MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure

PUBLISHED BY

Microsoft Press

A Division of Microsoft Corporation

One Microsoft Way

Redmond, Washington 98052-6399

Copyright © 2004 by Microsoft Corporation

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Cataloging-in-Publication Data

Spealman, Jill.

MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure / Jill Spealman, Kurt Hudson, and Melissa Craft.

p. cm.

Includes index.

ISBN 0-7356-1438-5

1. Electronic data processing personnel--Certification. 2. Microsoft software--Examinations--Study guides. 3. Directory services (Computer network technology)--Examinations--Study guides. 4. Microsoft Windows server. I. Title: Planning, implementing, and maintaining a Microsoft Windows Server 2003 Active Directory infrastructure. II. Hudson, Kurt. III. Microsoft Corporation. IV. Title.

QA76.3S6453 2003

005.7'13769--dc21

2003056122

Printed and bound in the United States of America.

1 2 3 4 5 6 7 8 9 QWT 8 7 6 5 4 3

Distributed in Canada by H.B. Fenn and Company Ltd.

A CIP catalogue record for this book is available from the British Library.

Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send comments to [email protected].

Active Directory, IntelliMirror, Microsoft, Microsoft Press, MS-DOS, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Acquisitions Editor: Kathy Harding

Project Editor: Julie Miller

For nSight Publishing Services (www.nsightworks.com)

Project Manager: Susan H. McClung

Technical Editor: Thomas Keegan

Proofreaders: Jan Cocker, Jolene Lehr,

Katie O’Connell, Robert Saley

Copyeditor: Melissa von Tschudi-Sutton

Desktop Publishing Specialist: Mary Beth McDaniel

Indexer: Jack Lewis

Body Part No. X08-16602

About the Authors

Jill Spealman, a technical writer and instructional designer, is the owner of Wordsmith, Inc., a Chicago-area company that develops training materials. Jill has written six training and certification books for Microsoft Press on Microsoft Windows NT and Microsoft Windows 2000, and she has received national awards for these works from the Society for Technical Communication. She has 16 years of experience developing documentation and training, and has worked for Thomson NETG, Wallace, Waste Management, Rockwell FirstPoint Contact, GAB Robins, and National Forwarding.

Kurt Hudson is an instructor, author, and consultant for computer technologies. In recent years, he has concentrated on the areas of computer networking, Active Directory, integrating UNIX and Microsoft Windows, and computer security. Kurt regularly teaches summer programs at Northern Arizona University in Flagstaff, Arizona. He also has taught several courses through Microsoft Research for several other universities, including the University of Colorado (Boulder), Texas A&M, Duke University—Fuqua College of Business, the University of Iowa, the University of California (San Diego), the University of Virginia, the University of North Carolina, Kansas State University (Manhattan), Case Western Reserve University, and the University of Florida (Gainesville).

Kurt has earned many technical certifications, including Microsoft Certified Systems Engineer (MCSE in Windows 2000, Windows NT 4.0+I, and Windows NT 3.51), Microsoft Certified Systems Administrator (MCSA), Cisco Certified Network Associate (CCNA), Certified Technical Trainer (CTT+), Security+, Network+, A+, and i-Net+. He also has a graduate degree in business management (Masters of Management) from Troy State University in Troy, Alabama. Further, he has written many books on computer-related topics and contributed to numerous other publications.

Melissa Craft (CCNA, MCNE, MCSE, Network+, CNE-3, CNE-4, CNE-GW, CNE-5, CCA) is the vice-president and CIO for Dane Holdings, Inc., a financial services corporation in Phoenix, Arizona, where she manages the Web development, LAN, and WAN for the company. During her career, Melissa has focused her expertise on developing enterprisewide technology solutions and methodologies focused on client organizations. These technology solutions touch every part of a system’s lifecycle, from assessing the need, determining the return on investment, network design, testing, and implementation to operational management and strategic planning. In 1997, Melissa began writing magazine articles on networking and the information technology industry. In 1998, Syngress hired Melissa to contribute to an MCSE certification guide. Since then, Melissa has continued to write about various technology and certification subjects.

Melissa holds a bachelor’s degree from the University of Michigan and is a member of the IEEE, the Society of Women Engineers, and American Mensa, Ltd. Melissa currently resides in Glendale, Arizona, with her family, Dan, Justine, and Taylor.

Contents at a Glance

Part 1

Learn at Your Own Pace

10 Implementing Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1

11 Administering Group Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1

12 Deploying Software with Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1

13 Administering Security with Group Policy . . . . . . . . . . . . . . . . . . . . . . . . 13-1

14 Managing Active Directory Performance . . . . . . . . . . . . . . . . . . . . . . . . 14-1

Part 2

Prepare for the Exam

15 Planning and Implementing an Active Directory Infrastructure (1.0) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3

16 Managing and Maintaining an Active Directory Infrastructure (2.0) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-1

17 Planning and Implementing User, Computer, and Group Strategies (3.0) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-1

18 Planning and Implementing Group Policy (4.0) . . . . . . . . . . . . . . . . . . . 18-1

19 Managing and Maintaining Group Policy (5.0) . . . . . . . . . . . . . . . . . . . 19-1

Part 3

Appendixes

A New Active Directory Features in the Windows Server 2003 Family. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1

B Active Directory Setup Answer File Parameters . . . . . . . . . . . . . . . . . . . . B-1

C User Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-1

Practices

Configuring a Static IP Address and Preferred DNS Server . . . . . . . . . . . . . . . . . . . . . .2-14

Installing and Removing Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-31

Fixing a DNS Configuration and Installing Active Directory . . . . . . . . . . . . . . . . . . . . . .2-33

Verifying Active Directory Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-41

Using Active Directory Installation Troubleshooting Tools. . . . . . . . . . . . . . . . . . . . . . . .2-52

Viewing Active Directory Administration Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-13

Customizing an MMC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-26

Backing Up Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-41

Restoring Active Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-53

Creating a Child Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-17

Renaming a Domain Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-22

Viewing and Transferring Operations Master Role Assignments . . . . . . . . . . . . . . . . . .4-38

Managing Trust Relationships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-70

Configuring Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-21

Configuring Intersite Replication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-38

Monitoring and Troubleshooting Active Directory Replication . . . . . . . . . . . . . . . . . . . .5-69

Creating an OU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-13

Administering OUs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-22

Creating, Modifying, and Verifying Domain User Accounts . . . . . . . . . . . . . . . . . . . . . . .7-22

Managing User Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-37

Managing Home Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-41

Administering User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-46

Planning New Group Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-17

Creating and Administering Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-27

Using Run As to Start a Program as an Administrator . . . . . . . . . . . . . . . . . . . . . . . . . .8-33

Locating Objects in Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-10

Controlling Access to Active Directory Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-30

Implementing a GPO. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-45

Generating RSoP Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-24

Managing Special Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-47

Deploying Software with Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-28

Implementing Audit Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-41

Administering the Security Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-54

Managing Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-67

Using Security Configuration and Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-79

Using System Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-17

Using Performance Logs And Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-33

Tables

1-1. Active Directory Administration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-33

2-1. Netdiag Command Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-45

2-2. Dcdiag Command Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-47

2-3. Active Directory Installation and Removal Troubleshooting Scenarios. . . . . . . . . . 2-51

2-4. Graphic Design Institute Network Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-54

3-1. Features Enabled by Domain Functional Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6

3-2. Features Enabled by Forest Functional Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7

3-3. Active Directory–Specific Windows Support Tools . . . . . . . . . . . . . . . . . . . . . . . . . 3-11

3-4. MMC User Mode Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21

4-1. Netdom Trust Command Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-68

5-1. Intrasite and Intersite Replication Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5

5-2. Reasons for Adding a Global Catalog and Their Consequences . . . . . . . . . . . . . . . 5-43

5-3. Repadmin Command Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-62

5-4. Dsastat Command Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-64

5-5. Active Directory Replication Troubleshooting Scenarios. . . . . . . . . . . . . . . . . . . . . 5-67

6-1. Dsmove Command Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-21

7-1. Domain User Account Naming Convention Considerations . . . . . . . . . . . . . . . . . . . 7-6

7-2. Strong Password Requirement Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-8

7-3. User Name Options in the New Object–User Dialog Box. . . . . . . . . . . . . . . . . . . . . 7-14

7-4. Password Options in the New Object–User Dialog Box . . . . . . . . . . . . . . . . . . . . . . 7-16

7-5. Tabs in the Properties Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-18

7-6. Domain User Accounts for Exercise 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-22

7-7. Domain User Account Properties for Exercise 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-23

7-8. Settings Contained in a User Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-27

7-9. Sample Folders Contained in a User Profile Folder . . . . . . . . . . . . . . . . . . . . . . . . 7-28

7-10. OUs of City Power & Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-49

8-1. Group Scope Membership Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7

8-2. Default Groups in the Builtin Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9

8-3. Default Groups in the Users Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-11

8-4. Commonly Used Special Identity Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12

8-5. Commonly Used Built-In Local Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-14

8-6. Customer Service Division Employee Information . . . . . . . . . . . . . . . . . . . . . . . . . 8-18

8-7. Employee Information Access Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-18

9-1. Common Object Types and Their Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3

9-2. User Accounts for Practice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10

9-3. Basic Standard Permissions and Type of Access Allowed . . . . . . . . . . . . . . . . . . . 9-16

9-4. Pages in the Delegation Of Control Wizard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-35

10-1. Ways to Open the Group Policy Object Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-6

10-2. Windows Server 2003 Default Administrative Templates . . . . . . . . . . . . . . . . . 10-14

10-3. Default GPO Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-33

10-4. Permissions for GPO Scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-41

10-5. Results of Your Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-52

11-1. Software Settings RSoP Query Results Column Descriptions . . . . . . . . . . . . . . 11-16

11-2. Scripts RSoP Query Results Column Descriptions . . . . . . . . . . . . . . . . . . . . . . 11-16

11-3. Administrative Templates RSoP Query Results Tab Descriptions . . . . . . . . . . . 11-16

11-4. Gpresult Command Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-20

11-5. Default Locations for Special Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-30

11-6. Effects of Policy Removal Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-38

11-7. Group Policy Object Editor Console Troubleshooting Scenarios . . . . . . . . . . . . 11-54

11-8. Group Policy Settings Troubleshooting Scenarios . . . . . . . . . . . . . . . . . . . . . . . 11-55

11-9. Folder Redirection and Offline Files Troubleshooting Scenarios . . . . . . . . . . . . 11-56

12-1. Software Deployment Approaches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-7

12-2. Strategies and Considerations for Deploying Software . . . . . . . . . . . . . . . . . . . 12-14

12-3. Software Deployment Troubleshooting Scenarios . . . . . . . . . . . . . . . . . . . . . . . 12-42

12-4. Wide World Importers Network Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-47

13-1. Software Restriction Policies Troubleshooting Scenarios . . . . . . . . . . . . . . . . . 13-27

13-2. Event Categories in the Audit Policy Extension . . . . . . . . . . . . . . . . . . . . . . . . . 13-31

13-3. Some Active Directory Object Events and What Triggers Them . . . . . . . . . . . . 13-36

13-4. User Events and What Triggers Them . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-38

13-5. Results When the Apply These Auditing Entries To Objects And/Or Containers Within This Container Only Check Box Is Cleared . . . . . . . . . . . . . . . . 13-39

13-6. Printer Events and What Triggers Them . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-40

13-7. Audit Policy Plan for Exercise 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-42

13-8. Logs Maintained by Windows Server 2003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-46

13-9. Security Configuration and Analysis Troubleshooting Scenarios . . . . . . . . . . . . 13-78

14-1. Important Active Directory System Monitor Counters on the NTDS Performance Object. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-5

14-2. Important FileReplicaSet Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-8

14-3. Directory Service Log and System Monitor Troubleshooting Scenarios . . . . . . 14-15

14-4. Options in the Schedule Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-25

14-5. Options in the Action Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-30

14-6. Performance Logs And Alerts Troubleshooting Scenarios. . . . . . . . . . . . . . . . . 14-32

14-7. Some Registry Entries in the Diagnostics Subkey. . . . . . . . . . . . . . . . . . . . . . . 14-39

Troubleshooting Labs

Chapter 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-56

Chapter 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-56

Chapter 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-72

Chapter 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-73

Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-26

Chapter 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-50

Chapter 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-37

Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-40

Chapter 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-52

Chapter 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-61

Chapter 12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-49

Chapter 13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-83

Chapter 14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-46

Case Scenario Exercises

Chapter 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-54

Chapter 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-55

Chapter 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-74

Chapter 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-74

Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-24

Chapter 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-49

Chapter 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-35

Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-41

Chapter 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-50

Chapter 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-59

Chapter 12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-47

Chapter 13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-82

Chapter 14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-44

Contents

About This Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxi

Intended Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxi

Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxii

About the CD-ROM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxii

Features of This Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiii

Part 1: Learn at Your Own Pace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiii

Part 2: Prepare for the Exam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiv

Informational Notes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiv

Notational Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxv

Keyboard Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxv

Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvi

Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvi

Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvi

Setup Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvii

The Microsoft Certified Professional Program . . . . . . . . . . . . . . . . . . . . . . . . . . xl

Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xl

Requirements for Becoming a Microsoft Certified Professional . . . . . . . . . . . .xli

Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xlii

Evaluation Edition Software Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xliii

Part 1

Learn at Your Own Pace

1 Introduction to Active Directory

Why This Chapter Matters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

Lesson 1: Active Directory Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4

Understanding Directory Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4

Why Have a Directory Service? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

The Windows Server 2003 Directory Service . . . . . . . . . . . . . . . . . . . . . . . . 1-5

Active Directory Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

Active Directory Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

Catalog Services—The Global Catalog . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20


Lesson 2: Understanding Active Directory Concepts and Administration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-21

Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-21

Trust Relationships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25

Change and Configuration Management . . . . . . . . . . . . . . . . . . . . . . . . . . 1-28

Group Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29

DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-31

Object Naming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-31

Active Directory Administration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-33

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-34

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-35

Lesson 3: Planning the Active Directory Infrastructure Design . . . . . . . . . . . . . . 1-36

What Is an Active Directory Infrastructure Design? . . . . . . . . . . . . . . . . . . . 1-36

Design Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-37

The Design Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-38

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-41

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-42

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43

Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43

Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43

Key Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-44

Questions and Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-45

2 Installing and Configuring Active Directory

Why This Chapter Matters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1

Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

Lesson 1: Preparing for Active Directory Installation. . . . . . . . . . . . . . . . . . . . . . 2-3

Active Directory Installation Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3

Determining the Domain Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3

Determining the Domain Name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9

Determining the Storage Location of the Database and Log Files . . . . . . . . 2-11

Determining the Location of the Shared System Volume Folder . . . . . . . . . . 2-11

Determining the DNS Configuration Method . . . . . . . . . . . . . . . . . . . . . . . 2-11

Determining the DNS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12

Practice: Configuring a Static IP Address and Preferred DNS Server . . . . . . 2-14

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16

Lesson 2: Installing and Removing Active Directory. . . . . . . . . . . . . . . . . . . . . 2-17

Installing Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-17

Removing Active Directory Services from a Domain Controller. . . . . . . . . . . 2-30

Practice: Installing and Removing Active Directory . . . . . . . . . . . . . . . . . . . 2-31


Practice: Fixing a DNS Configuration and Installing Active Directory . . . . . . . 2-33

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-35

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-36

Lesson 3: Verifying Active Directory Installation . . . . . . . . . . . . . . . . . . . . . . . . 2-37

Verifying an Active Directory Installation . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37

Practice: Verifying Active Directory Installation . . . . . . . . . . . . . . . . . . . . . 2-41

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-42

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-42

Lesson 4: Troubleshooting Active Directory Installation and Removal. . . . . . . . . 2-43

Troubleshooting Active Directory Installation . . . . . . . . . . . . . . . . . . . . . . . 2-43

Troubleshooting Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-51

Practice: Using Active Directory Installation Troubleshooting Tools. . . . . . . . 2-52

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-53

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-54

Case Scenario Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-54

Troubleshooting Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-56

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-59

Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-60

Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-60

Key Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-60

Questions and Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-61

3 Administering Active Directory

Why This Chapter Matters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1

Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2

Lesson 1: Using Active Directory Administration Tools . . . . . . . . . . . . . . . . . . . . 3-3

Active Directory Administration Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3

Practice: Viewing Active Directory Administration Tools . . . . . . . . . . . . . . . . 3-13

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16

Lesson 2: Customizing MMCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17

The MMC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17

Using MMCs for Remote Administration . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21

Creating Custom MMCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22

Modifying Custom MMCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24

Practice: Customizing an MMC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-26

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-27

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-28

Lesson 3: Backing Up Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29

Preliminary Backup Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29

Creating an Active Directory Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29

Scheduling Active Directory Backup Operations . . . . . . . . . . . . . . . . . . . . . 3-36

Deleting Scheduled Active Directory Backup Operations . . . . . . . . . . . . . . . 3-39

Practice: Backing Up Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-41

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-42

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-43

Lesson 4: Restoring Active Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-44

Restoring Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-44

Preliminary Restore Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-45

Performing a Nonauthoritative Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-46

Specifying Advanced Restore Settings for a Nonauthoritative Restore . . . . . 3-48

Performing an Authoritative Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-50

Practice: Restoring Active Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-53

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-53

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-54

Case Scenario Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-55

Troubleshooting Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-56

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-59

Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-60

Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-60

Key Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-61

Questions and Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-62

4 Installing and Managing Domains, Trees, and Forests

Why This Chapter Matters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1

Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2

Lesson 1: Creating Multiple Domains, Trees, and Forests. . . . . . . . . . . . . . . . . . 4-3

Creating Multiple Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3

Creating Additional Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6

Creating Multiple Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9

Creating Additional Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11

Creating Multiple Forests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-13

Creating Additional Forests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-15

Practice: Creating a Child Domain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-17

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-17

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-18

Lesson 2: Renaming and Restructuring Domains and Renaming Domain Controllers . . . . 4-19

Renaming and Restructuring Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-19

Renaming a Domain Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-20

Practice: Renaming a Domain Controller . . . . . . . . . . . . . . . . . . . . . . . . . . 4-22

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-23

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-23

Lesson 3: Managing Operations Master Roles. . . . . . . . . . . . . . . . . . . . . . . . . 4-24

Operations Master Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24

Forest-Wide Operations Master Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24

Domain-Wide Operations Master Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25

Managing Operations Master Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-27

Planning Operations Master Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-29

Viewing Operations Master Role Assignments . . . . . . . . . . . . . . . . . . . . . . 4-31

Transferring an Operations Master Role Assignment . . . . . . . . . . . . . . . . . 4-32

Seizing an Operations Master Role Assignment . . . . . . . . . . . . . . . . . . . . . 4-35

Practice: Viewing and Transferring Operations Master Role Assignments . . . 4-38

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-39

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-40

Lesson 4: Managing Trust Relationships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-41

Trust Relationships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-41

Planning Trust Relationships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-43

Creating Trust Relationships. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-49

Practice: Managing Trust Relationships . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-70

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-71

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-72

Troubleshooting Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-72

Case Scenario Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-74

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-75

Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-76

Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-76

Key Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-77

Questions and Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-78

5 Configuring Sites and Managing Replication

Why This Chapter Matters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1

Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2

Lesson 1: Understanding Sites and Replication . . . . . . . . . . . . . . . . . . . . . . . . . 5-3

Understanding Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3

Understanding Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-9

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10

Lesson 2: Configuring Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-11

Configuring Sites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-11

Creating Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12

Creating Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15

Creating, Moving, and Removing Domain Controller Objects in a Site . . . . . 5-17

Designating a Site License Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19

Practice: Configuring Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-23

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-24

Lesson 3: Configuring Intersite Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25

Configuring Intersite Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25

Creating Site Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25

Configuring Site Link Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-28

Designating a Preferred Bridgehead Server . . . . . . . . . . . . . . . . . . . . . . . . 5-31

Creating Site Link Bridges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-33

Creating and Configuring Connection Objects . . . . . . . . . . . . . . . . . . . . . . 5-35

Practice: Configuring Intersite Replication . . . . . . . . . . . . . . . . . . . . . . . . . 5-38

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-39

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-40

Lesson 4: Configuring Global Catalog Servers . . . . . . . . . . . . . . . . . . . . . . . . 5-41

Understanding Global Catalog Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-41

Creating or Removing a Global Catalog . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-44

Enabling the Universal Group Membership Caching Feature . . . . . . . . . . . . 5-45

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-46

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-47

Lesson 5: Configuring Application Directory Partitions . . . . . . . . . . . . . . . . . . . 5-48

Application Directory Partitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-48

Application Directory Partition Replication . . . . . . . . . . . . . . . . . . . . . . . . . 5-49

Application Directory Partitions and Domain Controller Demotion . . . . . . . . 5-50

Security Descriptor Reference Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-51

Managing Application Directory Partitions . . . . . . . . . . . . . . . . . . . . . . . . . 5-52

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-57

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-58

Lesson 6: Monitoring and Troubleshooting Replication . . . . . . . . . . . . . . . . . . . 5-59

Monitoring and Troubleshooting Replication. . . . . . . . . . . . . . . . . . . . . . . . 5-59

Troubleshooting Active Directory Replication . . . . . . . . . . . . . . . . . . . . . . . 5-66

Practice: Monitoring and Troubleshooting Active Directory Replication . . . . . 5-69

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-71

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-72

Troubleshooting Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-73

Case Scenario Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-74

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-76

Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-77

Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-77

Key Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-78

Questions and Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-79

6 Implementing an OU Structure

Why This Chapter Matters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1

Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2

Lesson 1: Understanding OUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3

Understanding OUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3

Defining OUs to Delegate Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3

Defining OUs to Administer Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7

Defining OUs to Hide Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7

Designing OU Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10

Lesson 2: Creating an OU Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11

Creating OUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11

Creating OUs to Hide Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12

Practice: Creating an OU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15

Lesson 3: Administering OUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16

Administering OUs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16

Practice: Administering OUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-22

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-23

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-24

Case Scenario Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-24

Troubleshooting Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-26

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-28

Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-28

Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-29

Key Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-29

Questions and Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-30

7 Administering User Accounts

Why This Chapter Matters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1

Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2

Lesson 1: Understanding User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3

Understanding User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3

Local User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4

Domain User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4

Built-In User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5

Domain User Account Naming Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 7-6

Password Requirements and Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7

Using Smart Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-12

Lesson 2: Creating User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-13

Creating Domain User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-13

Modifying Domain User Account Properties . . . . . . . . . . . . . . . . . . . . . . . . 7-17

Practice: Creating, Modifying, and Verifying Domain User Accounts . . . . . . . 7-22

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-25

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-26

Lesson 3: Managing User Profiles and Home Folders. . . . . . . . . . . . . . . . . . . . 7-27

Understanding User Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-27

User Profile Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-29

User Profiles Settings in Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-31

Creating User Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-31

Practice: Managing User Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-37

Best Practices for User Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-39

Home Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-39

Creating Home Folders on a Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-40

Practice: Managing Home Folders. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-41

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-42

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-43

Lesson 4: Maintaining User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-44

Renaming, Disabling, Enabling, and Deleting User Accounts. . . . . . . . . . . . 7-44

Unlocking User Accounts and Resetting Passwords . . . . . . . . . . . . . . . . . . 7-45

Practice: Administering User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-46

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-48

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-48

Case Scenario Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-49

Troubleshooting Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-50

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-52

Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-52

Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-53

Key Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-53

Questions and Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-54

8 Administering Groups

Why This Chapter Matters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1

Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1

Lesson 1: Understanding Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3

Introduction to Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3

Group Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4

Group Scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4

Group Membership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6

Group Nesting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7

Local Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8

Default Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9

Planning Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15

Practice: Planning New Group Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . 8-17

Group Accounts Planning Worksheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-19

Group Accounts Planning Worksheet (Answers) . . . . . . . . . . . . . . . . . . . . . 8-20

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-21

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-22

Lesson 2: Creating and Administering Groups . . . . . . . . . . . . . . . . . . . . . . . . . 8-23

Creating a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-23

Deleting a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-24

Adding Members to a Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-25

Changing the Group Scope. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-26

Practice: Creating and Administering Groups . . . . . . . . . . . . . . . . . . . . . . . 8-27

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-28

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-29

Lesson 3: Administration Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-30

Why You Should Not Run Your Computer as an Administrator . . . . . . . . . . . 8-30

Using the Run As Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-30

Practice: Using Run As to Start a Program as an Administrator . . . . . . . . . . 8-33

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-34

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-34

Case Scenario Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-35

Troubleshooting Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-37

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-38

Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-39

Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-39

Key Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-39

Questions and Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-41

9 Administering Active Directory Objects

Why This Chapter Matters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1

Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1

Lesson 1: Locating Active Directory Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3

Locating Active Directory Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3

Using Saved Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8

Practice: Locating Objects in Active Directory. . . . . . . . . . . . . . . . . . . . . . . 9-10

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13

Lesson 2: Controlling Access to Active Directory Objects . . . . . . . . . . . . . . . . . 9-14

Understanding Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14

Assigning Standard Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-22

Administering Special Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-22

Setting Inheritance for a Permission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-23

Changing Inherited Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-26

Selective Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-26

Removing Security Principals and Their Permissions . . . . . . . . . . . . . . . . . 9-28

Removing Special Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-28

Transferring Object Ownership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-29

Practice: Controlling Access to Active Directory Objects . . . . . . . . . . . . . . . 9-30

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-32

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-33

Lesson 3: Delegating Administrative Control of Active Directory Objects . . . . . . . . . . 9-34

Delegating Administrative Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-34

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-39

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-39

Troubleshooting Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-40

Case Scenario Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-41

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-43

Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-44

Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-44

Key Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-45

Questions and Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-46

10 Implementing Group Policy

Why This Chapter Matters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1

Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2

Lesson 1: Understanding Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3

Understanding Group Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3

Understanding GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4

Group Policy Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8

Administrative Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-13

How Group Policy Affects Startup and Logging On . . . . . . . . . . . . . . . . . . 10-15

How Group Policy Is Applied . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-16

Using Security Groups to Filter GPO Scope . . . . . . . . . . . . . . . . . . . . . . . 10-20

Using WMI Queries to Filter GPO Scope . . . . . . . . . . . . . . . . . . . . . . . . . 10-20

Delegating Control of GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-21

Resultant Set of Policy (RSoP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-21

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-21

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-22

Lesson 2: Group Policy Planning Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . 10-23

Group Policy Planning Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-23

Plan Group Policy Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-23

Planning GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-24

Planning Administrative Control of GPOs . . . . . . . . . . . . . . . . . . . . . . . . . 10-26

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-29

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-30

Lesson 3: Implementing a GPO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-31

Implementing a GPO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-31

Creating a GPO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-31

Creating an MMC for a GPO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-32

Delegating Control of a GPO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-33

Configuring Group Policy Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-36

Disabling Unused Group Policy Settings . . . . . . . . . . . . . . . . . . . . . . . . . 10-37

Indicating GPO Processing Exceptions. . . . . . . . . . . . . . . . . . . . . . . . . . . 10-38

Filtering GPO Scope with Security Groups . . . . . . . . . . . . . . . . . . . . . . . . 10-40

Linking a GPO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-41

Modifying a GPO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-42

Removing a GPO Link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-42

Deleting a GPO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-43

Editing a GPO and GPO Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-43

Refreshing a GPO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-44

Group Policy Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-44

Practice: Implementing a GPO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-45

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-48

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-49

Case Scenario Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-50

Troubleshooting Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-52

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-55

Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-56

Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-56

Key Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-56

Questions and Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-57

11 Administering Group Policy

Why This Chapter Matters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1

Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2

Lesson 1: Managing Group Policy with RSoP . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3

Understanding RSoP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3

Generating RSoP Queries with the Resultant Set Of Policy Wizard . . . . . . . . 11-4

Generating RSoP Queries with the Gpresult Command-Line Tool . . . . . . . . 11-19

Generating RSoP Queries with the Advanced System Information Policy Tool . . . . . . . . 11-22

Delegating Control of RSoP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-23

Practice: Generating RSoP Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-24

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-26

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-27

Lesson 2: Managing Special Folders with Group Policy . . . . . . . . . . . . . . . . . . 11-28

Folder Redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-28

Default Special Folder Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-30

Setting Up Folder Redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-30

Policy Removal Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-37

Folder Redirection and Offline Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-38

Folder Redirection Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-46

Practice: Managing Special Folders. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-47

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-48

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-49

Lesson 3: Troubleshooting Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-50

Troubleshooting Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-50

Group Policy Troubleshooting Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . 11-54

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-58

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-59

Case Scenario Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-59

Troubleshooting Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-61

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-64

Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-64

Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-65

Key Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-65

Questions and Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-66

12 Deploying Software with Group Policy

Why This Chapter Matters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1

Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1

Lesson 1: Understanding Software Deployment with Group Policy . . . . . . . . . . . 12-3

Understanding Software Deployment with Group Policy. . . . . . . . . . . . . . . . 12-3

Software Installation Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4

Add Or Remove Programs in Control Panel . . . . . . . . . . . . . . . . . . . . . . . . 12-7

Software Deployment Approaches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-7

Software Deployment Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-8

Distributing Windows Installer Packages . . . . . . . . . . . . . . . . . . . . . . . . . 12-10

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-11

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-12

Lesson 2: Deploying Software with Group Policy . . . . . . . . . . . . . . . . . . . . . . 12-13

Deploying Software with Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-13

Planning and Preparing a Software Deployment . . . . . . . . . . . . . . . . . . . . 12-13

Setting Up an SDP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-15

Creating a GPO and a GPO Console for Software Deployment . . . . . . . . . . 12-16

Specifying Software Deployment Properties for the GPO . . . . . . . . . . . . . . 12-16

Adding Windows Installer Packages to the GPO and Selecting Package Deployment Method . . . . . . . . 12-20

Setting Windows Installer Package Properties . . . . . . . . . . . . . . . . . . . . . 12-21

Software Deployment Best Practices. . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-27

Practice: Deploying Software with Group Policy . . . . . . . . . . . . . . . . . . . . 12-28

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-32

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-33

Lesson 3: Maintaining Software Deployed with Group Policy . . . . . . . . . . . . . . 12-34

Redeploying Applications Deployed with Group Policy . . . . . . . . . . . . . . . . 12-34

Upgrading Applications Deployed with Group Policy . . . . . . . . . . . . . . . . . 12-34

Removing Applications Deployed with Group Policy. . . . . . . . . . . . . . . . . . 12-37

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-39

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-40

Lesson 4: Troubleshooting Software Deployed with Group Policy . . . . . . . . . . . 12-41

Troubleshooting Software Deployed with Group Policy . . . . . . . . . . . . . . . . 12-41

Software Deployment Troubleshooting Scenarios . . . . . . . . . . . . . . . . . . . 12-42

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-46

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-47

Case Scenario Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-47

Troubleshooting Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-49

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-51

Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-52

Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-52

Key Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-53

Questions and Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-54

13 Administering Security with Group Policy

Why This Chapter Matters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1

Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-2

Lesson 1: Understanding Active Directory Security. . . . . . . . . . . . . . . . . . . . . . 13-3

Understanding Security Administration with Group Policy . . . . . . . . . . . . . . 13-3

Security Settings in Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4

Best Practices for Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-10

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-11

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-12

Lesson 2: Implementing Software Restriction Policies . . . . . . . . . . . . . . . . . . 13-13

Understanding Software Restriction Policies . . . . . . . . . . . . . . . . . . . . . . 13-13

Default Security Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-14

How Software Restriction Policies Work. . . . . . . . . . . . . . . . . . . . . . . . . . 13-15

Implementing Software Restriction Policies . . . . . . . . . . . . . . . . . . . . . . . 13-17

Optional Tasks for Implementing Software Restriction Policies . . . . . . . . . 13-24

Best Practices for Software Restriction Policies . . . . . . . . . . . . . . . . . . . 13-26

Software Restriction Policies Troubleshooting . . . . . . . . . . . . . . . . . . . . . 13-27

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-28

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-29

Lesson 3: Implementing an Audit Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-30

Understanding Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-30

Understanding Audit Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-31

Implementing an Audit Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-33

Best Practices for Audit Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-40

Practice: Implementing Audit Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-41

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-44

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-45

Lesson 4: Administering the Security Log . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-46

Understanding Windows Server 2003 Logs . . . . . . . . . . . . . . . . . . . . . . 13-46

Viewing the Security Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-47

Finding Events in the Security Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-48

Filtering Events in the Security Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-50

Configuring the Security Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-51

Clearing the Security Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-52

Archiving the Security Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-53

Practice: Administering the Security Log . . . . . . . . . . . . . . . . . . . . . . . . . 13-54

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-55

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-56

Lesson 5: Using Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-57

Understanding Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-57

Managing Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-63

Best Practices for Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-66

Practice: Managing Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . 13-67

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-68

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-69

Lesson 6: Using Security Configuration And Analysis . . . . . . . . . . . . . . . . . . . 13-70

Understanding the Security Configuration And Analysis Feature. . . . . . . . . 13-70

Using the Security Configuration And Analysis Feature . . . . . . . . . . . . . . . 13-70

Security Configuration And Analysis Best Practices . . . . . . . . . . . . . . . . . 13-78

Security Configuration And Analysis Troubleshooting . . . . . . . . . . . . . . . . 13-78

Practice: Using Security Configuration And Analysis . . . . . . . . . . . . . . . . . 13-79

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-81

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-81

Case Scenario Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-82

Troubleshooting Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-83

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-86

Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-87

Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-87

Key Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-87

Questions and Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-88

14 Managing Active Directory Performance

Why This Chapter Matters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-1

Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-1

Lesson 1: Monitoring Performance with Service Logs and System Monitor. . . . . 14-2

Understanding the Directory and File Replication Service Logs . . . . . . . . . . 14-2

Understanding System Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3

Monitoring Performance with the Directory Service Log and System Monitor Best Practices . . . . . . . . 14-14

Directory Service Log and System Monitor Troubleshooting . . . . . . . . . . . 14-14

Practice: Using System Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-17

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-17

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-18

Lesson 2: Monitoring Performance with Performance Logs And Alerts . . . . . . . 14-19

The Performance Logs And Alerts Snap-In . . . . . . . . . . . . . . . . . . . . . . . . 14-19

Managing Active Directory Performance from the Command Line . . . . . . . 14-31

Monitoring Performance with Performance Logs And Alerts Best Practices . . . . . . . . 14-31

Performance Logs And Alerts Troubleshooting . . . . . . . . . . . . . . . . . . . . . 14-32

Practice: Using Performance Logs And Alerts. . . . . . . . . . . . . . . . . . . . . . 14-33

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-35

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-36

Lesson 3: Optimizing and Troubleshooting Active Directory Performance . . . . . 14-37

Optimizing and Troubleshooting Active Directory Performance . . . . . . . . . . 14-37

Troubleshooting Active Directory Performance with the Directory Service Log . . . . . . . . 14-38

Troubleshooting Active Directory Performance with the Performance Console . . . . . . . . 14-41

Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-43

Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-44

Case Scenario Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-44

Troubleshooting Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-46

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-48

Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-49

Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-49

Key Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-49

Questions and Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-50

Part 2

Prepare for the Exam

15 Planning and Implementing an Active Directory Infrastructure (1.0)

Tested Skills and Suggested Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3

Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-5

Plan a Strategy for Placing Global Catalog Servers . . . . . . . . . . . . . . . . . . . . . . 15-7

Objective 1.1 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-8

Objective 1.1 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-10

Plan Flexible Operations Master Role Placement . . . . . . . . . . . . . . . . . . . . . . 15-12

Objective 1.2 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-13

Objective 1.2 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-15

Implement an Active Directory Forest and Domain Structure . . . . . . . . . . . . . . 15-17

Objective 1.3 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-20

Objective 1.3 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-24

Implement an Active Directory Site Topology . . . . . . . . . . . . . . . . . . . . . . . . . 15-28

Objective 1.4 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-29

Objective 1.4 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-31

Plan an Administrative Delegation Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . 15-32

Objective 1.5 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-33

Objective 1.5 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-35

16 Managing and Maintaining an Active Directory Infrastructure (2.0)

Tested Skills and Suggested Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-1

Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-4

Manage an Active Directory Forest and Domain Structure . . . . . . . . . . . . . . . . . 16-6

Objective 2.1 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-8

Objective 2.1 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-11

Manage an Active Directory Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-14

Objective 2.2 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-16

Objective 2.2 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-19

Manage Active Directory Replication Failures . . . . . . . . . . . . . . . . . . . . . . . . . 16-21

Objective 2.3 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-23

Objective 2.3 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-26

Restore Active Directory Directory Services . . . . . . . . . . . . . . . . . . . . . . . . . . 16-28

Objective 2.4 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-29

Objective 2.4 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-31

Troubleshoot Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-33

Objective 2.5 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-34

Objective 2.5 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-36

17 Planning and Implementing User, Computer, and Group Strategies (3.0)

Tested Skills and Suggested Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-2

Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-4

Plan a Security Group Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-5

Objective 3.1 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-6

Objective 3.1 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-10

Plan a User Authentication Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-14

Objective 3.2 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-15

Objective 3.2 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-18

Plan an OU Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-20

Objective 3.3 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-22

Objective 3.3 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-25

Implement an OU Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-28

Objective 3.4 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-29

Objective 3.4 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-32

18 Planning and Implementing Group Policy (4.0)

Tested Skills and Suggested Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-1

Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-3

Plan Group Policy Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-5

Objective 4.1 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-7

Objective 4.1 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-11

Configure the User Environment by Using Group Policy . . . . . . . . . . . . . . . . . . 18-15

Objective 4.2 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-17

Objective 4.2 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-21

Deploy a Computer Environment by Using Group Policy. . . . . . . . . . . . . . . . . . 18-24

Objective 4.3 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-25

Objective 4.3 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-30

19 Managing and Maintaining Group Policy (5.0)

Tested Skills and Suggested Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-1

Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-3

Troubleshoot Issues Related to Group Policy Application Deployment . . . . . . . . 19-5

Objective 5.1 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-6

Objective 5.1 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-11

Maintain Installed Software by Using Group Policy . . . . . . . . . . . . . . . . . . . . . 19-14

Objective 5.2 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-15

Objective 5.2 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-20

Troubleshoot the Application of Group Policy Security Settings . . . . . . . . . . . . 19-24

Objective 5.3 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-25

Objective 5.3 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-28

Part 3

Appendixes

A New Active Directory Directory Features in the Windows Server 2003 Family

New System-Wide Active Directory Features . . . . . . . . . . . . . . . . . . . . . . . . . . . A-3

New Change and Configuration Management Features . . . . . . . . . . . . . . . . . . . . A-5

New Domain- and Forest-Wide Active Directory Features . . . . . . . . . . . . . . . . . . . A-6

B Active Directory Setup Answer File Parameters

AdministratorPassword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-1

AllowAnonymousAccess . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-1

AutoConfigDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-2

ChildName . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-2

ConfirmGc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-2

CreateOrJoin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-2

CriticalReplicationOnly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-3

DatabasePath . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-3

DisableCancelForDnsInstall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-3

DNSOnNetwork . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-4

DomainNetBiosName . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-4

IsLastDCInDomain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-4

LogPath . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-4

NewDomain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-5

NewDomainDNSName . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-5

ParentDomainDNSName . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-5

Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-5

RebootOnSuccess . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-6

RemoveApplicationPartitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-6

ReplicaDomainDNSName. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-6

ReplicaOrMember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-7

ReplicaOrNewDomain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-7

ReplicationSourceDC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-7

ReplicationSourcePath. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-8

SafeModeAdminPassword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-8

SetForestVersion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-8

SiteName . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-9

Syskey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-9

SysVolPath . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-9

TreeOrChild . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-9

UserDomain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-10

UserName . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-10

C User Rights

Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .C-1

Logon Rights. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .C-5

Assigning User Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .C-6

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G-1

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I-1

About This Book

Welcome to MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

This kit introduces you to Windows Server 2003 Active Directory and prepares you to plan, configure, and administer your Active Directory infrastructure. You will learn to use Active Directory directory service to centrally manage users, groups, shared folders, and network resources, and to administer the user environment and software with Group Policy. This kit shows you how to implement and troubleshoot security in a directory services infrastructure and how to monitor and troubleshoot Active Directory performance.

Important

In this book, the use of “Windows Server 2003 family” and “Windows Server 2003” refers to the family of four products: Microsoft Windows Server 2003, Standard Edition; Microsoft Windows Server 2003, Enterprise Edition; Microsoft Windows Server 2003, Datacenter Edition; and Microsoft Windows Server 2003, Web Edition. However, Windows Server 2003, Web Edition, only partially supports the use of Active Directory. Windows Server 2003, Web Edition, can participate as a member server in an Active Directory–enabled network, but it cannot be used as an Active Directory domain controller.

See Also

For more information about becoming a Microsoft Certified Professional, see the section titled “The Microsoft Certified Professional Program” later in this introduction.

Intended Audience

This book was developed for information technology (IT) professionals who plan to take the related Microsoft Certified Professional exam 70-294, Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, as well as IT professionals who need to install, configure, administer, monitor, and troubleshoot Microsoft Windows Server 2003 Active Directory.

Note

Exam skills are subject to change without prior notice and at the sole discretion of Microsoft.

Prerequisites

This training kit requires that students meet the following prerequisites:

Experience implementing and administering a network operating system in environments where: from 250 to 5,000 or more users are supported; three or more physical locations are supported; typical network services and resources include messaging, database, file and print, proxy server or firewall, Internet and intranet, remote access, and client computer management; three or more domain controllers are supported; and connectivity needs include connecting branch offices and individual users in remote locations to the corporate network and connecting corporate networks to the Internet.

Experience implementing and administering a desktop operating system

Experience designing a network infrastructure

About The CD-ROM

For your use, this book includes a Supplemental CD-ROM. This CD-ROM contains a variety of informational aids to complement the book content:

The Microsoft Press Readiness Review Suite Powered by MeasureUp. This suite of practice tests and objective reviews contains questions of varying degrees of complexity and offers multiple testing modes. You can assess your understanding of the concepts presented in this book and use the results to develop a learning plan that meets your needs.

An electronic version of this book (eBook). For information about using the eBook, see the section “The eBook” later in this introduction.

Installation scripts and example files that you will use to perform the hands-on exercises in this book. These include files that demonstrate key concepts and illustrate a specific point, as well as files that are there for your convenience, such as scripts that can be used to reduce the amount of time you spend setting up your system in order to perform a particular exercise.

An eBook of the Microsoft Encyclopedia of Networking, Second Edition, and of the Microsoft Encyclopedia of Security, which provide complete and up-to-date reference materials for networking and security.

Sample chapters from several Microsoft Press book titles give you additional information about Windows Server 2003 and introduce you to other resources that are available from Microsoft Press.

A second CD-ROM contains a 180-day evaluation edition of Microsoft Windows Server 2003, Enterprise Edition.

Caution

The 180-day Evaluation Edition provided with this training is not the full retail product and is provided only for the purposes of training and evaluation. Microsoft Technical Support does not support this evaluation edition.

For additional support information regarding this book and the CD-ROM (including answers to commonly asked questions about installation and use), visit the Microsoft Press Technical Support Web site at http://www.microsoft.com/mspress/support/. You can also email [email protected] or send a letter to Microsoft Press, Attention: Microsoft Press Technical Support, One Microsoft Way, Redmond, WA 98052-6399.

Features of This Book

This book is divided into two parts. Use Part 1 to learn at your own pace and practice what you’ve learned with practical exercises. Part 2 contains questions and answers that you can use to test yourself on what you’ve learned.

Part 1: Learn at Your Own Pace

Each chapter of Part 1 identifies the exam objectives that are covered within the chapter, provides an overview of why the topics matter by identifying how the information applies in the real world, and lists any prerequisites that must be met to complete the lessons presented in the chapter.

The chapters are divided into lessons. Lessons contain practices made up of one or more hands-on exercises. These exercises give you an opportunity to use the skills being presented or explore the part of the application being described. Each lesson also has a set of review questions to test your knowledge of the material covered in that lesson.

After the lessons, you are given an opportunity to apply what you’ve learned in a case scenario exercise. In this exercise, you work through a multi-step solution for a realistic case scenario. You are also given an opportunity to work through a troubleshooting lab that explores difficulties you might encounter when applying what you’ve learned on the job.

Each chapter ends with a short summary of key concepts and a short section listing key topics and terms that you need to know before taking the exam, summarizing the key learnings with a focus on the exam.

Real World

Real World Helpful Information

You will find sidebars like this one that contain related information you might find helpful. “Real World” sidebars contain specific information gained through the experience of IT professionals just like you.

Part 2: Prepare for the Exam

Part II helps to familiarize you with the types of questions that you will encounter on the MCP exam. By reviewing the objectives and the sample questions, you can focus on the specific skills that you need to improve before taking the exam.

See Also

For a complete list of MCP exams and their related objectives, go to http://www.microsoft.com/traincert/mcp.

Part II is organized by the exam’s objectives. Each chapter covers one of the primary groups of objectives, called Objective Domains. Each chapter lists the tested skills you need to master to answer the exam questions and includes a list of further readings to help you improve your ability to perform the tasks or skills specified by the objectives.

Within each Objective Domain, you will find the related objectives that are covered on the exam. Each objective provides you with several practice exam questions. The answers are accompanied by explanations of each correct and incorrect answer.

Note

These questions are also available on the Supplemental CD-ROM as a practice test.

Informational Notes

Several types of reader aids appear throughout the training kit.

Tip

contains methods of performing a task more quickly or in a not-so-obvious way.

Important

contains information that is essential to completing a task.

Note

contains supplemental information.

Caution

contains valuable information about possible loss of data; be sure to read this information carefully.

Warning

contains critical information about possible physical injury; be sure to read this information carefully.

See Also

contains references to other sources of information.

Planning

contains hints and useful information that should help you plan the implementation.

Security Alert

highlights information you need to know to maximize security in your work environment.

Exam Tip

flags information you should know before taking the certification exam.

Off the Record

contains practical advice about the real-world implications of information presented in the lesson.

Notational Conventions

The following conventions are used throughout this book.

Characters or commands that you type appear in bold type.

Italic in syntax statements indicates placeholders for variable information.

Italic is also used for book titles.

Names of files and folders appear in Title caps, except when you are to type them directly. Unless otherwise indicated, you can use all lowercase letters when you type a file name in a dialog box or at a command prompt.

File name extensions appear in all lowercase.

Acronyms appear in all uppercase.

Monospace type represents code samples, examples of screen text, or entries that you might type at a command prompt or in initialization files.

Square brackets [ ] are used in syntax statements to enclose optional items. For example, [filename] in command syntax indicates that you can choose to type a file name with the command. Type only the information within the brackets, not the brackets themselves.

Braces { } are used in syntax statements to enclose required items. Type only the information within the braces, not the braces themselves.

Keyboard Conventions

A plus sign (+) between two key names means that you must press those keys at the same time. For example, “Press ALT+TAB” means that you hold down ALT while you press TAB.

A comma ( , ) between two or more key names means that you must press each of the keys consecutively, not together. For example, “Press ALT, F, X” means that you press and release each key in sequence. “Press ALT+W, L” means that you first press ALT and W at the same time, and then release them and press L.

Getting Started

This training kit contains hands-on exercises to help you learn about Windows Server 2003 Active Directory. Use this section to prepare your self-paced training environment.

To complete some of these procedures, you must have two networked computers or be connected to a larger network. Both computers must be running Windows Server 2003.

Caution

Several exercises may require you to make changes to your servers. This may have undesirable results if you are connected to a larger network. If you are connected to a larger network, check with your network administrator before attempting these exercises.

Hardware Requirements

Each computer must have the following minimum configuration. All hardware should be on the Microsoft Windows Server 2003 Hardware Compatibility List, and should meet the requirements listed at http://www.microsoft.com/windowsserver2003/evaluation/sysreqs/default.mspx.

Minimum CPU: 32-bit 133 MHz processor for x86-based computers (733 MHz is recommended), 733 MHz processor for Itanium-based computers

Minimum RAM: 128 MB RAM

Disk space for setup: 1.5 GB hard disk for x86-based computers, 2.0 GB hard disk for Itanium-based computers

12X or faster CD-ROM drive

Monitor capable of 800 x 600 resolution (1024 x 768 recommended)

High-density disk drive

Microsoft Mouse or compatible pointing device

Software Requirements

The following software is required to complete the procedures in this training kit:

A copy of the Windows Server 2003 installation CD-ROM (A 180-day evaluation edition of Microsoft Windows Server 2003, Enterprise Edition is included with this training kit.)

Caution

The 180-day Evaluation Edition provided with this training kit is not the full retail product and is provided only for the purposes of training and evaluation. Microsoft Technical Support does not support these evaluation editions. For additional support information regarding this book and the CD-ROMs (including answers to commonly asked questions about installation and use), visit the Microsoft Press Technical Support web site at http://mspress.microsoft.com/mspress/support/. You can also e-mail [email protected] or send a letter to Microsoft Press, Attn: Microsoft Press Technical Support, One Microsoft Way, Redmond, WA 98502-6399.

Setup Instructions

Set up your computers according to the manufacturer’s instructions. Then install Windows Server 2003, Enterprise Edition according to the instructions provided below.

Caution

If your computers are part of a larger network, you must verify with your network administrator that the computer names, domain name, and other information used in setting up your computers as described in Chapter 2, “Installing and Configuring Active Directory,” do not conflict with network operations. If they do conflict, ask your network administrator to provide alternative values and use those values throughout all of the exercises in this book.

Installing Windows Server 2003

To complete the exercises in this course, you should install Windows Server 2003 on two networked computers. During installation, you can use the Windows Server 2003 Setup program to create a partition on your hard disks, on which you should install Windows Server 2003 as a stand-alone server in a workgroup.

Note

You can use an automated installation file, Winnt.sif, on the CD-ROM in order to install your computers. You’ll find a copy of the file in the Unattended folder in the Server1 and Server2 subfolders. If you use these automated installation files, simply copy the appropriate Winnt.sif file onto a floppy disk. Start your computer from the CD-ROM drive. After the system begins to start from CD-ROM, insert the floppy disk with the Winnt.sif file. The installation should proceed without your intervention. The only thing that you must do is type the product key when prompted. Otherwise the installation of your server is automated. Install Server1 before you install Server2. Otherwise, follow the manual installation method described on the next page.

To install Windows Server 2003

1. Insert the Microsoft Windows Server 2003, Enterprise Edition CD-ROM into the CD-ROM drive.

2. On the Welcome to Microsoft Windows Server 2003 screen, select Install Windows Server 2003, Enterprise Edition.

3. On the Welcome to Windows Setup page on the Windows Setup dialog box, select New Installation in the Installation Type list, and then click Next.

4. On the License Agreement page on the Windows Setup dialog box, read the license agreement. To proceed, you must select I Accept This Agreement. Click Next.

5. On the Your Product Key page, type the product key that appears on the sticker attached to the installation CD-ROM case, and then press Next.

6. On the Setup Options page, select the appropriate setup options for your organization, and then click Next.

7. On the Upgrade To The Windows NTFS File System page, select the appropriate file system for your setup, and then click Next.

8. On the Get Updated Setup Files page, select No, Skip This Step and Continue Installing Windows, and then click Next. The installation procedure copies setup files and restarts your computer in text mode.

9. On the Setup Notification screen, press Enter.

10. On the Welcome to Setup screen, press Enter. Setup searches for previously installed versions of Windows.

11. A new screen appears if Setup finds previously installed versions of Windows. Press ESC to continue.

12. On the next screen, select the partition on which you want to install Windows Server 2003, Enterprise Edition, press Enter, and then press C to continue Setup using the selected partition. Or, to create a new partition in unpartitioned space, just press C. Then you can install Windows Server 2003, Enterprise Edition, in the newly partitioned space. Specify the size of the partition (at least 2 GB is recommended) and press Enter to continue. Be sure to format the partition as NTFS.

13. Setup examines your disks, copies additional files, and then restarts your computer.

14. Setup installs Windows files and displays messages about the benefits of using Windows Server 2003. On the Regional and Language Options page, select the appropriate settings for your organization, and then click Next.

15. On the Personalize Your Software page, type your name in the Name box and your organization name in the Organization box, and then press Next.

16. On the Licensing Modes page, click Next.

17. On the Computer Name And Administrator Password page, type SERVER1 in the Computer Name box. (Type SERVER2 in the Computer Name box if you are installing Windows Server 2003 Enterprise Edition on your second computer.) Then type a password in the Administrator Password and Confirm Password boxes. Click Next.

18. On the Modem Dialing Information page, enter the appropriate information about your modem, and then click Next.

19. On the Date And Time Settings page, enter the appropriate information about the date and time and your time zone, and then click Next.

20. Setup installs Windows files and displays messages about the benefits of using Windows Server 2003. On the Networking Settings page, ensure that Typical Settings is selected and then click Next.

21. On the Workgroup Or Computer Domain page, ensure that No, This Computer Is Not On a Network Or Is On A Network Without A Domain is selected and that the workgroup name is WORKGROUP, and then click Next.

22. Setup installs Windows files, displays messages about the benefits of using Windows Server 2003, and then restarts your computer. The newly installed version of Windows Server 2003, Enterprise Edition is now running.

23. Remove the Windows Server 2003 installation CD-ROM from the CD-ROM drive.

The Readiness Review Suite

The Supplemental CD-ROM includes a practice test of 300 sample exam questions and an objective review with an additional 125 questions. Use these tools to reinforce your learning and to identify any areas in which you need to gain more experience before taking the exam.

To install the practice test

1. Insert the Supplemental CD-ROM into your CD-ROM drive.

Note

If AutoRun is disabled on your machine, refer to the Readme.txt file on the Supplemental CD-ROM.

2. Click Readiness Review Suite on the user interface menu and follow the prompts.

The eBooks

The Supplemental CD-ROM includes an electronic version of this training kit, as well as eBooks for the Microsoft Encyclopedia of Networking, Second Edition, and the Microsoft Encyclopedia of Security. The eBooks are in portable document format (PDF) and must be viewed using Adobe Acrobat Reader.

To use the eBooks

1. Insert the Supplemental CD-ROM into your CD-ROM drive.

Note

If AutoRun is disabled on your machine, refer to the Readme.txt file on the CD-ROM.

2. Click Training Kit eBook on the user interface menu and follow the prompts. You also can review any of the other eBooks that are provided for your use.

Note

You must have the Supplemental CD-ROM inserted in your CD-ROM drive to run the eBook.

The Microsoft Certified Professional Program

The Microsoft Certified Professional (MCP) program provides the best method to prove your command of current Microsoft products and technologies. The exams and corresponding certifications are developed to validate your mastery of critical competencies as you design and develop, or implement and support, solutions with Microsoft products and technologies. Computer professionals who become Microsoft certified are recognized as experts and are sought after industry-wide. Certification brings a variety of benefits to the individual and to employers and organizations.

See Also

For a full list of MCP benefits, go to http://www.microsoft.com/traincert/start/itpro.asp.

Certifications

The Microsoft Certified Professional program offers multiple certifications, based on specific areas of technical expertise:

Microsoft Certified Professional (MCP). Demonstrated in-depth knowledge of at least one Microsoft Windows operating system or architecturally significant platform. An MCP is qualified to implement a Microsoft product or technology as part of a business solution for an organization.

Microsoft Certified Solution Developer (MCSD). Professional developers qualified to analyze, design, and develop enterprise business solutions with Microsoft development tools and technologies including the Microsoft .NET Framework.

Microsoft Certified Application Developer (MCAD). Professional developers qualified to develop, test, deploy, and maintain powerful applications using Microsoft tools and technologies including Microsoft Visual Studio .NET and XML Web services.

Microsoft Certified Systems Engineer (MCSE). Qualified to effectively analyze the business requirements, and design and implement the infrastructure for business solutions based on the Microsoft Windows and Microsoft Server 2003 operating system.

Microsoft Certified Systems Administrator (MCSA). Individuals with the skills to manage and troubleshoot existing network and system environments based on the Microsoft Windows and Microsoft Server 2003 operating systems.

Microsoft Certified Database Administrator (MCDBA). Individuals who design, implement, and administer Microsoft SQL Server databases.

Microsoft Certified Trainer (MCT). Instructionally and technically qualified to deliver Microsoft Official Curriculum through a Microsoft Certified Technical Education Center (CTEC).

Requirements for Becoming a Microsoft Certified Professional

The certification requirements differ for each certification and are specific to the products and job functions addressed by the certification.

To become a Microsoft Certified Professional, you must pass rigorous certification exams that provide a valid and reliable measure of technical proficiency and expertise.

These exams are designed to test your expertise and ability to perform a role or task with a product, and are developed with the input of professionals in the industry.

Questions in the exams reflect how Microsoft products are used in actual organizations, giving them “real-world” relevance.

Microsoft Certified Professional (MCP) candidates are required to pass one current Microsoft certification exam. Candidates can pass additional Microsoft certification exams to further qualify their skills with other Microsoft products, development tools, or desktop applications.

Microsoft Certified Solution Developers (MCSDs) are required to pass three core exams and one elective exam. (MCSD for Microsoft .NET candidates are required to pass four core exams and one elective.)

Microsoft Certified Application Developers (MCADs) are required to pass two core exams and one elective exam in an area of specialization.

Microsoft Certified Systems Engineers (MCSEs) are required to pass five core exams and two elective exams.

Microsoft Certified Systems Administrators (MCSAs) are required to pass three core exams and one elective exam that provide a valid and reliable measure of technical proficiency and expertise.

Microsoft Certified Database Administrators (MCDBAs) are required to pass three core exams and one elective exam that provide a valid and reliable measure of technical proficiency and expertise.

Microsoft Certified Trainers (MCTs) are required to meet instructional and technical requirements specific to each Microsoft Official Curriculum course they are certified to deliver. The MCT program requires on-going training to meet the requirements for the annual renewal of certification. For more information about becoming a Microsoft Certified Trainer, visit http://www.microsoft.com/traincert/mcp/mct/ or contact a regional service center near you.

Technical Support

Every effort has been made to ensure the accuracy of this book and the contents of the companion disc. If you have comments, questions, or ideas regarding this book or the companion disc, please send them to Microsoft Press using either of the following methods:

E-mail:

[email protected]

Postal Mail: Microsoft Press

Attn: MCSE Self-Paced Training Kit (Exam 70-294): Planning and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Editor

One Microsoft Way

Redmond, WA 98052-6399

For additional support information regarding this book and the CD-ROM (including answers to commonly asked questions about installation and use), visit the Microsoft Press Technical Support Web site at http://www.microsoft.com/mspress/support/. To connect directly to the Microsoft Press Knowledge Base and enter a query, visit http://www.microsoft.com/mspress/support/search.asp. For support information regarding Microsoft software, please connect to http://support.microsoft.com/.

Evaluation Edition Software Support

The 180-day Evaluation Edition provided with this training is not the full retail product and is provided only for the purposes of training and evaluation. Microsoft and Microsoft Technical Support do not support this evaluation edition.

Caution

The Evaluation Edition of Microsoft Windows Server 2003, Enterprise Edition, included with this book should not be used on a primary work computer. The evaluation edition is unsupported. For online support information relating to the full version of Microsoft Windows Server 2003, Enterprise Edition, that might also apply to the Evaluation Edition, you can connect to http://support.microsoft.com.

Information about any issues relating to the use of this evaluation edition with this training kit is posted to the Support section of the Microsoft Press Web site (http://www.microsoft.com/mspress/support/). For information about ordering the full version of any Microsoft software, please call Microsoft Sales at (800) 426-9400 or visit http://www.microsoft.com.

Part 1 Learn at Your Own Pace

Chapter 1 Introduction to Active Directory

Active Directory directory service provides a single point of network resource management, allowing you to add, remove, and relocate users and resources easily. This chapter introduces you to Active Directory concepts and administration tasks and walks you through the steps involved in planning an Active Directory infrastructure.

Note

In this book, the use of “Windows Server 2003 family” and “Windows Server 2003” refers to the family of four products: Microsoft Windows Server 2003, Standard Edition; Microsoft Windows Server 2003, Enterprise Edition; Microsoft Windows Server 2003, Datacenter Edition; and Microsoft Windows Server 2003, Web Edition. However, Windows Server 2003, Web Edition only partially supports the use of Active Directory. Windows Server 2003, Web Edition can participate as a member server in an Active Directory–enabled network but cannot be used as an Active Directory domain controller.

Why This Chapter Matters

This chapter introduces you to Active Directory. As you read through the lessons in this chapter, keep in mind that the concepts introduced here are examined in greater detail in later chapters as you learn how to implement and administer Windows Server 2003 Active Directory.

Lessons in this Chapter:

Lesson 1: Active Directory Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4

Lesson 2: Understanding Active Directory Concepts and Administration Tasks . . . . . . . 1-21

Lesson 3: Planning the Active Directory Infrastructure Design. . . . . . . . . . . 1-36

Before You Begin

To complete this chapter, you must be familiar with basic administration concepts used in Microsoft Windows NT or Microsoft Windows 2000.


Lesson 1: Active Directory Overview

Active Directory provides a method for designing a directory structure that meets the needs of your organization. This lesson introduces the concept of a directory service, the use of objects in Active Directory, and the function of each of the Active Directory components.

After this lesson, you will be able to

Explain the function of a directory service

Explain the purpose of Active Directory

Explain the purpose of the schema in Active Directory

Identify the components of Active Directory

Describe the function of Active Directory components

Explain the purpose of the global catalog in Active Directory

Estimated lesson time: 30 minutes

Understanding Directory Services

A directory is a stored collection of information about objects that are related to one another in some way. For example, an e-mail address book stores names of users or entities and their corresponding e-mail addresses. The e-mail address book listing might also contain a street address or other information about the user or entity.

In a distributed computing system or a public computer network such as the Internet, there are many objects stored in a directory, such as file servers, printers, fax servers, applications, databases, and users. Users must be able to locate and use these objects.

Administrators must be able to manage how these objects are used. A directory service stores all the information needed to use and manage these objects in a centralized location, simplifying the process of locating and managing these resources. A directory service differs from a directory in that it is both the source of the information and the mechanism that makes the information available to the users.

A directory service acts as the main switchboard of the network operating system. It is the central authority that manages the identities and brokers the relationships between distributed resources, enabling them to work together. Because a directory service supplies these fundamental operating system functions, it must be tightly coupled with the management and security mechanisms of the operating system to ensure the integrity and privacy of the network. It also plays a critical role in an organization’s ability to define and maintain the network infrastructure, perform system administration, and control the overall user experience of a company’s information systems.


Why Have a Directory Service?

A directory service provides the means to organize and simplify access to resources of a networked computer system. Users and administrators might not know the exact name of the objects they need. However, they might know one or more characteristics of the objects in question. As illustrated in Figure 1-1, they can use a directory service to query the directory for a list of objects that match known characteristics. For example, “Find all color printers on the third floor” queries the directory for all color printer objects that are associated with the third floor characteristic (or maybe a location characteristic that has been set to “third floor”). A directory service makes it possible to find an object based on one or more of its characteristics.

Figure 1-1 Using a directory service. The figure shows a user asking the directory server where to find resources; the directory holds entries for Server 1 (OS: Windows 2000; Type: File server; Location: 1st floor), Server 2 (OS: Novell NetWare 4.0; Type: File server; Location: 2nd floor), and Printer 1 (Type: HP-4Si; Color: No; Duplex: Yes; Location: 3rd floor).

A directory service is both an administration tool and an end user tool. As a network becomes larger, more objects must be managed and the directory service becomes a necessity.

The Windows Server 2003 Directory Service

Active Directory is the directory service included in the Windows Server 2003 family.

Active Directory includes the directory, which stores information about network resources, as well as all the services that make the information available and useful.

Active Directory is also the directory service included in Windows 2000.

1-6 Chapter 1 Introduction to Active Directory

Active Directory Services Features

Active Directory in the Windows Server 2003 family is a significant enhancement over the flat domain model provided in Windows NT. Active Directory is integrated within the Windows Server 2003 family and offers the following features:

Centralized data store

All data in Active Directory resides in a single, distributed data repository, allowing users easy access to the information from any location. A single distributed data store requires less administration and duplication and improves the availability and organization of data.

Scalability

Active Directory enables you to scale the directory to meet business and network requirements through the configuration of domains and trees and the placement of domain controllers. Active Directory allows millions of objects per domain and uses indexing technology and advanced replication techniques to speed performance.

Extensibility

The structure of the Active Directory database (the schema) can be expanded to allow customized types of information.

Manageability

In contrast to the flat domain model used in Windows NT, Active Directory is based on hierarchical organizational structures. These organizational structures make it easier for you to control administrative privileges and other security settings, and make it easier for your users to locate network resources such as files and printers.

Integration with the Domain Name System (DNS)

Active Directory uses DNS, an Internet standard service that translates easily readable host names to numeric Internet Protocol (IP) addresses. Although separate and implemented differently for different purposes, Active Directory and DNS have the same hierarchical structure. Active Directory clients use DNS to locate domain controllers. When using the Windows Server 2003 DNS service, primary DNS zones can be stored in Active Directory, enabling replication to other Active Directory domain controllers.

Client configuration management

Active Directory provides new technologies for managing client configuration issues, such as user mobility and hard disk failures, with a minimum of administration and user downtime.

Policy-based administration

In Active Directory, policies are used to define the permitted actions and settings for users and computers across a given site, domain, or organizational unit. Policy-based management simplifies tasks such as operating system updates, application installation, user profiles, and desktop system lockdown.

Replication of information

Active Directory provides multimaster replication technology to ensure information availability, fault tolerance, load balancing, and other performance benefits. Multimaster replication enables you to update the directory at any domain controller and replicates directory changes to any other domain controller. Because multiple domain controllers are employed, replication continues, even if any single domain controller stops working.

Flexible, secure authentication and authorization

Active Directory authentication and authorization services provide protection for data while minimizing barriers to doing business over the Internet. Active Directory supports multiple authentication protocols, such as the Kerberos version 5 protocol, Secure Sockets Layer (SSL) version 3, and Transport Layer Security (TLS) using X.509 version 3 certificates. In addition, Active Directory provides security groups that span domains.

Security integration

Active Directory is integrated with Windows Server 2003 security. Access control can be defined for each object in the directory and on each property of each object. Security policies can be applied locally, or to a specified site, domain, or organizational unit.

Directory-enabled applications and infrastructure

Features within Active Directory make it easier for you to configure and manage applications and other directory-enabled network components. In addition, Active Directory provides a powerful development environment through Active Directory Service Interfaces (ADSI).

Interoperability with other directory services

Active Directory is based on standard directory access protocols, including Lightweight Directory Access Protocol (LDAP) version 3, and the Name Service Provider Interface (NSPI), and can interoperate with other directory services employing these protocols. Because the LDAP directory access protocol is an industry-standard directory service protocol, programs can be developed using LDAP to share Active Directory information with other directory services that also support LDAP. The NSPI protocol, which is used by Microsoft Exchange Server 4 and 5.x clients, is supported by Active Directory to provide compatibility with the Exchange directory.

Signed and encrypted LDAP traffic

By default, Active Directory tools in Windows Server 2003 sign and encrypt all LDAP traffic. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with.

See Also

For those readers already familiar with the features of Active Directory for Windows 2000, a detailed listing of the new Active Directory features available in the Windows Server 2003 family is located in Appendix A, “New Active Directory Features in the Windows Server 2003 Family.”


Active Directory Objects

The data stored in Active Directory, such as information about users, printers, servers, databases, groups, computers, and security policies, is organized into objects. An object is a distinct named set of attributes that represents a network resource. Object attributes are characteristics of objects in the directory. For example, the attributes of a user account object might include the user’s first name, last name, and logon name, while the attributes of a computer account object might include the computer name and description (see Figure 1-2).

Figure 1-2 Active Directory objects and attributes. The figure shows the Computers container holding the computer objects Comp1, Comp2, and Comp3, each with the attributes Computer name and Description, and the Users container holding the user objects Jane Doe and John Doe, each with the attributes First name, Last name, and Logon name; each attribute holds an attribute value.

Some objects, known as containers, can contain other objects. For example, a domain is a container object that can contain objects such as user and computer accounts. In Figure 1-2, the Users folder is a container that contains user account objects.

Active Directory Schema

The Active Directory schema defines objects that can be stored in Active Directory. The schema is a list of definitions that determines the kinds of objects and the types of information about those objects that can be stored in Active Directory. Because the schema definitions themselves are stored as objects, they can be administered in the same manner as the rest of the objects in Active Directory.

The schema is defined by two types of objects: schema class objects (also referred to as schema classes) and schema attribute objects (also referred to as schema attributes).

As shown in Figure 1-3, class objects and attribute objects are defined in separate lists within the schema. Schema class objects and attribute objects are collectively referred to as schema objects or metadata.

Figure 1-3 Schema class objects and attribute objects. The figure shows a partial list of schema class objects (Computer, Group, User), where the Computer class object definition carries Description, Common name, X.500 OID, Class type, and Category, beside a partial list of schema attribute objects (accountExpires, accountNameHistory, aCSAggregateTokenRatePerUser, catalogs, categories, categoryID), where the categoryID attribute object definition carries Description, Common name, X.500 OID, and Syntax range limits.

Schema class objects describe the possible Active Directory objects that can be created. A schema class functions as a template for creating new Active Directory objects. Each schema class is a collection of schema attribute objects. When you create a schema class, the schema attributes store the information that describes the object. The User class, for example, is composed of many schema attributes, including Network Address and Home Directory. Every object in Active Directory is an instance of a schema class object.

Schema attribute objects define the schema class objects with which they are associated. Each schema attribute is defined only once and can be used in multiple schema classes. For example, the Description attribute is used in many schema classes, but is defined only once in the schema, which ensures consistency.

A set of basic schema classes and attributes is shipped with Active Directory. Experienced developers and network administrators can dynamically extend the schema by defining new classes and attributes for existing classes. For example, if you need to provide information about users that is not currently defined in the schema, you must extend the schema for the User class. However, extending the schema is an advanced operation that could have serious consequences. Because schema objects cannot be deleted, but only deactivated, and the schema is automatically replicated, you must plan and prepare carefully before extending the schema.


Active Directory Components

Various Active Directory components are used to build a directory structure that meets the needs of your organization. The following Active Directory components represent logical structures in an organization: domains, organizational units (OUs), trees, and forests. The following Active Directory components represent physical structures in an organization: sites (physical subnets) and domain controllers. Active Directory completely separates the logical structure from the physical structure.

Logical Structures

In Active Directory, you organize resources in a logical structure—a structure that mirrors organizational models—using domains, OUs, trees, and forests. Grouping resources logically allows you to easily find a resource by its name rather than by remembering its physical location. Because you group resources logically, Active Directory makes the network’s physical structure transparent to users. Figure 1-4 illustrates the relationship of the Active Directory domains, OUs, trees, and forests.

Figure 1-4 The relationship of Active Directory domains, OUs, trees, and forests. The figure shows a forest containing domain trees; each tree is a hierarchy of domains, and each domain contains a hierarchy of OUs.

Domains

The core unit of logical structure in Active Directory is the domain, which can store millions of objects. Objects stored in a domain are those considered vital to the network. These vital objects are items the members of the networked community need in order to do their jobs: printers, documents, e-mail addresses, databases, users, distributed components, and other resources. All network objects exist within a domain, and each domain stores information only about the objects it contains. Active Directory is made up of one or more domains. A domain can span more than one physical location. Domains share the following characteristics:

All network objects exist within a domain, and each domain stores information only about the objects that it contains.

A domain is a security boundary. Access to domain objects is governed by access control lists (ACLs), which contain the permissions associated with the objects. Such permissions control which users can gain access to an object and what type of access they can gain. In the Windows Server 2003 family, objects include files, folders, shares, printers, and other Active Directory objects. None of the security policies and settings—such as administrative rights, security policies, and ACLs—can cross from one domain to another. You, as the domain administrator, have absolute rights to set policies only within your domain.

The domain functional level (known as domain mode in Windows 2000) provides a way to enable domain-wide Active Directory features within your network environment. Four domain functional levels are available: Windows 2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. The Windows 2000 mixed functional level allows a Windows Server 2003 domain controller to interact with domain controllers in the same domain running Windows NT 4, Windows 2000, or the Windows Server 2003 family. The Windows 2000 native functional level allows a Windows Server 2003 domain controller to interact with domain controllers in the domain running Windows 2000 or Windows Server 2003. The Windows Server 2003 interim functional level allows a Windows Server 2003 domain controller to interact with domain controllers in the domain running Windows NT 4 or Windows Server 2003. The Windows Server 2003 functional level allows a Windows Server 2003 domain controller to interact only with domain controllers in the domain running Windows Server 2003. You can raise the functional level of a domain only if the domain controllers in the domain are running the appropriate version of Windows. See Chapter 3, “Administering Active Directory,” for details about raising domain functional levels.

As an administrator, you must create a domain structure to reflect your company’s organization. See Lesson 3, “Planning the Active Directory Infrastructure Design,” to learn the basics of domain design. See Chapter 4, “Installing and Managing Domains, Trees, and Forests,” for details about creating domains.

OUs

An OU is a container used to organize objects within a domain into a logical administrative group. OUs provide a means for handling administrative tasks, such as the administration of users and resources, as they are the smallest scope to which you can delegate administrative authority. An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs from the same domain. The OU hierarchy within a domain is independent of the OU hierarchy structure of other domains—each domain can implement its own OU hierarchy. By adding OUs to other OUs, or nesting, you can provide administrative control in a hierarchical fashion.

As an administrator, you must create an OU structure to reflect your company’s organization. See Lesson 3, “Planning the Active Directory Infrastructure Design,” to learn the basics of OU design. See Chapter 6, “Implementing an OU Structure,” to learn about implementing an OU structure.

In Figure 1-5, the microsoft.com domain mirrors the organization of a shipping company and contains three OUs: US, Orders, and Disp, where Orders and Disp are nested within the US OU. In the summer months the number of shipping orders taken increases, and management has requested the addition of a subadministrator for the Orders department. The subadministrator must have permission only to create user accounts and provide users with access to Orders department files and shared printers. Rather than creating another domain, the request can be met by assigning the subadministrator the appropriate permissions within the Orders OU.

Figure 1-5 Using an OU to handle administrative tasks. The figure shows the microsoft.com domain with an Admin account at the top, the US OU beneath it, and the Orders and Disp OUs nested in US; the Orders OU contains Users, Files, and Printers.

If the subadministrator is later required to create user accounts in the US, Orders, and Disp OUs, you could grant the administrator the appropriate permissions separately within each OU. However, because the Orders and Disp OUs are nested in the US OU, a more efficient method is to assign permissions once in the US OU, and allow them to be inherited by the Orders and Disp OUs. By default, all child objects (the Orders and Disp OUs) within Active Directory inherit permissions from their parents (the US OU). Granting permissions at a higher level and using inheritance capabilities can reduce administrative tasks.
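The inheritance behavior just described, worked through in code as an added example (not the book's own code): the OU tree, the principal name SubAdmin and the right names are constructed for this illustration, and the "block inheritance" switch is an assumption that goes beyond the text's default case.

```python
"""Permission inheritance across nested OUs (constructed example).

Models the Figure 1-5 layout: the US OU contains the Orders and Disp OUs.
A right granted on an OU is held there and inherited by every OU beneath
it, unless a child OU blocks inheritance (an assumption beyond the text).
"""
from dataclasses import dataclass, field


@dataclass
class OU:
    name: str
    parent: "OU | None" = None
    # Access control entries granted directly on this OU: (principal, right)
    aces: set[tuple[str, str]] = field(default_factory=set)
    # When True, ACEs of parent OUs are not inherited by this OU.
    block_inheritance: bool = False

    def grant(self, principal: str, right: str) -> None:
        self.aces.add((principal, right))

    def chain(self) -> list["OU"]:
        """This OU followed by its ancestors up to the domain."""
        node, nodes = self, []
        while node is not None:
            nodes.append(node)
            node = node.parent
        return nodes

    def effective_rights(self, principal: str) -> set[str]:
        """Rights the principal holds here: its own ACEs plus those inherited
        from each ancestor, stopping at the first OU that blocks inheritance."""
        rights: set[str] = set()
        for node in self.chain():
            rights |= {r for p, r in node.aces if p == principal}
            if node.block_inheritance:
                break
        return rights


def build_tree() -> dict[str, OU]:
    """microsoft.com > US > {Orders, Disp}, as in Figure 1-5."""
    domain = OU("microsoft.com")
    us = OU("US", domain)
    return {"domain": domain, "US": us,
            "Orders": OU("Orders", us), "Disp": OU("Disp", us)}


def rights_by_ou(tree: dict[str, OU], principal: str) -> dict[str, set[str]]:
    return {n: tree[n].effective_rights(principal) for n in ("US", "Orders", "Disp")}


def summer_scenario() -> dict[str, set[str]]:
    """Grant SubAdmin only what the Orders department needs, on Orders alone."""
    t = build_tree()
    t["Orders"].grant("SubAdmin", "CreateUser")
    t["Orders"].grant("SubAdmin", "GrantFileShareAccess")
    return rights_by_ou(t, "SubAdmin")


def expanded_scenario() -> dict[str, set[str]]:
    """Grant once on US; Orders and Disp inherit the right by default."""
    t = build_tree()
    t["US"].grant("SubAdmin", "CreateUser")
    return rights_by_ou(t, "SubAdmin")


def blocked_scenario() -> dict[str, set[str]]:
    """Same grant on US, but Disp blocks inheritance and so receives nothing."""
    t = build_tree()
    t["US"].grant("SubAdmin", "CreateUser")
    t["Disp"].block_inheritance = True
    return rights_by_ou(t, "SubAdmin")
```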

Trees

A tree is a grouping or hierarchical arrangement of one or more Windows Server 2003 domains that you create by adding one or more child domains to an existing parent domain. Domains in a tree share a contiguous namespace and a hierarchical naming structure. Namespaces are covered in detail in the next lesson. Following DNS standards, the domain name of a child domain is the relative name of that child domain appended with the name of the parent domain. In Figure 1-6, microsoft.com is the parent domain and us.microsoft.com and uk.microsoft.com are its child domains. The child domain of uk.microsoft.com is sls.uk.microsoft.com. By creating a hierarchy of domains in a tree, you can retain security and allow for administration within an OU or within a single domain of a tree. The tree structure easily accommodates organizational changes.

Figure 1-6 A domain tree. The figure shows microsoft.com with its child domains uk.microsoft.com and us.microsoft.com, and sls.uk.microsoft.com beneath uk.microsoft.com.

As an administrator, you must create a tree structure to reflect your company’s organization. See Lesson 3, “Planning the Active Directory Infrastructure Design,” to learn the basics of tree design. See Chapter 4, “Installing and Managing Domains, Trees, and Forests,” for details about creating trees.

Forests

A forest is a grouping or hierarchical arrangement of one or more separate, completely independent domain trees. As such, forests have the following characteristics:

All domains in a forest share a common schema.

All domains in a forest share a common global catalog.

All domains in a forest are linked by implicit two-way transitive trusts.

Trees in a forest have different naming structures, according to their domains.

Domains in a forest operate independently, but the forest enables communication across the entire organization.

In Figure 1-7, the microsoft.com and msn.com trees form a forest. The namespace is contiguous only within each tree.

Figure 1-7 A forest of trees. The figure shows two trees: microsoft.com with its child domains uk.microsoft.com and us.microsoft.com (and sls.uk.microsoft.com beneath uk.microsoft.com), and msn.com with its child domains uk.msn.com and us.msn.com (and sls.uk.msn.com beneath uk.msn.com).

The forest functional level provides a way to enable forest-wide Active Directory features within your network environment. Three forest functional levels are available: Windows 2000 (default), Windows Server 2003 interim, and Windows Server 2003. The Windows 2000 functional level allows a Windows Server 2003 domain controller to interact with domain controllers in the domain running Windows NT 4, Windows 2000, or Windows Server 2003. The Windows Server 2003 interim functional level allows a Windows Server 2003 domain controller to interact with domain controllers in the domain running Windows NT 4 or Windows Server 2003. The Windows Server 2003 functional level allows a Windows Server 2003 domain controller to interact only with domain controllers in the domain running Windows Server 2003. You can raise the functional level of a forest only if the domain controllers in the forest are running the appropriate version of Windows. See Chapter 3, “Administering Active Directory,” for details about raising forest functional levels.

As an administrator, you must create a forest structure to reflect your company’s organization. See Lesson 3, “Planning the Active Directory Infrastructure Design,” to learn the basics of forest design. See Chapter 4, “Installing and Managing Domains, Trees, and Forests,” for details about creating forests.

Physical Structures

The physical components of Active Directory are sites and domain controllers. As an administrator, you use these components to develop a directory structure that mirrors the physical structure of your organization.

Sites

A site is a combination of one or more IP subnets connected by a highly reliable and fast link to localize as much network traffic as possible. Typically, a site has the same boundaries as a local area network (LAN). When you group subnets on your network, you should combine only subnets that have fast, cheap, and reliable network connections with one another. “Fast” network connections are at least 512 kilobits per second (Kbps). An available bandwidth (the average amount of bandwidth that is available for use after normal network traffic is handled) of 128 Kbps and higher is sufficient for a site.

With Active Directory, sites are not part of the namespace. When you browse the logical namespace, you see computers and users grouped into domains and OUs, not sites. Sites contain only computer objects and connection objects used to configure replication between sites. As shown in Figure 1-8, a single domain can span one or more geographical sites, and a single site can include user accounts and computers belonging to multiple domains.

Figure 1-8 The relationship of site and domain structures. The figure shows three cases: a single domain with a single site (Site A), a single domain with multiple sites (Site A and Site B), and multiple domains with a single site (Site A).

As an administrator, you must create a site structure to reflect your company’s organization. See Lesson 3, “Planning the Active Directory Infrastructure Design,” to learn the basics of site design. See Chapter 5, “Configuring Sites and Managing Replication,” for details about configuring sites.


Domain Controllers

A domain controller is a computer running Windows Server 2003 that stores a replica of the domain directory (local domain database). Because a domain can contain one or more domain controllers, each domain controller in a domain has a complete replica of the domain’s portion of the directory. A domain controller can service only one domain. A domain controller also authenticates user logon attempts and maintains the security policy for a domain.

The following list describes the functions of domain controllers:

Each domain controller stores a complete copy of all Active Directory information for that domain, manages changes to that information, and replicates those changes to other domain controllers in the same domain.

Domain controllers in a domain automatically replicate directory information for all objects in the domain to each other. When you perform an action that causes an update to Active Directory, you are actually making the change at one of the domain controllers. That domain controller then replicates the change to all other domain controllers within the domain. You can control replication of traffic between domain controllers in the network by specifying how often replication occurs and the amount of data that each domain controller replicates at one time.

Domain controllers immediately replicate certain important updates, such as the disabling of a user account.

Active Directory uses multimaster replication, in which no one domain controller is the master domain controller. Instead, all domain controllers within a domain are peers, and each domain controller contains a copy of the directory database that can be written to. Domain controllers can hold different information for short periods of time until all domain controllers have synchronized changes to Active Directory.

Although Active Directory supports multimaster replication, some changes are impractical to perform in multimaster fashion. One or more domain controllers can be assigned to perform single-master replication (operations not permitted to occur at different places in a network at the same time).

Operations master roles are special roles assigned to one or more domain controllers in a domain to perform single-master replication.

Domain controllers detect collisions, which can occur when an attribute is modified on a domain controller before a change to the same attribute on another domain controller is completely propagated. Collisions are detected by comparing each attribute’s property version number, a number specific to an attribute that is initialized upon creation of the attribute. Active Directory resolves the collision by replicating the changed attribute with the higher property version number.


Having more than one domain controller in a domain provides fault tolerance. If one domain controller is offline, another domain controller can provide all required functions, such as recording changes to Active Directory.

Domain controllers manage all aspects of users’ domain interaction, such as locating Active Directory objects and validating user logon attempts.
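Multimaster replication, urgent replication of an account disable, and collision resolution by property version number, simulated as an added example (not the book's or Microsoft's code). The two domain controllers, the user object and the logical clock are constructed; the tie-break on originating time and the userAccountControl attribute name are assumptions beyond the text.

```python
"""Multimaster replication with property version numbers (constructed).

Each domain controller holds its own writable copy of one user object.
An originating write raises that attribute's property version number;
inbound replication applies a change only when its version is higher than
the local one, which is the collision rule the text describes.  A tie
(equal versions, both sides changed) is broken here by the originating
time, an assumption that goes beyond the text.
"""
from dataclasses import dataclass, field

# Disabling an account is the text's example of an immediately replicated
# change; the real attribute name is used here (it is not on the page).
URGENT_ATTRIBUTES = {"userAccountControl"}


@dataclass(frozen=True)
class Stamp:
    version: int           # property version number, 1 when the attribute is created
    originating_time: int  # constructed logical clock of the originating write
    originating_dc: str    # name of the DC where the write was made

    def wins_over(self, other: "Stamp") -> bool:
        """Higher version wins; on equal versions the later write wins."""
        return (self.version, self.originating_time) > (other.version, other.originating_time)


@dataclass
class DomainController:
    name: str
    replica: dict = field(default_factory=dict)  # attribute -> (value, Stamp)

    def create(self, attrs: dict, clock: int) -> None:
        for attribute, value in attrs.items():
            self.replica[attribute] = (value, Stamp(1, clock, self.name))

    def write(self, attribute: str, value: str, clock: int) -> bool:
        """Originating write on this DC. Returns True if the change is urgent."""
        _, old = self.replica[attribute]
        self.replica[attribute] = (value, Stamp(old.version + 1, clock, self.name))
        return attribute in URGENT_ATTRIBUTES

    def receive(self, attribute: str, value: str, stamp: Stamp) -> bool:
        """Inbound replication of one attribute. Returns True if applied."""
        _, local = self.replica[attribute]
        if stamp != local and stamp.wins_over(local):
            self.replica[attribute] = (value, stamp)
            return True
        return False  # already current, or the local value wins the collision

    def replicate_to(self, peer: "DomainController") -> int:
        """Push every attribute to a peer; returns how many changes it applied."""
        return sum(peer.receive(a, v, s) for a, (v, s) in self.replica.items())


def converge(dcs: list) -> None:
    """One replication pass between every pair of peers (no master DC)."""
    for src in dcs:
        for dst in dcs:
            if dst is not src:
                src.replicate_to(dst)


def values(dcs: list, attribute: str) -> dict:
    return {dc.name: dc.replica[attribute][0] for dc in dcs}


def collision_demo() -> dict:
    """DC1 changes description twice (version 3) while DC2 changes it once
    (version 2) before either replicates; version 3 wins on both DCs."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    for dc in (dc1, dc2):
        dc.create({"description": "Shipping clerk"}, clock=0)
    dc1.write("description", "Shipping clerk (temp)", clock=1)
    dc1.write("description", "Shipping clerk (summer temp)", clock=2)
    dc2.write("description", "Dispatcher", clock=3)
    converge([dc1, dc2])
    return values([dc1, dc2], "description")


def tie_demo() -> dict:
    """Both DCs make one change (version 2 each); the later write wins."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    for dc in (dc1, dc2):
        dc.create({"description": "Shipping clerk"}, clock=0)
    dc1.write("description", "Clerk A", clock=1)
    dc2.write("description", "Clerk B", clock=2)
    converge([dc1, dc2])
    return values([dc1, dc2], "description")


def urgent_demo() -> bool:
    """Disabling an account (userAccountControl 512 -> 514) is flagged urgent."""
    dc = DomainController("DC1")
    dc.create({"userAccountControl": "512"}, clock=0)
    return dc.write("userAccountControl", "514", clock=1)
```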

As an administrator, you must place domain controllers in sites to reflect your organization’s physical structure and optimize replication and authentication. See Lesson 3, “Planning the Active Directory Infrastructure Design,” to learn the basics of domain controller placement. See Chapter 2, “Installing and Configuring Active Directory,” for details about creating domain controllers.

Catalog Services—The Global Catalog

Active Directory allows users and administrators to find objects such as files, printers, or users in their own domain. However, finding objects outside of the domain and across the enterprise requires a mechanism that allows the domains to act as one entity. A catalog service contains selected information about every object in all domains in the directory, which is useful in performing searches across an enterprise.

The global catalog is the catalog service provided by Active Directory.

The global catalog is the central repository of information about objects in a tree or forest. By default, a global catalog is created automatically on the initial domain controller in the first domain in the forest. A domain controller that holds a copy of the global catalog is called a global catalog server. You can designate any domain controller in the forest as a global catalog server. Active Directory uses multimaster replication to replicate the global catalog information between global catalog servers in other domains. It stores a full replica of all object attributes in the directory for its host domain and a partial replica of all object attributes contained in the directory for every domain in the forest. The partial replica stores attributes most frequently used in search operations (such as a user’s first and last names, logon name, and so on). Attributes are marked or unmarked for replication in the global catalog when they are defined in the Active Directory schema. Object attributes replicated to the global catalog inherit the same permissions as in source domains, ensuring that data in the global catalog is secure.

Global Catalog Functions

The global catalog performs the following two key functions:

It enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated.

It enables finding directory information regardless of which domain in the forest actually contains the data.


When a user logs on to the network, the global catalog provides universal group membership information for the account to the domain controller processing the user logon information. If there is only one domain controller in a domain, the domain controller holds the global catalog server. If there are multiple domain controllers in the network, one domain controller is configured to hold the global catalog. If a global catalog is not available when a user initiates a network logon process, the user is able to log on only to the local computer unless the site has been specifically configured to cache universal group membership lookups when processing user logon attempts.

Tip If a user is a member of the Domain Admins group, he or she is able to log on to the network even when the global catalog is not available.

The global catalog is designed to respond to user and programmatic queries about objects anywhere in the domain tree or forest with maximum speed and minimum network traffic. Because a single global catalog contains information about all objects in all domains in the forest, a query about an object that is not contained in the local domain can be resolved by a global catalog server in the domain in which the query is initiated. Thus, finding information in the directory does not produce unnecessary query traffic across domain boundaries.

The Query Process

A query is a specific request made by a user to the global catalog in order to retrieve, modify, or delete Active Directory data. The following steps, illustrated in Figure 1-9, describe the query process:

1. The client queries its DNS server for the location of the global catalog server.

2. The DNS server searches for the global catalog server location and returns the IP address of the domain controller designated as the global catalog server.

3. The client queries the IP address of the domain controller designated as the global catalog server. The query is sent to port 3268 on the domain controller; standard Active Directory queries are sent to port 389.

4. The global catalog server processes the query. If the global catalog contains the attribute of the object being searched for, the global catalog server provides a response to the client. If the global catalog does not contain the attribute of the object being searched for, the query is referred to Active Directory.

You can configure any domain controller or designate additional domain controllers as global catalog servers. When considering which domain controllers to designate as global catalog servers, base your decision on the ability of your network structure to handle replication and query traffic.
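The four query steps above, simulated offline as an added example (not the book's or Microsoft's code). The DNS resolver, the DC1/DC3 domain controllers, their IP addresses and the two user objects are constructed; the only facts assumed beyond the text are that Active Directory registers the SRV records _gc._tcp.<forest root> for global catalog servers and _ldap._tcp.<domain> for a domain's domain controllers.

```python
"""Global catalog query process (Figure 1-9), constructed simulation.

A client locates a GC server through DNS SRV records, queries port 3268,
and is referred to the owning domain's DC on port 389 when the requested
attribute is not part of the GC's partial replica.
"""
from dataclasses import dataclass, field

GC_PORT, LDAP_PORT = 3268, 389  # ports named in the text

# Attributes the schema marks for replication to the global catalog
# (a constructed subset of the real partial attribute set).
GC_ATTRIBUTES = {"cn", "sn", "sAMAccountName", "domain"}


def matches(obj: dict, filt: dict) -> bool:
    """Equality filter: every (attribute, value) pair must match."""
    return all(obj.get(k) == v for k, v in filt.items())


@dataclass
class Resolver:
    """Constructed DNS server holding SRV and A records."""
    srv: dict  # "_service.zone" -> [(priority, weight, port, target)]
    a: dict    # host name -> IP address

    def locate(self, service: str, zone: str) -> tuple:
        """Steps 1-2: (ip, port) of the lowest-priority SRV target."""
        _, _, port, target = sorted(self.srv[f"{service}.{zone}"])[0]
        return self.a[target], port


@dataclass
class DomainController:
    name: str
    domain: str
    is_gc: bool
    objects: list                                   # full replica of own domain
    gc_objects: list = field(default_factory=list)  # partial replica of the forest

    def search(self, port: int, filt: dict, attr: str) -> dict:
        """Step 4: on 3268 answer from the global catalog, or refer the client
        to the owning domain(s) when the attribute is not in the catalog;
        on 389 answer from the full replica of this DC's own domain."""
        if port == GC_PORT and self.is_gc:
            if attr not in GC_ATTRIBUTES:
                owners = {o["domain"] for o in self.gc_objects if matches(o, filt)}
                return {"referral": sorted(owners)}
            store = self.gc_objects
        elif port == LDAP_PORT:
            store = self.objects
        else:
            raise ConnectionRefusedError(f"{self.name} does not listen on {port}")
        return {"results": [o[attr] for o in store if matches(o, filt) and attr in o]}


def forest_search(dns: Resolver, hosts: dict, forest_root: str, filt: dict, attr: str) -> list:
    """Client side: locate a GC, query port 3268 (step 3), and follow any
    referral to each owning domain's DC on port 389."""
    ip, port = dns.locate("_gc._tcp", forest_root)       # steps 1-2
    reply = hosts[ip].search(port, filt, attr)           # steps 3-4
    if "referral" not in reply:
        return reply["results"]
    results = []
    for domain in reply["referral"]:
        ip, port = dns.locate("_ldap._tcp", domain)      # an ordinary DC of that domain
        results += hosts[ip].search(port, filt, attr)["results"]
    return results


def build_forest() -> tuple:
    """Constructed forest: microsoft.com (DC1, a global catalog server) and its
    child domain us.microsoft.com (DC3, not a GC), with one user object each."""
    dc1 = DomainController("DC1", "microsoft.com", True, objects=[
        {"cn": "Jane Doe", "sn": "Doe", "sAMAccountName": "jdoe",
         "domain": "microsoft.com", "homeDirectory": r"\\srv1\jdoe"}])
    dc3 = DomainController("DC3", "us.microsoft.com", False, objects=[
        {"cn": "John Doe", "sn": "Doe", "sAMAccountName": "johnd",
         "domain": "us.microsoft.com", "homeDirectory": r"\\srv2\johnd"}])
    # The GC holds only the GC-marked attributes of every object in the forest.
    dc1.gc_objects = [{k: v for k, v in o.items() if k in GC_ATTRIBUTES}
                      for dc in (dc1, dc3) for o in dc.objects]
    dns = Resolver(
        srv={"_gc._tcp.microsoft.com": [(0, 100, GC_PORT, "dc1.microsoft.com")],
             "_ldap._tcp.microsoft.com": [(0, 100, LDAP_PORT, "dc1.microsoft.com")],
             "_ldap._tcp.us.microsoft.com": [(0, 100, LDAP_PORT, "dc3.us.microsoft.com")]},
        a={"dc1.microsoft.com": "10.0.0.1", "dc3.us.microsoft.com": "10.0.1.3"})
    return dns, {"10.0.0.1": dc1, "10.0.1.3": dc3}


def demo() -> dict:
    """Both searches span the forest; only homeDirectory needs referrals."""
    dns, hosts = build_forest()
    return {
        "logon_names": sorted(forest_search(dns, hosts, "microsoft.com", {"sn": "Doe"}, "sAMAccountName")),
        "home_dirs": sorted(forest_search(dns, hosts, "microsoft.com", {"sn": "Doe"}, "homeDirectory")),
        "gc_location": dns.locate("_gc._tcp", "microsoft.com"),
    }
```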


As an administrator, you must place global catalog servers in sites to provide quick responses to user inquiries, as well as redundancy. See Lesson 3, “Planning the Active Directory Infrastructure Design,” to learn the basics of designing global catalog server placement. See Chapter 5, “Configuring Sites and Managing Replication,” for details about configuring global catalog servers.

Figure 1-9 The query process. The figure shows a client in Domain A querying its DNS server (1), receiving the address of the global catalog server (2), and sending its query to the global catalog server (3), which answers from the global catalog (4); domain controllers DC1, DC2, and DC3 in Domain A and Domain B keep their global catalog copies current through multimaster replication.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. How is a directory service different from a directory?

2. How is Active Directory scalable?

3. What is multimaster replication?

4. Name the Active Directory components used to represent an organization’s logical structure.

5. Name the physical components of Active Directory.

6. What is the function of the global catalog?

Lesson Summary

A directory service stores all the information needed to use and manage system objects in a centralized location, simplifying the process of locating and managing these resources.

Data stored in Active Directory is organized into objects, which have attributes.

The Active Directory schema defines objects that can be stored in Active Directory.

Schema classes and attributes define the Active Directory schema.

The logical structures in an organization are represented by the following Active Directory components: domains, OUs, trees, and forests.

The physical components of Active Directory are sites and domain controllers.

The global catalog is the central repository of information about objects in a tree or forest.


Lesson 2: Understanding Active Directory Concepts and Administration Tasks

In the Windows Server 2003 family and Active Directory, there are several new concepts and some changes to the concepts used in Windows NT. These concepts include replication, trust relationships, change and configuration management, group policies, DNS, and object naming. It is important that you understand the meaning of these concepts as they apply to Active Directory. In addition, you should also familiarize yourself with the Active Directory administration tasks, which correspond to the chapters in this training kit.

After this lesson, you will be able to

Explain Active Directory replication

Explain the security relationships between domains in a tree (trusts)

Explain the components of change and configuration management

Explain the purpose and function of Group Policy

Describe how DNS is used by Active Directory

Describe how objects are named in Active Directory

Describe the tasks required for Active Directory administration

Estimated lesson time: 20 minutes

Replication

Users and services should be able to access directory information at any time from any computer in the domain tree or forest.

Replication ensures that a change made on one domain controller is reflected on every other domain controller that holds a replica of the same data: domain data on all domain controllers in that domain, and schema and configuration data on all domain controllers in the forest. Directory information is replicated to domain controllers both within and among sites.

What Information Is Replicated

The information stored in the directory (in the Ntds.dit file) is logically partitioned into four categories. Each of these information categories is referred to as a directory partition. A directory partition is also referred to as a naming context. These directory partitions are the units of replication. The directory contains the following partitions:

Schema partition

This partition defines the objects that can be created in the directory and the attributes those objects can have. This data is common to all domains in a forest and is replicated to all domain controllers in a forest.

Configuration partition

This partition describes the logical structure of the deployment, including data such as domain structure or replication topology. This data is common to all domains in a forest and is replicated to all domain controllers in a forest.

Domain partition

This partition describes all of the objects in a domain. This data is domain-specific and is not replicated to any other domains. However, the data is replicated to every domain controller in that domain.

Application Directory partition

This partition stores dynamic application-specific data in Active Directory without significantly affecting network performance by enabling you to control the scope of replication and the placement of replicas. The application directory partition can contain any type of object except security principals (users, groups, and computers). Data can be explicitly rerouted to administrator-specified domain controllers within a forest in order to prevent unnecessary replication traffic, or it can be set to replicate everything to all domain controllers in the same fashion as the schema, configuration, and domain partitions.

A domain controller stores and replicates:

The schema partition data for a forest.

The configuration partition data for all domains in a forest.

The domain partition data (all directory objects and properties) for its domain.

This data is replicated to additional domain controllers in the domain. For the purpose of finding information, a partial replica containing commonly used attributes of all objects in the domain is replicated to the global catalog.

A global catalog stores and replicates:

The schema partition data for a forest

The configuration partition data for all domains in a forest

A partial replica containing commonly used attributes for all directory objects in the forest (replicated between global catalog servers only)

A full replica containing all attributes for all directory objects in the domain in which the global catalog is located

Caution

Approach schema extensions carefully, including extensions that add attributes to the partial attribute set replicated to global catalog servers. A schema extension can have lasting effects on a large network: a class or attribute, once added, cannot be deleted (it can only be deactivated), and the change is replicated to every domain controller in the forest. In a Windows 2000 forest, adding an attribute to the partial attribute set also forced every global catalog server to perform a full synchronization of its partial replicas; at the Windows Server 2003 forest functional level only the newly added attribute is replicated.
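The following script is an added example, not part of the training kit. It checks the two storage lists above against a live forest: for every domain controller it reads the partitions the controller holds from its NTDS Settings object, where Active Directory records full (writable) replicas separately from the read-only partial replicas that only a global catalog server carries, and it counts the attributes currently in the partial attribute set. It requires the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later); on Windows Server 2003 the same data is visible with repadmin /showrepl and Ldp.exe. Nothing about the forest is assumed beyond read access as a forest user.

```powershell
# Added example (not from the training kit). Requires the ActiveDirectory module and read
# access to the forest; no names are assumed.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest $($forest.Name): domains = $($forest.Domains -join ', ')"

# The 'commonly used attributes' every GC carries for every object in the forest are the
# schema attributes flagged isMemberOfPartialAttributeSet=TRUE.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$pasCount = (Get-ADObject -SearchBase $schemaNc -LDAPFilter '(isMemberOfPartialAttributeSet=TRUE)' |
             Measure-Object).Count
"Attributes in the partial attribute set: $pasCount"

# Get-ADDomainController is scoped to one domain, so ask each domain of the forest in turn.
$dcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }

foreach ($dc in $dcs) {
    # The NTDS Settings object records exactly which partitions this DC holds:
    #   msDS-HasMasterNCs          full (writable) replicas
    #   msDS-HasPartialReplicaNCs  read-only partial replicas, present only on a global catalog
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Server $dc.HostName `
                -Properties 'msDS-HasMasterNCs', 'msDS-HasPartialReplicaNCs'
    $full    = @($ntds.'msDS-HasMasterNCs')
    $partial = @($ntds.'msDS-HasPartialReplicaNCs')

    # Sort the full replicas into the four categories named in the lesson. Anything that is
    # not the schema, configuration or own-domain partition is an application directory
    # partition (ForestDnsZones and DomainDnsZones are the usual ones).
    $rootDse  = Get-ADRootDSE -Server $dc.HostName
    $wellKnown = @($rootDse.schemaNamingContext, $rootDse.configurationNamingContext, $rootDse.defaultNamingContext)
    $appNcs   = @($full | Where-Object { $wellKnown -notcontains $_ })

    [pscustomobject]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        IsGlobalCatalog  = $dc.IsGlobalCatalog
        Schema           = $rootDse.schemaNamingContext
        Configuration    = $rootDse.configurationNamingContext
        Domain           = $rootDse.defaultNamingContext
        Application      = ($appNcs -join '; ')
        PartialReplicas  = ($partial -join '; ')      # empty unless IsGlobalCatalog is True
    }
}
```

On a global catalog server the PartialReplicas column lists the domain partitions of every other domain in the forest, which is the partial replica described in the list above; on a domain controller that is not a global catalog it is empty, and the Domain column is the only domain partition the server holds.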


How Information Is Replicated

Active Directory replicates information in two ways: intrasite (within a site) and intersite (between sites). The need for up-to-date directory information is balanced with the limitations imposed by available network bandwidth.

Intrasite Replication Within a site, a Windows Server 2003 service known as the knowledge consistency checker (KCC) automatically generates a topology for replication among domain controllers in the same domain using a ring structure. The KCC is a built-in process that runs on all domain controllers. The topology defines the path for directory updates to flow from one domain controller to another until all domain controllers in the site receive the directory updates. The KCC determines which servers are best suited to replicate with each other, and designates certain domain controllers as replication partners on the basis of connectivity, history of successful replication, and the matching of full and partial replicas. Domain controllers can have more than one replication partner. The KCC then builds connection objects that represent replication connections between the replication partners.

The ring structure ensures that there are at least two replication paths from one domain controller to another; if one domain controller is down temporarily, replication still continues to all other domain controllers, as shown in Figure 1-10.

Figure 1-10 Intrasite replication topology (diagram not reproduced: DC1, DC2, DC3, and DC4 joined in a ring by replication topology links; a failure on DC3 breaks the ring at that point, but every remaining domain controller still reaches the others along the other direction of the ring)

The KCC analyzes the replication topology within a site every 15 minutes to ensure that it still works. If you add or remove a domain controller from the network or a site, the KCC reconfigures the topology to reflect the change.


When more than seven domain controllers are added to a site, the KCC creates additional connection objects across the ring structure so that if a change occurs at any one domain controller, replication partners are available to ensure that no domain controller is more than three replication hops from another domain controller, as shown in Figure 1-11. These optimizing connections are created at random and are not necessarily created on every domain controller.

Figure 1-11 A maximum of three replication hops between domain controllers, due to the addition of connection objects by the KCC (diagram not reproduced: a ring of eight domain controllers, DC1 through DC8, with additional connection objects drawn across the ring)

Intersite Replication

To ensure replication between sites, you must connect them manually by creating site links. Site links represent network connections and allow replication to occur. In each site, one domain controller, the intersite topology generator (ISTG), runs the KCC process that generates the connections between that site and other sites. Active Directory uses the network connection information to generate connection objects that provide efficient replication and fault tolerance, as shown in Figure 1-12.

You provide information about the replication transport used, cost of a site link, times when the link is available for use, and how often the link should be used. Active Directory uses this information to determine which site link is used to replicate information.

Customizing replication schedules so replication occurs during specific times, such as when network traffic is light, makes replication more efficient.

As an administrator, you must configure sites and replication to ensure that the most up-to-date information is available to users. Replication and site link configuration are discussed in more detail in Chapter 5, “Configuring Sites and Managing Replication.”

Figure 1-12 Intersite replication topology (diagram not reproduced: Site A, Site B, and Site C joined by site links AB, BC, and CA, with domain controllers DC1 and DC2 in different sites replicating across a site link)
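The following script is an added example and is not part of the training kit. It lists the objects this section describes as they exist in a live forest: the site links an administrator creates, with their cost, replication interval, and whether a custom schedule is set; the intersite topology generator chosen in each site; and the connection objects, labeled intrasite or intersite from the sites of their two endpoints and flagged as KCC-generated or manually created. It requires the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later); on Windows Server 2003 the same objects appear in Active Directory Sites and Services and in repadmin /showrepl. No site or server names are assumed, and component values are assumed not to contain escaped commas.

```powershell
# Added example (not from the training kit). Requires the ActiveDirectory module. Assumes
# site and server names contain no escaped commas, so a DN can be split on ','.
Import-Module ActiveDirectory

function Get-DnComponent([string]$dn, [int]$index) {
    # Value of the Nth RDN of a DN, e.g. index 3 of
    # 'CN=NTDS Settings,CN=DC1,CN=Servers,CN=HQ,CN=Sites,...' is 'HQ'.
    (($dn -split ',')[$index] -split '=', 2)[1]
}

'== Site links (created by the administrator) =='
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded, ReplicationSchedule |
    ForEach-Object {
        [pscustomobject]@{
            SiteLink    = $_.Name
            Sites       = (@($_.SitesIncluded | ForEach-Object { Get-DnComponent $_ 0 }) -join ' <-> ')
            Cost        = $_.Cost
            IntervalMin = $_.ReplicationFrequencyInMinutes
            Schedule    = if ($null -eq $_.ReplicationSchedule) { 'always available' } else { 'custom' }
        }
    } | Format-Table -AutoSize

'== Intersite topology generator (ISTG) in each site =='
Get-ADReplicationSite -Filter * -Properties InterSiteTopologyGenerator |
    ForEach-Object {
        [pscustomobject]@{
            Site = $_.Name
            ISTG = if ($_.InterSiteTopologyGenerator) { Get-DnComponent $_.InterSiteTopologyGenerator 1 } else { '(none)' }
        }
    } | Format-Table -AutoSize

'== Connection objects (AutoGenerated = True means the KCC created the object) =='
Get-ADReplicationConnection -Filter * -Properties AutoGenerated, ReplicateFromDirectoryServer, ReplicateToDirectoryServer |
    ForEach-Object {
        # Both ends are NTDS Settings DNs: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
        $fromSite = Get-DnComponent $_.ReplicateFromDirectoryServer 3
        $toSite   = Get-DnComponent $_.ReplicateToDirectoryServer 3
        [pscustomobject]@{
            Scope         = if ($fromSite -eq $toSite) { "intrasite $fromSite" } else { "intersite $fromSite -> $toSite" }
            From          = Get-DnComponent $_.ReplicateFromDirectoryServer 1
            To            = Get-DnComponent $_.ReplicateToDirectoryServer 1
            AutoGenerated = $_.AutoGenerated
        }
    } | Sort-Object Scope, To, From | Format-Table -AutoSize
```

In a healthy site the intrasite rows form the ring described above (every domain controller appears as the target of at least two connections once the site has three or more controllers), and each intersite row originates from the ISTG of the destination site. A connection object with AutoGenerated set to False was created by hand and will not be removed or rerouted by the KCC.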

Trust Relationships

A trust relationship is a link between two domains in which the trusting domain honors the logon authentication of the trusted domain, as shown in Figure 1-13. Users and applications in the Windows Server 2003 family are authenticated across a trust with one of two authentication protocols: Kerberos version 5 or NT LAN Manager (NTLM). Kerberos version 5 is the default protocol for computers running Windows Server 2003; if any computer involved in a transaction does not support Kerberos version 5, NTLM is used instead. A trust relationship is also permitted with any MIT Kerberos version 5 realm. Every trust has two sides: the trusting domain and the trusted domain.

Figure 1-13 Trusting and trusted domains linked with a one-way trust (diagram not reproduced: Domain A, the trusting or resource domain, trusts Domain B, the trusted or account domain; the direction of trust runs from Domain A to Domain B, while the direction of access runs the other way, from accounts in Domain B to resources in Domain A)


Trusts have the following characteristics:

Method of creation

Trusts can be created manually (explicitly) or automatically (implicitly). Not all trusts can be created both ways.

Transitivity

A transitive trust extends beyond the two domains in the relationship; a nontransitive trust is bound to those two domains only. For example, with transitive trusts, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A also trusts Domain C. With nontransitive trusts, if Domain A trusts Domain B and Domain B trusts Domain C, there is no trust relationship between Domain A and Domain C.

Direction

Trusts can be one-way or two-way. A one-way trust is a single trust relationship, where Domain A trusts Domain B, as shown in Figure 1-13. One-way relationships can be nontransitive or transitive depending on the type of trust being created. In a two-way trust, Domain A trusts Domain B and Domain B trusts Domain A. This means that authentication requests can be passed between the two domains in both directions.

In the Windows Server 2003 family, Active Directory supports the following forms of trust relationships:

Tree-root trust

A tree-root trust is implicitly established when you add a new tree root domain to a forest. For example, in Figure 1-14, a tree-root trust is established between Domain A and Domain 1 when Domain 1, a new tree root domain, is added to the forest. The trust is created between the domain you are creating (the new tree root) and the existing forest root domain. A tree-root trust can be set up only between the roots of two trees in the same forest. The trust is transitive and two-way.

Parent-child trust

A parent-child trust relationship is implicitly established when you create a new child domain in a tree. For example, in Figure 1-14, a parent-child trust is established between Domain 1 and Domain 2 when Domain 2, a new child domain, is added to the tree. The Active Directory installation process automatically creates a trust relationship between the new domain and the domain that immediately precedes it in the namespace hierarchy (for example, uk.microsoft.com is created as the child of microsoft.com). As a result, a domain joining a tree immediately has trust relationships established with every domain in the tree. These trust relationships make all objects in the domains of the tree available to all other domains in the tree. The trust is transitive and two-way.


Figure 1-14 Domain structure showing tree-root and parent-child trusts (diagram not reproduced: a forest with two trees; Domain A is the forest root, with Domains B, C, D, and E below it, and Domain 1 is the root of the second tree, with Domain 2 as its child; a tree-root trust joins Domain A and Domain 1, and parent-child trusts join each child to its parent)

Shortcut trust

A shortcut trust must be explicitly created by a systems administrator between two domains in a forest. This trust is used to improve user logon times, which can be slow when two domains are logically distant from each other in a forest or tree hierarchy. The trust is transitive and can be one-way or two-way.

External trust

An external trust must be explicitly created by a systems administrator between Windows Server 2003 domains that are in different forests, or between a Windows Server 2003 domain and a domain whose domain controller is running Windows NT 4 or earlier. This trust is used when users need access to resources located in a Windows NT 4 domain or in a domain located within a separate forest, which cannot be joined by a forest trust. The trust is nontransitive and can be one-way or two-way.

Forest trust

A forest trust must be explicitly created by a systems administrator between two forest root domains. This trust allows all domains in one forest to transitively trust all domains in another forest. A forest trust is not transitive across three or more forests. For example, if forest A trusts forest B and forest B trusts forest C, there is no trust relationship between forest A and forest C. The trust is transitive between two forests only and can be one-way or two-way. Forest trusts are only available when the forest is at the Windows Server 2003 forest functional level.

Realm trust

A realm trust must be explicitly created by a systems administrator between a non–Windows Kerberos realm and a Windows Server 2003 domain. This trust provides interoperability between the Windows Server 2003 domain and any realm used in Kerberos version 5 implementations. The trust can be transitive or nontransitive and one-way or two-way.

As an administrator, you must plan trust relationships to provide users with the access to resources they require. See Chapter 4, “Installing and Managing Domains, Trees, and Forests,” for details about planning trust relationships.
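The following script is an added example, not part of the training kit. It lists the trusts of the current domain and labels each with one of the six trust types defined above, deriving the label from the flags Active Directory stores on the trust object: the trust type (Windows or MIT Kerberos), whether both domains are in the same forest, forest transitivity, direction, and whether transitivity is disallowed. It requires the ActiveDirectory module (RSAT); on Windows Server 2003, netdom query trust and nltest /domain_trusts expose the same flags. Nothing about the forest is assumed; the tree-root test works from the domain list that Get-ADForest returns. The last two columns report the SID filtering and selective authentication state of each trust, which this lesson does not cover but which anyone reviewing external or forest trusts will want to see.

```powershell
# Added example (not from the training kit). Requires the ActiveDirectory module; run in the
# domain whose trusts you want to classify. No forest or domain names are assumed.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$domains = @((Get-ADForest).Domains)

function Get-ParentDnsName([string]$dns) {
    $i = $dns.IndexOf('.')
    if ($i -lt 0) { return $null }
    $dns.Substring($i + 1)
}

# A tree root is a domain of the forest whose DNS parent is not also a domain of the forest.
$treeRoots = @($domains | Where-Object { $domains -notcontains (Get-ParentDnsName $_) })

function Get-TrustKind {
    param($Trust, [string]$Source)
    $target = $Trust.Target
    if ($Trust.TrustType -eq 'MIT') { return 'Realm' }          # non-Windows Kerberos realm
    if (-not $Trust.IntraForest) {
        if ($Trust.ForestTransitive) { return 'Forest' }        # forest root to forest root
        return 'External'                                       # another forest or an NT 4 domain; nontransitive
    }
    # Inside the forest: the implicit parent-child and tree-root trusts, otherwise an explicit shortcut.
    if ((Get-ParentDnsName $target) -eq $Source -or (Get-ParentDnsName $Source) -eq $target) { return 'Parent-child' }
    if ($treeRoots -contains $target -and $treeRoots -contains $Source) { return 'Tree-root' }
    'Shortcut'
}

Get-ADTrust -Filter * -Properties * | ForEach-Object {
    [pscustomobject]@{
        Source        = $domain.DNSRoot
        Target        = $_.Target
        Kind          = Get-TrustKind -Trust $_ -Source $domain.DNSRoot
        Direction     = $_.Direction                 # Inbound, Outbound or BiDirectional, seen from this domain
        Transitive    = -not $_.DisallowTransivity   # the module spells the property this way
        SidFiltering  = $_.SIDFilteringQuarantined   # not covered in this lesson; relevant to external trusts
        SelectiveAuth = $_.SelectiveAuthentication   # not covered in this lesson; relevant to forest trusts
    }
} | Sort-Object Kind, Target | Format-Table -AutoSize
```

Because Get-ADTrust reads the trust objects of one domain, the table shows each relationship from that domain's point of view; the same trust seen from the other domain reports the opposite Direction. To inventory every trust in a forest, run the script once per domain or pass -Server with each domain name to Get-ADDomain and Get-ADTrust.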


Change and Configuration Management

Change and configuration management is a set of Windows Server 2003 features that simplify computer management tasks such as

Managing the configuration of each user’s desktop

Managing how software is deployed and installed on personal computers to ensure that users have the software that they require to perform their jobs

Installing an initial operating system on a new computer

Replacing computers

Change and configuration management includes the User Data Management, Software Installation and Maintenance, User Settings Management, and Computer Settings Management features, which are collectively known as the IntelliMirror management technologies. Change and configuration management also includes the Remote Operating System (OS) Installation technologies.

Change and Configuration Management Features

The IntelliMirror Management Technologies can be described as follows:

User Data Management

Data and documents follow the users so they can access the data they need to do their jobs. Technologies used include Active Directory, Group Policy, Offline Files, Synchronization Manager, Disk Quotas, and Roaming user profiles.

Software Installation and Maintenance

Software follows the users so they have the software they need to do their jobs. Technologies used include Active Directory, Group Policy, Windows Installer, and Add/Remove Programs in Control Panel.

User Settings Management

User settings follow users and the users can see their preferred desktop arrangements. Technologies used include Active Directory and Roaming user profiles.

Computer Settings Management

Administrators can define how computers are customized and restricted on the network. Technologies used include Active Directory user and computer accounts and Group Policy.

Remote Installation Services

Administrators can enable remote installation of Microsoft Windows XP; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Microsoft Windows 2000 Professional; Microsoft Windows 2000 Server; and Windows 2000 Advanced Server on new or replacement computers without pre-installation or on-site technical support. Technologies used include Active Directory, Group Policy, and Remote Installation Services.

IntelliMirror is a set of Windows 2000 features that assist with managing user and computer information, settings, and applications. When IntelliMirror is used in both server and client, the users’ data, applications, and settings follow them when they move to another computer. IntelliMirror uses Active Directory and Group Policy to manage users’ desktops based on users’ business roles, group memberships, and locations. You can configure desktops to meet a new user’s requirements each time that user logs on to the network.

Group Policies

Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users’ desktops. For example, using group policies, you can set the programs that are available to users, the programs that appear on the user’s desktop, and Start menu options.

To create a specific desktop configuration for a particular group of users, you create Group Policy Objects (GPOs). GPOs are collections of Group Policy settings. Each computer running Windows Server 2003 has one local GPO and might, in addition, be subject to any number of nonlocal (Active Directory–based) GPOs. Nonlocal GPOs are linked to Active Directory objects (sites, domains, or OUs) and can be applied to either users (regardless of which computer they log on to) or computers (regardless of who logs on to them). Following the inheritance properties of Active Directory, nonlocal GPOs are applied hierarchically, from the site down through the domain to the OU that contains the user or computer, and their settings are cumulative. Where settings conflict, the GPO applied later wins: a nonlocal GPO overrides the local GPO, and an OU-linked GPO overrides a domain-linked one, unless the default order is changed by the exceptions described later in this section.

How GPOs Are Applied

Because nonlocal GPOs are applied hierarchically, the user or computer’s configuration is a result of the GPOs linked to its site, domain, and OU. GPOs are applied in the following order:

1. Local GPO

Each computer running Windows Server 2003 has exactly one GPO stored locally; it is applied first.

2. GPOs linked to sites

Any GPOs that have been linked to the site of the computer or user are applied next. When several GPOs are linked to one site, they are applied in sequence, in the link order the administrator specifies for that site.

3. GPOs linked to domains

When several GPOs are linked to the domain, they are applied in sequence, in the link order the administrator specifies for the domain.

4. GPOs linked to OUs

GPOs linked to the OU highest in the Active Directory hierarchy are applied first, followed by GPOs linked to its child OU, and so on. Finally, the GPOs linked to the OU that contains the user or computer are applied.

At the level of each OU in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to one OU, they are applied in sequence, in the link order the administrator specifies for that OU.


Figure 1-15 shows how Group Policy is applied for the example Marketing and Servers OUs.

Figure 1-15 How Group Policy is applied (diagram not reproduced: GPO A3 is linked to the site, A1 and A2 to the domain microsoft.com, A4 to the Resources OU, A5 to the Marketing OU, and A6 to the Servers OU, a child of Resources; the domain also contains the Accounts, Headquarters, and Desktops OUs, with no GPOs linked)

Servers OU GPOs applied = A3, A1, A2, A4, A6

Marketing OU GPOs applied = A3, A1, A2, A5

The default order of processing Group Policy settings is subject to exceptions if the computer is a member of a workgroup (only the local GPO applies) or if the No Override (called Enforced in the Group Policy Management Console), Block Policy Inheritance, or Loopback settings are in effect for a GPO or container.

The Resultant Set of Policy (RSoP) Wizard is provided to make policy implementation and troubleshooting easier. The RSoP Wizard is a query engine that works in two modes: logging mode and planning mode. In logging mode, the wizard polls existing policies and any applications associated with a particular user or computer, and then reports the results of the query. In planning mode, the wizard asks questions about a planned policy implementation, and then reports the results of the query.

As an administrator, you must be able to administer Group Policy to provide users with the access to resources they require. See Chapter 10, “Implementing Group Policy,” Chapter 11, “Administering Group Policy,” and Chapter 12, “Deploying Software with Group Policy,” for details about Group Policy administration.
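The following script is an added example and is not part of the training kit. For one computer object it prints the GPOs that apply to it in the order given above: the local GPO, then GPOs linked to the site, then the domain, then each OU from the top of the tree down to the OU that contains the computer, with the No Override (Enforced) flag of each link. It requires the GroupPolicy and ActiveDirectory modules (RSAT, Windows Server 2008 R2 or later); on Windows Server 2003 the Group Policy Management Console and gpresult show the equivalent information. The computer name SRV01 and the site name Headquarters are assumptions; Active Directory does not record a computer's site on the computer object, so the site is an input (on the computer itself, nltest /dsgetsite prints it).

```powershell
# Added example (not from the training kit). Requires the ActiveDirectory and GroupPolicy
# modules. Assumed inputs: a computer named SRV01 in the current domain, in site Headquarters.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$computer = Get-ADComputer -Identity 'SRV01'     # assumed computer name
$siteName = 'Headquarters'                         # assumed; 'nltest /dsgetsite' on SRV01 prints the real one
$configNc = (Get-ADRootDSE).configurationNamingContext

function Get-GpLinks([string]$gpLink) {
    # Parses a gPLink attribute: [LDAP://cn={GUID},cn=policies,cn=system,DC=...;FLAGS][...]
    # FLAGS bit 0 = link disabled (skipped here), bit 1 = No Override/Enforced.
    if ([string]::IsNullOrEmpty($gpLink)) { return }
    foreach ($m in [regex]::Matches($gpLink, '\[LDAP://[^;\]]*\{([0-9a-fA-F-]+)\}[^;\]]*;(\d+)\]')) {
        $flags = [int]$m.Groups[2].Value
        if ($flags -band 1) { continue }
        $gpo = Get-GPO -Guid $m.Groups[1].Value -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Gpo      = if ($gpo) { $gpo.DisplayName } else { "{$($m.Groups[1].Value)} (not resolved)" }
            Enforced = [bool]($flags -band 2)
        }
    }
}

function Get-ContainerChain([string]$dn) {
    # Ancestor DNs from the domain root down to the object's parent, restricted to the domain
    # (DC=) and OUs, the only containers GPOs can be linked to. Assumes no escaped commas.
    $comps = $dn -split ',(?=(?:CN|OU|DC)=)'
    $chain = @()
    for ($i = 1; $i -lt $comps.Count; $i++) {
        $chain += ($comps[$i..($comps.Count - 1)] -join ',')
        if ($comps[$i] -like 'DC=*') { break }        # the domain root is the last ancestor
    }
    [array]::Reverse($chain)
    @($chain | Where-Object { $_ -match '^(OU|DC)=' })
}

# 1. Local GPO is always first.
$applied = @([pscustomobject]@{ Step = 1; Scope = 'Local'; Gpo = 'Local GPO'; Enforced = $false })

# 2. Site. Get-GPInheritance does not accept a site, so read gPLink on the site object.
#    Where several GPOs are linked to the site, their order is shown as stored in gPLink
#    and is not resolved here.
$site = Get-ADObject -Identity "CN=$siteName,CN=Sites,$configNc" -Properties gPLink
foreach ($l in @(Get-GpLinks $site.gPLink)) {
    $applied += [pscustomobject]@{ Step = $applied.Count + 1; Scope = "Site $siteName"; Gpo = $l.Gpo; Enforced = $l.Enforced }
}

# 3 and 4. Domain, then each OU from the top of the tree down. Within one container GPMC
#    link order 1 has the highest precedence and is therefore applied last.
$chain = @(Get-ContainerChain $computer.DistinguishedName)
foreach ($containerDn in $chain) {
    $inh   = Get-GPInheritance -Target $containerDn
    $scope = if ($containerDn -like 'DC=*') { 'Domain' } else { ($containerDn -split ',')[0] }
    $links = @($inh.GpoLinks | Where-Object { $_.Enabled } | Sort-Object Order -Descending)
    foreach ($l in $links) {
        $applied += [pscustomobject]@{ Step = $applied.Count + 1; Scope = $scope; Gpo = $l.DisplayName; Enforced = $l.Enforced }
    }
}
$applied | Format-Table -AutoSize

# Cross-check: the resolved precedence list (Order 1 wins) for the computer's own OU, after
# Block Policy Inheritance and No Override/Enforced have been taken into account.
(Get-GPInheritance -Target $chain[-1]).InheritedGpoLinks | Select-Object Order, DisplayName, Enforced, Target
```

The first table is the processing order of the text; the last GPO listed is the one whose settings win a plain conflict. The cross-check at the end is the same information as seen by the Group Policy Management Console, and it differs from the first table exactly where Block Policy Inheritance or an enforced link changes the default order.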


DNS

DNS is a service used in Transmission Control Protocol/Internet Protocol (TCP/IP) networks, such as the Internet, to locate computers and services through user-friendly names. DNS provides a method of naming computers and network services using a hierarchy of domains. When a user enters a user-friendly DNS name in an application, DNS services can resolve the name to other information associated with the name, such as an IP address. For example, it’s easy for most users who want to locate a computer on a network to remember and learn a friendly name such as example.microsoft.com. However, computers communicate over a network by using numeric addresses. DNS provides a way to map the user-friendly name for a computer or service to its numeric address. If you have used a Web browser, you have used DNS.

Active Directory uses DNS as its domain naming and location service. DNS provides the following benefits:

DNS names are user-friendly, which means they are easier to remember than IP addresses.

DNS names remain more constant than IP addresses. An IP address for a server can change, but the server name remains the same.

DNS allows users to connect to local servers using the same naming convention as the Internet.

See Also

To read more about DNS, launch an Internet search engine and run a search for RFC 1034 and RFC 1035. Requests For Comments (RFCs) are the official documents of the Internet Engineering Task Force (IETF) that specify the details for new Internet specifications or protocols. RFC 1034 is entitled “Domain Names—Concepts and Facilities,” and RFC 1035 is entitled “Domain Names—Implementation and Specification.”

Object Naming

Because Active Directory is an LDAP-compliant directory service, network clients use LDAP to query the Active Directory database. Every object in Active Directory is identified by a name, and LDAP standards determine how the objects are named. Active Directory uses a variety of object naming conventions: distinguished names, relative distinguished names, globally unique identifiers, and user principal names.

See Also

To read more about LDAP, launch an Internet search engine and run a search for RFC 1779, RFC 2247, and RFC 2251. RFC 1779 is entitled “A String Representation of Distinguished Names,” RFC 2247 is entitled “Using Domains in LDAP/X.500 Distinguished Names,” and RFC 2251 is entitled “Lightweight Directory Access Protocol (v3).”


Distinguished Name

Every object in Active Directory has a distinguished name (DN) that uniquely identifies the object and contains sufficient information for a client to retrieve the object from the directory. The DN includes the name of the domain that holds the object, as well as the complete path through the container hierarchy to the object. For example, the following DN identifies the user object Scott Cooper in the microsoft.com domain:

CN=Scott Cooper,OU=Promotions,OU=Marketing,DC=Microsoft,DC=Com

In the DN, three LDAP abbreviations, CN, OU, and DC, are used for the naming attribute. CN indicates the object’s common name, OU indicates the organizational unit name, and DC indicates the domain component name. DNs must be unique, because Active Directory does not allow duplicate DNs.

Relative Distinguished Name

Active Directory supports querying by attributes, so you can locate an object even if the exact DN is unknown or has changed. The relative distinguished name (RDN) of an object is the part of the name that is an attribute of the object itself. In the preceding example, the RDN of the Scott Cooper user object is Scott Cooper. The RDN of the parent object is Promotions.

Note

Active Directory does not display the LDAP abbreviations for the naming attributes common name (CN), organizational unit (OU), and domain component (DC). These abbreviations are shown here only to illustrate how LDAP recognizes the portions of the distinguished name. Most Active Directory tools display object names in canonical form, which lists the RDNs from the root, or the DNS domain name, downwards.

Globally Unique Identifier

A globally unique identifier (GUID) is a 128-bit hexadecimal number that is guaranteed to be unique within the enterprise. GUIDs are assigned to objects when the objects are created. The GUID never changes, even if you move or rename the object. Applications can store the GUID of an object and use the GUID to retrieve that object regardless of its current DN.

In Windows NT, each domain resource was identified by a security identifier (SID) that was generated within the domain, so a SID was guaranteed to be unique only within that domain. Security principals in Active Directory still carry a SID, which is what access control uses, but every object also has a GUID that is unique across all domains. This means that you can move objects from domain to domain and they will still have a unique, unchanging identifier.


User Principal Name

Each user account has a “friendly” name, known as the user principal name (UPN). The UPN consists of a user account name (sometimes referred to as the user logon name) and a domain name identifying the domain in which the user account is located. For example, the user object Scott Cooper in the microsoft.com tree might have a UPN of scottc@microsoft.com (using the full first name and the first letter of the last name).
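The following script is an added example and is not part of the training kit. It works through the naming rules of this section on the lesson's own example DN: a splitter that honors the backslash escapes LDAP uses for characters such as commas (a naive split on “,” breaks a name like CN=Cooper\, Scott), the RDN of the object and of its parent, the canonical form that Active Directory tools display, and a lookup by GUID that keeps working after the object is moved or renamed. The string functions run anywhere; the Get-ADUser calls require the ActiveDirectory module and assume a user object actually named Scott Cooper exists in a domain you can reach.

```powershell
# Added example (not from the training kit). The string functions need nothing beyond
# PowerShell; the directory calls at the end require the ActiveDirectory module and assume a
# user named 'Scott Cooper' exists in the current domain.
function Split-DistinguishedName([string]$dn) {
    # Ordered list of RDN strings, splitting on unescaped commas only.
    $parts = New-Object System.Collections.Generic.List[string]
    $sb    = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $dn.Length; $i++) {
        $c = $dn[$i]
        if ($c -eq '\' -and $i + 1 -lt $dn.Length) {        # escape pair: keep both characters
            [void]$sb.Append($c).Append($dn[++$i]); continue
        }
        if ($c -eq ',') { $parts.Add($sb.ToString()); [void]$sb.Clear(); continue }
        [void]$sb.Append($c)
    }
    $parts.Add($sb.ToString())
    $parts
}

function Get-RdnValue([string]$rdn) {
    # 'CN=Cooper\, Scott' becomes 'Cooper, Scott': drop the attribute type and remove escapes.
    $rdn.Substring($rdn.IndexOf('=') + 1) -replace '\\(.)', '$1'
}

function ConvertTo-CanonicalName([string]$dn) {
    # DNS name of the domain, then the RDN values from the root downwards, separated by '/'.
    $rdns   = Split-DistinguishedName $dn
    $domain = (@($rdns | Where-Object { $_ -like 'DC=*' } | ForEach-Object { Get-RdnValue $_ })) -join '.'
    $path   = @($rdns | Where-Object { $_ -notlike 'DC=*' } | ForEach-Object { Get-RdnValue $_ })
    [array]::Reverse($path)
    (@($domain) + $path) -join '/'
}

$dn   = 'CN=Scott Cooper,OU=Promotions,OU=Marketing,DC=Microsoft,DC=Com'
$rdns = Split-DistinguishedName $dn
"RDN of the object : $(Get-RdnValue $rdns[0])"
"RDN of the parent : $(Get-RdnValue $rdns[1])"
"Canonical name    : $(ConvertTo-CanonicalName $dn)"
"With escaped comma: $(ConvertTo-CanonicalName 'CN=Cooper\, Scott,OU=Promotions,OU=Marketing,DC=Microsoft,DC=Com')"

# GUID and UPN, read from a live directory.
Import-Module ActiveDirectory
$user = Get-ADUser -Filter "Name -eq 'Scott Cooper'" -Properties ObjectGUID, UserPrincipalName
"GUID: $($user.ObjectGUID)   UPN: $($user.UserPrincipalName)"
# The GUID is a valid identity on its own. After Move-ADObject or Rename-ADObject the DN
# changes, but this lookup still returns the same object.
(Get-ADUser -Identity $user.ObjectGUID).DistinguishedName
```

For the lesson's DN the canonical name comes out as Microsoft.Com/Marketing/Promotions/Scott Cooper, the form the Note above describes: the DNS domain name first, then the RDNs from the root downwards. The escaped-comma case shows why code that handles DNs must not split on every comma; the comma inside the common name is part of the value, not a separator.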

Active Directory Administration Tasks

Administering Windows Server 2003 Active Directory involves both configuration and day-to-day maintenance tasks. Administrative tasks can be grouped into the categories described in Table 1-1. These administrative categories roughly correspond to chapters in this training kit.

Table 1-1 Active Directory Administration Tasks

Administrative Category: Specific Tasks

Planning the Active Directory infrastructure design: Assemble a design team. Analyze the business and technical environment. Create a forest plan. Create a domain plan. Create an OU plan. Create a site topology plan.

Installing and configuring Active Directory: Gather pre-installation information. Install Active Directory. Verify the Active Directory installation. Remove Active Directory. Use tools to troubleshoot the Active Directory installation.

Administering Active Directory: Use Active Directory administration tools. Use and customize Microsoft Management Consoles (MMCs). Back up and restore Active Directory.

Installing and managing domains, trees, and forests: Plan and create additional domains, trees, and forests. Transfer operations master roles. Seize operations master roles. Plan and implement trust relationships.

Configuring sites and managing replication: Plan, create, and configure sites. Configure intersite replication. Configure global catalog servers. Use tools to manage, monitor, and troubleshoot replication.

Implementing an OU structure: Plan, create, and manage an OU structure.

Administering user accounts: Create user accounts, user profiles, and home directories. Maintain user accounts.

Administering group accounts: Plan, create, and manage group accounts.

Administering Active Directory objects: Locate Active Directory objects. Publish resources in Active Directory. Control access to Active Directory objects. Delegate administrative control of Active Directory objects. Move Active Directory objects. Use scripting to manage Active Directory objects.

Implementing Group Policy: Plan and create GPOs. Link GPOs to sites, domains, and OUs.

Administering Group Policy: Use the RSoP Wizard to check the results of GPOs. Redirect special folders with Group Policy. Use tools to manage and troubleshoot Group Policy.

Deploying software with Group Policy: Deploy software using Group Policy. Deploy a software upgrade or security patch using Group Policy. Use tools to manage and troubleshoot the software deployment.

Administering Active Directory security: Implement software restriction policies. Implement an audit policy to log security events. Administer the security log and view security events. Manage security templates. Use the Security Configuration and Analysis tool to analyze system security.

Managing Active Directory performance: Use Active Directory performance monitoring tools to monitor Active Directory performance. Optimize and troubleshoot Active Directory performance.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1.

List the four directory partitions of the Active Directory database.

2.

What is the function of the KCC?


4.

What is change and configuration management? What is IntelliMirror?

5.

Explain the function of group policies.

6.

Define each of the following names: DN, RDN, GUID, UPN.

Lesson Summary

The information stored in the directory is logically partitioned into four units of replication in the following partitions: schema partition, configuration partition, domain partition, and application directory partition.

Active Directory replicates information in two ways: intrasite (within a site), and intersite (between sites).

A trust relationship is a link between two domains in which the trusting domain honors the logon authentication of the trusted domain. Windows Server 2003 supports the following trust relationships: tree-root trust, parent-child trust, shortcut trust, external trust, forest trust, and realm trust.

Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users’ desktops. GPOs are collections of Group Policy settings.

DNS is a service used in TCP/IP networks, such as the Internet, to locate computers and services through user-friendly names. Active Directory uses DNS as its domain naming and location service.


Chapter 1 Introduction to Active Directory

Lesson 3: Planning the Active Directory Infrastructure Design

This lesson introduces you to the Active Directory infrastructure design. It also explains the tools you need to create an infrastructure design and provides an overview of the design process. In each stage of the design process, the basic reasons for defining each component of Active Directory in the design are discussed. It is important that you understand the value of planning your Active Directory infrastructure before you attempt implementation. You should also have basic knowledge of the reasons for defining Active Directory components in a design.

After this lesson, you will be able to

State the function of an Active Directory infrastructure design

Name the resources necessary to create an Active Directory infrastructure design

Name the steps in the Active Directory infrastructure design process

Discuss the reasons for using multiple forests

Discuss the reasons for using multiple domains

Discuss the reasons for defining OUs

Discuss the reasons for defining sites

Discuss the reasons for placing domain controllers in sites

Estimated lesson time: 30 minutes

What Is an Active Directory Infrastructure Design?

Before you implement Active Directory in your organization, you need to devise some type of plan. An Active Directory infrastructure design is a plan you create that represents your organization’s network infrastructure. You use this plan to determine how you will configure Active Directory to store information about objects on your network and make the information available to users and network administrators.

Because your Active Directory infrastructure design is key to the success of your Windows Server 2003 deployment, you must thoroughly gather information for, develop, and test your design before deployment. A significant amount of rethinking, redevelopment, and retesting might also be necessary at various points during the design process to ensure that your design meets the needs of your organization. An effective infrastructure design helps you provide a cost-effective deployment, eliminating the need to spend time and money reworking your infrastructure.


Design Tools

To develop an effective Active Directory infrastructure design, you must assemble the following tools:

■ Design team

■ Business and technical analyses

■ Test environment

Assembling a Design Team

Before you begin designing your Active Directory infrastructure, you must identify the people in your organization who should be involved in the design process and assemble them into a design team. To ensure that all aspects of your organization are addressed in your Active Directory implementation, you might want to employ a multilevel team design consisting of the following three panels:

■ Infrastructure designers: The key personnel involved in designing your Active Directory infrastructure

■ Staff representatives: The personnel throughout the organization who are responsible for carrying out daily operations

■ Management representatives: The management-level personnel who are responsible for approving business decisions within the organization

The design team members selected for each panel must be willing and be permitted to commit their time and talents throughout the design process to ensure that the infrastructure design effectively meets the requirements of their organization.

Analyzing Business and Technical Environments

After you’ve assembled a design team, the next design tools you need to assemble are analyses of your organization’s business and technical environments. An analysis of an organization’s business environment defines how it organizes and manages its nontechnical resources, such as its products and customers, business structure, business processes, company strategies, and the information technology (IT) management organization. An analysis of an organization’s technical environment defines how it organizes and manages its technical resources, such as its network architecture, hardware, software, technical standards, DNS environment (if applicable), and Windows NT environment (if applicable). Most often, your organization will have a business infrastructure or network already in place; it’s up to you as an infrastructure designer to call on members of the design team to help you assemble documentation about these environments.


Testing Environment

After you complete your infrastructure design, you should be prepared to test it in a test environment. A test environment is a simulation of your production environment that allows you to test parts of your Windows Server 2003 deployment, such as your Active Directory infrastructure design, without risk to your organization’s network. To ensure the success of your organization’s Windows Server 2003 deployment, your organization should establish a test environment.

By setting up your infrastructure design in a test environment, you can see how the design actually works and determine whether any changes are necessary for improvement. Setting up your design in a test environment is an invaluable tool in the development of an effective design.

The Design Process

After you’ve assembled your design team, gathered business and network analyses, and established a test environment, you’re ready to begin planning your infrastructure design. The Active Directory infrastructure design process consists of the following four stages:

1. Creating a forest plan

2. Creating a domain plan

3. Creating an OU plan

4. Creating a site topology plan

During each stage, you consult your business and technical analysis documents and assess your organization’s requirements. You also assess any changes planned to address growth and scalability issues.

Stage One—Creating a Forest Plan

After analyzing your organization’s requirements, the first step in creating a forest plan is to determine the number of Active Directory forests required. Because using more than one forest requires administrators to maintain multiple schemas, configuration containers, global catalogs, and trusts, and requires users to take complex steps to use the directory, you should strive to create only one forest for your organization. However, you might need to consider using multiple forests in the following situations:

■ Network administration is separated into autonomous groups that do not trust each other.

■ Business units are politically separated into autonomous groups.

■ Business units must be maintained separately.

■ There is a need to isolate the schema, configuration container, or global catalog.

■ There is a need to limit the scope of the trust relationship between domains or domain trees.

In this stage you also create a schema modification policy, a plan that outlines who has control of the schema and how modifications that affect the entire forest are administered. Adhering to the schema modification policy, you assess an organization’s schema needs and determine whether to modify the schema. If it is necessary to modify the schema, you design a schema modification plan.

Stage Two—Creating a Domain Plan

After analyzing your organization’s requirements, the first step in creating a domain plan is to determine the number of domains required. Because adding domains to the forest increases management and hardware costs, you should minimize the number of domains. Once you’ve created a domain, the domain cannot be easily moved or renamed. However, you might need to consider using multiple domains in the following situations:

■ To meet required security policy settings, which are linked to domains

■ To meet special administrative requirements, such as legal or privacy concerns

■ To optimize replication traffic

■ To retain Windows NT domains

■ To establish a distinct namespace

The second step in creating a domain plan is to define the forest root domain. You can choose an existing domain for the forest root or designate a new domain to serve as a dedicated forest root domain. Using a dedicated forest root domain provides advantages in security administration, replication traffic, and scalability. Define your forest root domain with caution, because once you’ve named the forest root domain you cannot change it without renaming and reworking the entire Active Directory tree.

The third step in creating a domain plan is to define a domain hierarchy and name domains. To define the domain hierarchy, you must perform the following actions:

■ Determine the number of domain trees

■ Designate tree root domains for each of the trees

■ Arrange the remaining subdomains in a hierarchy under the root domains


To name domains, you must perform the following actions:

■ Assign a DNS name to the forest root domain for each forest in the organization

■ Assign a DNS name to each tree root domain

■ Assign DNS names to each remaining subdomain, according to its position in the hierarchy

Finally, you determine the placement of DNS servers. You also plan additional zones, determine the existing DNS services employed on DNS servers, and determine the zone replication method to use. The end result of a domain plan is a domain hierarchy diagram that includes domain names and planned zones.

Stage Three—Creating an OU Plan

After analyzing your organization’s requirements, to create an OU plan you must define an OU structure. There are three reasons for defining an OU:

■ To delegate administration

■ To hide objects

■ To administer Group Policy

The primary reason for defining an OU is to delegate administration. Delegating administration is the assignment of IT management responsibility for a portion of the namespace, such as an OU, to an administrator, a user, or a group of administrators or users.

After you’ve determined the OU structure, you must place user accounts in the appropriate OUs. The end result of an OU plan is a diagram of OU structures for each domain and a list of users in each OU.

Stage Four—Creating a Site Topology Plan

After analyzing your organization’s requirements, the first step in creating a site topology plan is to define sites. The main purpose of a site is to physically group computers to optimize network traffic. In Active Directory, site structure mirrors the location of user communities. You must define a site for each of the following:

■ Each LAN or set of LANs that are connected by a high-speed backbone

■ Each location that does not have direct connectivity to the rest of the network and is reachable only by using SMTP mail

The second step in creating a site topology plan is to place domain controllers. Because the availability of Active Directory depends on the availability of domain controllers, a domain controller must always be available so users can be authenticated. For optimum network response time and application availability, you must place at least

■ One domain controller in each site

■ Two domain controllers in each domain

In addition, you might need to place additional domain controllers in a site if

■ There are a large number of users in a site and the link to the site is slow or near capacity

■ The link to a site is historically unreliable or only intermittently available

The third step in creating a site topology plan is to define a replication strategy. An effective replication strategy ensures efficient replication and fault tolerance. In this step you configure site links, which includes designating the method of replication transport, site link cost, replication frequency, and replication availability. You also have the option to specify preferred bridgehead servers.

The final step in creating a site topology plan is to place global catalog servers and operations masters within a forest. The end result of a site topology plan is a site diagram that includes site links and a site link table that provides details about site link configurations, as well as locations of domain controllers and operations master roles.

Depending on the needs of the organization, a site topology plan might also include a table that provides details about site link bridges and preferred bridgehead servers.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. What three tools are necessary to develop an effective Active Directory infrastructure design?

2. List the four stages in the Active Directory design process.


3. Why should you strive to create only one forest for your organization?

4. Why should you try to minimize the number of domains in your organization?

5. Why should you define the forest root domain with caution?

6. What is the primary reason for defining an OU?

Lesson Summary

■ The Active Directory infrastructure design process consists of four stages: (1) creating a forest plan, (2) creating a domain plan, (3) creating an OU plan, and (4) creating a site topology plan.

■ Strive to create only one forest for an organization to avoid administering multiple schemas, configuration containers, global catalogs, and trusts, and requiring users to take complex steps to use the directory.

■ Minimize the number of domains to avoid increased management and hardware costs. Once you’ve named the forest root domain you cannot change it without rebuilding the entire Active Directory tree.

■ There are three reasons for defining an OU: (1) to delegate administration, (2) to hide objects, and (3) to administer Group Policy. The primary reason for defining an OU is to delegate administration.

■ The main purpose of a site is to physically group computers to optimize network traffic. In Active Directory, site structure mirrors the location of user communities.


Chapter Summary

■ The logical structures in an organization are represented by the following Active Directory components: domains, OUs, trees, and forests.

■ The physical components of Active Directory are sites and domain controllers.

■ The global catalog is the central repository of information about objects in a tree or forest.

■ The information stored in the directory is logically partitioned into four units of replication in the following partitions: schema partition, configuration partition, domain partition, and application partition.

■ Active Directory replicates information in two ways: intrasite (within a site), and intersite (between sites).

■ Windows Server 2003 supports the following trust relationships: tree-root trust, parent-child trust, shortcut trust, external trust, forest trust, and realm trust.

■ Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users’ desktops.

■ The Active Directory infrastructure design process consists of four stages: (1) creating a forest plan, (2) creating a domain plan, (3) creating an OU plan, and (4) creating a site topology plan.

Exam Highlights

Before taking the exam, review the key points and terms that are presented in this chapter. You need to know this information.

Key Points

■ The logical structures in an organization are represented by the following Active Directory components: domains, OUs, trees, and forests.

■ The physical components of Active Directory are sites and domain controllers.

■ Active Directory replicates information in two ways: intrasite (within a site), and intersite (between sites).


■ Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users’ desktops.

■ The primary reason for defining an OU is to delegate administration.

■ The main purpose of a site is to physically group computers to optimize network traffic.

Key Terms

Active Directory

A Windows-based directory service. Active Directory stores information about objects on a network and makes this information usable to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive, hierarchical view of the network and a single point of administration for all network objects.

domain

A collection of computer, user, and group objects defined by the administrator. These objects share a common directory database, security policies, and security relationships with other domains.

forest

One or more Active Directory domains that share the same class and attribute definitions (schema), site, and replication information (configuration), and forestwide search capabilities (global catalog). Domains in the same forest are linked with two-way, transitive trust relationships.

organizational unit (OU)

An Active Directory container object used within domains. An OU is a logical container into which users, groups, computers, and other OUs are placed. It can contain objects only from its parent domain. An OU is the smallest scope to which a GPO can be linked, or over which administrative authority can be delegated.

site

One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.

Questions and Answers

Lesson 1 Review

1. How is a directory service different from a directory?

A directory service differs from a directory in that it is both the source of the information and the mechanism that makes the information available to the users.

2. How is Active Directory scalable?

Active Directory enables you to scale the directory to meet business and network requirements through the configuration of domains and trees, and the placement of domain controllers. Active Directory allows millions of objects per domain and uses indexing technology and advanced replication techniques to speed performance.

3. What is multimaster replication?

Multimaster replication is a replication model in which any domain controller accepts and replicates directory changes to any other domain controller. Because multiple domain controllers are employed, replication continues, even if any single domain controller stops working.

4. Name the Active Directory components used to represent an organization’s logical structure.

The Active Directory components used to represent an organization’s logical structure are domains, organizational units (OUs), trees, and forests.

5. Name the physical components of Active Directory.

The physical components of Active Directory are sites and domain controllers.

6. What is the function of the global catalog?

The global catalog has two main functions: (1) it enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated, and (2) it enables finding directory information regardless of which domain in the forest actually contains the data.

Lesson 2 Review

1. List the four directory partitions of the Active Directory database.

The four directory partitions of the Active Directory database are schema partition, configuration partition, domain partition, and application partition.

2. What is the function of the KCC?

The KCC is a built-in process that runs on all domain controllers. The KCC configures connection objects between domain controllers. Within a site, each KCC generates its own connections. For replication between sites, a single KCC per site generates all connections between sites.

3. List the six types of trusts used in Active Directory.

The six types of trusts used in Active Directory are tree-root trust, parent-child trust, shortcut trust, external trust, forest trust, and realm trust.


4. What is change and configuration management? What is IntelliMirror?

Change and configuration management is a set of Windows Server 2003 features that simplify computer management tasks. IntelliMirror is a set of Windows Server 2003 features that assist with managing user and computer information, settings, and applications. When IntelliMirror is used in both server and client, the users’ data, applications, and settings follow them when they move to another computer.

5. Explain the function of group policies.

Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to modify computer settings and specify the behavior of users’ desktops.

6. Define each of the following names: DN, RDN, GUID, UPN.

The distinguished name (DN) uniquely identifies the object and contains the name of the domain that holds the object, as well as the complete path through the container hierarchy to the object. The relative distinguished name (RDN) is the part of an object’s DN that is an attribute of the object itself. The globally unique identifier (GUID) is a 128-bit hexadecimal number that is guaranteed to be unique within the enterprise. The user principal name (UPN) consists of a user account name (sometimes referred to as the user logon name) and a domain name identifying the domain in which the user account is located.
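A worked example, added here and not part of the training kit, that takes an object's DN apart into the names the answer defines (the leading RDN, the holding domain from the DC components, the container path, and a UPN built from the logon name). It assumes the UPN suffix is the holding domain's DNS name; the DN, logon name and GUID values used are constructed.

```python
# Added example (not from the training kit): derive RDN, holding domain,
# container path and UPN from an Active Directory DN, and check a GUID.
import uuid
from dataclasses import dataclass, field
from typing import Optional


def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDN components, honouring backslash escapes so a
    name such as "CN=Smith\\, Jane" keeps its comma instead of being split."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair as-is
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return [p for p in parts if p]


@dataclass
class ObjectNames:
    dn: str
    rdn: str                 # the object's own attribute: the leading RDN
    domain: str              # DNS name of the domain that holds the object
    path: list[str] = field(default_factory=list)  # containers, nearest first
    upn: Optional[str] = None


def analyze_dn(dn: str, logon_name: Optional[str] = None) -> ObjectNames:
    """Derive the RDN, holding domain, container path and UPN from a DN.
    Assumption: the UPN suffix is the holding domain's DNS name."""
    rdns = split_dn(dn)
    if not rdns:
        raise ValueError("empty DN")
    dc_values = [r.split("=", 1)[1] for r in rdns if r.lower().startswith("dc=")]
    if not dc_values:
        raise ValueError("DN does not name a domain (no DC components)")
    domain = ".".join(dc_values)
    path = [r for r in rdns[1:] if not r.lower().startswith("dc=")]
    upn = f"{logon_name}@{domain}" if logon_name else None
    return ObjectNames(dn=dn, rdn=rdns[0], domain=domain, path=path, upn=upn)


def is_guid(value: str) -> bool:
    """True when value is a well-formed GUID: 32 hex digits, i.e. 128 bits."""
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample object in the ad.contoso.com domain.
    names = analyze_dn("CN=Jane Smith,OU=Sales,OU=Chicago,DC=ad,DC=contoso,DC=com", "jsmith")
    print(names)
```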

Lesson 3 Review

1. What three tools are necessary to develop an effective Active Directory infrastructure design?

The following tools are necessary to develop an effective Active Directory infrastructure design: design team, business and technical analyses, and test environment.

2. List the four stages in the Active Directory design process.

The stages in the design process are creating a forest plan, creating a domain plan, creating an OU plan, and creating a site topology plan.

3. Why should you strive to create only one forest for your organization?

Using more than one forest requires administrators to maintain multiple schemas, configuration containers, global catalogs, and trusts, and requires users to take complex steps to use the directory.

4. Why should you try to minimize the number of domains in your organization?

Adding domains to the forest increases management and hardware costs.

5. Why should you define the forest root domain with caution?

Define your forest root domain with caution, because once you’ve named the forest root domain you cannot change it without renaming and reworking the entire Active Directory tree.

6. What is the primary reason for defining an OU?

The primary reason for defining an OU is to delegate administration.

Chapter 2 Installing and Configuring Active Directory

Exam Objectives in this Chapter:

■ Implement an Active Directory directory service forest and domain structure

■ Create the forest root domain

■ Install and configure an Active Directory domain controller

Why This Chapter Matters

The information in this chapter shows you how to install, remove, and verify Active Directory, and troubleshoot an Active Directory installation. Determining whether to install a new forest, domain tree, or domain are some of the first decisions you’ll have to make when installing Active Directory. Understanding exactly what is involved when you make these choices is critical to the success of your installation. Planning the Active Directory structure and Domain Name System (DNS) structure is essential.

It’s important to be familiar with the various installation methods so you can choose the one that best meets your needs. Once you’ve installed Active Directory, you should expect that some changes might still be necessary. This could involve the installation of additional domain controllers or the removal of others.

You must be able to remove Active Directory if you find that a particular server no longer needs to be a domain controller. Verifying proper Active Directory installation is important to ensure the installation turned out the way you intended before you continue with your Active Directory deployment. Finally, as an administrator, you must be able to use tools to troubleshoot problems you may encounter during the Active Directory installation and removal processes.

Lessons in this Chapter:

Lesson 1: Preparing for Active Directory Installation . . . . . . . . . . . . . . . . . . . 2-3

Lesson 2: Installing and Removing Active Directory . . . . . . . . . . . . . . . . . . 2-17

Lesson 3: Verifying Active Directory Installation . . . . . . . . . . . . . . . . . . . . . 2-37

Lesson 4: Troubleshooting Active Directory Installation and Removal . . . . . 2-43


Before You Begin

To complete the lessons in this chapter, you must:

■ Have a general understanding of Active Directory components and concepts as discussed in Chapter 1, “Introduction to Active Directory.”

■ Prepare your test environment according to the descriptions given in the “Getting Started” section of “About This Book.”


Lesson 1: Preparing for Active Directory Installation

There are a number of prerequisites you must consider before you begin installing Active Directory. These prerequisites include the design of your organization’s domain structure and domain name; the storage location of the database, log, and shared system volume files; and the method of DNS configuration. This lesson shows you how to prepare for Active Directory installation.

After this lesson, you will be able to

Describe the Active Directory installation prerequisites

Estimated lesson time: 15 minutes

Active Directory Installation Prerequisites

Before you can install Active Directory, you should take some time to be sure that you are prepared by determining in advance:

■ The domain structure

■ The domain name

■ The storage location of the database and log files

■ The location of the shared system volume folder

■ The DNS configuration method

■ The DNS configuration

You must determine all of these installation prerequisites because they are required to complete the Active Directory installation process.

Determining the Domain Structure

To determine the domain structure, you must assess your company’s physical environment, determine the forest root domain, determine the number of domains, and organize domains in a hierarchy.

Assessing the Physical Environment

The physical environment of your organization’s network includes

■ The current location of points on the network

■ The current number of users at each location

■ The current network type used at each location

■ The current location, link speed, and percentage of available bandwidth of remote network links


Note

Available bandwidth is the amount of bandwidth that remains when you take the total bandwidth available for a link and subtract the amount of network traffic that occurs on the link during peak traffic.

■ The current Transmission Control Protocol/Internet Protocol (TCP/IP) subnets at each location

■ The current speed of local network links

■ The current location of domain controllers

■ The current list of servers at each location and the services that run on them

■ The current location of firewalls in the network

For example, Figure 2-1 shows the physical environment for Contoso Pharmaceuticals.

Employees are distributed fairly evenly among the four locations. In the next five years, growth for all locations is estimated at 3 percent. The Chicago office is the hub of the Contoso Pharmaceuticals’ wide area network (WAN). Network connections are utilized moderately; however, the Kansas City–Chicago connection has a high degree of utilization.

Figure 2-1 data (locations and WAN links, in the order shown in the figure):

St. Paul: 8500 employees
Partial T1 connection, 512 Kbps, 60% utilized

Chicago: 9000 employees
Partial T1 connection, 512 Kbps, 40% utilized

Kansas City: 7500 employees
T1 connection, 1.544 Mbps, 90% utilized

Columbus: 7000 employees

Figure 2-1 Physical environment for Contoso Pharmaceuticals
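The following is an added example, not code from the training kit, that works the Figure 2-1 assessment through: it computes available bandwidth as the Note above defines it and applies the domain controller placement rules from Chapter 1, Lesson 3 (one domain controller per site, two per domain, an extra one where a site has many users and a slow or near-capacity link). Which remote office each link joins to the Chicago hub, the single-domain layout, and the numeric thresholds for "many users", "slow" and "near capacity" are assumptions, since the chapter gives no figures for them.

```python
# Added example (not from the training kit): assess the Figure 2-1 WAN links
# and apply the domain controller placement rules from Chapter 1, Lesson 3.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    """A WAN link joining a remote site to the hub site (Chicago in Figure 2-1)."""
    remote: str
    hub: str
    kbps: float              # total link bandwidth
    peak_utilization: float  # fraction of the bandwidth consumed at peak


def available_kbps(link: Link) -> float:
    """Available bandwidth as the chapter's note defines it:
    total link bandwidth minus the traffic on the link during peak traffic."""
    return link.kbps * (1.0 - link.peak_utilization)


def is_strained(link: Link, near_capacity: float = 0.80,
                slow_kbps: float = 256.0) -> bool:
    """True when the link to a site is 'slow or near capacity'.
    Both thresholds are assumptions; the chapter gives no numbers."""
    return link.peak_utilization >= near_capacity or link.kbps < slow_kbps


def plan_domain_controllers(site_users, site_domain, links, large_site=5000,
                            near_capacity=0.80, slow_kbps=256.0):
    """Return a mapping of site -> recommended number of domain controllers.

    Rules, as stated in Lesson 3 of Chapter 1:
      * at least one domain controller in each site;
      * one more in a site with many users whose link is slow or near capacity;
      * at least two domain controllers in each domain.
    'Many users' (large_site) is an assumed threshold.
    """
    plan = {site: 1 for site in site_users}            # one per site
    for link in links:                                 # extra for strained sites
        site = link.remote
        if (site in site_users and site_users[site] >= large_site
                and is_strained(link, near_capacity, slow_kbps)):
            plan[site] += 1
    per_domain = Counter()                             # two per domain
    for site, count in plan.items():
        per_domain[site_domain[site]] += count
    for domain, count in per_domain.items():
        if count < 2:
            # put the missing domain controller in the domain's largest site
            site = max((s for s in site_domain if site_domain[s] == domain),
                       key=lambda s: site_users[s])
            plan[site] += 2 - count
    return plan


# Constructed from Figure 2-1. Pairing each link with a remote office is an
# assumption (the figure lists the values in this order with Chicago as hub;
# the text names Kansas City-Chicago as the highly utilized link).
SITE_USERS = {"St. Paul": 8500, "Chicago": 9000, "Kansas City": 7500, "Columbus": 7000}
SITE_DOMAIN = {site: "ad.contoso.com" for site in SITE_USERS}  # single domain assumed
LINKS = [
    Link("St. Paul", "Chicago", 512.0, 0.60),
    Link("Columbus", "Chicago", 512.0, 0.40),
    Link("Kansas City", "Chicago", 1544.0, 0.90),
]

if __name__ == "__main__":
    for link in LINKS:
        flag = " (slow or near capacity)" if is_strained(link) else ""
        print(f"{link.remote}-{link.hub}: {available_kbps(link):.1f} Kbps available{flag}")
    print(plan_domain_controllers(SITE_USERS, SITE_DOMAIN, LINKS))
```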

In addition to your assessment of the organization’s physical environment, you should also consider other infrastructures currently employed in the organization. For example, if your organization has already invested in a DNS structure, you should probably retain this structure. Similarly, if your organization is using a large Microsoft Exchange operation, you might want to base your domain structure on the same model. Before you change existing infrastructures, you must weigh the cost of the change against the potential benefits.


Real World

Integrating DNS Structures

Most organizations have existing DNS structures they must maintain. This is especially true for any organization that already has a Windows 2000 Active Directory installation. Further, companies that manage medium to large TCP/IP networks usually have existing DNS servers. In these organizations, you’ll probably need to integrate the Windows 2003 Server Active Directory domain and any DNS configuration into the existing environment.

Organizations that already have Windows 2000 Active Directory implementations should be the easiest to integrate because the DNS structure will likely remain the same when the domain is upgraded to the Windows 2003 Server Active Directory domain. Organizations that do not have an existing Active Directory implementation are likely to have a lot more planning to do. For example, the most prevalent non-Windows DNS implementation is the Berkeley Internet Name Domain (BIND), which is maintained by the Internet Software Consortium (ISC). If an organization chooses to keep their BIND DNS servers, there are three main methods for integrating an existing BIND and Active Directory:

■ Configure BIND DNS to handle all DNS records for Active Directory. In this case, you’d ensure that the BIND DNS server version could support SRV records (BIND 4.9.7 and later versions work properly for this purpose). Also, it is highly desirable to use a BIND server that supports Dynamic DNS (BIND versions 8.2.2 and later will do so).

■ Configure BIND DNS to delegate an Active Directory specific subdomain. For example, if the company uses contoso.com, the Active Directory name space might be ad.contoso.com. This is a very popular choice for many companies.

■ Configure the BIND DNS server to delegate the _msdcs, _sites, _tcp, and _udp portions of the DNS namespace to your Windows 2003 Server configured as a DNS server.

For more information on this subject, search the Microsoft Web site for “DNS Server Top Support Articles” or “Integrating Active Directory with an Existing DNS Infrastructure.” Also, anyone using BIND DNS should visit http://www.isc.org to review the latest notes and updates for BIND.

Determining the Forest Root Domain

As you learned in Chapter 1, the forest root domain is the first domain you create in an Active Directory forest. The forest root domain must be centrally managed by an IT organization that is responsible for making domain hierarchy, naming, and policy decisions. When planning a domain structure, you should start with a dedicated forest root domain. A forest root domain is dedicated when it is set up exclusively to administer the forest infrastructure. A dedicated forest root domain is recommended for the following reasons:

You can control the number of administrators allowed to make forest-wide changes. By limiting the number of administrators in the forest root domain, you reduce the likelihood that an administrative error will impact the entire forest.

You can easily replicate the forest root across the enterprise. Because a dedicated root domain is small, it can be easily replicated anywhere on your network to provide protection against catastrophes.

The forest root never becomes obsolete. Because the only purpose of the forest root domain is to serve as the root, there is little chance of it becoming obsolete.

You can easily transfer ownership of the root. Transferring ownership of the root domain does not involve migrating production data or resources.

The role of a dedicated forest root domain is to define and manage the infrastructure. Therefore, when you plan domains, you should reserve the dedicated forest root domain for forest administration only. Avoid including users or resources not dedicated to forest administration in the forest root domain.

Determining the Number of Domains

After you’ve planned the dedicated forest root domain, you should begin planning your domain structure with a single child domain under the root, and add more domains only when the single child domain model no longer meets your needs. One domain can span multiple sites and contain millions of objects. Keep in mind that site and domain structures are separate and flexible. A single domain can span multiple geographical sites, and a single site can include users and computers belonging to multiple domains. Planning your site structure is covered in Chapter 5, “Configuring Sites and Managing Replication.”

You should not create separate domains to reflect your company’s organization of divisions and departments. Because functional structures such as divisions, departments, or project teams are always subject to change, defining domains based on these structures in the organization is strongly discouraged. Within each domain, you can model your organization’s management hierarchy for delegation or administration using organizational units (OUs). You can then assign Group Policy and place users, groups, and computers into the OUs. Planning OU structure is covered in Chapter 6, “Implementing an OU Structure.”

Lesson 1 Preparing for Active Directory Installation


If you are upgrading from Microsoft Windows NT, it is likely that you will need to consolidate domains. The principles for defining multiple domains in Windows NT no longer apply in Windows Server 2003. These principles are the following:

Security Accounts Manager (SAM) size limitations. In Windows NT, the SAM database had a limitation of about 40,000 objects per domain. In Windows Server 2003, each domain can contain more than one million objects, so it is no longer necessary to define a new domain just to handle more objects.

Primary domain controller (PDC) availability requirements. In Windows NT, only one computer in a domain, the PDC, could accept updates to the domain database. In Windows Server 2003, all domain controllers accept updates, eliminating the need to define new domains just to provide fault tolerance.

Limited delegation of administration within domains. In Windows NT, domains were the smallest units of administrative delegation. In Windows Server 2003, OUs allow you to partition domains to delegate administration, eliminating the need to define domains just for delegation.

Reasons to create more than one child domain under the forest root include the following:

To meet required security policy settings that are linked to domains

To meet special administrative requirements, such as legal or privacy concerns

To optimize replication traffic

To retain Windows NT domains

To establish a distinct namespace

Exam Tip

Make sure you know why using a dedicated root domain is important. Also, make sure you know the reasons for creating more than one child domain.

In the example, Contoso Pharmaceuticals requires stricter password requirements at the Chicago office, and there is a need to control replication traffic on the highly utilized Chicago–Kansas City network connection. In addition, the company plans to add a new office in Winnipeg, Canada within two years and anticipates having to address requirements of the government of Canada. Therefore, the Active Directory infrastructure designers have planned to implement a dedicated forest root domain and a domain for each of the company’s present locations; a total of five domains, as shown in Figure 2-2.


Chapter 2 Installing and Configuring Active Directory


Figure 2-2 The domains planned for Contoso Pharmaceuticals

Defining a Domain Hierarchy

If you’ve determined that your company requires more than one domain, you must organize the domains into a hierarchy that fits the needs of your organization. Recall that domains in a forest share the same configuration, schema, and global catalog. As domains are placed in a hierarchy, the two-way transitive trust relationship allows the domains to share resources.

The primary difference between domain trees and forests is in their DNS name structure. All domains in a domain tree have a contiguous DNS namespace. Unless your organization operates as a group of several entities, such as a partnership or conglomerate, your network probably lends itself to a contiguous DNS namespace and you should set up multiple domains in a single domain tree in a forest. If you need to combine organizations with unique domain names, create an additional domain tree in the forest; each tree in the forest has its own unique namespace. Create an additional forest only when the organizations cannot share a single schema, configuration, and global catalog.

In the example, the Contoso Pharmaceuticals physical structure maps to a group of domains in a domain tree. Contoso Pharmaceuticals is not a part of any other entity, nor are there any known plans for creating multiple entities in the future. There is one dedicated root domain. Therefore, Contoso Pharmaceuticals will set up its multiple domains in a single tree in a single forest, as shown in Figure 2-2.

See Also

The “Best Practices Design Guide” is an excellent guide for developing an Active Directory design to manage Windows networks, and is available on the Microsoft TechNet Web site at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/plan/bpaddsgn.asp. This guide provides a step-by-step methodology for Active Directory design based on practices learned from customers who have already deployed Active Directory in their organizations.


Determining the Domain Name

In Windows Server 2003 and Active Directory, a domain name is a name given to a collection of networked computers that share a common directory. Because Active Directory uses DNS as its domain naming and location service, Windows Server 2003 domain names are also DNS names. When logging on to the network, Active Directory clients query their DNS servers to locate domain controllers.

In DNS, names are arranged in a hierarchy and can be partitioned according to the hierarchy. The hierarchy allows parent-child relationships where the name of the child domain is designated by the name of the parent domain, preceded by a label for the child domain. For example, uk.microsoft.com is a child domain of the microsoft.com domain; for the child name the “uk” label is placed before the name of the parent domain, microsoft.com. Thus, a domain’s name identifies its position in the hierarchy.

In the example shown in Figure 2-3, the root domain is named contoso.com, while each of the child domains has been named for the physical location that the domain represents.

Figure 2-3 Domain naming for Contoso Pharmaceuticals

Because domain names designated in Active Directory are employed by users as they navigate the forest, the names you select are very important. Select an easily identifiable name for the forest root domain, which is the basis for its child and grandchild domains. If you adhere to some basic guidelines, you should be able to determine domain names that meet the needs of your organization. The following are guidelines for naming domains:

Use only the Internet standard characters. Internet standard characters are defined as: A–Z, a–z, 0–9, and the hyphen (-). Although Windows Server 2003 DNS supports the use of almost any Unicode character in a name, by using only Internet standard characters you ensure that your Active Directory domain names will be compatible with other versions of DNS.

Differentiate between internal and external namespaces. Because most organizations have an Internet presence, you should use different names for the internal and external root domains to clearly delineate public resources from private resources and to avoid publishing internal names through public DNS, which makes it harder for unauthorized users to locate resources on the internal network. For example, Microsoft is represented on the Internet by the DNS name microsoft.com. However, the organization might use corp.microsoft.com to represent its Active Directory forest root domain name.

Base the internal DNS name on the Internet DNS name. If you use an internal DNS name that is related to the Internet DNS name, it will be easier for users to understand the navigational structure. Consider using the Internet DNS name as a suffix for Active Directory domain names. For example, corp.microsoft.com is easily understandable as an extension to microsoft.com.

Never use the same domain name twice. For example, Microsoft should not use the name microsoft.com for both its Internet and intranet root domains. If a microsoft.com client attempts to connect to either the Internet or the intranet microsoft.com site, the domain that answers first is the one to which the client is connected.

Use only registered domain names. Register all second-level domain names, whether they are internal or external namespaces, with the InterNIC or other authorized naming authority. For example, Microsoft should register its second-level domain name as microsoft.com. The company does not need to register corp.microsoft.com because it is not a second-level domain name. Internal names that are second-level domain names should be registered to ensure access from outside the corporate firewall and so that no one else can register the same name and receive traffic intended for your internal namespace. You can find more information about registering domain names at http://www.internic.net.

Tip

Be sure to register and receive verification for domain names before creating your Active Directory domain namespace to avoid having to change domain names. Changing a domain name can take time and waste resources.

Use short, distinct, meaningful names. Use domain names that are easy to use and are representative of your organization’s identity.

Use names that have been reviewed internationally. Review domain names to ensure that they are not derogatory or offensive in other languages.

Use names that will remain static. Use generic names rather than specific ones. For example, Microsoft might use hq.corp.microsoft.com for its Redmond headquarters domain rather than redmond.corp.microsoft.com to avoid the need for change if the headquarters is moved.

Use the International Organization for Standardization (ISO) standards for names that include countries and U.S. states. The ISO defines two-letter country codes and U.S. state codes, as presented in ISO 3166. You can find more information about ISO 3166 at http://www.iso.org/iso/en/prods-services/iso3166ma/index.html.


Determining the Storage Location of the Database and Log Files

Installing Active Directory creates the database and database log files. The Active Directory database is the directory for the new domain. The default location for the database and database log files is %Systemroot%\Ntds, where %Systemroot% is the path and folder name where the Microsoft Windows Server 2003 system files are located, typically C:\Windows. However, you can specify a different location when installing Active Directory using the Active Directory Installation Wizard. For best performance and fault tolerance, it’s recommended that you place the database and the log file on separate hard disks that are NTFS file system (NTFS) drives, although NTFS is not required. It’s also recommended that you have 1 gigabyte (GB) of space to install Active Directory, although the Active Directory Installation Wizard requires only a minimum of 200 megabytes (MB) of disk space for the Active Directory database and 50 MB for the log files.

The directory database is stored in a file named Ntds.dit, which contains all of the information stored in the Active Directory data store. The directory database is an Extensible Storage Engine (ESE) database that contains the schema, global catalog, and objects stored on a domain controller. When Active Directory is installed, Ntds.dit is copied from the %Systemroot%\System32 directory into the directory you specify. Active Directory services are started from the new copy of the file, and if there are other domain controllers present, the replication process brings the new copy up to date from the other domain controllers.

Determining the Location of the Shared System Volume Folder

Installing Active Directory creates the shared system volume, a folder structure that exists on all Windows Server 2003 domain controllers. It stores public files that must be replicated to other domain controllers, such as logon scripts and some of the Group Policy Objects (GPOs), for both the current domain and the enterprise. The default location for the shared system volume is %Systemroot%\Sysvol. However, you can specify a different location during Active Directory installation. The shared system volume must be located on a partition or volume formatted with NTFS.

Replication of the shared system volume occurs on the same schedule as Active Directory replication. As a result, you might not notice file replication to or from the newly created system volume until two replication periods have elapsed (typically, 10 minutes). This is because the first file replication period updates the configuration of other system volumes so that they are aware of the newly created system volume.
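A check of candidate locations against the requirements in these two sections, as an added example that is not part of the training kit. It uses the Storage module cmdlets (Windows Server 2012 and later, so not on Windows Server 2003 itself) to verify the file system, the free space the wizard requires and the 1 GB it recommends, and whether the database and log paths sit on different physical disks. The drive letters in the usage line are assumptions.

```powershell
# Added example (not from the training kit): verify candidate locations for the
# Active Directory database, log files and Sysvol before installing. Requires the
# Storage module (Windows Server 2012 or later). The paths in the usage line are assumptions.

function Test-AdStoragePaths {
    param(
        [string] $DatabasePath = "$env:SystemRoot\NTDS",   # default %Systemroot%\Ntds
        [string] $LogPath      = "$env:SystemRoot\NTDS",
        [string] $SysvolPath   = "$env:SystemRoot\SYSVOL", # default %Systemroot%\Sysvol
        [long]   $DatabaseMinBytes = 200MB,                # wizard minimum for the database
        [long]   $LogMinBytes      = 50MB,                 # wizard minimum for the log files
        [long]   $RecommendedBytes = 1GB                   # recommended free space for the installation
    )

    # Map a path to the volume and physical disk that hold it.
    function Get-PathLocation([string] $Path) {
        $letter = [System.IO.Path]::GetPathRoot($Path).Substring(0, 1)   # "D:\NTDS" -> "D"
        $volume = Get-Volume -DriveLetter $letter
        $disk   = Get-Partition -DriveLetter $letter | Get-Disk
        [pscustomobject]@{
            Path       = $Path
            Drive      = "${letter}:"
            FileSystem = $volume.FileSystem
            FreeBytes  = [long] $volume.SizeRemaining
            DiskNumber = $disk.Number
        }
    }

    $db  = Get-PathLocation $DatabasePath
    $log = Get-PathLocation $LogPath
    $sv  = Get-PathLocation $SysvolPath
    $problems = @()

    # Sysvol must be NTFS; NTFS is recommended (not required) for the database and logs.
    if ($sv.FileSystem -ne 'NTFS') {
        $problems += "Sysvol path $($sv.Path) is on $($sv.FileSystem); NTFS is required"
    }
    foreach ($loc in $db, $log) {
        if ($loc.FileSystem -ne 'NTFS') {
            $problems += "$($loc.Path) is on $($loc.FileSystem); NTFS is recommended"
        }
    }

    # Minimum space the wizard enforces, and the recommended 1 GB on the database volume.
    if ($db.FreeBytes  -lt $DatabaseMinBytes) { $problems += "$($db.Drive) has less than $($DatabaseMinBytes / 1MB) MB free for the database" }
    if ($log.FreeBytes -lt $LogMinBytes)      { $problems += "$($log.Drive) has less than $($LogMinBytes / 1MB) MB free for the logs" }
    if ($db.FreeBytes  -lt $RecommendedBytes) { $problems += "$($db.Drive) has less than $($RecommendedBytes / 1GB) GB free; 1 GB is recommended" }

    # Database and logs on separate physical disks for performance and fault tolerance.
    if ($db.DiskNumber -eq $log.DiskNumber) {
        $problems += "Database and log paths share physical disk $($db.DiskNumber); separate disks are recommended"
    }

    [pscustomobject]@{
        Database = $db
        Log      = $log
        Sysvol   = $sv
        Problems = $problems
        Ready    = ($problems.Count -eq 0)
    }
}

# Usage: database on D:, logs on E:, Sysvol on D: (assumed lab layout).
$report = Test-AdStoragePaths -DatabasePath 'D:\NTDS' -LogPath 'E:\NTDS' -SysvolPath 'D:\SYSVOL'
$report.Problems | ForEach-Object { Write-Warning $_ }
$report
```

The NTFS check for Sysvol is the only hard failure the installer itself enforces; the rest are the recommendations from the text, reported so they can be corrected before the wizard is run rather than after the domain controller is in service.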

Determining the DNS Configuration Method

You can configure your Windows Server 2003 DNS server manually or you can allow it to be configured automatically during Active Directory installation. Manual configuration of DNS to support Active Directory is required if you are using a non–Windows Server 2003 DNS server or if you want to set up a configuration other than the default configuration set up during Active Directory installation. You can configure DNS manually using the DNS console. For details about manually configuring DNS for Active Directory, refer to the MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (Microsoft Press, 2003).

Although Active Directory requires that the DNS service be installed on your network, you can install DNS implementations other than the Microsoft Windows Server 2003 DNS service. However, these other implementations might not have all of the features of Windows Server 2003 DNS. Therefore, you might not be able to take advantage of full DNS integration with Active Directory. For details about Active Directory interoperability with other DNS services, refer to the MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.

Determining the DNS Configuration

If you allow DNS to be configured automatically during Active Directory installation, the server is automatically set to meet the DNS requirements for joining Active Directory. However, if you have installed DNS manually or if your DNS solution does not support dynamic update, you must ensure that your configuration meets the DNS requirements for joining an Active Directory domain as described in this section.

Computers joining an Active Directory domain must satisfy the following DNS requirements:

The computer must be configured with a static Internet Protocol (IP) address and the IP address of a preferred DNS server.

The _ldap._tcp.dc._msdcs.DNSDomainName service (SRV) resource record must exist in DNS. DNSDomainName is the DNS name of the Active Directory domain the computer is attempting to join.

The host (A) resource record for the DNS name of each domain controller specified in the data field of the _ldap._tcp.dc._msdcs.DNSDomainName service (SRV) resource record must exist in DNS.

Configuring a Static IP Address and Preferred DNS Server

Before you install Active Directory on a server, you should configure a static IP address for the server and designate a preferred DNS server. To configure a static IP address for a server and designate a preferred DNS server, complete the following steps:

1. Click Start, point to Connect To, and then click Show All Connections.

2. Right-click Local Area Connection and then click Properties.

3. Click Internet Protocol (TCP/IP) and then click Properties.

4. In the Internet Protocol (TCP/IP) Properties dialog box, shown in Figure 2-4, click Use The Following IP Address. To specify a static IP address for the server, type the IP address, subnet mask, and default gateway IP addresses in the IP Address, Subnet Mask, and Default Gateway boxes, respectively.

Figure 2-4 The Internet Protocol (TCP/IP) Properties dialog box, showing configuration for a static IP address

5. Click the Use The Following DNS Server Addresses button and type the IP address of the preferred DNS server in the Preferred DNS Server box. It is a best practice to use a preferred DNS server in the same site. Optionally, you can specify the IP address of an alternate DNS server that this server will use if the preferred DNS server does not respond.

6. Click OK.

Off the Record

You should always configure a Preferred and Alternate DNS server for all client computers, member servers, and domain controllers whenever possible. Without DNS, domain member computers are unable to find domain controllers. If you only configure a Preferred DNS server on a domain member computer and that DNS server is unavailable for any reason, that domain member computer will be unable to locate a domain controller. If a client computer is unable to locate a domain controller, a large variety of connectivity and logon issues can occur.


Configuring the Required DNS Resource Records

Computers joining an Active Directory domain require the following resource records in DNS to locate an Active Directory domain controller:

_ldap._tcp.dc._msdcs.DNSDomainName service (SRV) resource record, which identifies the names of the domain controllers that serve the Active Directory domain. DNSDomainName is the DNS name of the Active Directory domain the computer is attempting to join.

A corresponding address (A) resource record that identifies the IP address of each domain controller listed in the _ldap._tcp.dc._msdcs.DNSDomainName SRV resource record.

To verify the presence of DNS resource records needed to join an Active Directory domain, complete the following steps:

1. Click Start, and then click Command Prompt.

2. Type nslookup and press Enter.

3. At the Nslookup (“>”) prompt, type set q=srv and press Enter.

4. At the next prompt, type _ldap._tcp.dc._msdcs.DNSDomainName and press Enter. Because the Nslookup command set q=srv selects SRV records, the query returns both the SRV records and the A records for the hosts they name.

5. Review the output and determine if all domain controllers in the Active Directory domain that this computer is attempting to join are included and registered using valid IP addresses. In some cases, you might need to manually add or verify registration of the service (SRV) resource records used to support Windows Server 2003 domain controllers.

6. If you need to add the SRV resource records that have been created for a domain controller, open and view the Netlogon.dns file, created by the Active Directory Installation Wizard when a server computer is promoted to a domain controller. Netlogon.dns can be found at the following location on a domain controller: %Systemroot%\System32\Config\Netlogon.dns. If you have installed DNS manually or if your DNS solution does not support dynamic update, you must manually enter these records on your DNS server(s).
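The following function automates the nslookup check above and also serves as the test for the BIND delegation options described at the start of this lesson: point it at the BIND server to confirm that the delegated _msdcs names resolve to the Windows DNS server’s records. It is an added example, not code from the training kit, and uses the Resolve-DnsName cmdlet from the DnsClient module (Windows Server 2012 and later; Windows Server 2003 has only nslookup). The domain name contoso.com and the server address 192.168.1.1 in the usage lines are assumptions.

```powershell
# Added example (not from the training kit): verify the DNS records a computer needs
# in order to join an Active Directory domain. Requires the DnsClient module
# (Windows 8 / Windows Server 2012 or later). $DomainName and $DnsServer are assumptions.

function Test-AdDnsRecords {
    param(
        [Parameter(Mandatory)] [string] $DomainName,   # e.g. contoso.com
        [string] $DnsServer                            # server to query; omit to use the client's configured servers
    )

    $query = @{ ErrorAction = 'Stop' }
    if ($DnsServer) { $query.Server = $DnsServer }

    $srvName = "_ldap._tcp.dc._msdcs.$DomainName"
    $result  = [ordered]@{ SrvName = $srvName; DomainControllers = @(); Problems = @() }

    # 1. The SRV record that lists the domain controllers must exist.
    #    The answer may also carry A records in its additional section, so keep only SRV.
    try {
        $srv = Resolve-DnsName -Name $srvName -Type SRV @query | Where-Object Type -eq 'SRV'
    } catch {
        $result.Problems += "SRV lookup for $srvName failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    if (-not $srv) {
        $result.Problems += "No SRV records returned for $srvName"
        return [pscustomobject]$result
    }

    # 2. Every host named in the SRV data must have an A record that resolves.
    foreach ($record in $srv) {
        $dc = [ordered]@{ Host = $record.NameTarget; Port = $record.Port; Addresses = @() }
        try {
            $a = Resolve-DnsName -Name $record.NameTarget -Type A @query | Where-Object Type -eq 'A'
            $dc.Addresses = @($a.IPAddress)
        } catch {
            $result.Problems += "A lookup for $($record.NameTarget) failed: $($_.Exception.Message)"
        }
        if (-not $dc.Addresses) {
            $result.Problems += "$($record.NameTarget) is listed in $srvName but has no A record"
        }
        $result.DomainControllers += [pscustomobject]$dc
    }

    return [pscustomobject]$result
}

# Usage: check contoso.com against the preferred DNS server 192.168.1.1 (assumed values).
# To test a BIND delegation, pass the BIND server's address instead and confirm the
# delegated _msdcs names still come back with the domain controllers' A records.
$check = Test-AdDnsRecords -DomainName 'contoso.com' -DnsServer '192.168.1.1'
$check.DomainControllers | Format-Table Host, Port, Addresses
if ($check.Problems) {
    Write-Warning ("DNS is not ready for domain join:`n" + ($check.Problems -join "`n"))
} else {
    Write-Host "All domain controllers in $($check.SrvName) resolve to an A record."
}
```

Compare the hosts returned with the list of domain controllers you expect; a controller missing from the SRV data, or present but without an A record, is exactly the case in step 6 where the Netlogon.dns records have to be entered on a DNS server that does not accept dynamic updates.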

Practice: Configuring a Static IP Address and Preferred DNS Server

In this practice, you configure a static IP address and preferred DNS Server for your two practice servers, Server1 and Server2. You will use these servers to complete exercises throughout this training kit.


Caution

The exercises in this training kit are designed to be completed on servers set up on their own practice network. The exercises require you to make changes to your server configuration and can produce undesirable results if you are connected to a larger network. If you are connected to a larger network, check with your administrator before attempting these exercises.

Exercise: Configuring a Static IP Address and Preferred DNS Server

In this exercise, you configure a static IP address and a preferred DNS server to prepare your servers for Active Directory service installation in Lesson 2.

To configure a static IP address and preferred DNS server

1. Log on to both servers as Administrator using password as your password.

Security Alert

In a real-world environment, always be sure to use a complex password. Microsoft recommends mixing uppercase and lowercase letters, numbers, and symbols (for example, Lp6*g9F2).

2. Use the procedure provided earlier in this lesson to configure a static IP address for Server1. Configure Server1 as its own preferred DNS server. See your network administrator for valid IP addresses or use 192.168.1.1.

3. Use the procedure provided earlier in this lesson to configure a static IP address for Server2. Configure Server1 as the preferred DNS server. See your network administrator for valid IP addresses or use 192.168.1.2.
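The same addressing for both practice servers, applied with the NetTCPIP and DnsClient cmdlets instead of the Internet Protocol (TCP/IP) Properties dialog, as an added example that is not part of the training kit. These cmdlets exist on Windows Server 2012 and later, not on Windows Server 2003, so the dialog procedure earlier in the lesson remains the one for the practice servers as described. The interface alias Ethernet, the /24 prefix and the gateway 192.168.1.254 are assumptions. Run it at the console of each server, because replacing the address drops any remote session.

```powershell
# Added example (not from the training kit): static IP address, subnet mask, default
# gateway, and preferred/alternate DNS servers for a server that is about to become a
# domain controller. Requires the NetTCPIP and DnsClient modules (Windows Server 2012+).
# Interface alias 'Ethernet', /24 prefix and gateway 192.168.1.254 are assumptions.

function Set-LabAddressing {
    param(
        [Parameter(Mandatory)] [string]   $InterfaceAlias,
        [Parameter(Mandatory)] [string]   $IPAddress,
        [int]                             $PrefixLength = 24,     # 255.255.255.0
        [string]                          $DefaultGateway,
        [Parameter(Mandatory)] [string[]] $DnsServers             # preferred first, then alternate
    )

    # A DHCP-assigned address could change under the domain controller; turn DHCP off first.
    Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Disabled

    # Remove any existing IPv4 address and default route so the new settings are the only ones.
    Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false

    $params = @{ InterfaceAlias = $InterfaceAlias; IPAddress = $IPAddress; PrefixLength = $PrefixLength }
    if ($DefaultGateway) { $params.DefaultGateway = $DefaultGateway }
    New-NetIPAddress @params | Out-Null

    # Preferred and alternate DNS servers. A domain member with only one DNS server
    # cannot locate a domain controller while that server is down (see "Off the Record" above).
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServers

    # Return what was actually applied so it can be checked before promotion.
    $ip  = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4
    $dns = Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4
    [pscustomobject]@{
        Interface  = $InterfaceAlias
        IPAddress  = $ip.IPAddress
        Prefix     = $ip.PrefixLength
        DnsServers = $dns.ServerAddresses
    }
}

# Server1 (run on Server1): static 192.168.1.1, itself as preferred DNS server.
Set-LabAddressing -InterfaceAlias 'Ethernet' -IPAddress '192.168.1.1' -DefaultGateway '192.168.1.254' -DnsServers '192.168.1.1'

# Server2 (run on Server2): static 192.168.1.2, Server1 as preferred DNS server.
# Add an alternate server to -DnsServers once a second DNS server exists on the network.
Set-LabAddressing -InterfaceAlias 'Ethernet' -IPAddress '192.168.1.2' -DefaultGateway '192.168.1.254' -DnsServers '192.168.1.1'
```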

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of the chapter.

1. What are the reasons to create more than one child domain under a dedicated root domain?

2. What is a forest root domain?

3. For best performance and fault tolerance, where should you store the database and log files?

4. What is the function of the shared system volume folder and where is the default storage location of the folder?

5. Which of the following is not a valid reason for creating an additional domain?

a. To meet SAM size limitations

b. To meet required security policy settings, which are linked to domains

c. To meet special administrative requirements, such as legal or privacy concerns

d. To optimize replication traffic

Lesson Summary

Before you can install Active Directory, you must determine the domain structure, domain names, storage location of the database and log files, location of the shared system volume folder, and the DNS configuration method.

Begin your domain structure with a single dedicated root domain, and add child domains only to meet required security policy settings, which are linked to domains; to meet special administrative requirements, such as legal or privacy concerns; to optimize replication traffic; to retain Windows NT domains; or to establish a distinct namespace.

A forest root domain is the first domain you create in an Active Directory forest.

The forest root domain must be centrally managed by an IT organization that is responsible for making domain hierarchy, naming, and policy decisions.

The default location for the database and database log files is %Systemroot%\Ntds, although you can specify a different location during Active Directory installation.

For best performance and fault tolerance, place the database and the log file on separate hard disks that are NTFS drives.

The default location for the shared system volume is %Systemroot%\Sysvol, although you can specify a different location during Active Directory installation.

The shared system volume must be located on a partition or volume formatted with NTFS.


Lesson 2: Installing and Removing Active Directory

After you’ve completed your preparation work with the installation prerequisites described in Lesson 1, you’re ready to install Active Directory. Removing Active Directory follows a process similar to installation. This lesson shows you how to install and remove Active Directory.

After this lesson, you will be able to

Install Active Directory using the Active Directory Installation Wizard

Install Active Directory using an unattended installation

Install Active Directory using the network or backup media

Install Active Directory using the Configure Your Server Wizard

Remove Active Directory

Estimated lesson time: 40 minutes

Installing Active Directory

There are four ways to install Active Directory:

Using the Active Directory Installation Wizard (to install Active Directory in most situations)

Using an answer file to perform an unattended installation (to install Active Directory remotely)

Using the network or backup media (to install Active Directory on additional domain controllers in the network using media)

Using the Configure Your Server Wizard (an additional way to install the first domain controller in a network only)

All these methods promote the computer to the role of domain controller, install Active Directory, and, if desired, install and configure the DNS server.

Installing Active Directory Using the Active Directory Installation Wizard

The Active Directory Installation Wizard is the main tool used to install Active Directory. The wizard presents a set of pages, on which you must input the following:

Domain controller type—either the first domain controller for a new domain or a new domain controller added to an existing domain

Domain type—a new domain in a new forest, a child domain in an existing domain tree, or a new domain tree in an existing forest


Domain name

NetBIOS name for the domain

Active Directory database and log folder location

Shared system volume folder location

Default permissions for user and group objects

Directory services restore mode administrator password

After you input this information, the wizard installs Active Directory, creates the full domain name, assigns the NetBIOS name for the domain, sets the Active Directory database and log folder location, sets the shared system volume folder location, and installs DNS and a preferred DNS server if you requested automatic DNS installation.

The Active Directory Installation Wizard does not install Dynamic Host Configuration Protocol (DHCP), assign the static IP address, assign the subnet mask, create a DHCP scope, or set up an application naming context in Active Directory for use by Telephony Application Programming Interface (TAPI) client applications.

As you begin installing Active Directory using the Active Directory Installation Wizard, you must choose whether to create the first domain controller for a new domain or add the new domain controller to an existing domain. You portray the domain structure by making these choices as they are presented in the wizard.
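The same set of inputs supplied in one command rather than page by page, as an added example that is not from the training kit: Install-ADDSForest and Test-ADDSForestInstallation from the ADDSDeployment module replaced dcpromo from Windows Server 2012 onward, so this does not run on Windows Server 2003. The domain name, NetBIOS name, and drive paths are lab assumptions. The wizard’s default-permissions choice for user and group objects has no parameter in this cmdlet and is not shown; the Directory Services Restore Mode password is read at the prompt rather than stored in the script, because it is a local administrator password for the domain controller.

```powershell
# Added example (not from the training kit): create the first domain controller of a new
# forest with the inputs the Active Directory Installation Wizard asks for. Requires the
# ADDSDeployment module (Windows Server 2012 or later). Names and paths are assumptions.

Import-Module ADDSDeployment

# Database and logs on separate NTFS volumes, Sysvol on NTFS (required); see Lesson 1.
$forest = @{
    DomainName          = 'contoso.com'   # Full DNS name for the new domain (assumed)
    DomainNetbiosName   = 'CONTOSO'       # NetBIOS name; the wizard defaults to the first label
    DatabasePath        = 'D:\NTDS'       # Active Directory database (Ntds.dit)
    LogPath             = 'E:\NTDS'       # Database log files, on a different disk
    SysvolPath          = 'D:\SYSVOL'     # Shared system volume
    InstallDns          = $true           # Let the installer configure DNS on this server
    CreateDnsDelegation = $false          # No parent zone to delegate from in a new forest
    Force               = $true           # Suppress the confirmation prompts
}

# Directory Services Restore Mode administrator password: prompt, never hard-code.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode administrator password' -AsSecureString

# Run the prerequisite checks (the equivalent of the wizard's diagnostics pages) first.
$check = Test-ADDSForestInstallation @forest -SafeModeAdministratorPassword $dsrm
if ($check.Status -ne 'Success') {
    $check.Message | Write-Warning
    throw 'Prerequisite check failed; fix the reported problems before installing.'
}

# Promote the server. It reboots on completion unless -NoRebootOnCompletion is added.
Install-ADDSForest @forest -SafeModeAdministratorPassword $dsrm
```

Splatting the same hashtable into the test and the install keeps the two in step, which is the point of running the check: the paths, names and DNS choice that pass the test are exactly the ones the installer then uses.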

Creating the First Domain Controller for a New Domain

If you choose to create the first domain controller for a new domain, you create both the domain controller and a new domain. You can then specify whether you want to create a new domain in a new forest, a child domain in an existing domain tree, or a new domain tree in an existing forest, as illustrated in Figure 2-5.

When you create a new domain in a new forest, either the new domain is the first domain in the organization or it is a new domain that you want to be completely independent from your existing forest. When you create a new child domain in an existing domain tree, the new domain is a child domain of an existing domain. Recall that domains in a tree share a contiguous namespace and a hierarchical naming structure.

When you create a new domain tree in an existing forest, the new domain is not part of an existing domain. Recall that trees in a forest have different naming structures, according to their domains, but the forest enables communication across the entire organization.

Figure 2-5 Domain controller roles and domain structure selections available during Active Directory installation (the figure illustrates the choices described above: a new domain in a new forest, a new child domain in an existing tree, a new domain tree in an existing forest, and an additional domain controller for an existing domain, alongside the existing and peer domain controllers)

Adding a New Domain Controller to an Existing Domain

If you choose to add a domain controller to an existing domain, you create a peer domain controller, as shown in Figure 2-5. Peer domain controllers provide redundancy and reduce the load on the existing domain controllers. Peer domain controllers are often placed in different geographic locations to minimize Active Directory access traffic.

Off the Record

Whenever you configure Active Directory, it’s very important to consider two domain controllers per domain the absolute minimum. If you only have one domain controller, you can lose the entire domain and all accounts if a serious hardware issue occurs. Of course, if you take the time to back up your Active Directory domain, the domain is not lost entirely, but it can still cause a significant problem. For example, users may not be able to log on properly and no new accounts can be created until Active Directory is restored. Further, you’ll only have the data that is current as of your last backup of Active Directory. Any accounts created since that backup will be lost. To avoid this issue, always install a minimum of two domain controllers for each domain.


Using the Active Directory Installation Wizard

The Active Directory Installation Wizard is started by typing dcpromo in the Run dialog box.

Exam Tip

Know how to invoke the Active Directory Installation Wizard.

To install Active Directory for a new domain using the Active Directory Installation Wizard, complete the following steps:

1. Click Start and then click Run. In the Run dialog box, type dcpromo in the Open box and click OK.

2. On the Welcome To The Active Directory Installation Wizard page, click Next.

3. On the Operating System Compatibility page, click Next.

4. On the Domain Controller Type page, shown in Figure 2-6, select Domain Controller For A New Domain, and then click Next.

Figure 2-6 Active Directory Installation Wizard, Domain Controller Type page

5. On the Create New Domain page, shown in Figure 2-7, ensure that Domain In A New Forest is selected, and then click Next.

Lesson 2 Installing and Removing Active Directory 2-21

Figure 2-7 Active Directory Installation Wizard, Create New Domain page

6. On the New Domain Name page, shown in Figure 2-8, in the Full DNS Name For New Domain box, type the name of the domain and then click Next.

Figure 2-8 Active Directory Installation Wizard, New Domain Name page

7. After a few moments, the NetBIOS Domain Name page appears, as shown in Figure 2-9. It’s recommended that you use the default NetBIOS name. Click Next.


Figure 2-9 Active Directory Installation Wizard, NetBIOS Domain Name page

8. On the Database and Log Folders page, shown in Figure 2-10, type the location of the Active Directory database in the Database Folder box and the Active Directory log in the Log Folder box. It’s recommended that you place the database and the log file on separate hard disks that are NTFS drives. Click Next.

Figure 2-10 Active Directory Installation Wizard, Database And Log Folders page


9. On the Shared System Volume page, shown in Figure 2-11, type the location of the Sysvol folder in the Folder Location box. The shared system volume must be located on a partition or volume formatted with NTFS. Click Next.

Figure 2-11 Active Directory Installation Wizard, Shared System Volume page

10. On the DNS Registration Diagnostics page, shown in Figure 2-12, view the details of the diagnostic test. Then select the appropriate option, as follows:

❑ If you have configured DNS but there is a problem and you have fixed it, select I Have Corrected The Problem. Perform The DNS Diagnostic Test Again, and then click Next.

❑ If you have not yet configured DNS and you want the wizard to configure it, select Install And Configure The DNS Server On This Computer, and then click Next.

❑ If you have configured DNS but there is a problem and you would like to correct the problem later, select I Will Correct The Problem Later By Configuring DNS Manually, and then click Next.


Figure 2-12 Active Directory Installation Wizard, DNS Registration Diagnostics page

11. On the Permissions page, shown in Figure 2-13, select the appropriate default permissions for user and group objects, and then click Next.

Figure 2-13 Active Directory Installation Wizard, Permissions page

12. On the Directory Services Restore Mode Administrator Password page, shown in Figure 2-14, in the Restore Mode Password box, type the password you want to assign to this server’s Administrator account in the event the computer is started in directory services restore mode. Confirm the password in the Confirm Password box. Click Next.


Figure 2-14 Active Directory Installation Wizard, Directory Services Restore Mode Administrator Password page

13. On the Summary page, shown in Figure 2-15, the options that you selected are listed. Review the contents of the Summary page, and then click Next. The wizard takes a few minutes to configure Active Directory components. If you have not configured a static Internet Protocol (IP) address for the server, you will be prompted to do so.

Figure 2-15 Active Directory Installation Wizard, Summary page

14. When the Completing The Active Directory Installation Wizard page appears, click Finish, and then click Restart Now.


15. On the This Server Is Now A Domain Controller page, click Finish. Active Directory is now installed on the server.

Note

Before you attempt to install Active Directory on a server, you must have an edition of the Windows Server 2003 family installed and a static IP address configured for the server. Refer to Lesson 1 for instructions on configuring a static IP address for a server.

Installing Active Directory Using an Answer File

You can create an answer file to run the Active Directory Installation Wizard without having to respond to the screen prompts. An answer file is a file that contains answers to questions that should be automated during installation. The answer file must contain all of the parameters that the Active Directory Installation Wizard needs to install Active Directory. An answer file that is used to install Windows Server 2003 can also include the installation of Active Directory, or you can create an answer file that installs only Active Directory and is run after the Windows Server 2003 setup is complete and you have logged on to the system.

To create the answer file, refer to the instructions located in the “Microsoft Windows Preinstallation Reference,” viewable by opening the Ref.chm compiled HTML help file on the Windows Server 2003 CD-ROM. The Ref.chm file is located in the Deploy.cab file in the \Support\Tools folder on the CD. The parameters required for the Active Directory setup answer file are described in Appendix B, “Active Directory Setup Answer File Parameters.”

To install Active Directory using an answer file, complete the following steps:

1. Restart your computer and log on as Administrator.

2. Click Start and then click Run. In the Run dialog box, type dcpromo /answer:answer file, where answer file is the name of the answer file, in the Open box and click OK.
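As an added illustration of the answer file described above (example code, not part of the book or of Microsoft’s tools), the following Python script builds a [DCInstall] answer file for a new-forest installation and checks it before it is handed to dcpromo /answer:. The key names are the documented Windows Server 2003 dcpromo unattend keys that Appendix B covers; the sample values, the set of keys the script treats as required, and the helper names are this example’s own assumptions. The file holds the Directory Services Restore Mode password in clear text, which is why the script reports secret keys: restrict the file with NTFS permissions while it exists and delete it once the promotion has completed.

```python
"""Build and sanity-check a dcpromo answer file for an unattended new-forest install.

Added example, not code from the book. The [DCInstall] key names are the
documented Windows Server 2003 dcpromo unattend keys (Appendix B of the book
lists the full set); every value below is a constructed sample.
"""

# Keys this example treats as the minimum for creating the first domain
# controller of a new forest (an assumption for the check; the wizard
# prompts interactively for anything else it finds missing).
REQUIRED_NEW_FOREST = (
    "ReplicaOrNewDomain",
    "NewDomain",
    "NewDomainDNSName",
    "DomainNetBiosName",
    "SafeModeAdminPassword",
)

# Keys whose values are secrets and therefore sit in the file in clear text.
SECRET_KEYS = ("SafeModeAdminPassword", "Password")


def build_new_forest_answer(dns_name, netbios_name, dsrm_password,
                            database_path=r"C:\Windows\NTDS",
                            log_path=r"D:\NTDSLogs",
                            sysvol_path=r"C:\Windows\SYSVOL"):
    """Return answer-file text that makes this server the first DC of a new forest."""
    settings = [
        ("ReplicaOrNewDomain", "Domain"),     # create a new domain, not a replica
        ("NewDomain", "Forest"),              # ...and that domain roots a new forest
        ("NewDomainDNSName", dns_name),
        ("DomainNetBiosName", netbios_name),
        ("DatabasePath", database_path),      # database and log on separate NTFS
        ("LogPath", log_path),                # disks, as the lesson recommends
        ("SYSVOLPath", sysvol_path),
        ("SafeModeAdminPassword", dsrm_password),
        ("RebootOnSuccess", "Yes"),
    ]
    return "[DCInstall]\n" + "".join(f"{key}={value}\n" for key, value in settings)


def parse_answer_file(text):
    """Parse INI-style answer-file text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def check_answer_file(text):
    """Return a list of problems that would stop an unattended new-forest install."""
    sections = parse_answer_file(text)
    if "DCInstall" not in sections:
        return ["missing [DCInstall] section"]
    dc = sections["DCInstall"]
    problems = [f"missing {key}" for key in REQUIRED_NEW_FOREST if not dc.get(key)]
    if dc.get("NewDomain") and dc["NewDomain"] not in ("Forest", "Tree", "Child"):
        problems.append("NewDomain must be Forest, Tree or Child when creating a domain")
    return problems


def cleartext_secrets(text):
    """Names of secret keys present with a value: the file must be protected
    while in use and removed once dcpromo has consumed it."""
    dc = parse_answer_file(text).get("DCInstall", {})
    return [key for key in SECRET_KEYS if dc.get(key)]


if __name__ == "__main__":
    sample = build_new_forest_answer("contoso.com", "CONTOSO", "Example-DSRM-Pw!")
    print(sample)
    print("problems:", check_answer_file(sample))
    print("clear-text secrets:", cleartext_secrets(sample))
```

The checker deliberately stops at structural problems; it does not try to validate paths or the NetBIOS name, which the wizard itself verifies when it runs.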

Installing Active Directory Using the Network or Backup Media

In Windows 2000, promoting a member server to become an additional domain controller in an existing domain required replicating the entire directory database to the new domain controller. In the case of low network bandwidth or a large directory database, this replication could take hours or even days to complete. Servers running Windows Server 2003 can be promoted using a restored backup taken from a Windows Server 2003 domain controller. This backup can be stored on any backup media (tape, CD, or DVD) or a network share. You can find more information about backing up Active Directory in Chapter 3, “Administering Active Directory.”


Using backup media to create an additional domain controller in your domain reduces the amount of replication required to copy the directory database across your LAN or WAN and will create an additional domain controller faster. This is because Active Directory only needs to replicate the changes that occurred after that backup was taken. The amount of replication that transpires depends on the age of the backup. The backup cannot be older than the tombstone lifetime of the domain, which is set to a default value of 60 days. Therefore, it is always recommended to use the most recent backup available.

If the domain controller that was backed up contained an application directory partition, it will not be restored on the new domain controller. For information about creating an application directory partition on a new domain controller, refer to Chapter 5, “Configuring Sites and Managing Replication.”

Although network bandwidth requirements will be greatly reduced by using this mechanism, network connectivity is still necessary so that

■ All critical objects are replicated to the new domain controller

■ Non-critical objects created after the backup was taken and other changes can be replicated to the new domain controller

■ Data stored in the Sysvol folder is replicated to the new domain controller

To install Active Directory using the network or backup media, complete the following steps:

1. Click Start, click Run, and then type dcpromo /adv in the Open box and click OK.

2. On the Operating System Compatibility page, click Next.

3. On the Domain Controller Type page, select Additional Domain Controller For An Existing Domain, and then click Next.

4. On the Copying Domain Information page, select one of the following options:

❑ Over The Network to copy domain information to this server over the network.

❑ From These Restored Backup Files and type the path to the backup files in the box to copy domain information to this server from backup files.

Note

To copy domain information to the server from backup files, you must first back up the system state of a domain controller belonging to the domain in which this server will become an additional domain controller. Second, the system state backup must be restored locally on the server you are promoting. To do this using Windows Server 2003 Backup, choose the option Restore Files To: Alternate Location. If the domain controller you restored the system state from was also a global catalog, the Active Directory Installation Wizard will ask if you would like this domain controller to become a global catalog as well.


See Also

For more information about backing up Active Directory, refer to Chapter 3.

5. On the Network Credentials page, specify your user name and password in the User Name and Password boxes, respectively. In the Domain box, type in the domain name and then click Next.

6. On the Database and Log Folders page, ensure that the correct locations for the database folder and the log folder appear in the Database Folder box and the Log Folder box, respectively. Click Next.

7. On the Shared System Volume page, ensure that the correct location for the shared system volume folder appears in the Folder Location box. Click Next.

8. On the Directory Services Restore Mode Administrator Password page, in the Restore Mode Password box, type the password you want to assign to this server’s Administrator account in the event the computer is started in directory services restore mode. Confirm the password in the Confirm Password box. Click Next.

9. On the Summary page, review your selections. Click Next to proceed with the installation. Restart the computer when prompted.

Installing Active Directory Using the Configure Your Server Wizard

The Configure Your Server Wizard provides a central location for you to install many services, including Active Directory, on a computer running Windows Server 2003. The Configure Your Server Wizard is available from the Manage Your Server screen, which opens automatically the first time you log on to a server by using administrative permissions. You can use the Configure Your Server Wizard to install Active Directory only if the computer is the first server on the network and has not yet been configured. Otherwise, if you attempt to use the Configure Your Server Wizard to install additional domain controllers on the network, the wizard simply accesses the Active Directory Installation Wizard to perform the actual installation.

If the computer is the first server on the network and has not yet been configured, the Configure Your Server Wizard provides the Configuration Options page to promote the server to a domain controller and install Active Directory. The Configuration Options page configures your server in the following ways:

■ Promotes the computer to domain controller.

■ Creates a full domain name for your network.

■ Assigns a static IP address.

■ Installs Active Directory, DNS server, DHCP server, and Routing and Remote Access.


■ Assigns a subnet mask, if none has been configured on this server. By default, the Configure Your Server Wizard assigns a subnet mask of 255.255.255.0.

■ Assigns a preferred DNS server, if none has been configured on this server. By default, the Configure Your Server Wizard assigns a preferred DNS server with the same IP address as the one specified for this server.

■ Assigns a DNS forwarder that you specify.

■ Configures and activates a DHCP scope.

■ Authorizes a DHCP server in Active Directory.

■ Sets up an application-naming context on the domain controller in Active Directory for use by TAPI client applications.

Note

Unlike the Active Directory Installation Wizard, the Configure Your Server Wizard does not allow you to set the Active Directory database and log folder location or set the shared system volume folder location. It also does not allow you to select a Directory Services Restore Mode Administrator Password.

When you use the Configure Your Server Wizard, the Configuration Options page is not available if any of the following points are true:

■ The computer is already configured as a DNS or DHCP server.

■ The computer has been set up to receive a dynamically configured IP address from a DHCP server on the network.

■ The current session is a remote session.

■ The computer is running Routing and Remote Access.

■ No IP-enabled network adapters are installed.

■ More than one IP-enabled network adapter has been installed.

■ The computer does not have at least one NTFS partition.

■ The computer is joined to a domain.

■ The computer is already a domain controller.

■ The computer is not a domain controller yet, but the Active Directory Installation Wizard has already been started.

■ The computer is a certificate authority (CA).

■ There is another computer on the network running the Windows Server 2003 family.

■ The computer is running Windows Server 2003, Datacenter Edition.

■ The computer is running Windows Server 2003, Web Edition.


Note

If the Configuration Options page is not available and you attempt to use the Configure Your Server Wizard to install Active Directory, the wizard simply starts the Active Directory Installation Wizard. Refer to the “Installing Active Directory Using the Active Directory Installation Wizard” section earlier in this chapter for details.

If the Configuration Options page is available, the Configure Your Server Wizard presents a set of pages, on which you must input:

■ Domain name

■ NetBIOS name

■ IP address of a forwarder, if desired

Removing Active Directory Services from a Domain Controller

Running Dcpromo on an existing domain controller allows you to remove Active Directory from the domain controller and demotes it to either a stand-alone server or a member server. If the domain controller is the last domain controller in the domain, it will become a stand-alone server. If other domain controllers will remain in the domain, it will become a member server. A stand-alone server is a computer that runs the Windows Server 2003 operating system but does not participate in a domain. It does not share account information with any other computer and cannot provide access to domain accounts. A member server is a computer that runs the Windows Server 2003 operating system and participates in a domain, but does not store a copy of the directory database. For a member server, permissions can be set on resources that allow users to connect to the server and use its resources.

If you remove Active Directory from all domain controllers in a domain, you also delete the directory database for the domain, and the domain no longer exists. Computers joined to this domain can no longer log on to the domain or use domain services.

To remove Active Directory, you must have administrative credentials as follows:

■ To remove Active Directory from a domain controller that is the last domain controller in a tree-root or a child domain, you must provide enterprise administrator credentials or be a member of the Enterprise Admins group.

■ To remove Active Directory from a domain controller that is the last domain controller in the forest, you must log on to the domain as Administrator or as a member of the Domain Admins group.

■ To remove Active Directory from a domain controller that is not the last domain controller in the domain, you must be logged on as a member of either the Domain Admins group or the Enterprise Admins group.


To remove Active Directory from a domain controller, complete the following steps:

1. Log on as the appropriate administrator.

2. Click Start, click Run, and then type dcpromo in the Open box and then click OK.

3. On the Welcome To The Active Directory Installation Wizard page, click Next.

4. If the domain controller is a global catalog server, a message appears telling you to make sure other global catalogs are accessible to users of the domain before removing Active Directory from this computer. Click OK.

5. On the Remove Active Directory page, select the check box if the server is the last domain controller in the domain. Click Next.

6. If the server is the last domain controller in the domain, the Application Directory Partitions page appears. If you want to remove all application directory partitions listed on this page, click Next. Otherwise, click Back. If you clicked Next, the Confirm Deletion page appears. Select the check box if you want the wizard to delete all the application directory partitions on the domain controller, and then click Next.

Note

Because removing the last replica of an application directory partition will result in the permanent loss of any data contained in the partition, the Active Directory Installation Wizard will not remove application directory partitions unless you confirm the deletion. You must decide when it is safe to delete the last replica of a particular partition. If the domain controller holds a TAPI application directory partition, you may need to use the Tapicfg.exe command-line tool to remove the TAPI application directory partition. For more information on using Tapicfg.exe, refer to Windows Server 2003 Help.

7. On the Administrator Password page, type and confirm the administrator password, and then click Next.

8. On the Summary page, click Next. The Configuring Active Directory progress indicator appears as Active Directory is removed from the server. This process will take several minutes. Click Finish.

9. On the Active Directory Installation Wizard dialog box, click Restart Now to restart the computer and complete the removal of Active Directory from the computer.

Practice: Installing and Removing Active Directory

In this practice, you install and remove Active Directory on your two practice servers, Server1 and Server2.

Note

To complete this practice successfully, you must have completed the practice in Lesson 1.


Exercise 1: Installing Active Directory

In this exercise, you install Active Directory on Server1, a stand-alone server, making it the first domain controller in a new domain.

To install Active Directory

1. On Server1, click Start, point to Control Panel, click Add Or Remove Programs, and then click Add/Remove Windows Components. The Windows Components Wizard opens.

2. In the Components box in the Windows Components window, scroll down and clear Networking Services, and then click Next.

3. In the Completing The Windows Components Wizard window, click Finish.

4. Close the Add Or Remove Programs window.

5. Restart Server1 and log on as Administrator.

Tip

Ensure that the IP address for Server1 is the preferred DNS server as specified in Lesson 1.

6. Use the procedure provided earlier in this lesson for installing Active Directory using the Active Directory Installation Wizard to install Active Directory on Server1. Use the Active Directory domain name contoso.com. Ensure that the NetBIOS name is contoso.

7. On the Database and Log Folders page, ensure that the correct locations for the database folder and the log folder appear in the Database Folder box and the Log Folder box, respectively. Click Next.

8. On the Shared System Volume page, ensure that the correct location for the shared system volume folder appears in the Folder Location box. Click Next.

9. On the Directory Services Restore Mode Administrator Password page, in the Restore Mode Password box, type the password you want to assign to this server’s Administrator account in the event the computer is started in directory services restore mode. Confirm the password in the Confirm Password box. Click Next.

10. Use the default entries for the remaining wizard pages. On the Summary page, review your selections. Click Next to proceed with the installation.

11. Restart Server1 when the wizard prompts you.


Real World

Verifying DNS Configuration Settings

DNS configuration errors are one of the most common Active Directory installation issues. Issues such as the DNS client pointing to the wrong IP address will prevent you from installing Active Directory. If you have difficulty installing Active Directory, you should verify your DNS settings on both the client and the server, especially if you see a message that indicates the domain or domain controller could not be contacted.

Practice: Fixing a DNS Configuration and Installing Active Directory

In this practice, you configure DNS server settings on Server2 so that you can install Active Directory, and then uninstall Active Directory from the server.

Exercise 1: Fixing a DNS Configuration

In this exercise, you’ll incorrectly configure your DNS server settings for Server2. Then, you’ll attempt to install Active Directory on Server2. Finally, you’ll correct the DNS server settings so you can properly install Active Directory on Server2.

To fix a DNS configuration and install Active Directory

1. Log on to Server2 as Administrator.

2. Click Start, point to Control Panel, point to Network Connections, and then click Local Area Connection.

3. In the Local Area Connection Status dialog box, click Properties.

4. In the Local Area Connection Properties dialog box, select Internet Protocol (TCP/IP), and then click Properties.

5. Ensure DNS is not installed by clicking Start, pointing to Administrative Tools, and then checking for DNS in the tree.

6. In the Internet Protocol (TCP/IP) Properties dialog box, set the Preferred DNS Server setting to 127.0.0.1.

7. Clear all IP addresses in the Alternate DNS Server setting box, and then click OK.

8. Log off Administrator.

9. Log on using the local administrator’s user name and password. In the Log On To Windows dialog box, ensure that you have the Log On To box set to SERVER2 (this computer). You may need to click Options in order to see the Log On To box. Click OK.

10. Click Start, and then click Run. Type dcpromo in the Open box. Click OK.


11. When the Active Directory Installation Wizard starts, click Next to begin installing Active Directory.

12. Read the Operating System Compatibility page, and then click Next.

13. On the Domain Controller Type page, select Additional Domain Controller For An Existing Domain, and then click Next.

14. On the Network Credentials page, type the user name and password of the domain administrator account. Type contoso.com as the domain, and then click Next.

15. You should see an Active Directory Installation Wizard message box indicating an error. The message box tells you that the domain controller for Contoso.com cannot be located. This is because your Preferred DNS Server is incorrectly configured. Click Details to read more about this error, and then click OK.

16. On the Network Credentials screen, click Cancel to cancel the Active Directory installation, and then click Yes to confirm the cancellation.

17. To correct your DNS configuration, click Start, point to Control Panel, point to Network Connections, and then click Local Area Connection.

18. In the Local Area Connection Properties dialog box, select Internet Protocol (TCP/IP) and click Properties.

19. In the Internet Protocol (TCP/IP) Properties dialog box, set the Preferred DNS Server setting to the IP address of Server1. Click OK.

20. Click OK to close the Local Area Connection Properties dialog box.

21. Install Active Directory on Server2 as described earlier in this exercise.

Exercise 2: Removing Active Directory from a Domain Controller

In this exercise, you remove Active Directory from Server2, a domain controller, making it a member server for a domain.

To remove Active Directory from a domain controller

1. On Server2, use the procedure provided earlier in this lesson to remove Active Directory from a domain controller.

2. Restart Server2 when the wizard prompts you.


Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. What command must you use to install Active Directory using the Active Directory Installation Wizard?

2. What items are installed when you use the Active Directory Installation Wizard to install Active Directory?

3. Explain the two ways you can use an answer file to install Active Directory.

4. What command must you use to install Active Directory using the network or backup media?

5. Which of the following commands is used to demote a domain controller?

a. Dcdemote

b. Dcinstall

c. Dcpromo

d. Dcremove


Lesson Summary

■ You can install Active Directory using the Active Directory Installation Wizard, by using an answer file to perform an unattended installation, by using the network or backup media, or by using the Configure Your Server Wizard.

■ The Active Directory Installation Wizard is the main tool used to install Active Directory. You use the Dcpromo command to start the Active Directory Installation Wizard.

■ You can create an answer file to run the Active Directory Installation Wizard. The answer file can be a part of the answer file used to install Windows Server 2003, or it can install only Active Directory and run after Windows Server 2003 Setup is complete.

■ You can use the network or backup media to install Active Directory on additional domain controllers for an existing domain. Using backup media reduces bandwidth requirements for Active Directory installation.

■ You can remove Active Directory from an existing domain controller and demote it to either a stand-alone server or a member server by using the Dcpromo command.

Lesson 3 Verifying Active Directory Installation 2-37

Lesson 3: Verifying Active Directory Installation

Verifying Active Directory installation involves verifying the domain configuration, DNS configuration, DNS integration with Active Directory, installation of the shared system volume, and operation of the Directory Services Restore Mode boot option. This lesson shows you how to verify your Active Directory installation.

After this lesson, you will be able to

■ Verify Active Directory installation

Estimated lesson time: 15 minutes

Verifying an Active Directory Installation

After you have completed the installation of Active Directory, you must verify that Active Directory has been correctly installed. You can do this by verifying the following:

■ Domain configuration

■ DNS configuration

■ DNS integration with Active Directory

■ Installation of the shared system volume

■ Operation of the Directory Services Restore Mode boot option

Verifying Domain Configuration

After the domain controller is installed, various Active Directory administrative tools are added to the Administrative Tools menu. You can verify that Active Directory is functioning properly and that your domain controller is placed properly by opening the Active Directory Users And Computers console and checking for the presence of the domain and domain controller.

To verify domain configuration, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.

2. In the Active Directory Users And Computers console, verify that your domain is correctly named by finding it in the console tree.

3. Double-click the domain. Click the Domain Controllers container. Verify that your domain controller appears and is correctly named by finding it in the details pane.

4. Double-click the server. Verify that all information is correct on the tabs in the Properties dialog box for the server.


Verifying the DNS Configuration

If you allow the Active Directory Installation Wizard to configure DNS for you, and your DNS solution supports dynamic update, the Netlogon service registers a set of default SRV resource records on the DNS server, as shown in Figure 2-16. SRV records are required for clients to find hosts that provide required services.

Figure 2-16 Set of default SRV records on Server1 and Server2

To verify the DNS configuration, complete the following steps:

1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.

2. In the DNS console tree, double-click the DNS server, double-click Forward Lookup Zones, and then double-click the zone. Expand the _msdcs, _sites, _tcp, and _udp folders to view the default resource records.

Notice that the set of default SRV resource records is registered in multiple layers. The structure shown in Figure 2-16 is for two domain controllers; more complex environments will appear as such, with multiple records in the multiple layers. Records are provided for the global catalog, Kerberos, Kpasswd (Kerberos password change), and Lightweight Directory Access Protocol (LDAP) services.

The Netlogon service creates a log file that contains all the SRV resource records and places the log file in %Systemroot%\System32\Config\Netlogon.dns. An example Netlogon.dns file is shown in Figure 2-17. If your DNS solution does not support dynamic update, you must manually enter these records on your DNS server(s).
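The Netlogon.dns file described above can be checked programmatically rather than by eye, which is useful both when entering the records manually and when confirming that dynamic update registered them. The following Python script is an added example, not code from the book or from Microsoft: it parses a constructed Netlogon.dns for a hypothetical server1 in contoso.com (the GUID in the CNAME line is a made-up placeholder) and reports any of the default LDAP, global catalog, Kerberos and Kpasswd locators that are missing or advertise the wrong port. The set of expected locators and ports is this example’s assumption about the minimum a domain controller publishes.

```python
"""Check a Netlogon.dns file for the default SRV records a domain controller
must register. Added example, not code from the book; the sample file contents
below are constructed for a hypothetical server1 in contoso.com (the DSA GUID
in the CNAME line is a made-up placeholder)."""

from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "name priority weight port target")

# Constructed sample in the format Netlogon writes to
# %Systemroot%\System32\Config\Netlogon.dns.
SAMPLE_NETLOGON_DNS = """\
contoso.com. 600 IN A 192.168.1.10
00000000-1111-2222-3333-444444444444._msdcs.contoso.com. 600 IN CNAME server1.contoso.com.
_ldap._tcp.contoso.com. 600 IN SRV 0 100 389 server1.contoso.com.
_ldap._tcp.Default-First-Site-Name._sites.contoso.com. 600 IN SRV 0 100 389 server1.contoso.com.
_ldap._tcp.pdc._msdcs.contoso.com. 600 IN SRV 0 100 389 server1.contoso.com.
_ldap._tcp.dc._msdcs.contoso.com. 600 IN SRV 0 100 389 server1.contoso.com.
_ldap._tcp.gc._msdcs.contoso.com. 600 IN SRV 0 100 3268 server1.contoso.com.
_gc._tcp.contoso.com. 600 IN SRV 0 100 3268 server1.contoso.com.
_kerberos._tcp.contoso.com. 600 IN SRV 0 100 88 server1.contoso.com.
_kerberos._udp.contoso.com. 600 IN SRV 0 100 88 server1.contoso.com.
_kpasswd._tcp.contoso.com. 600 IN SRV 0 100 464 server1.contoso.com.
_kpasswd._udp.contoso.com. 600 IN SRV 0 100 464 server1.contoso.com.
"""

# Service locators every DC publishes, with the port each should carry:
# LDAP (389), global catalog (3268), Kerberos (88), Kpasswd (464).
# Assumption for this example: this is the minimum set worth checking.
EXPECTED_SRV = {
    "_ldap._tcp": 389,
    "_ldap._tcp.dc._msdcs": 389,
    "_gc._tcp": 3268,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}


def parse_srv_records(text):
    """Return the SRV records in Netlogon.dns text; other record types are skipped."""
    records = []
    for raw in text.splitlines():
        fields = raw.split()
        # Layout of an SRV line: name ttl class type priority weight port target
        if len(fields) == 8 and fields[2] == "IN" and fields[3] == "SRV":
            name, _ttl, _cls, _type, prio, weight, port, target = fields
            records.append(SrvRecord(name.lower().rstrip("."), int(prio), int(weight),
                                     int(port), target.lower().rstrip(".")))
    return records


def missing_or_wrong(records, domain):
    """List the expected locators that are absent or advertise the wrong port."""
    by_name = {}
    for rec in records:
        by_name.setdefault(rec.name, []).append(rec)
    problems = []
    for prefix, port in EXPECTED_SRV.items():
        fqdn = f"{prefix}.{domain.lower().rstrip('.')}"
        found = by_name.get(fqdn)
        if not found:
            problems.append(f"missing {fqdn}")
        elif all(rec.port != port for rec in found):
            problems.append(f"{fqdn} advertises port {found[0].port}, expected {port}")
    return problems


def domain_controllers(records, domain):
    """Hosts advertised as domain controllers via _ldap._tcp.dc._msdcs.<domain>."""
    name = f"_ldap._tcp.dc._msdcs.{domain.lower().rstrip('.')}"
    return sorted({rec.target for rec in records if rec.name == name})


if __name__ == "__main__":
    recs = parse_srv_records(SAMPLE_NETLOGON_DNS)
    print("domain controllers:", domain_controllers(recs, "contoso.com"))
    print("problems:", missing_or_wrong(recs, "contoso.com") or "none")
```

On a real domain controller, read the file from the path the lesson gives and pass its contents to parse_srv_records; a non-empty result from missing_or_wrong is the list of records to add by hand on a DNS server that does not support dynamic update.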


Figure 2-17 Example Netlogon.dns file

Verifying DNS Integration with Active Directory

If you allow the Active Directory Installation Wizard to configure a basic DNS setup for you, and your DNS solution supports dynamic update, the wizard configures an Active Directory–integrated forward lookup zone with the name of the domain. The configuration of this zone changes the storage location of zone data from the zone file to Active Directory on the server. You can verify DNS integration by viewing the properties for the DNS zone and the DNS server.

To verify DNS integration with Active Directory, complete the following steps:

1. Click Start, point to Administrative Tools, and then click DNS.

2. In the DNS console tree, double-click the DNS server, double-click Forward Lookup Zones, right-click the zone, and then select Properties from the menu. The Properties dialog box for the zone appears.

3. On the General tab, verify that Active Directory–Integrated appears after Type. Verify that Nonsecure And Secure appears in the Dynamic Updates box. Notice that the Security tab now exists to set the security for secure dynamic update. Click OK.

4. In the DNS console tree, right-click the DNS server and then select Properties from the menu. The Properties dialog box for the DNS server appears.

5. On the Advanced tab, verify that the Load Zone Data On Startup box is set to From Active Directory And Registry. Click OK.


Verifying Installation of the Shared System Volume

The Active Directory Installation Wizard builds the shared system volume, Sysvol, during the creation of a domain controller. Sysvol is a tree of folders containing files that need to be available and synchronized between domain controllers in a domain or forest, including

Sysvol shared folder

Netlogon shared folder

Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows Millennium Edition (Windows Me), and Microsoft Windows NT 4 system policies

Windows 2000 and Windows Server 2003 Group Policy settings

User logon and logoff scripts

For example, the default folder structure contains the following folders for policies or scripts used by network clients:

%Systemroot%\Sysvol\Sysvol\domain_name\Policies

%Systemroot%\Sysvol\Sysvol\domain_name\Scripts

You can verify the installation of the shared system volume by viewing the Sysvol folders in the location you specified during Active Directory installation.

To verify installation of the shared system volume, complete the following steps:

1. Open My Computer.

2. Open %Systemroot%\Sysvol or the location you specified during Active Directory installation.

3. Verify that the Sysvol folder contains a shared Sysvol folder. Verify that the shared Sysvol folder contains a folder for the domain, which contains a shared Scripts and a Policies folder.

Verifying Operation of the Directory Services Restore Mode Boot Option

The Directory Services Restore Mode boot option allows restores of Active Directory on a domain controller. This option is not available on member servers. You should verify that this boot option is operational and runs with the password you specified during Active Directory installation to ensure its availability if needed during troubleshooting or restore operations.


To verify operation of the directory services restore mode boot option, complete the following steps:

1. Restart your computer and press F8 when you see the Boot menu.

2. On the Windows Advanced Options menu, use the arrow keys to select Directory Services Restore Mode, and then press Enter.

3. The Boot menu is displayed again, with the words “Directory Services Restore Mode” displayed in color at the bottom. Select the operating system installation that you want to start, and then press Enter. The computer restarts in directory services restore mode. This can take a few minutes.

4. On the Welcome To Windows screen, press Ctrl+Alt+Delete. Log on to the local computer using the server’s Administrator account name (specified during server setup) and directory services restore mode administrator password (specified during Active Directory installation). Click OK.

Note

You cannot use the name and password of the Active Directory administrator because Active Directory is offline and account verification cannot occur. Rather, the SAM database is used to control access to Active Directory on the local computer while Active Directory is offline.

5. In the Windows Is Running In Safe Mode warning message box, click OK to run the domain controller in safe mode.

6. To return to normal Active Directory operation, restart the computer.

Practice: Verifying Active Directory Installation

In this practice, you verify Active Directory installation on the domain controller you created in Lesson 2.

Note

To complete this practice successfully, you must have completed the practices in Lessons 1 and 2.

Exercise: To Verify Active Directory Installation

In this exercise, you verify Active Directory installation by verifying the domain configuration, the DNS configuration, DNS integration with Active Directory, installation of the shared system volume, and operation of the Directory Services Restore Mode boot option.


To verify Active Directory installation

1. Log on to Server1 as Administrator using password as your password.

2. Use the procedures provided earlier in this lesson to verify the following:

Domain configuration

DNS configuration

DNS integration with Active Directory

Installation of the shared system volume

Operation of the Directory Services Restore Mode boot option

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. After Active Directory has been installed, how can you verify the domain configuration?

2. After Active Directory has been installed, how can you verify the DNS configuration?

3. After Active Directory has been installed, how can you verify DNS integration with Active Directory?

4. After Active Directory has been installed, how can you verify installation of the shared system volume?

Lesson Summary

You can verify that Active Directory has been correctly installed by verifying domain configuration, DNS configuration, DNS integration with Active Directory, installation of the shared system volume, and the operation of the Directory Services Restore Mode boot option.

Lesson 4 Troubleshooting Active Directory Installation and Removal 2-43

Lesson 4: Troubleshooting Active Directory Installation and Removal

In order to install or remove Active Directory you must be able to troubleshoot Active Directory installation and removal. Troubleshooting Active Directory installation and removal involves using the Directory Service log; the Netdiag, Dcdiag, and Ntdsutil command-line tools; and the Dcpromoxx.log files to solve Active Directory installation and removal-related problems. This lesson shows you how to troubleshoot the installation and removal of Active Directory.

After this lesson, you will be able to

Troubleshoot the installation and removal of Active Directory

Estimated lesson time: 20 minutes

Troubleshooting Active Directory Installation

Some of the common problems you might encounter when installing and removing Active Directory include the following:

You cannot reach the server from which you are installing, perhaps because the DNS name is not registered yet.

The name of the domain you are authenticating against is incorrect or not available yet.

The user name and password you supplied are incorrect.

The DNS server settings are not configured correctly.

You are unable to remove data in Active Directory after an unsuccessful removal of Active Directory.

Windows Server 2003 provides the following tools to diagnose and resolve problems encountered during Active Directory installation and removal:

Directory Service log

Netdiag.exe: Network Connectivity Tester

Dcdiag.exe: Domain Controller diagnostic tool

Dcpromoui.log, Dcpromos.log, and Dcpromo.log files

Ntdsutil.exe: Active Directory diagnostic tool


Troubleshooting with the Directory Service Log

Active Directory records events, including errors, warnings, and information that Active Directory generates, in the Directory Service log in Event Viewer. You can use the log to monitor the activity level of Active Directory or to investigate problems.

To view the Directory Service log, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Event Viewer.

2. In the console tree, select Directory Service. In the details pane, Event Viewer displays a list of events and summary information for each item, as shown in Figure 2-18. Information events appear with an “i” icon, warnings appear with a yellow triangle icon, and errors appear with a red circle and white “x” icon.

Figure 2-18 Example directory service log

3. To view additional information for any event, double-click the event.

Troubleshooting with Netdiag.exe: Network Connectivity Tester

The Network Connectivity Tester (Netdiag) is a command-line, diagnostic tool included with the Windows Support Tools on the Windows Server 2003 Setup CD-ROM that helps isolate networking and connectivity problems by performing a series of tests to determine the state of a network client. Netdiag diagnoses network problems by checking all aspects of a host computer’s network configuration and connections.

These tests and the network information they provide give support personnel a more direct means of identifying and isolating network problems. In addition, because this tool does not require parameters or switches to be specified, support personnel can focus on analyzing the output, rather than using the tool.

Netdiag has the following syntax: netdiag [/q] [/v] [/l] [/debug] [/d:DomainName] [/fix] [/DcAccountEnum] [/test:testname] [/skip:testname] [/?]

Each of the command parameters is explained in Table 2-1.

Table 2-1 Netdiag Command Switches

Parameter          Function
/q                 Lists only tests that return errors
/v                 More extensive listing of test data as tests are performed
/l                 Stores output in Netdiag.log, in the default directory
/debug             Complete list of test data with reasons for success or failure
/d:DomainName      Finds a domain controller in the specified domain
/fix               Fixes minor problems
/DcAccountEnum     Enumerates domain controller computer accounts
/test:testname     Runs only the test specified by testname. For a complete list, type netdiag /?
/skip:testname     Skips the named test
/?                 Displays the netdiag syntax, including a list of tests.

Run Netdiag whenever a computer is having network problems. The utility tries to diagnose the problem and can even flag problem areas for closer inspection. It can fix simple DNS problems with the optional /fix switch.

To use Windows Support Tools, including Netdiag, you must first install them on your computer. To install the Windows Support Tools, complete the following steps:

1. Start Windows Server 2003. You must log on as a member of the Administrators group to install the support tools.

2. Insert the Windows Server 2003 CD into your CD-ROM drive.

3. Click Start, then select Run.

4. In the Run dialog box, type E:\Support\Tools\suptools.msi, where E: is the drive letter of your CD-ROM drive. Click OK.

5. Follow the instructions that appear on your screen.


Note

The Setup program requires a maximum of 22 megabytes (MB) of free space to install all Windows Support Tools files onto your hard disk. Setup creates a Support Tools folder within the Program Files folder on the system drive. Support Tools are available from the Start Menu by selecting All Programs followed by the Windows Support Tools option. For detailed information about individual tools, click the Support Tools Help menu item. Graphical user interface (GUI) tools can be invoked from the Tools menu. Command-line tools must be invoked at the command prompt.

See Also

You can find more information about Windows Support Tools in Chapter 3, “Administering Active Directory.”

To use Netdiag to check domain controller connectivity, complete the following steps:

1. Click Start, and then click Command Prompt.

2. At the command prompt, type netdiag /debug and press Enter. The test runs and displays the results in the command-prompt window.

For more information about Netdiag, see Windows Support Tools Help.

Troubleshooting with Dcdiag.exe: Domain Controller Diagnostic Tool

The Domain Controller Diagnostic tool (Dcdiag) is a command-line, diagnostic tool included with the Windows Support Tools on the Windows Server 2003 Setup CD-ROM that analyzes the state of domain controllers in a forest or enterprise and reports any problems. Dcdiag runs a series of tests to verify different functional areas of Active Directory. The user specifies which domain controllers are tested, such as all domain controllers within an enterprise or site, or just a single domain controller. The user can also select domain controllers holding a directory partition. In the default mode, minimum output is displayed—a confirmation of each test. In the verbose mode, the collected data for each test is displayed.

Dcdiag is a read-only tool that does not affect the state of the enterprise, and performs an automatic analysis of the domain controller with little user intervention. Although the Dcdiag tool has many other uses, you can use it to perform a test that diagnoses domain controller connectivity, which is a common Active Directory installation troubleshooting issue. The test for connectivity in the Dcdiag tool verifies that

DNS names for the server are registered.

The server can be reached by means of IP at its IP address, LDAP, and a remote procedure call (RPC).

Dcdiag has the following syntax: dcdiag /s:DomainController [/n:NamingContext] [/u:Domain\Username /p:{* | Password | ""}] [{/a | /e}] [{/q | /v}] [/i] [/f:LogFile] [/ferr:ErrLog] [/c [/skip:Test]] [/test:Test] [/fix] [{/h|/?}]

Each of the command parameters is explained in Table 2-2.

Table 2-2 Dcdiag Command Switches

Parameter                                   Function
/s:DomainController                         Uses DomainController as a home server. This is a required parameter.
/n:NamingContext                            Uses NamingContext as the naming context to test. Domains can be specified in NetBIOS, DNS, or distinguished name format.
/u:Domain\Username /p:{* | Password | ""}   Uses Domain\Username credentials for binding, with Password as the password. "" is an empty or null password. * prompts for the password.
/a                                          Tests all the servers on this site.
/e                                          Tests all the servers in the entire enterprise. Overrides /a.
/q                                          (Quiet) Prints only error messages.
/v                                          (Verbose) Prints extended information.
/i                                          Ignores superfluous error messages.
/f:LogFile                                  Redirects all output to LogFile. /f: operates independently of /ferr:.
/ferr:ErrLog                                Redirects fatal error output to a separate file ErrLog. /ferr: operates independently of /f:.
/c                                          (Comprehensive) Runs all tests except DCPromo and RegisterInDNS, including nondefault tests. Optionally, can be used with /skip to skip specified tests. The following tests are not run by default: Topology, CutoffServers, and OutboundSecureChannels.
/skip:Test                                  Skips the specified Test. Must be used with /c. Should not be run in the same command line with /test. The only Test that cannot be skipped is Connectivity.
/test:Test                                  Runs only this test. The non-skippable Connectivity test is also run. Should not be run in the same command line with /skip. For a complete list, type dcdiag /?.
/fix                                        Fixes the Service Principal Names (SPNs) on the domain controller’s Machine Account Object. Affects only the MachineAccount test.
{/h|/?}                                     Displays a syntax screen at the command prompt.


Note

To use Windows Support Tools, including Dcdiag, you must first install them on your computer. You can find the complete installation procedure in Chapter 3, “Administering Active Directory.”

To use Dcdiag to check domain controller connectivity, complete the following steps:

1. Click Start, and then click Command Prompt.

2. At the command prompt, type dcdiag /s:domain_controller_name /test:connectivity and press Enter. The connectivity test runs and displays the results in the command-prompt window.
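The switch rules in Table 2-2 (/s required, /skip only with /c and never with /test, Connectivity never skippable, /e overriding /a) are easy to get wrong when dcdiag is run from a script. As an added example that is not part of the training kit or of dcdiag itself, the following Python helper assembles a dcdiag argument list that enforces those rules and always requests the password with /p:* so it never appears on the command line; the server name dc1.example.local is a constructed placeholder.

```python
"""Assemble a dcdiag command line that obeys the switch rules of Table 2-2.

Added example, not part of the training kit or of dcdiag. It only builds
the argument list to hand to subprocess.run (shell=False); the password is
always requested with /p:* so it never shows up in a process listing.
"""
from typing import List, Optional, Sequence

NON_SKIPPABLE_TESTS = {"connectivity"}


def build_dcdiag_args(
    home_server: str,                      # /s: (required)
    *,
    naming_context: Optional[str] = None,  # /n:
    user: Optional[str] = None,            # /u:Domain\Username, password prompted
    scope: Optional[str] = None,           # None, "site" (/a) or "enterprise" (/e)
    verbosity: Optional[str] = None,       # None, "quiet" (/q) or "verbose" (/v)
    ignore_superfluous: bool = False,      # /i
    log_file: Optional[str] = None,        # /f:
    err_log: Optional[str] = None,         # /ferr:
    comprehensive: bool = False,           # /c
    skip: Sequence[str] = (),              # /skip:Test (needs /c, excludes /test)
    tests: Sequence[str] = (),             # /test:Test (excludes /skip)
    fix_spns: bool = False,                # /fix (affects only MachineAccount)
) -> List[str]:
    """Return ["dcdiag", ...] or raise ValueError for a forbidden combination."""
    if not home_server:
        raise ValueError("/s:DomainController is required")
    if skip and tests:
        raise ValueError("/skip and /test must not be on the same command line")
    if skip and not comprehensive:
        raise ValueError("/skip must be used with /c")
    for name in skip:
        if name.lower() in NON_SKIPPABLE_TESTS:
            raise ValueError(f"the {name} test cannot be skipped")
    if scope not in (None, "site", "enterprise"):
        raise ValueError("scope must be None, 'site' or 'enterprise'")
    if verbosity not in (None, "quiet", "verbose"):
        raise ValueError("verbosity must be None, 'quiet' or 'verbose'")
    if fix_spns and tests and not any(t.lower() == "machineaccount" for t in tests):
        # Sanity check added by this example: /fix touches only the
        # MachineAccount test, so pairing it with other /test selections
        # would silently do nothing.
        raise ValueError("/fix affects only the MachineAccount test")

    args = ["dcdiag", f"/s:{home_server}"]
    if naming_context:
        args.append(f"/n:{naming_context}")
    if user:
        args += [f"/u:{user}", "/p:*"]   # prompt; never embed the password
    if scope == "site":
        args.append("/a")
    elif scope == "enterprise":
        args.append("/e")                # /e overrides /a, so emit only /e
    if verbosity == "quiet":
        args.append("/q")
    elif verbosity == "verbose":
        args.append("/v")
    if ignore_superfluous:
        args.append("/i")
    if log_file:
        args.append(f"/f:{log_file}")
    if err_log:
        args.append(f"/ferr:{err_log}")
    if comprehensive:
        args.append("/c")
    args += [f"/skip:{name}" for name in skip]
    args += [f"/test:{name}" for name in tests]
    if fix_spns:
        args.append("/fix")
    return args


def connectivity_check_args(domain_controller: str) -> List[str]:
    """The lesson's check: dcdiag /s:<domain_controller_name> /test:connectivity."""
    return build_dcdiag_args(domain_controller, tests=["connectivity"])


if __name__ == "__main__":
    # Constructed server name; pass the list to subprocess.run on a server
    # that has the Windows Support Tools installed.
    print(" ".join(connectivity_check_args("dc1.example.local")))
```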

See Also

For more information about Dcdiag, see the Windows Support Tools Help.

Troubleshooting with the Dcpromo Log Files

Windows Server 2003 maintains Dcpromo log files that pertain to Active Directory installation. When installing or removing Active Directory using the Active Directory Installation Wizard, the following log files are created in the %Systemroot%\Debug folder:

Dcpromoui.log

Dcpromos.log

Dcpromo.log

You need to be familiar with the information provided in these log files because they provide facts about Active Directory installation and removal performance and services.

Dcpromoui.log The Dcpromoui.log file contains a detailed progress report of the Active Directory installation and removal processes from a graphical interface perspective. Logging begins when the Active Directory Installation Wizard is opened and continues until the summary page appears, regardless of whether the process terminated prematurely or completed successfully. If the installation or removal fails, detailed error messages appear in the log immediately after the step that caused the failure. When the installation or removal process is successful, the log provides positive confirmation of that fact. The Dcpromoui.log file includes the following information about the installation or removal of Active Directory:

The name of the source domain controller for replication

The directory partitions that were replicated to the target server

The number of items that were replicated in each directory partition


The services configured on the target domain controller

The access control entries (ACEs) set on the registry and files

The Sysvol directories

Applicable error messages

Applicable selections that were entered by the Administrator during the installation or removal process

Dcpromos.log The Dcpromos.log file is similar to Dcpromoui.log. Dcpromos.log is created by the user interface during the graphical user interface mode setup when a Microsoft Windows 3.x–based or Microsoft Windows 4–based domain controller is promoted to a Windows 2000 domain controller.

Dcpromo.log The Dcpromo.log file records settings used for promotion or demotion, such as the site name, the path for the Active Directory database and log files, time synchronization, and information about the computer account. The Dcpromo.log file captures the creation of the Active Directory database, Sysvol trees and the installation, modification, and removal of services. This file is created by using the Active Directory Installation Wizard.

To view the dcpromo logs, complete the following steps:

1. Open My Computer.

2. Open %Systemroot%\Debug. Double-click the desired log file.

Troubleshooting with Ntdsutil.exe: Active Directory Diagnostic Tool

The Active Directory diagnostic tool (Ntdsutil) is a command-line tool that provides management facilities for Active Directory. By default, the Ntdsutil.exe file is installed in the %Systemroot%\System32 folder. If you are an experienced administrator, you can use Ntdsutil to remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled.

Caution

Ntdsutil is intended for use by experienced administrators only. Improper use of Ntdsutil can result in partial or complete loss of Active Directory functionality. In a production environment, it’s recommended that you have a current backup of the system state data before using Ntdsutil. For information on backups, refer to Chapter 3, “Administering Active Directory.”

As part of the removal of Active Directory from a domain controller, the Active Directory Installation Wizard removes the configuration data for the domain controller from Active Directory. This data takes the form of the NTDS Settings object, which exists as a child of the server object. You can view these objects in the Sites container in the Active Directory Sites And Services console. The attributes of the NTDS Settings object include data that represent how the domain controller is identified to its replication partners, the directory partitions that are maintained on the computer, and whether or not the domain controller is a global catalog server. The NTDS Settings object is also a container that can have child objects that represent the domain controller’s direct replication partners. This data is required for the domain controller to operate within the environment, but the NTDS Settings object is removed upon the removal of Active Directory.

Removing Orphaned Metadata If the NTDS Settings object is not properly removed during the process of removing Active Directory, you can use Ntdsutil with the Metadata Cleanup option to manually remove the NTDS Settings object. Before manually removing the NTDS Settings object from any server, you must also check if replication has occurred because of the removal of Active Directory.

Note

You can learn more about using Ntdsutil to manage orphaned metadata in Chapter 3, “Administering Active Directory.” For more information about using Ntdsutil, refer to the Microsoft Windows Server 2003 Resource Kit, located on the Microsoft Web site at http://microsoft.com/windowsserver2003/techinfo/reskit/resourcekit.mspx

Removing the Domain Controller Object After you remove Active Directory from a domain controller, the object that represents the server in the Active Directory Sites And Services console remains. This condition occurs because the server object is a container object that can hold child objects that represent configuration data for other services installed on your computer. For this reason, the wizard does not automatically remove the server object.

If the server object contains any child objects named NTDS Settings, these objects represent the server as a domain controller and must be removed automatically when Active Directory is removed. If these objects are not removed automatically, or if removal of Active Directory cannot be performed (for example, if a computer has malfunctioning hardware), these objects must be removed by using Ntdsutil before you can delete the server object. You can safely delete the server object in the Active Directory Sites And Services console only after all services have been removed and no child objects exist.

To remove the domain controller object, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.

2. In the Active Directory Sites And Services console, double-click the Sites container to expand it, and then double-click the appropriate site object (the site in which the server resides) to expand the site object.

3. Double-click the Servers container, right-click the server object, and then click Delete.

4. When you are prompted to confirm deleting the object, click Yes. This process might not complete successfully for either of the following reasons:

If you receive a message that states the server is a container that contains other objects, verify that the appropriate services have been stopped before you continue.

If you receive a message that states the NTDS Settings object cannot be deleted, you might be attempting to delete an active domain controller. However, this message would only occur if the NTDS Settings object is the computer that you are trying to delete. Otherwise, the delete operation will succeed.

Troubleshooting Scenarios

Table 2-3 describes some Active Directory installation and removal troubleshooting scenarios.

Table 2-3 Active Directory Installation and Removal Troubleshooting Scenarios

Error: The computer successfully resolved the DNS service (SRV) resource record required to locate a domain controller, but it failed to locate a domain controller for the Active Directory domain.

Cause: The required A (address) resource records that map the name of the domain controller to its IP address do not exist in DNS.
Solution: Verify that the required A resource records exist in DNS by using Nslookup.

Cause: The domain controller advertised in DNS might not be connected to the network or is connected to the network but is not running.
Solution: Verify connectivity using ping and then verify that the domain controller is running.

Error: The server could not dynamically register Domain Controller Locator records because the DNS servers it uses for name resolution did not find a primary authoritative zone for these resource records.

Cause: The preferred or alternate DNS servers used by this computer for name resolution contain incorrect root hints.
Solution: Update the root hints for the DNS servers.

Cause: There are incorrect delegations in the DNS zones starting at the root and descending to the zone with the same name as the Active Directory domain name you specified.
Solution: Verify DNS zone delegations by using Nslookup.


Table 2-3 Active Directory Installation and Removal Troubleshooting Scenarios (Continued)

Error: The computer receives “Domain not found,” “Server not found,” or “RPC server is unavailable” messages.

Cause: Name registration or name resolution is not functioning correctly. This could be caused by a NetBIOS or DNS name registration or resolution problem, or a network connectivity problem.
Solution: Run Netdiag /debug on the server that is experiencing the problem to evaluate NetBIOS, DNS, registration, and services. Run Dcdiag on the domain controller to evaluate network connectivity.

Error: This computer could not locate a domain controller for the Active Directory domain displayed in the error message because the DNS servers used by this computer for name resolution failed to look up the service (SRV) resource record.

Cause: The DNS SRV resource record is not registered in DNS.
Solution: Verify that the service (SRV) resource record for the requested domain and service type exists in DNS by using Nslookup on a domain controller for the Active Directory domain you entered.

Cause: One or more of the zones listed in the error message do not include a delegation to its child zone.
Solution: Verify DNS zone delegations by using Nslookup.

Practice: Using Active Directory Installation Troubleshooting Tools

In this practice, you use Active Directory installation troubleshooting tools to perform routine troubleshooting tasks on the domain controller you created in Lesson 2.

Note

To complete this practice successfully, you must have completed the practices in Lesson 1 and Lesson 2.

Exercise 1: Performing Routine Troubleshooting Tasks

In this exercise, you perform routine troubleshooting tasks, including viewing the directory service log, using Netdiag to check domain controller connectivity, using Dcdiag to check domain controller connectivity, and viewing the Dcpromo logs.

To perform routine troubleshooting tasks

1. Log on to Server1 as Administrator using password as your password.

2. Use the procedure provided earlier in this lesson to

View the directory service log

Use Netdiag to check domain controller connectivity

Use Dcdiag to check domain controller connectivity

View the Dcpromo logs

Off the Record

In Lesson 3 of this chapter, you learned how to verify the installation of Active Directory using a variety of tools in the interface. Now that you’ve seen Dcdiag in action, you probably realize that it can also be used to verify the installation of Active Directory as well as check the system’s status. If you try to run Dcdiag on a non-domain controller, the utility will fail, telling you that the computer is not a domain controller. You should consider the utilities that are part of the Windows Support Tools a primary troubleshooting resource. Windows XP and Windows 2000 also include Support Tools that are useful in troubleshooting client, server, and domain controller computers.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions in the “Questions and Answers” section can be found at the end of this chapter.

1. What information is recorded in the directory service log?

2. How can you fix data left behind after an unsuccessful removal of Active Directory?

3. Which of the following tools are best used to evaluate network connectivity? Choose all that apply.

a. Dcpromoui.log file

b. Dcpromo.log file

c. Ntdsutil

d. Netdiag

e. Dcdiag


Lesson Summary

The Directory Service log records events, including errors, warnings, and information generated by Active Directory.

The Network Connectivity Tester (Netdiag) is a command-line, diagnostic tool that helps isolate networking and connectivity problems by performing a series of tests to determine the state of a network client.

The Domain Controller Diagnostic tool (Dcdiag) is a command-line, diagnostic tool that analyzes the state of domain controllers in a forest or enterprise and reports any problems.

The Dcpromoui.log, Dcpromos.log, and Dcpromo.log files are created when installing or removing Active Directory using the Active Directory Installation Wizard.

The Active Directory diagnostic tool (Ntdsutil) is a command-line tool that provides management facilities for Active Directory. Ntdsutil is designed to be run by an experienced administrator.

Case Scenario Exercise

You are a network consultant. You are consulting for an educational institution called Graphic Design Institute. The institute has four different departments: Information Technology Services (ITS), Administration, Marketing, and Research. The ITS department maintains the institute’s Web site (http://www.graphicdesigninstitute.com) and connection to the Internet. The Administration department primarily handles student services, such as the enrollment and transcript management and student user account creation and maintenance. The Marketing department is responsible for public awareness, sales, and advertising for the institute. Table 2-4 describes the significant details concerning the Graphic Design Institute’s network infrastructure.

Table 2-4 Graphic Design Institute Network Description

Department       Number of Users   Number of Computers   Operating Systems Used
ITS              10                25                    UNIX
Administration   5,000             5,030                 Windows 2000 Advanced Server, Windows 2000 Professional, and Windows XP
Marketing        15                20                    Windows NT 4 Workstation and Windows NT 4 Server


The Research department is newly formed. The Research department has only two employees, Mary Baker, VP of Research, and Bob Gage, Manager of Research. The Research department currently has four computers. Two of the computers are running Windows XP Professional. The other two are expected to run Windows Server 2003. Mary and Bob use the Windows XP Professional computers as their personal workstations. This department is expected to grow significantly in the near future. The ITS department has already installed a sufficient network infrastructure to support up to 200 computers. Bob plans to hire 25 new employees in the next month and another 75 in the next several months. Mary expects that her department will grow only to about 100 to 150 computers. Mary would like to centralize the department’s network administrative services and hire two people to manage the network.

The network structure for the Graphic Design Institute is outlined in Figure 2-19.

[Figure 2-19 diagram: ITS Department, UNIX DNS for graphicdesigninstitute.com; Marketing, Windows NT 4 domain; Research, Windows XP workgroup; Administration, Windows 2000 domain with Windows 2000 DNS for admin.graphicdesigninstitute.com]

Figure 2-19 Network structure for the Graphic Design Institute

The Director of the Graphic Design Institute, Laura Steele, asks you to assist Mary with the implementation of an Active Directory infrastructure in the Research department. She tells you that the company as a whole is not ready to even consider moving to Active Directory right now. Laura wants you to consider setting up Active Directory using Windows Server 2003 for only the Research department at this time. If that goes well, she says she’ll discuss doing further upgrades that involve other departments.

Given this information, answer the following questions:

1. Before you install Active Directory for the Research department, what Active Directory domain structure decisions must be made?


2. Assuming that Mary wants a separate forest for the Research department, what DNS decisions should be made before you install Active Directory?

3. If the ITS department decides to manage the Research department’s namespace, what requirements will their UNIX DNS servers need to meet?

4. If the ITS department decides that it will manage the Research department’s namespace, but it won’t allow dynamic DNS updates, what must be done manually? How often must this be done?

5. If the Research department is expected to support the DNS records required by Active Directory, what options would you have?

6. If the Research department decides to handle its own DNS namespace and they want the most secure dynamic DNS configuration possible, what would you expect to configure?

7. If the Research department wants to allow non-domain members or even non-Microsoft computers to update Windows Server 2003 computers configured as DNS servers, what type of updates must you allow?

Troubleshooting Lab

You are troubleshooting connectivity problems reported by the network administrator for the Research department, which has two Windows Server 2003 computers and 100 Windows XP Professional client computers. One of the administrators for Research reports that he sees DNS registration errors in the Event Viewer and also sees errors when he runs the Netdiag utility.


In this section, you’ll troubleshoot this problem using the DNS console and the Netdiag utility. To make this lab more realistic, you’ll actually create a problem by deleting the PDC emulator DNS record. You’ll learn the significance of the PDC emulator in Chapter 4.

To delete the PDC emulator DNS record, perform the following steps:

1. On Server1, log on as Administrator to the contoso.com domain.

2. Open the DNS console. (You can do this in one of two ways: click Start, select Administrative Tools, and then click DNS; or click Start, click Run, and type dnsmgmt.msc in the Open dialog box. Click OK.)

3. Expand the SERVER1 object. Expand the following objects: Forward Lookup Zones, _msdcs.contoso.com, pdc, and then the _tcp object.

4. Select the _ldap record in the right-hand pane. Right-click the record and then select Delete. Click Yes to confirm the deletion.

5. Right-click the _msdcs.contoso.com object and click Properties on the resulting context menu. The General tab of the _msdcs.contoso.com Properties dialog box appears.

6. Change the Dynamic Updates option box to read None.

7. Click OK.

8. Close the DNS console.

9. Restart Server1.

At this point you’ve purposely created a connectivity issue and deleted a significant DNS record. Typically, an administrator wouldn’t purposely cause such a problem. However, DNS problems due to mistakes, lack of administrator knowledge, and network connectivity issues are quite common. For example, changing the domain membership of a domain controller could potentially result in a DNS configuration error as documented in Microsoft Knowledge Base Article 311354: “Event 5781 Occurs After DC Changes Domain.”

To fix such a problem, perform the following steps:

1. On Server1, log on as Administrator.

2. Open the Event Viewer application. (You can do this in one of two ways: click Start, click All Programs, click Administrative Tools, and then click Event Viewer; or click Start, click Run, and then type eventvwr.msc in the Open dialog box. Click OK.)

3. Click the System log. You should see some Warning events in the right-hand pane that display a source of Netlogon. The time on these events should be the time you restarted Server1. There should be at least two unique messages, but there could be four or more of these events in a row. The Event IDs are 5773 and 5781, which you can see by double-clicking each Warning event. Review the information inside each Warning event and then close it. Once you’ve reviewed all of these messages, close the Event Viewer.

4. Open a command prompt.

5. In the Command Prompt window, type netdiag and press Enter. Remember, the Windows Support Tools must be installed in order for this command to work.

6. Once this utility has finished running, scroll up in the Command Prompt window until you see the DNS test section. Notice that the DNS test shows a failure. Read that message.

7. Now, you’ll attempt to repair this issue by typing netdiag /fix and then pressing Enter. Scroll up in the Command Prompt window until you see the DNS test section. Notice all of the [FATAL] messages.

Your attempt to fix the issue at this point fails because your DNS server is not accepting dynamic updates. Now you’ll switch your DNS server back to allowing dynamic updates in order to correct this issue. Remember, if you don’t allow dynamic updates, the only way to correct this issue is to enter the records manually in DNS based on the contents of the Netlogon.dns file (as described earlier in this chapter).

8. Open the DNS console and expand the SERVER1 object, the Forward Lookup Zones object, and the _msdcs.contoso.com object.

9. Right-click the _msdcs.contoso.com object and click Properties on the resulting context menu. The General tab of the _msdcs.contoso.com Properties dialog box appears.

10. Change the Dynamic Updates option box to read Secure Only. Leave the DNS console open.

11. Now, you’ll use the Netdiag utility to fix this issue. Return to the Command Prompt window and type netdiag /fix and press Enter. Once this utility has finished running, scroll up until you see the DNS test section. Notice that Netdiag has repaired the problem. The utility may still report one failure, but that issue is actually solved. You’ll see this if you run the utility one more time.

12. Type netdiag and press Enter. Scroll up to the DNS test and notice that the DNS test is entirely successful.

13. You can also verify the fix by checking the DNS console. Return to the DNS console and press the F5 key to refresh the screen. Notice that the _ldap record appears in the right-hand pane.

The Windows Support Tools are invaluable when troubleshooting configuration issues.

Netdiag is one of the first troubleshooting tools experienced administrators use because it can diagnose and even correct several issues.


Chapter Summary

■ To prepare for Active Directory installation, you must determine the domain structure, domain names, storage location of the database and log files, location of the shared system volume folder, and the DNS configuration method.

❑ Begin your domain structure with a single domain, called the forest root domain. Add domains to meet required security policy settings, which are linked to domains; to meet special administrative requirements, such as legal or privacy concerns; to optimize replication traffic; to retain Windows NT domains; or to establish a distinct namespace.

❑ The default location for the database and the database log files is %Systemroot%\Ntds, although you can specify a different location during Active Directory installation. For best performance and fault tolerance, place the database and the log file on separate hard disks that are NTFS drives.

❑ The default location for the shared system volume is %Systemroot%\Sysvol, although you can specify a different location during Active Directory installation. The shared system volume must be located on a partition or volume formatted with NTFS.

❑ You can configure a Windows Server 2003 DNS server manually or you can allow it to be configured automatically during Active Directory installation. Manual configuration of DNS to support Active Directory is required if you are using a non-Windows Server 2003 DNS server or if you want to set up a configuration other than the default configuration set up automatically during Active Directory installation.

■ You can install Active Directory using the Active Directory Installation Wizard, by using an answer file to perform an unattended installation, by using the network or backup media, or by using the Configure Your Server Wizard.

❑ The Active Directory Installation Wizard is the main tool used to install Active Directory. You use the dcpromo command to start the Active Directory Installation Wizard.

❑ You can create an answer file to run the Active Directory Installation Wizard. The answer file can be a part of the answer file used to install Windows Server 2003, or it can install only Active Directory and run after Windows Server 2003 Setup is complete. You can use the network or backup media to install Active Directory on additional domain controllers for an existing domain.

❑ You can remove Active Directory from an existing domain controller and demote it to either a stand-alone server or a member server by using the dcpromo command.


■ Troubleshooting Active Directory installation and removal involves using the directory service log; the Netdiag, Dcdiag, and Ntdsutil command-line tools; and the Dcpromoxx.log files to solve Active Directory installation and removal-related problems.

Exam Highlights

Before taking the exam, review the key points and terms that are presented in this chapter. You need to know this information.

Key Points

■ Before you can install Active Directory, you must determine the domain structure, domain names, storage location of the database and log files, location of the shared system volume folder, and the DNS configuration method.

■ You can install Active Directory using the Configure Your Server Wizard or the Active Directory Installation Wizard, by using an answer file to perform an unattended installation, or by using the network or backup media.

■ You can remove Active Directory from an existing domain controller and demote it to either a stand-alone server or a member server by using the Dcpromo command.

■ You can troubleshoot Active Directory installation and removal by using the Directory Service log; the Netdiag, Dcdiag, and Ntdsutil command-line tools; and the Dcpromoxx.log files.

Key Terms

Active Directory Installation Wizard

The tool that is used to install and remove Active Directory.

Configure Your Server Wizard

The tool that helps assign roles to a server, including the role of domain controller.

domain name

The name given by an administrator to a collection of networked computers that share a common directory. Part of the DNS naming structure, domain names consist of a sequence of name labels separated by periods.

forest root domain

The first domain created in a new forest.


Questions and Answers

Lesson 1 Review

1. What are the reasons to create more than one child domain under a dedicated root domain?

The reasons to create more than one child domain under the dedicated root are to meet required security policy settings, which are linked to domains; to meet special administrative requirements, such as legal or privacy concerns; to optimize replication traffic; to retain Windows NT domains; and to establish a distinct namespace.

2. What is a forest root domain?

A forest root domain is the first domain you create in an Active Directory forest. The forest root domain must be centrally managed by an IT organization that is responsible for making domain hierarchy, naming, and policy decisions.

3. For best performance and fault tolerance, where should you store the database and log files?

For best performance and fault tolerance, it’s recommended that you place the database and the log file on separate hard disks that are NTFS drives, although NTFS is not required.

4. What is the function of the shared system volume folder and where is the default storage location of the folder?

The shared system volume folder stores public files that must be replicated to other domain controllers, such as logon scripts and some of the GPOs, for both the current domain and the enterprise. The default location for the shared system volume folder is %Systemroot%\Sysvol. The shared system folder must be placed on an NTFS drive.

5. Which of the following is not a valid reason for creating an additional domain?

a. To meet SAM size limitations

b. To meet required security policy settings, which are linked to domains

c. To meet special administrative requirements, such as legal or privacy concerns

d. To optimize replication traffic

The correct answer is a. In Windows NT, the SAM database had a limitation of about 40,000 objects per domain. In Windows Server 2003, each domain can contain more than 1 million objects, so it is no longer necessary to define a new domain just to handle more objects.

Lesson 2 Review

1. What command must you use to install Active Directory using the Active Directory Installation Wizard?

Use the Dcpromo command to install Active Directory using the Active Directory Installation Wizard.


2. What items are installed when you use the Active Directory Installation Wizard to install Active Directory?

The Active Directory Installation Wizard installs Active Directory, creates the full domain name, assigns the NetBIOS name for the domain, sets the Active Directory database and log folder location, sets the shared system volume folder location, and installs DNS and a preferred DNS server if you requested DNS installation.

3. Explain the two ways you can use an answer file to install Active Directory.

An answer file that is used to install Windows Server 2003 can also include the installation of Active Directory. Or, you can create an answer file that installs only Active Directory and is run after Windows Server 2003 Setup is complete and you have logged on to the system.

4. What command must you use to install Active Directory using the network or backup media?

Use the Dcpromo /adv command to install Active Directory using the network or backup media.

5. Which of the following commands is used to demote a domain controller?

a. Dcdemote

b. Dcinstall

c. Dcpromo

d. Dcremove

The correct answer is c. You use the Dcpromo command to demote a domain controller.

Lesson 3 Review

1. After Active Directory has been installed, how can you verify the domain configuration?

You can verify the domain configuration in three steps by using the Active Directory Users And Computers console. First, you verify that your domain is correctly named by finding it in the console tree. Second, you double-click the domain, click the Domain Controllers container, and verify that your domain controller appears and is correctly named by finding it in the details pane. Third, you double-click the server and verify that all information is correct on the tabs in the Properties dialog box for the server.

2. After Active Directory has been installed, how can you verify the DNS configuration?

You can verify DNS configuration by viewing the set of default SRV resource records on the DNS server in the DNS console.

3. After Active Directory has been installed, how can you verify DNS integration with Active Directory?

You can verify DNS integration by viewing the Type setting and the Dynamic Updates setting in the General tab in the Properties dialog box for the DNS zone and the Load Zone Data On Startup setting in the Advanced tab in the Properties dialog box for the DNS server.


4. After Active Directory has been installed, how can you verify installation of the shared system volume?

You can verify installation of the shared system volume by opening %Systemroot%\Sysvol or the location you specified during Active Directory installation and verifying that the Sysvol folder contains a shared Sysvol folder and that the shared Sysvol folder contains a folder for the domain, which contains a shared Scripts and a Policies folder.

Lesson 4 Review

1. What information is recorded in the directory service log?

Active Directory records events, including errors, warnings, and information that it generates, in the directory service log in Event Viewer.

2. How can you fix data left behind after an unsuccessful removal of Active Directory?

First, you must remove the orphaned metadata—NTDS Settings objects—using Ntdsutil. Then you must remove the domain controller object in the Active Directory Sites And Services console. You can safely delete the domain controller object only after all services have been removed and no child objects exist.

3. Which of the following tools are best used to evaluate network connectivity? Choose all that apply.

a. Dcpromoui.log file

b. Dcpromo.log file

c. Ntdsutil

d. Netdiag

e. Dcdiag

The correct answers are d and e. Netdiag and Dcdiag are the tools best suited to evaluate network connectivity. The Dcpromoui and Dcpromo log files log events during the installation process, and Ntdsutil provides management facilities for Active Directory.

Case Scenario Exercise

1. Before you install Active Directory for the Research department, what Active Directory domain structure decisions must be made?

Mary must decide whether to install a completely new forest, install a new domain tree, or become part of an existing domain. For example, the Research department could become part of the Windows 2000 Administrative domain, using its Windows Server 2003 domain controllers as replica servers. Given what Laura told you, the decision will probably be to install a new forest root.

2. Assuming that Mary wants a separate forest for the Research department, what DNS decisions should be made before you install Active Directory?

You must determine whether Research or the ITS department will manage that namespace. You also need to know what namespace the new Research domain will use. For example, does Mary want the new domain known as research.graphicdesigninstitute.com or something else?

3. If the ITS department decides to manage the Research department’s namespace, what requirements will their UNIX DNS servers need to meet?

The UNIX DNS servers must be able to support SRV records.

4. If the ITS department decides that it will manage the Research department’s namespace, but it won’t allow dynamic DNS updates, what must be done manually? How often must this be done?

The SRV records must be entered manually from each domain controller’s Netlogon.dns file.

This will have to be done each time there is an infrastructure change to the domain or to any domain controller. For example, if the IP address or server name of a domain controller changes, you’ll have to update the DNS SRV records as well as the DNS A (Host) records. If you add or remove a site or global catalog server, the SRV records will also require an update.
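As an added illustration of the manual-entry case in this answer and of the PDC emulator record that the Troubleshooting Lab earlier in this chapter deletes and then re-registers, the following Python script (not from the book) parses a Netlogon.dns-style record listing, compares it with the records present in a zone, and reports the SRV records that would have to be entered by hand. Both inputs are constructed for this example, and the function names are my own.

```python
"""Report SRV records a domain controller expects (its Netlogon.dns file)
that are missing from a DNS zone.

Added example, not from the training kit. Both inputs are constructed:
NETLOGON_DNS imitates the one-record-per-line layout of Netlogon.dns
(owner, TTL, class, type, rdata), and ZONE_DUMP imitates the zone after
the _ldap record under pdc._msdcs has been deleted, as in the lab.
"""
from dataclasses import dataclass

# Constructed: the records Server1's Netlogon service would try to register.
NETLOGON_DNS = """\
contoso.com. 600 IN A 10.0.0.10
_ldap._tcp.contoso.com. 600 IN SRV 0 100 389 server1.contoso.com.
_ldap._tcp.pdc._msdcs.contoso.com. 600 IN SRV 0 100 389 server1.contoso.com.
_kerberos._tcp.contoso.com. 600 IN SRV 0 100 88 server1.contoso.com.
_gc._tcp.contoso.com. 600 IN SRV 0 100 3268 server1.contoso.com.
"""

# Constructed: zone content after the PDC emulator SRV record was deleted.
ZONE_DUMP = """\
contoso.com. 600 IN A 10.0.0.10
_ldap._tcp.contoso.com. 600 IN SRV 0 100 389 server1.contoso.com.
_kerberos._tcp.contoso.com. 600 IN SRV 0 100 88 server1.contoso.com.
_gc._tcp.contoso.com. 600 IN SRV 0 100 3268 server1.contoso.com.
"""


@dataclass(frozen=True)
class SrvRecord:
    owner: str      # e.g. _ldap._tcp.pdc._msdcs.contoso.com
    priority: int
    weight: int
    port: int
    target: str     # e.g. server1.contoso.com


def parse_srv_records(text):
    """Return the set of SRV records in a Netlogon.dns or zone-style listing.

    Lines for other record types (A, CNAME, ...) are ignored. Owner and
    target names are lowercased and stripped of the trailing dot so that
    the comparison is neither case- nor dot-sensitive.
    """
    records = set()
    for line in text.splitlines():
        fields = line.split()
        # Expected layout: owner ttl class type priority weight port target
        if len(fields) != 8:
            continue
        if fields[2].upper() != "IN" or fields[3].upper() != "SRV":
            continue
        records.add(SrvRecord(
            owner=fields[0].rstrip(".").lower(),
            priority=int(fields[4]),
            weight=int(fields[5]),
            port=int(fields[6]),
            target=fields[7].rstrip(".").lower(),
        ))
    return records


def missing_srv_records(netlogon_text, zone_text):
    """SRV records the DC expects that the zone lacks, sorted by owner name."""
    expected = parse_srv_records(netlogon_text)
    present = parse_srv_records(zone_text)
    return sorted(expected - present, key=lambda r: (r.owner, r.target))


def format_for_manual_entry(record):
    """Render a record in the form an administrator would re-create by hand
    when the zone does not accept dynamic updates."""
    return (f"{record.owner}. IN SRV {record.priority} {record.weight} "
            f"{record.port} {record.target}.")


if __name__ == "__main__":
    # With the constructed inputs, only the PDC emulator record is reported.
    for rec in missing_srv_records(NETLOGON_DNS, ZONE_DUMP):
        print("MISSING:", format_for_manual_entry(rec))
```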

5. If the Research department is expected to support the DNS records required by Active Directory, what options would you have?

Probably the most obvious, and certainly the simplest, option is to ask the ITS department to delegate the research.graphicdesigninstitute.com namespace to the Research department. The other option would be to have the Research department manage those portions of the namespace that include SRV records. Those portions begin with _msdcs, _sites, _tcp, and _udp. Delegation is only necessary if other departments and/or users from the Internet need to be able to contact the Research domain resources and hosts using host names.

6. If the Research department decides to handle its own DNS namespace and they want the most secure dynamic DNS configuration possible, what would you expect to configure?

Set the Research department’s DNS servers to support Secure Only updates. This will work as long as all Research department computers are members of the Active Directory domain.

7. If the Research department wants to allow non-domain members or even non-Microsoft computers to update Windows Server 2003 computers configured as DNS servers, what type of updates must you allow?

Secure and non-secure dynamic updates.

Chapter 3 Administering Active Directory

Exam Objectives in this Chapter:

■ Set an Active Directory forest and domain functional level based upon requirements

■ Manage schema modifications

■ Add or remove a UPN suffix

■ Restore Active Directory directory service

■ Perform an authoritative restore

■ Perform a nonauthoritative restore

■ Diagnose and resolve issues related to the Active Directory database

Why This Chapter Matters

The information in this chapter shows you how to use various tools to administer Active Directory. Both graphical and command-line tools are available. The graphical tools are typically easier to use, especially for simple and unique tasks.

Many of the command-line tools are quite useful when troubleshooting or automating processes. No matter how you decide to administer Active Directory, you should be sure to back up your Active Directory database routinely. Despite many technological advances, people still make mistakes and equipment sometimes fails. If someone accidentally deletes an Active Directory container object, or if a server crashes, you might need to restore from backup.

The Active Directory Domains And Trusts console, the Active Directory Sites And Services console, and the Active Directory Users And Computers console are the main tools for handling Active Directory—it’s important to know what function each console serves. Windows Support Tools are also available; you must know how to install them to be able to administer the fine points of Active Directory.

Microsoft Management Consoles (MMCs) allow you to administer Active Directory from remote locations or to allow other administrators to manage Active Directory. This chapter shows you how to create and work with MMCs. Finally, you use the Backup Or Restore Wizard to create backups of Active Directory and perform a restore. Being able to maintain effective backups and having the ability to restore Active Directory from backup is vital for effective system administration.


Chapter 3 Administering Active Directory

Lessons in this Chapter:

Lesson 1: Using Active Directory Administration Tools . . . . . . . . . . . . . . . 3-3

Lesson 2: Customizing MMCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17

Lesson 3: Backing Up Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . 3-29

Lesson 4: Restoring Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . 3-44

Before You Begin

To complete the lessons in this chapter, you must:

■ Prepare your test environment according to the descriptions given in the “Getting Started” section of “About This Book”

■ Complete the practices for installing and configuring Active Directory as discussed in Chapter 2, “Installing and Configuring Active Directory”


Lesson 1: Using Active Directory Administration Tools

The powerful and flexible Active Directory administration tools that are included with Windows Server 2003 simplify directory service administration. The Active Directory administrative consoles enable you to administer the Active Directory directory service. A number of additional Active Directory administration tools are available in the Windows Support Tools. This lesson introduces the Active Directory administrative consoles and Windows Support Tools that are used to configure, manage, and debug Active Directory.

After this lesson, you will be able to

■ Describe the functions of the Active Directory Users And Computers administrative console

■ Describe the functions of the Active Directory Sites And Services administrative console

■ Describe the functions of the Active Directory Domains And Trusts administrative console

■ Describe the functions of the Active Directory Schema snap-in

■ Change the domain functional level

■ Change the forest functional level

■ Add or remove a UPN suffix

■ Explain the purpose of each of the Windows Support Tools that pertain to Active Directory

Estimated lesson time: 20 minutes

Active Directory Administration Tools

Two main tools are used to administer Active Directory:

■ Active Directory administrative consoles

■ Active Directory–specific tools in Windows Support Tools

Active Directory Administrative Consoles

The Active Directory administrative consoles are installed automatically on computers configured as Windows Server 2003 domain controllers when Active Directory is installed. The administrative consoles can also be installed on other servers running Windows Server 2003 using the optional Administrative Tools package. This enables you to administer Active Directory from a computer that is not a domain controller. The following administrative consoles are available on the Administrative Tools menu of all Windows Server 2003 domain controllers:

■ Active Directory Domains And Trusts console

■ Active Directory Sites And Services console

■ Active Directory Users And Computers console


The Active Directory Schema snap-in is also available on a computer configured as a domain controller, but must be installed manually.

Active Directory Domains And Trusts Console

The Active Directory Domains And Trusts console provides the interface to manage domains and manage trust relationships between forests and domains. Using Active Directory Domains And Trusts, you can:

■ Provide interoperability with other domains (such as pre–Microsoft Windows 2000 domains or domains in other Windows Server 2003 forests) by managing explicit domain trusts. Trusts are discussed in detail in Chapter 4, “Installing and Managing Domains, Trees, and Forests.”

■ Change the domain functional level (formerly known as a domain mode) of a Windows Server 2003 domain from Windows 2000 mixed to the Windows 2000 native or Windows Server 2003 functional level.

■ Change the forest functional level from Windows 2000 to the Windows Server 2003 functional level.

■ Add and remove alternate user principal name (UPN) suffixes used to create user logon names.

■ Transfer the domain naming operations master role from one domain controller to another. Operations master roles are discussed in detail in Chapter 4, “Installing and Managing Domains, Trees, and Forests.”

Domain Functional Levels

As you learned in Chapter 1, domain functional levels (formerly known as domain modes) provide a way to enable domain-wide Active Directory features within your network environment. Four domain functional levels are available: Windows 2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003.

■ Windows 2000 mixed: When you first install or upgrade a domain controller to a Windows Server 2003 operating system, the domain controller is set to run in Windows 2000 mixed functionality. The Windows 2000 mixed functional level allows a Windows Server 2003 domain controller to interact with domain controllers in the domain running Microsoft Windows NT 4, Windows 2000, or Windows Server 2003.

■ Windows 2000 native: The Windows 2000 native functional level allows a domain controller running the Windows Server 2003 operating system to interact with domain controllers in the domain running Windows 2000 or Windows Server 2003. You can raise the functional level of a domain to Windows 2000 native if the domain controllers in the domain are all running Windows 2000 Server or later.

■ Windows Server 2003 interim: The Windows Server 2003 interim functional level allows a domain controller running the Windows Server 2003 operating system to interact with domain controllers in the domain running Windows NT 4 or Windows Server 2003. The Windows Server 2003 interim functional level is an option only when upgrading the first Windows NT domain to a new forest and can be manually configured after the upgrade. This functional level does not support domain controllers running Windows 2000.

■ Windows Server 2003: The Windows Server 2003 functional level allows a domain controller running the Windows Server 2003 operating system to interact only with domain controllers in the domain running Windows Server 2003. You can raise the functional level of a domain to Windows Server 2003 only if all domain controllers in the domain are running Windows Server 2003.

Real World

Integrating Windows Server 2003 into Existing Domains

If you plan to install Windows Server 2003 servers configured as domain controllers into an existing Windows 2000 domain, you’ll have to run the Adprep.exe command-line utility. This utility is located in the I386 directory of the Windows Server 2003 installation CD-ROM. You’ll have to run the command adprep /forestprep on your existing Windows 2000 Server domain controller holding the schema operations master role. You’ll have to run adprep /domainprep on the Windows 2000 Server domain controller holding the infrastructure operations master role. Be sure to search for articles concerning ADPREP at http://support.microsoft.com before you actually run these commands.

When you convert from the Windows 2000 mixed or Windows Server 2003 interim functional level to the Windows 2000 native or Windows Server 2003 functional level, keep in mind the following:

■ Support for pre–Windows 2000 replication ceases. Because pre–Windows 2000 replication is gone, you can no longer have any domain controllers in your domain that are not running Windows 2000 Server or later.

■ You can no longer add new pre–Windows 2000 domain controllers to the domain.

■ The server that served as the primary domain controller during migration is no longer the domain master; all domain controllers begin acting as peers.

Note

The change in domain functional level is one-way only; you cannot change from the Windows 2000 native or Windows Server 2003 functional level to the Windows 2000 mixed or Windows Server 2003 interim functional level.

Table 3-1 describes the domain-wide features that are enabled for their corresponding domain functional level.

3-6

Chapter 3 Administering Active Directory

Table 3-1 Features Enabled by Domain Functional Level

Domain Feature | Windows 2000 Mixed | Windows 2000 Native | Windows Server 2003
Domain controller rename tool | Disabled | Disabled | Enabled
Update logon timestamp | Disabled | Disabled | Enabled
User password on InetOrgPerson object | Disabled | Disabled | Enabled
Universal Groups | Disabled for security groups. Enabled for distribution groups. | Enabled. Allows security and distribution groups. | Enabled. Allows security and distribution groups.
Group Nesting | Enabled for distribution groups. Disabled for security groups, except for domain local security groups that can have global groups as members. | Enabled. Allows full group nesting. | Enabled. Allows full group nesting.
Converting Groups | Disabled. No group conversions allowed. | Enabled. Allows conversion between security groups and distribution groups. | Enabled. Allows conversion between security groups and distribution groups.
SID History | Disabled | Enabled. Allows migration of security principals from one domain to another. | Enabled. Allows migration of security principals from one domain to another.

Exam Tip

Be able to distinguish between the domain functional levels.

To change the domain functional level to Windows 2000 native or Windows Server 2003, complete the following steps:

1. Click Start, select Administrative Tools, and then click Active Directory Domains And Trusts.

2. Right-click the domain and then click Raise Domain Functional Level.

3. In the Raise Domain Functional Level dialog box, in the Select An Available Domain Functional Level list, select the domain functionality you want. Click Raise.

4. In the Raise Domain Functional Level message box, click OK.

Lesson 1 Using Active Directory Administration Tools


Forest Functional Levels

Forest functional levels provide a way to enable forestwide Active Directory features within your network environment. Three forest functional levels are available: Windows 2000 (default), Windows Server 2003 interim, and Windows Server 2003.

■ Windows 2000 When you first install or upgrade a domain controller to a Windows Server 2003 operating system, the forest is set to run in the Windows 2000 functional level. The Windows 2000 functional level allows a Windows Server 2003 domain controller to interact with domain controllers in the forest running Windows NT 4, Windows 2000, or Windows Server 2003.

■ Windows Server 2003 interim The Windows Server 2003 interim functional level allows a domain controller running the Windows Server 2003 operating system to interact with domain controllers in the forest running Windows NT 4 or Windows Server 2003. The Windows Server 2003 interim functional level is an option only when upgrading the first Windows NT domain to a new forest and can be manually configured after the upgrade. This functional level does not support domain controllers running Windows 2000.

■ Windows Server 2003 The Windows Server 2003 functional level allows a domain controller running the Windows Server 2003 operating system to interact only with domain controllers in the forest running Windows Server 2003. You can raise the functional level of a forest to Windows Server 2003 only if all domain controllers in the forest are running Windows Server 2003 and every domain in the forest is at the Windows 2000 native or Windows Server 2003 domain functional level; a domain still at Windows 2000 native is raised to Windows Server 2003 automatically as part of the forest raise. A domain at Windows 2000 mixed blocks the forest raise until its own level has been raised.

Once the forest functional level has been raised, domain controllers running earlier operating systems cannot be introduced into the forest. Table 3-2 describes the forestwide features that are enabled for their corresponding functional levels.

Table 3-2 Features Enabled by Forest Functional Levels

Each entry gives the status of the feature at the Windows 2000, Windows Server 2003 interim, and Windows Server 2003 forest functional levels.

Global catalog replication improvements
Windows 2000: Enabled if both replication partners are running Windows Server 2003. Otherwise, disabled.
Windows Server 2003 interim: Enabled if both replication partners are running Windows Server 2003. Otherwise, disabled.
Windows Server 2003: Enabled

Defunct schema objects
Windows 2000: Disabled
Windows Server 2003 interim: Disabled
Windows Server 2003: Enabled

Forest trusts
Windows 2000: Disabled
Windows Server 2003 interim: Disabled
Windows Server 2003: Enabled

Linked value replication
Windows 2000: Disabled
Windows Server 2003 interim: Enabled
Windows Server 2003: Enabled

Domain rename
Windows 2000: Disabled
Windows Server 2003 interim: Disabled
Windows Server 2003: Enabled

Improved Active Directory replication algorithms
Windows 2000: Disabled
Windows Server 2003 interim: Enabled
Windows Server 2003: Enabled

Dynamic auxiliary classes
Windows 2000: Disabled
Windows Server 2003 interim: Disabled
Windows Server 2003: Enabled

InetOrgPerson objectClass change
Windows 2000: Disabled
Windows Server 2003 interim: Disabled
Windows Server 2003: Enabled

Exam Tip

Be able to distinguish between the forest functional levels.

To change the forest functional level to Windows Server 2003, complete the following steps:

1. Click Start, select Administrative Tools, and then click Active Directory Domains And Trusts.

2. Right-click the Active Directory Domains And Trusts node and then click Raise Forest Functional Level.

3. In the Raise Forest Functional Level dialog box, click Raise.

4. In the Raise Forest Functional Level message box, click OK.
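The two procedures above (raising the domain level, then the forest level) as one added PowerShell example; it is not from the training kit. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later, which postdates this book) and a domain controller running Active Directory Web Services; the function names are the example's own. It reads the raw attributes the dialog boxes reflect, refuses to proceed while any domain controller in any domain is below Windows Server 2003, and runs with -WhatIf unless -Commit is given, because the change is one-way.

```powershell
# Added example, not from the training kit. Assumes the ActiveDirectory module
# and a DC running Active Directory Web Services; run as a member of
# Enterprise Admins. Function names are the example's own.
Import-Module ActiveDirectory

# Windows Server 2003 is NT kernel 5.2; every DC must be at or above this
# before a domain or the forest can be raised to Windows Server 2003.
$Windows2003Kernel = [version]'5.2'

function Get-DomainControllersBelow {
    param([string]$Domain, [version]$Minimum)
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        # OperatingSystemVersion looks like "5.2 (3790)"; keep the leading number.
        $ver = [version](($dc.OperatingSystemVersion -split ' ')[0])
        if ($ver -lt $Minimum) { $dc.HostName }
    }
}

function Show-FunctionalLevels {
    $forest = Get-ADForest
    "Forest {0}: {1}" -f $forest.RootDomain, $forest.ForestMode
    foreach ($name in $forest.Domains) {
        $dom = Get-ADDomain -Identity $name
        # The GUI derives the level from two attributes on the domain head:
        # msDS-Behavior-Version 0 with ntMixedDomain 1 = Windows 2000 mixed,
        # 0 with ntMixedDomain 0 = Windows 2000 native,
        # 1 = Windows Server 2003 interim, 2 = Windows Server 2003.
        $raw = Get-ADObject -Identity $dom.DistinguishedName -Server $name `
                   -Properties 'msDS-Behavior-Version', 'ntMixedDomain'
        "  Domain {0}: {1} (msDS-Behavior-Version={2}, ntMixedDomain={3})" -f `
            $name, $dom.DomainMode, $raw.'msDS-Behavior-Version', $raw.ntMixedDomain
    }
}

function Invoke-RaiseToWindowsServer2003 {
    param([switch]$Commit)   # without -Commit nothing is changed (WhatIf only)
    $forest = Get-ADForest
    # One pre-2003 DC anywhere in the forest blocks the forest raise, so check every domain.
    $blocking = foreach ($name in $forest.Domains) {
        Get-DomainControllersBelow -Domain $name -Minimum $Windows2003Kernel
    }
    if ($blocking) {
        Write-Warning ('Not raising: domain controllers below Windows Server 2003: ' + ($blocking -join ', '))
        return $false
    }
    foreach ($name in $forest.Domains) {
        # Target the PDC emulator, the DC on which the level change is made.
        $pdc = (Get-ADDomain -Identity $name).PDCEmulator
        Set-ADDomainMode -Identity $name -DomainMode Windows2003Domain -Server $pdc `
                         -WhatIf:(-not $Commit) -Confirm:$false
    }
    Set-ADForestMode -Identity $forest.RootDomain -ForestMode Windows2003Forest `
                     -Server $forest.SchemaMaster -WhatIf:(-not $Commit) -Confirm:$false
    return $true
}

Show-FunctionalLevels
Invoke-RaiseToWindowsServer2003      # dry run; add -Commit to make the one-way change
```

Run Show-FunctionalLevels again after a committed raise: the ntMixedDomain value drops to 0 and msDS-Behavior-Version rises to 2, which is what Active Directory Domains And Trusts reads when it reports the level, and there is no cmdlet that lowers either value.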

UPN Suffixes

A UPN suffix is the part of a UPN to the right of the @ character. The default UPN suffix for a user account is the Domain Name System (DNS) domain name of the domain that contains the user account. You can add alternative UPN suffixes to simplify administration and user logon processes by providing a single UPN suffix for all users. The UPN suffix is only used within the Active Directory forest and is not required to be a valid DNS domain name.

Using alternative domain names as the UPN suffix can provide additional logon security and simplify the names used to log on to another domain in the forest. For example, if your organization uses a deep domain tree, such as one organized by department and region, the domain name can be long. The default UPN for a user in such a domain might be user@sales.chi.contoso.com. Creating a UPN suffix of “contoso” would allow the user to log on using the much simpler logon name of user@contoso.

If you create an alternative UPN, the UPN is then available when you create users by using Active Directory Users And Computers.

To add or remove UPN suffixes, complete the following steps:

1. Click Start, select Administrative Tools, and then click Active Directory Domains And Trusts.

2. Right-click the Active Directory Domains And Trusts node and then click Properties.

3. In the Active Directory Domains And Trusts dialog box, on the UPN Suffixes tab, shown in Figure 3-1, do one of the following:

❑ To add a UPN suffix, type an alternative UPN suffix in the Alternative UPN Suffixes box, and then click Add.

❑ To remove a UPN suffix, select the suffix in the Alternative UPN Suffixes box, and then click Remove. In the Active Directory Domains And Trusts message box, click Yes.

4. Click OK.
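The same add, remove, and assign operations as an added PowerShell example, not from the training kit. It assumes the ActiveDirectory module (later than this book; on Windows Server 2003 itself the list is edited on the UPN Suffixes tab or, with ADSI Edit, on the Partitions container) and a domain controller running Active Directory Web Services. Function names and the account name "user" are the example's own. It adds the check a practitioner wants before removing a suffix: accounts that already carry it are not rewritten by the removal.

```powershell
# Added example, not from the training kit. Assumes the ActiveDirectory module and
# a DC running Active Directory Web Services; run as an Enterprise Admin.
# Function names are the example's own.
Import-Module ActiveDirectory

function Get-UpnSuffixes {
    # The alternative suffixes entered on the UPN Suffixes tab are stored in the
    # uPNSuffixes attribute of the Partitions container in the configuration
    # partition, which is why the tab is forest-wide.
    $partitionsDn = 'CN=Partitions,' + (Get-ADRootDSE).configurationNamingContext
    @((Get-ADObject -Identity $partitionsDn -Properties uPNSuffixes).uPNSuffixes)
}

function Get-ValidUpnSuffixes {
    # Every domain's DNS name is always usable as a suffix, plus the alternative ones.
    @((Get-ADForest).Domains) + (Get-UpnSuffixes)
}

function Add-UpnSuffix {
    param([Parameter(Mandatory)][string]$Suffix)
    # Use a name your organization owns: a suffix that matches someone else's DNS
    # name, or that a trusted forest also registers, makes UPN logons ambiguous.
    Get-ADForest | Set-ADForest -UPNSuffixes @{ Add = $Suffix }
}

function Get-UsersWithUpnSuffix {
    param([Parameter(Mandatory)][string]$Suffix)
    Get-ADUser -LDAPFilter "(userPrincipalName=*@$Suffix)" -Properties userPrincipalName |
        Select-Object SamAccountName, UserPrincipalName
}

function Remove-UpnSuffix {
    param([Parameter(Mandatory)][string]$Suffix)
    # Removing a suffix does not rewrite userPrincipalName on accounts that use it.
    $inUse = @(Get-UsersWithUpnSuffix -Suffix $Suffix)
    if ($inUse.Count -gt 0) {
        Write-Warning "$($inUse.Count) account(s) still use @$Suffix; change them first."
        return $inUse
    }
    Get-ADForest | Set-ADForest -UPNSuffixes @{ Remove = $Suffix }
}

function Set-UserUpnSuffix {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$Suffix)
    if ((Get-ValidUpnSuffixes) -notcontains $Suffix) {
        throw "'$Suffix' is not a registered UPN suffix in this forest; add it first."
    }
    Set-ADUser -Identity $SamAccountName -UserPrincipalName "${SamAccountName}@${Suffix}"
}

# The lesson's scenario: register "contoso" and give an account in
# sales.chi.contoso.com the shorter logon name user@contoso.
Add-UpnSuffix -Suffix 'contoso'
Set-UserUpnSuffix -SamAccountName 'user' -Suffix 'contoso'
Get-UsersWithUpnSuffix -Suffix 'contoso'
```

Set-UserUpnSuffix refuses a suffix that is neither a domain name nor on the forest list, which is the same constraint Active Directory Users And Computers applies by offering only registered suffixes in its drop-down.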


Figure 3-1 UPN Suffixes tab

Active Directory Sites And Services Console You provide information about the physical structure of your network by publishing sites to Active Directory using the Active Directory Sites And Services console. Active Directory uses this information to determine how to replicate directory information and handle service requests. Sites are discussed in more detail in Chapter 5, “Configuring Sites and Managing Replication.”

Active Directory Users And Computers Console The Active Directory Users And Com­ puters console allows you to add, modify, delete, and organize Windows Server 2003 user accounts, computer accounts, security and distribution groups, and published resources in your organization’s directory. It also allows you to manage domain controllers and organizational units (OUs).

Active Directory Schema Snap-In The Active Directory Schema snap-in is available so you can view and modify the Active Directory schema. By default, the snap-in is not available on the Administrative Tools menu. You must register its DLL from the command line and then create an MMC for it. This step is meant to keep the schema from being modified by accident; it is not an access control. Writing to the schema additionally requires membership in the Schema Admins group and a connection to the domain controller that holds the schema master role.

To install the Active Directory Schema snap-in, complete the following steps:

1. Log on as an Administrator.

2. Click Start, and then click Command Prompt.

3. Type regsvr32 schmmgmt.dll and press Enter.

4. Click Start, and then click Run.

5. In the Run box, type mmc and then click OK.

6. On the File menu, click Add/Remove Snap-In.

7. In the Add/Remove Snap-In dialog box, click Add.

8. In the Add Standalone Snap-In dialog box, in the Snap-In column, double-click Active Directory Schema, then click Close.

9. In the Add/Remove Snap-In dialog box, click OK.

10. To save this console, on the File menu, click Save. In the Save As dialog box, ensure that Administrative Tools is shown in the Save In box. Then type Active Directory Schema in the File Name box and click Save. The Active Directory Schema snap-in is now available from the Administrative Tools menu.

11. Close the Active Directory Schema snap-in.
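Registering the snap-in only makes the schema visible; the controls that actually decide who can change it are Schema Admins membership and the schema master role. The following added PowerShell example, not from the training kit, reports those controls so they can be checked before and after a planned schema change. It assumes the ActiveDirectory module and a domain controller running Active Directory Web Services; the function names are the example's own.

```powershell
# Added example, not from the training kit. Assumes the ActiveDirectory module and a
# DC running Active Directory Web Services. Function names are the example's own.
Import-Module ActiveDirectory

function Get-SchemaChangeControls {
    $forest  = Get-ADForest
    $rootDse = Get-ADRootDSE
    # The schema partition head carries objectVersion (raised by adprep /forestprep)
    # and whenChanged, a quick way to see whether the schema has been touched.
    $schema = Get-ADObject -Identity $rootDse.schemaNamingContext `
                           -Properties objectVersion, whenChanged
    # Schema Admins is the group in the forest root domain with RID 518; looking it
    # up by SID avoids depending on a localized or renamed group name.
    $rootDomain   = Get-ADDomain -Identity $forest.RootDomain
    $schemaAdmins = Get-ADGroup -Identity "$($rootDomain.DomainSID.Value)-518" -Server $forest.RootDomain
    $members      = @(Get-ADGroupMember -Identity $schemaAdmins -Recursive -Server $forest.RootDomain)
    [pscustomobject]@{
        SchemaMaster        = $forest.SchemaMaster   # the only DC that accepts schema writes
        SchemaObjectVersion = $schema.objectVersion
        SchemaLastChanged   = $schema.whenChanged
        SchemaAdminMembers  = @($members | Select-Object -ExpandProperty SamAccountName)
    }
}

function Test-SchemaAdminsEmpty {
    # Outside a planned schema change nobody should hold standing Schema Admins
    # membership; add an account for the change and remove it afterwards.
    $state = Get-SchemaChangeControls
    if ($state.SchemaAdminMembers.Count -gt 0) {
        Write-Warning ('Schema Admins has standing members: ' + ($state.SchemaAdminMembers -join ', '))
        return $false
    }
    return $true
}

Get-SchemaChangeControls
Test-SchemaAdminsEmpty
```

Record the objectVersion and whenChanged values before the change; a later whenChanged with no corresponding change record is the signal to investigate, since schema changes replicate to every domain controller in the forest and cannot be undone by deleting the object.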

See Also

Modifying the Active Directory schema is an advanced operation that is best performed by experienced programmers or system administrators. For detailed information about modifying the Active Directory schema, see the Microsoft Windows Server 2003 Resource Kit, located on the Microsoft Web site at http://www.microsoft.com/windowsserver2003/techinfo/reskit/resourcekit.mspx.

For further information about using MMCs, refer to Lesson 2.

Active Directory–Specific Windows Support Tools

In Chapter 2, you installed the Windows Support Tools to assist you in troubleshooting Active Directory installation. In addition, several tools that can be used to configure, manage, and debug Active Directory are available in the Windows Support Tools. The Windows Support Tools are included on the Windows Server 2003 CD in the \Support\Tools folder. These tools are intended for use by Microsoft support personnel and experienced users.

Table 3-3 describes the Windows Support Tools that pertain to Active Directory.


Table 3-3 Active Directory–Specific Windows Support Tools

Each entry names the tool, its type (command-line tool, MMC snap-in, or GUI tool), and what it is used for.

Acldiag.exe: ACL Diagnostics (command-line tool). Determine whether a user has been granted or denied access to an Active Directory object. It can also be used to reset access control lists (ACLs) to their default state.

Adsiedit.msc: ADSI Edit (MMC snap-in). Add, delete, and move objects in the directory (including the schema and configuration naming contexts). Object attributes can be viewed, modified, and deleted.

Dcdiag.exe: Domain Controller Diagnostic Tool (command-line tool). Analyze the state of domain controllers in a forest or enterprise and report any problems.

Dfsutil.exe: Distributed File System Utility (command-line tool). Manage all aspects of Distributed File System (DFS), check the configuration concurrency of DFS servers, and display the DFS topology.

Dsacls.exe (command-line tool). View or modify the ACLs of objects in Active Directory.

Dsastat.exe: Directory Services Utility (command-line tool). Compare naming contexts on domain controllers and detect differences.

Ldifde (command-line tool). Create, modify, and delete directory objects on computers running Windows Server 2003 or Microsoft Windows XP Professional.

Ldp.exe: LDP Tool (GUI tool). Perform Lightweight Directory Access Protocol (LDAP) operations, such as connect, bind, search, modify, add, and delete, against Active Directory.

Movetree.exe: Active Directory Object Manager (command-line tool). Move Active Directory objects such as OUs and users between domains in a single forest to support domain consolidation or organizational restructuring operations.

Netdom.exe: Windows Domain Manager (command-line tool). Manage Windows Server 2003 domains and trust relationships from the command line.

Nltest.exe (command-line tool). Provide a list of primary domain controllers, force a remote shutdown, and provide information about trusts and replication.

Ntfrsutl (command-line tool). Dump internal tables, thread, and memory information for the NT File Replication Service (NTFRS). It runs against local and remote servers.

Repadmin.exe: Replication Diagnostics Tool (command-line tool). Diagnose replication problems between domain controllers. See Chapter 5, “Configuring Sites and Managing Replication,” for more information about using Repadmin.

Replmon.exe: Active Directory Replication Monitor (GUI tool). Graphically display replication topology, monitor replication status, and force synchronization between domain controllers. See Chapter 5, “Configuring Sites and Managing Replication,” for more information about using Replmon.

Sdcheck.exe: Security Descriptor Check Utility (command-line tool). Display the security descriptor for any object stored in Active Directory. This tool enables an administrator to determine if ACLs are being inherited correctly and if ACL changes are being replicated from one domain controller to another.

Search.vbs: Active Directory Search Tool (command-line tool). Perform searches against an LDAP server to get information from Active Directory.

Setspn.exe: Manipulate Service Principal Names for Accounts (command-line tool). Read, modify, and delete the Service Principal Names (SPN) directory property for an Active Directory service account.

SIDwalker Security Administration Tools. Manage access control policies on Windows Server 2003 and Windows NT systems. SIDwalker consists of three separate programs: Showaccs.exe and Sidwalk.exe (command-line tools) for examining and changing access control entries, and Security Migration Editor for editing the mapping between old and new security identifiers (SIDs).

See Windows Support Tools help for more information about using the Windows Support Tools that pertain to Active Directory.

Active Directory Service Interfaces (ADSI) provides a simple, powerful, object-oriented interface to Active Directory. ADSI makes it easy for programmers and administrators to create programs utilizing directory services by using high-level tools such as Microsoft Visual Basic, Java, C, C#, or Visual C++ as well as scripted languages such as VBScript, JScript, or PerlScript without having to worry about the underlying differences between the different namespaces. ADSI is a fully programmable Automation object for use by administrators.

ADSI enables you to build or buy programs that give you a single point of access to multiple directories in your network environment, whether those directories are based on LDAP or another protocol.
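An added example of ADSI used from a script, not from the training kit: it binds through the [ADSI] type accelerator and System.DirectoryServices.DirectorySearcher, the same COM interfaces the VBScript and JScript samples in the Resource Kit call, to run two searches an administrator would want to repeat regularly. It assumes the host is joined to the domain being searched; the function names are the example's own. The second search uses the SID history feature from Table 3-1.

```powershell
# Added example, not from the training kit. Uses ADSI through the [ADSI]
# accelerator and System.DirectoryServices; binds to the domain the host is
# joined to (assumption). Function names are the example's own.

function Search-Directory {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @('sAMAccountName', 'distinguishedName')
    )
    # RootDSE supplies the default naming context, so no domain name is hard-coded.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domain   = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain, $Filter)
    $searcher.PageSize = 1000            # paged search: large domains return every row
    [void]$searcher.PropertiesToLoad.AddRange($Properties)
    foreach ($result in $searcher.FindAll()) {
        $row = [ordered]@{}
        # Result property names are lower-cased by the searcher; each value is a collection.
        foreach ($p in $Properties) { $row[$p] = @($result.Properties[$p.ToLower()]) }
        [pscustomobject]$row
    }
}

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule. This matches
# users whose userAccountControl has UF_PASSWD_NOTREQD (0x20) set, meaning a
# blank password is accepted regardless of the domain password policy.
function Find-UsersPasswordNotRequired {
    Search-Directory -Filter '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))' `
                     -Properties 'sAMAccountName', 'userAccountControl'
}

# sIDHistory is written when a security principal is migrated between domains;
# each value is a binary SID. An entry nobody migrated deserves a closer look.
function Find-UsersWithSidHistory {
    Search-Directory -Filter '(&(objectClass=user)(sIDHistory=*))' -Properties 'sAMAccountName', 'sIDHistory' |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = [string]$_.sAMAccountName[0]
                SidHistory     = @($_.sIDHistory | ForEach-Object {
                                     (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value })
            }
        }
}

Find-UsersPasswordNotRequired | Format-Table sAMAccountName, userAccountControl
Find-UsersWithSidHistory      | Format-Table SamAccountName, SidHistory
```

Search-Directory takes any LDAP filter, so the same helper serves the other searches in this chapter; the two wrappers are the ones whose results most often surprise administrators.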

Note

A detailed discussion of ADSI is beyond the scope of this training kit. For further information about ADSI, refer to the Microsoft Windows Server 2003 Resource Kit, located on the Microsoft Web site at http://www.microsoft.com/windowsserver2003/techinfo/reskit/resourcekit.mspx.


Practice: Viewing Active Directory Administration Tools

In this practice, you view the Active Directory administrative consoles and some of the

Active Directory support tools.

Exercise 1: Viewing Active Directory Administrative Consoles

In this exercise, you view the Active Directory administrative consoles.

To view Active Directory administrative consoles

1. Log on to Server01 as Administrator.

2. Click Start, point to Administrative Tools, and then click Active Directory Domains And Trusts.

3. In the console tree, right-click the contoso.com domain and then select Properties. In the Properties dialog box for the contoso.com domain, click the Trusts tab. Notice the trust information boxes that would contain information about trusts if there were other domains in the forest. Click Cancel.

4. In the console tree, right-click the contoso.com domain and then select Raise Domain Functional Level. In the Raise Domain Functional Level dialog box, notice the list in which you can raise domain functionality. Click Cancel. In the console tree, right-click the Active Directory Domains And Trusts node and then select Raise Forest Functional Level. In the Raise Forest Functional Level dialog box, notice that you cannot raise forest functionality until you have raised the domain functional level to Windows Server 2003. Click OK.

5. In the console tree, right-click the Active Directory Domains And Trusts node and then select Properties. On the UPN Suffixes tab, notice where you can enter alternate UPN suffixes. Click OK and then close the Active Directory Domains And Trusts console.

6. Click Start, point to Administrative Tools, and then click Active Directory Sites And Services. In the console tree, double-click the Sites folder. Notice that a site called Default-First-Site is present. This site is created automatically when Active Directory is installed. Close the Active Directory Sites And Services console.

7. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers. In the console tree, double-click the Builtin folder and examine all the default groups. Double-click the Users folder and examine all the default users. Close the Active Directory Users And Computers console.


Exercise 2: Installing and Viewing the Active Directory Schema Snap-In

In this exercise, you install the Active Directory Schema snap-in and view its contents.

To install and view the Active Directory Schema snap-in

1. Use the procedure provided earlier in this lesson to install the Active Directory Schema snap-in.

2. Open the Active Directory Schema snap-in. In the console tree, double-click Active Directory Schema. Double-click the Classes folder. Notice the list of classes provided in the details pane.

3. In the console tree, double-click any class. Notice the list of attributes for that class provided in the details pane. Close the Active Directory Schema snap-in.

4. In the Microsoft Management Console message box, click No.

Exercise 3: Installing and Viewing the Active Directory–Specific

Windows Support Tools

In this exercise, you install Windows Support Tools and view some of the Active

Directory–specific support tools.

To install and view the Active Directory–specific Windows Support Tools

1. If you haven’t already installed the Windows Support Tools, use the procedure provided in Chapter 2 to install them.

2. Click Start, point to All Programs, point to Windows Support Tools, then click Support Tools Help.

3. Access the Dsacls.exe tool in the alphabetical list of tools by file name. View Help for this tool.

4. In Help, click Open Command Prompt. At the command prompt, type dsacls \\Server01\DC=contoso,DC=com and press Enter. The output shows the access control list of the contoso.com domain object as held on Server01.

5. Close the command prompt. Close Dsacls Help.
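The dsacls output in step 4 is long and every entry is listed, so the useful follow-up is to pick out the entries that matter. The following added PowerShell example, not from the training kit, reads the same ACL through the AD: drive and reports only allow entries that grant domain takeover rights (GenericAll, WriteDacl, WriteOwner) or directory replication extended rights (the rights a DCSync-style extraction needs) to principals that do not hold them on a default domain head. It assumes the ActiveDirectory module (later than this book) and read access to the domain object, which authenticated users have by default; the function names are the example's own.

```powershell
# Added example, not from the training kit. Assumes the ActiveDirectory module,
# which also supplies the AD: drive that Get-Acl reads. Function names are the
# example's own. Reads the same ACL the practice step dumps with dsacls.
Import-Module ActiveDirectory

# Generic rights on the domain head that amount to full control of the domain.
$TakeoverRights = 'GenericAll', 'WriteDacl', 'WriteOwner'

# Extended rights (by rightsGuid) that let a principal pull password hashes
# from a domain controller through the replication protocol.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DomainHeadRiskyAces {
    param([string]$DomainDn = (Get-ADDomain).DistinguishedName)
    $nb = (Get-ADDomain).NetBIOSName
    # Principals that hold these rights on a default domain head; anyone else
    # in the output is worth explaining.
    $expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                  'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
                  "$nb\Domain Admins", "$nb\Enterprise Admins", "$nb\Domain Controllers",
                  "$nb\Enterprise Read-only Domain Controllers")
    $acl = Get-Acl -Path "AD:\$DomainDn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($expected -contains $who) { continue }
        $rights  = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $finding = $null
        if ($rights | Where-Object { $TakeoverRights -contains $_ }) {
            $finding = $rights -join ','
        } elseif ($rights -contains 'ExtendedRight') {
            $guid = $ace.ObjectType.ToString()
            if ($ace.ObjectType -eq [guid]::Empty) { $finding = 'All extended rights' }
            elseif ($ReplicationRights.ContainsKey($guid)) { $finding = $ReplicationRights[$guid] }
        }
        if ($finding) {
            [pscustomobject]@{ Identity = $who; Right = $finding; Inherited = $ace.IsInherited }
        }
    }
}

Get-DomainHeadRiskyAces | Format-Table -AutoSize
```

Sdcheck.exe from Table 3-3 answers the complementary question, whether the same ACL has replicated to every domain controller, which matters because an entry added on one domain controller becomes effective everywhere once replication completes.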


Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the ques­ tion again. Answers to the questions can be found in the “Questions and Answers” sec­ tion at the end of this chapter.

1. What is the purpose of the Active Directory Domains And Trusts console?

2. What is the purpose of the Active Directory Sites And Services console?

3. What is the purpose of the Active Directory Users And Computers console?

4. Why isn’t the Active Directory Schema snap-in provided automatically on the Administrative Tools menu after you install Active Directory?

5. Which Active Directory–specific Windows Support Tool enables you to manage Windows Server 2003 domains and trust relationships?

a. Ntdsutil.exe

b. Netdom.exe

c. Active Directory Domains And Trusts console

d. Nltest.exe


Lesson Summary

Three Active Directory administrative consoles are available on the Administrative Tools menu of all Windows Server 2003 domain controllers. The Active Directory Schema snap-in is also available on a domain controller, but must be installed manually to ensure the schema is not modified by accident.

Domain functional level (formerly known as the domain mode) provides a way to enable domain-wide Active Directory features within your network environment. Four domain functional levels are available: Windows 2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. The change in domain functional level is one-way only.

Forest functional level provides a way to enable forest-wide Active Directory features within your network environment. Three forest functional levels are available: Windows 2000 (default), Windows Server 2003 interim, and Windows Server 2003. You can raise the functional level of a forest to Windows Server 2003 only if all domain controllers in the forest are running Windows Server 2003.

You can add alternative UPN suffixes to simplify administration and user logon processes by providing a single UPN suffix for all users. Using alternative domain names as the UPN suffix can provide additional logon security and simplify the names used to log on to another domain in the forest.

Several additional tools that can be used to configure, manage, and debug Active Directory are available in the Windows Support Tools. To use these tools you must first install the Windows Support Tools on your computer.


Lesson 2: Customizing MMCs

In the previous lesson, you learned how to use the standard administrative consoles provided when you install Active Directory. You can also create custom consoles that focus on management tasks you specify by using the MMC. This lesson explains how you can create, use, and modify custom consoles.

After this lesson, you will be able to

Create customized MMCs

Modify customized MMCs

Estimated lesson time: 25 minutes

The MMC

The MMC is a tool used to create, save, and open collections of administrative tools, which are called consoles. When you access the Active Directory administrative consoles discussed in Lesson 1, you are accessing the MMC for that tool. The Active Directory Domains And Trusts, Active Directory Sites And Services, and Active Directory Users And Computers administrative tools are each a console. The console does not provide management functions itself, but is the program that hosts management applications called snap-ins. Snap-ins are programs used by administrators to manage network services.

There are two types of MMCs: preconfigured and custom. Preconfigured MMCs contain commonly used snap-ins, and they appear on the Administrative Tools menu. You cre­ ate custom MMCs to perform a unique set of administrative tasks, such as the MMC for the Active Directory schema discussed in the previous lesson. You can use both preconfigured and custom MMCs for remote administration.

Preconfigured MMCs

Preconfigured MMCs contain snap-ins that you use to perform the most common administrative tasks. The Windows Server 2003 family installs a number of preconfigured MMCs during installation. The following are characteristics of preconfigured MMCs:

They contain a stand-alone snap-in that provides the functionality to perform a related set of administrative tasks.

They function in user mode. Because preconfigured MMCs are in user mode, you cannot modify them, save them, or add additional snap-ins. However, when you create custom consoles, you can add as many preconfigured consoles as you want as snap-ins to your custom console.


They might be added by Windows Server 2003 when you install additional com­ ponents. Optional Windows Server 2003 components might include additional preconfigured MMCs that Windows Server 2003 adds when you install a compo­ nent. For example, when you install the DNS service, Windows Server 2003 also installs the DNS Management console.

Custom MMCs

You can use many of the preconfigured MMCs for administrative tasks. However, there will be times when you need to create your own custom MMCs. Although you can’t modify preconfigured consoles, you can combine multiple preconfigured snap-ins with third-party snap-ins provided by independent software vendors that perform related tasks to create custom MMCs. You can then do the following:

Save the custom MMCs to use again.

Distribute the custom MMCs to other administrators.

Use the custom MMCs from any computer to centralize and unify administra­ tive tasks.

Creating custom MMCs allows you to meet your administrative requirements by com­ bining snap-ins that you use to perform common administrative tasks. By creating a custom MMC, you do not have to switch between different programs or different preconfigured MMCs because all of the snap-ins that you need to perform your job are located in the custom MMC.

Consoles are saved as files and have an .msc extension. All the settings for the snap-ins contained in the console are saved and restored when the file is opened, even if the console file is opened on a different computer or network.

Console Tree and Details Pane

Every MMC has a console tree, which displays the hierarchical organization of its associated snap-ins. The MMC in Figure 3-2, for example, contains the Device Manager on the local computer and Disk Defragmenter snap-ins.


Figure 3-2 A sample MMC

The console tree organizes snap-ins that are part of an MMC. This allows you to easily locate a specific snap-in. Items that you add to the console tree appear under the console root. The details pane lists the contents of the active snap-in.

Every MMC contains an Action menu and a View menu. The choices on these menus vary, depending on the current selection in the console tree.

Snap-Ins

Snap-ins are applications that are designed to work in an MMC. Use snap-ins to perform administrative tasks. There are two types of snap-ins: stand-alone snap-ins and extension snap-ins.

Stand-alone snap-ins are usually referred to simply as snap-ins. Use stand-alone snap-ins to perform Windows Server 2003 administrative tasks. Each snap-in provides one function or a related set of functions. Windows Server 2003 comes with many standard snap-ins.

Extension snap-ins are usually referred to simply as extensions. They are snap-ins that provide additional administrative functionality to another snap-in. The following are characteristics of extensions.

Extensions are designed to work with one or more stand-alone snap-ins, based on the function of the stand-alone snap-in. For example, the Group Policy extension is available in the Active Directory Users And Computers console; however, it is not available in the Disk Defragmenter snap-in, because Group Policy does not relate to the administrative task of disk defragmentation.


When you add an extension, Windows Server 2003 displays only extensions that are compatible with the stand-alone snap-in. Windows Server 2003 places the extensions into the appropriate location within the stand-alone snap-in.

When you add a snap-in to a console, MMC adds all available extensions by default. You can remove any extension from the snap-in.

You can add an extension to multiple snap-ins.

Figure 3-3 demonstrates the concept of snap-ins and extensions. A toolbox (an MMC) holds a drill (a snap-in). You can use a drill with its standard drill bit, and you can perform additional functions with different drill bits (extensions). Extensions are preassigned to snap-ins, and multiple snap-ins can use the same extension.


Figure 3-3 Snap-ins and extensions

Some stand-alone snap-ins can use extensions that provide additional functionality, for example, Computer Management. However, some snap-ins, like Event Viewer, can act as either a snap-in or an extension.

Console Options

Use console options to determine how each MMC operates by selecting the appropri­ ate console mode. The console mode determines the MMC functionality for the person who is using a saved MMC. The two available console modes are author mode and user mode.

Note

Additional console options can be set using Group Policy. For information on setting group policies, see Chapter 11, “Administering Group Policy.”

When you save an MMC in author mode, you enable full access to all MMC function­ ality, which includes modifying the MMC. Save the MMC using author mode to allow those using it to do the following:

Add or remove snap-ins.

Create new windows.


View all portions of the console tree.

Save MMCs.

Note

By default, all new MMCs are saved in author mode.

Usually, if you plan to distribute an MMC to other administrators, you save the MMC in user mode. When you set an MMC to user mode, users cannot add snap-ins to, remove snap-ins from, or save the MMC. Bear in mind that user mode restricts only the console's own interface: it neither grants nor removes any rights on the objects the snap-ins manage, and anyone who can read the .msc file can reopen it in author mode (mmc filename.msc /a) unless Group Policy prevents that user from entering author mode.

There are three types of user modes that allow different levels of access and function­ ality. Table 3-4 describes when to use each type of user mode.

Table 3-4 MMC User Mode Types

Full access: Use when you want to allow users to navigate between snap-ins, open new windows, and gain access to all portions of the console tree.

Limited access, multiple windows: Use when you do not want to allow users to open new windows or gain access to a portion of the console tree, but you want to allow users to view multiple windows in the console.

Limited access, single window: Use when you do not want to allow users to open new windows or gain access to a portion of the console tree, and you want to allow users to view only one window in the console.

Using MMCs for Remote Administration

When you create custom MMCs, you can set up a snap-in for remote administration. Remote administration allows you to perform administrative tasks from any location. For example, you can use a computer running Windows XP Professional with Service Pack 1 or the 329357 hotfix applied to perform administrative tasks on a computer running Windows Server 2003. You cannot use all snap-ins for remote administration; the design of each snap-in dictates whether or not you can use it for remote administration.

To perform remote administration:

You can use snap-ins from computers running different editions of the Windows Server 2003 family.

You must use specific snap-ins designed for remote administration. If the snap-in is available for remote administration, Windows Server 2003 prompts you to choose the target computer to administer.


Suppose you need to administer Windows Server 2003 from a Windows XP Professional desktop. Because Windows XP Professional does not provide the same level of administrative tools as Windows Server 2003, you will need to install a more complete set of tools on the Professional desktop. By accessing the server and executing the Adminpak.msi file located at %Systemroot%\System32, you can copy the administrative tools onto the Professional desktop. Then configure each tool for use with the server.

One benefit of installing the entire package is that it includes the Active Directory Management MMC, which contains the three major Active Directory MMCs and the DNS MMC. Note that some tools may be installed for services that are not actually running on the server; the Windows Server 2003 Administration Tools Setup Wizard is simply a means for loading administrative tools onto a remote machine.

Off the Record

The Adminpak.msi can be used to repair console issues related to file cor­ ruption. For example, if you find that you can no longer open a console, such as the DNS console, you should try reinstalling Adminpak.msi.

Creating Custom MMCs

To create a custom MMC, you must open an empty console and then add the snap-ins needed to perform the desired administrative tasks.

To create a custom MMC, complete the following steps:

1. Click Start, and then click Run.

2. Type mmc in the Run box, and then click OK. An MMC window opens, titled Console1 and containing a window titled Console Root. This is an empty MMC.

3. Maximize the Console1 and Console Root windows.

4. On the File menu, click Add/Remove Snap-In.

5. On the Standalone tab in the Add/Remove Snap-In dialog box, click Add.

6. In the Add Standalone Snap-In dialog box, shown in Figure 3-4, select the snap-in you want to add and click Add. In some instances, the snap-in is simply added to the MMC. In other cases, MMC requires you to specify additional details for the snap-in in a dialog box or through a wizard.


Figure 3-4 Add Standalone Snap-In dialog box

7. Enter additional details for the snap-in as needed.

8. If the snap-in supports remote administration, a dialog box for the snap-in appears, as shown in Figure 3-5. Do one of the following:

❑ Select Local Computer to manage the computer on which the console is running.

❑ Select Another Computer to manage a remote computer. Then click Browse. In the Select Computer dialog box, type the name of the remote computer, then click OK.

Figure 3-5 Dialog box indicating type of management for the Computer Management snap-in

9. Click Finish.

3-24 Chapter 3 Administering Active Directory

10. When you are finished adding snap-ins, click Close in the Add Standalone Snap-In dialog box. The snap-ins you have added appear in the list in the Add/Remove Snap-In dialog box.

11. In the Add/Remove Snap-In dialog box, click OK. MMC displays the snap-ins you have added in the console tree below Console Root.

12. Select the Console Root.

13. On the File menu, click Options. MMC displays the Options dialog box with the Console tab active, as shown in Figure 3-6.

Figure 3-6 Options dialog box

14. Select the console mode in the Console Mode box, and then click OK.

15. On the File menu, click Save As.

16. In the File Name box in the Save As dialog box, type the name for your customized MMC and then click Save. The name of your console appears in the MMC title bar.

17. On the File menu, click Exit. The customized console has been created and saved and can now be accessed on the Administrative Tools menu.

Modifying Custom MMCs

You can modify a custom MMC by adding or removing snap-ins or extensions. Not all snap-ins have extensions. You can add or remove extensions from a console when you need to expand or limit administrative tasks. This allows you to include only those extensions that are relevant to the computer being administered.


To add a snap-in to an existing MMC, complete the following steps:

1. Click Start, point to All Programs, point to Administrative Tools, and then click the name of the custom MMC.

2. On the File menu, click Add/Remove Snap-In.

3. In the Standalone tab in the Add/Remove Snap-In dialog box, click Add.

4. In the Add Standalone Snap-In dialog box, select the snap-in you want to add to the existing MMC and click Add.

5. Enter additional details for the snap-in as described in the previous procedure.

6. When you are finished adding snap-ins, click Close in the Add Standalone Snap-In dialog box. The snap-ins you have added appear in the list in the Add/Remove Snap-In dialog box.

7. In the Add/Remove Snap-In dialog box, click OK. MMC displays the snap-ins you have added in the console tree below Console Root.

To remove a snap-in from an existing MMC, complete the following steps:

1. Click Start, point to All Programs, point to Administrative Tools, then click the name of the custom MMC.

2. On the File menu, click Add/Remove Snap-In.

3. In the Standalone tab in the Add/Remove Snap-In dialog box, select the snap-in you want to delete and click Remove. Then click OK. The snap-in is removed from the console.

To add or remove an extension to a snap-in on an existing MMC, complete the following steps:

1. Click Start, point to All Programs, point to Administrative Tools, and then click the name of the custom MMC.

2. On the File menu, click Add/Remove Snap-In.

3. In the Standalone tab in the Add/Remove Snap-In dialog box, select the snap-in for which you want to add or remove an extension. Then click the Extensions tab.


4. In the Extensions tab, shown in Figure 3-7, indicate the extension(s) you want to add or delete, as follows:

❑ To add an extension, click the desired extension.

❑ To remove an extension, clear the Add All Extensions check box and then, in the Available Extensions box, clear the check box for the desired extension.

Figure 3-7 Add/Remove Snap-In dialog box, Extensions tab

5. Click OK.

6. Expand the snap-in to confirm that the desired extension has been added or removed.

Practice: Customizing an MMC

In this practice, you customize an MMC.

Exercise 1: Creating a Custom MMC

In this exercise, you create a custom MMC.

To create a custom MMC

1. Log on to Server1 as Administrator.

2. Use the procedure provided earlier in this lesson to create a custom MMC. Add the Computer Management snap-in to the MMC. Although the Computer Management snap-in supports remote administration, set up the snap-in to manage the local computer. Set the console mode to author mode. Save the MMC with the name Administrator A. Do not use any of the tools at this point.


Exercise 2: Adding a Snap-In to an Existing MMC

In this exercise, you add a snap-in to an existing MMC.

To add a snap-in to an existing MMC

1. Use the procedure provided earlier in this lesson to add the Event Viewer snap-in to the Administrator A MMC. Set this snap-in to manage the local computer. Confirm that the Event Viewer snap-in has been added to the Administrator A MMC.

Exercise 3: Removing an Extension to a Snap-In on an Existing MMC

In this exercise, you remove an extension to a snap-in on an existing MMC.

To remove an extension to a snap-in on an existing MMC

1. Use the procedure provided earlier in this lesson to remove the Disk Management extension from the Computer Management snap-in on the Administrator A MMC. Confirm that the Disk Management extension has been removed from the Computer Management snap-in.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. What is the function of an MMC? Why is it necessary to create customized MMCs?

2. What is a snap-in?

3. What is the function of a console tree?

4. What are extensions?


5. Which of the following console mode types allows users to create new windows in the console?

a. Author mode

b. User mode—full access

c. User mode—limited access, multiple window

d. User mode—limited access, single window

Lesson Summary

There are two types of MMCs: preconfigured and custom. Preconfigured MMCs contain commonly used snap-ins and appear on the Administrative Tools menu.

You create custom MMCs to perform a unique set of administrative tasks.

Snap-ins are applications that work within an MMC and are used to perform administrative tasks. There are two types of snap-ins: stand-alone and extension.

Stand-alone snap-ins are referred to simply as snap-ins, and provide one function or a related set of functions. Extension snap-ins are referred to as extensions, and provide additional administrative functionality to another snap-in.

The console mode determines how an MMC is used. There are two console modes: author and user. Author mode provides full access to all MMC functionality, which includes modifying the MMC. In user mode, users cannot add snap-ins to, remove snap-ins from, or save the MMC.

For custom MMCs, you can set up a snap-in for remote administration, allowing you to perform administrative tasks from any location. Not all snap-ins are available for remote administration.

Lesson 3 Backing Up Active Directory 3-29

Lesson 3: Backing Up Active Directory

This lesson guides you through the steps required to back up Active Directory data.

When you create a backup, you need to conduct several preliminary tasks, and then perform a number of tasks using the Backup Or Restore Wizard. In this lesson you will learn how to back up Active Directory data, how to schedule and run an unattended backup, and how to delete an unattended backup.

After this lesson, you will be able to

Back up Active Directory data at a local computer

Schedule and run an unattended backup of Active Directory data

Delete an unattended backup of Active Directory data

Estimated lesson time: 25 minutes

Preliminary Backup Tasks

An important part of backing up Active Directory data is performing the preliminary tasks. You must prepare the files that you want to back up, and, if you are using a removable media device, you must prepare the device. If you use a removable media device, you must ensure that:

The backup device is attached to a computer on the network and is turned on. If you are backing up to tape, you must attach the tape device to the computer on which you run Windows Backup.

The media device is listed on the Windows Server 2003 Hardware Compatibility List (HCL).

The medium is loaded in the media device. For example, if you are using a tape drive, ensure that a tape is loaded in the tape drive.

You must be a member of the Administrators or the Backup Operators groups to perform a backup.

Creating an Active Directory Backup

After you have completed the preliminary tasks, you can perform the Active Directory backup using the Backup Or Restore Wizard. When you back up Active Directory, the Backup Or Restore Wizard automatically backs up all the system components and all the distributed services that Active Directory requires. Collectively, these components and services are known as system state data.


For Windows Server 2003, the system state data comprises the registry, COM+ Class Registration database, system boot files, files under Windows File Protection, and the Certificate Services database (if the server is a certificate server). If the server is a domain controller, Active Directory and the Sysvol directory are also contained in the system state data. When you choose to back up system state data, all of the system state data that is relevant to your computer is backed up; you cannot choose to back up individual components of the system state data. This is due to dependencies among the system state components. You can back up only the system state data on a local computer. You cannot back up the system state data on a remote computer.

To create an Active Directory backup, complete the following steps:

1. Log on to your domain as Administrator, point to Start, point to All Programs, point to Accessories, point to System Tools, and select Backup.

2. On the Welcome To The Backup Or Restore Wizard page, click Next.

3. On the Backup Or Restore page, shown in Figure 3-8, select Backup Files And Settings, and then click Next.

Figure 3-8 Backup Or Restore page

4. On the What To Back Up page, shown in Figure 3-9, select Let Me Choose What To Back Up, and then click Next.


Figure 3-9 What To Back Up page

5. On the Items To Back Up page, shown in Figure 3-10, expand the My Computer item, and then select System State. Click Next.

Figure 3-10 Items To Back Up page

6. On the Backup Type, Destination, And Name page, shown in Figure 3-11, complete the following steps:

❑ Select Tape in the Select The Backup Type list if you are using tape; otherwise this option defaults to File.


❑ In the Choose A Place To Save Your Backup list, choose the location where Windows Backup will store the data. If you are saving to a tape, select the tape name. If you are saving to a file, browse to the path for the backup file location.

❑ In the Type A Name For This Backup box, enter a name for the backup you are going to do.

❑ Click Next.

Figure 3-11 Backup Type, Destination, And Name page

7. On the Completing The Backup Or Restore Wizard page, click Advanced.

8. On the Type Of Backup page, shown in Figure 3-12, select Normal as the backup type used for this backup job. Normal is the only backup type supported by Active Directory. If the Hierarchical Storage Manager (HSM) has moved data to remote storage and you want to back it up, select the Backup Migrated Remote Storage Data check box. Click Next.


Figure 3-12 Type Of Backup page

9. On the How To Back Up page, shown in Figure 3-13, select the Verify Data After Backup check box. This option causes the backup process to take longer but it confirms that files are correctly backed up. If you are using a tape device and it supports hardware compression, select the Use Hardware Compression, If Available check box to enable hardware compression. It’s recommended that you do not select the Disable Volume Shadow Copy check box. By default, Backup creates a volume shadow copy of your data to create an accurate copy of the contents of the hard drive, including open files or files in use by the system. Click Next.

Figure 3-13 How To Back Up page


10. On the Backup Options page, shown in Figure 3-14, select the Replace The Existing Backups option, then select the Allow Only The Owner And The Administrator Access To The Backup Data And To Any Backups Appended To This Medium check box. This action saves only the most recent copy of Active Directory and allows you to restrict who can gain access to the completed backup file or tape. Click Next.

Figure 3-14 Backup Options page

11. On the When To Back Up page, shown in Figure 3-15, select Now. Click Next.

Figure 3-15 When To Back Up page


12. On the Completing The Backup Or Restore Wizard page, click Finish to start the backup operation.

13. The Backup Progress window shows the progress of the backup.

14. When the backup operation is complete, the Backup Progress window, shown in Figure 3-16, shows that the backup is complete. You can click the Report button to see a report about the backup operation, as shown in Figure 3-17. The report is stored on the hard disk of the computer on which you are running the backup.

Figure 3-16 Backup Progress window showing completed backup

Figure 3-17 Backup operation report

15. Close the report when you have finished viewing it and then click Close to close the backup operation.


Scheduling Active Directory Backup Operations

Scheduling an Active Directory backup operation means that you can have an unattended backup job occur later when users are not at work and files are closed. You can also schedule Active Directory backup operations to occur at regular intervals. To enable this, Windows Server 2003 integrates the backup operation with the Task Scheduler service. To schedule a backup operation, you must access the advanced backup settings as described in the following procedure.

To schedule an Active Directory backup operation, complete the following steps:

1. Follow steps 1–10 in the previous section, “Creating an Active Directory Backup.”

2. On the When To Back Up page, shown in Figure 3-18, select Later. Then type the job name in the Job Name box and click Set Schedule.

Figure 3-18 When To Back Up page

3. In the Schedule tab in the Schedule Job dialog box, shown in Figure 3-19, select the frequency of the backup operation: Daily, Weekly, Monthly, Once, At System Startup, At Logon, or When Idle from the Schedule Task list. Indicate the time the backup operation will begin in the Start Time list. Indicate when the task will occur in the Schedule Task box for the selected frequency. Click Advanced.


Figure 3-19 Schedule Job dialog box, Schedule tab

4. In the Advanced Schedule Options dialog box, shown in Figure 3-20, you can specify when the backup operations should begin, end, or how often they should be repeated in the Start Date, End Date, and Repeat Task boxes respectively. Enter information as necessary and click OK.

Figure 3-20 Advanced Schedule Options dialog box

5. In the Schedule tab in the Schedule Job dialog box, select the Show Multiple Schedules check box if you wish to set up more than one schedule for the backup operation. Repeat steps 1–4 for each schedule. Click the Settings tab when you are finished setting up schedules.

6. In the Settings tab in the Schedule Job dialog box, shown in Figure 3-21, specify whether to delete the task file from your computer’s hard disk after the backup operation has finished running and is not scheduled to run again in the Scheduled Task Completed box. Specify whether to start or stop the backup operation based on the computer’s idle time in the Idle Time box. Specify whether to start or stop the backup operation based on the computer’s power status in the Power Management box. Click OK.

Figure 3-21 Schedule Job dialog box, Settings tab

7. On the When To Back Up page, click Next.

8. In the Set Account Information dialog box, shown in Figure 3-22, type the password for the account shown in the Password box and confirm the password in the Confirm Password box. Click OK.

Figure 3-22 Set Account Information dialog box

9. Confirm your selections on the Completing The Backup Or Restore Wizard page, then click Finish to schedule the backup.


Deleting Scheduled Active Directory Backup Operations

To delete a scheduled Active Directory backup operation, you must access the advanced backup settings as described in the following procedure.

To delete a scheduled Active Directory backup operation, complete the following steps:

1. Log on to your domain as Administrator, point to Start, point to All Programs, point to Accessories, point to System Tools, and select Backup.

2. On the Welcome To The Backup Or Restore Wizard page, click the Advanced Mode link.

3. On the Welcome To The Backup Utility Advanced Mode page, shown in Figure 3-23, click the Schedule Jobs tab.

Figure 3-23 Welcome To The Backup Utility Advanced Mode page

4. In the Schedule Jobs tab, shown in Figure 3-24, icons for the scheduled backup operation(s) appear on the schedule for the date(s) the operation is specified to be performed. In this example, a backup operation is scheduled daily. Click the backup operation you want to delete.


Figure 3-24 Schedule Jobs tab

5. In the Scheduled Job Options dialog box that appears, shown in Figure 3-25, ensure that the job you want to delete appears in the Job Name box. Click Delete.

Figure 3-25 Scheduled Job Options dialog box

6. In the Removing a Scheduled Job message box that appears, click Yes. The backup operation has been deleted from the schedule.
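The wizard choices in the three procedures above correspond to switches of ntbackup.exe, and the job the wizard schedules is an ordinary Task Scheduler task. The following is an added example, not code from the training kit, that performs the same normal, verified, owner- and Administrator-restricted system state backup from PowerShell and then registers and removes the daily job used in the practice exercises; it assumes Windows Server 2003 with ntbackup.exe and schtasks.exe on the path, and D:\Backups and C:\Scripts are constructed paths.

```powershell
# Added example, not from the training kit. Assumes Windows Server 2003 with
# ntbackup.exe and schtasks.exe on the path; D:\Backups and C:\Scripts are
# constructed paths, and the job names are the ones used in the practice.

# Builds the ntbackup.exe argument string that matches the wizard choices:
#   backup systemstate  - Items To Back Up: System State (all of it, never parts)
#   /M normal           - Type Of Backup: Normal, the only type Active Directory supports
#   /V:yes              - How To Back Up: Verify Data After Backup
#   /SNAP:on            - leave Disable Volume Shadow Copy cleared
#   /R:yes              - Backup Options: only the owner and Administrator may read
#                         the backup data or anything appended to the medium
#   /L:f                - full log, so the report of Figure 3-17 is written
function Get-SystemStateBackupArguments {
    param(
        [Parameter(Mandatory = $true)] [string] $JobName,
        [Parameter(Mandatory = $true)] [string] $BackupFile
    )
    return "backup systemstate /J `"$JobName`" /F `"$BackupFile`" /M normal /V:yes /SNAP:on /R:yes /L:f"
}

# Runs the backup now (When To Back Up: Now) and returns ntbackup's exit code.
# Must run on the domain controller itself; system state cannot be backed up remotely.
function New-SystemStateBackup {
    param(
        [Parameter(Mandatory = $true)] [string] $JobName,
        [Parameter(Mandatory = $true)] [string] $BackupFile
    )
    $dir = Split-Path -Parent $BackupFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    $arguments = Get-SystemStateBackupArguments -JobName $JobName -BackupFile $BackupFile
    $proc = Start-Process -FilePath 'ntbackup.exe' -ArgumentList $arguments -Wait -PassThru
    if (-not (Test-Path $BackupFile)) {
        throw "Backup file $BackupFile was not created; check the ntbackup report."
    }
    return $proc.ExitCode
}

# Schedules the same backup daily (When To Back Up: Later). The command line is
# written to a small .cmd wrapper so the quoted job name and path survive
# schtasks' own parsing. /RP * makes schtasks prompt for the account password
# instead of placing it in the script or on the command line, which is what the
# Set Account Information dialog does in the wizard.
function Register-SystemStateBackup {
    param(
        [Parameter(Mandatory = $true)] [string] $JobName,
        [Parameter(Mandatory = $true)] [string] $BackupFile,
        [Parameter(Mandatory = $true)] [string] $RunAsUser,   # e.g. DOMAIN\Administrator
        [string] $StartTime = '00:00',                         # 12:00 A.M., as in Exercise 2
        [string] $WrapperPath = 'C:\Scripts\ADBackup.cmd'      # constructed path
    )
    $arguments = Get-SystemStateBackupArguments -JobName $JobName -BackupFile $BackupFile
    $wrapperDir = Split-Path -Parent $WrapperPath
    if (-not (Test-Path $wrapperDir)) { New-Item -ItemType Directory -Path $wrapperDir | Out-Null }
    Set-Content -Path $WrapperPath -Value "@echo off`r`nntbackup.exe $arguments" -Encoding Ascii

    & schtasks.exe /Create /SC DAILY /ST $StartTime /TN $JobName /TR $WrapperPath /RU $RunAsUser /RP '*'
    return $LASTEXITCODE
}

# Removes the scheduled job (Exercise 3); backup files already written are kept.
function Unregister-SystemStateBackup {
    param([Parameter(Mandatory = $true)] [string] $JobName)
    & schtasks.exe /Delete /TN $JobName /F
    return $LASTEXITCODE
}

# Equivalents of the practice exercises (constructed values):
# New-SystemStateBackup -JobName 'Active Directory Backup1' -BackupFile 'D:\Backups\ADBackup1.bkf'
# Register-SystemStateBackup -JobName 'Active Directory Backup2' -BackupFile 'D:\Backups\ADBackup2.bkf' -RunAsUser 'CONTOSO\Administrator'
# Unregister-SystemStateBackup -JobName 'Active Directory Backup2'
```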


Practice: Backing Up Active Directory

In this practice, you back up Active Directory and perform tasks related to backup scheduling.

Exercise 1: Creating an Active Directory Backup

In this exercise, you create an Active Directory backup.

To create an Active Directory backup

1. Log on to Server1 as Administrator.

2. Open the Active Directory Users And Computers console. Create a new, empty OU by right-clicking the domain in the console tree, pointing to New, and then clicking Organizational Unit. In the New Object–Organizational Unit dialog box, type TEST1 in the Name box, then click OK. Verify that the TEST1 OU appears in the console tree.

3. Use the procedure provided earlier in this lesson to create an Active Directory backup. Name this backup Active Directory Backup1. Check with your administrator to ensure the availability of disks or tapes for backup storage.

4. When you have finished the backup operation for Active Directory Backup1, return to Active Directory Users And Computers and delete the TEST1 OU you created in step 2.

Note

In this exercise, you backed up Active Directory when it contained the TEST1 OU and then deleted the TEST1 OU. In the next lesson you will restore Active Directory to contain the TEST1 OU.

Exercise 2: Scheduling an Active Directory Backup Operation

In this exercise, you schedule an Active Directory backup operation.

To schedule an Active Directory backup operation

1. Use the procedure provided earlier in this lesson to schedule an Active Directory backup operation. Name this backup Active Directory Backup2. Schedule this backup to occur daily at 12:00 A.M. Check with your administrator to ensure the availability of disks or tapes for backup storage at the specified time.


Exercise 3: Deleting a Scheduled Active Directory Backup Operation

In this exercise, you delete a scheduled Active Directory backup operation.

To delete a scheduled Active Directory backup operation

1. Use the procedure provided earlier in this lesson to delete Active Directory Backup2 after you have completed the exercise and the backup operation runs.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. What tasks should you complete before attempting to back up Active Directory data?

2. What is system state data and why is it significant to backing up Active Directory?

3. Can you restrict who can gain access to a completed backup file or tape? If so, how?

4. When you specify the items you want to back up in the Backup Or Restore Wizard, which of the following should you select to successfully back up Active Directory data?

a. System state data

b. Shared system volume folder

c. Database and log files

d. Registry


Lesson Summary

Before you can back up Active Directory data, you must prepare the files that you want to back up, and, if you are using a removable media device, you must prepare the device.

Active Directory and the Sysvol directory are also contained in the system state data. Therefore, when you back up Active Directory data, you must specify that you want to back up only system state data.

You can perform a backup of Active Directory data on demand, or you can schedule the backup operation to occur daily, weekly, monthly, once, at system startup, at logon, or when idle.


Lesson 4: Restoring Active Directory

There are two ways to restore Active Directory: nonauthoritatively and authoritatively.

This lesson shows you how to perform both methods of restoring Active Directory.

After this lesson, you will be able to

Explain the difference between nonauthoritative and authoritative restore

Restore Active Directory

Estimated lesson time: 35 minutes

Restoring Active Directory

Like the backup process, when you choose to restore Active Directory, you can only restore all of the system state data that was backed up, including the registry, the COM+ Class Registration database, system boot files, files under Windows File Protection; the Sysvol directory and Active Directory (if the server is a domain controller); and the Certificate Services database (if the server is a certificate server). You cannot choose to restore individual components (for example, only the Active Directory) of the system state data.

If you are restoring the system state data to a domain controller, you must choose whether you want to perform a nonauthoritative restore or an authoritative restore. The default method of restoring the system state data to a domain controller is nonauthoritative. You must be a member of the Administrators or the Backup Operators groups to perform a restore.

Nonauthoritative Restore

In nonauthoritative restore, the distributed services on a domain controller are restored from backup media and the restored data is then updated through normal replication.

Each restored directory partition is updated with that of its replication partners by replication after you restore the data. For example, if the last backup was performed a week ago, and the system state is restored nonauthoritatively, any changes made subsequent to the backup operation will be replicated from the other domain controllers.

The Active Directory replication system will update the restored data with newer data from your other servers. Nonauthoritative restore is typically performed when a domain controller has completely failed due to hardware or software problems.

Lesson 4 Restoring Active Directory 3-45

Authoritative Restore

An authoritative restore brings a domain or a container back to the state it was in at the time of backup and overwrites all changes made since the backup. If you do not want to replicate the changes that have been made subsequent to the last backup operation, you must perform an authoritative restore. For example, you must perform an authoritative restore if you inadvertently delete users, groups, or OUs from Active Directory and you want to restore the system so that the deleted objects are recovered and replicated. Authoritative restore is typically used to restore a system to a previously known state, for example before Active Directory objects were erroneously deleted.

To authoritatively restore Active Directory data, you must run the Ntdsutil utility after you have performed a nonauthoritative restore of the system state data but before you restart the server. The Ntdsutil utility allows you to mark objects as authoritative. Marking objects as authoritative changes the update sequence number of an object so it is higher than any other update sequence number in the Active Directory replication system. This ensures that any replicated or distributed data that you have restored is properly replicated or distributed throughout your organization. The Ntdsutil utility can be found in the %Systemroot%\System32 directory and accompanying documentation within the Windows Server 2003 Help files (available from the Start menu).

For example, suppose you back up the system on Monday, and then create a new user called Ben Smith on Tuesday, which replicates to other domain controllers in the domain, but on Wednesday, another user, Nancy Anderson, is accidentally deleted. To authoritatively restore Nancy Anderson without reentering information, you can nonauthoritatively restore the domain controller with the backup created on Monday. Then, using Ntdsutil you can mark the Nancy Anderson object as authoritative. The result is that Nancy Anderson is restored without any effect on Ben Smith.
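Marking the Nancy Anderson object as authoritative is done from the authoritative restore menu of Ntdsutil while the domain controller is still in directory services restore mode. The following added example, not the training kit's own code, wraps those Ntdsutil commands in PowerShell and refuses to run outside that mode; the distinguished name and the contoso.com domain are constructed placeholders, and the mode check relies on the SAFEBOOT_OPTION environment variable Windows sets in safe mode.

```powershell
# Added example, not from the training kit. Run on the domain controller while
# it is still in directory services restore mode, after the nonauthoritative
# restore and before the restart; ntdsutil.exe lives in %Systemroot%\System32.
# The DN and the contoso.com domain are constructed placeholders.

# Builds the command line Ntdsutil expects: each quoted argument is one command
# typed at its prompt, and the DN keeps its own quotes (escaped as \") because
# it contains spaces. The two "quit" commands leave the authoritative restore
# menu and then Ntdsutil itself.
function Get-NtdsutilRestoreArguments {
    param(
        [Parameter(Mandatory = $true)] [string] $ObjectDN,
        [switch] $Subtree   # "restore subtree" for a deleted OU and everything in it
    )
    $verb = if ($Subtree) { 'restore subtree' } else { 'restore object' }
    return "`"authoritative restore`" `"$verb \`"$ObjectDN\`"`" quit quit"
}

# Windows sets SAFEBOOT_OPTION in safe mode; DSREPAIR is the value for
# directory services restore mode, so Active Directory is offline as required.
function Test-DirectoryServicesRestoreMode {
    return ($env:SAFEBOOT_OPTION -eq 'DSREPAIR')
}

# Marks the object authoritative. Ntdsutil changes the object's update sequence
# number so it is higher than any other in the replication system; the restored
# Nancy Anderson therefore wins replication, while Ben Smith, created after the
# backup, is untouched. Ntdsutil asks for confirmation in a message box, so run
# this from an interactive session.
function Restore-ADObjectAuthoritative {
    param(
        [Parameter(Mandatory = $true)] [string] $ObjectDN,
        [switch] $Subtree
    )
    if (-not (Test-DirectoryServicesRestoreMode)) {
        throw 'Not in directory services restore mode; restart with F8 and choose it first.'
    }
    $arguments = Get-NtdsutilRestoreArguments -ObjectDN $ObjectDN -Subtree:$Subtree
    $proc = Start-Process -FilePath 'ntdsutil.exe' -ArgumentList $arguments -Wait -PassThru
    return $proc.ExitCode
}

# The lesson's example, with a constructed DN:
# Restore-ADObjectAuthoritative -ObjectDN 'CN=Nancy Anderson,CN=Users,DC=contoso,DC=com'
```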


Exam Tip

Know when to use authoritative or nonauthoritative restore.

Preliminary Restore Tasks

Like the backup process, an important part of restoring Active Directory data is performing the preliminary tasks. Before you can restore Active Directory, you must perform the following tasks:

Ensure that you can access all locations that require the restoration of files.

Ensure that the appropriate device for the storage medium containing the data to be restored is attached to a computer on the network and is turned on.

Ensure that the medium containing the data to be restored is loaded in the device.


Performing a Nonauthoritative Restore

To restore the system state data on a domain controller, you must first start your computer in a special safe mode called directory services restore mode. This allows you to restore the Sysvol directory and Active Directory directory services database. You can only restore system state data on a local computer. You cannot restore the system state data on a remote computer.

However, you can restore backed up system state data to an alternate location—a folder you designate. By restoring to an alternate location, you preserve the file and folder structure of the backed up data—all folders and subfolders appear in the alternate folder you specify.

Note

If you restore the system state data and you do not designate an alternate location for the restored data, Backup will erase the system state data that is currently on your computer and replace it with the system state data you are restoring. Also, if you restore the system state data to an alternate location, only the registry files, Sysvol directory files, Cluster database information files (if applicable) and system boot files are restored to the alternate location. The Active Directory database, Certificate Services database (if applicable), and COM+ Class Registration database are not restored if you designate an alternate location.

To nonauthoritatively restore Active Directory, complete the following steps:

1. Restart the computer.

2. During the phase of startup where the operating system is normally selected, press F8.

3. On the Windows Advanced Options Menu, select Directory Services Restore Mode and press Enter. This ensures that the domain controller is offline and is not connected to the network.

4. At the Please Select The Operating System To Start prompt, select the appropriate Microsoft Windows Server 2003 operating system and press Enter.

5. Log on to your domain as Administrator.

Note

When you restart the computer in directory services restore mode, you must log on as an Administrator by using a valid Security Accounts Manager (SAM) account name and password, not the Active Directory Administrator’s name and password. This is because Active Directory is offline, and account verification cannot occur. Rather, the SAM accounts database is used to control access to Active Directory while it is offline. You specified this password when you set up Active Directory.


6. In the Desktop message box that warns you that Windows is running in safe mode, click OK.

7. Point to Start, point to All Programs, point to Accessories, point to System Tools, and then select Backup.

8. On the Welcome To The Backup Or Restore Wizard page, click Next.

9. On the Backup Or Restore page, shown previously in Figure 3-8, select Restore Files And Settings. Click Next.

10. On the What To Restore page, shown in Figure 3-26, expand the media type that contains the data that you want to restore in the Items To Restore box or click Browse. The media can be either tape or file. Expand the appropriate media set until the data that you want to restore is visible. Select the data you want to restore, such as system state, then click Next.

Figure 3-26 Backup Or Restore Wizard, What To Restore page with system state data selected for restore

11. Ensure that media containing the backup file is in the correct location.

12. On the Completing The Backup Or Restore Wizard page, do one of the following:

❑ Click Finish to start the restore process. The Backup Or Restore Wizard requests verification for the source of the restore data and then performs the restore. During the restore, the Backup Or Restore Wizard displays status information about the restore.

❑ Click Advanced to specify advanced restore options. Refer to the next section, “Specifying Advanced Restore Settings for a Nonauthoritative Restore,” for details.


13. In the Warning message box that warns you that restoring system state will always overwrite current system state, click OK.

14. The Restore Progress dialog box displays status information about the restore process. As with the backup process, when the restore is complete, you can choose to view the report of the restore. The report contains information about the restore, such as the number of files that have been restored and the duration of the restore process.

15. Close the report when you have finished viewing it and then click Close to close the restore operation.

16. When prompted to restart the computer, click Yes.

Real World

Shutdown Event Tracker

You’ve probably noticed that Windows Server 2003 has a new feature that requests a shutdown reason each time you restart the server. This feature is called the Shutdown Event Tracker. If you are working in a test environment, you might choose to disable this feature to avoid the hassle of typing in a reason each time you restart. To disable this feature, you can perform the following steps:

1. Click Start, click Run, and type gpedit.msc and press Enter.

2. Expand the Computer Configuration and then Administrative Templates objects. Click on the System object. In the right-hand pane you’ll see several settings appear.

3. Locate and double-click the Display Shutdown Event Tracker setting. The Display Shutdown Event Tracker Properties dialog box opens.

4. Click the Disabled radio button to disable the Shutdown Event Tracker. Click OK. Close the Group Policy Editor console.

Now when you shut down this server, you won’t be asked to enter a reason.

Specifying Advanced Restore Settings for a Nonauthoritative Restore

The Advanced settings in the Backup Or Restore Wizard vary, depending on the type of backup media from which you are restoring.

To specify advanced restore settings for a nonauthoritative Active Directory restore, complete the following steps:

1. On the Where to Restore page, in the Restore Files To list, select the target location for the data that you are restoring. The choices in the list are the following:

Original Location—Replaces corrupted or lost data. This is the default and must be selected to restore Active Directory.

Alternate Location—Restores an older version of a file to a folder you designate.

Single Folder—Consolidates the files from a tree structure into a single folder. For example, use this option if you want copies of specific files but do not want to restore the hierarchical structure of the files.

Note

If you select either an alternate location or a single folder, you must also provide the path to the location or folder.

2. Click Next.

3. On the How to Restore page, select how you want to restore the system state data from the following:

Leave Existing Files (Recommended)—Prevents accidental overwriting of existing data. This is the default.

Replace Existing Files If They Are Older Than The Backup Files—Verifies that the most recent copy exists on the computer.

Replace Existing Files—Windows Backup does not provide a confirmation message if it encounters a duplicate file name during the restore operation.

4. Click Next.

5. On the Advanced Restore Options page, select whether or not to restore security or special system files from the following:

Restore Security Settings—Applies the original permissions to files that you are restoring to a Windows NTFS file system volume. Security settings include access permissions, audit entries, and ownership. This option is available only if you have backed up data from an NTFS volume and are restoring to an NTFS volume.

Restore Junction Points, But Not The Folders And File Data They Reference—Restores junction points on your hard disk but not the data to which the junction points refer. If you have any mounted drives and you want to restore the data that mounted drives point to, you should not select this check box.

Preserve Existing Volume Mount Points—Prevents the restore operation from writing over any volume mount points on the destination volume. If you are restoring data to a replacement drive, and you have partitioned and formatted the drive and restored volume mount points, you should select this option so your volume mount points are not restored. If you are restoring data to a partition or drive that you have just reformatted, and you want to restore the old volume mount points, you should not select this option.


Restore The Cluster Registry To The Quorum Disk And All Other Nodes—Makes certain that the cluster quorum database is restored and replicated on all nodes in a server cluster. If selected, the Backup Or Restore Wizard will stop the Cluster service on all other nodes of the server cluster after the node that was restored reboots.

When Restoring Replicated Data Sets, Mark The Restored Data As The Primary Data For All Replicas—Ensures that restored File Replication service (FRS) data is replicated to your other servers. If you are restoring FRS data, you should choose this option. If you do not choose this option, the FRS data that you are restoring may not be replicated to other servers because the restored data will appear to be older than the data already on the servers. This will cause the other servers to overwrite the restored data, preventing you from restoring the FRS data.

6. Click Next.

7. On the Completing The Backup Or Restore Wizard page, click Finish to start the restore process. The Backup Or Restore Wizard requests verification for the source of the restore data and then performs the restore. During the restore, the Backup Or Restore Wizard displays status information about the restore.

Performing an Authoritative Restore

An authoritative restore occurs after a nonauthoritative restore and designates the entire directory, a subtree, or individual objects to be recognized as authoritative with respect to replica domain controllers in the forest. The Ntdsutil utility allows you to mark objects as authoritative so that they are propagated through replication, thereby updating existing copies of those objects throughout the forest.

To authoritatively restore Active Directory, complete the following steps:

1. Perform a nonauthoritative restore as described previously.

2. Restart the computer.

3. During the phase of startup where the operating system is normally selected, press F8.

4. On the Windows Advanced Startup Options Menu, select Directory Services Restore Mode and press Enter. This ensures that the domain controller is offline and is not connected to the network.

5. At the Please Select The Operating System To Start prompt, select the appropriate Microsoft Windows Server 2003 operating system and press Enter.

6. Log on as Administrator.


Note

When you restart the computer in directory services restore mode, you must log on as an Administrator by using a valid SAM account name and password, not the Active Directory Administrator’s name and password. This is because Active Directory is offline and account verification cannot occur. Rather, the SAM accounts database is used to control access to Active Directory while it is offline.

7. In the Desktop message box that warns you that Windows is running in safe mode, click OK.

8. Point to Start, then select Command Prompt.

9. At the command prompt, type ntdsutil and press Enter.

10. At the Ntdsutil prompt, type authoritative restore and press Enter.

11. At the authoritative restore prompt, do the following:

❑ To authoritatively restore the entire directory, type restore database and press Enter.

❑ To authoritatively restore a portion or subtree of the directory, such as an OU, use the OU’s distinguished name: type restore subtree subtree_distinguished_name and press Enter. For example, to restore the Security1 OU in the microsoft.com domain, the commands would be

ntdsutil
authoritative restore
restore subtree OU=Security1,DC=Microsoft,DC=COM

❑ To authoritatively restore the entire directory and override the version increase, type restore database verinc version_increase and press Enter.

❑ To authoritatively restore a subtree of the directory and override the version increase, type restore subtree subtree_distinguished_name verinc version_increase and press Enter.

The authoritative restore opens the Ntds.dit file, increases version numbers, counts the records that need updating, verifies the number of records updated, and reports completion. If a version number increase is not specified, one is automatically calculated.

12. Type quit and press Enter to exit the Ntdsutil utility and close the Command Prompt window.

13. Restart the domain controller in normal mode and connect the restored domain controller to the network. When the restored domain controller is online and connected to the network, normal replication brings the restored domain controller up to date with any changes from the additional domain controllers that were not overridden by the authoritative restore. Replication also propagates the authoritatively restored object(s) to other domain controllers in the forest. The deleted objects that were marked as authoritative are replicated from the restored domain controller to the additional domain controllers. Because the objects that are restored have the same object globally unique identifier (GUID) and object SID, security remains intact, and object dependencies are maintained.

14. Ensure the integrity of the computer’s Group Policy by performing one of the following:

❑ If you authoritatively restored the entire Active Directory database, copy the Sysvol directory on the alternate location over the existing one after the Sysvol share is published.

❑ If you authoritatively restored specific Active Directory objects, copy only the policy folders (identified by the GUID) corresponding to the restored policy objects from the alternate location after the Sysvol share is published. Then, copy them over the existing ones.

When authoritatively restoring either the entire Active Directory database or selected objects, it is important that you copy the Sysvol and policy data from the alternate location after the Sysvol share is published. If the computer is in a replicated domain, it may take several minutes before the Sysvol share is published because it needs to synchronize with its replication partners. If all computers in the domain are authoritatively restored and restarted at the same time, then each will be waiting (indefinitely) to synchronize with each other. In this case, restore one of the domain controllers first so that its Sysvol share can be published; then restore the other computers nonauthoritatively.

Impact of Authoritative Restore on Trust Relationships and Network Connections

Both parent and child trust relationships in Windows domains and Kerberos and NTLM trust relationships to other Windows domains reside in the domain directory partition.

Because trust relationship and computer account passwords are renegotiated at a specified interval, if you authoritatively restore an entire domain directory partition, computer passwords and trust relationship passwords are restored to the values at the time of the backup. If the password values are different from the current values, trust relationships and computer accounts might be invalidated. For trust relationships, domain controllers may no longer be able to communicate with domain controllers from other domains. If an older computer account password is restored, the member’s workstation may no longer be able to communicate with the server and the domain controller. If you authoritatively restore objects that affect trust relationships or computer account passwords, you must reset the passwords. Therefore, you should restore only those portions of the domain directory partition that are absolutely necessary. The more of the domain hierarchy included in the restore, the greater chance that trust relationships are affected.


Note

By default, passwords are reset every seven days, except for computer accounts. The previous password is also maintained. Therefore, performing an authoritative restore with a backup that is older than 14 days can affect the trust relationships.

To minimize the effort involved with resetting trusts and rejoining computers, you must perform regular backups.
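To find out which of these passwords an authoritative restore actually rolled back, verify the secure channels afterwards rather than resetting everything blindly. The following PowerShell script is an added example and not code from the training kit. It assumes Nltest.exe and Netdom.exe from the Windows Support Tools are installed on the restored domain controller, that it runs as a domain administrator, and it uses the constructed sample domain contoso.com.

```powershell
# Added example, not from the training kit: after an authoritative restore,
# verify the secure channels whose passwords the restore may have rolled back.
# Assumes Nltest.exe and Netdom.exe (Windows Support Tools) are installed.
param(
    [string]$DomainDnsName = "contoso.com",       # constructed sample value
    [string]$DomainDN      = "DC=contoso,DC=com"  # constructed sample value
)

$results = @()

# 1. This computer's own secure channel to a domain controller. A computer
#    account password rolled back by the restore shows up here as a failure.
$scQuery = & nltest.exe "/sc_query:$DomainDnsName" 2>&1
$results += @{
    Check  = "Secure channel of $env:COMPUTERNAME to $DomainDnsName"
    Passed = (($LASTEXITCODE -eq 0) -and [bool]($scQuery -match "NERR_Success"))
    Detail = ($scQuery | Out-String).Trim()
}

# 2. Every trust held in the domain directory partition. Trusts are stored as
#    trustedDomain objects under CN=System; Netdom checks each trust password
#    with the partner domain.
$system = [ADSI]"LDAP://CN=System,$DomainDN"
foreach ($child in $system.Children) {
    if ($child.SchemaClassName -ne "trustedDomain") { continue }
    $partner = [string]$child.Properties["trustPartner"][0]
    $verify  = & netdom.exe trust $DomainDnsName "/domain:$partner" /verify 2>&1
    $results += @{
        Check  = "Trust between $DomainDnsName and $partner"
        Passed = ($LASTEXITCODE -eq 0)
        Detail = ($verify | Out-String).Trim()
    }
}

# Report. Anything marked FAIL is a candidate for a password reset with
# 'netdom reset' (computer account) or 'netdom trust ... /reset' (trust).
foreach ($r in $results) {
    if ($r.Passed) { "OK   $($r.Check)" }
    else           { "FAIL $($r.Check)"; "     $($r.Detail)" }
}
```

Run it once the restored domain controller is back in normal mode and replicating. Member workstations whose computer account password was rolled back are not covered by this script; they report the failure on their own secure channel, which is why the text recommends restoring as little of the domain directory partition as possible.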

Practice: Restoring Active Directory

In this practice, you restore Active Directory from the backup you made in Lesson 3.

Note

To complete this practice, you must have successfully completed the practice in Lesson 3.

Exercise 1: Restoring Active Directory

In this exercise, you perform an authoritative restore to restore Active Directory.

To restore Active Directory

1. Use the procedure provided earlier in this lesson to authoritatively restore Active Directory using Active Directory Backup1. Hint: Use the restore subtree command parameter with OU=TEST1,DC=contoso,DC=com as the subtree distinguished name.

2. Verify that the TEST1 OU you created, backed up, and deleted in Lesson 3 has been restored in the Active Directory Users And Computers console.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. Describe what happens in a nonauthoritative restore.

2. Describe what happens in an authoritative restore.

3. Which method of restore should you use if you accidentally delete an OU?

4. Which method of restore should you use if a domain controller has completely failed due to hardware or software problems?

5. Which of the following Ntdsutil command parameters should you use if you want to restore the entire directory?

a. Restore database

b. Restore subtree

c. Database restore

d. Subtree restore

Lesson Summary

■ You restore Active Directory data by performing a nonauthoritative restore (default) or an authoritative restore.

■ In nonauthoritative restore, the distributed services on a domain controller are restored from backup media and the restored data is then updated through normal replication. Each restored directory partition is updated with that of its replication partners.

■ An authoritative restore brings a domain or a container back to the state it was in at the time of backup and overwrites all changes made since the backup.

■ Before you can restore Active Directory, you must ensure that you can access all locations that require the restoration of files, the appropriate device for the storage medium containing the data to be restored is attached to a computer on the network and is turned on, and the medium containing the data to be restored is loaded in the device.

■ To restore the system state data on a domain controller, you must start your computer in directory services restore mode. To perform a nonauthoritative restore, use the Backup Or Restore Wizard. To perform an authoritative restore, use the Backup Or Restore Wizard and the Ntdsutil command.


Case Scenario Exercise

You are a network consultant. You are consulting for an educational institution called Graphic Design Institute as described in Chapter 2. You’ve just finished installing the Research department’s forest root domain controller. The Research department is using a server running Windows Server 2003 configured as a domain controller. You’ve installed a primary DNS server and configured those records to be stored in Active Directory.

As you are working, Laura Steele, the director of the institute, asks you to discuss potential upgrades for the Administrative and Marketing departments. The following list describes significant details about the departments and network environment of the Graphic Design Institute:

■ Information Technology Services (ITS)
This department utilizes UNIX client and server operating systems. The ITS department maintains DNS servers and Internet access for the entire institute. There are 10 users and 25 computers in this department. The ITS department also maintains the institute’s physical network infrastructure which includes 100 Mbps and gigabit Ethernet capable cables, hubs, switches, and routers.

■ Administration department
This department has a Windows 2000 Active Directory domain structure. The operating systems in use include Windows 2000 Advanced Server, Windows 2000 Professional, and Windows XP Professional. There are 12 domain controllers, eight file servers, and 5,000 users in this department. Ten of those domain controllers are also hosting the domain’s Active Directory-integrated DNS zone. The ITS department delegated the admin.graphicdesigninstitute.com namespace to the Administration department.

■ Marketing department
This department has a Windows NT 4 domain that includes one primary domain controller (PDC) and one backup domain controller (BDC). The operating systems in use are Windows NT 4 Server, Windows NT 4 Workstation, and Windows 2000 Professional. The department has 15 users and 20 computers.

■ Research department
At this time the Research department has 25 employees and 30 computers. You’ve installed a forest root domain controller and DNS server on one computer. Most of the employees haven’t yet been issued computers. They are still putting together their office furniture. However, you’ve suggested installing a Remote Installation Services (RIS) server to deploy Windows XP Professional. Steve Masters, the newly hired network manager for Research, plans to install the client computers once you are finished configuring the directory structure.


Given this information, answer the following questions:

1. Before you move on to upgrading the other departments, what should you do to ensure the Research department’s Active Directory data is protected? What should you ensure that Steve will continue to do in order to protect the Research department’s data?

2. What similarities exist between the implementation of Active Directory in the Research and Marketing departments?

3. If you must install an additional Windows Server 2003 domain controller in the existing Administration domain, what must you first do to the Administration domain?

4. If you’re asked to upgrade the PDC of the Marketing domain, but hold off on the upgrade of the BDC, what functional level should you use on the new Windows Server 2003 domain?

5. The network administrators of the Marketing domain want to know what the equivalents of the User Manager for Domains and the Server Manager applications are on a Windows Server 2003 domain controller. What would you tell them?

Troubleshooting Lab

You are a network administrator for Contoso Pharmaceuticals. You recently lost one of your domain controllers, named Server2, due to a hardware failure. This domain controller cannot be repaired and there was no recent backup. You notice many replication errors start to appear in the Directory Service log of the Event Viewer on your other domain controller. You need to install a new server to replace Server2. You attempt to install a new domain controller named Server2, but the installation fails, reporting Server2 already exists. You must resolve this issue.

You’ll begin this lab by installing Server2 as a domain controller. Then, you’ll pretend that Server2 has experienced an unrecoverable error by reinstalling the entire operating system without first demoting Server2.

1. Install Active Directory on Server2. You can do this manually or by using the Server2dc.txt answer file on the Supplemental CD-ROM. Place the companion CD-ROM in your CD-ROM drive. To use the answer file, run the command dcpromo /answer:d:\70-294\labs\chapter03\Server2dc.txt (this command assumes that your CD-ROM drive is D; if not, substitute the drive letter of your CD-ROM drive). If you’d prefer to install Active Directory manually, use the written steps in Chapter 2 to install an additional domain controller for the contoso.com domain.

Caution

What you are about to do is not the recommended method for removing a domain controller from your Active Directory infrastructure. The recommended method is to run DCPROMO to uninstall the domain controller first. You are performing these steps to simulate an unexpected failure of your domain controller.

2. Ensure that you allow Server2 to fully complete the installation of Active Directory. You are now about to reinstall Server2 using the Windows Server 2003, Enterprise Edition installation CD-ROM. You can use an unattended setup file to install Server2. For directions on using the unattended installation, see the setup.txt file in the D:\70-294\Labs\Unattend\ folder.

3. Then, place the Windows Server 2003 CD-ROM in the CD-ROM drive. When you see the Press Any Key To Boot From The CD-ROM message, press the Space bar. If you want to use the unattended installation method, insert the floppy disk with the Winnt.sif immediately following this prompt. Otherwise, install manually, choosing options that are appropriate for your network.

Note

Whether you are using the unattended or manual method, you should not fully complete the Server2 reinstallation at this point. Just begin the installation, but don’t go past the point of entering the Product Key code until you finish your work on Server1 (in the steps that follow). You need to be sure that you’ve removed all references of Server2 from Active Directory before you rejoin the domain.

4. Log on to Server1 using the domain administrator name and password.

5. Open a command prompt. Type ntdsutil and press Enter. The Ntdsutil prompt is displayed.


6. Type metadata cleanup and press Enter. The metadata cleanup prompt is displayed.

7. Type connections and press Enter. The server connections prompt is displayed.

8. Type connect to server server1 and press Enter.

9. Type quit and press Enter. The metadata cleanup prompt appears again.

10. Type select operation target.

11. Type list domains. You should see only one domain and it should be numbered zero (0). If this is not the case, take note of which object and number represents contoso.com and use that number in the next step.

12. Type select domain 0 and press Enter.

13. Type list sites and press Enter. You should see only one site and it should be numbered zero (0). If this is not the case, take note of which object and number represents your site and use that number in the next step.

14. Type select site 0 and press Enter.

15. Type list servers in site and press Enter. You should see two servers. Take note of which number represents Server2, probably the number one (1). If that is not the case, then substitute the actual number of Server2 in the following step (instead of typing 1).

16. Type select server 1 and press Enter.

17. Type quit and press Enter. The metadata cleanup prompt is displayed.

18. Type remove selected server and press Enter. A prompt appears asking you to confirm the removal of Server2. Read this prompt carefully and then click Yes to remove the object.

19. Type quit and press Enter twice. This closes the metadata cleanup and Ntdsutil prompts. Then type exit to close the command prompt.

20. You’ve now successfully removed the NTDS Settings object. However, there are still remnants of Server2 in the database. Therefore, you’ll have to delete additional items using the DNS console and ADSIEdit.

21. Open the DNS console. Expand the structure as necessary to locate the contoso.com domain object and click on it.

22. In the right-hand pane, locate the (same as parent folder) Host (A) record that has the same IP address as Server2. Right-click that record and select Delete. Click Yes to confirm deletion.

23. Also in the right-hand pane, right-click the Server2 host record and select Delete. Click Yes to confirm deletion. You’ve now removed the DNS record for Server2. Close the DNS console.


24. Click Start, click Run, and then type ADSIEdit.msc and press Enter. The ADSIEdit console opens.

25. Expand the following structure: Domain\DC=contoso,DC=com\OU=Domain Controllers. Click on the CN=Server2 object, and then press Delete. Click Yes to confirm this deletion. You’ve now removed the Server object from the Active Directory Domain Name Context.

26. Expand the following structure: Configuration\CN=Configuration,DC=contoso,DC=com\CN=Sites\CN=Default-First-Site-Name\CN=Servers. Click on the CN=Server2 object, and then press Delete. Click Yes to confirm this deletion. You’ve now removed the Server object from the Configuration Name Context. Close the ADSIEdit console.

You’ve now successfully removed the references to Server2 in the Active Directory domain hosted by Server1. This is how you would clean up Active Directory after the loss of a domain controller. Now you should finish the installation of Server2. Then, join Server2 to the contoso.com domain as a member server. Directions on how to do that are covered in Chapter 2.
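Before Server2 is reinstalled, it is worth confirming that nothing still refers to the old domain controller, because a single leftover object reproduces the "Server2 already exists" failure. The following PowerShell script is an added example and not code from the training kit. It reads the same places the lab cleans (the server and NTDS Settings objects under the site, the computer account in the Domain Controllers OU, and the DNS records) without deleting anything, and adds a check for replication connection objects that still name the failed domain controller as their source. It assumes it runs on Server1 as a domain administrator with Dnscmd.exe from the Windows Support Tools installed; Server2, contoso.com, and Default-First-Site-Name are the lab's sample names.

```powershell
# Added example, not from the training kit: read-only audit for leftover
# references to a failed domain controller, covering the objects the lab removes
# with Ntdsutil, ADSIEdit, and the DNS console. Run on a surviving domain
# controller as a domain administrator. All names are constructed sample values.
param(
    [string]$FailedDC = "Server2",
    [string]$DomainDN = "DC=contoso,DC=com",
    [string]$SiteName = "Default-First-Site-Name",
    [string]$ZoneName = "contoso.com"
)

$configDN  = "CN=Configuration,$DomainDN"
$serversDN = "CN=Servers,CN=$SiteName,CN=Sites,$configDN"
$ntdsDN    = "CN=NTDS Settings,CN=$FailedDC,$serversDN"

# Return the distinguished names of objects matching an LDAP filter under a base.
function Find-DNs([string]$BaseDN, [string]$Filter) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$BaseDN"
    $searcher.Filter = $Filter
    $searcher.PropertiesToLoad.Add("distinguishedName") | Out-Null
    foreach ($result in $searcher.FindAll()) {
        [string]$result.Properties["distinguishedname"][0]
    }
}

$leftovers = @()

# 1. Server object and NTDS Settings object in the Configuration partition
#    (what 'remove selected server' and the ADSIEdit Configuration step delete).
$leftovers += @(Find-DNs $serversDN "(&(objectClass=server)(cn=$FailedDC))")
$leftovers += @(Find-DNs $serversDN "(&(objectClass=nTDSDSA)(distinguishedName=$ntdsDN))")

# 2. Computer account in the Domain Controllers OU (the ADSIEdit Domain step).
$leftovers += @(Find-DNs "OU=Domain Controllers,$DomainDN" "(&(objectClass=computer)(cn=$FailedDC))")

# 3. Inbound replication connections on surviving DCs that still name the failed
#    DC as their source; these explain the errors in the Directory Service log.
$leftovers += @(Find-DNs "CN=Sites,$configDN" "(&(objectClass=nTDSConnection)(fromServer=$ntdsDN))")

# 4. DNS: the host (A) record for the failed DC and any same-as-parent record
#    that still carries its address. Dnscmd.exe is assumed to be installed
#    (Windows Support Tools); its record lines end with "A <ip address>".
$ipPattern = "(\d{1,3}\.){3}\d{1,3}"
$hostIPs = @()
foreach ($line in @(& dnscmd.exe /EnumRecords $ZoneName $FailedDC /Type A 2>&1)) {
    if ($line -match "\sA\s+($ipPattern)\s*$") {
        $hostIPs   += $matches[1]
        $leftovers += "DNS host record $FailedDC.$ZoneName A $($matches[1])"
    }
}
foreach ($line in @(& dnscmd.exe /EnumRecords $ZoneName "@" /Type A 2>&1)) {
    if (($line -match "\sA\s+($ipPattern)\s*$") -and ($hostIPs -contains $matches[1])) {
        $leftovers += "DNS same-as-parent record $ZoneName A $($matches[1])"
    }
}

if ($leftovers.Count -eq 0) {
    "No remaining references to $FailedDC were found."
} else {
    "References to $FailedDC that still need cleanup:"
    $leftovers | ForEach-Object { "  $_" }
}
```

Run it after step 26 and again after Active Directory replication has converged on the other domain controllers; an empty result on every surviving domain controller is the signal that the Server2 reinstallation can proceed. The script deliberately only reports, so the deletions stay with the Ntdsutil, ADSIEdit, and DNS console steps above, where the confirmation prompts make you read what is being removed.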

Chapter Summary

■ The Active Directory administration tools include the Active Directory Domains And Trusts console, the Active Directory Sites And Services console, the Active Directory Users And Computers console, the Active Directory Schema snap-in, and the Active Directory–specific Windows Support Tools.

■ Domain functional level (formerly known as the domain mode) provides a way to enable domain-wide Active Directory features within your network environment. Four domain functional levels are available: Windows 2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003.

■ Forest functional level provides a way to enable forest-wide Active Directory features within your network environment. Three forest functional levels are available: Windows 2000 (default), Windows Server 2003 interim, and Windows Server 2003.

■ Alternative UPN suffixes simplify administration and user logon processes by providing a single UPN suffix for all users. Using alternative domain names as the UPN suffix can provide additional logon security and simplify the names used to log on to another domain in the forest.

■ Several additional tools that can be used to configure, manage, and debug Active Directory are available in the Windows Support Tools. To use these tools you must first install the Windows Support Tools on your computer.

■ The MMC is a tool used to create, save, and open collections of administrative tools, called consoles. There are two types of MMCs: preconfigured and custom. Preconfigured MMCs contain commonly used snap-ins and appear on the Administrative Tools menu. You create custom MMCs to perform a unique set of administrative tasks.

■ You use the Backup Or Restore Wizard to back up Active Directory.

■ When you back up Active Directory data, you must specify that you want to back up only system state data. You can only back up the system state data on a local computer. You cannot back up the system state data on a remote computer.

■ You restore Active Directory data by performing a nonauthoritative restore (default) or an authoritative restore. To restore the system state data on a domain controller, you must start your computer in directory services restore mode.

■ In a nonauthoritative restore, the distributed services on a domain controller are restored from backup media and the restored data is then updated through normal replication. Each restored directory partition is updated with that of its replication partners. An authoritative restore brings a domain or a container back to the state it was in at the time of backup and overwrites all changes made since the backup.

Exam Highlights

Before taking the exam, review the key points and terms that are presented in this chapter. You need to know this information.

Key Points

■ The Active Directory Domains And Trusts console provides the interface for setting the domain and forest functional levels and for specifying alternative UPN suffixes.

■ Domain functional level provides a way to enable domain-wide Active Directory features within your network environment. Four domain functional levels are available: Windows 2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003.

■ Forest functional level provides a way to enable forest-wide Active Directory features within your network environment. Three forest functional levels are available: Windows 2000 (default), Windows Server 2003 interim, and Windows Server 2003.

■ Alternative UPN suffixes simplify administration and user logon processes by providing a single UPN suffix for all users. Using alternative domain names as the UPN suffix can provide additional logon security and simplify the names used to log on to another domain in the forest.

■ You use the Backup Or Restore Wizard to back up Active Directory. To back up Active Directory data, you must specify that you want to back up only system state data. You can only back up the system state data on a local computer. You cannot back up the system state data on a remote computer.

■ You restore Active Directory data by performing a nonauthoritative restore (default) or an authoritative restore. You must start your computer in directory services restore mode to initiate a restore.

Key Terms

authoritative restore

In Backup, a type of restore operation performed on an Active Directory domain controller in which the objects in the restored directory are treated as authoritative, replacing (through replication) all existing copies of those objects.

domain functional level

The level on which a domain running Windows Server 2003 is running. The functional level of a domain can be raised to enable new Active Directory features that will apply to that domain only.

forest functional level

The level on which a forest running Windows Server 2003 is running. The functional level of a forest can be raised to enable new Active Directory features that will apply to every domain in the forest.

nonauthoritative restore

A restore operation performed on an Active Directory domain controller in which the objects in the restored directory are not treated as authoritative. The restored objects are updated with changes held on other domain controllers in the domain.

UPN suffix

The part of the UPN to the right of the @ character. The default UPN suffix for a user account is the DNS domain name of the domain that contains the user account. The UPN suffix is only used within the Active Directory forest, and it is not required to be a valid DNS name.


Questions and Answers

Lesson 1 Review

1.

What is the purpose of the Active Directory Domains And Trusts console?

The Active Directory Domains And Trusts console provides the interface to manage domains and manage trust relationships between forests and domains.

2.

What is the purpose of the Active Directory Sites And Services console?

The Active Directory Sites And Services console contains information about the physical struc­ ture of your network.

3.

What is the purpose of the Active Directory Users And Computers console?

The Active Directory Users And Computers console allows you to add, modify, delete, and orga­ nize Windows Server 2003 user accounts, computer accounts, security and distribution groups, and published resources in your organization’s directory. It also allows you to manage domain controllers and OUs.

4.

Why isn’t the Active Directory Schema snap-in provided automatically on the

Administrative Tools menu after you install Active Directory?

By default, the Active Directory Schema snap-in is not available on the Administrative Tools menu and must be installed. This action is required to ensure that the schema cannot be mod­ ified by accident.

5.

Which Active Directory-specific Windows Support Tool enables you to manage

Windows Server 2003 domains and trust relationships?

a.

Ntdsutl.exe

b.

Netdom.exe

c.

Active Directory Domains And Trusts console

d.

Nltest.exe

The correct answer is b. The Netdom.exe tool enables you to manage Windows Server 2003 domains and trust relationships. While the Active Directory Domains And Trusts console also provides this capability, this tool is not an Active Directory–specific Windows Support Tool.

Lesson 2 Review

1. What is the function of an MMC? Why is it necessary to create customized MMCs?

The MMC is a tool used to create, save, and open collections of administrative tools, which are called consoles. The console does not provide management functions itself, but is the program that hosts management applications called snap-ins. You create custom MMCs to perform a unique set of administrative tasks.


2. What is a snap-in?

Snap-ins are programs used by administrators to manage network services.

3. What is the function of a console tree?

A console tree displays the hierarchical organization of the snap-ins contained within an MMC.

4. What are extensions?

Extensions are snap-ins that provide additional administrative functionality to another snap-in.

5. Which of the following console mode types allows users to create new windows in the console?

a. Author mode

b. User mode—full access

c. User mode—limited access, multiple window

d. User mode—limited access, single window

The correct answer is a. Author mode allows users to add or remove snap-ins, create new windows in the console, view all portions of the console tree, and save MMCs.

Lesson 3 Review

1. What tasks should you complete before attempting to back up Active Directory data?

Before attempting to back up Active Directory data, you must prepare the files that you want to back up, and, if you are using a removable media device, you must prepare the device.

2. What is system state data and why is it significant to backing up Active Directory?

For the Windows Server 2003 operating system, the system state data comprises the registry, the COM+ Class Registration database, system boot files, files under Windows File Protection, and the Certificate Services database (if the server is a certificate server). If the server is a domain controller, Active Directory and the Sysvol directory are also contained in the system state data. To back up Active Directory, you must back up the system state data.

3. Can you restrict who can gain access to a completed backup file or tape? If so, how?

You can restrict who can gain access to a completed backup file or tape by selecting the Replace The Data On The Media With This Backup option and the Allow Only The Owner And The Administrator Access To The Backup Data And To Any Backups Appended To This Medium option on the Backup Options page in the Backup Or Restore Wizard. This restriction is enforced by the Backup utility's access control, not by encryption; anyone with physical possession of the media and a different tool can still read the directory database it contains, so store backup media as securely as the domain controllers themselves.


4. When you specify the items you want to back up in the Backup Or Restore Wizard, which of the following should you select to successfully back up Active Directory data?

a. System state data

b. Shared system volume folder

c. Database and log files

d. Registry

The correct answer is a. When you specify the items you want to back up in the Backup Or Restore Wizard, you must specify system state data to successfully back up Active Directory data.

Lesson 4 Review

1. Describe what happens in a nonauthoritative restore.

In a nonauthoritative restore, the distributed services on a domain controller are restored from backup media and the restored data is then updated through normal replication. Each restored directory partition is updated with that of its replication partners.

2. Describe what happens in an authoritative restore.

An authoritative restore brings a domain or a container back to the state it was in at the time of backup and overwrites all changes made since the backup. After the nonauthoritative restore of the system state, Ntdsutil marks the selected objects as authoritative by incrementing their version numbers, so that on the next replication cycle they overwrite the newer copies held by the other domain controllers instead of being overwritten by them.

3. Which method of restore should you use if you accidentally delete an OU?

Authoritative.

4. Which method of restore should you use if a domain controller has completely failed due to hardware or software problems?

Nonauthoritative.

5. Which of the following Ntdsutil command parameters should you use if you want to restore the entire directory?

a. Restore database

b. Restore subtree

c. Database restore

d. Subtree restore

The correct answer is a. Database restore and subtree restore are not Ntdsutil command parameters. Restore subtree is used to restore a portion or a subtree of the directory.


Case Scenario Exercise

1. Before you move on to upgrading the other departments, what should you do to ensure the Research department's Active Directory data is protected? What should you ensure that Steve will continue to do in order to protect the Research department's data?

First, the Research department should have a minimum of two domain controllers, so they have an online redundant copy of the Active Directory database. Second, they should be sure to back up the system state of the domain controllers routinely. Backing up system state data monthly is probably the bare minimum. Remember, an Active Directory backup is usable only within the tombstone lifetime, which is 60 days by default; a backup older than that cannot be restored. Performing system state backups on a weekly basis is common. They should also perform a backup anytime major changes are made to the Active Directory database, such as when large numbers of accounts are added, modified, or deleted. Also, they would be wise to run a system state backup if sites or domains are added, modified, or removed.

2. What similarities exist between the implementation of Active Directory in the Research and Marketing departments?

The need to determine which department will manage the DNS namespace. Also, what will that namespace be? (The answer is marketing.graphicdesigninstitute.com.) You should also install at least two Active Directory domain controllers and tell the network administration team for Research to make regular backups of Active Directory.

3. If you must install an additional Windows Server 2003 domain controller in the existing Administration domain, what must you do first to the Administration domain?

You must run Adprep.exe on the Windows 2000 domain so that it can support servers running Windows Server 2003 configured as domain controllers: Adprep /forestprep on the schema master to extend the schema, and then Adprep /domainprep on the infrastructure master of the Administration domain.

4. If you're asked to upgrade the PDC of the Marketing domain, but hold off on the upgrade of the BDC, what functional level should you use on the new Windows Server 2003 domain?

The best option is Windows Server 2003 interim, since this domain is meant to interact only with Windows NT 4 domain controllers. That is all that is required in the Marketing department. Another option is the Windows 2000 mixed functional level, because this option allows a Windows Server 2003 domain controller to interact with Windows 2000, Windows NT 4, and Windows Server 2003 domain controllers.

5. The network administrators of the Marketing domain want to know what the equivalent of the User Manager for Domains and the Server Manager applications are on a Windows Server 2003 domain controller. What would you tell them?

User Manager for Domains and Server Manager allow you to add computer and user accounts. In Active Directory there is a single interface for doing this called Active Directory Users And Computers. The snap-in is Dsa.msc. Server Manager also allows you to control some items like shared directories. You can do that by accessing the Computer Management console. The fastest way to do so is to click Start, click Run, type compmgmt.msc, and then press Enter.

Chapter 4 Installing and Managing Domains, Trees, and Forests

Exam Objectives in this Chapter:

Plan flexible operations master role placement

Plan for operations master role business continuity

Identify operations master role dependencies

Implement an Active Directory forest and domain structure

Create a child domain

Establish trust relationships

Manage an Active Directory forest and domain structure

Manage trust relationships

Troubleshoot the Active Directory directory service

Diagnose and resolve issues related to operations master role failure

Why This Chapter Matters

This chapter shows you how to create the domains, trees, and forests that make up your Active Directory structure. Large organizations or those that have multiple autonomous departments often require Active Directory structures that include multiple domains. Other organizations may have the need to share data between previously autonomous business units or companies that have separate Active Directory forests. The Microsoft Windows Server 2003 Active Directory implementation has the ability to better conform to these situations than did the Microsoft Windows 2000 Active Directory implementation. As network administrator, you may be faced with situations in which you must be able to create multiple domains, rename domains, or restructure existing domains. You must also know how to protect your Active Directory structure from potential disasters and mistakes, so that you can restore data if necessary.


Lessons in this Chapter:

Lesson 1: Creating Multiple Domains, Trees, and Forests

Lesson 2: Renaming and Restructuring Domains and Renaming Domain Controllers

Lesson 3: Managing Operations Master Roles

Lesson 4: Managing Trust Relationships

Before You Begin

To complete the lessons in this chapter, you must

Prepare your test environment according to the descriptions given in the "Getting Started" section of "About This Book"

Complete the practices for installing and configuring Active Directory as discussed in Chapter 2, “Installing and Configuring Active Directory”

Learn to use Active Directory administration tools as discussed in Chapter 3, "Administering Active Directory"

Install the Windows Support Tools on Server2 as explained in Chapter 2


Lesson 1: Creating Multiple Domains, Trees, and Forests

In Chapter 2, you learned to install Active Directory, which actually creates the initial domain, tree, and forest for an organization. However, some organizations might require multiple domains, trees, or forests for Active Directory to effectively meet their needs. This lesson shows you how to create additional domains, trees, and forests.

After this lesson, you will be able to

Create additional domains, trees, and forests

Explain the reasons for using multiple domains, trees, and forests

Explain the implications for using multiple domains, trees, and forests

Estimated lesson time: 20 minutes

Creating Multiple Domains

You must determine the number of domains for each forest in your organization.

Although one domain might effectively represent the structure of small or medium-sized organizations, larger and more complex organizations might find that one domain is not sufficient. Before adding any domains you should be able to state the purpose of the new domain and justify it in terms of administrative and hardware costs.

Reasons to Create Multiple Domains

As stated in Chapter 2, you should create multiple domains to

Meet security requirements

Meet administrative requirements

Optimize replication traffic

Retain Microsoft Windows NT domains

Tip

Do not create multiple domains to accommodate polarized groups or for isolated resources that are not easily assimilated into other domains. Both the groups and the resources are usually better candidates for organizational units (OUs).

Creating Domains to Meet Security Requirements

The settings in the Account Policies subdirectory in the Security Settings node of a Group Policy Object (GPO) can be specified only at the domain level. If the security requirements set in the Account Policies subdirectory vary throughout your organization, you need to define separate domains to handle the different requirements. The Account Policies subdirectory contains the following policies:

Password policy

Contains settings for passwords, such as password history, age, length, complexity, and storage

Account lockout policy

Contains settings for account lockout, such as lockout duration, threshold, and the lockout counter

Kerberos policy

Contains Kerberos-related settings, such as user logon restrictions, service and user ticket lifetimes, and enforcement

Note

You can learn more about Account Policies in Chapter 13, "Administering Security With Group Policy."
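Because these three policy groups take effect only when linked at the domain level, the practical check before you justify a second domain is to compare what each candidate domain actually enforces. The cmd script below is an added example, not part of the training kit: run on a domain controller, it exports the effective security policy with Secedit.exe and prints just the Account Policies settings, with Net Accounts as a cross-check. The output path, and the assumption that Secedit writes its export as UTF-16 (hence the Type before Findstr), are mine.

```batch
@echo off
rem Added example, not from the training kit. Dumps the Account Policies that
rem this domain controller is actually enforcing so two domains can be compared.
rem Assumptions: run from a cmd prompt on a DC while logged on with a domain
rem account (so %USERDNSDOMAIN% is set). Secedit writes its export as UTF-16,
rem so the file is piped through TYPE (which converts it to the console code
rem page) before FINDSTR reads it.
setlocal
set OUT=%TEMP%\accountpolicy-%USERDNSDOMAIN%.inf

rem /mergedpolicy exports the merged domain and local settings, that is,
rem what is in force, rather than the local template alone.
secedit /export /mergedpolicy /cfg "%OUT%" /areas SECURITYPOLICY
if not exist "%OUT%" (
    echo secedit export failed for %USERDNSDOMAIN%
    exit /b 1
)

echo === Password and account lockout policy for %USERDNSDOMAIN% ([System Access])
type "%OUT%" | findstr /i /b "MinimumPasswordAge MaximumPasswordAge MinimumPasswordLength PasswordComplexity PasswordHistorySize ClearTextPassword LockoutBadCount ResetLockoutCount LockoutDuration"

echo === Kerberos policy for %USERDNSDOMAIN% ([Kerberos Policy])
type "%OUT%" | findstr /i /b "MaxTicketAge MaxRenewAge MaxServiceAge MaxClockSkew TicketValidateClient"

echo === Cross-check: the password and lockout values as NET ACCOUNTS reports them
net accounts /domain

rem The export holds policy values only, no secrets, but do not leave it behind.
del "%OUT%"
endlocal
```

Run it once on a domain controller in each domain you are considering and diff the two outputs. If the lines match, the security argument for a second domain is not there, and the organization's needs are probably better met with OUs, as the Tip above says; if they differ in the [Kerberos Policy] section in particular, no OU-level setting can reconcile them.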

Creating Domains to Meet Administrative Requirements

Some organizations might need to establish boundaries to meet special administrative requirements that cannot be accommodated by establishing OUs in one domain. Special requirements might include satisfying specific legal or privacy concerns. For example, an organization might have a privacy requirement that outside administrators not be given control over sensitive product development files. In a one-domain scenario, members of the Domain Admins predefined global group would have complete control over all objects in the domain, including the sensitive files. By establishing a new domain containing the files, the first Domain Admins group is outside of the new domain and no longer has control of the files. Note that this gives the new domain administrative autonomy, not isolation: the forest, not the domain, is the security boundary, and members of the forest root domain's Enterprise Admins group retain full control in every domain of the forest. If the requirement is that no administrator outside the business unit can ever gain control, a separate forest is needed, as discussed in "Creating Multiple Forests" later in this lesson.

Creating Domains to Optimize Replication Traffic

In organizations with one or more sites, you must consider whether site links can handle the replication traffic associated with a single domain. In a forest with one domain, all objects in the forest are replicated to every domain controller in the forest. If objects are replicated to locations where they are not used, bandwidth is used unnecessarily. By defining multiple small domains and replicating only those objects that are relevant to a location, you can reduce network traffic and optimize replication. However, you must weigh the savings achieved by optimizing replication against the cost of hardware and administration for the additional domains.

To determine whether you should define a domain to optimize replication traffic, you must consider

Link capacity and availability

If a link is operating near capacity or is not available for replication traffic during specific times of the day, it might not be able to handle replication traffic, and you should consider defining another domain. However, if links are idle at specific times, replication could be scheduled to occur during these times, provided the appropriate bandwidth is available.


Whether replication traffic will compete with other traffic

If a link carries other, more important traffic that you do not want disturbed by replication traffic, you should consider defining another domain.

Whether links are pay-by-usage

If replication traffic will cross an expensive pay-by-usage link, you should consider defining another domain.

Whether links are limited to Simple Mail Transfer Protocol (SMTP)

If a location is connected by SMTP-only links, it must have its own domain. Mail-based replication can occur only between domains; it cannot be used between domain controllers in the same domain.

Creating Domains to Retain Windows NT Domains

Organizations that have large Windows NT infrastructures might choose to retain an existing Windows NT domain. Existing Windows NT domains can be upgraded to Windows Server 2003, sometimes referred to as an in-place upgrade. You must weigh the costs of upgrading the Windows NT domain or consolidating the domain against the savings of maintaining and administering fewer domains. It is recommended that you minimize the number of domains by consolidating Windows NT domains before upgrading to Windows Server 2003.

Implications of Creating Multiple Domains

Adding a domain increases administrative and hardware costs. When determining whether to create multiple domains, keep the following cost issues in mind:

Domain administrators

Each time a domain is added, a Domain Admins predefined global group is added as well. More administration is required to monitor the members of this group.

Security principals

As domains are added, the likelihood that security principals will need to be moved between domains becomes greater. Although moving a security principal between OUs within a domain is a simple operation, moving a security principal between domains is more complex and can negatively affect users.

Note

A security principal is a user, group, computer, or service that is assigned a unique security identifier (SID). Security principals are discussed in more detail in Chapter 9, "Administering Active Directory Objects."

Group policy and access control

Because group policy and access control are applied at the domain level, if your organization uses group policies or delegated administration across the enterprise or many domains, the measures must be applied separately to each domain.


Domain controller hardware and security facilities

Each Windows Server 2003 domain should have at least two domain controllers to provide fault tolerance and to satisfy multimaster replication requirements. In addition, it is recommended that domain controllers be located in a secure facility with limited access to prevent physical access by intruders.

Trust links

If a user from one domain must log on in another domain, the domain controller from the second domain must be able to contact the domain controller in the user’s original domain. In the event of a link failure, the domain controller might not be able to maintain service. More trust links, which require setup and maintenance, might be necessary to alleviate the problem.

Creating Additional Domains

When creating additional domains, you use the Active Directory Installation Wizard.

To create an additional domain, complete the following steps:

1. Restart your computer and log on as Administrator.

2. Click Start and then click Run. In the Run dialog box, type dcpromo in the Run box and click OK.

3. On the Welcome To The Active Directory Installation Wizard page, click Next.

4. On the Operating System Compatibility page, click Next.

5. On the Domain Controller Type page, shown in Figure 4-1, select Domain Controller For A New Domain, and then click Next.

Figure 4-1 Active Directory Installation Wizard, Domain Controller Type page


6. On the Create New Domain page, shown in Figure 4-2, select Child Domain In An Existing Domain Tree, and then click Next.

Figure 4-2 Active Directory Installation Wizard, Create New Domain page

7. On the Network Credentials page, shown in Figure 4-3, type the user name, password, and domain of the user account that has permission to create the domain in the User Name, Password, and Domain boxes, respectively. Click Next.

Figure 4-3 Active Directory Installation Wizard, Network Credentials page

8. On the Child Domain Installation page, shown in Figure 4-4, type the name of the parent domain in the Parent Domain box, and then type the name of the child domain in the Child Domain box. Ensure that the full Domain Name System (DNS) name of the child appears the way you want it in the Complete DNS Name Of New Domain box, and then click Next.

Figure 4-4 Active Directory Installation Wizard, Child Domain Installation page

9. Proceed through the following Active Directory Installation Wizard pages in the same way you did in the "Installing Active Directory Using the Active Directory Installation Wizard" section of Chapter 2:

❑ NetBIOS Domain Name

❑ Database And Log Folders

❑ Shared System Volume

❑ DNS Registration Diagnostics

❑ Permissions

❑ Directory Services Restore Mode Administrator Password

10. On the Summary page, shown in Figure 4-5, the options that you selected are listed. Note that the new child domain is indicated. Review the contents of the Summary page, and then click Next. The Configuring Active Directory progress indicator appears as the Active Directory service is installed on the server. This process takes several minutes.


Figure 4-5 Active Directory Installation Wizard, Summary page

Creating Multiple Trees

Recall that a tree is a grouping or hierarchical arrangement of one or more Windows Server 2003 domains with contiguous names that you create by adding one or more child domains to an existing parent domain. A forest can have one or more trees. However, one tree per forest is considered ideal because it requires fewer administrative activities. Although the recommended number of trees in a forest is one, you might need to define more than one tree if your organization has more than one DNS name. Create a new tree only when you need to create a domain whose DNS namespace is not related to the other domains in the forest.

Real World

DNS Considerations for New Domains

As mentioned in Chapter 2, one of the most important issues when configuring Active Directory concerns DNS structure. When you create additional domains in the existing forest, you should consider your existing DNS structure and how it might change. The primary consideration is determining which servers should handle name resolution for the new domain. If the parent or forest root domain DNS servers are designated to handle name resolution for the new domain, you need to ensure that the DNS zone for the new domain exists on those DNS servers. You must also configure the computers for the new domain to use the parent or forest root domain DNS servers as their Preferred and Alternate DNS servers.


If instead you decide to install DNS servers in the new domain to handle name resolution, then you must delegate the new domain's namespace to those DNS servers. You should also consider creating a stub zone for the delegated namespace on the parent or forest root domain's DNS servers, so that those servers keep current name server records for the delegation. To learn more about DNS delegation and stub zones, review the topics "Delegating Zones" and "Understanding Stub Zones" in the Windows Server 2003 Help and Support Center.

Implications of Creating Multiple Trees

Creating multiple trees increases administrative costs. When determining whether to create multiple trees, keep the following items in mind:

DNS names

Because each tree requires a separate DNS name, your organization will be responsible for maintaining more DNS names.

Proxy client exclusion list or proxy autoconfiguration (PAC) file

Because each tree requires a separate DNS name, you must add these names to the list or file.

Non–Microsoft LDAP clients

Such Lightweight Directory Access Protocol (LDAP) clients might not be able to perform a global catalog search and instead might need to perform an LDAP search of subtree scope that searches each tree separately.

Designating Tree Root Domains

Once you've determined the number of trees in each forest for your organization, you should determine which domain will serve as the tree root domain for each tree. The tree root domain is the highest-level domain in the tree; child and grandchild domains are arranged under it. Typically, the domain you select should be the one that is most critical to the operation of the tree. A tree root domain can also be the forest root domain, as shown in Figure 4-6.

microsoft.com (forest root domain and tree root domain)
    uk.microsoft.com (child domain)
        sls.uk.microsoft.com (grandchild domain)
    us.microsoft.com (child domain)

msn.com (tree root domain)
    uk.msn.com (child domain)
        sls.uk.msn.com (grandchild domain)
    us.msn.com (child domain)

Figure 4-6 Tree and forest root domains

Creating Additional Trees

When creating additional trees, you use the Active Directory Installation Wizard.

To create an additional tree, complete the following steps:

1. Restart your computer and log on as Administrator.

2. Click Start and then click Run. In the Run dialog box, type dcpromo in the Run box and click OK.

3. On the Welcome To The Active Directory Installation Wizard page, click Next.

4. On the Operating System Compatibility page, click Next.

5. On the Domain Controller Type page, shown previously in Figure 4-1, select Domain Controller For A New Domain, and then click Next.

6. On the Create New Domain page, shown previously in Figure 4-2, select Domain Tree In An Existing Forest, and then click Next.

7. On the Network Credentials page, shown previously in Figure 4-3, type the user name, password, and domain of the user account that has permission to create the new domain in the User Name, Password, and Domain boxes, respectively. Click Next.

8. On the New Domain Tree page, shown in Figure 4-7, type the complete DNS name of the new tree root domain in the Full DNS Name For New Domain box, and then click Next.


Figure 4-7 Active Directory Installation Wizard, New Domain Tree page

9. Proceed through the following Active Directory Installation Wizard pages in the same way you did in the "Installing Active Directory Using the Active Directory Installation Wizard" section of Chapter 2:

❑ NetBIOS Domain Name

❑ Database And Log Folders

❑ Shared System Volume

❑ DNS Registration Diagnostics

❑ Permissions

❑ Directory Services Restore Mode Administrator Password

10. On the Summary page, shown in Figure 4-8, the options that you selected are listed. Note that the new domain tree is indicated. Review the contents of the Summary page, and then click Next. The Configuring Active Directory progress indicator appears as the Active Directory service is installed on the server. This process takes several minutes.


Figure 4-8 Active Directory Installation Wizard, Summary page

Creating Multiple Forests

Because Windows Server 2003 domains in a forest share a single schema, configuration container, and global catalog, and are linked by two-way transitive trusts, you should strive to have only one forest for your organization. Ideally, the use of multiple forests should be temporary and reserved for situations such as a merger, acquisition, or part­ nership where two or more organizations must be joined. By defining multiple forests, you add substantial administrative and usability costs to your organization.

Reasons to Create Multiple Forests

Although you should strive to define only one forest for your organization, there are some situations that might warrant the creation of multiple forests. You might need to consider creating multiple forests if you need to:

Secure data

Sensitive data can be protected so that only users within that forest can access it, such as a situation where business units must be separately maintained or when there is a need to isolate the schema, configuration container, or global catalog.

Isolate directory replication

Schema changes, configuration changes, and the addition of new domains to a forest affect only that forest.

Accommodate development/lab environments

New or test environments that may not yet be ready for production can be isolated from the rest of the organization.


If you want to separate business units or keep specific users from accessing resources and you cannot achieve this through your domain or OU structure, a multiple forest model can be an effective tool for creating privacy and security. The distinction to keep in mind is that domains and OUs provide administrative autonomy, whereas only a separate forest provides isolation: within a forest the schema, the configuration container, and the forest root's Enterprise Admins group are shared by every domain, so a compromised or hostile administrator anywhere in the forest can affect every other domain in it.

Implications of Creating Multiple Forests

Adding a forest dramatically increases administrative and usability costs. When determining whether to create multiple forests, keep the following administrative issues in mind:

Schema

Each forest has its own schema. You need to maintain the contents and administration group memberships for each schema separately even if they are similar.

Configuration container

Each forest has its own configuration container. You need to maintain the contents and administration group memberships for each configuration container separately even if they are similar.

Trusts

A one- or two-way forest trust is permitted between forest root domains in two different forests. You must explicitly (manually) set up and maintain this trust, which allows all domains in one forest to transitively trust all domains in another forest. A forest trust is not transitive across three or more forests.

Replication

Replication of objects between forests is manual and requires the development of new administrative policies and procedures.

Merging forests or moving domains

Forests cannot be merged in a one-step operation; you must clone security principals, migrate objects, decommission domain controllers, downgrade them to member servers, and add each to the new forest domain.

Moving objects

Although objects can be moved between forests, you must use the ClonePrincipal tool to clone security principals in the new forest, or the Ldifde.exe command-line tool to export and import other objects.

Smart card logon

Default user principal names (UPNs) must be maintained for smart cards to be able to log on across forests.

Additional domains

Each forest must contain at least one domain. Additional domains increase hardware and administrative costs.

When determining whether to create multiple forests, keep the following usability issues in mind:

User logon

Unless a forest trust is created, when a user logs on to a computer outside his or her own forest, he or she must specify the default UPN, which contains the full domain path for the user account, rather than just the easy-to-remember abstracted UPN. The default UPN is required because the domain controller in the forest will not be able to find the abstracted UPN in its global catalog. The user's abstracted UPN resides only in the global catalog in the user's forest.

User queries

Unless a forest trust is created, users must be trained to make explicit queries across all of an organization’s forests. Incomplete or incorrect queries can affect how users perform their work.

All the reasons for creating multiple forests involve administrative issues. However, the negative effects of a multiple forest scenario have the greatest impact on users. Unless you plan to create and administer forest trusts to make the use of multiple forests in your organization appear transparent to users, you should try not to create separate forests.

Creating Additional Forests

When creating additional forests, you use the Active Directory Installation Wizard.

To create an additional forest, complete the following steps:

1. Restart your computer and log on as Administrator.

2. Click Start and then click Run. In the Run dialog box, type dcpromo in the Run box and then click OK.

3. On the Welcome To The Active Directory Installation Wizard page, click Next.

4. On the Operating System Compatibility page, click Next.

5. On the Domain Controller Type page, shown previously in Figure 4-1, select Domain Controller For A New Domain, and then click Next.

6. On the Create New Domain page, shown previously in Figure 4-2, select Domain In A New Forest, and then click Next.

7. On the New Domain Name page, shown in Figure 4-9, type the complete DNS name of the new forest root domain in the Full DNS Name For New Domain box, and then click Next.


Figure 4-9 Active Directory Installation Wizard, New Domain Name page

8. Proceed through the following Active Directory Installation Wizard pages in the same way you did in the "Installing Active Directory Using the Active Directory Installation Wizard" section of Chapter 2:

❑ NetBIOS Domain Name

❑ Database And Log Folders

❑ Shared System Volume

❑ DNS Registration Diagnostics

❑ Permissions

❑ Directory Services Restore Mode Administrator Password

9. On the Summary page, shown in Figure 4-10, the options that you selected are listed. Note that the new forest is indicated. Review the contents of the Summary page, and then click Next. The Configuring Active Directory progress indicator appears as the Active Directory service is installed on the server. This process takes several minutes.


Figure 4-10 Active Directory Installation Wizard, Summary page

Practice: Creating a Child Domain

In this practice, you create a child domain for the domain contoso.com.

Exercise 1: Creating a Child Domain

In this exercise, you create the child domain chi.contoso.com.

To create a child domain

1. Log on to Server1 and Server2 as Administrator. If you completed the exercises in Chapter 2, Server2 should currently be a member server.

2. Use the procedure provided earlier in this lesson to create a child domain named chi.contoso.com on Server2. The parent domain is contoso.com.

3. Verify that the domain has been installed correctly on Server2 by verifying the domain configuration, the DNS configuration, DNS integration with Active Directory, installation of the shared system volume, and operation of the Directory Services Restore Mode boot option as described in Chapter 2.

4. On Server1, click Start, point to Administrative Tools, and then click Active Directory Domains And Trusts. Note the presence of the chi.contoso.com domain when you expand the contoso.com domain.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. What is the main consequence of creating multiple domains and trees?

2. Why would you need to create additional trees in your Active Directory forest?

3. What is a tree root domain?

4. What are the reasons for creating multiple forests in an organization?

5. Which of the following is not a reason for creating multiple domains?

a. To meet security requirements

b. To meet administrative requirements

c. To optimize replication traffic

d. To meet delegation requirements

e. To retain Windows NT domains

Lesson Summary

Create multiple domains to meet security requirements, meet administrative requirements, optimize replication traffic, or retain Windows NT domains.

Although the recommended number of trees in a forest is one, you might need to define more than one tree if your organization has more than one DNS name.

Adding a domain or tree increases administrative and hardware costs.

The recommended number of forests is one. Consider creating multiple forests if you need to secure data or you need to isolate directory replication.

Adding a forest dramatically increases administrative and usability costs and can directly affect users during the logon and query processes.

To create additional domains, trees, or forests, you use the Dcpromo command and the Active Directory Installation Wizard.


Lesson 2: Renaming and Restructuring Domains and Renaming Domain Controllers

Windows Server 2003 allows you to rename any domain that has domain controllers running Windows Server 2003, move existing domains to other locations in the domain hierarchy, and rename domain controllers without first demoting them. This lesson shows you how to rename and restructure domains and how to rename domain controllers.

After this lesson, you will be able to

■ Name the tool used to rename and restructure a domain

■ Rename a domain controller

Estimated lesson time: 15 minutes

Renaming and Restructuring Domains

Windows Server 2003 allows you to rename a domain, which provides you with the flexibility to make important forest-wide infrastructure changes as the needs of your organization change. Renaming domains can accommodate acquisitions, mergers, name changes, or reorganizations.

Note

In Windows Server 2003, the domain renaming function provides a supported method to rename domains only when necessary. Domain renaming is a complex process, and the renaming function is not intended for use as a routine operation.

Windows Server 2003 also allows you to restructure the hierarchy of domains in your forest so that a domain residing in one domain tree can be moved to another domain tree. Restructuring a forest allows you to move a domain anywhere within the forest it resides in (except the forest root domain); this includes the ability to move a domain so that it becomes the root of its own domain tree.

Note

You can rename or restructure the domains in a forest only if all domain controllers in the forest are running Windows Server 2003, all domain functional levels in the forest have been raised to Windows Server 2003, and the forest functional level has been raised to Windows Server 2003.


You can use the domain rename utility (Rendom.exe) to rename or restructure a domain. Domain rename allows you to

■ Change the DNS and NetBIOS names of the forest-root domain

■ Change the DNS and NetBIOS names of any tree-root domains

■ Change the DNS and NetBIOS names of any parent and child domains

■ Restructure a domain’s position in the forest

The Rendom.exe utility can be found in the \Valueadd\Msft\Mgmt\Domren directory on the Windows Server 2003 CD-ROM. A domain rename will affect every domain controller in your forest and is a thorough multi-step process that requires a detailed understanding of the operation. For detailed information about the domain rename function, see the Readme file found in the same directory.

Renaming a Domain Controller

Windows Server 2003 allows you to rename domain controllers running Windows Server 2003. You might want to rename a domain controller to

■ Use an existing domain controller to serve a large number of clients whose inaccessibility could overload the remaining domain controllers

■ Restructure your network for organizational and business needs

■ Make management and administrative control easier

Only Domain Admins have sufficient permissions to rename a domain controller.

Note

You can rename a domain controller only if the domain functional level of the domain to which the domain controller is joined is set to Windows Server 2003.

When a domain controller is renamed, the new name is automatically updated to DNS and Active Directory. Once the new name propagates to DNS and Active Directory, clients are then capable of locating and authenticating to the renamed domain controller.

DNS and Active Directory replication latency may cause a temporary inability of clients to locate or authenticate to the renamed domain controller. The length of time this takes depends on specifics of the network and the replication topology of the organization. This might be acceptable for clients who try to locate and authenticate to a particular domain controller since other domain controllers should be available to process the authentication request.


Note

If the new domain controller name contains a primary DNS suffix different from the name of the domain to which it is joined, the domain should be properly configured for the new primary DNS suffix. The new primary DNS suffix is written to the dnsHostName attribute of the computer account in Active Directory.

You rename a domain controller by using the Netdom.exe: Windows Domain Manager command-line tool, included with the Windows Support Tools on the Windows Server 2003 Setup CD-ROM. You use the Netdom Computername command to manage the primary and alternate names for a computer.

Note

For detailed instructions on installing the Windows Support Tools, refer to Chapter 3, “Administering Active Directory.”

To rename a domain controller, complete the following steps:

1. Click Start, and then click Command Prompt.

2. At the command prompt, type netdom computername CurrentComputerName /add:NewComputerName, where CurrentComputerName is the current full computer name or IP address of the domain controller you are renaming and NewComputerName is the new full name for the domain controller. This action updates the service principal name (SPN) attributes in Active Directory for this domain controller account and registers DNS resource records for the new domain controller name.

3. Wait for the replication latency time interval to ensure replication of the registered DNS host (A) resource record(s) to all authoritative DNS servers.

4. At the command prompt, type netdom computername CurrentComputerName /makeprimary:NewComputerName, where CurrentComputerName is the current full computer name or IP address of the domain controller you are renaming and NewComputerName is the new full name for the domain controller. This action updates the domain controller account in Active Directory with the new domain controller name (the name you added in step 2).

5. Restart the computer.

6. Wait for the replication of the domain controller locator resource records to occur on all authoritative DNS servers. These records are registered by the domain controller after the renamed domain controller has been restarted and contain the new computer name. The records that are registered are available on the domain controller in the %Systemroot%\System32\Config\Netlogon.dns file.


7. To ensure that the domain controller has been successfully renamed, make the following checks:

❑ Click Start, point to Control Panel, and then click System. On the Computer Name tab, verify that the correct name appears after Full Computer Name. Click Cancel.

❑ Click Start, and then click Command Prompt. At the command prompt, validate the names that the computer is currently configured with by typing netdom computername NewComputerName /enumerate, where NewComputerName is the new name of the domain controller. Note that the domain controller has two names.

8. At the command prompt, type netdom computername NewComputerName /remove:OldComputerName, where NewComputerName is the new name of the domain controller and OldComputerName is the old name of the domain controller. This action removes the old domain controller name.

Note

Both the old and new domain controller names are maintained until you remove the old domain controller name (shown in step 8). This function ensures that there is no interruption in the ability of clients to locate or authenticate to the renamed domain controller, except when the domain controller is restarted.

The new computer name must not coincide with the name of a computer object that already exists in the domain. Microsoft recommends using computer names that are shorter than 16 bytes. If you rename your computer or workgroup when it is disconnected from the network, duplicate computer names might result. Check with your network administrator before renaming your computer.
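The procedure above is worth scripting, because its two waits (steps 3 and 6) are where a manual rename most often goes wrong: the old name is removed before the new records have reached every DNS server, and clients lose the ability to locate the domain controller. The following PowerShell script is an added example, not code from the training kit. It runs the same netdom computername commands in two phases, with the restart of step 5 between them, and polls DNS instead of guessing at replication latency. It assumes an elevated session as a Domain Admin on the domain controller being renamed, that netdom.exe and the DnsClient module’s Resolve-DnsName cmdlet are available (Windows Server 2012 or later, not the Windows Server 2003 Support Tools this lesson describes), and that the host names and DNS servers shown are placeholders.

```powershell
<#
Added example: two-phase wrapper around "netdom computername".
Phase Prepare = steps 2-4 (add the name, wait for the A record, make primary).
Restart the domain controller (step 5), then run Phase Finish = steps 6-8
(wait for the locator SRV records, enumerate names, remove the old name).
All names below are placeholders; $DnsServers must list the authoritative
servers for the zone.
#>
param(
    [Parameter(Mandatory)][ValidateSet('Prepare', 'Finish')][string]$Phase,
    [Parameter(Mandatory)][string]$OldName,          # e.g. server1.contoso.com (placeholder)
    [Parameter(Mandatory)][string]$NewName,          # e.g. server9.contoso.com (placeholder)
    [string[]]$DnsServers = @('dns1.contoso.com'),   # placeholder
    [int]$TimeoutMinutes = 30
)

$ErrorActionPreference = 'Stop'

# Runs "netdom computername <args>" and fails fast on a non-zero exit code.
function Invoke-NetdomComputerName {
    param([Parameter(Mandatory)][string[]]$NetdomArgs)
    & netdom.exe computername @NetdomArgs
    if ($LASTEXITCODE -ne 0) {
        throw "netdom computername $($NetdomArgs -join ' ') failed (exit code $LASTEXITCODE)"
    }
}

# Polls every DNS server until $Check returns $true for each one, or times out.
function Wait-ForDnsCondition {
    param(
        [Parameter(Mandatory)][string]$Description,
        [Parameter(Mandatory)][scriptblock]$Check,   # called with one server name
        [Parameter(Mandatory)][string[]]$Servers,
        [Parameter(Mandatory)][int]$TimeoutMinutes
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $pending = @($Servers | Where-Object { -not (& $Check $_) })
        if ($pending.Count -eq 0) { return }
        Write-Host "Waiting for $Description on: $($pending -join ', ')"
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "$Description did not reach all DNS servers within $TimeoutMinutes minutes"
}

# True when $Server answers an A query for $Name (the record registered in step 2).
function Test-HostRecord {
    param([string]$Name, [string]$Server)
    try {
        $null = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop
        return $true
    } catch { return $false }
}

# True when the domain controller locator SRV record on $Server lists $Name as a
# target, i.e. the Netlogon.dns records registered after the restart have replicated.
function Test-LocatorRecord {
    param([string]$Name, [string]$Domain, [string]$Server)
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Server -DnsOnly -ErrorAction Stop
        return [bool]($srv | Where-Object { $_.NameTarget.TrimEnd('.') -ieq $Name })
    } catch { return $false }
}

# The DNS domain is everything after the first label of the new FQDN.
$domain = $NewName.Substring($NewName.IndexOf('.') + 1)

switch ($Phase) {
    'Prepare' {
        # Step 2: add the new name; netdom updates the SPNs and registers DNS records.
        Invoke-NetdomComputerName -NetdomArgs @($OldName, "/add:$NewName")
        # Step 3: wait until every authoritative server answers for the new name.
        Wait-ForDnsCondition -Description "A record for $NewName" -Servers $DnsServers `
            -TimeoutMinutes $TimeoutMinutes -Check { param($s) Test-HostRecord -Name $NewName -Server $s }
        # Step 4: promote the new name to primary.
        Invoke-NetdomComputerName -NetdomArgs @($OldName, "/makeprimary:$NewName")
        Write-Host "Primary name is now $NewName. Restart the domain controller (step 5), then run -Phase Finish."
    }
    'Finish' {
        # Step 6: wait for the locator records that carry the new name.
        Wait-ForDnsCondition -Description "locator SRV record naming $NewName" -Servers $DnsServers `
            -TimeoutMinutes $TimeoutMinutes -Check { param($s) Test-LocatorRecord -Name $NewName -Domain $domain -Server $s }
        # Step 7: list the names; both old and new are still present at this point.
        Invoke-NetdomComputerName -NetdomArgs @($NewName, '/enumerate')
        # Step 8: remove the old name only after the checks above have passed.
        Invoke-NetdomComputerName -NetdomArgs @($NewName, "/remove:$OldName")
    }
}
```

Run it as `.\Rename-Dc.ps1 -Phase Prepare -OldName server1.contoso.com -NewName server9.contoso.com -DnsServers dns1.contoso.com,dns2.contoso.com`, restart, then repeat with `-Phase Finish`. Listing every authoritative DNS server matters: a name that resolves on the server the script happens to query can still be missing on a server another site uses, which is exactly the client-facing outage the Note above warns about.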

Practice: Renaming a Domain Controller

In this practice, you rename Server1.

Exercise 1: Renaming a Domain Controller

In this exercise, you rename Server1 to be Server9.

To rename a domain controller

1. Log on to Server1 as Administrator.

2. Use the procedure provided earlier in this lesson to change the name of server1.contoso.com to server9.contoso.com.

3. Use the procedure provided earlier in this lesson to ensure that the domain controller has been successfully renamed to server9.contoso.com.

4. Use the procedure provided earlier in this lesson to change the name of server9.contoso.com back to server1.contoso.com.


Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. Under what domain and forest functional levels can you rename or restructure domains in a forest?

2. What utility is used to rename or restructure a domain in a forest?

3. Under what domain functional level can you rename a domain controller?

4. What tool is used to rename a domain controller?

Lesson Summary

You can rename the domains in a forest only if all domain controllers in the forest are running Windows Server 2003, all domain functional levels in the forest have been raised to Windows Server 2003, and the forest functional level has been raised to Windows Server 2003.

You use the domain rename utility (Rendom.exe) to rename or restructure a domain.

You can rename a domain controller only if the functional level of the domain to which the domain controller is joined is set to Windows Server 2003.

You rename a domain controller by using the Netdom.exe: Windows Domain Manager command-line tool, included with the Windows Support Tools on the Windows Server 2003 Setup CD-ROM. You use the Netdom Computername command to manage the primary and alternate names for a computer.


Lesson 3: Managing Operations Master Roles

This lesson introduces you to operations master roles and the tasks involved in the management of master role assignments. Operations master roles (also known as flexible single master operations, or FSMO) are special roles assigned to one or more domain controllers in an Active Directory domain. The domain controllers assigned these roles perform single-master replication. In this lesson, you learn how to plan operations master locations and to view, transfer, and seize operations master role assignments.

After this lesson, you will be able to

■ Describe the forest-wide operations master roles

■ Describe the domain-wide operations master roles

■ Plan operations master locations

■ View operations master role assignments

■ Transfer operations master role assignments

■ Seize operations master role assignments

Estimated lesson time: 30 minutes

Operations Master Roles

As discussed in Chapter 1, Active Directory supports multimaster replication of the Active Directory database between all domain controllers in the domain. However, some changes are impractical to perform in multimaster fashion, so one or more domain controllers can be assigned to perform operations that are single-master (not permitted to occur at different places in a network at the same time). Operations master roles are assigned to domain controllers to perform single-master operations.

In any Active Directory forest, five operations master roles must be assigned to one or more domain controllers. Some roles must appear in every forest. Other roles must appear in every domain in the forest. You must be aware of operations master roles assigned to a domain controller if problems develop on the domain controller or if you plan to take it out of service.

Forest-Wide Operations Master Roles

Every Active Directory forest must have the following roles:

■ Schema master

■ Domain naming master


These roles must be unique in the forest. This means that throughout the entire forest there can be only one schema master and one domain naming master.

Schema Master Role

The domain controller assigned the schema master role controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. At any time, there can be only one schema master in the entire forest.

Domain Naming Master Role

The domain controller holding the domain naming master role controls the addition or removal of domains in the forest. There can be only one domain naming master in the entire forest at any time.

Domain-Wide Operations Master Roles

Every domain in the forest must have the following roles:

■ Relative identifier (RID), or relative ID, master

■ Primary domain controller (PDC) emulator

■ Infrastructure master

These roles must be unique in each domain. This means that each domain in the forest can have only one RID master, PDC emulator master, and infrastructure master.

RID Master Role

The domain controller assigned the RID master role allocates sequences of relative IDs to each of the various domain controllers in its domain. At any time, there can be only one domain controller acting as the RID master in each domain in the forest.

Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID. The security ID consists of a domain security ID (that is the same for all security IDs created in the domain) and a relative ID that is unique for each security ID created in the domain.
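The split between domain security ID and relative ID described above can be read straight out of any SID, which is useful when an audit trail or a directory dump shows only raw SIDs. The following PowerShell function is an added example, not from the training kit. It uses the .NET SecurityIdentifier class (Windows PowerShell 5.1 or later for the ::new syntax) and accepts either the string form or the binary objectSid bytes stored in Active Directory. The well-known RID table and the rule that RIDs below 1000 are reserved while pool-issued RIDs start at 1000 are standard Windows facts the lesson does not state; the sample SIDs at the bottom are constructed and belong to no real domain.

```powershell
# Added example (not from the training kit): split a security ID into the
# domain SID and the relative ID (RID) with the .NET SecurityIdentifier class.

# Well-known RIDs that exist in every domain (not an exhaustive list).
$script:WellKnownRids = @{
    500 = 'Administrator'; 501 = 'Guest'; 502 = 'krbtgt'
    512 = 'Domain Admins'; 513 = 'Domain Users'; 516 = 'Domain Controllers'
    518 = 'Schema Admins'; 519 = 'Enterprise Admins'
}

function Split-Sid {
    param(
        # A SID string such as S-1-5-21-...-512, or an objectSid byte array.
        [Parameter(Mandatory)]$Sid
    )
    $identifier = if ($Sid -is [System.Array]) {
        # Binary layout as stored in the objectSid attribute.
        [System.Security.Principal.SecurityIdentifier]::new([byte[]]$Sid, 0)
    } else {
        [System.Security.Principal.SecurityIdentifier]::new([string]$Sid)
    }
    $domainSid = $identifier.AccountDomainSid   # $null unless this is a domain account SID

    if ($null -eq $domainSid) {
        # Built-in or well-known SIDs such as S-1-5-18 (Local System) carry no domain part.
        return [pscustomobject]@{ Sid = $identifier.Value; DomainSid = $null; Rid = $null; Kind = 'non-domain SID' }
    }
    if ($identifier.Value -eq $domainSid.Value) {
        # The domain SID itself: every security ID created in the domain shares this prefix.
        return [pscustomobject]@{ Sid = $identifier.Value; DomainSid = $domainSid.Value; Rid = $null; Kind = 'domain SID' }
    }

    # The RID is the final sub-authority that follows the domain SID prefix.
    $rid  = [int]($identifier.Value.Substring($domainSid.Value.Length + 1))
    $kind = if ($script:WellKnownRids.ContainsKey($rid)) { $script:WellKnownRids[$rid] }
            elseif ($rid -lt 1000) { 'reserved well-known RID' }
            else { 'issued from a RID pool' }   # allocated by a DC from a block the RID master handed out
    [pscustomobject]@{ Sid = $identifier.Value; DomainSid = $domainSid.Value; Rid = $rid; Kind = $kind }
}

# Produces the binary objectSid layout for a SID string, so the byte path of
# Split-Sid can be exercised without a directory (sample helper only).
function ConvertTo-SidBytes {
    param([Parameter(Mandatory)][string]$Sid)
    $identifier = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    $bytes = New-Object byte[] $identifier.BinaryLength
    $identifier.GetBinaryForm($bytes, 0)
    return ,$bytes   # the leading comma keeps the byte[] from being unrolled
}

# Constructed sample domain SID; the sub-authority values are not from any real domain.
$sampleDomain = 'S-1-5-21-1004336348-1177238915-682003330'
Split-Sid "$sampleDomain-512"                        # Domain Admins
Split-Sid (ConvertTo-SidBytes "$sampleDomain-1105")  # a pool-issued RID, via the byte form
Split-Sid 'S-1-5-18'                                 # Local System, no domain part
```

With the ActiveDirectory module installed, `(Get-ADUser someone).SID.Value` or the objectSid bytes from an ADSI search can be fed to Split-Sid unchanged. Because RIDs below 1000 are fixed, a Domain Admins group in any domain always ends in -512; the domain prefix is what tells two domains’ groups apart.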

To move an object between domains (using Movetree.exe: Active Directory Object Manager), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object.


PDC Emulator Role

If the domain contains computers operating without Windows Server 2003 client software or if it contains Windows NT backup domain controllers (BDCs), the domain controller assigned the PDC emulator role acts as a Windows NT PDC. It processes password changes from clients and replicates updates to the BDCs. At any time, there can be only one domain controller acting as the PDC emulator in each domain in the forest.

Even after all systems are upgraded to Windows Server 2003, and the Windows Server 2003 domain is operating at the Windows Server 2003 functional level, the PDC emulator receives preferential replication of password changes performed by other domain controllers in the domain. If a password was recently changed, that change takes time to replicate to every domain controller in the domain. If a logon authentication fails at another domain controller due to a bad password, that domain controller forwards the authentication request to the PDC emulator before rejecting the logon attempt.

Infrastructure Master Role

The domain controller assigned the infrastructure master role is responsible for updating the group-to-user references whenever the members of groups are renamed or changed. At any time, there can be only one domain controller acting as the infrastructure master in each domain.

When you rename or move a member of a group (and the member resides in a different domain from the group), the group might temporarily appear not to contain that member. The infrastructure master of the group’s domain is responsible for updating the group so it knows the new name or location of the member. The infrastructure master distributes the update via multimaster replication.

There is no compromise to security during the time between the member rename and the group update. Only an administrator looking at that particular group membership would notice the temporary inconsistency.

Note

If there is more than one domain controller in the domain, the infrastructure master role should not be assigned to any domain controller that is hosting the global catalog. For more information, refer to the “Planning Operations Master Locations” section of this chapter.


Figure 4-11 shows how the operations master roles are distributed throughout a forest by default. Domain A was the first domain created in the forest (the forest root domain). It holds both of the forest-wide operations master roles. The first domain controller in each of the other domains is assigned the three domain-specific roles.

[Figure 4-11 shows Domains A through F. Legend: 1 = schema master and domain naming master, held only by Domain A, the forest root; 2 = RID master, PDC emulator, and infrastructure master, one set held in each of Domains A, B, C, D, E, and F.]

Figure 4-11 Operations master role default distribution in a forest

Exam Tip

Know which operations master roles are forest-wide and which are domain-wide.

Managing Operations Master Roles

There are two ways to manage operations master roles: transfer and seizure.

Transferring Operations Master Roles

To transfer an operations master role is to move it with the cooperation of its current owner. You transfer an operations master role when you want to move a role from one server to another. The transfer of an operations master role is secured by standard Windows Server 2003 access controls, and should be limited to only those that might need to move it. For example, an organization with a substantial Information Technology (IT) department might place the schema master role on a server in the IT group and configure its access control list (ACL) so that it cannot be moved at all.

Seizing Operations Master Roles

To seize an operations master role is to move it without the cooperation of its current owner. You seize an operations master role assignment when a server that is holding a role fails and you do not intend to restore it. The operations master role assignment is seized (reassigned) to a domain controller you select to act as a standby operations master. Some operations master roles are crucial to the operation of your network. Others can be unavailable for quite some time before their absence becomes a problem. Generally, you will notice that a single master operations role holder is unavailable when you try to perform some function controlled by the particular operations master.

Before seizing the operations master role, determine the cause and expected duration of the computer or network failure. If the cause is a networking problem or a server failure that will be resolved soon, wait for the role holder to become available again.

If the domain controller that currently holds the role has failed, you must determine if it can be recovered and brought back online. You must also determine which domain controller can effectively serve as a standby operations master. In general, seizing an operations master role is a drastic step that should be considered only if the current operations master will never be available again. The decision depends upon the role and how long the particular role holder will be unavailable. The impact of various role holder failures is discussed in the following topics.

Caution

A domain controller whose schema, domain naming, or RID master role has been seized must never be brought back online without first reformatting the drives and reloading Windows Server 2003. Before proceeding with the role seizure, you must ensure that the outage of this domain controller is permanent by physically disconnecting the domain controller from the network.

Schema Master Failure Temporary loss of the schema operations master is not visible to network users. It is not visible to network administrators either, unless they are trying to modify the schema or install an application that modifies the schema during installation. If the schema master will be unavailable for an unacceptable length of time, you can seize the role to the domain controller you’ve chosen to act as the standby schema master. However, seizing this role is a step that you should take only when the failure of the schema master is permanent.

Domain Naming Master Failure

Temporary loss of the domain naming master is not visible to network users. It is not visible to network administrators either, unless they are trying to add a domain to the forest or remove a domain from the forest. If the domain naming master will be unavailable for an unacceptable length of time, you can seize the role to the domain controller you’ve chosen to act as the standby domain naming master. However, seizing this role is a step that you should take only when the failure of the domain naming master is permanent.


RID Master Failure Temporary loss of the RID operations master is not visible to network users. It is not visible to network administrators either, unless they are creating objects and the domain in which they are creating the objects runs out of relative identifiers. If the RID master will be unavailable for an unacceptable length of time, you can seize the role to the domain controller you’ve chosen to act as the standby RID master. However, seizing this role is a step that you should take only when the failure of the RID master is permanent.

PDC Emulator Failure The loss of the PDC emulator affects network users. Therefore, when the PDC emulator is not available, you might need to immediately seize the role.

If the current PDC emulator will be unavailable for an unacceptable length of time and its domain has clients without Windows Server 2003 client software, or if it contains Windows NT backup domain controllers, seize the PDC emulator role to the domain controller you’ve chosen to act as the standby PDC emulator. When the original PDC emulator is returned to service, you can return the role to the original domain controller.

Infrastructure Master Failure

Temporary loss of the infrastructure master is not visible to network users. It is not visible to network administrators either, unless they have recently moved or renamed a large number of accounts. If the infrastructure master will be unavailable for an unacceptable length of time, you can seize the role to a domain controller that is not a global catalog but is well connected to a global catalog (from any domain), ideally in the same site as a global catalog server. When the original infrastructure master is returned to service, you can transfer the role back to the original domain controller.

Planning Operations Master Locations

When you create the first domain in a new forest, all of the operations master roles are automatically assigned to the first domain controller in that domain. When you create a new child domain or the root domain of a new domain tree in an existing forest, the first domain controller in the new domain is automatically assigned the RID master, PDC emulator, and infrastructure master roles. Because there can be only one schema master and one domain naming master in the forest, these roles remain in the first domain on the first domain controller created in the forest.

The default operations master locations work well for a forest deployed on a few domain controllers in a single site. In a forest with more domain controllers, or in a forest that spans multiple sites, you need to transfer the default operations master role assignments to other domain controllers in the domain or forest to

■ Balance the load among domain controllers, or

■ Accommodate domain controller maintenance and hardware upgrades


Planning the Operations Master Role Assignments by Domain

Follow these guidelines when assigning operations master roles for a domain:

■ If a domain has only one domain controller, that domain controller must hold all of the domain roles.

■ If a domain has more than one domain controller

❑ Choose two well-connected domain controllers that are direct replication partners. Make one of the domain controllers the operations master domain controller, to which you should assign the RID master, the PDC emulator, and the infrastructure master roles. The other domain controller functions as a standby operations master domain controller, used in case of failure of the operations master domain controller.

❑ In domains that are not large, assign both the RID master and PDC emulator roles to the domain controller you selected as the operations master domain controller.

❑ In very large domains, you can reduce the peak load on the PDC emulator by placing RID master and PDC emulator roles on separate domain controllers, both of which are direct replication partners of the domain controller you selected as the standby operations master domain controller. However, to avoid the administrative tasks associated with separating the two roles, you should keep the two roles together unless the load on the domain controller you selected as the operations master domain controller justifies separating the roles.

❑ The infrastructure master role should not be assigned to any domain controller that is hosting the global catalog. However, you should assign the infrastructure master role to any domain controller that is well connected to a global catalog (from any domain) in the same site. If the domain controller you selected as the operations master domain controller meets these requirements, use it unless the load justifies the extra management burden of separating the roles. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain. If all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers have the current data and it does not matter which domain controller holds the infrastructure master role.


Planning the Operations Master Roles for the Forest

Once you have planned all of the domain roles for each domain, consider the forest roles. The schema master and the domain naming master roles should always be assigned to the same domain controller. For best performance, assign them to a domain controller that is well connected to the computers used by the administrator or group responsible for schema updates and the creation of new domains. The load of these operations master roles is very light, so, to simplify management, place these roles on the operations master domain controller of one of the domains in the forest.

Planning for Growth

Normally, as your forest grows, you will not need to change the locations of the various operations master roles. But when you are planning to decommission a domain controller, to change the global catalog status of a domain controller, or to reduce the connectivity between parts of your network, you should review your plan and revise the operations master role assignments, as necessary.

Viewing Operations Master Role Assignments

Before you can revise operations master role assignments, you need to view the current operations master role assignments for your domain.

To view the RID master, the PDC emulator, or the infrastructure master role assignments, complete the following steps:

1. Open the Active Directory Users And Computers console.

2. In the console tree, right-click the Active Directory Users And Computers node, point to All Tasks, and then click Operations Masters.

3. In the Operations Masters dialog box, select one of the following choices:

❑ Click the RID tab, and the name of the RID master appears in the Operations Master box.

❑ Click the PDC tab, and the name of the PDC emulator appears in the Operations Master box.

❑ Click the Infrastructure tab, and the name of the infrastructure master appears in the Operations Master box.

4. Click Close to close the Operations Master dialog box.


To view the domain naming master role assignment, complete the following steps:

1. Open the Active Directory Domains And Trusts console.

2. In the console tree, right-click the Active Directory Domains And Trusts node, then click Operations Master. In the Change Operations Master dialog box, the name of the current domain naming master appears in the Domain Naming Operations Master box.

3. Click Close to close the Change Operations Master dialog box.

To view the schema master role assignment, complete the following steps:

1. Open the Active Directory Schema snap-in.

Note

The Active Directory Schema snap-in must be installed separately after Active Directory is installed. See Chapter 3 for details on installing the Active Directory Schema snap-in.

2. In the console tree, right-click Active Directory Schema, and then click Operations Master. In the Change Schema Master dialog box, the name of the current schema master appears in the Current Schema Master (Online) box.

3. Click Close to close the Change Schema Master dialog box.

Transferring an Operations Master Role Assignment

To perform a role transfer, both domain controllers must be available and connected to each other through the network. Depending upon the operations master role to be transferred, you perform the role transfer using one of the three Active Directory consoles.

To transfer the RID master, the PDC emulator, or the infrastructure master role assignments, complete the following steps:

1. Open the Active Directory Users And Computers console.

2. In the console tree, right-click the Active Directory Users And Computers node, and then click Connect To Domain.

3. In the Connect To Domain dialog box, type the domain name or click Browse to select the domain from the list, and then click OK.

4. In the console tree, right-click the Active Directory Users And Computers node, and then click Connect To Domain Controller.

5. In the Connect To Domain Controller dialog box, shown in Figure 4-12, in the Or Select An Available Domain Controller list, select the domain controller that will become the new RID master, PDC emulator, or infrastructure master, and then click OK.

Lesson 3 Managing Operations Master Roles 4-33

Figure 4-12 Connect To Domain Controller dialog box

6. In the console tree, right-click the Active Directory Users And Computers node, point to All Tasks, and then click Operations Masters.

7. In the Operations Masters dialog box, shown in Figure 4-13, select one of the following choices:

   ■ Click the RID tab, and then click Change.

   ■ Click the PDC tab, and then click Change.

   ■ Click the Infrastructure tab, and then click Change.

Figure 4-13 Operations Masters dialog box


8. On the Active Directory message box, click Yes to confirm that you want to transfer the operations master role. On the second Active Directory message box, click OK.

9. Click Close to close the Operations Master dialog box.

To transfer the domain naming master role assignment, complete the following steps:

1. Open the Active Directory Domains And Trusts console.

2. In the console tree, right-click the Active Directory Domains And Trusts node, and then click Connect To Domain Controller.

3. In the Connect To Domain Controller dialog box, in the Or Select An Available Domain Controller list, select the domain controller that will become the new domain naming master, and then click OK.

4. In the console tree, right-click the Active Directory Domains And Trusts node, and then click Operations Master.

5. In the Change Operations Master dialog box, shown in Figure 4-14, click Change.

Figure 4-14 Change Operations Master dialog box

6. Click Close to close the Change Operations Master dialog box.

To transfer the schema master role assignment, complete the following steps:

1. Open the Active Directory Schema snap-in.

Note

The Active Directory Schema snap-in must be installed separately after Active Directory is installed. See Chapter 3 for details on installing the Active Directory Schema snap-in.

2. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.


3. In the Change Domain Controller dialog box, shown in Figure 4-15, click either Any DC, to let Active Directory select the new schema operations master, or Specify Name, and then type the name of the new schema master to specify the new schema operations master.

Figure 4-15 Change Domain Controller dialog box

4. Click OK.

5. In the console tree, right-click Active Directory Schema, and then click Operations Master.

6. In the Change Schema Master dialog box, click Change.

7. Click OK to close the Change Schema Master dialog box.

Seizing an Operations Master Role Assignment

A role seizure is controlled through the same per-role object permissions that control role transfers, plus the Write fsmoRoleOwner property permission at the new role owner. To seize a role, you need both the per-role object permission and the Write fsmoRoleOwner property permission. By default, the Write fsmoRoleOwner property permission is granted to the same groups that are granted the per-role object permissions.

A role seizure is a two-step process. In the first step, you must determine whether the domain controller that seizes the role is fully up-to-date with the updates performed on the previous role owner by using the Repadmin command-line tool. After you have determined the status of the domain controller seizing the role, you can seize the operations master role by using the Ntdsutil utility.

Caution

Do not seize an operations master role if you can transfer it instead. Seizing an operations master role is a drastic step that should be considered only if the current operations master will never be available again.


Determining the Status of the Domain Controller Seizing the Role

The domain controller that seizes the role must be fully up-to-date with the updates performed on the previous role owner. Because of replication latency, it is possible that the domain controller might not be up-to-date. To check the status of updates for a domain controller, use the Repadmin.exe: Replication Diagnostics command-line tool, included with the Windows Support Tools on the Windows Server 2003 CD-ROM in the \Support\Tools folder.

Note

For detailed instructions on installing the Windows Support Tools, refer to Chapter 3, “Administering Active Directory.”

For example, to make sure a domain controller is fully up-to-date, suppose that “server1” is the RID master of the domain microsoft.com, “server2” is the standby operations master domain controller, and “server3” is the only other domain controller in the microsoft.com domain. Using the Repadmin tool along with the /Showutdvec argument, you would issue the following commands:

C:\>repadmin /showutdvec server2.microsoft.com dc=microsoft,dc=com
New-York\server1 @ USN 2604 @ Time 2003-01-22 12:50:44
San-Francisco\server3 @ USN 2706 @ Time 2003-01-22 12:53:36

C:\>repadmin /showutdvec server3.microsoft.com dc=microsoft,dc=com
New-York\server1 @ USN 2590 @ Time 2003-01-22 12:50:44
Chicago\server2 @ USN 3110 @ Time 2003-01-22 12:57:55

The output for server1 is especially relevant. Server2’s up-to-date status value with respect to server1 (server1 @ USN 2604) is larger than server3’s up-to-date status value with respect to server1 (server1 @ USN 2590), making it safe for server2 to seize the RID master role formerly held by server1. If the up-to-date status value for server2 was less than the value for server3, you would wait for normal replication to update server2, or use the Repadmin tool’s /Syncall commands to make the replication happen immediately. You can learn more about using Repadmin in Windows Support Tools help.
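To make the comparison above repeatable, here is an added example (not from the book and not part of the Repadmin tool) that parses saved /showutdvec output and reports whether the standby domain controller is missing any changes that another domain controller has already received from the former role holder. The sample vectors are constructed from the two commands shown above.

```python
import re

# One line of `repadmin /showutdvec` output looks like:
#   New-York\server1 @ USN 2604 @ Time 2003-01-22 12:50:44
UTD_LINE = re.compile(
    r"^\s*(?P<site>[^\\\s]+)\\(?P<server>\S+)\s+@\s+USN\s+(?P<usn>\d+)"
    r"\s+@\s+Time\s+(?P<time>\S+\s+\S+)\s*$"
)

# Constructed sample input, copied from the two commands discussed in the text:
# the up-to-dateness vector of server2 and of server3 for dc=microsoft,dc=com.
SERVER2_UTD = """\
New-York\\server1 @ USN 2604 @ Time 2003-01-22 12:50:44
San-Francisco\\server3 @ USN 2706 @ Time 2003-01-22 12:53:36
"""
SERVER3_UTD = """\
New-York\\server1 @ USN 2590 @ Time 2003-01-22 12:50:44
Chicago\\server2 @ USN 3110 @ Time 2003-01-22 12:57:55
"""


def parse_showutdvec(text):
    """Map each originating DC (lower-cased name) to the highest USN from that
    DC which the queried DC has applied. Lines that are not vector entries
    (banners, blank lines) are ignored."""
    vec = {}
    for line in text.splitlines():
        m = UTD_LINE.match(line)
        if m:
            vec[m.group("server").lower()] = int(m.group("usn"))
    return vec


def seize_readiness(candidate, former_owner, vectors):
    """Decide whether `candidate` may seize a role from `former_owner`.

    `vectors` maps a DC name to its parsed vector. The candidate is ready when
    its USN for the former owner is at least as high as every other DC's USN
    for the former owner; otherwise some DC holds changes the candidate has not
    replicated yet, and you should wait (or run repadmin /syncall) first.
    Returns (ready, sorted names of the DCs that are ahead of the candidate).
    """
    # A DC that never received anything from the former owner is treated as USN 0.
    candidate_usn = vectors[candidate].get(former_owner, 0)
    ahead = []
    for dc, vec in vectors.items():
        if dc in (candidate, former_owner):
            continue
        if vec.get(former_owner, 0) > candidate_usn:
            ahead.append(dc)
    return (not ahead, sorted(ahead))


if __name__ == "__main__":
    vectors = {
        "server2": parse_showutdvec(SERVER2_UTD),
        "server3": parse_showutdvec(SERVER3_UTD),
    }
    ready, ahead = seize_readiness("server2", "server1", vectors)
    print("server2 ready to seize from server1:", ready, "- DCs ahead:", ahead)
```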

Seizing the Role

The Ntdsutil tool allows you to transfer and seize operations master roles. When you use the Ntdsutil command-line tool to seize an operations master role, the tool attempts a transfer from the current role owner first. Then, if the existing operations master is unavailable, it performs the seizure.

To seize the operations master role assignments, complete the following steps:

1. Click Start, and then click Command Prompt.

2. At the command prompt, type ntdsutil and press Enter.


3. At the ntdsutil prompt, type roles and press Enter.

4. At the fsmo maintenance prompt, type connections and press Enter.

5. At the server connections prompt, type connect to server, followed by the fully qualified domain name (FQDN), and press Enter.

6. At the server connections prompt, type quit and press Enter.

7. At the fsmo maintenance prompt, type one of the following:

   ■ seize schema master and press Enter

   ■ seize domain naming master and press Enter

   ■ seize RID master and press Enter

   ■ seize PDC and press Enter

   ■ seize infrastructure master and press Enter

8. At the fsmo maintenance prompt, type quit and press Enter.

9. At the ntdsutil prompt, type quit and press Enter.

The following is an example of seizing an operations master role using the Ntdsutil command:

C:\>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server server2.microsoft.com
Binding to server2.microsoft.com ...
Connected to server2.microsoft.com using credentials of locally logged on user
server connections: quit
fsmo maintenance: seize RID master
Server "server2.microsoft.com" knows about 5 roles
Schema - CN=NTDS Settings,CN=server01,CN=Servers,CN=New-York,CN=Sites,CN=Configuration,DC=microsoft,DC=com
Domain - CN=NTDS Settings,CN=server01,CN=Servers,CN=New-York,CN=Sites,CN=Configuration,DC=microsoft,DC=com
PDC - CN=NTDS Settings,CN=server2,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=microsoft,DC=com
RID - CN=NTDS Settings,CN=server2,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=microsoft,DC=com
Infrastructure - CN=NTDS Settings,CN=server3,CN=Servers,CN=San-Francisco,CN=Sites,CN=Configuration,DC=microsoft,DC=com
fsmo maintenance: quit
ntdsutil: quit
C:\>
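After a seizure you want to confirm, from the tool's own listing, that the role now points at the domain controller you connected to and which roles still name the retired domain controller. This is an added example (not from the book and not part of Ntdsutil) that parses the "knows about 5 roles" listing; the sample listing is constructed from the session above, with each DN wrapped onto a second line as the tool prints it.

```python
import re

# Constructed sample: the role listing printed by `seize RID master` in the
# session above, with each owner DN wrapped onto a continuation line.
ROLE_LISTING = """\
Server "server2.microsoft.com" knows about 5 roles
Schema - CN=NTDS Settings,CN=server01,CN=Servers,
CN=New-York,CN=Sites,CN=Configuration,DC=microsoft,DC=com
Domain - CN=NTDS Settings,CN=server01,CN=Servers,
CN=New-York,CN=Sites,CN=Configuration,DC=microsoft,DC=com
PDC - CN=NTDS Settings,CN=server2,CN=Servers,
CN=Chicago,CN=Sites,CN=Configuration,DC=microsoft,DC=com
RID - CN=NTDS Settings,CN=server2,CN=Servers,
CN=Chicago,CN=Sites,CN=Configuration,DC=microsoft,DC=com
Infrastructure - CN=NTDS Settings,CN=server3,CN=Servers,
CN=San-Francisco,CN=Sites,CN=Configuration,DC=microsoft,DC=com
"""

ROLE_LINE = re.compile(
    r"^(?P<role>Schema|Domain|PDC|RID|Infrastructure)\s+-\s+(?P<dn>CN=.*)$"
)
# Each role owner is the NTDS Settings object under the DC's server object
# inside its site container.
NTDS_DN = re.compile(
    r"^CN=NTDS Settings,CN=(?P<server>[^,]+),CN=Servers,CN=(?P<site>[^,]+),CN=Sites,"
)


def unwrap_dns(text):
    """Join a continuation line onto the previous line whenever the previous
    line ends with ',' (an unfinished DN), so each role is one logical line."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if out and out[-1].endswith(","):
            out[-1] += line
        else:
            out.append(line)
    return out


def parse_role_listing(text):
    """Return {role: (server, site)} for every role in the listing."""
    roles = {}
    for line in unwrap_dns(text):
        m = ROLE_LINE.match(line)
        if not m:
            continue  # the "knows about N roles" banner and anything else
        dn = NTDS_DN.match(m.group("dn"))
        if dn is None:
            raise ValueError("unexpected role owner DN: " + m.group("dn"))
        roles[m.group("role")] = (dn.group("server").lower(), dn.group("site"))
    return roles


def roles_held_by(roles, server):
    """Roles whose owner DN still names `server` (for example a DC being retired)."""
    return sorted(role for role, (owner, _site) in roles.items() if owner == server.lower())


def seizure_landed(roles, role, connected_server):
    """True if the listing shows `role` owned by the DC you connected to
    (accepts either the short name or the FQDN used with `connect to server`)."""
    expected = connected_server.split(".")[0].lower()
    return role in roles and roles[role][0] == expected


if __name__ == "__main__":
    roles = parse_role_listing(ROLE_LISTING)
    print("RID now on server2:", seizure_landed(roles, "RID", "server2.microsoft.com"))
    print("roles still naming server01:", roles_held_by(roles, "server01"))
```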


Off the Record

You can use several methods to determine the operations master role holders of the forest and domain. For example, you can query these roles using the Replication Monitor (Replmon.exe), Netdom, and Ntdsutil. You can also use the Windows Script Host (WSH) to query the Active Directory Services Interface (ADSI) to find the operations masters, as documented in Microsoft Knowledge Base article 235617, “How to Find the FSMO Role Owners Using ADSI and WSH” (available from http://support.microsoft.com).

Practice: Viewing and Transferring Operations Master Role Assignments

In this practice, you manage operations master role assignments.

Note

To complete this practice, you must have successfully completed the practice in Lesson 1.

Exercise 1: Viewing Operations Master Role Assignments

In this exercise, you view operations master role assignments.

To view operations master role assignments

1. Log on to Server1 and Server2 as Administrator.

2. Use the procedure provided earlier in this lesson to view the RID master, the PDC emulator, and the infrastructure master role assignments for the contoso.com domain.

3. Use the procedure provided earlier in this lesson to view the domain naming master role assignment for the contoso.com domain.

4. Use the procedure provided earlier in this lesson to view the schema master role assignment for the contoso.com domain.

Exercise 2: Transferring an Operations Master Role Assignment

In this exercise, you transfer the domain naming master role assignment from Server1 to Server2.

To transfer an operations master role assignment

1. Use the procedure provided earlier in this lesson to transfer the domain naming master role assignment from Server1 (contoso.com domain) to Server2 (chi.contoso.com domain).


2. When you have finished viewing the domain naming master role assignment on Server2, transfer the domain naming master role assignment back to Server1.

3. Demote Server2 so it becomes a member server for the contoso.com domain and the chi.contoso.com domain no longer exists.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. What is the purpose of the operations master roles?

2. Which operations master roles must be unique in each forest?

3. Which operations master roles must be unique in each domain?

4. When should you seize an operations master role?

5. Which of the following operations master roles should not be assigned to the domain controller hosting the global catalog?

   a. Schema master

   b. Domain naming master

   c. RID master

   d. PDC emulator

   e. Infrastructure master


Lesson Summary

■ Operations master roles are assigned to domain controllers to perform single-master operations.

■ Every Active Directory forest must have the schema master and domain naming master roles. Every domain in the forest must have the RID master, the PDC emulator, and the infrastructure master roles.

■ There are two ways to manage operations master roles: transfer and seizure.

■ To transfer an operations master role is to move it with the cooperation of its current owner. You transfer an operations master role to other domain controllers in the domain or forest to balance the load among domain controllers, or accommodate domain controller maintenance and hardware upgrades.

■ To seize an operations master role is to move it without the cooperation of its current owner. You seize an operations master role assignment when a server holding the role fails and you do not intend to restore it. If the cause of the failure is a networking problem or a server failure that will be resolved soon, wait for the role holder to become available again. Do not seize an operations master role if you can transfer it instead. Seizing an operations master role is a drastic step that should be considered only if the current operations master will never be available again. The decision depends upon the role and how long the particular role holder will be unavailable.


Lesson 4: Managing Trust Relationships

This lesson introduces you to trust relationships and the tasks involved in the management of trusts. In Chapter 1, you learned that a trust relationship is a link between two domains in which the trusting domain honors the logon authentication of the trusted domain. Trust relationships can be created automatically (implicitly) or manually (explicitly). Trust relationships created implicitly do not need management. In this lesson you learn how to plan, create, and administer explicit trust relationships.

After this lesson, you will be able to

■ Name the trust protocols used in Windows Server 2003

■ Describe the trust types used in Windows Server 2003

■ Explain when it is necessary to create a shortcut, realm, external, or forest trust

■ Create shortcut, realm, external, and forest trusts

■ Administer shortcut, realm, external, and forest trusts

Estimated lesson time: 30 minutes

Trust Relationships

A trust relationship is a logical relationship established between domains to allow pass-through authentication, in which a trusting domain honors the logon authentications of a trusted domain. There are two domains in a trust relationship—the trusting and the trusted domain.

In Windows NT, trusts are one-way and nontransitive, and can require a great deal of administrator maintenance. Trusts were limited to the two domains involved in the trust and the trust relationship was one-way. In Windows Server 2003, trusts have three characteristics.

■ Trusts can be created manually (explicitly) or automatically (implicitly).

■ Trusts can be either transitive (not bound by the domains in the trust relationship) or nontransitive (bound by the domains in the trust relationship).

■ Trusts can be one-way or two-way.

Trust Protocols

Windows Server 2003 authenticates users and applications using either the Kerberos version 5 or NTLM protocol. The Kerberos version 5 protocol is the default protocol for computers running Windows Server 2003. If any computer involved in a transaction does not support Kerberos version 5, the NTLM protocol is used.


When using the Kerberos version 5 protocol, the client requests a ticket from a domain controller in its account domain for presentation to the server in the trusting domain.

This ticket is issued by an intermediary trusted by the client and the server. The client presents this trusted ticket to the server in the trusting domain for authentication.

When a client tries to access resources on a server in another domain using NTLM authentication, the server containing the resource must contact a domain controller in the client’s account domain to verify the account credentials. A trust relationship can also be created with any MIT version 5 Kerberos realm.

Trust Types

The following forms of trust relationships are supported by Windows Server 2003:

■ Tree-root trust: Implicitly established when you add a new tree root domain to a forest. The trust is transitive and two-way.

■ Parent-child trust: Implicitly established when you add a new child domain to a tree. The trust is transitive and two-way.

■ Shortcut trust: Explicitly created by a systems administrator between two domains in a forest to improve user logon times. This is useful when two domains are separated by two domain trees. The trust is transitive and can be one- or two-way. A shortcut trust may also be referred to as a cross-link trust.

■ Realm trust: Explicitly created by a systems administrator between a non–Windows Kerberos realm and a Windows Server 2003 domain. This trust provides interoperability between Windows Server 2003 and any realm used in Kerberos version 5 implementations. It can be transitive or nontransitive and one- or two-way.

■ External trust: Explicitly created by a systems administrator between Windows Server 2003 domains that are in different forests or between a Windows Server 2003 domain and a domain whose domain controller is running Windows NT 4 or earlier. This trust provides backward compatibility with Windows NT environments and communications with domains located in other forests not joined by forest trusts. The trust is nontransitive and can be one- or two-way.

■ Forest trust: Explicitly created by a systems administrator between two forest root domains. If a forest trust is two-way, it effectively allows all authentication requests made from one forest to reach another. The trust is transitive between two forests only and can be one- or two-way.

Note

When a user is authenticated by a domain controller, the presence of a trust does not guarantee access to resources in that domain. Access to resources is determined solely by the rights and permissions granted to the user account by the domain administrator for the trusting domain. For information about providing access to resources, refer to Chapter 9, “Administering Active Directory Objects.”

Understanding Forest Trusts

In Windows NT and Windows 2000, if users in one forest needed access to resources in a second forest, an administrator had to create an external trust relationship between the two domains. Because external trusts are one-way and nontransitive, they require administrator resources and limit the ability for trust paths to extend to other domains.

Forest trusts are a new feature in Windows Server 2003, extending transitivity beyond the scope of a single forest to a second Windows Server 2003 forest. Forest trusts provide the following benefits:

■ Simplified management. Forest trusts reduce the number of external trusts necessary to share resources with a second forest.

■ Two-way trust relationships between all domains in two forests.

■ UPN authentications can be used across two forests.

■ Both the Kerberos and NTLM authentication protocols can be used to help improve the trustworthiness of authorization data transferred between forests.

■ Administrative flexibility. Administrators can choose to split collaborative delegation efforts with other administrators into forest-wide administrative units.

Forest trusts can be created and are transitive between only two forests. Therefore, if a forest trust is created between Forest1 and Forest2, and a forest trust is also created between Forest2 and Forest3, Forest1 does not have an implicit trust with Forest3.

Planning Trust Relationships

As an administrator, you must plan trust relationships to provide users with the access to resources they require. When you add a Windows Server 2003 domain to an existing Windows Server 2003 forest, a tree-root or a parent-child trust is established automatically. Both of these trust relationships are two-way and transitive and are established at the time that the domain is created. Once established, these trust relationships do not need to be managed.

The four remaining types of trusts must be managed. They are

■ Shortcut trusts

■ Realm trusts

■ External trusts

■ Forest trusts

When to Create a Shortcut Trust

Shortcut trusts are transitive one-way or two-way trusts that can be used to optimize the authentication process between domains that are logically distant from each other.

In Windows Server 2003, authentication requests must travel an established trust path between domain trees. A trust path is a series of trust relationships that must be traversed in order to pass authentication requests between any two domains. In a complex forest, following the trust path can take time and affect query response performance; each time clients are referred to another domain controller, the chances of a failure or of encountering a slow link are increased. Windows Server 2003 provides a means for improving query response performance through shortcut trusts.

Shortcut trusts help to shorten the path traveled for authentication requests made between domains located in two separate trees.

Shortcut trusts can be created only between Windows Server 2003 domains in the same forest. Figure 4-16 illustrates a shortcut trust created to shorten the trust path and improve query response performance between Domain M and Domain P. If the shortcut trust were not created, the client in Domain M would have to “walk” the trust path through domains L, K, J, N, and O before being able to communicate with the domain controller in Domain P to verify the authentication request.

Figure 4-16 Shortcut trust: Domains J, K, L, and M form one tree and Domains N, O, and P form a second tree, linked by parent-child trusts (implicit two-way transitive trusts); an explicit two-way transitive shortcut trust links Domain M and Domain P.

One-Way Shortcut Trusts A one-way shortcut trust established between two domains located in separate domain trees can reduce the time needed to fulfill authentication requests, but from only one direction. If a one-way shortcut trust is established between Domain M and Domain P, authentication requests made in Domain M to Domain P can take full advantage of the new one-way trust path. However, when authentication requests from Domain P to Domain M are made, they cannot utilize the shortcut trust path that was created between Domain M and Domain P, and default to walking up the trust path hierarchy in order to find Domain M.

Two-Way Shortcut Trusts A two-way shortcut trust directly established between two domains located in separate domain trees can help optimize authentication requests made from users located in either domain. Therefore, authentication requests made from either Domain M to Domain P or from Domain P to Domain M can utilize the shortened shortcut trust path.
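To see the trust-path walk concretely, here is an added example (not from the book) that models the forest in Figure 4-16 as a directed graph of trusts and finds the shortest path an authentication request can take, with and without a one-way or two-way shortcut trust between Domain M and Domain P. It goes a little beyond the shortcut case by also applying the transitivity rules this lesson states for forest trusts (transitive between exactly two forests) and external trusts (nontransitive); the domain names J through P and Forest1 through Forest3 come from the text, while child.Forest2 and the Windows NT 4 domain nt4dom are constructed.

```python
from collections import deque


class TrustGraph:
    """Trusts as directed edges: an edge a -> b means that authentication
    requests originating in domain a may be referred toward domain b across
    that trust. A two-way trust contributes an edge in each direction."""

    def __init__(self):
        self.edges = {}  # domain -> list of (neighbor, trust kind)

    def add_trust(self, a, b, kind="parent-child", two_way=True):
        self.edges.setdefault(a, []).append((b, kind))
        self.edges.setdefault(b, [])
        if two_way:
            self.edges[b].append((a, kind))

    def trust_path(self, src, dst):
        """Shortest list of domains a request from src walks to reach dst, or None.

        Rules taken from the lesson: parent-child, tree-root and shortcut
        trusts are transitive; a forest trust is transitive only between the
        two forests it joins, so a path may cross at most one forest trust; an
        external trust is nontransitive, so it is usable only as the single hop
        between the two domains that created it.
        """
        start = (src, 0)  # state = (domain, forest trusts crossed so far)
        prev = {start: None}
        queue = deque([start])
        while queue:
            state = queue.popleft()
            cur, forest_hops = state
            if cur == dst:
                path = []
                while state is not None:
                    path.append(state[0])
                    state = prev[state]
                return path[::-1]
            for nxt, kind in self.edges.get(cur, ()):
                if kind == "external" and not (cur == src and nxt == dst):
                    continue
                hops = forest_hops + (1 if kind == "forest" else 0)
                if hops > 1:
                    continue
                nstate = (nxt, hops)
                if nstate not in prev:
                    prev[nstate] = state
                    queue.append(nstate)
        return None


def figure_4_16_forest():
    """Two trees in one forest, as drawn in Figure 4-16: J > K > L > M and
    N > O > P, with the tree roots J and N joined by a tree-root trust."""
    g = TrustGraph()
    for parent, child in [("J", "K"), ("K", "L"), ("L", "M"),
                          ("N", "O"), ("O", "P")]:
        g.add_trust(parent, child, "parent-child")  # implicit, two-way, transitive
    g.add_trust("J", "N", "tree-root")               # implicit, two-way, transitive
    return g


def three_forests():
    """Forest1 <-> Forest2 <-> Forest3 joined by two separate two-way forest
    trusts (root domains named after their forests; child.Forest2 is a
    constructed child domain of Forest2)."""
    f = TrustGraph()
    f.add_trust("Forest1", "Forest2", "forest")
    f.add_trust("Forest2", "Forest3", "forest")
    f.add_trust("Forest2", "child.Forest2", "parent-child")
    return f


if __name__ == "__main__":
    g = figure_4_16_forest()
    print("M -> P without shortcut:", g.trust_path("M", "P"))
    g.add_trust("M", "P", "shortcut", two_way=False)  # one-way shortcut trust
    print("M -> P with one-way shortcut:", g.trust_path("M", "P"))
    print("P -> M still walks the hierarchy:", g.trust_path("P", "M"))
    f = three_forests()
    print("Forest1 -> Forest3 (no implicit trust):", f.trust_path("Forest1", "Forest3"))
```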

Accessing Resources Across Domains Joined by Shortcut Trust Using Active Directory Domains and Trusts, you can determine the scope of authentication between two domains that are joined by a shortcut trust. You can set selective authentication differently for outgoing and incoming shortcut trusts, which allows you to make flexible access control decisions between domains. You set selective authentication on the Outgoing Trust Authentication Level page when you set up a shortcut trust using the New Trust Wizard.

If you use domain-wide authentication on the incoming shortcut trust, users in the sec­ ond domain have the same level of access to resources in the local domain as users who belong to the local domain. For example, if Domain A has an incoming shortcut trust from Domain B and domain-wide authentication is used, any user from Domain B can access any resource in Domain A (assuming the user has the required permissions).

If you set selective authentication on an incoming shortcut trust, you need to manually assign permissions on each resource to which you want users in the second domain to have access. To do this, set an access control right Allowed To Authenticate on an object for that particular user or group from the second domain.

When a user authenticates across a trust with the Selective authentication option enabled, an Other Organization security ID (SID) is added to the user’s authorization data. The presence of this SID prompts a check on the resource domain to ensure that the user is allowed to authenticate to the particular service. Once the user is authenti­ cated, if the Other Organization SID is not already present, the server to which the user authenticates adds the This Organization SID. Only one of these special SIDs can be present in an authenticated user’s context.

Administrators in each domain can add objects from one domain to access control lists (ACLs) on shared resources in the other domain. You can use the ACL editor to add or remove objects residing in one domain to ACLs on resources in the other domain. For more information about how to set permissions on resources, refer to Chapter 9, “Administering Active Directory Objects.”

Requirements To create a shortcut trust, you must have Enterprise Admin or Domain Admin privileges in both domains within the forest. Each trust is assigned a password that must be known to the administrators of both domains in the relationship.

When to Create a Realm Trust

A realm trust can be established between any non–Windows Kerberos version 5 realm and a Windows Server 2003 domain to allow cross-platform interoperability with security services based on other Kerberos version 5 implementations, such as UNIX or MIT.

Realm trusts can be switched from nontransitive to transitive and back and can be either one- or two-way.

Requirements To create a realm trust, you must have Enterprise Admin or Domain Admin privileges for the domain in the Windows Server 2003 forest and the appropriate administrative privileges in the target Kerberos realm.

When to Create an External Trust

You can create an external trust to form a one- or two-way nontransitive relationship with domains outside of your forest. External trusts are sometimes necessary when users need access to resources located in a Windows NT 4 domain or in a domain located within a separate forest that is not joined by a forest trust.

When a trust is established between a domain in a forest and a domain outside of that forest, security principals from the external domain can access resources in the internal domain. Active Directory creates a foreign security principal object in the internal domain to represent each security principal from the trusted external domain. These foreign security principals can become members of domain local groups in the internal domain. You can view foreign security principals in the Active Directory Users And Computers console when Advanced Features are enabled. To enable Advanced Features, select Advanced Features from the View menu on the Active Directory Users And Computers console.

Note

If you upgrade a Windows NT 4 domain to a Windows Server 2003 domain, the existing trust relationship remains in the same state.

Accessing Resources Across Domains Joined by an External Trust Using Active Directory Domains And Trusts, you can determine the scope of authentication between two domains that are joined by an external trust. You can set selective authentication differently for outgoing and incoming external trusts, which allows you to make flexible authentication decisions between external domains. You select domain-wide or selective authentication on the Outgoing Trust Authentication Level page when you set up an external trust using the New Trust Wizard.

If you apply domain-wide authentication to an external trust, users in the trusted domain have the same level of access to resources in the local domain as users who belong to the local domain. For example, if Domain A trusts Domain B and domain-wide authentication is used, any user from Domain B can access any resource in Domain A (assuming the user has the required permissions).

If you apply selective authentication to an external trust, you need to manually designate which users in the trusted domain can authenticate for specific computers in the trusting domain. To do this, use Active Directory Users And Computers to open the access control list for each computer in the trusting domain that hosts resources that may be accessed by any users in the trusted domain. Grant users in the trusted domain (or groups that include users in the trusted domain) the access control right Allowed To Authenticate.

Exam Tip

Allowed To Authenticate is a new access control right that allows you to control which users from other domains can authenticate to a particular type of object or service.

When a user authenticates across a trust with the Selective authentication option enabled, an Other Organization security ID (SID) is added to the user’s authorization data. The presence of this SID prompts a check on the resource domain to ensure that the user is allowed to authenticate to the particular service. Once the user is authenticated, if the Other Organization SID is not already present, the server to which the user authenticates adds the This Organization SID. Only one of these special SIDs can be present in an authenticated user’s context.

Administrators in each domain can add objects from one domain to access control lists (ACLs) on shared resources in the other domain. You can use the ACL editor to add or remove objects residing in one domain to ACLs on resources in the other domain. For more information about how to set permissions on resources, refer to Chapter 9, “Administering Active Directory Objects.”

Requirements To create an external trust, you must have Enterprise Admin or Domain Admin privileges for the domain in the Windows Server 2003 forest, and Enterprise Admin or Domain Admin privileges for the domain outside of the forest. Each trust must be assigned a password that is known to the administrators of both domains in the relationship.

4-48

Chapter 4 Installing and Managing Domains, Trees, and Forests

When to Create a Forest Trust

Creating a trust between two forest root domains provides a transitive relationship between every domain residing within each forest, and can be one- or two-way. Forest trusts are useful for application service providers, organizations undergoing mergers or acquisitions, collaborative business extranets, and organizations seeking solutions for administrative autonomy.

One-Way Forest Trusts In a one-way forest trust, all domains in the trusted forest can utilize resources in the trusting forest, although members in the trusting forest cannot access resources in the trusted forest. For example, if you create a one-way forest trust between Forest1 (the trusted forest) and Forest2 (the trusting forest), then users in Forest1 can access resources in Forest2 (assuming the users have permissions on resources). However, users in Forest2 will not be able to access resources in Forest1 until a second forest trust is established.

Two-Way Forest Trusts In a two-way forest trust, every domain in one forest trusts every domain in its partner forest implicitly. Users in either forest can access any resource located anywhere in either forest (assuming the users have permissions to the resource).

Accessing Resources Across Domains Joined by External Trust Using Active Directory Domains and Trusts, you can determine the scope of authentication between two forests that are joined by a forest trust. You can set selective authentication differently for outgoing and incoming forest trusts, which allows you to make flexible access control decisions between forests. You set selective authentication on the Outgoing Trust Authentication Level page when you set up a forest trust using the New Trust Wizard.

If you use forest-wide authentication on the incoming external trust, users from the outside forest have the same level of access to resources in the local forest as users who belong to the local forest. For example, if ForestA has an incoming forest trust from ForestB and forest-wide authentication is used, any user from ForestB can access any resource in ForestA (assuming the user has the required permissions).

If you set selective authentication on an incoming forest trust, you must manually assign permissions on each domain and resource to which you want users in the second forest to have access. To do this, set the access control right Allowed To Authenticate on an object for that particular user or group from the second forest.

When a user authenticates across a trust with the Selective Authentication option enabled, an Other Organization security ID (SID) is added to the user’s authorization data. The presence of this SID prompts a check on the resource domain to ensure that the user is allowed to authenticate to the particular service. Once the user is authenticated, if the Other Organization SID is not already present, the server to which the user authenticates adds the This Organization SID. Only one of these special SIDs can be present in an authenticated user’s context.

Lesson 4 Managing Trust Relationships 4-49

Administrators in each forest can add objects from one forest to access control lists (ACLs) on shared resources in the other forest. You can use the ACL editor to add or remove objects residing in one forest to ACLs on resources in another forest. For more information about how to set permissions on resources, refer to Chapter 9, “Administering Active Directory Objects.”
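The selective authentication check described above (for both external and forest trusts) turns on who holds the Allowed To Authenticate right on the computer object in the trusting domain. The following PowerShell script is an added example, not code from the training kit: it reads the ACL of one computer object and reports every principal that holds that right, so an administrator can review which users from the other domain or forest can authenticate to it. The distinguished name is a placeholder; the GUID is the schema rights-GUID of the Allowed-To-Authenticate extended right.

```powershell
# Added example, not from the training kit: audit which security principals
# hold the Allowed To Authenticate right on one computer object. Under
# selective authentication this is the right the resource domain checks when
# a user whose token carries the Other Organization SID tries to authenticate.
#
# Assumptions: run on a domain member with read access to the computer
# object's security descriptor; $ComputerDn is a placeholder you replace.

$ComputerDn = 'CN=FS01,OU=Servers,DC=contoso,DC=com'   # placeholder DN

# Rights-GUID of the Allowed-To-Authenticate extended right in the AD schema.
$AllowedToAuthenticateGuid = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$computer = [ADSI]"LDAP://$ComputerDn"

# Read explicit and inherited ACEs as SIDs. SIDs from the other domain or
# forest do not always translate to names, so translation is attempted
# separately below instead of letting GetAccessRules fail as a whole.
$rules = $computer.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$report = foreach ($ace in $rules) {
    # Only ACEs that carry the ExtendedRight bit can grant this right.
    if (($ace.ActiveDirectoryRights -band $ExtendedRight) -eq 0) { continue }

    # An ObjectType equal to the rights-GUID grants exactly this right. An
    # empty ObjectType (for example from a Full Control ACE) grants every
    # extended right, including Allowed To Authenticate, so report it too.
    if ($ace.ObjectType -eq $AllowedToAuthenticateGuid) {
        $scope = 'Allowed To Authenticate'
    } elseif ($ace.ObjectType -eq [Guid]::Empty) {
        $scope = 'All extended rights'
    } else {
        continue
    }

    $sid = $ace.IdentityReference
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = "<unresolved: $($sid.Value)>" }   # e.g. a SID from the other forest

    New-Object PSObject -Property @{
        Principal = $name
        Type      = $ace.AccessControlType   # Allow or Deny
        Scope     = $scope
        Inherited = $ace.IsInherited
    }
}

# Deny entries are listed first so an explicit denial is not overlooked.
$report | Sort-Object Type, Principal | Format-Table Principal, Type, Scope, Inherited -AutoSize
```

Run it against each computer in the trusting domain that hosts shared resources; a principal that appears only under "All extended rights" holds the right through a broader grant rather than through an explicit Allowed To Authenticate entry.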

Requirements

To create a forest trust, you must have Enterprise Admin privileges in both forests. Each trust must be assigned a password that is known to the administrators of both forests in the relationship. Before creating a forest trust, you need to verify that you have the correct DNS infrastructure in place and that the appropriate functional level for the Active Directory forest has been established. For more information on what to verify before creating a forest trust, refer to the “Creating a Forest Trust” section of this chapter.


Exam Tip

Know when to create each type of trust.

Creating Trust Relationships

After you determine the trusts required by your organization, you must create the trusts. This section contains procedures for creating shortcut, realm, external, and forest explicit trusts. You use the New Trust Wizard to create explicit trusts.

Creating a Shortcut Trust

A shortcut trust is a trust between two domains in a forest, created to improve user logon times.

To create a shortcut trust, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Domains And Trusts.

2. In the console tree, right-click the domain node for the domain for which you want to create a shortcut trust, and then click Properties.

3. In the Properties dialog box, click the Trusts tab.

4. In the Trusts tab, shown in Figure 4-17, click New Trust to launch the New Trust Wizard.


Figure 4-17 Properties dialog box for a domain, Trusts tab

5. On the Welcome To The New Trust Wizard page, click Next.

6. On the Trust Name page, shown in Figure 4-18, type the DNS name of the target domain with which you want to establish a trust in the Name box, then click Next.

Figure 4-18 New Trust Wizard, Trust Name page


7. On the Direction Of Trust page, shown in Figure 4-19, select one of the following choices:

❑ If you want all users in both domains to be able to access all resources anywhere in either domain, click Two-Way, and then click Next.

❑ If you want only users in this domain to be able to access resources anywhere in the other domain, click One-Way: Incoming, and then click Next.

❑ If you want only users in the other domain to be able to access resources anywhere in this domain, click One-Way: Outgoing, and then click Next.

Note

By selecting the One-Way: Incoming option, users in the other domain will not be able to access any resources in this domain. By selecting the One-Way: Outgoing option, users in this domain will not be able to access any resources in the other domain.

Figure 4-19 New Trust Wizard, Direction Of Trust page

8. On the Sides Of Trust page, shown in Figure 4-20, select one of the following choices:

❑ Select This Domain Only to create the trust relationship in the local domain. Click Next.

❑ Select Both This Domain And The Specified Domain to create a trust relationship in the local domain and a trust relationship in the specified domain. If you select this option, you must have trust creation privileges in the specified domain. Click Next.


Figure 4-20 New Trust Wizard, Sides Of Trust page

9. Select one of the following paths, depending on your choices in steps 7 and 8:

❑ If you selected Two-Way or One-Way: Outgoing in step 7, and This Domain Only in step 8, the Outgoing Trust Authentication Level page, shown in Figure 4-21, appears. Select Domain Wide Authentication to automatically authenticate all users in the specified domain for all resources in the local domain. Select Selective Authentication to not automatically authenticate all users in the specified domain for all resources in the local domain. Click Next. On the Trust Password page, shown in Figure 4-22, type a password for the trust in the Trust Password and Confirm Trust Password boxes. Click Next.

Figure 4-21 New Trust Wizard, Outgoing Trust Authentication Level page


Figure 4-22 New Trust Wizard, Trust Password page

❑ If you selected One-Way: Incoming in step 7, and This Domain Only in step 8, the Trust Password page, shown in Figure 4-22, appears. Type a password for the trust in the Trust Password and Confirm Trust Password boxes. Click Next.

❑ If you selected Both This Domain And The Specified Domain in step 8, the User Name And Password page, shown in Figure 4-23, appears. Type the user name and password of an account that has administrative privileges in the specified domain. Click Next.

Figure 4-23 New Trust Wizard, User Name And Password page

10. On the Trust Selections Complete page, verify that the correct trust settings are configured, and then click Next. The wizard creates the trust.


11. On the Trust Creation Complete page, verify the settings, and then click Next.

12. On the Confirm Outgoing Trust page, shown in Figure 4-24, select Yes, Confirm The Outgoing Trust if you created both sides of the trust. If you only created one side, choose No, Do Not Confirm The Outgoing Trust. Click Next.

Figure 4-24 New Trust Wizard, Confirm Outgoing Trust page

13. On the Confirm Incoming Trust page, shown in Figure 4-25, select Yes, Confirm The Incoming Trust if you created both sides of the trust. If you only created one side, choose No, Do Not Confirm The Incoming Trust. Click Next.

Figure 4-25 New Trust Wizard, Confirm Incoming Trust page

14. On the Completing The New Trust Wizard page, verify the settings, and then click Finish.


15. Note the presence of the shortcut trust you just set up in the Trusts tab of the Properties dialog box for the domain. An example is shown in Figure 4-26. Click OK.

Figure 4-26 Properties dialog box for a domain, Trusts tab, showing shortcut trust between fabrikam.com and chi.contoso.com, domains in separate trees in the same forest

Creating a Realm Trust

A realm trust is a trust between a non–Windows Kerberos realm and a Windows Server 2003 domain, created to allow cross-platform interoperability with security services based on other Kerberos version 5 implementations.

To create a realm trust, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Domains And Trusts.

2. In the console tree, right-click the domain node for the domain for which you want to create a realm trust, and then click Properties.

3. In the Properties dialog box, click the Trusts tab.

4. In the Trusts tab, shown previously in Figure 4-17, click New Trust.

5. On the Welcome To The New Trust Wizard page, click Next.

6. On the Trust Name page, shown previously in Figure 4-18, type the DNS name of the target realm with which you want to establish a trust in the Name box, and then click Next.


7. On the Trust Type page, shown in Figure 4-27, select the Realm Trust option, and then click Next.

Figure 4-27 New Trust Wizard, Trust Type page

8. On the Transitivity Of Trust page, shown in Figure 4-28, select one of the following choices:

❑ If you want only this domain and the specified realm to form a trust relationship, click Nontransitive, and then click Next.

❑ If you want this domain and all trusted domains to form a trust relationship with the specified realm and all trusted realms, click Transitive, and then click Next.

Figure 4-28 New Trust Wizard, Transitivity Of Trust page


9. On the Direction Of Trust page, shown previously in Figure 4-19, select one of the following choices:

❑ If you want all users in both the domain and the realm to be able to access all resources anywhere in either the domain or the realm, click Two-Way, and then click Next.

❑ If you want only users in this domain to be able to access resources anywhere in the realm, click One-Way: Incoming, and then click Next.

❑ If you want only users in the realm to be able to access resources anywhere in this domain, click One-Way: Outgoing, and then click Next.

Note

By selecting the One-Way: Incoming option, users in the realm will not be able to access any resources in this domain. By selecting the One-Way: Outgoing option, users in this domain will not be able to access any resources in the realm.

10. On the Trust Password page, shown previously in Figure 4-22, type the trust password in the Trust Password and Confirm Trust Password boxes. This password must match the password used in the realm. Click Next.

11. On the Trust Selections Complete page, verify that the correct trust settings appear, and then click Next.

12. On the Completing The New Trust Wizard page, verify the settings, and then click Finish.

13. Note the presence of the realm trust you just set up in the Trusts tab of the Properties dialog box for the domain. Click OK.

Creating an External Trust

An external trust is a trust between Windows Server 2003 domains in different forests or between a Windows Server 2003 domain and a domain whose domain controller is running Windows NT 4 or earlier. This trust is created to provide backward compatibility with Windows NT environments or communications with domains located in other forests not joined by forest trusts. Before you can create an external trust, you must configure a DNS forwarder on both of the DNS servers that are authoritative for the trusting forests.


Note

Windows 2000 DNS does not support conditional forwarding. If you configure domains to forward to each other in Windows 2000, the resulting traffic may overwhelm many networks. You should forward domains to each other only if both servers support conditional forwarding, as in the Windows Server 2003 family.

To configure a DNS forwarder, complete the following steps on both authoritative DNS servers:

1. Click Start, point to Administrative Tools, and then click DNS.

2. In the console tree, right-click the DNS server you want to configure, and then click Properties.

3. In the Properties dialog box for the DNS server, click the Forwarders tab.

4. In the Forwarders tab, specify the DNS domain names that require queries to be forwarded (conditional forwarding) in the Domain box by clicking New and typing the domain name. Type the IP address(es) of the server(s) to which the queries are forwarded in the Selected Domain’s IP Address List, and then click Add.

5. Click OK in the Forwarders tab.

To create an external trust, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Domains And Trusts.

2. In the console tree, right-click the domain node for the domain in the first forest for which you want to create an external trust, and then click Properties.

3. In the Properties dialog box, click the Trusts tab.

4. In the Trusts tab, shown previously in Figure 4-17, click New Trust.

5. On the Welcome To The New Trust Wizard page, click Next.

6. On the Trust Name page, shown previously in Figure 4-18, type the DNS name of the target domain in the second forest with which you want to establish a trust in the Name box, and then click Next.

7. If the forest functional level is set to Windows Server 2003, the Trust Type page appears, shown in Figure 4-29. Select the External Trust option, and then click Next. Otherwise, skip to the next step.


Figure 4-29 New Trust Wizard, Trust Type page

8. On the Direction Of Trust page, shown previously in Figure 4-19, select one of the following choices:

❑ If you want all users in both domains to be able to access all resources anywhere in either domain, click Two-Way, and then click Next.

❑ If you want only users in this domain to be able to access resources anywhere in the second domain, click One-Way: Incoming, and then click Next.

❑ If you want only users in the second domain to be able to access resources anywhere in this domain, click One-Way: Outgoing, and then click Next.

Note

By selecting the One-Way: Incoming option, users in the domain in the second forest will not be able to access any resources in the domain in this forest. By selecting the One-Way: Outgoing option, users in the domain in this forest will not be able to access any resources in the domain in the second forest.

9. On the Sides Of Trust page, shown previously in Figure 4-20, select one of the following choices:

❑ Select This Domain Only to create the trust relationship in the local domain. Click Next.

❑ Select Both This Domain And The Specified Domain to create a trust relationship in the local domain and a trust relationship in the specified domain. If you select this option, you must have trust creation privileges in the specified domain. Click Next.


10. Select one of the following paths, depending on your choices in steps 8 and 9:

❑ If you selected Two-Way or One-Way: Outgoing in step 8, and This Domain Only in step 9, the Outgoing Trust Authentication Level page, shown previously in Figure 4-21, appears. Select Domain Wide Authentication to automatically authenticate all users in the specified domain for all resources in the local domain. Select Selective Authentication to not automatically authenticate all users in the specified domain for all resources in the local domain. Click Next. On the Trust Password page, shown previously in Figure 4-22, type a password for the trust in the Trust Password and Confirm Trust Password boxes. Click Next.

❑ If you selected One-Way: Incoming in step 8, and This Domain Only in step 9, the Trust Password page, shown previously in Figure 4-22, appears. Type a password for the trust in the Trust Password and Confirm Trust Password boxes. Click Next.

❑ If you selected Both This Domain And The Specified Domain in step 9, the User Name And Password page, shown previously in Figure 4-23, appears. Type the user name and password of an account that has administrative privileges in the specified domain. Click Next.

11. On the Trust Selections Complete page, verify that the correct trust settings are configured, and then click Next. The wizard creates the trust.

12. On the Trust Creation Complete page, verify the settings, and then click Next.

13. On the Confirm Outgoing Trust page, shown previously in Figure 4-24, select Yes, Confirm The Outgoing Trust if you created both sides of the trust. If you only created one side, choose No, Do Not Confirm The Outgoing Trust. Click Next.

14. On the Confirm Incoming Trust page, shown previously in Figure 4-25, select Yes, Confirm The Incoming Trust if you created both sides of the trust. If you only created one side, choose No, Do Not Confirm The Incoming Trust. Click Next.

15. On the Completing The New Trust Wizard page, verify the settings, and then click Finish.

16. Note the presence of the external trust you just set up in the Trusts tab of the Properties dialog box for the domain. An example is shown in Figure 4-30. Click OK.


Figure 4-30 Properties dialog box for a domain, Trusts tab, showing external trust between treyresearch.com and contoso.com, domains in different forests

Creating a Forest Trust

A forest trust is a trust between two forest root domains, created to allow all authentication requests made from one forest to reach another. The procedure for creating a forest trust is similar to the one used for creating an external trust. However, before you can create a forest trust, you must complete the following preliminary tasks.

❑ Configure a DNS root server that is authoritative over both forest DNS servers that you want to form a trust with, or configure a DNS forwarder on both of the DNS servers that are authoritative for the trusting forests.

❑ Ensure that the forest functional level for both forests is Windows Server 2003.

To configure a DNS forwarder, complete the following steps:

1. Click Start, point to Administrative Tools, and then click DNS.

2. In the console tree, right-click the DNS server you want to configure, and then click Properties.

3. In the Properties dialog box for the DNS server, click the Forwarders tab.

4. In the Forwarders tab, specify the DNS domain names that require queries to be forwarded (conditional forwarding) in the Domain box by clicking New and typing the domain name. Type the IP address(es) of the server(s) to which the queries are forwarded in the Selected Domain’s IP Address List, and then click Add.

5. Click OK in the Forwarders tab.

Note

You can raise the functional level of a forest to Windows Server 2003 only if all domain controllers in the forest are running Windows Server 2003 and all domain functional levels in the forest have been raised to Windows Server 2003. To change the forest functional level to Windows Server 2003, refer to Chapter 3, “Administering Active Directory.”

To create a forest trust, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Domains And Trusts.

2. In the console tree, right-click the domain node for the domain in the first forest for which you want to create a forest trust, and then click Properties.

3. In the Properties dialog box, click the Trusts tab.

4. In the Trusts tab, shown previously in Figure 4-17, click New Trust.

5. On the Welcome To The New Trust Wizard page, click Next.

6. On the Trust Name page, shown previously in Figure 4-18, type the DNS name of the target domain in the second forest with which you want to establish a trust in the Name box, and then click Next.

7. On the Trust Type page, shown previously in Figure 4-29, select the Forest Trust option, and then click Next.

Note

If the Forest Trust option does not appear, you must confirm that you have completed the preliminary tasks for creating a forest trust.

8. On the Direction Of Trust page, shown previously in Figure 4-19, select one of the following choices:

❑ If you want all users in both forests to be able to access all resources anywhere in either forest, click Two-Way, and then click Next.

❑ If you want only users in this forest to be able to access resources anywhere in the second forest, click One-Way: Incoming, and then click Next.

❑ If you want only users in the second forest to be able to access resources anywhere in this forest, click One-Way: Outgoing, then click Next.


Note

By selecting the One-Way: Incoming option, users in the second forest will not be able to access any resources in this forest. By selecting the One-Way: Outgoing option, users in this forest will not be able to access any resources in the second forest.

9. On the Sides Of Trust page, shown previously in Figure 4-20, select one of the following choices:

❑ Select This Domain Only to create the trust relationship in the local forest. Click Next.

❑ Select Both This Domain And The Specified Domain to create a trust relationship in the local forest and a trust relationship in the specified forest. If you select this option, you must have trust creation privileges in the specified forest. Click Next.

10. Select one of the following paths, depending on your choices in steps 8 and 9:

❑ If you selected Two-Way or One-Way: Outgoing in step 8, and This Domain Only in step 9, the Outgoing Trust Authentication Level page, shown previously in Figure 4-21, appears. Select Domain Wide Authentication to automatically authenticate all users in the specified forest for all resources in the local forest. Select Selective Authentication to not automatically authenticate all users in the specified forest for all resources in the local forest. Click Next. On the Trust Password page, shown previously in Figure 4-22, type a password for the trust in the Trust Password and Confirm Trust Password boxes. Click Next.

❑ If you selected One-Way: Incoming in step 8, and This Domain Only in step 9, the Trust Password page, shown previously in Figure 4-22, appears. Type a password for the trust in the Trust Password and Confirm Trust Password boxes. Click Next.

❑ If you selected Both This Domain And The Specified Domain in step 9, the User Name And Password page, shown previously in Figure 4-23, appears. Type the user name and password of an account that has administrative privileges in the specified forest. Click Next.

11. On the Trust Selections Complete page, verify that the correct trust settings are configured, and then click Next. The wizard creates the trust.

12. On the Trust Creation Complete page, verify the settings, and then click Next.

13. On the Confirm Outgoing Trust page, shown previously in Figure 4-24, select Yes, Confirm The Outgoing Trust if you created both sides of the trust. If you only created one side, choose No, Do Not Confirm The Outgoing Trust. Click Next.


14. On the Confirm Incoming Trust page, shown previously in Figure 4-25, select Yes, Confirm The Incoming Trust if you created both sides of the trust. If you only created one side, choose No, Do Not Confirm The Incoming Trust. Click Next.

15. On the Completing The New Trust Wizard page, verify the settings, and then click Finish.

16. Note the presence of the forest trust you just set up in the Trusts tab of the Properties dialog box for the domain. An example is shown in Figure 4-31. Click OK.


Figure 4-31 Properties dialog box for a domain, Trusts tab, showing forest trust between woodgrovebank.com and contoso.com, domains in different forests

Exam Tip

Know how to create each type of trust.

Administering Trust Relationships

To administer trust relationships, you use the New Trust Wizard. You can verify and remove shortcut, realm, external, and forest trusts.

To verify a trust, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Domains And Trusts.

2. In the console tree, right-click one of the domains involved in the trust you want to verify, and then click Properties.


3. In the Properties dialog box, click the Trusts tab.

4. In the Trusts tab, shown previously in Figure 4-17, click the trust to be verified in either the Domains Trusted By This Domain (Outgoing Trusts) box or the Domains That Trust This Domain (Incoming Trusts) box, then click Properties.

5. In the Properties dialog box for the trust, shown in Figure 4-32, click Validate.

Figure 4-32 Properties dialog box for a trust

6. In the Active Directory dialog box, shown in Figure 4-33, select one of the following choices:

❑ Select No, Do Not Validate The Incoming Trust to validate only the outgoing trust, and then click OK.

❑ Select Yes, Validate The Incoming Trust, to validate the outgoing and the incoming trust. Type the user name and password of an account with administrative privileges in the other domain in the User Name and Password boxes respectively. Click OK.


Figure 4-33 Active Directory dialog box

7. In the Active Directory message box, a message indicates that the trust has been verified. Click OK.

8. In the Properties dialog box for the trust, click OK.

9. In the Trusts tab, click OK.

To remove a trust, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Domains And Trusts.

2. In the console tree, right-click one of the domain nodes involved in the trust you want to remove, and then click Properties.

3. In the Properties dialog box, click the Trusts tab.

4. In the Trusts tab, click the trust to be removed in the Domains Trusted By This Domain (Outgoing Trusts) box, then click Remove.

5. In the Active Directory dialog box, shown in Figure 4-34, select one of the following choices:

❑ Select No, Remove The Trust From The Local Domain Only to remove the trust from the local domain, and then click OK.

❑ Select Yes, Remove The Trust From Both The Local Domain And The Other Domain, to remove the trust from both domains. Type the user name and password of an account with administrative privileges in the other domain in the User Name and Password boxes respectively. Click OK.


Figure 4-34 Active Directory dialog box

6. In the Active Directory message box, confirm that you want to remove the trust by clicking Yes.

7. In the Trusts tab, click the trust to be removed in the Domains That Trust This Domain (Incoming Trusts) box, then click Remove.

8. Repeat steps 4 and 5 to remove the incoming trusts.

9. In the Trusts tab, note that the trusts have been removed, and then click OK.

Note

If you need to delete an external trust in a domain using Windows 2000 mixed functionality, the trust should always be deleted from a domain controller running Windows Server 2003. External trusts to Windows NT 4 or 3.51 domains can be deleted by authorized administrators on the Windows NT 4 or 3.51 domain controllers. However, only the trusted side of the relationship can be deleted on Windows NT 4 or 3.51 domain controllers. The trusting side of the relationship (created in the Windows Server 2003 domain) is not deleted, and although it will not be operational, the trust will continue to display in the Active Directory Domains And Trusts console. To remove the trust completely, you delete the trust from a domain controller running Windows Server 2003 in the trusting domain. If an external trust is inadvertently deleted from a Windows NT 4 or 3.51 domain controller, you must recreate the trust from any domain controller running Windows Server 2003 in the trusting domain.

Note

It is not possible to remove the default two-way transitive trusts between domains in a forest. Only explicitly created trusts can be deleted.


Creating and Administering Trusts Using the Command Line

In addition to creating and administering trusts using the Windows interface, you can also create and administer most trusts by using the Netdom.exe: Windows Domain Manager command line tool, included with the Windows Support Tools on the Windows Server 2003 Setup CD-ROM. You use the netdom trust command to create, verify, or reset a trust relationship between domains.

Netdom trust has the following syntax:

netdom trust TrustingDomainName /d:TrustedDomainName [/ud:[Domain\]User] [/pd:{Password|*}] [/uo:User] [/po:{Password|*}] [/verify] [/reset] [/passwordt:NewRealmTrustPassword] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos] [/transitive[:{YES|NO}]] [/verbose]

Each of the command parameters is explained in Table 4-1.

Table 4-1 Netdom Trust Command Parameters

Parameter | Description

TrustingDomainName | Specifies the name of the trusting domain.

/d:TrustedDomainName | Specifies the name of the trusted domain. If the parameter is omitted, then the domain that the current computer belongs to is used.

/uo:User | Specifies the user account that makes the connection with the trusting domain. If this parameter is omitted, the current user account is used.

/po:{Password|*} | Specifies the password of the user account that is specified in the /uo parameter. Use * to be prompted for the password.

/verify | Verifies the secure channel secrets upon which the specific trust is based.

/reset | Resets the trust secret between trusted domains or between the domain controller and the workstation.

/passwordt:NewRealmTrustPassword | Specifies a new trust password. This parameter is valid only with the /add parameter and only if one of the domains specified is a non-Windows Kerberos realm. The trust password is set on the Windows domain only, which means that credentials are not needed for the non-Windows domain.

/add | Specifies to create a trust.

/realm | Indicates that the trust is created to a non-Windows Kerberos realm. The /realm parameter is valid only with the /add and /passwordt parameters.

Lesson 4 Managing Trust Relationships

4

-

69

Table 4-1

Netdom Trust Command Parameters (Continued)

Parameter Description

/remove

/force

/twoway

Specifies to break a trust.

Removes both the trusted domain object and the cross-reference object for the specified domain from the forest. This is used to clean up decommis­ sioned domains that are no longer in use and were not able to be removed by using the Active Direc­ tory Installation wizard. This can occur if the domain controller for that domain was disabled or damaged and there were no domain controllers or it was not possible to recover the domain controller from backup media. This parameter is valid only when the /remove parameter is specified.

Specifies to establish a two-way trust relationship rather than a one-way trust relationship.

/kerberos Specifies between a workstation and a target domain. This parameter is valid only when the /verify parameter is specified.

/transitive[:{YES|NO}] whether trust. This parameter is valid only for a non-

Windows Kerberos realm. Non-Windows Kerberos trusts are created as nontransitive. If a value is omitted, then the current transitivity state is dis­ played. Yes sets the realm to a transitive trust. No sets the realm to a nontransitive trust.

/verbose Specifies verbose output. By default, only the result of the operation is reported. If /verbose is speci­ fied, the output lists the success or failure of each transaction necessary to perform the operation as well as returning an error level based on the suc­ cess (0) or failure (1) of the operation.

Note

Netdom cannot be used to create a forest trust. You can type the command netdom query trust to see a list of existing trust relationships.

For further information about using Netdom to create and administer trusts, refer to Windows Support Tools help.


Off the Record

The Nltest tool can also be used to manage trusts. Nltest is an older tool typically used for troubleshooting issues relating to Windows NT 4.0 clients and domains. Still, you can use it with Windows Server 2003 computers and domains. For example, try typing the following command at a Command Prompt on Server1: nltest /server:Server1 /trusted_domains. For more information on the capabilities of Nltest, see Support Tools Help (part of the Windows Support Tools).
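As an added example (it is not part of the training kit), the following PowerShell script drives the netdom trust operations from Table 4-1 from a script instead of an interactive prompt and checks the error level that /verbose returns after each step, so a failed step stops the script instead of going unnoticed. It assumes netdom.exe from the Windows Support Tools is on the PATH; the domain names and administrator accounts are placeholders.

```powershell
# Added example, not from the training kit: drives "netdom trust" from
# PowerShell and checks the error level after each step.  Assumes netdom.exe
# (Windows Support Tools) is on the PATH.  Domains and accounts are placeholders.
#
# Usage:  .\Manage-Trust.ps1 -Action Add      (create and verify a one-way trust)
#         .\Manage-Trust.ps1 -Action Verify   (check the trust's secure channel)
#         .\Manage-Trust.ps1 -Action Remove   (break the trust)

param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Add', 'Verify', 'Remove')]
    [string]$Action,
    [string]$TrustingDomain = 'contoso.com',                 # placeholder
    [string]$TrustedDomain  = 'woodgrovebank.com',           # placeholder
    [string]$TrustingAdmin  = 'CONTOSO\Administrator',       # placeholder
    [string]$TrustedAdmin   = 'WOODGROVEBANK\Administrator'  # placeholder
)

function Invoke-NetdomTrust {
    # Runs one "netdom trust TrustingDomain /d:TrustedDomain ..." operation.
    # /verbose makes netdom return error level 0 on success and 1 on failure,
    # so $LASTEXITCODE is a reliable signal for the script.
    param([string[]]$Switches)
    $cmdArgs = @('trust', $TrustingDomain, "/d:$TrustedDomain") + $Switches + '/verbose'
    Write-Host ('netdom ' + ($cmdArgs -join ' '))
    & netdom.exe @cmdArgs
    if ($LASTEXITCODE -ne 0) {
        throw "netdom trust failed with error level $LASTEXITCODE"
    }
}

# Credentials: /uo and /po connect to the trusting domain, /ud and /pd to the
# trusted domain.  "*" makes netdom prompt, so no password lands in the command
# line or in the shell history.
$trustingCreds = @("/uo:$TrustingAdmin", '/po:*')
$trustedCreds  = @("/ud:$TrustedAdmin",  '/pd:*')

switch ($Action) {
    'Add' {
        # One-way trust: $TrustingDomain honors logons from $TrustedDomain.
        # Add '/twoway' to the switch list for a two-way trust.
        Invoke-NetdomTrust (@('/add') + $trustingCreds + $trustedCreds)
        # Confirm the secure channel on which the new trust is based.
        Invoke-NetdomTrust (@('/verify') + $trustingCreds)
    }
    'Verify' {
        Invoke-NetdomTrust (@('/verify') + $trustingCreds)
    }
    'Remove' {
        Invoke-NetdomTrust (@('/remove') + $trustingCreds + $trustedCreds)
    }
}

# List the trust relationships of the domain this computer belongs to, as the
# Note above suggests, so the result of the operation can be seen.
& netdom.exe query trust
```

The script deliberately leaves the passwords to netdom's own prompt (the * form from Table 4-1) rather than taking them as parameters, and it runs /verify immediately after /add so that a trust whose secure channel cannot be established is reported at creation time.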

Practice: Managing Trust Relationships

In this practice, you manage trust relationships by creating, validating, and removing a forest trust.

Note

To complete this practice, you must have successfully completed the practices in Lessons 1 and 3.

Exercise 1: Creating an Additional Forest

In this exercise, you create another forest in addition to the contoso.com forest you created in Chapter 2.

To create an additional forest

1. Use the procedure provided in Lesson 1 to create a new domain in a new forest on Server2. Name the domain woodgrovebank.com.

2. Verify that the domain has been installed correctly on Server2 by verifying the domain configuration, the DNS configuration, DNS integration with Active Directory, installation of the shared system volume, and operation of the Directory Services Restore Mode boot option as described in Chapter 2.

3. On Server1, click Start, point to Administrative Tools, and then click Active Directory Domains And Trusts. Note that the woodgrovebank.com domain is not visible.

Exercise 2: Creating, Validating, and Deleting a Forest Trust

In this exercise, you create, validate, and finally delete a forest trust between the contoso.com forest root domain you created in Chapter 2 and the woodgrovebank.com forest root domain you created in Exercise 1.

To create, validate, and delete a forest trust

1. Use the procedure provided earlier in this lesson to create a forest trust between the contoso.com forest root domain and the woodgrovebank.com forest root domain.


2. Use the procedure provided earlier in this lesson to validate the forest trust.

3. When you have finished exploring the forest trust, use the procedure provided earlier in this lesson to delete the forest trust.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. Which type of trust provides transitive trusts between domains in two forests?

2. What is the purpose of a shortcut trust?

3. What is the purpose of an external trust?

4. What preliminary tasks must you complete before you can create a forest trust?

5. Which of the following trust types are created implicitly? Choose all that apply.

a. Tree-root

b. Parent-child

c. Shortcut

d. Realm

e. External

f. Forest


Lesson Summary

A trust relationship is a link between two domains in which the trusting domain honors the logon authentication of the trusted domain.

In Windows Server 2003, trusts can be created manually or automatically, can be transitive or nontransitive, and can be one- or two-way.

Windows Server 2003 supports the following types of trusts: tree-root, parent-child, shortcut, realm, external, and forest.

You use the New Trust Wizard, which is accessed from the Active Directory Domains and Trusts administrative tool, to create explicit trusts.

Troubleshooting Lab

To prepare for this lab, you must first remove the woodgrovebank.com Active Directory installation. You should also remove the DNS server service. The following steps guide you through this task.

Note

The commands in this lab assume that your CD-ROM drive is D. If it is something else, use that letter in place of D in the steps below.

1. Manually or automatically remove the woodgrovebank.com Active Directory install. To remove it automatically, insert the Supplemental CD into the CD-ROM drive on Server2. Click Start, click Run, and then type dcpromo /answer:D:\70-294\Labs\Chapter04\RemoveWoodgroveDC.txt, and then press Enter.

2. Log on to Server2 using the local administrator user name and password.

3. To remove the DNS server service, click Start, point to Control Panel, and click Add or Remove Programs.

4. On the Add Or Remove Programs window, click the Add/Remove Windows Components icon. Wait for the Windows Components Wizard to load.

5. Clear the Networking Services checkbox and click Next. This will remove all Networking Services, including the DNS server service.

6. Click Finish to complete this process. Close the Add or Remove Programs window.

7. Now configure Server2 as a member server of contoso.com, as you learned to do in Chapter 2.


Once this is complete, you are ready to begin the troubleshooting lab. The troubleshooting scenario follows:

You are a network administrator for Contoso Pharmaceuticals. Another member of your network administration team returns from a temporary assignment that lasted several weeks. Her computer was offline the entire time she was away. She returns to the office and starts her computer. She has trouble logging on and then she finds an error in the Event Viewer console’s System log. She asks you to look at the error. (To see this error, you must open a saved Event Log on your Supplemental CD-ROM.)

1. Log on to Server2 as the local administrator. Place your Supplemental CD-ROM into the CD-ROM drive of Server2 if you have not already done so.

2. Click Start, click Run, type eventvwr.msc, and then press Enter.

3. On the Event Viewer console, right-click the Event Viewer (Local) icon, and then click Open Log File. The Open dialog box is displayed.

4. In the File Name list, type D:\70-294\Labs\Chapter04\3210.evt. In the Log Type box, click the down arrow and select System. Click Open. A Saved System Log appears in your Event Viewer.

5. In the right window pane, scroll to the only error event in the saved log and double-click it. The Event Properties dialog box opens. Review the error message and then click OK. Close the Event Viewer.

Note

This type of error can occur if a member server is unable to synchronize its machine password with the domain controller. If you haven’t done so already, install the Windows Support Tools on Server2. The Netdom commands in the following steps show you how to diagnose and repair this issue. Before you attempt any of the following commands, ensure that your domain controller has been on for at least 15 minutes.

6. At the command prompt, reset the secure channel by typing netdom reset server2 /domain:contoso. You should see a confirmation message that reads: “The secure channel from SERVER2 to the domain CONTOSO.COM has been reset.” You’ve now solved the problem.

7. Now verify that the secure channel between the member server and domain controller is functioning properly. At the command prompt, type netdom verify server2 /domain:contoso.com. The following message appears: “The secure channel from SERVER2 to the domain CONTOSO.COM has been verified. The connection is with the machine \\SERVER1.CONTOSO.COM”, indicating the channel is functioning properly.


Real World

Troubleshooting Secure Channels

Both the Nltest and Netdom tools can be used to verify and reset secure channels between domain controller and domain member computers. If either utility indicates a secure channel doesn’t exist for the domain member computer, try the following:

1. Remove the computer from the domain by making it a member of a workgroup.

2. Delete the computer account from the Active Directory Users And Computers console.

3. Join the computer to the domain once again.
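As an added example (not from the training kit), here is the Netdom part of the lab procedure above as a PowerShell script: it verifies the member server's secure channel, resets it once if verification fails, verifies again, and falls back to printing the three manual steps from this sidebar rather than performing them. It assumes netdom.exe and nltest.exe from the Windows Support Tools are on the PATH and that it runs on the member server being checked; the computer and domain names are placeholders, and nltest's /sc_query switch is one the lab text does not show.

```powershell
# Added example, not from the training kit: scripted version of the secure
# channel diagnosis in the lab above.  Verifies the channel with netdom,
# resets it once if verification fails, verifies again, and prints the manual
# rejoin procedure if the channel still cannot be established.  Assumes
# netdom.exe and nltest.exe (Windows Support Tools) are on the PATH and that
# the script runs on the member server being checked.  Names are placeholders.

param(
    [string]$Computer = $env:COMPUTERNAME,   # member server, e.g. SERVER2
    [string]$Domain   = 'contoso.com'        # placeholder domain name
)

function Invoke-Netdom {
    # Runs "netdom <verb> <computer> /domain:<domain> /verbose" and returns
    # $true when the error level is 0.  netdom's own messages (for example
    # "The secure channel from SERVER2 to the domain CONTOSO.COM has been
    # verified.") are echoed so the operator still sees them.
    param([string]$Verb)
    Write-Host "netdom $Verb $Computer /domain:$Domain"
    & netdom.exe $Verb $Computer "/domain:$Domain" /verbose | ForEach-Object { Write-Host "  $_" }
    return ($LASTEXITCODE -eq 0)
}

Write-Host "Checking the secure channel from $Computer to $Domain"
if (Invoke-Netdom 'verify') {
    Write-Host 'Secure channel is working; nothing to do.'
    exit 0
}

# Verification failed: the machine account password may be out of sync, as in
# the lab scenario.  A single reset re-establishes the channel in that case.
Write-Host 'Verification failed; resetting the secure channel.'
if ((Invoke-Netdom 'reset') -and (Invoke-Netdom 'verify')) {
    Write-Host 'Secure channel reset and verified.'
    exit 0
}

# Still broken: show Nltest's view of the channel (the /sc_query switch exists
# in the real tool, although the lab above only shows /trusted_domains), then
# leave the rejoin to the operator rather than automating it.
& nltest.exe "/sc_query:$Domain"
Write-Host @"
The secure channel to $Domain could not be re-established. Repair it manually:
  1. Remove $Computer from the domain by making it a member of a workgroup.
  2. Delete the $Computer account in Active Directory Users And Computers.
  3. Join $Computer to $Domain again.
"@
exit 1
```

The script stops after one reset on purpose: if a reset followed by a verify does not restore the channel, the machine account itself is usually the problem, and that is the case the sidebar's remove, delete, and rejoin procedure addresses.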

Case Scenario Exercise

You are a computer consultant working for the Graphic Design Institute. In the past year you’ve helped the institute implement Active Directory in three different departments: Marketing, Administration, and Research. See the Case Scenario Exercises in Chapter 2 and Chapter 3 for more information about this company. Today, the company’s network infrastructure is host to three different forests. These forests are

marketing.graphicdesigninstitute.com

administration.graphicdesigninstitute.com

research.graphicdesigninstitute.com

The Information Technology Services (ITS) department is still running UNIX servers and hosting the company’s Internet connection. ITS has delegated the applicable DNS namespace for each domain to the Marketing, Administration, and Research departments. Each department has its own network administration team.

Laura Steele, the director of the institute, wants to discuss some issues she and the department directors have experienced.

Answer the following questions based on this information:

1. Right now, Research and Marketing are sharing data by burning CD-ROMs and DVD-ROMs. Under the current structure, how could Research and Marketing share information over the network?


2. Laura asks you, “What if we decided that ITS should handle the entire institute’s network administration? If we were building the entire administrative structure right now using Windows Server 2003 and Active Directory, how would it be different than what we have now?”

3. What are the potential issues of simply moving the management function of the existing structure to the ITS department, without modifying anything?

Chapter Summary

You can create multiple domains, trees, and forests by using dcpromo and the Active Directory Installation Wizard.

Create multiple domains to meet security requirements, meet administrative requirements, optimize replication traffic, or retain Windows NT domains. Create multiple trees if your organization has more than one DNS name. Create multiple forests if you need to secure data or you need to isolate directory replication.

In Windows Server 2003, you can now rename any domain that has domain controllers running Windows Server 2003 and move existing domains to other locations in the domain hierarchy if all domain functional levels in the forest have been raised to Windows Server 2003, and the forest functional level has been raised to Windows Server 2003. Use the domain rename utility (Rendom.exe) to rename or restructure a domain.

You can rename domain controllers without first demoting them if the functional level of the domain to which the domain controller is joined is set to Windows Server 2003. Use the Netdom.exe: Windows Domain Manager command-line tool, included with the Windows Support Tools on the Windows Server 2003 Setup CD-ROM, to rename a domain controller.

Operations master roles are assigned to domain controllers to perform single-master operations. Every Active Directory forest must have the schema master and domain naming master roles. Every domain in the forest must have the RID master, the PDC emulator, and the infrastructure master roles. There are two ways to manage operations master roles: transfer and seizure.


A trust relationship is a link between two domains in which the trusting domain honors the logon authentication of the trusted domain. Windows Server 2003 supports the following types of trusts: tree-root, parent-child, shortcut, realm, external, and forest.

Exam Highlights

Before taking the exam, review the key points and terms that are presented in this chapter. You need to know this information.

Key Points

Before implementing a forest and domain structure, plan the structure. Create child domains to meet security requirements, meet administrative requirements, optimize replication traffic, or retain Windows NT domains. Create multiple trees if your organization has more than one DNS name. Create multiple forests if you need to secure data or you need to isolate directory replication. You implement an Active Directory forest and domain structure by using dcpromo and the Active Directory Installation Wizard.

The default FSMO role configuration works well for most organizations. In a forest with more than a few domain controllers, or in a forest that spans multiple sites, you might want to transfer the default operations master role assignments to other domain controllers in the domain or forest to balance the load among domain controllers, or accommodate domain controller maintenance and hardware upgrades.

Every Active Directory forest must have the schema master and domain naming master roles. Every domain in the forest must have the RID master, the PDC emulator, and the infrastructure master roles. The infrastructure master role should not be assigned to the domain controller that is hosting the global catalog.

To handle FSMO role failure, you can transfer or seize an operations master role.

Tree-root and parent-child trusts are established automatically when you add a new tree root domain to a forest or a new child domain to a tree. There are four other trusts that must be planned and established explicitly: shortcut trusts, realm trusts, external trusts, and forest trusts. You use the New Trust Wizard, which is accessed from the Active Directory Domains and Trusts administrative tool, to create explicit trusts.


Key Terms

operations master

A domain controller that has been assigned one or more special roles in an Active Directory domain. The domain controllers assigned these roles perform operations that are single-master (not permitted to occur at different places on the network at the same time).

selective authentication

A method of setting the scope of authentication differently for outgoing and incoming external and forest trusts. Selective trusts allow you to make flexible access control decisions between external domains in a forest.

trust relationship

A logical relationship established between domains to allow pass-through authentication, in which a trusting domain honors the logon authentications of a trusted domain. User accounts and global groups defined in a trusted domain can be given rights and permissions in a trusting domain, even though the user accounts or groups don’t exist in the trusting domain’s directory.


Questions and Answers

Lesson 1 Review

1. What is the main consequence of creating multiple domains and trees?

Adding domains and trees increases administrative and hardware costs.

2. Why would you need to create additional trees in your Active Directory forest?

You might need to define more than one tree if your organization has more than one DNS name.

3. What is a tree root domain?

A tree root domain is the highest-level domain in the tree; child and grandchild domains are arranged under it. Typically, the domain you select for a tree root should be the one that is most critical to the operation of the tree. A tree root domain can also be the forest root domain.

4. What are the reasons for creating multiple forests in an organization?

Some of the reasons for creating multiple forests include to secure data and to isolate directory replication.

5. Which of the following is not a reason for creating multiple domains?

a. To meet security requirements

b. To meet administrative requirements

c. To optimize replication traffic

d. To meet delegation requirements

e. To retain Windows NT domains

The correct answer is d. In Windows NT, domains were the smallest units of administrative delegation. In Windows Server 2003, OUs allow you to partition domains to delegate administration, eliminating the need to define domains just for delegation.

Lesson 2 Review

1. Under what domain and forest functional levels can you rename or restructure domains in a forest?

You can rename or restructure the domains in a forest only if all domain controllers in the forest are running Windows Server 2003, all domain functional levels in the forest have been raised to Windows Server 2003, and the forest functional level has been raised to Windows Server 2003.

2. What utility is used to rename or restructure a domain in a forest?

You can use the domain rename utility (Rendom.exe) to rename or restructure a domain.


3. Under what domain functional level can you rename a domain controller?

You can rename a domain controller only if the domain functionality of the domain to which the domain controller is joined is set to Windows Server 2003.

4. What tool is used to rename a domain controller?

You rename a domain controller by using the Netdom.exe: Windows Domain Manager command-line tool, included with the Windows Support Tools on the Windows Server 2003 Setup CD-ROM. You use the Netdom Computername command to manage the primary and alternate names for a computer.

Lesson 3 Review

1. What is the purpose of the operations master roles?

The domain controllers assigned operations master roles perform operations that are single-master (not permitted to occur at different places in the network at the same time).

2. Which operations master roles must be unique in each forest?

The schema master and the domain naming master roles must be unique in each forest.

3. Which operations master roles must be unique in each domain?

The RID master, the PDC emulator, and the infrastructure master roles must be unique in each domain.

4. When should you seize an operations master role?

Consider seizing an operations master role assignment when a server that is holding a role fails and you do not intend to restore it. Before seizing the operations master role, determine the cause and expected duration of the computer or network failure. If the cause is a networking problem or a server failure that will be resolved soon, wait for the role holder to become available again. If the domain controller that currently holds the role has failed, you must determine if it can be recovered and brought back online. In general, seizing an operations master role is a drastic step that should be considered only if the current operations master will never be available again.

5. Which of the following operations master roles should not be assigned to the domain controller hosting the global catalog?

a. Schema master

b. Domain naming master

c. RID master

d. PDC emulator

e. Infrastructure master

The correct answer is e. The infrastructure master role should not be assigned to the domain controller that is hosting the global catalog. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain.


Lesson 4 Review


1. Which type of trust provides transitive trusts between domains in two forests?

A forest trust.

2. What is the purpose of a shortcut trust?

A shortcut trust is a trust between two domains in a forest, created to improve user logon times.

3. What is the purpose of an external trust?

An external trust is a trust between Windows Server 2003 domains in different forests or between a Windows Server 2003 domain and a domain whose domain controller is running Windows NT 4 or earlier. This trust is created to provide backward compatibility with Windows NT environments or communications with domains located in other forests not joined by forest trusts.

4. What preliminary tasks must you complete before you can create a forest trust?

Before you can create a forest trust, you must

1. Configure a DNS root server that is authoritative over both forest DNS servers that you want to form a trust with, or configure a DNS forwarder on both of the DNS servers that are authoritative for the trusting forests.

2. Ensure that the forest functionality for both forests is Windows Server 2003.

5. Which of the following trust types are created implicitly? Choose all that apply.

a. Tree-root

b. Parent-child

c. Shortcut

d. Realm

e. External

f. Forest

The correct answers are a and b. Shortcut, realm, external, and forest trusts must all be created manually (explicitly).

Case Scenario Exercise

1. Right now, Research and Marketing are sharing data by burning CD-ROMs and DVD-ROMs. Under the current structure, how could Research and Marketing share information over the network?

There are two main options: 1) The departments could share resources to Everyone and allow unauthenticated access to their resources. This could pose a security risk as they’d be allowing anyone access to their data, instead of just users in the Research or Marketing departments. 2) Research and Marketing could create trust relationships between their separate forests and share information to specific users in a more secure way.


2. Laura asks you, “What if we decided that ITS should handle the entire institute’s network administration? If we were building the entire administrative structure right now using Windows Server 2003 and Active Directory, how would it be different than what we have now?”

The institute’s network resources would probably be configured as a single forest. The single forest model allows the company to share a common set of administrators called Enterprise Admins. These administrators would have the user rights to handle issues throughout the entire institute. If you wanted separate domains for each department, you’d probably configure them as child domains. The forest root and parent of all these child domains would be the ITS department. Another option would be to configure a single domain and create OUs to subdivide the domain when there are unique administrative requirements. For example, you might create a separate OU for each department, if they required separate management.

3. What are the potential issues of simply moving the management function of the existing structure to the ITS department, without modifying anything?

Centralized management of resources would be more complicated than necessary because there are currently three separate forests with no trust relationships. The administrative team would have to use three separate sets of Enterprise Admin accounts. Many tasks would have to be performed three times instead of only once.

Chapter 5 Configuring Sites and Managing Replication

Exam Objectives in this Chapter:

Plan a strategy for placing global catalog servers

Identify network traffic considerations when placing global catalog servers

Identify the need to enable universal group membership caching

Create and configure application directory partitions

Implement an Active Directory site topology

Configure site links

Configure preferred bridgehead servers

Manage an Active Directory site

Configure replication schedules

Configure site link costs

Configure sites

Monitor Active Directory replication failures

Monitor Active Directory replication

Troubleshoot Active Directory directory service

Diagnose and resolve issues related to Active Directory replication

Why This Chapter Matters

This chapter shows you how to configure your Active Directory physical structure by configuring sites and replication. When you are faced with managing a geographically spread out Active Directory infrastructure, you’ll need to understand replication. There are two types of replication: intersite and intrasite. Intrasite is the default replication type that occurs as soon as you place the second domain controller in a domain. Intersite replication occurs when you create sites. You use sites to control data replication between domain controllers. To implement a site topology, you’ll need to know how to configure sites and intersite replication. To configure intersite replication, you must be familiar with site links and their attributes of cost, frequency, and scheduling. You must know why it’s not always necessary to designate a preferred bridgehead server, site link bridges, or connection objects.


Chapter 5 Configuring Sites and Managing Replication

Lessons in this Chapter:

Lesson 1: Understanding Sites and Replication . . . . . . . . . . . . . . . . . . . . . . . 5-3

Lesson 2: Configuring Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-11

Lesson 3: Configuring Intersite Replication. . . . . . . . . . . . . . . . . . . . . . . . . 5-25

Lesson 4: Configuring Global Catalog Servers . . . . . . . . . . . . . . . . . . . . . . 5-41

Lesson 5: Configuring Application Directory Partitions . . . . . . . . . . . . . . . . 5-48

Lesson 6: Monitoring and Troubleshooting Replication . . . . . . . . . . . . . . . . 5-59

Before You Begin

To complete the lessons in this chapter, you must

Prepare your test environment according to the descriptions given in the “Getting Started” section of “About This Book”

Complete the practices for installing and configuring Active Directory as discussed in Chapter 2, “Installing and Configuring Active Directory”

Learn to use Active Directory administration tools as discussed in Chapter 3, “Administering Active Directory”


Lesson 1: Understanding Sites and Replication

Understanding how sites and replication work is a prerequisite for being able to configure and manage sites and replication for Active Directory. This lesson introduces you to how sites and replication work to represent the physical structure of Active Directory.

After this lesson, you will be able to

Explain the purpose of sites

Explain how information is replicated within sites and between sites

Explain the purpose of site links, site link bridges, and bridgehead servers

Explain site link transitivity

Estimated lesson time: 20 minutes

Understanding Sites

Recall from Chapter 1, “Introduction to Active Directory,” that a site is a set of Internet Protocol (IP) subnets connected by a highly reliable and fast link, usually a local area network (LAN). A subnet is a subdivision of an IP network. Typically, networks with a bandwidth of at least 512 kilobits per second (Kbps) are considered fast networks. An available bandwidth of 128 Kbps and higher is sufficient for designating a site. Available bandwidth is the amount of bandwidth that is actually available for use during peak traffic after normal network traffic is handled.

In Active Directory, site structure mirrors the location of user communities. Site structure corresponds to the physical environment and is maintained separately from the logical environment, which is represented by the domain structure. Because sites are independent of the domain structure, a single domain can include a single site or multiple sites, and a single site can include multiple domains.

The main purpose of a site is to physically group computers to optimize network traffic. Sites act to confine authentication and replication traffic to only the devices within a site. Because network traffic is prevented from unnecessarily crossing slow wide area network (WAN) links, WAN traffic is limited. Sites have two main roles:

To facilitate authentication, by determining the nearest domain controller when a user logs on from a workstation

To facilitate the replication of data between sites

Because site names are used in the records registered in the Domain Name System (DNS) by the domain locator, they must be valid DNS names. Recall that valid DNS names consist of the standard characters A–Z, a–z, 0–9, and hyphen (-).


Understanding Replication

In Active Directory, all of the objects in the forest are represented in the directory tree, a hierarchy of objects and containers. For each forest, the directory tree is partitioned to allow sections to be distributed to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a directory partition. A directory partition is also known as a naming context.

The copy of the directory partition is called a replica. A replica contains all attributes for each directory partition object and is readable and writable. In the Microsoft Windows Server 2003 operating system, the replication process ensures that changes made to a replica on one domain controller are synchronized to replicas on all other domain controllers within the domain.

Information Replicated

At least three types of directory partition replicas are stored on each domain controller:

Schema partition  Contains definitions of objects that can be created in the forest and the attributes those objects can have. Objects in the schema partition must be replicated to all domain controllers in all domains in the forest.

Configuration partition  Contains objects that represent the logical structure of the forest deployment, including the domain structure and replication topology. Objects in the configuration partition must be replicated to all domain controllers in all domains in the forest.

Domain partition  Contains all of the objects stored in a domain. Objects in the domain partition can be replicated only to domain controllers within the domain.

In addition, a new type of directory partition—the Application directory partition—is available only to domain controllers in the Windows Server 2003 operating system. This partition is used by applications and services to store application-specific data, which can include any type of object except security principals (users, groups, and computers). The application partition can be configured to replicate objects to any set of domain controllers in the forest, not necessarily all in the same domain. This partition provides the capability to host data in Active Directory without significantly impacting network performance by providing control over the scope of replication and placement of replicas. Therefore, dynamic data from network services such as Remote Access Service (RAS), RADIUS, Dynamic Host Configuration Protocol (DHCP), and Common Open Policy Service (COPS) can reside in a directory, allowing applications to access them uniformly with one access methodology.

Some domain controllers are global catalog servers. On these domain controllers, there is also stored a partial replica of directory partition objects from other domains, for the purpose of finding information throughout the domain tree or forest. A partial replica contains a subset of the attributes of a directory partition replica and is read-only. To be stored in a partial replica, an attribute must have the isMemberOfPartialAttributeSet value on its attributeSchema object set to TRUE.
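The following script is an added example and is not part of the training kit. It inventories the directory partitions registered in a forest, classifies each one as schema, configuration, domain, or application, reports which of them the queried domain controller hosts, and lists the attributes that make up the global catalog partial attribute set. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later; it does not exist on Windows Server 2003 itself), read access to the configuration and schema partitions, and a domain controller named Server1 (a placeholder taken from the practice exercises in this chapter).

```powershell
# Added example, not from the training kit: classify the forest's directory
# partitions, show which ones a DC hosts, and list the global catalog partial
# attribute set. Assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2
# or later) and read access to the configuration and schema partitions.
Import-Module ActiveDirectory

$dc       = 'Server1'                      # placeholder name
$rootDse  = Get-ADRootDSE -Server $dc
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext

# Every partition in the forest has a crossRef object under CN=Partitions in the
# configuration partition. systemFlags bit 0x1 marks a partition hosted in AD and
# bit 0x2 marks a domain partition; an application partition has 0x1 set and 0x2
# clear. msDS-NC-Replica-Locations names the DCs an application partition goes to.
function Get-PartitionKind {
    param($CrossRef)
    $flags = [int]$CrossRef.systemFlags
    if ($CrossRef.nCName -eq $schemaNC) { return 'Schema' }
    if ($CrossRef.nCName -eq $configNC) { return 'Configuration' }
    if (($flags -band 0x1) -and ($flags -band 0x2)) { return 'Domain' }
    if ($flags -band 0x1) { return 'Application' }
    return 'External'
}

$crossRefs = Get-ADObject -Server $dc -SearchBase "CN=Partitions,$configNC" -SearchScope OneLevel `
    -LDAPFilter '(objectClass=crossRef)' -Properties nCName, systemFlags, 'msDS-NC-Replica-Locations'

# RootDSE namingContexts lists the partitions this DC holds a full replica of.
$hosted = @($rootDse.namingContexts)
foreach ($cr in $crossRefs) {
    $kind  = Get-PartitionKind $cr
    $scope = switch ($kind) {
        'Schema'        { 'every DC in the forest' }
        'Configuration' { 'every DC in the forest' }
        'Domain'        { 'every DC in its domain; read-only partial copy on global catalogs' }
        'Application'   { '{0} DC(s) named in msDS-NC-Replica-Locations' -f @($cr.'msDS-NC-Replica-Locations').Count }
        default         { 'not hosted in Active Directory' }
    }
    $onThisDc = if ($hosted -contains $cr.nCName) { 'hosted here' } else { 'not here' }
    '{0,-13} {1,-11} {2}  [replicates to: {3}]' -f $kind, $onThisDc, $cr.nCName, $scope
}

# Attributes copied to every global catalog are the attributeSchema objects whose
# isMemberOfPartialAttributeSet is TRUE. Adding an attribute to this set (as some
# applications ask you to) exposes its values forest wide, so review the list.
$pas = Get-ADObject -Server $dc -SearchBase $schemaNC -SearchScope OneLevel `
    -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
    -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
'{0} attributes in the partial attribute set, for example {1}' -f $pas.Count, (($pas | Select-Object -First 5) -join ', ')
```

Run it from a domain-joined workstation with the AD DS tools installed. A partition listed as Domain for another domain will show as "not here" on every domain controller outside that domain, even on a global catalog, because the global catalog's partial replica is not a naming context of its own.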

Replication Triggers

The following actions trigger replication between domain controllers:

Creating an object

Modifying an object

Moving an object

Deleting an object

How Information Is Replicated

Active Directory replicates information in two ways: intrasite (within a site) and intersite (between sites). Table 5-1 compares intrasite and intersite replication.

Table 5-1 Intrasite and Intersite Replication Comparison

Compression
  Intrasite: To save CPU time, replication data is not compressed.
  Intersite: To save WAN bandwidth, replication data greater than 50 kilobytes (KB) is compressed.

Replication model
  Intrasite: To reduce replication latency, replication partners notify each other when changes need to be replicated and then pull the information for processing.
  Intersite: To save WAN bandwidth, replication partners do not notify each other when changes need to be replicated.

Replication frequency
  Intrasite: Replication partners poll each other periodically.
  Intersite: Replication partners poll each other at specified intervals, only during scheduled periods. If updates are necessary, operations are scheduled to pull the information for processing.

Transport protocols
  Intrasite: Remote procedure call (RPC).
  Intersite: IP (RPC over IP) or Simple Mail Transfer Protocol (SMTP).

Note that the SMTP transport can carry only the schema, configuration, and application partitions (and the global catalog partial replica); the domain partition replicates between sites over IP only.

For intrasite replication, the knowledge consistency checker (KCC) on each domain controller automatically generates and optimizes a replication topology among the domain controllers in the same site, building a separate topology for each directory partition those domain controllers share. To accomplish this, the KCC automatically creates connection objects between domain controllers. A connection object is an Active Directory object that represents an inbound-only connection to a domain controller. Under normal conditions, Active Directory automatically creates and deletes connection objects. However, you can manually create connection objects to force replication if you are certain the connection is required and you want the connection to persist until you manually remove it; the KCC does not delete connection objects that an administrator created.

Real World

Initiating Replication

You can use several different methods to force replication. Microsoft Knowledge Base article 232072, “Initiating Replication Between Active Directory Direct Replication Partners” (available from http://support.microsoft.com), discusses the following four methods:

1.

Using the Active Directory Sites and Services MMC snap-in (Dssite.msc)

2.

Using Repadmin

3.

Using Replmon

4.

Using a script

All of these methods, except for using a script, are illustrated in the exercises and examples in this chapter. A sample script for initiating replication named Replicate.vbs can be found in the \70-294\Labs\Chapter05 folder on the Supplemental CD-ROM.
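The following script is an added example and is not part of the training kit or of the Replicate.vbs sample on its CD-ROM. It lists the inbound connection objects under a domain controller's NTDS Settings object, decodes their options bits so that KCC-generated and manually created connections can be told apart, and then forces replication the way the snap-in's Replicate Now command and Repadmin do. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) and repadmin.exe; the bit values are the NTDSCONN_OPT_* flags of the nTDSConnection options attribute, and the server name Server1 is a placeholder.

```powershell
# Added example, not from the training kit: decode a DC's inbound connection
# objects, flag the ones an administrator created by hand, and force a sync.
# Assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later)
# and repadmin.exe from the AD DS tools.
Import-Module ActiveDirectory

$dc = 'Server1'                              # placeholder name
$connFlags = [ordered]@{
    0x01 = 'IS_GENERATED (built by the KCC; the KCC deletes it when no longer needed)'
    0x02 = 'TWOWAY_SYNC'
    0x04 = 'OVERRIDE_NOTIFY_DEFAULT'
    0x08 = 'USE_NOTIFY (change notification, the intrasite model)'
    0x10 = 'DISABLE_INTERSITE_COMPRESSION'
    0x20 = 'USER_OWNED_SCHEDULE'
}

function Get-InboundConnection {
    param([string]$Server)
    # Connection objects are inbound only: fromServer is the partner this DC pulls from.
    $ntds = (Get-ADDomainController -Identity $Server).NTDSSettingsObjectDN
    Get-ADObject -Server $Server -SearchBase $ntds -SearchScope OneLevel `
        -LDAPFilter '(objectClass=nTDSConnection)' -Properties options, fromServer, whenCreated |
        ForEach-Object {
            $opt  = [int]$_.options
            # fromServer is "CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,..."
            $path = $_.fromServer -split ','
            [pscustomobject]@{
                Name       = $_.Name
                FromServer = $path[1] -replace '^CN='
                FromSite   = $path[3] -replace '^CN='
                KccManaged = [bool]($opt -band 0x01)
                Options    = '0x{0:X2}' -f $opt
                Flags      = ($connFlags.Keys | Where-Object { $opt -band $_ } | ForEach-Object { $connFlags[$_] }) -join '; '
                Created    = $_.whenCreated
            }
        }
}

$conns = Get-InboundConnection -Server $dc
$conns | Format-Table Name, FromServer, FromSite, KccManaged, Options -AutoSize

# Manually created connections persist until someone deletes them, and the KCC
# builds around them rather than removing them, so they deserve a periodic look.
$conns | Where-Object { -not $_.KccManaged } |
    ForEach-Object { "Manual connection '{0}' pulls from {1} ({2}), created {3}" -f $_.Name, $_.FromServer, $_.FromSite, $_.Created }

# Forcing replication. /syncall synchronises the DC with every partner; the flags
# mean A = all partitions, d = show partner names instead of GUIDs, e = include
# partners in other sites, P = also push this DC's changes to its partners.
repadmin /syncall $dc /AdeP
# Result per partner: last attempt, last success and any error.
repadmin /showrepl $dc
```

The same decoding applies to connection objects you see in the Active Directory Sites And Services console: a connection with the IS_GENERATED bit clear is one that was created by hand, and Repadmin reports it as "manual" in /showrepl output.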

Site Links

For intersite replication to occur, you must customize how Active Directory replicates information by setting up site links. Site links are logical, transitive connections between two or more sites that mirror the network links and allow replication to occur.

Once you have created site links, the KCC will then automatically generate the replication topology by creating the appropriate connection objects. It is important to note the difference between site links and connection objects. Site links are used by the KCC to determine replication paths between two sites and must be created manually. Connection objects actually connect domain controllers and are created by the KCC, though you can also manually create them if necessary.

Real World

Site Link Availability Schedule

If you work for an organization that spans multiple time zones, you must consider this when configuring your site link schedule. Although the site link schedule interface displays the schedule based on local time, this information is stored in Coordinated Universal Time (UTC). This means that someone in another time zone looking at the same schedule will see different link availability. Ensure that when you schedule site link availability for two locations in different time zones, you take into account what is happening at both locations at the scheduled time.
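The following script is an added example and is not part of the training kit. It builds a site link availability window in one location's local time, stores it in the UTC form that Active Directory keeps, and then prints the same stored window as the clocks at both ends of the link would show it. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) and the .NET System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule type, whose RawSchedule property is a [bool[7,24,4]] array (day counted from Sunday, hour, 15-minute slot) expressed in UTC. The site link name Columbus-Chicago, the two time zones, and the hours are placeholders.

```powershell
# Added example, not from the training kit: write a site link schedule from a
# local-time window and show how it looks from two time zones. Assumes the
# ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and the .NET
# ActiveDirectorySchedule type, whose RawSchedule is [bool[7,24,4]] in UTC.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$linkName = 'Columbus-Chicago'                                            # placeholder
$columbus = [TimeZoneInfo]::FindSystemTimeZoneById('Eastern Standard Time')
$chicago  = [TimeZoneInfo]::FindSystemTimeZoneById('Central Standard Time')

# A reference week (Sunday to Saturday) with kind Unspecified, so that
# ConvertTimeToUtc applies the zone we name, including its DST rule per slot.
$today     = (Get-Date).Date
$weekStart = [DateTime]::SpecifyKind($today.AddDays(-1 * [int]$today.DayOfWeek), 'Unspecified')

function New-UtcSchedule {
    param([TimeZoneInfo]$LocalZone, [int]$StartHour, [int]$EndHour)
    $sched = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
    $raw   = $sched.RawSchedule                      # all $false: never available
    for ($d = 0; $d -lt 7; $d++) {
        for ($h = 0; $h -lt 24; $h++) {
            # a window such as 20:00 to 04:00 wraps past midnight
            $open = if ($StartHour -le $EndHour) { $h -ge $StartHour -and $h -lt $EndHour }
                    else                         { $h -ge $StartHour -or  $h -lt $EndHour }
            if (-not $open) { continue }
            for ($q = 0; $q -lt 4; $q++) {
                $local = $weekStart.AddDays($d).AddHours($h).AddMinutes(15 * $q)
                $utc   = [TimeZoneInfo]::ConvertTimeToUtc($local, $LocalZone)
                $raw[[int]$utc.DayOfWeek, $utc.Hour, [int]($utc.Minute / 15)] = $true
            }
        }
    }
    $sched.RawSchedule = $raw
    return $sched
}

# Render the stored (UTC) window for one weekday as seen from a given zone.
function Get-OpenHours {
    param($Schedule, [TimeZoneInfo]$Zone, [int]$Day = 1)   # 1 = Monday in UTC
    $raw    = $Schedule.RawSchedule
    $utcDay = [DateTime]::SpecifyKind($weekStart.AddDays($Day), 'Utc')
    (0..23 | Where-Object { $raw[$Day, $_, 0] } |
        ForEach-Object { [TimeZoneInfo]::ConvertTimeFromUtc($utcDay.AddHours($_), $Zone).ToString('ddd HH:mm') }) -join ', '
}

# The Columbus administrator wants the link open 20:00 to 04:00 Columbus time.
$schedule = New-UtcSchedule -LocalZone $columbus -StartHour 20 -EndHour 4
Set-ADReplicationSiteLink -Identity $linkName -ReplicationSchedule $schedule

$stored = (Get-ADReplicationSiteLink -Identity $linkName -Properties ReplicationSchedule).ReplicationSchedule
'UTC slots open on Monday : ' + (Get-OpenHours $stored ([TimeZoneInfo]::Utc))
'Seen from Columbus       : ' + (Get-OpenHours $stored $columbus)
'Seen from Chicago        : ' + (Get-OpenHours $stored $chicago)
```

The last three lines are the point of the exercise: the stored UTC slots are the same data, but an administrator in Chicago sees the window start an hour earlier on the local clock than the Columbus administrator who set it, and during a daylight-saving changeover the two views drift for the affected week.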


Site Link Transitivity By default, all site links are transitive, which simply means that if sites A and B are linked and sites B and C are linked, then site A and site C are transitively linked. Site link transitivity is enabled or disabled by selecting the Bridge All Site Links check box in the Properties dialog box for either the IP or the SMTP intersite transport. By default, site link transitivity is enabled for each transport.

Note

If site link transitivity is enabled and connections are created between sites that span firewalls, replication errors will occur if the firewall allows packets to travel only between specific domain controllers.

If you disable site link transitivity for a transport, all site links for that transport are affected and none of them are transitive. You must manually create site link bridges to provide transitive replication. The following are some reasons why you might want to disable site link transitivity:

To have total control over replication traffic patterns

To avoid a particular replication path, such as a path that involves a firewall

If your IP network is not fully routed

Caution

Carefully consider the needs of your organization before disabling site link transitivity.

Site Link Bridges

A site link bridge connects two or more site links in a transport where transitivity has been disabled in order to create a transitive and logical link between two sites that do not have an explicit site link. For example, in Figure 5-1, site link Ber-Lu connects the Bern and Lucerne sites. Site link Lu-Zur connects the Lucerne and Zurich sites. Site link bridge Ber-Lu-Zur connects site links Ber-Lu and Lu-Zur.

Because site links are transitive by default, it is seldom necessary to create site link bridges. In other words, if site link transitivity is enabled, then manually creating a site link bridge is redundant and has no effect. However, if site link transitivity is disabled, you need to manually create a site link bridge if a transitive link is required to handle your organization’s replication strategy.
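The following script is an added example and is not part of the training kit. It reads and changes the Bridge All Site Links setting of the IP transport, builds the Figure 5-1 topology (sites Bern, Lucerne, and Zurich with site links Ber-Lu and Lu-Zur), and, with transitivity turned off, supplies the Bern-to-Zurich path explicitly as the Ber-Lu-Zur site link bridge. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later). The setting lives in the options attribute of the interSiteTransport object: bit 0x2 (BRIDGES_REQUIRED) set means the check box is cleared, and bit 0x1 is the transport's ignore-schedules option. The costs and replication intervals are placeholders.

```powershell
# Added example, not from the training kit: toggle "Bridge all site links" for
# the IP transport and create the site links and site link bridge of Figure 5-1.
# Assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

# options bit 0x2 set = bridges required = Bridge All Site Links cleared.
function Get-SiteLinkTransitivity {
    $opt = [int](Get-ADObject -Identity $ipTransport -Properties options).options
    [pscustomobject]@{
        BridgeAllSiteLinks = -not ($opt -band 0x2)
        IgnoreSchedules    = [bool]($opt -band 0x1)
        RawOptions         = $opt
    }
}

function Set-SiteLinkTransitivity {
    param([bool]$Enabled)
    $opt = [int](Get-ADObject -Identity $ipTransport -Properties options).options
    $new = if ($Enabled) { $opt -band (-bnot 0x2) } else { $opt -bor 0x2 }
    Set-ADObject -Identity $ipTransport -Replace @{ options = $new }
}

# Sites and the two explicit site links from the figure, created only if missing.
foreach ($site in 'Bern', 'Lucerne', 'Zurich') {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) { New-ADReplicationSite -Name $site }
}
$links = @{ 'Ber-Lu' = 'Bern', 'Lucerne'; 'Lu-Zur' = 'Lucerne', 'Zurich' }
foreach ($name in $links.Keys) {
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$name'")) {
        New-ADReplicationSiteLink -Name $name -SitesIncluded $links[$name] -Cost 100 `
            -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP      # placeholder values
    }
}

'Before:'; Get-SiteLinkTransitivity

# Turn transitivity off (an organisation that wants every intersite path to be
# explicit, or whose firewall between Bern and Zurich permits only specific DC
# pairs, would do this), then provide the one transitive path it still wants.
Set-SiteLinkTransitivity -Enabled $false
if (-not (Get-ADReplicationSiteLinkBridge -Filter "Name -eq 'Ber-Lu-Zur'")) {
    New-ADReplicationSiteLinkBridge -Name 'Ber-Lu-Zur' -SiteLinksIncluded 'Ber-Lu', 'Lu-Zur' `
        -InterSiteTransportProtocol IP
}
'After:'; Get-SiteLinkTransitivity

# With the check box cleared, a pair of sites that is neither directly linked nor
# covered by a bridge has no intersite path at all, so list what is bridged.
Get-ADReplicationSiteLinkBridge -Filter * -Properties SiteLinksIncluded |
    ForEach-Object { '{0}: {1}' -f $_.Name, (($_.SiteLinksIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ' + ') }
```

After changing either the transport options or the bridges, run repadmin /kcc against a bridgehead in each affected site (or wait for the next KCC pass) and check the resulting connection objects; while Bridge All Site Links is enabled the bridge is harmless but has no effect, exactly as the text states.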

Figure 5-1 A site link bridge (sites Bern, Lucerne, and Zurich; site link Ber-Lu joins Bern and Lucerne, site link Lu-Zur joins Lucerne and Zurich, and site link bridge Ber-Lu-Zur spans both site links)

Bridgehead Servers

After you have configured sites and site links, the KCC automatically designates a domain controller in each site, for each intersite transport, as the bridgehead server. A bridgehead server is a single domain controller in a site, the contact point, used for replication between sites. The KCC automatically creates connection objects between bridgehead servers. When a bridgehead server receives replication updates from another site, it replicates the data to the other domain controllers within its site.

A bridgehead server is designated automatically by the KCC. You can also specify a preferred bridgehead server if you have a computer with appropriate bandwidth to transmit and receive information. If you specify a preferred bridgehead server rather than use the one designated by the KCC, you can select the optimum conditions for the connection between sites. You can specify multiple preferred bridgehead servers, but only one of them is active at any time for a given directory partition and transport in a site.

Caution

By specifying preferred bridgehead servers, you limit the ability of the KCC to provide failover if the bridgehead servers you designated as preferred go offline. If an active preferred bridgehead server fails, Active Directory selects another preferred bridgehead server from the set you designated. If no other preferred bridgehead servers are specified or no other preferred bridgehead servers are available, replication does not occur to that site even if there are servers that can act as bridgehead servers.
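The following script is an added example and is not part of the training kit. It designates a preferred bridgehead server for the IP transport, lists the preferred bridgeheads in each site, and checks for the failure mode the caution above describes: a site whose preferred bridgeheads are all unreachable, or that has only one and therefore no failover. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later), repadmin.exe, and that ICMP echo is allowed to the domain controllers (Test-Connection is used as the reachability probe). Preferred bridgeheads are recorded in the server object's bridgeheadTransportList attribute, which holds the distinguished name of each transport the server is preferred for; the site and server names are placeholders from the practice exercises.

```powershell
# Added example, not from the training kit: set and audit preferred bridgehead
# servers for the IP transport. Assumes the ActiveDirectory module (RSAT, Windows
# Server 2008 R2 or later), repadmin.exe, and ICMP reachability to the DCs.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

# Preferred bridgeheads for a site: server objects whose bridgeheadTransportList
# contains the transport's DN. The server object's CN is the computer's NetBIOS name.
function Get-PreferredBridgehead {
    param([string]$Site)
    Get-ADObject -SearchBase "CN=Servers,CN=$Site,CN=Sites,$configNC" -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=server)(bridgeheadTransportList=$ipTransport))" |
        Select-Object -ExpandProperty Name
}

function Set-PreferredBridgehead {
    param([string]$Site, [string]$ServerName, [switch]$Remove)
    $dn = "CN=$ServerName,CN=Servers,CN=$Site,CN=Sites,$configNC"
    if ($Remove) { Set-ADObject -Identity $dn -Remove @{ bridgeheadTransportList = $ipTransport } }
    else         { Set-ADObject -Identity $dn -Add    @{ bridgeheadTransportList = $ipTransport } }
}

# The caution in the text: once any server in a site is preferred, the KCC uses
# only preferred servers there. Report sites with a single preferred bridgehead
# (no failover) and sites where none of the preferred bridgeheads answers.
function Test-BridgeheadFailover {
    foreach ($site in Get-ADReplicationSite -Filter *) {
        $pref = @(Get-PreferredBridgehead -Site $site.Name)
        if ($pref.Count -eq 0) { continue }            # KCC chooses freely; nothing to check
        $alive = @($pref | Where-Object { Test-Connection -ComputerName $_ -Count 1 -Quiet })
        [pscustomobject]@{
            Site      = $site.Name
            Preferred = ($pref -join ', ')
            Reachable = $alive.Count
            Risk      = if ($alive.Count -eq 0)   { 'no reachable preferred bridgehead: intersite replication to this site stops' }
                        elseif ($pref.Count -eq 1) { 'single preferred bridgehead: no failover' }
                        else                        { 'ok' }
        }
    }
}

Set-PreferredBridgehead -Site 'Chicago' -ServerName 'SERVER2'       # placeholders
Test-BridgeheadFailover | Format-Table -AutoSize

# What the KCC is actually using right now, preferred or not:
repadmin /bridgeheads
```

To return a site to KCC-chosen bridgeheads, remove the transport from every preferred server's bridgeheadTransportList (Set-PreferredBridgehead with -Remove) rather than leaving a single stale entry behind, which is the configuration the audit flags.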


How Intersite Replication Works

The following steps, illustrated in Figure 5-2, show how intersite replication works:

1.

At the interval determined by the selected replication frequency, the bridgehead server in the Zurich site polls the bridgehead server in the Lucerne site for any updated data.

2.

If the bridgehead server in the Lucerne site finds that it has updated Active Directory data, it compresses the data (if larger than 50 KB) and sends it to the bridgehead server in the Zurich site.

3.

When the bridgehead server in the Zurich site has received all of the data, it then replicates the data to the other domain controllers in the site, without compressing the information.

Figure 5-2 The intersite replication process (the Lucerne and Zurich bridgehead servers joined by the Lu-Zur site link; steps 1 and 2 run between the two bridgehead servers, and step 3 runs from the Zurich bridgehead server to DC1, DC2, and DC3 within the Zurich site)

Note that polling and pull replication, rather than notification and push replication, are used between bridgehead servers during intersite replication. Pull replication is more efficient for intersite replication because the destination domain controller knows which replication data to request. In contrast, notification and push replication are more efficient for intrasite replication, when domain controllers are well connected and not restrained by site link schedules.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1.

What is a site?


2.

Which directory partition replica type must be replicated to all domain controllers within the domain?

3.

Which type of replication compresses data to save WAN bandwidth?

4.

What is the difference between a site link and a connection object?

5.

Which of the following actions does not trigger replication?

a.

Accessing an object

b.

Creating an object

c.

Deleting an object

d.

Modifying an object

e.

Moving an object

Lesson Summary

A site is a set of IP subnets connected by a highly reliable and fast link (usually a

LAN). Site structure mirrors the location of user communities. Sites have two main roles: to facilitate authentication and the replication of data between sites.

The replication process ensures that changes made to a replica on one domain controller are synchronized to replicas on all other domain controllers within the domain. Creating, modifying, moving, or deleting an object triggers replication between domain controllers. Active Directory replicates information in two ways: intrasite (within a site) and intersite (between sites).

There are four types of directory partition replicas: schema, configuration, domain, and application.

A site link is a logical, transitive connection between two or more sites that mirrors the network links and allows replication to occur. By default, all site links are transitive. A site link bridge connects two or more site links in a transport where transitivity has been disabled in order to create a transitive and logical link between two sites that do not have an explicit site link.

A bridgehead server is a single domain controller in a site, the contact point, used for replication between sites, and is designated automatically by the KCC.


Lesson 2: Configuring Sites

This lesson discusses the configuration of sites, which includes the creation of sites, subnets, and domain controller objects and the designation of a site license server. It also discusses when to create sites and where to place domain controllers. In this lesson, you learn how to create and rename a site, to create subnets and associate them with sites, to create, move, or remove domain controller objects in a site, and to view and change a site license server.

After this lesson, you will be able to

■ Determine when to create a site
■ Create a site
■ Rename a site
■ Create a subnet
■ Associate a subnet with a site
■ Determine when to place a domain controller in a site
■ Create a domain controller object in a site
■ Move a domain controller object between sites
■ Remove a domain controller object from a site
■ View a site license server
■ Change a site license server

Estimated lesson time: 20 minutes

Configuring Sites

To configure a site you must complete the following tasks:

1.

Create a site

2.

Create a subnet and associate it with site

3.

Create or move a domain controller object into the site

4.

Designate a site license server for the site

You can complete each of these tasks by using the Active Directory Sites And Services console.

The Active Directory Sites And Services Console

You use the Active Directory Sites And Services console to configure sites. The hierarchy of objects used by the KCC to represent the replication topology are displayed as the contents of the Sites container, as shown in Figure 5-3.


Figure 5-3 Sites container in the Active Directory Sites And Services console

The Sites container contains an object for each site in the forest. The Sites container stores the following objects, arranged in a hierarchy:

■ Varying numbers of Site objects, each of which contains three child objects:

  ❑ The Licensing Site Settings object, which stores the licensing settings for the site.

  ❑ The NTDS Site Settings object, which stores directory properties common to all domain controllers in the site, such as the schedule for replication.

  ❑ The Servers container, which stores a server object for each domain controller in the site. Each server object contains an NTDS Settings object. Each NTDS Settings object represents the presence of Active Directory on the server. If Active Directory is removed from a server, its NTDS Settings object is deleted, but the server object remains. Each NTDS Settings object contains connection objects that represent the inbound connections from other domain controllers in the forest that are currently available to send changes to this domain controller.

■ The Inter-Site Transports container, which stores site link objects.

■ The Subnets container, which stores subnet objects.

Creating Sites

When you install Active Directory on the first domain controller in a domain, a site object named Default-First-Site-Name is automatically created in the Sites container on the Active Directory Sites And Services console. The first domain controller for the domain is then installed into this site. Subsequent domain controllers are installed either into an existing site whose subnet contains their IP address or, when no subnet matches, into the site of the source domain controller. When your first domain controller has been installed, you can rename Default-First-Site-Name to the name you want to use for the site.


When you install Active Directory on subsequent servers, if alternate sites have been defined in Active Directory and the IP address of the installation computer matches an existing subnet in a defined site, the domain controller is added to that site. Newly installed domain controllers that do not have a subnet identifier matching one of the previously defined sites will be placed in the site named Default-First-Site-Name. If you rename the Default-First-Site-Name site to something different, you’ll find the new domain controllers in that location.

Define a site for

Each LAN or set of LANs that are connected by a high-speed backbone.

Each location that does not have direct connectivity to the rest of the network and is reachable only by SMTP mail.

Networks separated by links that are heavily used during some parts of the day and idle during other parts of the day. You can then schedule replication between sites to prevent replication traffic from competing with other traffic during high usage hours.

Tip

A multihomed computer (a computer with more than one IP address) with subnet addresses in different sites can belong to only one site. To avoid confusion, you should assign all the addresses for a multihomed computer to the same site.

If an entire network consists of fast, reliable links, the network can be considered a single site. Similarly, if bandwidth between networks is plentiful and it is acceptable for a client on one network to communicate with a server on another network, the networks can together be considered a single site.

To create a site, complete the following steps:

1.

Click Start, point to Administrative Tools, and then click Active Directory Sites And

Services.

2.

Right-click the Sites container, and then click New Site.

3.

In the New Object–Site dialog box, shown in Figure 5-4, type the name of the new site in the Name box. Assign a site link to the site by selecting a site link in the Link

Name column, and then click OK.

Note

If you want to assign a site link that has not yet been created for the site, you can create and assign this link after the site is created. However, you must assign a site link at the creation of the site, so use DEFAULTIPSITELINK until you change it. To learn more about creating and assigning site links, refer to Lesson 3, “Configuring Intersite Replication.”


Figure 5-4 New Object–Site dialog box

4.

In the Active Directory message box, shown in Figure 5-5, note that to finish the configuration of a site, you must

❑ Ensure that the site is linked to other sites with site links as appropriate.

❑ Add subnets for the site to the Subnets container.

❑ Install one or more domain controllers in the site or move existing domain controllers into the site.

❑ Select the licensing computer for the site.

Figure 5-5 Active Directory message box

5.

Click OK.


To rename a site, complete the following steps:

1.

Click Start, point to Administrative Tools, and then click Active Directory Sites And

Services.

2.

Click the Sites folder.

3.

Right-click the site you want to rename, and then click Rename.

4.

Type the new site name over the existing site name. Click in an empty part of the console tree.

Creating Subnets

Computers on TCP/IP networks are assigned to sites based on their location in a subnet or a set of subnets. Subnet information is used to find a domain controller in the same site as the computer that is authenticated during the logon process, and is used during Active Directory replication to determine the best routes between domain controllers. Subnets must be defined in Active Directory to ensure accurate and efficient directory replication and resource usage. Each site must have at least one subnet, but a subnet can be assigned to only one site.

When you create a subnet, you must specify the subnet address and mask. Then you must assign the subnet to a specific site. A subnet name is automatically assigned based on the subnet address you entered and the number of subnet mask bits you specified in the subnet mask. For example, if you specify a subnet address of 192.168.16.0 and a subnet mask of 255.255.255.0, the subnet name assigned is 192.168.16.0/24.

To create a subnet, complete the following steps:

1.

Click Start, point to Administrative Tools, and then click Active Directory Sites And

Services.

2.

Double-click the Sites folder.

3.

Right-click the Subnets folder, and then click New Subnet.

4.

In the New Object–Subnet dialog box, shown in Figure 5-6, type the subnet address in the Address box. In the Mask box, type the subnet mask that describes the range of addresses included in this site’s subnet. Choose a site to associate this subnet, and then click OK.


Figure 5-6 New Object–Subnet dialog box

To associate an existing subnet with a site, complete the following steps:

1.

Click Start, point to Administrative Tools, and then click Active Directory Sites And

Services.

2.

Open the Subnets folder, and then click the subnet.

3.

Right-click the subnet, and then click Properties.

4.

In the Properties dialog box for the subnet, shown in Figure 5-7, select a site with which to associate this subnet from the choices available in the Site list, and then click OK.

Figure 5-7 Properties dialog box for a subnet


Creating, Moving, and Removing Domain Controller Objects in a Site

As discussed earlier in this lesson, when you install Active Directory on the first domain controller in a domain, a site object named Default-First-Site-Name is automatically created in the Sites container and the first domain controller for the domain is installed into this site. Subsequent domain controllers are installed either into the site of the source domain controller (assuming the IP address maps to the site) or into an existing site. Domain controllers might also need to be demoted. Therefore, it is often necessary to create, move, or remove domain controller objects in a site. However, you must first consider the location of domain controllers for each site.

Determining the Location of Domain Controllers

For optimum network response time and application availability, place at least

One domain controller in each site

A domain controller in each site provides users with a local computer that can service query requests for their domain over LAN connections.

Two domain controllers in each domain

By placing at least two domain controllers in each domain, you provide redundancy and reduce the load on the existing domain controller in the domain. Recall that a domain controller can service only one domain.

Note

When a single site includes multiple domains, you cannot place a domain controller in the site and expect it to service more than one domain.

Reasons for placing additional domain controllers in a site are the following:

There are a large number of users in the site, and the link to the site is slow or near capacity.

If a site has slow logon times and slow authentication when attempting to access user resources, capacity might be insufficient. By monitoring domain controller usage, you can determine whether there is enough processing power and bandwidth to service requests. If performance is lagging, you should consider adding another domain controller to the site.

The link to the site is historically unreliable or only intermittently unavailable.

If a single domain controller in a site fails, clients can connect to other domain controllers in other sites in the domain by crossing site links. However, if site links are unreliable, users on that site may not be able to log on to their computers. In this case, you should consider adding another domain controller to the site.


In some situations, it might not be efficient to place a domain controller in a site. These situations include

Sites with small numbers of users

For sites with a small number of users, using available bandwidth to log on and query the directory might be more economical than adding a domain controller.

Small sites that have client computers but no servers

For sites with no servers, a domain controller is not necessary. Users can still log on using cached credentials if the site link fails. Because there are no server-based resources at the site, there is no need for further authentication.

Note

The following procedures are used to create, move, and remove domain controller objects in a site, which is not the same as installing or demoting a domain controller. To install or demote a domain controller, you must use the Active Directory Installation Wizard.

These procedures associate or disassociate a domain controller with a site.

To create a domain controller object in a site, complete the following steps:

1.

Click Start, point to Administrative Tools, then click Active Directory Sites And

Services.

2.

In the Active Directory Sites And Services console tree, double-click the site that you want to contain the new domain controller object.

3.

Right-click the Servers folder, point to New, and then click Server.

4.

In the New Object–Server dialog box, type the name for the new domain controller object in the Name box, and then click OK.

To move a domain controller object into a site, complete the following steps:

1.

Click Start, point to Administrative Tools, and then click Active Directory Sites And

Services.

2.

In the Active Directory Sites And Services console tree, right-click the domain controller object that you want to move to a different site, and then click Move.

3.

In the Move Server dialog box, click the site to which you want to move the domain controller object, and then click OK.

To remove a domain controller object from a site, complete the following steps:

Note

Use this procedure only if you want to permanently remove a server object from a site. If you plan to reactivate the server, delete the NTDS Settings object for the server, rather than the server object itself. When you bring the server back online, Active Directory automatically creates a new NTDS Settings object, inserting the server into the replication topology as appropriate.

1.

Click Start, point to Administrative Tools, and then click Active Directory Sites And

Services.

2.

In the Active Directory Sites And Services console tree, right-click the domain controller object that you want to remove, and then click Delete.

3.

In the Active Directory message box, click Yes.
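The following script is an added example and is not part of the training kit. It covers the procedures in this lesson for creating sites and subnets and for moving domain controller objects between sites: it creates the three sites and subnets used in the practice at the end of this lesson (renaming Default-First-Site-Name to Columbus as the practice does), audits every domain controller's IP address against the subnet objects using the longest-matching-prefix rule that the domain locator applies, and moves a server object into a site. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later), write access to the Sites container, IPv4 addresses only, and the site, subnet, and server names from the practice exercises.

```powershell
# Added example, not from the training kit: create the practice's sites and
# subnets idempotently, check each DC's address against the subnet objects, and
# move a server object. Assumes the ActiveDirectory module (RSAT, Windows Server
# 2008 R2 or later) and IPv4 subnet objects.
Import-Module ActiveDirectory

$plan = @(                                       # values from the practice exercises
    @{ Site = 'Columbus'; Subnet = '192.168.16.0/24' }
    @{ Site = 'Chicago';  Subnet = '10.100.1.0/24'   }
    @{ Site = 'KC';       Subnet = '172.16.1.0/24'   }
)

# The practice renames Default-First-Site-Name to Columbus; do so only once.
$default = Get-ADReplicationSite -Filter "Name -eq 'Default-First-Site-Name'"
if ($default -and -not (Get-ADReplicationSite -Filter "Name -eq 'Columbus'")) {
    $default | Rename-ADObject -NewName 'Columbus'
}
foreach ($p in $plan) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($p.Site)'")) { New-ADReplicationSite -Name $p.Site }
    # The subnet object's name is address/prefix, the same form the snap-in assigns.
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($p.Subnet)'")) {
        New-ADReplicationSubnet -Name $p.Subnet -Site $p.Site
    } else {
        Set-ADReplicationSubnet -Identity $p.Subnet -Site $p.Site
    }
}

function ConvertTo-UInt32 ([string]$Ip) {
    [byte[]]$b = ([IPAddress]$Ip).GetAddressBytes()   # IPv4 only in this example
    [Array]::Reverse($b)                               # network order to little-endian
    [BitConverter]::ToUInt32($b, 0)
}

function Test-InSubnet ([string]$Address, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    $mask  = [uint32]((([long]0xFFFFFFFF) -shl (32 - [int]$bits)) -band [long]0xFFFFFFFF)
    return (((ConvertTo-UInt32 $Address) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask))
}

# Longest matching prefix wins, as it does for the domain locator.
function Get-SiteForAddress ([string]$Address) {
    Get-ADReplicationSubnet -Filter * -Properties * |
        Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+/\d+$' -and (Test-InSubnet $Address $_.Name) } |
        Sort-Object { [int]($_.Name -split '/')[1] } -Descending |
        Select-Object -First 1 |
        ForEach-Object { if ($_.Site) { ($_.Site -split ',')[0] -replace '^CN=' } else { '(subnet not assigned to a site)' } }
}

# Audit: a DC whose site does not match its address is exactly the state the
# practice creates on purpose for Server2 and Chicago; in production it means
# clients and replication partners are being steered to the wrong site.
function Get-DcSiteMismatch {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $expected = Get-SiteForAddress -Address $dc.IPv4Address
        if (-not $expected) { $expected = '(no matching subnet)' }
        [pscustomobject]@{ DC = $dc.Name; IPv4 = $dc.IPv4Address; Site = $dc.Site; SubnetSite = $expected; Match = ($expected -eq $dc.Site) }
    }
}
Get-DcSiteMismatch | Format-Table -AutoSize

# Moving the server object is the snap-in's Move command. It changes only the
# object's location in the Sites container, not the DC's address.
Move-ADDirectoryServer -Identity 'Server2' -Site 'Chicago'              # placeholders
Get-DcSiteMismatch | Where-Object { -not $_.Match } | Format-Table -AutoSize
```

To take a domain controller out of the replication topology temporarily, delete its NTDS Settings object (the DN is in the NTDSSettingsObjectDN property of the object Get-ADDomainController returns) rather than the server object, as the note above explains; the script never deletes either.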

Designating a Site License Server

An administrator can ensure an organization’s legal compliance with software license agreements for the Windows Server 2003 operating system by monitoring license purchases, deletions, and usage. The License Logging service on each server in a site collects and replicates this licensing information to a centralized database on a server for the site called the site license server. A site administrator or administrator for the site license server can then use the Licensing utility in Administrative Tools to view the licensing history for the entire site stored on the site license server.

The default site license server is the first domain controller created for the site; however, the site license server does not have to be a domain controller. For optimal performance, however, the site license server should be in the same site. In a large organization with multiple sites, licensing information for each site is collected separately by the site license server in each site.

To view the site license server for a site, complete the following steps:

1.

Click Start, point to Administrative Tools, and then click Active Directory Sites And

Services.

2.

In the console tree, click the site.

3.

In the details pane, click Licensing Site Settings.

4.

On the Action menu, click Properties.

5.

In the Licensing Site Settings Properties dialog box, shown in Figure 5-8, the current site license server is listed in the Computer and Domain boxes.


Figure 5-8 Licensing Site Settings Properties dialog box

To change a license server for a site, complete the following steps:

1.

Click Start, point to Administrative Tools, and then click Active Directory Sites And

Services.

2.

Click the site for which you want to assign a licensing computer.

3.

In the details pane, right-click Licensing Site Settings, and then click Properties.

4.

In the Licensing Site Settings Properties dialog box, shown previously in Figure 5-8, click Change in the Licensing Computer box.

5.

In the Select Computer dialog box, shown in Figure 5-9, select the computer you want to designate as the licensing computer for this site, and then click OK.

Figure 5-9 Select Computer dialog box

6.

In the Licensing Site Settings Properties dialog box, click OK.


Practice: Configuring Sites

In this practice, you configure sites, including renaming and creating sites, creating subnets and associating them with sites, moving and creating a domain controller object, and changing the site licensing server for a site.

Note

To complete this practice, you must make Server2 an additional domain controller in the contoso.com domain. If you didn’t complete the Troubleshooting Lab in Chapter 4, Server2 is still a domain controller for woodgrovebank.com. In that case, you must demote Server2 and then promote it to be an additional domain controller in the contoso.com domain. If necessary, refer to Chapter 2, “Installing and Configuring Active Directory,” for instructions on removing and installing Active Directory.

Exercise 1: Renaming and Creating Sites

In this exercise, you rename the Default-First-Site-Name site and create two other sites.

To rename and create sites

1.

Log on to Server1 and Server2 as Administrator.

2.

On Server1, use the procedure provided earlier in this lesson to rename the

Default-First-Site-Name site to Columbus.

3.

On Server2, use the procedure provided earlier in this lesson to create a new site named Chicago. Assign the DEFAULTIPSITELINK object to the Chicago site for now.

You will work with site links in the next lesson when you configure replication.

4.

On Server1, use the procedure provided earlier in this lesson to create a new site named KC. Assign the DEFAULTIPSITELINK object to the KC site for now.

Note

You might have to wait up to 15 minutes for replication to occur before you can see the results of the changes you made in steps 2–4 in the Active Directory Sites And Services console on the opposite server.

Exercise 2: Creating Subnets and Associating Them with Sites

In this exercise, you create subnets and associate them with the sites you created in

Exercise 1.

To create subnets and associate them with sites

1.

On Server1, use the procedure provided earlier in this lesson to create a subnet with the address 192.168.16.0 and subnet mask 255.255.255.0. Associate the subnet to the Columbus site.


2. On Server2, use the procedure provided earlier in this lesson to create a subnet with the address 10.100.1.0 and subnet mask 255.255.255.0. Associate the subnet with the Chicago site.

3. On Server1, use the procedure provided earlier in this lesson to create a subnet with the address 172.16.1.0 and subnet mask 255.255.255.0. Associate the subnet with the KC site.

Note

You might have to wait up to 15 minutes for replication to occur before you can see the results of the changes you made in steps 1–3 in the Active Directory Sites And Services console on the opposite server.

Exercise 3: Moving a Domain Controller Object to a Site

In this exercise, you move a domain controller object to a site you created in Exercise 1.

To move a domain controller object to a site

1. Note how Server1 has been installed in the Default-First-Site-Name site, which is now the Columbus site. By default, Server2 has been installed into the Columbus site as well because its IP address maps to the Columbus site.

2. On Server1, use the procedure provided earlier in this lesson to move Server2 to the Chicago site. Do not be concerned that the IP address of Server2 does not match the subnet of the Chicago site at this time.

Exercise 4: Creating a Domain Controller Object in a Site

In this exercise, you create a domain controller object in a site you created in Exercise 1.

To create a domain controller object in a site

On Server1, use the procedure provided earlier in this lesson to create the domain controller object for Server1 in the KC site. Do not be concerned that Server1 is used in both the Columbus and KC sites and that the IP address of Server1 does not match the subnet of the KC site at this time.

Exercise 5: Changing the Site License Server

In this exercise, you change the site license server for a site you created in Exercise 1.

To change the site license server

On Server1, use the procedure provided earlier in this lesson to change the site license server for the Chicago site to Server2 in the contoso.com domain.

Lesson 2 Configuring Sites 5-23

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. What site is created automatically in the Sites container when you install Active Directory on the first domain controller in a domain?

2. How many subnets must each site have? To how many sites can a subnet be assigned?

3. What is the minimum number of domain controllers you should place in a site?

4. What is the purpose of a site license server?

5. Which of the following administrative tools is used to configure sites?

a. Active Directory Users And Computers console

b. Active Directory Domains And Trusts console

c. Active Directory Sites And Services console

d. Licensing console


Lesson Summary

■ To configure a site you must create the site, create a subnet and associate it with the site, create or move a domain controller object into the site, and designate a site license server for the site.

■ When you install Active Directory on the first domain controller in the domain, a site object named Default-First-Site-Name is automatically created in the Sites container on the Active Directory Sites And Services console.

■ Subnet information is used to find a domain controller in the same site as the computer that is authenticated during the logon process, and is used during Active Directory replication to determine the best routes between domain controllers. Each site must have at least one subnet, but a subnet can be assigned to only one site.

■ When you install additional domain controllers in an Active Directory domain, they are installed either into the site of the source domain controller (assuming the IP address maps to the site) or into an existing site.

■ For optimum network response time and application availability, place at least one domain controller in each site or two domain controllers in each domain.


Lesson 3: Configuring Intersite Replication

This lesson introduces you to the tasks involved in the configuration of intersite replication. By creating site links and configuring their cost, replication frequency, and replication availability, you provide Active Directory with information about how to use these connections to replicate directory data. Optionally, you can also designate a preferred bridgehead server, create site link bridges, and create and configure connection objects to meet your organization’s replication needs.

After this lesson, you will be able to

■ Create site links

■ Configure site link attributes

■ Designate a preferred bridgehead server

■ Create site link bridges

■ Create and configure connection objects

Estimated lesson time: 35 minutes

Configuring Intersite Replication

To configure intersite replication you must complete the following tasks:

1. Create site links.

2. Configure site link attributes.

3. Designate a preferred bridgehead server (optional).

4. Create site link bridges (optional).

5. Create and configure connection objects (optional).

Creating Site Links

When you install Active Directory on the first domain controller in a site, the Active Directory Installation Wizard automatically creates an object named DEFAULTIPSITELINK in the IP container for the first default site, also created by the Active Directory Installation Wizard. You must create subsequent site links separately. When your first domain controller has been installed, you can rename the DEFAULTIPSITELINK to the name you want to use for the site link.


Replication Transport Protocols

Directory information can be exchanged over site links using one of the following protocols:

■ Directory Service Remote Procedure Call (DS-RPC) Designated in the Windows Server 2003 operating system as IP. Choose IP replication for a site link when there is a live, reliable connection between two or more domain controllers in different sites. IP site links communicate synchronously, meaning each replication transaction must complete before another can start. By default, intersite IP replication adheres to replication schedules and does not require a certificate authority (CA).

■ Inter-Site Messaging–Simple Mail Transport Protocol (ISM-SMTP) Designated in the Windows Server 2003 operating system as SMTP. Choose SMTP replication when the network connections are unreliable or not always available. SMTP site links communicate asynchronously, meaning each replication transaction does not need to complete before another can start because the transaction can be stored until the destination server is available. Because SMTP is asynchronous, it does not adhere to replication schedules and requires the installation and configuration of a CA. The CA signs SMTP messages that are exchanged between domain controllers, ensuring the authenticity of directory updates.

Note

Installing a CA is beyond the scope of this training kit. Refer to the Microsoft Windows Server 2003 Resource Kit (located on the Microsoft Web site at http://www.microsoft.com/windowsserver2003/techinfo/reskit/resourcekit.mspx) for more information on this topic.

The following rules apply to the replication transports:

■ Intrasite replication always uses RPC over IP.

■ Intersite replication can use either RPC over IP or SMTP.

■ Intersite replication using SMTP is supported only for domain controllers in different domains. Domain controllers in the same domain must replicate using RPC over IP.

Use the Inter-Site Transports container to map the site link to the replication transport.

If you create the site link in the IP container, it will use RPC over IP as its transport protocol. If you create the site link in the SMTP container, it will use SMTP as its transport protocol.


To create a site link, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites And Services.

2. Open the Inter-Site Transports folder and right-click either the IP or SMTP folder, depending on which protocol you want the site link to use. Select New Site Link.

Caution

If you create a site link that uses SMTP, you must have an enterprise CA available and SMTP must be installed on all domain controllers that use the site link.

3. In the New Object–Site Link dialog box, shown in Figure 5-10, type the name to be given to the site link in the Name field. Use a name that includes the sites that you are linking.

Figure 5-10 New Object–Site Link dialog box

4. In the Sites Not In This Site Link box, click two or more sites to connect, and then click Add. Click OK.

To rename a site link, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites And Services.

2. Open the Inter-Site Transports folder and double-click either the IP or SMTP folder, depending on the location of the site link you want to rename.


3. In the details pane, right-click the site link you want to rename, and then click Rename.

4. Type the new site link name over the existing site link name. Click in an empty part of the details pane.

To add a site to an existing site link, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites And Services.

2. Open the Inter-Site Transports folder and either the IP or SMTP folder, and then right-click the site link to which you want to add the site. Click Properties.

3. In the Properties dialog box for the site link, in the Sites Not In This Site Link box, click the site you want to add to this site link, and then click Add. Click OK.

Configuring Site Link Attributes

To ensure efficient replication and fault tolerance, you must configure site link cost, replication frequency, and replication availability information for all site links.

Configuring Site Link Cost

Configure site link cost to indicate the cost of the connection in relation to the speed of the link. Higher costs are used for slow links, and lower costs are used for fast links.

For example, if you have a high-speed T1 line and a dial-up network connection in case the T1 line is unavailable, configure a lower cost for the T1 line and a higher cost for the dial-up network connection. Active Directory always chooses the connection on a per-cost basis, so the least expensive connection is used as long as it is available.

Configuring Site Link Replication Frequency

Configure site link replication frequency for site links by providing an integer value that tells Active Directory how many minutes it should wait before using a connection to check for replication updates. The replication interval must be at least 15 and no more than 10,080 minutes (equal to one week). A site link must be available for any replication to occur, so if a site link is scheduled as unavailable when the number of minutes between replication updates has passed, no replication occurs.

Configuring Site Link Replication Availability

Configure site link replication availability to determine when a site link will be available for replication. Because SMTP is asynchronous and ignores all schedules, do not configure site link replication availability on SMTP site links unless

■ The site links use scheduled connection objects

■ The SMTP queue is not on a schedule and information is being exchanged directly from one server to another and not through intermediaries, as is the case, for example, on a network backbone

To configure site link attributes, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites And Services.

2. Open the Inter-Site Transports folder and either the IP or SMTP folder, and then right-click the site link for which you want to configure site link cost. Click Properties.

3. In the Properties dialog box for the site link, shown in Figure 5-11, enter a value for the cost of replication in the Cost box. The default cost is 100; the lower the value, the higher the priority. For example, the cost of a T1 link might be 100, while the cost of a dial-up link might be 120.

Figure 5-11 Properties dialog box for a Site Link

4. In the Replicate Every box, type the number of minutes between replications. The default time is 180; the value is processed as the nearest multiple of 15, ranging from a minimum of 15 to a maximum of 10,080 minutes (one week).

5. Click Change Schedule.

6. In the Schedule For dialog box for the site link, shown in Figure 5-12, select the block of time when this site link is or is not available to replicate directory information, then click OK.


Figure 5-12 Schedule For dialog box for a Site Link

7. In the Properties dialog box for the site link, click OK.

Note

Steps 5 and 6 have no effect if you have enabled Ignore Schedules in the Properties dialog box for the intersite transport.

To ignore schedules, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites And Services.

2. Open the Inter-Site Transports folder and right-click either the IP or SMTP folder, and then click Properties.

3. On the General tab in the IP Properties or SMTP Properties dialog box, shown in Figure 5-13, select the Ignore Schedules check box. Click OK.

Figure 5-13 IP Properties dialog box, General tab
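The following PowerShell script is an added example, not code from the training kit or from any Microsoft tool: it reads the site links of one intersite transport and checks them against the rules stated in this lesson (two or more sites per link, a replication interval of 15 to 10,080 minutes in multiples of 15, a name that mentions the linked sites), and warns when the transport itself has Ignore Schedules selected or Bridge All Site Links cleared, since either setting silently changes what the site link attributes mean. It assumes a domain-joined Windows host whose user can read the Configuration partition, and uses the interSiteTransport options bits 0x1 (ignore schedules) and 0x2 (bridges required).

```powershell
# Added example, not code from the training kit. Audits the site links of one
# intersite transport against the rules in this lesson. Assumes a domain-joined
# Windows host and a caller allowed to read the Configuration partition; it uses
# only the [ADSI] provider and System.DirectoryServices, which exist on
# Windows Server 2003 and later.

# Bits of the interSiteTransport "options" attribute behind the two check boxes
# on the transport's General tab (Figure 5-13).
$IgnoreSchedulesFlag = 0x1   # set when "Ignore Schedules" is selected
$BridgesRequiredFlag = 0x2   # set when "Bridge All Site Links" is cleared

function Test-SiteLinkSettings {
    # Returns the findings for one site link; an empty array means it satisfies
    # every rule this lesson states.
    param(
        [Parameter(Mandatory = $true)] [string]   $Name,
        [Parameter(Mandatory = $true)] [int]      $Cost,
        [Parameter(Mandatory = $true)] [int]      $ReplInterval,
        [Parameter(Mandatory = $true)] [string[]] $SiteNames
    )
    $findings = @()

    # A site link joins two or more sites.
    if ($SiteNames.Count -lt 2) {
        $findings += "joins only $($SiteNames.Count) site(s); a site link needs at least two"
    }
    # Replication frequency: 15 to 10,080 minutes, processed as the nearest multiple of 15.
    if ($ReplInterval -lt 15 -or $ReplInterval -gt 10080) {
        $findings += "replInterval $ReplInterval is outside 15..10080 minutes"
    }
    elseif ($ReplInterval % 15 -ne 0) {
        $findings += "replInterval $ReplInterval is not a multiple of 15 and will be rounded"
    }
    # Cost left at the default 100 cannot express the slow-link/fast-link ordering
    # the lesson describes, so report it for review.
    if ($Cost -eq 100) {
        $findings += "cost is still the default 100; confirm it reflects the link speed"
    }
    # The lesson recommends a name that includes the sites being linked.
    $missing = @($SiteNames | Where-Object { $Name -notlike "*$_*" })
    if ($missing.Count -gt 0) {
        $findings += "name does not mention site(s): $($missing -join ', ')"
    }
    return ,$findings
}

function Get-SiteLinkAudit {
    # Reads every siteLink object under the chosen Inter-Site Transports container
    # and emits one object per link with its attributes and findings.
    param([ValidateSet('IP', 'SMTP')] [string] $Transport = 'IP')

    $configNc  = ([ADSI] 'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI] "LDAP://CN=$Transport,CN=Inter-Site Transports,CN=Sites,$configNc"

    # "options" is absent until a check box has been changed; treat absent as 0.
    $options = 0
    if ($container.Properties.Contains('options')) {
        $options = [int] $container.Properties['options'].Value
    }
    if (($options -band $IgnoreSchedulesFlag) -ne 0) {
        Write-Warning "$Transport transport has Ignore Schedules selected; site link availability schedules have no effect"
    }
    if (($options -band $BridgesRequiredFlag) -ne 0) {
        Write-Warning "$Transport transport has Bridge All Site Links cleared; transitive routes need manual site link bridges"
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
    $searcher.Filter      = '(objectClass=siteLink)'
    $searcher.SearchScope = 'OneLevel'
    [void] $searcher.PropertiesToLoad.AddRange([string[]] @('name', 'cost', 'replInterval', 'siteList'))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        # siteList holds the DNs of the member sites; keep just the CN of each.
        $sites    = @($p['sitelist'] | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })
        $name     = [string] $p['name'][0]
        $cost     = [int] $p['cost'][0]
        $interval = [int] $p['replinterval'][0]
        New-Object PSObject -Property @{
            Transport           = $Transport
            Name                = $name
            Cost                = $cost
            ReplIntervalMinutes = $interval
            Sites               = $sites -join ', '
            Findings            = (Test-SiteLinkSettings -Name $name -Cost $cost -ReplInterval $interval -SiteNames $sites) -join '; '
        }
    }
}

# Usage in an assumed environment: show only the IP site links that have findings.
# Get-SiteLinkAudit -Transport IP | Where-Object { $_.Findings } |
#     Format-Table Name, Cost, ReplIntervalMinutes, Sites, Findings -AutoSize
```

Test-SiteLinkSettings takes plain values, so it can also be called directly with constructed input (for example a link named "Columbus to KC" with cost 120, interval 180 and sites Columbus and KC) to see which rule each finding comes from.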


Designating a Preferred Bridgehead Server

Bridgehead servers are the contact point for exchange of directory information between sites. Replication occurs between bridgehead servers in different sites. When two sites are connected by a site link, the KCC automatically selects bridgehead servers—one in each site for each domain that has domain controllers in the site. The KCC then creates inbound-only connection objects between bridgehead servers. You can designate bridgehead servers manually if you want the same servers to be always used as bridgehead servers.

You can specify a preferred bridgehead server if you have a computer with appropriate bandwidth to transmit and receive information. If there’s typically a high level of directory information exchange, a computer with more bandwidth can ensure these exchanges are handled promptly. Matching the demands of your Active Directory deployment with a domain controller having the capacity to handle those demands can help to enable efficient updates of directory information. You can specify multiple preferred bridgehead servers, but only one in each site is the active preferred bridgehead server at any time.

You must specify a preferred bridgehead server if your deployment uses a firewall to protect a site. Establish your firewall proxy server as the preferred bridgehead server, making it the contact point for exchanging information with servers outside the firewall. If you do not do this, directory information might not be successfully exchanged.

The Implications of Using a Preferred Bridgehead Server

If the active preferred bridgehead server fails, Active Directory selects another pre­ ferred bridgehead server to be the active preferred bridgehead server from the set you designate. If no other preferred bridgehead servers are specified or no other preferred bridgehead servers are available, replication does not occur to that site even if there are servers that can act as bridgehead servers.

In addition, if you specify preferred bridgehead servers, you must assign one bridgehead server for each domain and writable directory partition combination in your forest, which might result in high costs in a large organization.


Replacement of a Failed Preferred Bridgehead Server

If a preferred bridgehead server fails and you want the KCC to be able to fail over to other domain controllers but there are no other preferred bridgehead servers available, you must perform one of the following tasks at a domain controller in each site:

■ Add new domain controllers and designate them as preferred bridgehead servers for the corresponding directory partitions, site, and transport. If there is more than one domain represented in the site, you must add a preferred bridgehead server for each domain.

■ Remove all preferred bridgehead designations that you have made for the corresponding directory partition, site, and transport, and allow the KCC to select new bridgehead servers automatically.

Because the KCC creates only inbound connections, a bridgehead server cannot create an outbound connection to another bridgehead server. This is the reason why changes to preferred bridgehead server status must be made on a domain controller in each affected site so that inbound connections are created in each site. This process might require two administrators if the site locations are far away from each other.

Note

If preferred bridgehead servers are available and you want to add another preferred bridgehead server to the site, you do not have to add the server in both sites because the change replicates to the other site through the currently available bridgehead servers.

To designate a preferred bridgehead server, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites And Services.

2. In the Active Directory Sites And Services console tree, click the site that contains the domain controller that you want to make a preferred bridgehead server.

3. In the Active Directory Sites And Services console tree, right-click the domain controller that you want to make a bridgehead server, and then click Properties.

4. In the Properties dialog box for the domain controller, shown in Figure 5-14, in the Transports Available For Inter-Site Data Transfer box, select the intersite transport or transports for which this computer will be a preferred bridgehead server. Click Add, and then click OK.


Figure 5-14 Properties dialog box for a domain controller

Creating Site Link Bridges

As discussed in Lesson 1, when more than two sites are linked for replication and use the same transport, by default, all of the site links are “bridged” in terms of cost, assuming the site links have common sites. If site link transitivity is enabled, which it is by default, creating a site link bridge has no effect. It is seldom necessary to create site link bridges. However, if site link transitivity has been disabled, you need to create a site link bridge manually if a transitive link is required to handle your organization’s replication strategy.

Note

If site link transitivity is enabled and connections are created between sites that span firewalls, replication errors will occur if the firewall allows packets to travel only between specific domain controllers.


To create a site link bridge, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites And Services.

2. Open the Inter-Site Transports folder and right-click either the IP or SMTP folder, and then click New Site Link Bridge.

3. In the New Object–Site Link Bridge dialog box, shown in Figure 5-15, type a name for the site link bridge in the Name box.

Figure 5-15 New Object–Site Link Bridge dialog box

4. In the Site Links Not In This Site Link Bridge box, click two or more sites to connect, and then click Add. Click OK.

Tip

If site link transitivity is enabled, which it is by default, this procedure is redundant and has no effect.

To disable site link transitivity, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites And Services.

2. Open the Inter-Site Transports folder and right-click either the IP or SMTP folder, then click Properties.

3. On the General tab in the IP Properties or SMTP Properties dialog box, shown previously in Figure 5-13, clear the Bridge All Site Links check box. Click OK.


Exam Tip

Know how to configure site links, site link costs, replication schedules, and preferred bridgehead servers.

Creating and Configuring Connection Objects

As discussed in Lesson 1, a connection object is an Active Directory object that represents an inbound-only connection to a domain controller. When there is a single site, all KCCs generate connection objects for replication within the site. When there is more than one site, a single KCC in each site generates all connection objects for replication between sites. Connection objects can also be created manually by an administrator.

Connection objects created by the KCC are “owned” by the KCC. Connection objects created or modified by an administrator are owned by the administrator.

Although you can create or configure connection objects manually to force replication over a particular connection, normally you should allow replication to be automatically optimized by the KCC based on information you provide in the Active Directory Sites And Services console about your deployment. Create connection objects manually only if the connections that are automatically configured by the KCC do not connect specific domain controllers that you want to connect. Adding redundant manual connection objects to the optimal connection objects created by the KCC can increase replication traffic.

Connection Transport

Each connection object has a replication transport, which is assigned to the RPC transport by default. The RPC transport is used for uniform high-speed, synchronous RPC over IP within a site. Because the IP and SMTP transports are used for intersite replication, it is unlikely that you will need to use them when configuring a connection object.

Connection Schedule

Each connection object has a schedule that is set automatically by the KCC. The connection schedule controls the frequency of intrasite replication on the connection, with a minimum increment of 15 minutes. The default intrasite replication schedule for automatically generated connection objects is once per hour, which is set in the NTDS Site Settings object, available at the site level. Here you can set a default schedule of None (no replication), Once Per Hour (default), Twice Per Hour, or Four Times Per Hour.

You can override the default schedule set on the NTDS Site Settings object only if you create a connection object manually. The default intrasite replication schedule for manually created connection objects is four times per hour. If you attempt to modify the schedule on an automatically generated connection object (owned by the KCC), you receive a warning message asking if you want to turn the connection object into a manually created connection object. If you select Yes, the automatically generated connection object will be turned into a manual one. If you select No, the KCC reverts to the schedule on the NTDS Site Settings object the next time it runs.

Intrasite replication is triggered by changes; if a change occurs, replication is initiated after a default interval of five minutes. If no changes occur on the domain controller during the time allowed by the connection schedule, replication is triggered according to the default schedule set on the NTDS Site Settings object.
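The following PowerShell script is an added example, not code from the training kit or any Microsoft tool: it lists the connection objects under every domain controller in one site, tells the KCC-owned ones from administrator-created ones using the options bit 0x1 (NTDSCONN_OPT_IS_GENERATED), reads each object's transport, and flags source-to-destination pairs that have more than one connection object, the redundancy this section warns adds replication traffic. It assumes a domain-joined Windows host whose user can read the Configuration partition; the site name passed in is a placeholder.

```powershell
# Added example, not code from the training kit. Reports the connection objects
# of one site and flags redundant source/destination pairs. Assumes a
# domain-joined Windows host with read access to the Configuration partition
# through the [ADSI] provider; the site name is a placeholder you supply.

$NTDSCONN_OPT_IS_GENERATED = 0x1   # "options" bit set on connection objects the KCC generated

function Get-ConnectionObjectReport {
    param([Parameter(Mandatory = $true)] [string] $SiteName)

    $configNc = ([ADSI] 'LDAP://RootDSE').configurationNamingContext
    $servers  = [ADSI] "LDAP://CN=Servers,CN=$SiteName,CN=Sites,$configNc"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($servers)
    $searcher.Filter      = '(objectClass=nTDSConnection)'
    $searcher.SearchScope = 'Subtree'
    [void] $searcher.PropertiesToLoad.AddRange([string[]] @('name', 'fromServer', 'options', 'transportType', 'distinguishedName'))

    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties
        $options = 0
        if ($p.Contains('options')) { $options = [int] $p['options'][0] }

        # The object sits under the destination DC's NTDS Settings container:
        #   CN=<connection>,CN=NTDS Settings,CN=<destination DC>,CN=Servers,...
        # and fromServer points at the source DC's NTDS Settings object:
        #   CN=NTDS Settings,CN=<source DC>,CN=Servers,...
        $destination = (([string] $p['distinguishedname'][0]) -split ',')[2] -replace '^CN=', ''
        $source      = (([string] $p['fromserver'][0]) -split ',')[1] -replace '^CN=', ''

        # No transportType means the default RPC transport used within a site.
        $transport = 'RPC'
        if ($p.Contains('transporttype')) {
            $transport = (([string] $p['transporttype'][0]) -split ',')[0] -replace '^CN=', ''
        }

        New-Object PSObject -Property @{
            Name        = [string] $p['name'][0]
            Source      = $source
            Destination = $destination
            Owner       = $(if (($options -band $NTDSCONN_OPT_IS_GENERATED) -ne 0) { 'KCC' } else { 'Administrator' })
            Transport   = $transport
        }
    }
}

function Find-RedundantConnections {
    # More than one inbound connection object for the same source/destination
    # pair is the redundancy this lesson warns about (compare Exercise 4 below,
    # which deliberately creates a second connection for Server1).
    param([Parameter(Mandatory = $true)] [object[]] $Connections)
    $Connections | Group-Object -Property Source, Destination | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Pair   = $_.Name
                Count  = $_.Count
                Owners = (($_.Group | ForEach-Object { $_.Owner }) | Sort-Object -Unique) -join ', '
            }
        }
}

# Usage with an assumed site name:
# $conns = Get-ConnectionObjectReport -SiteName 'Columbus'
# $conns | Format-Table Name, Source, Destination, Owner, Transport -AutoSize
# Find-RedundantConnections -Connections $conns
```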

To create and configure a connection object, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites And Services.

2. Double-click the site that contains the domain controller for which you want to create a connection object.

3. Open the Servers folder, select the domain controller for which you are enabling the inbound connection, right-click NTDS Settings, and then click New Active Directory Connection.

4. In the Find Domain Controllers dialog box, shown in Figure 5-16, select the domain controller and click OK.

Figure 5-16 Find Domain Controllers dialog box

5. In the New Object–Connection dialog box, type a name for the new Connection object in the Name field. It is best to use the name of the domain controller for which you are enabling the inbound connection. Click OK.

6. Right-click the connection object in the details pane and select Properties.


7. In the Properties dialog box for the connection object, shown in Figure 5-17, type a description of the connection object in the Description box. Ensure that RPC appears in the Transport box. Click Change Schedule to change the default intrasite replication schedule (four times per hour).

Figure 5-17 Properties dialog box for a connection object

8. In the Schedule For dialog box for the connection object, shown in Figure 5-18, select the intrasite replication frequency for this connection object, then click OK.

Figure 5-18 Schedule For dialog box for a connection object

9. In the Properties dialog box for the connection object, click OK.


Practice: Configuring Intersite Replication

In this practice, you configure intersite replication, including renaming a site link, creating additional site links, configuring site link attributes, designating a preferred bridgehead server, and configuring a connection object.

Note

To complete this practice, you must have successfully completed the exercises in Lesson 2.

Exercise 1: Renaming and Creating Site Links

In this exercise, you rename DEFAULTIPSITELINK and create two other site links.

To rename and create site links

1. Use the procedure provided earlier in this lesson to rename the DEFAULTIPSITELINK “Columbus to Chicago.”

2. Use the procedure provided earlier in this lesson to create two new site links. Name the first site link “Columbus to KC,” and link the Columbus and KC sites. Name the second site link “Chicago to KC,” and link the Chicago and KC sites.

Exercise 2: Configuring Site Links

In this exercise, you configure the site links you renamed and created in Exercise 1.

To configure site links

1. Use the procedure provided earlier in this lesson to configure site link attributes for each of the site links you created in Exercise 1. Examine the Properties dialog box for each site link. Experiment with the settings for cost and replication frequency.

2. Click the Change Schedule button to experiment with setting replication availability. Make one of the site links available at all times except 8–9 A.M. and 4–5 P.M.

Exercise 3: Designating a Preferred Bridgehead Server

In this exercise, you designate a preferred bridgehead server for a site.

To designate a preferred bridgehead server

Use the procedure provided earlier in this lesson to designate Server1 as a preferred bridgehead server. In the Description box, type Bridgehead Server Columbus to Chicago.


Exercise 4: Creating and Configuring a Connection Object

In this exercise, you create and configure a connection object for a domain controller.

To create and configure a connection object

1. Use the procedure provided earlier in this lesson to create a connection object for Server1. Although you will receive a message stating that there is already a connection from Server1 to the destination server, create another connection for this exercise. Name the connection object SERVER1.

2. Configure the connection object to use RPC protocol. Schedule the intrasite replication frequency for this connection object to be once per hour from 8 A.M. to 5 P.M. on weekdays. Leave the replication frequency for the remaining days and times as default.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. What object is created automatically in the IP container when you install Active Directory on the first DC in a domain?

2. You specified a preferred bridgehead server for your network. It fails and there are no other preferred bridgehead servers available. What is the result?

3. Why is it seldom necessary to create site link bridges?

4. Which type of replication does the connection schedule control?


5. Which of the following protocols should you use when network connections are unreliable?

a. IP

b. SMTP

c. RPC

d. DHCP

6. You have a high-speed T1 link and a dial-up network connection in case the T1 link is unavailable. You assign the T1 link to have a cost of 100. What cost value should you assign to the dial-up link?

a. 0

b. 50

c. 100

d. 150

Lesson Summary

■ To configure intersite replication, you must create site links and configure site link attributes. Optionally, you can designate a preferred bridgehead server, create site link bridges, and create and configure connection objects. Directory information can be exchanged over site links using the DS-RPC or the ISM-SMTP protocols.

■ Site link attributes of cost, replication frequency, and replication availability are set in the Properties dialog box for a site link.

■ Bridgehead servers are the contact point for exchange of directory information between sites. When two sites are connected by a site link, the KCC automatically selects bridgehead servers. You can designate bridgehead servers manually; these are known as “preferred” bridgehead servers.

■ A site link bridge is the linking of more than two sites for replication using the same transport. When more than two sites are linked for replication and use the same transport, by default, all of the site links are “bridged” in terms of cost, assuming the site links have common sites. If site link transitivity is enabled, which it is by default, creating a site link bridge has no effect. Therefore, it is seldom necessary to create site link bridges.

■ A connection object is an Active Directory object that represents an inbound-only connection to a domain controller and is created automatically by the KCC. You can also create connection objects manually.


Lesson 4: Configuring Global Catalog Servers

This lesson introduces you to the tasks involved in configuring global catalog servers. It also discusses when to designate a domain controller as a global catalog server and introduces you to the universal group membership caching feature.

After this lesson, you will be able to

■ Determine when to designate a domain controller as a global catalog server

■ Create a global catalog server

■ Remove a global catalog server

■ Enable the universal group membership caching logon feature

Estimated lesson time: 10 minutes

Understanding Global Catalog Servers

Recall from Chapter 1, “Introduction to Active Directory,” that the global catalog is the central repository of information about objects in a tree or forest. By default, a global catalog is created automatically on the initial domain controller in the first domain in the forest, known as the global catalog server. A global catalog server stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest. This storage strategy provides efficient searches without unnecessary referrals to other domain controllers.

The global catalog performs three key functions:

■ It enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated.

■ It enables finding directory information regardless of which domain in the forest actually contains the data.

■ It resolves user principal names (UPNs) when the authenticating domain controller does not have knowledge of the account.

If a global catalog is not available when a user in a universal security group logs on to a domain, the computer uses cached credentials to allow access if the user has logged on to the domain previously. If the user has not logged on to the domain previously, the user can log on only to the local computer, unless the universal group membership caching feature has been enabled.

Although the initial domain controller in a forest is designated as a global catalog server, you can configure any domain controller or designate additional domain controllers to serve this function.


Chapter 5 Configuring Sites and Managing Replication

Universal Group Membership Caching Feature

Due to network bandwidth and server hardware limitations, it might not be practical to have a global catalog in small remote office locations. The universal group membership caching feature, new in Windows Server 2003, allows a site that does not contain a global catalog server to be configured to cache universal group memberships for users who log on to the domain controller in the site. This ability allows a domain controller to process user logon requests without contacting a global catalog server when a global catalog server is unavailable. The cache is refreshed periodically as determined in the replication schedule. This feature eliminates the need to deploy global catalog servers into smaller remote office locations in order to avoid logon failures in the event that the network link connecting the remote site to the rest of the organization is disconnected. The universal group membership caching feature must be set for each site and requires a domain controller to run a Windows Server 2003 operating system.

When a user attempts to log on the first time after a Windows Server 2003 domain controller has been configured to enable the universal group membership caching feature, the domain controller obtains the universal group membership information for the user from a global catalog. The universal group membership information is then cached on the domain controller for the site indefinitely and is periodically refreshed. The next time the user attempts to log on, the authenticating Windows Server 2003 domain controller obtains the universal group membership information from its local cache without contacting a global catalog.

By default, the universal group membership information contained in the cache of each domain controller is refreshed every eight hours. To refresh the cache, domain controllers running Windows Server 2003 send a universal group membership confirmation request to a designated global catalog. Up to 500 universal group memberships can be updated at once.

The universal group membership caching feature provides the following benefits to remote office locations:

■ Faster logon times, because the authenticating domain controllers no longer need to access a global catalog to obtain universal group membership information

■ No need to upgrade hardware of existing domain controllers to handle the extra system requirements necessary for hosting a global catalog

■ Minimized network bandwidth usage, because a domain controller does not have to handle replication for all of the objects located in the forest

Determining the Location of Global Catalog Servers

For optimum network response time and application availability, designate at least one domain controller in each site as the global catalog server. A global catalog server in each site provides users with a local computer that can service query requests for their domain over LAN connections. When considering which domain controllers to designate as global catalog servers, base your decision on the ability of your network structure to handle replication and query traffic. Network traffic related to global catalog queries generally requires more network resources than normal directory replication traffic.

Off the Record

As you learned in earlier chapters, domain member computers use DNS servers to locate domain controllers. Therefore, you should consider placing a DNS server in each site. If you use Active Directory integrated DNS and you already have domain controllers in each site, you could install the DNS server service on one or more domain controllers in each site. DNS record replication would follow the same replication as Active Directory. If you cannot use that option, you might choose to create standard secondary DNS servers or caching-only DNS servers in each location.

To optimize replication in a multiple site environment, you might need to consider adding global catalogs for specific sites. Table 5-2 shows some reasons for adding a global catalog, along with their consequences.

Table 5-2 Reasons for Adding a Global Catalog and Their Consequences

Add a global catalog when: A commonly used application in the site utilizes port 3268 to resolve global catalog queries.
Advantage: Performance improvement
Disadvantage: Additional network traffic due to replication

Add a global catalog when: A slow or unreliable WAN connection is used to connect to other sites. Use the same failure and load distribution rules that you use for individual domain controllers to determine whether additional global catalog servers are necessary in each site.
Advantage: Fault tolerance
Disadvantage: Additional network traffic due to replication

Add a global catalog when: Users in the site belong to a Microsoft Windows 2000 or Windows Server 2003 domain running in native mode. In this case, all users must obtain universal group membership information from a global catalog server. If a global catalog is not located within the same site, all logon requests must be routed over your WAN connection to a global catalog located in another site. (If the domain controller is a Windows Server 2003 domain controller and it has the universal group membership caching option enabled, then all users obtain a current cached listing of their universal group memberships from the domain controller located within their site, and an additional global catalog is not needed.)
Advantage: Fast user logon implementation
Disadvantage: Additional network traffic due to replication


Note

You might want to continue using a global catalog in branch office locations if an application in a site is sending global catalog queries to port 3268. The universal group membership caching feature does not intercept calls made to port 3268.

If your organization uses Microsoft Exchange 2000 Server, you should try to place a global catalog server in each site that contains an Exchange server. This is because Exchange 2000 uses Active Directory as its directory service, and all mailbox names are resolved by queries through Active Directory to the global catalog server. In a large Exchange environment, a global catalog server might need to handle a large number of queries, so placing a global catalog server in each site that contains an Exchange server can ensure that all queries are handled promptly.


Exam Tip

Know the reasons for adding a global catalog server.

Creating or Removing a Global Catalog

Global catalogs can be created or removed using the Active Directory Sites And Services console.

Caution

Do not create a global catalog unless you are certain it will provide value in your deployment. For this option to be useful, your deployment must have multiple domains, and even then only one global catalog server is typically useful in each site.

To create or remove a global catalog, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites And Services.

2. In the Active Directory Sites And Services console tree, double-click the domain controller hosting the global catalog.

3. Right-click NTDS Settings, and then click Properties.

4. In the NTDS Settings Properties dialog box, shown in Figure 5-19, perform one of the following actions:

❑ To create a global catalog, select the Global Catalog check box, then click OK.

❑ To remove a global catalog, clear the Global Catalog check box, then click OK.


Figure 5-19 NTDS Settings Properties dialog box

Enabling the Universal Group Membership Caching Feature

The universal group membership caching feature can be enabled using the Active Directory Sites And Services console.

To enable the universal group membership caching feature, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites And Services.

2. In the Active Directory Sites And Services console tree, click the site for which you want to enable universal group membership caching.

3. In the details pane, right-click NTDS Site Settings, and then click Properties.

4. In the NTDS Site Settings Properties dialog box, shown in Figure 5-20, select the Enable Universal Group Membership Caching check box. Although you can choose a site from which this site will refresh its cache in the Refresh Cache From list, it is recommended that you leave this list clear (the default setting), in which case the most efficient route to a site with a global catalog is used. Click OK.
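The placement decisions in this lesson can be audited rather than tracked by hand. The following script is an added example, not code from the training kit; it uses the ActiveDirectory PowerShell module, which postdates Windows Server 2003 and is assumed to be installed with read access to the Configuration partition. It counts domain controllers and global catalog servers per site, reads the universal group membership caching flag from each site's NTDS Site Settings object (the attribute that the Enable Universal Group Membership Caching check box toggles), and flags sites that have neither a global catalog nor the cache, which is the configuration that leaves logons dependent on the WAN link.

```powershell
# Added example (not from the training kit): audit global catalog placement and
# universal group membership caching per site with the ActiveDirectory module.
# Assumes RSAT/ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

# Bit in the options attribute of an NTDS Site Settings object that marks universal
# group membership caching as enabled (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED).
$UgmcEnabledBit = 0x20

function Get-SiteCatalogStatus {
    <#
    Returns one object per site: how many domain controllers and global catalog
    servers it holds, whether universal group membership caching is on, and a
    note for sites that have neither a GC nor the cache.
    #>
    $cfgNc   = (Get-ADRootDSE).configurationNamingContext
    $sitesDn = "CN=Sites,$cfgNc"

    # DCs of the current domain grouped by site. In a multi-domain forest run this
    # once per domain (Get-ADDomainController -Server <dc of that domain>).
    $dcsBySite = Get-ADDomainController -Filter * | Group-Object -Property Site

    # NTDS Site Settings objects live at
    # CN=NTDS Site Settings,CN=<SiteName>,CN=Sites,<configuration NC>.
    $siteSettings = Get-ADObject -LDAPFilter '(objectClass=nTDSSiteSettings)' `
        -SearchBase $sitesDn -SearchScope Subtree -Properties options

    foreach ($s in $siteSettings) {
        $siteName = ($s.DistinguishedName -split ',')[1] -replace '^CN=', ''
        $opts     = [int]($s.options)            # attribute may be unset (null -> 0)
        $ugmc     = ($opts -band $UgmcEnabledBit) -ne 0

        $inSite  = $dcsBySite | Where-Object Name -eq $siteName
        $dcCount = if ($inSite) { $inSite.Count } else { 0 }
        $gcCount = if ($inSite) { @($inSite.Group | Where-Object IsGlobalCatalog).Count } else { 0 }

        # A site with DCs but neither a GC nor the cache must reach a GC over the WAN
        # for every logon that needs universal group membership.
        $note = if ($dcCount -gt 0 -and $gcCount -eq 0 -and -not $ugmc) {
            'No GC and no UGMC: universal-group logons depend on the WAN link'
        } elseif ($gcCount -gt 0 -and $ugmc) {
            'GC in site: UGMC is redundant here'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Site        = $siteName
            DomainCtrls = $dcCount
            GlobalCats  = $gcCount
            UgmcEnabled = $ugmc
            Note        = $note
        }
    }
}

Get-SiteCatalogStatus | Sort-Object Site | Format-Table -AutoSize
```

The script is read-only; it changes nothing. Because `Get-ADDomainController -Filter *` enumerates only the current domain, a forest with several domains needs one pass per domain (or a forest-wide query of the server objects under CN=Sites) before the per-site GC count is complete.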


Figure 5-20 NTDS Site Settings Properties dialog box

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. What is the function of the global catalog?

2. What is a global catalog server?

3. What must you do to allow a domain controller to process user logon requests without contacting a global catalog server?

4. For optimum network response time, how many domain controllers in each site should you designate as a global catalog server?


5. The universal group membership caching feature is set for which of the following?

a. Forest

b. Domain

c. Site

d. Domain controller

Lesson Summary

■ The global catalog is the central repository of information about objects in a tree or forest and is created automatically on the initial domain controller in the first domain in the forest, known as the global catalog server. A global catalog server is a domain controller that stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest.

■ Universal group membership caching, a new feature in the Windows Server 2003 operating system, allows a site that does not contain a global catalog server to be configured to cache universal group memberships for users who log on to the domain controller in the site. The universal group membership caching feature must be set for each site and requires a domain controller to run a Windows Server 2003 operating system.

■ For optimum network response time and application availability, designate at least one domain controller in each site as the global catalog server. To optimize replication in a multiple site environment, you might need to consider adding global catalogs for specific sites.


Lesson 5: Configuring Application Directory Partitions

This lesson introduces you to application directory partitions, a new feature in Windows Server 2003. It also walks you through the tasks involved in configuring and managing application directory partitions.

After this lesson, you will be able to

■ Explain the purpose of an application directory partition

■ Configure an application directory partition

■ Manage an application directory partition

Estimated lesson time: 30 minutes

Application Directory Partitions

An application directory partition is a directory partition that is replicated only to specific domain controllers. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition. Applications and services can use application directory partitions to store application-specific data. Application directory partitions can contain any type of object, except security principals (users, groups, and computers). Telephony Application Programming Interface (TAPI) is an example of a service that stores its application-specific data in an application directory partition.

Using application directory partitions provides the following benefits:

■ Provides redundancy, availability, or fault tolerance, by replicating data to a specific domain controller or any set of domain controllers anywhere in the forest.

■ Reduces replication traffic because the application data is only replicated to specific domain controllers.

■ Applications or services that use Lightweight Directory Access Protocol (LDAP) can continue using it to access and store their application data in Active Directory.

Application directory partitions are usually created by the applications that use them to store and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.

Application Directory Partition Naming

An application directory partition is part of the overall forest namespace just like a domain directory partition. It follows the same DNS and distinguished names naming conventions as a domain directory partition. An application directory partition can appear anywhere in the forest namespace that a domain directory partition can appear.


An application directory partition can be placed in the following areas in the forest namespace:

■ A child of a domain directory partition

■ A child of an application directory partition

■ A new tree in the forest

For example, if you created an application directory partition called example1 as a child of the microsoft.com domain, the DNS name of the application directory partition would be example1.microsoft.com. The distinguished name of the application directory partition would be dc=example1, dc=microsoft, dc=com. If you then created an application directory partition called example2 as a child of example1.microsoft.com, the DNS name of the application directory partition would be example2.example1.microsoft.com and the distinguished name would be dc=example2, dc=example1, dc=microsoft, dc=com.

However, if the domain microsoft.com was the root of the only domain tree in your forest, and you created an application directory partition with the DNS name of example1 and the distinguished name of dc=example1, this application directory partition is not in the same tree as the microsoft.com domain. This application directory partition would be the root of a new tree in the forest.

Domain directory partitions cannot be children of an application directory partition. For example, if you created an application directory partition with the DNS name of example1.microsoft.com, you could not create a domain with the DNS name of domain.example1.microsoft.com.

Application Directory Partition Replication

The KCC automatically generates and maintains the replication topology for all application directory partitions in the enterprise. When an application directory partition has replicas in more than one site, those replicas follow the same intersite replication schedule as the domain directory partition. Objects stored in an application directory partition are never replicated to the global catalog as read-only replicas. Any domain controller running Windows Server 2003 can hold a replica, including domain controllers that also act as global catalog servers.

In addition, if an application requests data through the global catalog port (with LDAP, port 3268, or with LDAP/SSL port 3269), that query will not return any objects from an application directory partition, even if the computer hosting the application directory partition is also hosting the global catalog. This is done so that LDAP queries to different global catalogs will not return inconsistent results because the application directory partition is replicated to only one of the servers hosting the global catalogs.


Application Directory Partitions and Domain Controller Demotion

If you must demote a domain controller, consider the following:

■ If a domain controller holds a replica of an application directory partition, then you must remove the domain controller from the replica set of the application directory partition or delete the application directory partition before you can demote the domain controller.

■ If a domain controller holds the last replica of an application directory partition, then before you can demote the domain controller you must do one of the following: specify that you want the Active Directory Installation Wizard to remove all replicas from the domain controller, remove the replica manually by using the utility provided by the application that installed it, or remove the replica manually by using the Ntdsutil command.

Before deleting the application directory partition, you must:

■ Identify the applications that use it. To determine what application directory partitions are hosted on a computer, refer to the list on the Application Directory Partitions page of the Active Directory Installation Wizard.

■ Determine if it is safe to delete the last replica. Removing the last replica of an application directory partition results in the permanent loss of any data contained in the partition. If you have identified the applications using the application directory partition, consult the documentation provided with those applications to determine if there is any reason to keep the data. If the applications that use the application directory partition are out of service, it is probably safe to remove the partition. If it is not safe to delete the last replica, or if you cannot determine whether or not it is safe, and you must demote the domain controller holding the last replica of a particular application directory partition, follow these steps: Add a replica of the partition on another domain controller, force the replication of the contents of the application directory partition to the domain controller holding the new replica, and then remove the replica of the partition on the domain controller to be demoted.

■ Identify the partition deletion tool provided by the application. Most applications that create application directory partitions provide a utility to remove the partitions. When possible, always delete an application directory partition using the utility provided. Refer to the application’s documentation for information about removing application directory partitions that were created and used by that application. If you cannot identify the application that created the application directory partition, or if your application does not provide a means to delete application directory partitions that it created, you can use the Ntdsutil command-line tool. To do this, refer to the section “Creating or Deleting an Application Directory Partition” later in this chapter.


Note

If the domain controller holds a TAPI application directory partition, you can use the Tapicfg command-line tool to remove the TAPI application directory partition. For more information about the Tapicfg command-line tool, refer to Windows Server 2003 Help.

Security Descriptor Reference Domain

Every container and object on the network has a set of access control information attached to it. Known as a security descriptor, this information controls the type of access allowed by users, groups, and computers. If the object or container is not assigned a security descriptor by the application or service that created it, then it is assigned the default security descriptor for that object class as defined in the schema.

This default security descriptor is ambiguous in that it may assign members of the Domain Admins group read permissions to the object, but it does not specify to what domain the domain administrators belong. When this object is created in a domain naming partition, that domain naming partition is used to specify which Domain Admins group actually is assigned read permission. For example, if the object is created in mydomain.microsoft.com, then members of the mydomain Domain Admins group would be assigned read permission.

When an object is created in an application directory partition, the definition of the default security descriptor is difficult because an application directory partition can have replicas on different domain controllers belonging to different domains. Because of this potential ambiguity, a default security descriptor reference domain is assigned when the application directory partition is created.

The default security descriptor reference domain defines what domain name to use when an object in the application directory partition needs to define a domain value for the default security descriptor. The default security descriptor reference domain is assigned at the time of creation.

If the application directory partition is a child of a domain directory partition, by default, the parent domain directory partition becomes the security descriptor reference domain. If the application directory partition is a child object of another application directory partition, the security descriptor reference domain of the parent application directory partition becomes the reference domain of the new, child, application directory partition. If the new application directory partition is created as the root of a new tree, then the forest root domain is used as the default security descriptor reference domain.

You can manually specify a security reference domain. However, if you plan to change the default security descriptor reference domain of a particular application directory partition, you should do so before creating the first instance of that partition. To do this, you must prepare the cross-reference object and change the default security reference domain before completing the application directory partition creation process.
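The naming rules in “Application Directory Partition Naming” and the reference-domain rules just described are mechanical enough to check in code. The PowerShell functions below are an added example, not part of the training kit: they convert a DNS name to its distinguished name, classify where a proposed partition lands in the forest namespace, derive its default security descriptor reference domain, and reject a domain name that would sit under an application directory partition. The forest they operate on is constructed from the microsoft.com, example1 and example2 names used in the text; mydomain.microsoft.com is an added, hypothetical second domain.

```powershell
# Added example (not from the training kit): model the naming rules and the default
# security descriptor reference domain for application directory partitions.
# The forest layout at the bottom is constructed for illustration.

function ConvertTo-PartitionDn {
    # DNS name -> distinguished name: each label becomes one dc= component
    # (example1.microsoft.com -> dc=example1,dc=microsoft,dc=com).
    param([string]$DnsName)
    ($DnsName.TrimEnd('.').Split('.') | ForEach-Object { "dc=$_" }) -join ','
}

function Get-ParentDnsName {
    # Drop the leftmost label; a single-label name has no parent (new tree).
    param([string]$DnsName)
    $labels = $DnsName.TrimEnd('.').Split('.')
    if ($labels.Count -le 1) { return $null }
    ($labels | Select-Object -Skip 1) -join '.'
}

function Resolve-NewPartition {
    <#
    Classifies a proposed application directory partition and derives its
    default security descriptor reference domain:
      child of a domain partition       -> that domain
      child of an application partition -> the parent partition's reference domain
      root of a new tree                -> the forest root domain
    $Forest: hashtable with RootDomain, Domains (DNS names) and
    AppPartitions (hashtable: DNS name -> reference domain).
    #>
    param([hashtable]$Forest, [string]$DnsName)
    $parent = Get-ParentDnsName $DnsName
    if ($parent -and ($Forest.Domains -contains $parent)) {
        $placement = 'child of domain partition'
        $refDomain = $parent
    } elseif ($parent -and $Forest.AppPartitions.ContainsKey($parent)) {
        $placement = 'child of application partition'
        $refDomain = $Forest.AppPartitions[$parent]
    } else {
        $placement = 'new tree in the forest'
        $refDomain = $Forest.RootDomain
    }
    [pscustomobject]@{
        DnsName           = $DnsName
        DistinguishedName = ConvertTo-PartitionDn $DnsName
        Placement         = $placement
        ReferenceDomain   = $refDomain
    }
}

function Test-DomainNameAllowed {
    # A domain directory partition may not be a child of an application directory
    # partition, so reject a proposed domain name with one anywhere above it.
    param([hashtable]$Forest, [string]$DomainDnsName)
    $p = Get-ParentDnsName $DomainDnsName
    while ($p) {
        if ($Forest.AppPartitions.ContainsKey($p)) { return $false }
        $p = Get-ParentDnsName $p
    }
    return $true
}

# Constructed forest: one tree rooted at microsoft.com; mydomain.microsoft.com is hypothetical.
$forest = @{
    RootDomain    = 'microsoft.com'
    Domains       = @('microsoft.com', 'mydomain.microsoft.com')
    AppPartitions = @{}
}

# Create the three partitions from the text in order, recording each one's reference
# domain so that a later child partition can inherit it.
foreach ($name in 'example1.microsoft.com', 'example2.example1.microsoft.com', 'example1') {
    $r = Resolve-NewPartition -Forest $forest -DnsName $name
    $forest.AppPartitions[$r.DnsName] = $r.ReferenceDomain
    $r
}

# Domain placement checks: the first name sits under an application partition.
Test-DomainNameAllowed -Forest $forest -DomainDnsName 'domain.example1.microsoft.com'
Test-DomainNameAllowed -Forest $forest -DomainDnsName 'child.mydomain.microsoft.com'
```

Creation order matters in the model exactly as it does in the directory: example2.example1.microsoft.com inherits its reference domain from example1.microsoft.com only because that partition (and its reference domain, microsoft.com) was recorded first, and the single-label name example1 falls through to the forest root because it has no parent at all.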

Managing Application Directory Partitions

You can use the following tools to create, delete, or manage application directory partitions:

■ Application-specific tools from the application vendor

■ Ntdsutil command-line tool

■ LDAP

■ Active Directory Service Interfaces (ADSI)

This lesson provides information about using Ntdsutil to create and manage application directory partitions. To manage application directory partitions, you must be able to complete the following tasks:

■ Create or delete an application directory partition.

■ Add or remove an application directory partition replica.

■ Display application directory partition information.

■ Set a notification delay.

■ Prepare a cross-reference object.

■ Set an application directory partition reference domain.

To perform these tasks, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority.

To perform these tasks, you use the domain management command within the Ntdsutil command. To open the Ntdsutil domain management command:

1. Click Start, and then click Command Prompt.

2. At the command prompt, type ntdsutil.

3. At the Ntdsutil command prompt, type domain management.

4. At the domain management command prompt, type connection.

5. At the connection command prompt, type connect to server ServerName, where ServerName is the DNS name of the domain controller to which you want to connect.

6. At the connection command prompt, type quit.


Creating or Deleting an Application Directory Partition

When you create an application directory partition, you are creating the first instance of this partition. When you delete an application directory partition, you are removing all replicas of that partition from your forest. The deletion process must replicate to all domain controllers that contain a replica of the application directory partition before the deletion process is complete. When an application directory partition is deleted, any data that is contained in it is lost. To create or delete an application directory partition:

1. Type the appropriate commands to invoke the Ntdsutil domain management command.

2. At the domain management command prompt, do one of the following:

❑ To create an application directory partition, type: create nc ApplicationDirectoryPartition DomainController, where ApplicationDirectoryPartition is the distinguished name of the application directory partition you want to create, and DomainController is the DNS name of the domain controller on which you want to create the application directory partition. Type null to create the application directory partition on the domain controller to which you are currently connected.

❑ To delete an application directory partition, type: delete nc ApplicationDirectoryPartition, where ApplicationDirectoryPartition is the distinguished name of the application directory partition you want to delete.

Adding or Removing an Application Directory Partition Replica

An application directory partition replica is an instance of a partition on another domain controller, created for redundancy or data access purposes. When you remove an application directory partition replica, any data that is contained in the replica is lost.

To add or remove an application directory partition replica:

1. Type the appropriate commands to invoke the Ntdsutil domain management command.

2. At the domain management command prompt, do one of the following:

❑ To add an application directory partition replica, type: add nc ApplicationDirectoryPartition DomainController, where ApplicationDirectoryPartition is the distinguished name of the application directory partition replica that you want to add, and DomainController is the DNS name of the domain controller on which you want to create the application directory partition replica. Type null to create the application directory partition replica on the domain controller to which you are currently connected.


❑ To remove an application directory partition replica, type: remove nc ApplicationDirectoryPartition DomainController, where ApplicationDirectoryPartition is the distinguished name of the application directory partition replica that you want to delete, and DomainController is the DNS name of the domain controller from which you want to remove the application directory partition replica. Type null to remove the application directory partition replica from the domain controller to which you are currently connected.

Displaying Application Directory Partition Information

Any domain controller that holds a replica of a particular directory partition (including application directory partitions) is said to be a member of the replica set for that directory partition. You can use Ntdsutil to list the domain controllers that are members of a particular replica set for an application directory partition. An addition of a domain controller to the replica set attribute on the cross-reference object does not create the replica, but it will display when the list nc replicas command is used in Ntdsutil. The creation of the instance must replicate before the creation of the replica is complete.

To display application directory partition information:

1. Type the appropriate commands to invoke the Ntdsutil domain management command.

2. At the domain management command prompt, do one or more of the following:

❑ To show the distinguished names of known directory partitions, type: list.

❑ To show the reference domain and replication delays for an application directory partition, type: list nc information DistinguishedName, where DistinguishedName is the distinguished name of the application directory partition you want information about.

❑ To show the list of domain controllers in the replica set for an application directory partition, type: list nc replicas DistinguishedName, where DistinguishedName is the distinguished name of the application directory partition you want information about.
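The information that list nc information and list nc replicas print is stored on the partition's cross-reference object in the Partitions container, so it can also be collected for every application directory partition at once and fed into the pre-demotion check described earlier in this lesson (does the domain controller hold a replica, and is it the last one). The following script is an added example, not code from the training kit; it assumes the ActiveDirectory PowerShell module, which postdates Windows Server 2003, read access to the Configuration partition, and the placeholder domain controller name DC1.

```powershell
# Added example (not from the training kit): inventory application directory
# partitions from their cross-reference objects and check whether a given domain
# controller holds the last replica of any of them before it is demoted.
# Assumes the ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

function Get-ApplicationPartitionInfo {
    # One object per application directory partition, covering what
    # "list nc information" and "list nc replicas" report in Ntdsutil.
    $cfgNc  = (Get-ADRootDSE).configurationNamingContext
    $appNcs = @((Get-ADForest).ApplicationPartitions)   # DNs of the forest's application partitions

    $crossRefs = Get-ADObject -LDAPFilter '(objectClass=crossRef)' `
        -SearchBase "CN=Partitions,$cfgNc" -SearchScope OneLevel `
        -Properties nCName, dnsRoot, 'msDS-NC-Replica-Locations', 'msDS-SDReferenceDomain',
                    'msDS-Replication-Notify-First-DSA-Delay', 'msDS-Replication-Notify-Subsequent-DSA-Delay'

    foreach ($cr in $crossRefs) {
        # Skip domain, configuration and schema cross-references.
        if ($appNcs -notcontains [string]$cr.nCName) { continue }

        # Replica locations are the NTDS Settings DNs of the hosting DCs:
        # CN=NTDS Settings,CN=<DCName>,CN=Servers,CN=<Site>,CN=Sites,...
        $replicaDcs = @($cr.'msDS-NC-Replica-Locations' | ForEach-Object {
            ($_ -split ',')[1] -replace '^CN=', ''
        })

        [pscustomobject]@{
            Partition          = [string]$cr.nCName
            DnsName            = [string]$cr.dnsRoot
            ReferenceDomain    = [string]$cr.'msDS-SDReferenceDomain'
            FirstDelaySec      = $cr.'msDS-Replication-Notify-First-DSA-Delay'
            SubsequentDelaySec = $cr.'msDS-Replication-Notify-Subsequent-DSA-Delay'
            ReplicaDcs         = $replicaDcs
        }
    }
}

function Test-DemotionBlockers {
    # Lists the application partitions replicated on $DcName and flags those for
    # which it holds the last replica, since removing that replica loses the data.
    param([Parameter(Mandatory)][string]$DcName)
    Get-ApplicationPartitionInfo | Where-Object { $_.ReplicaDcs -contains $DcName } |
        ForEach-Object {
            $last = ($_.ReplicaDcs.Count -eq 1)
            $action = if ($last) {
                'Last replica: add a replica on another DC and force replication first, or confirm the data may be lost'
            } else {
                'Remove this replica (remove nc) before demoting'
            }
            [pscustomobject]@{
                Partition    = $_.Partition
                ReplicaCount = $_.ReplicaDcs.Count
                LastReplica  = $last
                Action       = $action
            }
        }
}

Get-ApplicationPartitionInfo | Format-List
Test-DemotionBlockers -DcName 'DC1' | Format-Table -AutoSize   # DC1 is a placeholder DC name
```

Both functions only read the directory. The same inventory can be taken with the tool the lesson describes by passing each menu command to ntdsutil as a quoted argument, for example `ntdsutil "domain management" connection "connect to server dc1.example.com" quit list quit quit`, where dc1.example.com is a placeholder server name; the script above is simply easier to run across every partition and to compare against a list of servers scheduled for demotion.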

Setting Replication Notification Delays

Changes made to a particular directory partition on a particular domain controller are replicated to the other domain controllers that contain that directory partition. The domain controller on which the change was made notifies its replication partners that it has a change. You can configure how long the domain controller will wait to send the change notification to its first replication partner. You can also configure how long it waits to send the subsequent change notification to its remaining replication partners. These delays can be set for any directory partition (including domain directory partitions) on a particular domain controller.

To set a replication notification delay:

1. Type the appropriate commands to invoke the Ntdsutil domain management command.

2. At the domain management command prompt, type: set nc replicate notification delay ApplicationDirectoryPartition DelayInSeconds AdditionalDelayInSeconds, where ApplicationDirectoryPartition is the distinguished name of the application directory partition for which you want to set a notification delay, DelayInSeconds is the number of seconds to delay before sending the change notification to the first replication partner, and AdditionalDelayInSeconds is the number of seconds to delay before sending subsequent change notifications to the remaining replication partners.

Delegating the Creation of Application Directory Partitions

There are two things that happen when creating an application directory partition:

■ Creation of the cross-reference object

■ Creation of the application directory partition root node

Normally only members of the Enterprise Admins group can create an application directory partition. However, it is possible for a member of the Enterprise Admins group to prepare a cross-reference object for the application directory partition and to delegate the rest of the process to someone with more limited permissions.

The cross-reference object for an application directory partition holds several valuable pieces of information, including the domain controllers that are to have a replica of this partition and the security descriptor reference domain. The partition root node is the Active Directory object at the root of the partition.

The Enterprise Admin can create the cross-reference object then delegate to a person or group with less permissions the right to create the application directory partition root node. Both creation of the cross-reference object and the application directory partition root node can be accomplished using Ntdsutil.

After using Ntdsutil to create the cross-reference object, the enterprise administrator must modify the cross-reference object’s access control list to allow the delegated administrator to modify this cross-reference. This will allow the delegated administrator to create the application directory partition and modify the list of domain controllers that holds replicas of this application directory partition. The delegated administrator must use the names of the application directory partition and the domain controller name that were specified during the precreation process.

5-56

Chapter 5 Configuring Sites and Managing Replication

To prepare a cross-reference object:

1. Type the appropriate commands to invoke the Ntdsutil domain management command.

2. At the domain management command prompt, type:

   precreate ObjectName DomainController

   where ObjectName is the distinguished name of the object you want to create, and DomainController is the DNS name of the domain controller on which the object will reside.
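The delegation workflow described above (the Enterprise Admin precreates the cross-reference and grants a delegate write access to it; the delegate then creates the root node using exactly the names given at precreation), written as an added Python script that is not the book's or Microsoft's code. It assumes ntdsutil's non-interactive argument form with Windows Server 2003 menu names, that you locate the crossRef object's DN yourself (a placeholder is shown), and that read/write-property rights on that object are sufficient for the delegate; the partition, server and group names are constructed samples.

```python
"""Scripted form of the delegation workflow above: the Enterprise Admin precreates the
cross-reference object and grants a delegate write access to it; the delegate later
creates the partition root node with exactly the names used at precreation.
Added example, not the book's or Microsoft's code; assumptions are marked ASSUMPTION."""
import subprocess
from typing import List


def normalize_dn(dn: str) -> str:
    # DN comparison is case-insensitive and ignores whitespace around commas.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def names_match(dn: str, dc: str, precreated_dn: str, precreated_dc: str) -> bool:
    """True when the delegate's partition DN and DC name are the ones precreated."""
    return normalize_dn(dn) == normalize_dn(precreated_dn) and dc.lower() == precreated_dc.lower()


def ntdsutil_argv(command: str, server: str) -> List[str]:
    """Non-interactive ntdsutil command line for one domain management command.

    ASSUMPTION: ntdsutil takes its menu commands as separate arguments, replaying the
    interactive sequence domain management -> connections -> connect to server ->
    quit -> <command> -> quit -> quit. Menu names are Windows Server 2003's."""
    return ["ntdsutil", "domain management", "connections",
            f"connect to server {server}", "quit", command, "quit", "quit"]


def precreate_argv(partition_dn: str, dc_dns_name: str) -> List[str]:
    # Enterprise Admin step 1: 'precreate ObjectName DomainController'.
    return ntdsutil_argv(f"precreate {partition_dn} {dc_dns_name}", dc_dns_name)


def dsacls_argv(crossref_dn: str, delegate: str, rights: str = "RPWP") -> List[str]:
    """Enterprise Admin step 2: grant the delegate rights on the cross-reference object.

    ASSUMPTION: crossref_dn is the crossRef object under CN=Partitions,CN=Configuration
    whose nCName is the partition DN; RPWP (read/write property) is the minimum that
    lets the delegate modify the cross-reference, including its replica locations."""
    return ["dsacls", crossref_dn, "/G", f"{delegate}:{rights}"]


def create_nc_argv(partition_dn: str, dc_dns_name: str,
                   precreated_dn: str, precreated_dc: str) -> List[str]:
    """Delegate step: 'create nc ApplicationDirectoryPartition DomainController'.

    Refuses names that differ from the precreated ones, since the root node must be
    created with the partition and domain controller names given at precreation."""
    if not names_match(partition_dn, dc_dns_name, precreated_dn, precreated_dc):
        raise ValueError("partition DN or DC name differs from the precreated cross-reference")
    return ntdsutil_argv(f"create nc {partition_dn} {dc_dns_name}", dc_dns_name)


def run(argv: List[str], dry_run: bool = True) -> str:
    # Dry run only renders the command line; set dry_run=False on a management host.
    if not dry_run:
        subprocess.run(argv, check=True)
    return subprocess.list2cmdline(argv)


if __name__ == "__main__":
    PARTITION = "DC=App1,DC=contoso,DC=com"        # constructed sample names
    DC = "server1.contoso.com"
    CROSSREF = "CN=PLACEHOLDER,CN=Partitions,CN=Configuration,DC=contoso,DC=com"
    print(run(precreate_argv(PARTITION, DC)))                          # Enterprise Admin
    print(run(dsacls_argv(CROSSREF, r"CONTOSO\AppPartitionAdmins")))   # Enterprise Admin
    print(run(create_nc_argv(PARTITION, DC, PARTITION, DC)))           # delegated admin
```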

Setting the Application Directory Partition Reference Domain

The security descriptor reference domain defines a domain name for the default security descriptor for objects in the application directory partition. By default, the security descriptor reference domain is the parent domain of the application directory partition.

If the application directory partition is a child of another application directory partition, the default security descriptor reference domain is the security descriptor reference domain of the parent application directory partition. If the application directory partition has no parent, the forest root domain becomes the default security descriptor reference domain. You can use Ntdsutil to change the default security descriptor reference domain.

To set an application directory partition reference domain:

1. Type the appropriate commands to invoke the Ntdsutil domain management command.

2. At the domain management command prompt, type:

   set nc reference domain ApplicationDirectoryPartition ReferenceDomain

   where ApplicationDirectoryPartition is the distinguished name of the application directory partition for which you want to set the reference domain, and ReferenceDomain is the distinguished name of the domain that you want to be the reference domain for the application directory partition.

Exam Tip: Know how to create and configure application directory partitions.

Lesson 5 Configuring Application Directory Partitions 5-57

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. What is an application directory partition?

2. Name the benefits of using an application directory partition.

3. What is a security descriptor and how is it used in an application directory partition?

4. What considerations should you make before deleting an application directory partition?

5. Which of the following tools can you use to delete an application directory partition? (Select all that apply.)

   a. Ntdsutil command-line tool

   b. Application-specific tools from the application vendor

   c. Active Directory Installation Wizard

   d. Active Directory Domains And Trusts console

   e. Active Directory Sites And Services console


Lesson Summary

■ An application directory partition is a directory partition that is replicated only to specific domain controllers. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition. Application directory partitions are usually created by the applications that use them to store and replicate data.

■ An application directory partition can be a child of a domain directory partition, a child of an application directory partition, or a new tree in the forest.

■ The KCC automatically generates and maintains the replication topology for all application directory partitions in the enterprise. When an application directory partition has replicas in more than one site, those replicas follow the same intersite replication schedule as the domain directory partition.

■ If you must demote a domain controller, you must remove the domain controller from the replica set of the application directory partition or delete the application directory partition before you can demote the domain controller.

■ For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.

Lesson 6 Monitoring and Troubleshooting Replication 5-59

Lesson 6: Monitoring and Troubleshooting Replication

In order to maintain an effective replication configuration, you must be able to monitor and troubleshoot Active Directory replication. Monitoring and troubleshooting replication involves using the Replmon.exe: Active Directory Replication Monitor graphical tool and the Repadmin.exe: Replication Diagnostics Tool and Dsastat.exe command-line tools to handle replication-related issues.

After this lesson, you will be able to

■ Explain the purpose of the Replmon.exe: Active Directory Replication Monitor graphical tool

■ Use Replmon to perform various replication monitoring and troubleshooting tasks

■ Explain the purpose of the Repadmin.exe: Replication Diagnostics Tool command-line tool

■ Use Repadmin to perform various replication monitoring and troubleshooting tasks

■ Explain the purpose of the Dsastat.exe command-line tool

■ Use Dsastat.exe to perform various monitoring and troubleshooting tasks

Estimated lesson time: 40 minutes

Monitoring and Troubleshooting Replication

As an administrator, it will likely be your task to monitor and troubleshoot Active Directory replication. Windows Support Tools provide the following tools for monitoring and troubleshooting replication:

■ Replmon.exe: Active Directory Replication Monitor

■ Repadmin.exe: Replication Diagnostics Tool

■ Dsastat.exe

Replmon.exe: Active Directory Replication Monitor

The Active Directory Replication Monitor (Replmon) enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication.

Replmon must be installed on a computer running Windows Server 2003. The computer can be a domain controller, member server, member workstation, or stand-alone computer. In addition, Replmon can be used to monitor domain controllers from different forests simultaneously.


Note: To use Replmon, you must first install the Windows Support Tools on your computer. You can find the complete installation procedure in Chapter 2, “Administering Active Directory.”

To start Replmon, complete the following steps:

1. Click Start, point to Command Prompt, type replmon, and then press Enter.

2. In the console tree, right-click Monitored Servers, and select Add Monitored Server.

3. On the Add Monitored Server Wizard page, select Add The Server Explicitly By Name, and then click Next.

4. On the Add Server To Monitor page, type the name of the server you want to monitor in the Enter The Name Of The Server To Monitor Explicitly box, and then click Finish.

5. In the Active Directory Replication Monitor window, shown in Figure 5-21, the server you chose for monitoring appears in the console tree. You can now monitor replication processes for this server.

Figure 5-21 Active Directory Replication Monitor window

Features of the Active Directory Replication Monitor Window

All objects visible in the console tree support context-sensitive (right-click) menus for quick access to actions that can be performed on the node selected. The details pane displays data relevant to the node you select in the console tree. If you select a monitored server, the history of the date and time that each status refresh was initiated, along with Group Policy Objects (GPOs) and performance statistics (if those options are enabled), are displayed. Replmon also records other pertinent data regarding changes to the domain controller status in this view.

If you right-click a monitored server object, you’ll see several actions you can initiate. One of those actions is to Synchronize Each Directory Partition with All Servers. If you select that option, you can initiate several different types of replication, as shown in Figure 5-22.

Figure 5-22 Replication Monitor Directory synchronization options

Icons enable you to determine replication status at a glance. A regular site icon represents a site. A regular server icon represents a monitored server. If the monitored server is a global catalog server, the server icon appears with a globe to the upper right. A book icon is used to represent directory partitions.

Replication partners appear under directory partitions. If the replication partner is a direct replication partner and the last replication attempt was successful, an icon representing two domain controllers on a network is used. If the replication partner is a direct replication partner and the last replication attempt failed, an icon representing two domain controllers on a network with a red “X” is used. If the replication partner is a bridgehead server, an icon representing a phone connection is used. If the last replication attempt failed, an icon representing a phone connection with a red “X” is used to denote the failure. For transitive replication partners, a single computer icon is used.

For more information about Replmon.exe: Active Directory Replication Monitor, see Windows Support Tools Help.


Repadmin.exe: Replication Diagnostics Tool

The Replication Diagnostics Tool (Repadmin), a command-line tool, allows you to view the replication topology as seen from the perspective of each domain controller. In addition, Repadmin can be used in troubleshooting to create the replication topology manually (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view the replication metadata. You can also use Repadmin to see how up-to-date each domain controller is.

Note: During the normal course of operations, there is no need to manually create the replication topology. Incorrect use of this tool might adversely impact the replication topology. The main use of this tool is to monitor replication so problems such as offline servers or unavailable LAN/WAN connections can be identified.

Repadmin has the following syntax:

repadmin command arguments [/rpc] [/ldap] [/u:domain\user /pw:{password|*}]

Each of the command parameters is explained in Table 5-3.

Table 5-3 Repadmin Command Parameters

command arguments
    Allows you to specify a command and the arguments that apply to it. For a list of commands and arguments, see Windows Support Tools Help.

/rpc
    Forces Repadmin to use an RPC session for network communications.

/ldap
    Forces Repadmin to use an LDAP session for network communications.

/u:domain\user
    Allows you to specify an optional user as the administrator. If the user name is not specified, the credentials of the currently logged-on user are used.

/pw:{password|*}
    Allows you to specify the password of the user specified by the /u: parameter. If the password is not specified, the credentials of the currently logged-on user are used.

Using Repadmin

This section describes how to perform the following replication monitoring and troubleshooting tasks using Repadmin:

■ Display the replication partners for a server

■ Display the highest update sequence number (USN) on a server

■ Display the connection objects for a server

■ Force replication between replication partners


There are additional monitoring and troubleshooting tasks you can perform using Repadmin. Refer to Windows Support Tools Help for further information.

Note: To use Repadmin, you must first install the Windows Support Tools on your computer. You can find the complete installation procedure in Chapter 2, “Administering Active Directory.”

To use Repadmin, complete the following steps:

1. Click Start, and then click Command Prompt.

2. At the command prompt, type the appropriate Repadmin command and parameters. The following are among the options available:

   ❑ To display the replication partners for a domain controller, type repadmin /showrepl DC_LIST, where DC_LIST is the host name of the domain controller. For example: repadmin /showrepl server1.contoso.com. The objectGUID (the globally unique identifier) for the selected server and its replication partners and the InvocationID for the selected server are shown.

   ❑ To display the highest USN on a domain controller, type repadmin /showutdvec DC_LIST NamingContext, where DC_LIST is the host name of the domain controller and NamingContext is the distinguished name of the directory partition on the domain controller. For example: repadmin /showutdvec server1.contoso.com dc=contoso,dc=com. The highest USN is shown for the specified domain controller and its replication partners.

   ❑ To display the connection objects for a domain controller, type repadmin /showconn DC_LIST, where DC_LIST is the host name of the domain controller. For example: repadmin /showconn server1.contoso.com. The connection object name and replication information are shown.

   ❑ To force replication between two replication partners, type repadmin /replicate DC_LISTsource DC_LISTtarget NamingContext, where DC_LISTsource is the host name of the source domain controller, DC_LISTtarget is the host name of the target domain controller, and NamingContext is the distinguished name of the directory partition on the domain controller. For example: repadmin /replicate server1.contoso.com Server2.contoso.com dc=contoso,dc=com. A message appears, stating that the sync from server1.contoso.com to server2.contoso.com was completed successfully.
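The /showutdvec output described above lists, per originating domain controller, the highest USN the queried server has applied; comparing that vector across servers shows how up-to-date each one is. The following is an added Python example, not from the book or the Windows Support Tools; the two samples are constructed in the line format repadmin prints, using the chapter's Server1 and Server2 in a site named Columbus.

```python
"""Compare 'repadmin /showutdvec' output from several domain controllers to see how far
each one lags behind the others, per originating DC. Added example, not from the book or
the Windows Support Tools; the two samples are constructed in the line format repadmin
prints (Site\\DC @ USN n @ Time yyyy-mm-dd hh:mm:ss) for the chapter's Server1/Server2."""
import re
from typing import Dict

# One vector line per originating DSA: the highest USN from that DSA which the queried
# DC has already applied for the partition named on the command line.
UTD_LINE = re.compile(r"^\s*(?P<dsa>\S+)\s+@\s+USN\s+(?P<usn>\d+)\s+@\s+Time\s+(?P<time>.+?)\s*$")

# Constructed samples: dc=contoso,dc=com as seen from Server1 and from Server2.
SAMPLE_SERVER1 = """\
Caching GUIDs.
..
Columbus\\SERVER1       @ USN   9112 @ Time 2004-02-11 10:30:02
Columbus\\SERVER2       @ USN   8301 @ Time 2004-02-11 10:24:31
"""
SAMPLE_SERVER2 = """\
Caching GUIDs.
..
Columbus\\SERVER1       @ USN   9000 @ Time 2004-02-11 10:27:45
Columbus\\SERVER2       @ USN   8400 @ Time 2004-02-11 10:31:10
"""


def parse_utdvec(text: str) -> Dict[str, int]:
    """Return {originating DSA: highest USN applied}, skipping the header chatter."""
    vector: Dict[str, int] = {}
    for line in text.splitlines():
        m = UTD_LINE.match(line)
        if m:
            vector[m["dsa"].upper()] = int(m["usn"])
    return vector


def replication_lag(vectors: Dict[str, Dict[str, int]]) -> Dict[str, Dict[str, int]]:
    """For each queried DC, the number of updates from every originating DSA that it has
    not yet applied, relative to the newest USN any of the queried DCs reports for that DSA.

    All zeros means the DCs are up to date with one another; a lag that keeps growing for
    one DSA points at the inbound connection from that DSA on the lagging DC."""
    newest: Dict[str, int] = {}
    for vector in vectors.values():
        for dsa, usn in vector.items():
            newest[dsa] = max(newest.get(dsa, 0), usn)
    return {dc: {dsa: newest[dsa] - vector.get(dsa, 0) for dsa in newest}
            for dc, vector in vectors.items()}


if __name__ == "__main__":
    vectors = {"SERVER1": parse_utdvec(SAMPLE_SERVER1),
               "SERVER2": parse_utdvec(SAMPLE_SERVER2)}
    for dc, lag in replication_lag(vectors).items():
        behind = {dsa: n for dsa, n in lag.items() if n}
        print(dc, "up to date" if not behind else f"behind by {behind}")
```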


For detailed information about using Repadmin.exe: Replication Diagnostics Tool, see Windows Support Tools Help.

Dsastat.exe

Dsastat.exe compares and detects differences between directory partitions on domain controllers and can be used to ensure that domain controllers are up-to-date with one another. The tool retrieves capacity statistics such as megabytes per server, objects per server, and megabytes per object class, and compares the attributes of replicated objects.

Dsastat has the following syntax:

dsastat [/loglevel:option] [/output:option] [/s:servername[portnumber][;servername[portnumber];...]] [/t:option] [/sort:option] [/p:entrynumber] [/scope:option] [/b:searchpath] [/filter:ldapfilter] [/gcattrs:option[;option;...]] [/u:username] [/pwd:password] [/d:domain]

Each of the command parameters is explained in Table 5-4.

Table 5-4 Dsastat Command Parameters

/loglevel:option
    Specifies the type of logging performed. Valid option values are: INFO, TRACE, and DEBUG.

/output:option
    Specifies where the results of Dsastat are displayed. Valid option values are: SCREEN, FILE, or BOTH.

/s:servername[portnumber][;servername[portnumber];...]
    Specifies the names of the servers on which the comparison will be performed. Separate each server name with a semicolon.

/t:option
    Specifies whether to perform a statistics comparison or a full-content comparison. Valid option values are TRUE (perform a statistical comparison) or FALSE (perform a full-content comparison). The statistical comparison merely counts the objects. It does not compare the attributes of the objects that have been retrieved from the domain controllers and it ignores the /gcattrs option. A full-content comparison retrieves every object with attribute values and performs a comparison of the attributes of the same object from different domain controllers.

/sort:option
    Determines whether the search operations are performed with sorting based on objectGUID. Valid option values are TRUE (perform sorted queries) or FALSE (do not perform sorted queries). Performing a sorted query by setting this option to TRUE has a negative impact on performance; however, it complements the full-content comparison because it ensures that objects are returned in nearly the same order from different servers and improves the performance of full-content comparison.

/p:pagesize
    Sets page size for the LDAP search operation, indicating the number of entries to be returned per page. The valid range for pagesize is from 1 to 999. The default value is 64.

/scope:option
    Specifies the extent of the scope for the search operation. Valid option values are: BASE, ONELEVEL, or SUBTREE. The default option is SUBTREE.

/b:searchpath
    Sets the distinguished name of the base search path, allowing Dsastat to perform the comparison against any subtree of the directory.

/filter:ldapfilter
    Sets the LDAP filter used in the LDAP search operation.

/gcattrs:option[;option;...]
    Specifies attributes to be returned from the search. This option is used only if the comparison option /t is set to FALSE. Valid option values are: LDAPattributes, which displays any LDAP attribute; ObjectClass, which specifies that no attributes be displayed; auto, which specifies that only attributes replicated to the global catalog be displayed; and All, which specifies that all attributes contained in an object be displayed.

/u:username
    The user name to use for the query.

/pwd:password
    Password for authenticating the user name. Must be used with the /u parameter.

/d:domain
    The domain to use for authenticating the user name. Must be used with the /u parameter.


Using Dsastat

This section describes how to perform the following replication monitoring and troubleshooting tasks using Dsastat:

■ Comparison of the number of objects in the directory for the domain

■ Full-content search and comparison of all the objects in the domain

■ Full-content search and comparison of all the objects in a subtree of a domain

To use Dsastat, complete the following steps:

1. Click Start, and then click Command Prompt.

2. At the command prompt, type the appropriate Dsastat command and parameters. The following are among the options available:

   ❑ To compare the number of objects in the directory for the domain, type:

      dsastat [/s:servername[portnumber][;servername[portnumber];...]] [/b:searchpath] [/gcattrs:option[;option;...]] [/p:entrynumber]

      For example: dsastat /s:server1;server2 /b:DC=contoso,DC=com /gcattrs:objectclass /p:999. This search keeps a count of the different types of objects in each of the replicas and then compares the count for each object class.

   ❑ To perform a full-content search and comparison of all the objects in the domain, type:

      dsastat [/s:servername[portnumber][;servername[portnumber];...]] [/b:searchpath] [/gcattrs:option[;option;...]] [/sort:option] [/t:option] [/p:entrynumber]

      For example: dsastat /s:server1;server2 /b:DC=contoso,DC=com /gcattrs:all /sort:true /t:false /p:16. This search does a full-content search and comparison of all the objects in the contoso.com domain.

   ❑ To perform a full-content search and comparison of all the objects in a subtree of a domain, type:

      dsastat [/s:servername[portnumber][;servername[portnumber];...]] [/b:searchpath] [/gcattrs:option[;option;...]] [/sort:option] [/t:option] [/p:entrynumber]

      For example: dsastat /s:server1;server2 /b:OU=Sales,DC=contoso,DC=com /gcattrs:all /sort:true /t:false /p:16. This search does a full-content search and comparison of all the objects in the organizational unit (OU) Sales in the contoso.com domain.


Troubleshooting Active Directory Replication

Some of the common problems you might encounter with Active Directory replication include the following:

■ New users are not recognized.

■ Directory information is out-of-date.

■ Service requests are not handled in a timely fashion.

■ Domain controllers are unavailable.

Active Directory Replication Troubleshooting Scenarios

Table 5-5 describes some Active Directory replication troubleshooting scenarios.

Table 5-5 Active Directory Replication Troubleshooting Scenarios

Problem: Replication of directory information has stopped.

Cause: The sites containing the clients and domain controllers are not connected by site links to domain controllers in other sites in the network, resulting in a failure to exchange directory information between sites.

Solution: Create a site link from the current site to a site that is connected to the rest of the sites in the network.

Problem: Replication of directory information has slowed but not stopped.

Cause: Although all sites are connected by site links, your intersite replication structure is not as complete as it might be. Directory information is replicated to all domain controllers if they are all connected by site links, but this is not optimal. If there are site links but no site link bridges, changes made to domain controllers might take an unacceptably long time to be distributed to other domain controllers that are not closely linked.

Solution: Make sure Active Directory has been configured appropriately. Spanning multiple site links and creating site link bridges might provide more efficient replication.

Cause: The current network resources are insufficient to handle the amount of replication traffic. This can affect services unrelated to Active Directory, because the exchange of directory information is consuming an inordinate amount of network resources.

Solution: Increase the proportion of available network resources relative to directory traffic by decreasing the frequency in the replication schedule or increasing the site link cost so a site link corresponding to a higher bandwidth network connection is used. Make network connections with more bandwidth available to Active Directory by adding site links or site link bridges.

Cause: Directory information changed at domain controllers in one site is not being updated in domain controllers in other sites in a timely fashion.

Solution: Increase the frequency of intersite replication to make up-to-date information available. If the replication is occurring over a site link bridge, check which site link is restricting replication. Increase the time range during which replication can occur or the frequency of replication within the time frame for that site link.

Cause: Clients are having to request authentication, information, and services from a domain controller with a low-bandwidth connection, resulting in a slow response for authentication, directory information, or other services.

Solution: If there is a site that will serve a client’s subnet well, associate that subnet with the site. If a client who is experiencing poor service is isolated from domain controllers, and you plan to create another site that will include the client, create a new site with its own domain controller. You can also install a connection with more bandwidth.

Problem: Received Event ID 1311 in the directory service log.

Cause: Replication is configured incorrectly:

■ One or more domain controllers are offline.

■ Bridgehead servers are online but experiencing errors replicating a required naming context between Active Directory sites.

■ Preferred bridgehead servers defined by an administrator are online but do not host the required naming contexts.

■ One or more sites are not contained in site links.

■ Site links contain all sites but the site links are not all connected.

■ Preferred bridgehead servers defined by an administrator are offline.

Solution: Ensure all sites belong to at least one site link. Make sure the site links provide a path between all domain controllers containing a replica of a given directory partition. Make sure “Bridge All Site Links” is set correctly. If you have manually assigned preferred bridgehead servers, make sure they are online.

Problem: Received Event ID 1265 with error “DNS Lookup Failure” or “RPC server is unavailable” in the directory service log; or received “DNS Lookup Failure” or “Target account name is incorrect” from the Repadmin command.

Cause: These messages are often the result of DNS configuration problems.

Solution:

■ Each domain controller must register its CNAME record for the DsaGuid._msdcs.Forestname.

■ Each domain controller must register its A record in the appropriate zone. The A record must map to the domain controller.

■ The records must replicate to DNS servers used by direct replication partners.

■ Each DNS zone must have the proper delegations to child zones.

■ The IP configuration of the domain controllers must contain correct preferred and alternate DNS servers.

Problem: Received Event ID 1265 “Access denied” in the directory service log. Or, received “Access denied” from the repadmin command.

Cause: These errors can occur if the local domain controller fails to authenticate against its replication partner when creating the replication link or when trying to replicate over an existing link. This often happens when the domain controller has been disconnected from the rest of the network for a long time and its computer account password is not synchronized with the computer account password stored in the directory of its replication partner.

Solution:

■ Stop the Key Distribution Center (KDC) service by typing net stop KDC.

■ Purge the ticket cache on the local domain controller.

■ Reset the domain controller’s account password on the PDC emulator master by typing netdom /resetpwd.

■ Synchronize the domain directory partition of the replication partner with the PDC emulator master.

■ Manually force replication between the replication partner and the PDC emulator master.

■ Start the KDC on the local domain controller by typing net start KDC.

Problem: Received “Access denied” from the Active Directory Sites And Services console when manual replication was attempted.

Cause: Using the Active Directory Sites And Services console to force replication initiates replication on all common directory partitions between the replication partners. However, a user can force manual replication only for containers on which they have been assigned the Replication Synchronization permission. The replication of other directory partitions will fail, causing the error.

Solution: Use the Repadmin or Replmon command-line tools from Windows Support Tools to manually force replication of a specific directory partition.

Practice: Monitoring and Troubleshooting Active Directory Replication

In this practice, you use Replmon, Repadmin, and Dsastat to perform routine replication monitoring and troubleshooting tasks.

Note: To complete this practice, you must have successfully completed the practices in Lessons 2 and 3.


Exercise 1: Using Replmon

In this exercise, you practice using Replmon to do various monitoring and troubleshooting tasks.

To use Replmon

1. Log on to Server1 as Administrator.

2. Use the procedure provided earlier in this lesson to start Replmon. Add Server1 and Server2 as monitored servers.

3. In the console tree, find the Columbus site. Find Server1 in the Columbus site. Note how the global catalog server is represented by a domain controller icon with a globe to the upper right.

4. Select Server1. Note how the status for the server appears in the details pane. In the console tree, expand Server1. Note how the directory partitions are represented by the book icon. Expand the directory partitions for Server1. Note how the replication partners are represented by an icon resembling a phone connection, which represents a bridgehead connection. Select one of the replication partners. Note how the status for the replication partner appears in the details pane.

5. Right-click Server1, point to Show Bridgehead Servers, and click In The Enterprise. Note the results on the Show Bridgehead Servers In Site dialog box.

6. Right-click Server1 and select Generate Status Report. In the Save As dialog box, type New in the File Name list, and then click Save. In the Report Options dialog box, click OK. Click OK in the Report Status message box. In the Active Directory Replication Monitor window, select File, and then click Open Log. In the Open dialog box, select the New.log file you just created, and then click Open. View the results of the status report.

Exercise 2: Using Repadmin

In this exercise, you use Repadmin to display the replication partners for a server, display the highest USN on the server, determine if the server is up-to-date with another server, display the connection objects for the server, and force replication between replication partners.

To use Repadmin

1. On Server1, click Start, and then click Command Prompt.

2. At the command prompt, type repadmin /showrepl server1.contoso.com to display the replication partners for Server1. The objectGUID for the selected server and its replication partners and the InvocationID for the selected server are shown.


3. Type repadmin /showutdvec server1.contoso.com dc=contoso,dc=com to display the highest USN on the server.

4. Type repadmin /showconn server1.contoso.com to display the connection objects for Server1.

5. Type repadmin /replicate server1.contoso.com server2.contoso.com dc=contoso,dc=com to force replication between replication partners.

Exercise 3: Using Dsastat

In this exercise, you use Dsastat to compare the number of objects in the directory for the domain.

To use Dsastat

1. Click Start, and then click Command Prompt.

2. At the command prompt, type dsastat -s:server1;server2 -b:DC=contoso,DC=com -gcattrs:objectclass -p:999 to compare the number of objects in the directory for the domain. This search keeps a count of the different types of objects in each of the replicas and then compares the count for each object class.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. What is the function of Replmon.exe?

2. What is the function of Repadmin.exe?

3. What is the function of Dsastat.exe?


4. If replication of directory information has stopped, what should you check?

5. You received Event ID 1265 with the error “DNS Lookup Failure.” What are some actions you might take to remedy the error? (Choose all that apply.)

   a. Manually force replication.

   b. Reset the domain controller’s account password on the PDC emulator master.

   c. Check the domain controller’s CNAME record.

   d. Make sure “Bridge All Site Links” is set correctly.

   e. Check the domain controller’s A record.

Lesson Summary

Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition, provide Replmon.exe: Active Directory Replication Monitor, Repadmin.exe: Replication Diagnostics Tool, and Dsastat.exe for monitoring and troubleshooting replication. To use these tools, you must first install the Windows Support Tools on your computer.

The Active Directory Replication Monitor (Replmon) enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication through a graphical interface.

The Replication Diagnostics Tool (Repadmin) allows you to view the replication topology as seen from the perspective of each domain controller and the replication metadata and up-to-datedness vectors. This tool can be used in troubleshooting to manually create the replication topology (although in normal practice this should not be necessary), and to force replication events between domain controllers.

Dsastat.exe compares and detects differences between directory partitions on domain controllers and can be used to ensure that domain controllers are up-to-date with one another. The tool retrieves capacity statistics such as megabytes per server, objects per server, and megabytes per object class, and compares the attributes of replicated objects.


Troubleshooting Lab

You are a network administrator for Contoso Pharmaceuticals. One of your domain controllers, Server2, had a hardware failure and was offline for over a month until a replacement component was located. You start Server2 and verify that you can connect to the administrative shares (C$ and admin$) on other domain controllers from Server2.

Then, you try to synchronize the domain, but the attempt fails, producing an “Access denied” error message. You look in the Event Viewer’s Directory Service log and see Event ID 1265 that reads “Access Denied.” You want to resolve this issue without rebuilding the domain controller.

As described earlier in this chapter, this situation is common when domain controllers have been out of communication for a while. To correct this issue, you must reset the machine account password on your domain controller. To do this, you’ll require both the Windows Support Tools and the Kerbtray.exe application. You should already have the Windows Support Tools on Server2. If you haven’t installed them, use the instructions in Chapter 2 to install them. To install Kerbtray, follow these steps:

1. Log on to Server2 using the administrator user name and password.

2. Place the Supplemental CD-ROM in the CD-ROM drive of Server2.

3. Assuming your CD-ROM is letter D, click Start, click Run, type D:\70-294\Labs\Chapter05\Kerbtray_setup.exe, and press Enter. The Microsoft Web Installation Wizard opens.

4. Click Next to begin the installation of Kerbtray.exe. Read the license agreement and click “I agree” (if you agree to the terms—otherwise you cannot continue this lab). Then click Next to proceed. The destination directory screen is displayed.

5. Since Kerbtray.exe requires only 656 KB to install, you shouldn’t have to worry about drive space. Click Install Now. Click Finish once the installation is complete.

You are now ready to proceed with resetting the computer account on Server2. Imagine that Server1 is one of your existing domain controllers and Server2 is your recently repaired domain controller that has been offline for over a month.

1. Stop the Key Distribution Center (KDC) service on Server2. To do so, open a Command Prompt, type net stop KDC, and press Enter.

2. Load Kerbtray.exe. You can do so by clicking Start, clicking Run, and then typing c:\program files\resource kit\kerbtray.exe and pressing Enter. You should see a little green ticket icon in your system tray in the lower right corner of your desktop.


3. To purge the ticket cache on Server2, right-click the green ticket icon in your system tray, and then click Purge Tickets. You should receive a confirmation that your ticket cache was purged. Click OK.

4. Reset the Server2 domain controller account password on Server1 (the PDC emulator). To do so, open a command prompt and type netdom /resetpwd /server:server2 /userd:contoso.com\administrator /passwordd:password, and then press Enter.

5. Synchronize the domain. To do so, open a command prompt, type repadmin /syncall, and then press Enter.

6. Start the KDC service on Server2. To do so, open a command prompt, type net start KDC, and press Enter.

This completes the process, and the domain controllers should be replicating successfully now.

Case Scenario Exercise

You are a network administrator for City Power & Light (http://www.cpandl.com). City Power & Light has five different locations named Main, North, South, East, and West. The Main location has 350 employees. The North and East locations have 150 employees each. The South location has 100 employees. The West location is fairly new and has only five employees. Each employee has a client computer on the network. The offices are connected as a WAN utilizing leased digital lines with varying speeds as shown in Figure 5-23.

[Figure 5-23 is a WAN diagram showing the Main location, an Internet connection, and the North, South, East, and West locations, with links labelled T1 or 56 Kbps; the diagram itself is not reproduced here.]

Figure 5-23 City Power & Light WAN connections

City Power & Light has a single Windows Server 2003 domain. There are two domain controllers at the Main location. No other domain controllers have been installed.


There are two computers running Windows 2000 Server that are configured as member servers at each location. These servers are used for file sharing. All locations use the same applications and services. All client computers were recently upgraded from Microsoft Windows 98 to Microsoft Windows XP Professional. After the upgrade, users noticed some delay in logging on to the network.

Given this information, answer the following questions:

1. Assume that the company has only enough money to purchase two additional domain controllers. Which two locations would benefit most from those domain controllers?

2. Other than domain controllers, what services would you add to each location in order to speed up logons and directory access?

3. You’ve installed additional domain controllers at the North and East locations. Now you want to control replication between those new domain controllers and the domain controllers at the Main location. What should you do?

4. Backups are run every night between 10 P.M. and 4 A.M. At this time, all remote file server data is sent to the Main location. You want to ensure that Active Directory doesn’t try to replicate data during those hours. What should you do?

5. The physical connection between East and Main was primarily used for logons. Now that East has its own site, the link is mainly used for replication traffic. City Power & Light pays for that connection by the minute. You just installed a new connection between East and North that doesn’t carry a per-minute cost. You want replication to take place between East and North, but you cannot completely eliminate the connection between East and Main. You want the site link between East and Main to be used only if the site link between East and North is unavailable. What should you do?


Chapter Summary

■ A site is a set of IP subnets connected by a highly reliable and fast link (usually a LAN). Site structure mirrors the location of user communities. Sites have two main roles: to facilitate authentication and the replication of data between sites. Active Directory replicates information in two ways: intrasite (within a site) and intersite (between sites).

■ For optimum network response time and application availability, place at least one domain controller in each site or two domain controllers in each domain. Intersite replication is replication that occurs between sites.

■ A site link is a logical, transitive connection between two or more sites that mirrors the network links and allows replication to occur.

■ Bridgehead servers are the contact point for exchange of directory information between sites. When two sites are connected by a site link, the KCC automatically selects bridgehead servers. You can designate bridgehead servers manually, called “preferred” bridgehead servers.

■ A site link bridge is the linking of more than two sites for replication using the same transport. When more than two sites are linked for replication and use the same transport, by default, all of the site links are “bridged” in terms of cost, assuming the site links have common sites. If site link transitivity is enabled, which it is by default, creating a site link bridge has no effect. Therefore, it is seldom necessary to create site link bridges.

■ A global catalog server is a domain controller that stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest. For optimum network response time and application availability, designate at least one domain controller in each site as the global catalog server. To optimize replication in a multiple site environment, you might need to consider adding global catalogs for specific sites.

■ Universal group membership caching, a new feature in Windows Server 2003, allows a site that does not contain a global catalog server to be configured to cache universal group memberships for users who log on to the domain controller in the site.

■ An application directory partition is a directory partition that is replicated only to specific domain controllers running Windows Server 2003. Application directory partitions are usually created by the applications that use them to store and replicate data.

■ Replmon.exe: Active Directory Replication Monitor, Repadmin.exe: Replication Diagnostics Tool, and Dsastat.exe are provided for monitoring and troubleshooting replication. To use these tools, you must first install the Windows Support Tools on your computer.


Exam Highlights

Before taking the exam, review the key points and terms that are presented in this chapter. You need to know this information.

Key Points

■ A global catalog server is a domain controller that stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest. For optimum network response time and application availability, designate at least one domain controller in each site as the global catalog server. To optimize replication in a multiple site environment, you might need to consider adding global catalogs for specific sites.

■ Universal group membership caching allows a site that does not contain a global catalog server to be configured to cache universal group memberships for users who log on to the domain controller in the site. Use the universal group membership caching feature to eliminate the need to deploy global catalog servers into smaller remote office locations in order to avoid logon failures in the event that the network link connecting the remote site to the rest of the organization is disconnected.

■ An application directory partition is a directory partition that is replicated only to specific domain controllers running Windows Server 2003. Use the Ntdsutil command-line tool to create or delete an application directory partition, add or remove an application directory partition replica, display application directory partition information, set a notification delay, prepare a cross-reference object, or set an application directory partition reference domain.

■ To configure a site you must create a site, create a subnet and associate it with the site, create or move a domain controller object into the site, and designate a site license server for the site.

■ A site link is a logical, transitive connection between two or more sites that mirrors the network links and allows replication to occur. Site link replication frequency tells Active Directory how many minutes it should wait before using a connection to check for replication updates. Site link cost indicates the cost of the connection in relation to the speed of the link. Higher costs are used for slow links, and lower costs are used for fast links. A preferred bridgehead server is a server you manually designate to be a contact point for exchange of directory information between sites. You configure site links by using the Active Directory Sites And Services console.

■ Use Replmon.exe: Active Directory Replication Monitor, Repadmin.exe: Replication Diagnostics Tool, and Dsastat.exe to monitor and troubleshoot replication.


Key Terms

application directory partition: A directory partition that is replicated only to specific domain controllers. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition. Applications and services can use application directory partitions to store application-specific data.

global catalog server: A domain controller running Windows Server 2003 that holds a copy of the global catalog for the forest.

preferred bridgehead server: A domain controller in a site, designated manually by the administrator, that is part of a group of bridgehead servers. Once designated, preferred bridgehead servers are used exclusively to replicate changes collected from the site. An administrator may choose to designate preferred bridgehead servers when there is a lot of data to replicate between sites, or to create a fault-tolerant topology. If one preferred bridgehead server is not available, the KCC automatically uses one of the other preferred bridgehead servers. If no other preferred bridgehead servers are available, replication does not occur to that site.

universal group membership caching: A feature in Windows Server 2003 that allows a site that does not contain a global catalog server to be configured to cache universal group memberships for users who log on to the domain controller in the site. This ability allows a domain controller to process user logon requests without contacting a global catalog server when a global catalog server is unavailable. The cache is refreshed periodically as determined in the replication schedule.


Questions and Answers

Lesson 1 Review

1. What is a site?

A site is a set of IP subnets connected by a highly reliable and fast link (usually a LAN).

2. Which directory partition replica type must be replicated to all domain controllers within the domain?

The domain partition must be replicated to all domain controllers within the domain.

3. Which type of replication compresses data to save WAN bandwidth?

Intersite replication compresses data to save WAN bandwidth.

4. What is the difference between a site link and a connection object?

Site links are used by the KCC to determine replication paths between two sites and must be created manually. Connection objects actually connect domain controllers and are created by the KCC, though you can also create them manually if necessary.

5. Which of the following actions does not trigger replication?

a. Accessing an object

b. Creating an object

c. Deleting an object

d. Modifying an object

e. Moving an object

The correct answer is a. Creating, deleting, modifying, or moving an object triggers replication between domain controllers.

Lesson 2 Review

1. What site is created automatically in the Sites container when you install Active Directory on the first domain controller in a domain?

The Default-First-Site-Name site.

2. How many subnets must each site have? To how many sites can a subnet be assigned?

Each site must have at least one subnet, but a subnet can be assigned to only one site.

3. What is the minimum number of domain controllers you should place in a site?

For optimum network response time and application availability, place at least one domain controller for each domain available at each site.


4. What is the purpose of a site license server?

The site license server stores and replicates licensing information collected by the License Logging service on each server in a site.

5. Which of the following administrative tools is used to configure sites?

a. Active Directory Users And Computers console

b. Active Directory Domains And Trusts console

c. Active Directory Sites And Services console

d. Licensing console

The correct answer is c. The Active Directory Sites And Services console is used to configure sites.

Lesson 3 Review

1. What object is created automatically in the IP container when you install Active Directory on the first DC in a domain?

The DEFAULTIPSITELINK site link.

2. You specified a preferred bridgehead server for your network. It fails and there are no other preferred bridgehead servers available. What is the result?

If no other preferred bridgehead servers are specified or no other preferred bridgehead servers are available, replication does not occur to that site even if there are servers that can act as bridgehead servers.

3. Why is it seldom necessary to create site link bridges?

If site link transitivity is enabled, which it is by default, creating a site link bridge has no effect. Therefore, it is seldom necessary to create site link bridges.

4. Which type of replication does the connection schedule control?

Intrasite replication.

5. Which of the following protocols should you use when network connections are unreliable?

a. IP

b. SMTP

c. RPC

d. DHCP

The correct answer is b. Choose SMTP replication when network connections are unreliable or not always available. SMTP site links communicate asynchronously, meaning each replication transaction does not need to complete before another can start, because the transaction can be stored until the destination server is available.


6. You have a high-speed T1 link and a dial-up network connection in case the T1 link is unavailable. You assign the T1 link to have a cost of 100. What cost value should you assign to the dial-up link?

a. 0

b. 50

c. 100

d. 150

The correct answer is d. Higher costs are used for slow links (the dial-up connection), and lower costs are used for fast links (the T1 connection). Because Active Directory always chooses the connection on a per-cost basis, the less expensive connection (T1) is used as long as it is available.

Lesson 4 Review

1. What is the function of the global catalog?

The global catalog performs three key functions:

It enables users to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated.

It enables finding directory information regardless of which domain in the forest actually contains the data.

It resolves UPNs when the authenticating domain controller does not have knowledge of the account.

2. What is a global catalog server?

A global catalog server is a domain controller that stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest.

3. What must you do to allow a domain controller to process user logon requests without contacting a global catalog server?

Enable the universal group membership caching feature using Active Directory Sites And Services.

4. For optimum network response time, how many domain controllers in each site should you designate as a global catalog server?

For optimum network response time and application availability, designate at least one domain controller in each site as the global catalog server.

5. The universal group membership caching feature is set for which of the following?

a. Forest

b. Domain

c. Site

d. Domain controller

The correct answer is c. The universal group membership caching feature must be set for each site and requires a domain controller to run a Windows Server 2003 operating system.

Lesson 5 Review

1. What is an application directory partition?

An application directory partition is a directory partition that is replicated only to specific domain controllers. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.

2. Name the benefits of using an application directory partition.

Using an application directory partition provides redundancy, availability, or fault tolerance, by replicating data to a specific domain controller or any set of domain controllers anywhere in the forest; it reduces replication traffic because the application data is only replicated to specific domain controllers; and applications or services that use LDAP can continue using it to access and store their application data in Active Directory.

3. What is a security descriptor and how is it used in an application directory partition?

A security descriptor is a set of access control information attached to a container or object that controls the type of access allowed by users, groups, and computers. When an object is created in an application directory partition, a default security descriptor reference domain is assigned when the application directory partition is created.

4. What considerations should you make before deleting an application directory partition?

Before deleting the application directory partition, you must identify the applications that use it, determine if it is safe to delete the last replica, and identify the partition deletion tool provided by the application.

5. Which of the following tools can you use to delete an application directory partition? (Choose all that apply.)

a. Ntdsutil command-line tool

b. Application-specific tools from the application vendor

c. Active Directory Installation Wizard

d. Active Directory Domains And Trusts console

e. Active Directory Sites And Services console

The correct answers are a, b, and c. To delete the application directory partition, you can use the Active Directory Installation Wizard to remove all application directory partition replicas from the domain controller, the tools provided with the application, or the Ntdsutil command-line tool.


Lesson 6 Review

1. What is the function of Replmon.exe?

Replmon.exe, the Active Directory Replication Monitor, enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication through a graphical interface.

2. What is the function of Repadmin.exe?

Repadmin.exe, the Replication Diagnostics Tool, allows you to view the replication topology as seen from the perspective of each domain controller. Repadmin.exe can be used in troubleshooting to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view the replication metadata and see how up-to-date a domain controller is.

3. What is the function of Dsastat.exe?

Dsastat.exe compares and detects differences between directory partitions on domain controllers and can be used to ensure that domain controllers are up-to-date with one another. The tool retrieves capacity statistics such as megabytes per server, objects per server, and megabytes per object class, and compares the attributes of replicated objects.

4. If replication of directory information has stopped, what should you check?

Site links. Make sure that a site link has been created from the current site to a site that is connected to the rest of the sites in the network.

5. You received Event ID 1265 with the error “DNS Lookup Failure.” What are some actions you might take to remedy the error? (Choose all that apply.)

a. Manually force replication.

b. Reset the domain controller’s account password on the PDC emulator master.

c. Check the domain controller’s CNAME record.

d. Make sure “Bridge All Site Links” is set correctly.

e. Check the domain controller’s A record.

The correct answers are c and e. This message is often the result of DNS configuration problems. Each domain controller must register its CNAME record for the DsaGuid._msdcs.Forestname. Each domain controller must register its A record in the appropriate zone. So, by checking the domain controller’s CNAME and A records, you may be able to fix the problem.

Case Scenario Exercise

1. Assume that the company has only enough money to purchase two additional domain controllers. Which two locations would benefit most from those domain controllers?

The North and East locations have slow links and more users than the other locations. They could benefit most from an additional domain controller. The West and South locations may not even require additional domain controllers. The South location has a T1 link that may be sufficient for the amount of use that link receives. The West location has only five users. The five users may not be sending any more traffic over the WAN during logon than a domain controller would generate in replication traffic.

2. Other than domain controllers, what services would you add to each location in order to speed up logons and directory access?

DNS servers are used to locate domain controllers, so local DNS servers would help reduce logon delays. Since domain controllers running Windows Server 2003 can cache universal group membership information, you no longer need global catalog servers in each remote site.

3. You’ve installed additional domain controllers at the North and East locations. Now you want to control replication between those new domain controllers and the domain controllers at the Main location. What should you do?

Create sites for those locations. Create site links that connect each remote location to the Main location.

4. Backups are run every night between 10 P.M. and 4 A.M. At this time, all remote file server data is sent to the Main location. You want to ensure that Active Directory doesn’t try to replicate data during those hours. What should you do?

Schedule the site link to be unavailable during those hours.

5. The physical connection between East and Main was primarily used for logons. Now that East has its own site, the link is mainly used for replication traffic. City Power & Light pays for that connection by the minute. You just installed a new connection between East and North that doesn’t carry a per-minute cost. You want replication to take place between East and North, but you cannot completely eliminate the connection between East and Main. You want the site link between East and Main to be used only if the site link between East and North is unavailable. What should you do?

Create a site link between East and North. Configure a higher cost for the site link between East and Main than East and North. This way the lower cost connection between East and North will be preferred for the sake of replication.

Chapter 6 Implementing an OU Structure

Exam Objectives in this Chapter:

Plan an administrative delegation strategy

Plan an organizational unit (OU) structure based upon delegation requirements

Plan an OU structure

Identify the administrative requirements for an OU

Identify the group policy requirements for an OU structure

Implement an OU structure

Create an OU

Move objects within an OU hierarchy

Why This Chapter Matters

This chapter shows you how to plan and implement an OU structure. OUs are created to delegate administration, to administer Group Policy, and to hide objects. Creating OUs to delegate administration is the most important reason for creating an OU, and you should consider this before creating OUs to administer Group Policy or to hide objects. Administrative tasks for OUs, such as renaming, moving, and deleting OUs, and setting OU properties, are necessary tasks you must learn to maintain OUs.

Lessons in this Chapter:

Lesson 1: Understanding OUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3

Lesson 2: Creating an OU Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11

Lesson 3: Administering OUs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16


Before You Begin

To complete the lessons in this chapter, you must

Prepare your test environment according to the descriptions given in the “Getting Started” section of “About This Book”

Complete the practices for installing and configuring Active Directory as discussed in Chapter 2, “Installing and Configuring Active Directory”

Learn to use Active Directory administration tools as discussed in Chapter 3, “Administering Active Directory”

Complete the practices for configuring sites and replication as discussed in Chapter 5, “Configuring Sites and Managing Replication”


Lesson 1: Understanding OUs

Understanding how OUs work is a prerequisite for the creation of OU structures and the administration of OUs. This lesson explains the reasons for defining OUs and introduces you to the principles of OU structure.

After this lesson, you will be able to

■ Identify the three reasons for defining an OU

■ Recognize the OU hierarchy models for delegation of administration

Estimated lesson time: 10 minutes

Understanding OUs

Recall that an organizational unit (OU) is a container used to organize objects within one domain into logical administrative groups. An OU can contain objects such as user accounts, groups, computers, printers, applications, shared folders, and other OUs from the same domain. OUs are represented by a folder icon with a book inside. The Domain Controllers OU is created by default when Active Directory is installed to hold new Microsoft Windows Server 2003 domain controllers. OUs can be added to other OUs to form a hierarchical structure; this process is known as nesting OUs. Each domain has its own OU structure—the OU structure within a domain is independent of the OU structures of other domains.

There are three reasons for defining an OU:

To delegate administration

To administer Group Policy

To hide objects

Defining OUs to Delegate Administration

The primary reason for defining an OU is to delegate administration. Delegating administration is the assignment of information technology (IT) management responsibility for a portion of the namespace, such as an OU, to an administrator, a user, or a group of administrators or users. In the Windows Server 2003 operating system, you can delegate administration for the contents of an OU (all users, computers, or resource objects in the OU) by granting administrators specific permissions for an OU on the OU’s access control list. An access control list (ACL) is the mechanism for limiting access to certain items of information or certain controls based on users’ identity and their membership in various groups. Access control entries (ACEs) in each ACL determine which users or groups can access the OU and what type of access they have. ACLs and ACEs are discussed in more detail in Chapter 9, “Administering Active Directory Objects.”

OU Hierarchy Models for Delegation of Administration

Once you determine the OUs needed for your organization, you can add OUs to other OUs to form a hierarchy of administrative control. Hierarchies consist of one layer of OUs, called top-level OUs, under which are arranged various layers of second-level OUs.

Hierarchies for delegating administration can reflect the following organizational models:

Location

This structure might be used if administration within a domain is handled by location, as shown in Figure 6-1. The top-level OUs—East and West—correspond to the regions set up for the contoso.com organization. The second-level OUs represent the physical locations of the company’s four offices.

Figure 6-1 An OU structure based on location (contoso.com; top level: West, East; second level: Kansas City, St. Paul, Chicago, Columbus)

Business function

This structure might be used if administration within a domain is handled by business function, as shown in Figure 6-2. The top-level OUs—Admin, Devel, and Sales—correspond to contoso.com’s business divisions. The second-level OUs represent the functional divisions within the business divisions.

Figure 6-2 An OU structure based on business function (contoso.com; top level: Admin, Devel, Sales; second level: HR, Acctg, Mktg, Apps, OpSys)

Object type

This structure might be used if administration within a domain is handled by the types of objects being managed, as shown in Figure 6-3. The top-level OUs—Users, Computers, and Resources—correspond to the types of objects used at contoso.com. The second-level OUs represent further detailing of the object types.

Figure 6-3 An OU structure based on types of objects (contoso.com; top level: Users, Computers, Resources; second level: Users, Groups, Workstations, Servers, Apps, Printers)

Combination

This structure might be used if administration within a domain is handled by some combination of the location, business function, and object type hierarchy models, as shown in Figure 6-4. The top-level OUs—West and East—correspond to the regions in which contoso.com has offices. The second-level OUs represent functional divisions within the company.

Figure 6-4 An OU structure based on location and business function (top level: West, East; second level under each: Admin, Devel, Sales)

Types of Administrative Responsibility

There are two types of administrative responsibility you can delegate for an OU:

■ Full control

■ Control for object classes

By default, only domain administrators have full control over all objects in a domain. Domain administrators are responsible for creating the initial OU structure, repairing mistakes, and creating additional domain controllers. It is usually sufficient to allow only domain administrators full control over objects in a domain. However, if there are units in the organization that need to determine their own OU structure and administrative models, you can provide them with this permission by delegating full control.

Note

For detailed information on delegating administrative control of Active Directory objects, including OUs, refer to Chapter 9, “Administering Active Directory Objects.”


When determining whether to delegate full control for an OU, you must determine which areas in the organization need to be allowed to change OU properties and to create, delete, or modify any objects in the OU. If more restrictive control is appropriate, you can accomplish this by delegating control of specific object classes for an OU.

Although there are many object classes in the schema, you need to consider only the object classes in which administrators will create objects. Such object classes typically include user account objects, computer account objects, group objects, and OU objects. When determining whether to delegate control of object classes, for each object class that your administrators will create in Active Directory you must determine

■ Which areas in the organization should be granted full control over objects of this class in the OU

■ Which areas in the organization should be allowed to create objects of this class and thus have full control over these objects

■ Which areas in the organization should be allowed to modify only specific attributes for or perform specific tasks pertaining to existing objects of this class

Note

By default, all child objects in an OU inherit the permissions set on the OU.

Defining OUs to Administer Group Policy

Recall that group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users’ desktops. To create a specific desktop configuration for a particular group of users, you create Group Policy Objects (GPOs), which are collections of Group Policy settings. By linking GPOs to OUs, GPOs can be applied to either users or computers in the OU. Group Policy is discussed in more detail in Chapter 11, “Administering Group Policy.”

Defining OUs to Hide Objects

Your organization might require that certain domain objects, such as objects within an OU or OUs themselves, be hidden from certain users. For example, although a user might not have the permission to read an object’s attributes, the user, if permitted to view the contents of the object’s parent container, can still see that the object exists.

You can hide objects in a domain by creating an OU for the objects and limiting the set of users who have the List Contents permission for that OU. Permissions are discussed in more detail in Chapter 9, “Administering Active Directory Objects.”


Note

Because there is only one way to delegate administration and there are multiple ways to administer Group Policy, you must define OU structures to delegate administration first. After an OU structure is defined to handle delegation of administration, you can define additional OUs to administer Group Policy or hide objects.

Designing OU Structures

You should design OUs for simplicity. Previous chapters emphasized the use of minimal numbers of forests and domains. However, it is likely that your domains will require a number of OUs to meet administrative requirements. The best practice is to begin with one OU and then add only those OUs that you can justify. Although you can have many levels of nested OUs, keep the number of levels to a minimum (fewer than seven) to avoid administrative and performance problems.

Real World

Nested OUs

You can find a wide variety of advice on how many levels down an OU structure is acceptable. Three to seven levels are probably the most common recommendations. However, some suggest that ten levels is still acceptable. The way in which you choose to configure and use the OU structure is probably of more concern than the actual number of levels. For example, a five-level nested OU structure with different group policies applied at each level would actually be more cumbersome than a seven-level OU hierarchy with fewer group policies applied.

Logon and startup times increase when the system has more group policies to evaluate. Further, if you set different permissions on each OU in the hierarchy, troubleshooting could be considerably more difficult than if you had a structure with uniform (inherited) permissions applied. The point to keep in mind is to organize the OU structure to minimize the number of changes in permissions and to reduce the number of GPOs processed. When designing OU structures for your organization, it’s also important to keep the following in mind:

■ OUs are not security principals. That is, you cannot assign access permissions based on a user’s membership in an OU. Access control is the responsibility of global, domain local, or universal groups.

■ Users will not use the OU structure for navigation. Although users can see the OU structure of a domain, the most efficient way for users to find resources in Active Directory is to query the global catalog. Therefore, you should define OUs with administration, not users, in mind.


Exam Tip

Be able to plan an OU structure. Know when to create an OU to delegate administration.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. What are the three reasons for defining an OU?

2. What is “delegating administration”?

3. What is the purpose of creating an OU to hide objects?

4. Can you assign access permissions based on a user’s membership in an OU? Why or why not?

5. Which of the following is the primary reason for defining an OU?

a. To delegate administration

b. To hide objects

c. To administer Group Policy

d. To define the domain structure


Lesson Summary

■ An OU is a container used to organize objects within one domain into logical administrative groups. OUs can be added to other OUs to form a hierarchical structure.

■ There are three reasons for defining an OU: to delegate administration, to administer Group Policy, or to hide objects.

■ Design OUs with administration, not users, in mind. Users will not use the OU structure for navigation. Design OUs for simplicity. The best practice is to begin with one OU and then add only those OUs that you can justify.

■ OUs are not security principals—you cannot assign access permissions based on a user’s membership in an OU. Access control is the responsibility of global, domain local, or universal groups.


Lesson 2: Creating an OU Structure

Each domain can implement its own OU hierarchy. If your enterprise contains several domains, you can create OU structures within each domain, independent of the structures in the other domains. This lesson walks you through the steps for creating an OU structure.

After this lesson, you will be able to

■ Create OUs

Estimated lesson time: 15 minutes

Creating OUs

Use the Active Directory Users And Computers console to create OUs.

To create OUs, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.

2. Right-click the location where you want to create this OU, which can be either a domain or another OU, point to New, and then click Organizational Unit.

3. In the New Object–Organizational Unit dialog box, shown in Figure 6-5, type the name of the new OU in the Name box, and then click OK.

Figure 6-5 New Object–Organizational Unit dialog box


Off the Record

You can also use scripts to create, delete, and manage OUs. You can review some sample scripts for doing so on the Supplemental CD-ROM in the \70-294\Labs\Chapter06 folder. The CreateLabsOU.vbs script will create an OU named Labs in the contoso.com domain. The ViewDCMembers.vbs script lists the members of the Domain Controllers OU. Members of that OU are the Server1 and Server2 computer accounts. The DeleteLabsOU.vbs script removes the Labs OU from the contoso.com domain. To view the contents of any script, right-click the script and then click Edit.

Creating OUs to Hide Objects

Use the Active Directory Users And Computers console and the Security tab in the Properties dialog box for the OU to create OUs for the purpose of hiding objects. Only users who can modify the ACL on an OU are able to hide objects using this procedure.

To create an OU to hide objects, complete the following steps:

1. Create the OU where you will hide objects, as described in “Creating OUs.”

2. Right-click the OU and select Properties.

3. In the Properties dialog box for the OU, click the Security tab.

Note

To view the Security tab in the Properties dialog box for an OU, you must select Advanced Features from the View menu on the Active Directory Users And Computers console.

4. In the Properties dialog box Security tab, shown in Figure 6-6, remove all existing permissions from the OU. Click Advanced.

5. In the Advanced Security Settings dialog box for the OU, clear the Allow Inheritable Permissions From The Parent To Propagate To This Object And All Child Objects check box.

6. In the Security message box, click Remove. Click OK.

7. In the Properties dialog box Security tab, identify the groups that you want to have full control on the OU. Grant those groups full control.

8. Identify the groups that should have generic read access on the OU and its contents. Grant those groups read access.

9. Identify any other groups that might need specific access, such as the right to create or delete a particular class of objects, on the OU. Grant those groups the specific access. Click OK.

10. Move the objects you want to hide into the OU.


Figure 6-6 The Security tab of the Properties dialog box for an OU

Practice: Creating an OU

In this practice, you create the OU structure for the contoso.com domain.

Exercise 1: Planning an OU Structure

In this exercise, you plan an OU structure for Contoso Pharmaceuticals.

To plan an OU structure

Contoso Pharmaceuticals has four locations: Chicago, Kansas City, St. Paul, and Columbus. The organization is divided into two regions, East and West, with Chicago and Columbus in the East region and Kansas City and St. Paul in the West region. The company has one domain, contoso.com. Some administrative decisions are handled by the IT department in each location, and each IT department reports to its regional IT department, which handles larger administrative decisions. Map the OU hierarchy for contoso.com.

Your map should be similar to Figure 6-1.


Exercise 2: Creating Top-Level OUs

In this exercise, you create top-level OUs for the contoso.com domain.

To create top-level OUs

1. Log on to Server1 as Administrator.

2. On Server1, use the procedure provided earlier in this lesson to create the top-level OUs you planned in Exercise 1.

Exercise 3: Creating Second-Level OUs

In this exercise, you create second-level OUs for the contoso.com domain.

To create second-level OUs

1. On Server1, use the procedure provided earlier in this lesson to create the second-level OUs you planned in Exercise 1.

2. The Active Directory Users And Computers console displays the OU structure for contoso.com, which is similar to the one shown in Figure 6-7.

Figure 6-7 OU structure for contoso.com


Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. In what two locations can you create an OU?

2. What tool do you use to create an OU?

3. What action must you take to be able to view the Security tab in the Properties dialog box for an OU?

4. How does the icon used for an OU differ from the icon used for a container?

Lesson Summary

■ Use the Active Directory Users And Computers console to create an OU.

■ You can create an OU within a domain or within another OU.

■ Use the Active Directory Users And Computers console and the Security tab in the Properties dialog box for the OU to create OUs for the purpose of hiding objects.


Lesson 3: Administering OUs

This lesson introduces you to the tasks involved in the administration of OUs. These tasks help administrators to handle changes in the organization that affect OUs.

After this lesson, you will be able to

■ Rename OUs

■ Move OUs

■ Delete OUs

■ Set OU properties

■ Move objects between OUs

Estimated lesson time: 25 minutes

Administering OUs

The OU administration tasks include renaming, moving, and deleting OUs; setting OU properties; and moving objects between OUs.

Renaming, Moving, and Deleting OUs

To meet the changing needs of your organization, you might find it necessary to rename, move, or delete an OU.

Caution

If you decide to delete an OU that contains objects, all of the objects that are in the OU are also deleted.

To rename an OU, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.

2. Expand the domain.

3. Right-click the OU you want to rename, and then click Rename.

4. Type the new OU name over the existing name. Click in an empty part of the console tree.


To move an OU, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.

2. Expand the domain.

3. Click the OU you want to move, drag it to the desired location, and then release. The OU reappears in the new location.

Note

You can use the Active Directory Users And Computers console to move OUs only within a domain. To move OUs between domains, you must use Movetree.exe: Active Directory Object Manager. For more information about using Movetree.exe, refer to Windows Support Tools Help.

To delete an OU, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.

2. Expand the domain.

3. Right-click the OU you want to delete, and then click Delete.

4. In the Active Directory message box, click Yes.

5. If the OU contains objects, an additional Active Directory message box appears. Click Yes to delete the OU and the objects it contains.

Setting OU Properties

To provide additional information about the OU or to assist in finding the OU, you might want to set properties for an OU. The General and Managed By tabs in the Properties dialog box for each OU contain information about the OU. The General tab, shown in Figure 6-8, contains the OU’s description, street address, city, state or province, ZIP code or postal code, and country or region. You can search for the OU by description if it is entered here.


Figure 6-8 Properties dialog box for an OU, General tab

The Managed By tab, shown in Figure 6-9, contains the OU manager’s name, office location, street address, city, state or province, country or region, telephone number, and fax number. If you type the manager’s fully qualified domain name (FQDN) in the Name box in this tab, and you have previously entered information in the Properties dialog box for the user, the information is automatically pulled into the Managed By tab.

Figure 6-9 Properties dialog box for an OU, Managed By tab


To set properties for an OU, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.

2. Expand the domain.

3. Right-click the appropriate OU, and then click Properties.

4. Click the appropriate tab for the OU properties that you want to enter or change, and then type values for each property. Click OK.

Moving Objects Between OUs

When you move objects between OUs in a domain, permissions that are assigned directly to objects remain the same, and the objects inherit permissions from the new OU. Any permissions that were previously inherited from the old OU no longer affect the objects.

Note

To simplify assignment of permissions for printers, move printers on different print servers that require identical permissions to the same OU. Printers are located in the computer object for the print server. To view a printer, click View, then click Users, Groups, And Computers As Containers.

There are three ways to move Active Directory objects between OUs:

■ Use drag and drop.

■ Use the Move option on the Active Directory Users And Computers console.

■ Use the Dsmove command-line tool.

Using Drag and Drop

You can move objects between OUs by selecting them in the source OU, dragging them to the target OU, and then dropping them.

To use drag and drop to move objects between OUs, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.

2. Expand the domain, then expand the source OU.

3. In the details pane, click the object you want to move in the source OU, drag it to the target OU in the console tree, and then release. The object reappears in the new location.


Note

You can use the Active Directory Users And Computers console to move OUs only within a domain. To move OUs between domains, you must use Movetree.exe: Active Directory Object Manager. For more information about using Movetree.exe, refer to Windows Support Tools Help.

Using the Move Option

To meet the needs of your organization, you might need to move only a few users or you might need to move entire groups between OUs. However, you use the Move option in the same way regardless of the objects you are moving.

To use the Move option to move objects between OUs, complete the following steps:

1. In Active Directory Users And Computers, right-click the object to move, and then select Move.

Note

You can move multiple objects at the same time by holding down the Ctrl key as you select the objects, then right-clicking and selecting Move.

2. In the Move dialog box, shown in Figure 6-10, select the OU or container to which you want the object to move, then click OK.

Figure 6-10 The Move dialog box

Using the Dsmove Command-Line Tool

Dsmove is a command-line tool that enables you to move objects between OUs. By using Dsmove, you can also rename a single object without moving it in the directory tree.


The syntax for Dsmove is

dsmove ObjectDN [-newname NewName] [-newparent ParentDN] [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-q] {-uc | -uco | -uci}

Each of the command parameters is explained in Table 6-1.


Table 6-1 Dsmove Command Parameters

ObjectDN
  Specifies the distinguished name of the object you want to move or rename. This parameter is required.

-newname NewName
  Renames the object with a new relative distinguished name.

-newparent ParentDN
  Specifies the new location to which you want to move the object. The new location is specified as the distinguished name of the new parent node.

{-s Server | -d Domain}
  Connects to a specified remote server or domain. By default, the computer is connected to the domain controller in the logon domain.

-u UserName
  Specifies the user name with which the user logs on to a remote server. By default, the logged on user name is used. You can specify a user name using one of the following formats: user name (such as linda), domain\user name (such as contoso\linda), user principal name (such as [email protected]).

-p {Password | *}
  Specifies to use either a password or a (*) to log on to a remote server. If you type *, then you are prompted for a password.

-q
  Suppresses all output to standard output (quiet mode).

-uc
  Specifies a Unicode format for input from or output to a pipe (|).

-uco
  Specifies a Unicode format for output to a pipe (|) or a file.

-uci
  Specifies a Unicode format for input from a pipe (|) or a file.

If a value that you supply contains spaces, use quotation marks around the text (for example, "CN=User One,CN=Users,DC=Contoso,DC=Com"). If you supply multiple values for a parameter, use spaces to separate the values (for example, a list of distinguished names).

To move User One from the Sales OU to the Marketing OU, type:

dsmove "CN=User One,OU=Sales,DC=Contoso,DC=Com" -newparent OU=Marketing,DC=Contoso,DC=Com

To rename a user object from User One to User Two, type:

dsmove "CN=User One,OU=Sales,DC=Contoso,DC=Com" -newname "User Two"


To combine the move and rename operations, type:

dsmove "CN=User One,OU=Sales,DC=Contoso,DC=Com" -newparent OU=Marketing,DC=Contoso,DC=Com -newname "User Two"

To use Dsmove to move objects between OUs, complete the following steps:

1. Click Start, and then click Command Prompt.

2. At the command prompt, type dsmove and the appropriate parameters.
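The following Python script is an added example, not code from the training kit: it models offline what Dsmove does to an object's distinguished name (the -newname and -newparent parameters, the quoting rule for values with spaces, and names containing an escaped comma) and the permission rule from "Moving Objects Between OUs" (explicit ACEs stay, ACEs inherited from the old OU stop applying, the new OU's inheritable ACEs take over). The group names and ACEs are constructed sample data, and the script never contacts a domain controller.

```python
"""Offline model of Dsmove's effect on a distinguished name (DN) and of the
permission rule for objects moved between OUs.  Added example, not code from
the training kit; it never contacts a domain controller."""
from __future__ import annotations

from dataclasses import dataclass


def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDNs on commas that are not escaped with a backslash
    (so "CN=Doe\\, John,OU=Sales,..." keeps the comma inside the name)."""
    parts: list[str] = []
    current: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:                      # the character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    if any(not part or "=" not in part for part in parts):
        raise ValueError(f"malformed distinguished name: {dn!r}")
    return parts


def dsmove_result_dn(object_dn: str, newname: str | None = None,
                     newparent: str | None = None) -> str:
    """Return the DN the object has after
    'dsmove ObjectDN [-newname NewName] [-newparent ParentDN]'.

    -newname replaces only the value of the leading RDN (CN= stays CN=);
    -newparent replaces everything after the leading RDN.  Dsmove needs at
    least one of the two, so the same is required here.
    """
    if newname is None and newparent is None:
        raise ValueError("dsmove requires -newname, -newparent, or both")
    rdn, *parent = split_dn(object_dn)
    attribute, _, _ = rdn.partition("=")
    if newname is not None:
        rdn = f"{attribute}={newname}"
    if newparent is not None:
        parent = split_dn(newparent)
    return ",".join([rdn, *parent])


def quote_arg(value: str) -> str:
    """Apply the lesson's rule: a value containing spaces goes in quotation marks."""
    return f'"{value}"' if " " in value else value


def build_dsmove_command(object_dn: str, newname: str | None = None,
                         newparent: str | None = None) -> str:
    """Assemble the dsmove command line for a move, a rename, or both."""
    dsmove_result_dn(object_dn, newname, newparent)   # validates the inputs first
    parts = ["dsmove", quote_arg(object_dn)]
    if newparent is not None:
        parts += ["-newparent", quote_arg(newparent)]
    if newname is not None:
        parts += ["-newname", quote_arg(newname)]
    return " ".join(parts)


@dataclass(frozen=True)
class Ace:
    """One access control entry; inherited=True means it came from the parent OU."""
    trustee: str
    right: str
    inherited: bool = False


def permissions_after_move(object_aces: list[Ace], new_ou_inheritable: list[Ace]) -> list[Ace]:
    """Lesson rule: ACEs set directly on the object stay, ACEs inherited from the
    old OU stop applying, and the object inherits the new OU's inheritable ACEs."""
    kept = [ace for ace in object_aces if not ace.inherited]
    gained = [Ace(ace.trustee, ace.right, inherited=True) for ace in new_ou_inheritable]
    return kept + gained


# Constructed sample data (hypothetical group names, not from the training kit).
USER_ONE_ACES = [
    Ace("CONTOSO\\HelpDesk", "Reset Password"),                    # set directly on the user
    Ace("CONTOSO\\SalesAdmins", "Full Control", inherited=True),   # inherited from OU=Sales
]
MARKETING_INHERITABLE = [Ace("CONTOSO\\MktgAdmins", "Full Control")]

if __name__ == "__main__":
    print(build_dsmove_command("CN=User One,OU=Sales,DC=Contoso,DC=Com",
                               newname="User Two",
                               newparent="OU=Marketing,DC=Contoso,DC=Com"))
    for ace in permissions_after_move(USER_ONE_ACES, MARKETING_INHERITABLE):
        print(ace)
```

Run it before a bulk move to see which ACEs an object will lose and gain; a user that loses the SalesAdmins inherited entry and gains MktgAdmins is exactly the effect the lesson describes.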


Exam Tip

Be able to move objects within an OU hierarchy.

Practice: Administering OUs

In this practice, you administer OUs.

Note

To complete this practice, you must have successfully completed the exercises in Lesson 2.

Exercise 1: Renaming, Deleting, and Moving OUs

In this exercise, you rename the East OU, delete and re-create the St. Paul OU, and move the Kansas City OU.

To rename, delete, and move OUs

1. Use the procedure provided earlier in this lesson to rename the East OU as the North OU. Rename the new North OU back to the East OU.

2. Use the procedure provided earlier in this lesson to delete the St. Paul OU. Use the procedure provided in Lesson 2 to re-create the St. Paul OU.

3. Use the procedure provided earlier in this lesson to move the St. Paul OU to the East OU. Move the St. Paul OU back to the West OU.

Exercise 2: Setting OU Properties

In this exercise, you set OU properties for the East and West OUs.

To set OU properties

1. Use the procedure provided earlier in this lesson to set OU properties for the East OU.

2. Use the procedure provided earlier in this lesson to set OU properties for the West OU.


Exercise 3: Moving Objects Between OUs

In this exercise, you move users, groups, and OUs between OUs by using the Move option and the Dsmove command-line tool.

To move objects between OUs

1. Log on to Server1 as Administrator.

2. On Server1, use the procedure provided earlier in this lesson to perform the following moves by using drag and drop or the Move option:

❑ Move User11, User13, User15, User17, and User19 from the KC OU to the St. Paul OU and back to the KC OU.

❑ Move the West OU into the East OU as a second-level OU and back into the contoso.com domain as a first-level OU.

❑ Move User7 from the Chicago OU to the Columbus OU, then back to the Chicago OU.

3. On Server1, use the procedure provided earlier in this lesson to move User9 from the Chicago OU to the Columbus OU by using the Dsmove command-line tool.

4. What command did you use to move User9 from the Chicago OU to the Columbus OU?

Dsmove "CN=User Nine,OU=Chicago,OU=East,DC=Contoso,DC=Com" -newparent OU=Columbus,OU=East,DC=Contoso,DC=Com

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. What is the purpose of setting properties for an OU?

2. Why might you need to move an OU?

3. Which is more flexible, domain structure or OU structure?

4. What are the three ways to move Active Directory objects between OUs?

5. What happens to permissions when you move objects between OUs?

Lesson Summary

■ Use the Active Directory Users And Computers console to rename, move within a domain, and delete OUs. If you delete an OU that contains objects, all of the objects that are in the OU are also deleted.

■ There are three ways to move Active Directory objects between OUs: 1) use drag and drop, 2) use the Move option on the Active Directory Users And Computers console, and 3) use the Dsmove command.

■ When you move objects between OUs in a domain, permissions that are assigned directly to objects remain the same, and the objects inherit permissions from the new OU. Any permissions that were previously inherited from the old OU no longer affect the objects.

Case Scenario Exercise

You are the domain administrator for City Power & Light (http://www.cpandl.com), as introduced in the Troubleshooting Lab of Chapter 5. City Power & Light now has three Active Directory sites, as shown in Figure 6-11. The North and East sites have one domain controller each and the Main site has two domain controllers. All locations contain client computers running Microsoft Windows XP Professional. All servers running Microsoft Windows 2000 were upgraded to Windows Server 2003. The number of employees at each location has not changed.


Figure 6-11 City Power & Light Active Directory infrastructure (Active Directory sites at the North, East, and Main locations; West and South locations; WAN links of T1 and 56 Kbps, plus an Internet connection)

City Power & Light still has a single Windows 2003 domain. There are three different offices in the Main location. These offices are named Accounting, Human Resources, and Operations. Each location (except Main) is also an office. The offices are named after their geographic location (North, South, East, and West).

Given this information, answer the following questions:

1.

Each office with more than 100 users is allowed to hire its own network administrator. Network administrators should be allowed to create, delete, rename, reset, and manage the user accounts and computer accounts of those offices. Currently, the East, North, and Operations offices have more than 100 users apiece. What should you do?

2.

The North, South, East, and West offices all require the same specialized software. However, none of the other offices require this software. What are ways in which you can organize the Active Directory structure to accommodate these requirements while distributing the software using Group Policy?


3.

A total of 50 contracted employees are hired to work in the Operations office. They require different software than the rest of the users in the Operations office. Furthermore, the manager of the Operations office wants you to lock down specific portions of their desktops. The network administrator of the Operations OU needs your help. You must ensure that the network administrator of the Operations OU can manage these users and their computers. What should you do?

Troubleshooting Lab

You are a network administrator for Contoso Pharmaceuticals. You were recently on vacation for a week, and during your absence, two people were assigned to handle your daily tasks. One of those tasks was to create an OU named Accounting. Due to a communications error, both people performed this task. Each did so at a different domain controller. When you return to work, you are told about the situation and then shown what they believe to be corrupted data in the Active Directory database. They need your help to figure out what happened and determine what to do about it.

In order to see this issue, you must first create the problem. To do so, complete the following steps:

1.

Unplug the network cable from the network card of Server2 to ensure that the servers are not able to replicate while you complete these steps.

2.

Log on to Server1 using the domain administrator’s user name and password.

3.

Open the Active Directory Users And Computers console.

4.

Create a new OU named Accounting in the contoso.com domain.

5.

Once you see the Accounting OU in contoso.com, unplug the network cable from the network interface card of Server1. Reconnect the network cable that you removed from Server2. The network cable of Server1 should be unplugged and the network cable of Server2 should be connected.

6.

Log on to Server2 using the domain administrator’s user name and password.

7.

Open the Active Directory Users And Computers console. This will take a while, because the console cannot reach the domain controller it used last time, so be patient.

8.

You’ll see an error indicating that naming information cannot be located. Click OK. The Active Directory Users And Computers console opens.

9.

Right-click the Active Directory Users And Computers object in the console. Then click Connect To Domain Controller.


10.

Type Server2 into the Enter The Name Of Another Domain Controller text box and click OK. Click Yes to confirm that you’d like to make this connection. It will take a few moments to make the connection.

Off the Record

If you ever see an error when initializing a domain management console, you should investigate the reason for the error. You should also make arrangements to ensure that no two administrators attempt to perform the same administrative tasks at different sites (that is, on different domain controllers). Otherwise, problems might occur that are difficult to correct. For example, two administrators moving the same server object in Active Directory Sites and Services, but from two different geographical locations, are likely to cause a problem that would require Ntdsutil and Metadata cleanup. You learned about Metadata cleanup in Chapter 3.

11.

Click Refresh or press the F5 key after about 60 seconds and you should see the contoso.com domain load.

12.

Create an OU named Accounting. Although the console will run a bit slower, you should be able to perform this task. This is a different Accounting OU than you just created on Server1. You will see this once the two servers have synchronized.

13.

Once the Accounting OU has been created, insert the network cable of Server1. Now both Server1 and Server2 will replicate. Wait a couple of minutes.

14.

Return to Server1. Close and then reopen the Active Directory Users And Computers console. You should see two new OUs: one named Accounting and the other named Accounting followed by some additional characters: a box (a line-feed character that the console cannot display), the letters CNF, a colon, and the object’s GUID (32 hexadecimal digits, shown with hyphens).

This is what happens when two administrators create objects with the same name in the same container on two different domain controllers before replication has run. This is not corrupted data, but rather a naming conflict. Two Lightweight Directory Access Protocol (LDAP) objects cannot have the same relative distinguished name in the same container, so when the change from each domain controller reaches the other, replication keeps the name on the object whose creation wins the normal conflict comparison (higher version number, then later originating timestamp, then the originating domain controller’s invocation ID) and renames the other object to Accounting\0ACNF:<objectGUID>, where \0A is a line feed and the GUID is the renamed object’s own. Both OUs here are new objects with the same version number, so the one created later keeps the name Accounting and the one created first is renamed. You may simply delete the object with the long name. Of course, if the object with the long name contained other resources that were supposed to be part of your domain, you’d first move those resources to the appropriate containers.

Note

Although you caused the replication delay by unplugging the domain controllers, you’d typically find such delays in environments with multiple sites. The default intersite replication interval of 180 minutes, and a replication schedule that keeps site links closed for part of the day, leave a much longer window in which two administrators can create the same object on different domain controllers.
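The following PowerShell script is an added example, not code from the training kit. It automates the cleanup the lab describes: it searches for every object whose name carries the CNF: tag, locates the surviving object with the original name in the same container and, only when run with the -Cleanup switch, moves the losing OU’s children to the survivor before deleting it. It assumes you run it as a domain administrator on a machine joined to the lab’s contoso.com domain; the parameter names are this example’s own.

```powershell
# Added example, not part of the training kit. Finds replication name-conflict
# (CNF) objects, shows the surviving object each one collided with and, only
# with -Cleanup, moves the loser's children to the survivor and deletes it.
# Assumes: run as a domain administrator on a machine joined to the lab's
# contoso.com domain. The parameter names are this example's own.
param(
    [string]$SearchBase = "LDAP://DC=contoso,DC=com",
    [switch]$Cleanup
)

# RFC 4515 escaping for a value embedded in an LDAP filter (backslash first).
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# A renamed loser has the RDN "<name><LF>CNF:<objectGUID>"; the line feed is
# written as the hex escape \0a inside the filter.
$root     = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(name=*\0aCNF:*)")
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]@("distinguishedName", "name", "objectGUID", "whenCreated"))

foreach ($result in $searcher.FindAll()) {
    $dn   = [string]$result.Properties["distinguishedname"][0]
    $name = [string]$result.Properties["name"][0]
    $guid = New-Object System.Guid -ArgumentList (,[byte[]]$result.Properties["objectguid"][0])

    # Split the mangled name into the original value and the CNF tag, and make
    # sure the tag carries this object's own GUID before touching anything.
    $original, $tag = $name -split "`n", 2
    if (-not $tag -or [guid]($tag -replace '^CNF:', '') -ne $guid) {
        Write-Warning "$dn : CNF tag does not match objectGUID, skipping"
        continue
    }

    # The winner keeps the un-mangled name in the same container.
    $loser    = $result.GetDirectoryEntry()
    $parent   = $loser.psbase.Parent
    $sibling  = New-Object System.DirectoryServices.DirectorySearcher($parent, "(name=$(ConvertTo-LdapFilterValue $original))")
    $sibling.SearchScope = "OneLevel"
    $winner   = $sibling.FindOne()
    $winnerDn = if ($winner) { [string]$winner.Properties["distinguishedname"][0] } else { "<not found>" }

    "{0}`n  created : {1}`n  survivor: {2}" -f $dn, $result.Properties["whencreated"][0], $winnerDn

    if ($Cleanup -and $winner) {
        $target = $winner.GetDirectoryEntry()
        # Move every child (users, computers, nested OUs) before deleting so that
        # nothing placed under the losing OU is lost with it.
        foreach ($child in @($loser.psbase.Children)) {
            Write-Host ("moving {0} -> {1}" -f $child.psbase.Path, $target.psbase.Path)
            $child.psbase.MoveTo($target)
        }
        $loser.psbase.DeleteTree()
        Write-Host "deleted $dn"
    }
}
```

Run it once without -Cleanup and read the report: a CNF object whose survivor is “not found” means the winner was deleted or moved after the conflict, and it should be handled by hand rather than deleted blindly. The GUID check exists because the CNF tag is just part of the name; verifying it against objectGUID protects you from a legitimately named object that merely happens to contain the string.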


Chapter Summary

■ An OU is a container used to organize objects within one domain into logical administrative groups. OUs can be added to other OUs to form a hierarchical structure.

■ There are three reasons for defining an OU: to delegate administration, to administer Group Policy, and to hide objects.

■ Design OUs with administration, not users, in mind. Users will not use the OU structure for navigation. OUs are not security principals; you cannot assign access permissions based on a user’s membership in an OU. Design OUs for simplicity. The best practice is to begin with one OU and then add only those OUs that you can justify.

■ Use the Active Directory Users And Computers console to create an OU. You can create an OU within a domain or within another OU.

■ The OU administration tasks include renaming, moving, and deleting OUs, setting OU properties, and delegating control of OUs.

■ Use the Active Directory Users And Computers console to rename, move within a domain, and delete OUs. If you delete an OU that contains objects, all of the objects that are in the OU are also deleted.

■ Use the Active Directory Users And Computers console to set properties for an OU. Properties provide additional information about the OU or assist in finding the OU.

■ Use drag and drop, the Move option on the Active Directory Users And Computers console, or the Dsmove command to move Active Directory objects between OUs. When you move objects between OUs in a domain, permissions that are assigned directly to objects remain the same, and the objects inherit permissions from the new OU. Any permissions inherited from the old OU no longer affect the objects.

Exam Highlights

Before taking the exam, review the key points and terms that are presented in this chapter. You need to know this information.


Key Points

■ The primary reason for defining an OU is to delegate administration. Delegating administration is the assignment of IT management responsibility for a portion of the namespace, such as an OU, to an administrator, a user, or a group of administrators or users.

■ You should design OUs for simplicity. It is likely that your domains will require a number of OUs to meet administrative requirements. The best practice is to begin with one OU and then add only those OUs that you can justify. Define OUs with administration, not users, in mind.

■ By linking GPOs to OUs, GPOs can be applied to either users or computers in the OU. Because there is only one way to delegate administration and there are multiple ways to administer Group Policy, you must define OU structures to delegate administration first. After an OU structure is defined to handle delegation of administration, you can define additional OUs to administer Group Policy.

■ You cannot assign access permissions based on a user’s membership in an OU. OUs are not security principals. Access control is the responsibility of global, domain local, or universal groups.

■ You move objects within an OU hierarchy by using drag and drop, the Move option on the Active Directory Users And Computers console, or the Dsmove command.

Key Terms

access control list (ACL)

The mechanism for limiting access to certain items of information or to certain controls based on users’ identity and their membership in various predefined groups. An ACL is typically used by system administrators for controlling user access to network resources such as servers, directories, and files and is typically implemented by granting permissions to users and groups for access to specific objects.

nested OUs

The creation of organizational units (OUs) within OUs.

organizational unit (OU)

An Active Directory container object used within a domain. An OU is a logical container into which you can place users, groups, computers, and other OUs. It can contain objects only from its parent domain. An OU is the smallest scope to which you can apply a Group Policy or delegate authority.

Questions and Answers

Lesson 1 Review (page 6-9)

1.

What are the three reasons for defining an OU?

The three reasons for defining an OU are to delegate administration, to administer Group Policy, or to hide objects.

2.

What is “delegating administration”?

Delegating administration is the assignment of IT management responsibility for a portion of the namespace, such as an OU, to an administrator, a user, or a group of administrators or users.

3.

What is the purpose of creating an OU to hide objects?

Although a user might not have the permission to read an object’s attributes, the user can still see that the object exists by viewing the contents of the object’s parent container. You can hide objects in a domain by creating an OU for the objects and limiting the set of users who have the List Contents permission for that OU.

4.

Can you assign access permissions based on a user’s membership in an OU? Why or why not?

No, you cannot assign access permissions based on a user’s membership in an OU. OUs are not security principals. Access control is the responsibility of global, domain local, or universal groups.

5.

Which of the following is the primary reason for defining an OU?

a.

To delegate administration

b.

To hide objects

c.

To administer Group Policy

d.

To define the domain structure

The correct answer is a. Although hiding objects and administering Group Policy are reasons for defining an OU, they are not the primary reason. You do not define an OU to define the domain structure.

Lesson 2 Review (page 6-15)

1.

In what two locations can you create an OU?

You can create an OU within a domain or within another OU.

2.

What tool do you use to create an OU?

The Active Directory Users And Computers console is used to create an OU.

3.

What action must you take to be able to view the Security tab in the Properties dialog box for an OU?

You must select Advanced Features from the View menu on the Active Directory Users And Computers console.

4.

How does the icon used for an OU differ from the icon used for a container?

The icon used for an OU is a folder with a book. The icon used for a container is a folder.

Lesson 3 Review (page 6-23)

1.

What is the purpose of setting properties for an OU?

To provide additional information about the OU or to assist in finding the OU, you might want to set properties for an OU.

2.

Why might you need to move an OU?

To accommodate the changing needs of an organization.

3.

Which is more flexible, domain structure or OU structure?

Because OUs can be easily renamed, moved, and deleted, OU structure is more flexible than domain structure.

4.

What are the three ways to move Active Directory objects between OUs?

There are three ways to move Active Directory objects between OUs:

■ Use drag and drop

■ Use the Move option on the Active Directory Users And Computers console

■ Use the Dsmove command

5.

What happens to permissions when you move objects between OUs?

Permissions that are assigned directly to objects remain the same, and the objects inherit permissions from the new OU. Any permissions that were previously inherited from the old OU no longer affect the objects.

Case Scenario Exercise (page 6-25)

1.

Each office with more than 100 users is allowed to hire its own network administrator. Network administrators should be allowed to create, delete, rename, reset, and manage the user accounts and computer accounts of those offices. Currently, the East, North, and Operations offices have more than 100 users apiece. What should you do?

Create an OU for East, North, and Operations. Create a user account for each new administrator. Place all of the user and computer accounts for each office into their respective OUs. Delegate administrative rights to the new administrators to their respective office OUs.

2.

The North, South, East, and West offices all require the same specialized software.

However, none of the other offices require this software. What are ways in which you can organize the Active Directory structure to accommodate these requirements while distributing the software using Group Policy?

Since you already have East and North OUs, you could create additional OUs for West and South. Then, you could distribute the software to each of these OUs by creating a single GPO and linking it to all four OUs. The other option is to place each OU inside a single OU. For example, you could create an OU named Remote and then place the North, South, East, and West OUs inside the Remote OU. Then you could assign a GPO that distributed the software to the Remote OU, which in turn would flow down to the separate locations. Probably the best way would be to use the first method, linking the GPO here to each individual OU. Flatter OU structures are easier to manage and troubleshoot. Further, Group Policy processing occurs more quickly on flat OU structures.

3.

A total of 50 contracted employees are hired to work in the Operations office.

They require different software than the rest of the users in the Operations office.

Furthermore, the manager of the Operations office wants you to lock down specific portions of their desktops. The network administrator of the Operations OU needs your help. You must ensure that the network administrator of the Operations OU can manage these users and their computers. What should you do?

The most efficient option is to create a new OU. For example, you could create an OU named Contractors that is subordinate to (within) the Operations OU. The network administrator of the Operations OU would then inherit the ability to manage the Contractors OU. Then, you’d use Group Policy to assign the specific software and desktop lockdown policies that are required to meet the needs of these contracted employees.

Chapter 7 Administering User Accounts

Exam Objectives in this Chapter:

■ Plan a user authentication strategy

■ Plan a smart card authentication strategy

Why This Chapter Matters

This chapter shows you how to work with user accounts. As a network administrator, you’ll undoubtedly have to create, modify, delete, and troubleshoot issues with user accounts. In order to perform these tasks effectively, you’ll need to know the different types of user accounts, such as local, domain user, and built-in accounts. You must also understand the differences in the way these accounts are authenticated as well as the system rights and permissions these accounts have by default.

You may also need to establish standards for the appearance and consistency of users’ desktops and data. In order to do so, you must understand how to manage user properties and user profiles. For example, you should know the differences between the types of user profiles: local, roaming, and mandatory. You should also know how and when to use each type.

User account security is an important consideration in the management of user accounts. You need to understand how to create and enforce secure password and account policies in order to help protect your network from compromise.

You should understand how smart cards could be used to alleviate some of the common problems with passwords and reduce the chances of user account compromise.

Lessons in this Chapter:

Lesson 1: Understanding User Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3

Lesson 2: Creating User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-13

Lesson 3: Managing User Profiles and Home Folders . . . . . . . . . . . . . . . . . 7-27

Lesson 4: Maintaining User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-44


Before You Begin

To complete the lessons in this chapter, you must

■ Prepare your test environment according to the descriptions given in the “Getting Started” section of “About This Book”

■ Complete the practices for installing and configuring Active Directory as discussed in Chapter 2, “Installing and Configuring Active Directory”

■ Learn to use Active Directory administration tools as discussed in Chapter 3, “Administering Active Directory”

■ Complete the practices for configuring sites and replication as discussed in Chapter 5, “Configuring Sites and Managing Replication”

■ Complete the practices for implementing an organizational unit (OU) structure as discussed in Chapter 6, “Implementing an OU Structure”


Lesson 1: Understanding User Accounts

Before you can create user accounts or user profiles, you must understand the types of user accounts and the information necessary to create them. This lesson introduces you to the various types of user accounts, user account naming conventions, and user account password requirements.

After this lesson, you will be able to

■ Describe the difference between a local user account and a domain user account

■ Describe the purpose of the built-in accounts

■ Explain the purpose of user account naming conventions

■ Explain the user account password requirements

■ Explain how smart cards are used to authenticate users

Estimated lesson time: 10 minutes

Understanding User Accounts

A user account is a record that consists of all the information that defines a user to Microsoft Windows Server 2003. This includes the user name and password required for the user to log on, the groups in which the user account has membership, and the rights and permissions the user has for using the computer and network and accessing their resources. A user account provides a user with the ability to log on to a computer to gain access to resources on that computer or to log on to a domain to gain access to network resources. Each person who regularly uses a computer or the network should have a unique user account.

In Windows Server 2003, authentication for domain users is based on user accounts in Active Directory. Authentication confirms the identity of any user trying to log on to a domain or to access network resources. Windows Server 2003 authentication enables single sign-on to all network resources. With single sign-on, a user can log on to the client computer once, using a single password or smart card, and authenticate to any computer in the domain. To provide security for a network running Windows Server 2003, you must provide access for legitimate users but screen out potential intruders. This means you must set up your security features to authenticate all user access to system resources. Authentication protects against intruders trying to steal identities or impersonate users.

User Account Types

Windows Server 2003 provides three types of user accounts: local user accounts, domain user accounts, and built-in user accounts. With a local user account, a user logs on to a specific computer to gain access to resources on that computer. With a domain user account, a user can log on to a domain to gain access to network resources. Built-in user accounts are created automatically by Windows Server 2003 for the purpose of performing administrative tasks or to gain access to network resources.

This training kit focuses on domain user accounts.

Local User Accounts

Local user accounts allow users to log on to, and gain access to resources on, only the computer where the local user account is created. When you create a local user account, as shown in Figure 7-1, Windows Server 2003 creates the account only in that computer’s security database, which is called the local security database. Windows Server 2003 does not replicate local user account information to domain controllers. After a local user account is created, the computer uses its local security database to authenticate the local user account, which allows the user to log on to that computer.

Figure 7-1 Local user account

Do not create local user accounts on computers that require access to domain resources, because the domain does not recognize local user accounts. Therefore, the user is unable to gain access to resources in the domain.

Domain User Accounts

Domain user accounts allow users to log on to a domain and gain access to resources anywhere on the network. The user provides his or her user name and password during the logon process. By using this information, Windows Server 2003 authenticates the user and then builds an access token that contains information about the user and security settings. The access token identifies the user to computers running Windows Server 2003 and computers running pre–Windows Server 2003 operating systems on which the user tries to gain access to resources. Windows Server 2003 provides the access token for the duration of the logon session.

You create a domain user account in a container or an OU in the copy of the Active Directory database (called the directory) on a domain controller, as shown in Figure 7-2. The domain controller replicates the new user account information to all domain controllers in the domain.

Figure 7-2 Domain user account

After Windows Server 2003 replicates the new user account information, all of the domain controllers in the domain can authenticate the user during the logon process.

Note

It can take a few minutes to replicate the domain user account information to all domain controllers. This delay might prevent a user from immediately logging on using the newly created domain user account. Within a site, a domain controller notifies its replication partners of a change after a short delay: five minutes in forests upgraded from Windows 2000, and 15 seconds once the forest is at the Windows Server 2003 functional level. Between sites, replication waits for the site link schedule and interval.

Built-In User Accounts

Windows Server 2003 automatically creates accounts called built-in accounts. Two commonly used built-in accounts are Administrator and Guest.

Note

The IUSR_computername and IWAM_computername built-in accounts are automatically created when Microsoft Internet Information Services (IIS) is installed on the domain controller. IUSR_computername is an account for anonymous access to IIS. IWAM_computername is an account for anonymous access to IIS out-of-process applications. The TsInternetUser account is automatically created when Terminal Services are installed on the domain controller. TsInternetUser is an account used by Terminal Services.

Administrator

Use the built-in Administrator account to manage the overall computer and domain configuration for such tasks as creating and modifying user accounts and groups, managing security policies, creating printers, and assigning permissions and rights to user accounts to gain access to resources. When you create a domain by promoting a server, this account is the server’s former local Administrator account and keeps that account’s password (the password you specify during Active Directory installation is the separate Directory Services Restore Mode password). The account has permissions to perform all tasks in the domain and cannot be deleted.

Because the Administrator account has full permissions, you must protect it from penetration by intruders. First, you should always rename the Administrator account with a new name that does not connect the account to administrative tasks. Renaming makes it harder for unauthorized users to guess which account to attack, but it is a weak control on its own: the account keeps its well-known relative identifier (RID 500), so anyone who can read the directory can find it by SID regardless of its name. Second, you should always use a long and complex password that cannot be easily cracked for the Administrator account. Third, do not allow too many people to know the administrator password.

Finally, if you are the administrator, you should create a separate user account that you use to perform nonadministrative tasks. Log on by using the Administrator account only when you perform administrative tasks. Or, log on with your user account and use the Run As program when you need to perform a few administrative tasks. For information on setting up user accounts for performing nonadministrative tasks and the Run As program, see Chapter 8, “Administering Group Accounts.”
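To see why renaming alone does not hide the account, here is an added PowerShell example (not from the training kit) that finds the built-in Administrator and Guest accounts of the current domain by their well-known relative identifiers, whatever they have been renamed to. It assumes a domain-joined machine and uses only the read access every authenticated domain member has by default; the function name is this example’s own.

```powershell
# Added example, not part of the training kit. Finds the built-in Administrator
# and Guest accounts of the current domain by their well-known relative IDs
# (500 and 501), whatever names they currently carry. Assumes a domain-joined
# machine; the function name is this example's own.
function Get-WellKnownDomainAccount {
    $rootDse = [adsi]"LDAP://RootDSE"
    $domain  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$([string]$rootDse.defaultNamingContext)")

    # Read the domain SID from the domain object itself.
    $base = New-Object System.DirectoryServices.DirectorySearcher($domain, "(objectClass=domainDNS)")
    $base.SearchScope = "Base"
    $domainSid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$base.FindOne().Properties["objectsid"][0], 0)

    foreach ($rid in 500, 501) {
        # objectSid is searched in its binary form, each byte hex-escaped.
        $sid   = New-Object System.Security.Principal.SecurityIdentifier("$($domainSid.Value)-$rid")
        $bytes = New-Object byte[] $sid.BinaryLength
        $sid.GetBinaryForm($bytes, 0)
        $escaped = ($bytes | ForEach-Object { '\' + $_.ToString('x2') }) -join ''

        $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain, "(objectSid=$escaped)")
        [void]$searcher.PropertiesToLoad.AddRange([string[]]@("sAMAccountName", "userAccountControl", "pwdLastSet"))
        $hit = $searcher.FindOne()
        if (-not $hit) { continue }

        $uac = [int]$hit.Properties["useraccountcontrol"][0]
        New-Object PSObject -Property @{
            RID             = $rid
            SamAccountName  = [string]$hit.Properties["samaccountname"][0]
            Disabled        = [bool]($uac -band 0x2)           # ACCOUNTDISABLE
            PasswordLastSet = [DateTime]::FromFileTime([long]$hit.Properties["pwdlastset"][0])
        }
    }
}

Get-WellKnownDomainAccount | Format-Table RID, SamAccountName, Disabled, PasswordLastSet -AutoSize
```

The output shows the real name behind RID 500 and how old its password is, which is the check worth running after a rename: the rename hides nothing from anyone who can query the directory, so the long password and the limited circle of people who know it are what actually protect the account.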

Guest

The purpose of the built-in Guest account is to provide users who do not have an account in the domain with the ability to log on and gain access to resources. For example, an employee who needs access to resources for a short time can use the Guest account. By default, the Guest account does not require a password (the password can be blank) and is disabled. You should enable the Guest account only in low-security networks and always assign it a password. If you enable the Guest account, always rename it to provide a greater degree of security. Use a name that does not identify it as the Guest account. You can rename and disable the Guest account, but you cannot delete it.

Domain User Account Naming Conventions

The domain user account naming convention you adopt establishes how users are identified in the domain. A consistent user account naming convention helps you and your users remember user logon names and locate them in lists. Table 7-1 summarizes some points you might want to consider in determining a domain user account naming convention for your organization.

Table 7-1 Domain User Account Naming Convention Considerations

Consideration: Selecting local user account names
Explanation: Local user account names must be unique on the computer where you create the local user account.

Consideration: Selecting domain user account names
Explanation: The user’s full name (also referred to as the display name) becomes the account’s relative distinguished name (RDN) and must be unique within the OU or container where you create the account; that in turn makes the account’s distinguished name (DN) unique in the directory. The user logon name, which is the user principal name (UPN), must be unique across the forest. The pre–Windows 2000 logon name, the Security Accounts Manager (SAM) account name, must be unique within the domain.

Consideration: Determining the number of characters in user logon name
Explanation: Pre–Windows 2000 logon names can contain up to 20 uppercase or lowercase characters. Although the field accepts more than 20 characters, Windows Server 2003 recognizes only the first 20.

Consideration: Determining characters in user logon name
Explanation: The following characters are invalid in user logon names if you are using pre–Microsoft Windows 2000 systems: / \ [ ] : ; | = , + * ? < > @ "
You can use a combination of special and alphanumeric characters to help uniquely identify user accounts. User logon names are not case sensitive, but Windows Server 2003 preserves the case.

Consideration: Accommodating duplicate names
Explanation: If two users were named John Emory, you could use the first name and the last initial, and then add letters from the last name to differentiate the duplicate names. In this example, one user account logon name could be Johne and the other Johnem. Another possibility would be to number each user logon name, for example, Johne1 and Johne2.

Consideration: Identifying the type of user
Explanation: In some organizations, it is useful to identify temporary employees by their user account. To identify temporary employees, you can use a T and a hyphen in front of the user’s logon name, for example, T-Johne. Alternatively, use parentheses in the name, for example, John Emory (Temp).

Consideration: Accommodating e-mail systems
Explanation: Some e-mail systems might not accept certain characters, such as spaces and parentheses. These characters should not be included in user names.

Password Requirements and Guidelines

To protect access to the domain or a computer, every user account should have a strong password. A strong password is a password that provides an effective defense against unauthorized access to a resource. It’s important to educate users about the benefits of using strong passwords and to teach them how to create passwords that are actually strong.

Passwords can be up to 127 characters. However, if your network has computers running Microsoft Windows 95, Microsoft Windows 98, or Microsoft Windows Millennium Edition (Windows Me), you should use a maximum of 14 characters, because these operating systems authenticate with the LAN Manager (LM) scheme, which supports passwords of up to only 14 characters. Where those clients are not present, passwords of 15 or more characters have a further benefit: Windows 2000 and later do not store an LM hash for them at all, which removes the easiest target for password-cracking tools. A minimum length of seven characters is recommended.


A strong password

■ Is at least seven characters long.

■ Does not contain a user name, real name, or company name.

■ Does not contain a complete dictionary word.

■ Is significantly different from previous passwords. Passwords that increment (Password1, Password2, Password3 ...) are not strong.

■ Contains characters from each of the four groups shown in Table 7-2.

Table 7-2 Strong Password Requirement Groups

Group: Uppercase letters
Examples: A, B, C ...

Group: Lowercase letters
Examples: a, b, c ...

Group: Numerals
Examples: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9

Group: Symbols found on the keyboard (all keyboard characters not defined as letters or numerals)
Examples: ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /

An example of a strong password is K*c6mr93}D. Be cautious about using keyboard symbols in passwords if your organization uses several different operating systems.

Note

Windows Server 2003 group policies can also affect passwords. You can enforce complexity with the Password Must Meet Complexity Requirements policy setting. Note that this setting is weaker than the list above: it requires at least six characters, characters from three of the four groups in Table 7-2, and no occurrence of the user’s account name or of any part of the user’s full name that is three or more characters long. Set Minimum Password Length separately to reach seven characters. For further information on using Group Policy, see Chapter 13, “Administering Security with Group Policy.”


Real World

Password Security

Password security is a real problem and remains a fairly large security hole for many organizations and individuals. You can and should set a password policy at the domain level in order to enforce strong passwords. You’ll learn more about this in Chapter 13, “Administering Security with Group Policy.” You should also consider using a password auditing tool in order to monitor your network for weak passwords. There are several password auditing tools available. Probably the most popular password auditing tool for computers running Microsoft Windows is L0phtCrack from @Stake, which can be found at http://www.atstake.com/.
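The following PowerShell is an added example, not code from the training kit. Test-StrongPassword applies the chapter’s list (seven or more characters, all four character groups, no user, real or company name, no complete dictionary word) and, separately, the weaker rule Windows enforces with Password Must Meet Complexity Requirements (six or more characters, three of the four groups, no occurrence of the account name or of any display-name token of three or more characters). Get-DomainPasswordPolicy reads the effective policy from the domain object and assumes a domain-joined machine. The account names, the passwords other than the chapter’s K*c6mr93}D, and the word list are constructed for the demonstration; the function names are this example’s own.

```powershell
# Added example, not part of the training kit. Test-StrongPassword applies the
# chapter's list and, separately, the weaker rule behind "Password must meet
# complexity requirements". Get-DomainPasswordPolicy reads the effective policy
# from the domain object (assumes a domain-joined machine). Accounts, passwords
# and the word list below are constructed for the demonstration.

function Test-StrongPassword {
    param(
        [Parameter(Mandatory = $true)][string]$Password,
        [string]$SamAccountName = "",
        [string]$DisplayName = "",
        [string]$CompanyName = "",
        [string[]]$Dictionary = @()
    )
    $groups = @(($Password -cmatch '[A-Z]'), ($Password -cmatch '[a-z]'),
                ($Password -match '[0-9]'), ($Password -match '[^A-Za-z0-9]'))
    $groupCount = @($groups | Where-Object { $_ }).Count
    $lower = $Password.ToLower()

    # Windows splits the display name on , . - _ space # and tab and ignores
    # tokens shorter than three characters; comparison is case-insensitive.
    $windowsTokens = @($SamAccountName) + ($DisplayName -split '[,.\-_ #\t]+')
    $chapterTokens = $windowsTokens + @($DisplayName, $CompanyName) + $Dictionary
    $windowsHit = @($windowsTokens | Where-Object { $_.Length -ge 3 -and $lower.Contains($_.ToLower()) }).Count -gt 0
    $chapterHit = @($chapterTokens | Where-Object { $_.Length -ge 3 -and $lower.Contains($_.ToLower()) }).Count -gt 0

    New-Object PSObject -Property @{
        Password               = $Password
        Length                 = $Password.Length
        GroupsUsed             = $groupCount
        MeetsChapterRules      = ($Password.Length -ge 7 -and $groupCount -eq 4 -and -not $chapterHit)
        MeetsWindowsComplexity = ($Password.Length -ge 6 -and $groupCount -ge 3 -and -not $windowsHit)
    }
}

function Get-DomainPasswordPolicy {
    $rootDse  = [adsi]"LDAP://RootDSE"
    $domain   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$([string]$rootDse.defaultNamingContext)")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain, "(objectClass=domainDNS)")
    $searcher.SearchScope = "Base"
    $p = $searcher.FindOne().Properties

    # Ages are negative 100-nanosecond intervals; Int64.MinValue means "never".
    $days  = { param([long]$v) if ($v -eq [long]::MinValue) { "never" } else { [TimeSpan]::FromTicks(-$v).TotalDays } }
    $flags = [int]$p["pwdproperties"][0]
    New-Object PSObject -Property @{
        MinimumLength        = [int]$p["minpwdlength"][0]
        HistoryLength        = [int]$p["pwdhistorylength"][0]
        MaximumAgeDays       = & $days ([long]$p["maxpwdage"][0])
        MinimumAgeDays       = & $days ([long]$p["minpwdage"][0])
        LockoutThreshold     = [int]$p["lockoutthreshold"][0]
        ComplexityRequired   = [bool]($flags -band 0x1)    # DOMAIN_PASSWORD_COMPLEX
        ReversibleEncryption = [bool]($flags -band 0x10)   # DOMAIN_PASSWORD_STORE_CLEARTEXT
    }
}

# Constructed test data: the chapter's example password, an incrementing
# password that Windows accepts, and one built from the user's own surname.
$words = 'password', 'secret', 'welcome', 'contoso'
'K*c6mr93}D', 'Password1', 'Emory2003!' | ForEach-Object {
    Test-StrongPassword -Password $_ -SamAccountName 'johne' -DisplayName 'John Emory' -CompanyName 'Contoso' -Dictionary $words
} | Format-Table Password, Length, GroupsUsed, MeetsChapterRules, MeetsWindowsComplexity -AutoSize

# On a domain member this shows what the domain actually enforces.
Get-DomainPasswordPolicy | Format-List
```

K*c6mr93}D passes both checks; Password1 passes the Windows complexity rule (three groups, nine characters) but fails the chapter’s list because it contains a dictionary word and uses only three groups; Emory2003! fails both because it contains the user’s surname. The policy output is the thing to compare against: a domain that reports ComplexityRequired false or ReversibleEncryption true is not enforcing anything the preceding pages recommend, whatever users have been told.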

Exam Tip

Know the components of a strong password.


Using Smart Cards

Windows Server 2003 supports optional smart card authentication. A smart card is a credit-card-sized device that is used with a personal identification number (PIN) to enable certificate-based authentication and single sign-on to the enterprise. Smart cards securely store certificates, public and private keys, passwords, and other types of personal information. Smart cards provide a more secure means of user authentication than passwords. However, deploying and maintaining a smart card program requires additional overhead, including the configuration of Microsoft Certificate Services, smart card reader devices, and the smart cards themselves. A smart card contains a chip that stores the user’s private key, logon information, and public key certificate. The user inserts the card into a smart card reader attached to the computer and types in a PIN when requested. Smart cards rely on the public key infrastructure (PKI) of Windows Server 2003.

Note

A discussion of PKI is outside the scope of this training kit. Refer to the Microsoft Windows Server 2003 Resource Kit (located on the Microsoft Web site at http://microsoft.com/windowsserver2003/techinfo/reskit/resourcekit.mspx) for more information on this topic.

Implementing Smart Cards

In addition to PKI and the cards themselves, each computer needs a smart card reader.

You must set up at least one computer as a smart card enrollment station and authorize at least one user to operate it. Although no extra hardware is required beyond a smart card reader, the user who operates the enrollment station needs to be issued an Enrollment Agent certificate. Because the holder of the Enrollment Agent certificate can generate a smart card for anyone in the organization, there must be strong security policies in place for issuing Enrollment Agent certificates.

Real World

Smart Card Benefit

The main problem with passwords is that the more secure a password, the more difficult it is to remember. If you require your users to create 32-character, multi-case alphanumeric passwords, they are likely to write them down. If you let your users establish any type of password they want, some people will probably decide to use a password that can be easily compromised. Smart cards can be a solution to these problems because you can implement them in place of passwords. Of course, you’ll have to place smart card readers on every computer and issue smart cards to every user. Once that is done, you can set Smart Card Is Required For Interactive Logon on each user account so that a password logon is no longer accepted for it. Instead, users will use a PIN, or perhaps a biometric (for example, a thumbprint or retinal scan), to unlock the card and gain access to their workstation and the network. Smart cards make it a lot more difficult for remote attackers to compromise network users’ accounts.

7-10

Chapter 7 Administering User Accounts

Smart Card Deployment Considerations

Smart card logon is supported for Windows 2000 and Windows Server 2003. To implement smart cards, you must deploy an enterprise certification authority rather than a stand-alone or third-party certification authority to support smart card logon to Windows Server 2003 domains. Windows Server 2003 supports industry standard Personal Computer/Smart Card (PC/SC)–compliant smart cards and readers and provides drivers for commercially available plug and play smart card readers. Windows Server 2003 does not support non-PC/SC-compliant or non–plug and play smart card readers.

Some manufacturers might provide drivers for non–plug and play smart card readers that work with Windows Server 2003; however, it is recommended that you purchase only plug and play PC/SC-compliant smart card readers.

The cost of administering a smart card program depends on several factors, including:

■ The number of users enrolled in the smart card program and their location.

■ Your organization’s practices for issuing smart cards to users, including the requirements for verifying user identities. For example, will you require users to simply present a valid personal identification card or will you require a background investigation? Your policies affect the level of security provided as well as the actual cost.

■ Your organization’s practices for users who lose or misplace their smart cards. For example, will you issue temporary smart cards, authorize temporary alternate logon to the network, or make users go home to retrieve their smart cards? Your policies affect how much worker time is lost and how much help desk support is needed.

Your smart card authentication strategy must describe the network logon and authentication methods you use. It should:

■ Identify the network logon and authentication strategies you want to deploy.

■ Describe smart card deployment considerations and issues.

■ Describe the PKI certificate services required to support smart cards.

In addition to smart cards, third-party vendors offer a variety of security products to provide two-factor authentication, such as “security tokens” and biometric accessories. These accessories use extensible features of the Windows Server 2003 graphical logon user interface to provide alternate methods of user authentication.

Exam Tip

Know what you must do to deploy smart cards.


Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. Where are domain user accounts created?

2. What is a smart card?

3. Why should you always rename the built-in Administrator account?

4. What is the purpose of the Guest account? What is the default condition of the Guest account?

5. Which of the following are characteristics of a strong password?

a. Is at least seven characters long

b. Contains your user name

c. Contains keyboard symbols

d. Contains numerals

e. Contains a dictionary word


Lesson Summary

■ Windows Server 2003 provides three types of user accounts: local user accounts, domain user accounts, and built-in user accounts. Local user accounts are stored only in a computer’s local security database. Domain user accounts are stored in Active Directory and replicated to all domain controllers in a domain. Built-in user accounts are created automatically by Windows Server 2003 for the purpose of performing administrative tasks or to gain access to network resources.

■ The user account naming convention you adopt establishes how users are identified in the domain. A consistent user account naming convention helps you and your users remember user logon names and locate them in lists.

■ To protect access to the domain or a computer, every user account should have a strong password. A strong password is a password that provides an effective defense against unauthorized access to a resource. A strong password is at least seven characters long, does not contain all or part of the user’s account name, and contains at least three of the four following categories of characters: uppercase characters, lowercase characters, base 10 digits, and symbols found on the keyboard (such as !, @, #).

■ A smart card is a credit card-sized device that is used with a PIN to enable certificate-based authentication and single sign-on to the enterprise. Smart cards securely store certificates, public and private keys, passwords, and other types of personal information. Deploying and maintaining a smart card program requires additional overhead, including the configuration of the Microsoft Certificate Services, smart card reader devices, and the smart cards themselves.


Lesson 2: Creating User Accounts

Domain user accounts are created using the Active Directory Users And Computers console. To use this console, you must have administrator privileges. This lesson takes you step-by-step through creating user accounts and setting user account properties.

After this lesson, you will be able to

■ Create domain user accounts

■ Modify domain user account properties

Estimated lesson time: 30 minutes

Creating Domain User Accounts

Use the Active Directory Users And Computers console to create a new domain user account. When you create the domain user account, the user logon name is by default associated with the domain in which you are creating the domain user account. However, you can associate a user logon name with any domain in which you have permissions to create domain user accounts. You must select the container in which to create the new account. Although you can create the domain user account in the Users container by default, you should add actual users to a custom OU. OUs are discussed in detail in Chapter 6, “Implementing an OU Structure.”

To create domain user accounts, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.

2. Click the domain, right-click the OU in which the domain user account will be stored, point to New, and then click User.

3. In the New Object–User dialog box, shown in Figure 7-3, set the domain user name options as described in Table 7-3. Click Next.


Figure 7-3 New Object–User dialog box

Table 7-3 User Name Options in the New Object–User Dialog Box

First Name box: Type the user’s first name. An entry in this, the Initials, or the Last Name box is required.

Initials box: Type the user’s initials, if applicable. An entry in this, the First Name, or the Last Name box is required. Do not use a period after the last initial; a period is entered automatically.

Last Name box: Type the user’s last name. An entry in this, the Initials, or the First Name box is required.

Full Name box: No action is necessary, because the user’s complete name is entered automatically from information you entered in the First Name, Initials, and Last Name boxes. The name must be unique within the OU or container where you create the user account. The full name is the one displayed in the OU or container where the user account is located in the directory.

User Logon Name box: The User Logon Name box is accompanied by a domain name list. The user logon name and the domain name together uniquely identify the user throughout the entire network. Based on your naming conventions, type the user’s unique logon name in the box (on the left). The logon name is required and in combination with the domain name on the right must be unique within the domain. The current domain name is entered automatically from the list (on the right) of domains for which you have the appropriate permissions, but you may select another instead.

User Logon Name (Pre–Windows 2000) box: No action is necessary because an entry is entered automatically. The entry is the user’s unique logon name that is used to log on from earlier versions of Windows, such as Microsoft Windows NT 4 or Windows NT 3.51. An entry is required, and must be unique within the domain. If you entered any of the following characters in the User Logon Name box: / \ [ ] : ; | = , + * ? < > @ " a message appears, reminding you that these characters are not valid for pre–Windows 2000 systems and that the characters will be replaced with the underscore symbol for the pre–Windows 2000 user logon.

4. In the second New Object–User dialog box, shown in Figure 7-4, set the password requirements for the domain user account as described in Table 7-4. Click Next.

Figure 7-4 New Object–User dialog box


Table 7-4 Password Options in the New Object–User Dialog Box

Password box: Type the password used to authenticate the user. For greater security, assign a strong password. The password is hidden by asterisks when you type it.

Confirm Password box: Confirm the password by typing it a second time to make sure that you typed the password correctly. An entry is required if you assign a password.

User Must Change Password At Next Logon check box: Select this check box to require the user to change his or her password the first time that he or she logs on. This ensures that the user is the only person who knows the password.

User Cannot Change Password check box: Select this check box if you have more than one person using the same domain user account (such as Guest) or to maintain control over user account passwords.

Password Never Expires check box: Select this check box if the password should never change, for example, for a domain user account that is used by a program or a Windows Server 2003 service. This option overrides the User Must Change Password At Next Logon option. If both check boxes are selected, the system clears the User Must Change Password At Next Logon check box.

Account Is Disabled check box: Select this check box to prevent the use of the user’s account, for example, for a new employee who has not yet started.

Note

It is recommended that you require new users to change their passwords the first time that they log on, so only the user knows the password. In addition, when you create the initial password for user accounts, combine letters and numbers to create a random password that will help keep the account secure.

5. In the third New Object–User dialog box, confirm that the full name and the user logon name are correct for the user. Click Finish.


Off the Record

If you are ever faced with creating a large number of user accounts at one time, you might want to explore methods for automating user account creation. One way to do this is to acquire or write a script that allows you to create user accounts. To get started writing your own user creation script, you could review Microsoft Knowledge Base article 230750 entitled “Basic User Account Creation with ADSI Scripting,” available from http://support.microsoft.com. There are, of course, many books on ADSI and VB Scripting as well. For ready-made scripts, look to the TechNet Script Center, which is available on the Microsoft Web site. Also, look on the Supplemental CD-ROM for this course in the \70-294\Labs\Chapter07 folder. There is a VB script that will create an OU named Trial along with 30 user accounts. The script is named 30users.vbs.
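A script that creates accounts in bulk should check its input before it submits each object. The following Python helper is an added example, not the training kit’s 30users.vbs or any ADSI API: it derives the pre–Windows 2000 logon name the way Table 7-3 describes (each invalid character replaced with an underscore) and tests a proposed password against the strong-password definition from the Lesson 1 summary; how “part of the account name” is matched is this example’s own assumption, and the function names are hypothetical.

```python
import re
import string

# Characters that Table 7-3 lists as invalid in a pre-Windows 2000 logon name.
PRE_WIN2000_INVALID = set('/\\[]:;|=,+*?<>@"')


def pre_windows_2000_name(user_logon_name):
    """Return the pre-Windows 2000 logon name the New Object-User dialog
    proposes: every invalid character becomes an underscore."""
    return "".join("_" if c in PRE_WIN2000_INVALID else c
                   for c in user_logon_name)


def account_name_fragments(account_name, min_len=3):
    """Substrings of the account name a password must not contain.

    Assumption of this example: 'all or part of the account name' means the
    whole name plus any run of letters or digits at least min_len long,
    compared without regard to case.
    """
    name = account_name.lower()
    fragments = {name}
    fragments.update(t for t in re.split(r"[^a-z0-9]+", name)
                     if len(t) >= min_len)
    return fragments


def password_is_strong(password, account_name):
    """Apply the strong-password definition from the Lesson 1 summary:
    at least seven characters, no part of the account name, and at least
    three of: uppercase, lowercase, base 10 digit, keyboard symbol."""
    if len(password) < 7:
        return False
    lowered = password.lower()
    if any(frag and frag in lowered
           for frag in account_name_fragments(account_name)):
        return False
    categories = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(categories) >= 3


def check_new_user(user_logon_name, password):
    """Collect the problems a script should report before creating the
    account. An empty list means both checks passed."""
    problems = []
    if not user_logon_name:
        problems.append("user logon name is required")
    pre2000 = pre_windows_2000_name(user_logon_name)
    if pre2000 != user_logon_name:
        problems.append(
            f"pre-Windows 2000 logon name will be changed to {pre2000!r}")
    if not password_is_strong(password, user_logon_name):
        problems.append("password does not meet the strong-password rule")
    return problems


if __name__ == "__main__":
    # Constructed sample input: a lab account from Table 7-6 and a stronger one.
    for name, pwd in (("User7", "User7"), ("j.smith@corp", "Tr0ub4dor!")):
        print(name, check_new_user(name, pwd) or "ok")
```

Run against the Table 7-6 lab accounts it flags every password, which is expected for a classroom lab but is exactly what a production provisioning script should refuse.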

Modifying Domain User Account Properties

A set of default properties is associated with each domain user account that you create. For domain user accounts, these account properties equate to object attributes. You can use the properties that you define for a domain user account to search for users in the directory, or the properties can be used in other applications as object attributes. For this reason, you should provide detailed definitions for each domain user account that you create. For example, if a user knows a person’s last name and wants to find the person’s telephone number, the user can use the last name to search for the telephone number.

The tabs in the Properties dialog box for a user, shown in Figure 7-5, contain information about each user account. Table 7-5 describes the tabs in the Properties dialog box.

Figure 7-5 Tabs in the Properties dialog box for a user account


Table 7-5 Tabs in the Properties Dialog Box

General: Documents the user’s first name, initials, last name, display name, description, office location, telephone number(s), e-mail address, and Web page(s)

Address: Documents the user’s street address, post office box, city, state or province, ZIP code or postal code, and country or region

Account: Documents the user’s account properties, including user logon name, logon hours, computers permitted to log on to, account options, and account expiration

Profile: Sets a profile path, logon script path, and home folder

Telephones: Documents the user’s home, pager, mobile, fax, and Internet Protocol (IP) telephone numbers, and contains space for notes

Organization: Documents the user’s title, department, company, manager, and direct reports

Remote Control: Configures Terminal Services remote control settings

Terminal Services Profile: Configures the Terminal Services user profile

COM+: Documents the COM+ partition set of which the user is a member

Published Certificates*: Documents the list of X.509 certificates for the user account

Member Of: Documents the groups to which the user belongs

Dial-In: Documents the dial-in properties for the user

Environment: Configures the Terminal Services startup environment

Sessions: Sets the Terminal Services timeout and reconnection settings

Object*: Documents the fully qualified domain name (FQDN), object class, create and modified dates, the original update sequence number (USN), and the current USN

Security*: Sets permissions on the user object

* This tab is available only if Advanced Features is selected in the View menu on the Active Directory Users And Computers console.

You can also set properties on multiple user objects. To do this, select the user objects you want to modify, right-click, and then select Properties. A set of property sheets is available on which you can set or clear object attributes for the selected users.


To modify properties for domain user accounts, complete the following steps:

1. On the Administrative Tools menu, click Active Directory Users And Computers, and then click the domain.

2. Click the appropriate OU to view available domain user accounts.

3. Right-click the domain user account for which you want to modify properties, and then click Properties.

4. Click the appropriate tab for the properties that you want to enter or change, and then complete the necessary information.

5. Click OK.

Setting Up a User for Smart Card Authentication

Set up a user for smart card authentication when you have deployed smart cards in your organization.

To set up a user for smart card authentication, complete the following steps:

1. In the Properties dialog box for the user account, in the Account Options list on the Account tab, click Smart Card Is Required For Interactive Logon.

2. Click OK.

Note

Setting up a user for smart card authentication is only one task required for deploying smart cards in your organization. The details for deploying smart cards are beyond the scope of this training kit. Refer to “Checklist: Deploying Smart Cards for Logging On to Windows” in Windows Server 2003 Help for detailed information about deploying smart cards.

Setting Logon Hours

Set logon hours to control when a user can log on to the domain. Restricting logon hours limits the hours that users can explore the network. By default, Windows Server 2003 permits access for all hours on all days. You might want to allow users to log on only during working hours. Setting logon hours reduces the amount of time that the account is vulnerable to unauthorized access.

To set logon hours, complete the following steps:

1. In the Properties dialog box for the user account, on the Account tab, click Logon Hours.

2. In the Logon Hours dialog box for the user account, shown in Figure 7-6, select the days and hours for which you want to allow or deny access.


❑ To allow access, select the rectangles on the days and hours for which you want to allow access by clicking the start time, dragging to the end time, and then clicking Logon Permitted. The days and hours for which you have allowed access appear in blue.

❑ To deny access, select the rectangles on the days and hours for which you want to deny access by clicking the start time, dragging to the end time, and then clicking Logon Denied. The days and hours for which you have denied access appear in white.

Figure 7-6 Logon hours dialog box

3. Click OK.

Note

Any connections to network resources on the domain are not disconnected when the user’s logon hours run out. However, the user will not be able to make any new connections.
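The schedule you paint in the Logon Hours dialog is stored on the user object as the logonHours attribute, a 21-byte bitmask with one bit per hour of the week. The following Python helper is an added example, not code from the training kit: it builds that mask for the Exercise 2 schedule (User Three, 6 P.M.–6 A.M., Monday–Friday) and tests whether a logon at a given time is permitted, which is what Exercise 3 later verifies by hand. The bit layout (Sunday 00:00 first, least significant bit of each byte earliest) and the fact that the directory keeps the value in UTC while the dialog shows local time are this example’s assumptions about the attribute, so convert a logon time to UTC before comparing it against a value read from Active Directory.

```python
from datetime import datetime

DAY_NAMES = ("Sunday", "Monday", "Tuesday", "Wednesday",
             "Thursday", "Friday", "Saturday")
HOURS_PER_WEEK = 7 * 24          # 168 bits -> 21 bytes


def _bit(day, hour):
    """Bit position for an hour slot. Assumption of this example: Sunday is
    day 0, slots run Sunday 00:00 .. Saturday 23:00, and the least
    significant bit of each byte is the earliest hour in that byte."""
    if not (0 <= day < 7 and 0 <= hour < 24):
        raise ValueError(f"invalid slot day={day} hour={hour}")
    return day * 24 + hour


def build_logon_hours(permitted_slots):
    """Return the 21-byte logonHours value that allows exactly
    permitted_slots, an iterable of (day, hour) pairs."""
    mask = bytearray(HOURS_PER_WEEK // 8)
    for day, hour in permitted_slots:
        bit = _bit(day, hour)
        mask[bit // 8] |= 1 << (bit % 8)
    return bytes(mask)


def daily_window(days, start_hour, end_hour):
    """Slots for 'start_hour up to end_hour' on each listed day. A window
    that crosses midnight (start >= end) is read the way the dialog's
    Mon-Fri 6 P.M.-6 A.M. selection is: hours 18-23 and 0-5 on each day."""
    if start_hour < end_hour:
        hours = range(start_hour, end_hour)
    else:
        hours = list(range(start_hour, 24)) + list(range(0, end_hour))
    return {(day, hour) for day in days for hour in hours}


def logon_permitted(mask, when):
    """True if the hour containing `when` is enabled in mask. `when` must be
    in the same time base as the mask (UTC for a value read from AD)."""
    if len(mask) != HOURS_PER_WEEK // 8:
        raise ValueError("logonHours must be 21 bytes")
    day = (when.weekday() + 1) % 7          # Python Monday=0 -> Sunday=0
    bit = _bit(day, when.hour)
    return bool(mask[bit // 8] & (1 << (bit % 8)))


def permitted_at(mask, year, month, day, hour):
    """Convenience wrapper: evaluate a calendar date and hour."""
    return logon_permitted(mask, datetime(year, month, day, hour))


def describe(mask):
    """Map day name -> sorted permitted hours, for reviewing a user's
    restriction without opening the dialog."""
    result = {}
    for day in range(7):
        hours = [h for h in range(24)
                 if mask[_bit(day, h) // 8] & (1 << (_bit(day, h) % 8))]
        if hours:
            result[DAY_NAMES[day]] = hours
    return result


# Default for a new account: access at all hours on all days.
ALL_HOURS = bytes([0xFF] * (HOURS_PER_WEEK // 8))
# Constructed from Table 7-7: User Three, 6 P.M.-6 A.M., Monday-Friday.
USER_THREE_HOURS = build_logon_hours(daily_window(range(1, 6), 18, 6))


if __name__ == "__main__":
    # Wednesday 2004-03-10: a 2 P.M. logon is refused, an 8 P.M. one allowed.
    for hour in (14, 20):
        print(hour, permitted_at(USER_THREE_HOURS, 2004, 3, 10, hour))
    print(describe(USER_THREE_HOURS))
```

The same check applied to logon event timestamps is a simple way to spot an account that authenticated outside the hours its administrator intended.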

Setting the Computers from Which Users Can Log On

By default, each user can log on from all computers in the domain. Setting the computers from which a user can log on prevents users from accessing another user’s data that is stored on that user’s computer.

Note

To control the computers from which a user can log on to a domain, NetBIOS over Transmission Control Protocol/Internet Protocol (TCP/IP) must be enabled. If NetBIOS over TCP/IP is disabled, Windows Server 2003 is unable to determine the computer from which a user is logging on and therefore cannot restrict users to specific computers.


To set logon workstations, complete the following steps:

1. In the Properties dialog box for the user account, on the Account tab, click Log On To.

2. In the Logon Workstations dialog box, shown in Figure 7-7, select The Following Computers. Then type the name of the computer from which a user is permitted to log on in the Computer Name box. Click Add.

Figure 7-7 Logon Workstations dialog box

3. If necessary, type additional computer names in the Computer Name box, then click Add. Click OK.

Setting Account Expiration Date

Set the account expiration date to control when a user account expires. The account expires at the end of the day on the date you select. Setting an account expiration date ensures that users can log on only when they are supposed to and reduces the amount of time that the account is open to unauthorized access.

To set an account expiration date, complete the following steps:

1. On the Account tab of the Properties dialog box for the user account, shown in Figure 7-8, select either of the following options:

❑ Never, if you do not want the user account to expire

❑ End Of (and then enter a date in the adjoining text box), if you want Windows Server 2003 to disable the user account automatically at the end of the day on the date you specify


Figure 7-8 The Account tab of the Properties dialog box for a user account

2. Click OK.

Practice: Creating, Modifying, and Verifying Domain User Accounts

In this practice, you create, modify, and verify domain user accounts for the contoso.com domain.

Exercise 1: Creating Domain User Accounts

In this exercise, you create some domain user accounts for the contoso.com domain.

To create domain user accounts

1. Log on to Server1 as Administrator.

2. On Server1, use the procedure provided earlier in this lesson to create the domain user accounts shown in Table 7-6 in the Chicago OU for contoso.com.

Table 7-6 Domain User Accounts for Exercise 1

First Name   Last Name   User Logon Name   Password   Change Password
User         One         User1             (blank)    Must
User         Three       User3             (blank)    Must
User         Five        User5             User5      Must
User         Seven       User7             User7      Must
User         Nine        User9             User9      Cannot


Exercise 2: Modifying User Account Properties

In this exercise, you modify user account properties for two of the user accounts you created in Exercise 1. For one account, you configure the logon hours. For the other account, you configure the account expiration settings.

To modify user account properties

1. On Server1, use the procedure provided earlier in this lesson to modify the User Three and User Five domain user accounts you set up in Exercise 1. Use the properties specified in Table 7-7.

Table 7-7 Domain User Account Properties for Exercise 2

User Account   Logon Hours                    Account Expires
User Three     6 P.M.–6 A.M., Monday–Friday   No change
User Five      No change                      Yesterday

2. Close the Active Directory Users And Computers console and log off.

Exercise 3: Verifying the Creation of User Accounts

In this exercise, you attempt to log on to the domain controller using the User One account you created in Exercise 1. Then you allow users to log on at the domain controller by adding the user accounts you created in Exercise 1 and modified in Exercise 2 to the Print Operators group. Finally, you verify the password restrictions that you set up in Exercise 1 and the logon hours restrictions and account expiration settings that you set in Exercise 2.

To verify the creation of user accounts

The first step in verifying the creation of a user account is to use the account to log on to a domain controller.

1. Log on to Server1 as User1 with no password.

2. In the Logon Message message box, click OK.

3. In the Change Password dialog box, leave the Old Password box blank, type student in the New Password box and the Confirm New Password box, and click OK.

4. In the Change Password message box, click OK. Were you able to successfully log on? Why or why not?

No. By default, administrators have the right to log on to a domain controller, but regular users, like User1, do not.


The second step in verifying the creation of a user account is to enable users to log on at a domain controller if you have not already done so. There are several ways to allow regular users to log on at a domain controller. In the next procedure, you add the users to the Print Operators group because this group has the right to log on to a domain controller. A group is a collection of user accounts. Groups simplify administration by allowing you to assign permissions to a group of users rather than having to assign permissions to each individual user account. For more information on groups, see Chapter 8, “Administering Group Accounts.”

1. Log on to Server1 as Administrator.

2. In the console tree of the Active Directory Users And Computers console, expand the East OU and the Chicago OU.

3. In the details pane, right-click User One, and then click Properties.

4. In the User One Properties dialog box, click the Member Of tab. Click Add.

5. In the Select Groups dialog box, select Advanced.

6. In the next Select Groups dialog box, click Find Now. Scroll down the box displaying the groups and select the Print Operators group. Click OK.

7. In the Select Groups dialog box, click OK.

8. Click OK to close the User One Properties window.

9. Repeat steps 3–8 for User3, User5, User7, and User9.

10. Close the Active Directory Users And Computers console and log off.

The third step in verifying the creation of a user account is to verify the operation of the password restrictions set for the account.

1. Attempt to log on as User7 with no password. Were you able to successfully log on? Why or why not?

No, because User7 was assigned a password when the user accounts were created.

2. Attempt to log on as User7 with a password of User7.

3. When prompted, change the password to student. Were you able to log on? Why or why not?

Yes, because User7 is the correct password for the User7 user account.

4. Press Ctrl+Alt+Delete.

5. In the Windows Security dialog box, click Log Off.

6. In the Log Off Windows dialog box, click Log Off to log off.

7. Attempt to log on as User9 with a password of User9. Were you able to successfully log on? Why or why not?

Yes, because User9 is the correct password for the User9 user account.


8. Press Ctrl+Alt+Delete.

9. In the Windows Security dialog box, click Change Password.

10. In the Change Password dialog box, in the Old Password box, type User9. In the New Password and Confirm New Password boxes, type student, and then click OK. Were you able to change the password? Why or why not?

No, because User9 has been restricted from changing passwords.

11. In the Change Password message box, click OK, and then click Cancel to return to the Windows Security dialog box. Click Log Off.

12. In the Log Off Windows dialog box, click Log Off to log off.

The fourth step in verifying the creation of a user account is to verify logon hour restrictions, if applicable.

1. Attempt to log on as User3 with no password.

2. When prompted, change the password to student. Were you able to successfully log on? Why or why not?

No, because User3 is only allowed to log on between 6 P.M. and 6 A.M. (The answer is Yes if you are logging on between 6 P.M. and 6 A.M.)

3. Press Ctrl+Alt+Delete.

4. In the Windows Security dialog box, click Log Off.

5. In the Log Off Windows dialog box, click Log Off to log off.

The final step in verifying the creation of a user account is to verify the account expiration properties, if applicable.

1. Attempt to log on as User5 with a password of student. Were you successful? Why or why not?

No, because the account for User5 has expired.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. To what type of container should you add users?


2. A user’s full name must be unique to what Active Directory component?

3. A user’s logon name must be unique to what Active Directory component?

4. Why should you always require new users to change their passwords the first time that they log on?

5. From which tab on a user’s Properties dialog box can you set logon hours?

a. General tab

b. Account tab

c. Profile tab

d. Security tab

Lesson Summary

■ To create domain user accounts, use the Active Directory Users And Computers console.

■ For domain user accounts, a user’s full name must be unique within the OU or container where you create the user account. A user’s logon name is based on your naming conventions and must be unique within the domain.

■ Always require new users to change their passwords the first time that they log on, so only the user knows the password. Be able to set the various password options.

■ Provide detailed property information for each domain user account that you create so you can use this information to search for users in the directory. Be able to set logon hours, set the computer from which a user can log on, and set an account expiration date.


Lesson 3: Managing User Profiles and Home Folders

User profiles maintain consistency for users in their desktop environments by providing each user with the same desktop environment as the last time that he or she logged on to the computer. This lesson introduces user profiles and explains the differences between local user profiles, roaming user profiles, mandatory user profiles, and temporary user profiles. It also discusses the use of home folders.

After this lesson, you will be able to

■ Explain the difference between a local user profile, a roaming user profile, a mandatory user profile, and a temporary user profile

■ Configure a local user profile

■ Manage a roaming user profile

■ Manage a mandatory user profile

■ Manage home folders

Estimated lesson time: 35 minutes

Understanding User Profiles

A user profile is a collection of folders and data that stores the user’s current desktop environment, application settings, and personal data. A user profile also contains all of the network connections that are established when a user logs on to a computer, such as Start menu items and mapped drives to network servers. On computers running Windows Server 2003, user profiles automatically create and maintain the desktop settings for each user’s work environment on the local computer.

Settings Saved in a User Profile

A user profile contains configuration preferences and options for each user, a snapshot of a user’s desktop environment. Table 7-8 shows a sample of the settings contained in a user profile.

Table 7-8 Settings Contained in a User Profile

Source: Parameters saved

Windows Explorer: All user-definable settings for Windows Explorer

My Documents: User-stored documents

My Pictures: User-stored picture items

Favorites: Shortcuts to favorite locations on the Internet

Mapped network drive: Any user-created mapped network drives

My Network Places: Links to other computers on the network

Desktop contents: Items stored on the Desktop and shortcut elements

Screen colors and fonts: All user-definable computer screen colors and display text settings

Application data and registry hive: Application data and user-defined configuration settings

Printer settings: Network printer connections

Control Panel: All user-defined settings made in Control Panel

Accessories: All user-specific program settings affecting the user’s Windows environment, including Calculator, Clock, Notepad, and Paint

Windows Server 2003 family–based programs: Per-user program settings for programs written specifically for Windows Server 2003 and designed to track program settings

Online user education bookmarks: Any bookmarks placed in the Windows Server 2003 family Help system

Contents of a User Profile Folder

Unless you have upgraded to Windows Server 2003 from Windows NT 4, local user profiles are stored in the C:\Documents and Settings folder, where C is the name of your system drive. If you have upgraded to Windows Server 2003 from Windows NT 4, local user profiles are stored in the %Systemroot%\Profiles folder. Roaming user profiles are stored in a shared folder on the server. Table 7-9 is a sample of the folders contained in a user profile folder.

Table 7-9 Sample Folders Contained in a User Profile Folder

Application data folder*: Program-specific data, for example, a custom dictionary. Program vendors decide what data to store in the user profile folder.

Cookies folder: User information and preferences.

Desktop folder: Desktop items, including files, shortcuts, and folders.

Favorites folder: Shortcuts to favorite locations on the Internet.

Local Settings folder*: Application data, History, and Temporary files. Application data roams with the user by way of roaming user profiles.

My Documents folder: User documents and subfolders.

My Recent Documents folder*: Shortcuts to the most recently used documents and accessed folders.

NetHood folder*: Shortcuts to My Network Places items.

PrintHood folder*: Shortcuts to printer folder items.

SendTo folder*: Shortcuts to document-handling utilities.

Start Menu folder: Shortcuts to program items.

Templates folder*: User template items.

* Item is hidden.

7

-

29

Also in the User Profile Folder is the Ntuser.dat file. The Ntuser.dat file is the registry portion of the user profile. When a user logs off the computer, the system unloads the user-specific section of the registry (HKEY_CURRENT_USER) into Ntuser.dat and updates the file.

Using the My Documents folder centralizes all user settings and personal documents into a single folder that is part of the user profile. Windows Server 2003 automatically sets up the My Documents folder, and it is the default location for storing users’ data for Microsoft applications. Home folders, covered later in this lesson, can also contain files and programs for a user.

User Profile Types

There are four types of user profiles:

Local

Roaming

Mandatory

Temporary

Local User Profiles

A local user profile is based at the local computer and is available at only the local computer. When a user logs on to the client computer running Windows Server 2003, he or she always receives his or her individual desktop settings and connections, regardless of how many users share the same client computer. Windows Server 2003 automatically creates a local user profile the first time that a user logs on to a workstation or server computer. The local user profile is stored in the C:\Documents and Settings\User_logon_name folder on the computer, where C is the name of your system drive and User_logon_name is the name the user types when logging on to the system.


A user changes his or her local user profile by changing desktop settings. For example, a user might make a new network connection or add a file to My Documents. Then, when a user logs off, Windows Server 2003 incorporates the changes into the user profile stored on the computer. The next time the user logs on to the local computer, the new network connection and the file are present.

Roaming User Profiles

To support users who work at multiple computers, you can set up roaming user profiles. A roaming user profile is based at the server and is downloaded to the local computer every time a user logs on. In contrast to a local user profile, which resides on only one client computer, a roaming user profile is available at any workstation or server computer on the network. Changes made to a user’s roaming user profile are updated locally and on the server when the user logs off. This profile is created by a system administrator and is stored in a shared folder on a server.

The first time that a user logs on at a computer, Windows Server 2003 copies all documents to the local computer. Thereafter, when the user logs on to the computer, Windows Server 2003 compares the locally stored user profile files and the roaming user profile files. It copies only the files that have changed since the last time the user logged on at the computer, which makes the logon process shorter.

Mandatory User Profiles

To specify a profile for individuals or an entire group of users, you can set up mandatory user profiles. A mandatory user profile is a read-only roaming profile, based at the server and downloaded to the local computer every time a user logs on. It is available at any workstation or server computer on the network. Users can modify the desktop settings of the computer while they are logged on, but none of these changes are saved when they log off. The next time that the user logs on, the profile is the same as the last time that he or she logged on. Only system administrators can make changes to mandatory user profiles. The mandatory profile settings are downloaded to the local computer each time the user logs on. You can assign one mandatory profile to multiple users who require the same desktop settings. If you need to change the desktop environment for this set of users, you can do so by changing only one profile.

Note

Preferably, profiles should be managed by using Group Policy. Although mandatory user profiles are permitted, they are more likely to create administration problems. For information about Group Policy, see Chapter 11, “Administering Group Policy.”


Temporary User Profiles

A temporary user profile is issued any time an error condition prevents a user’s profile from being loaded. Temporary profiles are deleted at the end of each session. Changes made to a user’s desktop settings and files are lost when the user logs off.

User Profiles Settings in Group Policy

In Windows Server 2003, there are several Group Policy settings that affect user profiles:

Prevent Roaming Profile Changes From Propagating To The Server

This policy determines if the changes a user makes to his or her roaming profile are merged with the server copy of his or her roaming profile. If this policy is set at user logon, the user receives his or her roaming profile, but any changes the user makes to his or her profile will not be merged to his or her roaming user profile at logoff.

Add The Administrator Security Group To Roaming User Profiles

This policy allows an administrator to choose the same behavior as Windows NT 4 and permit the Administrators group to have full control of the user’s profile directories. In Windows Server 2003, the default file permissions for newly generated roaming profiles are full control, or read and write access for the user, and no file access for the Administrators group.

Only Allow Local User Profiles

This setting determines whether roaming user profiles are available on a particular computer. By default, when roaming profile users log on to a computer, their roaming profile is copied to the local computer.

By using this setting, an administrator can prevent users configured to use roaming profiles from receiving their roaming profile on a specific computer.

Note

For detailed information about setting Group Policies, refer to Chapter 10, “Implementing Group Policy.”

Creating User Profiles

You create local user profiles simply by logging on. To create roaming user profiles, you assign a profile to a user account. To create mandatory user profiles, you must create a profile template, define a profile template storage location, define a profile, assign a profile to a user account, and configure the profile as mandatory. Temporary user profiles are created automatically by the system if there is a problem and therefore cannot be created by an administrator.


Creating Roaming User Profiles

Create roaming user profiles on a file server that you frequently back up, so that you have copies of the latest roaming user profiles. To improve logon performance for a busy network, place the roaming user profile folder on a member server instead of a domain controller. The copying of roaming user profiles between the server and client computers can use a lot of system resources, such as bandwidth and computer processing. If the profiles are on the domain controller, this can delay the authentication of users by the domain controller.

The Windows Server 2003 family does not support the use of encrypted files within the roaming user profile. Roaming user profiles that are used with Terminal Services clients are not replicated to the server until the interactive user logs off and the interactive session is closed.

Note

To create roaming user profiles for user accounts successfully, you must have permission to administer the object in which the user accounts reside.

To create a roaming user profile, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.

2. Expand the appropriate domain, and then click the appropriate OU.

3. In the details pane, right-click the user account for which you want to create a roaming user profile, and then click Properties.

4. In the Properties dialog box for the user, click the Profile tab.

5. In the Profile tab, shown in Figure 7-9, in the Profile Path box, type the path to the folder in which you want to store the user profile, using the format \\Server_name\Shared_folder_name\%Username%. Click OK.

Note

When you type the variable %Username%, Windows Server 2003 automatically replaces the variable with the user account name for the roaming user profile.


Figure 7-9 Properties dialog box for a user, Profile tab

6. Close the Active Directory Users And Computers console.

Creating Mandatory User Profiles

To create a mandatory user profile, you must complete the following tasks:

1. Create a mandatory user profile template.

2. Define a mandatory user profile template storage location.

3. Define a user profile.

4. Assign a user profile to a user account.

5. Configure the user profile as mandatory.

Creating a Mandatory User Profile Template You create a mandatory user profile template by creating a domain user account with the profile you intend to use for the mandatory user profile; the account is created for the sole purpose of the profile.

Because the domain user account is used for profile administration purposes only, you can make changes to the template without affecting an actual user.

To create a mandatory user profile template, complete the following steps:

1. Create a domain user account that can be easily identified as the account containing the mandatory user profile template.

2. Log on to the domain user account you created in step 1.

3. Customize the desktop for the user as desired.

4. Log off the domain user account.

5. Log on as Administrator.


6. Click Start, point to Control Panel, and then click System.

7. In the System Properties dialog box, click the Advanced tab. In the User Profiles box, click Settings.

8. In the User Profiles dialog box, shown in Figure 7-10, ensure that the profile for the user account you created in step 1 is listed in the Profiles Stored On This Computer box. Leave the System Properties dialog box, with the User Profiles tab open, for the next procedure.

Figure 7-10 User Profiles dialog box

Defining a Mandatory User Profile Template Storage Location You define a mandatory user profile template storage location by creating a shared folder that can be accessed when the user logs on.

To define a mandatory user profile template storage location, complete the following steps:

1. On a server, create a folder to store the folder containing the mandatory user profile template in the C drive, where C is the name of your system drive. Ensure that the folder can be easily identified as the folder containing the mandatory user profile template.

2. Share the folder you created in step 1.

Note

To share the folder, follow these steps: Right-click the folder, then click Properties. In the Properties dialog box for the folder, select the Sharing tab. Click Share This Folder and ensure that the shared folder name appears in the Share Name box. Click OK.


3. Open the folder and create a subfolder to store the mandatory user profile. Ensure that the subfolder can be easily identified as the folder containing the mandatory user profile.

Defining a Mandatory User Profile

You define a mandatory user profile by selecting the profile template, specifying the path to the folder you created to store the mandatory user profile, and selecting the user or group you want to be able to use the mandatory user profile in the User Profiles tab in the System Properties dialog box.

To define a mandatory user profile, complete the following steps:

1. Locate the System Properties dialog box with the User Profiles tab that you left open when creating the mandatory user profile template.

2. In the User Profiles dialog box, shown previously in Figure 7-10, select the user whose profile you want to use as the mandatory user profile, then click Copy To. The user account should be the same one you created for the mandatory user profile template in the previous procedure.

3. In the Copy To dialog box, shown in Figure 7-11, type the path to the folder you created to store the mandatory user profile in step 1, using the format \\Server_name\Shared_folder_name. In the Permitted To Use box, click Change.

Figure 7-11 Copy To dialog box

4. The Confirm Copy message box appears, stating that the folder you created to store the mandatory user profile in step 1 already exists and that the current contents will be deleted. This message appears because you already created the folder for the profile. Click Yes.

5. In the User Profiles dialog box, click OK. In the System Properties dialog box, click OK.

Assigning a Mandatory User Profile to a User Account You assign a mandatory user profile to a user account by indicating the path to the folder you created to store the mandatory user profile in the Profile tab in the Properties dialog box for the user account.

To assign a mandatory user profile to a user account, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.

2. Expand the appropriate domain, and then click the appropriate OU.

3. In the details pane, double-click the user account(s) to which you want to assign the mandatory user profile.

4. In the Properties dialog box for a user account, click the Profile tab.

5. In the Profile tab, shown previously in Figure 7-9, in the Profile Path box, type the path to the folder you created to store the mandatory user profile, using the format \\Server_name\Shared_folder_name. Click OK.

6. Close the Active Directory Users And Computers console.

Configuring a User Profile as Mandatory A hidden file in the profile called Ntuser.dat contains that section of the Windows Server 2003 system settings that applies to the individual user account and contains the user environment settings, such as desktop appearance. To configure a user profile as mandatory, you must make it read-only by changing the name of the Ntuser.dat file to Ntuser.man.

To configure a user profile as mandatory, complete the following steps:

1. Click Start, and then click My Computer.

2. On the C drive, where C is the name of your system drive, double-click the folder where you stored the mandatory user profile.

3. Double-click the subfolder where you stored the mandatory user profile.

4. Click the Tools menu, then click Folder Options.

5. In the Folder Options dialog box, click the View tab.

6. In the View tab, shown in Figure 7-12, select Show Hidden Files And Folders, then clear the Hide Extensions For Known File Types check box. Click OK.


Figure 7-12 Folder Options dialog box, View tab

7. In the window for the subfolder where you stored the mandatory user profile, click Ntuser.dat. Click the File menu, then click Rename.

8. Change the extension of the Ntuser.dat file to Ntuser.man, then press Enter.

9. Close the window for the folder.
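The roaming and mandatory profile procedures above, carried out from PowerShell as an added example (not code from the training kit). It assumes a member file server named SRV-FILES running a later Windows Server with the ActiveDirectory module installed, a domain with the NetBIOS name SALES, a template account named ProfileTemplate that has already been customized and logged off, and the practice accounts User1 and User9; note that Windows Vista and later clients append a version suffix such as .V2 to roaming profile folder names, which the Windows Server 2003 layout in this lesson does not.

```powershell
# Added example (not from the training kit): the roaming and mandatory profile
# procedures above, done from PowerShell. Assumed names: SRV-FILES (member file
# server), Profiles$ (hidden share), ProfileTemplate (template account),
# User1 and User9 (practice accounts), SALES (the domain's NetBIOS name).
#Requires -Modules ActiveDirectory, SmbShare
Import-Module ActiveDirectory

$Server      = 'SRV-FILES'
$ProfileRoot = 'C:\Profiles'      # local folder on the server's system drive
$ShareName   = 'Profiles$'        # the trailing $ hides the share from browsing
$Mandatory   = 'Mandatory'        # subfolder that holds the mandatory profile

function Add-Ace {
    # Appends one Allow rule to an ACL object. $Identity is an account name or SID;
    # $Rights, $Inherit and $Propagate are FileSystemRights/Inheritance/Propagation
    # flag names as strings, e.g. 'FullControl', 'ContainerInherit,ObjectInherit'.
    param($Acl, $Identity, $Rights,
          $Inherit = 'ContainerInherit,ObjectInherit', $Propagate = 'None')
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow')
    $Acl.AddAccessRule($rule)
}

function New-ProfileShare {
    # Creates and shares the profile root with least-privilege NTFS permissions:
    # a user can create, and then fully control, only his or her own subfolder.
    New-Item -Path $ProfileRoot -ItemType Directory -Force | Out-Null
    $acl = Get-Acl -Path $ProfileRoot
    $acl.SetAccessRuleProtection($true, $false)            # drop inherited ACEs
    Add-Ace $acl 'BUILTIN\Administrators' 'FullControl'
    Add-Ace $acl 'NT AUTHORITY\SYSTEM'    'FullControl'
    # Subfolders and files only: whoever creates a folder owns and controls it
    Add-Ace $acl 'CREATOR OWNER' 'FullControl' 'ContainerInherit,ObjectInherit' 'InheritOnly'
    # This folder only: list the root and create a subfolder, nothing more
    Add-Ace $acl 'NT AUTHORITY\Authenticated Users' 'ListDirectory,CreateDirectories,Synchronize' 'None' 'None'
    Set-Acl -Path $ProfileRoot -AclObject $acl
    # Share permissions stay broad; the NTFS ACL above does the restricting
    New-SmbShare -Name $ShareName -Path $ProfileRoot `
                 -FullAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
}

function Set-RoamingProfile {
    # The GUI's \\Server\Share\%Username% path, with the variable expanded here.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $path = "\\$Server\$ShareName\$SamAccountName"
    Set-ADUser -Identity $SamAccountName -ProfilePath $path
    return $path
}

function Set-MandatoryProfile {
    # Copies the template's local profile into the share (the Copy To step),
    # grants the permitted group read access (Permitted To Use), renames
    # Ntuser.dat to Ntuser.man, and points every listed account at the folder.
    param(
        [Parameter(Mandatory)][string]$TemplateProfile,  # the template's local profile folder
        [Parameter(Mandatory)][string]$PermittedGroup,   # e.g. 'SALES\Domain Users'
        [Parameter(Mandatory)][string[]]$Users
    )
    $target = Join-Path $ProfileRoot $Mandatory
    if (Test-Path $target) { Remove-Item $target -Recurse -Force }   # Confirm Copy
    # robocopy rather than Copy-Item: /XJ skips the junction points that newer
    # profiles contain, which would otherwise recurse endlessly or fail
    robocopy $TemplateProfile $target /E /XJ /R:1 /W:1 /NFL /NDL /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

    $acl = Get-Acl -Path $target
    $acl.SetAccessRuleProtection($true, $false)
    Add-Ace $acl 'BUILTIN\Administrators' 'FullControl'
    Add-Ace $acl 'NT AUTHORITY\SYSTEM'    'FullControl'
    Add-Ace $acl $PermittedGroup 'ReadAndExecute'           # users read, never write
    Set-Acl -Path $target -AclObject $acl

    # Ntuser.dat is hidden, hence -Force. The .man extension is what makes the
    # profile mandatory: the hive is loaded read-only and discarded at logoff.
    Rename-Item -Path (Join-Path $target 'Ntuser.dat') -NewName 'Ntuser.man' -Force

    $path = "\\$Server\$ShareName\$Mandatory"
    foreach ($u in $Users) { Set-ADUser -Identity $u -ProfilePath $path }
    return $path
}

# Constructed run for the practice: User1 roams, User9 gets the mandatory profile.
New-ProfileShare
Set-RoamingProfile -SamAccountName 'User1'
Set-MandatoryProfile -TemplateProfile 'C:\Documents and Settings\ProfileTemplate' `
                     -PermittedGroup 'SALES\Domain Users' -Users 'User9'
```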

Practice: Managing User Profiles

In this practice, you create and test a roaming user profile and a mandatory user profile.

Exercise 1: Creating and Testing a Roaming User Profile

In this exercise, you create and test a roaming user profile for User1.

To create and test a roaming user profile

1. Log on to Server1 as Administrator.

2. On Server1, use the procedure provided earlier in this lesson to create a roaming user profile for User1.

3. Log on to Server2 as User1.

4. Right-click anywhere on the desktop, then click Properties.

5. In the Display Properties dialog box, click the Appearance tab. Notice the current color scheme.

6. In the Appearance tab, in the Scheme list, select a different color scheme, then click OK. This change takes effect immediately.


7. Log off and log on as the same user, User1. Were screen colors saved? Why or why not?

Yes, because the screen colors are saved in User1’s roaming user profile.

8. Log off Server2.

Exercise 2: Creating and Testing a Mandatory User Profile

In this exercise, you create and test a mandatory user profile for User9.

To create and test a mandatory user profile

1. Log on to Server1 as Administrator.

2. On Server1, use the procedures provided earlier in this lesson to create a mandatory user profile for User9:

❑ Create a mandatory user profile template named ProfileTemplate. Right-click anywhere on the desktop, then click Properties. In the Display Properties dialog box, click the Appearance tab. Notice the current color scheme. In the Appearance tab, in the Scheme list, select a different color scheme, then click OK. This change takes effect immediately.

❑ Define the mandatory user profile template storage location by creating a subfolder named Mandatory in a folder named Profiles on your C drive, where C is the name of your system drive.

❑ Define the mandatory user profile. Ensure that User9 is permitted to use the mandatory user profile.

❑ Assign the mandatory user profile to the User9 user account.

❑ Configure the user profile as mandatory.

3. Log on to Server2 as User9. Were screen colors saved? Why or why not?

Yes, because the screen colors are saved in User9’s mandatory user profile.

4. Right-click anywhere on the desktop, then click Properties. In the Display Properties dialog box, click the Appearance tab. In the Scheme list, select a different color scheme, then click OK. This change takes effect immediately.

5. Log off and log on as the same user, User9. Were the screen colors you set in step 4 saved? Why or why not?

No, because the screen colors are saved in User9’s mandatory user profile. The mandatory user profile is read-only and cannot be changed by users.

6. Log off Server2.


Best Practices for User Profiles

The following are the best practices for handling user profiles:

Allow for different hardware configurations.

❑ Use the same type of video hardware when you create or edit a user profile for a single user.

❑ Create a single mandatory user profile for a group of users only if they all use computers with the same type of video hardware.

Do not use Offline Folder caching on roaming user profile shared directories. Otherwise, you could experience synchronization problems when both Offline Folders and the roaming user profile attempt to synchronize the files in a user’s profile.

Do not use Encrypted File System (EFS) on files in a roaming user profile. EFS is not compatible with roaming user profiles.

Do not set disk quotas too low for users with roaming user profiles. Otherwise, the roaming user profile synchronization might fail.

When creating a roaming profile shared directory, limit access to only those users who need access. Only give users the minimum amount of permissions needed.

When creating the shared directory, hide it by putting a $ after the share name. This hides the shared directory from casual browsers, and it will not be visible in My Network Places.

Use servers running Windows 2000 or later to host roaming user profile shared directories. Security features in Windows 2000 and the Windows Server 2003 family can help to secure a user’s data.

Always use the NTFS file system for volumes holding users’ data. NTFS supports discretionary access control lists (DACLs) and system access control lists (SACLs), which control who can perform operations on a file and what events will trigger logging of actions performed on a file.

Home Folders

A home folder is an additional folder that you can provide for users to store personal documents, and for older applications, it is sometimes the default folder for saving documents. You can store a home folder on a client computer or in a shared folder on a file server. Because a home folder is not part of a roaming user profile, its size does not affect network traffic during the logon process. You can locate all users’ home folders in a central location on a network server. Storing all home folders on a file server provides the following advantages:

Users can gain access to their home folders from any client computer on the network.


The backing up and administration of user documents is centralized.

The home folders are accessible from a client computer running any Microsoft operating system (including MS-DOS, Windows 95, Windows 98, Windows Me, Windows 2000, and Windows Server 2003).

Note

You should store home folders on an NTFS volume so that you can use NTFS permissions to secure user documents. If you store home folders on a file allocation table (FAT) volume, you can restrict home folder access only by using shared folder permissions.

You can further enhance the home folder feature by redirecting the user’s My Documents pointer to the location of his or her home folder.

Creating Home Folders on a Server

To successfully complete the tasks for creating home folders, you must have permission to administer the object in which the user accounts reside.

To create home folders on a server, complete the following steps:

1. On a server, create a folder to store all home folders on a network server in the C drive, where C is the name of your system drive. The home folder for each user will reside in this shared folder. Ensure that the folder can be easily identified as the folder containing the home folders.

2. Share the folder you created in step 1.

Note

To share the folder, follow these steps: Right-click the folder, then click Properties. In the Properties dialog box for the folder, select the Sharing tab. Click Share This Folder and ensure that the folder name or the name users need to connect to the shared folder appears in the Share Name box. Click OK.

3. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.

4. Expand the appropriate domain, then click the appropriate OU.

5. In the details pane, double-click the user account(s) to which you want to assign the home folder.

6. In the Properties dialog box for a user account, click the Profile tab.

7. In the Profile tab, shown in Figure 7-13, click Connect in order to connect to the home folder on the server, and specify a drive letter to use to connect. In the To box, specify a Uniform Naming Convention (UNC) name, for example, \\Server_name\Shared_folder_name\User_logon_name. You can use the %Username% variable as the user’s logon name to automatically name and create each user’s home folder the same as the user logon name. Click OK.

Figure 7-13 The Profile tab of the Properties dialog box

Note

If you use %Username% to name a folder on an NTFS volume, the user and the built-in local Administrators group are assigned the NTFS Full Control permission. All other permissions are removed for the folder.

Off the Record

You can use the %Username% environment variable in a template user account. A template user account is a user account that you create in order to create other similar user accounts. Typically, you’d create a user account named template (or something similar) for such a purpose. You can copy the template account each time you need to create a user with similar properties. One of those settings could be the home folder. For example, if you wanted to store all user home directories on Server1 in the Home share, you could set the home folder to \\Server1\Home\%Username%. Each new user you create by copying the template will automatically have his or her home folder created after the user name you enter.
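The home folder procedure above, carried out from PowerShell as an added example (not code from the training kit). It assumes a file server named Server1 with the ActiveDirectory module installed, a share named HomeFolders, and the practice account User1; the NTFS permissions it sets are the ones the Note above describes for a %Username% folder.

```powershell
# Added example (not from the training kit): server-based home folders from
# PowerShell. Assumed names: Server1 (file server), HomeFolders (share),
# User1 (practice account), Z: (drive letter used in the practice).
#Requires -Modules ActiveDirectory, SmbShare
Import-Module ActiveDirectory

$Server   = 'Server1'
$HomeRoot = 'C:\HomeFolders'     # folder on the server's system drive
$Share    = 'HomeFolders'

function New-HomeFolderShare {
    # Creates and shares the root folder that will hold every user's home folder.
    New-Item -Path $HomeRoot -ItemType Directory -Force | Out-Null
    if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $Share -Path $HomeRoot `
                     -FullAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
    }
}

function New-HomeFolder {
    # Creates <HomeRoot>\<user> with the permissions the lesson's Note describes
    # for a %Username% folder on NTFS (only the user and the local Administrators
    # group keep Full Control), then sets homeDirectory and homeDrive on the
    # account so the folder is mapped as a drive at logon. Returns the UNC path.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DriveLetter = 'Z:'
    )
    $user  = Get-ADUser -Identity $SamAccountName        # .SID is the user's SID
    $local = Join-Path $HomeRoot $SamAccountName
    $unc   = "\\$Server\$Share\$SamAccountName"

    New-Item -Path $local -ItemType Directory -Force | Out-Null
    $acl = Get-Acl -Path $local
    $acl.SetAccessRuleProtection($true, $false)   # "all other permissions are removed"
    # Add 'NT AUTHORITY\SYSTEM' to this list if backup or quota agents need access
    foreach ($id in @($user.SID, [System.Security.Principal.NTAccount]'BUILTIN\Administrators')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $local -AclObject $acl

    Set-ADUser -Identity $SamAccountName -HomeDirectory $unc -HomeDrive $DriveLetter
    return $unc
}

function Test-HomeFolder {
    # Verifies what the practice checks at logon: the account attributes point at
    # the share and the folder exists. Returns $true when both hold.
    param([Parameter(Mandatory)][string]$SamAccountName,
          [string]$DriveLetter = 'Z:')
    $u = Get-ADUser -Identity $SamAccountName -Properties HomeDirectory, HomeDrive
    return ($u.HomeDirectory -eq "\\$Server\$Share\$SamAccountName") -and
           ($u.HomeDrive -eq $DriveLetter) -and (Test-Path $u.HomeDirectory)
}

# Constructed run for the practice: User1's home folder mapped as drive Z.
New-HomeFolderShare
New-HomeFolder -SamAccountName 'User1' -DriveLetter 'Z:'
Test-HomeFolder -SamAccountName 'User1' -DriveLetter 'Z:'
```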

Practice: Managing Home Folders

In this practice, you manage a home folder for a user.

Exercise 1: Creating and Testing Home Folders

In this exercise, you create and test a home folder for User1.


To create and test a home folder

1. Log on to Server1 as Administrator.

2. On Server1, use the procedures provided earlier in this lesson to create a home folder for User1, as outlined below:

❑ Create a home folder storage location by creating a folder named HomeFolders on your C drive, where C is the name of your system drive. Share this folder as HomeFolders.

❑ Assign the HomeFolders folder to User1. Connect to the Z drive letter.

3. Log off as Administrator and log on as User1.

4. Double-click My Computer. Note that a new network drive appears, pointing to the User1 folder on \\Server1\HomeFolders with a drive assignment of Z.

5. Close the My Computer window and log off.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. What is a user profile?

2. Describe the function of the three types of user profiles.

3. What must you do to ensure that a user on a client computer running Windows Server 2003 has a roaming user profile?

4. How can you ensure that a user has a centrally located home folder?


5. Which of the following files must be renamed to configure a user profile as mandatory?

a. Ntuser.dat

b. Ntuser.doc

c. Ntuser.man

d. Ntuser.txt

Lesson Summary

A user profile is a collection of folders and data that stores the user’s current desktop environment, application settings, and personal data. A user profile also contains all of the network connections that are established when a user logs on to a computer. There are four types of user profiles: local, roaming, mandatory, and temporary.

A local user profile is based at the local computer and is available at only the local computer. Be able to create a local user profile.

A roaming user profile is based at the server and is downloaded to the local computer every time a user logs on and is available at any workstation or server computer on the network. Be able to create a roaming user profile.

A mandatory user profile is a read-only roaming profile, based at the server and downloaded to the local computer every time a user logs on and is available at any workstation or server computer on the network. Be able to create a mandatory user profile. A temporary user profile is issued anytime an error condition prevents a user’s profile from being loaded. Temporary profiles are deleted at the end of each session.

A home folder is a folder that you can provide for users to store personal documents, and for older applications, it is sometimes the default folder for saving documents. You can store a home folder on a client computer or in a shared folder on a file server. Be able to create a home folder.


Lesson 4: Maintaining User Accounts

Changes to your organization or personnel might require you to modify user accounts. These modifications include renaming, disabling, enabling, and deleting a user account. You might also need to unlock a user account or reset a user’s password. This lesson takes you step-by-step through renaming, disabling, enabling, deleting, and unlocking user accounts and resetting user passwords.

After this lesson, you will be able to

Rename, disable, enable, and delete user accounts

Unlock user accounts

Reset user passwords

Estimated lesson time: 15 minutes

Renaming, Disabling, Enabling, and Deleting User Accounts

Modifications that you make to user accounts that affect the functionality of the user accounts include the following:

Renaming a user account

Rename a user account when you want to retain all rights, permissions, and group memberships for the user account and reassign it to a different user. For example, if there is a new company accountant replacing an accountant who has left the company, rename the account by changing the first, last, and user logon names to those of the new accountant.

Disabling and enabling a user account

Disable a user account when a user does not need an account for an extended period, but will need it again. For example, if a user takes a two-month leave of absence, you would disable his or her user account at the beginning of the leave. When the user returns, you would enable his or her user account so that he or she could log on to the network again.

Deleting a user account

Delete a user account when an employee leaves the organization and you are not going to rename the user account. You might decide first to disable such an account and then delete it at a later time. This allows access to any items to which the user had exclusive rights or time to assign the account to another user. In the end, if the account remains unused, you should delete it so you do not have unused accounts in Active Directory.

To modify a user account, you make changes to the user account object in Active Directory. To complete the tasks for modifying user accounts successfully, you must have permission to administer the OU or container in which the user accounts reside.

The procedures for renaming, disabling, enabling, and deleting user accounts are very similar.


To rename, disable, enable, and delete user accounts

1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.

2. Expand the appropriate domain, and then click the appropriate OU.

3. In the details pane, select the user account that you want to rename, disable, enable, or delete. Click Action.

4. On the Action menu, click the command for the type of modification that you want to make, such as Rename, Disable Account, Enable Account, or Delete.

Note

If a user account is enabled, the Action menu displays the Disable Account command. If a user account is disabled, the Action menu displays the Enable Account command.

Unlocking User Accounts and Resetting Passwords

If a user cannot log on to the domain or to a local computer, you might need to unlock the user’s account or reset the user’s password. It is not possible to “lock” a user’s account—if you need to ensure a user’s account is not accessed, you must disable the account.

Unlocking User Accounts

A Windows Server 2003 group policy locks out a user account when the user violates the policy, for example, if the user exceeds the limit that a Group Policy allows for bad logon attempts. When a user account is locked out, Windows Server 2003 displays an error message. For further information on using Group Policy, see Chapter 13, “Administering Security with Group Policy.”

To unlock a user’s account

1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.

2. Expand the appropriate domain, and then click the appropriate OU.

3. In the details pane, select the locked user account that you want to unlock. Click Action.

4. On the Action menu, click Properties.

5. In the Properties dialog box, click the Account tab, where the Account Is Locked Out check box is selected. Clear the check box and click OK.

7-46 Chapter 7 Administering User Accounts

Resetting Passwords

If a user’s password expires before he or she can change it, or if a user forgets his or her password, you need to reset the password. You do not need to know the old password to reset a password. After the password has been set for a user account, either by the administrator or by the user, the password is not visible to any user, including the administrator. This improves security by preventing users, including the administrator, from learning another user’s password.

To reset a user password

1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.
2. Expand the appropriate domain, and then click the appropriate OU.
3. In the details pane, select the user account for which you want to reset a password. Click Action.
4. On the Action menu, click Reset Password.
5. In the Reset Password dialog box, shown in Figure 7-14, type a new password for the user in the New Password box. Confirm the password in the Confirm Password box. Select User Must Change Password At Next Logon to force the user to change his or her password the next time he or she logs on. Click OK.

Note

If a user logs on through the Internet only, do not select the User Must Change Password At Next Logon option.

Figure 7-14 Reset Password dialog box
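The reset can also be scripted. The following is an added example, not code from the book; it assumes the ActiveDirectory PowerShell module (RSAT; not part of Windows Server 2003), a domain administrator session, and the sample account user3. The hypothetical -InternetOnly switch implements the note above: for accounts that log on through the Internet only, the must-change-at-next-logon flag is left clear.

```powershell
# Added example (not from the book): reset a user's password without knowing the
# old one and require a change at next logon, using the ActiveDirectory module.
# Assumptions: RSAT module available (not part of Windows Server 2003),
# domain-admin session, sample account "user3". -InternetOnly is a hypothetical
# switch for this example, mirroring the book's note about Internet-only users.
Import-Module ActiveDirectory

function Reset-UserPassword {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [switch]$InternetOnly
    )

    # Prompt for the new password as a SecureString so it is never written into
    # a script file or the command history; the directory stores only a hash, so
    # once set it cannot be read back by anyone, the administrator included.
    $new = Read-Host -AsSecureString -Prompt "New password for $Identity"

    # -Reset is the Reset Password dialog: it does not require the old password.
    # (Without -Reset the cmdlet expects -OldPassword, like a user-initiated change.)
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $new

    # User Must Change Password At Next Logon, unless the account only logs on
    # through the Internet, where the change prompt cannot be presented.
    Set-ADUser -Identity $Identity -ChangePasswordAtLogon (-not $InternetOnly.IsPresent)

    # Show the result: pwdLastSet of 0 is how the directory records the
    # must-change-at-next-logon requirement.
    Get-ADUser -Identity $Identity -Properties PasswordLastSet, pwdLastSet |
        Select-Object SamAccountName, PasswordLastSet,
            @{ Name = 'MustChangeAtLogon'; Expression = { $_.pwdLastSet -eq 0 } }
}

# Ordinary user: the reset is temporary and the user picks a new password at logon.
Reset-UserPassword -Identity 'user3'

# Internet-only user: the reset password stays in force and no change is forced.
Reset-UserPassword -Identity 'user3' -InternetOnly
```

Forcing the change at next logon keeps the password the administrator typed from becoming the user's long-term password, which is the reason the dialog offers the option; for an account that never reaches an interactive logon screen, the same flag would simply prevent the user from logging on at all.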

Practice: Administering User Accounts

In this practice, you work with disabling and enabling a user account and learn how to reset the password for a user account.

Exercise 1: Disabling and Enabling a User Account

In this exercise, you disable a user account so that it can no longer be used to log on to the domain. You then enable the same account.


To disable and enable a user account

1. Log on to Server1 as Administrator.
2. On Server1, use the procedure provided earlier in this lesson to disable the User Three user account you created in Lesson 2. How can you tell that the user account is disabled?

   The Enable Account option appears on the Action menu, and a red X appears on the user icon for User Three in the details pane.

3. Log off Windows Server 2003.
4. Attempt to log on as User3. Were you successful? Why or why not?

   No, because the account is disabled.

5. Log on to your domain as Administrator.
6. Use the procedure provided earlier in this lesson to enable the User Three user account.
7. Click OK to return to the Active Directory Users and Computers console. How can you tell that the user account is enab