects.
A variety of objects build the directory’s hierarchical structure, including users, computers, printers, other objects, and container objects that store them. In addition, other
components are used to make up the physical and logical structure of Active Directory. Sites
represent the physical structure of a network, while domains, trees, and forests represent the
logical structure.Together, they are the building blocks that make up Active Directory.
A primary administrative tool for managing Windows Server 2003 and Active
Directory is the Microsoft Management Console (MMC). Using this tool, you can load
snap-ins that are used to administer different aspects of Windows Server 2003 and Active
Directory.Three snap-ins are predominantly used to manage Active Directory: Active
Directory Users and Computers, Active Directory Domains and Trusts, and Active
Directory Sites and Services. In addition to these graphical tools, new command-line tools
can be used to perform administrative tasks.
Active Directory also provides mechanisms for access control and authentication.
Permissions can be applied to objects to control how they are used, while security descriptors, object inheritance, and authentication are used to determine a user’s access and the
permissions set on objects. Authentication methods that are supported include Kerberos,
X.509 certificates, LDAP over SSL, and PKI.Through these methods,Windows Server 2003
and Active Directory are secured from unauthorized access.
Windows Server 2003 provides a number of new features and tools. For some of these
to be available, the functional level of the domain and/or forest must be raised first.The
functional level is similar to the domain modes used in Windows Server 2000, where backward-compatible features become deactivated and new features that older operating systems
can’t use become available as you raise the level.
A good understanding of the purpose and function of directory services and the infrastructure and topology of Active Directory are key elements in getting the most out of this
powerful database. In this chapter, we provided the overview that is necessary to fully
understanding the more specific topics covered in the rest of the book.
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 73
Active Directory Infrastructure Overview • Chapter 1
Exam Objectives Fast Track
Introducing Directory Services
The Active Directory data store is a database of all directory information, and is
also referred to as the directory. It is a file called NTDS.DIT, and is located in the
NTDS folder in the systemroot.
When Active Directory is installed, three partitions exist on each DC: the domain
partition, the configuration partition, and the schema partition.There can also be
one or more application partitions.
Active Directory uses LDAP for communications between clients and directory
servers. LDAP is a light version of the X.500 Directory Access Protocol (DAP).
Understanding How Active Directory Works
Domains are logical groupings of network elements, consisting of computers,
users, printers, and other objects making up the network.
Active Directory allows multiple domains to be connected together in a hierarchy
called a domain tree, consisting of parent and child domains.
Active Directory has two forestwide master roles, and two domainwide master
roles that store master copies of information.The Schema Master and Domain
Naming Master roles are unique to one DC per forest, while the RID Master,
PDC Emulator, and Infrastructure Master roles are all unique to one DC per
domain.
Using Active Directory Administrative Tools
Active Directory Users and Computers allows you to administer user and
computer accounts, groups, printers, organizational units (OUs), contacts, and
other objects stored in Active Directory. Using this tool, you can create, delete,
modify, move, organize, and set permissions on these objects.
Active Directory Domains and Trusts is used to manage domains and the trust
relationships between them. Using this tool, you can create, modify, and delete
trust relationships between domains, set the suffix UPNs, and raise domain and
forest functional levels.
The Active Directory Sites and Services tool is used to create and manage sites,
and control how the directory is replicated within a site and between sites. Using
this tool, you can specify connections between sites, and how they are to be used
for replication.
www.syngress.com
73
256_70-294_01.qxd
74
9/3/03
11:19 AM
Page 74
Chapter 1 • Active Directory Infrastructure Overview
Implementing Active Directory
Security and Access Control
Active Directory divides the permissions you can apply to objects into two
categories: standard and special. Standard permissions are commonly applied to
objects, while special permissions provide additional access control.
Kerberos version 5 is an industry-standard security protocol that’s used by
Windows Server 2003 as the default authentication service. It is used to handle
authentication in Windows Server 2003 trust relationships, and is the primary
security protocol for authentication within domains.
Public Key Infrastructure (PKI) is a method of authentication that uses private
and public keys to provide authentication and encryption. For data confidentiality,
the public key is available to the public and is used to encrypt session keys and
data, while the private key is only know to the person for whom it is created, and
is used for decryption. For authentication, the private key is used for encryption,
and the public key is used for decryption.
What’s New in Windows Server 2003 Active Directory?
Domain functional levels can be raised to enable additional features in Active
Directory.There are four different levels of domain functionality:Windows 2000
mixed,Windows 2000 native,Windows 2003 interim, and Windows 2003.
Forest functional levels can also be raised to enable additional features in Active
Directory.There are three different levels of forest functionality:Windows 2000,
Windows 2003 interim, and Windows 2003.
Windows Server 2003 provides a number of command-line utilities that allow
administrators and users to manage and interact with Active Directory.
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 75
Active Directory Infrastructure Overview • Chapter 1
Exam Objectives
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are
designed to both measure your understanding of the Exam Objectives presented in
this chapter, and to assist you with real-life implementation of these concepts. You
will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: Which editions of Windows Server 2003 can be used as DCs?
A: Active Directory can be installed on Windows Server 2003 Standard Edition,Windows
Server 2003 Enterprise Edition, and Windows Server 2003 Datacenter Edition.When
Active Directory is installed on any of these editions, it will serve as a DC. Active
Directory cannot be installed on Windows Server 2003 Web Edition.
Q: How do I install Active Directory on a Windows Server 2003 member server, to make
it become a DC?
A: Use DCPROMO. DCPROMO invokes the Active Directory Installation Wizard, and
can be used to promote a member server to a DC.You can run it by clicking Start |
Run and typing dcpromo, or you can use the Configure Your Server wizard to
start the Active Directory installation.
Q: Why do Windows Server 2003 DCs use NetBIOS names when other naming schemes
are used?
A: NetBIOS names are used to provide backward support. NetBIOS names are used by
pre-Windows 2000 servers and clients, and allow users of those operating systems to log
on to Windows Server 2003 domains.
Q: I am creating a new Windows Server 2003 network, and have just installed the first DC
on the network.What must I do to create my first site, forest, and domain?
A: Nothing.When a DC is installed on the network, the first domain, forest, and site are
automatically created. Additional domains, forests, and sites can be created as needed,
just as additional DCs can be added. However, the first domain, forest, and site are created based on information you provided when you installed Active Directory.
Q: I want to set permissions on objects in Active Directory, so that unauthorized access to
these objects is prevented.What snap-in do I use?
www.syngress.com
75
256_70-294_01.qxd
76
9/3/03
11:19 AM
Page 76
Chapter 1 • Active Directory Infrastructure Overview
A: The Active Directory Users and Computers snap-in for the Microsoft
Management Console. Using this tool, you can modify permissions and control access.
This snap-in is already preconfigured in a console that you can access via Start |
Programs | Administrative Tools.
Q: I want to make security changes to a user account, but when I bring up the permissions using the Active Directory Users and Computers snap-in for the MMC, the
Security tab doesn’t appear.
A: The Security tab is hidden in the Properties dialog box, unless the Advanced
Features menu item is selected on the View menu first. After this is done, the
Security tab will appear when you bring up the properties for an object.
Self Test
A Quick Answer Key follows the Self Test questions. For complete questions, answers,
and explanations to the Self Test questions in this chapter as well as the other
chapters in this book, see the Self Test Appendix.
Introducing Directory Services
1. An employee has retired from the company, and you have just disabled his account so
no one can log on to the domain as this user.When this change is made, where will it
be stored in the directory?
A. Domain partition
B. Configuration partition
C. Schema partition
D. Application partition
2. Your company’s employees are represented by two unions. Management has a union
that represents the managers’ interests, while others in the company belong to another
union. Each union requires that dues be deducted from paychecks to pay for their
representation.The Finance department has requested that a field be added to each
user account, so that a code can be entered on the account to show which union each
employee belongs to.They have asked you to create this field.When this new attribute
has been added to user objects, where will it be stored in the directory?
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 77
Active Directory Infrastructure Overview • Chapter 1
A. Domain partition
B. Configuration partition
C. Schema partition
D. Application partition
3. You perform a search of Active Directory over the network, in search of an object
stored in the directory. In performing this search, what protocol will be used?
A. IPX/SPX
B. Directory Access Protocol (DAP)
C. Lightweight Directory Access Protocol (LDAP)
D. X.500
4. A user has the username JohnB. He wants to access a Microsoft Access database called
db.mdb that’s located on a DC called syngress.com, in a directory called DB. Using
the URL, what will this user enter into a browser to access the database?
A. JohnB@syngress.com
B. syngress.com
C. http://syngress.com/DB/db.mdb
D. \\syngress.com\DB\db.mdb
5. A user with the username of JaneD works in the Sales department. Her account is
located in the syngress.com domain. Based on this information, what canonical name
would be used to identify this object in Active Directory?
A. CN=JaneD
B. /CN=JaneD /OU=Sales /DC=syngress /DC=com
C. OU=Sales
D. /syngress.com/Sales/JaneD
Understanding How Active Directory Works
6. You are making changes to object classes and attributes used in Active Directory. On
which of the following DCs will you make these changes?
A. Schema Master
B. RID Master
C. Infrastructure Master
D. PDC Emulator
www.syngress.com
77
256_70-294_01.qxd
78
9/3/03
11:19 AM
Page 78
Chapter 1 • Active Directory Infrastructure Overview
7. Your network consists of two forests, with two domains in one forest and three
domains in the other. Based on this information, how many of the following master
roles will be in the forests and domains?
A. There will be five Schema Masters, Domain Naming Masters, RID Masters, PDC
Emulators, and Infrastructure Masters.
B. There will be two Schema Masters, Domain Naming Masters, RID Masters, PDC
Emulators, and Infrastructure Masters.
C. There will be five Schema Masters and Domain Naming Masters, and two RID
Masters, PDC Emulators, and Infrastructure Masters.
D. There will be two Schema Masters and Domain Naming Masters, and five RID
Masters, PDC Emulators, and Infrastructure Masters.
8. A user recently changed her last name, and you make changes to the user object in
the directory to reflect this. Just before the change, inter-site replication has taken
place using the default schedule. Just after the change, a link between the DC on
which the changes were made and the DC in the other site fails. It will be another
hour until the link is back up again.There are four DCs in each site.Which of the
following will occur?
A. Replication between the DCs will occur normally, because at least two connections to each DC are created by the Knowledge Consistency Checker (KCC).
Because one has failed, the other connection will be used.
B. Replication between the DCs won’t occur. After 15 seconds, a notification of the
change will be sent out, and replication partners will then request updated data.
C. Replication will occur normally, because the information won’t be replicated until
three hours after the last replication.
D. Another link will be used to replicate the data, based on the information gathered
by the topology generator.
Using Active Directory Administrative Tools
9. You are using the Microsoft Management Console (MMC) to administer objects in
Active Directory.You decide to view information about a DC.Which of the following
snap-ins will you use to view this information?
A. Active Directory Users and Computers
B. Active Directory Domains and Trusts
C. Active Directory Sites and Services
D. Dcgpofix
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 79
Active Directory Infrastructure Overview • Chapter 1
10. Your company has merged with another company that uses UNIX machines as their
servers. Users in your Windows Server 2003 domain need to access information on
these UNIX machines, but you don’t want to have information accessed by clients
outside your domain.Which of the following types of trusts will you create to make it
possible to share information in this way?
A. One-way transitive forest trust
B. Two-way transitive realm trust
C. One-way nontransitive realm trust
D. External trust
Implementing Active Directory
Security and Access Control
11. There is a concern about someone accessing objects in Active Directory using
someone else’s account.You want to audit an object to view how users and groups are
accessing it. In setting auditing on this object, where will information on what to
track be stored?
A. Discretionary access control list
B. Security access control list
C. X.509
D. Auditing isn’t provided on objects
12. You are configuring permissions on Active Directory so that managers can modify the
user objects in the OU representing the department each manager is in charge of. In
configuring these permissions, you also want each manager to have the ability to
create new OUs within the OU representing his or her department.You want to give
the most restrictive permissions to achieve these tasks.What permissions will you give
these managers? (Choose all that apply.)
A. Read
B. Write
C. Create All Child Objects
D. Delete All Child Objects
13. You have set permissions on a parent container, and want to prevent these permissions
from being applied to a child container within it. How will you achieve this?
www.syngress.com
79
256_70-294_01.qxd
80
9/3/03
11:19 AM
Page 80
Chapter 1 • Active Directory Infrastructure Overview
A. In Active Directory Users and Computers, open the properties of the parent
OU, and select the Security tab. Click the Advanced button, and when the
dialog box appears, ensure that the Allow Inheritable Permissions From
Parent To Propagate To This Object check box is checked.
B. In Active Directory Users and Computers, open the properties of the parent
OU, and select the Security tab. Click the Advanced button, and when the
dialog box appears, ensure that the Allow Inheritable Permissions From
Parent To Propagate To This Object check box is cleared.
C. In Active Directory Sites and Services, open the properties of the parent OU,
and select the Security tab. Click the Advanced button, and when the dialog
box appears, ensure that the Allow Inheritable Permissions From Parent To
Propagate To This Object check box is cleared.
D. The objective cannot be achieved. Permissions will always be inherited by child
objects.You must move the OU so it is at the same level in the hierarchy as the
parent container.
What’s New in Windows Server 2003 Active Directory?
14. You are upgrading your existing network to use Windows Server 2003.The network
has Windows NT 4.0 domain controllers and the Windows Server 2003 server you’re
adding to the domain. After adding the first Windows Server 2003 DC to the network, you want to raise the domain functional levels to the highest level available for
your network.To which level will you raise the domain?
A. Windows 2000 mixed
B. Windows 2000 native
C. Windows 2003 interim
D. Windows 2003
15. You are upgrading your domain to use a mix of Windows 2000 and Windows Server
2003 DCs. After installing the first Windows Server 2003 DC on the domain, you
want to raise the domain functional level to the highest level possible.Which of the
following will you choose?
A. Windows 2000 mixed
B. Windows 2000 native
C. Windows 2003 interim
D. Windows 2003
www.syngress.com
256_70-294_01.qxd
9/3/03
11:19 AM
Page 81
Active Directory Infrastructure Overview • Chapter 1
Self Test Quick Answer Key
For complete questions, answers, and explanations to the Self Test questions in this
chapter as well as the other chapters in this book, see the Self Test Appendix.
1. A
9. A
2. C
10. C
3. C
11. B
4. C
12. A, B, C
5. D
13. B
6. A
14. C
7. D
15. B
8. C
www.syngress.com
81
256_70-294_01.qxd
9/3/03
11:19 AM
Page 82
256_70-294_02.qxd
9/3/03
11:33 AM
Page 83
Chapter 2
MCSA/MCSE 70-294
Working with User,
Group, and Computer
Accounts
Exam Objectives in this Chapter:
3
Planning and Implementing User, Computer, and Group
Strategies
Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions
Self Test
Self Test Quick Answer Key
83
256_70-294_02.qxd
84
9/3/03
11:33 AM
Page 84
Chapter 2 • Working with User, Group, and Computer Accounts
Introduction
An important part of the network administrator’s job involves management of the network’s
users and computers.Windows Server 2003 assigns accounts to both users and computers for
security and management purposes. User accounts can be further managed by placing them
in groups so that tasks—such as assigning permissions—can be applied to an entire group of
users simultaneously rather than having to do so for each individual user account.
This chapter introduces you to the concept of security principles—users, groups, and
computers—and the Security Identifiers (SIDs) that are used to represent them.You’ll learn
about the conventions and limitations for naming these objects.
We show you how to work with Active Directory user accounts, including the built-in
accounts and those you create.You’ll also learn to work with group accounts, and you’ll
learn about group types and scopes.You’ll learn to work with computer accounts, and how
to manage multiple accounts.We’ll show you how to implement user principal name
(UPN) suffixes, and we’ll discuss how to move objects within Active Directory.
You’ll learn to use the built in tools—both graphical and command line—to perform
the common administrative tasks associated with the management of users, groups, and
computers; and the exercises will walk you through the steps of creating and managing all
three types of accounts.
Understanding Active Directory
3 Security Principal Accounts
EXAM
70-294
OBJECTIVE
Active Directory is made up of a wide variety of different directory service objects. Among
these objects are security principal accounts, which consist of the following:
■
User accounts
■
Computer accounts
■
Groups
Security principal accounts are used in authentication and access control, and provide a
means to manage what can be accessed on the network. Based on the security settings associated with a security principal account, you can control whether a user, group, or computer has access to Active Directory, printer, and file system objects, as well as domain
controllers (DCs), member servers, client computers, applications, and other elements of the
network.They are a major factor in keeping your network protected and controlling what
users and computers are authorized to access.
Because security principals represent people, services, computers, and others who individually and collectively access the directory, there are a number of different ways to identify
them. Some names might be familiar to you, such as the username you use to log on to
www.syngress.com
256_70-294_02.qxd
9/3/03
11:33 AM
Page 85
Chapter name • Chapter 2
Windows Server 2003 or the name identifying your computer on the network, while others
are used for specific technologies (such as Web browsers) or backward compatibility to older
operating systems. As we’ll see later, the different names provide friendly and unique methods
of identifying users, groups, and computers.
Security Principals and Security Identifiers
Security principals get their name because they are Active Directory objects that are
assigned SIDs when they are created.The SID is used to control access to resources and by
internal processes to identify security principals. Because each SID is unique, unless security
is breached, there is no way for accounts to mistakenly gain access to restricted resources
when the system is properly configured by an administrator.
SIDs are able to remain unique because of the way they are issued. In each domain,
there is a DC that acts as a Relative ID (RID) Master.The RID Master is responsible for
generating relative identifiers, which are used in creating SIDs.The SID is a number that
contains a domain security identifier and relative identifier.The domain ID is the same for
all objects in the domain, but the relative identifier is unique. A pool of these numbers is
issued to each DC within the domain, so they can be assigned to security principals that are
created on the DC.When 80 percent of the numbers in the pool have been assigned to
objects, DCs will then request a new pool from the RID Master.
SIDs are used because unlike the names associated with objects, SIDs don’t change.
When the object is created, a unique alphanumeric value is associated with it, and this stays
with the object until it is deleted. Such things as changing the object’s name or other
attributes don’t affect the SID. For example, if you created a user account called “Jane Doe,”
a SID would also be generated for that account. If you later changed the account’s name to
“Jane Smith,” the object’s name would be altered, but the SID would remain the same. If
the name were used to determine access, it would appear that a completely different user
was attempting to access resources in the domain. Because the SID is used to determine
access, the user’s identity remains constant, and any access the user has will be unaffected.
TEST DAY TIP
Don’t forget that the only accounts that are security principals are user accounts,
computer accounts, and group accounts. These are the only objects that are given
SIDs at the time they are created. If one of these accounts were deleted, and then
recreated with the same information, it would be given a new SID and appear to
internal processes and access control lists (ACLs) as a completely different account.
To better understand a SID, you could compare it to an employee ID.When an
employer issues you one of these numbers, it doesn’t change as situations change in your
life.You could change your name, address, office location, title in the company, or other
identifying factors, but this number will always be your number.The SID is used in the
same manner.
www.syngress.com
85
256_70-294_02.qxd
86
9/3/03
11:33 AM
Page 86
Chapter 2 • Working with User, Group, and Computer Accounts
As shown in Figure 2.1, the SID is used as part of the authentication process.When a
user logs on to a domain, the Local Security Authority (LSA) is used to authenticate to
Active Directory, and create an access token.The access token is used for controlling a user’s
access to resources, and contains the user’s logon name and SID, the names and SIDs for any
groups the user is a member of, and privileges assigned to the user.The token is created
each time the user logs on, and holds all of the information needed for access control.
Figure 2.1 How Security Identifiers Are Used in Access Control
User account is created
and SID is generated for
new account
Domain Controller
User logs on to domain,
and an access token is
created
SID
user
Windows 2003
Domain
Access Token
SIDs in access token are
compared to ACL of
resource. If they match,
user can access resource
Resource
Access
Control
List
When a user attempts to access a resource,Windows Server 2003 compares the SID
with the resource’s security descriptor. A security descriptor contains two components, the
discretionary access control list (DACL) and the system access control list (SACL). An ACL
contains access control entries (ACEs), which are used to control or monitor access to a
resource. An ACE determines whether a user associated with a particular SID is to be
allowed or denied access, or whether the user is to be audited.
The SACL is used for auditing access to a resource. An ACE in a SACL contains information on whether logging should be generated on attempts to access a resource.This logging can be generated when a specified user or group attempts to access a resource and is
successful, fails, or both.
The DACL is used for a different purpose. DACLs determine whether a security principal is granted or denied access to a resource.The DACL catalogs who has access to the
www.syngress.com
256_70-294_02.qxd
9/3/03
11:33 AM
Page 87
Chapter name • Chapter 2
resource and what level of access they have.When a user tries to access an object, the user’s
SID is compared to entries in the DACL. If the user’s SID or the SID of a group he or she
belongs to matches an entry in the DACL, that user can be either explicitly permitted or
denied access to use the resource.
When users access a resource, a process begins to determine the level of access they
have, based on the permissions they have to a resource.The system will first determine
whether a DACL exists on a resource. If it does not, then there is no access control for the
resource, so access is granted. If a DACL does exist, then the system will go through the
ACEs until one or more matches are found, or until it finds an ACE that specifies that
access is denied.
NOTE
On a Windows Server 2003 computer using the NTFS file system, all file and folder
objects will have DACLs that control access to local resources and allow auditing.
When using the FAT file system, they will not.
When a security principal attempts to access a resource that is protected by a DACL,
each ACE in the DACL is analyzed in sequence to determine if access should be allowed or
denied. As shown in Figure 2.2, the SID of the user and any groups he or she belongs to is
compared to the ACEs in the DACL.Windows Server 2003 will look at each ACE until
one of the following occurs:
■
An entry is found that explicitly denies access to the resource.
■
One or more entries are found that explicitly grants access to the resource.
■
The entire DACL is searched but no ACE is found that explicitly grants or denies
access. Since no entry is found, the security principal is implicitly denied access.
In Figure 2.2, one user is granted access while the other is denied access.When the
SIDs associated with the access token of the JaneS user is compared with the entries in the
DACL, the system will find that she is a member of GroupA (which has Read and Write
access) and GroupB (which has Execute access). Because of her membership in these
groups, she will be granted Read,Write, and Execute permissions for the resource.When
the SIDs associated with the access token of the JohnD user is compared with the DACL,
the system will find that he is a member of GroupB, which has Execute permission for the
resource. However, there is also an ACE that explicitly denies JohnD Read,Write, and
Execute access.When the user’s SID is compared with this entry, he will be denied access.
In general, the most permissive combination of permissions will be allowed when a user
accesses a resource, unless an explicit deny is assigned.
www.syngress.com
87
256_70-294_02.qxd
88
9/3/03
11:33 AM
Page 88
Chapter 2 • Working with User, Group, and Computer Accounts
Figure 2.2 The User’s SID Is Compared with the DACL’s ACE to Determine Access
Access Token
Access Token
JohnD
GroupB
JaneS
GroupA
GroupB
Granted Access
Denied Access
DACL
ACE
1
Access Denied
JohnD
Read, Write,Execute
ACE
2
Access Granted
GroupA
Read, Write
ACE
3
Access Granted
GroupB
Execute
In addition to containing the user’s SID and the SIDs of any groups the user is a
member of, the access token might also contain additional SIDs that result from group
membership the operating system assigns dynamically or other special logon scenarios.
These SIDs are common to installations of Windows Server 2003 in a stand-alone and/or
Active Directory environment, and for this reason are referred to as well-known security identifiers.Table 2.1 lists the different types of well-known SIDs.
Table 2.1 Well-Known Security Identifiers
Type of SID
SID
Description
Anonymous Logon
S-1-5-7
Authenticated Users
S-1-5-11
Used when a user logs on without supplying
a username and password.
Used when users or computers have been
authenticated with individual accounts. The
exception is when someone logs on with the
Guest account, as this isn’t considered an
authenticated user.
Continued
www.syngress.com
256_70-294_02.qxd
9/3/03
11:33 AM
Page 89
Working with User, Group, and Computer Accounts • Chapter 2
Table 2.1 Well-Known Security Identifiers
Type of SID
SID
Description
Batch
S-1-5-3
Creator Owner
S-1-3-0
Creator Group
S-1-3-1
Dialup
S-1-5-1
Everyone
S-1-1-0
Interactive
S-1-5-4
Local System
S-1-5-18
Network
S-1-5-2
Other Organization
S-1-5-1000
Self/Principal Self
S-1-5-10
Service
S-1-5-6
Used when users log on through a batch
queue facility, such as when scheduled tasks
are run under a specific account.
Used as a placeholder in inheritable ACEs.
When an ACE is inherited, this SID is replaced
with the SID of the current owner of the
object.
Used as a placeholder in inheritable ACEs.
When an ACE is inherited, this SID is replaced
with the SID of the primary group to which
the object’s current owner belongs.
Used when the user logs on to the system
using a dial-up connection.
Used to specify the Everyone group. In
Windows Server 2003, this includes authenticated users and the Guest account. Earlier
versions of Windows include these accounts
and anonymous logons.
Used for users who are logged on to the local
machine (as opposed to connecting via the
network) or connected through Terminal
Services.
Used for a service account that’s run by
Windows.
Used when a user logs on through a network
connection. Because of the methods in which
interactive users log on to the system, this
type of SID isn’t used for their access tokens.
Used to determine whether users from other
domains or forests are permitted to authenticate to services.
Used as a placeholder in ACEs. When permissions are granted to Principal Self, they are
given access to the security principal represented by the object. The SID acting as a
placeholder is replaced during access checks
with the SID for the user, group, or computer
represented by the object.
Used for security principals that log on as a
service.
Continued
www.syngress.com
89
256_70-294_02.qxd
90
9/3/03
11:33 AM
Page 90
Chapter 2 • Working with User, Group, and Computer Accounts
Table 2.1 Well-Known Security Identifiers
Type of SID
SID
Description
Terminal Server Users
S-1-5-13
This Organization
S-1-5-15
Used for users that log on to a Terminal
Services server running in Terminal Services
version 4.0 application compatibility mode.
Used to add data to the authentication information of the user who’s logged on by the
authentication server. This is used if the Other
Organization SID isn’t used.
Tools to View and Manage Security Identifiers
Windows Server 2003 provides command-line utilities that can be used to view and
manage SIDs. Because of the way in which SIDs are handled in a domain, it is rare to ever
need this capability. However, should the need arise, it is useful to know these tools exist.
As we saw in Chapter 1,” Active Directory Infrastructure Overview,” the WHOAMI
tool allows you to display information about the user who is currently logged on. By using
the /ALL parameter, you can display all of the user’s access token information, including
information on the username, groups, associated SIDs, and privileges, for the user who is
currently logged on.The syntax for viewing this information is:
WHOAMI /ALL
The NTDSUTIL tool is another utility we discussed in the previous chapter.This tool
is a general-purpose tool that provides a variety of functionality. Using various menus, this
text-based tool allows you to navigate through functions that (among other things) allow
you to manage SIDs in rare instances where duplicate SIDs exist.
EXAM WARNING
The functionality of WHOAMI and NTDSUTIL are quite different. Although both are
tools for working with SIDs, WHOAMI is only used to view SID information, while
NTDSUTIL is a tool for managing duplicate SIDs that might exist in Active Directory.
To avoid potential conflicts of DCs issuing the same SID to an object, only one RID
Master exists in a domain.While this will generally ensure that SIDs are unique within a
domain, there is the remote possibility that duplicate SIDs can be still be issued. An administrator has the ability to assign the role of RID Master to another DC in the domain. If
the RID Master was temporarily unavailable and an administrator seized the RID Master
role on another DC, there would be two RID Masters when the original RID Master
became available.This generally isn’t a problem, because the RID Masters will recognize
that there are two of them in the domain during the next replication cycle, and one of the
www.syngress.com
256_70-294_02.qxd
9/3/03
11:33 AM
Page 91
Working with User, Group, and Computer Accounts • Chapter 2
two will relinquish its role. However, in this situation, if two DCs requested a new pool of
relative IDs while both RID Masters were active, then two sets of identical numbers could
be issued to the DCs.
Duplicate SIDs can be found and dealt with by using the Security Account
Management menu of NTDSUTIL. By typing security account management from the
NTDSUTIL prompt, commands shown in Table 2.2 can be accessed. Using these commands, you can check the domain for any objects with duplicate SIDs and delete them to
resolve the issue.
Table 2.2 Commands Available in NTDSUTIL from the Security Account
Management Menu
Command
Description
Check duplicate SID
Checks the local SAM or domain database for
objects with duplicate SIDs.
Checks the local SAM or domain database for
objects with duplicate SIDs and deletes them.
Specifies the server or DC to connect to. %s is a
variable denoting the server or DC to connect to.
Specifies where to create a log file. %s is a variable
denoting a location. If this parameter isn’t used,
events will be logged to a file named dupsid.log
that will be placed in the root folder of the profile
for the user who executes the command.
Returns to previous menu. When the main menu is
displayed again, this command will exit you from
NTDSUTIL.
Cleanup duplicate SID
Connect to server %s
Log file %s
Quit
? or help
Displays help
Now that we’ve discussed these tools and the tasks you can perform with them that
relate to SIDs, let’s put this knowledge to practice in Exercise 2.01
EXERCISE 2.01
VIEWING AND MANAGING SECURITY IDENTIFIERS
1. From the Windows Start menu, click the Command Prompt menu
item.
2. When the command prompt opens, type WHOAMI /ALL and then press
the Enter key. A list of information about the account you’re currently
logged on with will appear on the screen. In this listing, information on
SIDs associated with your account will also be displayed.
www.syngress.com
91
256_70-294_02.qxd
92
9/3/03
11:33 AM
Page 92
Chapter 2 • Working with User, Group, and Computer Accounts
3. When you have finished viewing the list of information, type NTDSUTIL
at the prompt, and then press the Enter key.
4. At the prompt, type security account management, and then press
the Enter key.
5. At the Security Account Maintenance prompt, type connect to server
localhost to establish a connection to your local computer. You can
also use an IP address, NetBIOS, or DNS name to make this connection
to your local computer or a remote one.
6. At the Security Account Maintenance prompt, type one of the following:
■
To check for duplicate SIDs but not remove them, type check duplicate sid, and then press the Enter key.
■
To both check for duplicate SIDs and remove any that are found,
type cleanup duplicate sid and then press the Enter key.
7. Use Notepad to open the dupsid.log file in the root folder of your user
profile to determine if any duplicates were found or removed.
8. At the command prompt, type Quit and then press the Enter key to
return to the previous menu. Type Quit and then press Enter again to
exit NTDSUTIL.
Naming Conventions and Limitations
In looking at the relationship between security principals and SIDs, it becomes apparent
that it would be difficult to use SIDs as the sole method of identifying an account.While
SIDs uniquely identify users, computers, and groups, trying to remember the SID of users
and computers you commonly access through the directory would be almost impossible.
For this reason, various naming conventions are used to distinguish objects in Active
Directory.
Every object in Active Directory has a name to make it easier to find and use.When
naming these objects, each object must be unique so that multiple objects can’t be confused
with one another.This doesn’t mean that two objects can’t be named the same within
Active Directory; just that two objects with the same name can’t exist within the same
administrative boundary under certain circumstances.
In Windows Server 2003, a number of different boundaries exist to logically group
objects and manage them. For example, domains provide a boundary that allows two computers with the same name to exist in different domains. If you had a computer named
server1 in one domain and another computer with this same name in a different domain,
www.syngress.com
256_70-294_02.qxd
9/3/03
11:33 AM
Page 93
Working with User, Group, and Computer Accounts • Chapter 2
there would be no conflict. Similarly, UPNs in Windows Server 2003 must be unique in
each forest, and Pre-Windows 2000 logon names must be unique in each domain. As you
can see, there are a number of complex naming rules that you’ll need to familiarize yourself
with for the exam. Even if you’re new to Windows Server 2003 networks, you’re probably
familiar with how domains are named on the Internet, which is the largest DNS namespace
in the world. DNS is used to resolve domain names to IP addresses (and vice versa), and
also provides a standard method of naming domain structures. Active Directory domains
follow the same naming conventions as DNS. For example, syngress.com can be both an
Active Directory domain name and a DNS domain name. Active Directory and DNS are
tightly integrated, which is why the domain names in Active Directory require corresponding DNS namespaces.
As shown in Figure 2.3, an Active Directory namespace is arranged in a hierarchy. In
the hierarchy, objects branch off from a root object, and other objects can branch off from
these.The object that has branched off is called a child object, and the object it branches
from is called a parent. If a domain branches off from another domain, it is called a child
domain.The domain it branches off from is called the parent domain.The child domain
retains information about the domain above it, and includes the full name of the parent.
This contiguous namespace provides a way of conveying how the hierarchical structure of
the domains is designed in a network.
Figure 2.3 Hierarchical Structure of an Active Directory Namespace
Parent Domain
syngress.com
sales.syngress.com
dev.syngress.com
Child Domains
Child of a Child Domain
marketing.sales.syngress.com
www.syngress.com
93
256_70-294_02.qxd
94
9/3/03
11:33 AM
Page 94
Chapter 2 • Working with User, Group, and Computer Accounts
In looking at Figure 2.3, you can see that syngress.com is the parent domain, and that it
has two child domains (sales.syngress.com and dev.syngress.com). Because a child domain
can also have child domains beneath it, we also see that sales.syngress.com has its own child
domain called marketing.sales.syngress.com.
In addition to providing a method to uniquely identify domains within a namespace,
individual computers are also provided with unique names that relate to the hierarchy. Each
computer in a domain has a host name that is unique to the domain. Because of the
boundary provided by domains in the namespace, a computer with the host name server1
could exist in each domain.To show the place of these computers in a DNS domain structure, fully qualified domain names (FQDNs) are used, which combine the host name with
the domain name. For example, a computer with the host name server1 in the domain syngress.com would have the FQDN of server1.syngress.com. In Active Directory, the computer name is also appended to the name of the domain of which it is a member.This
combination can be up to 255 characters in length.When creating computer accounts in
Active Directory, the name of the computer can only consist of letters (a to z, A to Z),
numbers (0 to 9), and hyphens (-).The name cannot consist of all numbers.
Because pre-Windows 2000 computers didn’t use a DNS-like naming scheme, Active
Directory also allows NetBIOS names to be used for backward compatibility. In older network operating systems such as Windows NT, a hierarchical structure of domains wasn’t
used. Computers used a flat namespace in which all computers were given NetBIOS names
that were unique to the domain. In a single domain environment, these were single word
names that allowed clients and services to identify computers on the network, and were
used by users to log on to systems and domains. In a multiple domain environment, the
domain name was typically appended to the computer name using the backslash (\) character; for example, domain\computername. Similarly, logons between domains took the
form of: domain\username. By providing support for NetBIOS names and pre-Windows
2000 domain naming schemes, older clients can access Windows Server 2003 computers
and domains.
NOTE
Backward compatibility to previous versions of Windows operating systems is of
major importance to a Microsoft network. Although Microsoft will try to recommend that newer operating systems are used on client machines and servers, a
network might consist of a variety of Windows versions and editions. Even in situations where clients and servers are all being upgraded to the latest versions, older
versions will reside on the network during the upgrade process. To accommodate
these environments, Windows Server 2003 supports a number of schemes and
technologies for backward compatibility.
The NetBIOS name of a computer can be up to 15 characters in length.When
installing a new Windows Server 2003 server on the network, the operating system will
www.syngress.com
256_70-294_02.qxd
9/3/03
11:33 AM
Page 95
Working with User, Group, and Computer Accounts • Chapter 2
suggest a NetBIOS name that is based on the first 15 bytes of the relative distinguished
name (RDN). As we’ll see later in this section, the RDN is another method of identifying
security principals in Active Directory. In an FQDN, the host name (which always appears
left of the leftmost dot in the FQDN) is also the RDN.
In addition to names used by computers and domains, user accounts also have distinct
methods of being named. User accounts have a UPN that can be used to log on from
Windows 2000, XP Professional, and Server 2003 machines.They also have a backwardcompatible login name known as the pre-Windows 2000 name. During the process of creating a new user account, Active Directory will suggest a pre-Windows 2000 name that is
based on the first 20 characters of the UPN that you type in. Either name can be changed
at any time.The pre-Windows 2000 logon name is limited to 20 characters. Although the
pre-Windows 2000 name can still be used to log on to domains on newer operating systems, the UPN logon name is preferred when logging on from Windows 2000 or later.
UPNs consist of a logon account name and a UPN suffix. By default, the UPN suffix is the
domain name that contains the user account. For example, if the user account was located
in a domain called syngress.com, then this domain name would also be the UPN suffix.
The logon name and UPN suffix is connected together using the at (@) sign.This makes it
appear like an Internet e-mail address (username@domain).
While the default UPN suffix for a user account is the domain containing the account,
other UPN suffixes can also be used.To make it simpler to log on to the network, Active
Directory allows you to implement a single UPN suffix for all users. In such a case, you
could have all users have the forest root domain name as their UPN suffix, or even create
alternate UPN suffixes. For example, let’s say that users logged on to an internal Active
Directory domain name called syngress.net, and knew that the external DNS name used by
the Web site was syngress.com.This could be confusing to users, because the public Web
site is popular and well known.To make it less confusing, you could implement an alternate
UPN suffix so that all users logged on to the UPN suffix syngress.com. In using alternate
UPN suffixes, you aren’t limited to using valid DNS or Active Directory domain names.
You can use any UPN suffix you choose.
Because Windows Server 2003 allows users to have the same UPN suffix regardless of
which domain contains their account, UPN logon names must be unique within a forest.
In Windows Server 2003, Active Directory won’t permit two UPNs with the same name to
exist in the same forest.
NOTE
The concept of UPNs can be confusing initially. Keep in mind that a UPN has no
relation whatsoever to a DNS or Active Directory domain name. Despite the fact
that it can have the same name as a valid domain within your forest, it is just a
label or alias that is used as part of a user account name. UPNs are stored in the
Global Catalog (GC), so a GC server must be available to log on using them.
Remember, it is the SID associated with your user account that determines what
domain it belongs to; it can have any valid name associated with it. The purpose of
www.syngress.com
95
256_70-294_02.qxd
96
9/3/03
11:33 AM
Page 96
Chapter 2 • Working with User, Group, and Computer Accounts
using a UPN is to allow users to continue using the same logon name, even if the
domain their account is associated with changes. Because the UPN is not mapped
to a specific domain, it does not need to change when you move a user account
from one domain to another within your forest.
In creating a name that’s used by the user to log on to Active Directory, certain limitations exist in what you can use in the logon name.The name cannot contain all spaces, or
must not contain any leading or trailing spaces, or any of the following characters: “ / \ [ ] :
;| = ,+ * ? < >
NOTE
Several of Microsoft’s instructional materials state that the logon portion of the
UPN name cannot exceed 20 characters, despite the fact that the text box allows
many more to be typed in. This is incorrect. If you test it, you’ll learn that you can
exceed the 20 character limit. The pre-Windows 2000 logon name does recognize
this limit.
In addition, many of the restricted characters listed in the preceding paragraph will not raise an error during account creation if typed in as part of the
User logon name. However, when you attempt to log on you will receive an
error. Strangely, if you type these restricted characters in as part of the preWindows 2000 logon name, it will notify you that they will be changed to the
underscore character (an allowed character) and proceed with account creation.
Groups also have certain requirements that must be adhered to when they’re created. As
we’ll see later in this chapter, groups allow you to add users as members.This collection of
user accounts can then be managed as a unit, making it easy to assign many users permission to access a resource with a single assignment.
When creating groups in Active Directory, the name cannot be longer than 64 characters in length. In addition, the name must not contain leading or trailing spaces, trailing
periods, or any of the following characters: / [ ] : | = ? * , + “ \ < > ;
Security principals also make use of three other types of naming conventions, which are
common to all objects in Active Directory:
■
RDN
■
Distinguished name (DN)
■
Canonical name
Through these naming conventions, security principals can be located in the directory
using the Lightweight Directory Access Protocol (LDAP). Each of these is used to identify
www.syngress.com
256_70-294_02.qxd
9/3/03
11:33 AM
Page 97
Working with User, Group, and Computer Accounts • Chapter 2
objects in Active Directory, and provide methods of locating objects within the directory,
regardless of how many layers of organizational units (OUs) it is stored under.
As we’ve discussed, every object is given a name when it is created, and this name is
used to easily identify the object within the directory. As we’ll see later in this chapter, the
name of a user object generally corresponds to the user’s name, while the computer’s name
can correspond to either the Active Directory object name you specify or the NetBIOS
name.These names are RDNs.
RDNs refer to the name of the object in relation to where it is located in the directory. In other words, it doesn’t show the path to where you can find the object in the
directory structure. For example, a user object named John Smith would be a valid RDN.
In looking at this name, however, you wouldn’t know whether it was stored in the Users
container or another location.The RDN doesn’t show exactly where the object can be
found, but refers only to the name of the object.
Because the RDN identifies the object within a container, this name must be unique
within the container in which it is stored. In other words, you can’t have two users named
John Smith in the same OU. If two objects did exist with the same name, confusion could
occur as to which object you really wanted to access.
To provide more specific information concerning the exact location of an object
within the directory’s hierarchy, a DN is used.The DN is used to show the path to an
object. It says that the object is located in a particular domain, and possibly even within a
specific OU.This path identifies the name of the object, and the hierarchy to the container
in which it is stored.To provide this information, the DN uses the following notations:
■
CN The common name of the object.
■
OU An organizational unit that contains the object, or contains another OU in
the hierarchical path to the OU that contains the object.
■
DC A domain component that specifies a DNS name in the hierarchy to the
object. Just as with OU objects, there may be multiple domain components in the
hierarchical path to the object.
As shown in Figure 2.4, the DN uses these notations to provide a map to how you can
find a single object within the structure of Active Directory. In Figure 2.4, we see that there
are a number of users located in the Accounts Receivable OU, which resides in the
Accounting OU of knightware.ca. If you wanted to find a user object named John Doe
within this structure, you would use the following DN:
CN=John Doe,OU=Accounts Receivable,OU=Accounting,DC=knightware,DC=ca
In comparing the DN to Figure 2.4, you can see that it starts with the object, and
works its way up to the highest level of the structure.
www.syngress.com
97
256_70-294_02.qxd
98
9/3/03
11:33 AM
Page 98
Chapter 2 • Working with User, Group, and Computer Accounts
Figure 2.4 Distinguished Names Are Used to Show Location of Objects
DC = ca
knightware.ca
Accounting
Accounts Receivable
John Doe
Jane Smith
DC = knightware
OU = Accounting
OU= Accounts Receivable
Sam Jones
CN=John Doe
As mentioned earlier, the CN within the DN is also the RDN of the object.The
RDN uniquely identifies an object within a parent container, and in the case of our previous example, refers to the John Smith object. In this case, we could refer to the RDN as
follows:
CN=John Smith
Another way of looking at this same information is with the canonical name. Canonical
names provide the same information as the DN, but in reverse. Rather than beginning with
the object and working its way up the highest level, the canonical name starts at the highest
level and works its way down. In looking at the previous example, the DN “CN=John
Doe, OU=Accounts Receivable, OU=Accounting, DC=knightware, DC=ca” would be
translated to the following canonical name:
knightware.ca/Accounting/Accounts Receivable/John Doe
By providing different options for identifying objects and their location in the directory, there is greater versatility in the methods tools that you can use to access these objects.
Before using DNs, RDNs, and canonical names, you need to give the object a unique
name. As we’ll see in the sections that follow, the names for users, computers, and groups
are specified when the security principal itself is created.
www.syngress.com
256_70-294_02.qxd
9/3/03
11:33 AM
Page 99
Working with User, Group, and Computer Accounts • Chapter 2
Working with
3 Active Directory User Accounts
EXAM
70-294
OBJECTIVE
User accounts are used by people and services so they can be authenticated and access
resources. Each user account contains information about the person or service that uses it,
and provides a means to grant permissions, apply scripts, assign profiles, and control what
actions the user can perform and what he or she can access.Through the account, a set of
credentials is created that protects from unauthorized access.
In Windows Server 2003, two different types of user accounts can be created: local and
domain-based user accounts. Local user accounts are used to control access to the computer
on which you are working.They are created on Windows Server 2003 by using the Local
Users and Groups snap-in, or the Users node under the Local Users and Groups node in
the Computer Management utility. Once created, the account information is stored in a
local database called the Security Accounts Manager (SAM).The account information only
applies to the local computer, and isn’t replicated to other machines within the domain.
When a user logs on to the computer,Windows Server 2003 authenticates the user with
this information, and either permits or denies access to the machine.
Domain accounts are created in Active Directory and are considerably different from
local user accounts. Rather than storing information on the local machine, account information is stored in the directory and replicated to other DCs. As we discussed earlier in this
chapter, when the user logs on to a DC, the account information is used to build an access
token.This access token is used for the duration of time that the user is logged on to the
network, and determines what the user is allowed to access on the network, and actions he
or she can perform.
TEST DAY TIP
Don’t confuse local accounts with domain accounts. Local accounts are stored on
computers and only apply to the security of those machines. Domain accounts are
stored in Active Directory, and security settings for the account can apply to
accessing resources and services across the network.
Active Directory user accounts are created and managed using the Active Directory
Users and Computers snap-in. As shown in the Figure 2.5, this snap-in provides a graphical
user interface (GUI) that allows you to point-and-click through the various tasks related to
administering user objects.The left pane of this tool is the console tree, which contains
nodes representing your domain and the container objects within your domain such as
OUs. Expanding the node of a domain displays the containers, which can be selected to
view objects stored within them.These objects within the container are displayed in the
right pane of the console.
www.syngress.com
99
256_70-294_02.qxd
100
9/3/03
11:33 AM
Page 100
Chapter 2 • Working with User, Group, and Computer Accounts
Figure 2.5 Active Directory Users and Computers
As mentioned in Chapter 1, a number of containers are automatically created when
Active Directory is first installed. Each stores different types of objects, some of which are
used in managing users and computers on the network.These containers are:
■
Builtin The default location for most domain local groups that are created
during the installation of Windows Server 2003 and Active Directory. A few service-specific domain local groups, such as the DnsAdmins group, are created in
the Users container.
■
Computers The default location that is used to store computer objects for
members of the domain.This container does not contain objects for Active
Directory DCs.
■
Domain Controllers The default location that is used to store Active Directory
DC objects.
■
ForeignSecurityPrincipals The Active Directory location used to store foreign
SIDs for user accounts in external trusted domains.
■
Users The default location for user accounts, global groups, and universal groups
that are created during the installation of Active Directory.This container often
contains additional domain local groups that are used by services such as RRAS
and DNS.
In addition to these containers, others also exist that are hidden.You must enable
Advanced Features to display these additional containers.To do this, select View |
Advanced Features. Once enabled, the following containers can then be seen:
www.syngress.com
256_70-294_02.qxd
9/3/03
11:33 AM
Page 101
Working with User, Group, and Computer Accounts • Chapter 2
■
LostAndFound Used to store objects whose parent containers no longer exist.
If an object is created on one DC close to the time that its parent container is
deleted on another DC (or if it is moved to a location that’s missing after replication), the object is considered orphaned and is placed in this container.
■
System Contains information about the domain, objects used by Active
Directory, and the underlying Windows Server 2003 operating system. Unlike
most of the other containers, the objects in this container generally cannot be
modified by the administrator.
While these containers are created by Active Directory, objects can also be stored in
OUs that are created by the administrator. By using OUs, you can arrange user accounts,
computer accounts, and other objects into containers that reflect the department or location of these objects. For example, you could create an OU for a branch office, and then
store accounts for users at that location within the OU.This makes it easier to delegate
administrative control, and manage users using Group Policy.
NOTE
By looking carefully at Figure 2.5, you’ll see a difference in the icons between the
Users node and the Domain Controllers node. The Users node is a default container, while Domain Controllers is an OU. A key difference between a default container and an OU is that you cannot apply group policy to a default container.
Therefore, if you create all of your users in the Users container, you will have to
move them into an OU to apply group policy to them, or apply the group policy at
the domain level and allow it to inherit down to the Users container.
Administrators can create OUs, but they cannot create default containers.
Built-In Domain User Accounts
As we’ll see later in this chapter, you can create user objects for accounts used by users and
services within your organization. In addition to those you create, several user accounts are
automatically created when Active Directory is first installed.These built-in accounts are
stored in the Users container of Active Directory Users and Computers, and are named:
■
Administrator
■
Guest
■
HelpAssistant
■
SUPPORT_388945a0
While we’ll discuss each of these accounts in the sections that follow, it is important to
realize that each of the accounts created by Active Directory is assigned group memberships
www.syngress.com
101
256_70-294_02.qxd
11:33 AM
Page 102
Chapter 2 • Working with User, Group, and Computer Accounts
and user rights that provide different levels of access.The rights and permissions they have
vary, because each is designed to be used for a different purpose.You wouldn’t want
everyone in a domain to be able to view, modify, or delete anything they want on the network.This would be a major security issue, and accidents and malicious actions could have
potentially devastating consequences.
Administrator
The Administrator account is the first account that’s created when Active Directory is
installed. As we saw in the previous chapter, when you use the Active Directory Installation
Wizard and set up a new domain, this account is created to give you the access to perform
domain configuration. Once created, it can be used to create and manage security principals and other objects, administer policies, assign permissions, and other tasks needed in the
design and administration of Active Directory.
The Administrator account has the highest level of access of any default account created
in Active Directory. It is a member of the Administrators, Domain Admins, Domain Users,
Enterprise Admins, Group Policy Creator Owners, and Schema Admins groups.While we’ll
discuss groups later in this chapter, the default membership in these groups allows the
Administrator account to have full control over Active Directory. Because these groups provide the security access attributed to this account, you can create additional accounts for
people who perform administrative tasks and make them members of these groups to give
them the same abilities as the Administrator account.
Due to the importance of the Administrator account, it cannot be deleted from Active
Directory, or removed from the Administrators group. It can, however, be disabled or
renamed to make it more difficult for unauthorized or malicious users to use this account
by guessing its password.
Configuring & Implementing...
102
9/3/03
Securing the Administrator Account
Anyone familiar with Windows network operating systems will recognize the
Administrator account as one that’s existed in previous versions. An account
called Administrator has been used in Windows NT, Windows 2000, and
Windows Server 2003. Because it is known, it can be a target for hackers, who
want to access the account and obtain full control over the domain.
To protect your system, you should rename and/or disable the Administrator
account after creating other accounts with administrator-level access. By
renaming the account, others won’t know what the account is called, and
thereby won’t know which account to access to obtain this high level of control.
By disabling the account, they won’t be able to use it at all.
To prevent unauthorized users from accessing accounts with administrative
credentials, any accounts that are members of the groups that provide administrator access should use strong passwords. Strong passwords are more difficult
www.syngress.com
Continued
256_70-294_02.qxd
9/3/03
11:33 AM
Page 103
Working with User, Group, and Computer Accounts • Chapter 2
to guess, and use a combination of three or more of the following keyboard characters:
■
Lowercase letters (a –z)
■
Uppercase letters (A–Z)
■
Numbers (0–9)
■
Special characters (({}[],.<>;:’”?/|\`~!@#$%^&*()_-+=)
While strong passwords can’t be hacked using dictionary attacks that look for
specific words and character combinations in the password, they can still be
cracked using brute-force hacking programs, which try to determine the password
by using all possible combinations of characters in a password. Brute-force hacks
can take a considerable amount of time, but are commonly used to obtain unauthorized access to an account. To make it more difficult for hackers to access an
account using a brute-force attack, you should use longer passwords that consist
of a minimum of eight characters. In a Windows Server 2003 domain, strong passwords are enabled in Group Policy as a requirement for all accounts. This means
that all passwords that are created after the installation of Active Directory must
use at least one uppercase character, lowercase character, and numeric character.
Guest
The Guest account is another built-in account, but provides the lowest level of access. It is
designed to be used by occasional users who need minimal access and don’t want to log on
with their own account, or users who don’t have an account of their own in the domain.
For example, you could give the Guest account permissions to view files on an intranet
Web site, or have read-only access to unclassified material, such as forms new employees
must fill out to apply for a job. People applying for a job could then access and fill out
these forms even though they don’t have their own accounts.
When Active Directory creates this account, it makes the Guest account a member of
the Guests group and Domain Guests global group. Membership in these groups allows a
person using this account to log on to the domain. Just as with other accounts, you can
control what rights and permissions this account has, and add or remove this account from
group memberships.This allows you to increase or decrease the level of access a person
using this account has to resources in the domain.
Because it is better for users to have their own accounts when logging on to the
domain, the Guest account is disabled by default. Having this account disabled prevents
unauthorized persons from using this account to access the domain, and potentially use it
to obtain additional levels of access. As we saw with the Administrator account, the Guest
account can’t be deleted, but can be renamed. Doing so will make it more difficult for
hackers to take advantage of this account, which has also existed in previous versions of
Windows.
www.syngress.com
103
256_70-294_02.qxd
104
9/3/03
11:33 AM
Page 104
Chapter 2 • Working with User, Group, and Computer Accounts
HelpAssistant
The HelpAssistant account is automatically created in Active Directory when a Remote
Assistance session is established. Remote Assistance allows a user to connect to a machine
and assist them, such as by taking control of the computer remotely. For example, a person
working Help Desk could take over a user’s computer remotely, and show the user how to
perform a particular task.
To prevent others from indiscriminately taking over a computer and performing tasks
while a person is logged on, this connection is established with the permission of the
person using the computer. In other words, the person using the computer must allow
another person to take control. A person couldn’t simply highjack another person’s computer using Remote Assistance, and then begin accessing resources under their logged-on
account.
The HelpAssistant account is used to establish the session between the person assisting
a user and his or her machine, and provides limited access to the computer being accessed
remotely.This account is managed by the Remote Desktop Help Session Manager service,
and is deleted automatically when there are no pending Remote Assistance requests.
Because it is removed when no longer needed, it doesn’t always appear in the Users container of Active Directory Users and Computers.
SUPPORT_388945a0
The Support_388945a0 account is used by the Help and Support Service to provide interoperability with and allow access to signed scripts that are made available within Help and
Support Services. An administrator can delegate the ability for a normal user to run these
scripts from links in Help and Support Services.The scripts can be programmed to use the
Support_388945a0 account instead of the logged-on user’s credentials to perform administrative tasks on the local system that the user would not typically be allowed to perform
without administrative-level access.
InterOrgPerson
Unlike the previous accounts we’ve discussed, InetOrgPerson accounts don’t actually refer to
an account named InetOrgPerson, but an object class used to create accounts. Object classes
are sets of attributes used to determine what attributes an object might have when it is created. In Active Directory, the InetOrgPerson class is used to define user accounts. Because it
exists as a type of user class, accounts created with this class are security principals.
InetOrgPerson accounts are used to represent users in non-Microsoft directory services.
While Active Directory is the only directory service used by Windows 2000 and Windows
Server 2003, it isn’t the only directory service in existence. Other network operating systems, such as Novell NetWare, use their own implementations of a directory service, which
aren’t always compatible with Active Directory.The InetOrgPerson is used to assist applications written for other directories, or when migrating from these directory services to
Active Directory.
www.syngress.com
256_70-294_02.qxd
9/3/03
11:33 AM
Page 105
Working with User, Group, and Computer Accounts • Chapter 2
New & Noteworthy...
As we’ll see in the next section, InetOrgPerson accounts are created in the same way
that user accounts are created. In Active Directory Users and Computers, you would
select the container in which you want to create the new InetOrgPerson account. After
doing this, click the InetOrgPerson menu item under Action | New.This will start the
same wizard that allows you to create a new user account, but will use the InetOrgPerson
object class to create it.
InetOrgPerson Object Class Is Part of
the Windows Server 2003 Active Directory Schema
The InetOrgPerson object class and the attributes it contains originates from RFC
2798. RFC is an acronym for Requests for Comments, and is a document that is
used to specify information and/or technical specifications. RFC 2798 was created
by the Internet Engineering Task Force (IETF) to address the need for a class of user
that accessed directory services over the intranet or Internet. This class of user was
designed to hold attributes about people who accessed the directory using LDAP in
this way.
Because of the need for this type of user class, Microsoft provided a kit that
added an InetOrgPerson object class to the schema in Windows 2000. In Windows
Server 2003, an InetOrgPerson is included in the Active Directory schema as a type
of user class that can be used by LDAP applications requiring this type of object
and when migrating to Active Directory from other directory services. This saves
administrators from needing to extend the schema to create a new InetOrgPerson
object class.
Creating User Accounts
Windows Server 2003 provides multiple ways of creating user accounts in Active Directory.
As mentioned, Active Directory Users and Computers provides a GUI that allows you to
create new accounts quickly and efficiently. As a new method of adding user accounts to
Active Directory, you can also use the DSADD command. In the paragraphs that follow, we
will look at each of these tools.
Creating Accounts Using
Active Directory Users and Computers
Active Directory Users and Computers is a tool that is installed on DCs, and is used by
those with the appropriate access to create domain accounts. Only members of the
Administrators group, Account Operators group, Domain Admins group, Enterprise Admins
group, or someone who’s been delegated authority can create a user account.When
someone is delegated authority to perform a task, it means that he or she been given
www.syngress.com
105
256_70-294_02.qxd
106
9/3/03
11:33 AM
Page 106
Chapter 2 • Working with User, Group, and Computer Accounts
administrative credentials to carry out the action. Responsibility can be delegated through
the Delegation of Control Wizard, Group Policy, or security groups (which we’ll discuss
later in this chapter).
Active Directory Users and Computers is started in a number of ways. As we saw in
Chapter 1, the Active Directory Users and Computers snap-in can be loaded into
Microsoft Management Console (MMC). Using the Windows Start menu can also start
this tool by clicking on Start | Administrative Tools | Active Directory Users and
Computers.The final method of starting it is through the Control Panel. In Control
Panel, open Performance and Maintenance | Administrative Tools | Active
Directory Users and Computers.
Once Active Directory Users and Computers is open, expand the domain in which you
have access, and want to create the account.Within the domain, you select the container in
which you want to create the user object.You can create accounts at the domain level, use an
existing default container (such as Users), or use an OU that you’ve created. Once you’ve
selected the container, click Action | New | User. InetOrgPerson accounts can also be created this way, by selecting InetOrgPerson instead of User from Action | New.
Once the User menu command has been clicked in the Action | New menu, a
wizard will start that will take you through the steps of creating a new account. As shown
in Figure 2.6, the first screen provides a number of fields in which you can enter information relating to the new user:
■
First name The given name of the user.
■
Initials The middle initial(s) in the user’s name.
■
Last name The surname of the user.
■
Full name The entire name of the user. As you enter the user’s first name, initials, and last name, this field will automatically be filled. It can, however, be modified.This name must be unique to the container in which the account is being
created.
■
User logon name The UPN that the user will enter to log on to the domain.
The UPN (remember, this is comprised of the user logon name and the UPN
suffix) must be unique to the enterprise. In other words, two logon names that are
the same cannot exist within the same Active Directory forest.The drop-down list
in this field allows you to select a UPN suffix.
■
User logon name (pre-Windows 2000) The NetBIOS name that the user will
use when logging on to the domain from pre-Windows 2000 operating systems.
Once you have entered this information, click the Next button to continue providing
information to setup the account.
www.syngress.com
256_70-294_02.qxd
9/3/03
11:33 AM
Page 107
Working with User, Group, and Computer Accounts • Chapter 2
Figure 2.6 Screen Used to Enter New User Information When Creating a
New User Object
The screen that follows allows you to configure password information for the user’s
account. As with the previous screen, a number of fields can be used to manage the initial
setup of the account.These fields are depicted in Figure 2.7, and consist of:
■
Password The password that the user will enter, so he or she can be authenticated.
■
Confirm Password The same password that’s entered in the Password field.
Confirming the password a second time ensures that it has been entered correctly.
■
User must change password at next logon Checking this box requires the
user to change his or her password at first logon. Having the user change the password, ensures that only the user knows the new password and is a good security
practice.This setting is enabled by default.
■
User cannot change password When selected, this ensures that only administrators can change the user’s password.This can be used if the account is being
used by more than one person (such as a Guest account), services, or programs.
This setting is also used in more secure environments that require a guarantee of
password strength. In these environments, administrators are often responsible for
maintaining and changing passwords to ensure they meet security standards.
■
Password never expires This setting exempts the user’s password from the
maximum password age Group Policy setting that is enabled for the domain.This
is helpful if a service or program is using the account. If the User must change
password at next logon option is set, this option is overridden.
www.syngress.com
107
256_70-294_02.qxd
108
9/3/03
11:33 AM
Page 108
Chapter 2 • Working with User, Group, and Computer Accounts
■
Account is disabled This check box is used to prevent a user from logging on
with this account.This can be used if an employee has been terminated, is on
extended leave or vacation, or hasn’t started in his or her job yet.
After entering this information, click the Next button to reach the final screen for creating a new user account.
Figure 2.7 Screen Used to Enter Password Options When Creating a New
User Object
As shown in Figure 2.8, the final screen used in creating a new user object provides
summary information.The information that appears on this screen provides a recap of the
user information and password options that will be used for creating the account. After the
Finish button is clicked, the account is then created in the container you initially chose to
store the object.
Figure 2.8 Summary Screen of New Object Dialog Box
www.syngress.com
256_70-294_02.qxd
9/3/03
11:33 AM
Page 109
Working with User, Group, and Computer Accounts • Chapter 2
Now that we’ve looked at how to create a user account, let’s put that knowledge to
practice and create one in the Exercise 2.02.
EXERCISE 2.02
CREATING A USER OBJECT IN
ACTIVE DIRECTORY USERS AND COMPUTERS
1. Open Active Directory Users and Computers from Start |
Administrative Tools Active Directory Users and Computers.
2. When the utility opens, expand the console tree so that your domain
and the containers within it are visible.
3. Select the TestOU OU that you created in Chapter 1 from the console
tree. From the Action menu, select New | User.
4. When the New Object - User dialog box appears, enter the following
information in the corresponding fields:
Field
Data to Enter
First name
Initials
Last name
Full name
User logon name
User logon name (pre-Windows 2000)
John
Q
Public
John Public
Jpublic
Jpublic
5. After entering this information, click the Next button to continue.
6. Enter a password of your choosing in the Password field, and then
reenter it in the Confirm password field.
7. Clear the User must change password at next logon check box.
8. Click Next to continue. When the summary screen appears, review the
settings you have entered and click Finish to create the account.
9. From the Action menu, select New | User.
10. When the New Object - User dialog box appears, enter the following
information in the corresponding fields:
www.syngress.com
109
256_70-294_02.qxd
110
9/3/03
11:33 AM
Page 110
Chapter 2 • Working with User, Group, and Computer Accounts
Field
Data to Enter
First name
Last name
Full name
User logon name
User logon name (pre-Windows 2000)
Jane
Doe
Jane Doe
Jdoe
Jdoe
11. After entering this information, click the Next button to continue.
12. Enter a password of your choosing in the Password field, and then
reenter it in the Confirm password field.
13. Click Next to continue. When the summary screen appears, review the
settings you have entered and click Finish to create the account.
14. Log off and then log back on as the jdoe user. Notice that you are
required to change the password.
15. Log off and then log back on as the jpublic user. Notice that you aren’t
required to change the password.
Creating Accounts Using the DSADD Command
As we saw in Chapter 1,Windows Server 2003 includes a number of command-line tools
that allow you to perform common administrative tasks from a command prompt. Using
the DSADD command, you can create new objects in Active Directory, including user
objects. As is the case when using Active Directory Users and Computers, only members of
the Administrators group, Account Operators group, Domain Admins group, Enterprise
Admins group, or someone who’s been delegated authority can create a user account.This
means that the DSADD command can’t be used as a workaround to creating an account
without authorization.
Create a new user with DSADD by entering the following syntax:
DSADD USER UserDN [-samid SAMName] -pwd {Password|*}
In entering this command, the following parameters must be entered:
■
UserDN This is the DN of the user object you are adding.This provides information on where the account will be created.
■
SAMName This is a NetBIOS name, which is used when logging on from preWindows 2000 computers. If this parameter isn’t added, DSADD will create one,
www.syngress.com
256_70-294_02.qxd
9/3/03
11:33 AM
Page 111
Working with User, Group, and Computer Accounts • Chapter 2
based on the first 20 characters of the common name you entered for the
UserDN parameter.
■
Password This is the password that will be used for this account. If an asterisk (*)
is entered for this parameter, you will be prompted to enter a password.
In addition to these parameters, additional settings can be applied when creating a user
account by using the following syntax. Note that this is all one long line.
dsadd user UserDN [-samid SAMName] [-upn UPN] [-fn FirstName] [-mi
Initial] [-ln LastName] [-display DisplayName] [-empid EmployeeID]
[-pwd {Password | *}] [-desc Description] [-memberof Group;...]
[-office Office] [-tel PhoneNumber] [-email Email] [-hometel
HomePhoneNumber] [-pager PagerNumber] [-mobile CellPhoneNumber]
[-fax FaxNumber] [-iptel IPPhoneNumber] [-webpg WebPage] [-title Title]
[-dept Department] [-company Company] [-mgr ManagerDN] [-hmdir
HomeDirectory] [-hmdrv DriveLetter:] [-profile ProfilePath] [-loscr
ScriptPath] [-mustchpwd {yes | no}] [-canchpwd {yes | no}]
[-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}] [-acctexpires
NumberOfDays] [-disabled {yes | no}] [{-s Server | -d Domain}]
[-u UserName] [-p {Password | *}] [-q] [{-uc | -uco | -uci}]
As you can see, a considerable number of options can be set in using the DSADD
command, which are not available when initially creating an account with Active Directory
Users and Computers.We’ll explain how such information can be added to an account
with Active Directory Users and Computers in the next section. First, let’s examine the various parameters that can be used in association with the DSADD command.The parameters in this syntax are explained in Table 2.3.
Table 2.3 DSADD Parameters for Creating Users
Parameter
Description
-upn UPN
-fn FirstName
-mi Initial
-ln LastName
-display DisplayName
-empid EmployeeID
-desc Description
-memberof Group
Specifies the UPN for the account.
Specifies the first name of the user.
Specifies the initial(s) of the user.
Specifies the last name of the user.
Specifies the display name of the account.
Specifies the user’s employee ID.
Information that describes the account.
Specifies the DNs of groups of which this
account will be a member.
Specifies the office location of the user.
-office Office
Continued
www.syngress.com
111
256_70-294_02.qxd
112
9/3/03
11:33 AM
Page 112
Chapter 2 • Working with User, Group, and Computer Accounts
Table 2.3 DSADD Parameters for Creating Users
Parameter
Description
-tel PhoneNumber
-email Email
-hometel HomePhoneNumber
-pager PagerNumber
-mobile CellPhoneNumber
Specifies the telephone number of the user.
Specifies the user’s e-mail address.
Specifies the user’s home telephone number.
Specifies the pager number of the user.
Specifies the cellular telephone number of
the user.
Specifies the user’s fax number.
Specifies the user’s IP phone number.
Specifies the URL of the user’s Web page.
Specifies the title of the user.
Specifies the user’s department.
Specifies company information.
Specifies the DN of the user’s manager.
Specifies the home directory of the user.
Specifies the drive letter used by the user to
access his or her home directory. This parameter is used if the HomeDirectory is specified
using the universal naming convention.
Specifies the profile path for the account.
Specifies the logon script path for the
account.
Specifies whether the user needs to change
his or her password the next time he or she
logs on. By default, the user doesn’t need to
change the password, so this would be the
same as specifying no for this parameter.
Specifies whether the user is allowed to
change his or her password. By default, the
user can change his or her password, so this
would be the same as specifying yes for this
parameter.
Specifies whether the password is stored
using reversible encryption, which is used by
Macintosh computers and some forms of
Windows-based authentication. By default,
reversible encryption isn’t used, so this is the
same as this parameter being set to no.
-fax FaxNumber
-iptel IPPhoneNumber
-webpg WebPage
-title Title
-dept Department
-company Company
-mgr ManagerDN
-hmdir HomeDirectory
-hmdrv DriveLetter:
-profile ProfilePath
-loscr ScriptPath
-mustchpwd {yes | no}
-canchpwd {yes | no}
-reversiblepwd {yes | no}
Continued
www.syngress.com
256_70-294_02.qxd
9/3/03
11:33 AM
Page 113
Working with User, Group, and Computer Accounts • Chapter 2
Table 2.3 DSADD Parameters for Creating Users
Parameter
Description
-pwdneverexpires {yes | no}
Specifies whether the password expires. By
default, a password will expire, so this is the
same as this parameter being set to no.
Specifies the number of days before the
account expires. If the value of
NumberOfDays is set to 0, the account will
expire at the end of the day. If the value of
NumberOfDays is set to a negative value, it
will set that the account has already expired
that many days ago. If set to a positive value,
it will expire that many days in the future. If
the value of NumberOfDays is set to Never,
the account will never expire.
Specifies whether the account has been disabled. By default, the account is enabled, so
this is the same as this parameter being set
to no.
Specifies to connect to a remote server or
domain. By default, the computer is connected to the DC in the logon domain.
Specifies the username to log on to a remote
server. By default, the username that the user
is logged on to the local system with is used.
The following formats can be used for the
UserName variable:
Username
Domain\username
User principal name
Specifies the password to log on to a remote
server. If an asterisk (*) is used, you will be
prompted for a password.
Specifies quiet mode, and suppresses output.
Specifies Unicode to be used for input or
output. If –uc is used, then input or output is
to a pipe (|). If –uco is used, then output is to
a pipe or file. If –uci is used, then input is
from a pipe or file.
-acctexpires NumberOfDays
-disabled {yes | no}
{-s Server | -d Domain}
-u UserName
-p {Password | *}
-q
{-uc | -uco | -uci}
Managing User Accounts
Managing user accounts is done through the properties of the object, which is accessible by
using Active Directory Users and Computers.You can access the properties of a user object
www.syngress.com
113
256_70-294_02.qxd
114
9/3/03
11:33 AM
Page 114
Chapter 2 • Working with User, Group, and Computer Accounts
by selecting the object, and then clicking on Action | Properties.You can also right-click
on the object and select Properties from the context menu.
Upon opening the Properties of the user, you will see a number of tabs that allow you
to set various options and provide information dealing with the account:
■
General This tab contains basic information about the user, including name, telephone number, and other information.
■
Address This tab contains personal properties about the user, including home
address.
■
Account This tab contains settings that control account expiration, logon hours,
and other account options.
■
Profile This tab contains settings for the user’s logon script, user profile, and
home directory.
■
Telephones This tab contains telephone numbers and other contact information
about the user.
■
Organization This tab contains information about the user’s organization,
department, and manager.
■
Environment This tab contains settings for configuring the startup environment
for Terminal Services.
■
Sessions This tab contains timeout and reconnection settings for Terminal
Services.
■
Remote Control This tab configures remote control settings for Terminal
Services.
■
Terminal Services Profile This tab contains configuration information for the
user’s Terminal Services profile and home directory.
■
COM+ This tab allows you to set whether the user is a member of a particular
COM+ partition set.
■
Published Certificates This tab lists X.509 certificates and their use.
■
Member Of This tab lists the user’s group membership.
■
Dial-in This tab contains settings used by the user for dialing in to or using a
virtual private network (VPN) connection to the network.
■
Object This tab shows the fully qualified name of the user.
■
Security This tab displays an ACL for the user account object.
Individually, each of these tabs allows you to manage different settings related to the
user account. However, a number of these tabs are related, in that they deal with particular
aspects of user account management. As we’ll see in the sections that follow, by using them
together, you can configure how the account can be used.
www.syngress.com
256_70-294_02.qxd
9/3/03
11:33 AM
Page 115
Working with User, Group, and Computer Accounts • Chapter 2
Personal Information Tabs
In looking at what properties can be set with these tabs, you will see that there are four tabs
that contain personal information about the user: General, Address,Telephones, and
Organization. As shown in Figure 2.9, the General tab contains a number of fields that contain information provided when the account was initially created:
■
First name This field contains the given name of the user.
■
Initials This field contains the middle initial(s) of the user.
■
Last name This field contains the user’s surname.
■
Display name This field contains the full name of the user.
■
Description This field allows you to provide a description of the user account.
For example, if this were an account that was to be used for a service or application, you could provide information on which service or program will use this
account.
■
Office This field allows you to provide information on the office in which the
user works.
■
Telephone number This field allows you to provide the user’s telephone
number.
■
Email This field allows you to enter the e-mail address of the user.
■
Web page This field allows you to enter the Web page belonging to the user.
In looking at this tab, notice that Telephone and Web page fields have a button beside
them named Other.When this button is clicked, a dialog box will open that allows you to
enter additional entries. As you might guess, this is because many users might have more
than one Web page or telephone number associated with them. If additional entries exist,
you can also click the Other button to view these entries in the dialog box that appears.
Figure 2.9 General Tab of User’s Properties
www.syngress.com
115
256_70-294_02.qxd
116
9/3/03
11:33 AM
Page 116
Chapter 2 • Working with User, Group, and Computer Accounts
The Address tab is used to store contact information dealing with a user’s physical or
mailing address. As shown in Figure 2.10, information on this tab includes:
■
Street This text box allows you to enter the full street address of the user. It
allows multiple lines, to account for apartment numbers and other information.
■
P.O. Box This text box allows you to enter the P.O. Box number.
■
City This text box is the city in which the user lives or has a mailing address.
■
State/province This text box is the state or province in which the user lives or
has a mailing address.
■
Zip/Postal Code This text box is the zip code or postal code in which the
user lives or has a mailing address
■
Country/region This drop-down box contains list of countries so that you can
select the one in which the user lives or has a mailing address.
Figure 2.10 Address Tab of a User’s Properties
The Telephones tab is another tab that contains personal properties related to the user.
As shown in Figure 2.11, this tab provides contact information relating to various methods
of verbal or digital communication:
■
Home This text box is used to enter the home telephone number of the user.
■
Pager This text box is used to enter the pager number of the user.
■
Mobile This text box is used to enter the cellular phone number of the user.
■
Fax This text box is used to enter the fax number of the user.
www.syngress.com
256_70-294_02.qxd
9/3/03
11:33 AM
Page 117
Working with User, Group, and Computer Accounts • Chapter 2
■
IP phone This text box is used to enter the IP phone number of the user.
■
Notes This text box is used to enter any additional notes pertaining to the user.
Because users might have multiple telephone numbers, pagers, and other methods of
communication, each of these fields (except for Notes) also includes an Other button. As
discussed earlier, clicking this button allows you to enter and/or view additional entries for
that particular field.
Figure 2.11 Telephones Tab of User’s Properties
The Organization tab is the final tab that contains personal properties for the user.This
tab allows you to enter information relating to the organization in which the user works. As
seen in Figure 2.12, the fields on this tab include:
■
Title This text box is used to specify the title of the user.
■
Department This text box is used to specify the department in which the user
works.
■
Company This text box is used to specify the name of the company the user
works for.
■
Manager This field allows you to specify the DN pointing to the user’s manager
or supervisor within the company.With this field, you can click the Change
button to change the DN pointing to the manager’s user object, Properties to
view that object’s properties, or Clear to erase the entry pointing to the manager’s
user object.
www.syngress.com
117
256_70-294_02.qxd
118
9/3/03
11:33 AM
Page 118
Chapter 2 • Working with User, Group, and Computer Accounts
■
Direct reports This field shows any other user accounts that have this user’s
account specified as their manager.
Figure 2.12 Organization Tab of User’s Properties
Account Settings
Not all of the tabs in the user’s Properties deal with personal information. As seen in Figure
2.13, the Account tab is used to store information relating to the domain user account,
including password options.The fields on this tab include:
■
User logon name This text box is used to specify the UPN that the user will
use when logging on to the domain.This field also includes a drop-down list for
specifying the UPN suffix.
■
User logon name (pre-Windows 2000) This text box is used to specify the
logon name that is used when logging on from pre-Windows 2000 computers.
■
Account is locked out This check box specifies that the account is locked out,
preventing the user from logging in.
■
User must change password at next logon This check box specifies that the
user must change his or her password when he or she first logs on.
■
User cannot change password This check box prevents the user from
changing his or her password.This is used to restrict password changes so only
administrators have the ability to manage them.
www.syngress.com
256_70-294_02.qxd
9/3/03
11:33 AM
Page 119
Working with User, Group, and Computer Accounts • Chapter 2
■
Password never expires This check box prevents the password from expiring
after a specific time. If the User must change password at next logon option
is set, this option is overridden.
■
Store password using reversible encryption This check box requires users
to use reversible encryption. Users who are logging on from Macintosh computers require this setting. Some forms of Windows authentication, such as CHAP
and Digest, also require this setting to be enabled.
■
Account is disabled This check box prevents users from logging on with this
account.
■
Smart card is required for interactive logon This check box allows the user
to log on using a smart card.
■
Account is trusted for delegation This allows the account to be used to run
as an identity of a service, so that it can impersonate the account and acquire necessary access.
■
Account is sensitive and cannot be delegated This check box allows a user
to assign responsibility over a portion of the namespace to another user, group, or
computer.
■
Use DES encryption types for this account This check box requires Data
Encryption Standard (DES) to be used with this account.
■
Do not require Kerberos preauthentication This check box removes the
need for preauthentication for accounts that are using another version of Kerberos
that doesn’t require it.
■
Account expires This option button is used to set the expiration date of the
account. Options for this field are Never, which means the account never expires; or
End of, which requires a date to be set specifying when the account will expire.
Figure 2.13 Account Tab of User’s Properties
www.syngress.com
119
256_70-294_02.qxd
120
9/3/03
11:33 AM
Page 120
Chapter 2 • Working with User, Group, and Computer Accounts
In addition to the fields we’ve discussed, the Account tab also includes a Logon Hours
button, which opens a dialog box that allows you to control when this user can log on or
remain logged on to the network. By default, users are able to log on and remain logged on
to the network 24 hours a day, 7 days a week. However, in secure environments, you might
want to control when a user is able to log on.To provide a maintenance window, you
might want to limit users’ ability to log on or remain logged on after regular hours of
work, or during weekends.
As shown in Figure 2.14, the Logon Hours dialog box contains a series of boxes that
determine the times and days when a user can log on. After selecting the boxes representing
the times and dates to log on, click the Logon Permitted or Logon Denied option buttons to respectively permit or deny access during those times. If all of the boxes are selected
and Logon Permitted is selected, then there are no restrictions set for the user.
Figure 2.14 Logon Hours Dialog Box
The other button that appears on the Account tab is the Log On To button.When this
button is clicked, the Logon Workstations dialog box shown in Figure 2.15 appears. On this
dialog box, you can control what computers the user can use when logging on to the
domain. By default, users can log on from any computer. However, by using the fields on
this tab you can heighten security by limiting users to working on the machine at their
desk, or a group of computers within their department. For example, you might want to
prevent users from logging on to the domain from a specific machine so that they cannot
access another user’s data that is stored on that computer.
On this dialog box, there are two options: All computers and The following computers.When All computers is selected, there are no restrictions regarding which
machines a user can log on from.When The following computers is selected, you can
then enter the name of the computer(s) you want to restrict a user to using. After entering
the NetBIOS name of the computer, click the Add button to add that computer to the
list.You can then select computer names from the listing, and click Edit to modify the
entry or Remove to delete it from the list.
www.syngress.com
256_70-294_02.qxd
9/3/03
11:33 AM
Page 121
Working with User, Group, and Computer Accounts • Chapter 2
Figure 2.15 Logon Workstations Dialog Box
The Profile tab is also used to configure elements of the user’s account, relating to profiles, logon scripts, and home folders. Roaming profiles can be used to provide consistency
across the network, by ensuring that a user has the same desktop environment, application
settings, drive mappings, and personal data regardless of which computer he or she uses on
the network.The Profile path field on this tab is used to specify the path to the user’s profile. Similarly, logon scripts are also used to apply settings to a user’s account, by running a
script when the user logs on to the network.The Logon script field is used to set where
this script is located, so it will automatically run each time the user logs on to this account.
Through these, the user’s environment is configured each time he or she logs on to a DC.
NOTE
The Logon script field on this tab is a hold over from Windows NT days. Group
Policy allows you to specify multiple logon, logoff, startup, and shutdown scripts.
However, if the computers that your users are logging on from does not support
Group Policy, this field comes in handy to ensure that they can still get a logon
script applied to them. Windows 2000 and later computers are capable of using
Group Policy.
Finally, as shown in Figure 2.16, the Home folder section of this tab is used to specify
the location of a home directory that will contain the user’s personal files.The Local path
text box is used to specify a path to the directory on the local system. Alternatively, you can
specify a network location by using the Connect drop-down box to specify a drive letter
that the path will be mapped to, and then enter a UNC path to the directory in the To
text box.
www.syngress.com
121
256_70-294_02.qxd
122
9/3/03
11:33 AM
Page 122
Chapter 2 • Working with User, Group, and Computer Accounts
Figure 2.16 Profile Tab of User’s Properties
Terminal Services Tabs
Terminal Services allows users to access applications that are run on the server. Rather than
running as independent computers, the clients that access Terminal Services act as dumb
terminals.Throughout their session with the server, users run an environment that allows
them to view and interact with programs that appear to run on the local computer but are
actually running on the Terminal Services server located on the network.
The Properties dialog box of a user provides four tabs that specifically deal with
Terminal Services: Environment, Sessions, Remote Control, and Terminal Services Profile.
As seen in Figure 2.17, the Environment tab is used to configure settings for Terminal
Service’s startup environment. By default, users receive a Windows Server 2003 desktop
when connecting using Terminal Services.The Starting program section contains fields
for specifying a particular program to run when logging on to Terminal Services. If this
option is enabled, users will receive the program instead of a desktop.When the Start the
following program at logon check box is selected, you can enter the path and executable name for the program.
The Client devices section also allows you to configure how devices on the computer
you’re working on will be dealt with.The check boxes you can check to enable these settings are:
■
Connect client drives at logon This check box causes drive letters to be
mapped to local client drives in the user’s Terminal Services session.This enables
these local drives to be accessed from the session. Remember, when you are
working in a session, you are actually working on the server, not your client.
Therefore, the drives you seen in Explorer are the drives on the server, not the
client.When this box is checked, you see both.
www.syngress.com
256_70-294_02.qxd
9/3/03
11:33 AM
Page 123
Working with User, Group, and Computer Accounts • Chapter 2
Figure 2.17 Environment Tab of User’s Properties
■
Connect client printers at logon This check box causes printers that are
configured on the client computer to be connected and available while you are
working in a Terminal Services session.
■
Default to main client printer This check box causes the default printer on
your client computer to be the default printer in your Terminal Services session.
In addition to the settings on the Environment tab, the Sessions tab is also used for
configuring Terminal Services. As seen in Figure 2.18, this tab includes numerous settings
for configuring timeout and reconnection settings for Terminal Services sessions:
■
End a disconnected session This drop-down box allows you to choose how
long a disconnected session should remain on the server. If set to Never, which is
the default setting, a disconnected session will remain on the server indefinitely. If
set to a specific time limit, the session will be terminated on the server when this
time limit is reached.
■
Active session limit This drop-down box is used to specify how long a user’s
session should remain active.The default setting is Never, meaning that the user’s
session can remain active indefinitely. If set to a limit by selecting a time from the
drop-down list, the user’s session will remain active until that time is reached. At
this time, the user is either disconnected from the session or the session is terminated, depending on what is set for the When a session limit is reached or
connection is broken option.
■
Idle session limit This drop-down box controls how long a user can remain
connected without any activity before the session ends or the user is disconnected
www.syngress.com
123
256_70-294_02.qxd
124
9/3/03
11:34 AM
Page 124
Chapter 2 • Working with User, Group, and Computer Accounts
from it, depending on what is set for the When a session limit is reached or
connection is broken option.
■
When a session limit is reached or connection is broken This option
button allows you to set what will happen when either of these situations occurs.
You can choose either Disconnect from session or End session.
■
Allow reconnection This option button allows you to control how a user can
reconnect to a disconnected session.You can choose to either reconnect From
any client or From originating client only.
NOTE
There are two ways to end a Terminal Services session. The first it is to log off. This
completely destroys the session that you were using on the server and frees up the
resources it was consuming. The second option is to disconnect. This simply breaks
the communication from your client to the Terminal Services server. It does not terminate your session, which means that it continues to consume resources on the
server. When you reconnect to a disconnected session, it appears exactly as it did
when you disconnected from it.
Figure 2.18 Sessions Tab of User’s Properties
The Remote Control tab allows you to configure remote control settings for the user,
which enables others to take over a session. By taking over the computer, the other person
can then perform actions on the remote computer, enabling that person to perform various
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 125
Working with User, Group, and Computer Accounts • Chapter 2
actions and show the user how to do certain tasks. As shown in Figure 2.19, the fields available to configure these settings are:
■
Enable remote control This check box determines whether others can control
or view a user’s session.This turns on or off remote control for a session
belonging to a user.
■
Require user’s permission This check box determines whether the user needs
to give permission to allow another user to control or view a session.
■
Level of control This option button determines how someone can use remote
control with the user’s session.The options include View the user’s session,
which only allows someone else to view what the user is doing, and Interact
with the session, which allows another user to take control of the session and
perform tasks as if he or she were sitting at the computer of the user that initiated
the session.
Figure 2.19 Remote Control Tab of User’s Properties
The Terminal Services Profile tab is similar to the Profile tab discussed earlier, except
that settings on this tab exclusively relate to a user’s Terminal Services session. As shown in
Figure 2.20, this tab provides the following fields:
■
Profile Path This text box specifies the path to the user’s profile that should be
used with Terminal Services. If no path is specified, the setting from the Profile
tab is used.
■
Terminal Services Home Folder This text box allows you to specify where
the user’s home directory that should be used during a Terminal Services session is
www.syngress.com
125
256_70-294_02.qxd
126
9/3/03
11:34 AM
Page 126
Chapter 2 • Working with User, Group, and Computer Accounts
located. As with the Profiles tab, this section provides two options.The Local
path field is used to specify a local path to a location on the Terminal Services
computer.The Connect drop-down box allows you to specify a drive letter for a
mapped drive that will be available within the session, and a UNC path to the
network location of the home directory. If no home folder is specified, the settings on the Profile tab are used.
■
Allow logon to terminal server This check box is used to enable users to
establish a Terminal Services session. It is enabled by default.
Figure 2.20 Terminal Services Profile
Security-Related Tabs
Several tabs are available through the user object’s properties that control security settings
associated with the account.These tabs are Published Certificates, Dial-in, Security, and
Member Of.Together, they allow you to manage issues related to access control and
authentication.
The Published Certificates tab provides a listing of certificates that are used by the
account, and allows you to add others. As shown in Figure 2.21, this tab allows you to view
any X.509 certificates that have been published for the user account, and includes fields that
explain who it was issued by, who it was issued to, the intended purpose of the certificate,
and its expiration date.The Add from Store button can be used to add additional certificates to the listing from the computer’s local certificate store.The Add from File button
can also be used to add a certificate from a file. If a certificate is no longer needed, you can
select the one you no longer want to be applied to the account and click the Remove
button. Finally, the Copy to File button will export the certificate that is selected in the
list to a file.
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 127
Working with User, Group, and Computer Accounts • Chapter 2
Figure 2.21 Published Certificates
The Dial-in tab allows you to configure settings that are used when the user attempts
to connect to the network remotely using a dial-up or VPN connection.These settings are
applied when the user dials in to a Windows Server 2003 remote access server or attempts
to use a VPN connection. As shown in Figure 2.22, this tab is divided into several sections
with multiple options, including:
■
Remote Access Permission (Dial-in or VPN) This option button specifies
whether the user can connect to the network via a dial-up or VPN connection.The
options in this section include Allow access, which enables dial-in or VPN remote
access; Deny access, which prohibits dial-in or VPN remote access; and Control
access through a Remote Access Policy, which is the default option and specifies that a remote access policy is used to control permission for remote access.
■
Verify Caller-ID This check box allows you to specify the telephone number
that the user must be calling from in order to establish a successful connection. It
requires hardware capable of detecting the number that the user is calling from.
■
Callback Options The configuration settings in this section are No Callback,
Set by Caller (Routing and Remote Access Service Only), and Always
Callback To. No Callback is the default option. It enables users to connect
remotely and without the use of callback.When this option is set, the user will
pay for any long distance charges. Set by Caller (Routing and Remote
Access Service Only) allows the caller to specify a telephone number that the
server will call back.When a remote connection is made, the user is prompted for
a username and password. If successfully authenticated, the settings on this tab are
checked and the user is prompted for a telephone number to be called back at.
www.syngress.com
127
256_70-294_02.qxd
128
9/3/03
11:34 AM
Page 128
Chapter 2 • Working with User, Group, and Computer Accounts
The server then disconnects and calls the user back at that number.This allows
the company to pay for any long distance fees, which typically results in cost savings. Always Callback To is the final option.This is a security, not a cost savings,
option that forces the server to call the user back at a preconfigured telephone
number. Because this setting requires the user to be at that telephone number, the
risk of unauthorized users attempting to connect remotely is reduced.
■
Assign a Static IP Address This check box assigns a specific IP address to the
user when the user connects remotely.
■
Apply Static Routes This check box places additional routes in the routing
table upon connection.
■
Static Routes This button is used to define the additional routes that will be
placed in the routing table upon connection.
Figure 2.22 Dial-In Tab
As we saw in Chapter 1, the Security tab (Figure 2.23) is used to configure what permissions other users and groups have to an object.This tab consists of two panes.The top
pane lists users and groups that have been added to the DACL for the account. It also
allows you to add or remove users and groups from the DACL. In the lower pane, you can
enable or disable specific permissions by checking a check box in the Allow or Deny
column. Special permissions can also be set for objects by clicking the Advanced button,
which displays a dialog box (seen in Figure 2.24) where additional permissions can be
applied.
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 129
Working with User, Group, and Computer Accounts • Chapter 2
Figure 2.23 Security Tab
Figure 2.24 Special Permissions Dialog Box
As seen in Figure 2.24, the Special Permissions dialog box that’s accessed through the
Advanced button of the Security tab allows you to configure advanced settings and apply
additional permissions to an account. As seen in this dialog, the Permissions tab also provides
an option labeled Allow inheritable permissions from the parent to propagate to this
object and all child objects.When this check box is checked, any permissions applied to
the parent object (which in this case would be an OU) are also applied to this account. If this
check box is unchecked, then any permissions applied at the higher level will not be applied,
and the object will only have the permissions that have been explicitly set for it.
www.syngress.com
129
256_70-294_02.qxd
130
9/3/03
11:34 AM
Page 130
Chapter 2 • Working with User, Group, and Computer Accounts
The final tab we’ll discuss is the Member Of tab. As seen in Figure 2.25, this tab provides a listing of the user’s group membership(s). By clicking the Add button, a dialog box
will appear with a list of available groups of which the user can become a member.
Selecting a group from the list on the Member Of tab and clicking the Remove button
will remove that user from the group’s membership.
Figure 2.25 Member Of Tab
At the bottom of this tab is a button called Set Primary Group, which only applies to
a limited number of users. A primary group is needed by users who use Macintosh computers, and log on to the network through File or Print Services for Macintosh.The other
users who require a primary group are users who are running POSIX-compliant applications.
EXAM WARNING
The default primary group of a new account generally doesn’t need to be changed.
The primary group for new user accounts is Domain Users, while the primary
group for new computer accounts is Domain Computers.
To fully understand how the Member Of tab affects a user’s level of security, we must
look at how groups impact a user’s access. In the section that follows, we will look at the
various groups that users can become members of, and see what each group offers.
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 131
Working with User, Group, and Computer Accounts • Chapter 2
Working with Active
3 Directory Group Accounts
EXAM
70-294
OBJECTIVE
Groups are collections of accounts that are grouped together, so that they can be granted
rights and permissions as a single unit. By using groups, you aren’t limited to granting rights
and permissions to each account individually.You can make user accounts, computer
accounts, and other groups members of a group, and grant rights and permissions to all of
them by making changes only at the group level.When a group is given permissions, privileges, or rights, what is granted to it applies to all accounts that are members of the group.
Using groups, you can perform a variety of tasks that will affect the accounts and
groups that are members.These include:
■
Assigning rights to a group account to authorize them to perform a certain task
■
Assigning permissions on shared resources to a group, so that all members can
access the resource in the same manner
■
Distributing bulk e-mail to all members of the group
As we’ll see in the sections that follow, group accounts are a powerful tool for managing large numbers of users as if they used a single account. In associating accounts with
groups, you will find that some groups will have a much larger membership than others,
and some will be used for purposes other than dealing with security issues.
Group Types
The first step in working with group accounts is deciding on the type of group you want
to create and work with. In Active Directory, there are two different types, which are used
for two different purposes:
■
Security groups
■
Distribution groups
The difference between these groups resides in how they are used. Security groups are
designed to be used for security purposes, while distribution groups are designed to be used
for sending bulk e-mail to collections of users. As we’ll see in the paragraphs that follow, the
type of group being used not only relates to its intended purpose, but how it will be handled in terms of security.
Once you create a particular type of group account, it is possible to switch its type at
any time. If you create a security group and later decide to convert it into a distribution
group (or vice versa), Active Directory will allow it depending on the domain functional
level that’s been set. If the domain functional level is set to Windows 2000 native or higher,
the conversion can take place. However, it might not be allowed if the domain is running at
the Windows 2000 mixed level.
www.syngress.com
131
256_70-294_02.qxd
132
9/3/03
11:34 AM
Page 132
Chapter 2 • Working with User, Group, and Computer Accounts
Security Groups
Security groups are what most people think of when discussing groups. A security group is
a collection of users who have specific rights and permissions to resources. Rather than
giving rights to perform certain tasks to individual users, and then setting permissions as to
what resources that user can access, the rights and permissions are applied to the group. Any
users who are members of the group then acquire this same level of security access. In
doing so, collections of users are handled as a single unit, rather than as individuals.
Although both can be applied to a group account, rights and permissions are different
from one another. Rights are assigned to users and groups, and control the actions a user or
member of a group can take. For example, a member of the Backup Operator’s group has the
ability to back up and restore data, while a member of the Administrators group has the
ability to perform almost any action. As we’ll see later in this chapter, there are a number of
security groups to which users can be added, and each of these groups provides differing
levels of access. In Windows Server 2003, rights are also sometimes called privileges.You might
have noticed this earlier when viewing the output of the command WHOAMI /ALL.
Permissions are used to control access to resources.When permissions are assigned to a
group, it determines what the members of the group can do with a particular resource. For
example, one group might only be given Read permissions to a file (so they can view but
not modify it), while another group might be given Full Control (allowing them to do
anything to the file).Through permissions, you can control the level of access a user or
group receives to a shared resource.
Security groups are able to obtain such access because they are given a SID when the
group account is first created. Because it has a SID, it can be part of a DACL, which lists
the permissions users and groups have to a resource.When the user logs on, an access token
is created that includes their SID and those of any groups of which they’re a part.When
they try to access a resource, this access token is compared to the DACL to see what permissions should be given to the user. It is through this process and the use of groups that
the user obtains more (and in some cases, less) access than has been explicitly given to his
or her account.
Another benefit of a security group is that you can send e-mail to it.When e-mail is
sent to a group, every member of the group receives the e-mail. In doing so, this saves
having to send an e-mail message to each individual user.
Distribution Groups
While security groups are used for access control, distribution groups are used for sharing
information.This type of group has nothing to do with security. It is used for distributing
e-mail messages to groups of users. Rather than sending the same message to one user after
another, distribution groups allow applications such as Microsoft Exchange to send e-mails
to collections of users.
The reason why distribution groups can’t be used for security purposes is because they
can’t be listed in DACLs.When a new distribution group is created, it isn’t given a SID,
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 133
Working with User, Group, and Computer Accounts • Chapter 2
preventing it from being listed in the DACL. Although users who are members of different
security groups can be added to a distribution group, it has no effect on the permissions
and rights associated with their accounts.
Head of the Class…
Security Groups vs. Distribution Groups
In looking at the differences between security groups and distribution groups, it
might seem confusing as to why two such groups are used. After all, both can be
used as e-mail entities where e-mail can be sent to the group with the message
being distributed to members. The reason why two types of groups are used lies in
the fact that only security groups have SIDs.
Because security groups have SIDs, they can be included in DACLs and be
given permissions to resources. Distribution groups don’t use SIDs, so they can’t be
given permissions. For this reason, you can add users to as many distribution
groups as needed, and never have to worry that they’ve accidentally been given
greater access because of their membership. If distribution groups didn’t exist, you
might add a user to a security group so he or she could receive e-mails meant for
that group, but erroneously give that user greater access than desired.
The other reason why two types of groups are used is for performance. When
security groups are used, the SID of that group is added to the access token of its
members when they log on. The more security groups a user belongs to, the longer
it will take to log on. Each security group that’s added to the access token increases
the token’s size, making the logon and subsequent resource access slower and more
resource intensive. When distribution groups are used, there is no SID for the group,
so the number of distribution groups a user is a member of has no effect on the
token’s size. Because of these issues, it is always better to use distribution groups for
e-mail needs, and security groups for collections of people who need access.
Group Scopes in Active Directory
Scope is the range that a group will extend over a domain, tree, and forest.The scope is
used to determine the level of security that will apply to a group, which users can be added
to its membership, and the resources that they will have permission to access. As we’ll discuss in the sections that follow, Active Directory provides three different scopes for groups:
■
Universal
■
Global
■
Domain Local
www.syngress.com
133
256_70-294_02.qxd
134
9/3/03
11:34 AM
Page 134
Chapter 2 • Working with User, Group, and Computer Accounts
Universal
Universal groups have the widest scope of any of the different group scopes. Members of
this group are able to contain accounts and groups from any domain in the forest, and can
be assigned permissions to resources in any domain in the forest. In other words, it is all
encompassing within any part of the forest.
Whether a universal security group can be used depends on the functional level that
the domain has been set to. Domains that have the functional level set to Windows 2000
mixed won’t allow universal security groups to be created. However, if the domain functional level is Windows 2000 native or Windows Server 2003, then universal security groups
can be created. In this situation, the group can contain user accounts, global groups, and
universal groups from any domain in the forest, and be assigned permissions to resources in
any domain. Universal distribution groups can be used at any functional level, including
Windows 2000 mixed.
Universal groups can be converted to groups with a lesser scope. Providing the group
doesn’t contain any universal groups as members, a universal group can be converted to a
global group or a domain local group. If universal groups are members of the universal
group that’s being converted, you won’t be able to perform the conversion until these
members are removed.
NOTE
Universal groups are stored in the GC, along with their membership lists. Because
of this, any change in membership triggers forestwide replication. To limit the
impact of this type of replication, Microsoft recommends using relatively static
members (such as global groups) in these groups.
Global
Global groups have a narrower scope than universal groups. A global group can contain
accounts and groups from the domain in which it is created, and be assigned permissions to
resources in any domain in a tree or forest. Because it only applies to the domain in which
it’s created, this type of group is commonly used to organize accounts that have similar
access requirements.
As we saw with universal groups, however, the members that can be part of a global
group depend on the domain functional level. If the functional level of the domain is set to
Windows 2000 mixed, then the membership of a global group can only consist of user
accounts from the same domain. If the functional level of the domain is set to Windows
2000 native or Windows Server 2003, then the global group can have user accounts and
other global groups from the same domain as members. User accounts and global groups
from other domains cannot become members of a global group.
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 135
Working with User, Group, and Computer Accounts • Chapter 2
Global groups can also be converted into a universal group, provided that the global
group isn’t a member of any other global groups. If other global groups are members of the
global group, then these must be removed before the conversion can take place.The
domain functional level must be Windows 2000 native or Windows Server 2003 to convert
to a universal security group.
Domain Local
Domain local groups also have a scope that extends to the local domain, and are used to
assign permissions to local resources.The difference between domain local and global
groups is that user accounts, global groups, and universal groups from any domain can be
added to a domain local group. Because of its limited scope, however, members can only be
assigned permissions within the domain in which this group is created.
As you might expect from the two previous scopes, the abilities of a domain local
group depends on the domain functional level. If the functional level is set to Windows
2000 mixed, then the domain local group can only contain user accounts and global groups
from any domain. It cannot contain universal groups when Windows Server 2003 is using
this level of functionality. If the functional level is set to Windows 2000 native or Windows
Server 2003, then the domain local group can contain user accounts and global groups
from any domain, as well as universal groups. In addition, it can contain other domain local
groups from the same domain.These abilities, however, have no impact on permissions. In
all cases, permissions can only be assigned to resources in the local domain.
Domain local groups can be converted to a universal group, provided that there are no
other domain local groups in its membership. If the domain local group does have other
domain local groups as members, then these must be removed from the membership before
a conversion is made.
Built-In Group Accounts
As we saw when we discussed user objects, a number of built-in accounts are automatically
created when you install Active Directory.This not only applies to user accounts, but group
accounts as well. Many of these groups have preconfigured rights, which allow members to
perform specific tasks.When users are added to these groups, they are given these rights in
addition to any assigned permissions to access resources.
The groups that are created when Active Directory is installed can be accessed through
Active Directory Users and Computers, and are located in two containers: Builtin and
Users. Although they are stored in these containers, they can be moved to other OUs
within the domain.Those in the Built-in container have a domain local scope, while those
in the Users container have either a domain local, global, or universal scope. In the paragraphs that follow, we will look at the individual groups located in each of these containers,
and see what rights they have to perform network-related tasks.
www.syngress.com
135
256_70-294_02.qxd
136
9/3/03
11:34 AM
Page 136
Chapter 2 • Working with User, Group, and Computer Accounts
Default Groups in Builtin Container
Up to 14 different built-in groups that might be located by default in the Builtin container,
including:
■
Account Operators, which allows members to manage accounts
■
Administrators, which gives members full control
■
Backup Operators, which allows members to back up and restore files
■
Guests, which gives members minimal access
■
Incoming Forest Trust Builders, which is only available in forest root domains,
and gives members permission to Create Inbound Forest Trusts
■
Network Configuration Operators, which allows members to manage network settings
■
Performance Monitor Users, which allows users to manage performance
counters and use System Monitor
■
Performance Log Users, which allows users to manage performance counters
and use Performance Logs and Alerts
■
Pre-Windows 2000 Compatible Access, which is used for backward compatibility
■
Print Operators, which allows members to manage printers
■
Remote Desktop Users, which allows members to connect to servers using
Remote Desktop
■
Replicator, which is used for replication purposes
■
Server Operators, which allows members to manage servers
■
Users, which contains every user account created in the domain
The Account Operators group is used to allow members to perform group management. Users who are part of its membership have the ability to create, modify, and delete
many of the accounts that are stored in Active Directory.They can manage accounts in any
OU except the Domain Controllers OU, or those located in the Users or Computers containers.To prevent members of this group from affecting administrator accounts, members
of the Account Operators group cannot modify the Administrators and Domain Admins
groups, or any accounts that are members of these groups.
Members of the Account Operators group also have certain abilities when dealing with
DCs in the domain in which this group is located.They can log on locally to a DC, which
means that they can physically sit at a DC and log on to it. In doing so, they could then
make modifications to the DC.They also have the ability to shut down the DC, which is
useful if there is a problem with the DC and no one else is available to restart the system.
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 137
Working with User, Group, and Computer Accounts • Chapter 2
The Administrators group is the most powerful of the groups in the Builtin container,
and has full control over the domain.This account can access DCs over the network, back
up files and directories, change system time, adjust memory quotes, create page files, load
and unload device drivers, delegate responsibility to users and computers, shut down the
system, and perform other tasks relating to accounts and DCs. By default, Domain Admins
and Enterprise Admins groups and the Administrator account are members of the
Administrators group.
The Backup Operators group is used to give members the ability to back up and
restore files on DCs. It doesn’t matter what the member’s permissions on different files are,
as they can back up and restore any file on the system. In addition, they have the ability to
log on locally to DCs and shut down the system. Due to the level of abilities attributed to
members of this group, by default there are no members when it is first created.
The Guests group is the least powerful group in the Builtin container, and has a membership that consists of accounts and groups for people who require minimal access, or
haven’t logged on using their own accounts.The Guest account and Domains Guests group
are members of this group. As you’ll recall, the Guest account is disabled by default,
meaning that when this group is initially created it has no active users.
Because of its purpose, the Incoming Forest Trust Builders group is only available in
forest root domains. Members of this group have the permission to Create Inbound Forest
Trust.This permission gives them the ability to create one-way, incoming forest trusts,
which can only be made between the root domains of two forests. A one-way trust means
that users from one forest can access resources in another forest, but not vice versa. Because
of the ability to create trusts between two domains, there are no default members in this
group when it is initially created.
As its name states, the Network Configuration Operators group is used to manage
changes to the network settings.The members in this group have the ability to renew and
release IP addresses on servers in the domain, and modify TCP/IP settings. Because this can
possibly make the server inaccessible if done incorrectly, this group has no default members,
and new members should be added with caution.
Members of the Performance Monitor Users and Performance Log Users groups are
used for managing performance counters on servers within the domain. Performance counters are used to monitor and measure elements of the DC, such as memory, hard disk, processor, network activity, and so on.These utilities are used by two related utilities in
Windows 2000 and Windows Server 2003: System Monitor, and Performance Logs and
Alerts. Both of these utilities can be accessed through the Performance console that is
available under Administrative Tools in the Windows Start menu.
Members of the Performance Monitor Users group can use System Monitor to monitor performance counters.They can view counters locally or remotely, viewing them in a
graphical or textual format. By doing so, they can determine if performance issues exist on
servers within a domain.
Members of the Performance Log Users group also have the ability to manage performance counters, but can use the Performance Logs and Alerts utility to create and view
www.syngress.com
137
256_70-294_02.qxd
138
9/3/03
11:34 AM
Page 138
Chapter 2 • Working with User, Group, and Computer Accounts
logs, and configure alerts that will notify specific users (such as administrators) if a problem
exists. For example, if the amount of free hard disk space drops below a certain level, a message can be sent to a network administrator advising of the potential problem. Members of
this group can also configure certain programs to run if the values of performance counters
exceed or fall below a specific setting.
The Pre-Windows 2000 Compatible Access group is used for backward compatibility for
older versions of Windows. Members of this group have Read access for viewing all users and
groups within the domain. Depending on the security settings chosen during the installation
of Active Directory, the Everyone group might be a member of this group; however, additional members can be added that are running Windows NT 4.0 or earlier if needed.
The Print Operators group allows members to perform tasks that are necessary in the
administration of printers. Users who are members of this group can manage printer
objects in Active Directory, and create, share, manage, and delete printers that are connected
to DCs within the domain. Because adding new printers to a server might require performing certain actions like rebooting the computer, this group also has the ability to load
and unload device drivers, and shut down the system. As with other groups discussed in this
section, the Printer Operators group has no members added to it when initially created.
The Remote Desktop Users group allows members to connect remotely to servers in
the domain. Being able to remotely log on to the DC allows them to perform actions as if
they were physically sitting at the server and working on it. Because of the power this
group gives members, it has no default members.
The Replicator group is one that should never have users added to it.This group is
used by the File Replication Service (FRS) and provides support for replicating data; therefore, it isn’t meant to have users as members.
The Server Operators group provides a great deal of power to its membership, which is
why there are no default members when it is initially created. Members of this group can
perform a number of administrative tasks on servers within the domain, including creating
and deleting shared resources, backing up and restoring files, starting and stopping services,
shutting down the system, and even formatting hard drives. Because members have the potential to cause significant damage to a DC, users should be added with caution to this group.
The Users group includes every user account that’s created in the domain as part of its
membership. By default, the Domain Users, Authenticated Users, and Interactive groups are
members of this group. By being part of this group, members are able to run applications,
access local and network printers, and perform other common tasks that are necessary for
normal job functions.
Default Groups in Users Container
In addition to the groups we’ve discussed, up to 13 built-in groups can be located by
default in the Users container, including:
■
Cert Publishers, which gives members the ability to publish certificates
■
DnsAdmins, which provides administrative access to the DNS Server service
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 139
Working with User, Group, and Computer Accounts • Chapter 2
■
DnsUpdateProxy, which provides members with the ability to perform dynamic
updates for other clients
■
Domain Admins, which gives members full control of the domain
■
Domain Computers, which includes computers that are part of the domain
■
Domain Controllers, which includes DCs
■
Domain Guests, which includes guests of the domain
■
Domain Users, which includes users of the domain
■
Enterprise Admins, which gives full control over every domain in the forest
■
Group Policy Creator Owners, which allows members to manage group policies in the domain
■
IIS_WPG, which is used by Internet Information Service (IIS)
■
RAS and IAS Servers, which allows members to manage remote access
■
Schema Admins, which allows members to modify the schema
■
Telnet Clients, which is used for clients to connect using Telnet
The Cert Publishers group is used for digital certificates, which we discussed in
Chapter 1. Although this group has no default members, when members are added to it
they have the ability to publish certificates for users and computers.This allows data to be
encrypted and decrypted when sent across the network.
The DnsAdmins and DnsUpdateProxy groups are installed when DNS is installed. Both
of these groups have no default members, but when members are added they have abilities
relating to the DNS Server service.The DnsAdmins group allows members to have administrative access to the DNS Server service.The DnsUpdateProxy group allows members to
perform dynamic DNS updates on behalf of other clients, and circumvent the DACLs that
typically accompany Secure Dynamic Updates.
The Domain Admins group has full control in a domain.This group becomes a
member of the Administrators group on each DC, workstation, and member server when
they join a domain. Because of this membership, group members have all of the rights associated with the Administrators group, including the ability to back up and restore files,
change the system time, create page files, enable accounts for delegation, shut down a computer remotely, load and unload device drivers, and perform other takes relating to administration of Active Directory and servers.
The Domain Computers and Domain Controllers groups have memberships consisting
of computers in the domain.The Domain Computers group contains all workstations and
servers that have joined a domain, except for DCs.When a computer account is created, the
computer object automatically becomes a part of this group. Similarly, the Domain
Controllers group contains all DCs that are part of the domain. Using these groups, you can
set permissions and rights that apply to the computer accounts that exist within a domain.
www.syngress.com
139
256_70-294_02.qxd
140
9/3/03
11:34 AM
Page 140
Chapter 2 • Working with User, Group, and Computer Accounts
The next two groups we’ll discuss are for users who have their own accounts, or log on
using a guest account.The Domain Guests group has a membership consisting of any
domain guests, while the Domain Users group consists of all domain users, by default. Any
user account that is created in a domain automatically becomes a member of the Domain
Users group.
Enterprise Admins is a group that appears in the forest root domain, and allows members to have full control over every domain in the forest. Members of this group are automatically added to the Administrators group on every DC in every domain of the forest. As
discussed earlier in this chapter, the Administrator account is a member of this group.
Because of the power it gives a user, additional members should be added with caution.
The Group Policy Creator Owners group is used to manage group policy within a
domain. Group policies allow you to control a user’s environment. Using policies, you can
control such things as the appearance and behavior of a user’s desktop, and limit the user’s
control over his or her computer. Members of the Group Policy Creator Owners group
can modify these policies. Due to the power these members have over users within a
domain, the Administrator account is the only default member of this group.
The IIS_WPG group is installed when IIS is installed. IIS version 6.0 uses worker processes to serve individual DNS namespaces, and allow them to run under other identities.
For example, a worker process might serve the namespace www.syngress.com, but could
also run under another identity in the IIS_WPG group called Syngress. Because these identities need configuration to apply them to a particular namespace, there are no default
members in this group.
The RAS and IAS Servers group is used for the Remote Access Service (RAS) and
Internet Authentication Service (IAS), which provide remote access to a network.The
members of this group have the ability to access the remote access properties of users in a
domain.This allows them to assist in the management of accounts that need this access.
The Schema Admins group is another group that only appears in the forest root
domain.This group allows members to modify the schema.The schema is used to define
the user classes and attributes that form the backbone of the Active Directory database. As
mentioned previously, the Administrator account is a default member of this group.
Additional users should be added with caution, due to the widespread effect this group can
have on a forest.
Creating Group Accounts
In addition to the built-in groups that are created when Active Directory and other services
are installed on DCs, you can also create group accounts to suit the needs of your organization.To create group accounts, you can use either Active Directory Users and Computers or
the DSADD command-line tool. Regardless of the method you use, only members of the
Administrators group, Account Operators group, Domain Admins group, Enterprise Admins
group, or another user or group that’s been delegated authority can create a new group.
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 141
Working with User, Group, and Computer Accounts • Chapter 2
Creating Groups Using Active
Directory Users and Computers
Creating new groups in Active Directory Users and Computers begins by selecting the
container or OU in which you want the group to be stored. Once this is done, click
Action | New | Group. Alternatively, you can right-click on the container, and select
New | Group. In either case, this will open the New Object – Group dialog box.
The New Object – Group dialog box requires a minimal amount of information to
create the new group. As shown in Figure 2.26, the Group name text box is where you
enter the Active Directory name of the group. As you enter information into this field, it
will also fill out the Group name (pre-Windows 2000) text box.This is the name that
older operating systems will use to refer to the group. By default, it is the same as the
Group name, but can be modified to any name you want within the naming rules covered previously in the chapter.
Figure 2.26 New Object Dialog Box for Creating New Groups
Below the fields designating the group’s name is a section that allows you to control
the scope. As discussed previously in this chapter, there are three different scopes for groups:
Domain local, Global, and Universal. A Security group type can only be given a universal
scope if the functionality level has been raised to Windows 2000 native or higher. If the
functionality level is Windows 2000 mixed, then the Universal option on this dialog box
will be disabled when creating a Security type group, and the only available options will be
Domain local and Global.
To the right of this section is another one that allows you to specify the type of group
you are creating.Two different types of groups can be created: Security and Distribution. As
mentioned earlier in this chapter, security groups are used to control access, while distribution groups are used by applications for sending bulk e-mail to collections of users.
www.syngress.com
141
256_70-294_02.qxd
142
9/3/03
11:34 AM
Page 142
Chapter 2 • Working with User, Group, and Computer Accounts
Once you have provided the information about the new group, click the OK button to
create the group. After clicking this button, this new object will appear in the container that
you initially selected to store the group. As we’ll see later in this chapter, you can then
modify the properties of this object to provide additional information, such as membership,
descriptions, and other factors.
Creating Groups Using the DSADD Command
As we saw earlier in this chapter, the DSADD command is a useful tool for creating accounts
from the command line. In addition to creating user accounts, you can also use it to create
groups. Creating a new group with DSADD is done by entering the following syntax:
DSADD GROUP GroupDN -samid SAMName -secgrp yes | no -scope l | g | u
When using this command, the following parameters must be entered:
■
GroupDN This parameter is used to specify the DN of the object being added to
Active Directory and where the object will be created.
■
SAMName This parameter is the NetBIOS name that will be used by preWindows 2000 computers.
■
yes | no This parameter is used to specify whether the account will be created as a
security or distribution group. If a security group is being created, then you would
enter yes. If you were going to create a distribution group, then you would enter
no.
■
l | g | u This parameter is used to specify the scope of the group. If you were
creating a domain local group, you would enter l. If you were creating a global
group, you would enter g. If you were creating a universal group, you would enter
u.
In addition to these parameters, you can also specify others by using the following
syntax:
DSADD GROUP GroupDN [-secgrp {yes | no}] [-scope {l | g | u}] [-samid
SAMName] [-desc Description] [-memberof Group ...] [-members
Member ...] [{-s Server | -d Domain}] [-u UserName] [-p {Password
| *}] [-q] [{-uc | -uco | -uci}]
These options provide a variety of settings that can be applied to the group when creating it. In addition to the ones already mentioned, the meanings of these different parameters are explained in Table 2.4.
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 143
Working with User, Group, and Computer Accounts • Chapter 2
Table 2.4 DSADD Parameters for Creating Groups
Parameter
Description
-desc Description
-memberof Group ...
Specifies the description you want to add for the group.
Specifies the groups to which this new group should be
added.
Specifies the members that should be made a part of
this group.
Specifies to connect to a remote server or domain. By
default, the computer is connected to the DC in the
logon domain.
Specifies the username to use when logging on to a
remote server. By default, the username that the user is
logged on to their local system is used. The following
formats can be used for the UserName variable:
Username
Domain\username
User principal name
Specifies the password to use when logging on to a
remote server. If an asterisk (*) is used, you will be
prompted for a password.
Specifies quiet mode, and suppresses output.
Specifies Unicode to be used for input or output. If –uc
is used, then input or output is to a pipe (|). If –uco is
used, then output is to a pipe or file. If –uci is used, then
input is from a pipe or file.
-members Member ...
{-s Server | -d Domain}
-u UserName
-p {Password | *}
-q
{-uc | -uco | -uci}
Managing Group Accounts
As we’ve seen, the DSADD command provides a number of options for configuring new
groups, while there are only a minimal number of options available when creating them
through Active Directory Users and Computers. However, most of these options can be
configured and reconfigured at any time by using the object’s properties. By modifying the
group’s properties, you can perform a variety of administrative tasks related to managing
group accounts.
Accessing the properties of a group account is done through Active Directory Users
and Computers. Select the object and click Action | Properties.You can also rightclick on the object, and select Properties in the context menu. Regardless of the method
used to display the properties, a dialog box similar to that shown in Figure 2.27 will appear.
The dialog box contains a great deal of information about the group, and a number of
options that can be configured. As seen in this figure, the title bar states the group’s name
followed by the word “Properties.” In the case of this figure, the properties being viewed are
those of a group called “Accounting Users.”The dialog also provides six different tabs,
which can be used for managing different facets of the account.
www.syngress.com
143
256_70-294_02.qxd
144
9/3/03
11:34 AM
Page 144
Chapter 2 • Working with User, Group, and Computer Accounts
The General tab, shown in Figure 2.27, allows you to modify much of the information
you provided when creating the account in Active Directory Users and Computers. On this
tab, the Group name (pre-Windows 2000) field contains the NetBIOS name that older
operating systems use to access the group. As you’ll notice, this name can be modified, so it
is different from the Active Directory group name. A group can have the name
“Accounting Users,” but have the name “Accounting” for its pre-Windows 2000 name.
Figure 2.27 General Tab in the Properties of a Group
The Description and Notes fields allow you to enter comments about this group,
which can be referred to as needed.The value of the Description field will appear in
Active Directory Users and Computers, and should describe what the group’s purpose is.
For example, if you were creating a special group for backing up files on a server, you could
enter a description that states this purpose.The Notes field also allows you to enter comments, but is used for notations about the group.This can include such information as
changes that were made to the account, members that were added, and so forth.
The Group scope section of the dialog box contains options that are used to change
the scope of the group. Domain local groups can be converted to universal groups, if
there are no other domain local groups in the membership. Global groups can also be
converted to universal groups, providing this group isn’t a member of any other global
groups. Finally, Universal groups can be converted to global groups, if there are no universal groups that are part of this group’s membership.
The Group type section is used to convert the group’s type from being a security
group to a distribution group, or vice versa. As stated previously, the Security option is
used to create a group that controls access to resources and rights to perform certain tasks,
while the Distribution option is used to create a group that is used for sending e-mail to
collections of users. Remember that whether the group is a security or distribution group,
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 145
Working with User, Group, and Computer Accounts • Chapter 2
e-mail can be sent to either group type.To enable users to send e-mail to the group, you
enter an e-mail address in the E-mail field.When a message is sent to this e-mail address,
all members in the group receive a copy.
The Members tab is used to view current group members and add new ones. As
shown in Figure 2.28, this tab provides a field that shows all current members of the group.
To add new members, you click the Add button, which opens a dialog box that allows you
to enter the names of accounts to add. Clicking OK in this dialog adds the name of the
user, computer, or group to the list on the Members tab. Removing accounts from membership is also simple. Just select the account to remove from the list, and then click the
Remove button.
Figure 2.28 Members Tab in the Properties of a Group
By clicking the Add button, the dialog box shown in Figure 2.29 appears. In this
dialog, you can search for the objects you want to add to the Members list. By clicking the
Object Types button, a dialog will appear allowing to you specify the object types you
want to find. In this dialog, you can click check boxes to specify whether to search for
Contacts, Computers, Groups, Users, or Other objects.To limit the search to only start from
a specific point in the directory structure, you can click the Locations button to open a
dialog box showing the directory tree, where you can select the point to begin the search.
Finally, the Enter the object names to select is where you would enter the name of the
object. Upon clicking OK, Active Directory will use these parameters to find the object to
add to the Membership list.
www.syngress.com
145
256_70-294_02.qxd
146
9/3/03
11:34 AM
Page 146
Chapter 2 • Working with User, Group, and Computer Accounts
Figure 2.29 Select Users, Contacts, Computers, or Groups Dialog Box
The Member Of tab, shown in Figure 2.30, is used to add this group to other existing
groups in Active Directory.This tab provides a field that lists all groups to which this group
belongs.To add this group to other groups, click the Add button to open a dialog box
where you can enter the names of the groups you’d like this one to be a member of. Upon
clicking OK, the name of the group is added to the listing on the Member Of tab.
Removing this group from membership in another group is done by selecting that group
from the list, and then clicking the Remove button.
Figure 2.30 Member Of Tab in the Properties of a Group
The Managed By tab is used to designate an account that is responsible for managing
this group.This makes it easy for users to determine who they have to contact to request
membership in the group, and how to establish contact. Checking the Manager can
update membership list check box also allows the account listed on this tab to add and
remove members from the group.To designate a manager, click the Change button and
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 147
Working with User, Group, and Computer Accounts • Chapter 2
specify the account. Once added, it will be displayed in the Name field on this tab.The
properties of this account can then be viewed by clicking the Properties button; however,
many of the commonly viewed elements of this account will automatically appear on the
tab. As shown in Figure 2.31, information such as the Office, Street, City,
State/province, Country/region, Telephone number, and Fax number will appear.
To remove this account from a managerial role, click the Clear button.
Figure 2.31 Managed By Tab in the Properties of a Group
To view information about the group, you can use the Object tab. As shown in Figure
2.32, this tab allows you to view information about this Active Directory object.The
Canonical name of object field displays the canonical name of the group, while the
fields below this provide other data that can’t be modified through the tab.The Object
class field informs you that this is a Group, and information below this tells you when it
was Created and last Modified.The Update Sequence Numbers (USNs) fields below
this shows you what the original and current update sequence numbers for this object are,
which are used by replication to ensure that all DCs have an updated copy of object information.
EXAM WARNING
USNs are an important part of replication, and are used to indicate that changes
have occurred in an object. When changes occur in an account, its USN is incremented to indicate a change has occurred.
www.syngress.com
147
256_70-294_02.qxd
148
9/3/03
11:34 AM
Page 148
Chapter 2 • Working with User, Group, and Computer Accounts
Figure 2.32 Object Tab of Group Properties
The Security tab is used to configure the permissions that other accounts have over the
group. As shown in Figure 2.33, the top pane of this tab lists users and groups with permissions over the account, while the lower pane shows the permissions of an account that’s
selected in the top pane. New accounts can be given access by clicking the Add button.
Once an account is added and selected in the top pane, you enable or disable specific permissions by selecting the check box in the Allow or Deny column. Special permissions can
also be set for objects by clicking the Advanced button.To remove an account, select the
account in the top pane and click the Remove button.
Figure 2.33 Security Tab of Group Properties
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 149
Working with User, Group, and Computer Accounts • Chapter 2
Now that we’ve seen how group accounts are created and can later be managed and
modified, let’s put this knowledge into practice in Exercise 2.03.
EXERCISE 2.03
CREATING AND MODIFYING GROUP ACCOUNTS
1. Open Active Directory Users and Computers by clicking selecting
Start | Administrative Tools | Active Directory Users and
Computers.
2. When Active Directory Users and Computers opens, expand the console
tree so that your domain and the containers within it are visible.
3. Select the TestOU OU from the console tree. From the Action menu,
select New | Group.
4. When the New Object – Group dialog box appears, enter Accounting
Users into the Group name text box.
5. Edit the Group name (pre-Windows 2000) text box so it contains the
value Accounting.
6. Select the Global option under Group scope.
7. Select the Security option under Group type.
8. Click OK to create the group.
9. Right-click on the newly created Accounting Users group, and select
Properties from the context menu.
10. On the General tab, click in the Description field and then enter
Group account for users in the Accounting department.
11. On the Members tab, click the Add button.
12. When the Select Users, Contacts, Computers, or Groups dialog box
appears, enter John Public; Jane Doe in the Enter the object names
to select text box. These are the two users you created in Exercise 2.02
separated by a semicolon.
13. Click OK to add these users. When the Members tab appears again,
the two users should now appear in the list of Members.
14. On the Member Of tab, click the Add button.
15. When the Select Groups dialog box appears, enter Backup Operators
into the Enter the object names to select text box.
16. Click OK to make this group a member of the Backup Operators group.
www.syngress.com
149
256_70-294_02.qxd
150
9/3/03
11:34 AM
Page 150
Chapter 2 • Working with User, Group, and Computer Accounts
17. Click OK to confirm these changes and exit the group Properties dialog
box.
Working with Active
3 Directory Computer Accounts
EXAM
70-294
OBJECTIVE
Computer accounts are objects that are stored in Active Directory and used to uniquely
identify computers in a domain.With computer accounts, data on the computer is stored
within Active Directory, allowing you to view information about the machine and use the
account to set privileges on resources, install applications, and perform other actions related
to its usability on the network.
Creating Computer Accounts
Computer accounts can be created in the Computers container or OUs that have been created in Active Directory.To create a new computer account, you need the same privileges
as when creating user and group accounts. Only members of the Administrators group,
Account Operators group, Domain Admins group, Enterprise Admins group, or a user or
group that has been delegated authority can create a new account. If a user has been issued
the Add workstations to a domain right, then he or she can create up to 10 computer
accounts in a domain.
NOTE
By default, normal domain users have been delegated permission to add up to 10
computers to the domain. This default limit can be changed. For more information, see Microsoft Knowledge Base article Q251335. If the administrator has
already added the computer account to Active Directory, a user can join his or her
computer to the domain without using any of the 10 delegated instances mentioned previously.
There are three different methods in which a new computer account can be created:
■
Joining a workstation to a domain using a user account that has the right to create
a new computer account in the domain
■
Creating a computer account in Active Directory Users and Computers and then
joining the workstation to the domain
■
Creating the computer account using DSADD and then joining the workstation
to the domain
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 151
Working with User, Group, and Computer Accounts • Chapter 2
While accounts can be created before a workstation is added to the domain, only minimal information about the computer will be included in the account. Once the workstation is added to the domain, data is retrieved from the computer that is added to the
account.This includes such facts as the operating system installed on the machine, the version of the operating systems, and other relevant information.
Creating Computer Accounts
by Adding a Computer to a Domain
Computer accounts can be created when adding a computer to a domain. Computers can
be added to a domain by using the same dialog box you use to change the computer’s
name. On a Windows 2000 Professional machine, this is done on the Network
Identification tab of the System Properties dialog.To access this dialog, you can right-click
the My Computer icon located on the desktop, and select Properties on the context
menu.You can also access this dialog by double-clicking the System icon in Control
Panel. Once the System Properties dialog appears, click the Properties button on the
Network Identification tab.
As shown in Figure 2.34, the dialog box that appears after clicking the Properties
button allows you to modify the name of the computer, and choose whether the computer
is part of a workgroup or domain.The Member Of section provides two options.The
Domain option enables a text box that allows you to provide the name of a domain this
computer will join.The Workgroup option enables a text box that allows you to provide
the name of a workgroup this computer will join. At any time, the computer can be
switched from being a member of a workgroup or domain. If the computer is joining a
domain where a computer account doesn’t exist for this machine, then the Computer
name field is used to specify the new Active Directory account’s name.
Figure 2.34 Identification Changes Dialog Box
www.syngress.com
151
256_70-294_02.qxd
152
9/3/03
11:34 AM
Page 152
Chapter 2 • Working with User, Group, and Computer Accounts
After entering the name of a domain this computer will join, click the OK button.The
computer then proceeds to connect to a DC for the domain you are attempting to join,
and if it finds one, a dialog box will be displayed asking you for the username and password
of an account permitted to add workstations to the domain. Once this information is provided and you click OK, the username and password you provided will be authenticated
and (if the user account has the necessary privileges) the workstation will be joined to the
domain. If a computer account already exists for the computer, then data is retrieved and
the account is updated. If no account exists, the account is created.
Creating Computer Accounts Using
Active Directory Users and Computers
Computers can also be created using Active Directory Users and Computers. Right-click
on the container or OU that you want to create the object in, and select New |
Computer. Alternatively, you can select the container or OU in which you want to create
the computer account, and then click Action | New | Computer. A dialog box similar
to the one shown in Figure 2.35 will appear.
Figure 2.35 New Object – Computer Dialog Box
The first field on this screen is used to identify the computer.The Computer name
text box is used to specify the name that you want this computer account to be called in
Active Directory.This will be the RDN of the computer.The Computer name (preWindows 2000) text box is where you would enter the NetBIOS name of this computer,
which older operating systems will use when connecting to this computer. As mentioned
before, the NetBIOS name of a computer can be up to 15 characters in length.When you
enter a value in the Computer name text box, a NetBIOS name will be suggested based
on the first 15 characters of the Computer name field. However, this can be changed to
another name.
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 153
Working with User, Group, and Computer Accounts • Chapter 2
Below this is a field that states which user or group can join the computer to the domain.
As we saw in the previous section, when the computer is added to a domain, a username and
password of a user account with the necessary rights is required. By default, the Domain
Admins group has this ability, but this can be changed.To specify another user or group, click
the Change button and enter the name of the user or group that should be given this privilege.The selected user or group will appear in the User or group field of this screen.The
final options on this screen deal with older machines in a domain.The Assign this computer account as a pre-Windows 2000 computer designates that this machine is running an older operating system, such as Windows NT.The Assign this computer account
as a backup domain controller specifies that this is a Windows NT BDC. Only Windows
NT and newer operating systems can have accounts in Active Directory.
The remaining screens require little input. Click the Next button to continue to the
screen that allows you to specify whether the computer is managed. A managed computer
is a Remote Installation Services (RIS) client. If the This is a managed computer check
box is checked, you must then enter the client computer’s globally unique identifier
(GUID). After providing this information and clicking Next, a screen will appear that offers
the following options:
■
Any available Remote Installation Services (RIS) server, which specifies
that any RIS server can provide remote installation services to this computer.
■
The following RIS server, which specifies that only designated RIS servers can
service this computer
Figure 2.36 Managed Screen of New Object – Computer
While the screen with these RIS options will appear if the computer is managed, this will
not occur if the This is a managed computer check box isn’t checked. Upon clicking
Next, you proceed to the final summary screen, which you can review before creating the
computer account. As shown in Figure 2.37, this screen informs you of what the computer
www.syngress.com
153
256_70-294_02.qxd
154
9/3/03
11:34 AM
Page 154
Chapter 2 • Working with User, Group, and Computer Accounts
will be called in Active Directory, and other information on options you chose during setup.
Click the Finish button on this screen to close the wizard and create the account.
Figure 2.37 Final Screen of New Object – Computer
EXERCISE 2.04
CREATING A NEW COMPUTER ACCOUNT
USING ACTIVE DIRECTORY USERS AND COMPUTERS
1. Open Active Directory Users and Computers by going to Start |
Administrative Tools | Active Directory Users and Computers.
2. When Active Directory Users and Computers opens, expand the console
tree so that your domain and the containers within it are visible.
3. Select the Computers container from the console tree. On the Action
menu, select New | Computer.
4. When the New Object-Computer dialog box appears, enter the name
of the computer you will be adding to the domain in the Computer
name text box. Click Next to continue.
5. Click Next to go to the final screen, and then click Finish.
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 155
Working with User, Group, and Computer Accounts • Chapter 2
Creating Computer Accounts
Using the DSADD Command
As was the case with users and groups, computer accounts can also be created using the
DSADD command.The command-line method can be used in scripts to automate the
addition computer objects to Active Directory.You can use the DSADD command to
create computer objects using the following syntax:
DSADD COMPUTER ComputerDN
In using this command, ComputerDN specifies the DN of the computer that’s being
added.This provides information on where in the directory structure this account will be
created. However, this isn’t the only parameter that’s available for DSADD. As shown in
Table 2.5, each of these parameters provides different information that is used to set up the
account.To use additional options, the following syntax can be used:
dsadd computer ComputerDN [-samid SAMName] [-desc Description] [-loc
Location] [-memberof GroupDN ...] [{-s Server | -d Domain}] [-u
UserName] [-p {Password | *}] [-q] [{-uc | -uco | -uci}]
TEST DAY TIP
Prior to Windows Server 2003, DSADD wasn’t available to use with Active
Directory. It is a new tool for creating user accounts, computer accounts, and
group accounts in Active Directory. Depending on the type of account being created, the parameters for this tool will vary. It is important to understand how this
tool works prior to taking the exam.
Table 2.5 DSADD Parameters for Creating Computers
Parameter
Description
-samid SAMName
Specifies the NetBIOS name used by preWindows 2000 computers.
Specifies a description to be used for the
account.
Specifies the location of the computer.
Specifies the groups that this new computer
account will be a member of.
Specifies a connection to a remote server or
domain. By default, the computer is connected
to the DC in the domain that the local user is
logged on to.
-desc Description
-loc Location
-memberof GroupDN
{-s Server | -d Domain}
Continued
www.syngress.com
155
256_70-294_02.qxd
156
9/3/03
11:34 AM
Page 156
Chapter 2 • Working with User, Group, and Computer Accounts
Table 2.5 DSADD Parameters for Creating Computers
Parameter
Description
-u UserName
Specifies the username to use when logging on
to a remote server. By default, the username
that the user logged on to the local system with
is used. The following formats can be used for
the UserName variable:
Username
Domain\username
User principal name
Specifies the password to use when logging on
to a remote server. If an asterisk (*) is used, you
will be prompted for a password.
Specifies quiet mode, and suppresses output
Specifies Unicode to be used for input or output.
If –uc is used, then input or output is to a pipe
(|). If –uco is used, then output is to a pipe or
file. If –uci is used, then input is from a pipe or
file.
-p {Password | *}
-q
{-uc | -uco | -uci}
Managing Computer Accounts
As seen previously, accounts can be administered through the properties of the object,
which can be accessed using Active Directory Users and Computers.To view the properties, select the object and click Action | Properties.You can also right-click on the
object, and select Properties from the context menu. Using either method, a dialog box
with nine tabs will be displayed.
The General tab of a computer account’s properties allows you to view common
information about the computer. As seen in Figure 2.38, the top of the tab displays the
name of the computer, which is also displayed in the title bar of the Properties dialog box.
Below this, the Computer name (pre-Windows 2000) field displays the NetBIOS name
of the computer, which is used by older computers to access this machine.The DNS
name field supplies information on the name used by DNS to access the computer, while
the Role field identifies the role this computer plays on the network. Finally, the
Description field allows you to enter information that describes this computer. For
example, you could specify whether it is a computer used for training purposes, development, or a particular server that provides application services (such as a Web server).
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 157
Working with User, Group, and Computer Accounts • Chapter 2
Figure 2.38 General Tab in the Properties of a Computer Account
As shown in Figure 2.39, the Operating System tab provides information about the
operating system running on the computer that has joined the domain.The Name field
provides the name of the operating system, Version provides the version of the operating
system, and Service pack displays the service pack level that has been applied to the operating system.These values are retrieved from the computer and can’t be modified.
EXAM WARNING
Information on the Operating System tab, and some of the other data that
appears in a computer account is retrieved from the computer when it joins the
domain and is refreshed periodically thereafter. Because this information is
acquired from the machine itself, it can’t be manually modified through the
account’s properties.
The Member Of tab shown in Figure 2.40 displays existing group memberships for this
computer and allows you to add the computer to groups in Active Directory. By default, it
will be a member of the Domain Computers or Domain Controllers group depending on
its network role.The computer account can be made a member of other groups by clicking
the Add button.To remove the computer from a group, select the group in the list and
click the Remove button.
www.syngress.com
157
256_70-294_02.qxd
158
9/3/03
11:34 AM
Page 158
Chapter 2 • Working with User, Group, and Computer Accounts
Figure 2.39 Operating System Tab in the Properties of a Computer Account
Figure 2.40 Member Of Tab in the Properties of a Computer Account
At the bottom of this tab is a section that allows you to set the primary group to which
the computer belongs. By default, computers are made a member of the Domain
Computers group, which is displayed in the Primary group field on this tab.To change
the primary group, you could use the Set Primary Group button, but this generally isn’t
required. Primary groups are used by Macintosh computers and POSIX-compliant applications, and aren’t required by other operating systems or applications.
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 159
Working with User, Group, and Computer Accounts • Chapter 2
The Delegation tab shown in Figure 2.41 is used to control whether services can act
on behalf of another user from this computer. Using this tab, you can specify that the
account can be used by specific services. By using the account’s credentials, they are able to
impersonate the account.This tab has three options relating to delegation:
■
Do not trust this computer for delegation The default value, and doesn’t
allow the computer to be used for delegation.
■
Trust this computer for delegation for any service (Kerberos only)
Allows any service to use the computer providing Kerberos is used.
■
Trust this computer for delegation to specified services only Only allows
the services you specify to use the computer for delegation.
When the final option is selected, two additional options become available: Use
Kerberos only and Use any authentication protocol. Use Kerberos only specifies
that delegation can only be performed if Kerberos is used for authentication, while Use
any authentication protocol allows any protocol to be used.
Figure 2.41 Delegation Tab in the Properties of a Computer Account
In addition to these options, the two buttons at the bottom will also be enabled.The
Add button can be clicked to open a dialog that allows you to specify the services that can
use the computer for delegation.This dialog is shown in Figure 2.42. By clicking the Users
or Computers button, another dialog box will open, allowing you to specify the user or
server that has these services associated with them.This will populate the Available
Services field on this screen. By selecting services in this listing or alternatively clicking
Select All, the selected services are delegated for the user or computer accounts selected.
www.syngress.com
159
256_70-294_02.qxd
160
9/3/03
11:34 AM
Page 160
Chapter 2 • Working with User, Group, and Computer Accounts
Clicking OK returns you to the Delegation tab, where the services you selected will
appear in the Delegation tab’s Services to which this account can present delegated
credentials listing. By selecting a service from this list and clicking the Remove button, a
selected service is removed from being able to use this computer.
Figure 2.42 Add Services Dialog
The Location tab of Computer Properties allows you to provide information on the
location of the computer within the organization.This tab has a single text box that allows
you to enter a location name, and a button labeled Browse. If no locations are available to
select using browse, the Browse button will be grayed out.
The Managed By tab is similar to the tab we saw earlier in Figure 2.28 when we discussed group accounts.This tab designates the user account of the contact person who is
responsible for managing the computer object.To designate a manager, click the Change
button.The specified account will be displayed in the Name field on this tab.The properties of the account in this field can be viewed by clicking the Properties button, and the
most pertinent contact information can be viewed on the Managed By tab itself.To
remove this account from a managerial role, click the Clear button.
The Object tab provides information about the object, and is similar to the tab we saw
in Figure 2.32 when discussing groups.The Canonical name of object field on this tab
shows the computer’s canonical name, while the Object class field informs you that this is
a Computer object. Below this is information on when this object was Created and last
Modified.The Update Sequence Numbers (USNs) fields below this show you the
Original and Current update sequence numbers for this object, which are used by replication to ensure that all DCs have an updated version of this object.
The Security tab is similar to the one in Figure 2.33 that we saw when discussing
group accounts.This tab is used to configure the permissions that other accounts have in
Active Directory for this computer object. As discussed previously, the top pane of this tab
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 161
Working with User, Group, and Computer Accounts • Chapter 2
lists users and groups that can be granted permissions to the account, while the lower pane
shows the permissions of an account that’s selected in the top pane.The Add button on
this tab allows you to add additional accounts for which permissions can be configured. By
selecting one of these accounts, you can then enable or disable specific permissions by
selecting a check box in the Allow or Deny column in the lower pane. Special permissions
can also be set for objects by clicking the Advanced button.To remove an account, the
Security tab also provides a Remove button, which will remove the account that is
selected in the top pane.
The final tab in a computer’s properties is the Dial-in tab.This tab is similar to the one
we saw in Figure 2.22 when we discussed user accounts. It allows you to configure settings
that are used when the computer attempts to connect to the network remotely using a
dial-up or VPN connection.The options that appear on this tab include:
■
Remote Access Permission (Dial-in or VPN) This option button specifies
whether the user can connect to the network via a dial-up or VPN connection.The
options in this section include Allow access, which enables dial-in or VPN remote
access; Deny access, which prohibits dial-in or VPN remote access; and Control
access through a Remote Access Policy, which is the default option and specifies that a remote access policy is used to control permission for remote access.
■
Verify Caller-ID This check box allows you to specify the telephone number
that the user must be calling from in order to establish a successful connection. It
requires hardware capable of detecting the number from which the user is calling.
■
Callback Options The configuration settings in this section are No Callback,
Set by Caller (Routing and Remote Access Service Only), and Always
Callback To. No Callback is the default option. It enables users to connect
remotely and without the use of callback.When this option is set, the user will
pay for any long distance charges. Set by Caller (Routing and Remote
Access Service Only) allows the caller to specify a telephone number that the
server will call back.When a remote connection is made, the user is prompted for
a username and password. If successfully authenticated, the settings on this tab are
checked and the user is prompted for a telephone number to be called back at.
The server then disconnects and calls the user back at that number.This allows
the company to pay for any long distance fees, which typically results in cost savings. Always Callback To is the final option.This is a security, not a cost savings,
option that forces the server to call the user back at a preconfigured telephone
number. Because this setting requires the user to be at that telephone number, the
risk of unauthorized users attempting to connect remotely is reduced.
■
Assign a Static IP Address This check box assigns a specific IP address to the
user when he or she connects remotely.
■
Apply Static Routes This check box places additional routes in the routing
table upon connection.
www.syngress.com
161
256_70-294_02.qxd
162
11:34 AM
Page 162
Chapter 2 • Working with User, Group, and Computer Accounts
■
EXAM
70-294
OBJECTIVE
3
9/3/03
Static Routes This button is used to define the additional routes that will be
placed in the routing table upon connection.
Managing Multiple Accounts
In the previous sections, we discussed how you can use tools for Active Directory to create
and manage individual objects. In addition to creating and modifying user accounts, computer accounts, and group accounts, you can also perform actions that affect large numbers
of accounts at once. In the sections that follow, we’ll look at how you can manage UPNs,
move objects, and how to troubleshoot problems that might result when working with
accounts in Active Directory.
Implementing User Principal Name Suffixes
As discussed earlier in this chapter, UPNs consist of a logon account name and UPN suffix,
which is connected together with an @ symbol.When combined they often look just like
an e-mail address, and can in fact be used by programs to send messages to Active Directory
accounts.The UPN is used when logging on to Windows 2000 and Windows Server 2003
domains from Window 2000 or later clients.
In Active Directory, alternative UPN suffixes can be created, so the user can log on
using a UPN suffix that is different from the name of the domain in which their user
account resides. For example, if a user had to log on to a domain with an exceptionally
long name, you could provide an alternate UPN suffix as part of the user’s UPN. In doing
so, the UPN is simplified, making it easier for users to enter it when logging on.
To add a UPN suffix, you must have the appropriate rights. UPN suffixes can only be
added by a member of the Domains Admins group in the forest root domain, a member of
the Enterprise Admins group, or a user or group that has been delegated the proper
authority.
Adding UPN suffixes is done with the Active Directory Domains and Trusts console.
This console is accessed from Start | Administrative Tools | Active Directory
Domains and Trusts. As we saw in Chapter 1, it can also be started through MMC, by
adding the Active Directory Domains and Trusts snap-in.
Once the console has opened, right-click on the Active Directory Domains and
Trusts node in the console tree, and click Properties on the context menu.The properties
can also be displayed by selecting the Active Directory Domains and Trusts node and
clicking Action | Properties. Figure 2.43 shows the Active Directory Domains and
Trusts Properties dialog box.
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 163
Working with User, Group, and Computer Accounts • Chapter 2
Figure 2.43 Active Directory Domains and Trusts Properties Dialog Box
As seen in Figure 2.43, the UPN Suffixes tab has a field called Alternative UPN
suffixes where you can enter a new UPN suffix.This doesn’t need to be a legitimate DNS
name, which has been registered or is the name of a domain in the forest.You can create
whatever name you want. Clicking the Add button after specifying a suffix adds the
domain name you entered into the field below, which lists all alternative UPN suffixes that
have been created to date. Selecting a UPN suffix from this list and clicking the Remove
button will remove a previously created UPN suffix from the list.
EXERCISE 2.05
ADDING AND USING ALTERNATIVE UPN SUFFIXES
1. From the Windows Start menu, select Administrative Tools | Active
Directory Domains and Trusts.
2. When the Active Directory Domains and Trusts console appears, select
Active Directory Domains and Trusts from the console tree.
3. From the Action menu, select the Properties menu item.
4. When the Active Directory Domains and Trusts Properties dialog box
appears, click in the Alternative UPN suffixes text box, and, enter the
alternative UPN suffix you want to use (for example, eu.syngress.com).
5. Click the Add button. The listing should now appear in the lower pane.
6. Click OK to finish and close the Active Directory Domains and Trusts
utility.
www.syngress.com
163
256_70-294_02.qxd
164
9/3/03
11:34 AM
Page 164
Chapter 2 • Working with User, Group, and Computer Accounts
7. From the Windows Start menu, select Administrative Tools | Active
Directory Users and Computers.
8. When Active Directory Users and Computers opens, expand the console
tree and then expand your domain. Once this is done, select the
TestOU container.
9. In the right pane, select the Jane Doe user that you created previously.
10. From the Action menu, select the Properties menu item.
11. When the Properties dialog box for the Jane Doe user account opens,
select the Account tab.
12. In the User logon name field, use the drop-down list to select the new
UPN suffix for this user.
13. Click OK to save the change and exit.
Moving Account Objects in Active Directory
Windows Server 2003 provides a number of tools that allow you to move objects within
domains and between them.The tools that can be used for moving objects include Active
Directory Users and Computers, and two command-line utilities. As we’ve seen, Active
Directory Users and Computers is an MMC snap-in that allows you to interact with Active
Directory through a graphical interface.The DSMOVE and MOVETREE are commandline tools that allow you to move objects by entering textual commands at the command
prompt. In the sections that follow, we will look at these tools, and see how they can be
used to move objects within and between domains.
Moving Objects with Active
Directory Users and Computers
Active Directory Users and Computers can be used to move user, computer, and group
accounts to other locations of the directory.With this tool, objects can be moved within a
domain. It can’t, however, be used to move objects to other domains.
Active Directory Users and Computers is the only tool that allows you to move
accounts using a GUI. Because it’s a graphical tool, you can move Active Directory objects
using your mouse. Select an object by holding down your left mouse button, drag the
object to a different container or OU, and release the left mouse button to drop it into the
new location.
In addition, you can also move objects within the directory by right-clicking on the
object, and selecting Move from the context menu. A dialog box will appear asking you to
choose the container or OU the object should be moved to. As seen in Figure 2.44, the
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 165
Working with User, Group, and Computer Accounts • Chapter 2
Move dialog box displays a tree that represents the directory tree. By browsing the folders
in this tree, you can select the container you want the object moved to, and then click OK
to being the move.
Figure 2.44 Move Dialog Box
When using Active Directory Users and Computers, multiple objects can be selected
and moved to other locations.You can select these objects as you would files in Windows
Explorer, by dragging your mouse over the objects to be moved.You can also select a series
of objects by holding down the Shift key as you click on objects, or select a number of
individual objects by holding down the Ctrl key as you click on them. After selecting the
objects to be moved, perform the actions we just discussed to move them to another container or OU.
Moving Objects with the DSMOVE Command
As we saw in Chapter 1, DSMOVE is used to move objects within a domain, and can be
used to rename objects. DSMOVE is a command-line utility that is used from the command prompt. Providing you don’t need to move an object to another domain, you can use
this tool to move an object to other locations in the directory tree.The syntax for using this
tool is as follows:
DSMOVE UserDN [-newparent ParentDN] -pwd {Password|*}
In using this syntax, several different parameters must be entered for moving the object.
The UserDN parameter specifies the DN of the object being moved.The –newparent switch
indicates that you are using DSMOVE to move an object, and is used with the ParentDN
variable to specify the DN of the new location.
To illustrate how this command is used, let’s say you wanted to move an object called
BuddyJ from the Sales OU in knightware.ca to the Finance OU in the same domain.To
move this object, you would use the following command:
www.syngress.com
165
256_70-294_02.qxd
166
9/3/03
11:34 AM
Page 166
Chapter 2 • Working with User, Group, and Computer Accounts
Dsmove CN=BuddyJ,OU=Sales,DC=knightware,DC=ca –newparent
OU=Finance,DC=knightware,DC=ca
TEST DAY TIP
DSMOVE is a new tool for managing Active Directory. This command-line tool will
only allow objects to be moved within a domain. For moving objects to other
domains, the MOVETREE command-line utility (which we’ll discuss later in this
chapter) must be used.
DSMOVE also provides additional parameters to perform actions such as renaming an
object, or controlling the type of input and output for this command.To review these
parameters, refer to the section on DSMOVE in Chapter 1.
Moving Objects with the MOVETREE Command
MOVETREE is the Active Directory Object Manager tool. In addition to other capabilities, it is a command-line tool that allows you to move objects to other domains in a forest.
By using this tool, you have the freedom to move a user account, computer account, group,
or OU to any location within the directory, regardless of the domain.
When an object is moved using this tool, it is first copied to the Lost and Found container before being moved to the destination domain. Objects that can’t be moved remain
in this container, so you can manage them as needed. Because orphaned data might reside
in this domain after using MOVETREE, you should check this container after performing
a move.
EXAM WARNING
The Active Directory Object Manager is MOVETREE.EXE. This tool isn’t automatically installed with Active Directory and must be installed separately with the
Active Directory Support Tools on the installation CD. This tool allows you to move
objects from one domain to another in Active Directory.
A variety of information isn’t moved with this tool.This includes data such as profiles,
logon scripts, and personal information when moving user accounts. Local groups and
global groups also aren’t moved, but membership in these groups remains unaffected so that
security involving the moved objects remains the same.
In addition to the limitations on data associated with accounts, there are also limitations
when MOVETREE is used to move OUs between domains.When an OU is moved,
group policies aren’t affected, as clients will continue to receive these settings from a link to
the policy in the original domain. In other words, although the OU is now in another
domain, clients will connect to the Group Policy Object (GPO) that is located in the origwww.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 167
Working with User, Group, and Computer Accounts • Chapter 2
inal domain. Because this can cause performance issues, it is wise to recreate these policies
in the domain where the OU has been moved, and then delete the GPO in the original
domain (which is no longer needed).
As a command-line tool, MOVETREE requires that certain parameters be used to
effectively complete operations.The syntax for MOVETREE is as follows, and the parameters are explained in Table 2.6.
MoveTree [/start | /continue | /check] [/s SrcDSA] [/d DstDSA]
[/sdn SrcDN] [/ddn DstDN] [/u Domain\Username] [/p Password]
[/quiet]
Table 2.6 Parameters for MOVETREE
Parameter
Description
/start
Specifies whether to start a move with a /check option,
or with the /startnocheck option, which starts the
operation without a check.
Specifies to continue the move after a failure.
Specifies to check the entire tree before moving an
object.
The SrcDSA variable is used to specify the FQDN of the
source server.
The DstDSA variable is used to specify the FQDN of the
destination server.
The SrcDN variable is used to specify the source subtree’s root DN.
The DstDN variable is used to specify the destination
subtree’s root DN.
Specifies the domain and user account to use for the
operation.
Specifies the password of the account to use for the
operation.
Specifies that quiet mode should be used, suppressing
output.
/continue
/check
/s SrcDSA
/d DstDSA
/sdn SrcDN
/ddn DstDN
/u Domain\Username
/p Password
/quiet
The Active Directory Object Manager tool isn’t installed with Active Directory, and
thereby isn’t initially available for use. MOVETREE is available as part of the Active
Directory Support Tools on the installation CD, and can be installed through Windows
Explorer. By accessing the Support\Tools folder on the installation CD, right-clicking on
SUPTOOLS.MSI, and then choosing Install from the menu that appears, the Windows
Support Tools Setup Wizard will start. By following the instructions in this wizard,
which are detailed in Exercise 2.06, MOVETREE and the other support tools will be
installed.
www.syngress.com
167
256_70-294_02.qxd
168
9/3/03
11:34 AM
Page 168
Chapter 2 • Working with User, Group, and Computer Accounts
EXERCISE 2.06
INSTALLING MOVETREE WITH
ACTIVE DIRECTORY SUPPORT TOOLS
1. Insert the Windows Server 2003 Server installation CD into your CDROM drive.
2. From the Windows Start menu, select Windows Explorer.
3. When Windows Explorer opens, expand the node representing your
CD-ROM drive, and then expand the Support | Tools folder.
4. When the contents of the Tools folder is displayed in the right pane,
right-click on the SUPTOOLS.MSI file and click Install in the context
menu.
5. When the Windows Support Tools Setup Wizard appears, click Next
to continue.
6. On the End User License Agreement screen, click I Agree to install
these tools, and then click Next to continue.
7. On the User Information screen, enter your name in the Name field,
and the company you work for in the Organization field. By default,
these fields will already be completed from information acquired from
Windows Server 2003 Server. Click Next to continue.
8. On the Destination Directory screen, accept the default settings, and
click Install Now to install the tools.
9. A dialog box will appear showing that files are being copied to the
folder specified in the Destination Directory screen, and being
installed on Windows Server 2003. Once completed, the final screen of
the wizard will appear, informing you that the tools were successfully
installed. Click Finish to exit the wizard and complete the installation
process.
Troubleshooting Problems with Accounts
Troubleshooting problems with accounts relies on the same methodologies and practices
involved in troubleshooting other problems in Windows Server 2003. It requires an understanding of functions, configurations, and limitations. It also requires starting at the simplest
possible solution for a problem and working up to the most complex. For example, if a
user’s account wasn’t working, you wouldn’t start by restoring Active Directory from a pre-
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 169
Working with User, Group, and Computer Accounts • Chapter 2
vious backup from when the user was able to log on.You might, however, check to see if
the account was disabled or locked out.
It is important that you determine whether the problem exists with the user who’s logging on from a computer, or with the machine itself.You’ll remember that Active Directory
uses both computer and user accounts. If a problem is resulting from the computer account,
no user will be able to perform a certain action from the machine, regardless of what user
account is used.
At times, the problems that exist in a computer account might require resetting it. If
you want to reset a computer account, in Active Directory Users and Computers, you
can right-click on the account you want to reset, and then click Reset from the menu that
appears. After a moment, a message box will appear stating that the account was reset.
Another important part of troubleshooting is determining the scope of a problem. Is
only one person experiencing a problem, or are a number of people experiencing the same
difficulties? In doing so, you can determine whether the problem is with a user or computer account, or with a group of which these members are a part.
The problem might not exist in the user’s account settings, but with DCs in the domain.
For example, if you couldn’t create security principals in Active Directory, the problem could
stem from the fact that the RID Master is unavailable.The DC that has the RID operations
master role allocates RIDs used for SIDs. Because SIDs can’t be issued to new user accounts,
computer accounts, and groups, these security principals can’t be created.
You could use the command netdom query fsmo to identify which computers are holding
single operation master roles. Once you’ve identified the DC serving in a particular master
role, you could either repair the machine, or assign the operations master role to another
machine. Before going through all this work, however, you should remember that the
reason why others can’t perform such actions might be because they don’t have the proper
rights, privileges, or permissions. In all cases, remember to start by looking at the simplest
possible solution first.
www.syngress.com
169
256_70-294_02.qxd
170
9/3/03
11:34 AM
Page 170
Chapter 2 • Working with User, Group, and Computer Accounts
Summary of Exam Objectives
In this chapter, we discussed topics relating to security principals, which are user accounts,
computer accounts, and group accounts. Each security principal is assigned a security identifier (SID) when it is created. SIDs are used to uniquely identify the account, and allow the
security principal to be used for authentication and access control.
In creating these accounts, we saw that there are a number of naming conventions and
limitations. Each account name must be under a maximum length of characters, and refrain
from including certain characters. In addition, each security principal has a relative distinguished name (RDN), distinguished name (DN), and canonical name.
User accounts, computer accounts, and group accounts can all be created using Active
Directory Users and Computers, or by using the command-line utility DSADD.While
these tools allow you to create new accounts, certain accounts are automatically created
when Active Directory is installed.The Administrator, Guest, HelpAssistant, and SUPPORT_388945a0 user accounts are examples of these, as are the numerous built-in groups
created by Active Directory upon installation.
Group accounts are collections of different accounts that are grouped together.There
are two different types of groups: security groups and distribution groups. Security groups
allow you to control the access permissions of users, while distribution groups are used by
applications for sending e-mail to all users in the group.To further control the group, different scopes can be set to determine who can join the group and what they can access. By
using groups, you can manage users as a single unit for the assignment of permissions,
rights, and privileges.
Computer accounts represent workstations, DCs, and member servers.When this type
of account is created and the computer joins the domain, information within the account is
automatically filled in with data retrieved from the machine. Using these accounts, you can
set rights, privileges, and permissions that apply to the machine, regardless of the user who
is logged on at that machine.
Active Directory Trusts and Domains is a snap-in for Microsoft Management Console
(MMC) that can be used to add alternate UPN suffixes. A UPN suffix combines with the
user’s logon name to form the user principal name (UPN). By providing an alternate UPN
suffix, users can log on with a user-friendly name that is easier to remember and use.
Objects within Active Directory can be moved within the directory tree using different
tools included with Windows Server 2003. Active Directory Users and Computers is a
graphical tool, and DSMOVE is a command-line tool, both of which allow you to move
objects within a domain.To move objects to other domains, the Active Directory Object
Manager (also called MOVETREE) can be used.
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 171
Working with User, Group, and Computer Accounts • Chapter 2
Exam Objectives Fast Track
Understanding Active Directory
Security Principal Accounts
A security principal is a user account, computer account, or group account.
Security principals are assigned security identifiers (SIDs) when they are created,
which are used to control access to resources, and used by internal processes to
identify security principals.
WHOAMI and NTDSUTIL are tools that allow you to view and manage SIDs.
WHOAMI displays information about the account, including data on SIDs for
the account and groups it is a member of. NTDSUTIL is a tool used to manage
SIDs, and can be used to locate and delete duplicate SIDs.
Every security principal makes use of specific naming conventions, and has limits
regarding the length and types of characters that can be part of the name. In
addition to this, each security principal has a relative distinguished name,
distinguished name, and canonical name .
Working with Active Directory User Accounts
User accounts are objects that allow people and services to be authenticated and
access resources.
InetOrgPerson is a class of user account that is used when migrating to Active
Directory from another directory service.
The pre-Windows 2000 (NetBIOS) name of a user account can be up to 20
characters in length.
Working with Active Directory Group Accounts
Group accounts are used to combine numerous accounts together as a single unit,
and can be managed through Active Directory Users and Computers.With
groups, you can assign rights to a group account to authorize its members to
perform a certain task, assign permissions on shared resources so that all members
can access the resources with the same level of permissions, or distribute bulk email to all members of the group.
Groups can be distribution groups or security groups.
Group accounts in Active Directory can’t have names that exceed 64 characters in
length, and can’t consist solely of numbers.
www.syngress.com
171
256_70-294_02.qxd
172
9/3/03
11:34 AM
Page 172
Chapter 2 • Working with User, Group, and Computer Accounts
Working with Active Directory Computer Accounts
Computer accounts can be created in Active Directory Users and Computers, by
using DSADD, or by adding the workstation to a domain using a user account
that has rights to create a new computer account in the domain.
DSADD allows you to create computer accounts from the command line.
DSADD can also be used to create user accounts and group accounts.
The fully qualified domain name (FQDN) of a computer can be up to 255
characters in length. The pre-Windows 2000 (NetBIOS) name can be up to 15
characters in length.
Managing Multiple Accounts
Active Directory Domains and Trusts can be used to create alternate UPN
suffixes, which allow users to log on using a more appropriate or convenient
name as part of their UPN than their domain name might have provided.
DSMOVE is a command-line utility that allows users to move accounts from one
Active Directory location within a domain to another.
MOVETREE is a command-line tool that allows objects to be moved from one
domain to another in Active Directory.
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 173
Working with User, Group, and Computer Accounts • Chapter 2
Exam Objectives
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are
designed to both measure your understanding of the Exam Objectives presented in
this chapter, and to assist you with real-life implementation of these concepts. You
will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: I deleted a computer account by mistake, and recreated it with the same information.
Now it isn’t able to access the same resources it did before.Why is this?
A: The SID has changed.When an account is deleted and then recreated, it is given a new
SID.The SID is compared to ACEs in the DACL that permits or denies access to a
resource. Since the SID has changed, it now doesn’t match the list, making it appear as
if it is a completely different account.
Q: I want to view SIDs associated with the account I’m currently logged on to the computer with.Which tool can I use to do this?
A: WHOAMI is a command-line tool that allows you to display information about the
user who is currently logged on. By typing WHOAMI /ALL, information about the
account is displayed on the screen. Here, you can view information about the username, groups, privileges, and SIDs for the user who is currently logged on.
Q: I am converting a global group to another scope.When I access the options in the
group’s properties, I find that the option for Domain local is disabled. Do I need to
change the domain functional level to have this option enabled?
A: No.This option is disabled because, regardless of the domain functional level, global
groups can’t be converted into domain local groups. Domain local and global groups
can, however, be converted into universal security groups if the domain functional level
is Windows 2000 native or higher.
Q: I want to add users to built-in groups so they can perform certain operations. In
looking at the groups available in Active Directory, I see that multiple groups have the
same rights and are able to perform some of the same tasks. How should I decide
which groups users should be added to?
A: Add users to groups that will give them the necessary rights to perform tasks, but don’t
provide more rights than are needed to do their job. For example, if you wanted a user
to perform backup and restore operations, you could add them to the Backup
Operators group. Although other accounts such as the Administrators group will also
allow this, it would give them considerably more rights than needed.
www.syngress.com
173
256_70-294_02.qxd
174
9/3/03
11:34 AM
Page 174
Chapter 2 • Working with User, Group, and Computer Accounts
Q: I haven’t created an account for a computer in Active Directory yet, but want to have
one created when I join the computer to the domain. After changing the computer’s
properties to join the domain, I’m presented with a dialog box that asks for a username
and password. I’m logged on to the machine using the local Administrator account for
the computer.Why is this dialog box appearing?
A: The dialog box is requesting the username and password of a domain user account with
appropriate rights to create the account.The Administrator account for the workstation
is a local account that has nothing to do with Active Directory. It only provides administrator access to the local computer.
Self Test
A Quick Answer Key follows the Self Test questions. For complete questions, answers,
and explanations to the Self Test questions in this chapter as well as the other
chapters in this book, see the Self Test Appendix.
Understanding Active Directory
Security Principal Accounts
1. You create a new user account and assign it permissions to resources.When this
account is created, a SID is given to the account to uniquely identify it.When the
user logs on and attempts to access one of these resources, which of the following will
the SID be compared to when determining access?
A. Access token
B. SACL
C. DACL
D. SID
2. A user attempts to access a resource, and entries in the ACL are analyzed to match the
SID.The system examines the entire ACL, but no match is found.Which of the following will occur?
A. The user will be denied access.
B. The user will be granted access.
C. The account will be disabled.
D. Each ACE in the ACL will be read until a match is eventually found.
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 175
Working with User, Group, and Computer Accounts • Chapter 2
3. A RID server has temporarily gone offline. During this time, you seize the RID
Master role on another DC. After the original RID server becomes available again,
you are concerned that duplicate SIDs might now exist for objects in Active
Directory.Which of the following tools would you use to find and delete duplicates?
A. Active Directory Users and Computers
B. MOVETREE
C. WHOAMI
D. NTDSUTIL
Working with Active Directory User Accounts
4. You want to use Remote Assistance to help users with problems by connecting to
their machine and taking control of it remotely.When this action is performed, which
of the following accounts is automatically created and used?
A. HelpAssistant
B. Support_388945a0
C. Guest
D. InetOrgPerson
5. Your network consists of an Active Directory domain with DCs running Windows
Server 2003 and another network running Novell NetWare.You are preparing to
migrate the Novell NetWare network to Windows Server 2003, but want to use an
account that will connect the directory services of these two networks together.
Which of the following class of user account will you create?
A. HelpAssistant
B. Support_388945a0
C. InetOrgPerson
D. None. A regular user account should be created.
6. You are configuring a user account to use Terminal Services.Which of the following
tabs on the user’s account would you use to configure this user?
A. General, Address, Organization
B. Terminal Services Profile, Profile, Account
C. Environment, Sessions, Remote Control
D. Published Certificates, Member Of, Object
www.syngress.com
175
256_70-294_02.qxd
176
9/3/03
11:34 AM
Page 176
Chapter 2 • Working with User, Group, and Computer Accounts
Working with Active Directory Group Accounts
7. You are creating a new group in Active Directory. In creating this group, you want
users to be able to send e-mail to the group so that all members receive a copy of the
message.Which type of group could be used for this purpose?
A. Security
B. Distribution
C. Both security and distribution
D. Neither security nor distribution
8. You created a new domain using DCs that are all running Windows Server 2003.The
domain is part of a forest consisting of the domain you belong to, and three other
domains. Each of these three other domains uses a Windows 2000 native functional
level.The domain you belong to is running at the default domain functional level, and
Active Directory has been configured so that all users in the domain have their own
account.When adding users and groups to the groups you created, you decide that
you want to change the scope of the Accounting and Sales groups.Which of the following must be taken into account when changes are made to these groups? (Choose
all that apply.)
A. If the group has a domain local scope, it cannot contain universal groups.
B. Domain local groups can be converted to universal groups.
C. Global groups can be converted to universal groups.
D. None of the groups in the domain can be universal groups.
9. Your network consists of several domains in a forest that has been set to Windows
Server 2003 forest functionality.You are preparing to create a group that will contain
user accounts from this domain and other domains, and will be used to access
resources located in several of these domains.What will be the scope of the group you
create?
A. Universal
B. Global
C. Domain local
D. Distribution
10. You are an administrator in the domain dev.knightware.ca, which is a child domain
beneath the forest root domain knightware.ca.You want to provide a user in this
domain with the ability to create a forest trust between the dev.knightware.ca domain
and the domain bookworms.ca.Which of the following built-in groups would you
add this user to so he can create such a trust?
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 177
Working with User, Group, and Computer Accounts • Chapter 2
A. Incoming Forest Trust Builders
B. Administrator
C. Account Operators
D. None of the above
Working with Active Directory Computer Accounts
11. You want a new member of the IT staff to be able to create new computer accounts
using Active Directory Users and Computers.Which of the following groups has the
appropriate rights to create a computer account? (Choose all that apply.)
A. Backup Operators
B. Account Operators
C. Domain Admins
D. Domain Users
12. You have given a user the Add workstations to a domain right, so he can have his
computer join the domain. In giving the user this right, how many computer
accounts can the user create?
A. 1
B. 10
C. Unlimited
D. None
13. A new computer account is created in Active Directory Users and Computers for a
workstation running Windows 2000 Professional.When viewing its properties, you
check the Member Of tab and see that it is already included in the membership of a
group.Which of the following groups is this account a member of?
A. Domain Users
B. Domain Computers
C. Domain Controllers
D. Enterprise Admins
www.syngress.com
177
256_70-294_02.qxd
178
9/3/03
11:34 AM
Page 178
Chapter 2 • Working with User, Group, and Computer Accounts
Managing Multiple Accounts
14. Your company has an external DNS domain that is used for the company’s Web site,
and an internal DNS domain that is used for the network.The external DNS domain
is hosted on a UNIX server that hosts the company’s Web site.The Web site using this
external domain name is well known, and due to its popularity, users are confused as
to which domain to log on to.Which of the following can you do to allow users to
log on to the internal network using the external domain name?
A. Use DSADD to add users to the external DNS domain.
B. Use MOVETREE to add users to the external DNS domain.
C. Use Active Directory Users and Computers to create an alternate UPN suffix.
D. Use Active Directory Domains and Trusts to create an alternate UPN suffix.
15. You want to move a user account from an OU located in one domain, to an OU
located in another domain.Which of the following tools will you use to perform this
task?
A. Active Directory Users and Computers
B. Active Directory Domains and Trusts
C. DSMOVE
D. MOVETREE
www.syngress.com
256_70-294_02.qxd
9/3/03
11:34 AM
Page 179
Working with User, Group, and Computer Accounts • Chapter 2
Self Test Quick Answer Key
For complete questions, answers, and explanations to the Self Test questions in this
chapter as well as the other chapters in this book, see the Self Test Appendix.
1. C
9. A
2. A
10. D
3. D
11. B, C
4. A
12. B
5. C
13. B
6. C
14. D
7. C
15. D
8. A, D
www.syngress.com
179
256_70-294_02.qxd
9/3/03
11:34 AM
Page 180
256_70-294_03.qxd
9/5/03
1:07 PM
Page 181
Chapter 3
MCSE/MCSA 70-294
Creating User and
Group Strategies
Exam Objectives in this Chapter:
3.1
Plan a security group strategy.
3.2
Plan a user authentication strategy.
3.2.1
Plan a smart card authentication strategy.
3.2.2
Create a password policy for domain users.
Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions
Self Test
Self Test Quick Answer Key
181
256_70-294_03.qxd
182
9/5/03
1:07 PM
Page 182
Chapter 3 • Creating User and Group Strategies
Introduction
Knowing how to create users and groups and the procedures for moving and managing
them is only half the battle when it comes to effectively using these security objects on the
network.The network administrator must also be able to develop strategies for authenticating the identity of anyone who uses network resources, and plan for how to use groups
most effectively to provide the security and access needed.
In today’s connected world, proof of your identity is often required to ensure that
someone else is not trying to use your identity. It used to be that a username and password
were sufficient to authenticate someone to a network. However, password authentication is
only the first step in true authentication of a user’s identity in today’s environment.You
must have a well-defined password policy, which includes account lockout, password rotation, and other options to ensure limited access to your network. In this chapter, we
develop a password policy for your Windows Server 2003 network. However, sometimes
passwords and password policies are not enough, and we have to take authentication to the
next plateau.
Tools such as biometric devices, token devices, voice identification, and smart cards are
becoming much more mainstream for user authentication as the price continues to drop
and acceptance continues to rise. If you have ever seen a large data center, you have probably seen biometric tools such as thumbprint or palm scanners at entryways. Other sites use
smart card readers for access to public computer kiosks. For example, Sun Microsystems
requires the use of smart cards for students to sign into class each day. Each student is
assigned a smart card and a four-digit personal identification number (PIN) that they must
use to sign in.
In Windows Server 2003 and Windows XP, Microsoft has implemented smart card
technology into the operating system as well as Active Directory to provide you with
enhanced authentication abilities, and add security to your network. As a Windows Server
2003 MCSE, you are required to understand how to implement smart card technologies
and manage resources using smart cards.
An effective authentication strategy works hand in hand with a security group strategy.
A well-designed group strategy will ensure that users receive only the appropriate level of
access to resources on the network. It will also reduce the workload of the administrator
and make it easier to manage large numbers of users. Microsoft has a number of fairly complicated models that you will be expected to follow when designing group strategy in an
Active Directory environment.
Creating a Password
Policy for Domain Users
Since they are largely created and managed by end users, passwords have the potential to be
the weakest link in any network security implementation.You can install all the high-powered firewall hardware and virtual private network (VPN) clients you like, but if your vice
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 183
Creating User and Group Strategies • Chapter 3
president of sales uses the name of her pet St. Bernard as her password for the customer
database system, all your preventative measures might be rendered useless. Since passwords
are the “keys to the kingdom” of any computer system, the database that Windows Server
2003 uses to store password information will be a common attack vector for anyone
attempting to hack your network. Luckily,Windows Server 2003 offers several means to
secure passwords on your network. A combination of technical measures, along with a
healthy dose of user training and awareness, will go a long way toward protecting the security of your network systems.
Creating an Extensive Defense Model
In modern computer security, a system administrator needs to create a security plan that
uses many different mechanisms to protect a network from unauthorized access. Rather
than relying solely on a hardware firewall and nothing else, defense in depth would also use
strong passwords as well as other mechanisms on local client PCs, in the event that the firewall is compromised.The idea is to create a series of security mechanisms so that if one is
circumvented, other systems and procedures are in place to help impede an attacker.
Microsoft refers to this practice as an extensive defense model.The key points of this model
are the following:
■
A viable security plan needs to begin and end with user awareness, since a technical mechanism is only as effective as the extent to which the users on your network adhere to it. As an administrator, you need to educate your users about how
to best protect their accounts from unauthorized attacks.This can include advice
about not sharing passwords, not writing passwords down or leaving them otherwise accessible, and making sure to lock a workstation if the user needs to leave it
unattended for any length of time.You can spread security awareness information
via e-mail, posters in employee break areas, printed memos, or any other medium
that will get your users’ attention.
■
Use the system key utility (syskey) on all critical machines on your network.This
utility, discussed later in this chapter, provides additional encryption for password
information that is stored in the Security Accounts Manager (SAM) and Active
Directory databases.
■
Educate your users about the potential hazards of selecting the Save My Password
feature or any similar feature on mission-critical applications, such as remote
access or VPN clients. Make sure that users understand that the convenience of
saving passwords on a local workstation is far outweighed by the potential security
risk if the workstation becomes compromised.
■
If you need to create one or more service accounts for applications to use, make
sure that these accounts have different passwords. Otherwise, compromise of one
account might leave multiple network applications open to attack.
www.syngress.com
183
256_70-294_03.qxd
184
9/5/03
1:07 PM
Page 184
Chapter 3 • Creating User and Group Strategies
■
If you suspect that a user account has been compromised, change the password
immediately. If possible, consider renaming the account entirely, since it is now a
known attack vector.
■
Create a password policy and/or account lockout policy that is appropriate to
your organization’s needs. It’s important to strike a balance between security and
usability in designing these types of account policies. For example, a 23-character
minimum password length might seem like a good security measure on paper, but
any security offered by such a decision will be rendered worthless when your
users leave their impossible-to-remember 23-character passwords pasted to their
monitors on sticky notes.
Strong Passwords
In discussing security awareness with your user community, one of the most critical issues
to consider is that of password strength. A weak password will provide potential attackers
with easy access to your users’ computers, and consequently the rest of your company’s network.Well-formed passwords will be significantly more difficult to decipher. Even though
password-cracking utilities continue to evolve and improve, educating your users regarding
the importance of strong passwords will provide additional security for your network’s
computing resources.
According to Microsoft, a weak password is one that contains any portion of your name,
your company’s name, or your network logon ID. For example, if a username was assigned as
JSmith, and the user’s password was Smith12!@!, that would be considered a weak password. A
password that contains any complete dictionary word—password, thunder, protocol—is also considered weak. It should be understood that blank passwords are weak as well.
By comparison, a strong password will not contain any reference to your username,
personal information, company name, or any word found in the dictionary. Strong passwords should also be at least seven characters long and contain characters from each of the
following groups:
■
Uppercase letters A, B, C …
■
Lowercase letters z, y, x …
■
Numeric digits 0, 1, 2, 3, 4, 5, 6, 7, 8, or 9
■
Non-alphanumeric characters !, *, $, }, etc.
Each strong password should be appreciably different from any previous passwords that
the user has created. P!234abc, Q!234abc, and R!234abc, although each meeting the described
password criteria, would not be considered strong passwords when viewed as a whole.To further complicate matters, an individual password can still be weak even though it meets the
criteria. For example, IloveU123! would be a fairly simple password to crack, even though it
possesses the length and character complexity requirements of a strong password.
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 185
Creating User and Group Strategies • Chapter 3
System Key Utility
Most password-cracking software used in attacking computer networks attempts to target
the SAM database or the Active Directory database in order to access passwords for user
accounts.To secure your password information, you should use the system key utility (the
syskey.exe file itself is located in the %systemroot%\System32 directory by default) on every
critical machine that you administer.This utility provides additional encryption for password information, which provides an extra line of defense against would-be attackers.To
use this utility on a workstation or member server, you must be a member of the local
Administrators group on the machine in question. If the machine is a member of a domain,
remember that the Domain Admins group is a member of the local Administrators group
by default. On a domain controller (DC), you need to be a member of the Domain Admins
or Enterprise Admins group.
TEST DAY TIP
On workstations and member servers, password information is stored within the
computer’s Registry. Domain controllers integrate password information into the
Active Directory database that is replicated between domain controllers.
In Exercise 3.01, we go through the steps in enabling the system key utility on a
Windows Server 2003 server.
EXERCISE 3.01
CREATING A SYSTEM KEY
1. From the Windows Server 2003 server desktop, click Start | Run, then
type syskey and click OK. You’ll see the screen shown in Figure 3.1.
Figure 3.1 Enabling syskey Encryption
www.syngress.com
185
256_70-294_03.qxd
186
9/5/03
1:07 PM
Page 186
Chapter 3 • Creating User and Group Strategies
2. As shown in Figure 3.1, select Encryption Enabled, and then click
Update.
3. Choose from the security options shown in Figure 3.2. The various
options available to you are as follows:
Figure 3.2 Selecting syskey Encryption Options
■
Password Startup This choice encrypts the account password information and stores the associated key on the local computer. You will
also need to select a password that will be used to further protect
the key. You’ll need to enter this password during the computer’s
boot sequence. This is a more secure option than storing the startup
key locally without requiring a password, because the password used
to secure the system key isn’t stored anywhere on the local computer.
The drawback to this method is that an administrator must be present to enter the syskey password whenever the machine is rebooted,
which might make this a less attractive option for a remote machine
that requires frequent reboots.
■
System Generated Password, Store Startup Key on Floppy Disk
This option stores the system key on a separate diskette, which
must be inserted during the system startup. This is the most secure
of the three possible options, since the system key itself is not
stored anywhere on the local computer and the machine will not
be able to boot without the diskette that contains the system key.
■
System Generated Password, Store Startup Key Locally This
choice encrypts the SAM or Active Directory password information
using a random key that’s stored on the local computer. You can
reboot the machine without being prompted for a password or a
diskette. However, if the physical machine is compromised, the
system key can be modified or destroyed. Of the three possible
options when using syskey, this is the least secure.
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 187
Creating User and Group Strategies • Chapter 3
EXAM WARNING
If you lose the diskette or forget the password that you created when you ran
syskey, you won’t be able to boot the computer in question without restoring the
Registry or the Active Directory database from a point before you implemented
syskey.
4. Once you have selected the option you want, click OK to finish
encrypting the account information. You’ll see the confirmation message shown in Figure 3.3.
Figure 3.3 Confirmation of syskey Success
Defining a Password Policy
Using Active Directory, you can create a policy to enforce consistent password standards across
your entire organization.The options you can specify include: how often passwords must be
changed, the number of unique passwords a user must use before being able to reuse one, and
the complexity level of passwords that are acceptable on your network. Additionally, you can
specify an account lockout policy that will prevent users from logging on after a specified
number of incorrect logon attempts. In this section, we discuss the steps necessary to enforce
password and account lockout policies on a Windows Server 2003 network.
TEST DAY TIP
To create or edit a password policy or an account lockout policy, you must be
logged on as a member of the Domain Admins or Enterprise Admins group.
Applying a Password Policy
In Exercise 3.02, we discuss how to establish a password policy for your Windows Server
2003 domain.
www.syngress.com
187
256_70-294_03.qxd
188
9/5/03
1:07 PM
Page 188
Chapter 3 • Creating User and Group Strategies
EXERCISE 3.02
CREATING A DOMAIN PASSWORD POLICY
1. From the Windows Server 2003 desktop, open Start | Administrative
Tools | Active Directory Users and Computers. Right-click the domain
that you want to set a password policy for, and select Properties.
2. Select the Group Policy tab, followed by the Default Domain Policy,
as shown in Figure 3.4. Click the Edit button.
Figure 3.4 The Group Policy Tab
3. Navigate to Computer Configuration | Windows Settings | Security
Settings | Account Policies | Password Policy. You’ll see the screen
shown in Figure 3.5.
Figure 3.5 Configuring Password Policy Settings
Using password policies, you can configure the following settings:
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 189
Creating User and Group Strategies • Chapter 3
■
Enforce password history This option allows you to define the
number of unique passwords that Windows will retain. This prevents users from using the same passwords again when their passwords expire. Setting this number to at least three prevents users
from alternating between two passwords when they’re prompted
to change their passwords.
■
Maximum password age This setting defines how frequently
Windows will prompt your users to change their passwords.
■
Minimum password age This setting ensures that passwords
cannot be changed until they are more than a certain number of
days old. This works in conjunction with the first setting by preventing users from repeatedly changing their passwords in an effort
to circumvent the “Enforce password history” policy. For example, if
you specify that password history is enforced and set the number of
remembered passwords at 5, a user can simply change his or her
password six times in rapid succession and reuse a favorite password.
■
Minimum password length This option dictates the shortest
allowable length that a user’s password can be. Remember that
longer passwords are typically stronger than shorter ones. Enabling
this setting also prevents users from setting a blank password.
■
Password must meet complexity requirements This policy setting, when activated, forces any new passwords created on your
network to meet the following requirements: minimum of six characters in length, containing three of the following: uppercase letters, lowercase letters, numeric digits, and non-alphanumeric
characters such as %, !, and [.
■
Store passwords using reversible encryption This option stores a
copy of the user’s password within the Active Directory database
using reversible (cleartext) encryption. This is required for certain
message digest functions and authentication protocols to work
properly. This policy is disabled by default and should be enabled
only if you are certain that your environment requires it.
4. For each item that you want to configure, right-click the item and select
Properties. In this case, we’re enforcing a password history of three
passwords. In the screen shown in Figure 3.6, place a check mark next to
Define this policy setting, and then enter the appropriate value.
www.syngress.com
189
256_70-294_03.qxd
190
9/5/03
1:07 PM
Page 190
Chapter 3 • Creating User and Group Strategies
Figure 3.6 Defining the Password History Policy
Modifying a Password Policy
You can modify an existing Windows Server 2003 password policy by navigating to the
policy section listed in the previous exercise and making the changes. New and modified
password policies are only enforced when passwords are changed.Therefore, altering password policy does not place an immediate burden on users.Typically, users won’t notice the
policy change until their passwords expire and they are forced to set new ones. If you need
to ensure that all passwords are forced to comply with the new policy, you can set the User
must change password at next logon option in the properties of the user accounts you
administer.
Applying an Account Lockout Policy
In addition to setting password policies, you can configure your network so that user
accounts will be locked out after a certain number of incorrect logon attempts.This can be
a soft lockout, in which the account will be re-enabled after an administrator specified period
of time. Alternatively, it can be a hard lockout in which user accounts can only be re-enabled
by the manual intervention of an administrator. Before implementing an account lockout
policy, you need to understand the potential implications for your network.
An account lockout policy will increase the likelihood of deterring a potential attack
against your network, but you also run the risk of locking out authorized users.You need to
set the lockout threshold high enough so that authorized users will not be locked out of their
accounts due to simple human error, such as mistyping their passwords before they’ve had
their morning coffee.Three to five is a common threshold.You should also remember that if a
user changes his or her password on Computer A while already logged on to Computer B,
the session on Computer B will continue to attempt to log on using the old (now incorrect)
password.This will eventually lock out the user account and can be a common occurrence,
especially in the case of service and administrative accounts. Exercise 3.03 details the necessary
steps in configuring account lockout policy settings for your domain.
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 191
Creating User and Group Strategies • Chapter 3
EXAM WARNING
The issue of password synchronization described in the previous paragraph is not
an issue for organizations that are only running Windows Server 2003 operating
systems.
EXERCISE 3.03
CREATING AN ACCOUNT LOCKOUT POLICY
1. From the Windows Server 2003 desktop, click Start | Administrative
Tools | Active Directory Users and Computers.
2. Right-click the domain you want to administer, and then select
Properties.
3. Select the Default Domain Policy, and click the Edit button.
4. Navigate to the account lockout policy by clicking Computer
Configuration | Windows Settings | Security Settings | Account
Policies | Account Lockout Policy. You’ll see the screen shown in
Figure 3.7.
Figure 3.7 Account Lockout Policy Objects
Using Account Lockout Policy, you can configure the following settings:
■
Account lockout duration This option determines the amount of
time that a locked-out account will remain inaccessible. Setting this
option to 0 means that the account will remain locked out until an
administrator manually unlocks it. Select a lockout duration that
will deter intruders without crippling your authorized users; 30 to
60 minutes is sufficient for most environments.
www.syngress.com
191
256_70-294_03.qxd
192
9/5/03
1:07 PM
Page 192
Chapter 3 • Creating User and Group Strategies
■
Account lockout threshold This option determines the number of
invalid logon attempts that can occur before an account will be
locked out. Setting this option to 0 means that accounts on your
network will never be locked out.
■
Reset account lockout counter after This option defines the
amount of time in minutes after a bad logon attempt that the
“counter” will reset. If this value is set to 45 minutes, and user
jsmith types his password incorrectly two times before logging on
successfully, his running tally of failed logon attempts will reset to 0
after 45 minutes have elapsed. Be careful not to set this option too
high, or your users could lock themselves out through simple typographical errors.
5. For each item that you want to configure, right-click the item and
select Properties. To illustrate, we create an Account lockout threshold
of three invalid logon attempts. In the screen shown in Figure 3.8,
place a check mark next to Define this policy setting, and then enter
the appropriate value.
Figure 3.8 Configuring the Account Lockout Threshold
Creating User Authentication Strategies
Any well-formed security model needs to address the following three topics: authentication,
authorization, and accounting (or auditing). Authentication deals with who a person is,
authorization centers around what an authenticated user is permitted to do, and
accounting/auditing is concerned with tracking who did what to a file, service, or other
resource.Windows Server 2003 addresses all three facets of this security model, beginning
with the user authentication strategies that we discuss in this chapter.
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 193
Creating User and Group Strategies • Chapter 3
Regardless of which protocol or technical mechanism is used, all authentication
schemes need to meet the same basic requirement of verifying that a user or other network
object is in fact who or what it claims to be.This can include verifying a digital signature
on a file or hard drive, or verifying the identity of a user or computer that is attempting to
access a resource.Windows Server 2003 offers several protocols and mechanisms to perform
this verification, including (but not limited to) the following:
■
Kerberos
■
NT LAN Manager (NTLM)
■
Secure Sockets Layer/Transport Security Layer (SSL/TLS)
■
Digest authentication
■
Smart cards
The following sections cover the details of each authentication mechanism available
with Windows Server 2003, and the appropriate use for each.The most common authentication mechanism dates back to mainframe computing, password authentication.This occurs
when the user supplies a password to a server or host computer and the server compares
the supplied password with the information that it has stored in association with the user or
resource in question. In the case of users, if the two passwords match, the system permits
the user to log on. Concerns regarding password authentication have largely been connected with ensuring that user passwords are not transmitted in an easily intercepted and
decipherable form over a network connection. In fact, many modern password authentication schemes, such as NTLM and Kerberos, never transmit the actual user password at all.
An issue that is more difficult to address is user education. Even after a great deal of
effort has been put into teaching users the importance of strong passwords, many still use
relatively weak passwords for convenience. In a world of increasingly connected computing
systems, the importance of creating strong password policies as part of your network’s security plan cannot be overstated.To assist in this task,Windows Server 2003 allows you to
establish password policies that mandate the use of strong, complex passwords, as discussed
earlier in the chapter.You can also require that your users log on using smart cards, a topic
that we cover in depth in a later section.
Need for Authentication
User authentication is a necessary first step within any network security infrastructure because
it establishes the identity of the user.Without this key piece of information,Windows Server
2003 access control and auditing capabilities would not be able to function. Once you understand how the various authentication systems operate, you’ll be able to use this information to
create an effective user authentication strategy for your network.The location of your users,
whether they are connected to the LAN via a high-speed network connection or a simple
dial-up line, and the client and server operating systems in use throughout your organization
will dictate the appropriate authentication strategy for your users.
www.syngress.com
193
256_70-294_03.qxd
194
9/5/03
1:07 PM
Page 194
Chapter 3 • Creating User and Group Strategies
Keep in mind as we go along that a fully functional authentication strategy will almost
certainly involve a combination of the methods and protocols. A single solution will not
meet the needs of an enterprise organization.Your goal as a network administrator is to
create an authentication strategy that provides the optimum security for your users while
allowing you to administer the network as efficiently as possible.
Single Sign-On
A key feature of Windows Server 2003 is support for single sign-on, an authentication
mechanism that allows your domain users to authenticate with any computer in the
domain, while only providing their logon credentials one time.This system allows network
administrators to manage a single account for each user, rather than dealing with the
administrative overhead of maintaining multiple user accounts for each server. It also provides greatly enhanced convenience for network users, because needing to maintain only a
single password or smart card makes the network logon process much simpler.
Whether your network authentication relies on single sign-on or not, any authentication scheme is a two-step process. At the very least, the user must perform an interactive
logon in order to access the local computer. If network access is required, network authentication will allow the user to access needed network services and resources. In this section, we
examine both of these processes in detail.
Interactive Logon
A network user performs an interactive logon when presenting valid network credentials to
the operating system of the physical computer the user is attempting to logon to—usually a
desktop workstation.The logon name and password can either be a local user account or a
domain account.When logging on using a local computer account, the user presents credentials that are stored in the SAM database on the local machine. Every Windows NT,
2000, and Server 2003 workstation, stand-alone server, or member server has a SAM
database that is used for this purpose. Accounts stored in a SAM database can only be used
for access to that specific computer.
When using a domain account, the user’s logon information is authenticated against the
Active Directory database.This allows the user to gain access to not only the local workstation but also to all resources he or she has been granted permission to use in the domain
and any trusting domains. In this case, the user’s domain account works in conjunction with
the workstation’s SAM database.The user authenticates to the domain, but is allowed to
access the local computer because his or her domain account has the appropriate permissions and rights locally.This is typically done when the workstation joins the domain,
through group membership. For example, the Domain Users global group in Active
Directory is added to the local Users group on the workstation. Because all domain user
accounts are members of the Domain Users group by default, they also inherit access to the
local computer through this group’s membership in the local Users group.
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 195
Creating User and Group Strategies • Chapter 3
Network Authentication
Once a user has gained access to a physical workstation, it’s almost inevitable that the user
will require access to files, applications, or services hosted by other machines on the LAN
or WAN. Network authentication is the mechanism that confirms the user’s identity to whatever network resource the user attempts to access.Windows Server 2003 provides several
mechanisms to enable this type of authentication, including Kerberos and NTLM.
Using the previous description of interactive logons, users who log on using a local
computer account must provide logon credentials each time they attempt to access a network resource.This occurs because the local computer account only exists within the individual computer’s SAM database rather than a centrally managed directory service like
Active Directory.
On the other hand, if the user logs on using a domain account, the user’s identity is
proven by domain level authentication mechanisms that are automatically submitted to any
network services the user is requesting to access.The mechanism used depends on the configuration of the network and the operating systems involved. Because this happens in the
background, the network authentication process is transparent to users in an Active
Directory environment.The network operating system handles everything behind the
scenes without the need for user intervention.This feature provides the foundations for
single sign-on in a Windows Server 2003 environment by allowing users to access resources
in their own domains as well as other trusted domains.
TEST DAY TIP
Network authentication using a domain account can be accomplished via a username and password or with a smart card device.
Authentication Types
Windows Server 2003 offers several different authentication types to meet the needs of a
diverse user base.The default authentication protocol for a homogeneous Windows 2000 or
later environment is Kerberos version 5.This protocol relies on a system of tickets to verify
the identity of network users, services, and devices. For Web applications and users, you can
rely on the standards-based encryption offered by the SSL/TLS security protocols as well as
Microsoft Digest.To provide backward compatibility for earlier versions of Microsoft operating systems,Windows Server 2003 provides support for the NTLM protocol. In this section,
we examine the various authentication options available to you as a Windows administrator.
Kerberos
Within a Windows Server 2003 domain, the primary authentication protocol is Kerberos
version 5. Kerberos provides thorough authentication by verifying not only the identity of
www.syngress.com
195
256_70-294_03.qxd
196
9/5/03
1:07 PM
Page 196
Chapter 3 • Creating User and Group Strategies
network users but also the validity of the network services themselves.This latter feature
was designed to prevent users from attaching to “dummy” services created by malicious
network attackers to trick users into revealing their passwords or other sensitive information.The process of verifying both the user and the service that the user is attempting to
use is referred to as mutual authentication. Only network clients and servers that are running
the Windows 2000,Windows Server 2003, or Windows XP Professional operating system
will be able to use the Kerberos authentication protocol.When these operating systems are
members of a domain, Kerberos will be enabled as their default authentication mechanism
for domain-based resources. In a Windows 2000 or later Active Directory environment, preWindows 2000 computers that attempt to access a “Kerberized” resource will be directed
to use NTLM authentication.
The Kerberos authentication mechanism relies on a key distribution center (KDC) to
issue tickets that allow client access to network resources. Each domain controller in a
Windows Server 2003 domain functions as a KDC. Network clients use DNS to locate the
nearest available KDC so that they can acquire a ticket. Kerberos tickets contain cryptographic information that confirms the user’s identity to the requested service.
These tickets remain resident on the client computer system for a specific amount of
time, usually 10 hours.This ticket lifetime keeps the Kerberos system from being overwhelmed, and is configurable by an administrator. If you set the threshold lower, you must
ensure that your domain controllers can handle the additional load that will be placed on
them. It is also important, however, not to set them too high. A ticket is good until it
expires, which means that if it becomes compromised it will be valid until expiration.
Understanding the Kerberos Authentication Process
When a user enters his or her network credentials on a Kerberos-enabled system, the following steps take place.These transactions occur entirely behind the scenes.The user is only
aware that he or she has entered the password or PIN number (if using a smart card) as part
of a normal logon process.The following steps occur in a single domain environment:
1. Using a smart card or a username/password combination, a user authenticates to
the KDC.The KDC issues a ticket-granting ticket (TGT) to the client system.The
client retains this TGT in memory until needed.
2. When the client attempts to access a network resource, it presents its TGT to the
ticket-granting service (TGS) on the nearest available Windows Server 2003 KDC.
3. If the user is authorized to access the service that it is requesting, the TGS issues a
service ticket to the client.
4. The client presents the service ticket to the requested network service.Through
mutual authentication, the service ticket proves the identity of the user as well as
the identity of the service.
The Windows Server 2003 Kerberos authentication system can also interact with nonMicrosoft Kerberos implementations such as UNIX-based Kerberos realms. In Kerberos, a
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 197
Creating User and Group Strategies • Chapter 3
realm is similar to the concept of a domain.This “realm trust” feature allows a client in a
Kerberos realm to authenticate against Active Directory to access resources, and vice versa.
This interoperability allows Windows Server 2003 domain controllers to provide authentication for client systems running other types of Kerberos, including clients that are running
operating systems other than Windows. It also allows Windows-based clients to access
resources within a non-Windows Kerberos realm.
Secure Sockets Layer/Transport Layer Security
Any time you visit a Web site that uses an https:// prefix instead of http://, you’re seeing
Secure Sockets Layer (SSL) encryption in action. SSL provides encryption for other protocols such as HTTP, LDAP, and IMAP, which operate at higher layers of the protocol stack.
SSL provides three major functions in encrypting TCP/IP-based traffic:
■
Server authentication Allows a user to confirm that an Internet server is really
the machine that it is claiming to be. It’s difficult to think of anyone who
wouldn’t like the assurance of knowing that he or she is looking at the genuine
Amazon.com site, and not a duplicate created by a hacker, before entering any
credit card information.
■
Client authentication Allows a server to confirm a client’s identity during the
exchange of data. For example, this might be important for a bank that needs to
transmit sensitive financial information to a server belonging to a subsidiary
office. Combining server and client authentication provides a means of mutual
authentication.
■
Encrypted connections Allow all data that is sent between a client and server
to be encrypted and decrypted, allowing for a high degree of confidentiality.This
function also allows both parties to confirm that the data was not altered during
transmission.
The Transport Layer Security (TLS) protocol is currently under development by the
Internet Engineering Task Force (IETF). It will eventually replace SSL as a standard for
securing Internet traffic while remaining backward compatible with earlier versions of SSL.
RFC 2712 describes the way to add Kerberos functionality to the TLS suite, which will
potentially allow Microsoft and other vendors to extend its use beyond LAN/WAN
authentication, to use on the Internet as a whole.
SSL and TLS can use a wide range of ciphers (authentication, encryption, and/or
integrity mechanisms) to allow connections with a diverse client base.You can edit the
Registry in Windows Server 2003 to restrict the ciphers allowed.Within the Registry
Editor on the server, browse to the following key: HKEY_LOCAL_MACHINE\
SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers, as shown
in Figure 3.9. Each available cipher has two potential values:
www.syngress.com
197
256_70-294_03.qxd
198
9/5/03
1:07 PM
Page 198
Chapter 3 • Creating User and Group Strategies
■
0xffffffff (enabled)
■
0x0 (disabled)
Figure 3.9 Editing SSL/TLS Ciphers
NT LAN Manager
Versions of Windows earlier than Windows 2000 used NTLM to provide network authentication. In a Windows Server 2003 environment, NTLM is used to communicate between two
computers when one or both of them is running a pre-Windows 2000 operating system.
NTLM will also be used by Windows Server 2003 computers that are not members of a
domain. For example, NTLM authentication would be used in the following communications:
■
Windows 2000 workstations and Windows Server 2003 stand-alone servers that
are participating in a workgroup instead of a domain
■
Windows 2000 or Windows XP Professional computers logging on to an NT 4.0
primary domain controller (PDC) or backup domain controller (BDC)
■
A Windows NT 4.0 Workstation client authenticating to an NT4.0,Windows
2000, or Windows Server 2003 domain controller
■
Users in a Windows NT 4.0 domain that has a trust relationship with a Windows
2000 or Windows Server 2003 domain
NTLM encrypts user logon information by applying a mathematical function (or hash)
to the user’s password. A user’s password isn’t stored in the SAM or Active Directory
database. Rather, the value of a hash that is generated when the user’s account is first created, or the user’s password is changed, is stored. If the password is less than 15 characters
long, two hashes are actually stored: an NT hash and a LM hash.The LM (or LAN
Manager) hash is weak and can easily be broken by password crackers. Because of this it is
recommended that you configure the Network security: Do not store LAN Manager
hash value on next password change Group Policy setting.
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 199
Creating User and Group Strategies • Chapter 3
During logon, the domain controller sends a challenge to the client.This is a simple
string of characters that the client mathematically applies to the hash value of the user’s
password.The result of this mathematical algorithm is a new hash that is then transmitted to
the domain controller. In this way, the user’s password is never actually transmitted across
the network.
The domain controller also has the hash for the user’s password. Moreover, it knows the
challenge it sent, so it is able to perform the same calculation. It compares the hash that it
mathematically calculated with the one received from the client. If they match, logon is
permitted.
The NTLM hash function only exists in Windows Server 2003 for backward compatibility with earlier operating systems.Windows Server 2003 domains support both NTLM
and NTLM version 2. If your network environment is exclusively running Windows 2000
or later, you might want to consider standardizing on a stronger form of authentication
such as Kerberos. Using NTLM is preferable to sending authentication information using
no encryption whatsoever, but NTLM has several known vulnerabilities that do not make it
the best choice for network authentication if your operating system supports more
advanced schemes.
Digest Authentication
Microsoft provides digest authentication as a means of authenticating Web applications that are
running on IIS. Digest authentication uses the Digest Access Protocol, which is a simple challenge-response mechanism for applications that are using HTTP or Simple Authentication
Security Layer (SASL) based communications.When Microsoft Digest authenticates a
client, it creates a session key that is stored on the Web server and used to authenticate subsequent authentication requests without needing to contact a domain controller for each
authentication request. Similar to NTLM, digest authentication sends user credentials across
the network as an encrypted hash so that the actual password information cannot be
extracted in case a malicious attacker is attempting to “sniff ” the network connection. A
sniffer is a device or software application that monitors network traffic for sensitive information, similar to a wiretap on a telephone.
NOTE
SASL is a protocol developed by Carnegie Mellon University to provide application
security for client/server applications.
Before implementing digest authentication on your IIS server, you need to make sure
that the following requirements have been met:
■
Clients who need to access a resource or application that’s secured with digest
authentication need to be using Internet Explorer 5 or later.
www.syngress.com
199
256_70-294_03.qxd
200
9/5/03
1:07 PM
Page 200
Chapter 3 • Creating User and Group Strategies
■
The server and all users attempting to log on to IIS must be members of the same
domain; or domains that are connected by an appropriate trust relationship.
■
The domain that the IIS server belongs to must contain a domain controller running Windows 2000 or Server 2003.The IIS server itself also needs to be running
Windows 2000 or later.
■
Digest authentication requires user passwords to be stored in a reversibly
encrypted (cleartext) format within Active Directory.You can configure this setting from the Account tab of the user’s Properties in Active Directory Users and
Computers.You can also use Group Policy to enable this feature for a larger
number of users. After changing this setting, your users need to change their passwords so that a reversibly encrypted hash can be created.
Passport Authentication
If you’ve ever logged on to the MCP Secure Site at www.microsoft.com, you’ve probably
already seen Passport authentication in action. Any business that wants to provide the convenience of single sign-on to its customers can license and use Passport authentication.
Passport authentication enables your company to provide a convenient means for customers
to access and transact business on a given Web site. Sites that rely on Passport authentication
use a centralized Passport server to authenticate users, rather than hosting and maintaining
their own authentication systems. Companies can also use Passport authentication to map
sign-in names to information in a sales or customer database, which can offer Passport customers a more personalized Web experience through the use of targeted ads, content, and
promotional information. As Microsoft Passport has gained acceptance, the Passport sign-on
logo (shown in Figure 3.10) has started to appear on more and more corporate and e-commerce Web sites.
Figure 3.10 Passport Sign-On Through www.ebay.com
From a technical perspective, Passport authentication relies on standards-based Web
technologies, including SSL, HTTP redirects, and cookies. Because the technology used by
Passport authentication is not proprietary, it is compatible with Microsoft Internet Explorer,
Netscape Navigator, and a number of additional Web browsers, as well as operating systems
such as UNIX.The single sign-on service is similar to forms-based authentication that is
common throughout the Internet; it simply extends the functionality of the sign-on features to work across a distributed set of participating sites.
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 201
Creating User and Group Strategies • Chapter 3
EXAM WARNING
Both the Internet Explorer and Netscape Navigator browsers need to be at version
4 or higher in order to access sites using Passport authentication.
Head of the Class…
Passport’s Advantages for Businesses
Since Microsoft introduced the .NET Passport service in 1999, it has been responsible for authenticating more than 200 million accounts. Many prominent businesses, including McAfee, eBay, NASDAQ, and Starbucks have integrated .NET
Passport into their Web authentication strategies. If you are considering integrating
Passport authentication into your Web authentication plan, here are some of the
advantages:
■
Single sign-in Allows your users to sign on to the Passport site once
to access information from any participating Web site. This alleviates
the frustration of registering at dozens of different sites and maintaining any number of different sets of logon credentials. The Passport
service allows more than 200 million Passport users quick and easy
access to your site.
■
The Kids Passport service Provides tools that help your business
comply with the legal provisions of the U.S. Children’s Online Privacy
Protection Act (COPPA). Your company can use the Passport service to
conform to the legal aspects of collecting and using children’s personal
information and to customize your Web site to provide age-appropriate
content.
■
Maintain control of your data Since the Passport service is simply an
authentication service, your customer information and data will still be
controlled in-house and is not shared with the Passport servers unless
you configure your Web site to do so.
At the time of this writing, there are two fees for the use of Passport authentication: a US$10,000 fee paid by your company on an annual basis, and a periodic
testing fee of US$1,500 per URL. The $10,000 fee is not URL specific and covers all
URLs controlled by a single company. Payment of these fees entitles your company
to unlimited use of the Passport authentication service for as many URLs as you
have registered for periodic testing.
www.syngress.com
201
256_70-294_03.qxd
202
9/5/03
1:07 PM
Page 202
Chapter 3 • Creating User and Group Strategies
Understanding Passport Authentication Security
Microsoft has created several key features within Passport authentication to ensure that the
security and privacy of your customers and users can be maintained at the highest possible
level. Some of the security features employed by Passport authentication are:
■
The Web pages used to control the sign-in, sign-out, and registration functions are
centrally hosted, rather than relying on the security mechanisms of each individual member site.
■
All centrally hosted pages that are used to exchange usernames, passwords, or
other credential information always use SSL encryption.
■
Passport authentication-enabled sites use encrypted cookies to allow customers to
access several different sites without retyping their logon information. However, a
company can still opt to require users to return to the Passport sign-in screen
when accessing their site for the first time.
■
All cookie files related to Passport authentication use strong encryption.When
you set up your site to use Passport, you receive a unique encryption key to
ensure the privacy of your users’ personal information.
■
The central Passport servers transmit sign-in and profile information to your site
in an encrypted fashion.You can then use this information to create cookies,
avoiding any further client redirection to the Passport servers.
■
A Web site that participates in Passport authentication will never actually receive a
member’s password. Authentication information is transmitted via a cookie that
contains encrypted timestamps that are created when the member first signs on to
Passport.The Microsoft Passport sign-out function allows users to delete any
Passport-related cookies that were created on their local machines during the time
that they were logged on to Microsoft Passport.
■
A participating Web site only communicates directly with the central Passport
server to retrieve configuration files, which are then cached locally by the individual member server. All information that is exchanged between clients and the
Passport servers takes places using HTTP redirects, cookies, and encrypted
queries.
Educating Users
The more highly publicized network security incidents always seem to center on a technical flaw: an overlooked patch that led to a global denial-of-service (DoS) attack, a flaw
that led to the worldwide propagation of an e-mail virus, or something similar. However,
many network intrusions are caused by a lack of knowledge among corporate employees.
For this reason, user education is a critical component of any security plan. Make sure that
your users understand the potential dangers of sharing their logon credentials with anyone
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 203
Creating User and Group Strategies • Chapter 3
else or leaving that information in a location where others could take note of it.Your users
will be far more likely to cooperate and comply with corporate security standards if they
understand the reasons behind the policies and the damage that they can cause by ignoring
security measures.
Security education should be both thorough and repetitive. It is not enough to simply
provide security information at a new-employee orientation and never mention it again. As
a network administrator, you should take steps to make sure that security awareness remains
a part of your users’ daily lives.You can promote this awareness through the simplest of
measures, including adding a paragraph to the employee newsletter, and sending bulletins to
all users when a new virus is becoming a threat. At the same time, you should avoid
sending out so much information that your users become overwhelmed by it. A security
bulletin that no one reads is no more useful than one that you didn’t send at all. By combining user education with technical measures, such as password policies and strong network authentication, you will be well on your way to creating multiple layers of protection
for your network and the data it contains.
Planning a Smart
Card Authentication Strategy
Smart cards provide a portable method of providing security on a network for tasks like
client authentication and securing user data. In this section, we provide an overview of
smart card technology and the steps involved in using smart cards in your Windows Server
2003 network. Smart card implementations rely in part on Certificate Services, so we’ll
spend some time discussing the use of certificates within Windows Server 2003 as well.
Support for smart cards is a key feature within the Windows Server 2003 family. Smart
cards provide tamper-resistant, safe storage for protecting your users’ certificates. Certificates
typically contain encryption keys that are used to encrypt and decrypt data, and can also be
used in the authentication process in lieu of a standard username/password combo. Smart
cards are also beneficial to use because they isolate a portion of the authentication security
processes from the rest of the computer.This provides heightened security because authentication operations are performed on the smart card, which is carried by the user and not
always present, rather than being carried out by processes or components that are always
available within the computer or network.
www.syngress.com
203
256_70-294_03.qxd
1:07 PM
Page 204
Chapter 3 • Creating User and Group Strategies
Configuring & Implementing…
204
9/5/03
Smart Cards in Action
The use of smart cards for authentication and data encryption is a new but growing
trend within enterprise networks. Some cards that appear to be smart cards aren’t.
A good illustration of this type of card is the RSA SecurID Card from www.rsasecurity.com, shown in Figure 3.11.The RSA devices use an internal clock to generate a
new synchronized number every 60 seconds. This creates a highly secure authentication method that is as portable and convenient as a common credit card or automated teller machine (ATM) card.
The number is used in the authentication process and must be verified by the
server. Even if a user has the correct username and password, if this number is
incorrect the user will not be able to log on. Note that this type of card does not
contain a user’s certificate or key. This is not the type of card-based technology
Microsoft will be referring to when asking you about smart cards on the exam.
Figure 3.11 RSA SecurID Card
Not only can smart cards be used for network authentication, they can be
imprinted with employee information so that they can double as identification
badges. In some cases, smart card technology can also be integrated into an
existing employee identification system by imprinting employee information onto
a smart card. Obviously, special care needs to be taken in such implementations so
that the smart card components do not become damaged through everyday use. A
sample smart card/employee ID is shown in Figure 3.12.
Figure 3.12 RSA Smart Card
The advantage of this type of smart card rollout is that users do not have to
remember to carry several different pieces of ID with them. The ID card that gets
Continued
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 205
Creating User and Group Strategies • Chapter 3
them in the office door is the same one that logs them on to their computer. You’ll
also see smart cards that are configured as smaller “fobs,” or tags, that can be carried on a keychain. Some vendors are even integrating smart card technology into
handheld devices and cell phones. The smart card readers themselves can be standalone readers that are plugged into a serial, parallel or USB port. If a “fob” type
smart card is used, it can often be directly plugged into a workstation’s USB port.
One such device is shown in Figure 3.13.
Figure 3.13 RSA USB Token
Using a smart card for network logons provides extremely strong authentication
because it requires two factors: something the user knows (the PIN), and something the user
has (the smart card itself).This system provides stronger authentication than a password
alone, since a malicious user would need to have access to both the smart card and the PIN
in order to impersonate a legitimate user. It’s also difficult for an attacker to perform a
smart card attack undetected, because the user would notice that his or her smart card was
physically missing.
When to Use Smart Cards
Smart cards can provide security solutions for a number of business and technical processes
within your organization.When deciding whether to add smart cards to a given system,
you’ll need to weigh the security benefits against the costs of deployment, both in terms of
hardware and ongoing support. Smart cards can secure any of the following processes
within your business:
■
Using a smart card for interactive user logons provides enhanced security and
encryption for all logon credentials.
■
Requiring smart cards for remote access logons prevents attackers from using dial-up or
VPN connections to compromise your network, even if they gain physical access to
a laptop or home computer with the capability to remotely contact your network.
www.syngress.com
205
256_70-294_03.qxd
206
9/5/03
1:07 PM
Page 206
Chapter 3 • Creating User and Group Strategies
■
Administrator logons are ideal candidates for smart card authentication.They have
the potential to wreak far more havoc on a network installation than an account
belonging to a standard network user. By requiring your administrators to use
smart cards, you can greatly reduce the possibility that an attacker will be able to
gain administrative access to your network.
■
Digital signing and encryption of private user information such as e-mail and other
confidential files are supported with smart cards.
Implementing Smart Cards
Using smart cards on your network involves a number of preparatory steps that we discuss in
this section. First, we look at the steps involved in establishing a CA on your network, and
discuss the related concepts and terminology. Next, we examine the process of establishing
security permissions for users and administrators to request certificates to use with their smart
cards and smart card readers. Finally, we walk through the process of setting up a smart card
enrollment station to issue certificates to your end users as well as the actual procedure to
issue a smart card certificate to a user on your network.We end this section with some best
practices for providing technical support for the smart card users on your network.
PKI and Certificate Authorities
Smart card authentication relies on certificates to control which users can access the network
using their smart cards. A certificate is digitally signed information that verifies the identity of
a person, device, or service. Certificates can be used for a variety of functions, including Web
authentication, securing e-mail, verifying the integrity of application code, and smart card
authentication.The service that issues certificates is referred to as a certificate authority (CA), and
the person or device that receives the certificate is referred to as the subject of the certificate.
Logon certificates typically contain quite a bit of information, including the following:
■
The subject’s private key
■
Identifying information, such as the username or e-mail address
■
The length of time that the certificate will be considered valid
■
Identifier information for the CA that issued the certificate
■
The digital signature of the issuing CA, which attests to the validity of the subject’s key and identifying information
Many companies install their own CAs and issue certificates to their internal users to
heighten the security of their network environment and save money. Using a third-party CA
for a large number of certificates can be very expensive. Each certificate can cost hundreds of
dollars. Using a private CA infrastructure, however, places an extra security burden on the
company. If an upper-level CA becomes compromised, it can affect the validity of all certifi-
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 207
Creating User and Group Strategies • Chapter 3
cates issued by it and subordinate CAs beneath it. Obviously, such an occurrence would be a
major security breach and very expensive to recover from. It is important to ensure that there
is strong security, including physical security, applied to your company’s CAs.
Once a smart card certificate has expired, the user needs to obtain a new one to continue to access network resources. A CA also maintains a certificate revocation list (CRL)
that can be used in case a certificate needs to be cancelled before its regular expiration date.
This might result from a smart card being lost, or a certificate being compromised.
Support for smart cards is a key feature of the public key infrastructure (PKI) that’s
included with Windows Server 2003.You need to take several steps to prepare your
Windows Server 2003 network to allow your company to use smart card devices.The first
step is to install Certificate Services on at least one of your Windows Server 2003 computers.You can accomplish this from Start | Control Panel | Add or Remove
Programs | Add/Remove Windows Components | Certificate Services. A larger
discussion of configuring a Windows Server 2003 CA is beyond the scope of this chapter.
For more information, view the Certificate Services overview article in Windows Server
2003 help.
Once you’ve established your server as a CA, you need to create three types of certificate
templates to allow for smart card use on your network. Just like a document template in
business application software (such as Microsoft Word), a certificate template allows multiple
certificates to be created using the same basic settings.Templates are critical for this purpose
because they ensure that all certificates issued will contain the same core security information and settings.Template information includes:
■
Validity and renewal periods
■
Whether certificates created with the template will be automatically published in
Active Directory
■
Allowed cryptographic service providers
■
Minimum key size
■
The purpose of the certificate
■
What will be used for the Subject name in the certificate
■
How the certificate will be issued
■
Extensions associated with the template
The three security templates that you should create for use are:
■
Enrollment Agent Certificate This template will be used to create certificates
that allow a Windows Server 2003 machine to act as an enrollment station, creating certificates on behalf of smart card users who need to access the network.
■
Smart Card Logon Certificate This template will be used to create certificates that allow your users to authenticate to Active Directory using a smart card
inserted into a smart card reader.
www.syngress.com
207
256_70-294_03.qxd
208
9/5/03
1:07 PM
Page 208
Chapter 3 • Creating User and Group Strategies
■
Smart Card User Certificates Like the previous template, this will be used to
create certificates that allow your users to authenticate to Active Directory using a
smart card inserted into a smart card reader. However, this template can also be
used after logon for secure e-mail.
You’ll be prompted to create these certificate templates automatically the first time you
open the Certificate Templates snap-in. Click Start | Run, type certtmpl.msc, and click
OK.When you’re prompted to install new certificate templates, click OK.This step also
upgrades any existing templates on your server if the machine was functioning as a CA
under a previous version of Windows.
Setting Security Permissions
To implement PKI certificates, administrators and users need the appropriate permissions
for the certificate templates that are installed on the CA.You can manage these permissions
in the Certificate Templates snap-in, by performing the following steps:
1. Open the Certificate Templates snap-in by clicking Start | Run, typing
certtmpl.msc, and clicking OK.You’ll see the screen shown in Figure 3.14.
Figure 3.14 Managing Certificate Templates
2. Right-click the certificate template whose permissions you need to change, and
select Properties.
3. On the Security tab shown in Figure 3.15, add the users and groups who will
need to request certificates based on this template. Under the Allow column,
place a check mark next to the Read and Enroll permissions. Click OK when
you’ve set the appropriate permissions for all necessary users and groups.
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 209
Creating User and Group Strategies • Chapter 3
Figure 3.15 Setting Permissions for Certificate Templates
TEST DAY TIP
If you want your users to be able to retrieve and renew their certificates without
any intervention on their part, you’ll also need to enable autoenrollment within the
properties of a certificate template. Autoenrollment is configured on the Request
Handling tab. This is usually not accessible for the Smartcard Logon and Smartcard
User default templates. If you need to change the default settings, you might need
to right-click on each template, select Duplicate Template, and configure a copy of
each template for use instead of the original. Once autoenrollment has been configured, a new permission appears on the security tab (Autoenroll) and can be
granted to users and groups to allow them to autoenroll for a certificate.
Enrollment Stations
To distribute certificates and keys to your users, the CA that’s included with Windows
Server 2003 includes a smart card enrollment station.The enrollment station allows an administrator to request a smart card certificate on a user’s behalf so that it can be installed onto
the user’s smart card.The CA signs the certificate request that’s generated on behalf of the
smart card user. Before your users can request certificates, you need to prepare the enrollment station to generate certificates for their use. Any machine running Windows XP
Professional or Windows Server 2003 can act as an enrollment station.
Enabling Certificate Templates
To prepare your CA to issue Enrollment Agent and smart card certificates, you’ll first need
to enable the appropriate templates. Before you begin, make sure that the appropriate permissions have been applied to these templates.To enable the templates:
www.syngress.com
209
256_70-294_03.qxd
210
9/5/03
1:07 PM
Page 210
Chapter 3 • Creating User and Group Strategies
1. Open the Certification Authority snap-in by clicking Start | Administrative
Tools | Certification Authority.
2. In the console tree, navigate to Certification Authority | ComputerName |
Certificate Templates.
3. From the Action menu, click New | Certificate Template to Issue.You’ll see
the screen shown in Figure 3.16.
Figure 3.16 Enabling a Certificate Template
4. Select the Enrollment Agent template, and click OK.
5. Return to the Action menu, and select New | Certificate Template to Issue.
Select one of the following options:
■
For certificates that will only be valid for user authorization, select the
Smartcard Logon certificate template, and click OK.
■
For certificates that can be used both for logon and secure e-mail, click the
Smartcard User certificate template, and then click OK.
Requesting an Enrollment Agent Certificate
In Exercise 3.04, we prepare a Windows Server 2003 computer to act as a smart cart enrollment station. Be sure that the user account you’re using has been granted the Read and
Enroll permissions for the Enrollment Agent certificate template.
EXERCISE 3.04
CREATING A SMART CARD CERTIFICATE ENROLLMENT STATION
1. Log on to the machine as the user who will be installing the certificates.
2. Open a blank MMC console by clicking Start | Run, typing mmc, and
clicking OK.
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 211
Creating User and Group Strategies • Chapter 3
3. From the console window, click File | Add/Remove Snap-in, and then
select Add.
4. Select the Certificates snap-in, click Add, select the option button next
to My user account, and click Finish. Click Close and then click OK.
You’ll see the Certificates snap-in shown in Figure 3.17.
Figure 3.17 The Certificates Management Console
5. In the left pane, select Console Root | Certificates - Current User |
Personal.
6. Click Action | All Tasks | Request New Certificate. Click Next to
bypass the Welcome screen.
7. Select the Enrollment Agent certificate template and click Next.
8. Enter Smart Card Enrollment Certificate in the Friendly name text box
and click Next.
9. Click Finish to complete the certificate request.
10. Expand Personal and select the Certificates node. In the right pane,
verify that the certificate has been issued and installed.
Enrolling Users
The process of setting up your company’s employees to use smart cards includes hardware,
software, and administrative considerations. On the hardware side, you need to purchase and
install smart card readers for all your users’ workstations. Assuming that the readers are Plugand-Play compatible, the hardware installation process should be fairly simple. Once the necessary hardware is in place, you’ll use the Enrollment Station to install Smartcard Logon or
User certificates in each user’s smart card as well as setting initial PINs for them to use. Along
www.syngress.com
211
256_70-294_03.qxd
212
9/5/03
1:07 PM
Page 212
Chapter 3 • Creating User and Group Strategies
with these technical issues, you will also be required to create and document policies
regarding identification requirements to receive a smart card or reset a forgotten PIN. Finally,
you’ll need to train your users on the new procedure to log on to a smart card-protected
workstation, since the familiar Ctrl + Alt + Del key sequence will no longer be used.
Installing a Smart Card Reader
Most smart card readers are Plug-and-Play compatible under the Windows Server 2003
software family, so their actual installation is relatively straightforward. If you’re using a
reader that is not Plug-and-Play compatible or has not been tested by Microsoft, you’ll
need to obtain installation instructions from the card reader’s manufacturer. As of this
writing, the smart card readers listed in Table 3.1 are supported by Windows XP and
Windows Server 2003.The corresponding device drivers will be installed on the workstation or server when the card reader has been detected by the operating system.
Table 3.1 Supported Smart Card Readers Under Windows Server 2003
Brand
Smart Card Reader
Interface
Device Driver
American Express
Bull
Compaq
Gemplus
Gemplus
Gemplus
Hewlett-Packard
Litronic
Schlumberger
Schlumberger
Schlumberger
SCM Microsystems
SCM Microsystems
SCM Microsystems
SCM Microsystems
Systemneeds
Omnikey AG
Omnikey AG
Omnikey AG
GCR435
SmarTLP3
Serial reader
GCR410P
GPR400
GemPC430
ProtectTools
220P
Reflex 20
Reflex 72
Reflex Lite
SCR111
SCR200
SCR120
SCR300
External
2010
2020
4000
USB
Serial
Serial
Serial
PCMCIA
USB
Serial
Serial
PCMCIA
Serial
Serial
Serial
Serial
PCMCIA
USB
Serial
Serial
USB
PCMCIA
Grclass.sys
Bulltlp3.sys
grserial.sys
Grserial.sys
Gpr400.sys
Grclass.sys
Scr111.sys
Lit220p.sys
Pscr.sys
Scmstcs.sys
Scr111.sys
Scr111.sys
Scmstcs.sys
Pscr.sys
Stcusb.sys
Scr111.sys
Sccmn50m.sys
Sccmusbm.sys
Cmbp0wdm.sys
To install a smart card reader on your computer, simply attach the reader to an available
port, either serial or USB, or insert the reader into an available PCMCIA slot on a laptop. If
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 213
Creating User and Group Strategies • Chapter 3
the driver for the reader is preinstalled in Windows Server 2003, the installation will take
place automatically. Otherwise, the Add Hardware Wizard will prompt you for the location
of the relevant software.
EXAM WARNING
If a smart card reader is attached to a serial port, it’s likely that you’ll need to
reboot the machine before Windows will detect the device and install the appropriate driver.
Issuing Smart Card Certificates
Once you’ve established the appropriate security for the certificate templates and installed
smart card readers on your users’ workstations, you can begin the process of issuing the smart
card certificates.The enrollment process must be a controlled procedure. In much the same
way that employee access cards are monitored to ensure that unidentified persons do not gain
physical access to your facility, smart card certificates need to be monitored to ensure that
only authorized users can view network resources. In Exercise 3.05, we use the Web enrollment application to set up a smart card with a logon certificate for one of our users.
EXERCISE 3.05
SETTING UP A SMART CARD
FOR
USER LOGON
1. Log on to your workstation with a user account that has permissions to
the appropriate certificate template in the domain where the user’s
account is located, and permission to enroll other users for certificates.
The account used for Exercise 3.04 has these permissions.
2. Open Internet Explorer, and browse to http://servername/certsrv/,
where servername is the name of the CA on your network.
3. Select Request a certificate for a smart card on behalf of another
user by using the smart card certificate enrollment station.
4. A Security Warning dialog box will open asking if you’d like to install
and run the Microsoft Smart Card Enrollment Control. Click Yes. Note
that your IE security settings must be set to Low for this ActiveX control to function properly.
5. In the Certificate Template drop-down box select one of the following:
www.syngress.com
213
256_70-294_03.qxd
214
9/5/03
1:07 PM
Page 214
Chapter 3 • Creating User and Group Strategies
■
Smart Card Logon Select this option if you want to issue a certificate that will only be valid for authenticating to the Windows
domain.
■
Smart Card User Select this option to issue a certificate that will
allow the user to use secure e-mail and log on to the Windows
Server 2003 domain.
4. In the Certification Authority drop-down box, select the name of the
CA for your domain. If there are multiple CAs in your domain, choose
the one that you want to request the certificate from.
5. In the Cryptographic Service Provider drop-down box, select the CSP
of the smart card’s manufacturer. This choice is specific to the smart
card hardware you have installed. Consult the manufacturer’s documentation if you are uncertain.
6. For Administrator Signing Certificate, select the Enrollment Agent
certificate that will sign the certificate enrollment request. This will
actually display the user account that the Enrollment Agent certificate
is issued to.
7. For User to Enroll, click Select User to browse to the user account that
you are associating the smart card certificate with. Insert a smart card
into the smart card device attached to the system, and click Enroll to
create a certificate for this user.
8. You’ll be prompted to set an initial PIN for the card.
9. If another user has previously used the smart card that you’re
preparing, a message will appear indicating that another certificate
already exists on the card. Click Yes to replace the existing certificate
with the one you just created.
10. On the final screen, you have the option to either view the certificate
you just created or begin a new certificate request.
11. Close your browser when you’ve finished so that no extraneous certificates can be created if you walk away from the enrollment station
without logging off.
Assigning Smart Cards
Once you’ve preconfigured your users’ smart cards, you need to establish guidelines
defining how cards are assigned to users who require them.This part of your smart card
deployment plan is more procedural than technical, because you need to determine accept-
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 215
Creating User and Group Strategies • Chapter 3
able policies and service-level agreements for your smart cards and smart card readers. For
example, what type of identification will you require in order for a user to obtain a smart
card? Even if yours is a small organization and you recognize all of your users on sight, you
should still record information from a driver’s license or another piece of photo identification for auditing purposes.
Another set of issues revolves around your users’ PINs.These are the equivalent of a password when using smart cards. How many unsuccessful logon attempts will you allow before
locking out a smart card? Although this number will vary according to your individual business requirements, three or four PIN entry attempts are usually sufficient. Next, you need to
decide whether you will allow users to reset their own PINs or if they’ll need to provide personal information to, and have them reset by, the IT staff.The former option is more convenient for your user base, but that convenience will come at the expense of potential security
liabilities. If user PINs need to be reset by the IT staff, decide what type of information users
need to present in order to verify their identities. Document all applicable security policies,
distribute them to your administration and security personnel, and make sure that your users
are aware of these policies before they take possession of their smart cards.
Logon Procedures
To log on to a computer using a smart card, your users no longer need to enter the Ctrl +
Alt + Del key combination. Rather, they simply insert the smart card into the smart card
reader, at which point they’ll be prompted to enter the PIN associated with the certificate
on the card. Once the PIN is accepted, the user has access to all local and network
resources to which the user’s Active Directory account has been granted permissions.
TEST DAY TIP
The techniques covered here only apply to using smart card logons on computers
that are attached to a domain. Third-party software is required to use smart cards
on a stand-alone Windows Server 2003 computer.
Revoking Smart Cards
Along with creating policies for issuing and configuring smart cards, you should consider how
your organization will handle revoking the smart card of an employee who resigns or is terminated.To be successful, this decision should be viewed as a joint effort between your company’s administrative staff, such as payroll and human resources, and the IT department. Just as
employees need to return ID badges and keys as part of the exit process, they should also be
required to return their smart cards to the company.Whether the employee exits the company in a graceful manner or not, you should add the employee’s smart card certificate(s) to
your CA’s CRL at the same time that you disable or delete the employee’s other logon IDs
and credentials. Depending on the manufacturer of the smart card, you might have an option
to physically disable the smart card itself based on a serial number or other unique identifier.
www.syngress.com
215
256_70-294_03.qxd
216
9/5/03
1:07 PM
Page 216
Chapter 3 • Creating User and Group Strategies
Planning for Smart Card Support
Like any device or technology used to enhance network security, smart cards require you to
make plans to educate your users on how to use them and provide administrative tools to
support their ongoing use. First, make sure that your users understand the purpose of
deploying smart cards.You’ll receive a much better response if they comprehend the importance of the added security, rather than if they’re simply handed a smart card and told to use
it. Emphasize that the smart card is a valuable resource to protect the company and its
assets, rather than simply another corporate procedure designed to annoy employees or
waste their time.They should know who to call for help and technical support, and what to
do if their card is lost or stolen. Maintain a printed version of this information, and distribute it to your users when they receive their smart cards.You can also publish this information on your corporate intranet, if you have one.When orienting your users to the use
of smart cards, make sure you cover the following key points:
■
Protect the external smart card chip If the chip itself becomes scratched,
dented, or otherwise damaged, the smart card reader might not be able to read the
data on the chip.This is similar to the magnetic strip on a credit card or an ATM
card.
■
Do not bend the card Bending the card can destroy the card’s internal components.This can extend to something as simple as a user putting the smart card in a
back pocket, because he or she might sit on the card and break its internal components.
■
Avoid exposing the card to extreme temperatures Leaving a smart card on
the dashboard of a car on a hot day can melt or warp the card. Extreme cold can
make the card brittle and cause it to break.
■
Keep the smart card away from magnetic sources Avoid magnetic sources
such as credit card scanners at retail stores.
Along with user education, there are several settings within Active Directory Group
Policy that can simplify the administration of smart cards on your network. Some of these,
such as account lockout policies and restricted logon times, will impact users by default if they
rely on their smart cards for domain logons. Other policy settings are specific to managing
smart cards on your network.Within Group Policy, you can enable the following settings:
■
Smart card required for interactive logon This setting prevents a user
account from logging on to the network by presenting a username/password
combination.When enabled, the user will only be able to authenticate by using a
smart card.This provides strict security for your users; however, you should plan
an alternate means of authentication in case your smart card implementation
becomes unavailable.
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 217
Creating User and Group Strategies • Chapter 3
EXAM WARNING
This policy only applies to interactive and network logons. Remote access logons
are managed by separate policies on the remote access server.
■
On smart card removal Allows you to mandate that when a user removes his
or her smart card from the reader, the active session is either logged off or locked.
User education is critical if you select the forced logoff option, because users need
to make sure that they’ve saved changes to any of their documents and files before
they remove their smart cards.
■
Do not allow smart card device redirection Prevents your users from using
smart cards to log on to a Terminal Services session. Set this policy if you’re concerned about conserving network resources associated with your Terminal Server
environment.
■
Account lockout threshold Although this setting is not specific to smart cards,
smart card PINs are more susceptible to password attacks because of their short
length, so your lockout threshold settings should be adjusted accordingly.
From an administrative standpoint, there are several other important considerations in
creating a support structure for smart card use.You need to identify the people within your
organization who will be able to perform security-related tasks such as resetting PINs or
distributing temporary cards to replace those that are lost or stolen.You also need to decide
how you’ll handle personnel issues such as changes in name and employment status. Finally,
you’ll need to carefully consider your procedures for high-level employees, traveling users,
and support personnel.
Planning a Security Group Strategy
Before you can effectively start working with groups in Windows Server 2003, you need to
first understand what groups are and why they are used. A group is a collection of objects
(user, group, and/or computer accounts) that are managed as a single object.The objects
that belong to the group are known as group members. In Windows, as with many operating systems, groups are used to simplify the administrative process of assigning permissions
and rights to multiple user and computer accounts.
A set of default groups is created during the installation of Windows Server 2003 on a
computer.These groups reside in the local SAM database of the stand-alone or member
server, and can only be granted rights and permissions on that computer. Domain controllers also have a set of default groups.These groups reside within the Active Directory
database structure and can be used throughout the domain.
www.syngress.com
217
256_70-294_03.qxd
218
9/5/03
1:07 PM
Page 218
Chapter 3 • Creating User and Group Strategies
You aren’t limited to using the default groups.Windows Server 2003 allows you to
create your own groups both at the SAM and Active Directory database levels.This book
deals with Active Directory, so we will assume that you are working in a Windows Server
2003 Active Directory environment when we discuss planning group strategy.
Understanding Group Types and Scopes
In an Active Directory environment, there are two basic group characteristics: type and
scope.The group type identifies the purpose of the group.There are two group types for
Active Directory-based groups in Windows Server 2003:
■
Distribution
■
Security
Group scope refers to how the group can be used.Three group scopes can be specified
for a group that resides within the Active Directory database:
■
Domain local
■
Global
■
Universal
Security and Distribution Groups
Two types of groups can be created in Windows Server 2003:
■
Distribution groups Distribution groups are used for distributing messages to
group members. Distribution groups are used with e-mail applications, such as
Microsoft Exchange.They allow a user to send e-mail to an address that is associated with the group and have it distributed to all members whose accounts are
mailbox enabled. Distribution groups are not security enabled, and therefore
cannot be used to assign permissions to Windows resources.The exam will not
focus on distribution groups.
■
Security groups Security groups can also be used to for the distribution of email.Their main purpose, however, is to allow administrators to assign permissions
and user rights to group members. Permissions can be assigned to Active
Directory, file system, Registry, and printer objects. User rights include actions
such as Backup files and directories and Restore files and directories, both of which are
assigned to the Backup Operators group by default.
In Active Directory, security groups provide two major benefits:
■
They allow you to simplify and reduce administrative requirements by assigning
permissions and rights for a resource to the group rather than to each individual
user that requires access. All users that are members of the group will receive the
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 219
Creating User and Group Strategies • Chapter 3
configured permissions and rights.This is much more efficient than explicitly
assigning permissions and rights to users on an individual basis. In addition, this
provides you with the capability to move users in and out of groups as their job
and task requirements dictate, while leaving the groups’ permissions or rights
unchanged.
■
Security groups allow you to quickly and efficiently delegate administrative
responsibilities for performing specific tasks in Active Directory. As an example, if
you have a group of six help desk workers that you want to allow to reset user
passwords, you can place the six users in a group and delegate the ability to the
group. Again, you are able to move users in and out of the group as their job and
task requirements dictate, while leaving the group’s rights unchanged.This makes
it very easy to simply add in other users when they require the same rights.
TEST DAY TIP
Permissions determine which users, groups, or computers can access specified
resources and what they can do (read, write, execute, etc.) to that resource. By
assigning these permissions to a group, instead of individual users, you can ensure
that all members of the group receive the required permissions, unless they conflict with permissions that are assigned to the user explicitly or through another
group.
Rights are a separate concept. Although they can relate to resources, more
often rights relate to actions a user can perform involving the operating
system. The right to log on locally (at the server console) or across the network
are good examples. The ability to reboot a computer is also a right that must
be granted to a user.
Local, Domain Local, Global, and Universal Groups
Unlike group types, which are fairly simple to understand, group scopes can be confusing
to those new to working with Windows Server 2003 and Active Directory.The scope of
the group identifies the extent to which the group can be applied throughout the domain
or forest. Even this is not as simple as it sounds.The objects that can be members of a
group, as well as the groups available, vary depending on the functional level of the domain.
www.syngress.com
219
256_70-294_03.qxd
1:07 PM
Page 220
Chapter 3 • Creating User and Group Strategies
New & Noteworthy...
220
9/5/03
Domain and Forest Functionality
Domain and forest functionality is a new feature introduced in Windows Server
2003. By having different levels of domain and forest functionality available within
your Active Directory implementation, you can make different features available to
your network.
If all of your network’s domain controllers are Windows Server 2003 and the
domain functional level is set to Windows Server 2003, then all domain features
(such as the ability to rename a domain controller) become available. If your entire
Active Directory forest is also set at the Windows Server 2003 functional level, then
you also gain additional functionality (such as the ability to rename entire
domains). In a non-upgrade environment, there are three domain functional levels
available:
■
Windows 2000 mixed This is the default domain functional level.
Windows NT 4.0 BDCs, Windows 2000 domain controllers, and
Windows Server 2003 domain controllers are permitted at this functional level.
■
Windows 2000 native This is the minimum domain functional level
for using universal security groups. It also enables some additional
group nesting capability. This level allows for Windows 2000 and
Windows Server 2003 domain controllers.
■
Windows Server 2003 This is the highest domain functional level. It
provides the most features, and allows only Windows Server 2003
domain controllers.
Once you have raised the domain functional level, domain controllers running
earlier operating systems cannot be used in that domain. As an example, if you
raise the domain functional level to Windows Server 2003, Windows 2000 domain
controllers cannot be added to the domain.
Domain Local Groups
According to Microsoft, domain local groups (DLGs) are used when assigning permissions
or user rights.While we’ve loosely mentioned this in regard to all groups, it is this specific
group scope that Microsoft wants you to use when modifying the access control list (ACL)
of an object such as a file, or assigning a user right. Other groups will be added to a DLG
to have their members receive the group’s assigned permissions or rights.
In a Windows 2000 mixed functional level domain, domain local groups can consist of
users, computers, and global groups from the domain the DLG exists in, and any trusted
domain.When the functional level of the domain is raised to Windows 2000 native or
Windows Server 2003, a DLG can also contain other domain local groups from its local
domain, as well as universal groups. Despite the fact that this group type can contain users
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 221
Creating User and Group Strategies • Chapter 3
and computers directly, it is important to remember that Microsoft recommends that you
use it to contain other groups, which themselves contain users or computers. Specific scenarios regarding this usage are presented later in the chapter.
Global Groups
Microsoft specifies global groups (GGs) as the primary container for user and computer
objects.Their models often call for grouping users according to role, function, responsibility,
or department into global groups. For example, all members of the benefits team might be
members of both an HR global group and a Benefits global group. Although a GG can be
directly added to an ACL or assigned a user right, GGs are typically added to other groups,
such as DLGs, in order to be granted access to resources.
In a Windows 2000 mixed functional level domain, a GG can contain users and computers from the same domain in which it exists.When the functional level of the domain is
raised to Windows 2000 native or Windows Server 2003, a GG can also contain other GGs
from its local domain.
Universal Groups
Unlike global and domain local groups, universal groups (UGs) are not stored at the
domain partition level of Active Directory.They reside in the Global Catalog (GC). Because
of this, adding or removing objects from a universal group triggers forest-wide replication.
Microsoft recommends that other groups, and not individual user and computer accounts,
be the primary members of a UG. Such members are much less likely to change.
For example, if you add a user to a UG, it triggers forest-wide replication.When you
later remove that user, it again triggers forest-wide replication. However, if you add a user
to a GG, which is a member of the UG, no forest-wide replication is triggered. GGs have
their membership maintained at the domain level, so only domain level replication is triggered. Likewise, removing the user from the GG triggers domain level replication, not
forest-wide replication.
Universal security groups do not exist in a Windows 2000 mixed functional level
domain.When the functional level of the domain is raised to Windows 2000 native or
Windows Server 2003, universal security groups can contain domain users, computer
accounts, and global groups from any trusted domain, as well as other universal groups.
Table 3.2 provides a summary of the group membership that is allowed for each domain
functional level.
www.syngress.com
221
256_70-294_03.qxd
222
9/5/03
1:07 PM
Page 222
Chapter 3 • Creating User and Group Strategies
Table 3.2 Group Scope Behavior versus Domain Functional Level
Domain Status
Universal Group
Windows Server
2003 or Windows
2000 native
Members can include Members can include
domain user accounts, user accounts, comcomputer accounts,
puter accounts, and
and global groups
other global groups
from any trusted
from the domain in
domain; as well as
which the global
other universal groups. group exists.
Windows 2000 mixed Universal security
groups cannot be
created.
Global Group
Domain Local Group
Members can
include user
accounts, computer
accounts, and global
groups from the
domain the DLG
exists in or any
trusted domain; universal groups; as well
as other domain local
groups from the
domain in which the
DLG exists.
Members can include Members can include
user and computer user accounts, comaccounts from the
puter accounts, and
domain in which the global groups from
global group exists. the domain the DLG
exists in or any
trusted domain.
Changing the Group Scope
As if the concept of group scopes wasn’t confusing enough, when a domain is operating at
the Windows 2000 native or Windows Server 2003 functional levels, an administrator can
change an existing group’s scope. Universal groups can be converted to global or domain local
groups, and global and domain local groups can be converted to universal groups. However,
global groups cannot be converted directly to domain local groups (and vice versa).
The rules governing this are much easier than they first appear. Simply put, you cannot
convert from one group type to another if the current membership of the group that is
being converted is not compatible with the membership allowed for the target scope. For
example, a universal security group cannot have a domain local group as a member.
Therefore, if you are trying to convert a DLG into a UG, the DLG cannot have any other
domain local groups as members.Table 3.3 outlines the possibilities and restrictions of
changing the scope of a group.
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 223
Creating User and Group Strategies • Chapter 3
Table 3.3 Changing the Scope of a Group
Domain Status
Universal Group
Windows Server
2003 or Windows
2000 native
Can be changed to
Can be converted
a global group as
to a domain local
long as no group
group with no
members are other
restrictions.
universal groups, or
user, computer, or
global group accounts
from any domain
other than the one
in which the global
group will exist.
Not allowed
Not allowed
Windows 2000
mixed
Global Group
Domain Local
Group
Can be changed to
a universal group as
long as the group
is not a member of
any other global
group.
Not allowed
Configuring & Implementing…
Nesting Groups
You’ve seen how groups can have other groups as members. This concept is known
as group nesting. Groups can be nested to help reduce management overhead. The
type of nesting you can perform is determined by the domain’s functional level. If
the domain functional level is set to Windows 2000 native or Windows Server 2003,
the following groups have additional nesting capability:
■
Domain local groups These groups can have other domain local
groups from the same domain as well as universal groups nested in
their group membership.
■
Global groups These groups can have other global groups from the
same domain nested in their membership.
■
Universal groups These groups can have global groups from any
trusted domain and other universal groups nested in their membership.
The nesting occurs in addition to the basic security group memberships that
are permitted at the Windows 2000 mixed functional level.
Group nesting is pictured in Figure 3.18. If a user moves from a tier 2 position
in desktop support to the Windows server team, removing the user from one group
and adding the user to another group automatically adjusts the permissions and
rights the user is receiving from several groups. In the first example, the user is a
member of the Tier2 global group, which is itself a member of the Desktop Support
global group. This group is in turn nested in the IT global group. Thus, any perContinued
www.syngress.com
223
256_70-294_03.qxd
224
9/5/03
1:07 PM
Page 224
Chapter 3 • Creating User and Group Strategies
missions or rights granted to the IT, Desktop Support, and Tier2 groups will be
given to the user.
When the user’s account is moved, the user becomes a member of the
Windows global group. The move will cause the user to lose all of the permissions
and rights that were granted from the Tier2 and Desktop Support global groups.
The Windows group is a member of the Software global group, which is nested in
the Server Support global group. Finally, Server Support is a member of the IT
global group. The user’s new group membership will bring all of the permissions
and rights granted to the IT, Server Support, Software, and Windows global groups.
Figure 3.18 Using Group Nesting
IT
Desktop Support
Tier 1
Tier2
Tier3
Server Support
Software
Hardware
Windows
Netware
Unix
User
User
Security Group Best Practices
Microsoft has a number of different recommended methods for using groups in a domain
environment.You should expect to be asked a number of complex questions about the
appropriate use of groups. Most of their recommendations fall into one of two models:
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 225
Creating User and Group Strategies • Chapter 3
■
A single domain forest
■
A multiple domain forest
Designing a Group Strategy for a Single Domain Forest
AGDLP.This simple acronym sums up everything you need to remember for the use of
groups in a single domain forest environment. Each of the letters has a specific meaning:
■
A Accounts
■
G Global groups
■
DL Domain local groups
■
P Permissions
The acronym can be read as: Accounts (user and computer objects) are placed into
Global groups, which are placed into Domain Local groups, which are added to ACLs and
granted Permissions to a resource. Earlier we mentioned that Microsoft wants you to place
related users (such as all HR personnel) into global groups, and use domain local groups for
granting access to resources. AGDLP, their simplest model, makes these recommendations
exceptionally clear and easy to remember.
Consider an environment like the one we mentioned previously.You have a new
employee who is joining the benefits team within a company.The new user needs to access
to both benefits-related resources and all general HR resources.Therefore, you add the user
into both the Benefits and HR global groups.These global groups are themselves members
of domain local groups, one of which is illustrated in Figure 3.19.The HR global group is
a member of the HR_Print domain local group.This group is used to grant access to the
general printers that all members of the HR department are allowed to use.
Figure 3.19 AGDLP in a Single Domain Forest
HR_Print
domain
local
group
Printer
HR
global
group
Syngress.com
Benefits
global
group
New User
www.syngress.com
225
256_70-294_03.qxd
226
9/5/03
1:07 PM
Page 226
Chapter 3 • Creating User and Group Strategies
When the domain functional level is elevated to Windows 2000 native or Windows
Server 2003, Microsoft specifies a new group model, AGGDLP.The meaning of the letters
does not change.Therefore, this model means: Accounts are placed into Global groups that
can be placed into other Global groups and/or Domain Local groups, which are added to
ACLs and granted Permissions to resources.This can make a huge difference, because it
allows you to potentially reduce the number of groups that you have to add a new user to.
Consider the example used previously. If you nest the Benefits global group into the HR
global group, you gain a tremendous advantage.When a new user joins the benefits team, you
only have to add that user’s account to a single user group, Benefits. Because this group is also
a member of the HR global group, the user will receive all of the permissions and rights
assignments associated with both groups. Figure 3.20 shows the AGGDLP model.
Figure 3.20 AGGDLP in a Single Domain Forest
Printer
HR_Print
domain
local
group
Syngress.com
HR
global
group
Benefits
global
group
New User
Designing a Group Strategy
for a Multiple Domain Forest
These existing models can also be extended to a multiple domain forest. In a Windows
2000 mixed functional level domain, it takes quite a few resource assignments to grant permissions across domains. Extending the previous example, two additional domains will be
added. Each domain is for a different region of the world, and each has an HR department.
The company needs all HR employees to be able to access files that are located in the
North America office. Because the domain is at the Windows 2000 mixed functional level,
the AGDLP model is used.
Again, a new user joins the benefits team, this time in the Europe domain.The user is
added to the Benefits and HR global groups in the Europe domain.The HR global group
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 227
Creating User and Group Strategies • Chapter 3
in each domain has also been added to the Global_HR_Resources domain local group in
the North America Domain.The Global_HR_Resources DLG has been granted the necessary permissions on the ACL for the files. Because all HR employees are (directly or indirectly) members of the HR global group in their domain, and each HR global group is a
member of the Global_HR_Resources domain local group, they all have permission to
access the required files.These complex relationships are shown in Figure 3.21.
Figure 3.21 AGDLP in a Multiple Domain Forest
Files
Europe.
Syngress.com
Global_HR_
Resources
domain local
group
Benefits
global
group
HR
global
group
NorthAmerica.
Syngress.com
HR
global
group
Benefits
global
group
Asia.
Syngress.com
HR
global
group
Benefits
global
group
New User
Moving all of the domains in the forest to the Windows 2000 native or Windows
Server 2003 functional level greatly reduces the complexity. Just as we saw in the previous
section, when a new benefits user joins the company, the only group his or her account
needs to be made a member of is the Benefits global group in his or her regional domain.
Again, this is because the Benefits global group is nested in the HR global group.
The real power in a multiple domain environment, however, comes in the ability to use
universal security groups.You no longer have to add each HR global group into the
Global_HR_Resources domain local group. Instead, you can add all of the HR global
groups into a universal group called ALL_HR.You then add this group into the
Global_HR_Resources DLG.These group memberships are shown in Figure 3.22.
When universal groups enter the design, we are using the AGGUDLP model (sometimes abbreviated AGUDLP), where U represents Universal group.This model means:
Accounts should be placed into Global groups that can be placed into other Global groups
and/or Universal groups, and then into Domain Local groups, which are added to ACLs
and granted Permissions to resources.
www.syngress.com
227
256_70-294_03.qxd
228
9/5/03
1:07 PM
Page 228
Chapter 3 • Creating User and Group Strategies
Figure 3.22 AGGUDLP in a Multiple Domain Forest
All_HR
universal
group
Global_HR_
Resources
domain local
group
Europe.
Syngress.com
Files
NorthAmerica.
Syngress.com
HR
global
group
HR
global
group
HR
global
group
Benefits
global
group
Benefits
global
group
Asia.
Syngress.com
Benefits
global
group
New User
While this might look like a similar amount of work when compared with Figure 3.21,
the real power of this design becomes evident when you attempt to grant all HR users
access to another resource, such as a printer in Asia. In this case, you simply need to create a
new DLG and grant the print permission for the printer in the Asia domain to that group.
In Figure 3.23, the group is called HR_Print_Asia.You then simply add the All_HR universal group to the HR_Print_Asia domain local group. Imagine what the diagram would
look like if you couldn’t use a universal group and how much more work would be
involved.You would need to add each HR global group to the HR_Print_Asia domain
local group. Now imagine that you have dozens of similar situations in your forest, and
you’ll no doubt appreciate the simplicity and reduced management requirements that universal groups bring with them.
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 229
Creating User and Group Strategies • Chapter 3
Figure 3.23 Using AGGUDLP to Grant Access to an Additional Resource
All_HR
universal
group
Global_HR_
Resources
domain local
group
Europe.
Syngress.com
HR
global
group
Files
NorthAmerica.
Syngress.com
HR
global
group
Printer
Asia.
Syngress.com
HR
global
group
Benefits
global
group
Benefits
global
group
HR_Print_
Asia
domain local
group
Benefits
global
group
New User
www.syngress.com
229
256_70-294_03.qxd
230
9/5/03
1:07 PM
Page 230
Chapter 3 • Creating User and Group Strategies
Summary of Exam Objectives
This chapter addressed several key skills that are measured by Microsoft Exam 70-294.You
should be well versed in the concepts presented in this chapter as well as the exercises
designed to give you hands-on experience with some of the new functions and features in
Windows Server 2003.
User passwords are often the weakest link in any network security implementation.To
help combat this,Windows Server 2003 allows you to configure password and account
lockout policies for all user accounts within a domain.You can configure passwords to
expire after a specific number of days, mandate a minimum password length, and control
how many unique passwords will be stored in Active Directory to control when a user can
reuse an old password. Mandating password complexity forces your users to create passwords that are at least six characters long and contain three of the following types of characters: uppercase, lowercase, numeric, and non-alphanumeric. In addition, you can enforce
an account lockout policy that will disable a user account after a certain number of incorrect logon attempts.
Planning a user authentication strategy involves a firm understanding of the various
authentication protocols offered by Windows Server 2003.The default authentication protocol for LAN communication is Kerberos v5, although NTLM (and NTLMv2) is still supported to allow communication with pre-Windows 2000 computers on your network.
Digest authentication, along with SSL/TLS, can provide secure access for users accessing
resources via Web-based technology.You can implement one or more of these technologies
when implementing an authentication plan for your network.
In a Windows Server 2003 environment, you can use smart cards as a stronger means of
authentication for your users. Smart cards rely on Certificate Services to create enrollment
certificates, as well as logon certificates to enable your users to authenticate and access network resources using their smart cards.This chapter also covered best practices for managing smart cards on your network, including preparing, issuing, maintaining, and revoking
smart cards for the users.
There are two types of groups in a Windows Server 2003 domain: distribution and
security. Distribution groups are used for messaging, such as e-mail. Security groups are the
focus of the exam and are used to assign permissions and user rights. In addition, there are
three group scopes in an AD domain: domain local, global, and universal.The capabilities of
each scope vary depending on the functional level of the domain.
Domain local groups are used when assigning permissions or user rights. Microsoft
wants you to use DLGs when modifying the ACL of an object such as a file, or assigning a
user right. Other groups are added to a DLG to have their members receive the group’s
assigned permissions or rights. In a Windows 2000 mixed functional level domain, domain
local groups can consist of users, computers, and global groups from the domain the DLG
exists in, and any trusted domain.When the functional level of the domain is raised to
Windows 2000 native or Windows Server 2003, a DLG can also contain other domain local
groups from its local domain, as well as universal groups.
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 231
Creating User and Group Strategies • Chapter 3
Microsoft specifies global groups as the primary container for user and computer
objects.They call for grouping users according to role, function, responsibility, or department into global groups. In a Windows 2000 mixed functional level domain, a global group
can contain users and computers from the same domain in which it exists.When the functional level of the domain is raised to Windows 2000 native or Windows Server 2003, a GG
can also contain other global groups from its local domain.
Unlike global and domain local groups, universal groups (UGs) are stored in the Global
Catalog (GC). Adding or removing objects from a universal group triggers forest-wide
replication.To minimize this, Microsoft recommends that other groups, and not individual
user and computer accounts, be the primary members of a universal group. Universal security groups do not exist in a Windows 2000 mixed functional level domain.When the
functional level of the domain is raised to Windows 2000 native or Windows Server 2003,
universal security groups can contain domain users, computer accounts, and global groups
from any trusted domain, as well as other universal groups.
An administrator can change an existing group’s scope. Universal groups can be converted to global or domain local groups, and global and domain local groups can be converted to universal groups. However, global groups cannot be converted directly to domain
local groups (and vice versa).You cannot convert from one group type to another if the
current membership of the group that is being converted is not compatible with the membership allowed for the target scope.
Microsoft has a number of acronyms that describe how groups should be used in different scenarios, including:
■
AGDLP Accounts (user and computer objects) are placed into Global groups,
which are placed into Domain Local groups, which are added to access control
lists (ACLs) and granted Permissions to a resource.This model is used in a single
or multiple domain environment, when the Windows 2000 mixed domain functional level is in use.
■
AGGDLP Accounts are placed into Global groups that can be placed into other
Global groups and/or Domain Local groups, which are added to ACLs and
granted Permissions to resources.This model can only be used in domains that
have a Windows 2000 native or Windows Server 2003 functional level.
■
AGGUDLP (or AGUDLP) Accounts should be placed into Global groups that
can be placed into other Global groups and/or Universal groups, and then into
Domain Local groups, which are added to ACLs and granted Permissions to
resources.This model can only be used in domains that have a Windows 2000
native or Windows Server 2003 functional level. In addition, it is primarily used in
a multiple domain environment.
www.syngress.com
231
256_70-294_03.qxd
232
9/5/03
1:07 PM
Page 232
Chapter 3 • Creating User and Group Strategies
Exam Objectives Fast Track
Creating a Password Policy for Domain Users
According to Microsoft, complex passwords consist of at least seven characters,
including three of the following four character types: uppercase letters, lowercase
letters, numeric digits, and non-alphanumeric characters such as & $ * and !.
Password policies and account lockout policies are set at the domain level in
Group Policy.
If a subset of your user base requires a different set of account policies and other
security settings, you should create a separate domain to meet their requirements.
Be sure that you understand the implications of an account lockout policy before
you enable one in a production environment.
Creating User Authentication Strategies
Within a domain, Kerberos v5 is the default communication method between
two machines that are running Windows 2000 or later.
Pre-Windows 2000 computers use NTLM (or NTLMv2) authentication in an
Active Directory domain.
To provide authentication for Web applications, you can implement either
SSL/TLS or Microsoft Digest.
Planning a Smart Card Authentication Strategy
Microsoft Windows Server 2003 relies on its public key infrastructure (PKI) and
Certificate Services to facilitate smart card authentication.
Smart card certificates are based on the following three certificate templates:
Enrollment Agent, Smartcard Logon, and Smartcard User.
Several Group Policy settings are specific to smart card implementations; most
other account policy settings will also affect smart card users.
Planning a Security Group Strategy
There are two types of groups in a Windows Server 2003 domain: distribution
and security.
Only security groups can be used to assign permissions.
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 233
Creating User and Group Strategies • Chapter 3
There are three group scopes in a Windows Server 2003 domain: domain local,
global, and universal.
Additional group nesting and universal security groups are only available at the
Windows 2000 native and Windows Server 2003 domain functional levels.
Existing groups can have their scopes changed in Windows 2000 native and
Windows Server 2003 functional level domains.
Exam Objectives
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are
designed to both measure your understanding of the Exam Objectives presented in
this chapter, and to assist you with real-life implementation of these concepts. You
will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: How can I configure a smart card user to be able to temporarily log on to the network
if the user has forgotten his or her card?
A: In the Properties of the user’s account within Active Directory Users and
Computers, make the following changes on the Account tab:
1. Clear the check mark next to Smart card is required for interactive logon.
2. Place a check mark next to User must change password at next logon.
Finally, right-click the user object and select Reset Password. Inform the user of
the new password, and that it will need to be changed at next logon.
Q: What are the advantages of implementing a “soft lockout” policy versus a “hard
lockout”?
A: A hard lockout policy refers to an account that must be manually unlocked by an
administrator.This setting provides the highest level of security but carries with it the
risk that legitimate users will be unable to access network resources. In some circumstances, it can be used to effectively create a DoS attack against your own network.
Hard lockouts place a greater burden on account administrators, because at least one
must always be available for users to contact when they need their accounts unlocked.
A soft lockout expires after a set amount of time and helps limit the effectiveness of
password attacks against your network, while reducing the burden placed on administrators in a hard lockout environment.
www.syngress.com
233
256_70-294_03.qxd
234
9/5/03
1:07 PM
Page 234
Chapter 3 • Creating User and Group Strategies
Q: My organization is in the planning stages of a smart card rollout.What are the security
considerations involved in setting up a smart card enrollment station?
A: Since a smart card enrollment station allows you to create certificates on behalf of any
user within your Windows Server 2003 domain, you should secure these machines
heavily in terms of both physical location and software patches. Imagine the damage
that could be done if a malicious user were able to create a smart card logon certificate
for a member of the Domain Admins group and use it to log on to your network at
will.
Q: How can I convince my users that the company’s new smart card rollout is something
that is protecting them, rather than simply “yet another stupid rule to follow”?
A: One of the most critical components of any network security policy is securing “buyin” from your users. A security mechanism that is not followed is not much more useful
than one that doesn’t exist.Try to explain the value of smart card authentication from
the end-user’s perspective. If you work in a sales organization, ask your sales force how
they would feel if their client contacts, price quotes, and contracts fell into the hands of
their main competitor. In a situation like this, providing a good answer to “What’s in it
for me?” can mean the difference between a successful security structure and a failed
one.
Q: All of my workstations run Windows 95. I know that these don’t support Kerberos for
authentication. How can I configure the domain to use the NTLM protocol instead of
the default of Kerberos protocol?
A: You do not need to perform any configuration to support NTLM authentication.
Windows Server 2003 supports not only basic NTLM but also NTLM version 2, by
default, for pre-Windows 2000 computers. In addition, NTLMv2 is more secure than
NTLM, and will be automatically used if the domain controller is able to ascertain that
the client supports it.
Q: I have a three-domain environment. All three of my domains have the same global
groups. I’ve added the HR global group from two of the domains to an All_HR universal group. I’ve also added the All_HR universal group to domain local groups in
these same two domains.Why can’t I add the All_HR universal group to any domain
local groups in my third domain?
A: All three domains must be at a functional level that supports universal security groups.
It is possible to have a forest environment in which some domains are at the appropriate level and others are not. In this case, it sounds like two domains are at the
Windows 2000 native or Windows Server 2003 functional level, but the third is at the
Windows 2000 mixed functional level. Raise all domains to at least the Windows 2000
native level and try again.
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 235
Creating User and Group Strategies • Chapter 3
Q: I’m in a single domain environment. My domain functional level is Windows Server
2003. I’m trying to convert a group from a global scope to a domain local scope.The
group only contains users, but the option button is grayed out.What’s wrong?
A: You cannot convert directly from a global group scope to a domain local group scope.
You can only convert to and from a universal group scope.To accomplish this, you
must first convert the global group to a universal group. Once this completes successfully, convert the universal group to the domain local group scope.
Self Test
A Quick Answer Key follows the Self Test questions. For complete questions, answers,
and explanations to the Self Test questions in this chapter as well as the other
chapters in this book, see the Self Test Appendix.
Creating a Password Policy for Domain Users
1. What is a potential drawback of creating a password policy on your network that
requires user passwords to be 25 characters long?
A. Users will be more likely to write down a password that is so difficult to
remember.
B. User passwords should be at least 30 characters long to guard against brute-force
password attacks.
C. There are no drawbacks; this solution creates network passwords that will be
impossible for an unauthorized user to penetrate.
D. Windows Server 2003 will not allow a password of more than eight characters.
2. You have recently started a new position as a network administrator for a Windows
Server 2003 network. Shortly before the previous administrator left the company, the
syskey utility was used on one of your domain controllers to create a password that
needs to be entered when the machine is booted.You reboot the domain controller,
only to discover that the password the previous administrator documented is incorrect.You are unable to contact your predecessor to obtain the correct one. How can
you return this DC to service as quickly as possible?
A. Reformat the system drive on the server and reinstall Windows Server 2003.
B. Boot the server into Directory Services Restore Mode and restore the DC from a
point before the previous administrator ran the syskey utility.
www.syngress.com
235
256_70-294_03.qxd
236
9/5/03
1:07 PM
Page 236
Chapter 3 • Creating User and Group Strategies
C. Boot the server into Safe Mode and run syskey again to change the password.
D. Use ntdsutil to seize the PDC Emulator role and transfer it to another DC.
3. According to Microsoft, which of the following would be considered weak passwords
for a user account named jronick? (Choose all that apply.)
A. S#n$lUsN7
B. soprano
C. ronickrj
D. Oo!dIx2
E. new
4. You have implemented a password policy that requires your users to change their
passwords every 30 days and retains their last three passwords in memory.While sitting
in the lunch room, you hear someone advise his coworker that all she needs to do to
get around that rule is to change her password four times so that she can go back to
using the password that she is used to.What is the best way to modify your domain
password policy to avoid this potential security liability?
A. Increase the maximum password age from 30 days to 60 days.
B. Enforce password complexity requirements for your domain users’ passwords.
C. Increase the minimum password age to seven days.
D. Increase the minimum password length of your users’ passwords.
5. You are a new network administrator for a Windows Server 2003 domain. In making
user support calls, you have noticed that many users are relying on simplistic passwords
such as their children’s or pets’ names. Passwords on the network are set to never
expire, so some users have been using these weak passwords for years.You change the
default Group Policy to require strong passwords. Several weeks later, you notice that
the network users are still able to log on using their weak passwords.What is the most
likely reason why the weak passwords are still in effect?
A. You must force the users to change their passwords before the strong password
settings will take effect.
B. The Group Policy settings have not replicated throughout the network yet.
C. Password policies need to be set at the organizational unit (OU) level, not the
domain level.
D. The users reverted back to their passwords the next time they were prompted to
change them.
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 237
Creating User and Group Strategies • Chapter 3
Creating User Authentication Strategies
6. You have created an e-commerce Web application that allows your customers to purchase your company’s products via the Internet. Management is concerned that customers will not feel comfortable providing their credit card information over the
Internet.What is the most important step to secure this application so that your customers will feel confident that they are transmitting their information securely and to
the correct Web site?
A. Use IP restrictions so that only your customers’ specific IP addresses can connect
to the e-commerce application.
B. Issue each of your customers a smart card that they can use to authenticate to
your e-commerce Web site.
C. Place your company’s Web server behind a firewall to prevent unauthorized access
to customer information.
D. Install a Secure Sockets Layer (SSL) certificate on your Web server.
7. Your network environment consists of Windows 2000 Professional,Windows XP
Professional, and Windows NT 4.0 Workstation computers.You have just upgraded all
domain controllers to Windows Server 2003.The domain and forest functional levels
are both set to Windows Server 2003.The company does not use any Web applications or services.Which of the following authentication protocols will be used on the
network? (Choose all that apply.)
A. Digest
B. NTLM
C. Kerberos
D. SSL
8. You’ve decided to implement Web-based authentication.You have a wide range of
domains, domain controllers, and domain functional levels in your enterprise
Windows Server 2003 forest. Because you are a homogenous Windows environment,
you decide to implement digest authentication.Which of the following requirements
must you keep in mind when planning to implement digest authentication? (Choose
all that apply.)
A. Digest authentication requires IE 5 or later on the clients.
B. There must be at least one Windows Server 2003 DC in the IIS server’s domain.
C. User passwords must be stored with reverse encryption.
D. There must be at least one Windows 2000 or later DC in the IIS server’s domain.
www.syngress.com
237
256_70-294_03.qxd
238
9/5/03
1:07 PM
Page 238
Chapter 3 • Creating User and Group Strategies
Planning a Smart Card Authentication Strategy
9. Your network configuration includes a Terminal Server designed to allow users at
remote branches to access network applications.The Terminal Server often becomes
overloaded with client requests, and you have received several complaints regarding
response times during peak hours.You have recently issued smart cards for the users
located at your corporate headquarters and would like to prevent those users from
using their smart cards to access the Terminal Server. How can you accomplish this
goal in the most efficient manner possible?
A. Enable auditing of logon/logoff events on your network to determine which
smart card users are accessing the Terminal Server, and then speak to their supervisors individually.
B. Create a separate OU for your Terminal Server. Create a global group containing
all smart card users, and restrict the logon hours of this group for the Terminal
Server’s OU.
C. Enable the “Do not allow smart card device redirection” setting within Group
Policy.
D. Create a global group containing all smart card users, and deny this group the
“Log on locally” right to the computers on your network.
10. You have attached a smart card reader to your Windows XP Professional workstation’s
serial port.The reader is not detected when you plug it in and is not recognized when
you scan for new hardware within Device Manager.The smart card reader is listed on
the Microsoft Web site as a supported device, and you have verified that all cables are
connected properly.Why is your workstation refusing to recognize the smart card
reader?
A. The manufacturer-specific installation routine is not compatible with Windows
Server 2003.
B. The workstation needs to be rebooted before it will recognize the card reader.
C. Smart card readers are only supported on machines running Windows Server
2003.
D. You are not logged on as a member of the Domain Admins group.
11. You have recently deployed smart cards to your users for network authentication.You
configured the Smartcard Logon certificates to expire every six months. One of your
smart card users has left the company without returning her smart card.You have disabled this user’s logon account, but management is concerned that she will still be able
to use the smart card to access network resources. How can you be sure that the
information stored on the former employee’s smart card cannot be used to continue
to access network resources?
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 239
Creating User and Group Strategies • Chapter 3
A. Monitor the security logs to ensure that the former employee is not attempting to
access network resources.
B. Use the smart card enrollment station to delete the user’s Smartcard Logon
certificate.
C. Deny the Autoenroll permission to the user’s account on the Smartcard Logon
Certificate template.
D. Add the user’s certificate to the CRL on your company’s CA, and publish the CRL.
Planning a Security Group Strategy
12. One of your coworkers is trying to grasp the concept of distribution and security
group types. He asks you what the two primary benefits are for the security group
type.What do you tell him? (Choose two.)
A. You tell him that they can have permissions and user rights assigned to them.
B. You tell him that they can function for messaging just like a distribution group
type.
C. You tell him that they allow for quick and efficient delegation of administrative
responsibility in Active Directory.
D. You tell him that they can only be used for messaging and granting permissions
to Active Directory, file system, Registry, and printer objects.
13. Your boss has been looking over marketing material from Microsoft. She asks you
how you plan on using universal groups.You administer a single domain environment
that is about to be upgraded to Windows Server 2003.What do you tell her?
A. You tell her that because you will be using a Windows Server 2003 functional
level domain, you will be using only universal groups.
B. You tell her that because you will be using a Windows 2000 native functional
level domain, you will be using only universal groups.
C. You tell her that you will use universal groups to replace global groups, but will
still be using domain local groups for resource access.
D. You tell her that you will not be using universal groups.
14. Last night you finished configuring a complex set of groups for your new Windows
Server 2003 Active Directory environment.You spent this morning adding users to
their appropriate groups. Now that the Active Directory environment is configured,
you are trying to add the groups into ACLs in the file system. For some reason, they
aren’t showing up in the list of groups to select from.You can see all the default
groups that the operating system and Active Directory installed.Why can’t you see the
groups you created?
www.syngress.com
239
256_70-294_03.qxd
240
9/5/03
1:07 PM
Page 240
Chapter 3 • Creating User and Group Strategies
A. You don’t have permission.
B. You didn’t activate the groups in Active Directory.
C. You created distribution groups.
D. You created security groups.
15. Your company has a single domain environment that will be upgraded to Windows
Server 2003. One of the company’s existing Windows NT 4.0 BDCs must remain in
place because a custom application requires it.This application will not be migrated
until sometime next year.The company has many departments, each of which has
sub-departments and teams.The company would like to take advantage of Windows
Server 2003’s new group nesting capabilities.Which of the following group models is
appropriate for this company?
A. AGDLP
B. AGGDLP
C. AGGUDLP
D. AGUDLP
www.syngress.com
256_70-294_03.qxd
9/5/03
1:07 PM
Page 241
Creating User and Group Strategies • Chapter 3
Self Test Quick Answer Key
For complete questions, answers, and explanations to the Self Test questions in this
chapter as well as the other chapters in this book, see the Self Test Appendix.
1. A
9. C
2. B
10. B
3. B, C, E
11. D
4. C
12. A, C
5. A
13. D
6. D
14. C
7. B, C
15. A
8. A, C, D
www.syngress.com
241
256_70-294_03.qxd
9/5/03
1:07 PM
Page 242
256_70-294_04.qxd
9/4/03
4:28 PM
Page 243
Chapter 4
MCSA/MCSE 70-294
Working with
Forests and Domains
Exam Objectives in this Chapter:
1.3.5
Set an Active Directory forest and domain functional level
based on requirements.
1.3
Implement an Active Directory directory service forest and
domain structure.
2.1
Manage an Active Directory forest and domain structure.
1.3.1
Create the forest root domain.
1.3.2
Create a child domain.
1.3.3
Create and configure Application Data Partitions.
Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions
Self Test
Self Test Quick Answer Key
243
256_70-294_04.qxd
244
9/4/03
4:28 PM
Page 244
Chapter 4 • Working with Forests and Domains
Introduction
A Microsoft Active Directory network has both a physical and a logical structure. Forests
and domains define the logical structure of the network, with domains organized into
domain trees in which subdomains (called child domains) can be created under parent
domains in a branching structure. Domains are logical units that hold users, groups, computers, and organizational units (OUs) (which in turn can contain users, groups, computers,
and other OUs). Forests are collections of domain trees that have trust relationships with
one another, but each domain tree has its own separate namespace.
In this chapter, you will learn all about the functions of forests and domains in the
Windows Server 2003 Active Directory infrastructure, and we will walk you through the
steps of creating a forest and domain structure for a network.You’ll learn to install domain
controllers (DCs), create the forest root domain and a child domain, find out how to name
and rename domains, and how to set the functional level of a forest and domain.
The Domain Name System (DNS) is an integral part of a Windows Server 2003 network, as it is used for providing name resolution within the network.We will discuss the
role of DNS in the Active Directory environment, and you’ll learn about the relationship of
the DNS and Active Directory namespaces, how DNS zones are integrated into Active
Directory, and how to configure DNS servers for use with Active Directory.
Understanding Forest
and Domain Functionality
A Windows Server 2003 domain is group of networked computers that share a common
Active Directory database, and a common namespace.You can think of a domain as a limited boundary of network security and administrative control. A namespace is a hierarchical
collection of service and object names, typically stored within DNS and Active Directory.
There are some similarities between the Active Directory namespace and the DNS
namespace, both of which are required by Windows Server 2003. For example, the name of
an Active Directory tree is derived from the DNS name of the tree root, which means that
both namespaces share the same root.When you rename the root domain, you must automatically rename all child domains in the tree to match; hence, all levels of both namespace
hierarchies.The Active Directory and DNS namespaces, by Microsoft definition, must have
the same name. Exceptions do exist, however, such as during a domain rename procedure.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 245
Head of the Class…
Working with Forests and Domains • Chapter 4
How Can I Tell the Difference between
the Active Directory Namespace and the DNS Namespace?
Among the differences in the two namespaces is the ability of DNS to split a
domain name into two separate zones. In split-DNS, one zone typically provides
name resolution for resources outside the firewall, while the other zone provides
name resolution for the inside. Inside users can locate and use external resources.
An Active Directory domain cannot be split in the same way and continue to fully
interoperate.
Another difference is where the data is stored. Even given identical names,
and even with Active Directory integrated DNS, the two namespaces occupy different partitions within the directory. This gives them different logical addresses,
although replication of the two is accomplished in the same way. With non-Active
Directory-integrated DNS, the namespaces do not reside in the same directory and
do not need to reside on the same servers. Non-integrated DNS must also provide
its own replication topology. In either case, the data is always discretely separated.
DNS records and Active Directory objects work together, but never truly intermingle.
One of the most distinct differences is the real-time nature of dynamic DNS.
When a server is shut down, dynamic DNS removes the resource records associated
with that server from its database. Unless you created static records, as you might
for an e-mail or web server, DNS retains no knowledge of the machine. Active
Directory, by contrast, requires the stability of constant knowledge for all hosts. If
a server were to be removed and re-added to Active Directory, the host would
receive a new Security Identifier (SID) and be treated as a new and unique system.
In Active Directory, hosts within the same domain are often subdivided into sites
and OUs, while DNS hosts are only differentiated by record types.
These distinctions help clarify the forest and domain structure, the namespaces they define, and the interoperability between them.
Active Directory is composed of a number of components, each associated with a different concept, or layer of functionality.You should understand each of these layers before
making any changes to the network.The Active Directory itself is a distributed database,
which means it can be spread across multiple computers within the forest. Among the
major logical components are:
■
Forests
■
Trees
■
Domains
■
The domain namespace
Aspects of the physical structure include the following:
www.syngress.com
245
256_70-294_04.qxd
246
9/4/03
4:28 PM
Page 246
Chapter 4 • Working with Forests and Domains
■
Sites
■
Servers
■
Roles
■
Links
Administrative boundaries, network and directory performance, security, resource management, and basic functionality are all dependent on the proper interaction of these
elements.
Figure 4.1 shows the logical view of a Windows Server 2003 Active Directory. Note
that the differentiation between forests and trees is most obvious in the namespace. By its
nature, a tree is one or more domains with a contiguous namespace. Each tree consists of
one or more domains, while each forest consists of one or more trees. Because a forest can
be composed of discrete multiple trees, a forest’s namespace can be discontiguous. By discontiguous, we mean that the namespaces anchor to different forest-root DNS domains, such as
cats.com and dogs.com. Both are top-level domains and are considered two trees in a forest
when combined into a single directory as shown in Figure 4.1.
Figure 4.1 The Forest Structure
Forest
Root
Domain
Dogs.com
Cats.com
Domain
Child Labs.dogs.com
Domain
Tree
Tree
Child
Domain
Calico.cats.com
Child
Domain
Yellow.labs
.dogs.com
Child
Domain
Black.labs
.dogs.com
The Role of the Forest
An Active Directory always begins with a forest root domain, which is automatically the first
domain you install.This root domain becomes the foundation for additional directory components. As the cornerstone of your enterprise-computing environment, you should protect
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 247
Working with Forests and Domains • Chapter 4
it well. Fault tolerance and good backups are not optional—they are essential. If an administrative error or hardware failure results in the unrecoverable loss of this root structure, the
entire forest becomes inoperable. Certain forest objects and services are only present at the
root (for example, the Enterprise Administrators and Schema Administrators groups, and the
Schema Master and Domain Naming Master roles).These cannot be easily recreated,
depending on the type of failure.
New Forestwide Features
Many of the new features offered by Windows Server 2003 are only available in a forest
where you have raised the forest functional level to Windows Server 2003. For more information on functional levels and a breakdown of when these new features become available,
see the section Forest and Domain Functional Levels later in the chapter
Defunct Schema Objects
In Windows 2000 Active Directory, you could deactivate a schema class or attribute. Now,
once your forest has been raised to the Windows Server 2003 functional level, you cannot
only deactivate them, you can even rename and redefine them.This feature protects against
the possibility of one application irreversibly claiming another application’s schema. It
allows for the redefinition of classes and attributes without changing their unique identities.
These items are called reused. If the class or attribute is left deactivated, it is called defunct.
Where this becomes important is where, for example, you make an error in the definition of an attribute. In Windows 2000, the best you can do is deactivate the attribute with
the incorrect syntax and create a new one with a different name. If you have an application
that requires a certain attribute name, there’s little you can do but operate with the incorrect definition, get by without it altogether, or find a different application. Restoring the
schema from a state backup is possible, but risky. Now, with the new functionality of
Windows Server 2003, you can deactivate the incorrect attribute and safely create a new
one that uses the same object identifier (OID) and Lightweight Directory Access Protocol
(LDAP) display name as the old one, but with the correct syntax.
Another case is when an object identifier collision occurs.This is where a needed OID
conflicts with an existing one, a situation usually created by mistyping a number. By deactivating the first OID, the second can be created.There are several situations in which classes
and attributes cannot be deactivated, and it is an operation that should always be performed
with great care and planning.
Domain Rename
This is a complex and sweeping modification to the namespace of a domain. DNS names,
and NetBIOS names of any child, parent, or forest-root domain can now be changed. As far
as Windows Server 2003 Active Directory is concerned, the identity of a domain rests in its
domain Globally Unique Identifier (GUID), and its domain SID. Creating new DNS or
NetBIOS names will leave those attributes unchanged.The domain rename function is not
www.syngress.com
247
256_70-294_04.qxd
248
9/4/03
4:28 PM
Page 248
Chapter 4 • Working with Forests and Domains
able to promote a domain to the forest root role. Even if you rename the forest root
domain, its role will remain unchanged.
The renaming process will temporarily interrupt the functionality of the domain and
its interaction with the forest, until the DCs are rebooted. Client workstations will not
function properly until they are each rebooted twice. Due to the complexity of the operation, the risks of such a sweeping change, and the unavoidable domain and workstation service interruptions, domain renaming should not be considered a routine operation.
Forest Restructuring
Existing domains can now be moved to other locations within the namespace. During this
restructuring, you will manually break and reestablish the appropriate trust relationships
among the domains. A requirement for namespace changes, or a need to decrease administrative overhead, typically drives forest restructuring.This reduction in overhead is accomplished by reducing replication traffic, reducing the amount of user and group
administration required, and simplifying the administration of Group Policy.The smallest
possible number of domains will provide the most efficient design. Minimizing the number
of domains reduces administrative costs and increases the efficiency of your organization.
Reasons to restructure include:
■
Decommissioning a domain that is no longer needed
■
Changing the internal namespace
■
Upgrading your network infrastructure to increase your bandwidth and replication capacity, which enables you to combine domains
Before you begin restructuring Windows Server 2003 domains within your forest, make
sure that the forest is operating at the Windows Server 2003 functional level.
Universal Group Caching
Before Windows Server 2003, some sites had to make a decision to deploy a Global Catalog
(GC) at each remote site regardless of the number of users at that location, because each
DC contacts a GC server during a Windows 2000 native mode logon.The problem was
that a GC generated a lot of replication traffic and required a lot of disk space, memory, and
WAN bandwidth.The solution in Windows Server 2003 is Universal Group caching.
Universal Group caching is a new feature of the Windows Server 2003 DC, which caches
a user’s complete Universal Group membership.The cache is populated at first logon, and
subsequent logons use the cache, which is refreshed periodically.
Some of the benefits of Universal Group caching include faster logon times.
Authenticating DCs no longer have to consult a GC to get Universal Group membership
information. In addition, you can save the cost of upgrading a server to handle the extra
load for hosting the GC. Finally, network bandwidth is minimized because a DC no longer
has to handle replication for all of the objects located in the forest.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 249
Working with Forests and Domains • Chapter 4
Application Partitions
New & Noteworthy...
Another DC enhancement allows for the creation of application-specific Active Directory
partitions, also known as naming contexts. Active Directory stores the information in a hierarchy that can be populated with any type of object except for security principles such as
users, groups, and computers.This dynamic body of data can be configured with a replication strategy involving DCs across the entire forest, not just a single domain.With application partitions, you can define as many or as few replicas as you want. Site topologies and
replication schedules are observed, and the application objects are not replicated to the GC.
Conveniently, application partitions can leverage DNS for location and naming.The
Windows Server 2003 Web Edition cannot host application partitions because they do not
support the DC role.
Active Directory Application
Partitions Can Exist on a Non-DC
Another new type of application partition is the Active Directory in Application
Mode (ADAM) stand-alone product that allows Windows Server 2003 web edition
and other member servers and workstations to participate in a form of application
partitions without being DCs. It is maintained and replicated independent of the
central Active Directory, although it interfaces with directory-enabled Kerberos and
NTLM for authentication services. One advantage with this configuration is that
schema changes made to support Web-based applications do not have to clutter
up the core operating system’s (OS’s) schema. It gives you local control and naming
flexibility in addition to the autonomous schema, and can be run on Windows XP
or Windows Server 2003. ADAM is sometimes referred to as Active Directory
“Light.”
ADAM runs as a non-OS service. This means that multiple instances can run
concurrently on a single server, with each instance being independently configurable. It is an extended capability that allows you to deploy Active Directory as a
lightweight directory service for the rapid and flexible implementation of directoryenabled applications.
ADAM can be particularly helpful in the following areas:
■
Application-specific directories, where you can store “private” directory data relevant only to the application.
■
Application developer activities, where ADAM uses the same programming model and administration as Active Directory. This enables
the developer to work with a local instance on the developer workstation and then later move the application to Active Directory.
■
Extranet Access Management (EAM) solutions, such as hosting user
objects that are not Active Directory security principals. This allows you
to use LDAP to authenticate non-Windows or external users.
Continued
www.syngress.com
249
256_70-294_04.qxd
250
9/4/03
4:28 PM
Page 250
Chapter 4 • Working with Forests and Domains
■
Migration scenarios, where an organization has an established X.500
directory that must be maintained to serve legacy applications.
Install from Backups
The Install from backups feature provides the capability to install a DC using backup media
rather than populating the Active Directory through a lengthy replication period.This is
especially useful for domains that cross-site boundaries using limited WAN connectivity.To
do this, back up your directory store using Windows Backup, restore the files at the
remote site’s candidate DC, and run dcpromo using the source replication from files
option.This also works for GC servers.
Active Directory Quotas
The new Active Directory quotas (not to be confused with disk quotas) are defined as the
number of objects that can be owned by a given user in a given directory partition.
Fortunately, Domain Admins and Enterprise Administrators are exempt from the quota, and
they do not apply at all to the schema partition. Replicated operations do not count toward
the quota; only the original operations do. Quota administration is performed through a set
of command-line tools, including dsadd, dsmod, dsget, and dsquery. No graphical interface
exists for quota administration.
Linked Value Replication
Linked value replication provides an answer to Windows 2000’s limit of 5000 direct group
members. Instead of treating a large group as a single replication unit, linked value replication allows a single member to be added or removed from the group during replication,
thereby reducing network traffic.Without it, for example, any changes to a 10,000-member
distribution group will trigger a complete replication.With a group that large, this would
be likely to occur many times in a typical day.
Improved Knowledge Consistency Checker
The Windows 2000 Knowledge Consistency Checker (KCC) would not operate properly
within a forest containing more than 200 sites due to the complexity of the inter-site replication topology generator algorithms.The service had to be turned off in that case, and the
replication topology had to be managed manually.The Windows Server 2003 KCC can
automatically manage replication among up to 5000 sites due to new, more efficient algorithms. In addition, it uses greatly improved topology generation event logging to assist in
troubleshooting.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 251
Working with Forests and Domains • Chapter 4
Reduced NTDS.DIT Size
The Windows Server 2003 directory takes advantage of a new feature called Single Instance
Store (SIS).This limits the duplication of redundant information.The new directory store is
about 60 percent smaller than the one in Windows 2000.
Forest Trusts
In Windows NT 4.0, there were few options for the interoperability of business units; for
example, either Calico.cats.com trusted Labs.dogs.com or they didn’t.There were no other
real options. In addition, if trust existed at all, it tended to be complete.When Windows
2000 introduced the Active Directory, many more options became available so that partnerships and integrated project teams could form on the network just as they did in real life.
The problem with that approach was that there always had to be a dominant partner at the
root— the playing field could never be completely even.
The idyllic utopia of a single forest cannot handle certain situations.The root owner
employs Administrators, Domain Admins, and Enterprise Admins, any of which can gain
access to any resource in the forest with nothing more than a little persistence. Domains
make good administrative boundaries, and domains and sites make good replication boundaries, but only a forest can provide a viable security boundary.
Understanding the politics of business, Microsoft stepped in with a solution called multiple-forest trusts in Windows Server 2003, which, when used, result in a configuration called
federated forests.Without the forest trust, Kerberos authentication between forests would not
work. Remember that having two forests means two Active Directory databases and two
completely distinct sets of directory objects, such as user accounts. Accessing resources
across the federated forest boundary requires a more complex trust path than the one
between domains within a single forest. See Figure 4.2 for an example of a multiple-forest
trust path.
NOTE
Note that “federated forest” is not a term you’ll find in the Windows Server 2003
Help files. However, this terminology has been used in TechNet articles on Windows
Server 2003. For more information on the concept and implementation, see
Planning and Implementing Federated Forests in Windows Server 2003: www.
microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/
windowsserver2003/maintain/security/fedffin2.asp.
www.syngress.com
251
256_70-294_04.qxd
4:28 PM
Page 252
Chapter 4 • Working with Forests and Domains
Figure 4.2 The Forest Trust Path
Forest
Trust
Cats.com
Root
Domain
Root
Domain
Dogs.com
Tree-Root
Trust
Tree-Root
Trust
Child
Domain
Child
Domain
Tabby
Calico.cats.com
Head of the Class…
252
9/4/03
Child
Domain
Yellow.labs
.dogs.com
Labs.dogs.com
Parent-Child
Trust
Child
Domain
Onyx
Black.labs
.dogs.com
How Can I Share Resources between Two Active
Directories?
Here’s how sharing resources between two Active Directories works. Say that Tabby,
a user in the Windows 2000 Calico.cats.com domain, tries to access the public
folder on a file server called Onyx in the Windows Server 2003 Black.labs.dogs.com
domain as shown in Figure 4.2.
First, Tabby logs on to her workstation using Kerberos authentication and tries
to access a public folder on Onyx. Her workstation naïvely contacts one of the
Calico.cats.com DCs, which hosts the Kerberos KDC, requesting a service ticket for
the server principle name (SPN) of Onyx.black.labs.dogs.com. Naturally, the DC’s
database doesn’t contain that information, so it queries the Cats.com GC to see if
any of the other domains in its forest contain such a machine. As it turns out, the
GC isn’t so global, and Tabby gets an error.
This is because the Windows 2000 GC is limited to its own forest. Tabby wisely
purrs and convinces her manager to upgrade their forest to Windows Server 2003.
Being very catty, the Enterprise Administrators in Cats.com quickly take care of the
Continued
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 253
Working with Forests and Domains • Chapter 4
prerequisites for the establishment of a forest trust with Dogs.com as soon as the
upgrade is complete.
This time, instead of generating an error, Tabby’s newly upgraded GC checks
its database for forest trusts. When it finds one, it looks at the forest trust trusted
domain object to see if its listed name suffixes correspond with the target SPN. Sure
enough, a match is found, and it generates a routing hint back to the
Calico.cat.com DC, which in turn hints to Tabby’s workstation that it needs to go
climb a different tree.
Undaunted, the workstation asks a forest-root DC at Cats.com for a referral to
one of the DCs at the forest root of Dogs.com, based on the routing hint just
received. This generates more electronic red tape. Now the Calico workstation has
to make a request to the Dogs.com KDC for a service ticket to Onyx. Not the
brightest bulb in the pack, the KDC has to ask its own GC server in the Dogs.com
domain to see if it knows this file server. Being as global as needed this time, a
match is found and the SPN goes back to the Dogs.com forest-root KDC, which
sends it off to Tabby’s workstation back in the Calico child domain.
Success! Well, almost. Starting all over again, this time with a resolved SPN,
the workstation negotiates with the KDC in Calico.cats.com for Tabby to access
Onyx, and receives the appropriate server service ticket. Finally, sending the service
ticket directly to Onyx through a trust path of one forest trust, two tree-root
domain trusts, and one parent and child domain trust, the file server examines
Tabby’s credentials and sends her an access token.
Windows Explorer opens and displays the filenames in the \\Onyx\public
folder. Tabby, unaware of the complex chain of events set off by her request,
accesses the files.
Routing Hints for Forest Trusts
Routing hints are a new feature of GCs.The problem with creating trusts between forests is
that all traditional authentication channels stop at the forest boundary. DCs and traditional
GCs are sometimes not enough.When these fail to produce an SPN describing the location of the service being requested, routing hints from the Windows Server 2003 GC help
guide the workstation toward the correct forest within the Federated Forest boundary.The
GC server does this by checking the forest trust’s trusted domain object (TDO) for trusted
name suffixes that match the one found in the destination SPN.The routing hint always
goes back to the originating device so that it can resume its search for the SPN location in
the other forest.This new functionality has some limitations. If the TDO contains outdated
or incorrect information, the hint might be incorrect since the GC does not actually check
for the existence of the other forests.
www.syngress.com
253
256_70-294_04.qxd
254
9/4/03
4:28 PM
Page 254
Chapter 4 • Working with Forests and Domains
Cross-Forest Authentication
Although some types of data access are supported,Windows Server 2003 does not support
NetBIOS name resolution or Kerberos delegation across forests. NTLM authentication for
down-level clients continues to be fully supported, however. A Universal Group in one
forest might contain global groups from one or more additional forests across any available
forest trusts.
Federated Forest, or cross-forest, authentication takes two forms. In the default forest-wide
authentication, an “allow-all deny-some” approach is used. In other words, external users have
the same level of access to local resources as the local users do.The other form of access control takes the security conscious approach of “deny-all allow-some.”This optional method is
called selective authentication, and requires more administrative overhead by granting explicit
control over the outside use of local resources.You must set a control access right called
allowed to authenticate on an object for the users and groups that need access from another
forest. If selective authentication is enabled, an Other Organization SID is associated with the
user.This SID is then used to differentiate the external user from local users and determines if
an attempt can be made to authenticate with the destination service.
For reliable authentication using Kerberos, system time must be accurate across every
workstation and server. Servers are best synchronized with the same time source, while
workstations are synchronizing time with the servers. In an upgraded Active Directory
domain, this is usually not a problem.The Windows Server 2003 W32Time service provides
time synchronization for all Windows XP and Windows 2003 OSs. Kerberos version 5 is
particularly time sensitive and might falsely interpret logon requests as intrusion attempts if
the time is off. In that case, user access will be denied. Earlier versions of Windows might
need some assistance with the net time command in a logon script to stay current. In a federated forest, individual enterprises can choose to attune with different time sources. If
these sources diverge, although each forest is chronologically homogenous, they might not
agree with each other, resulting in a failure of all cross-forest authentications.
The Role of the Domain
The domain is the starting point of Active Directory. It is the most basic component that
can functionally host the directory. Simply put, Active Directory uses the domain as a container of computers, users, groups, and other object containers. Objects within the domain
share a common directory database partition, replication boundaries and characteristics,
security policies, and security relationships with other domains.
Typically, administrative rights granted in one domain are only valid within that
domain.This also applies to Group Policy Objects (GPOs), but not necessarily to trust relationships, which you will learn more about later in the book. Security policies such as the
password policy, account lockout policy, and the Kerberos ticket policy are defined on a
per-domain basis.The domain is also the primary boundary defining your DNS and
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 255
Working with Forests and Domains • Chapter 4
NetBIOS namespaces.The DNS infrastructure is a requirement for an Active Directory
domain, and should be defined before you create the domain.
There are several good reasons for a multiple domain model, although the best overall
practice consists of an empty root domain with a single user domain. Do not install additional domains unless you have a specific reason for them. Some of the more common reasons include:
■
Groups of users with different security policy requirements, such as strong
authentication and strict access controls.
■
Groups of users requiring additional autonomy, or administrative separation for
security reasons.
■
A requirement for decentralized administration due to political, budgetary, time
zone, or policy pressures.
■
A requirement for unique namespaces.
■
Controlling excessive directory replication traffic by breaking the domain into
smaller, more manageable pieces.This often occurs in an extremely large domain,
or due to a combination of geographical separation and unreliable WAN links.
■
Maintaining a pre-existing NT domain structure.
The primary Active Directory partitions, also called naming contexts, are replicated
among all DCs within a domain.These three partitions are the schema partition, the configuration partition, and the domain partition.
■
The schema partition contains the classSchema and the attributeSchema objects
that make up the directory schema.These classes and attributes define all possible
types of objects and object properties within the forest. Every DC in the entire
forest has a replica of the same schema partition.
■
The configuration partition, replicated identically on all DCs throughout the
forest, contains Active Directory’s replication topology and other configuration
data.
■
The domain partition contains the local domain objects, such as computers,
users, and groups, which all share the same security policies and security relationships with other domains. If multiple DCs exist within a domain, they contain a
replica of the same domain partition. If multiple domains exist within a forest,
each domain contains a unique domain partition.
Since each domain contains unique principles and resources, there must be some way
for other domains to locate them. Active Directory contains objects that adhere to a
naming convention called the DN, or distinguished name.The DN contains enough detail to
locate a replica of the partition that holds the object in question. Unfortunately, most users
and applications do not know the DN, or what partition might contain it.To fulfill that
www.syngress.com
255
256_70-294_04.qxd
256
9/4/03
4:28 PM
Page 256
Chapter 4 • Working with Forests and Domains
role, Active Directory uses the GC, which can locate DNs based on one or more specific
attributes of the needed object.
The GC contains a portion of every naming context in the directory, including the
schema and configuration partitions. In order to be able to find everything, the GC must
contain a replica of every object in the Active Directory. Fortunately, it only maintains a small
number of attributes for each object.These attributes are those most commonly used to
search for objects, such as a user’s first, last, and logon names.The GC extends an umbrella
of awareness throughout the discontiguous namespace of the enterprise.
Although the GC can be modified and optimized, it typically requires infrequent attention.The Active Directory replication system automatically builds and maintains the GC,
generates its replication topology, and determines which attributes to include in its index.
EXAM WARNING
Remember this distinction between the GC and the Schema Master: The GC contains a limited set of attributes of all objects in the Active Directory. The Schema
Master contains formal definitions of every object class that can exist in the forest
and every object attribute that can exist within an object.
In other words, the GC contains every object, while the schema contains
every definition of every type of object.
New Domainwide Features
Active Directory technology debuted with Windows 2000. Now, with Windows Server
2003, it has been refined and enhanced. Active Directory is now easier to deploy, more efficient at replication, has improved administration, and poses a better end-user experience.
Some features are enabled right away, while others require a complete migration of DCs to
the new release before they become available.There are countless new features, the most
significant of which we discuss next.
Domain Controller Rename
Not to be confused with domain renaming, domain controller rename is the ability to rename
a DC without following the Windows 2000 procedure of demoting, renaming, and promoting again. In a large domain, this saves considerable time, especially over a slow WAN
link, since the process of re-promoting the DC requires a replication of the Active
Directory.
Renaming a DC in Windows Server 2003 is much easier than it was in 2000, but that
does not mean it has become a simple procedure. If you have multiple DCs, before you
rename one of them you must make sure of a few things first. If any Operational Master
roles reside on the DC, you need to transfer them to another DC. If the DC is a GC server,
you have to move that role as well. Remember that the first DC you install in the forest is
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 257
Working with Forests and Domains • Chapter 4
the root DC.This DC is responsible for the GC and for all Flexible Single Master
Operations (FSMO) roles unless you have spread them out manually.You need to transfer
all of these functions to another DC before you rename the server.
Universal Groups and Group Conversions
Universal Groups are able to contain members from any domain in any forest, and they
replicate to the GC.They are particularly useful for administrative groups. One of the best
uses for groups with universal scope is to consolidate groups above the domain level.To do
this, add domain user accounts to groups with global scope and nest these Global Groups
within Universal Groups. Using this strategy, changes to the Global Groups do not directly
affect the membership of groups with universal scope.Taking it one step further, a
Universal Group in one forest can contain Global Groups from one or more additional
forests across any available forest trusts.
Here is an example. Refer to Figure 4.2.You have two domains in different forests with
NetBIOS names of CATS and DOGS. Each domain contains a Global Group called
Birdwatchers.To take advantage of this new capability, you add both of the Global Groups,
CATS\Birdwatchers and DOGS\Birdwatchers, to a Universal Group you create called
ALLBirdwatchers.The second step is to create an identical Universal Group in the other
forest as well.The ALLBirdwatchers group can now be used to authenticate users anywhere
in both enterprises. Any changes in the membership of the individual Birdwatchers groups
will not cause replication of the ALLBirdwatchers group.
You should strive to manage your Universal Groups in such a way as to minimize the
frequency of changes, since every change causes the entire membership of the group to be
replicated to every GC in the forest. A newly created group, by default is configured as a
Security Group with global scope regardless of the current domain functional level. Refer
to Table 4.1 for a summary of Universal Group capabilities that are available at the various
domain functional levels.
Groups can also be changed from one scope to another, within certain limitations.
Changing a group scope is not allowed in domains with a functional level of Windows 2000
mixed or Windows Server 2003 interim.The following scope conversions are allowed in
domains with a functional level of Windows 2000 native or Windows Server 2003:
■
Global to Universal, if the group you want to change is not a member of another
Global Group.
■
Domain Local to Universal, if the group you want to change does not have
another Domain Local Group as a member.
■
Universal to Global, if the group you want to change does not have another
Universal Group as a member.
■
Universal to Domain Local, with no restrictions.
www.syngress.com
257
256_70-294_04.qxd
258
9/4/03
4:28 PM
Page 258
Chapter 4 • Working with Forests and Domains
Table 4.1 Summary of Universal Group Capabilities by Domain Functional Level
Functional Level
Windows 2000 mixed
Windows 2000 native
Universal Group
Members
Universal Group
Nesting
None
User and computer accounts,
Global Groups, and Universal
Groups from any domain
None
Universal Groups can be
added to other groups
and assigned permissions
in any domain
None
Universal Groups can be
added to other groups
and assigned permissions
in any domain
Windows Server 2003 interim None
Windows Server 2003
User and computer accounts,
Global Groups, and Universal
Groups from any domain
Security Group Nesting
Security Groups are used to grant access to resources. Using nesting, you can add a group to
a group.This reduces replication traffic by nesting groups to consolidate member accounts.
A Security Group can also be used as an e-mail distribution list, but a Distribution Group
cannot be used in a discretionary access control list (DACL), which means it cannot be used
to grant access to resources. Sending e-mail to a Security Group sends the message to all
members of the group.
In the Windows 2000 mixed domain functional level, Security Groups are restricted to
the following members:
■
Global Groups can only have user accounts as members.
■
Domain Local Groups can have other Global Groups and user accounts as members.
■
Universal Groups cannot be created.
EXAM WARNING
It is very important to know the different restrictions on group memberships at different domain functional levels.
Distribution Group Nesting
Distribution Groups are collections of users, computers, contacts, and other groups.They
are typically used only for e-mail applications. Security Groups, on the other hand, are used
to grant access to resources and as e-mail distribution lists. Using nesting, you can add a
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 259
Working with Forests and Domains • Chapter 4
group to a group. Group nesting consolidates member accounts and reduces replication
traffic.Windows NT did not support Distribution Groups within the OS, but they are supported in all versions of Active Directory. Distribution Groups cannot be listed in DACLs in
any version of Windows, which means they cannot be used to define permissions on
resources and objects, although they can be used in DACLs at the application layer.
Microsoft Exchange is a common example. If you do not need a group for security purposes, create a Distribution Group instead.
Number of Domain Objects Supported
In Windows 2000, group membership was stored in Active Directory as a single multivalued
attribute.When the membership list changed, the entire group had to be replicated to all
DCs. So that the store could be updated in a single transaction during the replication process, group memberships were limited to 5000 members. In Windows Server 2003, Linked
Value Replication removes this limitation and minimizes network traffic by setting the granularity of group replication to a single principle value, such as a user or group.
Distribution Groups
Distribution Groups, unlike Security Groups, are not primarily used for access control,
although they can be used in an ACL at the application layer. Distribution groups are
designed to be used with e-mail applications only.You can convert a Distribution Group to
a Security Group (or vice versa), if the functional level is Windows 2000 native or higher.
You have to be a domain or enterprise admin, or a member of the Account Operators
Group (or have the appropriate authority delegated) to convert a group. Changing the
group type is as simple as right-clicking the group in Active Directory Users and
Computers, clicking Properties, and clicking the desired group type on the General tab.
Domain Trees
A domain tree can be thought of as a DNS namespace composed of one or more domains.
If you plan to create a forest with discontiguous namespaces, you must create more than
one tree. Referring back to Figure 4.1, you see two trees in that forest, Cats.com and
Dogs.com. Each has a contiguous namespace because each domain in the hierarchy is directly
related to the domains above and below it in each tree.The forest has a discontiguous namespace because it contains two unrelated top-level domains.
Forest and Domain Functional Levels
Functional levels are a mechanism that Microsoft uses to remove obsolete backward compatibility within the Active Directory. It is a feature that helps improve performance and security. In Windows 2000, each domain had two functional levels (which were called
“modes”), native mode and mixed mode, while the forest only had one functional level. In
Windows Server 2003, there are two more levels to consider in both domains and forests.
To enable all Windows Server 2003 forest and domainwide features, all DCs must be run-
www.syngress.com
259
256_70-294_04.qxd
260
9/4/03
4:28 PM
Page 260
Chapter 4 • Working with Forests and Domains
ning Windows Server 2003 and the functional levels must be set to Windows Server 2003.
Table 4.2 summarizes the levels, DCs supported in each level, and each level’s primary purpose.
Table 4.2 Domain and Forest Functional Levels
Type
Functional Level
Supported DCs
Purpose
Domain Default
Windows 2000 mixed
NT, 2000, 2003
Domain
Windows 2000 native
2000, 2003
Domain
Windows Server 2003
interim
NT, 2003
Domain
Windows Server 2003
2003
Forest Default
Windows 2000
NT, 2000, 2003
Forest
Windows Server 2003
interim
NT, 2003
Forest
Windows Server 2003
2003
Supports mixed environments during
upgrade; low security,
high compatibility
Supports upgrade from
2000 to 2003
Supports upgrade from
NT to 2003; low
security, no new
features
Ideal level, best
security, least compatibility, all new Active
Directory features are
enabled
Supports mixed environments during
upgrade; low security,
high compatibility
Supports upgrade from
NT to 2003; low
security, some new
features
Ideal level, best
security, least compatibility, all new Active
Directory features are
enabled
Domain Functionality
When considering raising the domain functionality level, remember that the new features
will directly affect only the domain being raised.The four available functional levels are:
■
Windows 2000 mixed
■
Windows 2000 native
■
Windows Server 2003 interim
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 261
Working with Forests and Domains • Chapter 4
■
Windows Server 2003
Once the domain functional level has been raised, no prior version DCs can be added
to the domain. In the case of the Windows Server 2003 domain functional level, no
Windows 2000 servers can be promoted to DC status after the functionality has been
raised.Table 4.2 summarizes the levels, DCs supported in each level, and the level’s primary
purpose. See Table 4.3 for a summary of the capabilities of the current Windows 2000 and
new Windows Server 2003 domain functional levels.
Table 4.3 Domain Functional Level Features
Domain Feature
Local and Global
Groups
Distribution Groups
GC support
Number of domain
objects supported
Kerberos KDC key
version numbers
Security Group
nesting
Distribution Group
nesting
Universal Groups
SIDHistory
Converting groups
between Security
Groups and Distribution Groups
DC rename
Logon timestamp
attribute updated
and replicated
User password
support on the
InetOrgPerson
objectClass
Windows
Windows 2000 Windows 2000 Windows Server Server 2003
Mixed
Native
2003 Interim
Native
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
40,000
Enabled
Enabled
1,000,000
Enabled
Enabled
40,000
Enabled
Enabled
1,000,000
Disabled
Disabled
Disabled
Enabled
Disabled
Enabled
Disabled
Enabled
Enabled
Enabled
Enabled
Enabled
Disabled
Disabled
Disabled
Enabled
Enabled
Enabled
Disabled
Disabled
Disabled
Enabled
Enabled
Enabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Enabled
Enabled
Disabled
Disabled
Disabled
Enabled
Continued
www.syngress.com
261
256_70-294_04.qxd
262
9/4/03
4:28 PM
Page 262
Chapter 4 • Working with Forests and Domains
Table 4.3 Domain Functional Level Features
Domain Feature
Constrained
delegation
Users and
Computers
container
redirection
Windows
Windows 2000 Windows 2000 Windows Server Server 2003
Mixed
Native
2003 Interim
Native
Disabled
Disabled
Disabled
Enabled
Disabled
Disabled
Disabled
Enabled
Windows 2000 Mixed Domain Functional Level
The Windows 2000 mixed domain functional level is primarily designed to support mixed
environments during the course of an upgrade.Typically, this applies to a transition from
Windows NT to Windows 2000, although it is also the default mode for a newly created
Windows Server 2003 domain. It is characterized by lowered security features and defaults,
and the highest compatibility level possible for Active Directory.
■
All Windows DCs are supported.
■
Active Directory domain features not supported in this mode:
■
Group nesting
■
Universal Groups
■
SIDHistory
■
Converting groups between Security Groups and Distribution Groups
■
Domain controller rename
■
Logon timestamp attribute updated and replicated
■
User password support on the InetOrgPerson objectClass
■
Constrained delegation
■
Users and Computers container redirection
■
Can be raised to Windows 2000 native mode or directly to the Windows Server
2003 domain level.
■
Can never be lowered since no lower domain functional level exists.
In the Windows 2000 mixed functional level, which is the default level,Windows 2000
and greater DCs can exist, as well as Windows NT backup domain controllers (BDCs).
Newly created Windows Server 2003 domains always start at this level.Windows NT primary domain controllers (PDCs) do not exist in any version of Active Directory.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 263
Working with Forests and Domains • Chapter 4
Windows 2000 Native Domain Functional Level
The Windows 2000 native domain functional level is primarily intended to support an
upgrade from Windows 2000 to Server 2003.Typically, this applies to existing Active
Directory implementations since mixed and interim modes support the upgrade from
Windows NT. It is characterized by better security features and defaults, and an average
compatibility level.
■
Microsoft Windows NT 4.0 DCs are not supported.
■
Active Directory domain features not supported in this mode:
■
Domain controller rename
■
Logon timestamp attribute updated and replicated
■
User password support on the InetOrgPerson objectClass
■
Constrained delegation
■
Users and Computers container redirection
■
Can be raised to the Windows Server 2003 domain level.
■
Can never be lowered back to the Windows 2000 mixed mode.
In Windows 2000 native functional level, DCs have all been upgraded to Windows 2000
or Windows Server 2003. Native mode enables Universal Security Groups, nested groups,
group conversion between distribution and security types, and SIDHistory.
Windows Server 2003 Interim Domain Functional Level
The Windows Server 2003 interim domain functional level is the preferred method of supporting Windows NT environments during the course of an upgrade.This level only applies
to a transition from Windows NT to Windows Server 2003 because it does not allow for
the presence of Windows 2000 DCs. It is characterized by lowered security features and
defaults, similar to the Windows 2000 mixed domain functional level, and a high compatibility level for Windows NT.
■
Microsoft Windows 2000 DCs are not supported.
■
New Active Directory domain features not supported in this level:
■
Group nesting
■
Universal Groups
■
SIDHistory
■
Converting groups between Security Groups and Distribution Groups
■
Domain controller rename
■
Logon timestamp attribute updated and replicated
www.syngress.com
263
256_70-294_04.qxd
264
9/4/03
4:28 PM
Page 264
Chapter 4 • Working with Forests and Domains
■
User password support on the InetOrgPerson objectClass
■
Constrained delegation
■
Users and Computers container redirection
■
Can only be raised to the Windows Server 2003 domain level.
■
Can never be lowered since the Windows 2003 interim domain level only exists
during an upgrade from Windows NT 4.0 to Windows Server 2003, bypassing
Windows 2000.
■
Reasons to use the Windows 2003 interim domain functional level:
■
Upgrading a Windows NT 4.0 domain directly to Windows 2003.
■
Windows NT 4.0 BDCs will not upgrade immediately.
■
Your Windows NT 4.0 domain contains groups with more than 5000 members, not including the Domain Users group.
■
You have no plans to implement Windows 2000 DCs at any time.
■
Since the Windows 2003 interim domain level greatly improves group replication efficiency, it is better to upgrade directly from Windows NT 4.0 to
Windows Server 2003 instead of to Windows 2000, and then to 2003.
In the Windows Server 2003 interim domain functional level, no domainwide features
are activated, although many forest level features are activated at this level (see the section
Windows Server 2003 Interim Forest Functional Level later in the chapter).This mode is only
used during the upgrade of Windows NT 4.0 DCs to Windows Server 2003 DCs. If a
Windows 2000 Active Directory domain already exists, then the Windows Server 2003
interim domain level cannot be achieved.
Remember that any domain joined to an existing forest inherits its domain functional
level from the child, top-level, or root-level domain that it connects to during the joining
process.The domain level of Windows 2000 is only the default when you create a new
forest root.
EXAM WARNING
Remember the difference between domain and forest functional levels of the same
name. For example, the Windows Server 2003 interim domain functional level can
never be reversed. The Windows Server 2003 interim forest functional level can be
reversed temporarily for the purpose of joining a Windows NT 4.0 domain as a new
domain in an existing forest during an upgrade of the NT 4.0 domain to the
Windows Server 2003 level. To revert your Windows Server 2003 forest back to the
interim level for an upgrade, you must manually configure the forest level with LDAP
tools such as Ldp.exe or Adsiedit.msc, and then back again. As you can see from this
example, domain functional levels and forest functional levels are not the same.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 265
Working with Forests and Domains • Chapter 4
Windows Server 2003 Domain Functional Level
The Windows Server 2003 domain functional level is the ideal level.This level does not
allow for the presence of Windows NT or Windows 2000 DCs. It starts out with the best
security defaults and capabilities, and the least compatibility with earlier versions of windows. All new 2003 Active Directory domain features are enabled at this level, providing the
most efficient and productive environment.
■
DCs not supported at this level:
■
Windows NT 4.0 DCs
■
Windows 2000 DCs
■
All new Active Directory domain features are supported at this level.
■
Cannot be raised to any other level, since no higher level exists at this time.
■
Can never be lowered to the Windows 2000 mixed mode, the Windows 2000
native mode, or the Windows Server 2003 interim level.
In the Windows Server 2003 domain functional level, only Windows Server 2003 DCs
can exist.
Forest Functionality
The Windows Server 2003 forest functional levels are named similarly to the domain levels.
Windows 2000 originally had only one level, and that level was carried over into Windows
2003.The two other available functional levels are Windows Server 2003 interim and
Windows Server 2003, sometimes referred to as Windows Server 2003 native mode.Table
4.2 summarizes the levels, DCs supported in each level, and the level’s primary purpose.
As with domain functional levels, each forest functional level carries over the features
from lower levels, and activates new features as well.These new features apply across every
domain in your forest. After you raise the forest functional level, earlier OSs cannot be promoted to DCs. For example,Windows NT 4.0 and Windows 2000 DCs cannot be part of
the forest at any level, except through external or forest trusts, once the forest level has been
raised to Windows Server 2003 native. See Table 4.4 for a summary of the capabilities of the
new Windows Server 2003 forest functional levels.
Table 4.4 New Forest Functional Level Features
Forest Feature
Windows 2000
Windows
Windows Server Server 2003
2003 Interim
Native
Support for more than 5000
members per group
Universal Group caching
Application partitions
Not available
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Continued
www.syngress.com
265
256_70-294_04.qxd
266
9/4/03
4:28 PM
Page 266
Chapter 4 • Working with Forests and Domains
Table 4.4 New Forest Functional Level Features
Forest Feature
Windows 2000
Windows
Windows Server Server 2003
2003 Interim
Native
Install from backups
Quotas
Rapid GC demotion
SIS for system access control
lists (SACL) in the Jet
Database Engine
Improve topology generation
event logging
Windows Server 2003 DC
assumes the Intersite
Topology Generator
(ISTG) role
Efficient group member
replication using linked value
replication
Improved KCC inter-site
replication topology
generator algorithms
ISTG aliveness no longer
replicated
Attributes added to the GC,
such as: ms-DS-Entry-Time-ToDie, Message QueuingSecured-Source, Message
Queuing-Multicast-Address,
Print-Memory, Print-Rate,
and Print-Rate-Unit
Defunct schema objects
Cross-forest trust
Domain rename
Dynamic auxiliary classes
InetOrgPerson objectClass
change
Application groups
15-second intrasite replication
frequency for Windows
Server 2003 DCs upgraded
from Windows 2000
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Disabled
Enabled
Enabled
Disabled
Enabled
Enabled
Disabled
Enabled
Enabled
Disabled
Enabled
Enabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Enabled
Enabled
Enabled
Enabled
Enabled
Disabled
Disabled
Disabled
Disabled
Enabled
Enabled
Continued
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 267
Working with Forests and Domains • Chapter 4
Table 4.4 New Forest Functional Level Features
Forest Feature
Windows 2000
Windows
Windows Server Server 2003
2003 Interim
Native
Reduced NTDS.DIT size
Unlimited site management
Disabled
Disabled
Disabled
Disabled
Enabled
Enabled
Windows 2000 Forest Functional Level (default)
The Windows 2000 forest functional level is primarily designed to support mixed environments during the course of an upgrade.Typically, this applies to a transition from Windows
2000 to Windows Server 2003. It is also the default mode for a newly created Windows
Server 2003 domain. It is characterized by relatively lower security features and reduced
efficiency, but maintains the highest compatibility level possible for Active Directory.The
Windows 2003 interim forest functional level handles upgrades from Windows NT to
Windows Server 2003.
■
All Windows DCs are supported.
■
Active Directory forest features not supported in this mode:
■
Efficient group member replication using linked value replication
■
Improved KCC inter-site replication topology generator algorithms
■
ISTG aliveness no longer replicated
■
Attributes added to the GC, such as ms-DS-Entry-Time-To-Die, Message
Queuing-Secured-Source, Message Queuing-Multicast-Address, Print-Memory, PrintRate, and Print-Rate-Unit
■
Defunct schema objects
■
Cross-forest trust
■
Domain rename
■
Dynamic auxiliary classes
■
InetOrgPerson objectClass change
■
Application groups
■
15-second intra-site replication frequency for Windows Server 2003 DCs
upgraded from Windows 2000
■
Reduced NTDS.DIT size
■
Unlimited site management
■
Can only be raised to the Windows 2003 native forest level.
■
Can never be lowered back to the Windows 2000 level.
www.syngress.com
267
256_70-294_04.qxd
268
9/4/03
4:28 PM
Page 268
Chapter 4 • Working with Forests and Domains
In the Windows 2000 functional level, which is the default level,Windows 2000 and
greater DCs can exist, as well as Windows NT BDCs. Newly created Windows Server 2003
forests always start at this level.Windows NT PDCs do not exist in any version of Active
Directory. Features available in the Windows 2000 forest functional level of Windows Server
2003 carry over the old features and add many new ones.
Windows Server 2003 Interim Forest Functional Level
The Windows Server 2003 interim forest functional level is the preferred method of supporting Windows NT environments during the course of an upgrade.This level only applies
to a transition from Windows NT to Windows Server 2003 because it does not allow for
the presence of Windows 2000 DCs anywhere in the forest. It is characterized by lowered
security features and defaults, but provides many efficiency improvements over the
Windows 2000 forest functional level.
■
Microsoft Windows 2000 DCs are not supported.
■
New Active Directory forest features not supported in this level:
■
Defunct schema objects
■
Cross-forest trust
■
Domain rename
■
Dynamic auxiliary classes
■
InetOrgPerson objectClass change
■
Application groups
■
15-second intrasite replication frequency for Windows Server 2003 DCs
upgraded from Windows 2000
■
Reduced NTDS.DIT size
■
Unlimited site management
■
Can only be raised to the Windows Server 2003 forest functional level.
■
Can never be lowered to the Windows 2000 level, since the Windows 2003
interim domain level only exists during an upgrade directly from Windows NT 4.0
to Windows Server 2003.
■
Reasons to use the Windows 2003 interim forest functional level:
■
Upgrading a root Windows NT 4.0 domain directly to Windows 2003.
■
Windows NT 4.0 BDCs will not upgrade immediately.
■
Your Windows NT 4.0 domain contains groups with more than 5000 members, not including the Domain Users group.
■
You have no plans to implement Windows 2000 DCs at any time.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 269
Working with Forests and Domains • Chapter 4
■
Since the Windows 2003 interim domain level greatly improves group replication efficiency, it is better to use the Windows 2003 interim forest functional
level instead of upgrading to Windows 2000, and then to Windows 2003.
■
You are upgrading a Windows NT 4.0 PDC as the first DC of a new root
domain in an existing Windows Server 2003 forest.
■
Simultaneously upgrading and joining a Windows NT 4.0 domain as a child
domain in an existing Windows Server 2003 forest.
In the Windows Server 2003 interim forest functional level, unlike the Windows Server
2003 interim domain functional level, many new features are activated while still allowing
Windows NT 4.0 BDC replication.This mode is only used during the upgrade of a Windows
NT 4.0 domain to a Windows Server 2003 forest. If a Windows 2000 Active Directory forest
already exists, then the Windows Server 2003 interim forest level cannot be achieved.
To revert your Windows Server 2003 forest back to the interim level for an upgrade,
you must manually configure the forest level with LDAP tools such as Ldp.exe or
Adsiedit.msc. Remember that any domain joined to an existing forest inherits its domain
functional level from the child, top-level, or root-level domain that it connects to during
the joining process.The default forest level of Windows 2000 only applies when you create
a new forest.
Windows Server 2003 Forest Functional Level
The Windows Server 2003 forest functional level is the ideal level.This level does not allow
for the presence of Windows NT or Windows 2000 DCs anywhere in the forest. It starts
out with the best security defaults and capabilities, and the least compatibility with earlier
versions of Windows. All new 2003 Active Directory forest features are enabled at this level,
providing the most efficient and productive environment.
■
DCs not supported at this level:
■
Windows NT 4.0 DCs
■
Windows 2000 DCs
■
All new Active Directory forest features are supported at this level.
■
Cannot be raised to any other level, since no higher level exists in Windows
Server 2003.
■
Can never be lowered back to the Windows 2000 level, but can be temporarily
lowered to the Windows Server 2003 interim level for the purpose of joining a
Windows NT 4.0 domain as a new domain in an existing forest during an upgrade
of the NT 4.0 domain to the Windows Server 2003 level.
In the Windows Server 2003 forest functional level, only Windows Server 2003 DCs
can exist.
www.syngress.com
269
256_70-294_04.qxd
270
9/4/03
4:28 PM
Page 270
Chapter 4 • Working with Forests and Domains
EXAM
70-294
OBJECTIVE
1.3.5
Raising the Functional Level
of a Domain and Forest
Before increasing a functional level, you should prepare for it by performing the following
tasks. First, inventory your entire forest for earlier versions of DCs.The Active Directory
Domains and Trusts MMC snap-in can generate a detailed report should you need it.You
can also perform a custom LDAP query from the Active Directory Users and Computers
MMC snap-in that will discover Windows NT DC objects within the forest. Use the following search string:
(&(objectCategory=computer)(operatingSystem Version=4*)
(userAccountControl:1.2.840.113556.1.4.803:=8192))
There should be no spaces in the query, and type it in all on one line.The search string
is shown on two lines for readability.
Second, you need to physically locate all down-level DCs for the new functional level in
the domain or forest as needed, and either upgrade or remove them.
Third, verify that end-to-end replication is working in the forest using the Windows
Server 2003 versions of Repadmin.exe and Replmon.exe.
Finally, verify the compatibility of your applications and services with the version of
Windows that your DCs will be running, and specifically their compatibility with the target
functional level. Use a lab environment to test for compatibility issues, and contact the
appropriate vendors for compatibility information.
Domain Functional Level
Before raising the functional level of a domain, all DCs must be upgraded to the minimum
OS level as shown in Table 4.2. Remember that when you raise the domain functional level
to Windows 2000 native or Windows Server 2003, it can never be changed back to Windows
2000 mixed mode. Exercise 4.01 takes you systematically through the process of verifying the
current domain functional level. Exercise 4.02 takes you through the process of raising the
domain functional level.To raise the level, you must be an enterprise administrator, a domain
administrator in the domain you want to raise, or have the appropriate authority.
EXERCISE 4.01
VVERIFYING THE DOMAIN FUNCTIONAL LEVEL
1. Log on as a Domain Admin of the domain you are checking.
2. Click on Start | Control Panel | Performance and Maintenance |
Administrative Tools | Active Directory Users and Computers, or use
the Microsoft Management Console (MMC) preconfigured with the
Active Directory Users and Computers snap-in.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 271
Working with Forests and Domains • Chapter 4
3. Locate the domain in the console tree that you are going to raise in
functional level. Right-click the domain and select Raise Domain
Functional Level.
4. In the Raise Domain Functional Level dialog box, the current domain
functional level appears under Current domain functional level.
NOTE
This check can also be performed using the Active Directory Domains and Trusts
MMC snap-in.
EXERCISE 4.02
RAISING THE DOMAIN FUNCTIONAL LEVEL
1. Log on locally as a Domain Admin to the PDC or the PDC Emulator
FSMO of the domain you are raising.
2. Click on Start | Administrative Tools | Active Directory Domains and
Trusts, or use the MMC preconfigured with the Active Directory
Domain and Trusts snap-in.
3. Locate the domain in the console tree that you are going to raise in
functional level. Right-click the domain and select Raise Domain
Functional Level.
4. A dialog box will appear entitled Select an available domain functional level. There are only two possible choices, although both might
not be available.
■
Select Windows 2000 native, and then click the Raise button to
raise the domain functional level to Windows 2000 native.
■
Select Windows Server 2003, and then click the Raise button to
raise the domain functional level to Windows Server 2003.
www.syngress.com
271
256_70-294_04.qxd
272
9/4/03
4:28 PM
Page 272
Chapter 4 • Working with Forests and Domains
NOTE
You can also use the Active Directory Users and Computers MMC snap-in to perform this exercise.
Forest Functional Level
Before raising the functional level of a forest, all DCs in the forest must be upgraded to the
minimum OS level as shown in Table 4.2. In practice, since the only forest functional level
that will be available to you is Windows Server 2003, all DCs in the forest must be running
Windows Server 2003. Locate all down-level DCs and either upgrade them or remove
them from the domain.You do not have to upgrade the domain functional level before the
forest functional level.The reason for this is that all domains in the forest will automatically
raise to the level of Windows Server 2003 to match the forest level after Active Directory
replicates the changes.The forest Schema Master performs this operation. Exercise 4.03
takes you through the process of verifying the current forest functional level. Exercise 4.04
shows you how to raise the forest functional level.To raise the forest level, you must be an
enterprise administrator, a domain administrator at the forest root, or have the appropriate
authority.
EXERCISE 4.03
VERIFYING THE FOREST FUNCTIONAL LEVEL
1. Log on as an Enterprise Administrator in the forest you are checking.
2. Click on Start | Administrative Tools | Active Directory Domains and
Trusts, or use the MMC preconfigured with the Active Directory
Domains and Trusts snap-in.
3. In the console tree, right-click the Active Directory Domains and
Trusts folder and select Raise Forest Functional Level.
4. In the Raise Forest Functional Level dialog box, the current forest functional level appears under Current forest functional level.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 273
Working with Forests and Domains • Chapter 4
EXERCISE 4.04
RAISING THE FOREST FUNCTIONAL LEVEL
1. Log on locally as an Enterprise Administrator on the PDC Emulator
FSMO of the forest root domain you are raising.
2. Click on Start | All Programs | Administrative Tools | Active
Directory Domains and Trusts, or use the MMC preconfigured with
the Active Directory Domains and Trusts snap-in.
3. In the console tree, right-click the Active Directory Domains and
Trusts folder and select Raise Forest Functional Level.
4. Where it asks you to Select an available forest functional level, click
Windows Server 2003, and then click the Raise button.
Optimizing Your Strategy for Raising Functional Levels
There are two basic strategies for traveling the path from the Windows 2000 native level
and Windows 2000 mixed-mode levels to the goal of Windows Server 2003 functional
levels across your forest.
■
The Windows 2000 native mode path.
■
Raise the level of all domains to the Windows 2000 native functional level.
■
Raise the forest level to Windows Server 2003.
Benefits of this method include:
■
You do not have to perform the domain level-raising procedure on every domain
before raising the forest level.
■
It automatically does the work of tracking down all down-level domains and DCs
for you.The process fails if these exist, but then you have a ready list of preparation work to do.This is helpful if your forest is not well documented. See the
sidebar If Raising the Forest Functional Level Fails for more information.
■
The Windows Server 2003 level path.
■
Raise the level of all domains to the Windows 2000 native functional level.
■
Raise the level of all domains to the Windows Server 2003 functional level.
■
Raise the forest level to Windows Server 2003.
www.syngress.com
273
256_70-294_04.qxd
4:28 PM
Page 274
Chapter 4 • Working with Forests and Domains
The benefits of this method are:
■
All of the new Windows Server 2003 domain-level features are turned on before
you make the commitment to raising the level of the forest.
■
You can perform integration and interoperability testing on a smaller scale
without committing the forest to the functional upgrade.
There are three basic approaches for the use of interim modes when upgrading
Windows NT to Windows Server 2003. Interim level should be avoided if you will ever
have a need to implement Windows 2000 DCs. Here are the three strategies:
New & Noteworthy...
274
9/4/03
■
When upgrading the Windows NT PDC into a new Windows Server 2003 forest,
select the interim level from the dcpromo utility.
■
When upgrading the Windows NT PDC into an existing Windows Server 2003
forest, manually set the interim level with Ldp.exe or Adsiedit.msc, and join the
forest during the upgrade.The upgraded domain inherits the interim setting from
the forest.
■
Upgrade or remove all Windows NT BDCs, and then upgrade the Windows NT
PDC. Since no Windows NT DCs remain in the domain, the Windows Server
2003 interim functionality level is not needed.
If Raising the Forest Functional Level Fails
Typically, when the procedure for raising the forest functional level fails, it is
because of the existence of DCs somewhere in the forest that must still be
upgraded from Windows NT 4.0 or Windows 2000. To find out, click Save As right
after the failure from the Raise Forest Functional Level dialog box. This will save
a helpful log file to aid you in locating the DCs and domains that do not meet the
requirements.
If you have verified that all DCs have been upgraded to Windows Server 2003
but continue to get a failure, consider the following two possibilities:
■
You have upgraded the DC in question, but Active Directory replication
has not yet completed.
■
The DC causing the error is no longer in service, but its corresponding
computer object has not been removed from the domain.
Go to “Q” article number 216498 in the Microsoft Knowledge Base for information on how to remove data in Active Directory after an unsuccessful DC demotion. This is a likely cause of the error.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 275
Working with Forests and Domains • Chapter 4
EXAM
70-294
OBJECTIVE
1.3
2.1
Creating the Forest and Domain Structure
The process of creating the forest and domain structure is centered on the use of the Active
Directory Installation Wizard.This utility installs and configures DCs, which in turn provide
the Active Directory directory service to networked computers and users.The first step is
to install Windows Server 2003 as a member server or a stand-alone server. At this point,
you should be familiar with that process, so it will not be covered here.
Next comes the decision process leading to the installation of a DC. Essentially, there
are two reasons to install a DC: to create a new domain, or to add an additional DC to an
existing domain. Depending on your current forest structure, you will end up with one of
four results:
■
A new forest
■
A new domain tree in an existing forest
■
A new child domain in an existing domain
■
A new DC in an existing domain
Deciding When to Create a New DC
Since a domain cannot exist without a DC, you must create at least one for each domain.
The process of creating the first DC also creates the domain itself.The domain can be
either a new child domain or the root of a new tree.The difference is in the namespace.
See the section Domain Trees earlier in the chapter. Here are the four main reasons to create
a new DC:
■
Creating the first domain in your network
■
Creating a new domain in your forest
■
Improving a domain’s reliability
■
Improving network performance between sites
If you want to create a domain with a name that is not related to any other namespace
in your forest, you will create a new tree. If you want to create a domain that will function
as an additional subunit within an existing domain, you will create a child domain.
To improve a domain’s reliability, you should always create at least a second DC in each
domain.That way, if the first one fails, you will still be able to use the second. If your
existing DCs are overloaded, simply adding another DC to your domain will help spread
the load. If any of your domains are divided by WAN links, then it is a good practice to
place a DC in each site. Besides lowering WAN bandwidth utilization and improving logon
response times, you also provide a level of fault tolerance. If the WAN link fails, users on
both sides of the link will continue to be able to log on if your domain is at the Windows
Server 2003 functional level.
www.syngress.com
275
256_70-294_04.qxd
4:28 PM
Page 276
Chapter 4 • Working with Forests and Domains
Configuring & Implementing...
276
9/4/03
Legacy DNS Compatibility
You might find it useful at times to interoperate with a legacy DNS server, such as
that found on older UNIX servers and Windows NT, especially during a migration.
One way to accomplish this is to configure the legacy server to support Active
Directory. Every Windows Server 2003 DC creates a file in the
%Systemroot\System32\Config folder called Netlogon.dns. It contains the DNS
records necessary to register the resources of the DC.
If you are using a DNS server that does not support dynamic updates, but
does supports the SRV resource record, you should import the Netlogon.dns
records from all of your Active Directory DCs into the primary zone file corresponding to the namespace your Active Directory is using. Windows DNS clients
configured with the legacy DNS server’s IP address will then use the static SRV
records to locate a DC to begin the logon process. The flaw in this setup is that any
time one of your DCs is offline, you will get some number of logon failures until
you manually remove the corresponding SRV records.
In this type of environment, DNS issues and misconfigurations are common.
For example, if you try to execute any of the Active Directory MMC snap-ins, such
as Active Directory Users and Computers, and you get an error saying, “No
authority can be contacted for authentication,” then DNS might be incorrectly configured. First, make sure that your DNS client is using the intended DNS server.
Verify that the zones on your DNS server are configured correctly, that your DNS
server has authority for the zone that contains your Active Directory namespace,
and that the correct SRV records have been imported into the applicable primary
zone file.
Active Directory requires DNS.The Active Directory Installation Wizard will look for
an authoritative DNS server that accepts dynamic updates for the domain. If a DNS server
that can accept dynamic updates is not available, the Active Directory Installation Wizard
will optionally create one for you that is preconfigured for the name of your domain.When
you restart the new DC, it will register itself with DNS.
Installing Domain Controllers
You should know what type of domain you want to install before you begin, and the namespace it will use. Read the procedure for the type of domain you want to install and know
what your responses will be. For example, if you want the shared system volume ( SYSVOL) on
its own disk volume, you will need to prepare it ahead of time. Before you run the Active
Directory Installation Wizard, make sure that the authoritative DNS zone allows dynamic
updates and that your DNS server supports SRV records. As always, no matter how small the
domain, it should always have two DCs for fault tolerance and availability.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 277
Configuring & Implementing...
Working with Forests and Domains • Chapter 4
What Else Do I Need to Know Before I Install a DC?
Before running the Active Directory Installation Wizard, you should know the
answers to the questions it will ask. Some of the questions require preparation
ahead of time. Here are a few of the important points to consider before typing
dcpromo.
1. Where do I put my database and log folders? The default setting of
%SystemRoot\ntds for both the Active Directory database and logs is
good for small networks, but consider putting these two items on their
own disk volume for better performance. The Active Directory is a
database and is susceptible to the same performance issues of any
other database. The best practice for the Ntds.dit database store is to
use a RAID-5 arrangement of the appropriate size for your enterprise.
As an additional performance enhancement for large enterprises, use
two mirrored physical disks for the log folders. Install and configure
these disk structures before running dcpromo. The Active Directory
sizer tool, found at www.microsoft.com/windows2000/techinfo/
reskit/tools/new/adsizer-o.asp, allows you to estimate the hardware that
you need to deploy Active Directory in your organization. Adsizer.exe
performs its estimates based on your enterprise usage profile, and your
domain and site topologies.
2. Where do I put the SYSVOL? The contents of the SYSVOL are replicated to all DCs in the domain. It contains a copy of all the domain’s
public files. The default setting of %SystemRoot\sysvol is acceptable for
small networks, but consider putting it on its own disk volume for
better performance.
3. Select Permissions compatible with pre-Windows 2000 server operating systems only after considering the impact of weaker permissions. This option adds the Everyone group to the Pre-Windows 2000
Compatible Access group. Don’t be hasty; if you aren’t sure you need
it, select Permissions compatible only with Windows 2000 or
Windows Server 2003 operating systems. Even with a pure Windows
XP and Server 2003 network, you might find that some of your applications are not working. Manually add the group as described previously.
If the problem is fixed, then you have applications that are not compatible with Windows Server 2003 domains. Once those applications are
upgraded, remove the backward compatibility setting to enhance security. This will prevent anonymous users from accessing your user and
group information.
4. Select a strong password for the Directory Services Restore Mode
Administrator Password. Use a mixture of numbers, uppercase letters,
lowercase letters, and special characters. The best practice is to put the
password in a sealed envelope under lock and key for emergencies.
www.syngress.com
277
256_70-294_04.qxd
278
9/4/03
4:28 PM
Page 278
Chapter 4 • Working with Forests and Domains
EXAM
70-294
Creating a Forest Root Domain
OBJECTIVE
1.3.1 The initial DC that you install, as shown in Figure 4.3, will provide your users with the Active
Directory. Consider making this an empty root domain where your Enterprise Administrators
have accounts, but no regular users.With the procedure in Exercise 4.05, you will simultaneously create your first domain, called the root domain, and your first forest.
Figure 4.3 Creating a New Domain in a New Forest
Dogs.com
Root
Domain
EXERCISE 4.05
CREATING A NEW DOMAIN
IN A
NEW FOREST
1. Log on as a local Administrator.
2. Click Start | Run.
3. Type dcpromo.
4. Click OK to start the Active Directory Installation Wizard.
5. In the Welcome to the Active Directory Installation Wizard window,
click Next as shown in Figure 4.4.
Figure 4.4 The Welcome Dialog Box for dcpromo
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 279
Working with Forests and Domains • Chapter 4
6. In the Operating System Compatibility window, click Next as shown
in Figure 4.5.
Figure 4.5 The Operating System Compatibility Dialog
Box for dcpromo
7. In the Domain Controller Type window, click Domain controller for a
new domain | Next as shown in Figure 4.6.
Figure 4.6 The Domain Controller Type Dialog Box Used for a New DC
in a New Domain
8. In the Create New Domain window, click Domain in a new forest |
Next as shown in Figure 4.7.
www.syngress.com
279
256_70-294_04.qxd
280
9/4/03
4:28 PM
Page 280
Chapter 4 • Working with Forests and Domains
Figure 4.7 The Create New Domain Dialog Box Used for Creating a
New Domain in a New Forest
9. In the New Domain Name window, type the full DNS domain name
for the new domain, and click Next as shown in Figure 4.8.
Figure 4.8 The New Domain Name Dialog Box Used for Creating a
New Domain in a New Forest
10. In the NetBIOS Domain Name window, verify the NetBIOS name and
click Next as shown in Figure 4.9. The default name is generally the
best one to use.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 281
Working with Forests and Domains • Chapter 4
Figure 4.9 The NetBIOS Domain Name Dialog Box for dcpromo
11. In the Database and Log Folders window, type or browse to the location where you want the database and log folders. Click Next as shown
in Figure 4.10.
Figure 4.10 The Database and Log Folders Dialog Box for dcpromo
12. In the Shared System Volume window, type or browse to the location
where you want the SYSVOL folder. Click Next as shown in Figure 4.11.
www.syngress.com
281
256_70-294_04.qxd
282
9/4/03
4:28 PM
Page 282
Chapter 4 • Working with Forests and Domains
Figure 4.11 The Shared System Volume Dialog Box for dcpromo
13. In the DNS Registration Diagnostics window, verify an existing DNS
server to be authoritative for this new forest, or click Install and configure the DNS server on this computer, and set this computer to use
this DNS server as its preferred DNS server. Click Next as shown in
Figure 4.12.
Figure 4.12 The DNS Registration Diagnostics Window with No
Current DNS Server Available
14. In the Permissions window, you have two options: Permissions compatible with pre-Windows 2000 server operating systems and
Permissions compatible only with Windows 2000 or Windows
Server 2003 operating systems. Select one, and then click Next as
shown in Figure 4.13.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 283
Working with Forests and Domains • Chapter 4
Figure 4.13 The Permissions Dialog Box for dcpromo
15. In the Directory Services Restore Mode Administrator Password
window, input and confirm the password for the Directory Services
Restore Mode. Click Next as shown in Figure 4.14.
Figure 4.14 The Directory Services Restore Mode Administrator
Password Dialog Box for dcpromo
16. Read the Summary window. Click Next as shown in Figure 4.15. The
installation will continue for several minutes.
17. Restart your new DC.
18. Verify that the installation was successful. Open a command prompt
and enter the Net Share command. It should report the existence of
the Netlogon and SYSVOL shares. To verify that the DNS service locator
records for the new DC were successfully created, follow these steps:
www.syngress.com
283
256_70-294_04.qxd
284
9/4/03
4:28 PM
Page 284
Chapter 4 • Working with Forests and Domains
1. Click Start | Administrative Tools | DNS to start the DNS administrator console.
2. Expand the server name.
3. Expand Forward Lookup Zones.
4. Expand the domain.
5. Verify that the _msdcs, _sites, _tcp, and _udp folders are present
and contain records for your new DC. These service location records
are crucial to the operation of the DC. See Table 4.7 for a more
detailed description of the required records, and Figure 4.16 for a
view of the DNS administrator tool used to view them.
Figure 4.15 The Summary Window Describing the Forest Root
Figure 4.16 The DNS Administrator Tool Used to Verify a Successful
Forest-Root Installation
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 285
Working with Forests and Domains • Chapter 4
Creating a New Domain Tree in an Existing Forest
This will often be the second domain that you install, as shown in Figure 4.17.This type of
arrangement accommodates a forest comprised of two different company divisions, or two
companies within a larger corporation. Domains are used as boundaries for security and
administration.With the procedure in Exercise 4.06, you will simultaneously create your
first nonroot top-level domain, and the second tree in your forest. Note that a new bidirectional, transitive trust is automatically created with the forest root.
Figure 4.17 Creating a New Domain Tree in an Existing Forest
Dogs.com
itive
Trans st
Tru
Root
Domain
Top-Level
Domain
Fish.com
EXERCISE 4.06
CREATING A NEW DOMAIN TREE
IN AN
EXISTING FOREST
1. Log in as a local Administrator.
2. Click Start | Run.
3. Type dcpromo.
4. Click OK to start the Active Directory Installation Wizard.
5. In the Welcome to the Active Directory Installation Wizard window,
click Next.
6. In the Operating System Compatibility window, click Next.
7. In the Domain Controller Type window, click Domain controller for a
new domain | Next, as shown in Figure 4.18.
www.syngress.com
285
256_70-294_04.qxd
286
9/4/03
4:28 PM
Page 286
Chapter 4 • Working with Forests and Domains
Figure 4.18 The Domain ControllerType Dialog Box Used for a New
Domain Tree in an Existing Forest
8. In the Create New Domain window, click Domain in an existing
forest | Next, as shown in Figure 4.19.
Figure 4.19 The Create New Domain Dialog Box Used for a New
Domain Tree in an Existing Forest
9. In the Network Credentials window, type in the username, password,
and domain name of an Enterprise Administrator or Domain Admin in
the forest-root domain. Click Next.
10. In the New Domain Tree window, type the full DNS domain name for
the new domain, and click Next.
11. In the NetBIOS Domain Name window, verify the NetBIOS name and
click Next. The default name is generally the best one to use.
12. In the Database and Log Folders window, type or browse to the location where you want the database and log folders. Click Next.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 287
Working with Forests and Domains • Chapter 4
13. In the Shared System Volume window, type or browse to the location
where you want the SYSVOL folder. Click Next.
14. In the DNS Registration Diagnostics window, configure an existing
DNS server to be authoritative for this tree, or click Install and configure the DNS server on this computer, and set this computer to
use this DNS server as its preferred DNS server. Click Next, as shown
in Figure 4.20.
Figure 4.20 The DNS Registration Diagnostics Dialog Box Used for a
New Domain Tree in an Existing Forest
15. In the Permissions window you have two options: Permissions compatible with pre-Windows 2000 server operating systems and
Permissions compatible only with Windows 2000 or Windows
Server 2003 operating systems. Select one, and then click Next.
16. In the Directory Services Restore Mode Administrator Password
window, input and confirm the password for the Directory Services
Restore Mode. Click Next.
17. Read the Summary window. Click Next, as shown in Figure 4.21. The
installation will continue for several minutes.
18. Restart your new DC.
19. Verify that the installation was successful. Open a command prompt
and enter the Net Share command. It should report the existence of
the Netlogon and SYSVOL shares. To verify that the DNS service locator
records for the new DC were successfully created, follow these steps:
www.syngress.com
287
256_70-294_04.qxd
288
9/4/03
4:28 PM
Page 288
Chapter 4 • Working with Forests and Domains
Figure 4.21 The Summary Dialog Box Used for a New Domain Tree in
an Existing Forest
1. Click Start | Administrative Tools | DNS to start the DNS administrator console.
2. Expand the server name.
3. Expand Forward Lookup Zones.
4. Expand the domain.
5. Verify that the _msdcs, _sites, _tcp, and _udp folders are present
and contain records for your new DC. These service location records
are crucial to the operation of the DC. See Table 4.7 for a more
detailed description of the required records, and Figure 4.16 for a
view of the DNS administrator tool used to view them.
EXAM
70-294
OBJECTIVE
1.3.2
Creating a New Child Domain in an Existing Domain
This will often be the third domain that you install, as shown in Figure 4.22.This type of
arrangement accommodates a tree comprised of two different company groups, sometimes
in physically separate locations. Since domains are used as boundaries for security and
administration, there are many reasons for segregating a subgroup. If a group requires higher
or lower levels of security, or if a different group of administrators requires complete control, then a child domain is a good idea.With the procedure in Exercise 4.07, you will
create your first child domain within any existing tree of your forest. Note that a new bidirectional, transitive trust is automatically created with the parent domain, simultaneously
creating an implicit trust between the child domain and the forest-root. See the section
Establishing Trust Relationships later in this chapter for more information on the transitivity
and direction of trusts.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:28 PM
Page 289
Working with Forests and Domains • Chapter 4
Tra
n si
Tru tive
st
Figure 4.22 Creating a New Child Domain in an Existing Domain
Root
Domain
Dogs.com
Top-Level
Top-Level
Domain
Domain
Fish.com
Tra
nsi
Tru tive
st
Implicit
Trust
Domain
Cat.fish.com
EXERCISE 4.07
CREATING A NEW CHILD DOMAIN
IN AN
EXISTING DOMAIN
1. Log in as a local Administrator.
2. Click Start | Run.
3. Type dcpromo.
4. Click OK to start the Active Directory Installation Wizard.
5. In the Welcome to the Active Directory Installation Wizard window,
click Next.
6. In the Operating System Compatibility window, click Next.
7. In the Domain Controller Type window, click Domain controller for a
new domain | Next, as shown in Figure 4.23.
www.syngress.com
289
256_70-294_04.qxd
290
9/4/03
4:28 PM
Page 290
Chapter 4 • Working with Forests and Domains
Figure 4.23 The Domain ControllerType Dialog Box Used for a New
Child Domain in an Existing Domain
8. In the Create New Domain window, click Child Domain in an existing
domain tree | Next, as shown in Figure 4.24.
Figure 4.24 The Create New Domain Dialog Box Used for a New Child
Domain in an Existing Domain
9. In the Network Credentials window, type in the username, password,
and domain name of an Enterprise Administrator in the forest-root
domain, or a Domain Admin in the parent domain, and click Next.
10. In the Child Domain Installation window, verify the parent domain
and type the name of the new child domain. Click Next, as shown in
Figure 4.25.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 291
Working with Forests and Domains • Chapter 4
Figure 4.25 The Child Domain Installation Dialog Box Used for a New
Child Domain in an Existing Domain
11. In the NetBIOS Domain Name window, verify the NetBIOS name and
click Next. The default name is generally the best one to use.
12. In the Database and Log Folders window, type or browse to the location where you want the database and log folders. Click Next.
13. In the Shared System Volume window, type or browse to the location
where you want the SYSVOL folder. Click Next.
14. In the DNS Registration Diagnostics window, check to see if the DNS
settings are correct for the parent domain. Click Next, as shown in
Figure 4.26.
Figure 4.26 The DNS Registration Diagnostics Dialog Box Used for a
New Child Domain in an Existing Domain
15. In the Permissions window you have two options: Permissions compatible with pre-Windows 2000 server operating systems and
Permissions compatible only with Windows 2000 or Windows
Server 2003 operating systems. Select one, and then click Next.
www.syngress.com
291
256_70-294_04.qxd
292
9/4/03
4:29 PM
Page 292
Chapter 4 • Working with Forests and Domains
16. In the Directory Services Restore Mode Administrator Password
window, input and confirm the password for the Directory Services
Restore Mode. Click Next.
17. Read the Summary window. Click Next, as shown in Figure 4.27. The
installation will continue for several minutes.
Figure 4.27 The Summary Dialog Box for a New Child Domain in an
Existing Domain
18. Restart your new DC.
19. Verify that the installation was successful. Open a command prompt
and enter the Net Share command. It should report the existence of
the Netlogon and SYSVOL shares. To verify that the DNS service locator
records for the new DC were successfully created, follow these steps:
1. Click Start | Administrative Tools | DNS to start the DNS administrator console.
2. Expand the server name.
3. Expand Forward Lookup Zones.
4. Expand the domain.
5. Verify that the _msdcs, _sites, _tcp, and _udp folders are present
and contain records for your new DC. These service location records
are crucial to the operation of the DC. See Table 4.7 for more a
more detailed description of the required records, and Figure 4.16
for a view of the DNS administrator tool used to view them.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 293
Configuring & Implementing...
Working with Forests and Domains • Chapter 4
What If dcpromo Fails?
There are a few things to check for after a failure of the Active Directory Installation
Wizard. First, check the contents of the %SystemRoot%\Debug\Dcpromo.log file.
■
If the log file reports that The system cannot find the file specified,
then check for the presence of the %SystemRoot%\System32\Ntds.dit
file. This is a default directory services file on a member server. The way
to fix this is to expand Ntds.di_ from any server CD. Note that this file
should be in the System32 folder on a member server. Once you run a
successful dcpromo, the active Ntds.dit file will be in the folder you
specified during the promotion.
■
If you receive an Access is denied error, check for incorrect permissions
on the default Ntds.dit file, as well as on your new and existing NTDS
folders.
■
If SRV records fail to show up in the appropriate DNS zone, check first
to see if the new DC’s Primary DNS Server TCP/IP property is set to the
correct DNS server. If the DC is a DNS server, then this value should
point to itself.
Creating a New DC in an Existing Domain
This is the only situation where you will run the Active Directory Installation Wizard
without creating a new domain. See Exercise 4.08 for the necessary steps. Usually, you will
need to perform this procedure when your domain has grown to the point that it needs
additional DCs to spread the workload.
Using the Conventional Across-the-Network Method
In Windows 2000 Server, this is the standard method. Copying the Active Directory
database along with other state data over the network during DC promotion is now an
option in Windows Server 2003, as illustrated in Figure 4.28.The other option is to run
dcpromo with a backup file. Note that several wizard choices are missing from this procedure in comparison to the earlier ones because you are not creating a new domain, and that
different windows appear based on your use of the /ADV option.The /ADV switch with
dcpromo is required for promoting from a backup file, but is optional in the across-the-network method.
www.syngress.com
293
256_70-294_04.qxd
294
9/4/03
4:29 PM
Page 294
Chapter 4 • Working with Forests and Domains
Figure 4.28 Using the Conventional Across-the-Network Method
DC2
DC1
Network
Domain
EXERCISE 4.08
CREATING A NEW DOMAIN
CONTROLLER IN AN EXISTING DOMAIN USING THE
CONVENTIONAL ACROSS-THE-NETWORK METHOD
1. Log in as a local Administrator.
2. Click Start | Run.
3. Type dcpromo /adv.
4. Click OK to start the Active Directory Installation Wizard.
5. In the Welcome to the Active Directory Installation Wizard window,
click Next.
6. In the Operating System Compatibility window, click Next.
7. In the Domain Controller Type window, click Additional domain controller for an existing domain | Next, as shown in Figure 4.29.
Figure 4.29 The Domain Controller Type Dialog Box Used for a New
DC in an Existing Domain
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 295
Working with Forests and Domains • Chapter 4
8. In the Copying Domain Information window, click Over the network
| Next, as shown in Figure 4.30.
Figure 4.30 The Copying Domain Information Dialog Box Used for
the Across-the-Network Method
9. In the Network Credentials window, type in the username, password,
and domain name of an Enterprise Administrator in the forest-root
domain, or a Domain Admin in the parent domain, and click Next.
10. In the Additional Domain Controller window, type in or browse to the
top-level domain name where you are adding the new DC, and click
Next, as shown in Figure 4.31.
Figure 4.31 The Additional Domain Controller Dialog Box
Browse Option
11. In the Database and Log Folders window, type or browse to the location where you want the database and log folders. Click Next.
www.syngress.com
295
256_70-294_04.qxd
296
9/4/03
4:29 PM
Page 296
Chapter 4 • Working with Forests and Domains
12. In the Shared System Volume window, type or browse to the location
where you want the SYSVOL folder. Click Next.
13. In the Directory Services Restore Mode Administrator Password
window, input and confirm the password for the Directory Services
Restore Mode. Click Next.
14. Read the Summary window. Click Next, as shown in Figure 4.32. The
installation will continue for several minutes.
Figure 4.32 The Summary Dialog Box Used for an Additional DC in an
Existing Domain
15. Restart your new DC.
16. Verify that the installation was successful. Open a command prompt
and enter the Net Share command. It should report the existence of
the Netlogon and SYSVOL shares. To verify that the DNS service locator
records for the new DC were successfully created, follow these steps:
1. Click Start | Administrative Tools | DNS to start the DNS administrator console.
2. Expand the server name.
3. Expand Forward Lookup Zones.
4. Expand the domain.
5. Verify that the _msdcs, _sites, _tcp, and _udp folders are present
and contain records for your new DC. These service location records
are crucial to the operation of the DC. See Table 4.7 for a more
detailed description of the required records, and Figure 4.16 for a
view of the DNS administrator tool used to view them.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 297
Working with Forests and Domains • Chapter 4
Using the New System State Backup Method
Windows 2000 only offered two choices when deploying DCs and GC servers for remote
sites, and neither choice was ideal for many companies.The first choice was to build the
server at the home office where it could replicate over the LAN, and ship it to the remote
location.This worked, as long as you got the new server online within the 60-day tombstone lifetime. If you didn’t, the DC or GC could reanimate previously deleted Active
Directory objects, including user accounts.
The second choice was to promote the server at the remote location and hope that
replication would finish before users needed to use your WAN bandwidth for something
else—like logging on to the domain. Replication can take days over a slow link, depending
on the size of your directory and the available bandwidth.The tombstone problem still
exists, but it is easier to ship new backup media from the main office than it is to ship an
entire server.
Figure 4.33 Using the New System State Backup Method
DC1
DC2
DLT Tape
Domain
This final DC installation procedure covers the new method of installing the Active
Directory database on your new DC from backups, as illustrated in Figure 4.33.You should
use a healthy Windows Server 2003 DC as the source of the system state, and DNS should
be working before you begin. Exercise 4.09 is an advanced procedure, and assumes certain
skills such as installing Windows Server 2003 as a member server, the use of Windows
Backup, and general Windows administrative abilities.You should also test this procedure in
a lab environment before trying it on an operational network. In addition, Exercise 4.09
will show you how to use an answer file to automate the promotion process, making this the
optimal procedure for unattended installations. Figure 4.34 shows a sample answer file.The
/ADV switch with dcpromo is only necessary for promoting from a backup file.
www.syngress.com
297
256_70-294_04.qxd
298
9/4/03
4:29 PM
Page 298
Chapter 4 • Working with Forests and Domains
EXERCISE 4.09
CREATING A NEW DOMAIN CONTROLLER IN AN EXISTING
DOMAIN USING THE NEW SYSTEM STATE BACKUP METHOD
Steps 1 through 3 walk you through taking the snapshot.
1. Log in as a local Administrator on the healthy DC.
2. Create a directory called C:\Backup. If the folder already exists, remove
any files that it contains.
3. Using Windows Backup, save the system state. It is a good practice to
name the file after your source DC, giving it a .bkf extension.
You now must transport the file. Use the backup media of your choice,
ensuring your ability to perform the restore at the other end. Remember that
the backup file can be many GBs in size. If you choose to use the network to
transport the file, you can perform the restore and the copy at the same time
using the following steps. There are various ways to accomplish this. If you
choose to use a third-party backup program to transport the file on physical
media such as DLT tape, CD, or DVD, you will still need to use Windows
Backup at the other end to extract the data from the backup file. Adjust the
procedure to your preferences.
4. Log on as a local Administrator on the member server that you want to
promote, and create a shared folder called C:\Restore. It might be on
your LAN or across a WAN at this point, so you might need a helping
hand at the other end.
5. Back at the DC, map a drive to the shared folder created previously if
you choose to copy the file over the network.
6. You have two options, depending on your choice of transport. If you
are copying the file across the network, use the Restore Wizard within
Windows Backup from the existing DC to restore the domaincontrollername.bkf file to the shared folder in the member server. If you
have created physical media for transport, use the Restore Wizard
directly on the member sever using the local physical media.
NOTE
Within Windows Backup, select the System State as the file to restore. Most
importantly, select Advanced Options and specify the mapped drive as the destination if you are restoring from the source machine. If you don’t, it will assume
the file’s original location and you will revert your DC to the state it was in at the
time of the backup.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 299
Working with Forests and Domains • Chapter 4
7. Create a file on the member server containing the following settings.
For the exercise, we call this file DCUnattend.txt. Examine the options
in Figure 4.34. They allow for unattended Active Directory installations
in other configurations such as directly across the network from an
established DC. Remember to rename the member server before promoting it, or you will be faced with the opportunity to perform a
domain controller rename procedure, which is another new feature of
Windows Server 2003.
Figure 4.34 Sample DCUnattend.txt File
[Unattended]
Unattendmode=fullunattended
[DCINSTALL]
UserName=(domain or Enterprise admin account)
Password=(password)
UserDomain=(domain of the user account)
DatabasePath=c:\Windows\ntds
LogPath=c:\Windows\ntds
SYSVOLPath=c:\Windows\sysvol
SafeModeAdminPassword
CriticalReplicationOnly
SiteName=
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=(domain name, not including any server name)
ReplicationSourceDC=
ReplicateFromMedia=yes
ReplicationSourcePath=c:\NTDSrestore
RebootOnSuccess=yes
NOTE
Coordinate with your computer security department if necessary, since the username and password of an administrator account will be hard coded into the
answer file. You might have local regulations prohibiting this. Microsoft has provided a risk mitigation method of automatically erasing the password from the file
as soon as it is used. If you want to run the answer file again, you must edit the
file and re-enter the password. One way around this is to delegate permission for
this operation to a regular domain user account and use that account within the
answer file, although other security issues have to be considered in that case.
www.syngress.com
299
256_70-294_04.qxd
300
9/4/03
4:29 PM
Page 300
Chapter 4 • Working with Forests and Domains
8. Open a command prompt and type the following command: Dcpromo
/adv /answer:C:\DCUnattend.txt. After it is complete, the system will
reboot. If dcpromo stops and asks for information, then some information was missing from the answer file.
9. Verify that the installation was successful. Open a command prompt
and enter the Net Share command. It should report the existence of
the Netlogon and SYSVOL shares. To verify that the DNS service locator
records for the new DC were successfully created, follow these steps:
1. Click Start | Administrative Tools | DNS to start the DNS administrator console.
2. Expand the server name.
3. Expand Forward Lookup Zones.
4. Expand the domain.
5. Verify that the _msdcs, _sites, _tcp, and _udp folders are present
and contain records for your new DC. These service location records
are crucial to the operation of the DC. See Table 4.7 for a more
detailed description.
Assigning and Transferring Master Roles
In Windows NT 4.0, the domain had only one authoritative source for domain-related
information, the PDC.With the implementation of Active Directory came the multi-master
model, where objects and their properties can be modified on any DC and become authoritative through replication conflict resolution measures.This scalability effort came with a
price in complexity, and Active Directory FSMO roles were designed.The problem with
the multi-master architecture is that some domain and enterprisewide operations are not
well suited for it.The best design placed those functions on a single DC within the domain
or forest.
The advantage of a single-master model is that conflicts cannot be introduced while
the Operations Master is offline.The alternative involves resolving conflicts later, with possibly negative results.The disadvantage is that all Operations Masters must be available at all
times to support all dependant activities within the domain or forest.The Active Directory
supports five operational master roles: the Schema Master, Domain Master, RID Master,
PDC Emulator, and the Infrastructure Master.Two of these operate at the forest level only,
the Schema Master and the Domain Naming Master. Conversely, the RID Master, PDC
Emulator, and Infrastructure Master operate at the domain level.To examine this role relationship between master roles and the required authorization for administering them in the
forest and domains, refer to Table 4.5. Additionally, since it is often important for you to be
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 301
Working with Forests and Domains • Chapter 4
aware of mixing certain operational master roles with the GC function, use Exercise 4.21 to
view the GC status of any DC. Most importantly, ensure that your Infrastructure Master
never coexists with a GC.
■
Schema Master:To update the schema of a forest, you must have access to the
Schema Master DC, which controls all schema updates and modifications.There
can be only one Schema Master in the forest.
■
Domain Naming Master: The Domain Naming Master DC controls the addition or removal of domains in the forest as well as adding and removing any
cross-references to domains in external LDAP directories.There can be only one
Domain Naming Master in the forest.
■
Infrastructure Master: The Infrastructure Master is responsible for updating references from objects in the local domain to objects in other domains.There can
be only one Infrastructure Master DC in each domain.
■
Relative ID (RID) Master: The RID Master processes RID pool requests from
all DCs in the local domain.These relative identifiers are the unique part of the
SID, which is a security identifier used to uniquely identify objects and group
memberships.There can be only one RID Master DC in each domain.
■
PDC: The PDC Emulator is a DC that advertises itself as the PDC to workstations, member servers, and BDCs running Windows NT. It is also the Domain
Master Browser, and handles Active Directory password collisions, or discrepancies.There can be only one PDC Emulator in each domain.
Table 4.5 Valid Authorization Levels for Viewing, Transferring, and Seizing
Operations Master Roles
Domain Admin- Enterprise
Domain Admin- istrator on the Administrator
istrator on the Forest-Root
Local Domain
Domain
Role
Task
Schema Master
Viewing, transferring, or seizing
Viewing, transferring, or seizing
Viewing, trans
-ferring, or seizing
Viewing, transferring, or seizing
Viewing, transferring, or seizing
Domain Naming
Master
Infrastructure
Master
RID Master
PDC Emulator
X (Plus Schema
Admins membership)
X
X
X
X
X
X
X
X
X
www.syngress.com
301
256_70-294_04.qxd
302
9/4/03
4:29 PM
Page 302
Chapter 4 • Working with Forests and Domains
The forest level, therefore, has five roles—one of each. Each domain added after the forest
root domain has three additional masters.With that information, we can determine the
number of operations master servers required in a given forest with the following formula:
((Number of domains * 3)+2)
Given the formula, we can determine that the forest depicted in Figure 4.22, with three
domains, needs a maximum of 11 server platforms to support the 11 FSMO roles (3*3=9,
and 9+2=11), unless you assign multiple roles to a single DC. Often, small domains, empty
root domains, or best practices will make combining several of these roles onto a single DC
desirable. In the example shown in Figure 4.22, the following roles exist:
■
One Schema Master in Dogs.com.
■
One Domain Naming Master in Dogs.com
■
Three PDC Emulators (one each in Dogs.com, Fish.com, and Cat.fish.com)
■
Three RID Masters (one each in Dogs.com, Fish.com, and Cat.fish.com)
■
Three Infrastructure Masters (one each in Dogs.com, Fish.com, and Cat.fish.com)
The first DC that you install in the forest root will automatically host all five roles.The
first DC that you install in any additional domains will automatically host the three roles of
PDC Emulator, RID Master, and Infrastructure Master.
EXAM WARNING
Remember that in a Windows 2000 mixed-mode domain or forest, or in a
Windows Server 2003 interim-level domain or forest, Windows NT 4.0 DCs cannot
host FSMO roles.
You can use the ntdsutil.exe command-line utility to transfer FSMO roles, or you can
use an MMC snap-in tool. Depending on which role you want to transfer, you can use one
of the following three MMC snap-in tools:
■
Active Directory Schema snap-in (Schema Master role)
■
Active Directory Domains and Trusts snap-in (Domain Naming Master role)
■
Active Directory Users and Computers snap-in (RID Master, Infrastructure
Master, and PDC Emulator roles)
To seize a role, you must use the ntdsutil utility. If a computer cannot be contacted due
to a hardware malfunction or long-term network failure, the role must be seized.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 303
Working with Forests and Domains • Chapter 4
NOTE
The Microsoft recommendation is that you perform any seizing procedure from the
DC that is taking the FSMO roles. All five roles should be in the forest for full functionality. Seize a role only when the other DC that hosted it is not returning to the
domain; otherwise, fix the broken DC and transfer the roles instead of seizing
them. If the role is functional, ntdsutil.exe defaults back to a transfer, aborting the
seizure attempt.
Locating,Transferring, and Seizing the Schema Master Role
The DC that hosts the Schema Master role controls each update or modification to the
schema.You must have access to the Schema Master to update the schema of a forest.
NOTE
You must be a member of the Schema Admins group to perform this operation.
The Enterprise Administrator account is automatically a member of this group.
Refer to Exercise 4.10 for instructions on how to identify the DC that is performing
the Schema Master operation role for your forest using the command line or the GUI.
Refer to Exercise 4.11 for instructions on how to transfer the Schema Master operations
role for your forest to a different DC, and Exercise 4.08 for steps to seize the role to
another DC in case of a failure.
Temporary loss of the Schema Master is not noticeable to domain users. Enterprise and
domain administrators will not notice the loss either, unless they are trying to install an
application that modifies the schema during installation or trying to modify the schema
themselves.You should seize the schema FSMO role to the standby operations master only
if your old Schema master will be down permanently.
EXERCISE 4.10
LOCATING THE SCHEMA OPERATIONS MASTER
1. Log on as an Enterprise Administrator in the forest you are checking.
2. Click Start | Run.
3. Type regsvr32 schmmgmt.dll in the Open box, and click OK. This registers the Schmmgmt.dll.
4. Click OK in the dialog box showing that the operation succeeded.
5. Click Start | Run, type mmc, and then click OK.
www.syngress.com
303
256_70-294_04.qxd
304
9/4/03
4:29 PM
Page 304
Chapter 4 • Working with Forests and Domains
6. On the menu bar, click File | Add/Remove Snap-in, click Add, doubleclick Active Directory Schema, click Close, and then click OK.
7. Expand and then right-click Active Directory Schema in the top left
pane, and then select Operations Masters to view the server holding
the Schema Master role as shown in Figure 4.35.
Figure 4.35 Locating the Schema Operations Master
EXERCISE 4.11
TRANSFERRING THE SCHEMA OPERATIONS MASTER ROLE
1. Log on as an Enterprise Administrator in the forest where you want to
transfer the Schema Master role.
2. Click Start | Run.
3. Type regsvr32 schmmgmt.dll in the Open box, and then click OK. This
registers the Schmmgmt.dll.
4. Click OK in the dialog box showing that the operation succeeded.
5. Click Start | Run, type mmc, and then click OK.
6. On the menu bar, click File | Add/Remove Snap-in, click Add, doubleclick Active Directory Schema, click Close, and then click OK.
7. Right-click Active Directory Schema in the top left pane, and then
click Change Domain Controller.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 305
Working with Forests and Domains • Chapter 4
8. Click Specify Name as shown in Figure 4.36, type the name of the DC
that will be the new role holder, and then click OK.
Figure 4.36 Transferring the Schema Operations Master Role
9. Right-click Active Directory Schema again, and then click Operations
Master.
10. Click Change.
11. Click OK to confirm that you want to transfer the role, and then click
Close.
Locating,Transferring, and Seizing the Domain Naming Master Role
The Domain Naming Master DC controls the addition or removal of domains in the
forest, AND adding and removing any cross-references to domains in external LDAP directories.There can be only one Domain Naming Master in the forest.
Refer to Exercise 4.12 for instructions on how to identify the DC that is performing the
Domain Naming Master operation role for your forest. Refer to Exercise 4.13 for instructions
on how to transfer the Domain Naming Master operations role for your forest to a different
DC, and Exercise 4.16 for steps to seize the role to another DC in case of a failure.
EXAM WARNING
Remember that in a Windows 2000 or Windows 2000 functional-level forest, the
Domain Naming Master must also be a GC server. After the upgrade to the
Windows Server 2003 forest functional level, that restriction is lifted and you can
then separate the two functions.
www.syngress.com
305
256_70-294_04.qxd
306
9/4/03
4:29 PM
Page 306
Chapter 4 • Working with Forests and Domains
Windows Server 2003 Domain Naming Masters are no longer required to
host the GC.
EXERCISE 4.12
LOCATING THE DOMAIN NAMING OPERATIONS MASTER
1. Log on as an Enterprise Administrator in the forest you are checking.
2. Click Start | Run, type: mmc, and then click OK.
3. On the menu bar, click File | Add/Remove Snap-in, click Add, doubleclick Active Directory Domains and Trusts, click Close, and then click
OK.
4. Right-click Active Directory Domains and Trusts in the top left pane,
and then click Operations Masters to view the server holding the
domain naming master role as shown in Figure 4.37.
Figure 4.37 Locating the Domain Naming Operations Master
EXERCISE 4.13
TRANSFERRING THE
DOMAIN NAMING MASTER ROLE
1. Click Start | Administrative Tools | Active Directory Domains and
Trusts.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 307
Working with Forests and Domains • Chapter 4
2. Right-click Active Directory Domains and Trusts, and click Connect to
Domain Controller, unless you are already on the DC to which you are
transferring to the role. In the Enter the name of another domain
controller window, type the name of the DC that will be the new role
holder, and then click OK. Optionally, in the Or, select an available
domain controller list, click the DC that will be the new role holder,
and click OK. See Figure 4.38.
Figure 4.38 Connecting to a New DC
3. In the console tree, right-click Active Directory Domains and Trusts,
and then select Operations Master as shown in Figure 4.39.
Figure 4.39 Transferring the Domain Naming Master Role
4. Click Change.
www.syngress.com
307
256_70-294_04.qxd
308
9/4/03
4:29 PM
Page 308
Chapter 4 • Working with Forests and Domains
5. Click OK for confirmation, and click Close.
Locating,Transferring, and Seizing the
Infrastructure, RID, and PDC Operations Master Roles
The Infrastructure Master is responsible for updating references from objects in the local
domain to objects in other domains.There can be only one Infrastructure Master DC in
each domain.The RID Master processes Relative ID (RID) pool requests from all DCs in
the local domain.There can be only one RID Master DC in each domain.The PDC
Emulator is a DC that advertises itself as the PDC to workstations, member servers, and
BDCs running Windows NT. It is also the Domain Master Browser, and handles Active
Directory password collisions, or discrepancies.There can be only one PDC Emulator in
each domain.
Refer to Exercise 4.14 for instructions on how to identify the DCs that are performing
the FSMO roles for your forest using the Active Directory Users and Computers GUI
interface. Refer to Exercise 4.15 for instructions on how to transfer the Infrastructure, RID,
and PDC Master operations roles for your forest to different DCs, and Exercise 4.16 for
instructions on how to seize the roles to other DCs in case of a failure.
EXERCISE 4.14
LOCATING THE INFRASTRUCTURE,
RID, AND PDC OPERATIONS MASTERS
1. Log on as an Enterprise Administrator in the forest you are checking.
2. Click Start | Run, type dsa.msc, and click OK. This is an alternate
method for opening the Active Directory Users and Computers
administrative tool.
3. Right-click the selected Domain Object in the top left pane, and then
click Operations Masters.
4. Click the Infrastructure tab to view the server holding the
Infrastructure Master role.
5. Click the RID tab to view the server holding the RID Master role.
6. Click the PDC tab to view the server holding the PDC Master role.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 309
Working with Forests and Domains • Chapter 4
EXERCISE 4.15
TRANSFERRING THE INFRASTRUCTURE,
RID, AND PDC MASTER ROLES
1. Click Start | Administrative Tools | Active Directory Users and
Computers.
2. Right-click Active Directory Users and Computers, and click Connect
to Domain Controller unless you are already on the DC you are transferring to. In the Enter the name of another domain controller
window, type the name of the DC that will be the new role holder, and
then click OK; or in the Or, select an available domain controller list,
click the DC that will be the new role holder, and click OK.
3. In the console tree, right-click Active Directory Users and Computers,
and click All Tasks | Operations Master.
4. Take the appropriate action below for the role you want to transfer.
5. Click the Infrastructure tab, and click Change.
6. Click the RID tab, and click Change as shown in the example in
Figure 4.40.
7. Click the PDC tab, and click Change.
Figure 4.40 Transferring the RID Master Role
8. Click OK for confirmation, and click Close.
www.syngress.com
309
256_70-294_04.qxd
310
9/4/03
4:29 PM
Page 310
Chapter 4 • Working with Forests and Domains
EXERCISE 4.16
SEIZING THE FSMO MASTER ROLES
1. Log on to any working DC.
2. Click Start | Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and press Enter.
4. In ntdsutil, type ? at any prompt to see a list of available commands,
and press Enter.
5. Type connections, and press Enter.
6. Type connect to server servername, where servername is the name of
the server that will receive the role, and press Enter.
7. At the server connections: prompt, type q, and press Enter.
8. Type the appropriate seizing command as shown next. See the example
in Figure 4.41. If the FSMO role is available, ntdsutil.exe will perform a
transfer instead. Respond to the Role Seizure Confirmation Dialog box
as shown in Figure 4.42.
seize Schema master
seize domain naming master
seize Infrastructure master
seize RID master
seize PDC
Figure 4.41 Seizing the PDC Master Role
D:\WINDOWS\system32\ntdsutil.exe: roles
fsmo maintenance: connections
server connections: connect to server DC4
Binding to DC4 ...
Connected to DC4 using credentials of locally logged on user.
server connections: q
fsmo maintenance: seize PDC
Attempting safe transfer of PDC FSMO before seizure.
FSMO transferred successfully - seizure not required.
Server "DC4" knows about 5 roles
Schema - CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-SiteName,CN=Sites,
CN=Configuration,DC=Dogs,DC=com
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 311
Working with Forests and Domains • Chapter 4
Domain - CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-SiteName,CN=Sites,
CN=Configuration,DC=Dogs,DC=com
PDC - CN=NTDS Settings,CN=DC4,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=
Configuration,DC=Dogs,DC=com
RID - CN=NTDS Settings,CN=DC4,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=
Configuration,DC=Dogs,DC=com
Infrastructure - CN=NTDS Settings,CN=DC4,CN=Servers,CN=Default-First-SiteName,C
N=Sites,CN=Configuration,DC=Dogs,DC=com
fsmo maintenance:q
Figure 4.42 Seizing the Schema Operations Master Role
9. After you seize the role, type q, and then press Enter repeatedly until
you quit the Ntdsutil tool.
Placing the FSMO Roles
It is a good idea to place the RID and PDC Emulator roles on the same DC. Down-level
clients and applications target the PDC, making it a large consumer of RIDs. Good communication between these two roles is important. If performance demands it, place the
RID and PDC Emulator roles on separate DCs, but make sure they stay in the same site
and that they are direct replication partners with each other.
www.syngress.com
311
256_70-294_04.qxd
312
9/4/03
4:29 PM
Page 312
Chapter 4 • Working with Forests and Domains
As previously stated, you should place the Infrastructure Master on a non-GC server to
maintain proper replication. Additionally, ensure that the Infrastructure Master has a direct
connection object to a GC server somewhere in the forest, preferably in the same site.
There are two exceptions to this rule:
■
Single domain forest If your forest contains only one Active Directory domain,
then there can be no phantoms.The Infrastructure Master has no functionality in
a single domain forest. In that case, you can place the Infrastructure Master
on any DC.
■
Multidomain forest where every DC holds the GC Again, there can be no
phantoms if every DC in the domain hosts a GC.There is no work for the
Infrastructure Master to perform. In that case, you can place the Infrastructure
Master on any DC.
Considering the forest level, the Schema Master and Domain Naming Master roles are
rarely used and should be tightly controlled. For that reason, you can place them on the
same DC. Another Microsoft-recommended practice is to place the Domain Naming
Master FSMO on a GC server.Taking all of these practices together, a Microsoft-recommended best-practice empty root domain design would consist of two DCs with the following FSMO/GC placement:
■
■
DC 1:
■
Schema Master
■
Domain Naming Master
■
GC
DC 2:
■
RID Master
■
PDC Emulator
■
Infrastructure Master
This preferred design remains valid until performance degradation forces you to separate
the roles. Consider upgrading the hardware instead, or adding additional GCs, since the recommended configuration is the most efficient. For extremely large forests, install additional
DCs and separate roles as needed. For these reasons and more, you need to be able to locate
and assess your GC placement in relation to your FSMO roles. Here is how you find GCs:
1. Log on to any working DC.
2. Click Start | Programs | Administrative Tools | Active Directory Sites
and Services.
3. Double-click Sites in the left console pane, and browse to the appropriate site, or
click Default-first-site-name if no other sites are available.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 313
Working with Forests and Domains • Chapter 4
4. Expand the Servers folder, and click the name of the DC that you want to
check.
5. In the DC’s folder, double-click NTDS Settings.
6. Click Action | Properties.
7. On the General tab, locate the Global Catalog check box to see if it is selected
as shown in Figure 4.43.
Figure 4.43 Locating the Global Catalog Function
EXAM
70-294
OBJECTIVE
1.3.3
Using Application Directory Partitions
The Active Directory contains several partitions for the storage of object data.These directory partitions, also called naming contexts, are contiguous Active Directory subtrees that are
replicated across DCs. As a minimum, each DC contains a replica of three partitions: the
schema partition, the configuration partition, and the domain partition in addition to any
application directory partitions that you might choose to create. An instance of an application directory partition on another DC is called a replica.
The default security descriptor for objects in the application directory partition is
defined by an attribute called the security descriptor reference domain. By default, this attribute
is the parent domain of the application directory partition. If the partition is a child of
another application directory partition, the default security descriptor reference domain is
the security descriptor reference domain of its parent. If it has no parent, the forest root
domain becomes the default security descriptor reference domain.This attribute can be
modified as shown in Exercise 4.17.
www.syngress.com
313
256_70-294_04.qxd
314
9/4/03
4:29 PM
Page 314
Chapter 4 • Working with Forests and Domains
EXAM WARNING
Some important points to remember about application directory partitions:
Ntdsutil.exe is the tool that you use to administer application directory partitions.
Two common uses of application directory partitions are TAPI
([Telephony]) and DNS.
An application directory partition does not have a NetBIOS name.
GPOs cannot reference application directory partitions.
■
■
■
■
Exercise 4.17 covers the basic procedures related to the use of application directory
partitions.
EXERCISE 4.17
ADMINISTERING APPLICATION DIRECTORY PARTITIONS
1. Log on as an Enterprise Administrator.
2. Click Start | Run, type ntdsutil, and click OK.
3. At the ntdsutil command prompt, type domain management.
4. At the domain management command prompt, type connection.
5. At the connection command prompt, type connect to server servername, where servername represents the DNS name of the DC where
you want to create the application directory partition.
6. At the connection command prompt, type quit.
7. At the domain management command prompt, consult the following
list of commands for the function you want to perform:
■
Create an application directory partition: use the command create
nc application_directory_partition domain_controller
■
Delete an application directory partition: use the command delete
nc application_directory_partition
■
Add an application directory partition replica: use the command
add nc replica application_directory_partition domain_controller
■
Remove an application directory partition replica: use the command
remove nc replica application_directory_partition
■
Display application directory partition information: use the command list
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 315
Working with Forests and Domains • Chapter 4
Add an application directory partition replica: use the command set
nc reference domain application_directory_partition
domain_controller
In this context, application_directory_partition is the DN of the
application directory partition that you want to operate on, and
domain_controller is the DNS name of the DC where you want to perform the operation. If you are operating on the DC that you connected
to in step 5, use “NULL” as the domain_controller parameter.
■
8. Enter q until ntdsutil exits.
NOTE
If you remove the last replica of an application directory partition, you might permanently lose the data in that partition. Before you delete the last copy of a particular partition, make sure it is no longer needed.
Establishing Trust Relationships
As the name implies, trusts are all about sharing information. For security purposes, you
should carefully consider your reasons before creating a new trust relationship, as well as
knowing which type of trust to implement. In Active Directory, a shortcut trust doesn’t add
more trust; rather, it can make the trusts you already have more efficient. External trusts are
a concept left over from Windows NT, but are still necessary for sharing resources with a
Windows NT domain or any other Windows domain outside your forest. A realm trust
allows cross-platform interoperability with non-Windows Kerberos V5 (version 5) realms,
such as those commonly used with UNIX systems. Finally, you should consider the new
Windows Server 2003 forest trust as discussed earlier in the chapter. As you can see, trusts
are varied in properties and purposes.The most important concepts to understand about
trusts before you create them are direction and transitivity. Always be aware of the extent of
any internal access that you grant to external users.
Direction and Transitivity
As the name implies, trusts are predetermined avenues of access to forest resources. It is like
giving someone a key to your house and hoping that he or she won’t misuse your trust.
DCs do the authenticating, but not all DCs necessarily trust each other.That’s where you
come in, setting the relationships between domains that govern the flow of information.
Two primary attributes of trusts are direction and transitivity.The direction of trust flows
from the trusting domain to the trusted domain as shown by the arrow in Figure 4.44.
www.syngress.com
315
256_70-294_04.qxd
316
9/4/03
4:29 PM
Page 316
Chapter 4 • Working with Forests and Domains
Cats.com trusts Dogs.com.The direction of access is always in the opposite direction;
Dogs.com accesses resources in Cats.com.This is a one-way trust. Likewise, Dogs.com trusts
Fish.com, but does not trust Cats.com.Two one-way trusts can combine to simulate a
single two-way trust.
Figure 4.44 The Nontransitive Trust
Dogs.com
tive
nsi t
a
r
s
nt
No Tru
No
Root
ntr
an
Tru sitive
st
Domain
Fish.com
Cats.com
Domain
Trust
Domain
The second attribute of the trust is transitivity, or a measure of how far the trust
extends. A nontransitive trust has limits.The trusted domain, and only the trusted domain, can
access resources through the trust to the trusting domain. As shown in Figure 4.44, if the
Dogs.com domain has trusts to other domains such as Fish.com, those other domains are
barred from access to Cats.com unless they have a nontransitive trust of their own.The
absence of the third leg of the trust breaks the circle of access.This is the behavior of all
trusts in Windows NT.
Conversely, transitive trusts, like the ones shown in Figure 4.45, are the skeleton keys of
access. Anyone on the trusted side of the trust relationship can enter, including anyone
trusted by the trusted domain.When a user or process requests access to a resource in
another domain, a series of hand-offs occurs within the authentication process down the
trust path as shown in Figure 4.45.When Cats.com trusts Dogs.com, they must trust all
Dogs.com child domains equally at the level of the trust.There are two types of trusts in
Figure 4.45, parent and child and tree-root. All trusts shown are bidirectional and transitive, as
they are by default in Windows Server 2003. Calico.cats.com has a trust relationship with
Yellow.labs.dogs.com because of the trust path that extends through all three intervening
domains. If Calico.cats.com has no reason to trust Yellow.labs.dogs.com, then the cats must
apply permissions to limit or block the access.
TEST DAY TIP
Remember that default Windows Server 2003 trust relationships are friendly. The
default and most common trusts in Active Directory, which are parent and child
and tree-root trusts, are both bidirectional and transitive, meaning that the trust
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 317
Working with Forests and Domains • Chapter 4
path extends throughout the entire forest. You can remember this type of transitive trust with the old saying, “Any friend of yours is a friend of mine.”
Other types of Windows Server 2003 trusts exist, such as forest, shortcut,
external, and realm, each of which can be bidirectional or unidirectional and
have different transitivity properties. One of the first things you should do
when you sit down at the testing station is to write down the trusts and their
properties on your scratch paper. Do this before starting the test so as not to
waste valuable time.
Figure 4.45 The Transitive Trust
e
sitiv
Tran usts
Tr
Root
Domain
Dogs.com
Cats.com
Domain
Child
Domain
Labs.dogs.com
Trust
Child
Domain
Calico.cats.com
Child
Domain
Yellow.labs.dogs.com
Types of Trusts
A trust is a logical authentication path between two domains. A trust path is the number of
trusts that must be traversed between the source and destination of a resource request.Two
trusts, tree-root and parent and child, are created by default when running the Active Directory
Installation Wizard.The other four trusts—shortcut, external, realm, and forest—can be created
as needed with the New Trust Wizard or the Netdom.exe command-line tool.
When creating those four trusts, you have the option of creating two one-way relationships, simulating bidirectional capabilities. As with any use of passwords, it is a security best
practice to use long, random, and complex passwords in the establishment of trusts.The best
option is to use the New Trust Wizard to create both sides simultaneously, in which case
the wizard generates a strong password for you. Naturally, you must have the appropriate
administrative credentials in both domains for this to work.
www.syngress.com
317
256_70-294_04.qxd
318
9/4/03
4:29 PM
Page 318
Chapter 4 • Working with Forests and Domains
NOTE
See Chapter 5, “Working with Trusts and Organizational Units,” for more detailed
information on the different types of trusts.
Restructuring the Forest and Renaming Domains
In Windows Server 2003, you can rename domains in an Active Directory forest after the
forest structure is in place.This was not true in the Windows 2000 Server family.You build
your Active Directory forest structure one domain at a time, and the resulting relationships
are the result of the order in which you create them and the DNS names you assign.
Renaming domains allows you to change the forest structure. For example, you can raise a
child domain to be a new tree-root domain, or lower a top-level domain to child status in
another tree. In each case, you rename an existing domain to create a different forest structure. In cases where restructuring is not your goal, you can rename domains without
affecting the trust relationships between domains. For example, you do not create a different
domain-tree structure if you rename a root domain, although the names of all child
domains below it are also changed.
This is a complex and sweeping modification to the namespace of one or more
domains. During the domain rename procedure, you can change DNS and NetBIOS
names, but the true identity of a domain lies in its domain GUID and its domain SID.
Creating new DNS or NetBIOS names will leave those attributes unchanged.
WARNING
The renaming process will temporarily interrupt the functionality of the domain
and its interaction with the forest, until the DCs are rebooted. Client workstations
will not function properly until they are each rebooted twice. Due to the complexity of the operation, the risks of such a sweeping change, and the unavoidable
domain and workstation service interruptions, do not consider domain renaming
as a routine operation.
Domain Rename Limitations
Windows NT 4.0 had no supported method for domain renaming, other than a complete
rebuild of the new domain.The best option that Windows 2000 offers is only the first half of
the solution—you still have to create a new domain from scratch. Microsoft released a support
tool called the Active Directory Object Manager that can migrate users, computers, and
groups into the new empty domain structure.Windows Server 2003 now supports the full
solution. However, even with the new restructuring capability, certain types of structural
changes are not supported, and many forests cannot be renamed due to limitations of the prowww.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 319
Working with Forests and Domains • Chapter 4
cedure.These limitations include the presence of Exchange 2000. Other problematic issues
arise, such as the failure of enterprise certificates with certain types of embedded pointers, and
network saturation due to the replication of sweeping changes to the directory.
Domain Rename Limitations in a Windows 2000 Forest
Windows Server 2003’s forest restructuring capabilities provide solutions to some of the
problems that the Windows 2000 Server family did not address. In a Windows 2000 forest,
renaming domains is not directly possible after the forest structure is in place.The only way
to accomplish it is to move or recreate the domain contents.These constraints make
domain name changes or forest restructuring prohibitive in Windows 2000.
■
You cannot change the DNS name or the NetBIOS name of a domain.You can,
however, achieve similar results by moving its contents into a new domain using
the Active Directory Object Manager (MoveTree) in the Windows 2000 Support
Tools.
■
Using the Active Directory Object Manager method, you cannot move a domain
within a forest in a single operation.
■
Using the Active Directory Object Manager method, you cannot split a domain
into two domains in a single operation.
■
Using the Active Directory Object Manager method, you cannot merge two
domains into a single domain in a single operation.
Domain Rename Limitations
in a Windows Server 2003 Forest
Windows Server 2003 Standard, Enterprise, and Datacenter Editions provide tools that you
can use to safely rename domains. Since domain renaming is at the core of forest restructuring, you can leverage this capability with very powerful results.When considering
restructuring an existing Windows Server 2003 forest, be sure to consider the limitations of
domain renaming. Adding, removing, merging, and splitting domains are operations outside
the scope of the domain rename process.
■
You cannot change which domain is the forest root domain, although you can
still give it a new DNS or NetBIOS name.
■
You cannot remove or add domains to the forest.The number of domains before
and after the restructuring must remain the same (you can, of course, add new
domains after the name change).
■
You cannot move a domain name from one domain to another in a single
operation.
www.syngress.com
319
256_70-294_04.qxd
320
9/4/03
4:29 PM
Page 320
Chapter 4 • Working with Forests and Domains
The resulting forest, no matter how sweeping the DNS and NetBIOS changes are, must
result in a well-formed forest. A well-formed forest has the following characteristics:
■
All domains within the forest must form one or more DNS trees.
■
The forest-root domain must be the root of one of these trees.
■
A domain directory partition must not have an application directory partition as a
parent.
Domain Rename Dependencies
Other conditions that must be eliminated, or prerequisites that must be met before you can
attempt the domain rename procedure, include the following:
■
Domain rename is not supported in a domain where Exchange 2000 is installed.
■
All of your DCs must be running Windows Server 2003, and the Active Directory
forest functional level must be raised to Windows Server 2003.
■
The domain rename procedure requires Enterprise Administrator privileges.
■
The control station for the domain rename operation must not be a DC.You
must use a member server to perform the operation.
■
All domain-based DFSroot servers must be running Windows 2000 with Service
Pack 3 or higher.
The authentication levels needed in each step of the domain rename procedure are
identified in Table 4.6.
WARNING
Rendom.exe versions prior to version 1.2 (such as the one on the Windows Server
2003 distribution CD) failed to detect Exchange 2000 and incorrectly permitted
domain rename operations. The updated tool is available at www.microsoft.com/
windowsserver2003/downloads/domainrename.mspx.
www.syngress.com
Rename Procedure
STEP Task
4
5
6
7
8
9
10
11
12
Enterprise
Administrator
X
(or Backup Operator)
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Page 321
3
Back up all DCs
Domain
Domain Administrator
Administrator
on a Different Domain
on the Local Domain
4:29 PM
2
Backup, or thirdparty application
Set up the control Copy, and Windows
station
Server 2003 Support
tools setup
Generate the current Copy, and rendom
forest description
/list
Specify the new
rendom /showforest,
forest description
and Notepad or
other plain-text
editor
Generate domain
rendom /upload
rename instructions
Push domain rename dsquery, repadmin
instructions to All
DCs and verify DNS
readiness
Verify readiness
rendom /prepare
of DCs
Execute domain
rendom /execute
rename instructions
Unfreeze the forest rendom /end
configuration
Re-establish external Active Directory
trusts
Domains and Trusts,
or netdom
Fix Distributed File DFS (MMC snap-in),
System (DFS) topology or dfsutil
Fix GPOs and links gpfixup, and
repadmin
Local Administrator
on the Control
Machine
9/4/03
1
Tool(s)
256_70-294_04.qxd
Table 4.6 Required Authorization Levels for Each Step of the Domain
256_70-294_04.qxd
322
9/4/03
4:29 PM
Page 322
Chapter 4 • Working with Forests and Domains
Domain Rename Conditions and Effects
The domain rename procedure is complex, requires a great deal of care in planning and
execution, and should always be tested in a lab environment before performing it on an
operational forest.The time required to go through a complete domain rename operation
varies; the number of domains, DCs, and member computers is directly proportional to the
level of effort required.
NOTE
There is a good reason for caution. Read this entire procedure before attempting
any part of it, including the pre- and post-procedure steps. You might find limitations that preclude the procedure altogether on your network. Consult Microsoft
documentation, read Technet articles, and search for patches, hotfixes, and service
packs that can affect domain renaming and forest restructuring. Every attempt is
made in this chapter to address all pertinent topics and concerns, but issues and
conflicts continue to be exposed over time. Search Microsoft.com for new “Q” articles detailing conditions that might have an affect on this procedure. Most importantly, consider hiring a consultant who has recently and successfully performed a
domain renaming operation.
Before undertaking a domain rename operation, you must fully understand the following conditions and effects.They are inherent in the process and must be dealt with or
accommodated.
■
Each DC requires individual attention. Some changes are not replicated throughout
the Active Directory.This does not mean that every DC requires a physical visit.
Headless management can greatly reduce the level of effort required, depending on
the size and structure of the domain and the number of sites it contains.
■
The entire forest will be out of service for a short period. Close coordination is
required with remote sites, especially those in other time zones. During this time,
DCs will perform directory database updates and reboot. As with other portions
of the procedure, the time involved is proportional to the number of DCs
affected.
■
Any DC that is unreachable or fails to complete the rename process must be
eliminated from the forest for you to declare the procedure complete.
■
Each client workstation requires individual attention. After all DCs have updated
and rebooted, each client running Windows 2000 or Windows XP must be
rebooted two times to fully adapt to the renamed domain.Windows NT workstations must disjoin from the old domain name and rejoin the new domain name, a
manual process that requires a reboot of its own.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 323
Working with Forests and Domains • Chapter 4
■
The DNS host names of your DCs are not changed automatically by the domain
rename process.To make them reflect the new domain name, you must perform
the domain controller rename procedure on each DC. Having the host name of a DC
decoupled from its domain name does not affect forest service, but the discrepancy will be confusing until you change the names.
■
The DNS suffix of client workstations and member servers will automatically
update through the domain renaming process, but not all computers will match
the DNS name of the domain immediately. As with most portions of this process,
the period of time required is proportional to the number of hosts in the domain.
Domain Rename Preliminary Steps
Prerequisites for the domain rename operation are not trivial.The preparation phase will
ensure that these are in place. Complete all of the preliminary steps in this section before
beginning the rename procedure. If these prerequisites are not taken care of, the domain
rename cannot be successfully performed.
Setting Windows Server 2003 Forest Functionality
The first step in preparing for a domain rename is to ensure that all DCs are running some
edition of Windows Server 2003.This is a prerequisite to raising the forest to the Windows
Server 2003 functional level, which is another preparatory step. See the section Raising the
Functional Level of a Domain and Forest for additional information on functional levels.
Creating Shortcut Trust Relationships
Interaction between domains in your forest is based on the establishment of trusts among
the domains.The Active Directory Installation Wizard creates most of these trusts automatically during the domain creation process.Through the manual creation of shortcut trusts,
you can maintain that interaction after the domains are renamed. It is only necessary if the
forest structure will change as result of the manipulation of the namespace. If you are
renaming a domain in place without changing its relationship with other domains in the
forest, then this step is not needed. Refer to Chapter 5 for the trust-creation procedures.
Pre-Creating a Parent-Child Trust Relationship
While repositioning domains, the necessary shortcut trust relationships must be created
between the domain you want to reposition and its new parent domain.These pre-created
trust relationships substitute for the required parent-child trust relationships that will be
missing in the restructured forest.
For example, suppose you want to restructure the Zoo.net forest, shown in Figure 4.46,
so that the Cat.fish.zoo.net domain becomes a child of the Zoo.net domain.You must
create two one-way, transitive shortcut trust relationships between Cat.fish.zoo.net and
Zoo.net before you can rename the child domain Cat.fish.zoo.net to the child domain
www.syngress.com
323
256_70-294_04.qxd
324
9/4/03
4:29 PM
Page 324
Chapter 4 • Working with Forests and Domains
Catfish.zoo.net.This trust relationship pre-creates the two-way parent-child trust relationship required for the parent and child domains after the rename. Figure 4.46 shows the
before structure, and Figure 4.47 shows the after structure, illustrating the needed shortcut
trust relationships for the new structure.
Figure 4.46 Pre-Creating a Parent-Child Trust Relationship Before the Forest
Restructure
Two
one-way
Shortcut
trusts
Root zoo.net
Domain
Child fish.zoo.net
Domain
Child
Domain
Cat.fish
.zoo.net
Child
Domain
Guppy.fish
.zoo.net
Child
Domain
Angel.fish
.zoo.net
Figure 4.47 Parent and Child Trust After the Forest Restructure
Parent-Child
Trust
Child
Domain
Catfish.zoo.net
Root zoo.net
Domain
Child
Domain
Child
Domain
Guppy.fish
.zoo.net
www.syngress.com
fish.zoo.net
Child
Domain
Angel.fish
.zoo.net
256_70-294_04.qxd
9/4/03
4:29 PM
Page 325
Working with Forests and Domains • Chapter 4
Pre-Creating Multiple Parent-Child Trust Relationships
If you need to restructure a domain that is both a child domain and a parent domain, you
will need to create shortcut trust relationships in two places. For example, suppose you
want to restructure the Zoo.net forest, shown in Figure 4.48, so that the
Striped.angel.fish.zoo.net domain becomes a direct child of Fish.zoo.net, and the
Angel.fish.zoo.net domain becomes a child of Catfish.net.This restructure operation calls
for four shortcut trusts that will become the two parent-child trust relationships for the
new forest. Figure 4.48 shows the before structure, and Figure 4.49 shows the after structure,
illustrating the needed shortcut trust relationships.
Figure 4.48 Pre-Creating Multiple Parent-Child Trust Relationships Before the
Forest Restructure
Tree Root
Trust
Root
Domain
zoo.net
fish.zoo.net
Domain
Catfish.net
Child
Domain
Angel.fish
.zoo.net
Child
Domain
Striped.Angel
.fish.zoo.net
Child
Domain
Pre-Creating a Tree-Root Trust
Relationship with the Forest Root Domain
When you restructure a domain to become a new tree root, you must pre-create two oneway, transitive trust relationships with the forest root domain. For example, suppose you
have a three-level deep tree and you want to shorten it by creating a new tree.This will
move the lowest domain to become a new tree-root domain. Figure 4.50 shows the two
one-way shortcut trusts you create, and Figure 4.51 shows the tree-root trust relationship
after the restructuring. Stripedangel.fish.zoo.net becomes the tree-root domain
Angelfish.net.
www.syngress.com
325
256_70-294_04.qxd
326
9/4/03
4:29 PM
Page 326
Chapter 4 • Working with Forests and Domains
Figure 4.49 Multiple Parent and Child Trusts After the Forest Restructure
Tree Root
Trust
Root
zoo.net
Domain
Catfish.net
Child
Domain
Domain
Fish
.zoo.net
Parent-Child
Trusts
Child
Domain
Striped
.catfish.net
Renamed
Domains
Child
Domain
StripedAngel
.fish.zoo.net
Figure 4.50 Pre-Creating a Tree-Root Trust Relationship Before the Forest
Restructure
Zoo.net
Tree Root
Trust
Shortcut
Trusts
Root
Domain
Fish
.zoo.net
Domain
Catfish.net
Child
Domain
Child
Domain
StripedAngel
.fish.zoo.net
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 327
Working with Forests and Domains • Chapter 4
Figure 4.51 Tree-Root Trust Relationship After the Forest Restructure
Zoo.net
Tree Root
Trust
Root
Domain
Tree Root
Trust
Parent- Child
Tru st
Domain
Angelfish.net
Domain
Catfish.net
Child
Domain
Fish .zoo.net
Preparing DNS
Any time a client requires access to Active Directory, it activates an internal mechanism
called the DC locator for locating DCs through DNS. It uses SRV records for this. If no
SRV records are found in DNS, the access fails.To prevent this failure, before renaming an
Active Directory domain you need to be sure that the appropriate zones exist for the forest
and for each domain.
After you create the DNS zones for the new domain name, your DCs will populate
each zone through dynamic update.This is one of the reasons for the reboot after the execution of the renaming script. Configure the zones to allow secure dynamic updates as a
good security practice. Repeat the zone creation for each domain you plan to rename.
Everything needed to support your existing Active Directory domain must be recreated
to support the domain after renaming. Usually, this is accomplished by mirroring your current DNS infrastructure. As an example, say you want to rename an existing domain called
Labs.dog.com to Retrievers.dog.com. If the zone containing your current SRV resource
records is called Labs.dog.com, you will need to create a new DNS zone called
Retrievers.dog.com.
To analyze and prepare DNS zones for domain rename, first compile a list of DNS
zones that you need to create. Second, create the forward lookup zones using the DNS tool
and configure them to allow dynamic updates.The section Configuring DNS Servers for Use
with Active Directory gives more detailed information.
www.syngress.com
327
256_70-294_04.qxd
4:29 PM
Page 328
Chapter 4 • Working with Forests and Domains
Head of the Class…
328
9/4/03
What Happens to My Distributed
File System When I Rename My Domain?
First, those of you who are not using DFS should think seriously about it. DFS allows
you to redirect specific folders like My Documents out to a high-availability network
location where each user’s files can be backed up and protected. Folder redirection
is a Group Policy extension that allows you to identify a connection between network servers or DFS roots and the local folders that you want to redirect.
What happens to DFS when you rename a domain all depends on how you
have it configured. Think about it. If you use a domain-based DFS path like
\\domainName\DFSRoot, then when the domainName goes away, what happens to
the path?
It goes dead, and everyone’s documents disappear, or become inaccessible. As
far as the users know, all of their data is gone. Your telephone will ring by 5 a.m.
the next day—guaranteed. What does it depend on, and how can you keep your
telephone from ringing? If your Folder Redirection policy specifies the NetBIOS
name of the domain in your domain-based DFS path, and you keep the NetBIOS
name of your domain the same instead of changing it along with the DNS name,
then you’re okay.
What if you want to change your NetBIOS name along with your DNS name?
You could push out a new group policy and move the files to another location.
Temporarily, you could point your folder redirection to a stand-alone DFS path, or
even to a simple server-based share. You should do that a couple of days before the
rename just to be sure it works before shaking things up again—you’ll be too busy
renaming to worry about DFS at that point. Since \\hostName\DFSRoot stays rock
solid through a domain rename, your documents should still be available the next
morning. When things settle down, restore the user files back to your domainbased DFS root and push out the old DFS policy again. That isn’t without risk, but
it keeps things working.
What about home directories and roaming profiles? Same thing. Look at the
pathname you specify in your policy to determine whether they’ll break when you
rename the domain. Make sure to fix those beforehand.
Configuring Member Computers for Host Name Changes
Because Active Directory is tightly integrated with DNS, member computers are designed
to automatically change their primary DNS suffixes when the domain membership of the
computer changes. If you rename the domain, this is treated like a membership change and
the fully qualified DNS host name changes automatically to match.This is the default
behavior, and you can check for it by following the steps in Exercise 4.18.
As an example, if you want to rename an existing domain called Labs.dog.com to
Retrievers.dog.com, the full DNS host name of the member computers of this domain will
also change from host.Labs.dog.com to host.Retrievers.dog.com if the default behavior is
in effect.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 329
Working with Forests and Domains • Chapter 4
NOTE
You should check to see if this default behavior has been changed in your domain,
because your rename will fail if you are not using the default setting.
The full DNS name and therefore the primary DNS suffix of a member computer
changes when the domain is renamed if both of the following conditions are true:
■
The primary DNS suffix of the computer is configured to update when domain
membership changes. See Exercise 4.18 for instructions on how to check this setting.
■
The member computer has no group policy applied that specifies a primary DNS
suffix. See Exercise 4.19 for instructions on how to check this setting.
EXERCISE 4.18
USING THE CONTROL PANEL TO
CHECK FOR PRIMARY DNS SUFFIX CONFIGURATION
1. On a member computer, open the System Control Panel.
2. Click Computer Name | Change.
3. Click More, and verify if Change primary domain suffix when
domain membership changes is selected (as shown in Figure 4.52). If
it is, then the computer will automatically adjust to the new primary
DNS suffix.
4. Click OK until all dialog boxes are closed.
Figure 4.52 The System Control Panel, General Tab, More Button
www.syngress.com
329
256_70-294_04.qxd
330
9/4/03
4:29 PM
Page 330
Chapter 4 • Working with Forests and Domains
Determining Whether Group Policy
Controls the Primary DNS Suffix for the Computer
There are a few ways to determine whether Group Policy controls the primary DNS suffix
for the computer. Log on to a representative member computer and do one of the following:
■
Open a command prompt and type gpresult. Look in the output to see if
Primary DNS Suffix is listed under Applied Group Policy objects.
■
Open Active Directory Users and Computers, right-click the computer
object you want to check, and click All Tasks | Resultant Set of Policy
(Logging).
■
Perform the steps in Exercise 4.19. If a value is present in step 4, then the primary
DNS suffix group policy is applied to the computer.
EXERCISE 4.19
USING THE REGISTRY TO CHECK FOR PRIMARY DNS SUFFIX
DOMAIN RENAME COMPUTER READINESS
1. Click Start | Run.
2. Type regedit and click OK.
3. Navigate to HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\System\DNSclient.
4. If the Primary DNS Suffix key contains a value, then the computer will
not automatically adjust to the new primary DNS suffix.
5. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters.
6. Verify whether the value of REG_RWORD SyncDomainWithMembership
is 0x1. This value indicates that the primary DNS suffix changes when
the domain membership changes. Any other value means that the computer will not automatically adjust to the new primary DNS suffix.
Because the replication effects of member computer names being updated is proportional to the number of computers within the renamed domain, large domains can generate
a large amount of traffic.This replication “storm” is a problem for only the largest deployments. If you think that the resulting replication traffic might pose a problem to your
infrastructure, then consult the section entitled Avoiding Replication Effects of Domain Rename
in Large Deployments later in this chapter.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 331
Working with Forests and Domains • Chapter 4
Preparing Certification Authorities
You can continue to support the management of enterprise certificates through a domain
rename when the following requirements have been met beforehand:
■
The Certificate Authority functionality (CA) is not installed on any DCs.
■
All CAs should include both LDAP and HTTP URLs in their Authority
Information Access (AIA) and Certificate Distribution Point (CDP) extensions.
NOTE
If the CA has issued any certificate with only one of these URL types, the certificate
might not work. The steps covered in this chapter might not be sufficient for full
management of your CAs after the domain is renamed, depending on the complexity of your domain configuration. Proceed with the domain renaming only if
you have substantial expertise in handing Microsoft CAs.
If any of the following situations exist, CA management is not supported through the
domain rename process:
■
The CDP or AIA configuration includes only LDAP URLs. Certificates issued by
the CA will no longer be valid because the old LDAP extensions will be wrong
after the domain rename process. As a workaround, you will have to renew the
existing CA hierarchy and all issued End Entity certificates.
■
If you have established any interdomain trust relationships authenticated with
cross-certificates, and they have name constraints, those names might not be valid
after the domain rename operation. As a workaround, you will have to reissue
cross-certificates containing the new name constraints.
■
If RFC 822-style e-mail names (user@host.network) are a property of the user
account, these e-mail names will be incorrect after the domain rename operation.
Additionally, if any certificate template is configured to include RFC 822-type email names within the certificate, those names will no longer be valid.Those
Active Directory accounts should be updated prior to issuing any new certificates.
Finally, check to see if your certificate revocation lists (CRLs) and CA certificates are
going to expire soon. If so, these should all be renewed, reissued, and replicated to all client
machines prior to the rename process.
Avoiding Replication Effects of Domain Rename in Large Deployments
Thousands of computer names being changed at about the same time can cause a replication “storm.” If you are concerned about this replication traffic, this section is for you. If
you can tolerate a significant period of network congestion or saturation, you can skip this
www.syngress.com
331
256_70-294_04.qxd
332
9/4/03
4:29 PM
Page 332
Chapter 4 • Working with Forests and Domains
preparatory step. Note that versions of Windows before Windows XP do not fully support
this approach.
The solution is to rename member computers in smaller batches to lessen the replication traffic problem.You must take steps to limit the number of computers that will be
renamed following domain rename by reversing one of the conditions in Configuring
Member Computers for Host Name Changes earlier in this chapter.
When a computer’s name is changed, an update of the dnsHostName and
servicePrincipalName attributes on its computer account in Active Directory is triggered.This
happens during the reboot after the domain rename. In addition, it triggers an update of the
host (A) and pointer (PTR) DNS resource records in the DNS database.The two events, if
triggered by a large number of computers within a short period of time, might provoke
replication activity that saturates the network. Using Group Policy, you should reconfigure
the default behavior that changes the primary DNS suffix on member computers when a
domain is renamed.
Group Policy triggers the same replication traffic as the domain rename procedure. For
that reason, you must manage the Group Policy application in stages.This is accomplished
by dividing computer objects among several OUs or sites in Active Directory.To temporarily separate some of the computers, you might want to create additional interim OUs.
Generally speaking, only do this for workstations. Allow member servers to change automatically during the reboot, making them the last to change; otherwise, some services
might be affected until the domain rename is complete. If you have a large number of
servers, apply the DNS Suffix Search List policy to workstations first, and then to servers.
Before Applying Group Policy
The purpose of applying this group policy is to avoid replication and DNS update traffic
caused by the automatic update of the primary DNS suffix on all member computers following a domain rename. Use Group Policy to revise the primary DNS suffix of all computers in stages to the new domain name before the procedure.That way, domain
computers are manually updated and already have the correct primary DNS suffix at the
time you perform the domain rename. After you apply the group policy, the DNS suffix of
member computers will not match the DNS name of the domain for some period.To
handle this problem, the first step is to configure the domain to accept the possible names
that the DNS suffix can have. Make sure you do this before applying the policy.
The default primary DNS suffix is the name of the domain itself.To make a new one
available to member computers, you must first make the DNS suffixes known at the
domain level.You accomplish this by editing the msDS-AllowedDNSSuffixes attribute on the
domain object to contain these additional DNS domain names.This multivalued attribute
contains a list of valid DNS suffixes for member computers of the Active Directory
domain.The msDS-AllowedDNSSuffixes attribute should not contain the same values in
more than one domain.
At the same time, configure the DNS Suffix Search List group policy on all systems to
contain the old primary DNS suffix, new primary DNS suffix, and any parent suffixes of
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 333
Working with Forests and Domains • Chapter 4
the old and new primary DNS suffixes. For example, if the old DNS suffix of a domain was
Cat.fish.zoo.com and the new name will be Catfish.naturepreserve.com, the DNS Suffix
Search List should contain the following suffixes:
■
Cat.fish.zoo.com
■
Catfish.naturepreserve.com
■
Fish.zoo.com
■
Naturepreserve.com
Note that the versions of Windows before Windows XP do not support the Group
Policy setting for the DNS Suffix Search List.To perform this procedure, all DCs in the
domain must be running Windows Server 2003, and a subdomain must exist in DNS for
each new DNS suffix that you add. Use ADSI Edit, one of the Windows Server 2003
Support Tools, to modify the msDS-AllowedDNSSuffixes attribute value on the domain object
in Active Directory as shown in Exercise 4.20. Do this for each domain whose name is
going to change.
EXERCISE 4.20
USING ADSI EDIT TO ADD DNS
SUFFIXES TO MSDS-ALLOWEDDNSSUFFIXES
1. Click Start | Programs | Windows Server 2003 Support Tools | Tools
| ADSI Edit.
2. In the scope pane, right-click ADSI Edit and select Connect to.
3. Under Computer, click Select or type a domain or server name, and
then click OK.
4. Double-click the domain directory partition for the domain you want to
modify.
5. Right-click the domain container object, and select Properties.
6. In the Attributes box, on the Attribute Editor tab, double-click the
msDS-AllowedDNSSuffixes attribute.
7. In the Multi-valued String Editor dialog box, in the Value to add
field, type a DNS suffix and then click Add.
8. Repeat this process for all the DNS suffixes that you need for the
domain, and click OK.
9. Click OK to close the Properties dialog box.
10. Repeat steps 2 through 9 for any additional domains that are being
renamed.
www.syngress.com
333
256_70-294_04.qxd
334
9/4/03
4:29 PM
Page 334
Chapter 4 • Working with Forests and Domains
Using Group Policy to Predefine the
Primary DNS Suffix Prior to Domain Rename
To prepare for the application of Group Policy, you need to create groupings of member
computers for incremental rollout. Perform the following steps for each domain to be
renamed.
1. Estimate the largest number of computers that can be renamed in your environment without adverse affects. Microsoft’s recommendation is to define groups of
1000 or less for a normal healthy LAN environment. Adjust this number for local
conditions.
2. Define rollout groups of the chosen size.
3. Create a schedule, leaving sufficient time between applications of Group Policy to
allow replication to occur. Make sure the updated dnsHostName and
servicePrincipalName attributes on computer accounts and replication of the DNS
records of the renamed computers are completed during each period before the
next group begins.
4. Apply Group Policy to the rollout groups according to the schedule. Make sure all
groups receive the policy before renaming the domain. Note that computers must
be rebooted for the host name change to take effect.
NOTE
Do not apply this policy to DCs. They will be renamed later in a separate procedure.
5. After the domain rename procedure is complete, and after all computers have
rebooted, disable the temporary DNS Suffix group policy.
Performing the Rename Procedure
This section presents step-by-step procedures for executing the domain rename operation in
your forest. Be sure to review and complete the preliminary procedures before performing
any steps in this section.There will be a short period of service interruption in your Active
Directory forest during this procedure. For the most part, this occurs while all the DCs in the
forest are automatically rebooting.The applicable section of the procedure tells you when to
expect it. Except for this short interruption, the Active Directory service should continue to
be available and function normally throughout the rest of the procedure.
A certain level of proficiency is expected from those performing this procedure. Do not
attempt it unless you have considerable experience with Active Directory, CAs, domain and
forest maintenance procedures and troubleshooting, and are comfortable with the administrative tools involved. Although not all steps require the same level of authority, you should
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 335
Working with Forests and Domains • Chapter 4
have access to the group memberships listed in Table 4.6 to perform the procedure as a
whole.These include:
■
Enterprise Admins group in the forest
■
Domain Admins group in trusted domains
■
Domain Admins group in trusting domains
■
Local Administrators group on the control station
Each step should be completed before going on to the next. Many steps will fail or have
unpredictable results if performed out of order.This especially applies to the freezing and
unfreezing of the forest configuration. During this time, the forest must be quiescent.You must
not make any changes to the Active Directory such as adding or removing domains, DCs,
directory partitions, or trust relationships other than those called for in the procedure itself.
When the rename process is complete, you can press forward with those types of activities.
STEP 1: Back Up All DCs
Simply put; make sure you accomplish a full backup of the system state of every DC in the
entire forest. Get complete backups of CAs, DFS roots, FSMO masters, and other commonuse and infrastructure items. Check the logs of every backup for any errors that might have
occurred, and perform one or more restores on test systems to ensure your backup processes
are sound.
STEP 2: Prepare the Control Station
Pick a conveniently located server that meets the following requirements:
■
Must be a member of one of the domains that will be renamed.
■
Must be a member server, not a DC, running Windows Server 2003 Standard
Edition,Windows Server 2003 Enterprise Edition, or Windows Server 2003
Datacenter Edition.
■
Must have available the installation CD for the version of Windows installed on
the control station.
This server will function as the administrative control station for the entire domain
rename operation.You will be running and controlling all rename procedures from this station. Special tools will need to be installed on the local disk, and scripts created and edited
here. Although you do have to contact each DC in the forest, you will reach them remotely
from this station.
Perform Exercise 4.21 to install Windows Server 2003 Support Tools from the OS CD.
www.syngress.com
335
256_70-294_04.qxd
336
9/4/03
4:29 PM
Page 336
Chapter 4 • Working with Forests and Domains
EXERCISE 4.21
SETTING UP THE CONTROL STATION WITH
THE REQUIRED TOOLS FOR THE DOMAIN RENAME OPERATION
1. Log on to the control station with at least local administrator rights.
2. Create a directory named X:\RenameTools on a local disk drive, where X
is a local drive letter.
NOTE
You will be executing all rename tools from within this directory. Give it a name
you will be comfortable with, but that will alert other administrators as to what it
is used for.
3. Insert the Windows Server 2003 Standard Edition, Windows Server
2003 Enterprise Edition, or Windows Server 2003 Datacenter Edition
operating system CD into the CD-ROM drive.
4. Open a command prompt and copy the files from the valueadd directory, shown here with the CD-ROM in drive letter G. Use the command
copy G:\valueadd\msft\mgmt\DomainRename\*.* X:\ RenameTools.
5.
Verify that rendom.exe and gpfixup.exe are present in your working
directory on the control station.
6. Browse to the G:\Support\Tools directory, and double-click Setup to
install the Windows Server 2003 Support tools.
7. Verify that repadmin.exe and dfsutil.exe are installed on the
control station.
STEP 3: Document the Current Forest
In this step, you will use the rendom utility to generate a description of your current forest
structure as an XML-encoded file. It will contain a list of all the domain directory partitions as well as your application directory partitions within the forest.This is the baseline
that you start from, and you will modify this file later.
If you want to use authorization other than the account you are logged on as, use alternate credentials with the /user and /pwd command-line switches of rendom.exe. Perform
Exercise 4.22 to generate the baseline forest description.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 337
Working with Forests and Domains • Chapter 4
EXERCISE 4.22
GENERATING THE CURRENT FOREST DESCRIPTION FILE
1. Log on to the control station with Enterprise Administrator rights.
2. Open a Command Prompt, change to the RenameTools directory, and
type rendom /list.
3. Type the following command to save a copy of the forest description
file for future reference: copy domainlist.xml domainlist-save.xml
The /list option of the rendom.exe creates an XML-encoded file named domainlist.xml
in the current directory. It contains a textual description of your current forest structure,
including a list of all the application directory partitions and domain directory partitions
within your forest.You will find an entry for each of these domain and application directory
partitions bounded by the <Domain></Domain> XML tags, as shown in Figure 4.53. Each
entry contains naming data that includes the object GUID of the partition root object, the
DNS name of the domain or application directory partition, and the NetBIOS name of the
domain. An application directory partition does not have a NetBIOS name.
In the example, the domainlist.xml file shows the structure of a forest containing two
domains called Zoo.net and Fish.zoo.net with NetBIOS names of ZOO and FISH, respectively.Three other entries appear, corresponding to the application directory partitions used
by the Active Directory integrated DNS service.These application directory partitions must
also be renamed:
■
DomainDnsZones.fish.zoo.net
■
DomainDnsZones.zoo.net
■
ForestDnsZones.zoo.net
The entry for an application directory partition is annotated with an XML comment in
the form:
<!— PartitionType:Application —>
The entry for the root domain of the forest is also annotated with an XML comment
in the form:
<! — ForestRoot —>
For this procedure, the critical fields are those bounded by the
<DNSname></DNSname> and <NetBiosName></NetBiosName> tags.
www.syngress.com
337
256_70-294_04.qxd
338
9/4/03
4:29 PM
Page 338
Chapter 4 • Working with Forests and Domains
Figure 4.53 Forest Description File, domainlist.xml, Generated by Rendom.exe
<?xml version = "1.0"?>
<Forest>
<Domain>
<!— PartitionType:Application —>
<Guid>3dacd6ab-d4e8-b94e-63b9-8bacc5d5e10b</Guid>
<DNSname>DomainDnsZones.fish.zoo.net</DNSname>
<NetBiosName></NetBiosName>
<DcName></DcName>
</Domain>
<Domain>
<Guid>73cfaaec-faa6-4732-a851-c8050763fab0</Guid>
<DNSname>fish.zoo.net</DNSname>
<NetBiosName>FISH</NetBiosName>
<DcName></DcName>
</Domain>
<Domain>
<!— PartitionType:Application —>
<Guid>4d1c9e17-18bb-c642-1f4c-acc1be13d117</Guid>
<DNSname>ForestDnsZones.zoo.net</DNSname>
<NetBiosName></NetBiosName>
<DcName></DcName>
</Domain>
<Domain>
<!— PartitionType:Application —>
<Guid>4d1c9e17-18bb-c642-1f4c-acc1be13d117</Guid>
<DNSname>DomainDnsZones.zoo.net</DNSname>
<NetBiosName></NetBiosName>
<DcName></DcName>
</Domain>
<Domain>
<! — - ForestRoot —>
<Guid>73cfaaec-faa6-4732-a851-c8050763fab0</Guid>
<DNSname> zoo.net</DNSname>
<NetBiosName>ZOO</NetBiosName>
<DcName></DcName>
</Domain>
</Forest>
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 339
Working with Forests and Domains • Chapter 4
STEP 4: Design the New Forest
From the preliminary procedures, your new forest structure should be well documented. In
this step, you will overlay the new structure over the old one as described by the domainlist.xml file generated in step 3.You will use a text editor to edit the domainlist.xml file and
replace your old domain names with new ones.You must also edit the names of application
directory partitions in the same way.When you rename an Active Directory domain, the
corresponding DNS-specific application directory partition must also be renamed, if you are
using Active Directory-integrated DNS. If it is not, new DNS servers added to the network will
not automatically load the DNS zones stored in the DNS-specific application directory
partition and will not function properly.
Use a simple text editor such as Notepad to make the changes. Remember that at this
time you can change the NetBIOS name of any domain, the DNS name of any domain, or
both. In addition, take care to change the names of any child domains affected by a
renamed parent. Review all name changes for well-formed characteristics as described in the
Domain Rename Limitations in a Windows 2003 Forest section in this chapter.
WARNING
Double-check this step, preferably with more than one person to ensure that the
changes are complete and correct. These are the actual names that will be implemented, and any typographical or hierarchical error could translate into a nonfunctional forest or domain. If your target structure is not what you intended, you
must perform the entire domain rename procedure again.
Here are some guidelines for name changes:
■
Change the DNS name from old to new, which is the field bounded by the tags
<DNSname></DNSname>.
■
Change the NetBIOS name from old to new, which is the field bounded by the
tags <NetBiosName></NetBiosName>.
■
Change the domain-level DNS Application Partition name from old to new,
which is the DomainDnsZones.<domain DNS name> field bounded by the tags
<DNSname></DNSname>.
■
Change the forest-level DNS Application Partition name from old to new, which
is the ForestDnsZones.<forest DNS name> field bounded by the tags
<DNSname></DNSname>.
■
Do not change the GUID represented in the field bounded by the
<Guid></Guid> tags.
www.syngress.com
339
256_70-294_04.qxd
340
9/4/03
4:29 PM
Page 340
Chapter 4 • Working with Forests and Domains
Review Figure 4.54 for a sample of what the domainlist.xml file would look like after
the following restructuring design overlay. In this case, both DNS and NetBIOS names
were changed:
■
The top-level DNS name of Zoo.net has been changed to the more politically
correct name of Naturepreserve.net, while its child domain of fish.zoo.net has
been changed to Aquatics.naturepreserve.net.
■
The NetBIOS name of ZOO has been changed to PRESERVE, while the
NetBIOS name of its child domain has been changed from FISH to AQUATICS.
■
The domain-level DNS application partition name has been changed from
DomainDnsZones.fish.zoo.net to DomainDnsZones.aquatics.naturepreserve.net.
■
The domain-level DNS application partition name has been changed from
DomainDnsZones.zoo.net to DomainDnsZones.naturepreserve.net.
■
The forest-level DNS Application Partition name has been changed from
ForestDnsZones.zoo.net to ForestDnsZones.naturepreserve.net.
■
The GUID fields have not been modified.
■
No NetBIOS names have been assigned to any PartitionType:Application.
NOTE
If you have a Microsoft TAPI dynamic directory for an Active Directory domain, you
might have application partitions for the TAPI application data. There is normally
one TAPI-specific application directory partition for each domain. When you
rename an Active Directory domain, the corresponding TAPI-specific application
directory partition is not renamed automatically. If they exist, you should change
those as well.
Figure 4.54 Forest Description File, domainlist.xml, Customized for the New
Forest Design
<?xml version = "1.0"?>
<Forest>
<Domain>
<!— PartitionType:Application —>
<Guid>3dacd6ab-d4e8-b94e-63b9-8bacc5d5e10b</Guid>
<DNSname>DomainDnsZones.aquatics.naturepreserve.net</DNSname>
<NetBiosName></NetBiosName>
<DcName></DcName>
Continued
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 341
Working with Forests and Domains • Chapter 4
Figure 4.54 Forest Description File, domainlist.xml, Customized for the New
Forest Design
</Domain>
<Domain>
<Guid>73cfaaec-faa6-4732-a851-c8050763fab0</Guid>
<DNSname>aquatics.naturepreserve.net</DNSname>
<NetBiosName>AQUATICS</NetBiosName>
<DcName></DcName>
</Domain>
<Domain>
<!— PartitionType:Application —>
<Guid>4d1c9e17-18bb-c642-1f4c-acc1be13d117</Guid>
<DNSname>ForestDnsZones.naturepreserve.net</DNSname>
<NetBiosName></NetBiosName>
<DcName></DcName>
</Domain>
<Domain>
<!— PartitionType:Application —>
<Guid>4d1c9e17-18bb-c642-1f4c-acc1be13d117</Guid>
<DNSname>DomainDnsZones.naturepreserve.net</DNSname>
<NetBiosName></NetBiosName>
<DcName></DcName>
</Domain>
<Domain>
<! — - ForestRoot —>
<Guid>73cfaaec-faa6-4732-a851-c8050763fab0</Guid>
<DNSname> naturepreserve.net</DNSname>
<NetBiosName>PRESERVE</NetBiosName>
<DcName></DcName>
</Domain>
</Forest>
Rendom.exe will display the new forest structure in the domainlist.xml file in a userfriendly format using text indentation to reflect the domain hierarchy using the /showforest
option. Type the command rendom /showforest from a command prompt in the
Renametools directory after each change to the domainlist.xml file to verify the forest
structure. Recheck the contents of this file after every edit until you are sure it is correct.
www.syngress.com
341
256_70-294_04.qxd
342
9/4/03
4:29 PM
Page 342
Chapter 4 • Working with Forests and Domains
STEP 5: Draft Domain Rename Instructions
Now that you have built a definition of your new forest structure, it is time to generate the
domain rename instructions that will implement the change.These instructions will execute
individually and remotely on each DC in the forest. Not surprisingly, the Domain Naming
Master plays a central role in the renaming process.The rendom.exe utility creates the specially formatted scripts, containing a sequence of directory updates, and writes them to the
msDS-UpdateScript attribute on the Partitions container object in the configuration directory partition on the Domain Naming Master for the forest.
The new forest description must be available as the XML-encoded file domainlist.xml,
which you created by editing the original forest description file in the previous step. Follow
these steps to create the domain rename instructions.
1. Open a command prompt, and change to the RenameTools directory.
2. Enter the command rendom /upload.
3. Verify the existence of the state file dclist.xml in the RenameTools directory and
that it contains an entry for every DC in your forest.
In addition to generating the domain rename instructions and uploading them into the
Active Directory, the rendom /upload command also generates a state file called dclist.xml and
writes it to the current directory of RenameTools. Rendom uses this state file to track the
progress and state of each DC in the forest.This tracking continues throughout the
remaining steps of the domain rename procedure. Refer to Figure 4.55 for an example of
the dclist.xml file. It contains the states for two DCs in the Zoo.net domain called DC1
and DC2, and two DCs in the Fish.zoo.net domain called DC3 and DC4.
Figure 4.55 Examining the dclist.xml State File Used for Tracking the Progress of
Domain Rename
<?xml version = "1.0"?>
<DcList>
<Hash>zzzzzzzz</Hash>
<Signature>zzzzzzzz</Signature>
<DC>
<Name>DC1.zoo.net</Name>
<State>Initial</State>
<LastError>0</LastError>
<Password />
<LastErrorMsg />
<FatalErrorMsg />
<Retry></Retry>
Continued
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 343
Working with Forests and Domains • Chapter 4
Figure 4.55 Examining the dclist.xml State File Used for Tracking the Progress of
Domain Rename
</DC>
<DC>
<Name>DC2.zoo.net</Name>
<State>Initial</State>
<LastError>0</LastError>
<Password />
<LastErrorMsg />
<FatalErrorMsg />
<Retry></Retry>
</DC>
<DC>
<Name>DC3.fish.zoo.net</Name>
<State>Initial</State>
<LastError>0</LastError>
<Password />
<LastErrorMsg />
<FatalErrorMsg />
<Retry></Retry>
</DC>
<DC>
<Name>DC4.fish.zoo.net</Name>
<State>Initial</State>
<LastError>0</LastError>
<Password />
<LastErrorMsg />
<FatalErrorMsg />
<Retry></Retry>
</DC>
</DcList>
Every DC in the forest must have an entry in the dclist.xml state file.The state of each
DC is delineated by the tags <State></State>. At this point in the rename process, all DCs
are initialized to the Initial state. As the procedure progresses, these states will change.
www.syngress.com
343
256_70-294_04.qxd
344
9/4/03
4:29 PM
Page 344
Chapter 4 • Working with Forests and Domains
STEP 6: Push Instructions to DCs
In Exercise 4.23, you will trigger a forced Active Directory replication.This pushes out the
domain rename instructions that you previously uploaded to the Domain Naming Master
to all DCs in the forest.Then, you should verify that the DC Locator SRV records registered in DNS by each DC for the new domain names have replicated to all DNS servers
that are authoritative for those records.
NOTE
You do not have to force replication, but it will accelerate the replication of the
changes to the Partitions container in the configuration directory partition to all
DCs in the forest. Alternately, you can wait for replication to complete according to
the delay characteristics and replication intervals of your forest.
EXERCISE 4.23
FORCING THE SYNCHRONIZATION OF CHANGES
MADE TO THE DOMAIN NAMING MASTER
1. Open a command prompt, and change to the RenameTools directory.
2. Type the command repadmin /syncall /d /e /P /q
DomainNamingMaster. Note that DomainNamingMaster is the DNS
host name of the current Domain Naming Master for the forest.
NOTE
Use the dsquery utility to determine which host is the Domain Naming Master, or
perform Exercise 4.12. In addition, be aware that the repadmin command-line
options are case sensitive.
It is critical that all DCs successfully replicate before continuing. If repadmin completes
successfully, the Domain Naming Master DC will have replicated to every other DC in the
forest. If you get an error for some of the DCs in the forest, you must try again until all
DCs in the forest have successfully received the changes from the Domain Naming Master.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 345
Working with Forests and Domains • Chapter 4
STEP 7:Verify DNS Readiness
During domain rename, the Net Logon service of each DC pre-publishes the SRV resource
records to the authoritative DNS servers associated with their new domain name.The DC
Locator will malfunction if these are not successfully published. Other records must also be
in place for authentication and replication to take place. Refer to Exercise 4.24 to verify
that the various DNS records for the new domain names were successfully created.
NOTE
Do not, under any circumstances, proceed with domain rename if any of the DNS
records listed in Table 4.7 are missing. They are all required for normal operation of
the forest.
EXERCISE 4.24
VERIFYING THE DNS SERVICE LOCATOR RECORDS
1. Click Start | Programs | Administrative Tools | DNS to start the DNS
administrator console.
2. Expand the server name.
3. Expand the Forward Lookup Zones.
4. Expand the domain you want to verify.
5. Verify that the DNS records listed in Table 4.7 are present for all your
DCs within each domain. These records are crucial to the operation of
the domain.
Table 4.7 Required SRV Resource Records
Location of DNS Record
Type
of Record
DsaGuid._msdcs.DnsForestName
CNAME
Purpose
There must be one CNAME record
pertaining to every DC in all
authoritative DNS servers. Without it,
replication will not take place from
that DC.
Continued
www.syngress.com
345
256_70-294_04.qxd
346
9/4/03
4:29 PM
Page 346
Chapter 4 • Working with Forests and Domains
Table 4.7 Required SRV Resource Records
Location of DNS Record
Type
of Record
_ldap._tcp.pdc._msdcs.
DnsDomainName
SRV
_ldap._tcp.gc._msdcs.
DnsForestName
SRV
_ldap._tcp.dc._msdcs.
DnsDomainName
SRV
Purpose
There must be one SRV record
associated with the PDC FSMO on all
authoritative DNS servers. Without it,
the authentication of users and
computers will not function correctly.
There must be at least one record
pointing to at least one GC on all
authoritative DNS servers in the
forest. This record also ensures the
proper functioning of authentication
for users and computers. Minimally,
at least one record of this type must
be present on all authoritative DNS
servers. Records for the other GCs
should eventually replicate.
There must be at least one record for
at least one DC on all authoritative
DNS servers for each domain. This is
another record required for the
functioning of authentication of
users and computers. Minimally, at
least one record of this type must be
present on all authoritative DNS
servers. Records for the other DCs
should eventually replicate to the
other authoritative DNS servers.
Now you need to check the status of every DC in the forest to verify that the Active
Directory database is in a healthy state and ready to perform the domain rename instructions. Use Exercise 4.25 to accomplish this.The Rendom tool will issue a Remote
Procedure Call (RPC) individually to each DC in the forest and update the state file
dclist.xml.
EXERCISE 4.25
VERIFYING THE READINESS
OF ALL
DOMAIN CONTROLLERS
1. Open a command prompt, and change to the RenameTools directory.
2. Type the command rendom /prepare. The rendom utility will check for
the following:
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 347
Working with Forests and Domains • Chapter 4
Active Directory
Container
Attribute
Is Replicated To
Partitions
Partitions
Partitions
msDS-UpdateScript
msDS-DnsRootAlias
servicePrincipalName
Every DC in the forest
Every DC in the forest
Every DC in a domain and the GC
servers
3. Verify the existence of the state file dclist.xml in the RenameTools directory and that it contains an entry for every DC in your forest showing a
state of Prepared.
The control station computer issues an RPC to every DC in the forest when you run
the rendom /prepare command.The results are tracked by the state file dclist.xml.This RPC
executes on each DC to verify that its directory replica is in a healthy state and that it is
ready to run the domain rename instructions. Rendom updates the state field in each DC
section of the dclist.xml file to the Prepared status as shown by (<State>Prepared</State>) if
it is successful. If not, check the command execution log called rendom.log in the current
working directory. It contains valuable information about the actual tasks performed by the
tool, and at what stage or on which DC the problem occurred.
During this time, the forest must be quiescent.You must not make any changes to the
Active Directory such as adding or removing domains, DCs, directory partitions, or trust
relationships. Rendom will detect this type of activity and require you to execute rendom
/end. If this happens, you will have to start over again from step 3 and redocument the
forest configuration.
Do not proceed until all DCs are in the Prepared state.
STEP 8: Execute Instructions
The script you uploaded to the msDS-UpdateScript attribute on the Partitions container on
every DC in the forest will now be executed.To execute the domain rename instructions, you
will run the rendom utility, which causes the control station computer to issue an RPC to
each DC in the forest individually. As the DCs receive their execute commands, they run the
rename instructions that they have already received, and then reboot automatically. At the end
of step 8, every DC tracked by the state file dclist.xml will be in one of two final states:
■
Done The DC has successfully completed the domain rename operation.
■
Error The DC has encountered an irrecoverable error and can never complete
the domain rename operation.
www.syngress.com
347
256_70-294_04.qxd
348
9/4/03
4:29 PM
Page 348
Chapter 4 • Working with Forests and Domains
NOTE
There will be a temporary disruption in service while the DCs respond to the
rendom utility and reboot.
Executing the Domain Rename Instructions on All DCs
Now you need to use the rendom command again.This time, all of your preparation and
planning will come to fruition.Think of this stage as “flipping the switch.” Follow these
steps to run the Rendom utility from a command prompt and then check the state file
dclist.xml for the status of each DC.The Rendom command must be repeated until all
DCs have either successfully executed the domain rename, or you have established that one
or more DCs are unreachable and will be removed from the forest.
1. Open a command prompt, and change to the RenameTools directory.
2. Type the command rendom /execute.
3. Verify the existence of the state file dclist.xml in the RenameTools directory and
that it contains an entry for every DC in your forest showing a state of Done or
Error.
4. If dclist.xml shows any DCs still in the Prepared state, repeat step 2 as many times
as needed until the stopping criterion is met, which is the Done or Error state.
NOTE
Don’t worry about running the command multiple times, because rendom /execute
skips any DC in the Done or Error state no matter how many times you run it, and
only retries those in the Prepared state.
The control station issues an RPC to every DC in the forest that is known to the state
file dclist.xml, which commands it to execute the rename instructions that it already has,
and then reboot.The DC’s entry in the state file will be updated to read
<State>Done</State>. If it fails with a fatal or irrecoverable error, the DC’s state file entry
will be updated to read <State>Error</State>.When it reaches the Error state, the error
code is written to the last error field <LastError></LastError> and a corresponding error
message is written to the <FatalErrorMsg></FatalErrorMsg> field.
If a DC reached the Error state in the dclist.xml file, but you believe it is a recoverable
error that you have since corrected, you can force the rendom /execute command to retry
issuing the RPC to that DC as described in the following steps.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 349
Working with Forests and Domains • Chapter 4
Forcing rendom /execute to Re-Issue
the RPC to a DC in the Error State
To force Rendom / execute to re-issue the RPC to a DC in the Error state follow
these steps:
1. Open a command prompt, and change to the RenameTools directory.
2. Locate the <Retry></Retry> field in the dclist.xml file for the DC that you
want to retry.
3. Change the entry to <Retry>yes</Retry> for that DC, and resave the file.The
next execution of the rendom /execute command will re-issue the execute-specific
RPC to that DC.
4. Type the command rendom /execute.
5. Check the state file dclist.xml to see if it contains an entry for the retried DC. If
it says the state is Done, then the RPC was successful; if it shows a state of
Prepared, then retry step 4; if it shows a state of Error, you can start this exercise
over at step 2 or proceed to step 6.
6. Declaring the Execute Instructions stage complete is at your discretion. If all the
DCs show a state of Done or Error, you can stop.You can retry execution
attempts repeatedly if you have an Error, but when you decide to stop trying, you
must remove Active Directory from any DC still in the Error state.
NOTE
Don’t worry about running the command multiple times, because rendom /execute
skips any DC in the Done or Error state no matter how many times you run it, and
only retries those in the Prepared or Error/Retry state.
One final warning:The DNS host names of the DCs in the renamed domains do not
change automatically in the manner of the member servers. In other words, the fully qualified DNS host name of a DC in the renamed domain will continue to reflect the old
domain name in its DNS suffix. A different procedure is required for that. See the section
Renaming a Domain Controller.
STEP 9: Unfreeze the Forest Configuration
During this procedure, the forest should have been quiescent.You should not have attempted
any changes to the Active Directory such as adding or removing domains, DCs, directory partitions, or trust relationships other than those called for in the procedure. Perform the steps in
Exercise 4.26 to unfreeze the forest configuration. Now that the core portion of the rename
process is complete, you can press forward with those types of activities, although the best
www.syngress.com
349
256_70-294_04.qxd
350
9/4/03
4:29 PM
Page 350
Chapter 4 • Working with Forests and Domains
practice is to finish the rename procedure first, along with any post-procedure tasks that are
needed.When the forest is stable and healthy, then proceed normally.
EXERCISE 4.26
UNFREEZING THE FOREST CONFIGURATION
1. Reboot the control station twice. This will ensure that all local services
learn of the new DNS and/or NetBIOS name of the control station’s
domain.
2. Open a command prompt, and change to the RenameTools directory.
3. Type the command rendom /end. Note that this command removes the
msDS-UpdateScript attribute from the Partitions container of the
Domain Naming Master FSMO.
STEP 10: Re-establish Trusts
The intraforest shortcut trusts created in the preliminary steps are automatically adjusted
during the domain rename operation so they will continue to work. Unfortunately, your
external trusts, including cross-forest trusts, were not protected and must be re-established.
You must be a member of the Domain Admins group in the target domain of the external
trust to delete and recreate inter-forest and external trusts. Refer to Chapter 5 for the trustcreation procedures.
STEP 11: Repair DFS Topology
In this step, you will repair references to a renamed domain in the DFS topology data.The
dfsutil.exe command-line tool will accomplish this. Dfsutil scans the entire topology for a
given DFS root including the root name, root replica servers, and link target servers, and
fixes any occurrences of the oldname with the newname as specified on the command line.
Dfsutil also connects to DFS root replica servers and changes the topology information
held in its local Registry there as well.
To perform Exercise 4.27, you must be a member of the Domain Admins group in the
target domain of the DFS fix-up.The DFS utility might need to be run more than once to
fix the topology for every DFS root. All DFS root servers in a renamed domain must be
running Windows 2000 with Service Pack 3 or higher.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 351
Working with Forests and Domains • Chapter 4
EXERCISE 4.27
REPAIRING THE DFS
TOPOLOGY
1. Use the DFS MMC snap-in or the dfsutil.exe utility to examine the DFS
topology. The first step is to prepare a list of DFS roots where a root
path, root replica server name, or a link target server name needs to be
fixed as a result of renaming the domain. Subsequent steps describe
when each topology component needs to be repaired. Note that the
DFSutil.exe utility can only repair domain-based DFS root topologies,
not stand-alone DFS roots.
2. Examine your DFS topology for any domain-based DFS root paths. They
need to be changed in the topology when the domain name changes.
For example, if the name of the domain zoo.net changed to naturepreserve.net, then a domain-based DFS root named \\ zoo.net \public
would need to be changed to \\naturepreserve.net\public. Remember
that if the root path uses the NetBIOS name of the domain, and the
NetBIOS name of the domain was not changed, then it does not need
to be repaired.
3. Any domain-based DFS root replica host name or link target host name
needs to be changed in the DFS topology during the domain rename
process if it is specified as a fully qualified DNS name. For example, the
DNS host name of a DFS replica server named guppy.zoo.net might
change to guppy.naturepreserve.net because of the domain name
change. Likewise, a DFS link might need to be changed from
\\poodle.zoo.net\good places to bury a bone to \\poodle.naturepreserve.net\bones Again, NetBIOS names only change if they were
instructed to change during the rename process.
4. On the control station, open a command prompt and change to the
RenameTools directory. For every DFS root that requires a repair of any
topology component described previously, type the following command (the entire command must be typed on a single line): DFSutil
/RenameFtRoot /Root:DFSRootPath /OldDomain:OldName/
NewDomain:NewName /Verbose. Note that:
■
DFSRootPath is the DFS root to operate on; for example, \\naturepreserve.net\public.
■
OldName is the exact old name to be replaced in the topology for
the DFS root.
■
NewName is the exact new name to replace the old name in the
topology.
www.syngress.com
351
256_70-294_04.qxd
352
9/4/03
4:29 PM
Page 352
Chapter 4 • Working with Forests and Domains
5. Check your fixed DFS topology again to confirm that it reflects the
renamed domain.
6. Reboot all DFS root replica servers twice to refresh the DFS service
topology information.
7. Repeat steps 1 through 6 for every renamed domain. You can enter the
commands in sequence.
STEP 12: Repair Group Policy Objects and Links
GPOs and GPO references in each renamed domain need to be repaired with the
gpfixup.exe command-line tool as shown in Exercise 4.28.These GPOs and their links still
have the old domain name embedded in their properties, and will not function normally
until repaired. Managed software deployment is also impaired because Group Policy-based
software installation and maintenance data such as software distribution point network paths
can also be based on the domain name. Gpfixup.exe will repair these for you as well, and it
needs to be run once in each renamed domain. Moreover, since GPOs cannot reference
application directory partitions, there is no repair required on those.This step completes the
core domain rename procedure; however, many other steps could be necessary depending
on your configuration as shown in the section Steps to Take After the Domain Rename
Procedure.
NOTE
The GPO/link fix-up procedure does not repair interdomain GPO links. If you have
any of these in your forest, they will have to be repaired manually. This is a matter
of breaking and reestablishing each link. It also does not repair network paths for
software distribution points that are external to the domain.
EXERCISE 4.28
REPAIRING GPOS
AND
LINKS
1. Open a command prompt. Click Start | All Programs | Accessories |
Command Prompt.
2. Change to the RenameTools directory.
3. Type this entire command on a single line: gpfixup
/olddns:OldDomainDnsName /newdns:NewDomainDNSName
/oldnb:OldDomainNetBIOSName
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 353
Working with Forests and Domains • Chapter 4
/newnb:NewDomainNetBIOSName/dc:DcDnsName 2>&1
>gpfixup.log. In this case:
■
OldDomainDnsName is the old DNS name of the renamed domain.
■
NewDomainDnsName is the new DNS name of the renamed
domain.
■
OldDomainNetBIOSName is the old NetBIOS name of the renamed
domain.
■
NewDomainNetBIOSName is the new NetBIOS name of the
renamed domain.
■
DcDnsName is the DNS host name of a DC in the renamed domain,
preferably the PDC Emulator. Pick one that successfully completed
the rename operation with a final Done state in the dclist.xml state
file in step 8.
NOTE
The command line parameters /oldnb and /newnb are only required if the NetBIOS
name of the domain changed; otherwise, these parameters can be omitted from
the command line for Gpfixup. In addition, the redirected output—both status and
errors—is saved to the file gpfixup.log, which can be periodically displayed to monitor progress of the command.
4. To force replication of the Group Policy repair changes to the rest of
the DCs in the renamed domain, type repadmin /syncall /d /e /P /q
DcDnsName NewDomainDN and then press Enter. In this case:
■
DcDnsName is the DNS host name of the DC that was targeted by
the gpfixup command.
■
NewDomainDN is the DN corresponding to the new DNS name of
the renamed domain.
NOTE
Remember, the DNS host name of a DC in a renamed domain does not change
automatically when the domain name changes. Use the old name unless you have
changed it manually to the new one at this point.
5. Repeat steps 3 and 4 in this procedure for every renamed domain. You
can do them in sequence. For two domains, execute gpfixup twice and
www.syngress.com
353
256_70-294_04.qxd
354
9/4/03
4:29 PM
Page 354
Chapter 4 • Working with Forests and Domains
repadmin twice. Do not run gpfixup more than once for each renamed
domain, and do not run it at all for renamed application directory
partitions.
Steps to Take After the Domain Rename Procedure
Follow the instructions in this section to be sure that all functionality relying on an accurate
domain name has been addressed. One of the main concerns involves your Enterprise CA.
Verifying Certificate Security
If you use enterprise certificates, perform all of the following procedures after domain
rename is complete.Your enterprise CA can be configured with both LDAP and HTTP
URLs pointing to your CRL. Determine your certificate attributes before continuing.
NOTE
If you only have LDAP URLs in your enterprise certificates, then all previously issued
certificates will stop working when you rename the domain. The only available
workaround for correcting the LDAP CDP and AIA pointers is to renew your entire
CA hierarchy and reissue all End Entity certificates. This will result in PKI downtime
until you resolve these issues.
Preparing URLs for CDP and AIA Extensions After Domain Rename
To ensure that your old enterprise certificates operate properly after the domain rename,
make a CNAME DNS record redirecting the old HTTP server name to the new DNS
name for the server, as shown in Exercise 4.29.This refers to the host servicing the CRLs
of your CA.With this redirection, the HTTP URLs in the old certificates will continue to
be valid.This is needed so that the client machines will be able to obtain CRLs and CA
certificates for verification purposes.
EXERCISE 4.29
CONFIGURING DNS
FOR THE
REDIRECTING ALIAS ENTRY
1. Click Start | Administrative Tools | DNS.
2. Expand the DNS server entry.
3. Right-click the old DNS zone.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 355
Working with Forests and Domains • Chapter 4
4. Select New Alias (CNAME ).
5. In the Alias name box, type the original FQDN of the HTTP server.
6. In the Fully qualified domain name for target host box, type the new
FQDN of the HTTP server, and then click OK.
7. Test the new mapping by pinging the FQDN of the old HTTP server
from a command prompt. The ping should be redirected automatically
to the new FQDN of the HTTP server.
NOTE
You can remove the CNAME record when you are assured that all existing certificates have been renewed.
Verifying the Use of User Principal Names
Smart card logons via Kerberos require that the UPN in the user certificate match the UPN
in the user account in Active Directory.The two types of UPNs are implicit and explicit.
■
Implicit UPN The absence of an explicitly assigned value for its UPN attribute
means that a user account is assumed to have an implicit UPN for authentication
purposes based on the DNS name of the domain in which the account exists. If
the DNS name changes, the implicit UPNs of all user accounts in the domain
also change. Both the old and the new implicit UPNs will be accepted for
authentication until the cleanup step described later. After that step, only the new
implicit UPN will be accepted.
■
Explicit UPN A domain user account is said to have an explicit UPN if it has an
explicitly assigned value for its UPN attribute. If the DNS name changes, the
explicit UPNs of user accounts are not impacted, and no additional action is
needed to maintain certificate functionality.
Enabling Certificate Enrollment in the Renamed Domain
In the new domain, you need to enable certificate enrollment using either autoenrollment
or the Certificates MMC snap-in.To accomplish this, a small change has to be made in
Active Directory to the Enrollment Services container in the configuration directory partition (cn=Enrollment Services,cn=Public Key Services, cn=Services, cn=Configuration,
dc=ForestRootDomain).This container holds a CA object with a dNSHostName attribute containing the old DNS name of the CA machine. For convenience, you can use the Visual
www.syngress.com
355
256_70-294_04.qxd
356
9/4/03
4:29 PM
Page 356
Chapter 4 • Working with Forests and Domains
Basic script shown here to change the value of this attribute.This is an advanced procedure,
and should only be performed by experienced systems administrators and systems engineers. Do not attempt it if you are unfamiliar with scripting, Registry editing, and the dangers involved with both.
Perform the following procedure for each CA in your domain. In addition, note that
you will have to set the container name, CA name, CA host name, and DNS names to
match your domain configuration.
Execute the following commands within a Visual Basic script, or use this information
with any other LDAP administration tool. It references your CA and changes the dnshostname object attribute:
name = "LDAP://CN=CAName,CN=Enrollment Services,CN=Public Key Services,
CN=Services,CN=Configuration,DC=SubDomain,DC=Domain,DC=RootDomain"
Set obj = GetObject(name)
Obj.dnshostname = "TheCAMachine’sNewDNSName"
Obj.setinfo
Change the Registry on each CA machine to reflect its new DNS name. On the CA
machine, open the Registry editor and locate the entry CAServerName under
HKLM\System\CurrentControlSet\CertSvc\Configuration\YourCAName. Change the
value in CAServerName to correspond to your new DNS host name.
To enable proper Web enrollment, update the file used by your Web enrollment ASP
pages. On each CA machine, search for the file named certdat.inc. On a default install, it is
located in the %windir%\system32\certsrv folder. Save a copy of this file before editing,
open it using Notepad, change the DNS name of the CA machine in the file, and resave it
as certdat.inc. Note that the sServerType value can be either “Enterprise” or “StandAlone.”
The value you should change is marked in the following code in bold, (sServerConfig).The
certdat.inc file looks something like this:
<%' CODEPAGE=65001 'UTF-8%>
<%' certdat.inc - (CERT)srv web - global (DAT)a
' Copyright (C) Microsoft Corporation, 1998 - 1999 %>
<%
' default values for the certificate request
sDefaultCompany=""
sDefaultOrgUnit=""
sDefaultLocality=""
sDefaultState=""
sDefaultCountry=""
' global state
sServerType="Enterprise"
sServerConfig="DNSName\CAName"
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 357
Working with Forests and Domains • Chapter 4
sServerDisplayName="CAName"
nPendingTimeoutDays=10
' control versions
sXEnrollVersion="5,131,2510,0"
sScrdEnrlVersion="5,131,2474,0"
%>
Update the Shared Folder option.You also need to edit the certsrv.txt file to reflect the
new DNS name of the CA machine if the CA was installed with the shared folder option.
This file is located in your shared folder.
Verify the validity of CDP and AIA extensions.Your CDP and AIA extensions are
sometimes hard coded. If they are, you must change the extension URLs to reflect the new
DNS name of the CA machine.This is done in the following manner:
1. In the Certification Authority MMC snap-in, right-click the CA name and select
Properties.
2. On the Extensions tab, check the CDP and AIA extensions, paying particular
attention to the portion bolded in the following examples:
■
Flexible extensions have the following format:
http://<ServerDNSName>/CertEnroll/<CAName>
<CRLNameSuffix><DeltaCRLAllowed>.crl.
■
Hard-coded extensions have the following format: http://dnsname.companyname.com/certenroll/<CAName><CRLNameSuffix><DeltaCRLAllow
ed>.crl
3. If the CDP and AIA extensions are flexible, then take no action.
4. If the CDP and AIA extensions are not flexible, or hard coded, change the extension URLs to reflect the new DNS name of the CA machine.
Only if the CA is running on Windows 2000, change the Registry to reflect the new
domain name for the LDAP extension for the CDP as shown in the following steps:
1. On the CA machine, open the registry editor and locate the entry
LDAPRevocationDN under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\C
onfiguration
\YOURCANAME\ExitModules\CertificateAuthority_MicrosoftDefault.Exit.
2. Change the value in LDAPRevocationDN to reflect the new domain name for the
LDAP extension.
That covers the procedure necessary to complete the renaming process for the CA
server itself, but other servers also need changes to complete the process.You will need to
www.syngress.com
357
256_70-294_04.qxd
358
9/4/03
4:29 PM
Page 358
Chapter 4 • Working with Forests and Domains
perform the following steps on servers hosting functions such as Web proxy, revocation, and
enrollment within your CA hierarchy. As before, be careful with changes to the Registry
and ensure that you have good backups before performing these steps.
First, update the CA Web proxy. If you have a Web proxy machine for CA web pages
whose DNS host name has changed, then you need to change the following Registry key:
1. Open the registry editor and locate the entry WebClientCAMachine under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\
Configuration.
2. Change the value in WebClientCAMachine to correspond to your new CA Web
Proxy DNS host name.
Now, update the Netscape revocation check mechanism:
1. On all machines where Web pages for the CA reside, such as on the Web proxy
itself and on the CA servers, look for a file named nsrev_CANAME.asp containing the DNS host name of the CA machine that is used by the Netscape
revocation checking mechanism. Under the default installation settings,
nsrev_CANAME.asp will be in the folder %Windir%\system32\certsrv\certenroll, and its contents will be similar to:
<%
Response.ContentType = "application/x-netscape-revocation"
serialnumber = Request.QueryString
set Admin = Server.CreateObject("CertificateAuthority.Admin")
stat = Admin.IsValidCertificate("CAMachineDnsHostname\CANAME",
serialnumber)
if stat = 3 then Response.Write("0") else Response.Write("1") end if
%>
2. Open nsrev_CANAME.asp with Notepad and change the
CAMachineDnsHostName, as bolded in the preceding entry, to correspond to the
new DNS host name.
Finally, change the User Identity for SCEP Add-on: If the Simple Certificate
Enrollment Protocol (SCEP) Add-on for Microsoft Certificate Services is installed, check
the user context where the MSCEP process runs. Since the IIS metabase is not altered
during domain rename, you might need to change this username to reflect the new name
NewDomainname\UserName. To change the user identity for SCEP in IIS:
1. In the IIS MMC snap-in, browse to Application pools.
2. Under Application pools, right-click the folder for SCEP and select
Properties.
3. On the Identity tab, change the username as described previously.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 359
Working with Forests and Domains • Chapter 4
Renewing Subordinate and Issuing CA Certificates
After you have performed Exercises 4.29, 4.43, and 4.44 on all CA or CA-related servers as
called for, you should renew all certificates to update the CDP and AIA locations. Start
with all subordinate and issuing CAs certificates in hierarchical order, starting from the top.
After that is complete, update the group policy on all machines to ensure that the new root
CA certificates have full distribution.
Publishing new Certificate Revocation Lists
On all CA machines in the renamed domain, publish new Delta and Base CRLs by running the certutil.exe –crl command.
Updating Domain Controller Certificates
Any authentication mechanism based on certificates, such as replication and smart cards,
requires an update to the DC certificates. If template-based autoenrollment was set before
the domain rename procedure, these certificates can be updated by incrementing the version number of the Domain Controller Authentication and Directory Email Replication
Certificate templates to force re-enrollment. If autoenrollment was not already set, roll out a
Group Policy setting Machine-Based Autoenrollment.When that takes effect, the DC
machines will re-enroll and update the existing V1 Domain Controller Certificate. If you
increase the version number on other templates, especially those related to authentication,
they will also trigger autoenrollment for users and their machines.
Miscellaneous Tasks
Microsoft recommends a number of other follow-up tasks to the domain rename procedure.These tasks should be performed, but no particular order is necessary.
Publishing Service Connection Points for
Renamed TAPI-Specific Application Directory Partitions
During the domain rename procedure, you might have renamed TAPI-specific application
directory partitions. If so, then you need to republish service connection points for the new
name of the application directory partition.This will allow TAPI clients to locate the newly
named partition. At the same time, you need to remove the service connection points for
the old name.
This is a simple matter of removing the old service connection point by executing the
command
tapicfg removescp /directory:mstapi.olddomainname /domain:newdomainname
You then need to publish a new service connection point for the new application
directory partition name by executing the command:
tapicfg publishscp /directory:mstapi.newdomainname /domain:newdomainname
/forcedefault
You should execute both commands from the control station.
www.syngress.com
359
256_70-294_04.qxd
360
9/4/03
4:29 PM
Page 360
Chapter 4 • Working with Forests and Domains
Orchestrating a Password Reset for Digest Authentication
If you are using a Digest authentication mechanism using the DNS domain name as the
realm, then Digest authentication cannot be used after a domain rename until a given user’s
password is changed.You will have to ensure that all users reset their passwords. Digest
authentication does the same thing as Basic authentication, but it provides a security
improvement in the way in which a user’s credentials are sent across the network. Using
Digest authentication, credentials are transmitted across the network as an MD5 (message
digest) hash.When this is done, the original username and password cannot be easily deciphered using packet-sniffing tools. Here are some suggestions on how to accomplish this:
1. Expire all user passwords by changing your domain password policy in the
renamed domain.
2. Send out an e-mail warning users that they must change their passwords immediately after they reboot their machines for the second time after the rename.
Users change their passwords by using Ctrl+Alt+Del and clicking the Change
Password button.
Remove Any Redundant Inter-Domain Trusts within Your Forest
During forest restructuring, as opposed to simple domain renaming, you created additional
shortcut trusts to preserve complete trust between all domains in your new forest.
Sometimes, there will be old trust relationships that are no longer needed due to the new
structure. Review all trusts for obsolete or incorrect relationships, and use the Active
Directory Domains and Trusts MMC snap-in to remove them.
Repairing Start Menu Shortcuts
for the Security Policy MMC Snap-Ins
The shortcuts to the Domain Security Policy and Domain Controller Security Policy
MMC snap-ins in the Start menu are broken by the name change as well.The following
steps show how to repair these snap-ins. Perform them on every DC in every renamed
domain as needed.
To repair the shortcut for the Domain Security Policy snap-in:
1. Click Start | Programs | Administrative Tools.
2. Right-click Domain Security Policy and select Properties.
3. Edit the Target field to replace the old domainname that appears as part of the
/gpobject: parameter with the new domainname, click OK.
To repair the shortcut for the Domain Controller Security Policy snap-in:
1. Click Start | Programs | Administrative Tools.
2. Right-click Domain Controller Security Policy and select Properties.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 361
Working with Forests and Domains • Chapter 4
3. Edit the Target field to replace the old domainname that appears as part of the
/gpobject: parameter with the new domainname, and click OK.
Removing Group Policy Setting the Primary DNS Suffix of Member
Computers in Renamed Domains
If you performed computer renames in groups to avoid excess replication traffic, you configured and applied a group policy to apply the primary DNS suffix setting to member
computers in your renamed domains.This policy can now be removed.
Removing DNS Zones that Are No Longer Needed
With name changes occurring, some of the DNS zones in your DNS infrastructure might
be obsolete. Old records might still exist. Use the DNS administration tool to remove the
old DNS zones.
Backing Up Domain Controllers
The content of the Active Directory database, system Registry, and GPOs on the DCs will
have changed as a result of the domain rename operation. For this reason, your pre-procedure backups are no longer up to date, and new ones should be performed right away.
As a post-domain rename procedure, perform the following steps:
1. Back up the system state: Accomplish a full system state backup of all DCs in the
forest so that you have a recoverable backup state.
2. Back up GPOs: Download and install the Group Policy Management Console
(GPMC) from the Microsoft Web site. GPMC makes Group Policy easier to use,
and adds functional improvements such as the ability to back up GPOs independently of the rest of Active Directory. If you backed up GPOs with GPMC prior
to the domain rename operation, those objects cannot be restored afterward from
those backups.
3. Back up all data volumes.
You should back up the system state and all data volumes at the same time.This precaution prepares you in case you need to rebuild the server. Better yet, create an Automated
System Recovery (ASR) backup set.You should do this whenever the OS changes, such as
when you install new hardware, drivers, or a service pack. It especially holds true after a
domain rename.With an ASR backup set, you can recover from a system failure with more
confidence and ease.You need to back up all data volumes at the same time because ASR
protects only the system areas, not the data.
The system state is a collection of system-specific data within the OS that must be
backed up as a unit. It does not provide a replica of the entire system.The system state data
includes the following: the Registry, the COM+ Class Registration database, system files,
boot files, and all files covered by Windows File Protection. If the server is a certificate
www.syngress.com
361
256_70-294_04.qxd
362
9/4/03
4:29 PM
Page 362
Chapter 4 • Working with Forests and Domains
server, the system state backup also includes the Certificate Services database. If the server is
a DC, it includes the SYSVOL directory and the Active Directory database. Finally, if the
server is a node in a cluster or a Web server, the system state includes the cluster database
information or the IIS Metabase, respectively.
Restart Member Computers
All member computers in the renamed domains in your forest must be restarted to trigger
the domain membership changes. Some tips for performing this step include:
■
Reboot member computers twice.
■
Member computers on a wireless LAN (WLAN) should be connected to a wired
network while performing the two required reboots. Otherwise, eject the wireless
network card and then reinsert it after logon prior to each reboot.
■
Disjoin and rejoin any remote computers that connect to the renamed domain
through a remote connection such as dial-up and VPN.
■
Disjoin and rejoin any Windows NT 4.0–based computers.
Attribute Clean-Up After Domain Rename
As the last mandatory procedure, this step removes all values of the msDS-DnsRootAlias
and msDS-UpdateScript attributes from Active Directory that were written during the
domain rename operation by connecting to the Domain Naming Master DC. Simply execute the rendom /clean command from a command prompt at the control station.
Rename Domain Controllers
As previously noted, the DNS host names of DCs in the renamed domains do not change
automatically.This host name can be changed using a special procedure.The time it takes
for the name change to replicate throughout the DNS and Active Directory databases
might cause a temporary inability of clients to locate or authenticate to the renamed computer. For that reason, renaming a DC requires that you follow a computer rename preparation procedure.This precludes service interruptions.
In Windows 2000, the process of renaming a DC involves demoting, renaming, and
promoting again. Since the process of re-promoting the DC requires a replication of the
Active Directory, this can take a long time. Renaming a DC in Windows Server 2003 is
much easier than it was in 2000, but that does not mean it is a simple procedure. Before
renaming, you need to transfer operational master roles to another computer. If it is a GC
server, you should move that role as well. Remember that the first DC that you installed in
the forest is the root DC.This DC is responsible for the GC and for all FSMO roles unless
you have spread them out manually. In this case, you need to install a second DC and
transfer all of these functions to it before you rename the first server.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 363
Working with Forests and Domains • Chapter 4
The way in which Windows 2003 implements this new capability is through a new
Computername option in Netdom.exe.This is a relatively quick and safe procedure,
requiring only a reboot.The first step is to install the Support Tools from the Windows
Server 2003 distribution CD on every DC that you want to rename. If you are performing
a domain rename, then you are already at the Windows Server 2003 functional level.
Domain controller rename is only supported at that level.
There are several cautions when changing a DC’s computer name:
■
It might be tempting to go directly to My Computer | Properties |
Computer Name and click the Change button just as you would for any other
computer.Windows 2000 grayed out the option, but in Windows Server 2003, the
button is functional.Windows allows this simpler version of renaming with only a
warning, but replication latency renders the DC unavailable for a period of time
even though the DNS SRV records are still offering the DC’s services to the network.The safe method is to use the netdom utility.
■
Don’t be confused by the command syntax. Microsoft calls the option to change
the computername “computername.”This can easily be confused with the actual
name of the computer that you need to type into the command line.
■
Most command-line utilities in Windows Server 2003 call for a computername
argument.Typically, this requires a DNS name, but in the case of the domain controller rename, it expects the NetBIOS name instead. If you are unsure of the distinction, use the NBTSTAT-n command from a command line on your DC.The
output shows only NetBIOS names and their identifying suffixes.The name registered for Domain <00> is the NetBIOS domain name, while the Computername
<20> record, identifying the Server service, is also the computer’s NetBIOS host
name.
NOTE
The NBTStat command gives you access to a lot of information. Microsoft
Knowledge Base article 163409 describes NetBIOS suffixes, (which are identified by
the16th character of the NetBIOS name), and article 119495 lists and describes
some of the names that register with the WINS Service. NBTStat, within its various
options, gives you NetBIOS services, sessions, status, and statistics. It can also
remove, correct, and reload NetBIOS name cache entries, and display the primary
Media Access Control (MAC) address of a remote NetBIOS-compatible host.
Follow these steps to rename your Windows Server 2003 DC:
1. Log in as a domain administrator and open a command prompt.
2. Execute the rename command:
www.syngress.com
363
256_70-294_04.qxd
364
9/4/03
4:29 PM
Page 364
Chapter 4 • Working with Forests and Domains
Netdom Computername OldComputerNetBIOSname /add:
NewComputerFQDN
3. Verify the secondary name with the following command:
Netdom Computername OldComputerNetBIOSname /enumerate
The command will report old and new DNS names. Allow some time for the
computer account to be replicated throughout the domain, and the DNS resource
records to be distributed to the authoritative DNS servers.
4. Select the new computername as the primary one:
Netdom Computername OldComputerNetBIOSname /makeprimary:
NewComputerFQDN
The /enumerate option should have displayed both computer names.Type the new
name exactly as shown by the command in step 3. Now that you have changed
the primary name, the /enumerate command will not work again until you reboot.
5. Reboot and log on as a domain admin.
6. Check the names again:
Netdom Computername NewComputerNetBIOSname /enumerate
7. Delete the old computer name:
Netdom Computername NewComputerNetBIOSname /remove:
OldComputerFQDN
Type the old name exactly as shown by the /enumerate command in step 6.
8. Confirm the functionality of the new name. Using the DNS administrator,
expand the DNS server icon. Click the forward lookup zone and check for an
(A) record for the new computer name.Verify that it points to the correct IP
address.There should not be a host record for the old name. If you find one,
delete it.
WARNING
Netdom doesn’t change any DNS delegation records that are based on the old
computer name. If you have them, they will need to be manually corrected or
replication will fail. Specifically, check for delegation records in the _msdcs zone.
Consult Microsoft Knowledge Base Article 321046 for instructions on how to use
the DNSLint utility to troubleshoot active directory replication issues.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 365
Working with Forests and Domains • Chapter 4
Implementing DNS in the Active Directory
Network Environment
DNS is a service that takes the user-friendly names of the Internet and looks up their associated IP addresses. Active Directory uses DNS in the same way, looking up servers and services for users and applications. Because DNS is a hierarchical naming system, all Internet
names exist within one of many available namespaces. One particularly familiar root namespace is the .com domain.The purpose of this hierarchy is to ensure that all names within a
given namespace are unique.This way, when you connect to Microsoft.com, you know that
you are connecting to the Microsoft.com owned by Microsoft, and not a Microsoft.com
owned by some other company. Another function of DNS is to send you an IP address
based on the service you want, rather than the machine name you want. Say that you send
e-mail to an address in another company.Your mail server doesn’t have to know the host
name of the destination mail server to get its IP address. Instead, it asks DNS, “Who is the
mail server for that domain?” DNS answers with an IP address, and your e-mail is sent.
Within your enterprise, DNS operates in much the same way; looking up IPs and
helping people get access to the resources they need. On your network, there are many different servers and services. Fortunately, dynamic update allows your servers to update DNS
tables on their own, advertising their services automatically as you install them and move
them around. For example, when a user tries to log on, his or her station asks DNS, “Where
is a logon server?” DNS looks up what is called a service location resource record (SRV)
for logon servers and sends it back to the user’s station, which connects to a DC for logon.
Whatever implementation of DNS you use with your Active Directory, it must support
these SRV records. Using the Windows implementation of DNS gives you additional features that make it easier to use. For example, when you install a new domain, the DNS
zones are automatically created and configured for you, significantly reducing the time you
must spend manually configuring each DNS server. If you do have problems, the Windows
Server 2003 DNS service has configuration enhancements that simplify the debugging and
logging of incorrect DNS configurations.This helps you solve problems faster by suggesting
troubleshooting steps for you to take. Another way in which Active Directory helps you
configure DNS is through Group Policy for DNS clients.This greatly simplifies the implementation of DNS changes.
Windows 2000,Windows XP, and Windows Server 2003 are similar in their user interfaces for DNS, but Windows NT is significantly different.Table 4.8 shows a comparison of
the administrative tools used in NT versus more recent versions.
www.syngress.com
365
256_70-294_04.qxd
366
9/4/03
4:29 PM
Page 366
Chapter 4 • Working with Forests and Domains
Table 4.8 Comparison of Administrative Tools in Windows NT vs. Windows Server
2003
DNS Task
Windows NT 4.0 uses
Windows 2000, XP, and Server
2003 use
Installing the DNS
server service
Starting the DNS
Manager
Starting, stopping,
or restarting the
DNS service
Network control panel
Windows Components wizard
Start | Administrative
Tools | DNS Manager
Services control panel
Start | Administrative Tools |
DNS
Start | Administrative Tools |
DNS, then right-click
Computername | All Tasks and
select Start, Stop, Pause, Resume,
or Restart
In the DNS tool, right-click DNS
| Connect to DNS Server…, The
following computer: type
Computername, click OK
Adding a remote
Server menu in DNS
server to DNS Manager Manager
DNS and Active Directory Namespaces
Active Directory uses the DNS standard for naming objects. Like DNS, Active Directory is
a hierarchical arrangement of objects within objects. Active Directory uses the same rules
and procedures as DNS to resolve domain names, computer names, and service names. An
enterprise with Internet connectivity can register its internal Active Directory forest-root
domain as an Internet domain with one of the Internet naming registries.With an external
namespace like this, the domains and trees within your forest become subdomains of an
Internet root domain.
For security reasons, the confidentiality, integrity, and availability of your company’s
information assets is usually protected by a number of methods. One method is to implement an internal namespace that is hidden from the publicly accessible Internet.Technically
speaking, you can use the same name on your internal and external namespaces while
maintaining them as isolated entities. However, your users and system administrators will be
easily confused by the parallel names, and conflicts can arise. Keeping your external namespace separate and distinct from your internal ones makes it easier to maintain firewall and
router configurations, especially when using domain name filters and exclusion lists. If you
publish your Active Directory namespace externally, then you supply potential hackers with
a portion of your naming system.This is part of what they need to compromise your user
accounts and computer services. In addition, internal namespaces are not constrained by
worldwide Internet uniqueness. If you want, instead of limiting yourself to .com, .net, or
.org, you could name your internal domain Ilove.golf or anything else you choose within
the limitations of RFC 1123 and UTF-8 standards.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 367
Working with Forests and Domains • Chapter 4
NOTE
In Active Directory, NetBIOS computer and service names are simply generated by
using the first 15 characters of the DNS host name. That means the first 15 characters before the first dot in the fully qualified DNS hostname—anything after the
first dot doesn’t count. Active Directory has no dependence on NetBIOS names,
although they still work to provide backward compatibility with pre-2000 versions
of Windows.
In Windows Server 2003, Active Directory supports multiple discontiguous interforest
namespaces through the implementation of GCs, and multiple discontiguous extraforest
namespaces through the use of routing hints.This means that multiple namespaces can
coexist within the same Active Directory.You should, however, be aware that name collisions
are possible using cross-forest trusts if namespaces overlap within the federated forest.
DNS Zones and Active Directory Integration
Standard DNS zones are stored in text files in the %systemroot/System32/Dns folder. After
DNS is integrated into the directory, it exists in a dnsZone container object identified by
the name of the zone. DNS and Active Directory can use identical names for different
namespaces. For this reason, it is important to understand that they are not the same namespace. DNS contains zones and records, while Active Directory contains domains and
domain objects.
Windows Server 2003 brings in a new feature that blurs the line between DNS and
Active Directory, called application partitions.With this release of Windows, DNS zones and
records can be contained within the Active Directory itself, and are subject to the same
replication and authentication parameters. Some advantages of this include a reduction in
the number of objects stored in the GC, and a finely tuned replication domain. Regular
Active Directory integrated DNS zones are replicated in their entirety to the domain partition of every DC whether it needs it or not and to the GC. By contrast, application partition-integrated DNS zones only replicate to DNS servers, reducing replication traffic and
unused replicas.There are two automatically configured application partitions. One has a
forestwide scope and resides on DCs running DNS in the forest root.The other application
partition has a more limited domain scope, and resides on DCs running DNS in each
domain.
EXAM WARNING
Be aware that each computer in the domain has representative DNS records and
Active Directory objects. Objects, records, services, and attributes can use the same
hostname, and refer to the same computer, but exist in different namespaces. This
is true even for Active Directory-integrated and application partition-integrated
DNS zones.
www.syngress.com
367
256_70-294_04.qxd
4:29 PM
Page 368
Chapter 4 • Working with Forests and Domains
NOTE
Only primary DNS zones can be stored in the Active Directory. Secondary zones
must be stored in the old standard text format. This might seem odd at first, but
secondary DNS zones are essentially obsolete in light of the multi-master replication model of the Active Directory-integrated DNS zone. Secondary zones might
still be needed if some zones will not be stored in the Active Directory, or will be
maintained during the migration period.
Some of the benefits to be gained by integrating DNS with Active Directory include:
Head of the Class…
368
9/4/03
■
An upgrade from the standard DNS single-master update model to the multimaster model. Updates can take place at any DNS server, not just the one that is
authoritative for each zone.The multi-master model eliminates the single point of
failure for dynamic updates.
■
Access control lists (ACLs) on directory-integrated zones, allowing you to specify
who can delete, modify, or even who can read records within the zone.
■
Secure updates, which protect the integrity of your DNS zones by protecting
against DNS poisoning and other malicious attacks.
■
The automatic replication and synchronization of DNS zones whenever you
install a new DC.
■
A common replication topology for DNS zones and Active Directory domains.
The nonintegrated DNS requires the design, implementation, testing, and administration of two different replication topologies.
■
Added replication efficiency, since Active Directory replication is faster and more
efficient than standard DNS replication.
Active Directory Integrated DNS Supports
Multidomain DNS Conditional Forwarding
Multidomain DNS Conditional Forwarding sounds complex, but it couldn’t be
much easier. You learned in Windows 2000 that Active Directory needs a sturdy
and secure DNS infrastructure. One of the secure aspects of DNS comes from a
design called split DNS where you basically keep two sets of records, one for the
outside of your network and one for the inside. The Internet DNS server holds the
address information for your Web site, e-mail, and FTP servers. The inside server
holds address information for your intranet and serves the needs of your Active
Directory.
Continued
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 369
Working with Forests and Domains • Chapter 4
Split DNS works fine, except when joined with a very useful feature of
Windows called Active Directory integrated zones. Active Directory integrated
zones let you secure a zone for a DNS domain such as Dogs.com with one limitation: the DNS servers for Dogs.com must also be DCs for an Active Directory domain
whose name is Dogs.com.
If you want to run more than one Active Directory domain in your intranet,
then that presents a problem. Let’s review some facts:
■
Each Active Directory domain requires its own DNS zone.
■
A DC can only serve one domain at a time.
■
If you want to use Active Directory integrated zones, then you must
have a separate set of DNS servers for each domain, since you must
have a separate set of DCs.
That’s where the problem lies. It is easy to keep two separate sets of records
on just one DNS domain. You divide the world up into two simple areas: outside
and inside. In this case, your inside users get full unfiltered DNS information about
the outside world, but not the other way around. It isn’t so easy with multiple
domains.
Now let’s add the second internal domain called Fish.com. To make Dogs.com
users see the correct set of records, you must point all of their servers and workstations to the internal DNS servers that contain the internal-only version of the
Dogs.com information. To support the users in Fish.com, you will set up a different
DNS server for the internal-only version of Fish.com records, and point all those
users to that server. When you use split-DNS, users in Dogs.com get the internalonly DNS information about their own domain and the public DNS information
about the Fish.com domain. From the other side, users in Fish.com get their own
internal DNS records, but only the public DNS information for any other domain.
Here’s the problem: What if a Dogs.com user wants to access a resource on
Fish.com? That means the user must locate a DC in Fish.com to do the lookup on
the IP address of the resource in Fish.com.
Unfortunately, Dogs.com DNS servers only know the internal structure of their
own domain, while Fish.com DNS servers only know the internal structure of
Fish.com. The user tries to look up that information in the local DNS, but it doesn’t
know the answer.
There is more than one approach to solving this problem, but Windows Server
2003 offers a good one called conditional DNS forwarding. It lets you set up the
Dogs.com DNS server so that whenever it needs to lookup something in a zone
called Fish.com, it will know to go straight over to the Fish.com server for the
answer, rather than out to the Internet root servers hosting the .com domain.
www.syngress.com
369
256_70-294_04.qxd
370
9/4/03
4:29 PM
Page 370
Chapter 4 • Working with Forests and Domains
Configuring DNS Servers
for Use with Active Directory
It is a good practice to add additional DNS servers to eliminate concerns over a single
point of failure.Traditionally, you would install a standard secondary DNS server.With
Active Directory integration, all you need to do is convert your standard primary DNS
server to an Active Directory integrated primary DNS server. Once that is done, simply
configure additional DCs to take on the DNS role for redundancy.
There are a few things to be acquainted with when you integrate your DNS into the
directory. For one thing, there are no more secondary DNS servers. Once integrated into
Active Directory, all DNS servers are primary. Zone transfers no longer take place; instead,
Active Directory replication is used to distribute changes as they occur.With legacy DNS
systems, Standard DNS zones are administered using a text editor. DNS zones stored in
Active Directory are administered using the DNS console or the dnscmd command-line tool
only—no more text editing.
The following sections take you through the Windows Server 2003 versions of
common DNS administrative procedures related to Active Directory and application partition integration. By default, the DNS Server service will attempt to discover and build the
standard DNS application directory partitions in Active Directory. Depending on how DNS
was originally implemented, these default partitions might already exist. If necessary, you
can manually create them as shown in the following steps. Some DNS procedures require
the Windows support tool’s dnscmd utility, which you can install by double-clicking suptools.msi on the Windows Server 2003 CD in the \Support\Tools folder.
Integrating an Existing Primary
DNS Server with Active Directory
To integrate an existing primary DNS server with Active Directory, follow these steps:
1. On the current DNS server, click Start | Programs | Administrative Tools |
DNS to start the DNS Administrator console.
2. Expand the server name.
3. Right-click your primary DNS zone, click Properties, click the General tab,
and note the Type value.This will be Primary zone, Secondary zone, or Stub zone.
4. Click Change.
5. In the Change Zone Type box, click the check box for Store the zone in
Active Directory.
NOTE
This check box is only available if your DNS server is also a DC.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 371
Working with Forests and Domains • Chapter 4
6. Click Yes to verify, and then click OK.
7. In the Domain properties, the type should now read Active DirectoryIntegrated.You can add as many additional DNS servers as you want.
8. To force replication to occur immediately instead of waiting for the regular replication cycle, follow these steps:
1. Click Start | Administrative Tools | Active Directory Sites and
Services.
2. Expand the sites. If no additional sites are configured, you will use the one
called default-first-site-name.
3. Expand the following folders: your site, Servers, your Computer, NTDS
Settings. One or more DC objects are listed in the right pane. Right-click
each entry to see its “friendly” name. Right-click an entry, and select
Replicate Now to begin replication immediately.The time it takes to update
the target controller depends on network performance and the amount of
data replicated.
Creating the Default DNS
Application Directory Partitions
To create the default DNS application directory partitions, follow these steps:
1. Log on to your DNS server as an Enterprise Administrator.
2. To open DNS, click Start | Administrative Tools, and double-click DNS.
3. In the console tree, expand and right-click the DNS server and select Create
Default Application Directory Partitions. Follow the instructions to create
the DNS application directory partitions.The options are:
■
Would you like to create a single partition that stores DNS zone data
and replicates that data to all DNS servers in the Active Directory
domain DnsDomainName. Yes, or No. This option creates one DNS application directory partition for each domain in the forest. DNS zones stored in
this partition are replicated to all Active Directory-integrated DNS servers in
the domain. Depending on your domain structure and the context of the command, you might get this question multiple times for different domains.
■
Would you like to create a single partition that stores DNS zone data
and replicates that data to all DNS servers in the Active Directory
forest DnsForestName? Yes, or No. This option creates one DNS partition
named for your forest. It contains all the DNS servers running on the DCs in
the forest, and replicates the DNS data to all DNS servers. DNS zones stored in
this application directory partition are replicated to all Active Directory-integrated DNS servers in the forest.
www.syngress.com
371
256_70-294_04.qxd
372
9/4/03
4:29 PM
Page 372
Chapter 4 • Working with Forests and Domains
NOTE
The option to create the default application directory partitions in the DNS console
will not be available if they are already present in the Active Directory.
Using dnscmd to Administer Application Directory
Partitions
There are some differences between standard DNS and the Active Directory-integrated
version of DNS. For example, when you uninstall a DNS server hosting Active Directoryintegrated zones, these zones will either be saved or deleted. Since the zone data is stored
on other DNS servers, it will not be deleted unless the DNS server that you uninstall is the
last one hosting that zone.Windows gives you a warning if this is the case.
Only Enterprise Admins can create a DNS application directory partition. Most other
DNS tasks can be handled by the DnsAdmins or Domain Admins group.
1. Log on to your DNS server with the credentials needed for the given task.
2. Open a command prompt. Click Start | All Programs | Accessories |
Command Prompt, or click Start | Run and type cmd.
3. Use the following dnscmd.exe options. See the example following for assistance:
■
Type the following command as an Enterprise Administrator to create a DNS
application directory partition: dnscmd ServerName
/CreateDirectoryPartition FQDN.
■
Type the following command as a member of the DnsAdmins or
DomainAdmins group to enlist a DNS server in a DNS application directory
partition: dnscmd ServerName /EnlistDirectoryPartition FQDN.
■
Type the following command as a member of the DnsAdmins or
DomainAdmins group to n-enlist a DNS server in a DNS application directory partition: dnscmd ServerName /UnenlistDirectoryPartition FQDN.
In this case, ServerName specifies the DNS host name or IP address of the DNS server,
and FQDN specifies the name of the target DNS application directory partition.
NOTE
An FQDN has a trailing period to qualify its position at the root of the namespace,
such as “Fish.com.” shown in the following example. To see the full syntax of these
commands, type:
dnscmd /CreateDirectoryPartition /?
dnscmd /EnlistDirectoryPartition /?
dnscmd /UnenlistDirectoryPartition /?
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 373
Working with Forests and Domains • Chapter 4
Here is an example. Note the “.” at the end of the FQDN:
D:\SupportTools>dnscmd DC4.Fish.com /CreateDirectoryPartition Fish.com.
DNS Server DC4.Fish.com created directory partition: Fish.com.
Command completed successfully.
Securing Your DNS Deployment
DNS is full of information. It helps users find services, and services find resources.
Unfortunately, it sometimes provides malicious users with that same wealth of information
about your network.To help keep this from happening, use the following guidelines as a
minimum approach to your DNS security architecture.
■
Use a split DNS design with internal DNS servers protected by your firewall and
external DNS servers on the outside.Your internal namespace can be a child
domain of your external namespace, or be completely different.
■
Use your internal DNS servers to host your internal namespace and your external
DNS servers to host your external namespace.The external servers should not be
able to forward name lookups from the Internet to your internal network, but
internal servers can forward queries to the outside.
■
Use a packet-filtering firewall to lock down DNS port 53 so that only external
DNS servers under your control can communicate with your internal DNS
servers.
■
Configure secure dynamic updates.With this setting, only computers joined to
the Active Directory can authenticate with DNS; hence, register their service
locator records. Computers that are unable to authenticate cannot make changes
to DNS data.
■
Carefully monitor and control who has the ability to control DNS zones through
the DACL in Active Directory.
www.syngress.com
373
256_70-294_04.qxd
374
9/4/03
4:29 PM
Page 374
Chapter 4 • Working with Forests and Domains
Summary of Exam Objectives
The logical structure of the network is defined by forests and domains, with domains organized into domain trees in which subdomains (called child domains) can be created under
parent domains in a branching structure. Domains are logical units that hold users, groups,
computers, and OUs (which in turn can contain users, groups, computers, and other OUs).
Forests are collections of domain trees that have trust relationships with one another, but
each domain tree has its own separate namespace. Aspects of the physical structure include
sites, servers, roles, and links.
An Active Directory always begins with a forest root domain, which is automatically
the first domain that you install.This root domain becomes the foundation for additional
directory components.The domain is the starting point of Active Directory. It is the most
basic component that can functionally host the directory. Simply put, Active Directory uses
the domain as a container of computers, users, groups, and other object containers. Objects
within the domain share a common directory database partition, replication boundaries and
characteristics, security policies, and security relationships with other domains.The process
of creating the forest and domain structure is centered on the use of the Active Directory
Installation Wizard, which is also known as the dcpromo utility.
The first step is to install Windows Server 2003 as a member server or a stand-alone
server. Next comes the decision process leading to the installation of a DC. Essentially, there
are two reasons to install a DC: to create a new domain, or to add an additional DC to an
existing domain. Depending on your current forest structure, you will end up with one of
four results: A new forest, a new domain tree in an existing forest, a new child domain in an
existing domain, or a new DC in an existing domain. Since a domain cannot exist without
a DC, you must create at least one for each domain.The process of creating the first DC
also creates the domain itself. Here are the four main reasons to create a new DC: creating
the first domain in your network, creating a new domain in your forest, improving a
domain’s reliability, and improving network performance between sites.To improve a
domain’s reliability, you should always create at least a second DC in each domain.That
way, if the first DC fails, you will still be able to use the second DC.
Application data partitions are another DC enhancement that allows for the creation of
application-specific Active Directory partitions, also known as naming contexts. An instance
of an application directory partition on another DC is called a replica. Site topologies and
replication schedules are observed in this type of partition, and the application objects are
not replicated to the GC. Conveniently, application partitions can leverage DNS for location and naming.Windows Server 2003 Web Edition cannot host application partitions
because they do not support the DC role.
Before raising the functional level of a domain, all DCs must be upgraded to the minimum OS level. Remember that when you raise the domain functional level, it can never
be changed back except for the case of Windows Server 2003 native. It can be temporarily
reverted to interim level for the purpose of joining an NT domain during an upgrade
directly to Windows Server 2003. New features and better security become available with
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 375
Working with Forests and Domains • Chapter 4
each subsequent higher level, but compatibility issues might be sufficient reason to delay the
level-raising procedure.
In Windows NT 4.0, the domain had only one authoritative source for domain-related
information, the primary domain controller, or PDC.The implementation of Active
Directory brought the multi-master model, where objects and their properties could be
modified on any DC and become authoritative through replication conflict resolution measures.The problem with the multi-master architecture is that some domain and enterprisewide operations are not well suited for it.The best design placed those functions on a
single DC within the domain or forest, and Microsoft created the Active Directory Flexible
Single-Master Operations (FSMO) roles.The Active Directory supports five operational
master roles: the Schema Master, Domain Master, RID Master, PDC Emulator, and the
Infrastructure Master.Two of these operate at the forest level only, the Schema Master and
the Domain Naming Master. Conversely, the RID Master, PDC Emulator, and
Infrastructure Master operate at the domain level.You can use the ntdsutil.exe command-line
utility to transfer FSMO roles, or you can use an MMC snap-in tool. Depending on which
role you want to transfer, you need to use one of the following three MMC snap-in tools:
Active Directory Schema, Active Directory Domains and Trusts, or Active Directory Users
and Computers.To seize a role, you must use the ntdsutil utility. If a computer cannot be
contacted due to a hardware malfunction or long-term network failure, the role must be
seized. After you seize a master role, the old DC that hosted it should never be brought
back online.This is especially true of the Schema Master, Domain Naming Master, and
RID Master roles. Rebuild the system as a member server and then promote it as a newly
installed DC if needed.
DNS and Active Directory use identical names for different namespaces. For this
reason, it is meaningful to understand that they are not the same namespace. DNS contains
zones and records, while Active Directory contains domains and domain objects.Windows
Server 2003 brings in a new feature that blurs the line between DNS and Active Directory,
called application partitions.With this release of Windows, DNS zones and records can be
contained within the Active Directory itself, and are subject to the same replication and
authentication parameters. Some advantages of this include a reduction in the number of
objects stored in the GC, and a finely tuned replication domain. DNS zones stored in
Active Directory are administered using the DNS console or the dnscmd command-line tool
only—no more text editing.When you deinstall a DNS server hosting Active Directoryintegrated zones, these zones will be saved or deleted. Since the zone data is stored on other
DNS servers, it will not be deleted unless the DNS server you uninstall is the last one
hosting that zone.Windows gives you a warning if this is the case.
Because forests and domains are the foundation of the Windows Server 2003 Active
Directory, this topic is an important one for all network administrators to master.The
knowledge and skills imparted in this chapter are designed to help you understand and
answer the questions on Exam 70-294, and to assist you in implementing and maintaining
an Active Directory network on the job.
www.syngress.com
375
256_70-294_04.qxd
376
9/4/03
4:29 PM
Page 376
Chapter 4 • Working with Forests and Domains
Exam Objectives Fast Track
Understanding Forest and Domain Functionality
The new forest features of domain renaming and forest restructuring are only
available after all DCs in the entire forest have been upgraded to Windows Server
2003 and the forest functional level has been raised to the Windows Server 2003
level.
Cross-forest trusts are another new feature of Windows Server 2003 that when
used, result in a configuration called federated forests.Without the forest trust,
Windows-based Kerberos authentication between forests would not work.
Linked value replication provides a solution to Windows 2000’s limit of 5000 direct
group members by replicating only those members that changed instead of
replicating the entire group.
Functional levels are a mechanism that Microsoft uses to remove backward
compatibility within the Active Directory once it is no longer needed. In
Windows Server 2003, there are two additional functional levels to consider in
both domains and forests, as compared to Windows 2000 (where the functional
levels were called “modes”).
Creating the Forest and Domain Structure
You should know what type of domain you want to install before you begin, and
the namespace it will use.
To improve a domain’s reliability, you should always create at least two DCs in
each domain.
Application Director Partitions allow the fine tuning of the replication of DNS
Active Directory Integrated zones.
The Schema Master and Domain Naming Master roles are only present at the
forest root.
The first DC that you install in the forest is the root DC. It is responsible for the
GC and for all five FSMO roles. Some roles can later be transferred to other DCs
for performance and diversification.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 377
Working with Forests and Domains • Chapter 4
Implementing DNS in the Active Directory Network
Environment
The domain is the primary boundary defining DNS and NetBIOS namespaces.
NetBIOS computer and service names are generated by using the first 15
characters of the DNS host name. Active Directory has no dependence on
NetBIOS names, but they continue to work, providing backward compatibility
with pre-2000 versions of Windows.
There are three basic configurations of Windows DNS: Standard DNS, Active
Directory-integrated DNS, and application partition-integrated DNS.
Active Directory-integrated DNS is an upgrade from the standard DNS singlemaster update model to the multi-master model, removing single points of failure.
Every domain requires a DNS server. If one is not available during the installation
of the first DC,Windows Server 2003 will install and configure one for you.
Exam Objectives
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are
designed to both measure your understanding of the Exam Objectives presented in
this chapter, and to assist you with real-life implementation of these concepts. You
will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: What is the big deal about raising the functional levels of my domains and forests?
Shouldn’t I raise the levels as soon as they meet the prerequisites?
A: No. Remember that functional levels, once raised, cannot practically be lowered again.
In addition, some situations are better suited to skipping a level, rather than raising to
one level and then the other. In this case, known future restructuring and upgrade
activities should be considered before raising functional levels.
Q: Now that cross-forest trusts are available, wouldn’t it be easier to create a different forest
for each division of the company instead of putting them in different domains within a
single forest?
A: No.The enterprise approach to IT management includes gains in efficiency, functionality, data sharing, resource management, and business-unit collaboration, while
reducing manpower and IT expenses. Localized ways of thinking are not competitive in
a business sense, create inefficiencies, reduce functionality, and foster an environment
www.syngress.com
377
256_70-294_04.qxd
378
9/4/03
4:29 PM
Page 378
Chapter 4 • Working with Forests and Domains
where workarounds and patches end up lowering information security in order to
make things work in the enterprise. Cross-forest trusts can be an advantage in the right
situations, but dividing a single enterprise into subunits is not one of them.
Q: The differences between functional levels of domains and forests are complicated and
detailed. Couldn’t I skip this section and focus on the larger issues and concepts when
studying for the test, since I can always look up the information on the job?
A: No. Microsoft tests are scenario-based and rich with configuration details. Many test
questions will have different answers based on the functional level context of the scenario. In other words, you won’t completely understand the question if you don’t
understand the functional level involved. If you don’t understand the question, you are
likely to answer it incorrectly.
Q: How much of the Active Directory design stage should be complete before I install my
first DC?
A: Primarily, the DNS design should be complete, and the decision should be made about
how the forest-root domain will be used. Additional DCs and domains can be added
later. FSMO roles and GCs can be shifted as needed, and trusts with other forests and
external domains can be added later. Essentially, the first DC that you install should be
in a lab environment. From that perspective, you should install your first DC for testing
and training purposes as soon as possible.
Q: If my DNS is already integrated with the Active Directory, why would I go through the
trouble of converting it to an application directory?
A: Application partition-integrated DNS zones only replicate to DNS servers, reducing
replication traffic and increasing directory efficiency by removing unused replicas of the
data. Additionally, the number of objects stored in the GC is reduced, and you no
longer have to maintain the replication topology of DNS separate from the replication
topology of the Active Directory.
Q: If every FSMO role can be seized by another DC upon failure, why would I want to
spread the roles out between different machines?
A: There are several reasons. Chief among these are the associated risks of seizing roles. Lost
or corrupted directory data can result from FSMO failures, especially if the malfunctioning machine ever comes back online. Seizing roles should not be considered a routine
operation. Another consideration is performance. Each role exacts a certain amount of
CPU and memory overhead, and your servers might perform better if roles are spread
among multiple systems. If that weren’t enough, some roles and functions should not
coexist on the same DC, such as the Infrastructure Master and the GC. FSMO placement
should not be ignored, and this knowledge will be important on the test.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 379
Working with Forests and Domains • Chapter 4
Q: I read a lot about the concept of namespaces. Isn’t this just an abstract concept that has
no practical meaning to the real world?
A: No. Namespaces are well-defined boundaries that are critical for you to understand,
whether you are in the planning, designing, implementing, or maintenance stage of
your Active Directory deployment. Often, two namespaces will have the same or similar
names. If a name or service resolution failure occurs, you must understand namespaces
to intelligently troubleshoot the problem.
Self Test
A Quick Answer Key follows the Self Test questions. For complete questions, answers,
and explanations to the Self Test questions in this chapter as well as the other
chapters in this book, see the Self Test Appendix.
Understanding Forest and Domain Functionality
1. Your Yellow.labs.dogs.com Information Assurance department has just used John the
Ripper, a password-cracking program, against your Active Directory user accounts.
They report that 40 percent of your passwords were compromised within an eighthour period. After some research, you determine that removing the LM authentication for down-level clients will make password guessing much more difficult. Further,
you decide to require Kerberos authentication at all of your DCs. After some telephone calls, you assure your manager and CIO that all computers in all domains
within your forest are loaded with Windows 2000, 2003, or XP. No legacy workstations are present that require backward LM or NTLM compatibility.With their permission, you apply the security setting using Group Policy. Almost immediately,
authentication fails between Fish.com and the Yellow.labs.dogs.com domain, although
ping still works. Previously, all users in both domains had complete access to all
resources in the two domains, but now every authenticated access fails. Refer to
Figure 4.56.Why is this problem happening?
www.syngress.com
379
256_70-294_04.qxd
380
9/4/03
4:29 PM
Page 380
Chapter 4 • Working with Forests and Domains
Figure 4.56 Question #1 Diagram
Root
Domain
Dogs.com
Tree-root trust
Child
Domain
Labs.dogs.com
Parent and child trust
W2K
Domain
Fish.com
External
Trust
Child
Domain
Yellow.labs.dogs.com
A. Network problems.
B. Selective authentication problems.
C. NT LAN Manager authentication problems.
D. Trust transitivity problems.
2. Over a weekend, you upgrade your Windows NT 4.0 domain through the Windows
Server 2003 interim functional level up to the Windows Server 2003 functional level.
Most client PCs are running Windows NT 4.0.Your test NT workstation continues to
operate, but on Monday morning you start getting trouble tickets from several workstations that cannot log on to the new domain. As a temporary workaround, those
users are able to log on from other workstations.What is the most likely cause?
A. The malfunctioning workstations are running Windows NT 4.0 SP2.
B. The users’ old passwords do not meet the new complexity requirements of
Windows Server 2003.
C. Some workstations did not pick up the new trust relationships, and need to be
removed and re-added to the domain.
D. Some user accounts have not replicated to all DCs yet. Choose the Synchronize
all domain controllers option from the Active Directory Domains and
Trusts MMC snap-in.
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 381
Working with Forests and Domains • Chapter 4
3. A large company has just merged with yours.They have a corporate 24-hour
Enterprise Administrators group running a forest at the Windows Server 2003 functional level.Your company has NT, 2000, and XP clients on a single NT domain.Your
PDC and four of your five BDCs are still running Windows NT.Two of your permissions groups have more than 5000 members.The new conglomerate has given you a
budget for upgrading the local infrastructure so that you can participate in the corporate forest structure through a cross-forest trust.What are the minimum requirements
you must meet before joining the corporate forest? (Choose all that apply.)
A. Ask the Enterprise Administrators to temporarily set their forest to interim level
using manual LDAP administrative tools.
B. Install new servers and create a pristine local forest root using your namespace.
C. Upgrade your PDC to Windows Server 2003, and join the corporate forest
during the upgrade.
D. Upgrade your four Windows NT BDCs to Windows Server 2003.
4. Two forests are joined with a cross-forest trust, linking the two for resource sharing.
Both forests synchronize their time with the Internet, they both contain some
Windows NT 4.0 workstations, and they reside in different time zones. One day, the
cross-forest trust fails, and users cannot authenticate across their forest boundaries,
although the network is healthy at layer 3.What might have happened?
A. The two forests are using different time sources, or one forest-root PDC emulator
has malfunctioned.
B. The Windows NT systems need to reboot, or use the scheduler service to run the
net time \\<timecomputer> /set /yes command on each NT machine.
C. DCs in both forests should be set up to automatically run the w32tm /config
/syncfromflags:manual /manualpeerlist:Peerlist command, listing only each other
as their time source.
D. The PDC Emulator needs its time reset, since Windows NT 4.0 workstations and
servers automatically synchronize with their PDC.
E. The scenario is impossible, since Windows NT cannot function in a Windows
Server 2003 functional level domain, and cross-forest trusts can only be created in
such a domain.
5. Your IT manager wants you to link four divisions of the company through a ring of
eight unidirectional cross-forest trusts. He uses this reasoning: If multiple forest trusts
are established, then authentication requests made in any domain of any forest can pass
through multiple forest trusts, hence multiple Kerberos domains, on their way to their
destination.Why is he wrong?
www.syngress.com
381
256_70-294_04.qxd
382
9/4/03
4:29 PM
Page 382
Chapter 4 • Working with Forests and Domains
A. While each cross-forest trust is transitive at the forest level, where all domains in
both forests can authenticate, they are not transitive at the federated forest level as
he suggests.The trust path cannot include more than one cross-forest trust.
B. Cross-forest trusts are not transitive, and will not allow pass-through authentication.
C. To create a ring of trust around four forests, you only need four cross-forest trusts.
D. Cross-forest trusts are bidirectional, so only three trusts are needed to link all four
forests. Completing the “ring” is not necessary.
6. You are the database administrator for a large enterprise, and you are trying to install
an Active Directory-integrated application.The product literature says it implements
new classes within the directory.The installation fails with an obscure message.What is
the most likely reason for the failure?
A. The application uses a service account that is not a member of the Enterprise
Administrators group.
B. You are not a member of the Domain Admins account in the domain where you
are trying to install the application.
C. You are not in the Schema Administrators group.
D. You do not have permissions to create GPOs.
7. What FSMO roles should exist in a child domain in a Windows Server 2003 forest?
(Choose all that apply.)
A. Schema Master
B. Domain Naming Master
C. PDC Emulator
D. RID Master
E. GC
F.
Infrastructure Master
Creating the Forest and Domain Structure
8. Your company is expanding its single location with five new offices, all in different
states. Each location will have 10 marketing employees or less to supplement the 25
already employed at the main office.Your security engineer says that all employees will
abide by the same company security policy.They will hire another systems administrator
at your office to handle the increased workload.When asked about how the company’s
single-domain Windows Server 2003 Active Directory will be affected by the expansion,
you reply that new servers will have to be installed at the remote locations.Your manager wants to know what server hardware and software to budget for.What do you tell
him? (Choose one.)
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 383
Working with Forests and Domains • Chapter 4
A. Five servers and five copies of Windows Server 2003 Datacenter Edition
B. Five servers and five copies of Windows Server 2003 Standard
C. Ten servers and ten copies of Windows Server 2003 Enterprise Edition
D. Ten servers and ten copies of Windows Server 2003 Standard
9. You have just been hired to install an Active Directory for a new startup company. An
e-commerce Web farm has already been set up, waiting to join your root domain.
Walleyedhucklemullys.com employs seven chemists who appear to split their time
evenly between research and development activities, two Web developers, one network
engineer, and the owner of the company.The previous MCSE who ordered the computers and software has already left the company, and all you have is a pile of boxes
and a crude sketch of a logical Active Directory forest.The owner of the company has
already approved the design and wants you to work all weekend to make it work.
After you clean up the drawing somewhat, it looks like Figure 4.57. Among the boxes
you find six computers, three copies of Windows Server 2003 Standard, and three
copies of Windows Server 2003 Web Edition. Under the pressure of time, you create
the forest structure with two computers in each of the three domains. On Monday
morning, you approach your new manager to say that the Active Directory design is
weak.What is wrong with it? (Choose all that apply.)
Figure 4.57 Question #9 Diagram
Walleyedhucklemullys.com
Fire
wal
l
Internet
Root
Domain
Top-Level
Domain
Development
.WHMs.com
for
m .com
r
a
b F llys .
We lemu tions
e
rc ck ta
me edhu orks
m
w
o
y
E-c alle user
l
W
/ ra
p:/ ve
htt nd se
a
Child
Domain
Research.development
.WHMs.com
www.syngress.com
383
256_70-294_04.qxd
384
9/4/03
4:29 PM
Page 384
Chapter 4 • Working with Forests and Domains
A. DNS should be split, and the design is full of bad namespace and computer security practices.
B. Too many domains.
C. You should have installed Windows Server 2003 Enterprise instead of Standard.
D. Firewall is in the wrong place, because Web servers should be directly on the
Internet.
E. Not enough DCs for the number of domains.
10. The name of your company has changed from Fish to Aquatics. In her zeal to
embrace the new company image, your CEO directs you to change the Active
Directory domain name to reflect the new company name.You efforts are unsuccessful.Which of the following would cause the domain rename tool to fail? (Choose
all that apply.)
A. Your DCs are running Windows Server 2000 Enterprise Edition.
B. The Active Directory forest functional level is set to Windows Server 2003
interim.
C. You are logged in as a Domain Admin.
D. Your current mail server is running Exchange 2000.
E. Your DFS root server is running Windows 2000 with Service Pack 3.
F.
You are logged on to a Windows 2003 Server DC as an Enterprise Admin.
11. Your network operations center has identified excessive bandwidth utilization caused
by authentication traffic in the root domain subnet, especially between
Calico.cats.com and Labs.dogs.com.Your logical network is set up as shown in Figure
4.58.What type of trust or trusts would you set up to alleviate the situation?
Figure 4.58 Question #11 Diagram
e
sitiv
Tran rusts
T
Root
Domain
Dogs.com
Cats.com
Domain
Child
Domain
Calico.cats.com
www.syngress.com
Child
Domain
Labs.dogs.com
Child
Domain
Yellow.labs.dogs.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 385
Working with Forests and Domains • Chapter 4
A. Set up a bidirectional transitive parent and child trust between Calico.cats.com
and Labs.dogs.com.
B. Set up a shortcut trust between Calico.cats.com and the forest root, and set up a
second shortcut trust between Labs.dogs.com and the forest root.
C. Set up a shortcut trust between Calico.cats.com and Labs.dogs.com.
D. Set up two shortcut trusts between Calico.cats.com and Labs.dogs.com.
E. Set up a realm trust between Calico.cats.com and Labs.dogs.com.
12. Which of the following factors should have the most influence on the number of
domains that you install? (Choose all that apply.)
A. The need for different security policies for different groups of users.
B. The need for different schemas for each user group.
C. The possibility that one company division might eventually be sold.
D. The separation of IT management between different major physical sites.
E. The structure of your organizational chart.
13. Your company has just elected a new chairperson who believes in a sound information infrastructure. Currently, your network is a product of years of least-cost and
least-effort development. Having the opportunity to build a new enterprise, you sit
down and begin your design.What is the most critical design question to answer
before beginning the installation of your new Windows Server 2003 forest?
A. The name of the root-level domain.
B. The number of domains that you need to support the enterprise.
C. The locations of the operational master roles and GCs.
D. Whether to use application directory partitions for your DNS servers.
Implementing DNS in the
Active Directory Network Environment
14. Your DNS expert is not an MCSE, and has mostly UNIX experience.Your enterprise
runs on Windows Server 2003 Active Directory application partition enabled DNS
servers.You want your DNS expert to have access to the DNS servers, but you do not
want to grant the ability to configure other DCs.
www.syngress.com
385
256_70-294_04.qxd
386
9/4/03
4:29 PM
Page 386
Chapter 4 • Working with Forests and Domains
To which group should you add your expert?
A. Enterprise Admins
B. DNSAdmins
C. Administrators
D. Domain Admins
15. A help desk ticket is routed to you with the diagnosis that your DNS server is failing
to renew the lease on a user’s IP address. After reviewing the roles that DNS plays in
the Active Directory, you think you know where the problem lies.What are the roles
of DNS? (Choose all that apply.)
A. Locating DCs
B. Assigning IP addresses
C. Defining the Active Directory namespace
D. Name resolution
www.syngress.com
256_70-294_04.qxd
9/4/03
4:29 PM
Page 387
Working with Forests and Domains • Chapter 4
Self Test Quick Answer Key
For complete questions, answers, and explanations to the Self Test questions in this
chapter as well as the other chapters in this book, see the Self Test Appendix.
1. C
9. A, B, E
2. A
10. A, B, C, D, F
3. A, C
11. D
4. A
12. A, D
5. A
13. A
6. C
14. B
7. C, D, F
15. A, C, D
8. B
www.syngress.com
387
256_70-294_04.qxd
9/4/03
4:29 PM
Page 388
256_70-294_05.qxd
9/4/03
4:30 PM
Page 389
Chapter 5
MCSA/MCSE 70-294
Working with Trusts
and Organizational Units
Exam Objectives in this Chapter:
1.3.6
Establish trust relationships. Types of trust relationships
might include external trusts, shortcut trusts, and crossforest trusts.
2.1.1
Manage trust relationships.
3.3.1
Analyze the administrative requirements for an OU.
3.4.3
Move objects within an OU hierarchy.
3.4
Implement an OU structure.
3.4.1
Create an OU.
3.4.2
Delegate permissions for an OU to a user or to a security
group.
1.5
Plan an administrative delegation strategy.
1.5.1
Plan an organizational unit (OU) structure based on
delegation requirements.
1.5.2
Plan a security group hierarchy based on delegation
requirements.
3.3
Plan an OU structure.
3.3.2
Analyze the Group Policy requirements for an OU structure.
389
256_70-294_05.qxd
390
9/4/03
4:30 PM
Page 390
Chapter 5 • Working with Trusts and Organizational Units
Introduction
Trust relationships define the ways in which users can access network resources across
domains and forests.Without a trust between the domain to which a user belongs and the
domain in which a resource resides, the user won’t be able to access that file, folder, printer,
or other resource. Hence, it is important for network administrators to understand how the
built-in (implicit) trusts in the Active Directory network function, and how to create
explicit trusts to provide access (or faster access) between domains.
Organizational units (OUs) are container objects within the directory structure that can
be used, as the name implies, to organize resources, including (but not limited to) users,
groups, and computers. Group policies can be applied to OUs, and administration of an OU
can be delegated, making it easy to perform tasks that need to apply to only select objects.
This chapter addresses these two important components of Active Directory: trust relationships and OUs.You’ll learn about the different types of trusts that exist in the Active
Directory environment, both implicit and explicit, and you’ll learn to create shortcut,
external, realm, and cross-forest trusts.You’ll also learn to verify and remove trusts, and how
to secure trusts using SID filtering.
Next, we discuss the creation and management of OUs and you learn to apply group
policy to OUs and how to delegate control of an OU.We show you how to plan an OU
structure and strategy for your organization, considering delegation requirements and the
security group hierarchy.
EXAM
70-294
Working with Active Directory Trusts
OBJECTIVE
1.3.6 One of the many issues that need to be dealt with in any computer organization is how to
2.1.1 protect resources.The main difficulty that administrators face is the dilemma of how to
ensure that the resources of the company are not accessible by those who do not need
access.The other side of that coin, equally important, is how to ensure that people who do
need access are granted access with the least amount of hassle. In small companies, the issues
are simpler, because multiple domains rarely exist. In today’s larger corporations and conglomerates, the issues of security are compounded.What administrators need is an easy tool
to manage access across multiple domains and, often, across forests.
The tool is Active Directory Domains and Trusts.With Active Directory Domains and
Trusts, an administrator can establish relationships between domains that will allow users in
one domain to access the resources in another.This way, the administrator can ensure that
all users who need access can have it without the hassles involved in having user accounts
in multiple domains.
Several terms need to be defined in order to understand how trusts work. First, you
need to understand the differences between two types of trusts:
■
Transitive trusts The trust relationship passes through each trusted domain so
that if A trusts B and B trusts C, A trusts C.
www.syngress.com
256_70-294_05.qxd
9/4/03
4:30 PM
Page 391
Working with Trusts and Organizational Units • Chapter 5
■
Non-transitive trusts The trust relationship stops with the two domains
between which it is created.
In addition to being transitive or non-transitive, a trust can be either one-way or twoway. A transitive two-way trust allows all domains to share resources to all users regardless of
to which domain they belong. For example, you create a trust between two domains
(Domain X and Domain Y). User accounts in Domain X have access to resources in
Domain Y.The reverse is also true, user accounts in Domain Y have access to domain X’s
resources.This is a two-way trust; the trust works in both directions. Now let’s add a new
Domain Z and create a trust relationship to Domain Y.The transitive trust allows the user
accounts in Domain X to access resources in Domain Z and vice versa without having to
create an additional trust between Domain X and Domain Z (see Figure 5.1).This reduces
the numbers of trusts that an administrator needs to create and maintain.
Figure 5.1 Transitive Trust
Domain X
Transitive Two-way Trust
Domain Y
Implied Trust
Transitive Two-way Trust
Domain Z
A non-transitive trust restricts the relationship to domains outside of the trust. It does not
inherently allow other domains to pass through their authentication information to access
resources outside of the trust. Once again, let’s use the example of Domain X and Domain
Y. If a non-transitive trust relationship is established between Domain X and Domain Y, the
user accounts in the two domains have access to resources in the other domain. If we now
add a new Domain Z and create a trust between Domain Y and Domain Z, users in
Domain X are not automatically allowed access to resources in Domain Z (see Figure 5.2).
www.syngress.com
391
256_70-294_05.qxd
392
9/4/03
4:30 PM
Page 392
Chapter 5 • Working with Trusts and Organizational Units
Figure 5.2 Non-Transitive Trust
Root
Domain X
Two-way Trust
Root
Domain Y
Implied Trust
Two-way Trust
Root
Domain Z
We’ve been talking about two-way (bidirectional) trusts; but a trust can also be oneway (unidirectional). One-way trusts are created to allow more restrictive control over
which users are allowed access to resources. For example, in Figure 5.3, a one-way trust is
created between Domain X and Domain Y. Users in Domain X have access to resources in
Domain Y. However, users in Domain Y do not have access to resources in Domain X. In
this definition, Domain X is referred to as the trusted domain, and Domain Y is the trusting
domain. A two-way trust allows users in either domain to have access to resources in the
other domain.
One-way trusts must specify the direction of the trust. One-way trusts can be either
incoming or outgoing, depending on whether the trust is created from the trusting or the
trusted domain. Incoming trusts permit the users in the domain where the trust is created
(the trusted domain) to access resources in the specified domain (the trusting domain). Users
in the trusting domain do not have access, through this trust, to the resources in the trusted
domain. (You can, however, create a second trust that goes the other way, to accomplish the
same effect as a two-way trust.)
Outgoing trusts allow the users in the specified domain (the trusted domain) to have
access to resources in the originating domain (the trusting domain). Users in the originating domain do not have access to resources in the specified domain.
www.syngress.com
256_70-294_05.qxd
9/4/03
4:30 PM
Page 393
Working with Trusts and Organizational Units • Chapter 5
Figure 5.3 One-Way Trust
Domain X
One-Way Trust
Domain Y
Another concept and set of terms to understand in regard to trusts is:
■
Implicit
■
Explicit
Implicit trusts are trusts that are created automatically by the nature of the built-in relationships between domains within a forest.These implicit trusts are two-way and transitive.
Implicit trusts automatically exist between each domain that is created and its child
domain(s). An implicit trust also exists between the root domain of each domain tree and
the root domains of every other domain tree in the forest.
An explicit trust is one that is created by an administrator; it does not exist automatically, but has to be explicitly created. For example, an administrator can create an explicit
trust (in this case, called a shortcut trust) between any two child domains in different domain
trees to provide for a direct trust (and faster authentication) between them.
Explicit trusts are also used to enable authenticate across forests.When a forest trust is
created, a transitive trust is created between the forest root domains in both forests.This
allows all the members in the forest to exchange authentication information with the other
forest.The forest trust is also called an explicit trust between the two forests. If an additional
forest trust is created between one of the original forests and a third forest, an implicit trust
with the other original forest is not established to the third forest. In order for the third
forest to have a trust relationship with the other forest, an explicit forest trust must be created between the two (see Figure 5.4).
www.syngress.com
393
256_70-294_05.qxd
4:30 PM
Page 394
Chapter 5 • Working with Trusts and Organizational Units
Figure 5.4 Implicit Trust
X
Forest 1
Implied Trust
Y
Transitive Two-Way Trust
Z
Transitive Two-Way Trust
Forest 2
Forest 3
Implicit Trust
New & Noteworthy...
394
9/4/03
Trust Types
Although the concept behind trust relationships is not a new item in the Windows
NT family, the new trust types and flexibility offered is new to Windows Server 2003
domains. The Active Directory Domains and Trusts tool in the Administrative Tools
menu gives you the necessary tools to allow users in Active Directory domains to
easily gain access to resources in other domains, even if the other domain is a nonWindows Kerberos domain.
As with any new features, especially those related to security and access, you
can expect several new questions focused on the new terms and concepts. You will
be required to have a thorough understanding of the concepts that follow.
Types of Trust Relationships
Two or more Active Directory domains are implicitly or explicitly connected using trust
relationships.The authentication requests made from one domain to the other domains use
these relationships.The trusts provide a seamless coexistence of resources within the forest
structure. Users are granted access to the resources in the other domain(s) after being
www.syngress.com
256_70-294_05.qxd
9/4/03
4:30 PM
Page 395
Working with Trusts and Organizational Units • Chapter 5
authenticated in their own domain first. Once authenticated in their own domain, they can
traverse the other domains to gain access to their resources.
TEST DAY TIP
On the day of the test you will want to review the types of trusts as well as when
to use each of the different trusts. On the exam, you might be given a scenario
that will require you to determine the type of trust that will best meet the requirements in the scenario.
Because there are several new types of trust, you should ensure that you
know when it is appropriate to use the different trusts.
The primary advantage of these relationships is that administrators no longer need to
create multiple user accounts for each user who needs access to resources within each
domain. Administrators can now add the users of the other domains to their access control
lists (ACLs) to control access to a resource.To take full advantage of these relationships, the
administrator must know about the various types of trust that exist, and when to use them.
Default Trusts
When the Active Directory Installation Wizard is used to create a new domain within an
existing forest, two default trusts are created: a parent and child trust, and the tree-root trust.
Four additional types of trusts can be created using the New Trust Wizard or the command-line utility netdom.The default trust relationships inside a Windows 2000 and
Windows Server 2003 forest are transitive, two-way trusts.
A parent and child trust is a transitive, two-way trust relationship. It allows authentication requests made in the child domain to be validated in the parent domain. Because the
trusts are transitive, these requests pass upwards from child to parent until they reach the
root of the domain namespace.This relationship will allow any user in the domain to have
access to any resource in the domain if the user has the proper permissions granted.
An additional transitive, two-way trust is created to simplify the navigation, the treeroot trust.This is especially needed in large organizations that might have multiple levels of
child domains.The tree-root trust is a trust that is created between any child domain and
the root domain.This provides a shortcut to the root.This trust relationship is also automatically created when a new domain tree is created.
Shortcut Trust
Shortcut trusts are transitive in nature and can either be one-way or two-way.These are
explicit trusts that you create when the need exists to optimize (“shortcut”) the authentication process.Without shortcut trusts in place, authentication travels up and down the
domain tree using the default parent and child trusts, or by using the tree-root trusts. In
large complex organizations that use multiple trees, this path can become a bottleneck
www.syngress.com
395
256_70-294_05.qxd
396
9/4/03
4:30 PM
Page 396
Chapter 5 • Working with Trusts and Organizational Units
when authenticating users.To optimize access, the network administrator can create an
explicit shortcut trust directly to the target domain (see Figure 5.5).
Figure 5.5 Shortcut Trust
Forest 1
Shortcut Trust
These trusts are used when user accounts in one domain need regular access to the
resources in another domain. Shortcut trusts can be either one- or two-way.
One way shortcut trusts should be established when the users in one domain need
access to resources in the other domain, but those in the second domain do not need access
to resources in the first domain.
Two-way trusts should be created when the users in both domains need access to the
resources in the other domain.The shortcut trust will effectively shorten the authentication
path, especially if the domains belong to two separate trees in the forest.
Realm Trust
Realm trusts are explicit trusts that are created to join a Windows Server 2003 domain to a
non-Windows Kerberos v5 realm.This allows you the flexibility of creating a trust for your
non-Windows networks to interoperate with the security services based on other Kerberos
v5 implementations, such as with UNIX.This extension of security can be switched from
one-way or two-way trusts and from transitive to non-transitive.
External Trust
An external trust is used when you need to create a trust between domains outside of your
forest.These trusts can be one- or two-way trusts.They are always non-transitive in nature.
This means that you have created an explicit trust between the two domains, and domains
outside this trust are not affected.You can create an external trust to access resources in a
domain in a different forest that is not already covered by a forest trust (see Figure 5.6).
EXAM WARNING
You will always need to create an external trust when connecting to a Windows NT
4.0 or earlier domain. These domains are not eligible to participate in Active
Directory. These trusts must be one-way trusts. If you have worked with Windows
www.syngress.com
256_70-294_05.qxd
9/4/03
4:30 PM
Page 397
Working with Trusts and Organizational Units • Chapter 5
NT 4.0, you will remember that the only trusts allowed were non-transitive oneway trusts.
Figure 5.6 External Trust
Transitive Two-Way Trust
Forest 2
Forest 1
Forest 3
External Trust
External Trust
Windows NT 4.0 Domain
After the trust has been established between a domain in a forest and a domain outside
the forest, the security principals from the domain outside the forests will be able to access the
resources in the domain inside the forest. Security principals can be the users, groups, computers, or services from the external domain.They are account holders that are each assigned
a security identifier (SID) automatically to control access to the resources in the domain.
The Active Directory in the domain inside the forest will then create foreign security
principal objects representing each security principal from the trusted external domain.You
can use these foreign security principals in the domain local groups.This means that the
domain local groups can have members from the trusted external domain.You use these
groups to control access to the resources of the domain.
The foreign security principals are seen in Active Directory Users and Computers. Since
the Active Directory automatically creates them, you should not attempt to modify them.
Forest Trust
A forest trust can only be created between the root domains in two forests. Both forests
must be Windows Server 2003 forests.These trusts can be one- or two-way trusts.They are
considered transitive trusts because the child domains inside the forest can authenticate
themselves across the forest to access resources in the other forest.
www.syngress.com
397
256_70-294_05.qxd
398
9/4/03
4:30 PM
Page 398
Chapter 5 • Working with Trusts and Organizational Units
EXAM WARNING
Although the trust relationship is considered transitive, this only applies to the
child domains within forests. The transitive nature of the trust exists only within
the two forests explicitly joined by a forest trust. The transitivity does not extend to
a third forest unless you create another explicit trust (see Figure 5.4).
Forest trusts help manage the Active Directory infrastructure.They do this by simplifying the management of resources between two forests by reducing the required number
of external trusts. Instead of needing multiple external trusts, a two-way forest trust
between the two root domains will allow full access between all the affected domains.
Additionally, the administrator can take advantage of both the Kerberos and NTLM
authentication protocols to transfer authorization data between forests.
Forest trusts can provide complete two-way trusts with every domain within the two
forests.This is useful if you have created multiple forests to secure data within the forest or
to help isolate directory replication within each forest.
Creating, Verifying, and Removing Trusts
Trust relationships are created and managed using the Active Directory Domains and
Trusts utility in the Administrative Tools menu.To create or manage trusts, you must be
a member of the Domain Admins group or the Enterprise Admins group in the Active
Directory, or have the appropriate authority delegated to you.
Most administrators will use the RunAs command to manage trusts.This is generally
accepted as a security best practice.
EXERCISE 5.01
CREATING A TRANSITIVE, ONE-WAY INCOMING REALM TRUST
1. Open Active Directory Domains and Trusts by clicking Start |
Programs | Administrative Tools, and then selecting Active Directory
Domains and Trusts.
2. In the console tree, right-click the domain node. Select Properties in
the context menu.
3. On the Trusts tab, click the New Trust button.
4. When the New Trust Wizard opens, click Next.
5. On the Trust Name page, enter the target realm’s name and click Next.
6. On the Trust Type page, select Realm Trust and click Next (see
Figure 5.7).
www.syngress.com
256_70-294_05.qxd
9/4/03
4:30 PM
Page 399
Working with Trusts and Organizational Units • Chapter 5
Figure 5.7 Trust Types
7. On the Transitivity of the Trust page, click Transitive, and then click
Next (see Figure 5.8).
Figure 5.8 Transitivity of Trust
8. On the Direction of Trust page, click One-way: incoming, and then
click Next (see Figure 5.9).
www.syngress.com
399
256_70-294_05.qxd
400
9/4/03
4:30 PM
Page 400
Chapter 5 • Working with Trusts and Organizational Units
Figure 5.9 Direction of Trust
9. On the Summary page, review the information, and then click Finish.
This wizard will allow you to also create non-transitive trusts and two-way and oneway outgoing realm trusts. Alternatively, you can use the netdom command to create a
realm trust.
Securing Trusts Using SID Filtering
One security concern when using trusts is a malicious user who has administrative credentials in the trusted domain sniffing the trusting domain to obtain the credentials of an
administrator account.With the credentials of the trusting domain administrator, the malicious administrator could add a spoofed SID to allow full access to the trusting domain’s
resources.This type of threat is called an elevation of privilege attack.
The security mechanism used by Windows Server 2003 to counter an elevation of
privilege attack is SID filtering. SID filtering is used to verify that an authentication request
coming in from the trusted domain only contains the domain SIDs of the trusted domain.
It does this by using the SIDHistory attribute on a security principal.
NOTE
Security principal is a term used to describe any account that has a SID automatically assigned. Examples of security principals are users, groups, services, or computers. Part of each security principal is the domain SID to identify the domain in
which the account was created.
SID filtering uses the domain SID to verify each security principal. If a security principal includes a domain SID other than one from trusted domains, the SID filtering process
www.syngress.com
256_70-294_05.qxd
9/4/03
4:30 PM
Page 401
Working with Trusts and Organizational Units • Chapter 5
removes the SID in question.This is done to protect the integrity of the trusting domain.
This will prevent the malicious user from being able to elevate his or her own privileges or
those of other users.
There are some potential problems associated with SID filtering. It is possible for a user
whose SID contains SID information from a domain that is not trusted to be denied access
to the resources in the trusting domain.This is can be a problem when universal groups are
used. Universal groups should be verified to contain only users that belong to the trusted
domain.
SID filtering can be disabled if there is a high level of trust for all administrators in the
affected domains, there are strict requirements to verify all universal group memberships,
and any migrated users have their SIDHistories preserved.To disable SID filtering, use the
netdom command.
EXAM
70-294
Working with Organizational Units
OBJECTIVE
3.3.1 An OU is a frequently misunderstood unit inside Active Directory. An OU is simply a con3.4.3 tainer in Active Directory that can contain any of the following:
■
Users
■
Groups of users
■
Printers
■
Shared folders
■
Computers
■
Other OUs
OUs are security boundaries. Many people confuse an OU with a security group.The
key to understanding the difference begins with understanding what each is designed to
accomplish. A security group is used to control access to a resource. In other words, permissions to a file, folder, or printer are set on security groups to manage the users as they try to
access the object. Policies are set on OUs, to control what users can see and do on their
computers, such as changing their wallpaper, accessing the Control Panel, what applications
they can use, or whether they can shut down the computer. Policies can control either users
or computers.
The means by which policies are applied is the Group Policy Object (GPO). GPOs can
be applied to domains, sites, and OUs.The smallest scope that can have a GPO applied to it
is the OU. It is also the last unit to which the GPO is applied, as it is the closest unit to the
security object (the user account or computer account).The GPO gives us the ultimate in
control over users and computers.
Creating OUs inside a domain allows for two different types of hierarchies. One hierarchy is the structure of the domain and child domains; the other hierarchy is the structure
of the OU and its child OUs.The two hierarchies give you flexibility in how to manage
www.syngress.com
401
256_70-294_05.qxd
402
9/4/03
4:30 PM
Page 402
Chapter 5 • Working with Trusts and Organizational Units
the organization.The concept of placing one OU inside another is called nesting. Although
there are no limits to the number of nested OUs, Microsoft recommends that you not
exceed 10 levels of nesting.
Understanding the Role of Container Objects
OUs are not security principals. Security principals are user accounts, group accounts, and
computer accounts. OUs are containers that are used to organize the Active Directory.
The purpose of creating OUs is to allow the administrator to create a container that can be
used to implement security policies, run scripts, deploy applications, and delegate authority
for granular administrative control.
TEST DAY TIP
Domain local groups and global groups are used to manage users and control
access to resources. OUs are created to reflect the organizational structure, to
manage security polices, and to delegate authority.
EXAM
70-294
Creating and Managing Organizational Units
OUs are created and managed in the Active Directory Users and Computers tool in
3.4 the Administrative Tools.This tool allows you to add OUs to the domain. After adding
3.4.1
an OU, you have the ability to delegate control, add members, and move the OU. All of
these activities can be accomplished by right-clicking on the OU that you want to manage
and selecting the appropriate action from the context menu.The context menu will give
you options to delete, rename, and enter the properties of the OU as well.
Configuring & Implementing...
OBJECTIVE
Configuring and Implementing Organizational Units
Active Directory provides us the potential to create multiple structures to represent our organizations. The goal is to provide enough flexibility to accomplish our
tasks in a fashion that makes the most sense. The physical layout of the network
is encompassed using sites, subnets, and site links. The logical layout of the
Active Directory uses OUs. Remember to always note the differences between the
physical and the logical layouts when designing the structure.
Often, administrators create the OU structure based on the departmental
hierarchy. This is not always the best practice. You should create OUs for applying
GPOs, hiding Active Directory objects or part of the Active Directory tree from a
part of the organization, or for the delegation of authority. Remember, if you
have not clearly defined the purpose of the OU, then you probably shouldn’t
create it.
Continued
www.syngress.com
256_70-294_05.qxd
9/4/03
4:30 PM
Page 403
Working with Trusts and Organizational Units • Chapter 5
For each OU that you plan to create, you should be able to document its purpose, a list of the users who will have control over it, and how much and the type
of control they will have.
The Properties window of an OU has three tabs:
■
General
■
Managed By
■
Group Policy
The General tab allows you to enter a description of the OU, street, city, state/providence, zip/postal code, and country/region information.
The Managed By tab allows you to change the user account that manages the OU.
When a user account has been selected, the tab will display information about the account,
such as office, address, and telephone numbers.This is read for the corresponding section of
the user information stored about that user account.The Managed By tab has three buttons to manage this section of the OU Properties: Change,View, and Clear.The Change
button opens a user window so you can select the account that will be used to manage the
OU.The View button lets you see the user’s account Properties window.You have the
opportunity of making any necessary changes to the user’s account.The Clear button
removes the user account from the Managed By tab.
The Group Policy tab is discussed in the next section.
EXERCISE 5.02
CREATING AN ORGANIZATIONAL UNIT
1. Open Active Directory Users and Groups by clicking Start | Control
Panel | Performance and Maintenance | Administrative Tools, and
then double-click Active Directory Users and Groups.
2. In the console tree, right-click on the domain node. Select New in the
context menu, and then select Organizational Unit.
3. In the New Organizational Unit window, type the name of the OU.
4. Click OK to create the OU.
5. Right-click on the new OU and select Properties from the menu.
6. On the General tab, enter a description to explain the purpose of the
OU (see Figure 5.10).
www.syngress.com
403
256_70-294_05.qxd
404
9/4/03
4:30 PM
Page 404
Chapter 5 • Working with Trusts and Organizational Units
Figure 5.10 OU Properties
7. Click on the Managed By tab (see Figure 5.11). Click the Change
button. Select a user account to manage the OU from the Users and
Groups window.
Figure 5.11 Managed By Properties
8. Click the Group Policy tab (see Figure 5.12). Click the New button to
create a new GPO.
www.syngress.com
256_70-294_05.qxd
9/4/03
4:30 PM
Page 405
Working with Trusts and Organizational Units • Chapter 5
Figure 5.12 Group Policy Properties
9. Rename the GPO by typing the new name.
10. Right-click on the GPO, and select No Override from the menu. Notice
the check mark by the GPO in the No Override column (see Figure 5.13).
Figure 5.13 No Override Option
11. Click the Edit button. From the GPO window, double-click User
Configuration | Administrative Templates | Start Menu & Taskbar.
Double-click Remove Favorites menu from Start Menu. In the window
that opens, click Enable to remove favorites from the Start menu.
www.syngress.com
405
256_70-294_05.qxd
406
9/4/03
4:30 PM
Page 406
Chapter 5 • Working with Trusts and Organizational Units
12. Click the Explain tab. This defines what the impact of your actions will
be.
13. Click OK to close the Remove Favorites menu from Start Menu
window.
14. Close the GPO window.
15. Check the Block Inheritance option.
16. Right-click on the GPO and select Disable from the menu.
17. Close all windows.
Applying Group Policy to OUs
One of the fundamental reasons for creating an OU is to apply a GPO to it. After creating
the OU, you can then create a new GPO or apply an existing GPO.The Group Policy
tab found in the OU Properties window is the most important tab of the OU properties.
This is where you create, associate, and edit the GPOs that will affect the OU.This tab has
the following buttons:
■
New
■
Add
■
Edit
■
Options
■
Delete
■
Properties
The New button will create a new GPO.When it is clicked, you need to supply the
name for the new GPO.
After the GPO is created, use the Edit button to edit its configuration settings.The
GPO is broken into two sets of configuration settings, Computer and User. Each of these settings is further defined by three categories of settings: Software, Windows, and Administrative
Templates.These are the settings you use to control the OU (or other unit to which the
GPO is applied).
The Add button lets you create a Group Policy Object Link.The link lets you apply
an existing GPO to the OU.You will have the ability to navigate through the domain to
locate the existing GPO and link it to the new OU.
The Options button gives you two options: No Override and Disable. Disable is very
intuitive; it will disable the GPO.The No Override option is used by a parent OU’s GPO to
ensure that the settings in the GPO are not overridden by a child OU’s GPO.These options
can be accessed by right-clicking the GPO and selecting the option from the context menu.
www.syngress.com
256_70-294_05.qxd
9/4/03
4:30 PM
Page 407
Working with Trusts and Organizational Units • Chapter 5
The Properties button opens the Properties window for the GPO.The Properties
window has three tabs: General, Links, and Security.The General tab displays a
Summary section and a Disable section.The Summary section displays GPO information
such as the date created, date last modified, revision versions, domain name, and the unique
name of the GPO.The Disable section allows you to disable either or both sets of configuration settings.You can disable the Computer Configurations Settings and/or the User
Configuration Settings. Disabling unused parts of the GPO increases performance.The
Links tab displays all of the sites, domains, or OUs found that use the GPO. It has a Find
button to assist you in locating where the GPO has been applied.The Security tab sets the
permissions for the GPO.
The permissions that are set via the Security tab control the level of access that a user
or group of users has over the GPO.The levels of permissions are:
■
Full Control
■
Read
■
Write
■
Create Child Objects
■
Delete Child Objects
■
Apply Group Policy
The last button is Delete, which is used to delete a GPO.
At the bottom of the Group Policy tab is the option to Block Inheritance. Block
Inheritance will block settings from the GPOs that would otherwise be inherited from a
parent OU.This gives the child OU the ability to control which settings to accept from the
parent OUs. However, if the parent has set the No Override and the child sets Block
Inheritance, the No Override setting takes precedence.
TEST DAY TIP
The relationship between GPOs and OUs is one that makes for easy test questions.
Pay particular attention to the effects of the No Override setting and the Block
Inheritance setting.
EXAM
70-294
Delegating Control of OUs
Delegation of control over an OU is done to alleviate the tasks of the network administra3.4.2 tors from performing the routine functions of an OU. Often, a manager or supervisor
whose account is in the OU will have a better understanding of the daily tasks associated
with the users and computers that belong to the OU, and is thus well positioned to take
care of the OU. Delegation is a simple process. A wizard will walk you through the process.
The Delegation of Control Wizard is discussed later in the chapter.
OBJECTIVE
www.syngress.com
407
256_70-294_05.qxd
408
9/4/03
4:30 PM
Page 408
Chapter 5 • Working with Trusts and Organizational Units
After you have decided to whom you want to delegate control, decide on which tasks
to delegate.You have the ability to delegate management control over users and groups as
well as the Group Policy Links.You can pass control of different activities to different
people in the organization.
Specifically, the levels of delegations are:
■
Create, delete, and manage user accounts
■
Reset passwords on user accounts
■
Read all user information
■
Create, delete, and manage groups
■
Modify the membership of a group
■
Manage Group Policy Links
As you can see, delegation can reduce the amount of daily management tasks required
by the network administrator.
TEST DAY TIP
The administrative task of delegating control to others is one that is likely to be
covered on the exam. It is likely to be a straightforward scenario that will ask you
to delegate control to another user or group of users. Pay attention to the levels of
control that can be delegated.
EXAM
70-294
OBJECTIVE
Planning an OU Structure and
Strategy for Your Organization
1.5
1.5.1
1.5.2 The OU structure can make your life easier—or it can do the opposite. If you spent time
3.3 planning the structure and the implementation, the chances improve that your life will
3.3.2 become easier and that you will be able to focus on the many facets of network administration without having to perform daily maintenance on the OUs and user issues such as
resetting passwords.Your strategy should include the following:
■
What OUs to create
■
What policies need to be applied to cover the security requirements of the OU
■
Who needs to be in charge of the OU (so you can delegate control to that user)
As with any structure, you will be faced with many decisions that need to be addressed;
for example, whether a domain or OU is more appropriate for a given scenario.When
making these decisions, remember to factor in the ease with which growth and changes can
be accommodated.
www.syngress.com
256_70-294_05.qxd
9/4/03
4:30 PM
Page 409
Working with Trusts and Organizational Units • Chapter 5
Head of the Class…
Domains or Organizational Units
One of the challenges that you will face when planning your domain and OU structure is whether to create an OU or create a new domain when you need to split off
part of the organization. There are some basic guidelines to help you determine
which is the appropriate choice for a given scenario.
You will want to create new domains when the organization is decentralized
and uses administrators for each of the sets of users and resources. Another reason
to create multiple domains is when you need to create a GPO that will require different Password or Account Lockout Policies. That’s because account policies can
only be applied at the local or domain level, not at the OU level.
You should create OUs for everything else. Specifically, create OUs to reflect
the organization’s structure, especially if the organizational structure is likely to
change. Create OUs so you can delegate control over users, groups, and resources.
Domains are not easy to modify after they are created, so it is best to create OUs
instead of domains, except when you have a specific reason to create separate
domains that cannot be satisfied by the creation of OUs.
EXAM WARNING
You might have a question where you will need to apply GPOs to containers that
have different Password or Account Lockout Policies requirements. Remember that
Password and Account Lockout Policies can only be applied to domains. Otherwise,
you would create OUs for the different GPOs.
Delegation Requirements
Delegation of control over an OU is frequently a necessity for many organizations.The delegation allows a local manager or IT staff member to control the OU.To delegate the control, you must be a member of the Enterprise Admins or Domain Admins global groups, or
you must have been granted the privilege of delegating control.
From a security standpoint, when you delegate control, you should first determine the
level of control that you want to grant. Just because you delegate basic administrative control over the OU does not mean that you fully relinquish control of the OU.
TEST DAY TIP
As you perform Exercise 5.03, pay attention to the levels of authority that you can
delegate. The exam might ask questions concerning the various levels of control
that can be granted.
www.syngress.com
409
256_70-294_05.qxd
410
9/4/03
4:30 PM
Page 410
Chapter 5 • Working with Trusts and Organizational Units
EXERCISE 5.03
DELEGATING AUTHORITY
1. Click Start | Programs | Administrative Tools | Active Directory
Users and Computers.
2. In the console tree, right-click the OU to be delegated. Select Delegate
Control in the context menu. This invokes the Delegation of Control
Wizard.
3. In the Delegation of Control Wizard, click Next to continue.
4. In the User or Groups window, click Add and then select the user who
will receive the delegated control. Click Add and then click OK. Click
Next to continue.
5. In the Tasks to Delegate window (see Figure 5.14), select the tasks
that you want to delegate. Click Next to continue.
Figure 5.14 Delegation Tasks
6. In the Completing Delegation of Control window, review the information and click Finish.
Security Group Hierarchy
One of the issues that will need to be evaluated as you deploy Active Directory is the answer
to this question:What is the effective policy that will be applied to a specific user? Because it is
www.syngress.com
256_70-294_05.qxd
9/4/03
4:30 PM
Page 411
Working with Trusts and Organizational Units • Chapter 5
possible for a user to have several layers of GPOs applied, it is very possible to have conflicting
policies.This section discusses how to evaluate which policy will ultimately apply.
The first concept that needs to be covered is the order in which policies are applied.
The first rule to remember is that a policy always overrides a profile setting.This becomes a
factor as users might be moved from one OU where they use roaming profiles that allow
the user a lot of liberty to configure their own settings. As these users are moved to another
OU where the users’ privileges are more controlled, they might notice that the user profile
settings are overwritten by the OU policies.
The next concept is the order of the application of polices. Group policy is applied in
this order:
■
Local computer policy
■
Site policy
■
Domain policy
■
OU policies, starting with the parent OU and working inward toward the security object through the child OUs
As an administrator, you still have further control over the application of policies.
Windows Server 2003 Active Directory has two settings that help you with this control: No
Override and Block Inheritance.The No Override setting is set to prevent a child OU
policy setting from overwriting the policy setting of the parent. It does not apply if the
policy setting is not set in the parent GPO.
The Block Inheritance setting allows you to control the inheritance of a policy setting in the parent by blocking it from being applied to the child. Even though you can set
Block Inheritance, if the No Override option is set, No Override will be the setting
that takes effect.
TEST DAY TIP
You might encounter questions on the exam that require you to evaluate a number
of different GPOs applied at site, domain, and OU level and determine the effective
policy for a particular user, computer, or OU. It is helpful, in these situations, when
there are multiple nested OUs, to draw a diagram of the OU structure to help you
see the relationships between parent and child containers.
www.syngress.com
411
256_70-294_05.qxd
412
9/4/03
4:31 PM
Page 412
Chapter 5 • Working with Trusts and Organizational Units
Summary of Exam Objectives
In this chapter, we covered several of the Microsoft exam objectives.The first of these
objectives is to establish trust relationships.Trust relationships are the relationships established between domains, trees, and forests so users in one domain can access the resources
in another domain.This could be accomplished by creating new user accounts for the
people who need to access the resources, but doing so would add to the administrative
overhead of the domain. Microsoft developed a better solution: trust relationships.
Trusts come in many flavors to meet the needs of the situation where users in one
domain need access to the resources in another domain. First, there are the default trusts
created between parent and child domains.These trusts are automatically created to simplify
usage of resources in a tree.The network administrator can create additional types of trusts
such as external, shortcut, realm, and forest trusts. External trusts link two external domains.
Shortcut trusts simplify the authentication paths needed to authenticate users. Realm trusts
are created to connect a non-Windows network to a Windows Server 2003 domain. Forest
trusts link forests together in the enterprise.
As you create these additional trust types, you can determine whether the trust will
work in one direction only, or if it can work in both directions.When the trust works in
both directions, it is called a two-way or bidirectional trust, and users in both domains have
access to resources in both domains.
Another issue is whether the trust is transitive. A transitive trust ”passes” through one
trusted domain to another. A transitive trust implies a trust relationship when more than
two domains are involved. If Domain A trusts Domain B, and Domain B trusts Domain C,
then Domain A trusts Domain C.This is sometimes not the effect you want when creating
trusts.The administrator has control over the transitive nature of the trust. As a further protection, SID filtering helps to prevent against elevation of privelege attacks that could
potentially be launched by rogue users who have administrative access in the trusted
domain.
The second part of this chapter covered working with organizational units (OUs). An
OU is a container used to organize the resources and users of the domain. OUs can contain
computers, users, groups of users, printers, shared directories, and other OUs. As the corporate infrastructure shifts, it is easy to move objects inside the Active Directory structure
from one OU to another.
One of the major reasons for creating an OU is to apply policy settings that affect the
Windows environment, security, and applications to the members of the OU.This is accomplished using Group Policy Objects (GPOs). Another major reason for creating OUs is to be
able to delegate control to a local manager or supervisor.This empowers local supervisors
with the ability to manage the users and computers within their realm of control.
Trusts and OUs are both important components of a Windows Server 2003 network,
and thus it is important to understand both, not only to master the objectives of Exam 70294, but to perform the duties of a network administrator.
www.syngress.com
256_70-294_05.qxd
9/4/03
4:31 PM
Page 413
Working with Trusts and Organizational Units • Chapter 5
Exam Objectives Fast Track
Working with Active Directory Trusts
Trusts allow users in one domain to access resources in another domain without
having to create additional accounts in the domain with the resources.
Whenever a child domain is created, two-way transitive trusts are automatically
created between the parent and the child.
Realm trusts are created to join a Windows Server 2003 domain to a nonWindows Kerberos realm.
Forest trusts are created between the root domains of two forests to allow users in
one forest to access resources in the other forest.
SID filtering is a security device that uses the domain SID to verify each security
principal.
Working with Organizational Units
OUs are Active Directory containers that can have users, groups, printers, shared
folders, computers, and other OUs as members.
OUs are created to help organize objects in the Active Directory; they are not
security principals.
The smallest scope to which a GPO can be assigned is an OU.
Control of the OU can be delegated to other users to simplify the task of
administration.
Planning an OU Structure and Strategy for Your
Organization
Create separate domains when you need decentralization of administrative
functions and for GPOs that use different Password and Account Lockout
Policies.
You must delegate control over an OU for others to be able to manage the OU.
GPOs are applied first to the local computer, then to the site, then to the domain,
then to parent OUs, and finally to child OUs.
You can control application of GPOs to child domains by using Block
Inheritance or by setting No Override.
www.syngress.com
413
256_70-294_05.qxd
414
9/4/03
4:31 PM
Page 414
Chapter 5 • Working with Trusts and Organizational Units
Exam Objectives
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are
designed to both measure your understanding of the Exam Objectives presented in
this chapter, and to assist you with real-life implementation of these concepts. You
will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: What are the differences between external, realm, and shortcut trusts?
A: An external trust is created to establish a relationship with a domain outside your tree
or forest. A realm trust is created to establish a relationship with a non-Microsoft network using Kerberos authentication. A shortcut trust is used to optimize the authentication process.
Q: What type of trust is needed to have users in a non-Windows Kerberos realm use
resources in a Windows 2003 domain?
A: A realm trust will allow users in the non-Windows Kerberos realm to have access to the
resources in a Windows 2003 domain.
Q: What type of trust needs to be created between the root domain and a domain that is
several layers deep inside the same tree?
A: None.Transitive two-way trusts are automatically created between the layers of the tree
structure.
Q: What is the difference between implied, implicit, and explicit trusts?
A: An implicit trust is one that is automatically created by the system. An example is the
trusts created between parent and child domains. An explicit trust is one that is manually created. An example is a forest trust between two trees. An implied trust is one that
is implied because of the transitive nature of trusts. An example is the trust between
two child domains that are in different trees, and a tree-root trust was created between
the roots of the tress.
Q: What exactly does SID filtering accomplish?
A: SID filtering is used to secure a trust relationship where the possibility exists that
someone in the trusted domain might try to elevate his or her own or someone else’s
privileges.
www.syngress.com
256_70-294_05.qxd
9/4/03
4:31 PM
Page 415
Working with Trusts and Organizational Units • Chapter 5
Q: What is the difference between an OU, site, and domain.
A: All three are containers to which a GPO can be assigned.The domain is the basic
building block of the organization. It can contain the other container types, site and
OUs.The site is a container that will represent the physical layout of the organization.
An OU is a logical container that can be used to implement security policies, run
scripts, deploy applications, and delegate authority for granular administrative control.
Q: What is the difference between an OU and a security principal?
A: A security principal is a user, group, computer, or service that holds an account and can
be given access to resources. An OU is a container that is used to organize objects in
the Active Directory. OUs are also boundary units that are used to apply the security
settings from a GPO.
Q: How and why is control of an OU delegated?
A: Control over a GPO is delegated to put the responsibility for the OU in the appropriate hands. Control is often delegated to the manager or supervisor responsible for
the users and computers in the OU.You delegate control by right-clicking on the OU
In Active Directory Users and Computers and selecting Delegate Control from
the menu.This launches the Delegation of Control wizard.You can also set the user
account that has management responsibilities from the Managed By tab in the OU’s
properties.
Q: How are GPOs applied?
A: GPOs applied to user configuration are applied as part of the logon process, whereas
GPOs applied to computer configuration are applied as part of the boot process. First,
any GPOs linked to the local computer are applied, followed by the site, then the
domain, and finally the OUs. GPOs linked to the parent OU are applied first followed
by the GPOs linked to the child. If a conflict exists in the settings of the various GPOs,
the one applied last takes precedence.
www.syngress.com
415
256_70-294_05.qxd
416
9/4/03
4:31 PM
Page 416
Chapter 5 • Working with Trusts and Organizational Units
Self Test
A Quick Answer Key follows the Self Test questions. For complete questions, answers,
and explanations to the Self Test questions in this chapter as well as the other
chapters in this book, see the Self Test Appendix.
Working with Active Directory Trusts
1. You are administering two domains, mycompany.com and denver.hr.mycompany.com.
Users in denver.hr.mycompany.com need to access resources in mycompany.com.You
want to optimize the trust relationships.What type of trust should you create to
allow this?
A. Cross-domain trust
B. Shortcut trust
C. External trust
D. None
2. Your company, mycompany.com, is merging with the yourcompany.com company.
The details of the merger are not yet complete.You need to gain access to the
resources in the yourcompany.com company before the merger is completed.What
type of trust relationship should you create?
A. Forest trust
B. Shortcut trust
C. External trust
D. Tree Root trust
3. Your boss just informed you that your company will be participating in a joint venture with a partner company. He is very concerned about the fact that a trust relationship needs to be established with the partner company. He fears that an administrator
in the other company might be able to masquerade as one of your administrators and
grant himself privileges to resources.You assure him that your network and its
resources can be protected from an elevated privilege attack. Along with the other
security precautions that you will take, what will you tell your boss that will help him
rest easy about the upcoming scenario?
A. The permissions set on the Security Accounts Manager (SAM) database will prevent the other administrators from being able to make changes.
www.syngress.com
256_70-294_05.qxd
9/4/03
4:31 PM
Page 417
Working with Trusts and Organizational Units • Chapter 5
B. The SIDHistory attribute tracks all access from other domains.Their activities can
be tracked in the System Monitor.
C. The SIDHistory attribute from the partner’s domain attaches the domain SID for
identification. If an account from the other domain tries to elevate its own or
another user’s privilege, the SID filtering removes the SID in question.
D. SID filtering tracks the domain of every user who accesses resources.The
SIDHistory records this information and reports the attempts to the Security log
in Event Viewer.
4. You recently completed a merger with yourcompany.com. Corporate decisions have
been made to keep the integrity of both of the original companies; however, management has decided to centralize the IT departments.You are now responsible for
ensuring that users in both companies have access to the resources in the other company.What type of trust should you create to solve the requirements?
A. Forest trust
B. Shortcut trust
C. External trust
D. Tree Root trust
5. You recently created a trust relationship with a partner company for collaboration on
a joint project.This partner company has many such joint projects and has many trust
relationships with other companies.You created a share containing all the files needed
for the joint project.You worked with the partner company’s administrator and added
your project members to one of his existing universal groups that contains all of the
members in his domain who need access to the project files.You added them to the
permissions on the folder and the permissions on the share.You granted the universal
group Read access to the share permission and Read & Execute access to the folder
via NTFS permissions. SID Filtering has been enabled.The users in the universal
group are now complaining that they cannot gain access to the project’s files.What do
you need to do to fix the problem?
A. You need to upgrade the level of permissions on the folder to Modify so that the
universal group can have access.
B. You need to upgrade the level of permissions to Change on the share so that the
universal group can have access.
C. You need to break the trust relationship and recreate it; it has a corrupted file.
D. You need to have the domain administrator from the partner domain verify that
only members from his domain are in the universal group
www.syngress.com
417
256_70-294_05.qxd
418
9/4/03
4:31 PM
Page 418
Chapter 5 • Working with Trusts and Organizational Units
Working with Organizational Units
6. The development team of your company has started a new research project.They want
to ensure that only the members of their project team are allowed to see the new directories that they create.You created a new OU that contains the user accounts of the
development team, the computers they will be using, a shared folder where they are
going to place their research documents, and several printers that are to be isolated from
the rest of the company.They are concerned about who will have access to the new
directories. How will you protect the directories from unauthorized access?
A. Create a GPO that will limit access to the directories. Apply the GPO to the new
OU.
B. Create a GPO that will limit access to the directories. Apply the GPO to the
domain.
C. Create a security group that contains the members of the research group. Remove
the Everyone group from the ACL. Add the new group to the ACL and grant it
the appropriate permissions.
D. Do nothing. Since the directories and files are part of an OU, no one outside the
OU can access them.
7. You created three OUs for your domain: one called Corp, and two child OUs called
Sales and Tech.You create two GPOs, one called Desktop the other called Network.The
Desktop GPO specifies the desktop settings for all users.The Network GPO specifies
the network and Registry policies.The Registry policy prohibits users from being
able to edit the Registry.You first apply the Desktop GPO to the Corp OU and then
apply the Network GPO to the Corp OU.You want the members of the Tech OU to
be able to modify Registry settings.What should you do?
A. Nothing; because the GPOs were not applied to the Tech OU, they will not affect
the users.
B. Nothing; because you applied the Desktop GPO first, the Desktop GPO will not
take effect.
C. You should set No Override on the Tech OU so that its settings are not overridden.
D. You should set Block Inheritance on the Tech OU so that the settings from the
parent OU are not applied to the child OU.
8. Your Active Directory domain has one site and five OUs. Marketing and Technical are
child OUs to the Corp OU.The Marketing OU is a parent to the Sales and PR OUs.
You are using GPOs to configure environment and security policies on the network.
The following restrictions are in place:
www.syngress.com
256_70-294_05.qxd
9/4/03
4:31 PM
Page 419
Working with Trusts and Organizational Units • Chapter 5
■
Corp OU Disable Registry editing tools for all users
■
Marketing OU Disable modification of network connections for all users
■
Technical OU Corporate logo as desktop wallpaper for all users
■
Sales OU 3D Pipes screensaver for all users
■
PR OU High Contrast #1 color scheme for all users
Which restriction or restrictions will be in place for users in the Sales OU? (Choose
all that apply.)
A. Disable Registry editing tools for all users.
B. Disable modification of network connections for all users.
C. Corporate logo as desktop wallpaper for all users.
D. 3D Pipes screensaver for all users.
E. High Contrast #1 color scheme for all users.
9. You have an OU called Support.You have a GPO called RegEdit.The only setting in
the RegEdit GPO is that the use of the Registry editing tools has been disabled in
the User Configuration node. For performance reasons, the decision has been made to
limit the numbers of GPOs that are processed at logon.The decision has been made
to remove the requirement to disable the use of the Registry editing tools.What
should your course of action be to implement the new decisions?
A. Remove the RegEdit GPO from the Support OU.
B. Create a new GPO that enables the use of the Registry editing tools. Apply the
new GPO to the Support OU.
C. Edit the Registry on the computers used by the Support OU that will allow for
use of the Registry editing tools.
D. Configure a local GPO to allow the use of the Registry editing tools. Set the No
Override option to this policy.
10. You created three OUs for your domain: one called Corp, and two child OUs called
Sales and Tech.You create two GPOs, one called Desktop and the other called Network.
The Desktop GPO specifies the desktop settings for all users.The Network GPO
specifies the network and Registry policies.The Desktop policy prohibits users from
being able to change their wallpaper.You first apply the Desktop GPO to the Corp
OU, and then apply the Network GPO to the Corp OU.You delegated control of the
OU to the senior member of the Tech group. Later, the Tech OU manager modifies
the Desktop GPO to allow his users to change their wallpaper.What should you do
to ensure that their changes will not take effect?
www.syngress.com
419
256_70-294_05.qxd
420
9/4/03
4:31 PM
Page 420
Chapter 5 • Working with Trusts and Organizational Units
A. Nothing, since the GPOs were not applied to the Tech OU, they will not affect
the users.
B. You should set No Override on the Tech OU so that its settings are not overridden.
C. You should set No Override on the Corp OU so that its settings are not overridden.
D. You should set Block Inheritance on the Tech OU so that the settings from the
parent OU are not applied to the child OU.
11. Your network consists of a single domain and five OUs.The parent OU is named Corp.
Corp has two child OUs, First Floor and Second Floor.The First Floor OU has one child
OU, Sales.The Second Floor OU has one child OU, Administration. All of the company’s
DCs are members of the Corp OU.The First Floor and Second Floor OUs contain the
resources that belong to their respective floors.The Sales OU has nonadministrative
computers, users, and groups.The Administration OU has the administration computers,
users, and groups.You need to design a domainwide security policy that will accomplish
the following goals:
■
All users need to have the same password and lockout policy.
■
Audit policies are required for only the DCs.
■
The nonadministrative computers do not need the same level of security applied
to them as is required for the administrative computers.
■
The number of group policies to be processed at logon needs to be minimized.
You take the following actions:
■
Create a single GPO.
■
Import a security template for the DCs.
■
Link the GPO to the domain.
Which of the desired results are achieved by your actions?
A. All users have the same password and lockout policy.
B. Audit policies implemented only on the DCs.
C. The nonadministrative computers have the same level of security applied to them
as is required for the administrative computers.
D. The number of group policies to be processed at logon is minimized.
www.syngress.com
256_70-294_05.qxd
9/4/03
4:31 PM
Page 421
Working with Trusts and Organizational Units • Chapter 5
Planning an OU Structure
and Strategy for Your Organization
12. Your Active Directory domain consists of one site.You have three OUs.The Corp OU
is a parent OU to the Sales OU and Training OU.You have specified restrictions in various group policies and included them in GPOs. On the Corp OU, there is a linked
GPO, which prevents users from using Registry editing tools.The Sales OU has a linked
GPO that specifies a company logo as the desktop for all users.The Training OU has a
linked GPO that disables users from modifying network connections. All other group
policy settings are set to defaults.What restrictions (if any) will users in the Sales OU be
under when they log on to the network? (Choose all that apply.)
A. They cannot edit the Registry.
B. They have the company logo as their desktops.
C. They cannot modify network connections.
D. They will have no restrictions.
13. You have been tasked to ensure that network security policies are in place, and standards
are implemented for users’ configurations.The network is a single Active Directory
domain network.There are five OUs: Corp, Sales, Marketing, Development, and
Technical.The Corp OU is a parent OU to all other OUs.You are given the following
list of objectives to meet:
■
All users must be prohibited from editing their Registries.
■
All users must have a password of at least eight characters.
■
Users in the Sales and Marketing OUs must not be able to store more than
50MB of data on any server.
■
Users in the Development OU must change their passwords every 30 days.
■
All policy settings should only affect their intended targets.
Which of the following solutions will accomplish all of your objectives?
A. Create a GPO called Policy, with settings prohibiting users from using Regedit,
and requiring passwords of at least eight characters. Link Policy to the Corp OU.
Create a GPO called Data, with disk quotas set at 50MB. Link Data to the Sales
OU and to the Marketing OU. Create a GPO called Password, making users
change their passwords every 30 days. Link Password to the Development OU.
www.syngress.com
421
256_70-294_05.qxd
422
9/4/03
4:31 PM
Page 422
Chapter 5 • Working with Trusts and Organizational Units
B. Create a GPO called Policy, with settings prohibiting users from using Regedit,
and requiring passwords of at least eight characters. Link Policy to the domain.
Create a GPO called Data, with disk quotas set at 50MB. Link Data to the Corp
OU. Create a GPO called Password, making users change their passwords every
30 days. Link Password to the Development OU.
C. Create a GPO called Policy, with settings prohibiting users from using Regedit,
and requiring passwords of at least eight characters. Link Policy to the Corp OU.
Create a GPO called Data, with disk quotas set at 50MB. Link Data to the Corp
OU. Create a GPO called Password, making users change their passwords every
30 days. Link Password to the Corp OU.
D. Create a GPO called Policy. In Policy, define settings prohibiting users from using
Regedit, requiring passwords of at least eight characters, setting disk quotas at
50MB, and a maximum password age of 30 days. Link Policy to the Corp OU.
14. Your Active Directory domain has two OUs.The Corp OU is a parent OU to the
Technical OU.You have implemented a GPO linked to the Corp OU.You do not
want those settings affecting the users in the Technical OU. How can you accomplish
this with minimal effort?
A. On the GPO linked to the Technical OU, select Block Policy inheritance.
B. On the GPO linked to the Corp OU, select Block Policy inheritance.
C. On the GPO linked to the Technical OU, negate any options set in the Corp OU
by choosing Disabled for those options.
D. On the GPO linked to the Technical OU, select No Override.
15. John Smith is a junior network administrator for your company. His user account is
JSmith.You want him to take charge of linking all network group policies to the
appropriate OUs. Because of his experience level, you do not want him to have additional controls over the OUs.What is the easiest way to accomplish this?
A. Use the Delegation of Control Wizard. Select JSmith, and check Create, delete,
and manage groups.
B. Use the Delegation of Control Wizard. Select JSmith, and check Manage Group
Policy links.
C. Use the Delegation of Control Wizard. Select JSmith, and check Create and
Modify Group Policy.
D. Use the Delegation of Control Wizard. Select JSmith, and check Apply Group
Policy.
www.syngress.com
256_70-294_05.qxd
9/4/03
4:31 PM
Page 423
Working with Trusts and Organizational Units • Chapter 5
Self Test Quick Answer Key
For complete questions, answers, and explanations to the Self Test questions in this
chapter as well as the other chapters in this book, see the Self Test Appendix.
1. D
9. A
2. C
10. C
3. C
11. A, D
4. A
12. A, B
5. D
13. A
6. C
14. A
7. D
15. B
8. A, B, D
www.syngress.com
423
256_70-294_05.qxd
9/4/03
4:31 PM
Page 424
256_70-294_06.qxd
9/5/03
3:29 PM
Page 425
Chapter 6
MCSA/MCSE 70-294
Working with
Active Directory Sites
Exam Objectives in this Chapter:
1.4
Implement an Active Directory site topology.
2.2
Manage an Active Directory site.
2.2.3
Configure site boundaries.
1.4.1
Configure site links.
2.2.2
Configure site link costs.
2.2.1
Configure replication schedules.
2.5.1
Diagnose and resolve issues related to Active Directory
replication.
1.4.1
Configure site links.
2.3
Monitor Active Directory replication failures. Tools might
include Replication Monitor, Event Viewer, and support
tools.
2.3.1
Monitor Active Directory replication.
2.3.2
Monitor File Replication service (FRS) replication.
425
256_70-294_06.qxd
426
9/5/03
3:29 PM
Page 426
Chapter 6 • Working with Active Directory Sites
Introduction
In the previous chapter, we saw the logical structure of the network as defined by forests
and domains. Sites and the subnets, of which sites are comprised, define the physical structure of an Active Directory network. Sites are important in an enterprise-level multiple
location network for creating a topology that optimizes the process of replicating Active
Directory information between domain controllers (DCs). Sites are used for replication and
for optimizing the authentication process by reducing authentication traffic across slow,
high-cost WAN links. Site and subnet information is also used by Active Directory-enabled
services to help clients find the nearest service providers.
In this chapter, we discuss the role of sites in the Active Directory infrastructure, and
how replication, authentication, and distribution of services information work within and
across sites.We explain the relationship of sites with domains and subnets, and how to create
sites and site links.
You’ll also learn about site replication and how to plan, create, and manage a replication
topology.We’ll walk you through the steps of configuring replication between sites, and discuss how to troubleshoot replication failures.
Understanding the Role of Sites
In today’s distributed network environment, the communication must always be rapid and
reliable. Geographical and other restrictions resulted in the need to create smaller networks,
known as subnets.These subnets provide rapid and reliable communication between locations, which can also be attained in larger networks by using Microsoft Windows Server
2003 Active Directory Sites.They ensure rapid and reliable communication by using the
methods offered by Microsoft Windows Server 2003 Active Directory Sites to regulate
inter-subnet traffic.
A site defines the network structure of a Windows Server 2003 Active Directory. A site
consists of multiple Internet Protocol (IP) subnets linked together by rapid and reliable connections.The primary role of sites is to increase the performance of a network by economic and rapid transmission of data.The other roles of sites are replication and
authentication.The Active Directory physical structure manages when and how the authentication and replication must take place.The Active Directory physical structure allows the
management of Active Directory replication scheduling between sites.The performance of
a network is also based on the location of objects and logon authentication as users log on to
the network.
TEST DAY TIP
As a network administrator, you must be familiar with the various roles and services
offered by the Active Directory Sites. You needn’t worry about memorizing every
detail for this particular exam. What you do have to know are the basics of how each
role and services of Active Directory Sites works, and how Active Directory Sites can
be used efficiently in terms of data transmission as part of a large network.
www.syngress.com
256_70-294_06.qxd
9/5/03
3:29 PM
Page 427
Working with Active Directory Sites • Chapter 6
Replication
Replication is defined as the practice of transferring data from a data store present on a
source computer to an identical data store present on a destination computer to synchronize
the data. In a network, the directory data must live in one or more places on the network
to be equally available to all users.The Active Directory directory service manages a replica
of directory data on one or more DCs, ensuring the availability of directory data to all
users.The Active Directory works on the concept of sites to perform replication efficiently,
and uses the Knowledge Consistency Checker (KCC) to choose the best replication topology
for the network automatically.
NOTE
The KCC is a process that runs on a DC, and identifies the most efficient replication
topology for the network automatically, based on the data provided by the network in Active Directory Sites and Services.
Authentication
Authentication is a process by which a system validates users, using the logon information
provided.The authentication process includes the confirmation of the source and integrity
of information, such as verifying the identity of a user or computer.The information such
as user’s name and password are verified with the data available in the system. If the system
finds a match, access is granted and an access token is generated that is used to subsequently
determine the user’s level of access to objects according to the DACLs on those objects.
The granting of the level of access based on permissions is called authorization.
An important characteristic of authentication in the Windows Server 2003 family is its
support for single sign-on.The single sign-on feature allows a user to log on to the network
once, using a single password, and authenticate to any computer in a network.
The single sign-on feature offers the following security advantages:
■
For a user, the use of a single password reduces ambiguity and increases the work
efficiency of the system.
■
For administrators, the level of administrative support needed for authenticating
the domain users is reduced, since the administrator needs only to maintain one
account per user.
EXAM WARNING
Make sure you are familiar with the advantages of the single sign-on feature and
how it works.
www.syngress.com
427
256_70-294_06.qxd
428
9/5/03
3:29 PM
Page 428
Chapter 6 • Working with Active Directory Sites
Windows Server 2003 uses two methods to carry out authentication:
■
Interactive logon authentication
■
Network authentication
TEST DAY TIP
As a network administrator, you must be familiar with the various authentication
mechanisms offered by Active Directory Sites. You needn’t worry about memorizing every detail for this particular exam. What you do have to know are the
basics of how each of the authentication mechanisms of the Active Directory Sites
works, and how Active Directory Sites can be used efficiently in terms of user
authentication in a network.
Interactive Logon Authentication
Interactive logon authentication verifies the user’s logon information to either a domain
account or to a local computer.This process of authentication is based on the type of user
account, such as a domain account or a local computer account:
■
With a domain account, a user logs on to the network by providing logon information such as a password or smart card, using single sign-on data stored in the
Active Directory directory service.When a user logs on to the network with a
domain account, the user can access resources both in the domain to which he or
she logs on and any other trusted domains.
■
With a local computer account, a user logs on to a local computer by providing
logon information stored in the Security Accounts Manager (SAM) on the local
machine.
NOTE
SAM is a local security account database for local computer accounts. Local user
accounts are usually stored on workstations or servers, and can only be used to
access the local computer, not resources on any other computer on the network.
Network Authentication
Network authentication verifies the user’s identification to a network service to which the
user tries to gain access.To offer this type of authentication, the security system of Windows
Server 2003 supports authentication mechanisms:
www.syngress.com
256_70-294_06.qxd
9/5/03
3:29 PM
Page 429
Working with Active Directory Sites • Chapter 6
■
Kerberos V5
■
Secure Socket Layer/Transport Layer Security (SSL/TLS)
When a domain account is used, network authentication occurs transparently and in
the background via Kerberos or TLS/SSL. Users who use a local computer account must
give user credentials such as a username and password while trying to gain access to a network resource.
EXAM WARNING
Make sure you know the differences between interactive logon authentication and
network authentication in Windows Server 2003.
Distribution of Services Information
Active Directory distributes a wide range of service information.The DCs are also used to
distribute directory information and generate responses for each service request.The Active
Directory distributes service-centric information such as configurations and bindings.The distribution of this type of information enables the services to be more accessible by clients
and is easily manageable for administrators.
The distribution of services information in Active Directory enables the client and
applications to get information from the directory.This information is then used to access
the services offered by the servers present on the network. Figure 6.1 shows how the services information is accessed between the client, server, and a DC in a network.
Figure 6.1 Services Information Shared between a Client, Server, and
a Domain Controller
Domain
Controller
1
2
3
Client
Server
www.syngress.com
429
256_70-294_06.qxd
430
9/5/03
3:29 PM
Page 430
Chapter 6 • Working with Active Directory Sites
In Figure 6.1, the client shares the services information between a client, server, and a
DC in three steps:
1. The client makes a request.
2. The client receives the services information from a DC as a response.
3. The clients available on the network server then use the services information.
TEST DAY TIP
Make sure you know the wide range of services information offered by the Active
Directory Sites. Be aware of how the services information is accessed between the
client, server, and a DC on a network.
Certain sets of services are distributed by the directories by default, including file and
print services, storage management, Active Directory, and management services.These sets
of services can be modified in the directories to meet the needs of your network environment.The distribution of services to the directory provides the following benefits:
■
Resource availability This Active Directory model is a service-centric model
that enables the client to provide access to the distributed network services. Since
the services information is distributed to the directory, clients needn’t store the
resource’s location.
■
Administration Distributing services in Active Directory enables the administrator to resolve configuration-related problems in a network centrally, instead of
having to visit individual computers.This feature ensures that all the services
employ the latest configuration information.
■
Publishing services This process enables the data or operations available to the
network users. Publishing a service in Active Directory enables users and administrators to move from a machine-centric view of the network to a service-centric
view.
EXAM WARNING
Make sure you are familiar with the benefits of distribution of services to the directory, and how it works to provide them for you.
www.syngress.com
256_70-294_06.qxd
9/5/03
3:29 PM
Page 431
Working with Active Directory Sites • Chapter 6
Relationship of Sites to Other
Active Directory Components
A site is as a collection of inter-connected computers that operates over IP subnets. A site is
also a place on a network having high bandwidth connectivity.The relationship of sites to
Active Directory components is based on the following network operations performed
by sites:
■
Control of replication occurrences
■
Changes made with the sites
■
How efficiently DCs within a domain can communicate
Relationship of Sites and Domains
A site can contain one or more domains, and a domain can be part of one or more sites.
Sites and domains do not have to maintain the same namespace. Sites and domains are interrelated to each other because sites control replication of the domain information.
Head of the Class…
The Relationship of Sites and Domains
Domains are also defined as units of replication. Through the use of SRV records,
the DNS server provides information regarding the location of domain controllers
in various sites. A Domain Name System (DNS) server recognizes each domain that
is present in a particular site. If your network requires more than one domain, you
can easily create multiple domains. Figure 6.2 illustrates the relationship between
sites and domains in a network, and helps us to understand that a site can have
one or more domains, and a domain can have one or more sites.
In Figure 6.2, we see how multiple sites reside in a single domain, and how a
single site can consist of multiple domains. A domain provides the following benefits:
■
Organizing domain objects.
■
Publishing of resources and information about domain objects.
■
Applying Group Policy Objects (GPOs) to the domain to perform
resource and security management
■
Delegating authority eliminates the need for administrators with broad
administrative authority.
■
Security policies and settings such as user rights and password policies
do not change from one domain to another.
■
Each domain stores only the information about the objects located in
that domain.
Continued
www.syngress.com
431
256_70-294_06.qxd
432
9/5/03
3:29 PM
Page 432
Chapter 6 • Working with Active Directory Sites
Figure 6.2 The Relationship of the Sites and Domains Present
in a Network
Domain
Site
Site
Site
Domain
Domain
EXAM WARNING
Make sure you are familiar with the benefits provided by a domain, and how it
works to provide them for you.
For more information on the working of domains, see Chapter 4, “Working with
Forests and Domains.”
www.syngress.com
256_70-294_06.qxd
9/5/03
3:29 PM
Page 433
Working with Active Directory Sites • Chapter 6
Physical vs. Logical Structure of the Network
The sites present in an Active Directory denote the physical structure of a network.The physical structure information is available as site and site link objects in the directory.This information is used to build the most efficient replication topology. Generally, Active Directory
Sites and Services are used to define sites and site links.
Sites represent the physical structure of the network, and domains represent the logical
structure of the organization. In Active Directory, sites map the physical structure of a network, while domains map the logical or administrative structure of an organization.This partitioning of physical and logical structure offers the following advantages:
■
You can develop and manage the logical and physical structures of your network
independently.
■
You do not have to base domain namespaces on your physical network.
■
You can deploy DCs for multiple domains within the same site.
■
You can deploy DCs for the same domain in multiple sites.
TEST DAY TIP
Make sure you know and understand the differences between the physical and the
logical structure of the network. Be aware of how each is used to build the most
efficient replication topology.
The Relationship of Sites and Subnets
In Active Directory, a site consists of a set of computers that are inter-connected in a local
area network (LAN). Computers within the same site typically exist in the same building,
or on the same campus network. A single site consists of one or more IP subnets.These
subnets are a section of an IP network, with each subnet having a unique network address.
A subnet address consists of a cluster of neighboring computers in much the same way
as the postal codes group neighboring postal addresses. Figure 6.3 shows one or more
clients residing within a subnet that defines an Active Directory site.
The subnet created through Active Directory Sites and Services are sections of an IP
network, with each subnet having a unique network address. In Figure 6.3,
172.16.224.0/19 is a unique network address of the Active Directory site.
Sites and subnets are represented in Active Directory by site and subnet objects, which
we create through the Active Directory Sites and Services administrative tool. Each site
object is associated with one or more subnet objects.
www.syngress.com
433
256_70-294_06.qxd
434
9/5/03
3:29 PM
Page 434
Chapter 6 • Working with Active Directory Sites
Figure 6.3 Active Directory Site with One or More Client Computers
Active Directory site
Client
EXAM
70-294
Creating Sites and Site Links
OBJECTIVE
1.4 In the previous sections, we discussed the concepts of sites and subnets.To review, sites and
2.2 the subnets define the physical structure of an Active Directory network. A site is a collec2.2.3 tion of inter-connected computers that operate over subnets, sharing a network with high
bandwidth connections.The high bandwidth connection is represented by the difference
between the highest and lowest frequencies in a given range. Site links represent physical
connections between sites, which enables communication between sites.
NOTE
The Windows Server 2003 Active Directory consists of the default site link, named
DEFAULTIPSITELINK, which is created automatically when the first domain in the
network is created. This link is assigned to the Default-First-Site-Name site. These
are the names assigned automatically when you create the first site. You should
change the default names to something more descriptive.
Site Planning
You should plan thoroughly before creating and deploying an Active Directory. Site planning enables you to optimize the efficiency of the network and reduce administrative overwww.syngress.com
256_70-294_06.qxd
9/5/03
3:29 PM
Page 435
Working with Active Directory Sites • Chapter 6
head. High-performance sites are developed based on the proper planning of the physical
design of your network. Site planning enables you to determine exactly which sites you
should create and how they can be linked using site links and site link bridges. Site information is stored in the configuration partition, which enables you to create sites and related information at any point in your deployment of Active Directory.
Site planning enables you to publish site information in the directory for use by applications and services. Generally, the Active Directory consumes the site information.You’ll
see how replication impacts site planning later in the chapter.
Criteria for Establishing Separate Sites
When you initially create a domain, a single default Active Directory site called Default-SiteFirst-Name is created.This site represents your entire network. A domain or forest consisting
of a separate site can be highly efficient for a LAN connected by high-speed bandwidth.
NOTE
A forest is defined as multiple Active Directory domains that share the same class,
site, attribute definitions, and replication information (but not necessarily the same
namespace). The domains present in the same forest are linked with two-way transitive trust relationships.
When a network consists of a single subnet or multiple subnets joined by reliable, highspeed links, a single site topology offers the following advantages:
■
Simplified replication management
■
Regular directory updates between all DCs
Establishing a single site topology enables all replication to occur as intrasite replication,
which requires no manual replication configuration. A single site topology design enables
DCs to receive updates with respect to directory changes.
www.syngress.com
435
256_70-294_06.qxd
436
9/5/03
3:29 PM
Page 436
Chapter 6 • Working with Active Directory Sites
NOTE
Intrasite replication refers to replication among DCs within the same site. Intersite
replication refers to replication among DCs located at different sites.
Creating a Site
Sites are created using the Active Directory Sites and Services tool of Windows Server
2003. Exercise 6.01 walks you through the steps involved in creating a site.
Active Directory Sites and Services tool is a Microsoft Management Console (MMC)
that can be used to administer the replication of directory data.This tool can also be used
to create new sites, site links, subnets, and so forth.
EXERCISE 6.01
CREATING A NEW SITE
1. To open the Active Directory Sites and Services tool, click Start |
Control Panel | Administrative Tools | Active Directory Sites and
Services. The Active Directory Sites and Services console appears as
shown in Figure 6.4.
Figure 6.4 The Active Directory Sites and Services Tool
2. Highlight the Sites folder in the left-hand tree pane of the Active
Directory Sites and Services console. Right-click and select Sites folder
New | Site option from the context menu as shown in Figure 6.5.
www.syngress.com
256_70-294_06.qxd
9/5/03
3:29 PM
Page 437
Working with Active Directory Sites • Chapter 6
Figure 6.5 The New Site Option
3. Selecting the New Site option opens a New Object – Site dialog box
as shown in Figure 6.6.
Figure 6.6 The New Object – Site Dialog Box
4. Type the name of the site in the Name box present in the New Object
– Site dialog box as shown in Figure 6.7.
5. Select an initial site link object for the site from the New Object – Site
dialog box as shown in Figure 6.7.
www.syngress.com
437
256_70-294_06.qxd
438
9/5/03
3:29 PM
Page 438
Chapter 6 • Working with Active Directory Sites
Figure 6.7 The Name of the Site
6. Click OK. This completes the process of creating a site using the Active
Directory Sites and Services tool. Figure 6.8 shows the initial site link
object of the site.
Figure 6.8 The Initial Site Link Object for the Site
Renaming a Site
Renaming a site is one of the first tasks you should perform when administering a site
structure.When you create a site initially, it is created with the default name Default-FirstSite-Name.This name can be changed based on the purpose of the site, such as the name
of the physical location.
www.syngress.com
256_70-294_06.qxd
9/5/03
3:29 PM
Page 439
Working with Active Directory Sites • Chapter 6
A site is also renamed when a network of an organization is expanded by one or more
sites. Even if an organization is located in a single location, it makes sense to rename the
Default-First-Site-Name, because you never know when the network will expand.
Renaming a site enables administrators to differentiate sites present in a network easily and
perform administration tasks efficiently.
When a DC becomes aware that its site has been renamed, it will update its DNS
records appropriately. Because of issues with cached DNS lookups and client caching of site
names that will lead to temporary delays in connectivity directly after a rename, it’s best to
name and rename sites as early as possible in the deployment. After renaming a site, it’s
advisable to manually force replication with other DCs in the same site.
Sites are renamed using the Active Directory Sites and Services tool of Windows Server
2003. Exercise 6.02 walks you through the steps involved in renaming a site.
EXERCISE 6.02
RENAMING A NEW SITE
1. To open the Active Directory Sites and Services tool, click Start |
Control Panel | Administrative Tools. Double-click Active Directory
Sites and Services. The Active Directory Sites and Services dialog box
appears as shown in Figure 6.9.
Figure 6.9 The Active Directory Sites and Services Tool
2. Highlight the Sites folder in the left-hand tree pane of the Active
Directory Sites and Services console. Expand the Sites folder, and
you’ll see the sites shown with icons of small, yellow office buildings as
shown in Figure 6.10.
www.syngress.com
439
256_70-294_06.qxd
440
9/5/03
3:29 PM
Page 440
Chapter 6 • Working with Active Directory Sites
Figure 6.10 The Sites Folder
3. Right-click the site you want to rename and select the Rename option
from the context menu as shown in Figure 6.11.
Figure 6.11 The Rename Option
4. Type the new name of the site in the Name box in the left console
pane as shown in Figure 6.12.
www.syngress.com
256_70-294_06.qxd
9/5/03
3:29 PM
Page 441
Working with Active Directory Sites • Chapter 6
Figure 6.12 The Rename Dialog Box
5. Click OK. This completes the process of renaming a site using the Active
Directory Sites and Services tool.
Creating Subnets
Subnets are associated with the Active Directory sites to match client computers.The subnets are denoted by a range of IP addresses.The Active Directory Sites and Services user
interface prevents you from having to provide the subnet names manually; instead, you are
prompted for a network address. An example of a subnet name for an IP version 4 networks is 10.14.208.0/20.This IP address consists of two portions: the network address
appears before the slash, and after the slash is a representation of the subnet mask. Some
common subnet masks and the corresponding slash notations are shown in Table 6.1.The
number following the slash indicates the number of binary digits (bits) that make up the
network partition of the IP address. 255 in decimal translates to 11111111 in binary 8 bits),
thus you can see how the subnet masks in Table 6.1 translate to the corresponding slash
notations.
Table 6.1 Subnet Masks and Slash Notation
Subnet Mask
Slash Notation
255.0.0.0
255.255.0.0
255.255.255.0
/8
/16
/24
www.syngress.com
441
256_70-294_06.qxd
442
9/5/03
3:29 PM
Page 442
Chapter 6 • Working with Active Directory Sites
Subnets are created using the Active Directory Sites and Services tool of Windows
Server 2003. Exercise 6.03 shows the steps involved in creating subnets.
EXERCISE 6.03
CREATING SUBNETS
1. To open the Active Directory Sites and Services tool, click Start |
Control Panel | Administrative Tools, and then double-click Active
Directory Sites and Services. The Active Directory Sites and Services
console appears as shown in Figure 6.13.
Figure 6.13 The Active Directory Sites and Services Tool
2. Highlight the Sites folder in the left tree pane of the Active Directory
Sites and Services console. Expand the Sites folder as shown in
Figure 6.14.
Figure 6.14 The Sites Folder
www.syngress.com
256_70-294_06.qxd
9/5/03
3:29 PM
Page 443
Working with Active Directory Sites • Chapter 6
3. Right-click Subnets and select New Subnet from the context menu as
shown in Figure 6.15.
Figure 6.15 The New Subnet Option
4. Selecting the New Subnet option opens a New Object – Subnet dialog
box as shown in Figure 6.16.
Figure 6.16 The New Object – Subnet Dialog Box
5. Type the network address and subnet mask in the form of dotted decimal notation in the text boxes present in the New Object – Subnet
dialog box as shown in Figure 6.17.
www.syngress.com
443
256_70-294_06.qxd
444
9/5/03
3:29 PM
Page 444
Chapter 6 • Working with Active Directory Sites
Figure 6.17 The Network Address and Subnet Mask
6. Select a site object for this subnet from the list provided in the New
Object – Subnet dialog box as shown in Figure 6.18.
Figure 6.18 The Site Object
7. Click OK. This completes the process of creating a subnet using the
Active Directory Sites and Services tool.
Associating Subnets with Sites
After creating sites and subnets, the next step is to associate your subnets with sites.
Computers on Active Directory networks communicate with each other using the
Transmission Control Protocol/Internet Protocol (TCP/IP) assigned to sites based on their
www.syngress.com
256_70-294_06.qxd
9/5/03
3:29 PM
Page 445
Working with Active Directory Sites • Chapter 6
locations in a subnet. Remember that a site consists of one or more IP subnets.You specify
the subnets associated with each site on your network by creating subnet objects in the
Active Directory Sites and Services console.The association of subnets with sites enables
the computers on the Active Directory network to use the subnet information to find a
DC in the same site, so that authentication traffic will not cross over WAN links. Active
Directory also uses subnets during the replication process to determine the best routes
between DCs.
Subnets are associated with sites using the Active Directory Sites and Services tool of
Windows Server 2003. Exercise 6.04 walks you through the steps involved in associating
subnets with sites.
EXERCISE 6.04
ASSOCIATING SUBNETS
WITH
SITES
1. To open the Active Directory Sites and Services tool, click Start |
Control Panel | Administrative Tools, and then double-click Active
Directory Sites and Services.
2. Highlight the Subnet folder present in the left tree pane of the Active
Directory Sites and Services console (see Figure 6.19).
Figure 6.19 The Subnet Folder
3. Right-click the newly created subnet and select the Properties option;
this will open a Properties dialog box as shown in Figure 6.20.
4. Associate any site with this subnet by selecting the available site from
the site drop-down menu, and click OK, as shown in Figure 6.20.
www.syngress.com
445
256_70-294_06.qxd
446
9/5/03
3:29 PM
Page 446
Chapter 6 • Working with Active Directory Sites
Figure 6.20 Subnet Dialog Box for Associating/Changing the Site
5. Click OK. This completes the process of associating a subnet with a site
using the Active Directory Sites and Services tool.
EXAM
70-294
Creating Site Links
After creating and defining the scope of each site, the next step in the site configuration
1.4.1 process is establishing connections between the sites.The physical connectivity between the
2.2.2
sites is established between the Active Directory databases by site link objects. A site link
object is an Active Directory object that embodies a set of sites that can communicate at
uniform cost. A site link can consist of two or more sites. Because a site link joins two or
more sites with a uniform cost and replication schedule, they are used to determine the
efficiency and direction of replication traffic throughout the Active Directory topology.
Each site link is based on the following four components:
OBJECTIVE
■
Transport The networking technology to move the replication traffic.
■
Sites The sites that the site link connects.
■
Cost The value to calculate the site links by comparing to others, in terms of
speed and reliability charges.
■
Schedule The times and frequency at which the replication will occur.
Site links are created using the Active Directory Sites and Services tool of Windows
Server 2003. Exercise 6.05 walks you through the steps involved in creating site links.
www.syngress.com
256_70-294_06.qxd
9/5/03
3:29 PM
Page 447
Working with Active Directory Sites • Chapter 6
EXERCISE 6.05
CREATING SITE LINKS
1. To open the Active Directory Sites and Services tool, click Start |
Control Panel | Administrative Tools, and then double-click Active
Directory Sites and Services.
2. Highlight the Inter-Site Transports folder in the left tree pane of the
Active Directory Sites and Services console. Expand the Inter-Site
Transports folder as shown in Figure 6.21.
Figure 6.21 The Inter-Site Transports Folder
3. Right-click either the IP or SMTP folder (depending on what protocol
the network is based on) in the left tree pane of the Active Directory
Sites and Services console. Select New Site Link from the context
menu as shown in Figure 6.22.
Figure 6.22 The New Site Link Option
www.syngress.com
447
256_70-294_06.qxd
448
9/5/03
3:29 PM
Page 448
Chapter 6 • Working with Active Directory Sites
4. Selecting New Site Link option opens a New Object – Site Link dialog
box as shown in Figure 6.23.
Figure 6.23 The New Object – Site Link Dialog Box
5. Type the name of the new site link object in the Name box in the New
Object – Site Link dialog box as shown in Figure 6.24.
Figure 6.24 The Name of the New Site Link Object
6. Select two or more sites for establishing connection from the Sites not
in this site link box, and click Add as shown in Figure 6.25.
www.syngress.com
256_70-294_06.qxd
9/5/03
3:29 PM
Page 449
Working with Active Directory Sites • Chapter 6
Figure 6.25 Selecting Sites to Establish Connection
7. Click OK. This completes the process of creating a new site link object
using the Active Directory Sites and Services tool. Figure 6.26 shows the
final screen shot of the process.
Figure 6.26 ADSS Tool After Creating the New Site Link
EXAM
70-294
Configuring Site Link Cost
OBJECTIVE
Site link costs are calculated to determine how expensive an organization considers the net1.4.1
2.2.2 work connection between two sites that the site link is connecting.
Higher costs represent more expensive connections. If there are two site links available
between two sites, the lowest cost site link will be chosen. Each site link is assigned an IP or
www.syngress.com
449
256_70-294_06.qxd
450
9/5/03
3:29 PM
Page 450
Chapter 6 • Working with Active Directory Sites
SMTP transport protocol, a cost, a replication frequency, and an availability schedule. All
these parameters reflect the characteristics of the physical network connection.
The cost assigned to a site link is a number on an arbitrary scale that should reflect, in
some sense, the expense of transmitting traffic using that link. Cost can be in the range of 1
to 32,767, and lower costs are preferred.The cost of a link should be inversely proportional
to the effective bandwidth of a network connection between sites. For example, if you
assign a cost of 32,000 to a 64 kbps line, then you should assign 16,000 to a 128 kbps line
and 1000 to a 2 Mbps line. It makes sense to use a high number for the slowest link in your
organization. As technology improves and communication becomes cheaper, it’s likely that
future WAN lines will be faster than today’s, so there’s little sense in assigning a cost of two
for your current 128 kbps line and a cost of 1 for your 256 kbps line, because these low
link costs leave no room for future fexibility should you upgrade to quicker links.
Site link costs are configured using the Active Directory Sites and Services tool of
Windows Server 2003. Exercise 6.06 illustrates the steps involved in creating site link costs.
EXERCISE 6.06
CONFIGURING SITE LINK COSTS
1. To open the Active Directory Sites and Services tool, click Start |
Control Panel | Administrative Tools, and then double-click Active
Directory Sites and Services.
2. Highlight the Sites folder in the left tree pane of the Active Directory
Sites and Services console and expand the Sites folder.
3. Highlight the Inter-Site Transports folder in the left tree pane of the
Active Directory Sites and Services console and expand the Inter-Site
Transports folder as shown in Figure 6.27.
Figure 6.27 The Inter-Site Transports Folder
www.syngress.com
256_70-294_06.qxd
9/5/03
3:29 PM
Page 451
Working with Active Directory Sites • Chapter 6
4. Right-click the site link whose cost you want to configure in the left
tree pane of the Active Directory Sites and Services console, and
select Properties as shown in Figure 6.28. Selecting Properties opens a
dialog box as shown in Figure 6.29.
Figure 6.28 The Properties Option
Figure 6.29 The Properties Dialog Box
5. Type the value for the cost of replication of the site link object in the
Cost box in the dialog box as shown in Figure 6.30.
www.syngress.com
451
256_70-294_06.qxd
452
9/5/03
3:29 PM
Page 452
Chapter 6 • Working with Active Directory Sites
Figure 6.30 The Cost of the Site Link Object
6. Click OK. This completes the process of configuring the site link costs
using the Active Directory Sites and Services tool.
EXAM
70-294
OBJECTIVE
Understanding Site Replication
2.2 An essential process for any domain that has multiple DCs is replication. Replication ensures
2.2.1 that each copy of the domain data is up to date, and is done by sending information about
2.5.1
changes from one DC to another.
Every Windows domain typically has multiple servers that act as DCs. In Windows
Server 2003, every DC is capable of making changes to the database that has domain user
and computer accounts.
Purpose of Replication
Earlier versions of NT were configured in a single-master environment where the PDC
was used to maintain and manage the master copy of the domain database, and was also in
charge of replicating changes to the BDCs. In a single-master environment, if for some reason
th